An Apology.
Hello,
Yes Thor, you are correct. I should have handled this better and I offer my
sincere apologies to everyone.
I posted this tongue in cheek hoping that people would read it and think.
Rather it has become a mockery. I wanted to make the point that thinking about
embedded devices and other equipment is essential. This is not how it has
panned out.
As an example of what the issue is I have seen a printer that was used as a
Warez site in a company. Even when notified of this, nothing was done as the
printer "still worked fine". Patching Windows is bad enough, but little
attention is ever paid to appliances (network or otherwise).
Reversing on demand is becoming common. Crime has more money to spend than
security teams and pen testing does not reflect what attackers do (other than
non-targeted attacks). The economics of an attack based strategy favour the
criminal, not the tester.
I have in the last 4 years seen an appliance (not the current one) on the same
network as a SCADA system. In this case the firewall had a hole to allow access
to the device. As far as I know it is still active. The argument was that "who
cares if you compromise the sprinkler system". Of course it is easy to forget
that the SCADA system was meant to be protected by the firewall and remote
access to an embedded Linux system was a way to do this.
I have seen 100s of systems ignored as they have not got a common
vulnerability. A Nessus, Metasploit, Core etc. scan of an appliance will come up
clean as nobody cares to check unusual devices in the first place.
This was some of the point I failed to make.
I have been asked not to comment further on this using my work email and will
also limit what I say other than the apology on my University one for the time
being.
Offering code online would be completely irresponsible. So I shall not be doing
this. I doubt that the company would even 25% of the people who have the
product. Even with the press it is unlikely that most of the few users would
even now know or could be contacted.
Anybody who actually owns the product I shall help offline if they contact me
directly.
Regards,
Craig Wright