
An Apology.
Hello,
Yes Thor, you are correct. I should have handled this better and I offer my 
sincere apologies to everyone.

I posted this tongue in cheek hoping that people would read it and think. 
Rather it has become a mockery. I wanted to make the point that thinking about 
embedded devices and other equipment is essential. This is not how it has 
panned out.

As an example of what the issue is, I have seen a printer that was used as a 
Warez site in a company. Even when notified of this, nothing was done as the 
printer "still worked fine". Patching Windows is bad enough, but little 
attention is ever paid to appliances (network or otherwise).

Reversing on demand is becoming common. Crime has more money to spend than 
security teams and pen testing does not reflect what attackers do (other than 
non-targeted attacks). The economics of an attack based strategy favour the 
criminal, not the tester.

I have in the last 4 years seen an appliance (not the current one) on the same 
network as a SCADA system. In this case the firewall had a hole to allow access 
to the device. As far as I know it is still active. The argument was that "who 
cares if you compromise the sprinkler system". Of course it is easy to forget 
that the SCADA system was meant to be protected by the firewall and remote 
access to an embedded Linux system was a way to do this.

I have seen 100s of systems ignored as they have not got a common 
vulnerability. A Nessus, Metasploit, Core etc. scan of an appliance will come up 
clean as nobody cares to check unusual devices in the first place.

This was some of the point I failed to make.

I have been asked not to comment further on this using my work email and will 
also limit what I say other than the apology on my University one for the time 
being.

Offering code online would be completely irresponsible. So I shall not be doing 
this. I doubt that the company would even 25% of the people who have the 
product. Even with the press it is unlikely that most of the few users would 
even now know or could be contacted.

Anybody who actually owns the product I shall help offline if they contact me 
directly.

Regards,
Craig Wright