Bugtraq mailing list archives
Re: Vulnerabilities in some SCADA server softwares
From: Theo de Raadt <deraadt () cvs openbsd org>
Date: Wed, 23 Mar 2011 13:03:51 -0600
> On 3/23/2011 2:13 PM, Theo de Raadt wrote:
>>> If *any* threat exists, that threat is increased by public exposure of unmitigated attack methodology
>>
>> I think you have it wrong. Public exposure increases the visibility, and therefore customers install the patches quicker. Without public visibility, they will keep running the old code.
>
> You're flawed in your response: "Public exposure increases the visibility, and therefore customers install the patches quicker." ... When someone "full discloses" a vulnerability, there is no patch to install quicker.
With public involvement, the timeline goes a bit like this:

1 - Full disclosure
2 - Publicly, the vendor looks bad to customers
3 - A fix is crafted immediately; tested rapidly, then released to customers.
4 - Publicly, customer and vendor would look bad if they did not install the fix immediately -- as soon as it is available

I am very well aware of what is going on out there in industry: Customers do not install patches unless they have to, because various realities of the environment make it hard. That does not make deferring the repairs acceptable. The public eye can help improve this situation.
> This is obvious because there is no patch until either the vendor releases one, or staff using the product are capable of creating a work-around.
No, it is not obvious that no patch is available. Quite often patches or upgrades do exist, but they have not been deployed. Sometimes the SCADA vendor is responsible for trying to charge more, also.
> In the case of the SCADA environment, we (again) are not talking about the potential of a defacement, blue screen, silly shell; we're talking about sensors, gears and often so much automation that it would be absurd for a SCADA engineer to "go it alone" and try to create their own patch. Many of these systems don't have the option of failing or being taken offline. You also state: "Without public visibility, they will keep running the old code". The reality is, no one is going to outright replace some of these systems in these environments. These are not applications and/or systems one can plop onto donated boxes. They have no choice BUT to run the code.
Oh give me a break. You are talking to me as if I am a child, which means you don't know who I am.

The people involved in selling and re-selling these broken SCADA system software are the children. For financial or other reasons they have assumed that the same "quality control failure leads to bugs leads to exploits" game that has affected generations of software would not apply to them.

It happened to the Unix environment. Then it happened to the Microsoft environment. Then it happened to the Linux environment. And then it happened to the browser environment. Currently it is happening to the cell phone environment. You expect me to believe it will not eventually happen to the SCADA environment?

And it does not make an ounce of difference how much the defenders of the SCADA world whine about full disclosure being evil. I expect a surge of published exploits against SCADA software, and whining about "full disclosure" will not stop it. You might think you are all creative with your arguments, but we've heard it all before.

And yes, I think someday soon we are going to start having the same arguments about software in use at hospitals, and I think full disclosure will happen about those too. As it should. Quality controls do not get strong until the risks are visible. So go ahead, talk about the risks but do not blame messengers.

Yes, with SCADA there is tremendous danger to our infrastructure - from a safety perspective and from a financial perspective. But is the browser situation any different, for the public, if you total potential financial losses? (It is fair, a utility with a massive SCADA failure would eventually socialize the losses after conversion to dollars and cents). If there is danger, why are the vendors not getting ahead of the curve? We know they are not getting ahead of the curve. If you use SCADA software, go read your contracts to gauge where the liability lands. I suspect you already know.
And I suspect all the people arguing against full disclosure work on "that side" of the industry.