Re: dumb. Comcast pop-ups

[Michael Collins <mcollins () aleae com>]

Jon already pretty much covered the response to this - remote  
administration, viewing, and to be frank, we plug in internet  
connectivity to *everything* these days.

That said, I also think that we forget there are three parties in  
security - attacker, defender and user.  From the user's perspective,  
we appear to exist solely to pee in their wheaties.  There exist a  
good number of organizations who have ultimate users (doctors,  
generals, senior faculty, CEOs) who you *have* to provide what they  
want, regardless of how insecure it is.

On Oct 11, 2009, at 5:27 AM, Jim Murray wrote:

> Michael Collins wrote:
> > Heh,
> >
> > One of the fun exercises I like to spring on people is to play out  
> > the
> > following scenario: assume you've got an embedded system of some kind
> > being controlled by a windows 3.1 box.  Let's say it's doing  
> > something
> > like wrapping candybars or stamping plaques or wahtever, it's
> > piecework payment.  The machine gets 0wned, and while it's not doing
> > anything that's impacting you personally, it's contributing a couple
> > of kb/s to spamming or ddosing or other fun things.  Is it in your
> > interest to sacrifice the day, and the consequent profits involved in
> > fixing your box, to solve the problem or better to just let it run?
>
> My first question has to be 'What is such a device doing connected to
> the public internet in the first place?'. If it really MUST be  
> connected
> then it should be properly protected. If you they don't do that and  
> get
> 0wned then you deserve the costs and inconvenience of cleaning up the
> mess you made, it's a safe bet you'll be more careful in future.
>
> > The problem was given a more concrete example by a colleague who
> > pointed out that most medical hardware running on windows boxes is  
> > not
> > only certified for windows only, but specific *patchlevels*, and that
> > consequently these machines can get restored, taken down,  
> > reinstalled,
> > and put back on the net with known vulnerabilities because their
> > software is certified with vulnerabilities intact.
>
> If I were to find any critical piece of medical hardware connected to
> the public internet it'd be very concerned indeed. Surely best  
> practice
> dictates that clinical networks are kept isolated from the
> administrative networks & public internet?
>
> Jim.
>
> -- 
>      DigitalDaemons IT Services.
> ---------------------------------------
>   E-Mail : jim () digitaldaemons co uk
>       PGP Key ID : 0xB7066495

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.