funsec mailing list archives
Re: dumb. Comcast pop-ups
From: Michael Collins <mcollins () aleae com>
Date: Sun, 11 Oct 2009 10:15:00 -0400
Jon already pretty much covered the response to this - remote administration, viewing, and to be frank, we plug in internet connectivity to *everything* these days.

That said, I also think that we forget there are three parties in security - attacker, defender and user. From the user's perspective, we appear to exist solely to pee in their wheaties. There exist a good number of organizations who have ultimate users (doctors, generals, senior faculty, CEOs) for whom you *have* to provide what they want, regardless of how insecure it is.

On Oct 11, 2009, at 5:27 AM, Jim Murray wrote:

> Michael Collins wrote:
>
> > Heh. One of the fun exercises I like to spring on people is to play out the following scenario: assume you've got an embedded system of some kind being controlled by a Windows 3.1 box. Let's say it's doing something like wrapping candy bars or stamping plaques or whatever; it's piecework payment. The machine gets 0wned, and while it's not doing anything that's impacting you personally, it's contributing a couple of kb/s to spamming or ddosing or other fun things. Is it in your interest to sacrifice the day, and the consequent profits involved in fixing your box, to solve the problem, or better to just let it run?
>
> My first question has to be 'What is such a device doing connected to the public internet in the first place?'. If it really MUST be connected then it should be properly protected. If they don't do that and get 0wned then they deserve the costs and inconvenience of cleaning up the mess they made; it's a safe bet they'll be more careful in future.
>
> > The problem was given a more concrete example by a colleague who pointed out that most medical hardware running on Windows boxes is not only certified for Windows only, but for specific *patchlevels*, and that consequently these machines can get restored, taken down, reinstalled, and put back on the net with known vulnerabilities because their software is certified with vulnerabilities intact.
>
> If I were to find any critical piece of medical hardware connected to the public internet I'd be very concerned indeed. Surely best practice dictates that clinical networks are kept isolated from the administrative networks & public internet?
>
> Jim.
>
> --
> DigitalDaemons IT Services.
> ---------------------------------------
> E-Mail : jim () digitaldaemons co uk
> PGP Key ID : 0xB7066495
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.