Secure Coding mailing list archives
Re: SearchSecurity: Medical Devices and Software Security
From: Jeremy Epstein <jeremy.j.epstein () gmail com>
Date: Mon, 7 Jul 2014 13:19:37 -0400
Agree with you - there's nothing new in the article. I gave a talk a couple years ago at a conference on biomedical engineering, and there was one person in the room (out of a few hundred) who had heard of Therac-25. (Which I assume is what you were referring to with 1985.) If the article were instead published in a medical device or biomedical engineering journal, that would be something different. But as you say, putting it in on SearchSecurity is just the echo chamber of security folks. IMHO, anyone who builds medical devices that use software and hasn't read about Therac-25 should be considered as unqualified. (And if that gets anyone on the list to pull out Google, who didn't recognize the reference to 1985, so much the better!) On Sun, Jul 6, 2014 at 1:21 AM, security curmudgeon <jericho () attrition org> wrote:
On Mon, 30 Jun 2014, Gary McGraw wrote: : Chandu Ketkar and I wrote an article about medical device security based : on a talk Chandu gave at Kevin Fu?s Archimedes conference in Ann Arbor. : In the article, we discuss six categories of security defects that : Cigital discovers again and again when analyzing medical devices for our : customers. Have a look and pass it on: : : http://bit.ly/1pPH56p : : As always, your feedback is welcome. Per your request, my feedback: Why do so many security professionals think we need yet another article on medical devices that give a high-level overview, that ultimately boils down to "medical devices are not secure"? We see these every month or three, and have for a long time. Other than medical vendors who are very resistent to the idea that their devices have issues, who is this written for? Who exactly outside medical vendors think that those devices are secure? These articles do nothing.. absolutely nothing, to fix problems. They are bandwagon articles jumping on the 'medical security' wave that has some attention right now. Everyone writing these articles seems to be completely new to the medical arena. Most that write this crap that I have talked to can't speak to any of the history of medical disclosures. Names like Fu and Halperin are foreign to them, and the importance of 1985 in the timeline of medical issues is lost on them. If you find yourself Googling any of those, thanks for proving my point. This shit is not new. These articles are NOT advancing our field or the medical field. Sure, you are getting a slice of attention for the issue, but mostly in our echo chamber. Finally, your intro. "Since 1996 my company has analyzed hundreds of systems..." Really? Hundreds? You might want to fix that, else you come across as complete n00bz in the industry. I've done single engagements that involved tends of thousands of machines. Perhaps you want to qualify that to mean hundreds of vendors? Hundreds per months/year? To illustrate I am not the only one who feels this way: https://twitter.com/attritionorg/status/485652525589086209 1 minute later: https://twitter.com/SteveSyfuhs/status/485652988044656640 Seriously, dare to evolve. .b _______________________________________________ Secure Coding mailing list (SC-L) SC-L () securecoding org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates _______________________________________________
_______________________________________________ Secure Coding mailing list (SC-L) SC-L () securecoding org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates _______________________________________________
Current thread:
- SearchSecurity: Medical Devices and Software Security Gary McGraw (Jul 03)
- Re: SearchSecurity: Medical Devices and Software Security security curmudgeon (Jul 07)
- Re: [External] Re: SearchSecurity: Medical Devices and Software Security Goertzel, Karen [USA] (Jul 07)
- Re: [External] Re: SearchSecurity: Medical Devices and Software Security Jeffrey Walton (Jul 07)
- Re: [External] Re: SearchSecurity: Medical Devices and Software Security Goertzel, Karen [USA] (Jul 07)
- Re: [External] Re: SearchSecurity: Medical Devices and Software Security Gary McGraw (Jul 08)
- Re: [External] Re: SearchSecurity: Medical Devices and Software Security Goertzel, Karen [USA] (Jul 07)
- Re: SearchSecurity: Medical Devices and Software Security security curmudgeon (Jul 07)
- Re: SearchSecurity: Medical Devices and Software Security Jeremy Epstein (Jul 07)