Bugtraq mailing list archives

An Apology.


From: cwrigh20 () postoffice csu edu au
Date: 19 Jun 2008 17:41:40 -0000

Hello,
Yes Thor, you are correct. I should have handled this better and I offer my sincere apologies to everyone.

I posted this tongue-in-cheek hoping that people would read it and think. Rather, it has become a mockery. I wanted to 
make the point that thinking about embedded devices and other equipment is essential. This is not how it has panned out.

As an example of what the issue is I have seen a printer that was used as a Warez site in a company. Even when notified 
of this, nothing was done as the printer "still worked fine". Patching Windows is bad enough, but little attention is 
ever paid to appliances (network or otherwise).

Reversing on demand is becoming common. Crime has more money to spend than security teams, and pen testing does not 
reflect what attackers do (other than non-targeted attacks). The economics of an attack-based strategy favour the 
criminal, not the tester.

I have in the last 4 years seen an appliance (not the current one) on the same network as a SCADA system. In this case 
the firewall had a hole to allow access to the device. As far as I know it is still active. The argument was that "who 
cares if you compromise the sprinkler system". Of course it is easy to forget that the SCADA system was meant to be 
protected by the firewall and remote access to an embedded Linux system was a way to do this.

I have seen 100s of systems ignored as they have not got a common vulnerability. A Nessus, Metasploit, Core etc. scan of 
an appliance will come up clean, as nobody cares to check unusual devices in the first place.

This was some of the point I failed to make.

I have been asked not to comment further on this using my work email and will also limit what I say other than the 
apology on my University one for the time being.

Offering code online would be completely irresponsible. So I shall not be doing this. I doubt that the company would 
even 25% of the people who have the product. Even with the press it is unlikely that most of the few users would even 
now know or could be contacted.

Anybody who actually owns the product I shall help offline if they contact me directly.

Regards,
Craig Wright
