Re: Vulnerabilities in some SCADA server softwares

[Mike Hoskins <michoski () cisco com>]

On 3/23/11 9:46 AM, J. Oquendo wrote:
> How about we reflect reality?

We can't honestly do that, we all only have our perception.  It's funny 
how we can get stuck in a trap of 0 and 1.

My perception is we'll always disagree on disclosure technique, or at 
least nitpick some minor detail into infinity like we do with politics 
or religion.  We're human after all.

That said, bugs exist whether we find them or not, every software has 
them, and if the author had never reported them that in no way implies 
they were not already known and/or being used for subversive means with 
the potential intent to cause harm.

I guess I'm oldsk00l enough to like responsible disclosure, but also 
anti-authoritarian enough (who's making the rules?  why are they god?) 
to believe this is not black and white.  Scare away those who disclose 
(regardless of method), and you're left with undisclosed vulnerabilities 
the bad guys with the most to gain ($$$ to invest in teams of 
hacke^H^H^Hengineers, not just script kiddies) still know about and can 
most effectively leverage.

I say the only bad disclosure is no disclosure.  If vendors can't move 
fast enough, they'll be usurped by those who can make better use of new 
processes and technologies to keep up with trends.

PS: Is this really "hot" now?  My only thought when I read the original 
post was "about time" -- SCADA has been known (as in publicly aired on 
broadcast television) to have many gaping vulnerabilities for at least a 
decade.  The (obviously bogus) justification was usually it's restricted 
deployment model.