Dailydave mailing list archives
Re: Junk Hacking Must Stop!
From: Don Bailey <don.bailey () gmail com>
Date: Mon, 22 Sep 2014 14:12:27 -0600
Hello List, As an ex-hacker-of-things, I actually agree with the motivation behind this post. I still wouldn't call it "junk", but that's an entirely separate and subjective argument that no one in their right mind would care to get into. However, we should have matured as an industry to the point where we can get beyond the devices themselves, and I am disappointed to see my peers constantly deriding the highly qualified engineers building these devices. What a lot of security professionals don't have is the business sense or engineering experience to understand the real threat model in which these devices exist. Furthermore, calling the IoT/IoE (insert your favorite/preferred term here) movement "terror" is amateurish and insincere. As a result, we're seeing consultants foolishly directing embedded technology firms to go down bizarre rabbit holes, such as implementing PaX/Grsec for ARM/MIPS on devices whose threat-scape is "can someone force this washer to overheat the water via RF". This solves nothing. The real discussion must focus on the product life cycle, tangible risks to the end-user and business, and realistic and cost-effective security controls that scale. The less we focus on "everything can be owned!", the more we as an industry can actually effect real change. Hyperbole disguised as passion distracts industry outsiders and puts a bad taste in the mouths of people that legitimately need guidance. Distractions in the form of "hacked a thing!" or "fear the things!" is actually setting us as far back as an industry as the 8bit microcontroller security surfaces used by these devices. P.S. If you're just getting into hardware hacking and want to give a talk on hacking a "thing", welcome to 2010. Best, Don A. Bailey Founder Lab Mouse Security @InfoSecMouse https://www.securitymouse.com/ On Mon, Sep 22, 2014 at 12:53 PM, Dave Aitel <dave () immunityinc com> wrote:
Look, I get how we all love free trips to various locales other than Seattle or Boston or whatever (which are not, technically "locales" so much as just "places people happen to live"). But one more hacking talk about breaking into some random piece of electronics that people might use somewhere like a Internet-connected bed-warmer, or a MRI machine, or a machine people use to make MRI machines, and the whole hacking community is going to be wearing the cone of shame for a week! [image: your blackhat talk was not accepted!] Yes, we get it. Cars, boats, buses, and those singing fish plaques are all hackable and have no security. Most conferences these days have a whole track called "Junk I found around my house and how I am going to scare you by hacking it". That stuff is always going to be hackable whetherornotyouarethecalvalry.org. I get that Barnaby hacked an ATM. I thought it was stupid then, and it's even stupider now when your basic ATM runs XP so it can display ads to you while you take money out of it. But it's not stunt hacking unless it can *wow* you. If you are wowed by someone owning XP these days, then you are out of it and need to be re-reading Carolyn Meniel's HappyHacker website. Yes, there is Junk in your garage, and you can hack it, and if you find someone else who happens to have that exact same Junk, you can probably hack that too, but maybe not, because testing is hard. Cars are the pinnacle of junk hacking, because they are meant to be in your garage. Obviously there is no security on car computers. Nor (and I hate to break the suspense) *will there ever be*. Yes, you can connect a device to my midlife crisis car and update the CPU of the battery itself with malware, which can in theory explode my whole car on the way to BJJ. I personally hope you don't. But I know it's possible the same way I know it's possible to secretly rewire my toaster oven to overcook my toast every time even when I put it on the lowest setting, driving me slowly but surely insane. So in any case, enough with the Junk Hacking, and enough with being amazed when people hack their junk. -dave :> _______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave
Current thread:
- Junk Hacking Must Stop! Dave Aitel (Sep 22)
- Re: Junk Hacking Must Stop! jericho (Sep 23)
- Re: Junk Hacking Must Stop! Don Bailey (Sep 23)
- Re: Junk Hacking Must Stop! Michal Zalewski (Sep 23)
- Re: Junk Hacking Must Stop! Andreas Lindh (Sep 23)
- Re: Junk Hacking Must Stop! dan (Sep 26)
- Re: Junk Hacking Must Stop! Marc Maiffret (Sep 26)
- Re: Junk Hacking Must Stop! Wim Remes (Sep 26)