Dailydave mailing list archives

Re: Junk Hacking Must Stop!


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Mon, 22 Sep 2014 13:44:50 -0700

Well, I wouldn't badmouth "IoT hacking" just for the sake of it - for
better or worse, it's a growing and increasingly important attack
surface, it is in many ways a decade behind the standards we've come
to expect on the desktop, and it occasionally deals with genuinely
interesting and possibly unsolved problems - say, around auth.

The issue is chiefly that, as you note, a lot of the headline-grabbing
research is just poorly thought out and often done with little
ambition; if you have physical access to a fridge and even then, your
technical expertise is limited to being able to brick it or infect it
with SQL Slammer, it is perhaps wrong - on some abstract, existential
level - for you to be able to get a lot of air time out of that.

But then, it's not really fixable, right? It's a hot topic, both for
legitimate reasons and because of its vaguely sci-fi vibe. Journalists
want to write about it, people want to click on the links and pay for
conference tickets, and the only way to improve the situation is to
wait for things to calm down and keep putting out better work.

If anything, I would warn against confusing the prevalence of
low-quality, high-visibility research in a particular field with the
whole thing not being worthy of our attention. Many people have made
that mistake with web security some 10 years ago.

/mz

On Mon, Sep 22, 2014 at 11:53 AM, Dave Aitel <dave () immunityinc com> wrote:
Look, I get how we all love free trips to various locales other than Seattle
or Boston or whatever (which are not, technically "locales" so much as just
"places people happen to live"). But one more hacking talk about breaking
into some random piece of electronics that people might use somewhere like an
Internet-connected bed-warmer, or an MRI machine, or a machine people use to
make MRI machines, and the whole hacking community is going to be wearing
the cone of shame for a week!
Yes, we get it. Cars, boats, buses, and those singing fish plaques are all
hackable and have no security. Most conferences these days have a whole
track called "Junk I found around my house and how I am going to scare you
by hacking it". That stuff is always going to be hackable
whetherornotyouarethecalvalry.org.

I get that Barnaby hacked an ATM. I thought it was stupid then, and it's
even stupider now when your basic ATM runs XP so it can display ads to you
while you take money out of it. But it's not stunt hacking unless it can wow
you. If you are wowed by someone owning XP these days, then you are out of
it and need to be re-reading Carolyn Meinel's HappyHacker website. Yes,
there is Junk in your garage, and you can hack it, and if you find someone
else who happens to have that exact same Junk, you can probably hack that
too, but maybe not, because testing is hard.

Cars are the pinnacle of junk hacking, because they are meant to be in your
garage. Obviously there is no security on car computers. Nor (and I hate to
break the suspense) will there ever be. Yes, you can connect a device to my
midlife crisis car and update the CPU of the battery itself with malware,
which can in theory explode my whole car on the way to BJJ. I personally
hope you don't. But I know it's possible the same way I know it's possible
to secretly rewire my toaster oven to overcook my toast every time even when
I put it on the lowest setting, driving me slowly but surely insane.

So in any case, enough with the Junk Hacking, and enough with being amazed
when people hack their junk.

-dave :>


_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave