Date: Thu, 16 Jan 2014 14:52:37 +0000
From: Dan Ballance <tzewang.dorje@...il.com>
To: Źmicier Januszkiewicz <gauri@....by>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: EE BrightBox router hacked - bares all if you ask nicely

Well, users do care about getting hacked when it happens - so maybe they do
need to be forced to pay a little more to be secure. This also has benefits
for e-commerce and on-line banking, credit card fraud etc - so there are
definitely companies who will benefit from reduced on-line crime, so maybe
the end-user wouldn't need to be paying the whole bill? The ISPs themselves
should also be paying for some of this additional cost - and if it's done
across the industry then there would be no competitive disadvantage.

I work as a senior developer, salaried for a company, and I do require all
of my developers to use security best practices as they develop. So I don't
think this is necessarily naive, but again it is about out-sourcing vs having
good staff in-house to do the company's work. Or if a company is going to
out-source they need to use an agency with good standards and reputation to
be sure work is completed to a professional standard. So I do agree with
you it all comes down to costs and who is going to pay.

I don't have time to write a detailed dissertation, but obviously there
would be a great deal that would need defining here for it to become law -
such as what is considered a minimum security standard and how to
certify/audit the work etc. Still seems worth doing to me.

All the best,

Dan.
On 16 January 2014 11:52, Źmicier Januszkiewicz <gauri@....by> wrote:

> True, some sort of legislation might do the trick, but there is always
> this nasty question which we all really hate: who is going to pay for
> that? We can't burden national budgets with stuff like that, ISPs do
> not produce more than they are paid by customers, so... end users! So
> technically, we'll be forcing end users to pay more for something they
> do not care as much about. :-) Also, the "standards" would need to be
> defined somehow (see Huawei vs U.S. of A. and other countries).
>
> With regards to security costs, my freelance programming experience
> tells me that people tend to produce no more than they are paid for;
> assuming someone would work extra hours to implement something not
> previously negotiated (see above) and hence not paid for is a bit
> naive (no offense). Same goes for companies that do outsourcing
> contracts, they are paid by hours and they pay by hours, so sometimes
> you are actually asked NOT to put in extra effort. :-) As for basic
> security practices, well, the device does ask for a password, doesn't
> it. :-) Seems we should define "basic" here.
>
> A somewhat related point is that these "basic security practices" you
> mention are not actually taught anywhere on CS courses one would
> usually take, even less so on some "teach yourself {a language} in 21
> days" sort of courses/books. It is a ground-breaking revelation for
> many development folks that you can compromise an application via a
> crafted data file exploiting some sort of a buffer overflow!
>
> 2014/1/16 Dan Ballance <tzewang.dorje@...il.com>:
> > So your point is that there should be legislation to require companies to
> > adhere to certain security standards? I'd support that - particularly in an
> > ISP market which is clearly defined by national boundaries and law.
> >
> > I do agree with you this is probably to do with cheap out-sourcing, as well
> > as subsequent economic analysis. Where I disagree is that basic security
> > costs any more. Most of this stuff is what I would classify as "school boy
> > errors" - not a super-secure system designed by the finest security minds in
> > the industry. Anyone with even mid-range skills should be able to implement
> > basic security practices as they work IMHO. But I do take your general point
> > :)
> >
> > As for my shock - well I am still shocked. It sucks big time and they really
> > should be doing better. Let's hope Scott's article gets some coverage and
> > finds its way back to them.
> >
> > On 16 January 2014 09:32, Źmicier Januszkiewicz <gauri@....by> wrote:
> >>
> >> > Absolutely shocking lack of security considerations.
> >>
> >> Is it, really? I've got a feeling that companies don't give a s--t
> >> about your data, your privacy, and so on (proved by numerous examples
> >> out there), unless absolutely required to do so by law, and there is a
> >> good reason behind that. It is not a charity fund, you see; a company
> >> is all about money, even if they state otherwise via their "motto" or
> >> "mission", and as we all know, a dollar saved is a dollar earned... So
> >> they try to get it working by hiring 1-2
> >> Chinese/Indian/Pakistan/Younameit techies (not because they are bad at
> >> what they do, but because they are cheap), and squeeze them until the
> >> stuff is working somewhat. And that's it! Then those who made it work
> >> are fired, and another group with even thinner payslip is hired for
> >> "support". Note that at no point any emphasis on security of the
> >> product is made -- a company is not interested in spending more money,
> >> and workers are not interested in spending their life without any
> >> compensation.
> >>
> >> Why is a company not interested? Just some simple calculations anyone
> >> can do: having a working device/service/whatever brings in paying
> >> customers, having a secure device/service/whatever brings in expenses.
> >> So, we get the usual "sorry, we have no budget for that!" reply even
> >> if one asks for a security review.
> >>
> >> And then, see, even if your company manages to produce a "highly
> >> secure" device/service by hiring N brilliant minds and paying a
> >> 5-digit/mo each of them, then magic happens -- the cost of the end
> >> product is so high nobody buys it! Surprise! Will you pay 300 pounds
> >> more for something that does the same, but claims to be "secure"? No.
> >> Will a punter pay 300 pounds more for that? Hell no. Just as simple as
> >> that.
> >>
> >> I do find it amusing as people get "shocked" by such a simple thing...
> >>
> >>
> >> 2014/1/16 Dan Ballance <tzewang.dorje@...il.com>:
> >> > What a great write up and what an appalling mess for a UK ISP to be in
> >> > in
> >> > 2014. Absolutely shocking lack of security considerations. Thanks for
> >> > sharing this. I've just followed you on Twitter as well,
> >> >
> >> > cheers,
> >> >
> >> > Dan.
> >> >
> >> >
> >> > On 15 January 2014 20:28, Scott Helme <scotthelme@...mail.com> wrote:
> >> >>
> >> >> The BrightBox router is the standard equipment issued by UK ISP Everything
> >> >> Everywhere (EE) to its subscribers.
> >> >>
> >> >> The device not only leaks sensitive data but is remotely exploitable too.
> >> >> An attacker even has the ability to take control of your account as the
> >> >> router leaks your ISP account credentials.
> >> >>
> >> >> You can read the full article here:
> >> >> https://scotthelme.co.uk/ee-brightbox-router-hacked/
> >> >>
> >> >> Scott.
> >> >>
> >> >> _______________________________________________
> >> >> Full-Disclosure - We believe in it.
> >> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> >> Hosted and sponsored by Secunia - http://secunia.com/
> >> >
> >>
> >
>
