lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: 19 Jun 2008 17:41:40 -0000
Subject: An Apology.

Yes Thor, you are correct. I should have handled this better and I offer my sincere apologies to everyone.

I posted this tongue in cheek hoping that people would read it and think. Rather it has become a mockery. I wanted to make the point that thinking about embedded devices and other equipment is essential. This is not how it has panned out.

As an example of what the issue is I have seen a printer that was used as a Warez site in a company. Even when notified of this, nothing was done as the printer "still worked fine". Patching Windows is bad enough, but little attention is ever paid to appliances (network or otherwise).

Reversing on demand is becoming common. Crime has more money to spend then security teams and pen testing does not reflect what attackers do (other than non-targeted attacks). The economics of an attack based strategy favour the criminal, not the tester.

I have in the last 4 years seen an appliance (not the current one) on the same network as a SCADA system. In this case the firewall had a hole to allow access to the device. As far as I know it is still active. The argument was that "who cares if you compromise the sprinkler system". Of course it is easy to forget that the SCADA system was meant to be protected by the firewall and remote access to an embedded Linux system was a way to do this.

I have seen 100s of systems ignored as they have not got a common vulnerability. A Nessus, Metaspolit, Core etc scan of an appliance will come up clean as nobody cares to check unusual devices in the first place.

This was some of the point I failed to make.

I have been asked not to comment further on this using my work email and will also limit what I say other than the apology on my University one for the time being.

Offering code online would be completely irresponsible. So I shall not be doing this. I doubt that the company would even 25% of the people who have the product. Even with the press it is unlikely that most of the few users would even now know or could be contacted.

Anybody who actually owns the product I shall help offline if they contact me directly.

Craig Wright

Powered by blists - more mailing lists