lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTikYn=gCjk-dBQOb9X61trAsPjYjeFw1u+_WE-Ug@mail.gmail.com>
Date: Thu, 24 Mar 2011 11:12:07 -0700
From: Michal Zalewski <lcamtuf@...edump.cx>
To: CJC <parttimesecurityguy@...il.com>
Cc: Theo de Raadt <deraadt@....openbsd.org>,
	Jim Harrison <jim@...tools.org>,
	Luigi Auriemma <aluigi@...istici.org>,
	"J. Oquendo" <sil@...iltrated.net>, bugtraq@...urityfocus.com
Subject: Re: Vulnerabilities in some SCADA server softwares

> A lot of people are failing to see the vendors customer side of things.
>  Industrial Control Systems (ICS), SCADA users, historically have their
> focus on availability (you don`t want you electricity/water/petrocehmicals
> being cut now do you) and safety (no one want to die making sure you get
> your electricity/water/petrochemicals), and security was never an issue
> because the SCADA systems were air gapped and the security needs were
> different that IT security.

Exactly the same arguments could have been brought up 15 years ago
against the then-disruptive and novel disclosure of vulnerabilities in
Unix systems or in Windows ("you can't just expect to shut down a bank
and roll out potentially disruptive security updates every week!"
coupled with "vendors certainly know what's best for us"). Back then,
commodity OSes have been designed insecurely because of similar
business considerations, and not because of malice.

The roots of BUGTRAQ are with the movement to end bug secrecy of that
era. It caused some pain, and also caused some significant long-term
improvements by convincing the public and the vendors that security is
something you simply can't afford not to care about.

Views on the cost / benefit balance of this process are varied, of
course, but knowing what I learned thanks to this process, I sure
wouldn't want to be using any of the operating systems available back
then.

/mz

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ