lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAH72vigvpAwSQU6ncMwO8EfD7k4xGT8BAsiR=kd-e+fBAQqAOg@mail.gmail.com>
Date: Thu, 16 Jan 2014 12:00:18 +0100
From: Źmicier Januszkiewicz <gauri@....by>
To: gold flake <ptinstructor@...il.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: EE BrightBox router hacked - bares all if you
 ask nicely

No sir, I believe I should have been more explicit at that than I was
-- I did not mean to say it is about nationalities. What I meant was a
simple matter of development costs when hiring personnel, and I think
you won't argue that a developer in UK costs less than a developer in
e.g. China or Pakistan, or Poland, or Belarus to that matter, will
you? It doesn't have anything to do with their culture at all, and
this point is proven by businesses hiring more and more from those
countries, simply because it is cheap. Please do not try to find any
point to start a "is this because I'm {insert something here}" thread
-- there was no intention to hurt anyone, and I did mean no offense to
any of the people of whatever race, nationality, or sexual
preferences, or whatever else, and I apologise if it sounded like
that. Let's abstract from whatever is used to differentiate between
social groups and concentrate on costs and expenses alone, alright?

What I was trying to say is that making a good and secure product is
not that important for the industry. Making a product that is "good
enough" is, and note that "good enough" does not include exhaustive
usability or security testing -- nobody is really willing to pay for
that. Maybe this is the problem we all should try to solve instead of
being shocked by another "0day haxx" of a cheap router provided by a
cheap ISP?

True, there are folks that care, like Scott, but how many of them are
out there? I bet it is well below 1% of all the users of that ISP.
Even if he would be willing to pay more for "more secure" product,
this likely won't justify the ISP's expenses on actually implementing
the additional security measures for existing products, testing them,
and, more important, keeping the firmware images up to date with
latest security patches (I bet it is not patched regularly, same as
all the others). So how can a company spend an extra budget on a SIRT
team + dev trainings + ... and still be competitive on the consumer
device market, where price is all that matters to most of buyers?
Discuss?


2014/1/16 gold flake <ptinstructor@...il.com>:
> May be off-topic but your rant got me wondering as to way suddenly
> nationalities are brought into picture when bad coding/security practices,
> etc, are being discussed. Is it really the culture of these countries (you
> mentioned India, Pakistan and China) that encourages slip-shod,
> corner-cutting work methodology that is to blame or is it something else? If
> something else, then why bring nationalities into the secure development
> debate? Or do we reserve Britishers to be labeled only as pedophiles and
> very good programers (just as an example)?  I think what you are trying to
> say is that it is the fault of the industry to push bad products on a public
> that does not know enough to care about.
>
>
>
>
> On Thu, Jan 16, 2014 at 3:02 PM, Źmicier Januszkiewicz <gauri@....by> wrote:
>>
>> > Absolutely shocking lack of security considerations.
>>
>> Is it, really? I've got a feeling that companies don't give a s--t
>> about your data, your privacy, and so on (proved by numerous examples
>> out there), unless absolutely required to do so by law, and there is a
>> good reason behind that. It is not a charity fund, you see; a company
>> is all about money, even if they state otherwise via their "motto" or
>> "mission", and as we all know, a dollar saved is a dollar earned... So
>> they try to get it working by hiring 1-2
>> Chinese/Indian/Pakistan/Younameit techies (not because they are bad at
>> what they do, but because they are cheap), and squeeze them until the
>> stuff is working somewhat. And that's it! Then those who made it work
>> are fired, and another group with even thinner payslip is hired for
>> "support". Note that at no point any emphasis on security of the
>> product is made -- a company is not interested in spending more money,
>> and workers are not interested in spending their life without any
>> compensation.
>>
>> Why a company is not interested? Just some simple calculations anyone
>> can do: having a working device/service/whatever brings in paying
>> customers, having a secure device/service/whatever brings in expenses.
>> So, we get the usual "sorry, we have no budget for that!" reply even
>> if one asks for a security review.
>>
>> And then, see, even if your company manages to produce a "highly
>> secure" device/service by hiring N brilliant minds and paying a
>> 5-digit/mo each of them, then magic happens -- the cost of the end
>> product is so high nobody buys it! Surprise! Will you pay 300 pounds
>> more for something that does the same, but claims to be "secure"? No.
>> Will a punter pay 300 pounds more for that? Hell no. Just as simple as
>> that.
>>
>> I do find it amusing as people get "shocked" by such a simple thing...
>>
>>
>> 2014/1/16 Dan Ballance <tzewang.dorje@...il.com>:
>> > What a great write up and what an appalling mess for a UK ISP to be in
>> > in
>> > 2014. Absolutely shocking lack of security considerations. Thanks for
>> > sharing this. I've just followed you on Twitter as well,
>> >
>> > cheers,
>> >
>> > Dan.
>> >
>> >
>> > On 15 January 2014 20:28, Scott Helme <scotthelme@...mail.com> wrote:
>> >>
>> >> The BrightBox router is the standard equipment issued by UK ISP
>> >> Everything
>> >> Everywhere (EE) to its subscribers.
>> >>
>> >> The device not only leaks sensitive data but is remotely exploitable
>> >> too.
>> >> An attacker even has the ability to take control of your account as the
>> >> router leaks your ISP account credentials.
>> >>
>> >> You can read the full article here:
>> >> https://scotthelme.co.uk/ee-brightbox-router-hacked/
>> >>
>> >> Scott.
>> >>
>> >> _______________________________________________
>> >> Full-Disclosure - We believe in it.
>> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >> Hosted and sponsored by Secunia - http://secunia.com/
>> >
>> >
>> >
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ