Ever since I read an article about the challenges of remote laser surgery being done by doctors at the Naval Hospital in Bethesda, MD, via satellite link on wounded soldiers in Iraq, I've been warning for years about the need to apply software assurance principles to the development and testing - and SCRM to the acquisition - of medical devices and their embedded software. I'm delighted to see someone with your influence start warning those who confuse software correctness and safety with software security of the potential havoc that can potentially be wrought by malevolent actors as these little widgets become increasingly networked and even Internet-accessible.
What I want to know is this: When is someone who can actually make a difference going to FINALLY figure out the real potential hazards of the Internet of Things? Certain physical systems and devices really should NEVER be connected to the public Internet - e.g., most Industrial Control Systems, all medical devices, any plane, train, or automobile. And others really never NEED to be Internet-connected. I mean, do we really, REALLY need to be able to access our refrigerators or washing machines over the Web? Aren't we all growing obese enough without making things so bloody convenient that we needn't even walk the 20 feet from the bedroom to the kitchen or laundry room to program the coffee maker or start another rinse cycle? Manufacturers of the latter need to stop trying so bloody hard to "improve" products that no longer need improvement. There does come a time when a technology goes as far as it can go - and any further attempts to "improve" it are either purely cosmetic, unnecessary, or dangerous. I wish all these manufacturers who waste their time trying to invent a better toaster would, instead, invent something entirely new to solve a problem that hasn't already been solved quite adequately for many decades. No wonder American manufacturing is no longer competitive. All they do is continually rearrange deck chairs on the Titanic to improve the view as the boat sinks, instead of inventing a new means of transportation that actually CANNOT be taken down by an iceberg.

===
Karen Mercedes Goertzel, CISSP
Senior Lead Scientist
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com

"Answers are easy. It's asking the right questions which is hard."
- The Doctor

________________________________________
From: SC-L [sc-l-boun...@securecoding.org] on behalf of security curmudgeon [jeri...@attrition.org]
Sent: 06 July 2014 01:21
To: Gary McGraw
Cc: Chandu Ketkar; Secure Code Mailing List
Subject: [External] Re: [SC-L] SearchSecurity: Medical Devices and Software Security

On Mon, 30 Jun 2014, Gary McGraw wrote:

: Chandu Ketkar and I wrote an article about medical device security based
: on a talk Chandu gave at Kevin Fu's Archimedes conference in Ann Arbor.
: In the article, we discuss six categories of security defects that
: Cigital discovers again and again when analyzing medical devices for our
: customers. Have a look and pass it on:
:
: http://bit.ly/1pPH56p
:
: As always, your feedback is welcome.

Per your request, my feedback:

Why do so many security professionals think we need yet another article on medical devices that gives a high-level overview, that ultimately boils down to "medical devices are not secure"? We see these every month or three, and have for a long time. Other than medical vendors who are very resistant to the idea that their devices have issues, who is this written for? Who exactly outside medical vendors thinks that those devices are secure?

These articles do nothing.. absolutely nothing, to fix problems. They are bandwagon articles jumping on the 'medical security' wave that has some attention right now. Everyone writing these articles seems to be completely new to the medical arena. Most that write this crap that I have talked to can't speak to any of the history of medical disclosures. Names like Fu and Halperin are foreign to them, and the importance of 1985 in the timeline of medical issues is lost on them. If you find yourself Googling any of those, thanks for proving my point. This shit is not new.

These articles are NOT advancing our field or the medical field. Sure, you are getting a slice of attention for the issue, but mostly in our echo chamber.

Finally, your intro.

"Since 1996 my company has analyzed hundreds of systems..."

Really? Hundreds? You might want to fix that, else you come across as complete n00bz in the industry. I've done single engagements that involved tens of thousands of machines. Perhaps you want to qualify that to mean hundreds of vendors? Hundreds per month/year?

To illustrate I am not the only one who feels this way:

https://twitter.com/attritionorg/status/485652525589086209

1 minute later:

https://twitter.com/SteveSyfuhs/status/485652988044656640

Seriously, dare to evolve.

.b

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________