Agree with you - there's nothing new in the article. I gave a talk a couple years ago at a conference on biomedical engineering, and there was one person in the room (out of a few hundred) who had heard of Therac-25. (Which I assume is what you were referring to with 1985.)
If the article were instead published in a medical device or biomedical engineering journal, that would be something different. But as you say, putting it in on SearchSecurity is just the echo chamber of security folks. IMHO, anyone who builds medical devices that use software and hasn't read about Therac-25 should be considered as unqualified. (And if that gets anyone on the list to pull out Google, who didn't recognize the reference to 1985, so much the better!) On Sun, Jul 6, 2014 at 1:21 AM, security curmudgeon <jeri...@attrition.org> wrote: > > On Mon, 30 Jun 2014, Gary McGraw wrote: > > : Chandu Ketkar and I wrote an article about medical device security based > : on a talk Chandu gave at Kevin Fu?s Archimedes conference in Ann Arbor. > : In the article, we discuss six categories of security defects that > : Cigital discovers again and again when analyzing medical devices for our > : customers. Have a look and pass it on: > : > : http://bit.ly/1pPH56p > : > : As always, your feedback is welcome. > > Per your request, my feedback: > > Why do so many security professionals think we need yet another article on > medical devices that give a high-level overview, that ultimately boils > down to "medical devices are not secure"? > > We see these every month or three, and have for a long time. Other than > medical vendors who are very resistent to the idea that their devices have > issues, who is this written for? Who exactly outside medical vendors think > that those devices are secure? > > These articles do nothing.. absolutely nothing, to fix problems. They are > bandwagon articles jumping on the 'medical security' wave that has some > attention right now. Everyone writing these articles seems to be > completely new to the medical arena. Most that write this crap that I have > talked to can't speak to any of the history of medical disclosures. Names > like Fu and Halperin are foreign to them, and the importance of 1985 in > the timeline of medical issues is lost on them. If you find yourself > Googling any of those, thanks for proving my point. > > This shit is not new. These articles are NOT advancing our field or the > medical field. Sure, you are getting a slice of attention for the issue, > but mostly in our echo chamber. > > Finally, your intro. "Since 1996 my company has analyzed hundreds of > systems..." Really? Hundreds? You might want to fix that, else you come > across as complete n00bz in the industry. I've done single engagements > that involved tends of thousands of machines. Perhaps you want to qualify > that to mean hundreds of vendors? Hundreds per months/year? > > To illustrate I am not the only one who feels this way: > https://twitter.com/attritionorg/status/485652525589086209 > > 1 minute later: > https://twitter.com/SteveSyfuhs/status/485652988044656640 > > Seriously, dare to evolve. > > .b > _______________________________________________ > Secure Coding mailing list (SC-L) SC-L@securecoding.org > List information, subscriptions, etc - > http://krvw.com/mailman/listinfo/sc-l > List charter available at - http://www.securecoding.org/list/charter.php > SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) > as a free, non-commercial service to the software security community. > Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates > _______________________________________________ >
_______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates _______________________________________________
