On Wed, Mar 23, 2011 at 02:36:38PM -0400, J. Oquendo wrote:
On 3/23/2011 2:13 PM, Theo de Raadt wrote:
If *any* threat exists,
that threat is increased by public exposure of unmitigated attack
methodology
I think you have it wrong.
Public exposure increases the visibility, and
On 3/23/2011 11:27 AM, Kent Borg wrote:
Would I install a stack of SCADA upgrades to *my* functioning
factory? Maybe not.
Scary, scary stuff.
Security needs to be designed in, implemented carefully each step
along the way, and reviewed. Instead people with security in their
job title so
On Mon, 21 Mar 2011, J. Oquendo wrote:
Reality: Car manufacturer was never made aware of the issue. How do you
propose a manufacturer fix an issue?
Due diligence. If you sell a car that falls apart when someone pokes it
with a finger--or a piece of mission-critical software where someone with
The correct time for vendors to do their own homework on SCADA was
2003 - that was the wakeup call. Anyone who has programmed for SCADA
has always wondered what would happen if they started poking
undocumented values into undocumented registers, but may not have the
luxury of trying it out.
On 03/23/2011 03:01 PM, Jim Harrison wrote:
BTW, now that you know about it and there is no defined mitigation, what
exactly*will* you do about it?
This seems rather obvious, but
1. Ensure none of the affected SCADA systems are present on my work's
network (BTW none are present on my
If *any* threat exists,
that threat is increased by public exposure of unmitigated attack
methodology
I think you have it wrong.
Public exposure increases the visibility, and therefore customers
install the patches quicker.
Without public visibility, they will keep running the old
Simple Nomad wrote:
2. Ensure that these systems, if they exist, are not accessible from
either the Internet or even the local network where most of the users
are.
Much easier said than done.
The really scary SCADA systems are small cogs in large facilities that
have been built up
On 23/03/2011 6:13 PM, Theo de Raadt wrote:
If *any* threat exists,
that threat is increased by public exposure of unmitigated attack
methodology
I think you have it wrong.
Public exposure increases the visibility, and therefore customers
install the patches quicker.
Without public
A lot of people are failing to see the vendors customer side of things.
Industrial Control Systems (ICS), SCADA users, historically have their
focus on availability (you don't want your electricity/water/petrochemicals
being cut now do you) and safety (no one wants to die making sure you get
Analogy: Car owner has his car speed up ending up in almost near
catastrophe. Car owner goes to media outlets condemning the
manufacturer: How could you be so reckless! Thousands of lives...
Reality: Car manufacturer was never made aware of the issue. How do you
propose a manufacturer fix an
: Michal Zalewski [mailto:lcam...@coredump.cx]
Sent: Tuesday, March 22, 2011 2:24 PM
To: J. Oquendo
Cc: Luigi Auriemma; bugtraq@securityfocus.com
Subject: Re: Vulnerabilities in some SCADA server softwares
Analogy: Car owner has his car speed up ending up in almost near
catastrophe. Car owner
While I support full disclosure, I also advocate responsible disclosure. The
public _has_ a right to know, but in this case, they can play no significant
part in remedy or mitigation unless they are employees of the vendor or the
customer. I believe the best course of action for a SCADA
I believe the best course of action for a SCADA vulnerability would be to
let the vendor know first,
That's fine, but the controversy around the proper mode of disclosure
is here to stay. For every good argument you make, there is an equally
compelling counter-argument that other reasonable
...@autistici.org]
Sent: Wednesday, March 23, 2011 09:54
To: Jim Harrison
Cc: Michal Zalewski; J. Oquendo; bugtraq@securityfocus.com
Subject: Re: Vulnerabilities in some SCADA server softwares
I fundamentally disagree with the idea that public disclosure as a
means of vendor notification serves any purpose
On 3/23/2011 12:54 PM, Luigi Auriemma wrote:
I fundamentally disagree with the idea that public disclosure
as a means of vendor notification serves any purpose
so now the question is, why don't all these good guys spend their
personal time and skills to find these vulnerabilities and reporting
If *any* threat exists,
that threat is increased by public exposure of unmitigated attack
methodology
I think you have it wrong.
Public exposure increases the visibility, and therefore customers
install the patches quicker.
Without public visibility, they will keep running the old code.
On 3/23/2011 2:13 PM, Theo de Raadt wrote:
If *any* threat exists,
that threat is increased by public exposure of unmitigated attack
methodology
I think you have it wrong.
Public exposure increases the visibility, and therefore customers
install the patches quicker.
Without public
I fundamentally disagree with the idea that public disclosure
as a means of vendor notification serves any purpose
no problem, if you don't agree with full-disclosure or how I and the
other researchers like me handle these security vulnerabilities you have
the full power and freedom of finding
On 3/23/11 9:46 AM, J. Oquendo wrote:
How about we reflect reality?
We can't honestly do that, we all only have our perception. It's funny
how we can get stuck in a trap of 0 and 1.
My perception is we'll always disagree on disclosure technique, or at
least nitpick some minor detail into
On 03/23/2011 01:36 PM, J. Oquendo wrote:
You're flawed in your response: Public exposure increases the
visibility, and therefore customers install the patches quicker. ...
When someone full discloses a vulnerability, there is no patch to
install quicker. This is obvious because there is no patch
On 3/23/2011 2:13 PM, Theo de Raadt wrote:
If *any* threat exists,
that threat is increased by public exposure of unmitigated attack
methodology
I think you have it wrong.
Public exposure increases the visibility, and therefore customers
install the patches quicker.
Without
J. Oquendo wrote:
At what point in time did you try contacting any of the vendors for
these issues?
SCADA systems are infamous for being terribly insecure. (You can search
the internet for demonstration video of equipment catching fire because
of such bugs.) SCADA manufacturers seem to
On 3/21/2011 12:16 PM, Luigi Auriemma wrote:
The following are almost all the vulnerabilities I found for a quick
experiment some months ago in certain well known server-side SCADA
softwares still vulnerable in this moment.
At what point in time did you try contacting any of the vendors for
At what point in time did you try contacting any of the vendors for
these issues?
the vendors of the affected softwares have not been contacted.
How do you propose a manufacturer fix an issue?
in the security field a public vulnerability is a dead vulnerability,
anyone who has found and
The following are almost all the vulnerabilities I found for a quick
experiment some months ago in certain well known server-side SCADA
softwares still vulnerable in this moment.
In case someone doesn't know SCADA (like me before the tests): it's
just one or more softwares (usually a core, a
25 matches