At 10:13 AM 8/16/03 -0400, Roy M. Silvernail wrote:
> Security, as Schneier says, is a process. It's also a mindset, and I think one either has the mindset or he doesn't. And for those that don't have it, it is *very* difficult to impart.
And you don't get any droid-demonstrable features for all your efforts. Whereas being able to control <whatever> from a network has gee-whiz sellability. And the customer has a hard time imagining the attack: how are they going to find the network, how are they going to guess the password? I had the pleasure ca 1997 of figuring out how to browser-enable a multiton industrial machine (the kind with big red "stop" buttons, rotating lights on it when it was operating, and stickers showing various forms of dismemberment possible) once. A password was the only access control. I hope anyone who installed this understood firewalling and air gapping... (Meanwhile, my garage door is "protected" merely by the number of possibilities, 256.)
On Sunday 17 August 2003 11:43, Major Variola (ret) wrote:
> I had the pleasure ca 1997 of figuring out how to browser-enable a multiton industrial machine (the kind with big red "stop" buttons, rotating lights on it when it was operating, and stickers showing various forms of dismemberment possible) once. A password was the only access control. I hope anyone who installed this understood firewalling and air gapping...
Don't count on it. I know of a number of the type of machine you describe that shipped with default networking on NT 4 SP3, destined for some factory's LAN. These are machine tool users, not IT grads. Think they'll remember to air-gap the tooling? They also shipped with Explorer as the shell. Guess they never heard of alt-tab. Oh, and let's not forget... no virus scanner and no OS update policy. "The old DOS system didn't need those extra costs!" ;) The high point of one service call was catching the operator playing solitaire on the control console of a very large and very dangerous machine.
Participants (2): Major Variola (ret), Roy M. Silvernail