Secret Software Security

  • Wayne West

    SSC-Insane

    Points: 22586

    djackson 22568 (11/2/2015)


    Wayne West (11/2/2015)


    ... There was a recent Onion article that China is having problems hiring enough hackers because the USA is discovering more vulnerabilities too quickly.

    Awe, I feel so bad for china... Not! However given how poor the US is at patching, I have my doubts as to how true this is. Given the complete lack of truthfulness in the media, I wouldn't be surprised to find that the story had zero to little truth in it.

    It's The Onion. By definition there's zero to little truth in it.

    http://www.theonion.com/article/china-unable-recruit-hackers-fast-enough-keep-vuln-51719

    -----
    [font="Arial"]Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson[/font]

  • benjamin.reyes

    SSCertifiable

    Points: 5249

    You know what the Onion is right?

    -I was too late

  • Ray Herring

    SSCertifiable

    Points: 5533

    "but I also truly believe that the pressures of getting software released overwhelm the concerns and dangers that exist overall. "

    You can talk about "the idiots that design" or "trusting to the good will" or government conspiracy or whatever Machiavellian reason you care to but Steve identified the issue with in his excellent editorial.

    I have been in this business since the late 70's. Military, regulated Telcos, commercial, VAR, professional services, in house support, etc. I have never, not ever, sat in a preliminary design meeting, project status meeting, or delivery meeting where management was interested in delaying the start or finish of a project to ensure security, reliability, etc. goals were met.

    I can sum up the typical agenda in the typical questions asked by management/sales.

    When will Feature X be available? (BTW, Can you add ... to the feature?)

    Why are you wasting time re-factoring?

    Can we deliver a week, month, quarter early?

    How can we reduce the costs?

    The closest I have come were discussions of which bugs had to be fixed in a given delivery but the bugs rarely concerned security or even performance issues.

  • djackson 22568

    SSChampion

    Points: 11713

    Ray Herring (11/2/2015)


    "but I also truly believe that the pressures of getting software released overwhelm the concerns and dangers that exist overall. "

    You can talk about "the idiots that design" or "trusting to the good will" or government conspiracy or whatever Machiavellian reason you care to but Steve identified the issue with in his excellent editorial.

    ...I have never, not ever, sat in a preliminary design meeting, project status meeting, or delivery meeting where management was interested in delaying the start or finish of a project to ensure security, reliability, etc. goals were met....

    The closest I have come were discussions of which bugs had to be fixed in a given delivery but the bugs rarely concerned security or even performance issues.

    Nice. I agree with your points, but I'll stick by what I said. At no point did I disparage "all designers" or "all developers". I called out a select few idiots because what they did was clearly idiotic. The only one with any reason to take offense to that would be the idiots alluded to in the post.

    Let's look at what I actually said.

    "auto companies need to be held responsible for the idiots that designed systems that would allow someone to control your vehicle through the radio."

    This sentence clearly puts the blame on management. Whenever someone says a company needs to be held responsible, they are referring to management.

    Also, "designed systems that would allow someone to control your vehicle through the radio" clearly calls out the "idiots" as idiots, because, well, how much of an idiot do you need to be to design something that poorly? I would love to hear one of those idiots, I mean engineers, argue that the design was due to pressure from above to do it quicker, I imagine we would have weeks of laughs on various social media sites!

    They designed a system that is part of a 2-ton killing machine, that allows anyone with Bluetooth access to take control of said killing machine remotely, without authorization, without any frickin security at all, and which allows that person to have complete unhindered control of the machine!

    I think that is about as bad as the idiots who designed and shipped UAVs without any security WHATSOEVER, that allowed people anywhere to access them. Nah, an automobile can be controlled by anyone who wants to murder, rape and rob innocent people anywhere. As bad as allowing anyone to view the remote feed from a UAV is, I think the auto example is far worse.

    I am sorry, but there is a huge difference between a bug that wasn't caught due to time constraints, and what is possibly the worst design decision of any software in the history of man.

    Dave

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 720963

    djackson 22568 (11/2/2015)


    Basically, don't require me to go to the dealer!

    Can't speak for others, but my BMW allows this. There is a USB port in the glove box that I've used to update firmware for the entertainment system. BMW doesn't advertise this, but you can do it yourself.

    I'm glad because the car has cellular connections, so I want to be able to patch it if they release one.

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 720963

    Wayne West (11/2/2015)


    This is one of the problems with the Internet of Things. If I have an IoT toaster, a low-margin item, is the vendor going to spend a lot of time to monitor it for vulnerabilities as time goes by? Is the OS even updatable?

    The IoT push is a big problem, and certainly far too many people are too trusting.

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 720963

    djackson 22568 (11/2/2015)


    I am sorry, but there is a huge difference between a bug that wasn't caught due to time constraints, and what is possibly the worst design decision of any software in the history of man.

    I don't know if it's the worst software design ever, but perhaps it might turn out to be one of the most reckless. Certainly it's poor design to have control mechanisms existing on the same OS and network as entertainment. Boeing, or at least United, has this on planes, which might be as bad or worse.

    To me, there should be separation of critical functions, like engines, steering brakes, etc. from entertainment. There should be separate OSes and separate physical (or even wireless) networks. There should be strong security for each, including the ability to disable remote connections. There should be separate ports for updating. or at least a separate physical port for the entertainment.

    Want to use the same screen? Use a switch to determine which OS gets the screen at the time.

    At the very least, at no time should a bug in the radio or bluetooth systems ever cause an issue in the control surfaces. Ever.

  • Gary Varga

    SSC Guru

    Points: 82166

    Steve Jones - SSC Editor (11/3/2015)


    ...At the very least, at no time should a bug in the radio or bluetooth systems ever cause an issue in the control surfaces. Ever.

    I'd like to think that we can all agree on that one.

    The only exception I can think as a potential viable design feature is the ability to utilise the "entertainment" network as a redundant network in case of emergency. Perhaps by then it is all too late anyway...we wouldn't ask a pilot to reboot would we?

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Wayne West

    SSC-Insane

    Points: 22586

    While I agree with your post, Steve, that control and entertainment should be isolated from each other, there's overlap. For example, if your car has OnStar or similar and you have a collision and your airbags inflate, the phone system automatically calls the central switch to see if you're OK or need emergency services.

    In an aircraft, I can't see any excuse for overlap. Yet when I flew from Phoenix to Denver on our way to Berlin, the flight had realtime mapping, which requires either a feed from the control systems or a redundant component to provide the information. You could also view this on your phone with the plane's WiFi. With efforts to shed every extra ounce on aircraft, I can't see an entertainment system being allowed a component that's already on the plane. You can do one-way feed with Ethernet which would theoretically prevent an entry point in to the control system, but would the designers think of that?

    -----
    [font="Arial"]Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson[/font]

  • djackson 22568

    SSChampion

    Points: 11713

    Steve Jones - SSC Editor (11/3/2015)


    djackson 22568 (11/2/2015)


    I am sorry, but there is a huge difference between a bug that wasn't caught due to time constraints, and what is possibly the worst design decision of any software in the history of man.

    I don't know if it's the worst software design ever, ...Boeing, or at least United, has this on planes, which might be as bad or worse.

    At the very least, at no time should a bug in the radio or bluetooth systems ever cause an issue in the control surfaces. Ever.

    You win hands down. I was not aware of that! Wow. Just wow.

    Dave

  • Bill Talada

    SSChampion

    Points: 11956

    I watched a terrifying TED talk about the findings of a group tasked to hack a car. All systems are hackable if you take your car to a mechanic. And several systems are hackable if you are in proximity to a vehicle. Cell phone jammers were sold last year allowing you to disconnect a call in the car beside you. These hacks can affect the engine, brakes, power steering, etc.

    I'm seeing two trends. The first is states are locking down their systems so much it is hard for me to do my work. The second trend is companies externalizing the burden of protecting customer data. Actually they're doing the opposite and capitalizing on people not reading legal terms releasing the company from all liability and selling data. With the exponential national debt you'll see these two trends get more extreme. Anyone not surfing from a sandbox is taking chances.

Viewing 11 posts - 16 through 26 (of 26 total)

You must be logged in to reply to this topic. Login to reply