Dailydave mailing list archives

Re: Printers


From: dan () geer org
Date: Thu, 14 Feb 2008 19:57:04 -0500


"Adrian P" writes:
-+----------------
 | Well, to me, embedded devices are the overlooked backdoor to
 | corporate networks. There is not enough attention being paid
 | to "miscellaneous" embedded devices such as IP phones, cameras,
 | printers, etc ... 


As far as I can tell, the general purpose computer is dead;
it just doesn't know it yet.  Nearly all the NYC banks of
note are returning to time-share (with modern accouterment)
and so-called service-oriented architecture (SOA) or software
as a service (SAAS) are little more than time-share with the
Internet in lieu of the mainframe backplane.  Example, the
newest trading floor of which I am aware has no PCs at all, only
displays driven by VMs (typically Windows) running on big
iron (typically IBM Linux) in distant, redundant, obscure
data centers.  The reason is their realization that securing
the desktop is a fool's errand and security is, in any case,
a subset of reliability.

If we are to talk about the future, then we talk about
embedded systems as they are already two orders of magnitude
more numerous than keyboards and displays hence the future
threat space, which we must lead in the same way one leads
the deer when hunting, is a threat space where a computer is
not identifiable as such but is instead inside some
nondescript appliance.

So, starting what may be an embedded system thread, let me
ask whether an embedded system should or should not have a
remote management interface?  If it does not, then a late
discovered flaw cannot be fixed without visiting all the
embedded systems which is likely to be infeasible both
because some will be where you cannot go and there will be
too many of them anyway.  If it does have a remote management
interface, the opponent of skill focuses on that and, once a
break is achieved, will use those self-same management
functions to ensure that not only does he retain control over
the long interval but, as well, you will be unlikely to know
that he is there.

This leads me to a proposal: Embedded systems, if having no
remote management interface and thus out of reach, are a life
form and, as Agent Smith said, the purpose of life is to end,
i.e., an embedded system without a remote management
interface must be so designed as to be certain to die no
later than some fixed time.  Conversely, an embedded system
with a remote management interface must be sufficiently
self-protecting that it is capable of refusing a command.

The singularity approaches,

--dan

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
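As an added illustration of the two rules proposed in the post above (this is not code from the list or its author): a small Python model in which a device with no remote management interface carries a fixed end of life, while a remotely managed device keeps enough self-protection to refuse a command. It assumes HMAC-signed JSON commands with a monotonic sequence number, a hypothetical set of operations the device never accepts, and a constructed demo key.

```python
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical operations that would defeat the device's own self-protection;
# under the second rule the device refuses these even from a valid operator.
REFUSED_OPS = {"disable_auth", "disable_log"}


def sign(key: bytes, msg: bytes) -> str:
    """Operator side: HMAC-SHA256 over the raw command bytes (constructed scheme)."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Device:
    def __init__(self, key: Optional[bytes], end_of_life: Optional[float]):
        # key=None models "no remote management interface"; such a device must
        # carry a fixed end of life (first rule). A managed device may live on.
        assert key is not None or end_of_life is not None, "unmanaged device needs an end of life"
        self.key, self.end_of_life = key, end_of_life
        self.last_seq = 0        # highest sequence number accepted so far
        self.audit = []          # every decision is recorded, accepted or not

    def alive(self, now: float) -> bool:
        return self.end_of_life is None or now < self.end_of_life

    def handle(self, msg: bytes, sig: str, now: float) -> str:
        """Return 'ok: <op>' or 'refused: <reason>' and append the verdict to the audit log."""
        verdict = self._decide(msg, sig, now)
        self.audit.append((now, verdict))
        return verdict

    def _decide(self, msg: bytes, sig: str, now: float) -> str:
        if not self.alive(now):
            return "refused: end of life"            # the unmanaged device simply stops
        if self.key is None:
            return "refused: no management interface"
        if not hmac.compare_digest(sign(self.key, msg), sig):
            return "refused: bad signature"         # unauthenticated traffic is ignored
        cmd = json.loads(msg)
        if cmd.get("seq", 0) <= self.last_seq:
            return "refused: replay"                # a captured valid command cannot be reused
        self.last_seq = cmd["seq"]
        if cmd.get("op") in REFUSED_OPS:
            return "refused: policy"                # the device can say no to its own operator
        return f"ok: {cmd['op']}"
```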

