Dailydave mailing list archives
Re: Printers
From: dan () geer org
Date: Thu, 14 Feb 2008 19:57:04 -0500
"Adrian P" writes:
-+----------------
 | Well, to me, embedded devices are the overlooked backdoor to
 | corporate networks. There is not enough attention being paid
 | to "miscellaneous" embedded devices such as IP phones, cameras,
 | printers, etc ...

As far as I can tell, the general purpose computer is dead; it just doesn't know it yet. Nearly all the NYC banks of note are returning to time-share (with modern accouterment) and so-called service-oriented architecture (SOA) or software as a service (SAAS) are little more than time-share with the Internet in lieu of the mainframe backplane. Example, the newest trading floor of which I am aware has no PCs at all, only displays driven by VMs (typically Windows) running on big iron (typically IBM Linux) in distant, redundant, obscure data centers. The reason is their realization that securing the desktop is a fool's errand and security is, in any case, a subset of reliability.

If we are to talk about the future, then we talk about embedded systems as they are already two orders of magnitude more numerous than keyboards and displays hence the future threat space, which we must lead in the same way one leads the deer when hunting, is a threat space where a computer is not identifiable as such but is instead inside some nondescript appliance.

So, starting what may be an embedded system thread, let me ask whether an embedded system should or should not have a remote management interface? If it does not, then a late discovered flaw cannot be fixed without visiting all the embedded systems which is likely to be infeasible both because some will be where you cannot go and there will be too many of them anyway. If it does have a remote management interface, the opponent of skill focuses on that and, once a break is achieved, will use those self-same management functions to ensure that not only does he retain control over the long interval but, as well, you will be unlikely to know that he is there.

This leads me to a proposal: Embedded systems, if having no remote management interface and thus out of reach, are a life form and, as Agent Smith said, the purpose of life is to end, i.e., an embedded system without a remote management interface must be so designed as to be certain to die no later than some fixed time. Conversely, an embedded system with a remote management interface must be sufficiently self-protecting that it is capable of refusing a command.

The singularity approaches,

--dan