Fact Checking

Craig Wright is on the Board of Directors for GICSR (Global Institute for Cybersecurity + Research) and has ‘fact checked’ the ‘Fact Check’ article written by Scot Terban. See article here: FACT CHECK: SCADA Systems Are Online Now.

Of more interest to me than the fact checking is the very common story I’ve seen of systems that were put in place by a group of people, who’ve handed over the reins to someone else, who in turn have passed it on to yet another someone, and the knowledge of how the system actually works is gone.

I see this daily on a small scale and every now and again, it’s a not-so-small system that’s completely just flying on its own. No-one knows quite how it works, or even quite what it does.

The only way to reduce the risks inherent in these systems is to have good, clear documentation. Documentation that includes people’s names, such as employees, contractors, suppliers, even competitors, that someone might be able to at least contact 10 years later and say “Hey, do you remember working on the xyz project? Would you be able to help us out here?”

Just a thought.

Stupid security

This sort of thing REALLY annoys me. Security through obscurity is a FEATURE of this product, the Wyse V10L thin client.

To quote:

And, with an unpublished API, Wyse Thin OS is one of the most secure operating systems on the market.

What rot. What that means translated is “not many people know how our stuff works, so therefore not many people can exploit it”.

And, yes, this may truly mean that it isn’t often exploited. But at some point it will be. Far better to be secure by design than by lack of being a target.

Security isn’t virtual

When speaking with some people, it has been evident that they figured virtual servers were more secure than traditional physical servers.

This quote: “I don’t want to be reverse engineering our products to find exploits or figure out signatures, fundamentally, that means we have to partner. Fortunately, there is a bunch that are happy to partner and I encourage that.” by VMware founder and chief scientist Mendel Rosenblum certainly indicates that there are security concerns (found via: VMTN Blog).

My take on it is this: not only do virtual servers have the same set of security issues as a physical server, but because there are now ‘more components in the system’ there are also more ‘points of failure’, that is, there are now more things to consider in order to make things safe.

Update 21st Sept 2007 3:32pm: see this on the latest VMware bugs.