Schneier on Freakonomics Blog
Looking for some interesting light reading this weekend? Check out the Q & A with Bruce Schneier on the Freakonomics blog.
Bruce is often a contrarian. His answers on passwords are always amusing, and he is a skeptic about the cyber threat to critical infrastructure:
Q: How worried are you about terrorists or other criminals hacking into the computer systems of dams, power plants, air traffic control towers, etc.?
A: Not very. Of course there is a security risk here, but I think it’s overblown. And I definitely think the risk of cyberterrorism is overblown.
Or how about this answer on wireless:
Q: Is there any benefit to password protecting your home Wifi network? I have IT friends that say the only real benefit is that multiple users can slow down the connection, but they state that there is no security reason. Is this correct?
A: I run an open wireless network at home. There’s no password, and there’s no encryption. Honestly, I think it’s just polite. Why should I care if someone on the block steals wireless access from me? When my wireless router broke last month, I used a neighbor’s access until I replaced it.
Author: Dale Peterson
Posted: December 9th, 2007 under Uncategorized.
Comments: 8
Comments
Comment from Bryan L Singer
Time: December 9, 2007, 12:15 pm
This falls into the category of: WTF???? Consider that precedent generally holds that it is ILLEGAL to use someone else’s wifi. Several cases have been successfully prosecuted, such as the first one noted here in 2005: http://www.boingboing.net/2005/07/07/florida-man-arrested.html.
Comment from Ron Southworth
Time: December 9, 2007, 5:55 pm
Perhaps he is trying to be controversial.
His blog has been quiet lately.
I think that he is reflecting a popular belief; with CIP, time will have the final say on this.
WR2 Wireless
I wonder how long it will stay unsecured when someone steals the next book he is working on. Or is he really saying that anything important does not reside on his wireless network? I wonder, if someone downloads kiddie porn from his network and the FBI come to take him away, whether he will secure it then.
Comment from Bryan L. Singer
Time: December 9, 2007, 6:17 pm
Herein lies the issue… You are responsible for what is on your network. And if someone sets up a porn site on your computer, or you didn’t take reasonable and prudent measures to protect against such things, there is a very good chance you will have a tough day in court proving you didn’t do this…
Comment from Dale Peterson
Time: December 9, 2007, 9:19 pm
I do believe a lot of what Bruce says is meant to be controversial and maybe to make you consider something from a different viewpoint. The latter isn’t bad. I actually met Bruce at a Crypto conference in the ’80s, before he was famous and just trying to learn for his Applied Cryptography book, which he brought with him to later events. He is an excellent writer whether you agree or disagree with him.
I think he is referring to a school of thought that perimeter security is doomed to failure and that endpoint security is what we should focus on. There is a project on this, I believe named castle. So in the wireless example, you could let anyone use the network, but they still could not affect the security of your endpoints. The more internetwork communication that is allowed and required, the more sensible this theory looks.
Comment from Ron Southworth
Time: December 10, 2007, 3:00 am
Well, he succeeded in getting people to discuss things, which is what I believe he is aiming for; I can relate to his intent. I don’t dislike him, for the record, and he definitely does turn a good phrase in a technical book or two …
(Castle) It is a good theory, provided the internetwork communications security encapsulation is not susceptible to inter-endpoint communication attacks (man in the middle). For non-real-time requirements where latency is not an issue, good crypto is available now.
Keeping ahead of what the bad guys can break is part of the cat-and-mouse game. Denial of service and distributed denial of service are still there, and I suspect always will be in some form or other.
Given that this is his stock in trade that would seem to be consistent with keeping your nest healthy.
Comment from Jake Brodsky
Time: December 10, 2007, 8:18 am
Bruce’s point in his earlier pronouncement was never justified. It’s just a feeling. Reading between the lines, I get the impression that he feels the physical infrastructure is the more likely target. I wonder if he still feels that way today, given the discovery of how much exposure SCADA and DCS systems actually have on the internet.
Speaking to Bryan’s second point about responsibility for one’s network, I agree. And if one doesn’t use network security features, then the responsibility falls back to the OS management level.
How many of us are good at THAT? (especially with Windows)
Comment from Ralph Langner
Time: December 10, 2007, 4:22 pm
As for his opinion on critical infrastructure and cyber terrorism, I couldn’t put it any differently than Bruce. Unfortunately, major forces in the marketplace, in government and in the research community have decided to make the cyber terrorist threat to critical infrastructure the big deal for SCADA security. While there are understandable and honourable reasons for this, it has become counterproductive, as the old FUD approach has become prominent. The downside is that, after all, we have significantly lost credibility.
According to my personal statistics, the majority of real-life security incidents can be attributed to 1. force majeure and equipment malfunction (as in the Browns Ferry incident), 2. accidental misconfiguration or misaddressing (like some overworked maintenance engineer typing in the wrong IP address in the heat of the battle and accessing the wrong controller – such everyday incidents rarely make it into the news), and 3. random malware infection (as in the Davis-Besse and DaimlerChrysler incidents). Well, these threats don’t make for dramatic scenarios that begin with “it was a dark and rainy night”. But they make a good case for getting the message over to management: We’re not talking about some evil turban-wearing guys sitting in a Tora Bora cave with a notebook, we’re talking about preventing everyday incidents that are bound to happen in industrial networks with their difficult-to-secure systems. Those everyday scenarios are hardly thrilling, but besides accounting for millions of dollars’ worth of production loss, they are something that process engineers, and even executives, can relate to.
Compare that to the cyber terrorist threat that few researchers bothered to detail. Now what would such an attack look like? Don’t tell me it would look like the CNN video, or that cyber terrorists could crash airplanes in midair by bringing down the air traffic control system (hard to believe that anybody who asserts this has detailed knowledge of how this system works). Look at the evidence that is cited for the terrorist threat. Here is my personal litmus test for the effort that the author has put into his case: If the evidence boils down to the initials V.B., the evidence is poor. As a matter of fact, old Vitek sure has every reason to demand pensions from all the big shot consultants who (ab)used his case in a sales pitch, from the researchers who cited him for acquiring big government projects, and so on. I bet that all the research projects alone that have been justified by referring to Mr. B. sum up to a multiple of the several hundred thousand dollars’ worth of damage that he created. Funny enough, Vitek is the celebrity of our trade – quite a career for a fellow who was dumb enough to get questioned by police due to a parking violation. Anybody here who believes this would be evidence of a cyber terrorist threat against critical infrastructure, please raise your hand. (By the way, did the GAO actually buy this stuff?)
As with any discussion on topics of public interest, some subjects are sexy, while others are not. For example, in medicine, AIDS is sexy, while Alzheimer’s disease is not. Even though your risk of getting Alzheimer’s is much higher than that of getting AIDS, and there is no way you can reduce the risk of getting Alzheimer’s by behavioural changes, much more funding is provided for research on AIDS. It looks like we’re experiencing the same phenomenon with SCADA security: Intentional malicious attacks, especially cyber terrorist attacks, look like the big deal. Meanwhile, millions of dollars are lost and unsuspecting workers get injured due to less sexy reasons – and researchers, consultants, and government folks just happen to be too busy to care.
Ok, there was some sarcasm in here. Nonetheless, I am thankful to Bruce for expressing an opinion that others in the security trade would view as having a negative effect on their business.
Comment from Jake Brodsky
Time: December 10, 2007, 5:38 pm
Ralph, speaking as an engineer who represents an asset owner, I agree completely. As we have just seen with the TCAA “hack” (if there really was one), your insiders are at least as big a threat as your outsiders.
However, that doesn’t minimize the amount of work that lies before us. It merely determines the focus of such efforts. Focus on key management servers, backup strategies, system validation, network management, and so on and so forth.
Short of a quiet interest by those who serve on red teams, most hacking efforts so far don’t care about industrial control systems. They’re boring. There is no money in attacking one. And as far as enforcement goes, you’d better be in another country with no extradition treaties because if the attack is exposed, you could be doing more than just a year or two in prison.
On the other hand, insiders know a lot. They may not care much about financial gain from the attack. And left to themselves, who knows what they might be capable of…