Jon already pretty much covered the response to this - remote administration, viewing, and to be frank, we plug in internet connectivity to *everything* these days.
That said, I also think that we forget there are three parties in security - attacker, defender and user. From the user's perspective, we appear to exist solely to pee in their wheaties. There exist a good number of organizations who have ultimate users (doctors, generals, senior faculty, CEOs) who you *have* to provide what they want, regardless of how insecure it is.

On Oct 11, 2009, at 5:27 AM, Jim Murray wrote:

> Michael Collins wrote:
>> Heh,
>>
>> One of the fun exercises I like to spring on people is to play out the
>> following scenario: assume you've got an embedded system of some kind
>> being controlled by a windows 3.1 box. Let's say it's doing something
>> like wrapping candybars or stamping plaques or whatever, it's
>> piecework payment. The machine gets 0wned, and while it's not doing
>> anything that's impacting you personally, it's contributing a couple
>> of kb/s to spamming or ddosing or other fun things. Is it in your
>> interest to sacrifice the day, and the consequent profits involved in
>> fixing your box, to solve the problem or better to just let it run?
>
> My first question has to be 'What is such a device doing connected to
> the public internet in the first place?'. If it really MUST be connected
> then it should be properly protected. If they don't do that and get
> 0wned then you deserve the costs and inconvenience of cleaning up the
> mess you made, it's a safe bet you'll be more careful in future.
>
>> The problem was given a more concrete example by a colleague who
>> pointed out that most medical hardware running on windows boxes is not
>> only certified for windows only, but specific *patchlevels*, and that
>> consequently these machines can get restored, taken down, reinstalled,
>> and put back on the net with known vulnerabilities because their
>> software is certified with vulnerabilities intact.
>
> If I were to find any critical piece of medical hardware connected to
> the public internet I'd be very concerned indeed. Surely best practice
> dictates that clinical networks are kept isolated from the
> administrative networks & public internet?
>
> Jim.
>
> --
> DigitalDaemons IT Services.
> E-Mail : j...@digitaldaemons.co.uk
> PGP Key ID : 0xB7066495

Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.