[Dailydave] Junk Hacking Must Stop!

Don Bailey don.bailey at gmail.com
Mon Sep 22 16:12:27 EDT 2014 

Hello List,

As an ex-hacker-of-things, I actually agree with the motivation behind this
post. I still wouldn't call it "junk", but that's an entirely separate and
subjective argument that no one in their right mind would care to get into.

However, we should have matured as an industry to the point where we can
get beyond the devices themselves, and I am disappointed to see my peers
constantly deriding the highly qualified engineers building these devices.
What a lot of security professionals don't have is the business sense or
engineering experience to understand the real threat model in which these
devices exist. Furthermore, calling the IoT/IoE (insert your
favorite/preferred term here) movement "terror" is amateurish and
insincere.

As a result, we're seeing consultants foolishly directing embedded
technology firms to go down bizarre rabbit holes, such as implementing
PaX/Grsec for ARM/MIPS on devices whose threat-scape is "can someone force
this washer to overheat the water via RF". This solves nothing. The real
discussion must focus on the product life cycle, tangible risks to the
end-user and business, and realistic and cost-effective security controls
that scale.

The less we focus on "everything can be owned!", the more we as an industry
can actually effect real change. Hyperbole disguised as passion distracts
industry outsiders and puts a bad taste in the mouths of people that
legitimately need guidance. Distractions in the form of "hacked a thing!"
or "fear the things!" is actually setting us as far back as an industry as
the 8bit microcontroller security surfaces used by these devices.

P.S. If you're just getting into hardware hacking and want to give a talk
on hacking a "thing", welcome to 2010.

Best,
Don A. Bailey
Founder
Lab Mouse Security
@InfoSecMouse
https://www.securitymouse.com/

On Mon, Sep 22, 2014 at 12:53 PM, Dave Aitel <dave at immunityinc.com> wrote:

>  Look, I get how we all love free trips to various locales other than
> Seattle or Boston or whatever (which are not, technically "locales" so much
> as just "places people happen to live"). But one more hacking talk about
> breaking into some random piece of electronics that people might use
> somewhere like a Internet-connected bed-warmer, or a MRI machine, or a
> machine people use to make MRI machines, and the whole hacking community is
> going to be wearing the cone of shame for a week!
>
> [image: your blackhat talk was not accepted!]
>
> Yes, we get it. Cars, boats, buses, and those singing fish plaques are all
> hackable and have no security. Most conferences these days have a whole
> track called "Junk I found around my house and how I am going to scare you
> by hacking it". That stuff is always going to be hackable
> whetherornotyouarethecalvalry.org.
>
> I get that Barnaby hacked an ATM. I thought it was stupid then, and it's
> even stupider now when your basic ATM runs XP so it can display ads to you
> while you take money out of it. But it's not stunt hacking unless it can
> *wow* you. If you are wowed by someone owning XP these days, then you are
> out of it and need to be re-reading Carolyn Meniel's HappyHacker website.
> Yes, there is Junk in your garage, and you can hack it, and if you find
> someone else who happens to have that exact same Junk, you can probably
> hack that too, but maybe not, because testing is hard.
>
> Cars are the pinnacle of junk hacking, because they are meant to be in
> your garage. Obviously there is no security on car computers. Nor (and I
> hate to break the suspense) *will there ever be*. Yes, you can connect a
> device to my midlife crisis car and update the CPU of the battery itself
> with malware, which can in theory explode my whole car on the way to BJJ. I
> personally hope you don't. But I know it's possible the same way I know
> it's possible to secretly rewire my toaster oven to overcook my toast every
> time even when I put it on the lowest setting, driving me slowly but surely
> insane.
>
> So in any case, enough with the Junk Hacking, and enough with being amazed
> when people hack their junk.
>
> -dave :>
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20140922/940a1002/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cone_of_shame_blackhat.jpg
Type: image/jpeg
Size: 60126 bytes
Desc: not available
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20140922/940a1002/attachment-0001.jpg>

More information about the Dailydave mailing list