<div dir="ltr">Hello List,<div><br></div><div>As an ex-hacker-of-things, I actually agree with the motivation behind this post. I still wouldn't call it "junk", but that's an entirely separate and subjective argument that no one in their right mind would care to get into. </div><div><br></div><div>However, we should have matured as an industry to the point where we can get beyond the devices themselves, and I am disappointed to see my peers constantly deriding the highly qualified engineers building these devices. What a lot of security professionals don't have is the business sense or engineering experience to understand the real threat model in which these devices exist. Furthermore, calling the IoT/IoE (insert your favorite/preferred term here) movement "terror" is amateurish and insincere. </div><div><br></div><div>As a result, we're seeing consultants foolishly directing embedded technology firms to go down bizarre rabbit holes, such as implementing PaX/Grsec for ARM/MIPS on devices whose threat-scape is "can someone force this washer to overheat the water via RF". This solves nothing. The real discussion must focus on the product life cycle, tangible risks to the end-user and business, and realistic and cost-effective security controls that scale. </div><div><br></div><div>The less we focus on "everything can be owned!", the more we as an industry can actually effect real change. Hyperbole disguised as passion distracts industry outsiders and puts a bad taste in the mouths of people that legitimately need guidance. Distractions in the form of "hacked a thing!" or "fear the things!" is actually setting us as far back as an industry as the 8bit microcontroller security surfaces used by these devices. </div><div><br></div><div>P.S. If you're just getting into hardware hacking and want to give a talk on hacking a "thing", welcome to 2010. </div><div><br></div><div>Best,</div><div>Don A. Bailey</div><div>Founder</div><div>Lab Mouse Security</div><div>@InfoSecMouse</div><div><a href="https://www.securitymouse.com/">https://www.securitymouse.com/</a> </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 22, 2014 at 12:53 PM, Dave Aitel <span dir="ltr"><<a href="mailto:dave@immunityinc.com" target="_blank">dave@immunityinc.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Look, I get how we all love free trips to various locales other than
Seattle or Boston or whatever (which are not, technically "locales"
so much as just "places people happen to live"). But one more
hacking talk about breaking into some random piece of electronics
that people might use somewhere like a Internet-connected
bed-warmer, or a MRI machine, or a machine people use to make MRI
machines, and the whole hacking community is going to be wearing the
cone of shame for a week!<br>
<br>
<img alt="your blackhat talk was not accepted!" src="cid:part1.04080901.08070900@immunityinc.com" height="390" width="500"><br>
<br>
Yes, we get it. Cars, boats, buses, and those singing fish plaques
are all hackable and have no security. Most conferences these days
have a whole track called "Junk I found around my house and how I am
going to scare you by hacking it". That stuff is always going to be
hackable <a href="http://whetherornotyouarethecalvalry.org" target="_blank">whetherornotyouarethecalvalry.org</a>. <br>
<br>
I get that Barnaby hacked an ATM. I thought it was stupid then, and
it's even stupider now when your basic ATM runs XP so it can display
ads to you while you take money out of it. But it's not stunt
hacking unless it can <b>wow</b> you. If you are wowed by someone
owning XP these days, then you are out of it and need to be
re-reading Carolyn Meniel's HappyHacker website. Yes, there is Junk
in your garage, and you can hack it, and if you find someone else
who happens to have that exact same Junk, you can probably hack that
too, but maybe not, because testing is hard. <br>
<br>
Cars are the pinnacle of junk hacking, because they are meant to be
in your garage. Obviously there is no security on car computers. Nor
(and I hate to break the suspense) <b>will there ever be</b>. Yes,
you can connect a device to my midlife crisis car and update the CPU
of the battery itself with malware, which can in theory explode my
whole car on the way to BJJ. I personally hope you don't. But I know
it's possible the same way I know it's possible to secretly rewire
my toaster oven to overcook my toast every time even when I put it
on the lowest setting, driving me slowly but surely insane.<br>
<br>
So in any case, enough with the Junk Hacking, and enough with being
amazed when people hack their junk.<span class="HOEnZb"><font color="#888888"><br>
<br>
-dave :><br>
<br>
</font></span></div>
<br>_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
<br></blockquote></div><br></div>