
Tag Archive for security

Yet Another Security Flaw


http://www.theverge.com/2015/8/11/9130203/wireless-hack-corvette-brakes-insurance-dongle

“‘We acquired some of these things, reverse engineered them, and along the way found that they had a whole bunch of security deficiencies,’ says Stefan Savage, the University of California at San Diego computer security professor who led the project. The result, he says, is that the dongles ‘provide multiple ways to remotely…control just about anything on the vehicle they were connected to.'”

So how paranoid does the average consumer really have to be?  Well, the truth is, not all that paranoid.  Right now, attacks like this have to be focused: you have to know who you are going after, and there has to be a personal connection of some kind.  They take research and consideration (they have to find your car, they have to figure out what kind of device you have installed, if any, and then they have to do some work to get access to that specific device, etc.), so these are not “off-the-cuff” style hacks that can be thrown out willy-nilly like some *sshat firing off pepper-spray into a crowd of Black Friday shoppers.

The real risk will come when you get an enterprising soul who finds a way to hack 10,000 cars at once, then you are into hostage taking/hush money territory.  THAT’s when you have to worry about whether or not you should get the “good driver” discount by adding that wireless dongle to your dashboard.

It’s too late for the current crop of devices that are out there.  They are in the wild already, and the security flaws have already been laid bare.  The real value in exposures like this is in encouraging companies to make sure they have at least passable security up front (many of these hacks are discovering close to NO security, security through obscurity, as it were), rather than adding the locks after the horse is already out of the barn.

The very fine line

https://www.techdirt.com/articles/20150420/05585630727/fbi-united-airlines-shoot-messenger-after-security-researcher-discovers-vulnerabilities-airplane-computer-system.shtml

The above caught my attention the other day, in part because I have an ongoing fascination with transitional spaces.  Those grey areas which aren’t quite “good guy” and not quite “bad guy”.  Most of the ones I encounter are legal grey spaces (rather than moral ones).  A law or a rule has been put in place that is ignored if the rulebreaker is working for the greater good, and enforced when the rulebreaker is operating with malicious intent.  Needless to say, this kind of inconsistent enforcement can become a problem, especially if clear secondary boundaries are not set.

Take (as a similar example) the bounties that companies like MSFT and Facebook place on finding security holes in their software.  There are potential criminal penalties for finding and exploiting these holes, but if you find one and are the first to report it (I’m oversimplifying here, I’m aware) there is often a bounty awarded.  In both cases, the act of hacking the software is technically illegal (again, oversimplifying), but the company chooses to reward one instance and prosecute another (which makes sense, right?  One hack is by a good guy, helping to make the software more secure; the other is by the bad guy, exploiting the hole for personal gain).

But because of these inconsistencies, the laws get hard to enforce.  Law enforcement and the corporate interests may not align.  Hackers and crackers may switch hats with regularity, working on “white hat” projects and “black hat” projects simultaneously or in turn, depending on where their interests lie, and because of this, law enforcement tends to regard most (if not all) of them with equal suspicion, leading to incidents like the one above.