mailing list archives
Re: SearchSecurity: Medical Devices and Software Security
From: security curmudgeon <jericho () attrition org>
Date: Sun, 6 Jul 2014 00:21:38 -0500 (CDT)
On Mon, 30 Jun 2014, Gary McGraw wrote:
: Chandu Ketkar and I wrote an article about medical device security based
: on a talk Chandu gave at Kevin Fu?s Archimedes conference in Ann Arbor.
: In the article, we discuss six categories of security defects that
: Cigital discovers again and again when analyzing medical devices for our
: customers. Have a look and pass it on:
: As always, your feedback is welcome.
Per your request, my feedback:
Why do so many security professionals think we need yet another article on
medical devices that give a high-level overview, that ultimately boils
down to "medical devices are not secure"?
We see these every month or three, and have for a long time. Other than
medical vendors who are very resistent to the idea that their devices have
issues, who is this written for? Who exactly outside medical vendors think
that those devices are secure?
These articles do nothing.. absolutely nothing, to fix problems. They are
bandwagon articles jumping on the 'medical security' wave that has some
attention right now. Everyone writing these articles seems to be
completely new to the medical arena. Most that write this crap that I have
talked to can't speak to any of the history of medical disclosures. Names
like Fu and Halperin are foreign to them, and the importance of 1985 in
the timeline of medical issues is lost on them. If you find yourself
Googling any of those, thanks for proving my point.
This shit is not new. These articles are NOT advancing our field or the
medical field. Sure, you are getting a slice of attention for the issue,
but mostly in our echo chamber.
Finally, your intro. "Since 1996 my company has analyzed hundreds of
systems..." Really? Hundreds? You might want to fix that, else you come
across as complete n00bz in the industry. I've done single engagements
that involved tends of thousands of machines. Perhaps you want to qualify
that to mean hundreds of vendors? Hundreds per months/year?
To illustrate I am not the only one who feels this way:
1 minute later:
Seriously, dare to evolve.
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates