Home page logo
/

securecoding logo Secure Coding mailing list archives

Re: SearchSecurity: Medical Devices and Software Security
From: Jeremy Epstein <jeremy.j.epstein () gmail com>
Date: Mon, 7 Jul 2014 13:19:37 -0400

Agree with you - there's nothing new in the article.  I gave a talk a
couple years ago at a conference on biomedical engineering, and there was
one person in the room (out of a few hundred) who had heard of Therac-25.
(Which I assume is what you were referring to with 1985.)

If the article were instead published in a medical device or biomedical
engineering journal, that would be something different.  But as you say,
putting it in on SearchSecurity is just the echo chamber of security folks.

IMHO, anyone who builds medical devices that use software and hasn't read
about Therac-25 should be considered as unqualified.  (And if that gets
anyone on the list to pull out Google, who didn't recognize the reference
to 1985, so much the better!)





On Sun, Jul 6, 2014 at 1:21 AM, security curmudgeon <jericho () attrition org>
wrote:


On Mon, 30 Jun 2014, Gary McGraw wrote:

: Chandu Ketkar and I wrote an article about medical device security based
: on a talk Chandu gave at Kevin Fu?s Archimedes conference in Ann Arbor.
: In the article, we discuss six categories of security defects that
: Cigital discovers again and again when analyzing medical devices for our
: customers.  Have a look and pass it on:
:
: http://bit.ly/1pPH56p
:
: As always, your feedback is welcome.

Per your request, my feedback:

Why do so many security professionals think we need yet another article on
medical devices that give a high-level overview, that ultimately boils
down to "medical devices are not secure"?

We see these every month or three, and have for a long time. Other than
medical vendors who are very resistent to the idea that their devices have
issues, who is this written for? Who exactly outside medical vendors think
that those devices are secure?

These articles do nothing.. absolutely nothing, to fix problems. They are
bandwagon articles jumping on the 'medical security' wave that has some
attention right now. Everyone writing these articles seems to be
completely new to the medical arena. Most that write this crap that I have
talked to can't speak to any of the history of medical disclosures. Names
like Fu and Halperin are foreign to them, and the importance of 1985 in
the timeline of medical issues is lost on them. If you find yourself
Googling any of those, thanks for proving my point.

This shit is not new. These articles are NOT advancing our field or the
medical field. Sure, you are getting a slice of attention for the issue,
but mostly in our echo chamber.

Finally, your intro. "Since 1996 my company has analyzed hundreds of
systems..." Really? Hundreds? You might want to fix that, else you come
across as complete n00bz in the industry. I've done single engagements
that involved tends of thousands of machines. Perhaps you want to qualify
that to mean hundreds of vendors? Hundreds per months/year?

To illustrate I am not the only one who feels this way:
https://twitter.com/attritionorg/status/485652525589086209

1 minute later:
https://twitter.com/SteveSyfuhs/status/485652988044656640

Seriously, dare to evolve.

.b
_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc -
http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]