[SCADASEC] Fwd: [Full-disclosure] CORE-2008-0129 - WonderwareSuite Link Denial of Service vulnerability

Paul Ferguson fergdawg at netzero.net
Wed May 7 23:10:57 CDT 2008



-- <southworthrg at bigpond.com> wrote:

>I think the need for awareness to be raised to the decision makers and
>managers of our control systems is something that needs to be promoted -
>you already know my sentiment on FUD so I won't digress.
>
>I think responsible disclosure especially in our industry is a very
>important thing to get right for all affected.
>

Hi Ron, et al., 

I'm a bit confused by your statement -- on one hand, you seem
to imply that security vulnerability disclosure is "FUD" and
irresponsible, and then you go on to laud "responsible
disclosure".

Perhaps you could share your definition that separates the two?

Let's be clear here: security vulnerabilities need to be shared
with the community that they affect, and as soon as they are
known, in my opinion.

Especially with regards to SCADA-specific platforms.

In fact, I think it is even more critical to ensure that these
types of notifications come "out of the shadows" so that they
receive even more attention and reach a larger audience,
especially the audiences that they affect.

Having worked in Communications Security (COMSEC) and subsequently
in the network security arena for over 20 years, I find it somewhat
offensive to be lumped in with day-to-day, "de rigueur" IT folk,
which -- to their own credit -- have an entirely different set of
hurdles. This is, I believe, a disingenuous bait-and-switch to
obscure the real serious nature of vulnerability disclosure
in the SCADA area of operational continuity.

I think we mostly agree, but I just wanted to add my two cents
on this topic.

As you can readily see, as SCADA platforms embrace more
off-the-shelf management platforms (e.g. using TCP/IP, etc.),
we are moving into a "Tragedy of The Commons" event horizon
situation, where the importance of buffer overflows, etc. become
of critical importance.

You guys are now experiencing what we in the Internet security
field have already experienced (and continue to experience).

Thanks,

-- ferg



--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/
