[SCADASEC] Implications of SuiteLink's flaw
Matthew Franz
mdfranz at gmail.com
Mon May 12 18:55:24 CDT 2008
Jake,
I'll bite off a tiny piece..
A serious question (not only for you but for others on the list) is
what hat color do the folks at CORE wear?
How about Digital Bond? IT Security Vendors? Control System vendors? DoE Labs?
What you are talking about is pre-disclosure. It might be
pre-disclosure before or after a fix, but in order for
Not only do different vendors have opinions/policies of pre-disclosure
but so do the national CERTs, so this is no small hornet's nest..
- mdf
> Look, we have Black Hats, Grey Hats, and White Hats. What I envision is
> a group of Control Systems White Hats who will discuss the ramifications
> and defenses among the community in relative confidentiality. I can't
> control the Black Hats. But I have no desire to hand them any more
> information than they deserve. Thus far, most of the papers in Black
> Hat conferences are relatively ignorant and benign. I don't care to
> speculate how long that situation will stay that way.
>
> If we don't attempt to form this group, the White Hats will have no
> other place to turn to. We'll simply have to expose all SCADA systems
> publicly. That will make for some very busy, unstable SCADA patching
> --or at the very least it will make SCADA systems very isolated and
> difficult to communicate with.