[SystemSafety] Partly Off Topic: What Happens in October [No Classification]

Peter Bernard Ladkin ladkin at causalis.com
Tue Oct 18 12:47:24 CEST 2016



On 2016-10-18 12:16 , Barnes, Robert A (NNPPI) wrote:
> Firstly, what are we attempting to achieve by patching systems?  .... The reoccurring bone of contention
> with patching to address security vulnerabilities is safety certification: changing the software changes 
> the system and recertification is therefore necessary.  However, there is always more than one way to 
> skin a cat and patching is just one way of managing a known vulnerability.  

So, suppose you have a trusted communication system administered through a despec-ed version of Mac
OS. And somebody tells you they think it was compiled with the "go to fail" bug. So you don't
actually know if the code is validating its trusted communication partners or not. You and by now a
few hackers looking for a good time (let's hope that's all they are looking for). Presumably you
could find out in a day or so. Some hacker will likely be quicker.

Say the service is distributing session keys for, say, train control. (Germany will be doing this
centrally.)

I guess you could stop all long-distance trains running in the country until you've figured out
whether you're vulnerable, and until you've fixed it and revalidated the system. There'll be lots of
unhappy bunnies. (Did I say I once shared a carriage with the German Defence Minister?)

I'd be very tempted to patch, and to do so without first finding out whether I'm vulnerable. What
would you suggest I do instead?

PBL

Prof. Peter Bernard Ladkin, Bielefeld, Germany
MoreInCommon
Je suis Charlie
Tel+msg +49 (0)521 880 7319  www.rvs-bi.de




