[SystemSafety] "Ripple20 vulnerabilities will haunt the IoT landscape for years to come"

paul_e.bennett at topmail.co.uk
Thu Jun 18 12:12:05 CEST 2020


On 6/18/2020 at 9:01 AM, "Peter Bernard Ladkin" <ladkin at causalis.com> wrote:
>
>On 2020-06-18 00:28 , Jon Hind wrote:
>> 
>> Am I worrying too much, or is this vindication ?
>
>Probably you are not worrying enough. Note that this isn't just 
>IoT. And it's not just some small SW
>vendor with a lightweight "convenient" TCP/IP stack. Last year it 
>was VxWorks.

Unless you are sure about your compiler and the libraries you load,
be worried, I would say.

>Note also that the four vulnerabilities mentioned with a severity 
>rating of 10/9.8 are all data
>typing issues. Devices might get cuter, but the logic issues are 
>the "classic" issues.
>
>The question is what to do about these issues that have been 
>sitting around ("lurking" is hardly the
>right word) since the Internet became a thing 25 years ago. I use 
>the phrase "Extended data type
>vulnerability" (EDTV).

Nearer forty-five, Peter. I think it has been a concern when networking
systems for a long time, but it takes some a long time to begin
understanding the risks.

[%X---Nice anecdote-----X%]

>So what to do about EDTV? I am almost tempted to have two stickers 
>made. "Data type correct" and
>"Vulnerable to data type insecurities". The former I'll give out 
>to anyone who can provide me with
>appropriate assurance. The latter I'll just give out to anyone - 
>there are bound to be some people
>who will post them surreptitiously on any unattended machine......

If you change the message to "Potentially vulnerable to data type
insecurities", then be prepared to print in very large quantities. It
could be stuck on just about everything connected directly
to the net. ;)

Regards

Paul E. Bennett IEng MIET
Systems Engineer
Lunar Mission One Ambassador
-- 
********************************************************************
Paul E. Bennett IEng MIET.....
Forth based HIDECS Consultancy.............
Mob: +44 (0)7811-639972
Tel: Due to relocation - new number TBA. Please use Mobile.
Going Forth Safely ..... EBA. www.electric-boat-association.org.uk..
********************************************************************


