So my last blogpost was nearly a year ago.
That’s … kinda bad. I should probably post more often.
Originally I had thought that posting ranty, angry posts was bad form and that instead of just yelling and flinging my arms about on a blog, I should find other ways of getting messages across.
Boy was I wrong
Since my last post, I’ve been interviewed by the BBC, the ABC, CNN Money, F5′s DevCentral, asked to write articles for several small publications, and asked to speak at half a dozen conferences because of my findings on shodan. Seriously – after giving essentially the same talk something like 3 times (but adding more meat every time) I had figured that people would get bored of me and shodan. Oops. I was wrong there too. Also, I keep finding shit. Last bit of laugh-then-cry hilarity was finding a pack of GE_CENTRICITY hits. It was an eyebrow raiser for me too.
I don’t mention this because I think it makes me special or whatnot – I mention it because it’s all a MASSIVE SURPRISE TO ME. Personally I don’t think these findings should be getting this kind of media attention – and I’ve openly scolded two reporters who used my findings to write ‘you should be scared’ articles.
Journalists: If you’re telling your audience that they should be afraid, it makes you a shitty journalist. You should be helping me(read: us, as in the security community) make it a big deal to the people that make these devices that what they’re doing is hurting the safety and privacy of people who buy their stuff – not telling the victims that they should be afraid. Shame on you.
I am not performing crazy reverse engineering, I’m not inventing epic hacks, I haven’t circumvented any impressive security controls (I found some fairly-bonehead level vulns on a bunch of cameras, but that’s about it).. all I’m doing is literally pointing out things that are connected to the internet. Albeit, I did write a bunch of scripts to automate this discovery process..
What? Are you saying there’s stuff online that people don’t know about.. .that’s hugely vulnerable? Or that orgs are allowing these massive security failures to go on unchecked?
Yes, actually, that’s exactly what I’m saying. People don’t care unless you hurt their image. They seemingly don’t care even if you hurt their pocketbook substantially. So long as their reputation goes unharmed, literally no fucks are given.
Step one is admitting you have a problem – and as a security community if we allow businesses and colleagues to keep doing this stuff, it means what we do is just a dog and pony show – and it makes us all look bad.
That’s all for now – let’s just focus on step one for a while – we have to find a way to make these vendors give fucks.
Finding out how is going to be the challenge.