[HN Gopher] When You Get Right Down to It, Most Security Is Base...
___________________________________________________________________
When You Get Right Down to It, Most Security Is Based on the Honor
System
Author : Aloha
Score : 31 points
Date : 2021-08-05 20:45 UTC (2 hours ago)
(HTM) web link (mhd-aboelez.medium.com)
(TXT) w3m dump (mhd-aboelez.medium.com)
| thaumasiotes wrote:
| From the 'segment of a realistic episode of a crime program':
|
| > "So it's an inside job?!"
|
| > "No, the hacker got in by guessing one of the clerks'
| passwords."
|
| > "That's not possible, we have a password security policy in
| place. Brute forcing that kind of thing would take hundreds of
| thousands of attempts."
|
| > "Well, normally, yes, but the clerk was using the same password
| for her email, and that server got hacked, and a file with all
| the usernames and plaintext passwords got dumped."
|
| > "But everyone knows user passwords need to be stored as one-way
| hashes so that getting the plaintext back out of them is
| impossible."
|
| > "They were hashed, but only md5! The hackers just used a
| rainbow table to do the lookups."
|
| A password security policy could have prevented that. ;p
| sokoloff wrote:
| About half the Epic (electronic medical records) terminals I
| see have the password posted on the front of the terminal.
| Often in a nice, professional PTouch label (so presumably by
| IT).
| aaron695 wrote:
| I think you are saying with a password security policy you
| couldn't rainbow table the md5 of the password following the
| policy?
|
| I'm not sure that's true anymore.
|
| Without salts (which the third party didn't have) I'd assume
| many passwords the human mind can remember within workable
| policy rules have been compromised.
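Added example (not from the thread or the linked article): the lookup attack thaumasiotes and aaron695 describe against an unsalted MD5 dump, beside the per-record salted, iterated hash that makes a shared precomputed table useless. The candidate list, the "leaked" digest and the policy it mimics are all constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed stand-in for a cracking dictionary: a few strings that satisfy a
# typical "8+ chars, mixed case, digit, symbol" policy (the policy itself is an
# assumption). A real attacker's table holds billions of entries, which is the
# point: policy-compliant passwords a human can remember are enumerable.
CANDIDATES = [
    "Summer2021!", "Password1!", "Welcome1!", "Clerk#2020", "Qwerty12$",
]


def md5_hex(password: str) -> str:
    """Unsalted MD5, as on the hypothetical breached mail server."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> Dict[str, str]:
    """Precompute digest -> plaintext once; every unsalted dump is then a dict
    lookup. (A rainbow table trades table size for a little recomputation; the
    effect is the same: one precomputation amortized over every victim.)"""
    return {md5_hex(p): p for p in candidates}


def crack_unsalted(leaked_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Recover the plaintext behind an unsalted MD5 digest, if it is in the table."""
    return table.get(leaked_hash)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Hardened storage: a random 16-byte salt per record plus an iterated KDF.
    The record carries its own salt and cost so they travel with the digest."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored: str, table: Dict[str, str]) -> Optional[str]:
    """The shared table was built without this record's salt, so it never hits:
    the attacker has to redo the iterated KDF per candidate, per user."""
    _, _, _, dk_hex = stored.split("$")
    return table.get(dk_hex)


if __name__ == "__main__":
    table = build_lookup_table(CANDIDATES)
    leaked = md5_hex("Summer2021!")  # constructed "dumped" digest
    print("unsalted md5 ->", crack_unsalted(leaked, table))      # Summer2021!
    record = hash_password("Summer2021!")
    print("salted record ->", crack_salted(record, table))       # None
    print("verify ->", verify_password("Summer2021!", record))   # True
```

The salt does not stop an attacker who targets one account with a dictionary; the iteration count is what makes that per-user work expensive. Together they turn "one table cracks the whole dump" into "one slow run per candidate per user".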
| disabled wrote:
| Yep. I am terrified for the people who are running open-source
| medical devices via community-based code and reverse-engineered
| medical devices. Something bad is bound to happen.
|
| Specifications and details here:
| https://openaps.readthedocs.io/en/latest/
|
| The code is hosted on GitHub, and is against Microsoft's Terms
| and Conditions, for obvious reasons. Still, nothing is done about
| it.
| monocasa wrote:
| I used to be terrified of that as well, until meeting many
| former medical device engineers in the Denver area who got out
| for moral reasons. However shit you think the community code
| is, the official code is probably worse. Like kills people and
| hide behind lawyers already worse.
|
| It's not uncommon for these engineers to have a 'if I am
| incapacitated, do not hook me up to these devices' card in
| their wallet like you'd normally see for allergies for
| products they've worked on.
| disabled wrote:
| Just FYI, the European Union made such projects illegal as of
| 26 May 2021. See Medical Devices Regulation (MDR) EU
| 2017/745: https://eur-lex.europa.eu/legal-
| content/EN/TXT/PDF/?uri=CELE...
|
| Also, these projects were designed on purpose to circumvent
| or in some cases break the law, which is the wrong approach
| to medical device design. It's dangerous and designs kill, as
| you know.
|
| See this stipulation (and control/command + f = "commercial"
| in paper):
|
| 27) 'making available on the market' means any supply of a
| device, other than an investigational device, for
| distribution, consumption or use on the Union market in the
| course of a commercial activity, whether in return for
| payment or free of charge;
|
| Also:
|
| 46) 'investigational device' means a device that is assessed
| in a clinical investigation
|
| Also:
|
| 1) 'medical device' means any instrument, apparatus,
| appliance, software, implant, reagent, material or other
| article intended by the manufacturer to be used, alone or in
| combination, for human beings for one or more of the
| following specific medical purposes:
|
| -- diagnosis, prevention, monitoring, prediction, prognosis,
| treatment or alleviation of disease,
|
| Also:
|
| (19) It is necessary to clarify that software in its own
| right, when specifically intended by the manufacturer to be
| used for one or more of the medical purposes set out in the
| definition of a medical device, qualifies as a medical
| device, while software for general purposes, even when used
| in a healthcare setting, or software intended for life-style
| and well-being purposes is not a medical device. The
| qualification of software, either as a device or an
| accessory, is independent of the software's location or the
| type of interconnection between the software and a device.
| monocasa wrote:
| Sure, I just have inside information into some of these
| systems (and enough inside knowledge to be scared of their
| lawyers enough to not name specifics). Therac style
| systemic implementation issues aren't uncommon. Think
| handle every failure mode by panicking the OS, and the
| hardware fails in the wrong direction for the patient
| without software control.
|
| IMO, yeah, community approaches might not be the ideal
| solution, but when it comes to my health it's the better of
| the two options I have (community that I can actually look
| at the implementation of vs. proprietary that I know has
| systemic regulatory issues and is a crap shoot on if it is
| actively killing people and the engineers who worked on it
| don't ever want it used on them). If it comes down to it
| I'm going to choose my health over legality every time.
| skybrian wrote:
| A third option might be some kind software transparency
| scheme, where every change is publicly available and
| audited, with bug bounties.
|
| This could be done to keep the professionals on their
| toes without resorting to relying on random unvetted
| software.
|
| They could even take pull requests, as long as the
| company takes responsibility for them.
| disabled wrote:
| > Think handle every failure mode by panicking the OS,
| and the hardware fails in the wrong direction for the
| patient without software control.
|
| Thanks, I am aware of this. It's called a block diagram,
| and is standard safety design. See page 3:
| https://pdfserv.maximintegrated.com/en/an/AN4675.pdf
| netr0ute wrote:
| Sad, Big Pharma strikes again.
| mattrj wrote:
| Fascinating. Want to know another secret about code quality?
| Custom software for banks generally sucks as well. That's
| your money it's messing with. am: "Let's try it in
| production" pm: "We are going to need you to write a script to
| put everything back where it was."
| [deleted]
| e2le wrote:
| I doubt it's much worse than trusting your life to proprietary
| code written behind closed doors. Something bad usually happens
| every now and again.
|
| Of course, those insulin pumps are running insecure firmware
| allowing for adjustments to be made remotely by an sbc
| (Raspberry Pi) where the OpenAPS software lives and takes
| measurements from a GCM. Without the insecure remote interface
| on those insulin pumps, OpenAPS might not exist.
|
| I'm not sure it's moral to attack such a project built and
| maintained by diabetics who simply want to provide for
| themselves a better quality of life.
| disabled wrote:
| > Of course, those insulin pumps are running insecure
| firmware allowing for adjustments to be made remotely by an
| sbc (Raspberry Pi) where the OpenAPS software lives and takes
| measurements from a GCM. Without the insecure remote
| interface on those insulin pumps, OpenAPS might not exist.
|
| This is the issue here, with a cyber to physical attack which
| is bound to happen at some point, with some medical device,
| and this project is a huge target for something like that.
| This project was specifically mentioned in the book "Click
| Here to Kill Everybody" by renowned cybersecurity expert
| Bruce Schneier.
|
| OpenAPS was also designed to circumvent government laws, and
| is not-as-legal as the creators portray it to be. For
| example, one of the main "advocates" calls OpenAPS an "off-
| label qualification" for use, when in order for that to
| apply, the specific device intended to be used must be FDA
| approved. As you know, OpenAPS cannot be FDA approved at this
| point of time. This individual also illegally markets
| unapproved medical devices across the United States, Europe,
| Australia, and New Zealand, plus online.
|
| Yes, it is illegal.
| mypalmike wrote:
| Openaps is a shining example of why open source medical device
| control is effective and necessary. Talk to the developers.
| Talk to the users. For every fear that "something bad is bound
| to happen" there are dozens of stories where bad things
| actually did happen because these tools did not exist.
|
| The key to safety is that the hardware itself a) shows the real
| state of things and b) has safety mechanisms in place such that
| even the most malignant control software would be no worse than
| poorly timed manual dosing.
| kktkti9 wrote:
| Duh; society is built on an honor system.
|
| We look away to "live our life" and tacitly believe others are
| behaving honorably.
|
| And they all do.
|
| Economists teach us inflation is good because if we increase
| worker buying power they might own more than the current
| landlords.
|
| Hedge funds short stocks 200% to crater companies and make a
| profit.
|
| Social media manipulates our biochemistry (arguably wasteful
| consumerism is built around this altogether.)
|
| We're undermining the security of our habitat for future people
| through all of this.
|
| Everyone is acting honorably given our detailed history of being
| honorable people.
| voz_ wrote:
| I notice a giant trend of new, throwaway accounts quipping on
| here and on reddit about inflation. First order
| botting/targeting, or second order side-effects of shills hit
| by first order on another site?
| hncurious wrote:
| We are sitting ducks if you think about it. If a couple
| university researchers can get malicious code into the Linux
| kernel, just imagine what well funded state actors are doing?
|
| https://www.theverge.com/2021/4/22/22398156/university-minne...
| Godel_unicode wrote:
| Part of me wishes this test had gone on for longer, and had
| used several bugs of varying subtlety. I'm more interested in
| how long a supply chain bug can live than whether you can
| introduce one (because I've never questioned that possibility).
| austincheney wrote:
| Proper security is ensured by a validation process from a third
| party audit. That is expensive. For strictly internal scrutiny
| security is primarily the result of a proper risk analysis.
| Normally that means keep guessing until the software works enough
| and then refactor as necessary in response to some security
| apparatus far away from you. Same with accessibility, performance
| testing, and just about everything else beyond merely pushing
| content to screen.
| endisneigh wrote:
| When you get right down to it, civilization in general is based
| on the honor system.
| rcurry wrote:
| Honestly. I miss the old days. I worked in intelligence at the
| tail end of the Cold War. We kept all our shit on paper, in a
| safe, and planted a couple of nice young Marines with guns in
| front of it. It worked well as a system - so well in fact that
| when the OPM got hacked and a bunch of people's security
| clearance documents got leaked I was like "Well, thankfully my
| information couldn't have gotten leaked, it's on microfiche in a
| safe somewhere and I really doubt anyone would be stupid enough
| to scan all that shit into a computer." Of course about eight
| months later I get a letter in the mail, lol. Yep, they put it in
| a computer after all, ha ha.
| betwixthewires wrote:
| Off topic but relevant, I wonder how many medium writers watched
| their readership decline and don't know that it is because medium
| now requires an account to read articles.
| throwaway0a5e wrote:
| You have to trust _some_ people. Technical security reduces the
| number of people you need to trust and the extent you need to
| trust them.
___________________________________________________________________
(page generated 2021-08-05 23:00 UTC)