[SystemSafety] A Fire Code for Software?

Martyn Thomas martyn at thomas-associates.co.uk
Mon Mar 19 10:39:33 CET 2018


On 19/03/2018 05:46, Peter Bernard Ladkin wrote (excerpted):

> I don't yet see the legal leverage of the HSWA on OEMs here. Further, I don't yet see how to
> construct a lever. If as an OEM I give you a piece of kit and say "this kit has a four-ASCII-letter
> root password" and you use it for something and someone gets hurt because access control on the kit
> is brute-forced by a malicious intruder, then surely you are on the hook for inappropriate use, not
> I. There is nothing except pure commercial pressure (if that) motivating me to install stronger
> access control.
I agree in this particular case. But if an OEM sells you a system that
has been built using COTS components (Linux, say) and doesn't tell you
that buried in your alarm is a Telnet service with a default password
(perhaps because the OEM doesn't even know), and then your system is
hacked with bad consequences ...
Then I'd prefer to be the expert witness for the prosecution, not for
the defence.

Martyn

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.techfak.uni-bielefeld.de/mailman/private/systemsafety/attachments/20180319/081caa9b/attachment.sig>


More information about the systemsafety mailing list