<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>I seem to recall some analysis that showed air-gaps were very
difficult to achieve/maintain.</p>
<p>Perhaps a non-computerised safety-critical system is one way to
prevent interference.<br>
Not so difficult these days with FPGAs and ASICs. <br>
</p>
<p>Peter<br>
</p>
<div class="moz-cite-prefix">On 19/06/2020 03:20, Les Chambers
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:000001d645e0$281cdf60$78569e20$@com.au">
<div class="Section1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D">I
recently had cause to research current vulnerabilities in our
Internet security regimes. I uncovered some mind-blowing stuff,
particularly relating to man-in-the-middle attacks and how easy it is,
firstly on local area networks and secondly in transport layer
security where I thought we were safe.
If you want to be really afraid just Google 'SSL strip'. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D">Security
experts seem to have given up on LAN security because
of the massive rollout of firmware in network cards. That
code was written when
security wasn't an issue. And it's everywhere. And it will
not be fixed. Ever.
Wireless nets are another very sad story. Easily breakable
from a range of 800
metres with the right antennas and equipment. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D">I'm
sure better minds than mine are trying to fix these problems
with various security wrapper strategies but I was amazed to
find that the problems haven't been solved. Maybe it's because
we have too many engineering minds working and not enough
criminal minds. There is a difference, I'm told by
a Professor of computer science.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D">You
may have noticed that the keys are getting longer. I'm
advised that this is not because computers are getting
faster. It's just that
the math is getting better. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D">So,
like coronavirus there may never be a cure. We must all just
suffer.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D">So
if you've got a safety-critical system your only option is
AIR GAP. And I'm sure there is someone out there who would
give me an argument
on that.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D">Enjoy
your day.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D">Cheers<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D">Les<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:'Tahoma','sans-serif'"
lang="EN-US">From:</span></b><span
style="font-size:10.0pt;font-family:'Tahoma','sans-serif'"
lang="EN-US"> systemsafety
[<a class="moz-txt-link-freetext" href="mailto:systemsafety-bounces@lists.techfak.uni-bielefeld.de">mailto:systemsafety-bounces@lists.techfak.uni-bielefeld.de</a>] <b>On
Behalf Of </b>Martyn
Thomas<br>
<b>Sent:</b> Thursday, June 18, 2020 6:22 PM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:systemsafety@lists.techfak.uni-bielefeld.de">systemsafety@lists.techfak.uni-bielefeld.de</a><br>
<b>Subject:</b> Re: [SystemSafety] "Ripple20
vulnerabilities will haunt
the IoT landscape for years to come"<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>From the description<a
href="https://www.zdnet.com/article/ripple20-vulnerabilities-will-haunt-the-iot-landscape-for-years-to-come/"
moz-do-not-send="true">
in the linked article</a>, the three most serious
vulnerabilities seem to be
buffer overflows. Such errors are easily avoidable but new
vulnerabilities will
continue to be built into products until programmers change
the way they write
and verify software. <o:p></o:p></p>
<p>Thousands of development teams have incorporated these
library routines in
their products and, unsurprisingly, failed to find the
vulnerabilities in their
testing. Yet today, thousands of development teams will
continue to resist
using better methods, tools and languages.<o:p></o:p></p>
<p>As Tony Hoare wrote decades ago: ‘In any respectable branch
of engineering,
failure to observe such elementary precautions would have long
been against the
law.’<o:p></o:p></p>
<p>Martyn<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
The System Safety Mailing List
<a class="moz-txt-link-abbreviated" href="mailto:systemsafety@TechFak.Uni-Bielefeld.DE">systemsafety@TechFak.Uni-Bielefeld.DE</a>
Manage your subscription: <a class="moz-txt-link-freetext" href="https://lists.techfak.uni-bielefeld.de/mailman/listinfo/systemsafety">https://lists.techfak.uni-bielefeld.de/mailman/listinfo/systemsafety</a></pre>
</blockquote>
<pre class="moz-signature" cols="72">--
Peter Bishop
Chief Scientist
Adelard LLP
24 Waterside, 44-48 Wharf Road, London N1 7UX
Email: <a class="moz-txt-link-abbreviated" href="mailto:pgb@adelard.com">pgb@adelard.com</a>
Tel: +44-(0)20-7832 5850
Registered office: 5th Floor, Ashford Commercial Quarter, 1 Dover Place, Ashford, Kent TN23 1FB
Registered in England &amp; Wales no. OC 304551. VAT no. 454 489808
</pre>
</body>
</html>