<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=utf-8">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-GB link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I recently had cause to research current vulnerabilities in our
Internet security regimes. I uncovered some mind blowing stuff particularly
relating to man in the middle attacks and how easy it is, firstly on local area
networks and secondly in transport layer security where I thought we were safe.
If you want to be really afraid just Google 'SSL strip'. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Security experts seem to have given up on LAN security because
of the massive rollout of firmware in network cards. That code was written when
security wasn't an issue. And it's everywhere. And it will not be fixed. Ever.
Wireless nets are another very sad story. Easily breakable from a range of 800
metres with the right antennas and equipment. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I'm sure better minds than mine are trying to fix these problems
with various security wrapper strategies but I was amazed to find that the
problems havn't been solved. Maybe it's because we have too many engineering
minds working and not enough criminal minds. There is a difference I'm told by
a Professor of computer science.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>You may have noticed that the keys are getting longer. I'm
advised that this is not because computers are getting faster. It's just that
the math is getting better. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>So, like coronavirus there may never be a cure. We must all just
suffer.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>So if you've got a safety critical system your only option is
AIR GAP. And I'm sure there is someone out there who would give me an argument
on that.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Enjoy your day.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Cheers<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Les<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'>
<p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:
"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'> systemsafety
[mailto:systemsafety-bounces@lists.techfak.uni-bielefeld.de] <b>On Behalf Of </b>Martyn
Thomas<br>
<b>Sent:</b> Thursday, June 18, 2020 6:22 PM<br>
<b>To:</b> systemsafety@lists.techfak.uni-bielefeld.de<br>
<b>Subject:</b> Re: [SystemSafety] "Ripple20 vulnerabilities will haunt
the IoT landscape for years to come"<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p>From the description<a
href="https://www.zdnet.com/article/ripple20-vulnerabilities-will-haunt-the-iot-landscape-for-years-to-come/">
in the linked article</a>, the three most serious vulnerabilities seem to be
buffer overflows. Such errors are easily avoidable but new vulnerabilities will
continue to be built into products until programmers change the way they write
and verify software. <o:p></o:p></p>
<p>Thousands of development teams have incorporated these library routines in
their products and, unsurprisingly, failed to find the vulnerabilities in their
testing. Yet today, thousands of development teams will continue to resist
using better methods, tools and languages.<o:p></o:p></p>
<p>As Tony Hoare wrote decades ago: ‘In any respectable branch of engineering,
failure to observe such elementary precautions would have long been against the
law.’<o:p></o:p></p>
<p>Martyn<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</body>
</html>