Re: I have a 0-day exploit, but don't want to tell you what it is
- Subject: Re: I have a 0-day exploit, but don't want to tell you what it is
- From: Michael Crawford <email@hidden>
- Date: Thu, 01 Aug 2013 17:02:44 -0700
It's not enough to report a bug.
It's not enough to explain how to fix a bug.
What's required is to convince those who are in a position that they
could fix it, will take _responsibility_ to ensure that fix, once they
become aware of the bug in any way.
You know how it's commonly noted that managing coders is like herding cats?
Now suppose it were vital to the survival of a few dozen wounded
combat troops, that one find some way to get the supplies required to
save their lives to where they lay beneath an active firefight, by
sneaking in vast quantities of antibiotics, anaesthetics, sterile
gauze, sutures, needles and so on, through no other means than having
a bunch of feral cats carry it in to the battlefield, thereby carrying
it low to the ground and underneath the gunfire.
For me, it's not just a problem of finding some way that I can't lift
your credit card off your iPad anymore.
It's a problem, that from the comfort of my own home, of finding some
way that it would no longer be trivially easy for me to _detonate_ the
entire length of a three thousand mile long high-pressure gas
pipeline.
One of the very most effective acts of sabotage during the entire Cold
War, resulted from the United States, with Commander-in-Chief Reagan's
specific written authorization, doing just that to three hundred miles
of Soviet high pressure gas pipe, by planting some carefully and
slowly simmered, with eleven secret herbs and spices, industrial
control systems code into the hands of some Soviet pipeline engineers.
You know what the Stuxnet worm is? The Flame worm?
Uranium Hexafluoride Gas Turbine Centrifuge Cascades? Uranium
Assembly Weapons?
At least those worms only attack industrial control system code when
it's physically installed within the nation of Iran.
I know how to pull that same stunt off myself, I would require no more
than a day for a proof of concept, a month for a really interesting
deliverable, a year to murder tens of millions of innocents as I at
the same time totally decimated the entire planet's economy.
I resigned in protest from the vendor responsible for _that_
particular Deep Insight Into The Nature of Reality, in early 2006,
when I pointed out the fix to my colleagues, but was specifically
ordered by the guy who runs the place to stop pointing out things like
that to _anyone_.
I figured seven years would be enough for them to fix most of their
exploits, had they intended to do so, so at that point I went public
with it all over Creation:
TriHedral VTS Human Machine Interface / Supervisory Control And
Data Acquisition
http://www.trihedral.com/
HMI/SCADA is among the very most Human-Life Critical software _and_
hardware that has ever Walked the Earth.
The Canadian Coast Guard is heavily into TriHedral VTS.
The United States Coast Guard regards it as floridly delusional, to
use an HMI/SCADA product aboard ship in any way.
I've never even applied for a clearance, so the mere mention of the
word "Navy" in my presence there in Bedford could have been treason,
but my father was a Naval Anti-Aircraft Missile Fire Control Officer.
I expect lots of Navies would be all over TriHedral VTS like white on
rice.
Maybe right now, would be a good time to stay out of giant, robotic
automobile assembly plants, lest Glenn Wadden drop a pickup truck on
you, thereby making a widow of your wife instantly.
Industrial worker union halls are pretty good places to discuss this
kind of thing. They love to get public speakers, that's what Union
Organizers actually do. Jimmy Hoffa of the Teamster's Union got his
start by helping out the drivers of broken-down freight trucks.
It happens that the world-wide headquarters of Intel is in Hillsboro,
Oregon, not far from where I presently live in Salmon Creek,
Washington. I can get there and back in a couple hours for seven
bucks aboard an express bus and a good quality light rail train.
Their headquarters just absolutely _has_ to be one of the very largest
single structures on the Earth. A handheld telescope, and you could
see it from the Moon.
Again, companies like Intel are heavily into HMI/SCADA.
However my objective is not to decimate TriHedral's business, its
employees, or its users, but to get that broken code FIXED. Thus my
CC of this particular mail to their support mailbox as well as to The
Forum On Risks To The Public In Computers And Related Systems:
http://catless.ncl.ac.uk/Risk
The reason I stopped filing bug reports against any codebase for any
reason, is that I filed a detailed report with test case maybe two
years ago, for a trivial to fix, as well as a trivial to exploit
security hole.
To the extent that I discussed it in public, I was resoundingly insulted.
The terse reply to my report from a system software engineer for that
particular platform, was that I was ignorant, no further discussion
was permitted, the case was closed.
I myself could, in perhaps one or two days, root perhaps one hundred
million boxen, each of which to this very day have that same exploit.
I expect there are lots of other platforms that have that same
exploit, as many of those who insulted me, I am quite sure do not
possess the platform I reported the exploit against.
Ever Faithful,
Michael David Crawford P.E., Process Architect
Solving the Software Problem
http://www.warplife.com/mdc/
email@hidden
+1 (805) 235-1267
While every deity hath the Insight to foretell the Future,
even G-d Almighty Himself possesseth not the Power to undo the Past.