Wednesday, May 2, 2012

Another Disclosure, this time with ICS CERT's Blessing

We're only a few months past Basecamp, and here we go again. Only this time there are fewer voices urging restraint.

Wired's Threat Level blog put up a story of a certain control system OEM that seemed uniquely unaware of the risks it had built into its products, and unwilling to make a change of any kind. At the time of publication, 25 April 2012, the company still hadn't budged.

Then, on 1 May 2012, the Christian Science Monitor was telling a different story: the vendor pledged to make and distribute a fix.

The Wired article ended with a couple of sentences that concisely capture this problem and make you want to laugh and cry at the same time:

Numerous researchers have been warning about the vulnerabilities for years. But vendors have largely ignored the warnings and criticism because customers haven’t demanded that the vendors secure their products.

Have you heard the term "goat rope"? How about "goat rodeo"? This situation is definitely one of those ... and maybe both. Hope both the vendor and user sides figure out how to get their ducks in line, and fast.

Photo credit: Mike Baird at