Siemens SCADA Hacking Talk Pulled From TakeDownCon 104
alphadogg writes "A planned presentation on security vulnerabilities in Siemens industrial control systems was pulled Wednesday over worries that the information in the talk was too dangerous to be released. Independent security researcher Brian Meixell and Dillon Beresford, with NSS Labs, had been planning to talk Wednesday at a Dallas security conference about problems in Siemens PLC systems, the industrial computers widely used to open and shut valves on factory floors and power plants, control centrifuges, and even operate systems on warships. But the researchers decided to pull the talk at the last minute after Siemens and the US Department of Homeland Security pointed out the possible scope of the problem."
Re:Security through obscurity (Score:4, Informative)
It makes doing work more difficult, and there are still some attack vectors.
Re:Security through obscurity (Score:5, Informative)
"The vendor had proposed a fix that turned out not to work, and we felt it would be potentially very negative to the public if information was put out without mitigation being available." ... In the past, technology companies have threatened legal action against researchers, but Moy said that in this case the lawyers were not involved. "It's a temporary hold on the information; it's not that it's being buried," he said. "We just don't want to release it without mitigation being out there for the owners and operators of the SCADA equipment."
Hallelujah, Siemens gets it (Score:5, Informative)
A lot of people seem to want to scream about censorship, but they're missing the point. This is one of the best case scenarios I've seen in relations between companies and security researchers.
For those who can't be bothered to RTFA, here's a summary.
Researchers found a serious flaw. The company developed a fix. It turned out that the fix was flawed. The company told the researchers about the potential impact of giving the talk before the flaw was fixed, and the researchers voluntarily postponed the talk while a better fix is built.
That's it, and it looks like everybody did the best thing they could. Isn't this what we'd want Siemens to do? "You've got a right to give your talk, but we'd like you to postpone it. Here's why. Your call."
Re:"pointed out the possible scope of the problem" (Score:3, Informative)
Idiot.
First of all, don't you realize every time you make a joke about "anal probes" at the airport, you're being not-so-subtly homophobic? Same thing with prison-rape jokes. I'm about as much a fan of those jokes as I am of the acts.
Didn't you read the part where the DHS CERT (a part of US-CERT, which falls under DHS but has nothing to do with the TSA...) told NSS something like, "Um, guys, the patch Siemens released doesn't work, and there are thousands of these devices deployed all over the place, including the power plants in this here city.."
NSS decided to play it safe, they weren't forced to do anything. It's called responsible disclosure, and when Siemens gets their products fixed, it will be released.
But I know your type. You, my familial-basement-dwelling troll, assume coercion and conspiracy is how everything gets done by three-letter agencies. Ironic, considering you love to rant about how those same agencies assume everyone brown is a terrorist.
Bar none, the libertarian, open-source evangelizing, Apple/Microsoft bashing, EFF supporting types are some of the most bigoted, narrow-minded, reactionary, paranoid individuals I've ever met.
Re:Security through obscurity (Score:4, Informative)
And stuxnet was transmitted via USB sticks doing the sneakernet stuff...