Author: kris

Webservers in a Dishwasher

The Register reports on CVE-2017-7240, Web Server Directory Traversal in the Miele Professional PG 8528 Dishwasher (which is used in medical establishments to clean and properly disinfect laboratory and surgical instruments).

Yes, dishwashers (and many microwaves and ovens) now come with touch screens and network ports. Of course, as El Reg puts it:

Appliance makers: stop trying to connect to the Internet, you’re no good at it. ®

but in this case the webserver even makes sense. The PG 8528 is a commercial washer and disinfector for hospitals and probably comes with remote service and diagnostics.

That makes it even worse that Miele has no security process for these devices at all:

And because Miele is an appliance company and not a pure-play IT company, it doesn’t have a process for reporting or fixing bugs.

Miele never responded to the bug report it received in November 2016.

The Interview in the Enterprise

See also an earlier article in the blog, and Why I Don’t Talk to Google Recruiters mentioned in the comments.

Where I work we have regular round tables, in which you can talk to and ask questions of middle management from departments other than your own. I had the opportunity to talk to a person who manages development priorities and staffs teams, and who of course has some insight into hiring and the interview process. That was very enlightening.

For example, finding people to hire in a large organisation is a hard job. Hiring rates are fairly fixed, so in order to find people to hire you need to go through a relatively fixed, larger number of resume reviews, phone screens and face-to-face interviews. Assume that for every three people you want to hire you need to sift through 100 resumes: that’s 10,000 resumes to look at for 300 people to hire. And it cannot be automated.

Number of road casualties in London

In 2010 the Guardian ran an article about road casualties in London:

There you will find that the fall of 299 brought the annual total down from 3,526 killed or seriously injured on London’s roads in 2008 to 3,227 in 2009.

That’s an eight percent fall, which is pretty significant statistically. However, in human terms, the fact that well over 3,000 people were killed or seriously injured in both 2008 and 2009 seems rather more significant. That’s nine or ten a day, including 204 people killed in 2008 and 184 in 2009.

We still consider such numbers a normal loss of life.

Chrome considers Symantec CA rogue

Ryan Sleevi writes:

Since January 19, the Google Chrome team has been investigating a series of failures by Symantec Corporation to properly validate certificates. Over the course of this investigation, the explanations provided by Symantec have revealed a continually increasing scope of misissuance with each set of questions from members of the Google Chrome team; an initial set of reportedly 127 certificates has expanded to include at least 30,000 certificates, issued over a period spanning several years. […]

To balance the compatibility risks versus the security risks, we propose a gradual distrust of all existing Symantec-issued certificates, requiring that they be replaced over time with new, fully revalidated certificates, compliant with the current Baseline Requirements. […]

Given the nature of these issues, and the multiple failures of Symantec to ensure that the level of assurance provided by their certificates meets the requirements of the Baseline Requirements or Extended Validation Guidelines, we no longer have the confidence necessary in order to grant Symantec-issued certificates the “Extended Validation” status.

Electric car confusion

Autoblog’s headline reads: The race for autonomous cars is over. Silicon Valley lost. The point they want to make is:

To paraphrase Elon Musk, Silicon Valley is learning that “Making rockets is hard, but making cars is really hard.” People outside of the auto industry tend to have a shallow understanding of how complex the business really is. They think all you have to do is design a car and start making it. But most startups never make it past the concept car stage because the move to mass production proves too daunting.

and

Yet, while companies like Google and Apple are giving up on making cars, they’re not giving up on the auto industry. There is another area where Silicon Valley could play a dominant role and it’s all about accessing car-based data.

It’s about the margins – making a thing gives you around 10% markup, making things out of data gives you much, much higher margins. This also frames the current discussions about privacy within the German government, and who is to own your data (hint: not you), especially when you drive.

Tractor hacking and the right to repair

Vice Motherboard has an article about US farmers hacking their John Deere tractors, because the software in the machinery comes with very restrictive conditions.

To avoid the draconian locks that John Deere puts on the tractors they buy, farmers throughout America’s heartland have started hacking their equipment with firmware that’s cracked in Eastern Europe and traded on invite-only, paid online forums.[…]

“If things could get better, [companies like John Deere] should be forced to freely distribute the same software dealers have,” they said. “And stop locking down [Engine Control Module] reading functionality. They do this to force you to use their services, which they have a 100 percent monopoly on.”[…]

“What happens in 20 years when there’s a new tractor out and John Deere doesn’t want to fix these anymore?” the farmer using Ukrainian software told me. “Are we supposed to throw the tractor in the garbage, or what?”