
Month: March 2017

Webservers in a Dishwasher

The Register reports on CVE-2017-7240, a web server directory traversal in the Miele Professional PG 8528 dishwasher, a machine used in medical establishments to clean and properly disinfect laboratory and surgical instruments.

Yes, dishwashers (and many microwaves and ovens) now come with touch screens and network ports. Of course, as El Reg puts it:

Appliance makers: stop trying to connect to the Internet, you’re no good at it. ®

but in this case the web server even makes sense. The PG 8528 is a commercial washer and disinfector for hospitals and probably comes with remote service and diagnostics.

That makes it even worse that Miele has no security process for these devices at all:

And because Miele is an appliance company and not a pure-play IT company, it doesn’t have a process for reporting or fixing bugs.

Miele never responded to the bug report it received in November 2016.
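As an added illustration of the vulnerability class named above, and not the PG 8528 firmware or any Miele code: a minimal request-path mapping for an embedded web server, first in the naive form that lets a request escape the document root, then hardened, plus a check that flags traversal attempts in access-log lines (including the percent-encoded and double-encoded spellings). The document root /srv/www, the function names and the log lines are all constructed for this example.

```python
"""Directory traversal in a small embedded web server: a naive path mapping
beside a hardened one, plus an access-log check for traversal attempts.

Added example of the vulnerability class only. Not code from the PG 8528 or
from Miele; the document root and every request path below are constructed.
"""
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/www"          # assumed document root for the illustration


def resolve_naive(docroot, url_path):
    """Vulnerable: decodes the request path and appends it to the document
    root. '..' segments survive normalisation, so the result can leave docroot."""
    return posixpath.normpath(docroot + "/" + unquote(url_path))


def resolve_hardened(docroot, url_path):
    """Hardened: decode, reject NUL bytes, normalise, then refuse any result
    that is not docroot itself or a path below it. Returns None on refusal.
    A real server should also run os.path.realpath() on both sides so a
    symlink inside docroot cannot point outside it."""
    decoded = unquote(url_path)
    if "\x00" in decoded:            # NUL would truncate a C-string path
        return None
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def looks_like_traversal(url_path, max_decode_rounds=2):
    """True if the request path contains a parent-directory segment after up
    to max_decode_rounds rounds of percent-decoding. Catches '../', '..\\',
    '%2e%2e%2f' and the double-encoded '%252e%252e%252f'."""
    s = url_path
    for _ in range(max_decode_rounds + 1):
        segments = s.replace("\\", "/").split("/")
        if any(seg == ".." for seg in segments):
            return True
        decoded = unquote(s)
        if decoded == s:             # nothing left to decode
            break
        s = decoded
    return False


# Constructed access-log lines in common log format (not real device output).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Mar/2017:10:01:02 +0100] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [24/Mar/2017:10:02:31 +0100] "GET /../../../../etc/shadow HTTP/1.1" 200 1337
10.0.0.9 - - [24/Mar/2017:10:02:40 +0100] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1024
"""


def flag_traversal_requests(log_text):
    """Returns (client, path) for every request whose path looks like a
    traversal attempt. Parsing is deliberately minimal: the request line is
    the first double-quoted field, the client address the first token."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split('"')
        if len(parts) < 2:
            continue
        request = parts[1].split()
        if len(request) < 2:
            continue
        if looks_like_traversal(request[1]):
            hits.append((line.split()[0], request[1]))
    return hits


if __name__ == "__main__":
    for p in ("/index.html", "/status/../config.xml",
              "/../../../../etc/shadow", "/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{p:28} naive={resolve_naive(DOCROOT, p)!s:22} "
              f"hardened={resolve_hardened(DOCROOT, p)}")
    for client, path in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt from", client, path)
```

Note the split of responsibilities: the log check flags every `..` segment as an attempt, while the hardened resolver still serves `/status/../config.xml` because after normalisation it stays inside the document root. Only the resolver decides what is actually served; the detector exists so that probing shows up in monitoring even when it fails.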


The Interview in the Enterprise

See also an earlier article in the blog, and Why I Don’t Talk to Google Recruiters mentioned in the comments.

Where I work we have regular round tables, in which you can talk to and ask questions of middle management from departments other than your own. I had the opportunity to talk to a person who manages development priorities and staffs teams, and who of course has some insight into hiring and the interview process. That was very enlightening.

For example, finding people to hire in a large organisation is a hard job. The conversion rates at each stage are fairly constant, so to hire a given number of people you have to work through a roughly proportional, much larger number of resume reviews, phone screens and face-to-face interviews. Assume that for every three people you want to hire you need to sift through 100 resumes: that is 10.000 resumes to look at for 300 hires. And it cannot be automated.


Number of road casualties in London

In 2010 the Guardian ran an article about road casualties in London:

There you will find that the fall of 299 brought the annual total down from 3,526 killed or seriously injured on London’s roads in 2008 to 3,227 in 2009.

That’s an eight percent fall, which is pretty significant statistically. However, in human terms, the fact that well over 3,000 people were killed or seriously injured in both 2008 and 2009 seems rather more significant. That’s nine or ten a day, including 204 people killed in 2008 and 184 in 2009.

We still consider such numbers a normal loss of life.


Chrome considers Symantec CA rogue

Ryan Sleevi writes:

Since January 19, the Google Chrome team has been investigating a series of failures by Symantec Corporation to properly validate certificates. Over the course of this investigation, the explanations provided by Symantec have revealed a continually increasing scope of misissuance with each set of questions from members of the Google Chrome team; an initial set of reportedly 127 certificates has expanded to include at least 30,000 certificates, issued over a period spanning several years. […]

To balance the compatibility risks versus the security risks, we propose a gradual distrust of all existing Symantec-issued certificates, requiring that they be replaced over time with new, fully revalidated certificates, compliant with the current Baseline Requirements. […]

Given the nature of these issues, and the multiple failures of Symantec to ensure that the level of assurance provided by their certificates meets the requirements of the Baseline Requirements or Extended Validation Guidelines, we no longer have the confidence necessary in order to grant Symantec-issued certificates the “Extended Validation” status.