Thread: [FRC Blog] Einstein Report Released
View Single Post
  #127   Spotlight this post!  
Unread 14-07-2012, 01:43
techhelpbb's Avatar
techhelpbb techhelpbb is offline
Registered User
FRC #0011 (MORT - Team 11)
Team Role: Mentor
  
Join Date: Nov 2010
Rookie Year: 1997
Location: New Jersey
Posts: 1,620
techhelpbb has a reputation beyond reputetechhelpbb has a reputation beyond reputetechhelpbb has a reputation beyond reputetechhelpbb has a reputation beyond reputetechhelpbb has a reputation beyond reputetechhelpbb has a reputation beyond reputetechhelpbb has a reputation beyond reputetechhelpbb has a reputation beyond reputetechhelpbb has a reputation beyond reputetechhelpbb has a reputation beyond reputetechhelpbb has a reputation beyond repute
Re: [FRC Blog] Einstein Report Released
Quote:
Originally Posted by Tom Line View Post
I disagree entirely. I don't believe anyone believes (or believed prior to Einstein) that the system is above flaw.
It's is in my experience over 17 years extremely common for people to assume that the field can not be the source of a problem. Often they are correct but that only makes it more troubling when they are not.

Quote:
Take any system, no matter how well designed, and subject it to 60,000 ambitious folks all playing with it and see how secure it is.
No problem I do that every day literally. Only it's more than 60,000 people. I do computer security for a living as well as operating a few businesses that work with computing, electronics, and electrical. We have lots of security problems and we do our best to identify, qualify, quantify, document and offer resolution.

Sometimes we get solutions and sometimes we do not.
If we don't get resolution then we know where to look when the trouble starts.

Quote:
This week's 'Yahoo' password hack displays just what happens when even the most competent network security is open for public interaction.
It's off topic but that's a bad example. Anyone competent wouldn't store a password in clear text in a database with that sort of exposure to risk. You pad, hash and salt (and it's very simple there are existing tools to do this for you). They obviously left this old stuff laying around without regard for the SQL injection attack that is all the vogue for XSS these days. In point of fact we've been using this as a wonderful example of exactly why I have a policy document for the developers to avoid this exact attack vector (they are only very lucky that it wasn't a black hat that went after them quietly). They were also not very forthcoming about the possibility of the scope of the breach as they have a XSS single sign on they implement. Worse...some people think it was 'Yahoo Voice' that was breached but there's another Yahoo service 'Yahoo Voices' (that's right it's one letter off and the reporters who have to handle the announcement are not keeping it straight). It's an example of everything you don't do if you value your security or your business before, during and after a breach.

I grant you they have lots of other security issues at Yahoo right now that I am well aware of as are plenty of others. Surely they are not the only company that fails to be vigilant or gets utterly complacent. I'm sure someone figured they were saving a dollar (and maybe they did).

However, not all breaches are equal. The more people know about a problem the more silly you will feel when you get nailed for it. FIRST's deauth vector is not new, Hack-A-Day exposed this very publicly last year and other sites well before that. All that was required to breach this? Download code.

Quote:
Someone WILL find a way in. Google, Microsoft, and even the stock market have been subject to security invasions as well.
Perhaps the most effective hack is not a hack at all. Social engineering is the easiest and most effective hack because it hacks people. However, you don't differentiate you consider them all the same. Social engineering hacks are also why what you write next will not be nearly effective as you think:

Quote:
I hate to say it, but in this situation security through obscurity is FIRST's best bet. The entire system needs to be removed from the consumer electronics spectrum that all these common tools are designed to work with. I.e. - standard a/b/g/n wireless needs to disappear. If this does not change and go to a proprietary system, I will 100% guarantee you WILL see this happen again.
Actually it doesn't matter what spectrum you use or how obscure. It's radio and it can be blocked cheaply and easily (though obviously illegally...but they gotta find you and prove it). As long as it's wireless denial of service will always be possible if you're willing to take enough risk as the attacker.

Obviously a band less frequently used will make it more obvious what you are doing. However once you commit to those frequencies without recourse they could hold you hostage long enough that the cost to continue will be extreme.

I don't actually disagree that they should move some of this from the bands where people accidentally could interfere with phones and such. I just don't think it matters as long as the field aspect is assured. So in that regard I think the field comm. specific stuff should be put somewhere and let anyone use WiFi for whatever they like. Let the users deal with the security issues, finding channels, and if you like give them a solution that ought to work in that regard but get out of the business of letting student written robot code interfere in field comms. The fields comm. stuff is generally unique to the competitions anyway, outside of the competitions WiFi is plenty workable.
Reply With Quote