- Email: [email protected]
Blaming the victim
Computers and Security, Vol. 16, No. 6
Title: Author:
Embedded Systems: The Other Problem Alasdair Kemp, Institution of Electrical Engineers
Some cameras have displays which show dates, and allow the date to be printed on the pictures.The date can also be used as a control, for example, to prevent double exposures. On 1 January 2000 there are three possibilities. Probably the date will show up correctly and the camera will operate properly. But the camera might be annoying and show a peculiar date and need to be reset. The worst case would be if the camera stopped working because you are trying to take pictures at a date earlier than the date of the first picture, so it ‘knows’ that something is wrong. This could be very annoying for the camera owner. It could create serious difficulties for camera shops and camera manufacturers. Now imagine that there are many video cameras operating automatically and linked together as a security and safety system intended to protect the public and prevent malicious damage to equipment by preventing illegal access. If that system does not operate properly someone might get killed; or the entire plant might have to close down; the operating company might go out of business, there could be knock-on effects for other companies and for the general public; these could affect general safety and security. These scenarios are more than merely annoying. The problems with date information in embedded systems are that: no one knows how many embedded systems there are and where they are (except that they are ‘everywhere’), and they are not always easy to detect no one knows which .devices depend on date information in embedded systems l
l
there are very many different ways in which the problem might show up, and we keep finding new ones it is d&cult to get the information needed to decide which systems are at risk both business knowledge and technical skills are needed to decide where the risk is high and a particular system needs to be given priority the proportion of really significant cases may be quite low but all systems have to be considered the date problem first showed up in computers used for business many years ago; its significance for embedded systems was not appreciated until quite recently Embedded systems and the devices which contain them have been very useful and commercially successful.As a result they have been used in ever more innovative ways for a larger number of purposes, for longer, and by many more companies than their original designers could have imagined to be possible.
CLOSING ADDRESS: Title: Author:
Blaming the Victim Eugene Spafford, Purdue University
Whenever a new security incident occurs the victim tends to blame the hackers, the authorities blame the corn uter underground, (one or two loonies blame UF 8 s), and the hacker community blames the victim. Blame the victim?! Whatever for? The victim didn’t commit the crime! This paper will examine the premise that erhaps the victim does share the blame. We know w% at makes ood security: good policy, investment in resources, c i oice of quali software, and on-going training. However, too many 7 otential) victims fail to a ply the knowled e so har CQ -won by others. Perhaps tK ey really are to b7 ame for what happens.
527
Title: Author:
Embedded Systems: The Other Problem Alasdair Kemp, Institution of Electrical Engineers
Some cameras have displays which show dates, and allow the date to be printed on the pictures.The date can also be used as a control, for example, to prevent double exposures. On 1 January 2000 there are three possibilities. Probably the date will show up correctly and the camera will operate properly. But the camera might be annoying and show a peculiar date and need to be reset. The worst case would be if the camera stopped working because you are trying to take pictures at a date earlier than the date of the first picture, so it ‘knows’ that something is wrong. This could be very annoying for the camera owner. It could create serious difficulties for camera shops and camera manufacturers. Now imagine that there are many video cameras operating automatically and linked together as a security and safety system intended to protect the public and prevent malicious damage to equipment by preventing illegal access. If that system does not operate properly someone might get killed; or the entire plant might have to close down; the operating company might go out of business, there could be knock-on effects for other companies and for the general public; these could affect general safety and security. These scenarios are more than merely annoying. The problems with date information in embedded systems are that: no one knows how many embedded systems there are and where they are (except that they are ‘everywhere’), and they are not always easy to detect no one knows which .devices depend on date information in embedded systems l
l
there are very many different ways in which the problem might show up, and we keep finding new ones it is d&cult to get the information needed to decide which systems are at risk both business knowledge and technical skills are needed to decide where the risk is high and a particular system needs to be given priority the proportion of really significant cases may be quite low but all systems have to be considered the date problem first showed up in computers used for business many years ago; its significance for embedded systems was not appreciated until quite recently Embedded systems and the devices which contain them have been very useful and commercially successful.As a result they have been used in ever more innovative ways for a larger number of purposes, for longer, and by many more companies than their original designers could have imagined to be possible.
CLOSING ADDRESS: Title: Author:
Blaming the Victim Eugene Spafford, Purdue University
Whenever a new security incident occurs the victim tends to blame the hackers, the authorities blame the corn uter underground, (one or two loonies blame UF 8 s), and the hacker community blames the victim. Blame the victim?! Whatever for? The victim didn’t commit the crime! This paper will examine the premise that erhaps the victim does share the blame. We know w% at makes ood security: good policy, investment in resources, c i oice of quali software, and on-going training. However, too many 7 otential) victims fail to a ply the knowled e so har CQ -won by others. Perhaps tK ey really are to b7 ame for what happens.
527