[Info-vax] OpenVMS versus Windows/GE Telemetry Control Systems.
David Froble
davef at tsoft-inc.com
Wed Jan 16 12:40:08 EST 2013
Simon Clubley wrote:
> On 2013-01-15, David Froble <davef at tsoft-inc.com> wrote:
>> Well, if you're not going to go along with my light hearted approach,
>> then all I'll say on the matter is that people are supposed to know what
>> they are doing, or they should not be doing it.
>>
>> I'm sure there are lots of ways to 'vet' a USB memory stick before using
>> it in a secure environment. I'm sure there are many other methods of
>> ensuring malware doesn't reach vital systems.
>>
>
> And what happens when that USB stick, in addition to declaring itself as
> a mass storage device also decides to declare itself as a HID keyboard
> so that it can enter commands ? :-)
>
>> To me, one of the few things that I can think of is computer systems
>> that know how to vet anything fed to them, and do so. Variations on
>> that theme might be the "sandbox" approach you seem to favor, software
>> that can be set up to accept only certain things and rejects anything
>> else, and such. No autorun stuff that can get at the OS. Just specific
>> applications for accepting valid data.
>
> You don't need autorun to get at the OS if you are targeting a specific
> site and can arrange for your own USB stick to be plugged into a system
> on that site.
>
> IOW, you might think to vet files on a mass storage device before
> allowing access, but did you also think to vet something which looks
> like a keyboard ?
>
> Simon.
>
You just did ..
:-)
I'm not saying I got all the answers. What I'm saying is the approaches
used today just aren't adequate. The problem is, most don't care,
aren't going to change, and are going to sooner or later get raped. I,
or anyone else, can't help someone that doesn't want to be helped.
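
The check raised in the quoted exchange, vetting what a USB device declares itself to be and not only the files on it, is sketched below as an added example that is not part of either poster's message. It walks a raw USB configuration descriptor and reports every interface whose class is outside what a plain memory stick should present; the function names and the sample descriptor bytes are constructed for illustration, while the class codes are the standard USB-IF values.

```python
import struct

# Standard USB-IF class codes and descriptor type
CLASS_HID = 0x03
CLASS_MASS_STORAGE = 0x08
DT_INTERFACE = 0x04  # bDescriptorType of an interface descriptor


def interfaces(config_desc: bytes):
    """Yield (class, subclass, protocol) for each interface descriptor."""
    i = 0
    while i + 2 <= len(config_desc):
        length, dtype = config_desc[i], config_desc[i + 1]
        if length < 2 or i + length > len(config_desc):
            raise ValueError(f"malformed descriptor at offset {i}")
        if dtype == DT_INTERFACE and length >= 9:
            # bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol
            yield tuple(config_desc[i + 5:i + 8])
        i += length  # skip endpoint, HID and other descriptors


def vet(config_desc: bytes, expected=frozenset({CLASS_MASS_STORAGE})):
    """Default-deny: return every interface triple outside the expected set.

    Any HID interface is reported, because a non-boot HID interface can
    still act as a keyboard through its report descriptor.
    """
    return [t for t in interfaces(config_desc) if t[0] not in expected]


def is_boot_keyboard(triple):
    # HID boot-interface keyboard: class 3, subclass 1, protocol 1
    return triple == (CLASS_HID, 0x01, 0x01)


# --- constructed sample descriptors (not captured from real hardware) ---
def _iface(num, cls, sub, proto):
    return bytes([9, DT_INTERFACE, num, 0, 0, cls, sub, proto, 0])


def _config(*parts):
    body = b"".join(parts)
    n = sum(1 for p in parts if p[1] == DT_INTERFACE)
    return struct.pack("<BBHBBBBB", 9, 2, 9 + len(body), n, 1, 0, 0x80, 50) + body


HID_CLASS_DESC = bytes([9, 0x21, 0x11, 0x01, 0, 1, 0x22, 0x3F, 0])
PLAIN_STICK = _config(_iface(0, CLASS_MASS_STORAGE, 0x06, 0x50))
COMPOSITE = _config(_iface(0, CLASS_MASS_STORAGE, 0x06, 0x50),
                    _iface(1, CLASS_HID, 0x01, 0x01), HID_CLASS_DESC)
```
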