It's like rattling on a door to break in...
... and have the whole house collapse.
Of course nobody blames Deutsche Telekom for having their TR-069 open to all the world instead of limiting it to the IP-range of their ACS servers.
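The restriction the comment argues for can be expressed as an allowlist check. The following is an added example, not code from the original thread or from Deutsche Telekom: it applies the policy "accept connections to the CPE's TR-069 (CWMP) port only from the operator's own ACS address ranges" to a set of constructed connection attempts, and renders the same policy as an nftables ruleset. The ACS ranges are made-up documentation prefixes, and 7547/tcp is assumed as the CWMP port (the IANA assignment for cwmp); an operator would substitute its real ACS prefixes.

```python
"""Added example (not from the original thread): ACS-only policy for the
TR-069/CWMP management port, evaluated over constructed connection attempts
and rendered as an nftables ruleset.

Assumptions not stated in the thread: the ACS ranges below are hypothetical
documentation prefixes, and 7547/tcp is used as the CWMP port.
"""
import ipaddress
from typing import Iterable

CWMP_PORT = 7547  # assumed CWMP port (IANA assignment for cwmp)

# Hypothetical ACS address ranges; an operator would substitute its real ones.
ACS_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:ac5::/48"),
]


def cwmp_allowed(src: str, dst_port: int, acs_ranges=ACS_RANGES) -> bool:
    """Return True if the connection is accepted under the ACS-only policy.

    Traffic to other ports is outside this policy's scope and passes through;
    traffic to the CWMP port is accepted only from an ACS range.
    """
    if dst_port != CWMP_PORT:
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in acs_ranges)


def filter_attempts(attempts: Iterable[tuple[str, int]], acs_ranges=ACS_RANGES):
    """Split (src, dst_port) pairs into accepted and dropped lists, in order."""
    accepted, dropped = [], []
    for src, port in attempts:
        target = accepted if cwmp_allowed(src, port, acs_ranges) else dropped
        target.append((src, port))
    return accepted, dropped


def nft_ruleset(acs_ranges=ACS_RANGES) -> str:
    """Render the same policy as an nftables 'inet' table: accept the CWMP port
    from the ACS ranges, drop it from everywhere else, leave other ports alone."""
    v4 = [str(n) for n in acs_ranges if n.version == 4]
    v6 = [str(n) for n in acs_ranges if n.version == 6]
    lines = [
        "table inet cwmp {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
    ]
    if v4:
        lines.append(f"    ip saddr {{ {', '.join(v4)} }} tcp dport {CWMP_PORT} accept")
    if v6:
        lines.append(f"    ip6 saddr {{ {', '.join(v6)} }} tcp dport {CWMP_PORT} accept")
    lines.append(f"    tcp dport {CWMP_PORT} drop")
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed sample: three probes from outside the ACS ranges, one IPv4 and
# one IPv6 ACS session, and one unrelated port that the policy leaves alone.
SAMPLE_ATTEMPTS = [
    ("198.51.100.7", 7547),
    ("203.0.113.42", 7547),
    ("192.0.2.9", 7547),
    ("2001:db8:ac5::10", 7547),
    ("198.51.100.7", 443),
]

if __name__ == "__main__":
    ok, bad = filter_attempts(SAMPLE_ATTEMPTS)
    print("accepted:", ok)
    print("dropped:", bad)
    print(nft_ruleset())
```

The ordering matters in the rendered ruleset: the ACS accept rules must precede the catch-all drop for the port, and the chain's default policy stays "accept" so that the rule only touches the management port rather than the CPE's other traffic.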
UK police have arrested a suspect in connection with an attack that infected nearly 1 million Deutsche Telekom routers last November. The as-yet-unnamed 29-year-old British suspect was arrested at a London airport by officers from the UK's National Crime Agency (NCA) on Wednesday, Reuters reports. The attack on Germany's …
Of course nobody blames Deutsche Telekom for having their TR-069 open to all the world instead of limiting it to the IP-range of their ACS servers.
If you find a weakness, you inform the owner or operator. If you use it to cause harm, you are committing a criminal act. If you're smart enough to find such a weakness, it can be safely assumed that you also know right from wrong, so if the evidence is solid I have zero problems with people like this being locked up.
@Anonymous Coward
My reading of Mr (my assumption) Berger's original post does not reveal, to my limited wit, any view that the perpetrator, if the suspect did indeed perpetrate the penetration, should not suffer consequences.
What I did read was a prediction/opinion that the company penetrated will suffer _no_ consequences (legally or financially at least) for not bolting the stable door properly in the first place.
While no infrastructure or application can ever be declared 'impenetrable', bean counters and people whose bonuses depend on short-term cost cuts and shorter-term apparent profits will never decide to spend money on stable door bolts until and unless there is a penalty (and a painful one) for not doing so.
At least, that's my view. Of course, I'm an Idiot... (blush).
While no infrastructure or application can ever be declared 'impenetrable', bean counters and people whose bonuses depend on short-term cost cuts and shorter-term apparent profits will never decide to spend money on stable door bolts until and unless there is a penalty (and a painful one) for not doing so.
You have highlighted a genuine problem. How long should elapse between market release and hack before any decision is made about the security of a device? At one end of the scale, anything that gets hacked within a day or two of going into service clearly has inadequate security. If, however, the product survives (say) three years before succumbing to an attack, would you come to the same conclusion? If you would, at what point would you come to a different conclusion? As you yourself said, "no infrastructure or application can ever be declared 'impenetrable'", so how long between release and hack can be described as "adequate" or better?
I'm all for punishment of the C Suite for a multitude of reasons but there has to be a degree of fairness to it, even if only a teensy weensy little bit.
How long should elapse between market release and hack before any decision is made about the security of a device?
Industry standard is 6 months.
If the manufacturer doesn't make any responses, then you can either publish the exploit/vulnerability (minus the codes or procedures) or "take it to the next level".