• Risks Digest 31.36 (2/2)

    From RISKS List Owner@21:1/5 to All on Mon Aug 12 20:30:46 2019
    [continued from previous message]

    Subject: Researchers wrest control of one of world's most secure industrial
    controllers (The Times of Israel)

    “Siemens is aware of the research from Technion, Haifa and Tel-Aviv University to be presented at BlackHat USA 2019,” Siemens said in an emailed statement to The Times of Israel.

    In response, the firm recommended that users of the controller SIMATIC
    S7-1200/S7-1500 enable the feature `access protection' to prohibit
    unauthorized modifications of the devices. Siemens also recommended
    following and implementing the defense-in-depth approach for plant
    operations, and configuring the environment according to its operational
    guidelines for Industrial Security.

    https://www.timesofisrael.com/researchers-wrest-control-of-one-of-worlds-most-secure-industrial-controllers/

    Good response, "prohibit unauthorized modifications of the devices".

    ------------------------------

    Date: Thu, 8 Aug 2019 14:44:49 -0700
    From: Rob Slade <rmslade@shaw.ca>
    Subject: Writing about writing

    I came across a post on the ISC2 blog. It's an article by Chris Veltsos
    (*Dr.* Chris Veltsos, if you please, or, to his friends, Dr. Infosec) on
    "Writing Cybersecurity Articles--Getting Through the Tough Times." As the
    title somewhat implies, it's about how to get through writer's block when
    writing about infosec.
    https://blog.isc2.org/isc2_blog/2019/08/writing-cybersecurity-articles-getting-through-the-tough-times.html

    I'm really not sure how to take this.

    First off, if you work in infosec, you pretty much automatically have the
    best inspiration in the world. There is always something new happening in infosec. There is always something new happening that is applicable to infosec. Techies, in various fields, are always arguing about which field
    in high tech is the fastest moving. I figure infosec has a lock on it: whatever is happening, in whatever tech field, has security implications.

    As a bit of background, I've published four books. (Or six, depending on
    how you count them.) Over the years I've written monthly columns for at
    least three periodicals. For twenty years I had a project doing book
    reviews in technical literature. (Always at least weekly: often daily.)
    I've abandoned a number of blogs. Since I got into infosec I have *never*
    run out of things to write about. I don't have the *time* to write about everything I want to. (I desperately want voice recognition to get good
    enough to take dictation.)

    I don't understand "writer's block." I don't understand dry spells.
    (Fatigue, I could understand ...)

    So, then, to the specifics of what Chris has to say about it.

    He says you need motivation. (And aqueducts, apparently.) Oh, come on.
    You work in infosec. You are saving people's privacy, money, jobs. Your
    colleagues, your friends, your family. How is that not enough motivation?
    (Yeah, sure, the stupid things your colleagues, friends, and family do are
    sometimes depressing. So, take some time to yell at them via your writing
    ...)

    He says you need to think about why you are writing. Sorry, isn't that the
    same thing as your motivation? (Oh, unless you are just writing for
    self-promotion. Yeah, I could see how that could get pretty dry at times
    ...)

    He says you need to think about your writing "environment." Yeah, I hear
    about that all the time. Saw a movie last night that had a writer who
    couldn't write without everything just so in the "environment." Again,
    while I understand that having the building collapsing around you could be a distraction, I don't understand this "environment" business. I've written
    at home, on planes, in airports, on trains, at work between demands, on the bus, in coffee shops and restaurants, in hotels, and while waiting to be
    called to testify in court. You're writing about infosec. It needs to be done.

    He says you should think about pen and paper, if a computer doesn't do it
    for you. OK, if necessary. I mostly use a computer, or laptop, or
    something with a keyboard. I've used tablets and smartphones. (I *hate*
    soft keyboards.) I've used pen (or even pencil) and paper. (My handwriting
    is terrible. Always has been.) (But I've always wanted to try out those
    pens that save what you've written ...) I've used whiteboards, blackboards, chalk, or a piece of burnt stick on a rock. Whatever works.

    His last three suggestions are, basically, give it a rest and come back to
    it. OK. I've often got multiple bits on the go, so I might leave one for a time and concentrate on others.

    But I'm writing about infosec. There's too much to leave it for long ...

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.36
    ************************
