Hacker News new | past | comments | ask | show | jobs | submit login

> There is no good reason for any of these devices to have a public IP address.

That's a bold statement to make for someone who, I'm assuming, has absolutely no idea what these systems are or what the company wants to do with them.

Security policy is super easy when you don't actually have to get anything done.




As somebody who is responsible for security policy: there is no good reason for any of these devices to have a public IP address. Full stop. We did fine back when they weren't networked, we don't need to start now.


What do you know about these devices or the company's requirements?

You're making a lot of assumptions because you're a know-it-all on the internet.


If a safety system is on the Internet, it is no longer safe. I don't see why this is so hard for people to understand - if these things get hacked, best-case is a bunch of actual physical productivity is lost; worst-case is that people fucking die.

You idiots don't stop to think about if you should do something, just because you can. Internal networks with an airgap are somewhat more acceptable, but the public Internet or accessible from a device that can be pivoted to is completely unacceptable.


Assumption made: the safety system mentioned had anything at all to do with the safety of human beings. For all we know, this is an entirely lights-out operation.

From the article, it sounds more like these were systems designed to protect the equipment, which they did. A loss of productivity due to equipment failing or being destroyed has an associated cost. If that cost, factoring in the probability of that event, is less than the cost of not having these things remotely accessible (however that is determined), then the math is pretty clear about what choice you make.

Even if humans are involved, that's just another cost to factor in. People get killed in work accidents all the time.

This is the problem with "security people". Their only care in life is stopping attacks, so they don't give a damn what the cost is and how it relates to the rest of the organization. We take calculated risks every single day, and if we didn't, nothing would ever get done.


>From the article, it sounds more like these were systems designed to protect the equipment, which they did. A loss of productivity due to equipment failing or being destroyed has an associated cost. If that cost, factoring in the probability of that event, is less than the cost of not having these things remotely accessible (however that is determined), then the math is pretty clear about what choice you make.

People are not good at figuring out probabilities of events like being hacked - and that's assuming somebody even thought about that as a possibility, which is not at all a given in an industrial setting. The smaller factories that have clung to life here in the Midwest, for example, basically have one 'computer guy' who knows enough to keep things going.

>Even if humans are involved, that's just another cost to factor in. People get killed in work accidents all the time.

This reads like you think that people dying is acceptable risk to take. I'm going to leave it at that, lest I just call you a bunch of unpleasant names for an entire paragraph.

>This is the problem with "security people". Their only care in life is stopping attacks

It's as if that's my fucking job or something, eh?

>so they don't give a damn what the cost is and how it relates to the rest of the organization. We take calculated risks every single day, and if we didn't, nothing would ever get done

Sure we care. An airgapped internal network for this sort of thing would be an acceptable compromise for accessing something remotely. The public Internet is stupid to the point of gross irresponsibility.


> An airgapped internal network for this sort of thing would be an acceptable compromise for accessing something remotely.

Do you even listen to yourself? Do you understand the concept of "remote"?

>This reads like you think that people dying is acceptable risk to take.

Yes, clearly this is a ridiculous notion. No one ever signs up for things that carry a risk of death like driving, being a soldier, or getting shot into space.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: