Wednesday, September 12, 2007

Security Anecdote Theater, episode 3

Ferris Wheel
Some years ago my wife and I took the kids to an amusement park and we decided to ride the Ferris Wheel. Curious as to how the thing worked, I started looking at the mechanicals as we waited in line- lots of big parts, but a pretty simple design. The drive system was a few large electric motors driving the steel outer rings of the wheel via automotive tires and wheels.

It looked like a good setup, well thought out and obviously designed with safety in mind- then the Ferris wheel stopped. The tires driving the wheel were retreads. An enormous and expensive machine, and they cut corners on the drive system to save maybe $100 on the tires. I immediately began to wonder where else they had cut corners. We rode anyway, but the ride was a lot more thrilling than a Ferris Wheel should be as we discussed the possible scenarios for a stunning and catastrophic failure.

You probably won't find retreads in your shiny new network and security devices- but when you look around you may find that some corners have been cut. Even if you can't perform code review yourself, you can and should look at the hardware for obvious weaknesses and poke at the system with tools like Nmap and Nessus.
Better to find and address issues before you put the systems in production.