Jump to content

LabVIEW Security Vulnerability


Recommended Posts

As for the .net secure comm, I didn't go too deep into it, I simply trust the .net department when they say it is secure. 

I'll ask them in our next meeting.

As for the certification of code in the community and inside NI... I feel very much like the CERN guy from the video.

No one is concerned with security. They just check for functionality, calibration, maintainability, licenses and safety.

The only solution I see is the agreement defining the limited responsibility

Link to comment
1 hour ago, 0_o said:

As for the .net secure comm, I didn't go too deep into it, I simply trust the .net department when they say it is secure. 

I'll ask them in our next meeting.

As for the certification of code in the community and inside NI... I feel very much like the CERN guy from the video.

No one is concerned with security. They just check for functionality, calibration, maintainability, licenses and safety.

The only solution I see is the agreement defining the limited responsibility

You may also be interested in the responses when I posed the question Security? Who cares?. I don't think much has changed since then.

Link to comment

LOL, you could have started with this post saying that you already talked this issue over there. Thanks.

It's always nice to read stuff that Jack, you and the rest of the old folks here write about yet it didn't calm me at all. 

It is as if we are all experts here, real programmers and physics/elec engs yet when it comes to security we just finished kindergarten and we heard of another big world out there from rumors.

  • Like 1
Link to comment
On 7/19/2018 at 2:43 PM, 0_o said:

It is as if we are all experts here, real programmers and physics/elec engs yet when it comes to security we just finished kindergarten and we heard of another big world out there from rumors.

It may not help to calm you down at all, but even many of the security experts just know barely what they are talking about. It's a special world and the really tricky part is that what is considered safe enough today is already tomorrow outright inadequate. A computer from just 10 years ago wouldn't survive even a single day nowadays when connected to the net without being compromised in some ways, and even fully up to date computer systems are under continuous attack when they are visible in any way to the big dangerous net out there.

You can only hope that your network modem will keep your internal network invisible and that the modem itself hasn't been compromised in some way already. Mirai and friends don't only can be used to attack network cameras but just about any network appliance.

Link to comment
On 7/20/2018 at 3:00 PM, rolfk said:

It may not help to calm you down at all, but even many of the security experts just know barely what they are talking about. It's a special world and the really tricky part is that what is considered safe enough today is already tomorrow outright inadequate. A computer from just 10 years ago wouldn't survive even a single day nowadays when connected to the net without being compromised in some ways, and even fully up to date computer systems are under continuous attack when they are visible in any way to the big dangerous net out there.

You can only hope that your network modem will keep your internal network invisible and that the modem itself hasn't been compromised in some way already. Mirai and friends don't only can be used to attack network cameras but just about any network appliance.

Well. Just to fan the flames of fear a bit more :D . I worry more about all the web/DNS servers, updaters, databases and weird and wonderfully named background tasks/services,(some of which I have no idea what they are for) that get installed by NI out-of-the-box, than tricksy code like that. I try and push that sort of defence problem to IT. However, when you install LabVIEW the attack surface increases 100 fold.

It would be helpful if NI produced a document detailing all the services and background apps - what they do, what they are for and, more importantly, what LabVIEW features rely on which. A lot of them could also be on-demand rather than continuously running as I have found out by trial and error.

Edited by ShaunR
Link to comment

The problem is not only with those services.

When I need to send someone an exe that says hello world I need to send along LV Runtime with a lot of functionality that my exe doesn't actually require.

It is the same with .net but this is not the case in python for example.

The fundamental issue can be compared to VM vs dockers:

In the VM you have a complete OS with all the security and tools while in the case of a docker you only take the functionality you actually need with you.

Maybe a VM can get you better in depth security but a docker has much less attack surface.

Edited by 0_o
Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.