2 Technical Considerations for Secure Software Updates
Pages 14-18



From page 14...
... VULNERABILITIES IN OLDER SYSTEMS

As a graduate student 17 years ago, Fu focused on creating secure, scalable, high performance software updates. At that time, software updates were made via RPM Package Managers (RPMs)
From page 15...
... Unfortunately, many software products still do not use proper authentication, leaving this channel open to exploitation, Fu said. Antivirus software can cause other problems as well; Fu described an instance when the system at a Rhode Island hospital accidentally misclassified a critical Windows DLL as malicious, and the hospital's admission systems ground to a halt, forcing the hospital to stop admitting patients except for those with gunshot wounds.
From page 16...
... each have, for example. Philips, a maker of medical devices and other electronics, is considering providing consumers with a list of the software components used on its devices, so that they have a better understanding of the risks they take when using each product, Fu noted.
From page 17...
... LEGAL MECHANISMS FOR DISCLOSURE AND UPDATES

In the discussion, Eric Grosse, an independent consultant, wondered if it were possible, legally, to attach a copyright notice to open-source tools in such a way that it would be possible to extract a list of all the software components operating in the system and their respective version numbers, thus allowing a user to more accurately assess whether updates are needed. While recognizing that the legal questions involved in such a solution are better answered by a lawyer, from a technical perspective, Fu suggested such a solution would find some support in the National Institute of Standards and Technology (NIST)
From page 18...
... Fred Schneider added that it may sometimes be feasible to update an associated part of the software system but not necessarily the device itself. In the recent Mirai attack, for example, a firewall from the Internet service providers could have been used to address the large amount of traffic coming from the devices, thus compensating for the fact that the device manufacturers had not built sufficient protections into the affected devices themselves.

