Hi Sapphire Wyvern -

I'm the research lead of the Project Basecamp team, so hi.

I did hem and haw about releasing exploit tools for the vulnerabilities, but the truth is that Digital Bond tried informing the vendors years and years ago about these vulnerabilities. Starting in 2001, DB simply told people about the problems. In 2006 DB started releasing Nessus checks to demonstrate that PLCs were vulnerable without releasing the exact 'how' to exploit them. Neither path worked...we heard from more lawyers than engineers. Now that we're releasing exploit tools and causing bad days for the vendors and (unfortunately) end users, vendors are starting to come around and listen.

It stinks, but that's what has been required. Some vendors are taking the issues seriously, others are not. The ones that aren't are going to see a lot more pressure from us, I think...

Reid

See http://www.ted.com/talks/rob_reid_the_8_billion_ipod.html . Perhaps the iPhone is worth $8 billion (I mean, you are technically stealing every song on the iPhone as well as the phone itself).

I'll seventeenth the GQ-4X. I have a bunch of adapters, some soldering tongs, and the like for reverse engineering and reprogramming chips. It's been a great programmer, works fine under virtualization (I use it on a mac, using a windows guest VM, inside of VMWare Fusion. It does not work to share this with a guest under Virtualbox, but Virtualbox is crap for USB support).

I grabbed mine from mcumall also. It's been a very reliable (with one exception) programmer.

My only problem with mcumall's parts was one of their PLCC32 adapters was laid out wrong. It promised to work with a particular Atmel chip, but had one of the address lines swapped with the 'read' strobe, which made for very confusing output until a friend exhibited the intelligence to trace the adapter out. My buddy cut the trace on the board and blue-wired the adapter, since then it has worked fine.

This is what "I wonder if...," means. A request for all parts of the source to which an owner of the product is entitled would tell for sure.

According to Digital Bond, Beresford's PLC runs Linux. Cue the GPL requests for Siemen's source code now (I wonder if the backdoor username and password are hard-coded into a GPL's utility :)).

Disclosure: I work for Digital Bond.

Reid

You could probably configure it to send the files to the bitbucket, sure. A lot of times an open file server would be used to host malicious software (so some exploit says to grab its payload from ftp://yourftpserver/uploadedfile.exe). In thise case the files would be interesting for a honeypot to capture, so that they could be analyzed to see what the malicious payload is doing.

Dionaea has a nice FTP honeypot. It will even let bad guys (or bad automated programs) upload files. It's available here [carnivore.it].

Be careful, of course. You want to be safe in case these attacks are automated tools doing something icky like uploading kiddie porn or illegal music to your honeypot...(I'm not sure which would be worse).

I learned Linux by installing it on my desktop and forcing myself to run it as my primary OS. What taught me the most? When things went wrong.

I recommend coming up with ways to break the computer wherein fixing it will cause learning. Start by assigning the use of a utility or system service that is actually configured incorrectly and isn't running. This teaches things like: run the program from the command-line to see what it is outputting to stdout, look at log files, edit configuration text files. Make things harder by breaking boot services, changing the xserver configuration so that it starts as a command-line, etc. Finish by breaking grub, or deleting /etc/passwd and forcing them to boot into single-user mode to fix things.

Troubleshooting a computer is the best way to learn...

I recommend that anyone interested in the issue of 'subjective reality' read Farhad Manjoo (of Slate Magazine)'s "True Enough: Learning to Live in a Post-Fact Society". It's quite a fascinating look at the issue of our new media landscape...

What upsets me the most is that if I legally purchase windows for my computer I am limited on how much I can upgrade

Sadly you didn't purchase windows, you licensed it. Welcome to the world: intellectual property gets all the protection that physical property gets, with none of the 'disadvantages' (ability to loan, etc).