Today, in LA, Hikvision hosted its first cybersecurity road show in the USA:
Inside, we share feedback, good and bad, from the show.
That sign is hilarious. No recording devices allowed for the protection of the attendees? If recording devices are that dangerous, why does Hikvision manufacture them? Ya, I'm being funny and not at the same time.
That sign was obviously done so Hik could control the outcome of their damage control road show without those meddling kids at IPVM.
Good - Chuck Davis. Davis was polished, knowledgeable and passionate about cybersecurity.
Mixed - The presentation was heavy on basics and the theme that everything has cybersecurity vulnerabilities (e.g., Microsoft) and that therefore Hikvision is just like everyone else.
A slide showing A*** and D****, contrasting to Axis and Dahua, made the case that Hikvision was better than them.
Hikvision becoming a CVE Numbering Authority to report their vulnerabilities was cited as another validation.
Bad - Attendance was quite poor with only ~60 attendees, even including Hikvision's many employees in attendance.
When someone in the audience asked about getting OEM firmware updates for vulnerabilities, Hikvision VP Jeremy Howard noted that it depended on the contract and how much they spend, which undermined Davis's emphasis on cybersecurity.
There was no discussion about the Chinese government nor any impact of Hikvision being controlled by the Chinese government.
Hikvision becoming a CVE Numbering Authority to report their vulnerabilities was cited as another validation.
I saw that a couple of weeks ago. My first thought was "Hikvision must be planning to have a LOT of new CVEs if they feel it is worthwhile to be an NA".
Maybe HIK will be 'the' central POC of CVE NA for all CCTV vulnerabilities? ;)
Mixed - The presentation was heavy on basics and the theme that everything has cybersecurity vulnerabilities (e.g., Microsoft) and that therefore Hikvision is just like everyone else.
Actually more or less true statement.
The statement itself is true, much like the statement 'everyone makes mistakes' is true but it's also misleading since their underlying point is to say that everyone is the same.
I don't find it misleading, it's facts - all manufacturers, regardless of industry, suffer from the same mistakes, in one way or another.
The main points are, 1) how can the manufacturer minimise the 'mistakes' (education/punishments.. etc?), 2) How will the manufacturer own the vulnerability of the mistake(s)?
Mistakes will be made - and it's there - simple facts, and no escape from that.
(I don't even recall how many times I've said the same thing here on IPVM, but maybe in different wordings)
Mistakes will be made but as in any domain, the amount and severity of mistakes will vary.
Also, there is the other factor of whether these things are mistakes or are done maliciously.
Thoughts?
I thought we were now talking about vulnerabilities, not backdoors... backdoors are NOT vulnerabilities. period.
BTW, good example of how to own vulnerabilities:
Today I saw +30 advisories from Cisco, all with CVE, reported by Cisco itself.
How about that Hik/Dahua/Geovision/XM/Axis/TVT/Avtech/whatever?
One myth, ironically, is their claim about 'great turnout', even their own marketing image shows mostly empty seats:
That's a lot of money and time to spend for such a poor turnout.
This "event" follows Hik's philosophy... If you spend a ton of money and say it's great... it's gotta be great, regardless of the truth!
Isn't that the opposite of their philosophy? "Why spend so much for A*** or A****** or H***** cameras, when ours are better and cost less money?"
Sean, you are totally correct, but I was just speaking to their never ending marketing and outreach spending.