Domain: us-cert.gov
Stories and comments across the archive that link to us-cert.gov.
Comments · 231
-
Re:What I don't get is why scammers are tolerated.
"Robo calls make me not want to own a phone at all. I get a couple each week, and they distract me from day. Today one woke me up. Robo calls should be illegal, including political robo calls."
Because every lawmaker will vote for that..
"There should be a way to disable text messages on phones. The phone company's dirty secret is that they over charge for text messages so they don't want to provide this service. Every time some spammer sends me scam bait, it costs me .10."
You do realize there is a way to do it..Talk to your provider and tell them to disable it...They have to do it by most countries' laws.
"Phishers, and all those email scams should be looked into by the FBI too."
They are looked into by the government..It's called the FCC..People complain, they look into it http://www.us-cert.gov/report-phishing
"Look at the people who mail everyone who signs up for a webpage with a bill for their webpage making them think it comes from their webhost, but it is actually a scammer wanting money."
Why you always pay directly to the hoster..not a random letter
"I'm pretty sure it always wasn't this way, but today, it seems like a large portion of incoming communication is from someone who wants to scam you. I can understand not being able to shut down some threats out of the country, but a lot of these things come from inside the country."
No they do not..They usually come from Russia and China and Africa
-
Re:Weigh your options
I agree wholeheartedly. The security curve is an asymptotic one. You'll never reach secure. The biggest security risk in any system (computer system or non-computer system) is the person sitting at the desk. This is why secretive government agencies like the US DoD don't let anyone use a DoD computer until they've been background checked and taken the requisite training classes.
This is Slashdot. Naturally, there will be amazing advice about elite encryption and protecting your most secretive plans from government spooks. Government? Really? Frankly, I'm more worried about the data that Visa and MasterCard have about me than the government stealing pictures of my kids marching band contests.
The original poster asked valid questions about reasonable outside threats - malware. I'm a fan of free (as in beer) scanners that detect known threats disguised in innocent-looking payloads. That adorable icon that Aunt Betty says is adorable could be an installer for a malware program. Also, subscribe to CERT bulletins or a similar organization that publishes information about emerging threats and vulnerabilities.
-
Responsible Disclosure
Tell the webhost they have XYZ days to fix the problem before you publish the exploit.
https://forms.us-cert.gov/report/ is also a good place to report exploits.
But if you're shy, I'd also consider forwarding the details to a reputable security research company,
so that maybe they can alert others with misconfigured systems and CERT.
-
Same Warning Was Issued Back in July
This alert is actually not very new and dates back to July. ICS-CERT re-releases things all the time in order to update small things and be sure people see an update, no matter how minor. Here is the original that came out in July:
http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-195-01.pdf -- It's pretty much identical from what I can see.
-
Re:Change password again
There should be some de facto standard "how to choose a good password" guide, hosted by EFF or some other reputable organization. Then we would recommend web services to have a link to this guide during password creation process.
Like this, you mean?
The problem with authoritative guides for this is that if most people follow the guide without thinking, the job becomes easier for the crackers. They can then use partial rainbow tables that exclude everything that the guide tells people not to do, and include what they tell them to do. Passwords work best when they are as varied as possible.
-
Not too hard
The best place to start is here
http://www.us-cert.gov/cas/signup.html
then onto the security announce list of whatever distro you use.
Those two alone will probably give you enough information to keep your system safe
-
Re:You have to be kidding
This. Very much this.
This article is pure FUD. Plain and simple.
Malware, by its very definition is:
Malware is a general term used to describe any kind of software or code specifically designed to exploit a computer, or the data it contains, without consent.
Android requires that you give consent, since it tells you what permissions the application needs prior to installing it. So by very definition, these data leakages on Android are not malware. The user said it was ok for that application to collect that data.
-
CERT
Report it to CERT. (Or other corresponding security organization if you are outside the US.)
-
Re:Does not hide in PDFs
Let's be clear here, then.
Is or is not Microsoft to blame for executable content that a user double clicks? Because if we had a clear "no" to that, I think the entire "Windows security vs OSX security" discussion would basically be over.
I think you have a good point, but it's not really that simple. You see, in Windows, there are exploits that can hit you just by viewing an image. (Windows Metafile vulnerability, anyone?) Yes, that one's been patched, but there have been quite a number of them before and since. You don't get that on the Mac. On the Mac, the malware has to rely on a dumb user.
My point is that Microsoft is having to patch for "multiple vulnerabilities" all of the time. You know that it has more. So does the malware author. He probably knows them before Microsoft does. Here's a cut-and-paste from US-CERT:
TA11-256A Microsoft Updates for Multiple Vulnerabilities September 13, 2011
TA11-222A Adobe Updates for Multiple Vulnerabilities August 10, 2011
TA11-221A Microsoft Updates for Multiple Vulnerabilities August 9, 2011
TA11-201A Oracle Updates for Multiple Vulnerabilities July 20, 2011
TA11-200A Security Recommendations to Prevent Cyber Intrusions July 19, 2011
TA11-193A Microsoft Updates for Multiple Vulnerabilities July 12, 2011
TA11-166A Adobe Updates for Multiple Vulnerabilities June 15, 2011
TA11-165A Microsoft Updates for Multiple Vulnerabilities June 14, 2011
TA11-130A Microsoft Updates for Multiple Vulnerabilities May 10, 2011
TA11-102A Microsoft Updates for Multiple Vulnerabilities April 12, 2011
TA11-067A Microsoft Updates for Multiple Vulnerabilities March 8, 2011
TA11-039A Microsoft Updates for Multiple Vulnerabilities February 8, 2011
TA11-011A Microsoft Updates for Multiple Vulnerabilities January 11, 2011
I think they just keep copying and pasting "Microsoft Updates for Multiple Vulnerabilities". Either that, or they have a macro. Nothing in there about Apple. Why? They don't seem to need to. They did their homework and did it right the first^D^D^D second time (yes, there was classic MacOS), and the Linux folks got it right before both of them. And before anyone brings up the kernel.org stuff, that was a stupid user with a weak password, not an OS vulnerability.
-
This already exists: US-CERT
From the US-CERT "About Us" page:
US-CERT's mission is to improve the nation's cybersecurity posture, coordinate cyber information sharing and proactively manage cyber risks to the nation while protecting the constitutional rights of Americans. US-CERT vision is to be a trusted global leader in cybersecurity - collaborative, agile, and responsive in a complex environment.
Information is available from the US-CERT web site, mailing lists, and RSS channels.
US-CERT also provides a way for citizens, businesses, and other institutions to communicate and coordinate directly with the United States government about cyber security.
Who runs US-CERT?
US-CERT is the operational arm of the National Cyber Security Division (NCSD) at the Department of Homeland Security (DHS).
Where is US-CERT located?
US-CERT is located in the Washington DC Metropolitan area.
What is US-CERT's relationship to NCSD and DHS?
US-CERT is the operational arm of the National Cyber Security Division (NCSD) at the Department of Homeland Security (DHS). The NCSD was established by DHS to serve as the federal government's cornerstone for cyber security coordination and preparedness, including implementation of the National Strategy to Secure Cyberspace.
-
Re:Firewalls
SCADA networks are usually on a completely separate domain from the corporate network. It'll be behind two sets of firewalls controlled by anal retentive engineers
Thanks for making me snort my coffee. Two problems: a Siemens S7 PLC is a PLC, not a SCADA system. They are extremely different things. It's like confusing a toaster and a kitchen. Everyone seems to miss this. Problem two: while up until a few years ago PLCs didn't have network connectivity, so they couldn't be connected to Ethernet (they now routinely are), SCADA systems are almost all Ethernet capable, and in my experience they are rarely even put on a separate VLAN, much less behind a firewall. Besides, Stuxnet was designed to transmit via USB thumbdrives and laptops, which are used by everyone in industrial control systems. In my experience, control systems are the least secure systems on the planet, which is scary because they control stuff in the real world! If you want to follow the (very sad) security state of industrial control systems, follow ICS-CERT.
-
Re:owasp
OWASP is very good, and I would add another site here that also has good up to date information about site security.
-
Re:Call it flamebait if you will...
I agree. Especially when those code domains are evolving comparatively rapidly. It makes the business of making and selling websites much harder as there's no one technology which is both multimedia capable and available across all platforms. ( Flash + specialist iOS html is my current best for minimum number of versions for multimedia web delivery ). It makes choosing a speciality as a developer difficult, which surely results in fewer specialists.
I have doubts at this stage that html5/js is the one size fits all future solution. It's fragmented before reference implementation and its best features are unavailable on some browsers ( WebGL on IE, etc. ).
I also have doubt that Adobe will release a sleek and secure Flash player. Though we've yet to see fallout from html/js implementation security lapses, ( http://www.us-cert.gov/current > WebGL ). We've yet to see the rise of annoying html adverts which use core browser functionality and so aren't easily disabled. Flash may yet not be the greater evil. ( Keeping multimedia in a plugin works for me. )
I wouldn't put it past Apple to sell 'Now with Flash !' at a later date either.
I want accelerated 3d to everyone who accesses it with a modern browser, I'll happily deal with differing workload per device. Currently it's not only impossible, but there is no clear way to see it happening.
-
Re:What should Sony do?
What are you going off about now?
re: ad hominem: Your prior post clearly falls under the second definition you provided. You attacked my maturity rather than addressing any of my arguments.
re: our disagreement: I've clearly explained why I feel the Sony rootkit was malware. Your response? "No, you're wrong". How is the Sony rootkit NOT malware? It meets the definition of malware as per US-CERT. Here's the definition from that source:
Malware, short for malicious software, consists of programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behavior.
You can dismiss my arguments all you like, I'm fully confident that I'm correct in this instance and that you are either off your rocker, a Sony fanboy, or a Sony astroturfer.
-
Re:How does autorun get you a virus?
it does not impact "shiny media" such as CDs or DVDs that contain Autorun files. We are aware that someone could write malware to take advantage of that, but we haven't seen it in the wild. (We also think malware on shiny media would be less likely to have widespread impact, because people burn CDs less often than they insert USB drives.)
They are just messing with Windows registry settings for autorun. Any admin concerned with security has already done this manually since Conficker.
The only sure way to kill this vector for infection is :
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
-
US Government is SUPPRESSING Wikileaks!!!!1
Before we all blow up, the warning was from one alum to their alma mater, and was suggesting not to post links to cables and WL on facebook, twitter, etc. because "engaging in these activities would call into question your ability to deal with confidential information, which is part of most positions with the federal government" which, honestly, is pretty reasonable. If the State Department is deciding between five equally-qualified candidates, and three have indicated they sympathize with WL, well then the choice is down to two. Just like companies looking at your pictures on facebook before hiring. It sucks but it's true - be responsible with what you say about yourself.
"Before we all blow up" makes the assumption most posters were already in some sane, rational starting point. All you can do is sit back and laugh at them. Watch this.
ZOMG US GOVERNMENT IS SUPPRESSING WIKILEAKS READ IT HERE
http://www.us-cert.gov/current/#potential_wiki_leaks
Enjoy the Olympic scale conclusion jumping and tin foil hat craft fair.
-
ICS-CERT
Start with ICS-CERT (Industrial Control Systems - Cyber Emergency Response Team). Note: While they use the "us-cert.gov" domain, they are NOT a part of US-CERT.
Specifically, take a look at their "Recommended Practices" section: http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html
-
Full ICS-CERT advisory on Stuxnet
is here: http://www.us-cert.gov/control_systems/pdf/ICSA-10-238-01B%20-%20Stuxnet%20Mitigation.pdf Probably a little more accurate than crappy media reporting.
-
How-To Disable Autorun
Wow. The instructions for disabling Autorun are hideous: http://support.microsoft.com/kb/967715. Is this really how one disables it?
This one looks slightly less hideous: http://www.us-cert.gov/cas/techalerts/TA09-020A.html.
I apologize in advance for the noob question.
-
Solution.
This is a Windows-only problem. Solution here.
Import the following to registry:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:blahenterrandomlettershere"
It will cause Windows to ignore anything inside autorun.inf by replacing the content with a non-existing entry, i.e. null.
Delete this branch from registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
It will wipe away any cached mountpoints and their autorun information.
Disclaimer: This will disable the USB autorun related vector for malicious code as well as any other mounted media or network resource. 'Autoplay' and all its features will still function the way you set them. This fix will break anything that depends on code inside autorun.inf ie. say goodbye to nice 'automatic installation', drive media renaming or placing nice icons to itself etc. Mostly useless stuff. Some special usb-sticks with software features built on autorun might not work anymore. Sad.
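An added example, not from this post, from the replies that quote the same registry value, or from the US-CERT alert: a PowerShell script that audits whether the IniFileMapping redirection described here (and in the "Re:How does autorun get you a virus?" and "Re:Even if it doesn't work..." posts) is actually in place, and applies it and clears the cached MountPoints2 entries only when run with -Apply. A later reply points out that a worm can simply set the relevant keys back, so the read-only audit mode is worth re-running on a schedule to catch that drift. The key paths are the ones quoted in the post and the "DoesNotExist" target is the one from the CERT text; the -Apply switch, the function name and the script name in the usage note are this example's own choices. Run it in an elevated PowerShell session.

```powershell
# Added example (not the post's or US-CERT's code): audit / apply the
# IniFileMapping mitigation for Autorun.inf and clear MountPoints2.
[CmdletBinding()]
param(
    [switch]$Apply   # without this switch the script only reports
)

# Key paths as quoted in the post (HKLM for the mapping, HKCU for the cache).
$mappingKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$mountPoints = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

function Test-AutorunMapping {
    # True when the key exists and its default value redirects every section of
    # autorun.inf to a registry location that does not exist ("@SYS:<anything>").
    if (-not (Test-Path -LiteralPath $mappingKey)) { return $false }
    $default = (Get-ItemProperty -LiteralPath $mappingKey).'(default)'
    return ($null -ne $default -and $default -like '@SYS:*')
}

if (Test-AutorunMapping) {
    Write-Output "OK: Autorun.inf is mapped to '@SYS:' so its contents are ignored."
} elseif ($Apply) {
    New-Item -Path $mappingKey -Force | Out-Null
    # The target only has to be absent under HKLM\SOFTWARE; "DoesNotExist" is the
    # name used in the CERT alert quoted on this page.
    Set-ItemProperty -LiteralPath $mappingKey -Name '(default)' -Value '@SYS:DoesNotExist'
    Write-Output "Applied: default value of $mappingKey set to '@SYS:DoesNotExist'."
} else {
    # Either never set, or something set it back: treat as a finding.
    Write-Warning "Mitigation NOT present on this machine. Re-run with -Apply to set it."
}

# MountPoints2 is per user; this only clears the cache for the current user.
if (Test-Path -LiteralPath $mountPoints) {
    $count = (Get-ChildItem -LiteralPath $mountPoints).Count
    if ($Apply) {
        Remove-Item -LiteralPath $mountPoints -Recurse -Force
        Write-Output "Cleared $count cached MountPoints2 entries for the current user."
    } else {
        Write-Output "MountPoints2 holds $count cached entries (cleared when run with -Apply)."
    }
}
```

Saved as, say, Check-Autorun.ps1 (an assumed name), `.\Check-Autorun.ps1` audits and `.\Check-Autorun.ps1 -Apply` sets the value; the audit form is the one to schedule, since the warning branch is exactly the "a worm set the key back" case the thread discusses.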
-
Re:How to disable Autorun in Windows. . .
Except that using that method a worm/virus can easily re-enable it by setting the relevant registry keys back. A more thorough way to disable it is explained at this US-CERT page, and it doesn't depend on having an up-to-date version of windows that has been patched to properly honor the relevant registry keys (earlier versions don't do it properly).
Another way to mitigate the issue on external drives is to make a bogus "AUTORUN.INF" directory on the drive, put a file in it, and make both of them read-only. Then if a worm tries to install its own autorun.inf file to spread the infection it will have to be smart enough to see the one you've put there, turn on the write flags, delete the old one, and then copy over its autorun.inf file. So far I haven't seen any that are smart enough to do that, so for now it immunizes the device.
-
Re:Reason 7
"You want a reason for installing flash blocking plugins."
You're searching for one?
Many of these articles are redundant, I posted the links to show how ubiquitous the stories are. Flash will be around for a while since it's the only game in town. But that will change, give it time. I DO NOT hate Flash, but it's old, there has got to be a better way to publish rich media, there just has to. I think, in time, as the OSS community wakes up to the need, some really great tools and protocols for interactive media that's at least as good as Flash will come along.
-
Re:what is this .lnk flaw anyway?
the side effect of turning off autorun [...] might not be desirable (e.g., if it's someone else's machine)
For me, it is the desired side-effect, because these people will usually call me for help when they get a virus. I do tell them that I disabled it though, and try to explain why if they seem willing to listen.
Also, if a worm blindly writes its own autorun.inf file, then your modified one will get overwritten. Make sure you at least write-protect the file.
The files do have the read-only attribute.
One of my 2 reg entries is actually what is recommended in your link.
What I don't know yet is if it works on Win7 or if something else is needed. I'm not so much into fixing Windows any more, since I switched to Ubuntu. There's enough to do to try to fix/customize that now
... :-)
-
Re:what is this .lnk flaw anyway?
Not bad. Although the side effect of turning off autorun on any machine in which the USB device is inserted might not be desirable (e.g., if it's someone else's machine). Also, if a worm blindly writes its own autorun.inf file, then your modified one will get overwritten. Make sure you at least write-protect the file.
My strategy is simpler. Besides having autorun correctly disabled on all the machines I own, I have a read-only directory that's called "autorun.inf" with a readme.txt file in it on any external device. Any worm that attempts to write over it would have to figure out that it's a directory and delete it and the files within it first. From testing on infected machines, none of them have been that smart (yet).
I still like your idea that actively purges the scourge of autorun from each machine.
-
Re:gets(), the C standard library standard bug.
gets() is officially deprecated in ISO C99 standard, though, and will be removed entirely in ISO C1X. Most compilers today (even non-C99 ones) will output a warning if they see it, and warnings-as-errors is standard development practice for C/C++ these days.
Also the "secure" functions in TR 24731 (strcpy_s, strcat_s etc) will be part of the base standard library in C1X.
-
Re:virus scanners are the devil
"I disabled all autorun/autoplay after that, but I'm still wary enough that I run Avast to help avoid another similar situation."
Yes to disabling autorun. That's the vector for the only worm I've seen in 10 years of running XP in the way the previous post described (it came in on a USB flash drive). So, add to his list:
* Disable autorun/autoplay correctly (note: Microsoft's advice will NOT kill it off completely).
* Run something lightweight like StartupMonitor to catch programs that try to install things in the various startup locations (useful to control bloatware too)
And something else I've done:
* make a fake, read-only AUTORUN.INF directory on usb flash drives and other portable devices so that when a worm tries to write on there, the filename already exists and it fails. So far I've not seen any worms smart enough to look for pre-existing files and delete them before attempting overwriting, and by making it a directory with that name the deletion process is more complicated.
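An added example, not code from this post or from the two earlier replies ("Re:How to disable Autorun in Windows. . ." and "Re:what is this .lnk flaw anyway?") that describe the same trick: a PowerShell script that reports the state of the decoy AUTORUN.INF directory on a removable drive and, with -Apply, creates it with a read-only file inside and marks the directory read-only too. It also handles the case the thread raises, an actual autorun.inf file already sitting on the drive: it flags that for inspection rather than deleting it, since it may be a vendor file or something planted. The drive-letter parameter, the -Apply switch, the function name and the readme text are this example's own assumptions. The read-only attribute is a speed bump, as the posts themselves say: anything that clears attributes before writing gets past it.

```powershell
# Added example (not the posts' code): audit / create the decoy AUTORUN.INF
# directory on a removable drive.
param(
    [Parameter(Mandatory)][string]$DriveLetter,   # e.g. 'E' (assumed to exist)
    [switch]$Apply
)

$root  = "${DriveLetter}:\"
$decoy = Join-Path $root 'AUTORUN.INF'

function Get-DecoyState {
    # Classifies what is at <drive>:\AUTORUN.INF:
    #   'missing'     nothing there
    #   'file'        a real autorun.inf file (legitimate or planted; inspect it)
    #   'decoy'       read-only directory with at least one entry inside
    #   'unprotected' directory present but not read-only or empty
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'missing' }
    $item = Get-Item -LiteralPath $Path -Force
    if (-not $item.PSIsContainer) { return 'file' }
    $readOnly = ($item.Attributes -band [IO.FileAttributes]::ReadOnly) -ne 0
    $children = @(Get-ChildItem -LiteralPath $Path -Force)
    if ($readOnly -and $children.Count -gt 0) { return 'decoy' }
    return 'unprotected'
}

$state = Get-DecoyState -Path $decoy
switch ($state) {
    'decoy' { Write-Output "OK: decoy directory already present at $decoy" }
    'file'  {
        # Do not delete: report it, along with when it was written, for a human to look at.
        $f = Get-Item -LiteralPath $decoy -Force
        Write-Warning "$decoy is a FILE (last written $($f.LastWriteTime)); inspect it before replacing."
    }
    default {
        if (-not $Apply) {
            Write-Warning "Decoy state is '$state'. Re-run with -Apply to create it."
            break
        }
        $dir    = New-Item -ItemType Directory -Path $decoy -Force
        $readme = Join-Path $decoy 'readme.txt'
        Set-Content -LiteralPath $readme -Value 'Placeholder: this directory occupies the autorun.inf name.'
        # Read-only on both the file and the directory, as the posts describe.
        (Get-Item -LiteralPath $readme).Attributes = 'ReadOnly'
        $dir.Attributes = $dir.Attributes -bor [IO.FileAttributes]::ReadOnly
        Write-Output "Created read-only decoy $decoy with readme.txt inside."
    }
}
```

Run it against every removable drive you hand out (`-DriveLetter E -Apply`); the audit form without -Apply is also a cheap way to notice when a drive comes back with the decoy replaced by a real autorun.inf file, which is the event the thread is trying to catch.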
-
Re:Is it really necessary to ask?
To add to this, threats tend to evolve over time. Watch for Technical Cyber Security Alerts on a regular basis. Better is to subscribe to the mailing list. Be prepared to update firewall/IDS software or configuration changes to address new threats. Be prepared to roll-out vendor patches in response to these threats. Verify any such roll-out as coming from a trusted source and behaving correctly in a test environment.
You must always weigh the cost of security against what is being protected. If the information is not that valuable, it may be faster to have good configuration management and rebuild on detection of issues.
-
Re:Was it a DoS exactly?
Simply sending a reboot command, or a single command that causes the machine to hang, isn't a DOS
This is a common view of a DoS because flood-style attacks are the types you hear about on the news and on Slashdot, however what you said is simply not true. Crashing a webserver remotely is, without a doubt, a denial of service attack, as you are denying service to the end user. It makes absolutely no difference what means you use to accomplish this goal. If you don't believe me, just take a look at this week's CERT security bulletin: http://www.us-cert.gov/cas/bulletins/SB10-040.html.
For Wireshark:
Multiple buffer overflows in the LWRES dissector in Wireshark 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allow remote attackers to cause a denial of service (crash) via a malformed packet, as demonstrated using a stack-based buffer overflow to the dissect_getaddrsbyname_request function.
For Asterisk:
Asterisk Open Source 1.6.0.x before 1.6.0.22, 1.6.1.x before 1.6.1.14, and 1.6.2.x before 1.6.2.2, and Business Edition C.3 before C.3.3.2, allows remote attackers to cause a denial of service (daemon crash) via an SIP T.38 negotiation with an SDP FaxMaxDatagram field that is (1) missing, (2) modified to contain a negative number, or (3) modified to contain a large number.
Postgresql:
The bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL 8.0.23, 8.1.11, and 8.3.8 allows remote authenticated users to cause a denial of service (daemon crash) or have unspecified other impact via vectors involving a negative integer in the third argument, as demonstrated by a SELECT statement that contains a call to the substring function for a bit string, related to an "overflow."
So we have malformed packet, bad handshake, and a poorly handled statement, all of which cause what the CERT is classifying as "denial of service," and none of which even remotely match what you describe as a DoS attack.
-
Re:Don't let those annoying facts get in the way
security features don't matter if you don't use them
The difference between Linux and Windows is not in terms of security features that you do or don't use. The key difference is that Microsoft deliberately channels "not-quite-what-you-wanted-ware" to your system and those channels are used by others for putting malware on your system. The entire point of ActiveX is to put software on your computer you didn't ask for. The reason why autorun wasn't disabled when you thought it was is because MS wants to be able to automatically install software. The .Net/Silverlight system has the same idea behind it and will turn out to be a similar disaster. At the very least it will be used to inflict DRM you don't want.
No amount of astroturfing will change the fact that when you get a Linux system, you get to choose exactly what is there and exactly what isn't. Since you only choose the bits you want you don't tend to choose the bits (except flash) that are designed to automatically install malware. I'll agree that this isn't a fundamental difference between the Linux kernel's and the Windows kernel's security mechanisms. VMS, which Windows copied, was certainly more secure than UNIX. However, that's a purely academic discussion. The actual Linux system you install is less likely to deliver software you don't want than the Windows system.
-
I was thinking PSAs
wouldn't imposing a botnet onto a home computer by force (edict or whatever, against their will) for military purposes be the electronic equivalent of quartering soldiers in a persons home?
I said "a campaign against botnets", not "a botnet" itself. I must not have made it clear that I meant botnets controlled by foreign states, not a botnet controlled by the US Armed Forces (for which you'd be justified in pleading the Third). I was thinking more along the lines of a 21st century counterpart of "duck and cover": Ad Council PSAs directing citizens to a comparison of how well the various operating systems and anti-malware packages detect threats being tracked by US-CERT and by other agencies. So unless you claim that the anti-malware packages themselves form a botnet, I don't see how the Third Amendment would apply.
-
Add-ins
[IE8 has] no add-ins, and there doesn't appear to be such an ecosystem on the horizon.
Never fear; I'm sure there will be plenty soon enough, and they will most likely install themselves! Check here to find out about new ones as they get released.
-
US-CERT mentioned in article
I wonder if we will be seeing US-CERT standing up to Microsoft the way they did with this (a vector for conficker) with him in charge.
I have a sick feeling about this. This guy was surely part of the Microsoft effort to call this a feature. And what was this "political infighting" that the article alludes to? I hope it wasn't over whether to go after Microsoft for aiding in the creation of the largest botnet to date.
-
Re:Registry hack
Looks like those Reg Edits might address the vulnerability on a lower level but I figured I'd throw the US-CERT steps up here for discussion/reference. Details at http://www.us-cert.gov/cas/techalerts/TA09-051A.html
Disable JavaScript in Adobe Reader and Acrobat
Prevent Internet Explorer from automatically opening PDF documents
Disable the display of PDF documents in the web browser
-
Re:Robots 1, Humans 0
-
Re:A stroke of genius...
You're absolutely wrong. Why do you people keep trusting Microsoft?
-
Re:Whack the hackers and cut off countries that do
-
Re:Robots 1, Humans 0
You do know that turning off autorun does not turn off autorun, right?
-
Re:*cough*conficker*cough*
Even worse, the secondary vector for Conficker is something Microsoft calls a feature and lied about fixing, forcing US-CERT to shove a hack down their throats.
-
Learn about security to get good web security
You can start here:
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/principles/358-BSI.html
And for specifically for web apps:
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/assembly/639-BSI.html
Then you frighten yourself by playing with the toys here:
-
Re:How can it spread through USB sticks?
I'd like to point out that if you fail to follow the steps above and double-click the item in MyComputer (please don't, click yours!) it would still autorun the biatch - so don't get your hopes too high about saving grandma and her daughter with registry modifications
:( source: http://www.us-cert.gov/cas/techalerts/TA09-020A.html
-
Linking to the alert
In an alert issued on Monday, US-CERT said Microsoft's instructions on turning off Autorun are "not fully effective" and "could be considered a vulnerability."
[several paragraphs later]
Instead, users should make a different modification to the Windows registry, US-CERT said. In the alert, it gave the new value as well as instructions on how to copy it to Windows Notepad and import it into the registry.
Hey, Computerworld editors (and to whomever else it may concern): when you finally tell the reader that the alert contains information the user wants to know, it might be a good idea to link to that source again so the reader doesn't have to search back in the article to find the previously supplied link. Further, I'd suggest using a link to the named anchor when available where the solution is provided to make it even easier.
-
Re:Even if it doesn't work...
Uh, from the CERT advisory:
III. Solution
Disable AutoRun in Microsoft Windows
To effectively disable AutoRun in Microsoft Windows, import the following registry value:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
If you think you know more than the people at CERT, good luck to ya.
-
Re:by taking advantage of ... users.
well, presumably that's what the default "ask me what to do" option, with the program listed at the top, is supposed to effect.
but the option to set your own icon + description then makes it too easy to mislead people, currently.
=====
by the by... the CERT recommendation - http://www.us-cert.gov/cas/techalerts/TA09-020A.html - now notes that MS have an update available for manual install (XP etc.) and/or coming up on windows update (vista, server 2003) that -does- fully close the other vectors that CERT mentions.
-
Pretty serious
I first saw this a couple days ago on the CERT bulletin, http://www.us-cert.gov/cas/bulletins/SB08-294.html, and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4038, most serious vulnerability I've ever seen up there:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Provides administrator access, Allows complete confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service
In other words: any idiot on your network can gain admin access to any attached Windows-based system with file-sharing enabled. I'm really glad that they're releasing an emergency patch for this, because that's a pretty fucking crazy description of an exploit, especially since it affects all versions of their last 10 years of operating systems.
-
Re:What's the exposure? Where's the hole?
Please read: http://www.us-cert.gov/cas/techalerts/TA08-190B.html
You're not answering the question, because unless the upstream resolver is not doing recursion the stub resolver will not issue queries that the attacker can see and so will not receive packets from the attacker:
Stub resolvers that will issue queries in response to attacker behavior, and may receive packets from an attacker, should be patched.
-
Re:What's the exposure? Where's the hole?
Please read: http://www.us-cert.gov/cas/techalerts/TA08-190B.html
-
Don't worry about heart monitors
They just monitor. Instead, worry about SCADA (Supervisory Control and Data Acquisition) systems that do run on Windows. They are networked because the places they control are often lights-out and the human supervisors are off in an office building somewhere networked into the guts of the system they are running.
Vulnerable SCADA systems are numerous and Homeland Security has several initiatives to get them under control. Earlier this year they demonstrated how easy it was to take over a generator and make it crash and burn
... So, fixing worms or not has its consequences. If you are successful you might reboot a control computer and bring down the grid. If you don't somebody in Russia might. In any case, with networked controllers all over in our water, gas, and electrical infrastructure, things will get interesting eventually. It is a sad situation the people who understand enough to automate large control systems don't realize the impact of a vulnerable network on their systems.
-
Re:Let's Compare!
"Windows: Huge Security Holes
Linux: None" - by BillGatesLoveChild (1046184) on Friday August 24, @12:49AM (#20340125)
ONTO SECURITY, SINCE YOU MENTIONED THAT:
"Read 'em & WEEP", Linux fiends:
---
July 2007 - Operating System Vulnerability Scorecard:
http://blogs.technet.com/security/archive/2007/08/16/july-2007-operating-system-vulnerability-scorecard.aspx
AND THESE, whole year long, by category...?
WORKSTATION CLASS OS VULNERABILITIES:
http://blogs.technet.com/blogfiles/security/WindowsLiveWriter/July2007OperatingSystemVulnerabilityScor_DB33/image_5.png
SERVER CLASS OS VULNERABILITIES:
http://blogs.technet.com/blogfiles/security/WindowsLiveWriter/July2007OperatingSystemVulnerabilityScor_DB33/image_7.png
---
Gee, that's NOT TOO DIFFERENT from what I saw @ year start for 2006 here, now is it:
National Cyber Alert System: Cyber Security Bulletin 2005 year end/2006 start Summary:
http://www.us-cert.gov/cas/bulletins/SB2005.html
---
ALL I tend to see/hear/read here @ /. is stuff like this:
"(Insert *NIX variant here) is more secure or securable than Windows
Well, ok: Put your money where your mouth is, back up your bluster, because talk is cheap - show me, show us, & backup your bluster!
Beat the score I am able to achieve on the multiplatform CIS TOOL benchmark gauge of security then... back up the bluster!
CIS TOOL uses tests based on best practices for the OS platform it runs on testing analogs each has between them & they do have them (such as state & configuration files ACL/MAC security, every OS has these for example)!
(& this test is noted as valid and good for helping you secure yourself, no less by COMPUTERWORLD & SANS (both cited here quite a bit on this site mind you, & thus, respected here)
Here is my score of 84.735/100 on it:
http://img.techpowerup.org/070618/APK14SecurityPointsCISToolResult84735.jpg
In fact, when I challenged the *NIX crew here (especially asking for BSD & SeLinux kernel hook bearing security addons such as UBUNTU/KUBUNTU have no less) to this test?
HARDENING LINUX (of ALL places, lol, that happened here @ /.):
http://it.slashdot.org/comments.pl?sid=267599&cid=20203061
Over 30x now, & all the LINUX PENGUINS ran, each time (bsd people too) & at a post here at slashdot called "Hardening Linux" too, lol, no less!
APK