Stuxnet May Represent New Trend In Malware

Trailrunner7 writes "As more information continues to come out about the Stuxnet worm and the vulnerabilities that it exploits, it's becoming increasingly clear that this kind of attack may be a preview of the attacks that are likely to become commonplace in the months and years ahead. The most interesting aspect of all of this is the fact that the attackers behind Stuxnet clearly knew about the vulnerability in the Siemens WinCC system before the malware was written. That implies the malware authors had some advance intelligence about the configuration of the Siemens software and knew exactly where there was a weakness."

Uh - what?

The article that the summary links to in support of the idea that the attackers had inside information is actually about a hardcoded password that existed for *two years* before the vulnerability was found. The article argues pretty strongly that security through obscurity is no security at all and makes no mention of anyone having inside information - how can you get it so wrong?

Re:Uh - what?

Because Trailrunner7 has stock in Siemens' competitors. Not that Siemens doesn't deserve shit over this. Hardcoded password. Stupid idea.

Re:Uh - what?

[v1]

I see the article boiling down to a different point -- should vendors be held liable for exploitation of a bug that was brought to them some time ago? Article says they knew about a hardcoded pw two years ago and sat on their thumbs, and then it questions whether this is negligence. There is no question. That is negligence, they will be sued, and they will lose.

Since we keep seeing things like this come up over and over, it seems reasonable to assume that companies like this simple consider things a "calculated risk", and determine the chance of being caught x the cost of being caught is less than the cost of fixing it, and so they do nothing.

The only way to fix this is to increase the average cost so that it becomes greater than the cost of fixing it. To accomplish this, customers should be able to sue vendors that have been informed of critical security flaws in their software that have not fixed it in a timely manner, and there should be specific laws on the books for fines to be levied on companies that manage to not get sued until their refusal to fix their bug is being exploited and harming their customers, to make the resulting legal actions much more expensive than simple lawsuits from individuals. (why aren't these things considered "class action"?)

Re:Uh - what?

[Cryacin]

Yep. The password really is 1,2,3,4,5,6.

Re:Uh - what?

[LeDopore]

Article says they knew about a hardcoded pw two years ago and sat on their thumbs, and then it questions whether this is negligence. There is no question. That is negligence

Not always. Some control systems are run on a dedicated computer without Internet access. Some control systems need to have little downtime to avoid serious consequences. (Some manufacturing plants or refineries have razor-thin margins - an extra 1% downtime could mean the difference between profit and bankruptcy.) In cases like these, if a hard-coded password means a faster system recovery, it's the right choice.
If I had software on my desktop system with a hard-coded password, I'd be justifiably pissed. However, for some industrial applications (including some SCADA installations) , the simplicity of not needing to enter a unique password plus a physical air gap of security trumps a forced-unique password with only digital security - particularly if that digital security is Windows-based (where adding a keylogger would have resulted in almost as bad a p0wnage as what Stuxnet already has)!

Re:Uh - what?

Huh, that's the same password as on my luggage!

Re:Uh - what?

[Ephemeriis]

Not always. Some control systems are run on a dedicated computer without Internet access. Some control systems need to have little downtime to avoid serious consequences. (Some manufacturing plants or refineries have razor-thin margins - an extra 1% downtime could mean the difference between profit and bankruptcy.) In cases like these, if a hard-coded password means a faster system recovery, it's the right choice.

So, why not have a password that is generated in some known way?

The HIS system where I work has a "daily password" - it changes every day. That password is necessary to conduct some operations. Folks who need to conduct those operations know how to look up the daily password. They do so, then they have that password to hand out to whoever needs to do stuff that day. And the daily password becomes useless the next day, so you don't have to worry about it being abused.

The POS system I used to work with had some kind of dynamically generated password. If you had to call technical support for something they'd have you read off some numbers on the screen, and they'd give you back a password to get into the register's internals. Again, it isn't static so it can't be abused for long. But it is generated in a known way so it can readily be obtained.

Seems to me that this would have been a better way to do things.

However, for some industrial applications (including some SCADA installations) , the simplicity of not needing to enter a unique password plus a physical air gap of security trumps a forced-unique password with only digital security

"Air gap" doesn't mean much if you're just using some kind of removable media to transfer information from the insecure world to the secure world, instead of CAT5. If you aren't somehow protecting access to that removable media, your air gap gives you no additional security.

It should be genuinely impossible for anything to auto-run on removable media. Only allow media in your own, special format. Or only allow specific file types to be accessed or imported. And put some kind of password on the media access portion, to make sure only folks who know what they're doing are accessing it.

If you're letting anyone transfer anything on a USB stick, you may as well plug the machine into the network because your air gap isn't doing you any good.

Re:Uh - what?

[v1]

Some manufacturing plants or refineries have razor-thin margins

They choose to operate at those margins. That's the case of a few companies in a given market. If I choose to slash prices at my grocery store so my margins are 1%, I am accepting a serious risk that if several things go wrong at the same time I will be put out of business. That's no reason for anyone to prop me up or give me special favors. I chose to put myself in a position of serious risk and lost a reasonably possible bet. My fault, not your responsibility. Same thing applies here.

Re:Uh - what?

Spaceballs reference failed. It's 1,2,3,4,5. There is no 6.

Re:Uh - what?

[KDR_11k]

It's a result of strong competition, except for price collusion there isn't really a way out of that situation once you and all competitors have driven the margins that low.

Re:Uh - what?

[Runaway1956]

"(Some manufacturing plants or refineries have razor-thin margins - an extra 1% downtime could mean the difference between profit and bankruptcy.)"

I think you exaggerate. If not, then the executives and other decision makers are incompetent boobs, and the company SHOULD go bankrupt for hiring them.

I'm a maintenance man at a manufacturing plant. Our management is only marginally competent - but we have enough redundancy to see us through when something goes down. Sure, it HURTS when a computer dies, and the vendor won't honor the guarantee unless we send the computer back to the factory. But, bankruptcy? Come on . . . .

Re:Uh - what?

[HAKdragon]

There aren't any commas, either.

Re:Uh - what?

[Anne+Thwacks]

If not, then the executives and other decision makers are incompetent boobs, and the company SHOULD go bankrupt for hiring them.

OTOH, their uncle (or father-in-law) is the chairman so they are going to stay put.

Re:Uh - what?

[Velex]

"Air gap" doesn't mean much if you're just using some kind of removable media to transfer information from the insecure world to the secure world, instead of CAT5. If you aren't somehow protecting access to that removable media, your air gap gives you no additional security.

Don't forget to bring human psychology into play. The "air gap" will make people look at the system in question differently. It can be the difference between someone deciding "hey, I can update MyFace on this computer" and "oh, this is technical." That psychology is also viral, e.g. the computer they produce said removable media on will also become "technical."

Kind of an unrelated example, but it made me think. At work last week, we had a client who needed us to go to USPS' website to track orders for people calling in. Some agents refused to do so stating that USPS wasn't an authorized website. Apparently to make it authorized in their view, I had to add a BLUE LINK to it rather than creating a button that launched it with the tracking number they'd typed in. Or maybe that just proves that females are all whiny, lazy drama queens who regularly cause problems and shouldn't be allowed outside of the kitchen.

Re:Uh - what?

[Ephemeriis]

Don't forget to bring human psychology into play. The "air gap" will make people look at the system in question differently. It can be the difference between someone deciding "hey, I can update MyFace on this computer" and "oh, this is technical." That psychology is also viral, e.g. the computer they produce said removable media on will also become "technical."

Either that... Or they'll think oh, this thing is secure, it's got an air gap, nothing can get to it, so I don't have to worry about viruses/worms/whatever.

Re:Uh - what?

...there isn't really a way out of that situation once you and all competitors have driven the margins that low.

When competition has driven margins so low that companies have to do unethical things to stay in business, such as dumping toxic waste into the river, high-frequency stock trading, or using hard-coded passwords on safety-critical systems, we use a 100+ year old technology called "government regulation" to correct the market failure.

Re:Uh - what?

My password is 12345spoon !

Re:Uh - what?

[sjames]

Well, yeah, 1,2,3,4,5 is completely insecure, so they added the 6. Nobody would ever guess that!

Re:Uh - what?

Really? Your MBA and years of experience in this industry have taught you this? There are more than a few industries where a 1% PM are considered outstanding. Not every business can run the kind of profit margins found in oil/gas, financial services or your mom's bedroom.

Re:Uh - what?

[Yert]

No need for government regulation. The company will get hit with the downtime that will bankrupt them, and the next company won't run at quite as low of a margin. In the meantime, the C-levels and Board of Directors is arrested and prosecuted for any violations of local, state, and federal laws by the corporation. This act alone would reign in 90% of the abuses in the USA... but all too often, "the decision was made at Corporate", and in the end, no one is responsible.

Re:Uh - what?

they might be sued.. about that I will not disagree, but negligence requires that the defendant breached a duty which was both the proximate and actual causes of the damages to the plaintiff.

the problem here (showing "duty").. from what source does the duty to fix it arise? Unless there is law specifically saying the fix had to be made once discovered or maybe if the contract established that such a duty would inure, if specific type of exploit were discovered, then maybe. Where oh where is the duty???
where on where is the duty. The next problem might be in the "proximate" two years later??

Re:Uh - what?

If not, then the executives and other decision makers are incompetent boobs, and the company SHOULD go bankrupt for hiring them.

OTOH, their uncle (or father-in-law) is the chairman so they are going to stay put.

Then there's even more reason they should go bankrupt if they allow nepotism to override sound business practices!

Well duh...

There's no point in fixing anything just because you know it's wrong. You just wait until it infects your customers and becomes a liability. Even then, you have the bean counters figure out if it's worth paying off. Corporations are only liable for the current quarter, so no point in paying attention to the next quarter.

Re:Well duh...

There's no point in fixing anything just because you know it's wrong. You just wait until it infects your customers and becomes a liability. Even then, you have the bean counters figure out if it's worth paying off. Corporations are only liable for the current quarter, so no point in paying attention to the next quarter.

This is so wrong. You charge your customers for the upgrade to fix their systems. Duh, indeed.

More common?

[Spad]

Given that we have absolutely *no* idea how many similar attacks have been conducted in the past against really "niche" applications like this without being detected, I think it's a little naíve to assume that this is the start of a new trend.

We find out about most malware because it's so widely targeted and so many people are affected by it, but when you're targeting your malware at a handful of companies and probably directly delivering it via email or physically ("dropped" USB stick in the parking lot) with the aim of keeping it undetectable for as long as possible, it makes it much more difficult for the targets and security researchers to even know it exists.

Re:More common?

[jofny]

Actually, you are factually incorrect here. The methodologies youre describing do make it more difficult, but we have plenty of insight into what's been happening - it's just either close hold or not making the news. Just because -you- don't know, don't assume "we" don't know.

How can he get it so wrong?

[NotSoHeavyD3]

Umm, you do realize this was something posted on Slashdot, right?

As someone familiar

with the products from Siemens (internal point of view) let me say:

- They know jack shit about software and the process around it
- They care (a bit) about the customer, especially if there's a loud complaint
- Politics hampers the sw development process (as in, let's spend 500% in sw here because 'blah' can't be bothered to change the original software)

Because Soulskill is kdawsons alternate account

Or they share a brain

Who could have guessed?

[briuq0ah]

Seriously? The attackers knew about the vulnerability before they wrote something to exploit it? I never would have guessed

Re:Who could have guessed?

That article is pretty ridiculous, isn't it? The author is Captain Obvious.

SCADA frustrations

[brxndxn]

My career is in industrial automation - and I am an IT guy who 'gets' both sides of things. There are not a lot of people like me and I constantly face an uphill battle when I try to explain computer security to people or try to explain why certain things are much more complicated than they believe. For example, you have an industrial network that is completely unnattached from the corporate network that is used for automating an exothermic chemical process on a large scale where you cannot just 'hit e-stops' and safely shut down the process. If you lose 'visibility' on the process at any time, there is potential for an explosion or chemical release. They think they're immune to viruses and they do not run virus-scanning software (imo, usually a good thing in an industrial network) so they do not even bother to completely lock down the computers. We're talking Windows boxes where everyone knows the admin password. After a virus or two, they usually pay me to lock everything down and put the operators on limited profiles. Then, the white-collar management wants to be able to connect into everything to see what is going on. Suffice it to say.. it's a damn headache. IT doesn't get it and the plant managers don't get it.. And usually one wins out over the others. If IT wins, expect a plant to randomly shut down because they push an incompatible Windows patch. If the plant wins, expect a laughably insecure network where an operator charging his cell phone can take the whole network offline.

Basically, if you ask an IT guy 'What is security?' it will be a lot different than an industrial plant manager's response. An industrial plant manager will say a SCADA system is most secure if the people on site always have control over the plant. If a man has his hand caught in a machine, should another person at the plant have to login to a terminal to turn the machine off?

I'm frustrated by this virus, though, because from what I've seen, there has been NO utilities released to detect if you have it. I have seen abnormal activity on multiple HMI computers and the people in charge of maintaining them plug their thumb drives in randomly thinking as long as their laptop doesn't detect a virus on it, they're safe. At least conficker was obvious to detect on a thumb drive or running computer.

If there is a utility, can someone link to it for me?

Re:SCADA frustrations

Well. Like any dumb technician would say... install malwarebyte or format/reinstall. But for the professionals, that is out of the question 90% of the time when it comes to systems like these where doing it can knock of networks for a few days.

I had a client with a nasty rootkit. He runs his $1million-per-year business off of it. He's smart enough to back-up his PC, etc. but once his son got on it just once and went to some porn sites, he got hit by that rootkit and didn't know what to do. He didn't want to restore his system because he was afraid that could affect.

I ran a scourge anti-virus program and they weren't able to remove it. I used rootkit revealers to find out what it is and managed to see where it kept hiding itself. A friend gave me a copy of MRI-GeekSquad and did a scan and deleted it. Then I held the system for at least another day to see if it would pop up. So far, I haven't heard from my customer about it coming back.

But yeah, when it comes to systems like these you need a really good program or a cocktail of them.

Re:SCADA frustrations

This is just the start in Industrial Automation/SCADA. The workhorse of automation is the "Programmable Logic Controller" or PLC. These have, basically, no security, including open network ports which can be used to change variable (think setpoints for temperature, pressure, startup/shutdown sewage pumping stations, etc.). While most of these are not exposed on open networks, a disgruntled employee could cause major damage. A SCADA virus that exploits these weaknesses could bring down large pieces of infrastructure.

The solution is not to try to protect the network. As the parent says, this is a loosing battle and access to the devices is necessary for Management and for Operators. The solution is to protect the devices. Treat each one as if it were open on a public network, firewalls, strong passwords, limited port access, etc. etc. This is a trivial retrofit with, say an embedded Linux system.

Then you can safely use the Windows systems a views only. No control on those platforms. As views, they work fine since they are familiar and pushing a bad patch, or a virus doesn't bring down the control system.

Re:SCADA frustrations

Full Ack.

I have worked for a well-known company who builds large plants for various industries (including food processing). The SCADA systems they set up were a real nightmare. Most plant-controlling computers were directly connected to the internet (no NAT), not even a personal firewall was used. Some had even activated the Windows default shares (C$ and such). The computers were never patched, and the software they used for remote administration transmitted login data unencrypted.

The people who configured and developed/extended the SCADA systems were mostly engineers coming from the machine industry or electrical engineers. They didn't know much about IT, and even less about IT security. I was never in a position to look at the source code (I was working for the internal IT department), but I bet it was full of holes.

Sometimes we had to fix software problems for customers, on plants that were installed a long time before I was working at the company. Some of these plants had computers still running on Windows NT 4.0 - because the SCADA system they used didn't work on any newer OS and they didn't want upgrade it (cost). I was amazed that this thing was still running (more or less).

I bet that even a medicore black hat could take most of these plants down within hours - this could be a real threat.
I guess the only reason this hasn't happened very often yet is that it doesn't give the attacker much profit.

-- AC

Re:SCADA frustrations

[leuk_he]

NO NO NO. installing a cocktail of AV software is NOT the answer in a system that has to do 27/7 operations and has to be kind of real-time responsive. What you do not wat it that it gives a false positive on an essential program that controls the plant. you do not want to inititiale a scan at the moment 2 reactive componentes are mixed.

as for the tools, look for
  Right click My Computers > Properties > Hardware > Device Manager:

            - Go to View > Show Hidden Devices
            - Go to Non-Plug and Play Drivers

        Disable both MRXNET and MRXCLS:

If that is the case you might want to look for some portable virus scanner...

Re:SCADA frustrations

[Metroid72]

Sounds like your organization doesn't have the right support for security (most likely they don't understand).
You need to engage in a business impact analysis exercise and see what comes out of that.

That will be input for your policies, procedures, standards, etc.

Re:SCADA frustrations

[tchuladdiass]

I've got a good way to deal with many root kits. What is the one thing that a root kit does well? When you read an infected file, it will give you the "clean" file's contents (by intercepting the OS read system call). So the way to deal with them is simple: You're enemies strength is its weakness.

While the OS is running (with root kit), make a copy of all OS files (c:\WINDOWS, system32, drivers, ...). The root kit will make sure you have clean versions, since that is what it wants you to see. Afterwards, boot off a live Linux CD, then cmp the OS windows directory with the copy you made. Any executable file that is different is likely to be a hiding place for the virus.

Now it is possible for the root kit to still write out infected files when you make copies of them, but this process has worked on the last several infections I've had to clean up. Follow up with a regular virus scan afterwards to catch any registry shenanigans and you should be golden.

Re:SCADA frustrations

[Runaway1956]

You seem to have read AC's post differently than I did. He didn't suggest that you INSTALL an AV cocktail on your machines. He stated that a cocktail of security applications are necessary to deal with an infected machine. That Geek Squad disk is exactly that - a bootable disk with quite a variety of utilities, suitable for dealing with a wide variety of problems.

I can't remember offhand, but I think there are six different AV's on the disk, each of which automagically updates itself when the utility is called. And, each of those AV's is on the disk, because it has proven superior to any of the other in certain situations.

Your advice is sound, you just seem to have misinterpreted what AC said.

Re:SCADA frustrations

[Runaway1956]

"Some of these plants had computers still running on Windows NT 4.0 - because the SCADA system they used didn't work on any newer OS"

Guilty as charged. Yep. A hard drive died recently, and a machine that is worth half a million sits idle because of it. "Don't we have a disk image? I can get this thing running in a few hours, if I can run to the store for a hard drive!" "Disk image? What the hell is THAT?"

Phhht. No backup, in any form. And, this expensive machine sits idle due to the failure of a ~$50 component.

Fortunately, MOST of our equipment runs on Linux, and MOST of our equipment just runs and runs and runs.

Re:SCADA frustrations

[Barny]

Or you could just grab a solid linux running windows-virus scanner, like the Kaspersky rescue disk, I find it tends to cut the rootkits up pretty well.

Re:SCADA frustrations

what a nice buzzword

business: $$$ for me
impact: a forceful, exciting word
analysis: smartness, i'm one of the smartest people on the planet
exercise: what i should do more of to keep my tight body

Re:SCADA frustrations

[Jaxoreth]

NO NO NO. installing a cocktail of AV software is NOT the answer in a system that has to do 27/7 operations and has to be kind of real-time responsive.

That's why most shops don't offer more than 24/7 uptime. The three extra hours a day is plenty of time to run AV software.

Re:SCADA frustrations

[gad_zuki!]

>If IT wins, expect a plant to randomly shut down because they push an incompatible Windows patch.

What a load. A responsible IT department would be doing testing of patches without going live and I can't remember the last time a patch failed in the last several years I've been patching Windows machines in the enterprise with all manner of hardware and software combination. Lots of organlizations manage to figure this out, why yours can't seems to be a problem with either you or the companies you work with.

>At least conficker was obvious to detect on a thumb drive or running computer.

It should be trivial to detect the Stuxnet shortcut and the Realtek signed driver it installs. The latter moreso because its not going to be easy to have different versions of it.

Re:SCADA frustrations

[bertok]

"Some of these plants had computers still running on Windows NT 4.0 - because the SCADA system they used didn't work on any newer OS"

Guilty as charged. Yep. A hard drive died recently, and a machine that is worth half a million sits idle because of it. "Don't we have a disk image? I can get this thing running in a few hours, if I can run to the store for a hard drive!" "Disk image? What the hell is THAT?"

Phhht. No backup, in any form. And, this expensive machine sits idle due to the failure of a ~$50 component.

Fortunately, MOST of our equipment runs on Linux, and MOST of our equipment just runs and runs and runs.

I didn't know Linux was immune to hard-drive failure! 8)

Re:SCADA frustrations

[Xeleema]

# man mdadm

Re:SCADA frustrations

I can't remember offhand, but I think there are six different AV's on the disk, each of which automagically updates itself when the utility is called.

Off topic but, IMHO anyone who uses an inane phrase like "automagically" to describe a technical activity like virus clean-up should not be allowed to advance in the IT profession beyond Geek Squad-level drone.

what about the "scary factor"

[ma1wrbu5tr]

I hope they manage to keep the obscurity as far as how much of our infrastructure depends on these systems. Firesale anyone?

More lame armchair "analysis"...

"The most interesting aspect of all of this is the fact that the attackers behind Stuxnet clearly knew about the vulnerability in the Siemens WinCC system before the malware was written. That implies the malware authors had some advance intelligence about the configuration of the Siemens software and knew exactly where there was a weakness."

So what you're saying is that all other malware doesn't make use of advance intelligence to exploit weaknesses in software or its common configuration?

Virtualization

Here's a neat trick for newer windows os (or XP, as I've never seen vista/7 used in industrial application):

Run a windows guest on the secured box. Bridge its connection to the host's adapter and disable all the host's net adapter items in its properties (so it only provides connectivity to the guest). This way, the guest may interact normally with the rest of the company's network. To exchange files, use the local folder sharing feature in the virtualization app. Only activate it when necessary, or limit it to read-only if you only need to export information from the host.

Unless there's a traversal vulnerability in the virtualization app, this method is relatively secure.

VirtualBox can do that for 'free' or evaluation purpose.

Cue in the fallacies...

Cue in the fallacies from the paid M$ astroturfing fanbois, singing in chore "monocrop argument, monocrop argument".

Fail

[PPH]

Right click My Computers > Properties > Hardware > Device Manager:

That's Windows you're working with. And if you are using Windows in an industrial environment, you've already screwed up. Forget about the usual /. nonsens of Windows Bad, Linux Good. Actually, you'll need a special RT version of Linux. According to Microsoft licensing terms Windows is NOT suitable for use where life or property loss may result from failure. Game over.

Re:Fail

[bertok]

Right click My Computers > Properties > Hardware > Device Manager:

That's Windows you're working with. And if you are using Windows in an industrial environment, you've already screwed up. Forget about the usual /. nonsens of Windows Bad, Linux Good. Actually, you'll need a special RT version of Linux. According to Microsoft licensing terms Windows is NOT suitable for use where life or property loss may result from failure. Game over.

If you only need POSIX C, then there are even better options, such as VXworks and QNX. If real-time response and availability matters, then a modular microkernel based operating system is the way to go.

For example, take a look at Cisco's IOS XR, which is QNX based. It can even restart crashed drivers, which would take both Linux and Windows down in most circumstances.

Just because you have a hammer that's not as blunt as another hammer doesn't mean you should use it as a chisel!

Re:Fail

[leuk_he]

>> Right click My Computers > Properties > Hardware > Device Manager:

That are instruction from some av to detect stuxnet.

And as a maintainer of computer hardware, you rarely get to choose, you often get some kind of mix of OS that has to be maintained, the only choice you get is to maintain it or not maintain it.

Beside that, linux != unix != best OS for every utility

Costs trickle down

[nurb432]

I guess you don't understand the basics of economics. If you increase the cost of doing business for a company, they just pass it along to consumers as higher prices to offset the increased bottom line cost.

CUSTOMERS are who pay the bills for a company, not the tooth fairy or some magic box.

Same concept goes for 'ya, stick it to them evil companies with higher taxes', but that is a different topic for a different day.

Re:Costs trickle down

[v1]

I guess you don't understand the basics of economics. If you increase the cost of doing business for a company, they just pass it along to consumers as higher prices to offset the increased bottom line cost.

That makes one very basic (incorrect) assumption, that companies continue to be in business after said events. Consumers aren't always willing to pay for business's mistakes, often times businesses take most of the hit directly because their customers won't tolerate the goods/service costs getting jacked up to pay the extra bills, and the company folds or loses a lot of assets to pay the bill.

What would you do if you usually got your gas at say, BP stations, and suddenly you see BP's stations are a quarter a gallon more expensive than everybody else? Companies can't just always pass stupidity charges straight on to their customers.

Re:Costs trickle down

[nurb432]

Sure they pass 'stupidity' down. True, they wont do it all at once in a case like BP due to the MASSIVE hit they are going to take ( actually, i don't see them surviving in this case, it may be beyond being able to charge it back and keep going ) but they will do it incrementally to gain it back in the long run.

25 cents will drive customers away i agree, but what about 5? Its easier to hide it when you have larger ticket items, 150 before, 160 after and the customer doesn't even notice.

Re:Costs trickle down

[v1]

25 cents will drive customers away i agree, but what about 5? Its easier to hide it when you have larger ticket items, 150 before, 160 after and the customer doesn't even notice.

Yep, they'll try to make it look like an inflation thing. It all comes down to whether they can dig out of their hole before the consumers figure out they're overpaying. I don't see BP going under though, the oil industry practically mints money, their cash reserves are obscene and anyone will lend them money.

The only thing they have working against them is everyone in the biz is basically in an unofficial Trust arrangement, everyone sells their product at a lot higher than its actual value should be, and as long as they all keep their prices at the same high level the consumers don't have a choice. This means if BP really wants to jack their prices up, the entire industry will have to go up. Or looked at from the other direction, they can't raise their rates for the same reason they can't lower them. This is not one of those industries where supply-n-demand determine cost - they artificially control the supply so they can adjust the price to where they find it's most profitable. This whole BP mess has got to really be messing with their profit formulas.

So basically what I'm saying is that BP can't skim money from us without the rest of the industry also getting a cut. Which means if it does get passed onto us, we'll be paying for a lot more than BP's costs, which really stinks. The only good option for us (the consumer) is for BP to soak up* the cost of the spill by spending down their reserves*.