Inside CERT Australia
mask.of.sanity writes "The Australian Government has a list of software holes that are so sensitive they're kept hidden from the public. These weaknesses are being used by criminals to steal our money and our data. They may even be a cornerstone to planned attacks on critical infrastructure, like energy, water and transport. But in the murky battle between those that protect us and those who seek to harm, these vulnerabilities are also the bait with which cyber-criminals are caught."
You don't want HONEST people to know that the software is worth one cubic turd. Only criminals should possess that knowledge, because they are the people who will put it to best use!!
BTW - who knows why turds are round, and tapered instead of cubes?
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
If even RSA (a security expert) is compromised, I wonder how long it'll take for this list to get leaked, especially now that it has been publicized.
Or maybe the publicity is another bait and switch :P. It'd be cool if it was, but I doubt it.
What - you don't like Aussies? You should go see the wizard, and get your attitude fixed. Hey, he gave the lion a heart, or something like that, didn't he? Or, the tin man? Whatever - go see the Wizard of Aus.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
Yippee. Yet another Australian "story".
Just what we needed.
It's a story from the land down under.
Where systems blow and denials thunder.
Any possibility that the list could be used to hack computers the Australian government doesn't like is completely impossible.
Stuxnet anyone ?
TFA:
The privileged group of more than 300 companies under CERT Australia's wing is expanding, but it does not plan to offer the secretive information more broadly.
This is corporate welfare at its finest: make the people pay to give a competitive advantage to particular companies.
When will this primitive targets-based, public-private-partnership experiment born somewhere in the '80s finally collapse? When will parties and their representation in government reflect the people again? Whether left or right, authoritarian or socially liberal, your view is no longer represented unless you've paid for it.
Your services are required. I expect the information to appear on Wikileaks ASAP.
-- Even if a god did exist, why the fsck should I worship it?
> Yippee. Yet another Australian "story".
> Just what we needed.
> It's a story from the land down under.
> Where systems blow and denials thunder.
Careful there. You are making me remember the flute riff and that could be expensive for both of us.
http://michaelsmith.id.au
> Yippee. Yet another Australian "story".
> Just what we needed.
> It's a story from the land down under.
> Where systems blow and denials thunder.
> Careful there. You are making me remember the flute riff and that could be expensive for both of us.
I wonder just how long it will be before any communication which enables recall of copyrighted material needs a license. After all I clearly communicated the riff to you over a computer network.
Tell people to fix these fucking "seekrit" bugs, and if they don't, make them public. Responsible disclosure. You have wankers who are on the tax payroll creating more paychecks out of the public dime for cyber "war" and fail to realize that if you just secure your fucking systems, then cyber "war" is just about impossible.
http://www.auscert.org.au/ and http://www.cert.gov.au/
http://www.auscert.org.au/render.html?cid=2
"Formed in 1993, AusCERT is one of the oldest CERTs in the world and was the first CERT in Australia to operate as the national CERT, which it did until 2010."
As always, governments don't like competition - in this case for security & secrets.
The Singularity is closer than you think
Quant
They already banned squirters and small breasted women, it was only a matter of time before they were going to cover up sensitive holes.
Nyah, plbt! Because we inserted those vulnerabilities in the first place.
You'll never find them.
All our passwords are "beer"
No, you didn't communicate the riff. :-)
You communicated a trigger which activated the riff which was already embedded in the receiver, kinda like a lookup table
A bit like PirateBay communicating the torrent header!
Let's just say I know (not well personally, but mix in a crowd) a person who lectures and researches security at a university on the aus west coast.
The guy has secret clearance, all of his net presence locked down, a great understanding of various technical and social engineering attacks. I don't know what he does in Canberra exactly but from all the talk of honeypotting I hear out of context I assume it likely to be AusCert.
We really do have some genius sec people in this country. Heck, they even get paid more than all the TS-SCI plebs in the US that are paid diddly-squat by military contractors. Australia, albeit rather weak on the global stage, is laying solid foundations - just you wait.
"The Australian Government has a list of software holes that are so sensitive they're kept hidden from the public"
What platform do these software holes run on, and what indemnification do the end users get from the manufacturers of the software holes?
"The agency has knowledge of security vulnerabilities that, if publicly disclosed, could grind significant elements of cyber crime to a halt .. the vulnerabilities may be more valuable if they are kept hidden and used as a means to track skittish cyber criminals"
That's the dumbest thing I ever read, as is patently obvious, the crooks are way ahead of the security "professionals".
"If we become aware of control nodes for botnets or those that harvest data that is being ex-filtrated out of a network, we will pass that information on so that it can be blocked at firewalls and organisations can see if they have a compromised machine"
As a security professional, someone should tell Rothery that there are any number of ways to bypass a firewall.
"One of the specific concerns is how a bank may protect or deal with an attack against an air-conditioning system charged with the vital role of keeping a datacentre cool"
Solution: don't connect your air-conditioning system to the Internet .. :)
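The article passage quoted above describes one concrete defensive use of the shared information: a CERT hands organisations the addresses of botnet control nodes and exfiltration endpoints, the organisations block them at the perimeter, and they check their own connection logs to find machines that have already tried to reach those addresses. The script below is an added example of that second step, written for this thread and not taken from the article, CERT Australia or any commenter. The log format, the indicator list and every IP address in it are constructed (RFC 5737 documentation ranges), and it assumes a firewall that logs one allowed or denied connection per line.

```python
"""Match outbound connection logs against a shared list of control-node
indicators and report which internal hosts contacted them.

Added example for illustration; log format, indicators and addresses are
all constructed and do not refer to any real host.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed indicator list of the kind a CERT might distribute: single
# addresses and CIDR blocks mixed together. All from RFC 5737 ranges.
INDICATORS = {
    "198.51.100.23",    # constructed: botnet controller
    "203.0.113.0/28",   # constructed: data-exfiltration drop range
}

# Constructed firewall log: timestamp, action, source, destination, port.
SAMPLE_LOG = """\
2011-03-28T09:14:01 ALLOW src=10.0.5.17 dst=198.51.100.23 dport=443
2011-03-28T09:14:03 ALLOW src=10.0.5.17 dst=192.0.2.80 dport=80
2011-03-28T09:15:10 ALLOW src=10.0.7.42 dst=203.0.113.9 dport=8080
2011-03-28T09:15:11 DENY src=10.0.7.42 dst=203.0.113.9 dport=8080
2011-03-28T09:16:00 ALLOW src=10.0.9.3 dst=10.0.0.1 dport=53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def compile_indicators(indicators):
    """Normalise single IPs and CIDR blocks into ip_network objects so a
    destination can be tested with a plain membership check."""
    return [ipaddress.ip_network(i, strict=False) for i in indicators]


def parse_line(line):
    """Parse one log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dst"] = ipaddress.ip_address(ev["dst"])
    ev["dport"] = int(ev["dport"])
    return ev


def find_compromised(log_text, indicators):
    """Return {internal_host: [events]} for every connection attempt whose
    destination falls inside an indicator.

    DENY lines are kept deliberately: once the block rule is in place the
    traffic no longer leaves, but the attempt itself still identifies a
    host that is trying to reach a control node and needs cleaning up.
    """
    nets = compile_indicators(indicators)
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if any(ev["dst"] in net for net in nets):
            hits[ev["src"]].append(ev)
    return dict(hits)


def summarize(hits):
    """Collapse the per-host events into (host, attempts, blocked) tuples,
    sorted by host, for a quick triage list."""
    rows = []
    for host, events in sorted(hits.items()):
        blocked = sum(1 for e in events if e["action"] == "DENY")
        rows.append((host, len(events), blocked))
    return rows


if __name__ == "__main__":
    for host, attempts, blocked in summarize(find_compromised(SAMPLE_LOG, INDICATORS)):
        print(f"{host}: {attempts} attempt(s) to indicator addresses, {blocked} blocked")
```

Run against the constructed log it flags 10.0.5.17 (one allowed connection to the controller) and 10.0.7.42 (one allowed and one later denied connection into the drop range), while the ordinary web and DNS traffic is ignored. The point of keeping denied attempts is the one the quoted passage makes: the block rule protects the perimeter, but the log search is what tells you which machine is compromised.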
NO.
But you may have your choice of a Kangaroo or a Koala.
I've built up so much character I have an alter-ego
That's clearly aiding and abetting. Brains are the entertainment centres of human experience. Illegal memory associations will be criminalized and a forcibly installed magnetic memory dampener activated every time a memory of an unlicensed song is about to emerge. The skull integrated memory dampener will be made obligatory via the war against terror though and inappropriate voting.
I integrate, deploy, and maintain a SCADA system for a large water and waste-water utility.
Here are some facts on the ground:
1. Yes, the software is out of date, and it is poorly reviewed. The reason is that the market is small, the deployment costs are huge, and it is difficult to differentiate the bad from the worse. The effort required to swap out SCADA or control system software make similar office operations look trivial.
2. Yes, the flaws are hard to fix. We design these things for safety, and reliability, first. We have an ethical duty to turn the CIA model upside down to become the AIC model. Security is often an afterthought. In any case, most of you probably do not realize that security for an industrial process is very different from security for an office. In an office, if the computer stops, the whole office process stops and that's it. Nothing more happens. In an industrial process, the physics and chemistry of the process will continue to do something whether your control system is online or not. In other words, unlike in an office, the control system for an industrial process augments the process, it does not run it. Thus, if you crash the office computers, everything stops. If you crash a control system, the process keeps doing something, even if it is something that nobody would ever want.
3. Industrial processes can't "just shut down" on a whim. To patch a control system you need to get to a place where the process can be safely shut down, and the new process can be safely validated to prove that it does everything that is expected of it. Getting this much time and attention from people takes significant down time. With the lean operations that most places run, that kind of downtime may not be available for an entire SEASON.
4. Because of this, revealing software flaws is often a dangerous proposition. By the time we can safely patch something in an industrial control system, there may be tool kits for script kiddies.
5. Due to safety concerns, almost nobody will seriously consider an effort to spray patches to the field. Again, this is not the office. The penalty for getting things wrong could be deadly. Automated patching without careful testing on each stage of the process can be a firing offense in some companies.
I believe that the theory that the Australian CERT is using is that by keeping some flaws quiet, they reduce the chance that others may develop script kiddie development kits. I honestly do not know whether this can work, but I give them credit for trying. It will be interesting to see what metrics they use to prove this effort is effective.
Finally, please stop with the "industrial software is crap" nonsense. We engineers know that all too well; but there are no better alternatives. Would you like to see us go back to the days when everything was run with pneumatic controls or analog computers? I'll bet you wouldn't appreciate the prices you'd pay. If you like electricity and running water, find ways to write better software.
Nearly fifty percent of all graduates come from the bottom half of the class!
This is complete irresponsible nonsense. "... the bait..."? Really?
First of all, this is called honeypotting but without the benefit of actually having complete control over the monitoring, logging and the PCs to be compromised... oh wait... maybe they do. I wonder if the rest of Australia is okay with their government withholding information and using them as "bait" while at the same time not being particularly capable of a wide-spread law enforcement activity?
Someone didn't think this stuff through before they said it.
"All secrecy is inherently evil!" - Anonymous.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Sorry mate, you're all a bunch of crocodile dundees out there as far as we are concerned. How about you go on a walk about and get used to the idea.
Keep the hat but add some corks.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Wow! What an amazingly detailed stretch of the imagination!
So you think Stuxnet did this? Really? You're out of your mind. I'm against this support of Israel and all that stuff -- it's simply not our (USA) business to take care of those people and I think it's an embarrassment that we remain connected with them in so many ways. But I'm not going to say I hate Jewish people -- I like Jewish people! I like their food, their sense of humor and while I don't like EVERYTHING about Jewish culture (and I am certainly anti-religious) the vast majority of them are good, decent people who work for a living just like I do. It's the leadership you need to focus on here, just like the leadership of the US or any other country that isn't serving the interests of the people.
I'm not saying you have no right to be angry or to put out your hate message -- I'm saying you should at least be accurate about it. And really -- you should re-evaluate what you believe to see if it's actually reasonable and logical. I think you will find it's not.
> I integrate, deploy, and maintain a SCADA system for a large water and waste-water utility.
What development platform do you use?
> the control system for an industrial process augments the process, it does not run it. Thus, if you crash the office computers, everything stops. If you crash a control system, the process keeps doing something, even if it is something that nobody would ever want.
I don't even understand this bit, or else you're just talking techno waffle, and I've worked in this industry for decades, both hardware and software, if that's supposed to count for anything.
> Industrial processes can't "just shut down" on a whim. To patch a control system you need to get to a place where the process can be safely shut down ..
No one in their right mind "patches" a running system.
> revealing software flaws is often a dangerous proposition. By the time we can safely patch something in an industrial control system, there may be tool kits for script kiddies.
How do you design it in such a way that it is accessible to "script kiddies"?
Fox News, that incenses the poor and middle class to actually fight against their own interests
You don't understand these people.
OK, an analogy of sorts: I don't shoplift. It's against my interest to not shoplift. Why then, do I not shoplift? I have this feeling that taking stuff from other people is wrong. Yes, I know, I'm being stupid and I should just do what is in my best interest. I also get really pissed off when other people shoplift, even if I'm not the shopkeeper and even if I don't see it happen. Perhaps you feel differently?
When the government takes money from other people to supply my healthcare, I get the same feeling. It's like shoplifting. It's in my interest, but it is wrong.
Yeah, we see you as morally corrupt.
What a bunch of lunatics thinking they are so omnipotent in their "secret" knowledge they can outsmart everyone by being so secretive. The only real benefit to this that I can see is that (presuming they are able to be as secretive as they claim, a big if) the obvious inevitable downsides to this strategy will not be obvious to the public because they are secret. Basically, by taking the whole world off their bench and pretending to be able to do the work of the wider public in secret they will inevitably fail in the most embarrassing ways. But if they keep it secret then the embarrassment won't be made public and their public funding can continue. So basically the best approach for them is to do nothing while pretending (secretly!) to be very busy. Then they won't make mistakes because they haven't done any real work. Secrecy for the sake of secrecy! Somehow these machinations remind me of the logic in the novel Catch-22. Glad to hear institutional insanity is alive and well 70 years later.
Stupidity is its own reward.
Off to Brainjail for you!
you should have a $500,000 savings account in case sometimes bad happens. because contributing to a group fund that other people draw out of is communist, right?
that you think financial common sense on the question of the best way to pay for healthcare is morally corrupt shows how propagandized you are
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
There's a difference between Israelis and Jews.
you don't have a choice
if you are young and healthy and have no health insurance, but you break your arm, we do not inquire as to your bank account before treating you. we treat you. then, being poor, as most young people are, you avoid the bill, or declare bankruptcy. what a nice society
this is the way it has been for decades: the state and feds constantly reimbursing hospitals for unpaid bills so the hospitals don't go under. in other words, we already have universal healthcare, that you already pay for, in the most idiotic, most expensive way via your taxes. in other words, your position is called FREELOADING: the acknowledgment that you can get injured, but not planning financially for the possibility
the only financial common sense is universal health care insurance. you want a choice? the choice you want is to not be insured, thereby forcing me, the taxpayer, to pay for your care. which is alternatingly hilarious and maddening that you talk about robbery when it is you who is robbing me. so many morons like you argue that universal healthcare rewards freeloaders who don't work. yes, it rewards them: it says you live in a society that will not let you die just because you get injured
meanwhile, you argue for the choice, the "freedom," to freeload. you want the freedom from financial responsibility for when you break your arm
i am really sick of you utterly ignorant propagandized fools
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
put your money where your mouth is, ignorant free market fundamentalist
you want hospitals to turn away people who can't pay?
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it