Inside CERT Australia
mask.of.sanity writes "The Australian Government has a list of software holes that are so sensitive they're kept hidden from the public. These weaknesses are being used by criminals to steal our money and our data. They may even be a cornerstone to planned attacks on critical infrastructure, like energy, water and transport. But in the murky battle between those that protect us and those who seek to harm, these vulnerabilities are also the bait with which cyber-criminals are caught."
BTW - who knows why turds are round, and tapered instead of cubes?
That's so your ass doesn't clap when you take a shit.
TFA:
The privileged group of more than 300 companies under CERT Australia's wing is expanding, but it does not plan to offer the secretive information more broadly.
This is corporate welfare at its finest: make the people pay to give a competitive advantage to particular companies.
When will this primitive targets-based, public-private-partnership experiment born somewhere in the '80s finally collapse? When will parties and their representation in government reflect the people again? Whether left or right, authoritarian or socially liberal, your view is no longer represented unless you've paid for it.
Yippee. Yet another Australian "story".
Just what we needed.
It's a story from the land down under.
Where systems blow and denials thunder.
Careful there. You are making me remember the flute riff and that could be expensive for both of us.
I wonder just how long it will be before any communication which enables recall of copyrighted material needs a license. After all I clearly communicated the riff to you over a computer network.
From the article: (CERT) Australia, formed in 2009.
I'd say you are spot on. The article reads like an advert attempting to convince the reader that CERT Australia is important. The Defence Signals Directorate has been providing this type of service to big corporations and local government since the early '90s. (I worked there for a decade, not that this is important.)
I integrate, deploy, and maintain a SCADA system for a large water and waste-water utility.
Here are some facts on the ground:
1. Yes, the software is out of date, and it is poorly reviewed. The reason is that the market is small, the deployment costs are huge, and it is difficult to differentiate the bad from the worse. The effort required to swap out SCADA or control system software makes similar office operations look trivial.
2. Yes, the flaws are hard to fix. We design these things for safety, and reliability, first. We have an ethical duty to turn the CIA model upside down to become the AIC model. Security is often an afterthought. In any case, most of you probably do not realize that security for an industrial process is very different from security for an office. In an office, if the computer stops, the whole office process stops and that's it. Nothing more happens. In an industrial process, the physics and chemistry of the process will continue to do something whether your control system is online or not. In other words, unlike in an office, the control system for an industrial process augments the process, it does not run it. Thus, if you crash the office computers, everything stops. If you crash a control system, the process keeps doing something, even if it is something that nobody would ever want.
3. Industrial processes can't "just shut down" on a whim. To patch a control system you need to get to a place where the process can be safely shut down, and the new process can be safely validated to prove that it does everything that is expected of it. Getting this much time and attention from people takes significant down time. With the lean operations that most places run, that kind of downtime may not be available for an entire SEASON.
4. Because of this, revealing software flaws is often a dangerous proposition. By the time we can safely patch something in an industrial control system, there may be tool kits for script kiddies.
5. Due to safety concerns, almost nobody will seriously consider an effort to spray patches to the field. Again, this is not the office. The penalty for getting things wrong could be deadly. Automated patching without careful testing on each stage of the process can be a firing offense in some companies.
I believe that the theory that the Australian CERT is using is that by keeping some flaws quiet, they reduce the chance that others may develop script kiddie development kits. I honestly do not know whether this can work, but I give them credit for trying. It will be interesting to see what metrics they use to prove this effort is effective.
Finally, please stop with the "industrial software is crap" nonsense. We engineers know that all too well; but there are no better alternatives. Would you like to see us go back to the days when everything was run with pneumatic controls or analog computers? I'll bet you wouldn't appreciate the prices you'd pay. If you like electricity and running water, find ways to write better software.
Nearly fifty percent of all graduates come from the bottom half of the class!
This is complete irresponsible nonsense. "... the bait..."? Really?
First of all, this is called honeypotting but without the benefit of actually having complete control over the monitoring, logging and the PCs to be compromised... oh wait... maybe they do. I wonder if the rest of Australia is okay with their government withholding information and using them as "bait" while at the same time not being particularly capable of a wide-spread law enforcement activity?
Someone didn't think this stuff through before they said it.
you don't have a choice
if you are young and healthy and have no health insurance, but you break your arm, we do not inquire as to your bank account before treating you. we treat you. then, being poor, as most young people are, you avoid the bill, or declare bankruptcy. what a nice society
this is the way it has been for decades: the state and feds constantly reimbursing hospitals for unpaid bills so the hospitals don't go under. in other words, we already have universal healthcare, that you already pay for, in the most idiotic and most expensive way via your taxes. in other words, your position is called FREELOADING: the acknowledgment that you can get injured, but not planning financially for the possibility
the only financial common sense is universal health care insurance. you want a choice? the choice you want is to not be insured, thereby forcing me, the taxpayer, to pay for your care. which is alternatingly hilarious and maddening that you talk about robbery when it is you who is robbing me. so many morons like you argue that universal healthcare rewards freeloaders who don't work. yes, it rewards them: it says you live in a society that will not let you die just because you get injured
meanwhile, you argue for the choice, the "freedom," to freeload. you want the freedom from financial responsibility for when you break your arm
i am really sick of you utterly ignorant propagandized fools
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it