Local Emergency Alert System Hacked, Warns Dead Rising From Graves
First time accepted submitter Rawlsian writes "Great Falls, Montana, television station KRTV issued a denial of an Emergency Alert System report that 'dead bodies are rising from their graves.' The denial surmises that 'someone apparently hacked into the Emergency Alert System...This message did not originate from KRTV, and there is no emergency.'"
Gotta get to the shopping mall. Stop at the sporting goods store and pick up some weapons and ammo. The zombies will feast on the easier targets for 30 days or so.
Those systems that were never meant to go on the internet were somehow available on the internet? It's too bad some broadcast stations don't know when to air-gap.
If computers were people, I'd be a misanthrope.
Supposedly this is the capture of the hacked broadcast: http://www.youtube.com/watch?v=nc60XPCXrh8
The preceding line was intentionally left blank.
Nah, he did a community service by demonstrating the failure without starting a panic over a real possible event. No one should have believed it. At least not anyone with half a BRAAAAAAAAAAIINSS!!!!
Do not look into laser with remaining eye.
KXLH in Helena reported the same,
http://www.kxlh.com/news/bogus-emergency-alert-message-transmitted/
they may be sister stations that share an EAS infrastructure?
On the contrary.
This is an obvious prank, and is unlikely to cause any harm, except to embarrass those who ought to be embarrassed. It would have been much more harmful to send an alert about a more believable disaster. Can you imagine the panic if the hoax had been about rising floodwater, or an incoming storm or hurricane?
This hack has the benefit of exposing a weakness before it could be maliciously exploited, in probably the only way that guarantees action will be taken. As we've seen, being a good white-hat and reporting the potential security is likely to result in you being prosecuted, and the fault being swept under the carpet.
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
Who the hell on this site supported Adam Lanza?
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
It's been a few years since I worked down there, but EAS always seemed like pretty primitive tech. One of the last remaining bastions of serial printer ports as I recall. It is (or was a few years ago) ugly, annoying, tended to chop the ends off of messages, and many of the weather service alerts either were for somewhere entirely remote from us, or were so garbled that they were incomprehensible.
I'm entirely unsurprised that it's easy to hack in to EAS.
Three Squirrels
It didn't end in disaster, but it really could have been worse. Some people rely on warning systems like this...think of, for example, tornado warning systems.
I'll admit, I laughed, and I do agree; it pointed out a weakness in the system that shouldn't have been there. Still, the right thing to do is to stop the culture of encouraging grey hat behavior by rewarding people who find weaknesses...rather than simply condoning them.
This message did not originate from KRTV, and there is no emergency
those are some wily zombies
how many pairs of boxer shorts should you own?
Not cause any harm? It won't be so funny when the dead start rising from the grave and no one believes it because this guy cried wolf already! Thousands of people will disregard the warning and subsequently get their brains eaten! It won't seem so fun then!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Who the hell on this site supported Adam Lanza?
Or Chris Dorner for that matter? You know if I didn't know better I'd suspect that AC was trying the cheap propaganda trick of linking the names Aaron Swartz, Julian Assange and Bradley Manning, (who, whether we agree with their actions or not, we ought to recognise as men of high ideals), with those of crazy mass murderers?! But no, my friend AC would never do that kind of thing.
Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
Nah, he did a community service by demonstrating the failure without starting a panic over a real possible event. No one should have believed it.
How do you know it isn't real. Maybe the government ordered them to issue these denials to stop public disorder spreading in the wake of the Rapture? Huh?
Repent now sinner! Another hour and it may be too late.
Obviously someone with half a brain should have believed it. Who else ate the missing half?
Now when the REAL zombie apocalypse arrives, everyone will assume it's just another prank...
This is an obvious prank, and is unlikely to cause any harm, except to embarrass those who ought to be embarrassed.
I doubt that. If you are referring to the local officials who implemented the system or maintain it, then no, they have nothing to be embarrassed about. They didn't design the system, they just installed what was compatible with everyone else. Those who designed the system will probably not be overly embarrassed, either.
I doubt you're referring to the prankster, who certainly won't be embarrassed at all, even though such public displays should be embarrassing to him. It's like finding a mailing list and sending a bunch of spam to it to prove how insecure it is; annoying everyone on the list who can do nothing about it and really changing nothing.
The only likely result of this will be a confirmation in the minds of the public that hackers are nutcases who need to be put in jail for doing stupid things, not a sudden realization that hackers are here to save us from our mistakes.
And remember not to run up stairs to escape them, leaving you stranded on the roof like EVERY FUCKING MOVIE IN EXISTENCE.
>This is an obvious prank, and is unlikely to cause any harm...
Isn't that just what CBS executives said before airing War of the Worlds?
http://en.wikipedia.org/wiki/War_of_the_Worlds_(radio)
If Debbie Harry is out dropping rhymes again then the world really is coming to an end...
Do not look into laser with remaining eye.
As we've seen, being a good white-hat and reporting the potential security is likely to result in you being prosecuted, and the fault being swept under the carpet.
I tried that. I reported to a school that they put social security number together with full name, address etc on an HTML page, made it accessible without logging in and they transferred it without any encryption. It looked like they made a page for each student and then emailed the student in question the URL to their "personal page". I ended up talking to some lady, who went "only criminals would detect such flaws. You must be a hacker. I'm calling the police right away". They didn't dare to keep the page up when I kept a cool head and said I would report it for privacy violation if they didn't remove it.
Two mysteries remain though:
1: why send a mail with a personal link to a page containing only stuff, which could be written in the mail
2: why send out "your daughter's name is.. and is born on ... and lives...". I kind of knew that even before they decided to tell me.
Oh and in case you wonder. Their "security" is that the personal URL contained a hash value. Nobody would be able to guess a hash value and get info on a stranger, right?
Hey, the CDC doesn't run zombie apocalypse drills for no reason
https://www.youtube.com/watch?v=I28e0IqIgPc -- KRTV out of Great Falls, Montana.
Later studies suggested the panic was less widespread than newspapers had indicated at the time. During this period, many newspaper publishers were concerned that radio, a new medium, would render them obsolete. In that time of yellow journalism, print journalists took the opportunity to suggest that radio was dangerous by embellishing the story of the panic that ensued
The parallels almost write themselves...
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
I think these gentle reminders about security are great and are part of the spirit of hacking.
Which would the USA rather have: (a) goofball hackers create a zombie panic, or (b) our next enemy uses a coordinated attack to create actual panic?
Reminds me of the infamous "War of the Worlds" broadcast by Orson Welles.
Futurist Traditionalism
Nobody would be able to guess a hash value and get info on a stranger, right?
Actually, yeah. That's pretty much the exact function of a properly constructed cryptographic hash function.
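Added example, not part of the thread and not the school's code: whether a "hash in the URL" can be guessed depends on the entropy of what was hashed and on whether a server-side key was involved, not on the hash function alone. The sketch assumes, hypothetically, that the link token was an unkeyed SHA-256 of a six-digit student number, and contrasts it with a random token and an HMAC-keyed one; all function names and the sample ID are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption (not stated in the thread): the token in the "personal page" URL
# is an unkeyed SHA-256 of a six-digit student number.
ID_SPACE = 10 ** 6


def weak_token(student_id: int) -> str:
    """Unkeyed hash of a low-entropy identifier: deterministic, so enumerable."""
    return hashlib.sha256(f"{student_id:06d}".encode()).hexdigest()


def recover_id(token: str, id_space: int = ID_SPACE):
    """Audit check: does the token fall out of hashing every possible ID?

    Returns the matching ID, or None when the token is not derivable from
    the identifier space alone (which is what a sound design should give).
    """
    for candidate in range(id_space):
        if weak_token(candidate) == token:
            return candidate
    return None


def random_token() -> str:
    """128 bits from the OS CSPRNG; the server stores token -> record."""
    return secrets.token_urlsafe(16)


def keyed_token(student_id: int, server_key: bytes) -> str:
    """HMAC-SHA256 over the ID: not computable without the server-held key."""
    msg = f"{student_id:06d}".encode()
    return hmac.new(server_key, msg, hashlib.sha256).hexdigest()


def verify_keyed(student_id: int, token: str, server_key: bytes) -> bool:
    """Constant-time comparison of the presented token with the expected one."""
    return hmac.compare_digest(keyed_token(student_id, server_key), token)


def demo() -> dict:
    sid = 204117                      # constructed sample ID
    key = secrets.token_bytes(32)     # constructed server-side secret
    other_key = secrets.token_bytes(32)
    good = keyed_token(sid, key)
    return {
        # The unkeyed hash gives up its input after at most 10**6 guesses.
        "weak_recovered": recover_id(weak_token(sid)),
        # The keyed token has the same length but is not in the enumerable set.
        "keyed_recovered": recover_id(good),
        "keyed_verifies": verify_keyed(sid, good, key),
        "wrong_key_verifies": verify_keyed(sid, good, other_key),
        "random_token_chars": len(random_token()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Even an unguessable token is a bearer credential: on a page served without login and without encryption, as the poster describes, anyone who observes the URL in transit or in a mailbox can open the record.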
cry more you bitch.. There are too many wannabe insecure tyrants like yourself in this society who are cheering on the big ones.. It was a harmless prank that deserves a slap on the wrist at best. It doesn't even sound like it was a denial of service, nor was the context of the message believable by any stretch.
Get a grip.
All they would have had to do was walk a little bit faster!
This is an obvious prank, and is unlikely to cause any harm, except to embarrass those who ought to be embarrassed.
No one is cutting the hacker any slack anymore,
Prankster. White Hat, Black Hat, No one gives a damn about his motives, No one shares his sense of humor
Break into a system meant for emergency use only and the hammer will come down.
http://www.facebook.com/uppermichiganssource
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
Break into a system meant for emergency use only and the hammer will come down.
Fine. But it should come down equally as hard, if not more so, on those who accepted public money to build a secure system and failed to do so. Anything else is scapegoating.
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
Well, one out of three, anyway.
Lemme guess ... Bradley?
Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
http://en.wikipedia.org/wiki/Assange_v_Swedish_Prosecution_Authority
Assange fled Sweden rather than defend himself against the charges.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
well what we do now is imprison them/ruin their careers, thus when they get out of jail after 20 years, the only thing left is to become a paid black hat for hire. ex-con murderers have an easier time of it..
gotta love laws written by ivy league lawyers who were ex popular-jocks in high school.
This is an obvious prank, and is unlikely to cause any harm, except to embarrass those who ought to be embarrassed. It would have been much more harmful to send an alert about a more believable disaster.
Such as an invasion from Mars?
-- Thou hast strayed far from the path of the Avatar.
Uh huh. I'm not falling for their cover-up!
First the undead rise from their graves. Then the establishment covers it up. And it's not a coincidence that there are shortages and limits on ammo.
I'm an American. I love this country and the freedoms that we used to have.
I find nothing in that citation to indicate that Assange has been charged with any offence. On the contrary and to quote directly: "Assange has not yet been formally charged with any offence."
Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
"Mine is the last voice you will ever hear. Don't be alarmed."
But it should come down equally as hard, if not more so, on those who accepted public money to build a secure system
First you need to know if that is what they were paid to do or not. What was the intended level of security and did they meet that requirement? "Oh noes, a hacker broke in and made a fake announcement!" Was preventing that part of the original requirements? Easy to see in 20/20 hindsight.
And second, the people who accepted the money to build the system locally didn't design it or generate the requirements. They got money to buy something that worked with everything else being used. They could have refused to buy anything that wasn't secured better than everything else, but then they'd not be getting any alerts from anyone because their system would not be interoperable.
When the Zombies do come, there's no real point in fighting or running, eventually they will win.
First you need to know if that is what they were paid to do or not. What was the intended level of security and did they meet that requirement? "Oh noes, a hacker broke in and made a fake announcement!" Was preventing that part of the original requirements?
Then the person who wrote the requirements should get hit with the hammer. An attacker compromised your system - sometime, somewhere, someone dropped the ball.
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
Somehow I doubt the person who implemented it knows what 'cryptographic' means.
And tsk, tsk. What can I say, it's a battle between the young and the old internal geeks.
I also note sadly to myself that my old geek would scold, while the current enforcement mindset would encourage terrorist charges. And also noting that the fact that I would even _think about that_ is fucking sad.
"Gold still represents the ultimate form of payment in the world." - Alan Greenspan, 1999
Here it is folks, proof positive that methamphetamine is bad for you.
Faster! Faster! Faster would be better!
http://en.wikipedia.org/wiki/Assange_v_Swedish_Prosecution_Authority
Assange fled Sweden rather than defend himself against the charges.
Hmmm
Except that is not correct, he did not flee, he left Sweden legally. It was only after he had left Sweden that the new prosecutor issued a new arrest warrant.
Being a good guy white-hat doesn't get you arrested. Not realizing the difference between telling someone "Hey your door is open" from the outside of their house and saying "Hey your door is open from in someone's bedroom" is what gets you arrested. Well that and the kind of self righteous attitude that makes "white hats" believe that if a vulnerability isn't fixed within a day of them having reported it they have the right to take down the system or reveal said vulnerability to the world. In other words, the fact that I have forgotten to lock my door doesn't give you the right to enter my house and if you do so, even to tell me that I've forgotten to lock my door you aren't a "good guy", not even if you have some of your stuff in my house.
Our government must maintain their monopoly on frightening the public and driving them into a mindless panic.
Have gnu, will travel.
Amazing that this got through to the front page of /. in the same week that it happened!
*Still* negative function...
Agreed. The zombies thing is so obvious as to be wallowing in complete and utter lameness. I recommend caning, BTW.
OTOH, if he'd come up with something a bit more original and suited to the season... say, an invasion of Frost Giants...
Il n'y a pas de Planet B.
Sounds like a test of the voting system the Republicans are planning to have in place for 2014. ;-)
I've calculated my velocity with such exquisite precision that I have no idea where I am.
They're coming soon. Maybe you should think twice about opening the door.
This is no different than joyriding the fire trucks. The system is there for emergencies, and crap like this devalues its emergency status.
I actually agree with you, but unfortunately my inner Responsible Adult who deplores this act for exactly the reasons you cite is having a loud argument right now with my inner child who is laughing his head off. I'm still not sure who is winning.
except to embarrass those who ought to be embarrassed.
I think he was referring to people who "Got to the shopping mall after stopping at the sporting goods store to pick up some weapons and ammo".
Most local TV stations are already air gapped.
Not the equipment. The air gap is usually between the ears of the anchor
He should have reported that Dihydrogen Monoxide has been detected in the city's water system. :-D
For the uninitiated (see http://dhmo.org/)
Dihydrogen monoxide:
is called "hydroxyl acid", the substance is the major component of acid rain.
contributes to the "greenhouse effect".
may cause severe burns.
is fatal if inhaled.
contributes to the erosion of our natural landscape.
accelerates corrosion and rusting of many metals.
may cause electrical failures and decreased effectiveness of automobile brakes.
has been found in excised tumors of terminal cancer patients.
Despite the danger, dihydrogen monoxide is often used:
as an industrial solvent and coolant.
in nuclear power plants.
in the production of Styrofoam.
as a fire retardant.
in many forms of cruel animal research.
in the distribution of pesticides. Even after washing, produce remains contaminated by this chemical.
as an additive in certain "junk-foods" and other food products.
Instead of the oblig. xkcd:
The walking dead
Even if it was wrong it was at least pretty obvious that it wasn't a real emergency. No need to bust people like that hard, it was highlighting a problem in the system that could have been abused in a lot worse manner.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
http://en.wikipedia.org/wiki/Assange_v_Swedish_Prosecution_Authority
Assange fled Sweden rather than defend himself against the charges.
Nonsense. There are no charges. They cannot file charges against him without first interviewing him, which is something that the prosecutors have repeatedly refused to do. I am a bit curious why they want to extradite him without interviewing him first while he is abroad. He has repeatedly tried to get the prosecutors/police to interview him while he is abroad. But they are specifically going out of their way to avoid interviewing him (most likely so they can argue that they must extradite him in order to complete their investigation.) It seems quite likely that they feel that once they have interviewed him, they will not have a sufficient basis to press charges against him. I mean, if they felt confident that once they had interviewed him, they would be able to press charges, then they should just do that and file charges and the whole process of extraditing him would have been greatly simplified.
But what's to be done when the man from Mars stops eating cars and eating bars and now he only eats guitars (get up)? He already shot you dead and ate your head after all.
"Wait. Something's happening. It's opening up! My God, it's full of apricots!"
This hack is clearly an invocation of the Emergency Alert System. The EAS is a hierarchically-organized digital message propagation system that has no authentication scheme for the vast majority of the nodes that participate in the network. Since every moderately-sized licensed broadcast radio and TV station in the United States is required to participate in the network, that is a lot of attackable nodes.
The hierarchy is easy to exploit if you wish to spoof an alert on a specific station. All you need to know is the specific list of stations that your target listens to for alerts and a mobile radio transmitter that you can position relatively closely to your target's EAS receiving equipment. The list of "source" stations for your target is often public information, or can be deduced very easily. (Search for "<city> eas plan" in your favorite search engine.) The radio transmitter required is nothing more than a VHF two-way radio, which can often be a "modded" Amateur Radio which can transmit outside of the legal Amateur bands.
Step 4 (transmission) is extremely easy, even with low-powered equipment (250mW). Because of your proximity and the FM Capture Effect you will have no problem overpowering the real source station without adversely affecting or alerting anyone outside a 1/2 mile radius.
My guess is the attackers here did precisely this. They probably exploited this TV station by spoofing a local NOAA weather radio channel that the TV station was listening to for alerts.
Except that is not correct, he did not flee
Nor is he charged; nor if he were to be charged would it definitely be with 'rape' (sexual misconduct seems more likely); nor were he charged would we be entitled to presume anything other than his innocence; nor were we to examine the publicly known facts that led to the warrant being issued would I (here YMMV) be led to doubt that innocence; nor was that expose (if I have the same book in mind) written by his "best friend"; nor is the accusation that he is "motivated purely by money" anything other than absurd; nor is his penchant for promiscuous relationships with members of the opposite sex pertinent as to his motivations in running Wikileaks, as it happens. And surely there is no one so innocent as seriously to believe that if the two women he slept with in the same week had not confided this fact in each other none of this would now be of any concern to anyone. Hell hath no fury.
In favour of OP it can at least be said that in going out of his way to defame someone he has been gentlemanly enough to do so in a way that will not enable him to hide, like a coward, behind any 'truth' based defence.
Oddly enough, I'm conservative enough to believe that some level of state secrecy, problematic as it is, is a necessity even in a democracy. I'm not 100% behind what either Assange does (nor 100% against it). I shall, however, scurry to his defence when people, rather than addressing the substantive issue of state secrecy, seek to attack his stance and the activities of Wikileaks on the entirely irrelevant basis of his alleged sexual misconduct.
Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
No, of course it won't be funny when the dead start rising from their graves.
Now, about a week or two in, when there are shamblers and the general panic will be replaced with 'most of us are undead or eaten'? The zombie victim-bating and misc. mutilation games will be INSANELY funny.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
So there was a security issue and it was demonstrated to the public. Now it has to be fixed. Imagine for a second what would have happened if someone with bad intentions used the hole to spread panic or divert help away from a real event. It might be a bit silly, but we are all better off if systems like these get tested once in a while.
They also don't take bathroom breaks, don't need time off. Health and safety laws don't apply to them, they're genuinely American (don't forget to bring geo-coded picture of your personal grave), if one or two get caught up in machinery or drop from scaffolding no-one will ask inconvenient questions, and they will work for a few pounds of squishy matter a day that should be easy enough to obtain.
Am I the only one who sees an opportunity here?
I had a discussion with three or four people who insisted on defending Chris Dorner, mostly with little information (at least two of them thought he was fired by the LAPD within the last year).
The truth is that all men having power ought to be mistrusted. James Madison
Fine. But it should come down equally as hard, if not more so, on those who accepted public money to build a secure system and failed to do so.
That would be the techies who designed and maintained the system, am I right?
This is the part where you will find the geek whistling "Don't look at me" as he tries to fast-fade out of the picture.
Anything else is scapegoating.
The scapegoat is forced to accept responsibility for the sins of others. The hacker is jailed for his crimes. There is a difference and it is a difference that matters.
I wonder what tone would need to be sent to trigger this system, but hey ...
... just turn on your polite scanner or marine radio to the NWS channels and listen next time there's a pseudo-emergency. They have about 100 times as many pseudo-emergencies as real ones so there'll be plenty to listen to. It's not that complicated.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
polite scanner
police scanner. Autocorrect Fs me up more than it helps me.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
Billions of taxpayer dollars are wasted because Congress is full of wankers.
You seem to hold the common misperception that there is perfect security. There isn't. At any price. When you're building a system, you want it to be perfectly reliable, perfectly secure, perfectly easy to use, etc. You can't have that. You also want it to cost as close to zero as possible. You nearly always can't have that. Like it or not, you settle on a system that costs more than you want, is reliable enough, secure enough, easy enough to use, etc, where "enough" is sometimes not as good as you really want, but as good as you can get with the resources you have.
So no, the fact that an attacker compromised a system doesn't always mean someone dropped the ball. Sometimes it does, but not always and not necessarily.
Do you have any idea what effect this would have on your average /. reader?
Rapture was last year, buddy. Think about that for a moment. Yes, you're all still here with the rest of us.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
I agree with the insightful posters who are declaring the probable reality of this zombie attack. But how are we to know? Have you ever been to Montana? Do you even know anybody who's been to Montana? Do you even know anybody who knows anybody....well, you get my point. Hell's bells, there could be a high-kicking chorus line of zombies dancing down Main Street in Helena and who would know? Believe me about this. I live in Ohio. I know about states that nobody visits.
I'm just wondering what's wrong with joyriding fire trucks. Skateboarders have done it for at least three generations now, the only people that they've endangered are their own stupid selves.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
Lies and damn lies, as anyone who played Left 4 Dead knows full well.
"I can't get over how FAST they all are, it's not even fair. I'm calling zombie bullshit on that, you know? They're not...ALLOWED to be so fast." - Zoey
I had a discussion with three or four people who insisted on defending Chris Dorner.
I stand corrected. Foolish of me to underestimate the pull of contrarianism, I suppose.
Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
Lies and damn lies, as anyone who played Left 4 Dead knows full well.
"I can't get over how FAST they all are, it's not even fair. I'm calling zombie bullshit on that, you know? They're not...ALLOWED to be so fast." - Zoey
Well if you are a zombie 'purist', then the only true zombies are George Romero's version. Dumb, slow, easily fooled, can't talk... The only way for them to get you was by surprise, turn a corner and they're right there! Before you can recover from the fright... too late, you're zombie food.
I haven't played this Left4Dead, but it sounds like they've broken Romero's unwritten zombie rules. I don't think I like this trend. Nope, don't like it one bit. These kids today shouldn't be messin' with 'the classics'. T'aint right, I tells ya'.
So no, the fact that an attacker compromised a system doesn't always mean someone dropped the ball. Sometimes it does, but not always and not necessarily.
No, it always does. Unless there is some physical property of the universe that means that this particular hole in this system just cannot be closed, someone made a mistake. Whether that mistake was in the engineering or the specification, or if that mistake can be readily forgiven depends on a whole host of other things - including how much time and resources were allocated to the project, what the specifications were, whether security was knowingly being traded off for other factors, etc.
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
Bet a lot of Montana /.ers who were watching soiled themselves. Hope the FCC catches up with these dickheads and throws the book at them!
My karma is bad. Don't get too close!!!