Chinese Hackers Infiltrate US Army Database, Compromise Safety of Dams

coolnumbr12 writes "Chinese hackers have infiltrated a sensitive U.S. Army database that contains information about the vulnerabilities of thousands of dams located throughout the United States. The U.S. Army Corps of Engineers' National Inventory of Dams (NID) has raised concerns that information gathered in the hack could help China carry out a cyber-attack on the national electrical power grid."

This crosses one of Obama's famous red lines.

You guys have nine years to knock that shit off or there is gonna be trouble.

Re:This crosses one of Obama's famous red lines.

[davester666]

Yes, we might stop letting them lend us money!

how is this not an act of war?

is there proof that it's tied to the chinese govt? if so, this seems like an overtly aggressive action.

Re:how is this not an act of war?

[sabri]

Is there proof that it actually was a Chinese citizen behind the keyboard? All they did so far is trace the origin back to a Chinese IP address.

Even if the culprit turned out to be a person with Chinese citizenship, it could very well be the same thing as some pimply faced youth somewhere in a fly-over state hacking into a Chinese database. It does not have to be related to the government. However, if it is, China has some explanation to do.

I'm also wondering whether or not the DOD is purposely saying "it's the Chinese" to avoid people asking them "why don't you secure your shit better?".

Re:how is this not an act of war?

[ewhenn]

Actually it just makes me want to ask, "why don't you secure your shit better.... from the Chinese?"

Re:how is this not an act of war?

[AK+Marc]

The last time everyone swore it was the Chinese, it was later tracked down to an internal computer. Wolf doesn't work after the 10,000th accusation without proof.

Re:how is this not an act of war?

[AK+Marc]

It was China who hacked South Korea, until the company announced it was an internal IP that hacked them, not China. And if China hacks so many people so often, why has there never been any proof? Does an IP identify a person?

Re:how is this not an act of war?

How about the Iranian scientist who was assassinated? People thought it was CIA/Mossad, but it turned out that he was working undercover for the US, and was assassinated by the Iranian intelligence service.

By your logic, that single event should exonerate the US for any future occurrences of assassination inside Iran.

Re:how is this not an act of war?

[AK+Marc]

But that was CIA, just not for the original reasons.

Re:how is this not an act of war?

[icebike]

Even if the culprit turned out to be a person with Chinese citizenship, it could very well be the same thing as some pimply faced youth somewhere in a fly-over state hacking into a Chinese database. It does not have to be related to the government. However, if it is, China has some explanation to do.

The great firewall of china won't allow any access to foreign sites that they don't like, but turns a blind eye to wholesale hacking by pimply faced kids? Who is THAT naive any more?

That it came from their IP and means nothing in and of itself. Especially when you RTFA and find this nugget

“The U.S. Army Corps of Engineers is aware that access to the National Inventory of Dams (NID), to include sensitive fields of information not generally available to the public, was GIVEN to an unauthorized individual in January 2013 who was subsequently determined to not to have proper level of access for the information,” Pierce said in a statement.

“[U.S. Army Corps of Engineers] immediately revoked this user’s access to the database upon learning that the individual was not, in fact, authorized full access to the NID,” he said.

So there was no hacking involved. Simply someone handing out a password to a database to someone else who was not authorized. Since someone in the US Army or someone the Army authorized handed over the credentials you can hardly call it an act of war.

Someone screwed up, and it took months to find out about it. It may well have been something entirely innocent (if ill advised) as allowing hydrological engineers to compare notes on some aspect of dam construction or dam safety.

Re:how is this not an act of war?

[icebike]

Something happens in US, initial reports point to China
IT CAN'T BE CHINA

In this case it was china, but they were GIVEN access to the data, they didn't steal it.
RTFA.

Re:how is this not an act of war?

[fazey]

You clearly dont own a server. There are always IPs belonging to China poking and prodding your server. Then when you report it, they dont respond at all, and the IP is never AUP'd. So yes... it was probably f'ing China.

Re:how is this not an act of war?

[AK+Marc]

How often are they from the US? Russia? And do you think it might be related to the reports that China has the greatest number of zombies?

Re:how is this not an act of war?

[sabri]

There are always IPs belonging to China poking and prodding your server.

It is not difficult to figure out which netblocks are currently in use by Chinese entities. It is also not difficult to configure a firewall.

Re:how is this not an act of war?

[philip.paradis]

Do you seriously believe that events, suppositions, theories, possibilities, government-backed PR statements from $insert_nation_here, and similar fodder that winds up in mainstream media reports represents the sum total of events that relate to or are orchestrated by the intelligence community? If so, pat yourself on the back; you've surely got it all figured out. What will you do with all your free time now? I suppose you could start by making your way off the couch to retrieve another Mountain Dew and bag of Doritos. You must be running low after all that excessive thinking you just demonstrated.

Re:how is this not an act of war?

[hedwards]

Does it really matter? The thing which concerns me here is that this sort of critical infrastructure is wired to the net without any sort of airgap. Regardless of whether it's the Chinese government backing it or just some random anarchist group, it's deeply concerning that these systems are connect to the net at all.

Re:how is this not an act of war?

[donscarletti]

How is this not an act of war?

Same reason nothing the Soviets ever did was an act of war: because retaliation would be too costly.

Re:how is this not an act of war?

[fazey]

The entire point of the experiment was to see which country the attacks were coming from. Therefore a firewall would defeat the purpose.

Re:how is this not an act of war?

[easyTree]

Something happens in Iran, initial reports point to USA
IT MUST BE THE USA

Something happens in US, initial reports point to China
IT MUST BE THE USA

FTFY

Re:how is this not an act of war?

[icebike]

Go read the story.
They were given a password and authority to access the data.

Only later was it discovered they were not eligible to be granted access. They didn't hack anything. They logged in with credentials they had been given.

Reading is fundamental. Stay in school.

Re:how is this not an act of war?

[ls671]

CIA uses Slackware?

Re:how is this not an act of war?

[cold+fjord]

So there was no hacking involved. Simply someone handing out a password to a database to someone else who was not authorized.

It's called social engineering, and it is a well recognized hacking technique used in some infamous cases.

Since someone in the US Army or someone the Army authorized handed over the credentials you can hardly call it an act of war.

War, no. But it is still espionage apparently conducted by one of the last countries controlled by a Communist government whose officials periodically make public statements about attacking the United States with nuclear weapons.

The nature of the information they sought access to, and apparently obtained, isn't benign.

Dam - Sensitive Army database of U.S. dams compromised

. . . The database categorizes U.S. dams by the number of people that would be killed if a dam fails. They include “significant” and “high” hazard levels. . .

“In the wrong hands, the Army Corps of Engineers’ database could be a cyber attack roadmap for a hostile state or terrorist group to disrupt power grids or target dams in this country,” Van Cleave said in an email.

Gen. Keith Alexander, commander of the U.S. Cyber Command, warned in a 2011 speech that cyber attacks were escalating from causing disruptions to actual destructive strikes, including cyber attacks on hydroelectric dams.

Alexander provided what he said were indirect examples of two types of anticipated cyber attacks. . . The second involved the catastrophic destruction of a water-driven electrical generator at Russia’s Sayano-Shushenskaya dam, near the far eastern city of Cheremushki, in August 2009. One of the dam’s 10 650-megawatt hydro turbine generators, weighing more than 1,000 tons, was mistakenly started by a computer operator 500 miles away.

As a result, the generator began spinning, rose 50 feet in the air, and exploded, killing 75 people and destroying eight of the remaining nine turbines at the dam. . . more

Re:how is this not an act of war?

[kosty]

Proof? Who gives two $hits? I'm f$cking relieved that they haven't tried to pin it on Syria, Iran, Chechnya(?), The Tea Party, Occupy*, Iraq, Afghanistan, Pakistan, Mexican Drug Lords, Canadian pharmacies, poor people, rich people, unions, PETA, gun owners, gun makers, Muslims, drug addicts, Social Security, or Medicaid & Medicare, or smokers.

Re:how is this not an act of war?

[icebike]

The Russian story is apocryphal, snd there is not a shred of evidence of social engineering in the story.

In fact it seems to be a simple screw up on the part of someone in the Army.

Re:how is this not an act of war?

[oobayly]

Wow, so a computer operator 500 miles away badly repaired a 29yr 10mo old turbine which had a history of vibration, and caused it to lift out of its seat (by 15ft, not 50ft), and caused it to explode and kill 75. Well at least the Washington Times got one part correct. The accident happened in August 2009 and a report was released in October 2009, and in 2013 the Washington Post made up a fictional story on cause of the accident. I'm going to jump to conclusions here and say the they needed to pad out a shitty article with an example of "Cyber Terrorism" to reel naive reader in.

From Wikipedia

The report states that the accident was primarily caused by the turbine vibrations which led to the fatigue damage of the mountings of the turbine 2, including the cover of the turbine. It was also found that at the moment of accident at least six nuts were missing from the bolts securing the turbine cover. After the accident 49 recovered bolts were investigated from which 41 had fatigue cracks. On 8 bolts, the fatigue damaged area exceeded 90% of the total cross-sectional area.[2]

I've already made this reply once, but seeing as two people have used the exploding turbine as an example of "what could go wrong", I felt I needed to correct somebody who was "wrong on the internet".

Re:how is this not an act of war?

Not necessarily. There are many, many insecure servers and desktops in China and Taiwan; the language barrier, reliance on Windows XP, high rate of piracy (meaning patches rarely get applied) all combine to make it a humungous petri dish for malware and botnets. If you were trying to cover your tracks, it's be the logical place to vector your probes and attack through.

Re:how is this not an act of war?

[cold+fjord]

I felt I needed to correct somebody who was "wrong on the internet".

The story I link to, at the Washington Times, just says the turbine was turned on in error, which caused the destruction and death. It doesn't say that it was cyber terrorism, only that such a thing is possible if done deliberately rather than by accident. I think you've overreacted a bit.

But, I believe your motives in defense of the Rodina are pure, so I will award you a link.

Re:how is this not an act of war?

[synapse7]

China has got to love us. Without us who would buy all their cheap shit and provide new technology to copy?

Re:how is this not an act of war?

[operagost]

Wish I had mod points.

Re:how is this not an act of war?

[NeoMorphy]

The latency would make me go insane!

Re:how is this not an act of war?

[oobayly]

But, I believe your motives in defense of the Rodina are pure, so I will award you a link [youtube.com].

Wow, I didn't see that coming. There I was thinking that I was citing a report from post-soviet Russia (which in no way supports the idea that it was switched on by accident, but that it was running as per usual). But it's interesting that you bring up the accusation of unerring defence of a nation, when you yourself appear (in comments on this article) to vigorously defend the actions of - from what I assume from your spelling of defence - you home country the USA. In fact, your apparent concern with Communism would have fitted in well in the 1950s!

It does state that

..and none of the workers present wanted to make or had no authority to make decisions about further actions regarding the turbine. It seems they were used to those high levels of vibration,

So, in stereotypical Russian fashion, nobody wanted to bring up the problem with the director. Something that appears to happen all too frequently in Soviet and post-soviet Russia.

Re:how is this not an act of war?

[guinea+pig+C]

Also, just because it is a Chinese address, does not necessarily mean that it is a Chinese citizen. Shanghai, Shenzhen and dozens of other Chinese cities are filled with entrepreneurial expats at the moment, who understand that the best business opportunities are now in places like the Pearl River Delta and not Paolo Alto. Many of these guys are very computer literate, and it only takes one disgruntled individual trying to get back at those responsible for flushing their home county's prospects down the toilet.

Doesn't matter

I'm sure the leaks we know about are weak compared to the ones we don't know about

Real reason

quoted from "https://news.ycombinator.com/item?id=5642408"

Of course they can, what makes you think they aren't?

But a more interesting question is to look at what information is presented and what is missing. How much is new, how much is old. Then on policy stories like this one I sometimes pop over to the senate web site and look at what's coming up on the senate calendar [1] and oh look, on May 7th they are having a hearing to talk about

      Hearings to examine the Department of the Air Force in
      review of the Defense Authorization Request for fiscal
      year 2014 and the Future Years Defense Program.

Hmm, who is in charge of Cyber Command? Why it's the Air Force! Who would have guessed.

(yes I can be that cynical)

Re: Real reason

Maybe you should pop over to wiki too. CyberCom is not a air force subordinate command. Its a joint command currently commanded by an Army general.

Re:Real reason

[DigiShaman]

Chair Force!

Fixed that for ya.

Re:Real reason

[cold+fjord]

In this case you would get more insight from a calculator or spreadsheet than from cynicism. The US Cyber Command budget isn't that large compared to either the Air Force budget or the DoD budget. Finding some justification to bump it up wouldn't make much difference - it isn't going to be the tail that wags the dog.

Misplaced cynicism can also mislead you by pointing you in the wrong direction, as above. If you started digging into the question of Chinese espionage against the United States, you would quickly and easily lean that it is a huge effort against wide ranging targets. Why you would think this relatively minor event is in some way inconsistent wtih the total Chinese effort, and therefore not real, is baffling. Interesting who you effectively trust.

China also has more than 3,000 front companies in the U.S. “for the sole purpose of acquiring our technology,” . . .
Inside the Chinese Boom in Corporate Espionage
Chinese Army Directing Cyber Espionage Against Western Businesses
China military unit 'behind prolific hacking'
The China Problem

Re:Real reason

The Air Force is NOT in charge of [US] Cyber Command. Gen Keith Alexander, USA, DIRNSA is CYBERCOM's commander.

From the USCYBERCOM unclassified home page:

USCYBERCOM is a sub-unified command subordinate to USSTRATCOM. Service Elements include:

• USA – Army Forces Cyber Command (ARFORCYBER)
• USAF – U.S. Air Force, 24th Air Force
• USN – Fleet Cyber Command (FLTCYBERCOM)
• USMC – Marine Forces Cyber Command (MARFORCYBER)

What Information?

[Alex+Pennace]

From the article it isn't clear exactly what information was deemed sensitive. Does this information include very specific details (like, "here is the password to that plant's SCADA system?" Or does it cover broader details that the public had free access to prior to the September 11 attacks, such information now being withheld as "critical infrastructure information?"

Re:What Information?

[linatux]

Hopefully the SCADA systems have a password other than the default

Re: What Information?

[s.petry]

123456

conf password is "password"

Re: What Information?

[AG+the+other]

Actually army network passwords have or at least had to be when I worked for them 15 letters long, contain no dictionary words and have a minimum of 2 small letters, to caps and two symbols. They are also changed every 30 days and can not be reused.
Also at random times all passwords are just set to be reset because that is what the admins are told to do.

Re: What Information?

[slashmydots]

I don't think the military owns or operates hydroelectric dams though

Re: What Information?

[xQx]

Meaning the three most effective ways to gain access are:
1. Take high res photos of people's desks as you walk past and read use the passwords that will be written on yellow sticky notes around the place.
2. Steal someone's phone or diary and look for the passwords they've noted in their contacts or notes.
3. When you find the password, which will be something like "skldjfsldfjsklfjsf!@*(#3-Feb13" and it's now 30 days later, try "skldjfsldfjsklfjsf!@*(#3-Mar13" or "skldjfsldfjsklfjsf!@*(#3-Mar14"

Because at the end of the day a human needs to remember these ridiculous passwords, and they will revert to either writing it down or using a pattern.

Re: What Information?

The Army Corps of Engineers manages public waterways & dams in the eastern states.

Re: What Information?

[nomasteryoda]

Wow... that's exactly my password... LOL --- if you believe that, then you are a windows loser

Re: What Information?

[rahvin112]

The human memory thing is why we should have moved to pass phrases a LONG time ago. You can get far more entropy with a phrase than you can ever get with a password, no matter how complex.

A simple four word phrase with capitalized words and some punctuation would easily have 4x the number of characters as that impossible to remember 15 letter password. And as you noted, 30 day changes ensure there is a date, or number that allows the use of the same password with a slight variation.

Re: What Information?

[AG+the+other]

They operate at least 4 or 5 in the state or Arkansas alone. During the 50s and 60s they just about damed up everything bigger than a trickle from a water hose here.
That's the Core of Engineers. That are where the guys that build for the Army get practice for digging in the USA for when they go other places.
They have a totally cool model of the Mississippi river in Vicksburg that they use to simulate floods, droughts and other projects in the entire Mississippi river drainage.
That's a big area in case you didn't know.

Re: What Information?

[WWJohnBrowningDo]

contain no dictionary words and have a minimum of 2 small letters, to caps and two symbols

Ironically, anal retentive password rules like this one actually undermines the password entropy. In this case I'll bet 99% of the passwords contain exactly two symbols.

Re:What Information?

[citizenr]

Hopefully the SCADA systems have a password other than the default

Can you finally change Siemens default password or will it still break whole system and is not supported like in the 'good old days'?

Re: What Information?

[ceoyoyo]

Try "this is FU#K!NG stupid1". If that doesn't work, go to 2. If spaces aren't allowed, omit them.

Re: What Information?

[Holi]

>Notice: If you post anonymously do not expect a reply.
Even if it's interesting and on topic?

Which this comment most definitely isn't.

Re: What Information?

[Holi]

and you have a false sense of superiority based on the OS you use.

Re: What Information?

[DigiShaman]

Correct horse battery staple.

http://xkcd.com/936/

Re:What Information?

[Jah-Wren+Ryel]

Or does it cover broader details that the public had free access to prior to the September 11 attacks, such information now being withheld as "critical infrastructure information?"

Given the alarmism and push for "cyberwarefare" I'm willing to bet all that was in those files were things like the engineering specs of the dams and maybe the results of any surveys since that would be part of plans for maintenance and repair.

Re:What Information?

[Holi]

>It has things like rough estimates of dam height, volume of water impounded, vague evaluations of condition and age, etc

>compares pretty poorly to what can be learned from examining Google Earth or any map site with aerial photograph overlays

You can get dam height, water volume measurements, and age/condition from Google Maps? You must have the new alpha version.

Re: What Information?

[WGFCrafty]

And watch every password become "Mary had a Little Lamb!" ;-)

Re: What Information?

[physicsphairy]

I do like phrases, but I am suspicious of the *real* entropy associated with them (I promise you it is not just a function of the number of characters). The problem is, as always, the end user is still free to abuse the system and make dumb password choices.

I think we need to stop letting users choose their own passwords. The only reason to do that is to make it easier for them to memorize, but then the easiest thing to memorize is something trivial and insecure, and to base it on something personal (which makes things like visiting your facebook page a possible vector of attack), so you are really just encouraging bad passwords. At best, users should be allowed to prompt the generator with some inputs (take a word, embed it in a larger phrase) or choose part of a two-part authentication.

Re: What Information?

[adolf]

IThinkUrWrong
123456789012

Re: What Information?

[tragedy]

It's not meant to be a function of the number of characters. If you have a four word phrase, each word can be any of at least a quarter of a million English words, which gives 4 sextillion possible combinations. That's not even counting all the possible nouns you could throw in there, not to mention a little random punctuation, etc.

For passwords, I think we should start having multi-factor authentication. It's the 21st century, it's high bleeding time anyone with cause to have lots of passwords had their own secure cryptography device to take with them everywhere loaded up with various kinds of cryptography with a library of write-once, read-never (but overwrite allowed when obsolete) hidden keys and volumes of one-time pad (the other copies of which are kept securely by various organizations they have to work with such as banks, employers, etc.). Then, for everything that requires a password, they enter one password on whatever they're logging in to and one password onto their personal encryption device, which is plugged into the computer/atm/security system/etc. they're accessing and authenticates with it.

Re:What Information?

[cold+fjord]

You would be wrong in your bet. Among the information it contains is the number of people that would be killed if it fails - sort of a target list for bombers and saboteurs. I expect the information can be used in other ways as well. If you bother going to the link, make sure you read page 2 as well.

Re:What Information?

[some+old+guy]

No and yes.

Just try doing periodic security tasks. Siemens security is still a bloated, badly implemented kluge-fest. Hell, on big systems you're down for days just migrating to a new IP address range. Don't even get me started on S7 subnet ID's. Know-how Protect has bricked more 300's than all the maintenance doofusses in history.

Honeywell Distributed, Delta V, and Rockwell are all miles ahead of Siemens on this.

Re: What Information?

[foobsr]

"The quick brown fox jumps over the lazy dog."

For oldish nerds.

CC.

Re:What Information?

[cold+fjord]

From the article it isn't clear exactly what information was deemed sensitive.

Here is a better article.

The database tells you how many people will be killed if any given dam breaks. It is effectively a target list. No doubt there is other data there as well.

Re: What Information?

[mongoose(!no)]

As another user of this database, he's right, a lot of the size information for the farm dams appears to be estimates, gathered from state departments of environmental protection and such. Of course the data is better for the big hydropower and irrigation dams. You can create an account and get all that data yourself. The data that's not publically available, if I'm not mistaken, isn't blueprints of the dam facilities, just some quantifications of the dam's condition and maybe some short written details. Yes, it could help a terrorist select a target, but it's not as big of a deal as the article says. The database certainly doesn't have the passwords for SCADA systems or anything like that.

Re: What Information?

[LordLimecat]

Or do like I do, find some document, object, painting, or device near where I work, go to school, or live, and take a phrase off of it. Mangle the phrase a little bit, you have yourself a secure password thats already written down.

Hey, now you even know my pattern. Have fun figuring out what I used.

Re:What Information?

[Jah-Wren+Ryel]

Among the information it contains is the number of people that would be killed if it fails - sort of a target list for bombers and saboteurs.

So basically a tabulation of the census data for the downstream towns. The kind of thing that would take a normal person a few days to approximate within an order of magnitude for all of the dams is hardly a significant risk.

If you bother going to the link, make sure you read page 2 as well.

You mean the Sayano-Shushenskaya dam reference? That is a very extreme distortion of the facts, given the agenda of the guy making the statement, I would say borderline criminal. A 30 second google and a couple of minutes of reading should give you some perspective.

Re: What Information?

[s.petry]

I was at the DOD for a decade, I know the rules. That was a joke based on the /. article a few days ago regarding the most commonly used passwords.

Re: What Information?

[LoRdTAW]

skldjfsldfjsklfjsf!@* !!!!!

Amazing! Thats the same password on my luggage!

Re: What Information?

[neonKow]

I will make three points here:
1. Brute-force attacks are not the main vulnerability of passwords at this point, so debating entropy is a little pointless
2. Your calculation of 4 sextillion combinations of words is overly optimistic
3. And 4 sextillion doesn't even compare that favorably to current password schemes

1. It's almost trivially easy to defeat brute-force attacks compared to securing passwords from being lost through social engineering, trojans, and general poor password practice.

2. There may be a quarter of a million words, but the average user will choose a passphrase that has:
(a) an adjective-noun pair,
(b) words all 4 characters or more
(c) from a vocabulary of about 2000-4000 commonly used words,
(d) and include a lot of nouns that are animals, places, sports, or objects found around the office (rather than more abstract nouns like "conciousness" or "ambiguity")
The entropy in that is much lower than 4 sextillion.

3. Even if we went with your 4 sextillion (4 * 10^21) value of entropy, that is 1/5th the entropy of a 12-character password that can be any combination of upper/lower-case characters, digits, or one of 10 punctuation characters (72^12 = 2 * 10^22). At best, your scheme is better than an 11-digit password. A slight improvement, but not revolutionary.

Also, I can't think of any 2-factor authentication that doesn't involve a central authority of some sort, which poses incredible scaling and logistics issues. Since the internet is international, you'd need an international authority. Good luck getting people to agree on one. Cell phones might be the closest thing we have to a consensus, but that obviously leaves out huge populations of the world where that can't be relied on.

For better or worse, passwords are probably going to remain the same as they have been for the past decade.

Re: What Information?

[jfengel]

I'm skeptical of the claims for pass phrases. Yes, everybody remembers "correct horse battery staple". But will you remember "yogurt hazmat oak pluto" and "flat happy loan grievance" and "ochre lemon marathon leopard" and a dozen others? Will you remember which one goes with which site? Will you remember what order the words go in?

There may be some net advantage in the end, but I don't think it's anywhere near as large as it's commonly presented. In the end, they get more entropy because they have more entropy, and that means bits in your brain. The large number of characters is counteracted by the patterns of your native language. Each word has about 8 or 9 bits because you're drawing from a dictionary of perhaps 50,000 words, and you can increase entropy additively only because the words don't cue you to each other. That makes them hard to remember in exactly the way that makes them secure.

Pass phrases are supposed to have an advantage in using other forms of memory: your mental picture of a horse looking at a battery staple might remind you (and nobody else) that the horse is correct. It's an interesting theory, but I'd really like to see a real-world test to justify whether it actually significantly increases one's ability to memorize the several hundred (or several thousand) bits one is supposed to need to have different, high-entropy passwords at a significant number of sites.

Re: What Information?

[AG+the+other]

The military actually were moving to a card and password combination when I left.
The cards are not anything like a credit card so aren't easily duplicated.

Re: What Information?

[tragedy]

I will make three points here:
1. Brute-force attacks are not the main vulnerability of passwords at this point, so debating entropy is a little pointless

Fair enough. The main vulnerability of passwords will always be people. Most people will use the same password or a slight variation on it for just about everything. Heck, even I do that for groups of non-vital accounts. For most people, a phishing site can offer something in exchange for signing up, record the credentials the user enters, then try to log in any number of places and, chances are, if the same person has an account there the same credentials will work. The only real reason to debate entropy is because, usually, when you suggest using combinations of words instead of obfuscated passwords, someone will point out that a passphrase with just a few elements doesn't have as much entropy as a password with more elements. Then someone else has to point out that, since there are so many more possibilities for the individual elements, the passphrase can work out favorably, especially if it's easier to remember. I'm playing that role.

2. Your calculation of 4 sextillion combinations of words is overly optimistic

Not really. There are a quarter of a million English words in the OED. Some of them are obsolete, but that doesn't matter, it only matters that they will be memorable in a passphrase. That's enough for the 4 sextillion (ok, I rounded up by 94 quintillion or so, but we can ignore such a trifling sum) and that's ignoring all the possible forms of all these words and a heck of a lot of nouns that probably drive it north of a million possibilities per element.

Naturally, the actual words people choose for themselves will typically be from a much more limited set. Of course, the same is true of traditional passwords. Things like childs name plus numerical representation of date of birth are a pretty common way to deal with password requirements. I should have been more clear that I think where multi-word passwords work best is when they're generated by the computer for the human to remember, in which case they're typically easier to remember than an equivalently character-based password.

3. And 4 sextillion doesn't even compare that favorably to current password schemes

It actually can, unless you insist on only ever having four words in the multi-word passphrase, but allow the traditional password to be arbitrarily long. You give an example below of a 12 digit password, but realistically most people have passwords shorter than that. 72^2.906286310633014 ~= 250000, so let's just round to 3 and say that you're always going to need three times as many characters as words to beat the multi-word passphrase provided that the number of possible characters/words stays where we speculated.

The poster I replied to was opining that we should stop letting users pick their own passwords. If we do this, then the multi-word passphrase will probably be easier to remember. My preferred solution is to continue to use weak-sauce solutions like user-selected passwords and/or biometrics but to combine them with some sort of secure cryptographic device that the end user carries.

Also, I can't think of any 2-factor authentication that doesn't involve a central authority of some sort, which poses incredible scaling and logistics issues. Since the internet is international, you'd need an international authority. Good luck getting people to agree on one. Cell phones might be the closest thing we have to a consensus, but that obviously leaves out huge populations of the world where that can't be relied on.

I'm thinking of a multi-function crytographic device not tied to one particular scheme. It could theoretically be built into a cell-phone, but would need to have its own dedicated, isolated hardware. The biggest challenge with integrating it with a cellphone would be the problem of securely transmitting data in the c

Just got to say

[ColdWetDog]

Dam these Chinese!

Re:Just got to say

[Karl+Cocknozzle]

Dam these Chinese!

...And then three hours later you just feel like you'll pass out if you don't hack somebody else...

Re:Just got to say

[powerlord]

Three Gorges Dam in ... One Dam Out!

Three Gorges Dam in ... One Dam Out!

Three Gorges Dam in ... One Dam Out!

False. Flag.

Subject. Line.

Re:False. Flag.

[TapeCutter]

Nah, it's clearly pot meets kettle.

Re:False. Flag.

[cold+fjord]

The alleged "Operation Olympic Games" was not against China but Iran in an attempt to forestall a nuclear weapons conflict, and the mistaken bombing of the Chinese embassy, for which compensation was paid, was the result of incorrect coordinates for a Yugoslavian installation and didn't involve the internet.

Re:False. Flag.

[rich_hudds]

the mistaken bombing of the Chinese embassy, for which compensation was paid, was the result of incorrect coordinates for a Yugoslavian installation

At least one investigation concluded that the bombing was a deliberate attack to try and stop Stealth Fighter technology being passed back to China.

Can you back up your confident assertion that it was a mistake?

Oh yeah, thats a great idea

[MichaelSmith]

Destroy the economy of your biggest customer. Thats a great way to stay in business.

Re:Oh yeah, thats a great idea

[Nerdfest]

I'd guess that China's long term goal is not merely economic domination.

Re:Oh yeah, thats a great idea

[cmurf]

Another great idea would be for posters to consider either not making things up, or state who has raised concerns (as absurd as they may be).

Re:Oh yeah, thats a great idea

[Genda]

Yeah, because the Chinese have bases in countries all over the world... Oh, wait that's us. No, it's the Chinese who are spending themselves into oblivion on weapons of war... Oh, wait, that's us again. We spend more on our military than the next 13 nations combined (but we can't afford to educate our children... bright.) I dunno, perhaps if we moved from offense to defense, these things wouldn't be issues?

Just a thought.

Re:Oh yeah, thats a great idea

They could have conquered the world two thousand years ago, but decided that they had grown too big. They actually are also limiting their own population with the "one child" laws and such. I seriously doubt they want more region than they currently have.

Re:Oh yeah, thats a great idea

[Sri+Ramkrishna]

Even more funny is the fact is that since we can't educate our chidlren, we'll have to import our talent to run our war machines since we'll be nothing but a bunch of ignoramous who believe that dinosaurs and Jesus got along or something silly that or that the earth is only 5000 years old.

Re:Oh yeah, thats a great idea

[Bing+Tsher+E]

I don't think there is a lot of continuity in the powers that ruled China 2000 years ago and the regime in power now. It's shocking that anybody could even think that was relevant.

Re:Oh yeah, thats a great idea

[Sardaukar86]

The issues with the US education system do not appear to be the result of insufficient funding.

Re:Oh yeah, thats a great idea

[magarity]

Yeah, because the Chinese have bases in countries all over the world... Oh, wait that's us. No, it's the Chinese who are spending themselves into oblivion on weapons of war... Oh, wait, that's us again. We spend more on our military than the next 13 nations combined (but we can't afford to educate our children... bright.) I dunno, perhaps if we moved from offense to defense, these things wouldn't be issues?

Just a thought.

You need to check the ratios on the federal budget to see on what it is the US is spending itself into oblivion. Military spending is not the lion's share. And spending on public education exceeds what the feds spend on the military.

Re:Oh yeah, thats a great idea

[ceoyoyo]

http://www.usgovernmentspending.com/year_spending_2013USbn_14bs1n_3036508031#usgs302

Looks like defense is ahead of education. That defense budget seems a little suspicious too. Lots of zeros. And does it include funding the wars?

Re:Oh yeah, thats a great idea

[saygaicom]

http://www.usgovernmentspending.com/year_spending_2013USbn_14bs1n_3036508031#usgs302

Looks like defense is ahead of education. That defense budget seems a little suspicious too. Lots of zeros. And does it include funding the wars?

Ban xem chi tiet tai day nhe tri mun

Re:Oh yeah, thats a great idea

It's defense.
That other part is offense. Not in the list. Too offending.

Re:Oh yeah, thats a great idea

[cold+fjord]

Yeah, because the Chinese have bases in countries all over the world...

The People's Republic of China, A.K.A. communist China, has a growing number of military bases and access to facilities around the world. The Chinese fleet has been participating in anti-piracy actions around Somalia, giving them experience in extended naval deployments. The Chinese navy is planning to build something like four aircraft carriers and is currently flying aircraft off their first one that they are bringing into operation now after learning much from the Brazilian navy. Chinese special forces have been training the military in Venezuela. The Chinese are active in Africa.

The Chinese have also been bullying many of their neighbors, laying claim to distant islands and extensive land areas. Why don't you ask the Indians what they think of China's behavior, they are forming several new airborne infantry units to help deal with the threat? Or the Japanese, who are suffering a growing number of incursions by Chinese aircraft and sea vessels? Of perhaps the Philippines, which is seeing Chinese territory grabs on their doorstep?

No, it's the Chinese who are spending themselves into oblivion on weapons of war... Oh, wait, that's us again.

US military spending has recently generally been between 4% to 5% of GDP, well below historic levels. The army and navy and rumps of what they were at the end of the Cold War. Spending on social welfare programs is several times the military budget and is continuing to grow, and will grow for decades to come. It is Social Security, Medicare, Medicaid, now joined by Obamacare which really starts kicking in this year, that will bankrupt the US, not the military spending.

I'm afraid you don't know what you are talking about there.

We spend more on our military than the next 13 nations combined

A large part of that is personnel costs. The US has an all volunteer military that pays its members a salary competitive with the civilian sector unlike many other major nations that use conscription to fill their armies. An American corporal in the Army or Marines makes about what a Chinese general makes per month. I'm sure you can figure the impact of that out. Same thing applies to weapons purchases. Maybe you've heard that Chinese engineering staff and factory labor is cheaper than American?

On the other hand pretty much all European countries allied with the United States spend less than they should by treaty goals. As a result they had a hard time with the intervention in Libya without American assistance.

If it makes you feel better the Chinese are upping their military budget by 10.7% this year.

(but we can't afford to educate our children... bright.)

The US throws large amounts of money at education. The problem isn't with how much money, but what it is spent on, like growing numbers of administrators. There are also social factors that come into play that the education budget itself can't fix. The teachers unions don't help much either.

You don't really have this right either.

I dunno, perhaps if we moved from offense to defense, these things wouldn't be issues?

If platitudes could solve things they wouldn't be issues either.

Re:Oh yeah, thats a great idea

[Genda]

They have a over a billion people and their economy is slated to pass ours this decade. They're out-spending and out-developing us in science, education, space exploration, national infrastructure, environmentally friendly energy and resources, and telecommunications. The only way we're going to compete is to regain and maintain our technological edge. This would require giving up a corporate state that is busily figuring how to sell off the next generation to the highest bidder. If there's any good news, its that China has even more greedy bastards than the U.S. and they may implode in an orgy of economic cannibalism even before we do.

Re:Oh yeah, thats a great idea

[cold+fjord]

If you look at the totals in the right column, they aren't that different - the defense budget is roughly about 110% of education spending. (Assuming the numbers are correct.)

There seems to be a lot of zeros in both numbers. I'll bet I know what confused you - you only looked at the federal spending and most defense spending is federal, most education spending is local and state. But totals? Not that different.

Education $781.2 billion
Defense $857.7 billion

I'll note two things. First, the defense totals are only that high since they lump in things like veterans programs into it whereas it is a separate agency that contributes nothing to current operations. It is debatable but reasonable point.

Second, it isn't clear that more money for education will necessarily produce a better outcome.

Does Spending More on Education Improve Academic Achievement?

While you are on that page you also might as well note the totals spent on pensions and health care compared to the military budget.

Re:Oh yeah, thats a great idea

[ceoyoyo]

I'm not confused. The GP stated that the US spends more on education than defence. It doesn't. I was surprised the two are so close. You guys don't seem to be getting value for your money. I agree that insufficient funding doesn't seem to be the problem.

It's entirely fair to lump veterans' programs into defence spending. Maintaining standing forces and deploying those forces mean you're going to have veterans to take care of. Not including the cost of veterans' programs is like not including the cost of active operations in defence spending (which I've seen several people insist should be the case).

There are lots of statistics showing that the US doesn't get value for its money in health care. As for pensions, you should probably check the US government income breakdown: http://en.wikipedia.org/wiki/File:U.S._Federal_Receipts_-_FY_2007.png. It looks like social security spending is (currently) more or less in line with social security income.

Re:Oh yeah, thats a great idea

[LordLimecat]

(but we can't afford to educate our children... bright.)

Note: Im trying to cite sources on both sides-- not just heritage, but also huffington-- and to include "primary" sources (US Dept of Education).

Interesting thing about education is that there seems to be little direct relationship between spending and results with education. Look at [PDF WARNING] per-pupil spending by state (Table 8, on page 26), and compare to NAEP performance by state. You have some top spenders in the first few top spots, but you also have the very top spenders-- New York and DC-- all the way at the bottom of the list; and you have a number of others scattered throughout the rankings. It would be nice if there were a combined graph somewhere, but I wasnt able to find one.

Also (and I didnt know this till looking it up just now), apparently per-student expenditures have doubled since 1970, and yet scores have remained flat:
http://www.heritage.org/static/reportimages/796DF8C7C231CFFE366308277E88CF57.gif
http://www.huffingtonpost.com/bill-gates/bill-gates-school-performance_b_829771.html
(verify the numbers @ http://nces.ed.gov/fastfacts/display.asp?id=66 and http://www2.ed.gov/about/overview/fed/10facts/edlite-chart.html)

Its almost as if, after a certain point, spending on education has very little effect. Almost as if "getting iPads for your students" doesnt ACTUALLY magically implant knowledge in their brain, or motivate them to learn. Almost as if there are much more important factors like family and community involvement.

Re:Oh yeah, thats a great idea

[Impy+the+Impiuos+Imp]

Ooooh, we're down to under a trillion borrowed this year! The amount borrowed is only $120 billion more than the entire DOD!

Our credit card bill, interest only, is $330 billion this year. Did we get our money's worth the last 30 years?

Well, the politicians you elected borrowing that sure did, and retired fine. Ahhh, public servitude.

Re:Oh yeah, thats a great idea

[jd.schmidt]

Who voted this guy as informative? Deceptive is more like it.

The Chinese may have increased their defense spending by 10.7%, but it is still a much smaller percentage of their GDP than the percentage the U.S. spends. Even after the "Draconian" cuts, the U.S. spends 4.4% of its GDP on military, the Chinese spend around 2.0% of GDP, noticeably below the world average of spending on defense BTW. Also much of the Chinese increase probably simply matched their economic growth.

And of course the U.S. economy is bigger, so we spend much more over all! The only real world power that comes close to our military spending by percentage is Russia, a country that bankrupted itself with military spending.

By comparison, our spending on social programs, besides social security and Medicare AKA true welfare, is the lowest per capita of first world economies. Alternatives to Social Security may be worth talking about, but it is a separate budget by design and have nothing to do with Military spending. Linking them at all is deceptive.

If the most expensive military in the world, bar none, by every imaginable measure isn't a good enough military, we need to fire every general and get competent ones.

Re:Oh yeah, thats a great idea

[cold+fjord]

Actually yes, there is.

The Republic of China, which is the sovereign government that used to control all of China, including mainland China, but after the Chinese civil war now only controls the island province of Taiwan.

Re:Oh yeah, thats a great idea

[Nivag064]

Since native American solders are too expensive, perhaps the US should off shore satisfying its military requirements - I hear that Chinese Generals are quite cheap!

Lazy execs or engineers?

[grantspassalan]

I don't understand why anyone would want to connect really important things such as power plants and dams to the Internet. We have been running such things for about a century now and they work just fine. Anything behind a barbed wire fence should never be connected to the Internet. Why do people do this? Just for the convenience of some fat executive or lazy engineer who doesn't want to get his fat @$$ out of this office and see what is really going on with the machinery?

Re:Lazy execs or engineers?

Anything behind a barbed wire fence should never be connected to the Internet.

Earl! Unplug the cows!

Re:Lazy execs or engineers?

[Karl+Cocknozzle]

I don't understand why anyone would want to connect really important things such as power plants and dams to the Internet. We have been running such things for about a century now and they work just fine. Anything behind a barbed wire fence should never be connected to the Internet. Why do people do this? Just for the convenience of some fat executive or lazy engineer who doesn't want to get his fat @$$ out of this office and see what is really going on with the machinery?

The issue isn't that individual devices are connected to the Internet per se, the problem is that many of these networks are not designed to isolate the sensitive systems from "vanilla" office computers. The problem is people in operations centers need access to weather, news etc and while they have news channels on video wall with various other readouts, sometimes they need to confirm stuff. If it really is going to freeze suddenly, that will require extra capacity as heaters, water heaters, and engine block-heaters get switched back on by some people.

They could run parallel LANs, with separate workstations and networks for the "sensitive" operational machines and the "regular" vanilla workstations where people do email and crap.

The risk is at the touch points, and good luck shutting them all down. How will the administrators receive alerts if the "sensitive" systems can't send SNMP pops to a monitoring system outside the virtual-wire--or to one inside of it that then emails you outside the wire. At some point, PEOPLE become the touch point and sneaker net with USB tokens becomes a problem. You can shutdown and cement over the USB ports but some applications require dongles somewhere and eventually something gets plugged into something and autorun.exe happens and the next thing you know, they're hacked by Chinese.

This problem runs many, many layers deep. If only "unplugging it" was that easy.

Re:Lazy execs or engineers?

No its much more than that. Some of it even being driven by the federal government through the SmartGrid initiatives. Their are networks throughout the power transmission system that control power switches, transformers, and power generation. The software to control all of this is complex and you need people in diverse locations to be able to monitor and react. Things like priority and location of a powerline impact along with a map can be propagated to linemen on rugged tablets.

So meet those desires they connect these devices with their corporate networks and consequently to the internet. And.. just for the record the tech talent at utilities doesn't tend to exactly be the highest of quality so I'm sure there are plenty of vulnerabilities for those looking..

Re:Lazy execs or engineers?

[slashmydots]

Fat ass engineer actually, I would assume. Also he's probably offsite and a 3rd party contractor for cost reasons.
I have an idea! Make a local-only computer. Have a display of all settings and readings. Point a webcam at it. Tada, read-only access to all the settings and readings, lol.

Re:Lazy execs or engineers?

[Karl+Cocknozzle]

Anything behind a barbed wire fence should never be connected to the Internet.

Earl! Unplug the cows!

Ahh, spring... When a young AC's thoughts turn to love...

If only I had mod points... Well crafted.

Re:Lazy execs or engineers?

[sirsnork]

Firewalls can and do block incoming traffic. The only machine allowed to make outbound connections is the SMNP trap server, and it can only connect to internal SMTP server.

Sneakernet is the problem, electronically securing systems that must send electronic alerts, not so much

Re:Lazy execs or engineers?

[Gogo0]

quick clarification, in the Army (even CoE), SENSITIVE information is what is on the "vanilla" computers 99% of the time. it is a designator for information that is classified higher than PUBLIC, lower than SECRET, and for use at work only.

SENSITIVE data could be anything between a list of unit personnel's home telephone numbers to a comprehensive list of vulnerabilities across the entire unclassified network. anything deemed too-sensitive is classified higher and resides on a different network.

odds are better than decent that this is not information that will allow all our dams to be shut down or something, however it could give whoever nabbed it an overview that, combined with other data, could be compromising. its like someone reading your diary. it sucks, and they learned a lot, but it probably wasnt very valuable information to begin with. at least it shouldnt be.

Re:Lazy execs or engineers?

[grantspassalan]

So how did these power plants and dams and refineries all get run before the Internet was invented that enables hackers from China to possibly control such industries? Don't they still have people in the control rooms of these places? Do they still have telephones? Do they know how to use them to call someone higher up if there is trouble? All of these things worked reasonably well before, so why can't they now? Why should there be any Internet connection into any of these critical places? If a plant operator needs to know whether it is going to freeze tonight, why can't he/she find that out over the phone, like they used to?

Yes, in some cases it might be less convenient, but sometimes it is necessary to give up convenience for security. Security, cost as well as convenience have been always will be a trade-off. Evidently, many of the operators of these critical industries value convenience and lower cost more than security. As for dongles, why would anybody in his right mind ever even dream about buying any software that requires such idiotic devices? Those gadgets are just a form of DRM and we all know that there has never been any DRM that has NOT been bypassed.

Re:Lazy execs or engineers?

[ceoyoyo]

Hm. Seems like the sensitive bits of the dam should have it's own computer(s) and network. There are no USB ports. You get alerts on a screen because somebody is sitting in front of it, and picks up the phone or types out an e-mail on a different computer, if necessary. There are no dongles - those are security hazards.

When you built a dam you used to build an entire, monolithic control room to go with it, hardware and all. There really isn't much excuse for using software with dongles and connecting the dam operating hardware to the internet, directly, indirectly, or via sneakernet.

Re:Lazy execs or engineers?

[HPHatecraft]

Anything behind a barbed wire fence should never be connected to the Internet.

Earl! Unplug the cows!

Ahh, spring... When a young AC's thoughts turn to love...

If only I had mod points... Well crafted.

ahh, spring -- AC's bloom!
love scarlet, supplants green buds
a flash of brilliance

Re:Lazy execs or engineers?

[Dabido]

So people can work from home so that when anything blows up killing everyone on site, you're not there! Do you want to vent gases? Hmmm .... yes.

Re:Lazy execs or engineers?

[grantspassalan]

Those who want to be totally safe in life should never get out of bed in the morning! That of course doesn't mean that person will be safe, because most people by far die in bed.

Re:Lazy execs or engineers?

[Karl+Cocknozzle]

Firewalls can and do block incoming traffic. The only machine allowed to make outbound connections is the SMNP trap server, and it can only connect to internal SMTP server.

Sneakernet is the problem, electronically securing systems that must send electronic alerts, not so much

And where do these machines get security updates from? Any commercial software they're running has to be developed somewhere, and any in-house software would likely be developed on the "office" side, so you then run into the problem of how do you make a "secure-office" network that "can't talk to anybody" and then you quickly ask "But if the devs are on a "secure network" that nobody connects to, how do they get their code to production?" ...And then we're right back to the sneakernet and all the weaknesses that come with it...

SNMP was an example, but it is probably the most-simple problem to solve because "a firewall" solves it completely. The other issues, not so much.

Re:Lazy execs or engineers?

[Karl+Cocknozzle]

When you built a dam you used to build an entire, monolithic control room to go with it, hardware and all. There really isn't much excuse for using software with dongles and connecting the dam operating hardware to the internet, directly, indirectly, or via sneakernet.

This just doesn't reflect reality. Dams, power plants, etc are all businesses, and have to interface with other businesses that buy the product that they produce. So if they need an app with a dongle to sell power then you'd better figure out a way to give them their dongle or you can find another job.

It's easy to say "Dongles are a security risk!" and be right while missing the forest for the trees: If the dongle is required to sell power you will have the dongle. Period.

This idea that you can have your cake and eat it too--that is, that we're going to turn back the clock to 1982 with non-networked computer systems (and even non-computerized plants) is a fantasy. And that we'll somehow magically do so without any physical connection to the outside world is also fantasy, or without any USB ports? HA! The same crowd with pitchforks and torches in hand over the fact that dams and power plants have LANs that connect to the Internet would be the same people to jump into action if those LANs were disconnected from the outside world permanently and then wound up compromised because they're running out-of-date operating systems and software because it is suddenly verboten to connect those machines to Windows Update, or to any machine outside the "firewall," or to carry the updates in on physical media.

There is no such thing as "perfect" security, and anybody who tries to tell you there is has something to sell you that relies on you believing this unicorn can ever exist. It can't, but they'll still cash your checks until the day you stop writing them.

Not the hack compromises the safety

[gweihir]

The vulnerabilities of the dams are the real problem, but for some reason the government prefers to lie about that. Most of these vulnerabilities are probably pretty obvious to an expert (and, yes, the Chinese have experts on damns and these can go to the US for vacation), so hiding these problems is pretty stupid in the first place.

Re:Not the hack compromises the safety

[Karl+Cocknozzle]

The vulnerabilities of the dams are the real problem, but for some reason the government prefers to lie about that. Most of these vulnerabilities are probably pretty obvious to an expert (and, yes, the Chinese have experts on damns and these can go to the US for vacation), so hiding these problems is pretty stupid in the first place.

Right, but we don't want no more liberal big gubmint!" And so the dams go unrepaired. As go the bridges. And waterways. And embankments. And highway offramps...

Every great many years something fails spectacularly, and a few dozen commuters get splashed into the river. See also Minneapolis... Then lip service is paid, asses are kissed, and in the end only the absolutely worst bridges are fixed, the rest simply get "back-burnered" until the next stimulus bill comes along. And millions of commuters drive over these roads and bridges every single day.

Have fun! I'm riding my bike.

Re:Not the hack compromises the safety

[gweihir]

Indeed. What I find truly fascinating is the double standards. Terrorism kills quite small numbers of people in comparison, yet billions are spend (or better: wasted) to "fight" it. Yet this clear and present danger to critical infrastructure is ignored. Typically, you should not attribute to maliciousness what can be adequately explained by stupidity, but I think the state of the US infrastructure problems have exceeded what stupidity can explain some time ago.

Re:Not the hack compromises the safety

[cold+fjord]

The vulnerabilities of the dams are the real problem, but for some reason the government prefers to lie about that.

A better article on the incident.

Among the data that was potentially stolen was the number of people that would be killed by any given dam failing. Effectively it is a target list. I'm not sure what you think is a lie. Trained eyes don't penetrate very far into concrete.

...so hiding these problems is pretty stupid in the first place.

Publicizing your vulnerabilities along with a target list isn't so bright either.

Re:Not the hack compromises the safety

[russotto]

Among the data that was potentially stolen was the number of people that would be killed by any given dam failing.

That's interesting but not something any competent intelligence service couldn't figure out from open source information.

Re:Not the hack compromises the safety

[Karl+Cocknozzle]

You may want to look into those incidents deeper and look into how much money is wasted on graft, corruption, and pork barrel spending before you kneejerk and boldly claim they were due to simply not having a big enough budget.

I don't think I said that at all.

What I was trying to do was make a point about the dogmatic opposition to any spending involving infrastructure in this country as "big government!" When in fact the term you want is "effective government." And the same government can be bloated and mis-managed in one area and underfunded in another--the fact that some money is wasted in some part of the government doesn't justify ignoring these critical infrastructure items.

Re:Not the hack compromises the safety

[Karl+Cocknozzle]

FYI, that bridge collapse, you know the one where that involved real people that readers here actually know, was a government failure.

Careful, with all that heat you might set your straw-men on fire.

You say 100% true: It was a government failure--but it was the government's failure to fund upgrades and repairs, not their failure to spend wisely. Yes, there probably is money that could be redirected from wasteful propositions to this--but it wasn't, and the reason it wasn't is because a few idiots convinced their congressmen that it was "Smart" to vote against any spending on everything until we could get rid of President Nigger.

And here we are.

Sorry if you knew the people on the bridge when it collapsed--but you're not doing their memory any favors to dig in your heels and say "Spend other money!" We both agree the government was responsible to maintain and/or repair the bridge, so what's the beef with me? Your beef is with the "Any spending is bad big gubmint!" people, not me. The Teatards alternative to wasteful spending wasn't "Spend it more wisely," but "let's eliminate the few taxes we charge rich people" which hardly would have fixed the bridges.

Pearl harbour..

[GigaBurglar]

Not a troll - I just don't hide it any more. It's a movie and you are the audience. Quick roll out the cyber tanks I'm literally shitting myself . Critical mass. Bleh.. I don't belong in this shit-hole.

Article translation

[hugg]

According to http://www.wired.com/threatlevel/2013/05/hacker-breached-dam-database/:

"Chinese hackers" = “the Chinese government or military cyber warriors” according to unnamed officials

"sensitive U.S. army database" is a database where users are emailed their username and password in cleartext

"Non-government users can query the database but cannot download data from it" (???)

Re:Article translation

[cold+fjord]

"sensitive U.S. army database" is a database where users are emailed their username and password in cleartext

The term you're looking for is "Sensitive But Unclassified."

It is one of the issues mentioned in this classic: The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage

Defining ‘sensitive but unclassified' surprisingly complex

How

Does this even happen?

Don't they have consultants, etc. that collect huge sums of money to provide security against these kinds of attacks?

Also as other people have mentioned, why on earth are you able to attack the national power grid, arguably the most important bit of infrastructure in America. The US Gov should have plenty of infrastructure available to them to segregate any kind of network required for communication between plants.

Re:How

[Fjandr]

If you talk to someone who handles regulatory compliance for a major power company, the requirements are ludicrous.

For example, you must document that electronic door access panels are not running antivirus software because they don't have the capability to do so. Otherwise your company is fined. The former example is absolutely not a joke, it is an actual Federal regulatory compliance requirement. This is how US dollars are spent on critical infrastructure security.

So why don't we...

[Kaenneth]

just fix the vulnerabilities?

Re:So why don't we...

[slashmydots]

Moneeeeeeey. A $50 billion fighter jet to bomb 3rd world countries is far more beneficial than a 99.9999% secure electrical grid.

Re:So why don't we...

[cold+fjord]

Interesting guess, but nope. Can you think of anything else that might involve city and state regulatory power?

Fucking hell

[readingaccount]

Does everything these days have the security of a sheet of toilet paper? Either the Chinese are excellent hackers or we suck at security.

Re:Fucking hell

Either the Chinese are excellent hackers or we suck at security.

The software was probably written by a Chinese outsourcing firm in the first place.

Re:Fucking hell

[readingaccount]

The software was probably written by a Chinese outsourcing firm in the first place.

So we're paying the Chinese to hack... ourselves?

Sounds like smart Government spending to me!

Re:All your dam are belong to us! We now take wate

[flayzernax]

Nothing got disabled. Worst case scenario information that could be used to disable may have been garnered.

Though... for such a big bad country the U.S. is certainly taking all these intrusions in stride...

Is there a law for that

[future+assassin]

quick draft it up so the regular citizens can be blamed and punished.

Re:All your dam are belong to us! We now take wate

[Genda]

That's because if we actually made too big a stink, we'd have to deal with the dirty deeds we did in the first place to prompt such a response and the last thing we really want to do is to begin airing our dirty laundry. Grumbling under our breath about what a bunch of douches the Chinese are is about as far as we can go without having to scrape large amounts of egg off of our collective faces.

expletive

[Tablizer]

Oh Dam!

Re:Must be getting old

[pspahn]

If we really push how "uncool" it is to be a script kiddie, before long we will have hipsters calling themselves script kiddies. At that point, we can have someone to point and laugh at.

Public Information

[edibobb]

The U.S. Army Corps of Engineers doesn't keep classified information on civilian projects online, do they? Electrical distribution control systems are not accessible over the internet, are they? It looks to me like someone, whether Chinese, Lebanese, or Portuguese, got some not-so-sensitive information from the Corps of Engineers site, and the U.S. government is using it in its publicity campaign to pass laws giving the government (gasp!) more control over the internet.

Re:Public Information

[AK+Marc]

That, and I think that you could make a good bit hosting a hack-jump box. Log in and hack from China. Guaranteed zero response. No investigation, no evidence. It came from a Chinese IP, so we'll assume it is the government and not investigate any further.

Hacking the US government from China is a heck of a lot safer than doing it from the UK.

Re:Public Information

[rahvin112]

The corp doesn't do electricity. They do water. Dams, canals, dikes, etc. The information is likely sufficiency reports that include known weaknesses of the system, such as small foundation cracks in a dam that are a potential future issue that is being monitored but has not presented sufficient information to warrant repair.

Information such as that can be used to plan and execute attacks on system weaknesses. Another example would be ultimate capacity of a dam, which is the point at which an inflow would compromise the design of the spillway and result in dam failure. If you know the precise amount of inflow required to cause failure you can more precisely target with much higher success.

Many people don't realize how destructive these systems can be if unleashed. Destroying the Hoover dam would probably kill more than a million people in the subsequent flooding as much of the LA valley was washed into the ocean.

The other aspect is that much of this information will remain useful for decades to come. Inflow failure rates used in my previous example will likely remain constant as long as the dam stands. Many of these weaknesses will never be repaired because their risks will never out weigh the costs. So in theory even 50 years from now some of that information would still be valuable in an attack scenario.

Re:Public Information

[cold+fjord]

The U.S. Army Corps of Engineers doesn't keep classified information on civilian projects online, do they?

The data in the system included the number of people that would be killed if any given dam failed. Effectively it is a target list.

. . .and the U.S. government is using it in its publicity campaign to pass laws giving the government (gasp!) more control over the internet.

Its a news story, not a publicity campaign. They would rather not discuss it as it is embarrassing, if you haven't caught the drift of the articles (plural - here is a better one.)

I guess it is damned if they do, damned if they don't: Our security is weak and people complain about how stupid it is to have internet vulnerabilities of the type we have, but don't change any laws or regulations that we work under since that is controlling random uninvolved internet lusers.

Re:Public Information

[edibobb]

Everything you mentioned is publicly available information, as it should be. Census data, highway routes, and weather forecasts can also be used in attack planning. It doesn't mean we should limit access to that information to government security forces.

In some other universe...

[fox171171]

Chinese hackers have infiltrated a sensitive U.S. Army database that contains information about the vulnerabilities of thousands of dams located throughout the United States. The U.S. Army Corps of Engineers'...

...retaliated swiftly by fixing the vulnerabilities.

In our universe...

[fox171171]

Chinese hackers have infiltrated a sensitive U.S. Army database that contains information about the vulnerabilities of thousands of dams located throughout the United States. The U.S. Army Corps of Engineers'...

...got an immediate increase in budget, nothing was done to fix the vulnerabilites, and SOPA, CISPA, TPP, and a bunch of other crap got turned into law.

and somenation can take out the 3 gorges dam

[Joe_Dragon]

and some nation can take out the 3 gorges dam and make for big time flooding.

If they drop the one child policy...

[AmazingRuss]

... they're gonna need some lebensraum. Long term could be 4 generations. Look how far China has come in the last 4.

Re:All your dam are belong to us! We now take wate

[AK+Marc]

No harm was done. It's more like calling a weather balloon over your airspace an act of war. "It could be full of poisonous gas"

Do you really want to start a war over an unproven act of zero harm?

what about embedded systems / ones that only have

[Joe_Dragon]

what about embedded systems / ones that only have a few basic longin names?

Re:Been going on for at least a decade

[TigerPlish]

Oh, and another thing -- The next World War will really be fought inside the computer and the various networks. Yeah, drone bombs and bullets and real deaths -- but the real damage, I suspect, will be done by manipulating utilities and financial systems.

Wow, Sum of all Fears is starting to sound plausible. Didn't that one start with an attack on the stock exchanges? Bogus transactions, etc?

Re:what about embedded systems / ones that only ha

[AG+the+other]

They were outlawed. Not allowed on the network. Had to be upgraded and removed from the network.

Re:hiding vulernabilities from al-qaeda

[gweihir]

Al-Qaeda does not and never had the capability for a large terrorist attack in the US. September 11th was only possible due to terminal incompetence and arrogance on the side of the FBI and others. There is absolutely no point in keeping this data from them.

If there should be a terrorist organization in existence than can blow up US dams, then they do not need that database. The only thing that hiding this database accomplishes is to make sure the US population does not find out how their tax money is wastes by arrogant incompetents in power. That completely explains why this data got classified. The mess-up got so bad that even ordinary people would be able to understand it, and hence to hat to be hid.

It's Obvious - They're looking for .....

.... Megatron. Where did you think USA have been getting all their technology from?

Oblig.

[ma1wrbu5tr]

Dam Hackers!

Re:Been going on for at least a decade

[ceoyoyo]

Was that the one where the rouge Japanese pilot flew his 747 into the US capitol building? No, wait, that was a different book.

BS

[jodido]

1. There's not a single fact in the article that even points to China. The Corps of Engineers doesn't say anything about China. So where does the OP subject line come from? 2. Why would you believe a story that can't even spell "dam" right when that's what it's about?

Re:"It could be full of poisonous gas"

[AK+Marc]

Yes, and how'd that work out for us?

Re:Been going on for at least a decade

[WGFCrafty]

“I know not what weapons world war III will be fought with, but world war IV will be fought with sticks and stones." Albert Einstein

Simple solution...

[bjwest]

Take our power grid OFF THE FUCKING INTERNET! Our power grid, air traffic control system and rail control system should all be on their own SIPERNET-grade secure network. There is no way in hell you can justify any part of these systems being accessible from the friggin internet. If Joe Blow the power grid manager wants an iApp to monitor what's going on, tell him to shove his iPhone up his iDiotic ass and call someone to find out.

Re:Simple solution...

[Fjandr]

That won't happen as long as the Federal government is throwing money at power companies to implement Smart Grid.

Trang Xinh ep

[saygaicom]

Cách iu tr mn hiu qu cach tri mun

False. Insight.

[cold+fjord]

Subject line.

Re:Must be getting old

[cold+fjord]

We used to call them script kiddies. Is that term no longer cool?

Not if it is the Chinese government, no.

China military unit 'behind prolific hacking'

Simple question

[ThatsNotPudding]

Is China's intimate info on the public Internet and laughingly insecure?

Then why is the US's? I guess one could argue that's the price of a (theoretically) free and open society, but sloth and incompetence shouldn't be covered by the same ideals.

In soviet Russia

[Coren22]

In soviet Russia, dams damn you.

From the article:

In addition to causing a major disruption to the national power grid, hackers could access the systems that control a dam’s turbine generators. A computer mistakenly started one in a Russian damn in 2009, killing 75 people and destroying eight of the nine other turbines in the dam.

OMG fear, fear, control!

[DarthVain]

Seriously. Does anyone really fall for this. This is two things: 1) Justification of Control and 2) Justification of Budget.

Full stop.

Do you really think that a branch of the US military has a database that controls the operations of dams throughout the land and that "hackers" could penetrate such a system to cause havoc?

At worst some dude with a Chinese IP, was messing about stumbling around and may have accessed a system where a dam DB might be contained. Even if they got access to the system, and even if they managed to access the DB, likely all it was is an inventory of dams and likely their location and specifications for engineering purposes, for maintenance and management. So yeah perhaps if they managed to access all those things (big if, as all should be secure) then they might be able to deduce "vulnerabilities" in that they might see a damn is 60 years old and in need of repair/replacement, or access to structural diagrams that might illustrate a design flaw if it actually has one... However they should still have to physically travel to nowhere land to get access and likely do some physical things to even hope at any compromise. Thinking that the reds are accessing critical dams over the internet and will imminently be able to cause them to somehow overload, explode, fail, etc... is ridiculous.

I don't buy that for a second, other than the military needs to make excuses for its existence and budget, and these PR wars are what give the politicians the excuse to keep dumping more money into them.

How is this NOT an act of war?

[Stan92057]

How is this NOT an act of war?

"hacking"

[DQKennard]

Having skimmed through the comments about how the hack is some kind of act of war, and why is this stuff accessible anyway, and blahblahblah, I Googled "National Inventory of Dams".

Here it is: http://geo.usace.army.mil/pgis/f?p=397:12:

So, you click on it and there's choices like login or "request new username". To get one, you fill in various identifying information, including what kind of organization you're with and why you need access. I expect that responding differently to the type of organization question gets you different levels of access. I expect that the "hack" was that someone lied in answering one or more of the questions, and whoever set up the access gave the person more than appropriate access because there was insufficient credential checking for a higher level of access, or because the person just setup the account without doing some required check. It looks like there's some level of public access allowed, and there's even an available choice of "foreign government" as organization type.

I picture it as someone, possibly foreign national, possibly Chinese, who has some connection to a US University and said he needed access to engineering-level data for failure analysis. Is that a "hack"? Is that an "act of war"?

what is the vulnerability?

[DrProton]

Crowds can be so ignorant.

What is this vulnerability of a dam? Other than earthquakes, volcanoes, erosion, design errors, and tons of dynamite, I mean. I'm reading speculation about how control systems and whatnot might be exposed to nefarious internet packets from China. Dams are generally rather sturdy constructions. That's why they hold back all those cubic kilometers of water. Is the worry that floodgates will be opened and downstream havoc will result? Surely there must be interlocks in place to prevent that.

Dams can fail. According to Wikipedia, the biggest dam failure in history was in China.

I'm so scared.

[VortexCortex]

Wait. What are we scared of? Really? I mean, Let's just save the money and give them half of what we'd spend on a war.

I mean, many of the heinous acts we've "fought for our freedom" to prevent, or were scared would come true esp. in the cold-war, we're slowly instituting here in the USA. What, exactly, are we scared of? Oh no! China has Taken Us Over! The media will be beholden to the Government! The government will censor the Internet! It will be HORRIBLE! Yeah, it's worse over there in China, but that's because they've yet to build out infrastructure, and thus willfully exploit citizens for industrial and corporate gains... Not really much different than here if things keep on going the way they're going.

Really though. Say China hacks the damns and power grid... What if we just give them all the root passwords? You think they're really going to do anything with this "power"? There's a chance they could?! Yeah, right. Retaliation's a bitch. They're not going to risk it, they just like boasting that they can hack stuff. We hack all over the place too, just that everyone knows we do so it's not news, it's "intelligence" or "national security" when we do it, and no one should be scared because we're a responsible 1st world nation...

Screw it. Can we just use the level skip code and save all the time, drama and lives? Let's just get a single world wide currency and elect a global government. I don't even care who runs it, not like it'll matter anyway. Maybe then we can all build ships to explore the stars together. That's the end-game right? I mean, after whoever "wins" whatever war, or hostile take-over, merger, etc, folks rebuild from the destruction and work together under a common umbrella... right?

Pathetic humans, can't see even a century in front of their own noses, despite having the whole playbook in their written history. Anyone can see they're on the cusp of engendering their first race of machine sentience and they still haven't taken the time to avert a civil cyborg war by properly defining what a "person" is yet. I just know all this BS is because they're only children -- no other sentient races on the world to learn proper sharing and ethics with. ::sigh:: If only the Neanderthals hadn't been so damn sexy.