Slashdot Mirror


Hacking Group Linked To Chinese Army Caught Attacking Dummy Water Plant

holy_calamity writes "MIT Technology Review reports that APT1, the China-based hacking group said to steal data from U.S. companies, has been caught taking over a decoy water plant control system. The honeypot mimicked the remote access control panels and physical control system of a U.S. municipal water plant. The decoy was one of 12 set up in 8 countries around the world, which together attracted more than 70 attacks, 10 of which completely compromised the control system. China and Russia were the leading sources of the attacks. The researcher behind the study says his results provide the first clear evidence that people actively seek to exploit the many security problems of industrial systems."

214 comments

  1. Actually... by djupedal · · Score: 5, Funny

    The plant is real and the headline is a cover up/reverse sneak - because panic. But hey, if it turns out to be a honeypot, don't expect it to work twice :)

    1. Re:Actually... by plopez · · Score: 1

      Along the lines of telling the Germans "All your spies are belong to us".

      --
      putting the 'B' in LGBTQ+
    2. Re:Actually... by Anonymous Coward · · Score: 0

      Fake Chinese Army Hackers take over Dummy Water Plant, and then boogeyboogeyboogeyman. Like anyone would waste an opportunity to scare the public if there were a real attack. Do you have any idea how much you can make from a little panic, both politically and financially?

    3. Re:Actually... by icebike · · Score: 2, Insightful

      The honeypot plants may have been more real than real plants. Chances are real plants have nothing this sophisticated.

      (Some of these honeypots were designed to look like they were "located" in China, Russia, Australia, and Brazil. Did they think the attackers would be fooled by these things? Not all of those places would be running the same model of water plant.).

      Then it says:

      None of the attacks displayed a particularly high level of sophistication, says Wilhoit, but the attackers were clearly well versed in the all-too easily compromised workings of industrial control systems. Four of the attacks displayed a high level of knowledge about industrial systems, using techniques to meddle with a specific communication protocol used to control industrial hardware.

      Well which is it? Not too sophisticated, but they busted into his lame decoys easily enough.

      He was able to access data from their Wi-Fi cards to triangulate their location.

      He claims to have triangulated where the attacker was based on their wifi card. REALLY? How is that done? He knows where every wifi router in the world is, does he? Triangulate!!! All Wifi cards use three routers? Who knew! Each of which has its position known?

      Somewhere there are some people chuckling at this guy.

      --
      Sig Battery depleted. Reverting to safe mode.
    4. Re:Actually... by sumdumass · · Score: 5, Interesting

      Well which is it? Not too sophisticated, but they busted into his lame decoys easily enough.

      Forcing a door open is not the same as sophisticated lock picking. But nonetheless, the point about sophistication seems to be what they did once they got access. Most did menial tasks while 4 meddled with a specific communication protocol.

      He claims to have triangulated where the attacker was based on their wifi card. REALLY? How is that done? He knows where every wifi router in the world is, does he? Triangulate!!! All Wifi cards use three routers? Who knew! Each of which has its position known?

      I'm not sure your reading comprehension is up to speed here. The web interface that was hacked embedded an exploit framework called BeEF so the researcher could gain access to the attacker's system through the browser. What he likely did was query the networks detected by the wifi cards, then cross-referenced them against data from sites like WiGLE or perhaps something even more specific.

      This is more than enough to get a geographical location of a person and narrow it down to not only country, but city and even neighborhoods within the city.

      Oh, and the triangulation isn't on where the wifi card itself accesses a router, but with the names of the specific networks the wifi cards can see. If you see several distinctly different named networks, the odds of them being in more than one location is low, so you know it has to be a location close enough to all of them to be seen at the same time. For instance, if I see the SSIDs duck_butter, shoreline, bbangsoon, and linksys, I can find that I am near the Chicago Water Commissioner's office at Pfc Milton Olive park, near the Chicago harbor. Go ahead and look it up.

      Somewhere there are some people chuckling at this guy.

      I think that happens to all of us every once in a while. I was laughing pretty good earlier at someone too.

    5. Re:Actually... by Anonymous Coward · · Score: 0

      That last sentence was one of the best comments I've seen in a long, long time. Well done.

    6. Re:Actually... by AmiMoJo · · Score: 1

      Using a compromised machine to do your hacking is pretty basic. I imagine the wifi cards in question are in compromised machines, not the attackers.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. InSANE -- why...?!!! by Anonymous Coward · · Score: 5, Insightful

    Why are critical systems on the 'net?
    They functioned perfectly 30 years ago without the internet...

    CAPTCHA = 'yourself'

    1. Re:InSANE -- why...?!!! by Anonymous Coward · · Score: 0

      Why are critical systems on the 'net?

      I can't answer your rhetorical question, but...this is how it begins... Doesn't seem good.

      Next escalation might be to disable access and/or power in the area where "APT1" are located?

    2. Re:InSANE -- why...?!!! by Jeng · · Score: 2

      Remote access for people who don't want to be physically at the plant.

      IE: Management

      --
      Don't know something? Look it up. Still don't know? Then ask.
    3. Re:InSANE -- why...?!!! by Anonymous Coward · · Score: 0

      IE...?

      That makes it doubly worse that they're using Internet Explorer!!!!

    4. Re:InSANE -- why...?!!! by AHuxley · · Score: 3, Insightful

      Re: "Why are critical systems on the 'net?"
      So one lower cost, union free, engineer can be contracted to look over many subsystems from a great distance.
      vs having local technical staff who need paying and pensions. Local staff over time may get to know their legal rights and fight for their wages - state and federal.
      You also had heavy commercial lobby efforts to update State control systems to 'save' cash long term.
      Products using industrial "solutions" created for secure site networks were spread over vast state or regional networks via the 'internet' or 'wireless'.
      ie States trying to get rid of on site long term union staff and great sales reps moving around cities and states with networks to sell.

      --
      Domestic spying is now "Benign Information Gathering"
    5. Re:InSANE -- why...?!!! by Anonymous Coward · · Score: 4, Interesting

      Plants nowadays always have some kind of remote SCADA. The network between sites may be isolated, but somewhere along the line there is often an internet-connected computer that will also have a connection to the isolated network for client-side monitoring and control software.

      All that it takes is to hack one of these. They pretty much always exist, even if they shouldn't. Someone will connect a cable so they can browse Facebook while monitoring sites.

    6. Re:InSANE -- why...?!!! by plopez · · Score: 2

      Nah. Just send in the drones. There have to be drones.

      --
      putting the 'B' in LGBTQ+
    7. Re:InSANE -- why...?!!! by plopez · · Score: 4, Insightful

      you forgot "Based in Bangalore" in regards to the low cost engineer

      --
      putting the 'B' in LGBTQ+
    8. Re:InSANE -- why...?!!! by plopez · · Score: 2

      You don't get it dude. It's the Internet, a whole new paradigm. It's different this time. Now your workers can work from home 24/7 BYOD through a cloud enabled clustered virtual remote systems management tool.

      --
      putting the 'B' in LGBTQ+
    9. Re:InSANE -- why...?!!! by interval1066 · · Score: 4, Informative

      There are a lot of upsides to putting controls systems on the net. Not applauding it, just sayin'. I wrote a blog article about it; here 'tis.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    10. Re:InSANE -- why...?!!! by Diakoneo · · Score: 1

      Interesting read, thanks! Sorry, no mod points...

      --
      "Just as there is nothing so unreal as reality TV, there is nothing as unsocial as social media." - Alistair Dabbs
    11. Re:InSANE -- why...?!!! by Anonymous Coward · · Score: 0

      Perfect example why privatization of infrastructure is a stupid idea.

      Ron Swanson, you are WRONG!

    12. Re:InSANE -- why...?!!! by chill · · Score: 4, Funny

      I swear that last sentence was copied verbatim out of a PowerPoint slide our CIO sent around...

      --
      Learning HOW to think is more important than learning WHAT to think.
    13. Re:InSANE -- why...?!!! by postbigbang · · Score: 4, Insightful

      Yeah! Fun! Saves money!

      Here are the downsides: you're attacked at every IPv4 address about 100x a day by the bots, and much more densely if you look interesting. Without an air gap, you expose all your stuff to a bunch of hackers ranging from script-kiddies to those with power tools. None of them wants your PLC to run after they tweak a few knobs.

      Multiple authentication and encryption methods (see the https attacks 'announced' at Black Hat) are becoming child's play. All of the incredible engineering that these things have gone through hasn't had the funds needed/expended towards making them brutally difficult to crack. It's always an afterthought after the sales guy leaves.

      It's also my biggest problem with the IEEE-- lots of wonderful protocols. Security is an afterthought, rather than being built from the onset into each platform. Look at the ludicrousness of WEP and WPA1. Tell me these guys were thinking. Sure, glorious and fast, and with security as paper-thin as can be.

      --
      ---- Teach Peace. It's Cheaper Than War.
    14. Re:InSANE -- why...?!!! by lightknight · · Score: 2

      Random guess?

      TCP/IP is less expensive than developing your own network protocol. Using public data lines (the Internet) is less expensive than using your own private, leased lines. Using no encryption is less expensive than mediocre encryption, and a hell of a lot less expensive than serious encryption (you are either paying for developer time, or a library, or both).

      --
      I am John Hurt.
    15. Re:InSANE -- why...?!!! by Jeremy+Erwin · · Score: 2

      "Vent radioactive gas?" [types] Y E S.
      "Sound alertness horn?" Y E S. [it sounds in the distance]
      "Decalcify calcium ducts?" Well, give me a Y, give me a...Hey!

    16. Re:InSANE -- why...?!!! by VortexCortex · · Score: 1

      Why are critical systems on the 'net? They functioned perfectly 30 years ago without the internet...

      CAPTCHA = 'yourself'

      Because these systems were not actually functioning perfectly 30 years ago. They are systems that are a bit newer than that, hence they didn't exist 30 years ago, thus they have the capability to be connected to the 'net. Networks reduced the cost of maintenance...

      Look, just because the reasons aren't good reasons, doesn't mean they aren't reasons. I'm not disagreeing with you. You're the one asking "why?" In truth, I can't really tell you "why?" That's a religious question, and I'm a basement dweller who doesn't even believe in "sun" or "water". I can only tell you what, and how. Who knows why anyone puts dummy water plant systems on the 'net. To catch hackers? Maybe. If I had to guess it would be to further the conspiracy that "baths" exist. I'm unconvinced, these systems weren't actually connected to a "water" plant. HA, Nice try! Debunked the water myth right in the title, the only part that anyone cares about. My initial research does point to a final answer as to "why", but studies indicate I'll need to construct a massive supercomputer and let it think deeply until you've forgotten the question and mistranslated this very event sufficiently, probably erroneously labeling me a virgin, as translators are wont to do. It will need to be optical based, so I'll need a giant prism and lots of fiber optic cable, but such a taboo undertaking can only occur underground; Hence only Nasty Stinking Assholes like me can be trusted to do it. Don't worry, all of this will sound much more prophetic in 7.5 million years, everything does. Even acid trips seem like revelations given just a few thousand. Hmm, for good measure...

      Future anthropologists: Beware the sharknado! Global weirding is a bitch!

    17. Re:InSANE -- why...?!!! by Anonymous Coward · · Score: 0, Insightful

      but all this cybersecurity nonsense the government wants to impose is part of the cost of putting everything online. and if it's going to cost us our freedoms and if it's going to cost all this taxpayer money then it's not really saving us any money.

      "So one lower cost, union free, engineer can be contracted to look over many subsystems from a great distance.
      vs having local technical staff who need paying and pensions. "

      and do you really think having someone remotely monitor the system is going to reduce or eliminate the need for local staff? Is that how it ever works in reality? Or is that some fantasy land you made up? You still need local staff.

    18. Re:InSANE -- why...?!!! by evilviper · · Score: 2

      Why are critical systems on the 'net?
      They functioned perfectly 30 years ago without the internet...

      RIGHT! Having a dial-in modem on the PSTN was OH-SO-MUCH MORE SECURE!

      Has absolutely NOBODY here ever seen the movie "War Games"?

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    19. Re: InSANE -- why...?!!! by Anonymous Coward · · Score: 0

      Troll comment but think about it

      - lazy management ( think about all the people who have root access to machines that they don't need)
      - lazy server administration ( easier to share one set of credentials than it is to set up hundreds of accounts on thousands of machines)
      - remote administration, or access to machinery that is otherwise dangerous to be near ( eg nuclear, radioactivity, biohazard, crush hazard, etc)

      The real question is why these connections are not live monitored, I am not talking about having some dude sit there and stare at a screen all day, but rather, whenever a login succeeds or fails, someone who is physically in the building knows about it and can verify that the login is indeed being done when needed.

    20. Re:InSANE -- why...?!!! by RocketRabbit · · Score: 0, Insightful

      You're such a fuckin' commie with your labor union speak.

      This has nothing to do with unions, and everything to do with modernization of systems, and the Siemens company.

    21. Re:InSANE -- why...?!!! by AK+Marc · · Score: 2

      I've worked with engineers. The only other group worse is doctors. Lawyers are bad, but not as bad. Engineers think "that's not that hard" and do things like bring in a home router to work as a wireless access point because they can't be bothered to follow the IT rules for safe wireless. Turns out, they plug the "LAN" port on the router in, handing out DHCP and with the LAN address on the router 192.168.1.1 (the same as the corporate default gateway - picked long before I started working there); we also used 192.100.1.1 and 192.200.1.1 for subnets. I pointed out the stupidity of that (they aren't private addresses), and was laid off in the next round of layoffs (the guy who picked the ranges had previously been promoted to manager and had a say in the layoffs). Back to the engineers. I tracked down the MAC conflicting with the gateway, and was yelled at for keeping him from doing his job. My boss and his boss later had a talk with him, and he was more apologetic.

    22. Re:InSANE -- why...?!!! by plopez · · Score: 1

      Homer is that you?

      --
      putting the 'B' in LGBTQ+
    23. Re:InSANE -- why...?!!! by Anonymous Coward · · Score: 0

      Even 10 years ago affordable managed Layer 2 switches from HP had DHCP spoofing protection.

    24. Re:InSANE -- why...?!!! by AK+Marc · · Score: 2

      Well, this was in 2001, so 12 years ago (more than your 10). The switches all supported 802.1x (yes, it was wired security first, before wireless), but nobody would pay for it. It would have also fixed the problem. A MAC joins that doesn't authenticate? Into the sandbox for you. I proposed it, but it was declared (shortly before this) that the users could all be trusted, so I was told to unplug the ports in public areas (previously, the unsecured areas of the lobby had live ports on the network), but we'd trust our employees 100%. Shortly after this incident, there was a merger, and all resources were thrown into that. No idea if they ever did anything that would fix rogue DHCP, though that wasn't the problem. The problem was "arp spoofing" as an undesired MAC responded as 192.168.1.1, taking down a good bit of the users.
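The two comments above describe the same incident from the detection side: a home router plugged into the corporate LAN, answering DHCP and responding to ARP as 192.168.1.1. The following is an added example, not code from the thread, that flags both symptoms from a constructed stream of sniffer-style event lines; the gateway MAC, the authorised DHCP server and the line format are all assumptions made for the example.

```python
"""Flag a rogue DHCP server and an ARP conflict on the gateway address.

Input lines are constructed summaries in two formats (assumed for this
example, not the output of any real tool):
  ARP reply <ip> is-at <mac>
  DHCP offer from <server_mac> server-id <server_ip> to <client_mac>
"""
from collections import defaultdict
from dataclasses import dataclass

GATEWAY_IP = "192.168.1.1"               # the corporate default gateway in the story
GATEWAY_MAC = "00:11:22:33:44:55"        # constructed: MAC of the real gateway
AUTHORISED_DHCP = {"00:11:22:33:44:55"}  # constructed: the only permitted DHCP server


@dataclass(frozen=True)
class Alert:
    kind: str     # "arp_conflict" or "rogue_dhcp"
    mac: str      # offending MAC address
    detail: str


def parse_event(line):
    """Parse one constructed line into a dict, or return None if unrecognised."""
    f = line.split()
    if f[:2] == ["ARP", "reply"] and len(f) == 5:
        return {"type": "arp", "ip": f[2], "mac": f[4].lower()}
    if f[:3] == ["DHCP", "offer", "from"] and len(f) == 8:
        return {"type": "dhcp", "server_mac": f[3].lower(),
                "server_ip": f[5], "client_mac": f[7].lower()}
    return None


def analyse(lines):
    """Return (alerts, claimants).

    alerts: unique Alert objects, in order of first occurrence.
    claimants: ip -> set of MACs seen answering ARP for that ip, so an
    analyst can see every address with more than one claimant, not just
    the gateway.
    """
    seen = set()
    alerts = []
    claimants = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["type"] == "arp":
            claimants[ev["ip"]].add(ev["mac"])
            if ev["ip"] == GATEWAY_IP and ev["mac"] != GATEWAY_MAC:
                key = ("arp_conflict", ev["mac"])
                if key not in seen:
                    seen.add(key)
                    alerts.append(Alert(*key, f"{ev['mac']} answers ARP for gateway {GATEWAY_IP}"))
        elif ev["type"] == "dhcp" and ev["server_mac"] not in AUTHORISED_DHCP:
            key = ("rogue_dhcp", ev["server_mac"])
            if key not in seen:
                seen.add(key)
                alerts.append(Alert(*key, f"unauthorised DHCP offer from {ev['server_mac']} "
                                          f"(server-id {ev['server_ip']}) to {ev['client_mac']}"))
    return alerts, claimants


def contested_ips(claimants):
    """IPs for which more than one MAC replied to ARP, sorted for stable output."""
    return sorted(ip for ip, macs in claimants.items() if len(macs) > 1)


# Constructed sample: the real gateway, then a rogue router (c0:ff:ee:...)
# claiming the same address and handing out leases.
SAMPLE = [
    "ARP reply 192.168.1.1 is-at 00:11:22:33:44:55",
    "DHCP offer from 00:11:22:33:44:55 server-id 192.168.1.1 to aa:bb:cc:00:00:01",
    "ARP reply 192.168.1.1 is-at c0:ff:ee:12:34:56",
    "DHCP offer from c0:ff:ee:12:34:56 server-id 192.168.1.1 to aa:bb:cc:00:00:02",
    "ARP reply 192.168.1.1 is-at c0:ff:ee:12:34:56",
    "ARP reply 192.168.1.50 is-at aa:bb:cc:00:00:01",
    "not a packet summary at all",
]

if __name__ == "__main__":
    found, who = analyse(SAMPLE)
    for a in found:
        print(f"[{a.kind}] {a.detail}")
    print("contested IPs:", contested_ips(who))
```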

    25. Re:InSANE -- why...?!!! by mwvdlee · · Score: 2

      Next time you think of posting a comment like that, could you please use a quill to write it on a piece of parchment and have it delivered by horse drawn mail carriage to the slashdot offices?

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    26. Re:InSANE -- why...?!!! by Anonymous Coward · · Score: 0

      Why are critical systems on the 'net? They functioned perfectly 30 years ago without the internet...

      These aren't critical systems, these are honeypots. They have to be on the internet so that hackers can hack them. If you're saying this story about showing who is behind these attacks is pointless, because true systems shouldn't be on the internet, then that's very naive.

    27. Re:InSANE -- why...?!!! by edxwelch · · Score: 1

      Social media integration.
      What use is a water plant if you can't control it via a twitter feed? How we managed 30 years without this is beyond me.

    28. Re:InSANE -- why...?!!! by Pinky's+Brain · · Score: 1

      Give them a locked down laptop for a couple thousand dollars which can only log into the VPN for the plant and fuck all else.

    29. Re:InSANE -- why...?!!! by Pinky's+Brain · · Score: 1

      Those computers should be set up to make sirens blare the moment they get a second network connection besides the internal LAN ... it should take intentional hacking to connect these computers to the internet or to connect a non-allowed computer to the internal network (normal computers aren't designed to be quiet on a network connection). It shouldn't be as easy as pulling a sticker off a USB/network port, or connecting your normal computer with internet into the internal network.

      The problem isn't that "someone" wants to connect a cable to browse facebook ... the problem is that management wants to do it, without sirens blaring.
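The "sirens blare on a second network connection" rule from the comment above, as an added example that is not part of the thread: it parses the single-line output format of `ip -4 -o addr` (sample constructed here) and raises an alert for any address outside the plant LAN and for any second non-loopback interface at all. The allowed network 10.20.0.0/16 and the interface names are assumptions.

```python
"""Alert when a plant workstation gains a second network path.

Parses `ip -4 -o addr` style output (one interface address per line) and
applies two rules: every address must lie inside ALLOWED_NETS, and there
must be at most one non-loopback interface configured at all.
"""
import ipaddress

ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed: the internal plant LAN

# Constructed sample: eth0 on the plant LAN plus wlan0 on a phone hotspot.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.20.30.5/24 brd 10.20.30.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: wlan0    inet 192.168.43.7/24 brd 192.168.43.255 scope global dynamic wlan0\\       valid_lft 3542sec preferred_lft 3542sec
"""

# Constructed sample of the expected state: only the plant LAN interface.
CLEAN_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.20.30.5/24 brd 10.20.30.255 scope global eth0\\       valid_lft forever preferred_lft forever
"""


def parse_ip_addr(text):
    """Return [(ifname, IPv4Interface)] for every 'inet' line, skipping loopback."""
    found = []
    for line in text.splitlines():
        f = line.split()
        # ip -o prints: "<idx>: <ifname>    inet <addr/prefix> ..."
        if len(f) < 4 or f[2] != "inet":
            continue
        iface = ipaddress.ip_interface(f[3])
        if iface.ip.is_loopback:
            continue
        found.append((f[1], iface))
    return found


def check_interfaces(text, allowed=ALLOWED_NETS):
    """Return alert strings; an empty list means the host looks as expected."""
    addrs = parse_ip_addr(text)
    alerts = []
    for name, iface in addrs:
        if not any(iface.ip in net for net in allowed):
            alerts.append(f"{name}: {iface} is outside the plant LAN")
    if len(addrs) > 1:
        names = ", ".join(name for name, _ in addrs)
        alerts.append(f"second network connection present: {names}")
    return alerts


if __name__ == "__main__":
    # In production this would read the live command output on a timer and
    # page an operator; here it just prints the findings for the sample.
    for alert in check_interfaces(SAMPLE_IP_ADDR):
        print("ALERT:", alert)
```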

    30. Re:InSANE -- why...?!!! by seven+of+five · · Score: 1

      Don't bother... they're here.

    31. Re:InSANE -- why...?!!! by Anonymous Coward · · Score: 0

      So a "critical" system is internet based, uninterruptible in design, and is designed to be "low cost", but hackable, to a "Russian" mob, who can say pay us, or else...
      That's low cost? Ok, grandma is on life support, and cannot pay the ransom demand, ...that's low cost? Your child wants a drink of now unpurified water, that's low cost?
      Define low cost.

    32. Re:InSANE -- why...?!!! by Anonymous Coward · · Score: 0

      He said "from a great distance"

    33. Re:InSANE -- why...?!!! by umghhh · · Score: 2

      I always thought that the stories about managers being worthless shitbags etc are overblown. Then I learned about managers in one of the customer systems my company was maintaining. The systems were isolated from the internet originally and there was no need for them to be directly connected besides corporate VPN systems deemed secure enough for O&M staff to access the sites remotely. Now the manager of one of the sites complained about some problem with storage capacity (in modern times???) - the closer inspection of the site systems revealed that the storage capacity was properly dimensioned for the task but filled up with pr0n, and it was the site manager that was responsible. This is an anecdote of course, but as it is not the only one I know, I would imagine that this happens quite often. Which means any site with humans around urgently needs internet access and enough bandwidth to provide for a good pr0n watching experience. The design of internal IT systems must be able to cope with this of course - you cannot tell the customer that s/he should not watch pr0n at work - after all it is their time and money and they pay for maintenance, not for advice on pr0n consumption. I do not think water plants are much different. Boring places where pr0n is good for keeping spirits high, especially of people that have not much to do anyway, i.e. managers.

    34. Re:InSANE -- why...?!!! by umghhh · · Score: 1

      you forgot about another reason - watching pr0n at work!

    35. Re:InSANE -- why...?!!! by umghhh · · Score: 1

      As for the freedoms you think you 'are going to' lose. Go on and start googling for say pressure cookers, nails and backpacks - see how fast you will find yourself pushed to the ground by an anti-terror unit of the local police dept. Funny how these things work, is it not? It seems now that Snowden blew the cover away they think they can use their monitoring infrastructure without restraint.

    36. Re:InSANE -- why...?!!! by umghhh · · Score: 1

      Well that is a bit OT but maybe not. I have a masters degree in electrical engineering but I have worked with IT, programming and in QA for 20y now. I loved this job till fuckers brought their new way of work (not sure what that is called these days - do not read these memos). I never practised my electrical engineering degree but I keep the good engineering practice with me and what I see is not funny nor is it inspiring, well it does inspire fear of failure.... People with 'computer science' or equivalent education doing 'engineering' in their wicked ways have no fucking clue what the word engineering actually means, they probably do not even know that such a thing as engineering exists (albeit I have seen IEEE manuals for sw development - guess nobody reads those). They have also another problem or actually a set of them: because nobody taught them about communication, working in teams and such stuff, and because there are still big groups of autists among them (no hurt feelings here please, besides other mental problems I am an autist too but I 'learned' basics of social interaction to the point clumsy normalos drive me crazy), they are incapable of providing normal advice to the user or people that have to integrate their produce into something bigger and of different nature (cars or IA stuff etc), which in current days is often the case. Of course this goes wrong more often than it should. I am not really sure I want to indulge in the blame game but putting it all on 'engineers' is just unfair. The 'take it home and see if it works' attitude is the result of the general perception of the software and IT industry, i.e. you can do it on the cheap because the only tools you really need are a brain with eyes and hands to type shit in.

      The engineers I know (some of them working in software development too) tend to learn every day and do things that are practical, not because it is shiny, currently fashionable new shit. Of course this approach is limited by morons in management that like the new, shiny, currently fashionable shit. It is also true that there are as many brainless engineers as there are brainless computer scientists, but at least engineers had a chance to learn how to do things practically at the university and because of that they have it a bit easier than the computer science types.

      So in short what I wanted to say is this - it is not to blame computer scientists - they just repeat patterns valid in all fields of so called computer science or IT. If you blame engineers, call them idiots etc you in principle say: fuck computer science too. In fact in proper engineering, use of cow pie as a building material has actually been stopped some time ago - we tend to favor steel and concrete and other better suited stuff and only if there is no other way use cow dung but even that is done with due diligence instead of thoughtless piling of shit that the Computer Scientists are used to. Still one must admire the height software piles of shit can reach - I am shocked almost every day...

    37. Re:InSANE -- why...?!!! by Anonymous Coward · · Score: 0

      But they shouldn't be able to activate anything. All they should have is the online equivalent of status lights and gauges. (And to be honest, there's not much harm in having that information public.) Keep the operation of valves and turning pumps on/off limited to people physically in the building. If something monitored looks off, management can make a phone call and talk to a plant operator. Of course there's still some opportunity to hack, but it's limited to social engineering. However I figure that will be difficult if most people at a given facility know each other and who they're dealing with.

    38. Re:InSANE -- why...?!!! by ae1294 · · Score: 1

      No he's right. Busting unions is a greater benefit than exposing a security risk to Chinese crackers.

      One is allowing a mind-virus to establish a foothold after glorious leader Reagan exposed them for the frauds they are and the other is a minor technical issue which will be patched next Tuesday.

      It's interesting, isn't it, that there exists people who actually think like this.

      No not really... they don't drink tap water... that's for common folk and animals... Have you ever heard about...fluorination of water? Do you know what that does to a man??? Do you know where it comes from?

    39. Re:InSANE -- why...?!!! by AK+Marc · · Score: 1

      People with 'computer science' or equivalent education doing 'engineering' in their wicked ways have no fucking clue what the word engineering actually means,

      "computer science" when I was at Texas A&M was an Electrical Engineering degree, bestowed by the Electrical Engineering department, and taught by Electrical Engineering faculty.

      The difference is engineering (the real kind, I've done some work where the "engineer" was worse than the computer science you complain about), is about failure. Most people care whether something works. Engineers care whether something fails, and how. Trying to get someone to answer the "when you exceed operational guidelines by 10%, what does it do?" question in the real world is really hard.

      we tend to favor steel and concrete and other better suited stuff and only if there is no other way use cow dung but even that is done with due diligence instead of thoughtless piling of shit that the Computer Scientists are used to.

      Like the engineer that gave me plans to increase the load capability of my deck by adding more cross supports. If I'd done that, the deck would have collapsed because the weak point was where it was joined to the house (something that actually happened not far from us to someone who used their deck without inspecting the support, incorrectly assuming it was built strong enough to be usable). Of course, I ignored the engineer and built with concrete and steel, rather than adding the recommended wood that would have actually weakened the structure (by adding weight at places other than the weak point). The problem is I have an official engineering report with an official recommendation I didn't follow. So if I sell the house, or if a car runs into my house or there's a major earthquake that breaks the house, I may have some trouble because I ignored the engineer because he was wrong. And no, for a minor house update, costing $1500 in work, I don't feel like spending $10,000 on engineers until I get one that's competent. They are damned expensive because they are too tightly regulated. I already spent more than the fix on the engineer.

      But, when lives are not on the line, "due diligence" is overkill. "Best practices" is the proper standard. You don't need to be perfect, just as good as everyone else. It's much cheaper, and the same result most of the time.

    40. Re:InSANE -- why...?!!! by Anonymous Coward · · Score: 0

      Two reasons. One is leased lines cost a *hell* of a lot more, on both an absolute and a per-bit basis - when that was all there was, they were used and they were a lot safer. Second is the C-suite jerks who always want to see what the plant that makes money is doing, while their feet are on the desk or they're playing golf, and they insist that IT hook them up. Being cost-conscious, IT often as not (and perhaps incompetence gets in here somewhere) gives them full access, rather than read-only. In fact, in some protocols, read-only might not be workable, because you have to be able to "write" to ask for the data.

    41. Re:InSANE -- why...?!!! by Nethead · · Score: 1

      I'm working IT in aerospace now. Not a day goes by that I don't mutter to myself, "and these guys build airplanes."

      --
      -- I have a private email server in my basement.
    42. Re:InSANE -- why...?!!! by Anonymous Coward · · Score: 0

      The same reason people use a remote. ;)

    43. Re:InSANE -- why...?!!! by AK+Marc · · Score: 1

      Do they fight over every little thing? My sister dated an aerospace engineer, his favorite saying was "yes, I am a rocket scientist" or "yes, it is rocket science". He wasn't that smart, but he spent years studying fluid dynamics, so thought he was smarter than everyone else.

    44. Re:InSANE -- why...?!!! by Nethead · · Score: 1

      Yes, for the most part. And these guys just do cabin reconfigurations.

      "I lost all my mapped drives and AutoCAD says my license is bad!"

      "Yes, that's what happens when you connect the wifi to the Lowe's next door."

      --
      -- I have a private email server in my basement.
    45. Re:InSANE -- why...?!!! by DirtyLiar · · Score: 1

      you cannot tell customer that s/he should not watch pr0n at work - after all it is their time and money and pay for maintenance not for advice on pr0n consumption.

      Well, of course you CAN. The wisdom of such a course may be pretty low though.

      But what you SHOULD do depends on your relationship with the ACTUAL customer: HIS employer.

      1) It's never wrong, in these sorts of situations to tell the person himself:
      ---- " I know what the problem is, and I can fix it immediately if you like. I bet you didn't realize that there are a large number of non work-related image / music / video files on your computer that are taking up so much room that your computer has trouble finding the free-space in which to run. If you like I can delete them for you right now, and your problem will go away. Immediately. " If he says OK, delete the files then defrag the machine. (But they won't say yes. They all know about the porn and want to keep it.)
      - Another solution would be to recommend that he move the files to a personal USB drive. If he doesn't know how to do that tell him that if he buys a thumb-drive large enough to fit the files, you will help him move them.
- If he does not want to spend the money on a thumb drive, many corporations allow each department an IT, or even an office supplies allowance. If his has not been used yet, he can oftentimes have the company buy him a thumb drive. (In my experience, engineers can be the cheapest people on earth.)
      - Whatever you do, a non-threatening, non-confrontational, and helpful attitude is safest for you. Be sure to document the situation, what you did, what you said, and what he told you. Maybe even get him to sign something stating that he's refused to allow you to fix the problem by removing the non-work related files taking up the space on his computer. But not right away, give him an opportunity to "save face" and clean it up himself. If you feel that you need to CYA though, have him sign something. Don't warn him that you'll do this, or he may refuse, or develop a tactic to turn it back around on you. Besides, people will do foolish things (and it would be foolish of him to sign it) when not given time to think about the repercussions of their actions. Just couch it like this: "Ok. I just need you to sign here stating that you have declined to allow me to fix the problem". And have a print-out ready for him to sign and date, with an empty line to specify the solution to the problem, where you can write in something like "delete 100Gb of non work-related files". That might not be exactly non-threatening, and non-confrontational, but it will prevent him from going over your head to say you've refused to fix the problem. Never say, "You know, you could get fired just for having all that porn on your computer." At best that sets YOU up as his enemy, and for revenge later on down the road. At worst it's insubordination and will get YOU terminated. Remember, just like a Police Officer is going to believe another Police Officer over you, a manager is going to believe another manager over you, if only to keep the peace between the two. What you need in both cases is evidence, ready at hand. (Oh, never turn over your original documents though. Just to CYA.)

2) If you are both employees of the same company:
      ---- Tell YOUR supervisor. Yes, managers can be real d***s, and many seem to think that their position in the company means that they can punish others for doing their jobs when that job entails reminding them that they too are subject to the rules. But if anybody who matters is going to be on your side, that's most likely to be your supervisor. Besides, messages like these are often better received when they come from a business equal or superior. And your boss can always take it to his boss. I would not recommend going around your boss to the manager's boss, not at first anyway. That sort of thing often makes YOU look like the insubordinate bad-guy, and often managers will pull

      --

      THINK! It's patriotic

    46. Re:InSANE -- why...?!!! by CHIT2ME · · Score: 1

Sounds to me like the repubs want to put the nation's critical infrastructure at risk to save a few bucks so that their rich butt buddies won't have to pay higher taxes.

      --
      My karma is bad. Don't get too close!!!
    47. Re:InSANE -- why...?!!! by AaronW · · Score: 1

      In my local city the water company has sites all over the place. Many of the sites are small and spread out and it saves a lot of time and effort if things can be done remotely. Many of these sites are too small to have someone man them all the time.

      --
      This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
    48. Re:InSANE -- why...?!!! by DirtyLiar · · Score: 1

      Why are critical systems on the 'net?
      They functioned perfectly 30 years ago without the internet...

      First, your question is not rhetorical. It's a legitimate question. Those who say it's not seem to think that being boss means always being right, never needing to be told "NO". There are companies that work like that, but they are all doomed to fail if the boss can't ever be wrong. Power only grants a person power. Not wisdom, or vision, or intelligence. The powerful may surround themselves with Yes Men, but that doesn't make their ideas any better, wiser, or informed.

      The answer to your question is "Because stupid, greedy, lazy, ignorant, and intellectually short-sighted people want to work from home, on vacation, or from the Food Court at the mall."

Yes. Critical Systems being on the internet IS NEVER A PROBLEM. Anywhere. Until someone high up in the company MAKES it a problem by INSISTING that those systems be made accessible from the internet. It is NOT a REAL problem. It does NOT have to exist. It is not an unhappy customer, or a broken machine. It's not caused by wear and tare, nor absence of sheen. (sorry dr suess) It's an artificial problem that was created by someone in power insisting on the impossible. No system created by man is, or can be, perfect. And destruction is ALWAYS easier than creation. Meaning that no matter how smart s/he is, anything a wo/man can build, another wo/man can destroy. So any security system built by one can be defeated by another. It's a fact of life. Hell, it's a fact of the universe.

      (After this point, my "You"s are all pointed at generic management, or maybe specific management, but not you personally.)

      Hell, it wouldn't even BE a problem if they wouldn't demand the ability to OPERATE things from online. A webcam of some meters, and access to a telephone, VOIP, email, or even some SMS text messages to some actual people, would allow manage(rs)/(ment) to keep in touch with what's going on at work, and make any changes needed via a real person. And don't you whine about security. YOU wanted to put the whole operation on the 'net. But no, it's my solution that's the problem. " That's too many people, I got to cut down staff, otherwise we won't be able to make more money than we did last year, and THAT means that I get a smaller bonus than I could have. And I gotta do it from deep inside my easy chair, or poolside, at some tiny Guatemalan Internet cafe, or God knows where else, whether I've forgotten my phone, or tablet, or computer or not. Because money, don'tchaknow, is more important than my employees and the lives of the population that WILL be put at risk WHEN (not if) security is broken, and the whole thing goes down. " (No water, No Power, another Chernobyl, or even a breached dam drowning hundreds of thousands because we couldn't send the excess water from a heavy rain through the overflow.)

      A webcam, no matter how hacked, CANNOT make changes to systems, as long as the computer that it is hooked to or part of is not connected to any internal network. That is what caused the only known instance of a computer virus successfully infecting computers in a NUCLEAR POWER PLANT in North America. Some ID10T plugged his personal laptop into the network (a security violation in itself) then dialed up the internet (A MASSIVE SECURITY VIOLATION). A virus from the internet infected said idiot's computer, from which it reached out to infect the other computer systems on the network. Luckily for us all, the other computers were not running a Windows OS, but a system specifically designed to run on this specific hardware designed for work ONLY in THIS nuclear power plant, so the virus went nowhere after being introduced to the system. And why were there no other Windows computers running in the nuclear power plant? Because it was old. Designed and built before Windows was a thing.

      Let me ask. Do you want YOUR personal safety left up to the chance that your local utilities are running on outdated computer sy

      --

      THINK! It's patriotic

    49. Re:InSANE -- why...?!!! by Anonymous Coward · · Score: 0

      If they're using 192.168.1.1 they're going to land on the configuration page of my internet box. Just saying...Stupid engineers..

    50. Re:InSANE -- why...?!!! by Gen_Music · · Score: 1

Because that wouldn't impress management's management. They want shiny remote controls so they can tell their bosses that the plant can be adapted 24/7 at the touch of a button. Makes their egos swell.

    51. Re:InSANE -- why...?!!! by kaatochacha · · Score: 1

      It's odd, my father was an aerospace engineer dealing in hydraulics and fluid dynamics, and he was forever saying how little they knew.

  3. Maybe... by Anonymous Coward · · Score: 0

    They should stop hooking these systems up to the fucking Internet.

    1. Re:Maybe... by Anonymous Coward · · Score: 0

      They should stop hooking these systems up to the fucking Internet.

Ok. You're volunteering to pay higher taxes to employ on-site unionized IT personnel at each site instead of outsourcing management to a remote randomer in Bangladesh. Noted.

      But how do you sell it to the masses?

    2. Re:Maybe... by Anonymous Coward · · Score: 0

      By telling them if they don't, evil Chinese hackers will stop their water, gas and power.

    3. Re:Maybe... by sumdumass · · Score: 1, Interesting

Let's explore this concept a bit.

Let's say that each unionized employee that would be on site cost the utility $150,000 a year and you need 3 of them at each site to achieve disconnection from the internet. That's only $450K a year per site and let's say it covers 20 sites per company or utility type (let's examine Columbus Ohio which charges a sewage fee based on water usage so the 20 sites would cover both aspects). That's about $900 million a year. A big amount, or is it? This is taxes, benefits and all connected with the employment of the people.

      Columbus, in their 2012 consumer confidence report (under the power and water reports section) claimed they provide 51 billion gallons of water to 1.1 million people per year. Of course this is all measured in cubic feet x 100 (100 cubic feet) when billing (noted by ccf). 1 ccf of water is equal to 748 gallons of water according to their site. So if we divide the 51 billion gallons by 748, we should get the ccf being billed. What we now have is 68,181,818 ccf or we could shorten that to about 68.1 million ccf. Now, to reach that $900 million/ year, it would take a rate increase of $13.50 per ccf which brings in $920,454,543 extra.

According to Columbus' website, the high side of the charges currently is $1.56 per ccf for water (this is without sewage fees added). The example they give for a non-industrial user shows about 16 ccf per month. This is an increase in a bill for this amount of usage of $216.00 per month or $2,592 per year over what they pay now.

      Someone please check my math for errors as it's been a while. I went into this thinking it would only be a couple cents per unit increase and was surprised at how much extra it actually would be.

    4. Re:Maybe... by Anonymous Coward · · Score: 0

      By telling them if they don't, evil Chinese hackers will stop their water, gas and power.

      No they won't. We're way out here in Bumfuk, Minnebraska in between a forest and a corn field, so nobody in China cares about us. We know they only want to attack New York City.

    5. Re:Maybe... by Anonymous Coward · · Score: 1

      450K*20 != 900M, it's only 9M! Your rate increase would be $0.135/ccf, on the order of 10%. Given the sewer and other charges, that's more like a 4% increase on the bill. Not the end of the world.

  4. The real problem by Anonymous Coward · · Score: 0

    So... the dummy systems that are sufficiently realistic in mimicking real systems to fool enemy hackers have been thoroughly breached a total of ten times?

    That's not good.

  5. Next Steps by FarField12 · · Score: 5, Funny

    Spoof the interface to make the attackers believe they are attacking a foreign industrial plant.
In reality, they are attacking the utility plant located down the street based on WiFi location.
The main purpose of the honeypot system is to obfuscate the true location of the target (the attackers' own infrastructure).
    Then watch hilarity ensue.
    Defense systems would be great. You could get countries to nuke themselves using their own cyber ops team.


    1. Re:Next Steps by kesuki · · Score: 1

      "Defense systems would be great. You could get countries to nuke themselves using their own cyber ops team."
Most nuke plants are water cooled; turning off a water plant would cause the nuke plants that depend on that cooling water to melt their cores if not safely shut down. So yeah, there are nuclear concerns, and even a coal or nat gas plant also requires cooling, and most are not near much water, as they tend to push them out of sight of normal people. So this is pretty serious stuff.

    2. Re: Next Steps by rickb928 · · Score: 1

      There may be a nuclear plant that relies on a public water system for cooling water, but I bet not. Most are located near reliable water sources such as rivers, oceans, you know...

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    3. Re: Next Steps by Anonymous Coward · · Score: 0

      Like this one! https://www.google.com/maps/preview#!q=fukushima+reactor&data=!1m4!1m3!1d528330!2d141.025798!3d37.315169!4m10!1m9!4m8!1m3!1d262450!2d140.4004537!3d37.8004935!3m2!1i1745!2i999!4f13.1

Unfortunately, it was not located near a large body of electricity as well.

    4. Re:Next Steps by GodfatherofSoul · · Score: 1

      I guarantee those evil socialist Chinese don't allow plants to be networked like ours are.

      --
      I swear to God...I swear to God! That is NOT how you treat your human!
    5. Re: Next Steps by AK+Marc · · Score: 1

      The problem was it was *too* near a large body of water.

    6. Re:Next Steps by plover · · Score: 1

      H@xx0n> Hey, look, I've hacked into the City of Endersgame! Watch me pwn their electric generator!

      H@xx0n has left the channel.

      --
      John
    7. Re:Next Steps by Anonymous Coward · · Score: 0

      Actually, they are, more and more.

  6. Bull by WGFCrafty · · Score: 5, Insightful

    "The researcher behind the study says his results provide the first clear evidence that people actively seek to exploit the many security problems of industrial systems."

Uhhhhhh Stuxnet was an exploit of Siemens' industrial control systems which regulated the RPMs of centrifuges....

    1. Re:Bull by Anonymous Coward · · Score: 0

Uhhhhhh Stuxnet was an exploit of Siemens' industrial control systems which regulated the RPMs of centrifuges....

      I guess Americans and Israelis aren't people. Kidding! Please don't rendition me!

    2. Re:Bull by CriminalNerd · · Score: 4, Insightful

      His point was that industry systems in the US (and outside of Iran) are also prone to attack, and that it's not just some security paranoia that the site manager could just brush off so he can get to the admin controls via Remote Desktop.

  7. Lets see ... by PPH · · Score: 1

    ... how many people file insurance claims for water damage to their homes when the fictitious pumps were commanded to full power.

    --
    Have gnu, will travel.
    1. Re:Lets see ... by slick7 · · Score: 2

      ... how many people file insurance claims for water damage to their homes when the fictitious pumps were commanded to full power.

      How many people have been damaged by the acts of out of control politicians who answer to anyone that has the price to pay? When do the voters get their chance to be heard?

      --
      The mind conceives, the body achieves, the spirit manifests.
    2. Re:Lets see ... by Jedi+Alec · · Score: 1

      How many people have been damaged by the acts of out of control politicians who answer to anyone that has the price to pay? When do the voters get their chance to be heard?

      Once every election cycle. Unfortunately the vast majority doesn't have a clue.

      --

      People replying to my sig annoy me. That's why I change it all the time.
    3. Re:Lets see ... by Anonymous Coward · · Score: 0

      Likely none. Most systems are designed by somebody smart enough to do things like putting regulation and relief valves downstream in the system. Most places also have water towers as a buffer too, so if the plant itself goes offline for a short while, there's no loss of mains pressure. (And these are in place because some issues in a utility plant operation couldn't be dealt with instantaneously - at least before automation. Might take a guy 5 minutes to close a valve after an alarm goes off on the status board, etc. Such systems may seem redundant with automation, but aren't bad to have as cheap insurance.)

However if somebody does something like setting a pump to full power while that pump has its feed intake shut off, that's likely going to be pretty expensive in terms of replacing that pump and dealing with any downtime. That's the thing that can cause real problems if inadequate safeties are in remote control software or can be hacked around.

  8. He attacked the attackers by Anonymous Coward · · Score: 1

    Wilhoit used a tool called the Browser Exploitation Framework, or BeEF, to gain access to his attackers' systems and get precise data on their location. He was able to access data from their Wi-Fi cards to triangulate their location.

    While I personally think that's awesome, how is that legal?

    1. Re:He attacked the attackers by Anonymous Coward · · Score: 0

      While I personally think that's awesome, how is that legal?

First, it's cyber self-defense. Second, they were in a foreign country so no local laws apply and the foreign country isn't going to request extradition of someone who fooled their best hackers. In fact, their l33t boys are probably breaking rocks at a fine government establishment by now.

  9. Why are critical systems on the 'net? by ridgecritter · · Score: 4, Insightful

    In part, perhaps because 30 years ago the advantages of/needs for large scale efficiency and coordination weren't so great as today? Isolated systems may have higher operations costs and may not efficiently integrate into big systems, but they tend to have few or no remote attack vulnerabilities. Bottom line: economics favor connected systems, and anything on the net can be pwned.

    1. Re:Why are critical systems on the 'net? by werewolf1031 · · Score: 1

      It's understandable that those systems need to be connected to each other, but in that case they should have their own, completely isolated network to do so, preferably one that is utterly incapable of connecting to the Internet at large. The current setup is just begging for disaster, which is a 'when', not an 'if'.

      Exposing these systems on the Internet is just lunacy.

    2. Re:Why are critical systems on the 'net? by Ol+Olsoc · · Score: 4, Funny

      It's understandable that those systems need to be connected to each other, but in that case they should have their own, completely isolated network to do so, preferably one that is utterly incapable of connecting to the Internet at large.

      But DUDE!, If we did this, we'd like, have to connect all those power grids with, like - wires! Where we gonna get that?

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    3. Re:Why are critical systems on the 'net? by jon3k · · Score: 3, Insightful

      Which is why MPLS exists and we build private WANs. The REAL answer here is because Pointy-Haired-Boss wants to be able to login from home,

    4. Re:Why are critical systems on the 'net? by AK+Marc · · Score: 3, Insightful

      MPLS exists to economically sell VLANs over shared networks. You put your security in the hands of a 3rd party. Just hope they built a good network.

      The PHB is often not a manager, but a clueless engineer who spends $10,000,000 to build a SCADA network air-gapped from the IT's LAN, then sets up a computer on the LAN and SCADA with remote login enabled, and AAA managed by local user accounts on an XP system. Then, when a problem happens, goes to the COO and complains that IT is not letting him do his job.

      Don't laugh, I've seen it multiple times. Every time with oil drillers, one of which owned the Deepwater Horizon, the others in Alaska.

    5. Re:Why are critical systems on the 'net? by rtb61 · · Score: 1, Insightful

More sensibly under law, all remote control systems for essential infrastructure should be banned unless they can be guaranteed (as in you 'WILL' go to prison) secure. Can't secure it to that level, then don't do it because you do not have the right to privatise the minimal gain profits whilst socialising the huge cost of failure (including lives lost).

Quite simply this provides only two things. First, honey pots are really good at attracting and focusing attention and should be inserted on all high security systems, to draw attacks and allow investigatory follow up. Second, it is a really bad idea to put high-risk-to-life infrastructure under remote control across the internet; if you do, you should pay the full criminal penalty for when your security is broken.

      --
      Chaos - everything, everywhere, everywhen
    6. Re:Why are critical systems on the 'net? by plover · · Score: 4, Insightful

      So you would have the city leasing expensive lines between plants? I've not met too many people who complained their taxes and water rates were too low, and that they wanted the same service with more security and were willing to pay extra for it. I do, however, see a constant parade of talking heads on TV who bitch incessantly about how high taxes are, how they'll cut taxes when they get in office, or that government budgets should be cut by 10%. Well, their budgets were cut and so the cities cut their corners, and saved whatever money they could, and now their water system is in the hands of hackers. They got exactly what the taxpayers told them they were willing to pay for. We have the exact systems we deserve.

Could they and should they beef up their security? Of course. But does each water system owner even know if they have a problem? These guys are civil engineers in sleepy little towns, not security wonks. They probably didn't install the ICS themselves, they probably contracted all that out, and among the site survey forms they filled out was "choose your system password (minimum 6 characters)" and trusted the vendor to provide the rest of the security (back in 1993 when they installed it.) They might not even know they can change it, or how to change it, or that they need to do something different. Even if they did, the first rule of ICS configuration is "DON'T TOUCH IT!" So don't expect them to get all excited about the chance to make a change.

      They would likely learn a lot more about these problems at their state's annual public works conference, if their city can afford to send them this year, and if their state can afford to hold one.

      --
      John
    7. Re:Why are critical systems on the 'net? by evilviper · · Score: 1

      Which is why MPLS exists and we build private WANs.

      Sorry, but your MPLS WAN is far LESS SECURE than a proper IPSec tunnel over the internet, while being vastly more expensive.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    8. Re:Why are critical systems on the 'net? by Pinky's+Brain · · Score: 1

      Yep, the solution is that simple ... make them criminally liable and make shit roll uphill (ie. go after management). First suit behind bars is the first time they get serious about security.

    9. Re:Why are critical systems on the 'net? by Anonymous Coward · · Score: 0

      I am sure that fixing the SCADA system at the water plant is the first thing they will do with more tax revenue. You can be serious?

    10. Re:Why are critical systems on the 'net? by jon3k · · Score: 1

First of all, you assume I'm not using IPSec. And I get a little thing called QoS which lets me deliver voice and video.

    11. Re:Why are critical systems on the 'net? by jon3k · · Score: 1

Yes and no. I'm not using wide-area L2. I'm using standard RFC2547 BGP/MPLS. And why does everyone assume you can't run IPSec over private point to multipoint WANs? It's just IP and BGP as far as I (the customer) am concerned. I peer with the PE via BGP and the routes come out on the other end.

      But to your second point, absolutely agree.

    12. Re:Why are critical systems on the 'net? by evilviper · · Score: 1

      you assume I'm not using IPSec

      Yes, because if you are, then the high cost of MPLS is quite pointless for you. The end-points being on an MPLS network are harder to reach by the public, but you could pretty well accomplish the same thing with a good firewall dropping communications to/from your IPSec endpoint from every IP other than the single intended source/destination IP address. You could harden it to an extreme degree with a bridging/transparent firewall.

And I get a little thing called QoS which lets me deliver voice and video.

      Voice and video travel over the internet quite well.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
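One concrete form of the host-firewall approach evilviper describes above (drop everything to and from the IPsec endpoint except the single intended peer), as an added example that is not from any poster on this page: a small POSIX shell script that generates an nftables ruleset pinning IKE (UDP 500/4500) and ESP to one peer, plus an offline sanity check. The peer address 203.0.113.10 is a constructed documentation-range value, and the IPv4-only rules are an assumption.

```shell
#!/bin/sh
# Added example: emit an nftables ruleset that restricts an IPsec endpoint to a
# single peer. IKE/NAT-T (UDP 500, 4500) and ESP are accepted only to/from that
# peer; every other flow in either direction is dropped by chain policy.
# Assumes an IPv4 peer; the address used below is a constructed placeholder.
# Note: "flush ruleset" replaces the host's entire firewall, so review before
# loading with:  gen_ipsec_ruleset 203.0.113.10 | nft -c -f -   (syntax check)

gen_ipsec_ruleset() {
    peer="$1"
    cat <<EOF
flush ruleset
table inet ipsec_edge {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # IKE and NAT-T keepalives only from the intended peer
        ip saddr $peer udp dport { 500, 4500 } accept
        # ESP only from the intended peer
        ip saddr $peer ip protocol esp accept
        # anything else (management UIs, control-panel ports) hits the drop policy
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        ip daddr $peer udp dport { 500, 4500 } accept
        ip daddr $peer ip protocol esp accept
    }
    chain forward {
        # an IPsec endpoint should not route for anyone
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# Offline check of a ruleset read from stdin (no root or nft needed):
# succeeds only if all three chains default to drop and the peer is the only
# IPv4 literal referenced, so a stray "accept" for another host is caught.
check_ruleset() {
    peer="$1"
    rules=$(cat)
    drops=$(printf '%s\n' "$rules" | grep -c 'policy drop;')
    [ "$drops" -eq 3 ] || return 1
    if printf '%s\n' "$rules" \
        | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
        | grep -vx "$peer" | grep -q .; then
        return 1
    fi
    return 0
}
```

Running `gen_ipsec_ruleset 203.0.113.10 | check_ruleset 203.0.113.10` exits 0; appending any rule that names a second address makes the check fail.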
    13. Re:Why are critical systems on the 'net? by jon3k · · Score: 1

      You have no idea what you're talking about. Plain and simple. MPLS provides end to end SLA and packet prioritization. This allows me to classify voice/video over other traffic by setting DSCP values. That's how voice still works instead of being stomped on by other traffic. You cannot deliver voice over the Internet with any type of delivery guarantee. That's why private IP networks like frame relay and MPLS exist.

    14. Re:Why are critical systems on the 'net? by evilviper · · Score: 1

      You cannot deliver voice over the Internet with any type of delivery guarantee

No, but you don't NEED a "guarantee". A great many people use VoIP successfully over the internet every day. There are extremely few companies where the quality of the calls is ultra-critical. A 911 emergency response center would be one, but even for high profile business activities, a rare packet delay or drop will barely be noticeable, and won't have any effects on business operations.

      That's how voice still works instead of being stomped on by other traffic.

      Having QoS on the routers, firewalls, or whatever endpoint at BOTH ends, will also allow you to prioritize voice traffic, and throttle all others.

Long gone are the days of congested backbones. The congestion is in the "last mile", and you can control that with QoS queue prioritization and throttling at both of your endpoints.

      MPLS is a terribly expensive choice if all you need it for is allowing you to avoid doing proper QoS on your own network.

      There are some (few) good reasons to do MPLS, like multi-site failover using the same IP space. But QoS for non-critical workloads like VoIP certainly isn't one of the worthwhile ones.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
15. Re:Why are critical systems on the 'net? by jon3k · · Score: 1

      I don't know if you're a troll or ignorant, but I always follow this rule of thumb: never attribute to malice what you can attribute to ignorance, so I'll assume the latter.

      Having QoS on the routers, firewalls, or whatever endpoint at BOTH ends, will also allow you to prioritize voice traffic, and throttle all others.

Long gone are the days of congested backbones. The congestion is in the "last mile", and you can control that with QoS queue prioritization and throttling at both of your endpoints.

      MPLS is a terribly expensive choice if all you need it for is allowing you to avoid doing proper QoS on your own network.

      I want to touch on this in particular, because I think you're confused. It's not about QoS on MY network, it's about all the intermediary devices respecting the QoS values that I set on traffic, and that traffic is delivered to CPE with the correct priority. What you do at the edge of your network, towards the Internet, has absolutely ZERO impact on how it's eventually delivered on the other end. MPLS provides guaranteed END-TO-END QoS. The fact that you can write a route-map and slap a DSCP value on a packet as it leaves your router out onto the Internet does absolutely NOTHING to guarantee delivery. NOTHING. That's why we call the Internet "Best Effort".

      And if you think VoIP is non-critical, well, you're just completely fucking retarded. If you think someone picking up their phone and making a phone call is LESS important than how quickly a print job finishes, I can't help you. You're just clueless.

      You don't seem to understand the concept of packet queues or jitter, so I'm going to assume that's why you seem to confuse the impact of both bandwidth and latency on the delivery of voice traffic. You cannot, I repeat, cannot, deliver voice to an enterprise over the Internet with any level of reliability. I'm not getting paid to explain this, so I'll leave it as an exercise to the reader to understand why. I think I've given you enough hints to do your own research. I have spent a decade designing, implementing and maintaining large scale enterprise WANs and very large voice deployments (many thousands of endpoints, every conceivable form of gateways and trunks - mgcp, h.323, sip, pri, fxs, etc etc etc). I assure you, you have NO IDEA how to implement a functioning enterprise voice system. But don't take my word for it, try to roll out a few thousand SIP endpoints and run it over the Internet and let me know how that goes for you.

    16. Re:Why are critical systems on the 'net? by AK+Marc · · Score: 1

      And why does everyone assume you can't run IPSec over private point to multipoint WANs?

      Because the Internet is cheaper and more reliable. Sensible people run a dynamic multipoint VPN over the Internet if they are going to run full end-to-end encryption. So the only sensible assumption is that someone paying for a "private" circuit is not running encryption (aside from the US government, who leases dedicated circuits, and then encrypts everything over it).

    17. Re:Why are critical systems on the 'net? by jon3k · · Score: 1

And why does everyone assume that all traffic can be delivered over the Internet? A bunch of armchair network engineers on slashdot, I swear to god. Let me know when you deliver voice to a few THOUSAND registered voice endpoints over DMVPN on the Internet and tell me how it goes for you.

    18. Re:Why are critical systems on the 'net? by evilviper · · Score: 1

      I don't know if you're a troll or ignorant, but I always follow this rule of thumb: never attribute to malice what you can attribute to ignorance, so I'll assume the latter.

      Actually, the problem is YOUR ignorance, here, so you're still failing to understand what I'm explaining to you.

      The fact that you can write a route-map and slap a DSCP value on a packet as it leaves your router out onto the Internet does absolutely NOTHING to guarantee delivery

I never said anything about DSCP. "Tagging" a packet isn't QoS, it's just telling the devices further down the line how you want them to do the QoS. By just tagging it and pushing it out, you're simply leaving it to your ISP's routers to do the actual QoS, and let them put your VoIP packets higher in their buffers/queues (rather than prioritizing them higher in YOUR buffers/queues and throttling other traffic).

      The congestion is never on the backbone. The bottleneck is always the slow ISP link to the endpoints (eg. your OC-3 or whatever). That's why managing the queuing of your packets in and out of your network is sufficient, and will give you very good performance even with low-latency applications.

      And if you think VoIP is non-critical, well, you're just completely fucking retarded

      VoIP has been designed to handle a reasonable amount of packet loss. An occasional bit of jitter or packet loss will not ruin your conversation.

      MPLS provides guaranteed END-TO-END QoS.

That's an SLA contract issue, NOT a technical one. When your ISP's routers are overloaded and your MPLS has trouble, you'll get a tiny amount of money back from them, while you won't get the same payout because of similar trouble with your internet connection. Nothing about MPLS guarantees that a router will never be oversubscribed, it just says your ISP will try, just slightly harder, to deliver your packet first, in the event of congestion.

      I have spent a decade designing, implementing and maintaining large scale enterprise WANs and very large voice deployments (many thousands of endpoints, every conceivable form of gateways and trunks - mgcp, h.323, sip, pri, fxs, etc etc etc). I assure you, you have NO IDEA how to implement a functioning enterprise voice system.

      Fun. But I happen to have been in the game well over a decade, so your CV doesn't impress me. The fact that you don't seem to understand how QoS actually works suggests a superficial knowledge of the subject, and an unfortunate deference to expensive "magic" services provided by others.

      If you're in an environment where the folks at the top are happy to waste obscene amounts of money on unnecessary services, you may manage well enough. But you really make yourself less valuable that way, and may make yourself look stupid if you ever move up to a position where your colleagues aren't as ignorant, and look at you funny when you insist that what they've been doing for years, "...won't work without buying the magic tiger-repelling rock!"

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    19. Re:Why are critical systems on the 'net? by jon3k · · Score: 1

      That's a SLA contract issue, NOT a technical one.

      I'm talking about RTT latency guarantees. My provider guarantees a CONUS 65ms RTT. I'm not talking about outage response time. I realize you have clearly never worked with leased circuits so this is totally lost on you. I'm sure you're learning a lot today.

      VoIP has been designed to handle a reasonable amount of packet loss. An occasional bit of jitter or packet loss will not ruin your conversation.

      VoIP is delivered via RTP, a UDP protocol. A packet lost is an interruption in voice. You cannot redeliver it, because it would arrive out of order. The fact that you think "an occasional bit of jitter or packet loss will not ruin your conversation" shows me everything I need to know about your level of both experience and technical expertise.

You have CLEARLY never built or run a network carrying a significant amount of voice services. You also don't understand the concept that you can only QoS outbound traffic, and that inbound traffic can't be prioritized towards your edge device resulting in - gasp! - jitter/loss. This is why QoS doesn't work on the Internet. And your bizarre theory that there isn't congestion or queueing delays on the Internet is just shockingly ignorant. I'm really done here, you are speaking from a place of ignorance -- you clearly have no experience in this arena and you have a LOT to learn.

    20. Re:Why are critical systems on the 'net? by evilviper · · Score: 1

      ignorance + arrogance = idiocy

      Factually inaccurate statements make me doubt your story about deploying VoIP on a large scale. UDP makes no difference, and your incorrect assertion that VoIP has ZERO forward error correction is something I wouldn't even expect from an entry level CCNA.

      And for the record, you most certainly can throttle incoming connections, it's just not as finely controllable and beneficial as outgoing QoS, which is more common. But I made it clear the first time around I was talking about controlling both ends of the connection.

For that matter, I think I was extremely clear that I was talking about latency guarantees by the rest of my statement you didn't quote... They are empty promises of service you'd be getting anyways, and only worth the price of the penalties your ISP has agreed to pay. It's not at all unusual for companies to offer ridiculously impossible SLAs, knowing it'll bring in more business, and paying the penalties is cheaper than actually maintaining that level of service.

      Anyhow, be gone with you, Mr Jr Network admin for whatever unfortunate company.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    21. Re:Why are critical systems on the 'net? by AK+Marc · · Score: 1

      I've never seen anything that can't be delivered over the Internet. IPX/SPX tunneled over GRE works fine.

      Let me know when you deliver voice to a few THOUSAND registered voice endpoints over DMVPN on the Internet and tell me how it goes for you.

      The largest DMVPN network is 20+ THOUSAND nodes. And if you are encrypting everything over MPLS, you have as many encrypted endpoints as the DMVPN solution. What are you using for your thousands of encrypted endpoints in your MPLS network?

    22. Re:Why are critical systems on the 'net? by jon3k · · Score: 1

      Factually inaccurate statements make me doubt your story about deploying VoIP on a large scale. UDP makes no difference, and your incorrect assertion that VoIP has ZERO forward error correction is something I wouldn't even expect from an entry level CCNA.

      Will not solve the problems associated with running large VoIP deployments on the public Internet. Period. You have clearly never done this, you're just guessing because you used Skype once. You don't seem to understand how sensitive voice traffic is, so I'd suggest you do a little reading.

      And for the record, you most certainly can throttle incoming connections, it's just not as finely controllable and beneficial as outgoing QoS, which is more common. But I made it clear the first time around I was talking about controlling both ends of the connection.

      Not on the Internet. Let me explain this in a concrete example so you understand why you can't run QoS on the Internet.

      1. User A starts a VoIP call over your Internet connection. For some reason you QoS outbound VoIP traffic (even though it's "non-critical" - your words)
      2. User B starts to download a large file
      3. As traffic leaves your router, towards the Internet, the VoIP traffic is given priority in the output queue.
      4. Now, the traffic starts coming back. Your provider's router now starts sending the traffic BACK to you. He has no outbound QoS policy to prioritize the RTP stream in his output queue. The large file traffic now completely stomps on the VoIP traffic, causing packet loss and delivery delays.

      If QoS worked on the Internet, we'd all mark our traffic with the highest priority AND THEN QOS WOULDN'T WORK ON THE INTERNET. Use your brain.

      For that matter, I think I was extremely clear that I was talking about latency guarantees by the rest of my statement you didn't quote... They are empty promises of service you'd be getting anyways, and only worth the price of the penalties your ISP has agreed to pay. It's not at all unusual for companies of offer ridiculously impossible SLAs, knowing it'll bring in more business, and paying the penalties is cheaper than actually maintaining that level of service.

      We monitor and alert on our RTT in our NMS. I've had half a dozen LSPs re-engineered over the MPLS core and I've had loops reprovisioned to make sure they were meeting their SLA. Once again, you're speaking far beyond your level of experience.

      Let's go over how completely wrong you are again:
      1) Doesn't understand RTT SLA
      2) Doesn't understand the need for inbound QoS
      3) Thinks QoS works on the Internet
      4) Thinks an interruption in voice service is acceptable
      5) Thinks voice is a "non-critical" service.

      Anyhow, be gone with you, Mr Jr Network admin for whatever unfortunate company.

      You are, a fucking dipshit. Bye.
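
      The four-step scenario in this post, modelled as a constructed simulation added here (not code from any poster): one VoIP stream and one bulk download share a single link, once behind a strict-priority queue that favours VoIP (the edge router you control) and once behind a plain FIFO tail-drop buffer (the upstream router with no policy). Link rate, packet sizes, buffer size and the download's offered load are assumptions chosen for illustration, not figures from the thread.

```python
"""Constructed discrete-event model of a VoIP flow sharing a bottleneck with
a bulk transfer under two queueing disciplines.  Every parameter below is an
assumption for the example, not a value taken from the discussion."""
import statistics

LINK_BPS = 10_000_000      # assumed access-link rate, bits per second
VOIP_PKT = 200             # bytes: 160 B of G.711 audio + 40 B RTP/UDP/IP headers
VOIP_INTERVAL = 0.020      # seconds between VoIP packets (20 ms packetisation)
BULK_PKT = 1500            # bytes, a full-size Ethernet payload
BULK_START = 0.5           # the download begins 0.5 s into the call
QUEUE_LIMIT = 50           # packets a buffer holds before tail-dropping
DURATION = 2.0             # seconds of simulated time


def voip_arrivals():
    """(time, flow, size) tuples for one G.711 stream over the whole run."""
    n = round(DURATION / VOIP_INTERVAL)
    return [(i * VOIP_INTERVAL, "voip", VOIP_PKT) for i in range(n)]


def bulk_arrivals(load=1.2):
    """A constant-rate sender offering `load` times the link capacity."""
    interval = BULK_PKT * 8 / (LINK_BPS * load)
    n = int((DURATION - BULK_START) / interval)
    return [(BULK_START + i * interval, "bulk", BULK_PKT) for i in range(n)]


def simulate(discipline, bulk_load=1.2):
    """Serve both flows through one link; return VoIP delay and drop statistics.

    discipline: "fifo"     - one shared tail-drop buffer, oldest packet first
                "priority" - per-class buffers, VoIP always sent before bulk
    """
    arrivals = sorted(voip_arrivals() + bulk_arrivals(bulk_load))
    waiting = []          # queued packets, kept in arrival order
    link_free_at = 0.0    # time at which the link finishes its current packet
    delays, drops = [], 0

    def buffer_full(flow):
        if discipline == "fifo":       # every flow competes for one buffer
            return len(waiting) >= QUEUE_LIMIT
        # strict priority: each class has its own buffer of QUEUE_LIMIT packets
        return sum(1 for p in waiting if p[1] == flow) >= QUEUE_LIMIT

    def drain(until):
        """Transmit queued packets whose start time is no later than `until`."""
        nonlocal link_free_at
        while waiting and link_free_at <= until:
            now = max(link_free_at, waiting[0][0])
            # only packets that have actually arrived by `now` can be chosen
            eligible = [i for i, p in enumerate(waiting) if p[0] <= now]
            idx = eligible[0]                      # FIFO: the oldest packet
            if discipline == "priority":           # VoIP jumps the queue
                idx = next((i for i in eligible if waiting[i][1] == "voip"), idx)
            t_arr, flow, size = waiting.pop(idx)
            link_free_at = now + size * 8 / LINK_BPS   # serialisation time
            if flow == "voip":
                delays.append(now - t_arr)             # queueing delay

    for pkt in arrivals:
        drain(pkt[0])                 # let the link work up to this arrival
        if buffer_full(pkt[1]):       # tail drop
            if pkt[1] == "voip":
                drops += 1
            continue
        waiting.append(pkt)
    drain(float("inf"))               # flush whatever is left

    return {
        "discipline": discipline,
        "voip_delivered": len(delays),
        "voip_drops": drops,
        "max_delay_ms": 1000 * max(delays),
        # spread of queueing delay, the component of jitter the queue adds
        "jitter_ms": 1000 * statistics.pstdev(delays),
    }


if __name__ == "__main__":
    for d in ("priority", "fifo"):
        print(simulate(d))
```

      With these parameters the priority queue keeps every VoIP packet under one bulk-packet serialisation time, while the FIFO buffer fills once the download starts and VoIP packets both wait behind tens of bulk packets and get tail-dropped.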

    23. Re:Why are critical systems on the 'net? by jon3k · · Score: 1

      I've never seen anything that can't be delivered over the Internet

      Now you have.

      What are you using for your thousands of encrypted endpoints in your MPLS network?

      GET VPN on ISR G2 at branches. Voice endpoints behind those.

    24. Re:Why are critical systems on the 'net? by AK+Marc · · Score: 1

      The Real-time Transport Protocol (RTP) defines a standardized packet format for delivering audio and video over IP networks

      Your link proves you wrong. Perhaps you meant to include "with some arbitrary SLA I assign", but without such caveats, I will not add them for you.

      GET VPN on ISR G2 at branches.

      GET VPN *is* a dynamic multipoint VPN (And GET VPN and DMVPN are often combined, in practice). Both work fine over the Internet (and in fact, were both designed to do so). Note, I didn't say DMVPN, until addressing your comments on it. I spelled it out in lower case, including all dynamic multipoint VPNs, not just Cisco's proprietary DMVPN (tm).

      As a security expert, I always keep my eyes open for the next thing, or a better way, but you sound like a little guy who is personally invested in some solution, and arguing dumb shit like "IP doesn't work over the Internet" (a required deduction of your assertion that "RTP can't be delivered over the Internet").

      I only wrote this one so that anyone reading your worthless drivel could recognize it for the wrongness it is, as others might not be as well versed in multi-site encryption.

    25. Re:Why are critical systems on the 'net? by jon3k · · Score: 1

      Ok, you're missing the point here so I'll spell it out: you cannot reliably deliver voice service over the public Internet in an enterprise environment. MPLS provides guaranteed RTT and QoS, end-to-end. I don't sell anything. I run a medium-large enterprise IP WAN and deliver voice service to several thousand SCCP endpoints (along with mgcp/h.323 gateways, many thousands of VG analog ports, etc). You cannot reliably provide the same service over the public Internet with DMVPN.

    26. Re: Why are critical systems on the 'net? by BitZtream · · Score: 1

      Then you are the most inexperienced of computer users.

      You really mean to say you've never experienced lag? That alone is why VoIP sucks ass in every single instance I've ever seen.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    27. Re:Why are critical systems on the 'net? by jon3k · · Score: 1

      OH, a "security expert". Gotcha. You really aren't qualified to have a discussion on the delivery of voice service to a large, geographically distributed IP WAN with me. Twas nice talking to you.

    28. Re:Why are critical systems on the 'net? by AK+Marc · · Score: 1

      I've done all that. You are wrong on every point. A "VoIP" expert has installed Asterisk once on a home PC and (optional) uses it as an answering machine. Funny how you are wrong on all points, provably so (using quotes from your own cites that directly contradict you), and declare me unqualified so you can stop discussing the facts (not that you ever started) because you know you are 100% wrong and look like a fool.

    29. Re:Why are critical systems on the 'net? by jon3k · · Score: 1

      Haha, suuuuure. I can tell by the fact that you don't know the difference between MPLS and VPLS that you're quite the expert on WAN design.

    30. Re:Why are critical systems on the 'net? by AK+Marc · · Score: 1

      For various definitions of "public Internet". Back before VoIP was a big thing, I did what you claim is hard. You want to know what worked great? Using the "public Internet" when all nodes are on the same carrier (presuming you did the research to verify the traffic between the nodes won't leave the network, as happens with AT&T today for a variety of routes). US to SE Asia with voice quality that exceeds the older private network at under 10% of the cost. Did that 10+ years ago. Yawn. Wake me when you are trying to solve something I didn't already solve in an "impossible" way 10 years ago.

      If you are using MPLS for global VoIP, I'd assume AT&T. The last time I looked, they were the only ones claiming that coverage. Having used their network before for similar things, it sucked. The public Internet was better (except for Egypt and Vietnam where the public Internet was regulated enough that it was nearly illegal, and private lines with government taps were required). When MPLS is so bad, and touted as so much better than the Internet, people get an improperly low opinion of the Internet.

      That and your work must suck something fierce when you say "it's impossible to carry RDP over the Internet" when you mean "RDP works fine over the Internet, but not to my arbitrary and unstated SLAs." When what you say is the opposite of what you mean, your communication skills suck, and since VoIP is a communication skill, we'll assume that sucks as bad.

    31. Re:Why are critical systems on the 'net? by jon3k · · Score: 1

      You cannot deliver VoIP (RTP) to a geographically dispersed WAN over the Internet at scale. I've done it, you haven't.

      MPLS exists to economically sell VLANs over shared networks.

      Read this carefully: You. Have. No. Idea. What. You. Are. Talking. About.

      Bye.

    32. Re: Why are critical systems on the 'net? by AK+Marc · · Score: 1

      Lag doesn't break the connection. VoIP sucks because VoIP "experts" (like jon3k) are idiots. Lag is irrelevant. I've had calls over double-satellite-hop, and it was unpleasant, but "worked". (and I've done VoIP over satellite double-hop as well, no worse than double-hop PSTN/MPLS) Jitter is worse. Most "experts" don't know the difference, or get so used to dumbing it down for PHBs it makes them dumber.

    33. Re:Why are critical systems on the 'net? by AK+Marc · · Score: 1

      Ok, you're missing the point here so I'll spell it out: you cannot reliably deliver voice service over the public Internet in an enterprise environment

      So you were lying when you said "The Internet can't carry RTP". Glad you cleared that up, but that doesn't make you right on any particular point.

    34. Re:Why are critical systems on the 'net? by AK+Marc · · Score: 1

      You cannot deliver VoIP (RTP) to a geographically dispersed WAN over the Internet at scale. I've done it, you haven't.

      It can't be done, but you've done it? And you've done it, but know for a fact I can't and haven't?

      You aren't even bothering to remain consistent within the same sentence.

      Read this carefully: You. Have. No. Idea. What. You. Are. Talking. About.

      Yeah, I'm a top technical guy working on one of the largest MPLS networks on the planet, and *I'm* the one that doesn't know what it is...

      You are wrong on every point, but getting so emotionally attached to your superiority that you've lost it. Some frothing-at-the-mouth cave dweller mad because someone somewhere might be better at what he does than he is. Yes, good bye is probably the best choice for you, you are in over your head at your job, and here.

      I mourn for your users.

    35. Re:Why are critical systems on the 'net? by jon3k · · Score: 1

      No you fucking idiot, I'm saying you cannot deploy VoIP on the public Internet. Fuck you're dim. Of course you can literally SEND rtp traffic over the Internet, it's just UDP datagrams. What I'm saying is IN PRACTICE YOU CANNOT DO IT AND HAVE A FUNCTIONING VOICE PLATFORM.

    36. Re:Why are critical systems on the 'net? by jon3k · · Score: 1

      One of us is advocating deploying VoIP on the public Internet. The other is advocating deploying VoIP over a secure MPLS network. One of us knows what the fuck he's talking about. The other one doesn't. I'll let you guess which is which.

      I mourn for your users.

      Well, considering my network provides end-to-end delivery guarantees and you use the best-effort Internet, I think mine will be far better off. Oh right, you don't actually build networks. You're a "Security Expert".

    37. Re:Why are critical systems on the 'net? by AK+Marc · · Score: 1

      VPLS exists because MPLS was used for VLAN transport almost exclusively until VPLS, and still, to this day, does the same. Go ahead, prove me wrong. Tell us how your MPLS network couldn't work if unshared on dedicated L2 switches using VLANs. I've yet to see something that didn't essentially distill down to that. The "bonus" is that bandwidth efficiency is better on MPLS and uptime is better because STP sucks. Yes, they are technically different, but I've never seen anything that indicated that MPLS couldn't have the description I gave it. VPLS is a service that literally sells VLANs over MPLS, which implies that MPLS does so, if not natively, then easily. You are the one that doesn't know how VPLS relates to MPLS.

    38. Re:Why are critical systems on the 'net? by jon3k · · Score: 1

      You are so catastrophically wrong I don't even know where to begin, but I'll give it a shot. Quite simply, MPLS wasn't created specifically to transport L2 traffic. It was a replacement for frame relay. That's basically it. Wide area Layer 2 was just a feature. You seem to think that MPLS was designed to carry Ethernet. It wasn't. That's why we have EoMPLS. It's not native to the protocol, we encapsulate ethernet and transport it over an MPLS core.

    39. Re:Why are critical systems on the 'net? by jon3k · · Score: 1

      Go ahead, prove me wrong.

      Oh shoot, almost forgot.

    40. Re:Why are critical systems on the 'net? by evilviper · · Score: 1

      You don't seem to understand how sensitive voice traffic is, so I'd suggest you do a little reading.

      You said: "A packet lost is an interruption in voice."
      Your link says: "Some degree of packet loss won't be noticeable"

      i.e. You're not a VoIP engineer.

      The large file traffic now completely stomps on the VoIP traffic, causing packet loss and delivery delays.

      Except it doesn't, because none of the internet protocols are one-way broadcasts. Controlling the ACKs sent out directly controls the speed of incoming traffic. NO network admin responsible for a network larger than 10 people would make stupid ignorant mistakes like this. Weighted fair queuing is CCNA-level, bare-bones network admin basics. A network won't even be USABLE for two people at the same time if proper queuing isn't enabled.

      i.e. You're not even a network engineer.

      If QoS worked on the Internet, we'd all mark our traffic with the highest priority AND THEN QOS WOULDNT WORK ON THE INTERNET.

      This isn't even a coherent thought. Replace "internet" with "MPLS" and it would still work just fine.

      Tagging isn't QoS. You don't NEED QoS "on the internet" as the backbone is fast. You need QoS on the bottleneck, which is always your uplink, and your network admin (which you are not) controls the queues and hence QoS on those.

      2) Doesn't understand the need for inbound QoS

      You've made it clear you don't even understand what QoS or queuing IS or DOES. Having my knowledge insulted by you is practically a compliment at this point.

      Your comments in this thread are one of the best examples I've ever seen of the old adage:

      "It is better to keep your mouth closed and let people think you are a fool, than to open it and remove all doubt."

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    41. Re:Why are critical systems on the 'net? by evilviper · · Score: 1

      Some frothing-at-the-mouth cave dweller mad because someone somewhere might be better at what he does than he is. Yes, good bye is probably the best choice for you, you are in over your head at your job, and here.

      I don't think so. With all the factually incorrect comments jon3k has made in a tangential thread, I don't believe he has any VoIP knowledge, but worse, I don't see that he has more than entry-level knowledge of networking at all (incorrect statements on queuing and whatnot).

      http://slashdot.org/comments.pl?sid=4046997&cid=44472765

      My guess is he is either some new college graduate who has a lot of time to read about this stuff but has never played with any of it. Or some Junior Network Admin who does mindless grunt work on someone else's large corporate network, but doesn't actually engineer or really understand any of it. Then again, it could be some combination of the two.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    42. Re:Why are critical systems on the 'net? by jon3k · · Score: 1

      You said: "A packet lost is an interruption in voice." Your link says: "Some degree of packet loss won't be noticeable"

      You forgot the whole quote:

      Packet loss causes interrupts. Some degree of packet loss won't be noticeable, but lots of packet loss will make sound lousy.

      So let's try again. I said: A packet lost is an interruption in voice.
      The link says: Packet loss causes interrupts.

      Sure, you might get lucky with sub 1% packet loss during breaks in speech.

      Except it doesn't, because none of the internet protocols are one-way broadcasts. Controlling the ACKs sent out directly controls the speed of incoming traffic.

      Yes, tell me all about the ACKs used during the transmission of UDP RTP stream (spoiler: there is no such thing as a UDP ACK, it's a TCP function). Your ignorance continues to astound. Let's pretend for a second that UDP actually sent ACKs and you could rate limit the inbound VoIP traffic. Now you've introduced delay, causing jitter. Out of order packets are of course dropped, because that would produce garbled voice. Put simply: "How are you today" becomes "How you today are".

      Great plan.

      This isn't even a coherent thought. Replace "internet" with "MPLS" and it would still work just fine.

      Just because you don't understand it doesn't mean it doesn't make sense. QoS tagging isn't respected on the Internet, because everyone would just set THEIR traffic to the highest priority. Once all traffic is set to the highest priority, there's no way to differentiate and all traffic ends up in the same output queue.

      You need QoS on the bottleneck, which is always your uplink, and your network admin (which you are not) controls the queues and hence QoS on those.

      This is just ignorant drivel. This braindead concept you have that the only point of saturation is OUTBOUND traffic leaving your edge device is just ignorance. Ever wonder why most consumer broadband connections are asymmetric? Because there's more traffic received than sent.

      That you cannot control the output queue on your ISP's router is just lost on you. Look, if you don't believe me, try it. Take your router, tag your VoIP traffic and then download a Linux ISO via bittorrent. Watch what happens.

      You've made it clear you don't even understand what QoS or queuing IS or DOES.

      Yes, clearly. Look it's painfully obvious you have no idea what you're talking about with regards to delivering voice, and even basic networking concepts are completely lost on you. It's becoming painfully awkward to even respond to you, I feel like I'm scolding a child.

    43. Re:Why are critical systems on the 'net? by jon3k · · Score: 1

      Here, don't believe me, believe SANS. Seriously, you can yell and argue but you clearly have a lot to learn and that's a decent overview to get you started.

      In IP telephony packet loss is unacceptable. The performance of an IP call will suffer greatly if packet loss occurs. The quality of the conversation will lag if packet loss reaches more than 5%

      From experience, 5% packet loss would make for a completely unacceptable level of quality. At least relative to the level of service I provide.

      Delays in voice traffic create gaps in the transmission that may be heard by the receiver, resulting in unhappy customers. QOS technology features concrete priority service to voice traffic to establish predictable delivery. Usually small in size, transmission of voice packets range from 80 to 256 bytes. Unless QOS techniques are used such voice packets can be delayed between larger data packets. QOS techniques used are packet fragmentation and interleaving. One of the crucial technical issues with QOS is that in order to be effective it must be supported end-to end. For VoIP to be of functional quality the network should essentially have a bare minimum data rate and bounded delay variation.

      If QoS mechanisms are supported on only portions of the network there are no guarantees that the traffic will get the handling end-to-end that is necessary to achieve success.

    44. Re:Why are critical systems on the 'net? by evilviper · · Score: 1

      So let's try again. I said: A packet lost is an interruption in voice.
      The link says: Packet loss causes interrupts.

      No, you're just misquoting them. They're saying *significant* packet loss will be a problem. You said *any* packet loss will be audible. Their statement is true, if simplistic. Your statement is completely incorrect, and no amount of back-pedalling will change it.

      tell me all about the ACKs used during the transmission of UDP RTP stream

      You're suggesting that someone will "download a large file" using RTP? (those are precisely your words)

      everyone would just set THEIR traffic to the highest priority.

      You've still utterly failed to explain why this same thing supposedly can't happen on MPLS.

      you cannot control the output queue on your ISPs router

      Indirectly, you can. Throttling, queuing, prioritizing ACKs, RED, etc. If you handle queuing properly, you'll prevent your ISP's router queue from filling, and therefore eliminate delays and bursts. Any entry-level network engineer should know that extremely well.

      Take your router, tag your VoIP traffic and then download a Linux ISO via bittorrent. Watch what happens.

      The fact that you don't know how to do it doesn't make it impossible, or even difficult for a beginner to do. Go look up a few Cisco papers on fair queuing before further demonstrating your ignorance. This is stuff you'll need to know before you can hope to get a job in the field, so it'll be time well-spent.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    45. Re:Why are critical systems on the 'net? by AK+Marc · · Score: 1

      Yes, tell me all about the ACKs used during the transmission of UDP RTP stream (spoiler: there is no such thing as a UDP ACK, it's a TCP function).

      You stated that file transfers would break voice. With aggressive WRED, you can transfer files without impacting voice. As your other link stated, a few lost packets will not break voice, but a few lost TCP packets will greatly slow down TCP. If you could spell IP, you'd know that. Aggressive WRED and no QoS will result in "acceptable" voice performance, and limit TCP traffic (which is why it's not relied upon, the impact on TCP, not the impact on UDP).

    46. Re:Why are critical systems on the 'net? by AK+Marc · · Score: 1

      Here, don't believe me, believe SANs [sans.org].

      You bash "security experts" then quote them. Oh, and your paper is 10 years old, and doesn't support your position.

    47. Re:Why are critical systems on the 'net? by AK+Marc · · Score: 1

      And he's also the kind that's never wrong. No matter how much you prove him wrong, you just didn't understand his particular issue.

      Like a teen girl who thinks nobody has ever loved anyone else the way she loves her boyfriend. Yet loves Twilight because it captures her angst so well, her and 300,000,000 other teen girls with unique feelings exactly the same as each other.

      Glad it's not just me. Some people aren't educable.

    48. Re:Why are critical systems on the 'net? by AK+Marc · · Score: 1

      No, I actually do build networks, ones more than 10 times the size you talk about running. But you'll think anything I say you don't like is a lie, and anything you do like, you'll quote endlessly. For someone who quotes SANS (a security organization), it seems silly that you are so anti-security.

    49. Re:Why are critical systems on the 'net? by Anonymous Coward · · Score: 0

      AK Marc is right. You don't know what you're talking about. I also did it 10 years ago.

    50. Re:Why are critical systems on the 'net? by AK+Marc · · Score: 1

      You should say what you mean, not lie to try to make others look bad and reveal your idiocy.

    51. Re:Why are critical systems on the 'net? by AK+Marc · · Score: 1

      I didn't "advocate" anything. One of us can read (and knows networking) the other is you.

    52. Re:Why are critical systems on the 'net? by AK+Marc · · Score: 1

      Quite simply, MPLS wasn't created specifically to transport L2 traffic. It was a replacement for frame relay. That's basically it. Wide area Layer 2 was just a feature.

      Have you ever used frame relay? I'll give you a hint. You'd configure a subinterface (VLAN-tagged network), and frame relay would transport that VLAN. The replacement of frame relay did the same thing. It's a private network service, and a VLAN is a private network.

      You seem to think that MPLS was designed to carry Ethernet. It wasn't. That's why we have EoMPLS [ietf.org]. It's not native to the protocol, we encapsulate ethernet and transports it over an MPLS core.

      No, it carries Ethernet just fine. EoMPLS is to tunnel Ethernet, not participate in it. If you participate, then you don't need EoMPLS. EoMPLS is where you need to support 802.1 standards across a WAN (L2CP and such).

      It's only idiots like you that think that MPLS is somehow natively incompatible with Ethernet that it needs the extra-cost services to do what it does natively without issue. Even your tiny little ISR G2 routers will do MPLS or VRF-lite in an MPLS manner, with Ethernet LAN and Ethernet WAN. How does it separate VRFs? VLANs. Just like I said, and the exact opposite of what you said. Like always.

    53. Re:Why are critical systems on the 'net? by AK+Marc · · Score: 1

      Once again, your link proves me right and you wrong.

    54. Re:Why are critical systems on the 'net? by jon3k · · Score: 1

      TCP windowing, using ACKs, is designed to transfer as much data as possible. Client A has no concept that Client B is sending voice traffic. Client A will cause disruptions to voice traffic when downloading large files. This isn't a theory. You seem to think there's some coherency between data streams from different hosts passing through a router, they have no idea about one another.

      Look, don't believe me - try it yourself. Set up an RTP stream between two endpoints over the Internet, enable whatever features you want (e.g. QoS), and then download a Linux ISO via bittorrent.

    55. Re:Why are critical systems on the 'net? by jon3k · · Score: 1

      1) Calling SANS "security experts" is incredibly myopic. Their stated goal is security but they work with lots of ACTUAL experts, in lots of fields.
      2) Good news: all of it is still relevant, but feel free to point out anything I quoted that isn't. Turns out protocols don't change a whole lot.
      3) Yes it does. (eg "In IP telephony packet loss is unacceptable. ")

      Here's the bottom line: I've seen people use broadband for voice backup during leased circuit outages -- it's horrible. I always use analog POTS and SRST. Voice on the Internet can be done, it works some of the time and when it fails you just kind of shrug and go "oh well, nothing we can do". Look, talk to a voice engineer, talk to someone (other than me) who's deployed large networks and voice installations. But don't call the guy running Asterisk using some random SIP trunking service, I'm talking about real legitimate installations delivering consistent, real service.

    56. Re:Why are critical systems on the 'net? by jon3k · · Score: 1

      Good argument.

      I'll give this one more shot. Most MPLS networks are implemented using pure IP/BGP implementations, not L2 VPNs. The _VAST_ majority. Putting VPNs on MPLS is something we came up with later. Usually how it works is, the CE peers with the PE via [e]BGP. Then from the PE to the LSR and switched across the MPLS core. I say switched and not routed because it's using label switching. Notice how none of this is Layer 2? There's a /30 between me and the PE, and I peer via BGP on a circuit (typically) running PPP (although I've had quite a few circuits delivered via metro-e as well). This is far and away the most common implementation. Again, don't believe me, call up any MPLS provider (I can give you some suggestions if you'd like) and ask them.

    57. Re:Why are critical systems on the 'net? by AK+Marc · · Score: 1

      Have you ever seen any MPLS provider that requires unique addressing? If so, which one?

      If not, then that demonstrates network separation. That is often called a VPN (by the MPLS providers), but it is identical to a separate VLAN. It's network separation. You can't broadcast across or route to them (without explicit links built between them), same as a VLAN.

      I work for the largest MPLS provider in my country, and am directly involved with the MPLS network. I know I know more than you on MPLS, especially since you are essentially requesting I consult with myself. No, I'm not the guy that builds the configs on our P-nodes. I'm the guy that tells the network config guys what to do.

      You pay someone else to run your network for you, and assert that makes you an expert on the network you are buying. Apparently I'm an expert cobbler, since I bought shoes this weekend.

    58. Re:Why are critical systems on the 'net? by AK+Marc · · Score: 1

      Here's the bottom line: I've seen people use broadband for voice backup during leased circuit outages -- it's horrible.

      You are confusing "consumer grade, mass market broadband" with "dedicated data center-grade" Internet.

      Learn the difference and get back to us.

      Look, talk to a voice engineer, talk to someone (other than me) who's deployed large networks and voice installations.

      You don't get it. I've done it. More than you. And you are wrong. There are commercial providers running multinational VoIP over the Internet (look at the thousands of calling card providers, almost all buy a toll-free number in a country, and lots of VoIP between a bunch of countries for delivering the calls, almost all of it over the Internet for the lower cost).

      Most of the VoIP in deployment is over the "Internet". That you don't know what the Internet is doesn't change the facts.

    59. Re:Why are critical systems on the 'net? by AK+Marc · · Score: 1

      I don't believe you. I set up an RTP between two points and started an FTP. Voice was flawless.

    60. Re:Why are critical systems on the 'net? by evilviper · · Score: 1

      You seem to think there's some coherency between data streams from different hosts passing through a router, they have no idea about one another.

      No he never said anything of the sort. The "coherency" comes from the buffer/queue of the "router" that is getting both streams.

      The router can choose to drop packets from the large file download until the speed falls, while NOT dropping any packets from the RTP stream. That's real QoS / fair queuing... The kind of thing any entry level network engineer knows about, but yet you still believe is mythical or magical. Anybody who has ever set up even a single router almost certainly knows about fair queuing, so apparently, you have not.

      No matter how many times you loudly repeat your denials, your ignorance / incompetence of networking will not change these facts.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
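
      The disagreement in this thread (comment 54's claim that a bulk download necessarily disrupts voice, against the reply above that the router's queue can protect the RTP stream) can be settled with a small simulation. This is an added example, not code from either poster: it models one link carrying a voice flow that sends one packet per tick and a bulk flow that offers more than the link can carry, first through a single flow-blind tail-drop FIFO and then through strict priority queueing with a queue per flow. The traffic parameters (LINK_RATE, QUEUE_LEN, BULK_BURST) are constructed assumptions, not measurements.

```python
import random
from collections import deque

# Constructed traffic model (an assumption, not measurements from the thread):
# the voice flow offers one packet per tick (one RTP frame), the bulk TCP
# download offers BULK_BURST packets per tick, and the link forwards
# LINK_RATE packets per tick with buffer space for QUEUE_LEN packets.
LINK_RATE = 10
QUEUE_LEN = 20
BULK_BURST = 15


def _arrivals(tick, rng):
    """Packets arriving during one tick, in random order.

    A packet is a (flow, tick_sent) tuple; the shuffle models the two
    flows' packets interleaving on the wire rather than voice always
    arriving first."""
    pkts = [("voice", tick)] + [("bulk", tick)] * BULK_BURST
    rng.shuffle(pkts)
    return pkts


def simulate(scheduler, ticks=200, seed=1):
    """Run the link for `ticks` ticks under "fifo" or "priority" scheduling
    and return per-flow loss fractions and worst-case queueing delay."""
    rng = random.Random(seed)
    sent = {"voice": 0, "bulk": 0}
    delivered = {"voice": 0, "bulk": 0}
    dropped = {"voice": 0, "bulk": 0}
    max_delay = {"voice": 0, "bulk": 0}

    def forward(pkt, now):
        flow, t_sent = pkt
        delivered[flow] += 1
        max_delay[flow] = max(max_delay[flow], now - t_sent)

    if scheduler == "fifo":
        queue = deque()                       # one shared buffer
        for now in range(ticks):
            for pkt in _arrivals(now, rng):
                sent[pkt[0]] += 1
                if len(queue) < QUEUE_LEN:
                    queue.append(pkt)
                else:
                    dropped[pkt[0]] += 1      # tail drop, blind to the flow
            for _ in range(min(LINK_RATE, len(queue))):
                forward(queue.popleft(), now)
    elif scheduler == "priority":
        queues = {"voice": deque(), "bulk": deque()}   # one buffer per flow
        for now in range(ticks):
            for pkt in _arrivals(now, rng):
                sent[pkt[0]] += 1
                if len(queues[pkt[0]]) < QUEUE_LEN:
                    queues[pkt[0]].append(pkt)
                else:
                    dropped[pkt[0]] += 1      # only the offending flow's queue overflows
            budget = LINK_RATE
            for flow in ("voice", "bulk"):    # strict priority: voice served first
                while budget and queues[flow]:
                    forward(queues[flow].popleft(), now)
                    budget -= 1
    else:
        raise ValueError(f"unknown scheduler: {scheduler}")

    return {
        "voice_loss": dropped["voice"] / sent["voice"],
        "bulk_loss": dropped["bulk"] / sent["bulk"],
        "voice_max_delay": max_delay["voice"],
        "bulk_max_delay": max_delay["bulk"],
    }


if __name__ == "__main__":
    for name in ("fifo", "priority"):
        print(name, simulate(name))
```

      With the shared FIFO the voice flow loses packets at roughly the same rate as the download and waits behind it; with a per-flow queue and priority service the download still loses packets (it has to, the link is oversubscribed) but the voice flow sees neither loss nor queueing delay. That is the whole point of the fair-queuing argument: the router does not need to know the two hosts are unrelated, it only needs to classify the flows.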
    61. Re:Why are critical systems on the 'net? by evilviper · · Score: 1

      Look, talk to a voice engineer, talk to someone (other than me) who's deployed large networks and voice installations.

      You've been talking to one (me) for quite a while, and he (I) keeps telling you that everything coming out of your mouth is nonsensical bull crap.

      Not only do I not believe you've ever "deployed" a "large network", I don't believe you've ever managed a small network. The nonsense and patently obvious ignorance of basic networking concepts completely undermines your false assertions of your own imaginary (lack of) skills.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    62. Re:Why are critical systems on the 'net? by evilviper · · Score: 1

      Most MPLS networks are implemented using pure IP/BGP implementations, not L2 VPNs

      Your statement doesn't even make sense. MPLS *is* a "L2 VPN" technology. What do you think the "L" in MPLS stands for? If it wasn't acting like a VLAN, and separating each customer's traffic, you would see traffic from the MPLS network of the company down the street (you don't have dedicated physical links). Instead the label switching, like VLAN tagging, is keeping it separate at the layer-2 level. BGP and IP are layer-3 protocols, so there's really no such thing as "pure IP/BGP". You've still got MPLS on layer 2, doing tagging, just like VLANs do.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  10. More Fake Infrastructure Called For by retroworks · · Score: 0

    We need redundant fake infrastructure to prepare for just this type of attack. A "New Deal" scale of fake spending, creating thousands of fake jobs, to build fake dams, bridges, highways and subways.

    --
    Gently reply
    1. Re:More Fake Infrastructure Called For by Anonymous Coward · · Score: 0

      Sounds like a very insubstantial line of defense to me.

    2. Re:More Fake Infrastructure Called For by Anonymous Coward · · Score: 0

      How much government spending does one fake attack buy? Because you know that of course the spending will be real, but it will pay for a bigger NSA.

    3. Re:More Fake Infrastructure Called For by plopez · · Score: 1

      Sounds like most pork barrel defense programs I've ever heard of.

      --
      putting the 'B' in LGBTQ+
  11. Why are critical systems hooked into the net? by NobleSavage · · Score: 2

    This is just one more example of why critical systems should never be connected to the internet. There should always be an air gap.

    1. Re:Why are critical systems hooked into the net? by Skapare · · Score: 2

      These systems get their tech support and vendor updates via ... the internet (and most likely not encrypted). Oh, I agree. The air gap needs to be mandated.

      --
      now we need to go OSS in diesel cars
    2. Re:Why are critical systems hooked into the net? by evilviper · · Score: 4, Interesting

      Why are critical systems hooked into the net?

      Because exchanging information with other systems is necessary.

      Because people off-site want or need to monitor the status.

      Because routinely plugging a USB flash drive into a net-connected computer, and then into the air-gapped network (to update software or exchange other info/data), isn't actually much more secure.

      Because there are varying degrees of "critical".

      Because if it's really a "critical" system, you don't want to wait for tech support to arrive on-site to get problems fixed.

      Because "the internet" itself happens to be a "critical" system.

      Because the old days of connecting systems to the PSTN (e.g. dial-in modems) wasn't actually any more secure than connecting them to the internet.

      Because having an air-gapped network provides a false sense of security, that can fall apart in a big way.

      This is just one more example of why critical systems should never be connected to the internet.

      Platitudes are oh-so-easy to spout off, no matter how ignorant you are of the issue, but don't offer any insight or solutions to the root cause of the problems.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    3. Re:Why are critical systems hooked into the net? by Anonymous Coward · · Score: 0

      This is just one more example of why critical systems should never be connected to the internet. There should always be an air gap.

      There is no such thing as a foolproof plan. For instance: WIFI can breach an "air gap". :sigh:

    4. Re:Why are critical systems hooked into the net? by Anonymous Coward · · Score: 0

      Interesting then how such systems worked fine for decades without the internet...

      Because people off-site want or need to monitor the status.

      They can feel free to call the onsite person who is monitoring the system to get an update, you know, like they used to....

    5. Re:Why are critical systems hooked into the net? by evilviper · · Score: 1

      Interesting then how such systems worked fine for decades without the internet...

      READ BETTER
      There aren't enough superlatives in the language to emphasize this point enough.

      A paragraph from the very damn comment you're replying to:

      "Because the old days of connecting systems to the PSTN (e.g. dial-in modems) wasn't actually any more secure than connecting them to the internet."

      Has nobody here seen the movie "War Games"? What's with all the completely mindless anti-Internet Ludditeism?

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  12. Laugh by koan · · Score: 2

    "The researcher behind the study says his results provide the first clear evidence that people actively seek to exploit the many security problems of industrial systems."

    The first eh? I guess he hasn't heard of the tools included in such common distros as BackTrack, why do you suppose SCADA exploitation apps are in there?

    --
    "If any question why we died, Tell them because our fathers lied."
  13. Exempt? by Pharoah_69 · · Score: 0

    Just a suggestion but 'exempt' has consequences. If these jobs were 'non-exempt', then this might not have happened. It seems government is looking for reasons for a physical war to be waged.

  14. Re:hacked by chinese by Endovior · · Score: 5, Informative

    RTFA. Yes, IP addresses are easily spoofed, and provide essentially no information on the target. That is, in fact, why more information than that was gathered, using the nature of the honeypot in question to gather additional data from the attacking machines. I suspect that it would be possible to configure your system and network in such a way as to spoof the nature of your own local network configuration so that a counterattack of this nature would reveal misleading information about your locality... but the nature of the attacks, and the response to them, make this exceedingly unlikely. tldr; yeah, it was people in China and Russia, and there's proof. Still doesn't mean that their governments were involved, of course.

  15. and now the PHB saves big by remoting it out by Joe_Dragon · · Score: 1

    and now the PHB saves big by remoting it out to one office.

  16. Re:Well color me shocked by Culture20 · · Score: 5, Funny

    Pooh sets up a honeypot; finds most attacks come from himself and bees. Oh bother.

  17. Re:hacked by chinese by Anonymous Coward · · Score: 0

    RTFA. Yes, IP addresses are easily spoofed, and provide essentially no information on the target. That is, in fact, why more information than that was gathered, using the nature of the honeypot in question to gather additional data from the attacking machines. I suspect that it would be possible to configure your system and network in such a way as to spoof the nature of your own local network configuration so that a counterattack of this nature would reveal misleading information about your locality... but the nature of the attacks, and the response to them, make this exceedingly unlikely. tldr; yeah, it was people in China and Russia, and there's proof. Still doesn't mean that their governments were involved, of course.

    Could you say "nature" a few more times, please?

  18. Now how to prevent it? by MavEtJu · · Score: 4, Interesting

    As somebody who left the network / sysadmin business before the attacks started from the inside (send enough malware to everybody inside a company and you will get lucky at a certain moment), how would you protect it best?

    Airgap it (or properly firewall it), and people will complain about the costs of duplicate infrastructure, remote support from vendors will be a pain etc.

    Monitor the network and spot anomalies, it's a hard task but could be the way to go. Except that you need skilled people there (not saying that there aren't, my experience in a TAC shows that there aren't many).

    Letting the attackers waste time in a honey-pot while your own network is isolated? At least you learn from it and you give them a false sense of victory.

    What is wisdom, any thoughts?

    --
    bash$ :(){ :|:&};:
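
    The "monitor the network and spot anomalies" option above is the one that turns on skilled people, so it helps to see how small the first useful step actually is. The following is an added example, not code from the poster or from the honeypot study: it learns the set of (source, destination, port) pairs seen on a control network during a known-good period and then flags any later flow that was never in that baseline, annotating it with whether the source lies outside the control subnet and whether it arrived outside the change window. The flow records, the 10.20.0.0/24 subnet, the 08:00-18:00 UTC window and the ports are all constructed sample values.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed flow records in a simple "ts src dst dport" shape; sample data
# for this example, not logs from the honeypot study.
BASELINE_LOG = """
2013-08-01T09:00:00Z src=10.20.0.5 dst=10.20.0.10 dport=502
2013-08-01T09:00:05Z src=10.20.0.5 dst=10.20.0.11 dport=502
2013-08-01T10:00:00Z src=10.20.0.7 dst=10.20.0.10 dport=502
"""

NEW_LOG = """
2013-08-02T03:14:00Z src=10.20.0.5 dst=10.20.0.10 dport=502
2013-08-02T03:15:00Z src=198.51.100.23 dst=10.20.0.10 dport=502
2013-08-02T11:30:00Z src=10.20.0.7 dst=10.20.0.11 dport=502
2013-08-02T11:31:00Z src=10.20.0.9 dst=10.20.0.10 dport=22
"""

CONTROL_NET = ipaddress.ip_network("10.20.0.0/24")   # assumed control-system subnet
MAINT_HOURS = range(8, 18)                            # assumed change window, UTC hours

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)"
    r" src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")


def parse(text):
    """Yield one record per non-empty line; a malformed line is an error,
    because silently skipping records is how a monitor goes blind."""
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable record: {line!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield {"ts": ts,
               "src": ipaddress.ip_address(m["src"]),
               "dst": ipaddress.ip_address(m["dst"]),
               "dport": int(m["dport"])}


def build_baseline(text):
    """Set of (src, dst, dport) triples observed during the learning period."""
    return {(r["src"], r["dst"], r["dport"]) for r in parse(text)}


def detect(text, baseline):
    """Return one alert dict per flow whose peer/port triple is not in the
    baseline.  Known flows pass regardless of time of day: an HMI polling its
    controllers at 03:00 is normal, a new peer at 03:00 is not."""
    alerts = []
    for r in parse(text):
        key = (r["src"], r["dst"], r["dport"])
        if key in baseline:
            continue
        reasons = ["peer/port pair never seen in baseline"]
        if r["src"] not in CONTROL_NET:
            reasons.append("source outside control network")
        if r["ts"].hour not in MAINT_HOURS:
            reasons.append("outside maintenance window")
        alerts.append({"ts": r["ts"].isoformat(), "src": str(r["src"]),
                       "dst": str(r["dst"]), "dport": r["dport"],
                       "reasons": reasons})
    return alerts


def run_demo():
    return detect(NEW_LOG, build_baseline(BASELINE_LOG))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)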
    1. Re:Now how to prevent it? by Anonymous Coward · · Score: 0

      Business Band wireless data. Connect the system to a network, sure, but keep that network separate. The air gap doesn't have to exist at the end point. Put the air gap where you need it, where the people and administrators are. It's called an "intranet". So, use that private dedicated network for the control systems. Other systems that go out on the net are not connected to it. However, there can be people with newfangled technology that lets them glide from one terminal to the next. Amazing, I know! It's called a rolling chair. Chairs with Wheels! What will they think of next?!

    2. Re:Now how to prevent it? by satuon · · Score: 2

      Non-text attachment automatically scrubbed.
      Non-intranet hyperlink automatically censored.
      Text looking like a non-intranet hyperlink automatically censored.
      ^^^
      Secure corporate intranet email client.

  19. Who cares? by Anonymous Coward · · Score: 0

    People still haven't learned to keep these vital systems disconnected from the internet and it's not like our government is going to say "ah HA! We caught you China RED handed!" because China will just say that we did something similar to them, which may or may not be true, and in the end we get nowhere with people still not caring about any of this except for maybe a day on CNN in between spots for a tropical storm and a celebrity baby.

    So yeah, yay. We caught someone doing something we already knew they were/would do.

  20. US Chamber of Commerce Supports Hackers by Required+Snark · · Score: 4, Informative

    Nice to know that the Republicans and the US Chamber of Commerce are supporting Chinese and Russian hackers testing cyber-warfare against our critical infrastructure. Because we all know that left to their own devices corporations always put public welfare ahead of short term profit.

    http://articles.latimes.com/2012/aug/03/nation/la-na-cyber-security-20120803

    U.S. Chamber of Commerce leads defeat of cyber-security bill

    Gen. Keith Alexander, head of the National Security Agency, and Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff, were among those who pressed for a White House-backed cyber-security bill to regulate privately owned crucial infrastructure, such as electric utilities, chemical plants and water systems.

    If the senators didn't act, they argued, it would make it harder to stop hackers, criminals and hostile nations from wreaking unimaginable havoc, such as knocking out sections of New York City's electrical grid for days during a summer heat wave. But the U.S. Chamber of Commerce and other business groups strenuously opposed the measure, condemning it as excessive government interference in the free market and arguing that cumbersome federal regulations could hamper companies trying to defend against cyber intrusions.

    Democrats overwhelmingly supported the legislation, but for Republicans, it meant a stark choice between competing constituencies: national security officials and business leaders. Even after the bill's backers made the standards voluntary, the Chamber of Commerce, which spends more on lobbying than any other trade group, opposed it.

    On Thursday, the Senate cyber-security bill failed to overcome a Republican-led filibuster. Analysts say the bill couldn't breach a wall of anti-regulatory sentiment that proved resistant to the dire warnings.

    The measure fell short of the 60-vote threshold needed to end debate, 52 to 46, with 40 Republicans joined by six Democrats voting in support of the filibuster.

    "Rarely have I been so disappointed in the Senate's failure to come to grips with a threat to our country," said Sen. Susan Collins, the ranking Republican on the Senate Homeland Security Committee and one of the bill's chief sponsors, who had tried in vain to sway her GOP colleagues. Just four sided with her.

    --
    Why is Snark Required?
    1. Re:US Chamber of Commerce Supports Hackers by Anonymous Coward · · Score: 0

      Here's the problem. A lot of legislation sounds nice on the surface, but implementation can be worse than doing nothing. Look at the ADA legislation post on Freakonomics and how it actually discourages hiring now. New York is a poor example, they couldn't energize an extra powerline under the river due to environmental lawsuits. Judging by the wording of the article, it is probably poorly written like the EPA and the ability to regulate any point source without actually defining what a point source is. I heard they have defined a point source to even include sunlight.

  21. Re:hacked by chinese by Anonymous Coward · · Score: 0

    Like there was proof that Iraq had weapons of mass destruction? Forget it, there is no proof, and given the current anti NSA climate, it is much more likely that this is a false flag operation to remind people of their fears.

  22. Our future is Battle Star Galactica by Anonymous Coward · · Score: 0

    Hard lines and 0 networking, from the physical layer on up, to the outside world. Anything else should be considered exploitable, stealable, readable, and sabotagable from anywhere on earth.

  23. Re:first post by Anonymous Coward · · Score: 0, Flamebait

    You failed in life so hard people are laughing at you. You should have marked the anon box because now we all know your name and think you are a fool. Have a nice day failure.

  24. What intelligence organisations are for... by Anonymous Coward · · Score: 0

    This is exactly the kind of thing western foreign intelligence agencies should be working on.
    Rather than collecting data from their citizens, hacking friendly governments and corporations for profit, they should be working to actively defend against intrusions.

    If they suspect an IP address of relaying hostile traffic, can't they be proactive about tracking attack vectors and warning friendly infrastructure managers about vulnerabilities?

  25. Re:hacked by chinese by AK+Marc · · Score: 1

    If I root a computer in China, and then attack a computer in the US, how can the person in the US identify the location of the attacker (me), without rooting the computer in China? They just really really want it to be in China, so it is?

  26. How would you take them off? by Anonymous Coward · · Score: 0

    In the old days, you might need a person at each site monitoring a console. You'd run a daily report of any incidents. If the site was small, it might be checked once a WEEK. I learned about some water systems like this in California that are on the 'net and being monitored all the time now. Small systems up in the hills where you need 4wd to get to them. Old days == once a week to make sure it's OK. Now == all the time to make sure the water is there if you need to put out a fire or make up for the drought.

    Unless you put somebody on each site and/or reduce your monitoring frequency dramatically you can't take it off the 'net.

    During a certain Goldilocks period in tech you might, "run a POTS line there and talk to it with an acoustic modem". The problem with that is that even what you think is a POTS line is routed over IP today.

    That said, it's probably more secure to connect via "POTS" line because even though it's routed it's not addressable. They'd have to root a telco switch or something and intercept your control signals, which seems a lot less likely.

    1. Re:How would you take them off? by Anonymous Coward · · Score: 0

      Until someone finds a vulnerability in NSA's, um, metadata collection systems, and uses those to reflect and modify 3rd party traffic, remotely. Only a matter of time.

  27. Re:Water plant? by Anonymous Coward · · Score: 0

    Yeah, I can not imagine why the enemy would want to stop our water supplies and destroy our crops.

  28. Dumb question by Anonymous Coward · · Score: 0

    Why are water plants, utilities, etc placing their systems on the Internet? I can see loads of advantage to using the backbones for communication, but a VLAN or even just a VPN should be used. And any system that is connected to it should NEVER be allowed to touch the internet. Ever. In fact, the computer should be checking to see if it does and if so, then it records that it has, and will not connect to the utility VLAN/VPN.

  29. That still don't explain why it needs to be on net by Anonymous Coward · · Score: 0

    You do not need something which is connected on a normal net line. You close all ports whatsoever, put a hardware router and firewall before it and do all transactions over SSH. Cost difference? Minor. Hassle difference and higher security.

  30. Not working well outside US by Anonymous Coward · · Score: 0

    I used the service (and others similar, for example for geolocation) all over the world. Once you are in the US the accuracy drops by hundreds of miles, literally. Unless you ask the real provider, your location is pretty much fucked up. My Wifi card is for example located in FfM, and I am located by IP in Berlin, and located by Wifi card in Bonn. That's hundreds of km. The problem is at some point many providers outside the US are NATing. So services like WiGLE and so forth, while getting right what your wifi card is connected to or its neighbors, almost always place it at the wrong geographic location. Pretty much due to NATing only my ISP knows where I am. Otherwise for everybody else, the BEST they can come up with is: "Germany".

    1. Re:Not working well outside US by sumdumass · · Score: 2

      I'm not trying to defend WiGLE but it isn't really identifying by IP or any other stock measure. I understand about the geolocation data based on IP addresses but the WiGLE site is mostly user generated by war drivers along with GPS data built by programs like Kismet and netstumbler. It refines the locations by averaging the latitudes and longitudes of the SSIDs gathered using the signal strength (squared) as a weight.

      In other words, it relies on users who have visited the field and location, not outdated published materials. Try it yourself and see how accurate it is. Click on the map page, zoom out enough until you can click and drag it to your area, look at the available networks to your computer and then try to zoom in to where you are at and see if they are listed. Someone, or more likely several people, have been at or near your neighborhood and posted their finds. There are apps that run on phones and people can turn them on while driving home from work, riding the bus or subway or while doing anything else too. Imagine the Google street view car mapping access points and making all the information searchable.

      Well, it looks like their site might have been slashdotted. It's not showing the SSIDs any more and has replaced it with a plot error message. It might take a while for them to get it back up properly. I found my area and it was accurate within football field range. The Chicago example I posted was a random look up trying to be as neutral as possible.
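
      The location method described in the comment above (average the latitudes and longitudes of the observations of each SSID, weighted by the square of the signal strength) is a weighted centroid, and it is short enough to show in full. The code below is an added example written from that description, not WiGLE's own code: it groups war-driving observations by BSSID, computes the signal-squared weighted centroid for each, and includes an approximate distance helper so the result can be checked against the raw points. The observations, the 0..100 quality scale and the dBm-to-quality mapping are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import cos, radians, sqrt


@dataclass(frozen=True)
class Observation:
    bssid: str
    lat: float
    lon: float
    signal: float   # positive link quality, 0..100 (assumed scale)


def dbm_to_quality(dbm):
    """Map received power in dBm to a 0..100 quality figure.

    Assumed heuristic for this example: -100 dBm or worse -> 0,
    -50 dBm or better -> 100, linear in between."""
    return max(0.0, min(100.0, 2.0 * (dbm + 100.0)))


def weighted_centroid(observations):
    """Signal-squared weighted mean of the observation coordinates, as the
    comment describes.  Squaring makes the strongest readings (the ones
    taken closest to the access point) dominate the estimate."""
    weights = [o.signal ** 2 for o in observations]
    total = sum(weights)
    if total <= 0:
        raise ValueError("no usable signal in observations")
    lat = sum(w * o.lat for w, o in zip(weights, observations)) / total
    lon = sum(w * o.lon for w, o in zip(weights, observations)) / total
    return lat, lon


def locate_all(observations):
    """One estimated position per BSSID seen in the observations."""
    by_bssid = defaultdict(list)
    for o in observations:
        by_bssid[o.bssid].append(o)
    return {bssid: weighted_centroid(obs) for bssid, obs in by_bssid.items()}


def distance_m(a, b):
    """Equirectangular approximation in metres; fine for sub-kilometre spans."""
    lat1, lon1 = a
    lat2, lon2 = b
    mean_lat = radians((lat1 + lat2) / 2.0)
    dy = (lat2 - lat1) * 111_195.0
    dx = (lon2 - lon1) * 111_195.0 * cos(mean_lat)
    return sqrt(dx * dx + dy * dy)


# Constructed sample: three sightings of one access point from a moving car,
# and one sighting of another reported in dBm.
SAMPLE = [
    Observation("00:11:22:33:44:55", 44.9780, -93.2650, 30.0),
    Observation("00:11:22:33:44:55", 44.9790, -93.2660, 90.0),
    Observation("00:11:22:33:44:55", 44.9785, -93.2640, 60.0),
    Observation("66:77:88:99:aa:bb", 44.9700, -93.2700, dbm_to_quality(-60)),
]


if __name__ == "__main__":
    for bssid, pos in locate_all(SAMPLE).items():
        print(bssid, pos)
```

      Because the weights are squared, the estimate for the first access point lands much nearer the 90-quality sighting than the 30-quality one. That also explains the NAT complaint in the parent comment: this method never looks at an IP address, so an ISP's NAT cannot move the estimate; only the GPS fixes recorded by the people who drove past can.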

  31. Re:Water plant? by plover · · Score: 1

    I've never heard of anyone using city water for large scale crop irrigation. A greenhouse or two might use city water, but not a field of corn. Farmers will dip a pipe into a creek, river, pond, or lake, and pump the water to the fields. They will drill into the aquifer. They will hire trucks to haul in water. But they will not pay the city to pump the water. And the city probably wouldn't let them even if they wanted to, because they use so much water they'd drain their towers, leaving them nothing to fight fires.

    Just damaging a few pumps and valves would shut down a city. Last year Minneapolis had a 20 block area shut down for a day due to a single burst water main, leaving many downtown buildings without potable water. Businesses sent the employees home because they couldn't provide sanitary facilities. Restaurants couldn't cook. The physical damage was minor flooding of a street and a construction site, but the financial damage was large.

    --
    John
  32. filthy yellow hordes! by Anonymous Coward · · Score: 0

    all hail the true and righteous in the land of the free and the home of the brave!

  33. why is this reported by MIT? by Anonymous Coward · · Score: 0

    is MIT the new NSA?

  34. Ok, right, but who were the other countries? by Anonymous Coward · · Score: 0

    FTFS:

    "The decoy was one of 12 set up in 8 countries around the world, which together attracted more than 70 attacks, 10 of which completely compromised the control system. China and Russia were the leading sources of the attacks"

    OK, so where did the other attacks come from?

    You see, this is why the "Oh, yeah, we do, but so does everybody" falls down. When it comes to pointing out proof of danger (if you can call it that) from hacking on critical infrastructure, "everybody is doing it" NEVER includes those who use that "defence" of their spying and hacking.

    Was it something like China, Russia, USA, Europe in the top 4 order?

    Not that the headline says so, it only wants to say China and Russia are doing it most.

    But everyone does it, don't they?

    Apparently not as important when it's someone else doing it, only when it's YOUR country doing it...

  35. Plus other problem with you by Anonymous Coward · · Score: 0

    Why is it that you place unionised workers as being paid $150k?

    That is what an engineer would be paid, unionised or not.

    Remember: you pay the CEO high value to get the best CEO. Why do you demand the worst engineer to do the work?

    1. Re:Plus other problem with you by sumdumass · · Score: 1

      I just grabbed an arbitrary high value that I thought would include not only the worker's pay, but the employment taxes, benefits packages, management costs, insurance, retirement, and so on. The actual employee may only be making 80K or less but the entire cost of the employee is what I was going for.

      There are a ton of costs beside the employee's pay that are associated with employing a worker. The entire picture is what I was trying to capture and I was trying to be on the high side of the estimate.

  36. Re:hacked by chinese by TheP4st · · Score: 1

    it is much more likely that this is a false flag operation to remind people of their fears.

    The US State Dept. travel alert is more likely to be a false flag operation as that is something that significantly more people will understand and relate to than this relatively 'geeks only' topic which at best only will earn a few paragraphs in most media. At risk of placing myself in the tinfoil hat category I have to admit that my very first thought when I read about the alert was, "this is very conveniently timed with the XKeyscore leak a few days earlier".

    --
    "I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
  37. Why is it not read only access? by Anonymous Coward · · Score: 0

    The sensors can absolutely be designed to give out and not receive information, and duplicated sensors can be used to display state but not affect those items that read that state for operation.

    So why must the monitoring be read/write and not readonly?

    If you are monitoring a plant and see something that looks odd, you go there and modify locally. No need to do it remotely.

  38. Re:Than vs. then by uglyduckling · · Score: 1

    My breakfast is better, up yours. My breakfast is better, eat yours.

  39. clear evidence.... by Anonymous Coward · · Score: 0

    "The researcher behind the study says his results provide the first clear evidence that people actively seek to exploit the many security problems of industrial systems."
    Because what our allies do with other countries' industrial systems (e.g. centrifuges) is not evidence...

  40. Everyone war games everything by WOOFYGOOFY · · Score: 1

    1 Every nation war games every scenario and as a part of securing the ability to realize those scenarios should they have to, they carry on things with potentially sinister applications. News at 11.

    2 Just saying this so no one gets drummed up into the idea that "this means they're going to attack!" or "this is totally outrageous!!" It is outrageous, on PlanetNice where humans are banned. Back on Earth, where humans are what they are ...goto 1

  41. OT:Re:Than vs. then by umghhh · · Score: 1

    As for trolls, the parent was actually quite informative and for me, a non-native speaker of English, it was an interesting read. Still a troll as it should be but a nice one. At least something positive to think about on a lazy Saturday afternoon.

  42. They're MORONS then (siding with NSA here)... apk by Anonymous Coward · · Score: 0

    Siding with General Alexander on this one (I personally object to their scanning US citizens via xKeyScore + prism though, bigtime)! Why? Well, I see, & have seen, daily for the past 15++ yrs. now just how much malware or malscripted sites that infest folks occurs is how/why. I get a range of roughly 200-5000 a day on those (& another 300-400 a day on bogus things advertisers put into pages you don't see like trackers too). I know what I'm about here, via my application for building custom hosts files (that adds more security, speed, reliability, & also anonymity to an extent):

    APK Hosts File Engine 9.0++ 32/64-bit:

    http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74

    Most folks wouldn't believe how much goes on from "cracker/malware makers" daily - it's unreal! They must be profiting by it, and then you take what security sites like ThreatPost, Dancho Danchev, Sophos & others put out too on top of it, which we only see a fraction of here in news articles? You get the picture, pretty fast, as to "what's-what" on that account.

    APK

    P.S.=> This happening almost makes you *think* the idiots want to leave 'backdoors' in their systems - a "good excuse" imo, for one of their own to 'hack in' from either the outside or even inside internally to say "Oh, it was hacker/crackers' that did it". Seriously! Don't they realize they set customers @ risk & when you do that, class-action lawsuits can harm a company's profitability/bottom-line even with insurances vs. it which by them leaving the side windows open & unlocked for lack of a better analogy, but they are triple locking the front door only to their business set themselves wide open to negligence suits + other damages).

  43. BattleStar Galactica by Anonymous Coward · · Score: 0

    Best line I heard in years goes something like this in regards to automatic voltage controllers for electrical generators: "inexperienced youngsters write all kinds of so-called features into the control software, most of which you should TURN OFF immediately, and NEVER turn back on - just like all the crap in 'WORD' bloatware".

    Find a Vietnam fighter pilot and ask them what they did to the fuse box that powered all the "flight alarms" immediately after leaving the ground.

    Recommended reading:

    199307 Engineering Times - Will High Technology Bring Engineering Disaster? [unverified software applied by unqualified users]
    199409 Scientific American - Software's Chronic Crisis, W. Wayt Gibbs [software is being written but not by programmers]
    199409 IEEE Spectrum - Judgment's Subtle Presence [replacing the decisions made by people with pre-programmed ignorance]
    199703 IEEE Spectrum - Reflections on Complexity, Robert W. Lucky [just because you can does not mean you should]
    199707 WIRED - Digital Obesity, Nicholas Negroponte ["personal computers" have never been people friendly]
    199707 IEEE Institute - Software Engineering [accreditation of educational programs for "professional" programmers]
    199800 Walking on Thin Ice by Peter de Jager [how the Y2K problem was created by the bureaucrats, not the programmers]
    199802 WIRED - Productivity Paradox [the numbers, folks, where are the numbers to back up the continued spending?]
    199907 US NRC - 464th ACRS - Commentary by Dr. Graham Wallis on RETRAN-3D [only "real professors" know the correct way to "engineer"]
    199907 No High Tech Training - The Financial Times by Rebecca Christie [a partial explanation of the productivity paradox]
    200004 US NRC - Digital Instrumentation Research Plan [the emperor has no software quality assurance program]
    200502 US NRC ACRS Sub-C on THP - Commentary by Dr. Graham Wallis on TRACE [user manuals generally suck - DUH! so do most textbooks]
    200503 How computers make kids dumb - Andrew Orlowski - San Francisco [the title says it all]
    2009?? Bounded Model Checking Using Satisfiability Solving - Edmund Clarke, Armin Biere, Richard Raimi, and Yunshan Zhu [just WOW]
    201206 Botched Computer Analysis Does In California Nuclear Plant [Management bonuses will NOT be returned to the ratepayers]

  44. like you said by nten · · Score: 1

    TFA indicates they rooted the attacking computers using holes in the browsers they were attacking with, and then used the visible wifi hotspots to locate the machines. It does not say that they checked to make sure the machine was not being remotely controlled, or itself a honeypot. Using this technique, not all the sophisticated attacks came from China; some were U.S., Japan, France, etc., but over half were from China. Also, not all the honeypots were in the U.S., so it's not only the U.S. being targeted.

    --
    refactor the law, it's bloated, confusing and unmaintainable.

    1. Re:like you said by AK+Marc · · Score: 1

      Right, 67% of the non-critical attacks came from Russia, and "about half" of the critical attacks came from China. That means nothing. China was 40% of the arbitrarily defined "critical" attacks (and the UK could have been 45%, more than China), but Russia was where the majority of the attacks came from? Sounds like we are targeting the Chinese for blame. There was no direct link given about the Chinese attacking US plants, just the implication that since so many attacks came from China, and one of the honeyplants was in the US, China must have attacked the US.

    2. Re:like you said by Endovior · · Score: 1

      Eh, I don't see it as 'targeting' the Chinese, per se. Personally, I think that it boils down to a combination of population and enforcement. More people, plus access to tech, means more potential hackers. Of course, the big issue is that would-be hackers in China face rather more significant risks in using their skills domestically than do similar individuals in the US. At the same time, I don't imagine the Chinese government would be extensively concerned about tracking down individual hackers within their borders who are infiltrating the critical systems of other nations... unless, perhaps, it's to offer them employment. Accordingly, I don't at all find it surprising that there'd be lots of Chinese hackers attacking sites elsewhere in the world. No nefarious plots, just script kiddies flexing their code.

      Naturally, 'no nefarious plots' is the naive view. There are probably a few actual nefarious plots somewhere out there. My point is that not everything is a nefarious plot, and in fact the majority of things are not.

  45. Agreed, & 1 other point: "hidden/buried" claus by Anonymous Coward · · Score: 0

    Per my last post though just prior to/above yours? See subject-line above, this http://it.slashdot.org/comments.pl?sid=4046997&cid=44465451 and of course my agreement with you, to an extent (which I cover in that link)!

    PLUS what I have HAD to "re-evaluate" as well that I also pointed out today in that link!

    (Yes - I had to "backpedal" on it because up front? It's a GOOD THING not only for security, but job creation, and even for companies vs. insurance coverage denials + customer lawsuits)

    Still - yes, against PRISM here - mainly for reasons of "big brother" possible misuses/abuses via "absolute power corrupting absolutely" + mortal men, & low "ROI" imo, vs. spying on EVERYONE (especially fellow US citizens)...

    However: Yes I am upset about republicans blocking the "cyber security bill" -> http://news.slashdot.org/comments.pl?sid=4046897&cid=44465983 for MANY reasons also!

    APK

    P.S.=> Again though, for what YOU stated, & what I do now in my subject-line above - I hate when they put up something that yes, sounds good "up front" but *try* to "sneak in" things inside of 100's of pages of bill legislation in the "fine print"... what? Nobody will READ them?? Maybe politicians are like that - but it's our money being spent, there WILL be folks checking (especially nowadays)... apk

  46. weak by t8z5h3 · · Score: 1

    70 is low, I get 65 a day from my home hunny pot... mostly just sweeps but there are some e-mail/ftp/php attacks done on it each day.

  47. So, how many... by Anonymous Coward · · Score: 0

    ...arrests or other legal action did it result in? None? Then your experiment did nothing but waste time and money to state the obvious.

  48. Re:Than vs. then by Anonymous Coward · · Score: 0

    It said replace with another word, not with another word and some punctuation.

    FAIL.

  49. Re:Well color me shocked by Anonymous Coward · · Score: 0

    Pooh sets up a honeypot; finds most attacks come from himself and bees. Oh bother.

    thanks
    I needed a smile.