Slashdot Mirror
Target's Data Breach Started With an HVAC Account
Jim Hall writes "Security blogger Krebs reports that Target's data breach started with a stolen HVAC account. Last week, Target said the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now claim that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers. Attackers stole network credentials from Fazio Mechanical Services, then used that to gain access to Target's network. It's not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target's payment system network."
Please post this to new articles if it hasn't been posted yet.
On February 5, 2014, Slashdot announced through a javascript popup that they are starting to "move in to" the new Slashdot Beta design.
Slashdot Beta is a trend-following attempt to give Slashdot a fresh look, an approach that has led to less space for text and an abandonment of the traditional Slashdot look. Much worse than that, Slashdot Beta fundamentally breaks the classic Slashdot discussion and moderation system.
If you haven't seen Slashdot Beta already, open this in a new tab. After seeing that, click here to return to classic Slashdot.
We should boycott stories and only discuss the abomination that is Slashdot Beta until Dice abandons the project.
We should boycott slashdot entirely during the week of Feb 10 to Feb 17 as part of the wider slashcott
Moderators - only spend mod points on comments that discuss Beta
Commentors - only discuss Beta http://slashdot.org/recent [slashdot.org] - Vote up the Fuck Beta stories
Keep this up for a few days and we may finally get the PHBs attention.
Discussion of Beta: http://slashdot.org/firehose.pl?op=view&id=56395415
Discussion of where to go if Beta goes live: http://slashdot.org/firehose.pl?op=view&type=submission&id=3321441
Alternative Slashdot: altslashdot.org
http://slashdot.org/?nobeta=1
Use it while you can, because they say they're gonna take it away soon.
**NOW WITH LINE BREAKS**
Please post this to new articles if it hasn't been posted yet.
On February 5, 2014, Slashdot announced through a javascript popup that they are starting to "move in to" the new Slashdot Beta design.
Slashdot Beta is a trend-following attempt to give Slashdot a fresh look, an approach that has led to less space for text and an abandonment of the traditional Slashdot look. Much worse than that, Slashdot Beta fundamentally breaks the classic Slashdot discussion and moderation system.
If you haven't seen Slashdot Beta already, open this [slashdot.org] in a new tab. After seeing that, click here [slashdot.org] to return to classic Slashdot.
We should boycott stories and only discuss the abomination that is Slashdot Beta until Dice abandons the project.
We should boycott slashdot entirely during the week of Feb 10 to Feb 17 as part of the wider slashcott [slashdot.org]
Moderators - only spend mod points on comments that discuss Beta
Commentors - only discuss the Beta - Vote up the Fuck Beta stories
Keep this up for a few days and we may finally get the PHBs attention.
Do you actually pay to use slashdot or are you complaining about a service you use freely that is no longer up to your high standards?
We pay in two ways. Well, three, if you include those that pay directly. But otherwise, we pay by contributing, and we pay by watching ads.
Believe me, there's no confusion about the immensity of the community's contribution to the site.
This is very true. Please keep the feedback coming. The more constructive, the better.
Kill Slashdot Beta and start from scratch.
That is a constructive suggestion, and absolutely doable.
Than why are you pulling a microsoft and ignoring your community? Your community /is/ your product. Like microsoft forcing metro with Windows 8 the beta site isnt functional and you insist on ignoring the very hands that feed you. Without your community slashdot is just another has been website.
The whole point of the beta is to get feedback from the community. If we were ignoring you, we would have just flipped the switch and not looked back.
I can't promise we'll implement every suggestion (indeed, many are contradictory), but we absolutely consider them.
This is very true. Please keep the feedback coming. The more constructive, the better.
I admire you actually coming out and posting, but I'd point out that there has been a plethora of constructive, detailed feedback on the beta already, seemingly to no avail.
But since you asked, I'd recommend:
Keep the Classic Slashdot.
I've emailed them... they ignore... the more they ignore the quicker their downfall.
Ignore your userbase, and you shall have none. If I am ignored much longer, I will leave. Just like I left mashable after their AOL'ed it.
PS. I've been a slashdotter for 7+ years.
No trees were killed in the making of this post; however, many trillions of electrons were horribly inconvenienced.
I can't promise we'll implement every suggestion (indeed, many are contradictory), but we absolutely consider them.
You only need to implement ONE suggestion and everyone will be happy. Let people continue to use Classic interface if they choose. That's all you need to do.
Modern HVAC controls are much more than thermostats. There are typically resets for supply air temperatures based on outside air conditions and time of day, and boiler water temperature setbacks based outside air conditions. Fan and pump systems can get feedback from the positions of dampers/valves throughout the system, and the VFD can slow down to minimize energy usage based on the feedback from the worst-case zone in real time. The list goes on, but all of this energy optimizing relies on lots of real time data, and the easiest way to do this is on an ethernet network.
Many large clients, particularly those with multiple locations like school districts or big box stores will hire a controls company, and pay them a bunch of money to save a target dollar amount or percentage amount on their energy costs. This is typically done through an online interface to monitor multiple locations simultaneously, and keep them all operating the same way. The user doesn't typically care how the contractor sets this up, they just want the savings. The cheaper the contractor can get to the target the more money he makes, which can lead to corner cutting by the contractor.
Some people (government, some Universities) tend to make the controls sub-contractors install a second, independent TCP/IP network for their equipment. But this security comes at a cost premium, particularly in existing buildings that already have a network in place for their computer needs. Most places I have seen don't bother with this due to the cost and the general availability of network connections in today's world. If the security is setup properly this shouldn't be needed, but we all know how often proper security is overlooked.