Target's Data Breach Started With an HVAC Account

Jim Hall writes "Security blogger Krebs reports that Target's data breach started with a stolen HVAC account. Last week, Target said the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now claim that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers. Attackers stole network credentials from Fazio Mechanical Services, then used that to gain access to Target's network. It's not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target's payment system network."

beta?

[Iniamyen]

/* This space reserved for thousands of whiny basement-dwellers fucking the cheese, or something like that */




Please mod down in advance, thanks.

Re:beta?

/* This space reserved for thousands of whiny basement-dwellers fucking the cheese, or something like that */

// Are you suggesting that it took thousands of Beta developers to perform unnatural acts upon a wheel of Swiss Cheese?

Re:beta?

[frisket]

<-- It only takes one, and the rest will follow -->

it IS immediately clear

Well, the beta sucks, but to the article's point, Target wasn't following PCI guidelines.

"...as we migrate our audience..."

[NoNonAlphaCharsHere]

That's the problem right there.

Dear DICE:
We're not "your audience", we're your CONTRIBUTERS. You're just the chalkboard we have our discussions on. Shut the fuck up, display a few ads, and stay the fuck out of the way.

Re:"...as we migrate our audience..."

Do you actually pay to use slashdot or are you complaining about a service you use freely that is no longer up to your high standards?

Re:"...as we migrate our audience..."

[dmomo]

There are readers and contributors. Slashdot acknowledges some people as meaningful contributors by allowing them to disable ads. So, yes. We contributors ARE paying to use the site by offering our content. We're not giving the content for free, we get compensated in the form of a site that lives up to our high standards. So, when the compensation fails to be adequate, we must be vocal. We understand that we can stop using the "free" site at any time. We become vocal in hopes it doesn't have to come to that.

Re:"...as we migrate our audience..."

Well, aren't you just an entitled little shit.

Re:"...as we migrate our audience..."

[dmomo]

It will soon change to: "as our audience migrates". Keep up the discussion outside of their moderation power over on reddit: http://www.reddit.com/r/social...

Re:"...as we migrate our audience..."

[arth1]

Do you actually pay to use slashdot or are you complaining about a service you use freely that is no longer up to your high standards?

We pay in two ways. Well, three, if you include those that pay directly. But otherwise, we pay by contributing, and we pay by watching ads.

Re:"...as we migrate our audience..."

[dmomo]

That will soon change to "as our audience migrates away". This needs more attention outside of the moderators' control. Continue over at reddit: http://www.reddit.com/r/social...

Re:"...as we migrate our audience..."

Where do people get this strange notion that the hosters of free services should never receive negative feedback?

They provide the service for free because they want people to use it (usually for ad revenue, though there are other motivations). If people don't like it, they won't use it. Providing negative feedback informs the providers that something is driving users away, which suggests changes that could increase usage, which is ultimately what the provider wants.

Receiving something for free does not negate one's right to complain about it.
 

Re:"...as we migrate our audience..."

[bmxeroh]

Uh well, yeah he's paying for it so I would say he is...

Re:"...as we migrate our audience..."

Dear Dice:
I am the audience. I read more than I contribute. I've been coming here a long time and have learned a great deal, even to the point I can once in a blue moon contribute. I've even clicked a couple ads. If the contributors leave so will I, I'll follow. Spot on, this is just a chalkboard. Sites come and go. It's a pity to see Slashdot devolve, but it happens. On the bright side Dice, you'll still have your chalkboard and chalk.

Re:"...as we migrate our audience..."

Here is Dice's "Contact Us" page. [diceholdingsinc.com] Everybody be sure to call them tomorrow using whatever numbers from that page you can get to ring. Tell every darn receptionist in every darn one of Dice's holdings, along with anyone you can get them to connect you to, that the Slashdot beta is terrible and you won't shut up until it goes away. Fax them a well-illustrated complaint or two or three. Send them a choice letter via snail mail, along with whatever memorabilia you wish.

They keep soliciting our feedback, they can get our feedback, right where it counts.

Spread the word by mentioning this in every article's comments.

The most obvious contact points are:

Dice Holdings Inc.
1040 Avenue of the Americas, 8th Floor
New York, NY 10018
T: 212-725-6550
F: 212-725-6559

Slashdot
594 Howard St Suite 300
San Francisco, CA 94105
Tel: +1-877-433-5638
www.slashdot.com

capcha = wretch !!

Re:"...as we migrate our audience..."

[Teancum]

Do you actually pay to use slashdot or are you complaining about a service you use freely that is no longer up to your high standards?

You do realize that even subscribers to Slashdot are getting the shaft here too? Some people actually are paying for Slashdot, so shut the F*** up about this kind of reasoning and learn a bit about what people are complaining about.

Re:"...as we migrate our audience..."

[Soulskill]

Receiving something for free does not negate one's right to complain about it.

This is very true. Please keep the feedback coming. The more constructive, the better.

Re:"...as we migrate our audience..."

[Soulskill]

Believe me, there's no confusion about the immensity of the community's contribution to the site.

Re:"...as we migrate our audience..."

[Magic5Ball]

There's a lot of hate from Anonymous Coward for critics of beta.

I hope this isn't Dice astroturfing their own site.

Re:"...as we migrate our audience..."

[plopez]

Freely? We do get marketed to. See the ads scattered all over /.

Re:"...as we migrate our audience..."

I 'pay' by being fed ads.

Re:"...as we migrate our audience..."

The Beta is harder to read and harder to comment on.
There is too much whitespace, and not enough text.
Has anyone seen even one single thing you could count as an improvement?
Let's assume the Slashcott really takes off. Will that be enough for your corporate overlords to abandon this ill-conceived project?

Re:"...as we migrate our audience..."

[arth1]

This is very true. Please keep the feedback coming. The more constructive, the better.

Kill Slashdot Beta and start from scratch.
That is a constructive suggestion, and absolutely doable.

Re:"...as we migrate our audience..."

[wjwlsn]

Well, aren't you just an entitled little shit.

Do you not understand his argument, or are you really just an asshole? The value of Slashdot that keeps old-timers coming back, and brings new people in, is the content... and virtually all of that content is created and moderated by the users. Yes, the site itself is valuable as well, but only because it enables a certain style of discussion and fosters a particular kind of community, all built around that user content.

When the site no longer enables the discussion and fosters the community that is Slashdot, it ceases having any value. People will leave. The quantity, quality, and very nature of the content will change... and as that continues, more people will leave. Now you're into a potentially unstoppable death spiral, and whatever remains will be just a pale image of the greatness that once existed.

Do you expect us to keep our mouths shut? We don't want to see Slashdot die! Even if an alternative pops up somewhere, it won't have all the history that this site has. Losing all of that will be tragic.

Re:"...as we migrate our audience..."

[onyxruby]

Than why are you pulling a microsoft and ignoring your community? Your community /is/ your product. Like microsoft forcing metro with Windows 8 the beta site isnt functional and you insist on ignoring the very hands that feed you. Without your community slashdot is just another has been website.

Re:"...as we migrate our audience..."

[EL_mal0]

The thing that is most frustrating to me is that is seems that many of the complaints brought up when the Beta first went public persist. Looking back at the feedback in that comment section, there are a lot of specific criticisms of the site. It wasn't general complaining, but pointing out stuff that should be fixed. Lots of that went ignored.

I wrote an email back in October with some feedback, and I wrote another today. The company has had five months to fix some pretty basic things and listen to feedback. It didn't.

It might be time to move on.

Re:"...as we migrate our audience..."

[gallondr00nk]

Since Slashdot without comments is more or less pointless, we actually are paying, it just isn't with money.

If a website is a commodity, then our user generated content and comments are likewise a commodity. On some sites this contribution is pretty marginal, but on Slashdot it's the basis of the entire business model.

Since Slashdot profits from the userbase contributions, that means those contributions have a value.

So yes, I pay, though the contributions are probably not worth a lot ;)

Re:"...as we migrate our audience..."

[Soulskill]

Than why are you pulling a microsoft and ignoring your community?

The whole point of the beta is to get feedback from the community. If we were ignoring you, we would have just flipped the switch and not looked back.

I can't promise we'll implement every suggestion (indeed, many are contradictory), but we absolutely consider them.

Re:"...as we migrate our audience..."

[PvtVoid]

Do you actually pay to use slashdot or are you complaining about a service you use freely that is no longer up to your high standards?

Well, I provide content by commenting, and I improve the quality of content by moderating. For nothing. Without people like me doing that, Slashdot ceases to exist.

Re:"...as we migrate our audience..."

[gallondr00nk]

This is very true. Please keep the feedback coming. The more constructive, the better.

I admire you actually coming out and posting, but I'd point out that there has been a plethora of constructive, detailed feedback on the beta already, seemingly to no avail.

But since you asked, I'd recommend:

Keep the Classic Slashdot.

Re:"...as we migrate our audience..."

[RDW]

Believe me, there's no confusion about the immensity of the community's contribution to the site.

Join us! Give yourself to the Dark Side. It is the only way you can save your friends. Yes, your thoughts betray you. Your feelings for them are strong. And we have cooler spaceships and better dialogue.

Re:"...as we migrate our audience..."

[wjwlsn]

Believe me, there's no confusion about the immensity of the community's contribution to the site.

That's a bit of an understatement. Without the community, there is no Slashdot. So why do you think the community exists in the first place?...

... because the design permits unfettered chaos while providing the means for users to wade through it quickly and efficiently, so they can easily promote the best content to the top!

Beta hinders that style of conversation. Yes, the chaos does create a lot of noise, but some of that "noise" is valuable. Some of the best posts I've ever seen on Slashdot ... whether funny, insightful, interesting, informative, touching, inspirational, or just plain nuts ... were actually completely off-topic. Beta makes it much more difficult for the chaotic mish-mash to occur, grow, and be distilled.

Re:"...as we migrate our audience..."

[Spy+Handler]

I can't promise we'll implement every suggestion (indeed, many are contradictory), but we absolutely consider them.

You only need to implement ONE suggestion and everyone will be happy. Let people continue to use Classic interface if they choose. That's all you need to do.

Re:"...as we migrate our audience..."

[Bill,+Shooter+of+Bul]

Oh, I don't know, probably the people complaining about the people complaining about beta are Dice Employees. Wouldn't suprise me.

Re:"...as we migrate our audience..."

[Em+Adespoton]

Unicode support please :)

Re:"...as we migrate our audience..."

[Monoman]

The Beta leaves much to be desired and seems like it is change for the sake of change.

Quit trying to be what other sites are being and stay true /.'s roots.

Re:"...as we migrate our audience..."

[Em+Adespoton]

I know as the middleman, you're not really in the best situation to answer, but where *is* the confusion? We've had a laundry list of requested improvements to slashcode for years, and instead of seeing them get fixed (with some notable exceptions), we get a superficial GUI replacement that makes the most common actions more difficult, and ignores the idiosyncrasies of its specific target audience and instead moves over to a more "standardized" stack that in the past drove many people to abandon other discussion sites for slashdot in the first place.

Re:"...as we migrate our audience..."

[Goaway]

I tried telling you once already that there is no longer any way to see replies to your posts, making discussion impossible and the comment section unusable.

But if you're using beta, I guess you wouldn't know, because you never saw that you got a reply.

Re:"...as we migrate our audience..."

[DrJimbo]

Excellent comment. OTOH, my cynical side is suspicious of how tone-deaf the site owners seem to be. It makes me wonder if the following item was on an NSA todo list somewhere:

Destroy Slashdot. After those damned Snowden leaks the Slashdot community seems to be united against us. As long as they were divided and bickering, they were not a threat.

Re:"...as we migrate our audience..."

[Frosty+Piss]

The day that Slashdot Beta becomes the default Slashdot is the day I stop coming to Slashdot.

Re:"...as we migrate our audience..."

[DarkOx]

Okay,

Please make a discussion system like D1 available, even if it has to be limited to some table that won't flow the page to accomodate the rest of the new page layout.

Re:"...as we migrate our audience..."

[Rival]

I don't envy your position; nobody likes being a spokesman in front of an angry mob. Thank you for keeping things calm.

Here's the situation: you've got an old codebase which you'd like to get rid of, and an old userbase which you'd like to keep. Unfortunately they're part and parcel, and it's sounding like divorcing the two isn't much of an option. The question thus comes down to which is more important.

If I may ask: has anyone in the userbase specifically requested that classic view support be dropped?

I'm not talking about those who have asked for updates and added functionality, or the corporate personnel who are driven toward new shininess for some reason. Their suggestions and desires ought to be considered! But enhancements don't need to come at the expense of existing systems.

Now we're not idiots here; we recognize that keeping classic mode may very well require a few small modifications in order to maintain compatibility with this new revision. But these would be a drop in the bucket compared to the amount of effort expended so far, and should be well worth it to maintain a satisfied and contributing user base.

What are your thoughts? Have any contradicting user suggestions been made? Has a cost analysis been done? Or is it simply a few people with power in a closed room saying, "Let's make a change to get with The Future!(c)" Without evidence to the contrary, it feels like the latter, which makes everyone all the more butt-hurt.

Re:"...as we migrate our audience..."

[lgw]

What more can we say than we like the current system better? The Beta fails in many ways - hiding post times, hiding UID, making it hard to navigate "up", and so on.

Why fix what isn't broken? I still browse with the original no-JavaScript layout, just a page of comments and no "live" controls. It's great; it's just the way I like it. I like "reply to this" as a plain old link that I can middle-click on to compose a reply in a new tab. I like the fact that the entire comment tree is pre-expanded and I don't need anything but "Page down" to read.

Want to make me happy? Fix the bug where in this mode most of a page will have the same comments repeated from the previous page. Everything else is great, thanks.

Re: "...as we migrate our audience..."

No need to start from scratch. Just keep classic as default and beta as an option. This gives slashdot infinite time to actually make beta good. The whole "click for more" thing in the comments should only appear when you are hundreds of comments deep, and clicking it should load hundreds more if not the rest of the comments.

Re:"...as we migrate our audience..."

[Soulskill]

If I may ask: has anyone in the userbase specifically requested that classic view support be dropped?

No, of course not. And make no mistake, we'd love to leave the classic site around in perpetuity for those who prefer it.

But it does take engineering resources to maintain. Maybe not a lot, but not a trivial amount either. There are a number of concerns here; eventually, something about the old site will break, and we'll have to dedicate engineering time to fixing it. Whenever we roll out a new features on the new version, we'll have to think (read:test) to make sure it doesn't screw anything up on the old site.

Our engineering team is small. We're going to leave the classic site up for some period of time, but it's a non-zero drain on limited resources. And as time goes by, that drain only gets bigger, as the codebases diverge.

Regardless, I'll bring it up again with the engineering team and see if we can at least extend classic site some more.

Re:"...as we migrate our audience..."

[DerekLyons]

If we were ignoring you, we would have just flipped the switch and not looked back.

But that's essentially what you're doing - the switch may be flipping in slow motion, but it's flipping none the less. All the pious corporatespeak to the contrary doesn't change that one bit. You claim to regard the community, while completely *disregarding* them.

Re:"...as we migrate our audience..."

[DerekLyons]

If I may ask: has anyone in the userbase specifically requested that classic view support be dropped?

No, of course not. And make no mistake, we'd love to leave the classic site around in perpetuity for those who prefer it.

But it does take engineering resources to maintain. Maybe not a lot, but not a trivial amount either. There are a number of concerns here; eventually, something about the old site will break, and we'll have to dedicate engineering time to fixing it.

Do you think you're talking to children here? What you say of the old code is equally true of the new code.

We appreciate the communication, but we only only appreciate communication. If all you're going to do is sling bullshit, go home. We're not illiterates and we know marketdroid bull a mile away.

Re:"...as we migrate our audience..."

[AmiMoJo]

I disagree. The beta site needs to go. If it becomes the default it will just drive people who can't be bothered to switch every time or who are new and don't know you can switch. It's that bad, that broken.

Soulskill, what is actually wrong with the classic layout that needs such a radical change to fix? Why can't you implement improvements on that platform?

Re: "...as we migrate our audience..."

[rmdingler]

I, for one, have I intentionally shopped for a product on line and purchased it through the ad that invariably popped up on /.

And I would happily purchase a lifetime subscription to keep commenting on Classic.

I love the green lines.

Re:"...as we migrate our audience..."

[AmiMoJo]

The only thing the admins or Dice can do to get some respect back and apologise to the contributors is to admit that the beta site was a mistake. It's hard to write off all that work, but sometimes it's the best thing.

After the mobile site fiasco no-one has any confidence in the developers any more. When the mobile site launched you couldn't even scroll the screen without accidentally clicking something, and even now I always just use the classic desktop site. On the other hand some guy hacked up a far better mobile app in a few weeks (PlusFive, free on the Android Play store). Sorry, but your guys just suck, the project has failed and worst of all there was nothing wrong with the classic site in the first place.

Re:"...as we migrate our audience..."

[tftp]

Believe me, there's no confusion about the immensity of the community's contribution to the site.

The community's contribution *is* the site. Who would need a blog with ten articles per day and no discussion?

Unfortunately, lack of confusion does not mean "correct understanding of the lay of the land." The business development people may be totally wrong and at the same time not confused about what they perceive as truth. Is the Pope confused about his religion?

If the classic "just the bytes, ma'am" mode disappears, contributors who care about such things will instantly migrate elsewhere. Hell, 90% of people around here can whip up a new Slashdot-like discussion board out of existing bits and pieces in under 24 hours. What would be the value of the JS monstrocity that the new owners of /. are trying to foist upon the very educated clientele? I have JS disabled, and I have no interest to browse /. in any other mode. I reviewed the Beta in Chrome, with JS, and found it useless and unacceptable.

Re:"...as we migrate our audience..."

[AmiMoJo]

If only you hadn't wasted all that effort building a broken beta site, and had instead focused on improving the classic site.

Out of interest, what drove the decision to start over with a new layout and code base instead of trying to improve what you had? Is the Classic code really that bad or something? I remember when the mobile site launched and one of the developers listed all the cool technologies they were trying to shoehorn in to it, so it really just seems like a desire to pad their CVs and play with new toys was the main motivation.

Have you considered open sourcing the code again? I'm sure there would be plenty of people willing to improve it for free.

Re: "...as we migrate our audience..."

[arth1]

No need to start from scratch. Just keep classic as default and beta as an option.

Two words come to mind: Polishing. Turd.

No, the Beta site is beyond repair, and better rewritten from the ground up. Sometimes things are so failed that you have to let them go and start over. This is a perfect example.

Re:"...as we migrate our audience..."

[rmdingler]

1) As you are readily able to see, this post is a reply to your comment. This part of the forum is essential to the give and take I love about the site. Many times a reply to an entrenched belief has set me on the path to differing and sometimes enlightening understanding.

2) Posted user ID is an important consideration when I read a post. I will give a post that seems offensive another look for clarity if the UID is lower and I am much more forgiving of an ignorant post if the UID is very new.

3) My internet is down, the power is off, it is cold, and I will have to start a vehicle to charge this android phone i am thumb-typing on in the driveway so that I can post this reply. That's how much I love this site.

Re:"...as we migrate our audience..."

[frinsore]

I don't hate the current beta site but I do find it unusable. The beta site has made some improvements over the months but I doubt that it will be fulfill the minimum requirements any time soon.

My current complaints:
1. Fixed width and a lot of wasted space. I browse with a window width of 1200 on a PC. The comments end up being around 400 pixels wide, that is a lot of wasted horizontal space. On a tablet I can understand having a dead area around the edges of the screen to help avoid accidental touches but on a PC it's wasteful. Also that side bar is completely worthless once someone has scrolled below it yet it still takes up the screen real estate.

2. The side bar can't be customized. On the classic site I can add/remove different widgets for things that I care about. I realize that the web has moved on since those widgets were first designed so I can understand changing them. But that doesn't mean that I want to have widgets that I actively ignore, I haven't cared about the slashdot poll in years and that's not going to change; also I don't care about what was on the site 10 years ago this day.

3. The comments seem to have bugs. On the main site there are 7 replies to this comment's parent while on the beta site there are only 2 replies. What happened to the other comments? It seems that the only the first 2 comments by date are displayed meaning some +5 comments aren't being displayed which brings the average of the entire comment system down by a significant amount.

4. Make a dedicated forum/thread/story/etc where you engage with community about the new site. Currently people are complaining in the comments of every article because that's the only place they feel like they can vent. Make a dedicated area to talk about the new site design and where the designers explain their design decisions. I know that showing people how the sausage is made is scary and that it will invite a lot of criticism but it also can create a lot of trust.

Re:"...as we migrate our audience..."

[ttucker]

Well, aren't you just an entitled little shit.

He is entitled to leave and not come back. In fact so are you, please exercise that entitlement.

Re:"...as we migrate our audience..."

[girlintraining]

The whole point of the beta is to get feedback from the community. If we were ignoring you, we would have just flipped the switch and not looked back.

Soul, I know you are in a difficult position, having been told to do spin control for a furious userbase. But you don't have to insult our intelligence. Redirects to beta were going on well before this, and the sentiment hasn't changed. It's been negative from the moment people started getting redirected. Management has been ignoring the users from day one under the notion that they'll like it once they get used to it, and hey, look at how Facebook changes things and people complain, but keep using Facebook.

But your seniors don't seem to understand that this isn't Facebook. This isn't a site for the general population, and it's not irreplaceable nor without intense competition. There are thousands of internet forum sites out there, many of whom have the same target audience. I do not buy the argument for one second that management was ignorant of the poor opinion held of it's new "beta".

I get that they bought the house and now they want to repaint it so it's "theirs", but they've gone too far. Very far too far. They have failed to understand their target audience completely, believing that we're just like any other of the dozens of assets they hold in their portfolio, and it'll homogenize with the rest if they just stay the course.

It won't. They're going to tank their investment and once the users bail, they won't come back. They'll be like the MySpace of the IT world: It was popular at one time, but now it's a ghost website nobody cares about, just another content aggregation website, and not even a particularly valuable one. Nobody wants to see this happen... apparently, except for the senior management. We've spoken clearly, and unequivocably, in every possible way, that this is a bad decision. We've been doing this for days, and have received no indications from these people that they've even noticed.

Do we have to set fire to the facilities they live in? DDoS all their sites? I mean, really, Soulskill... we've exhausted every avenue to let these people know "Hey dudes, train coming. Train. Big train. Honk honk. Motherfucking train, on the mother fucking tracks, coming your way. TRAIN." ... And they seem to be content to just lay there like some drunk and wait for it to run them over.

If this is how it has to be, fine. But at least tell us that if Slashdot goes tits up someone on the Dice board of directors is getting shit-canned... because otherwise, the nerd rage that has built up here is going to find other, less pleasant, ways of extracting their pound of flesh from Dice. If you think the Slashdot Effect on other websites is bad... wait until a hundred thousand pissed off IT people each sitting on massive bandwidth pipes, decide to ping the SS Dice Fail Boat. It will not be pretty.

Re:"...as we migrate our audience..."

[ttucker]

I just tried to cruise the comments section using the beta, and that is where things are the worst. There is no quote parent button, and it made me copy and paste the reply title by hand. There is no link to get a permanent reference to a single comment. Comment text does not show bold or italic. Quoted text is merely italic, but not indented or anything.

This horrible re-write is particularly insulting because the old site is relatively good, minus a few quirks (like having comments formatted with html only). A superficial design change should not need to break so much functionality, unless they are actively trying to eliminate it.

Re:"...as we migrate our audience..."

[Khyber]

"But it does take engineering resources to maintain."

As if your new EXTREMELY WASTEFUL (check it yourself, bandwidth usage is up) beta will do any better in resource usage.

"eventually, something about the old site will break, and we'll have to dedicate engineering time to fixing it. "

You're already doing that to the beta. This is how I know you're not engineers - you fail to follow the motto - 'Make it work, then make it work better.' Forcing beta is BROKEN and doesn't work, quit trying it.

"Whenever we roll out a new features on the new version, we'll have to think (read:test) to make sure it doesn't screw anything up on the old site."

Quit trying to be new. Seriously. It's like playing catch-up with the Johnsons. Not only is it fucking annoying, but it's a waste of time, resources, engineering (ha) skills, and money.

DID YOU HEAR THAT, DICE? YOU ARE WASTING MONEY. SHIT IS LEAPING OUT OF YOUR POCKETS.

"Our engineering team is small."

I'm the ONLY engineer on my team, and I handle over six hundred food production sites (including programming, monitoring, maintenance, crop checking, website development and maintenance, etc.) ACROSS THE GLOBE. I do that on a budget so infinitesimally small as to make you guys look fucking rich in comparison. What's your excuse, now?

"We're going to leave the classic site up for some period of time, but it's a non-zero drain on limited resources."

Hey, here's an idea from a REAL ENGINEER - quit wasting limited resources on a failing design, dump it, and divert those resources into improving what works.

"And as time goes by, that drain only gets bigger, as the codebases diverge."

Yea, so quit diverging codebases, stick with what works. You call yourselves engineers, start acting like them.

"Regardless, I'll bring it up again with the engineering team and see if we can at least extend classic site some more."

How about you fire your engineering team and just hire me on?

Looks like I can do all of their jobs, plus mine, plus work at a warehouse running one of the most expensive and difficult forklifts on the planet, plus ensure that hundreds of stores remain stocked with inventory, without a problem. Sounds like your engineers don't know how to do jack with limited resources. One person is essentially running three companies at once. How many are you using to run ONE?

Re:"...as we migrate our audience..."

Could be.

Re:"...as we migrate our audience..."

[Reeses]

Why not do this in an open/community driven manner?

Set up a persistent discussion (make it a tab, "Changes are a coming to Slashdot", weigh in with a comment) and explain what changes you want to make, and why. Let the community hash it out. Maybe let us vote on a feature, and allow us to test it out on some dummy (or real) test stories to see how it works.

Or, instead of committing to wholesale, all at once change, change subsystems and let the community test them. See if slashdot can be slashdotted. And move forward.

You know, like actual professional software developers do. Not like Microsoft does.

Re:"...as we migrate our audience..."

[Reeses]

In my redirects to the beta (on mobile) it was immediately (and I mean immediately) obvious that whoever designed the beta had no fucking clue how people used the site and turned it into some sort of engadget clone.

I don't know how whoever designed it thought that all I wanted to read were headlines on my phone. It was embarrassing. And disappointing.

The changes have helped, but the mobile experience still doesn't completely "get it". But it's getting better.

Re:"...as we migrate our audience..."

This is the same thing I sent them on my feedback email. If I can't have classic, I'll simply stop coming. Speaking AC as I already moderated.

Re:"...as we migrate our audience..."

[Specter]

You're wasting your breath frinsore. Many of us who had early access to the beta complained about the exact list of things that has the general /. population so upset. We were ignored.

You had your constructive feedback Soulskill and you pissed on it. Please stop coming here pretending to want feedback.

If you actually give a shit stop talking and prove it. Fix the stuff you've broken in beta.

Re:"...as we migrate our audience..."

[Specter]

+1 This is the most concise argument I've seen yet for why the current commenting system is so loved:

"... because the design permits unfettered chaos while providing the means for users to wade through it quickly and efficiently, so they can easily promote the best content to the top!"

OMG...focus your efforts on making this feature of the site more awesome and forget the rest of the window dressing.

fuck beta

fuck it to hell.

Re:FUCK BETA

[synapse7]

**NOW WITH LINE BREAKS**

Please post this to new articles if it hasn't been posted yet.

  On February 5, 2014, Slashdot announced through a javascript popup that they are starting to "move in to" the new Slashdot Beta design.

  Slashdot Beta is a trend-following attempt to give Slashdot a fresh look, an approach that has led to less space for text and an abandonment of the traditional Slashdot look. Much worse than that, Slashdot Beta fundamentally breaks the classic Slashdot discussion and moderation system.

  If you haven't seen Slashdot Beta already, open this [slashdot.org] in a new tab. After seeing that, click here [slashdot.org] to return to classic Slashdot.

  We should boycott stories and only discuss the abomination that is Slashdot Beta until Dice abandons the project.
  We should boycott slashdot entirely during the week of Feb 10 to Feb 17 as part of the wider slashcott [slashdot.org]

  Moderators - only spend mod points on comments that discuss Beta
  Commentors - only discuss the Beta - Vote up the Fuck Beta stories

  Keep this up for a few days and we may finally get the PHBs attention.

Re:FUCK BETA

[foobar+bazbot]

Your links are broken; see html source in my pastebin...

Please post this to new articles if it hasn't been posted yet. (Copy-paste the html from here so links don't get mangled!)

On February 5, 2014, Slashdot announced through a javascript popup that they are starting to "move in to" the new Slashdot Beta design. Slashdot Beta is a trend-following attempt to give Slashdot a fresh look, an approach that has led to less space for text and an abandonment of the traditional Slashdot look. Much worse than that, Slashdot Beta fundamentally breaks the classic Slashdot discussion and moderation system.

If you haven't seen Slashdot Beta already, open this in a new tab. After seeing that, click here to return to classic Slashdot.

We should boycott stories and only discuss the abomination that is Slashdot Beta until Dice abandons the project.
We should boycott slashdot entirely during the week of Feb 10 to Feb 17 as part of the wider slashcott

Moderators - only spend mod points on comments that discuss Beta
Commentors - only discuss Beta
  http://slashdot.org/recent - Vote up the Fuck Beta stories

Keep this up for a few days and we may finally get the PHBs attention.

-----=====##### LINKS #####=====-----

Discussion of Beta: http://slashdot.org/firehose.pl?op=view&id=56395415

Discussion of where to go if Beta goes live: http://slashdot.org/firehose.pl?op=view&type=submission&id=3321441

Alternative Slashdot: http://altslashdot.org (thanks Okian Warrior (537106))

Re:FUCK BETA

Keep this up for a few days and we may finally get the PHBs attention.

Uh, the whole reason Beta is terrible in the first place is that the PHBs DON'T read Slashdot. Other readers/commenters will notice, but "corporate" won't.

Car Analogy Time!

[sinij]

If Beta was hot grits, then Natalie Portman would be driving Beowulf cluster of HUGOs!

Re:Car Analogy Time!

[TWiTfan]

My mother was a Beta, you insensitive clod!

Re:Car Analogy Time!

I got your car analogy right here:

Hating on beta is like that guy who just bought a new Volkswagon. Most folks do not care about Volkswagons and are not even all that familiar with them, but there is a large minority who love them beyond reason. They need to drag the Volkswagon brand into every conversation regardless as to whether or not it is germane or anyone cares one whit. It gets old and tedious, and you just wish they would just shut the fuck up and get over themselves.

I never thought about it like this but Volkswagon is the Apple of car manufacturers.

Re:Car Analogy Time!

What the heck is a HUGO? Google and Wikipedia fail me here.
Is this some sort of inside joke?

Re:Car Analogy Time!

[Em+Adespoton]

No; Volkswagon is the Linux of car manufacturers -- it's the people's car.
BMW is the Apple of car manufacturers.
And of course, Windows is the K-Car.
Interestingly, we don't appear to have a viable Toyota/Honda in the OS marketplace.

Re:Car Analogy Time!

[Specter]

In Soviet Russia, insensitive clods BETA you mother!

Re:Car Analogy Time!

[cbiltcliffe]

Watch Disney`s Cars 2.

Network segmentation

[Dan+East]

why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target's payment system network

Because they have just one big unified network for everything. That probably saves them money, unless something really bad were to happen...

Re:Network segmentation

[bjwest]

My guess is because IT is not given control over security, not listened to and told to "just do it" when they try to point out the security problems during planning. Butt you can bet your ass they're the one blamed when all hell breaks in.

Re:Network segmentation

Buck Feta!

Re:Network segmentation

Cheap Greek Cheese!

Re:Network segmentation

[mlts]

In most companies, someone poking around would have their access clamped shut by an internal IPS, with SMS messages going out to admins via the IDS.

I'm sure there has to be a perfectly justifiable way to explain this, but almost any corporate network tends to be well segmented, with finance being the most locked down of any area [1]. Unless the internal fabric got compromised, this shouldn't have happened unless it was an attack with a lot of collusion from parties inside the organization.

[1]: One place I worked at had the machines in finance completely disconnected from the Internet, and were separated from each other (no file sharing possible unless going through the company servers.) If people wanted to browse the Web, they used Citrix receivers and a terminal server, which was configured to not let files in or out. Said machines were not just locked down via AD, but used both BitLocker (to keep the machines from being booted from other media) and DeepFreeze [2] to help ensure that if malware did get on the boxes, it wouldn't persist. All data was stored on remote machines. So far, AFIAK, these precautions did a good job at keeping bad guys out.

[2]: DeepFreeze isn't 100%, but it does come in handy as an additional tool for a locked down environment to keep things clean.

#insert

Re:Network segmentation

If they were PCI compliant this would not be possible there is no way that there is a "justifiable" explanation. At a minimum they and whoever does their audits should have their authorization to process cards and perform PCI audits respectively pulled... not that this is likely to happen.

Re: Network segmentation

i'm thinkin some repair guy need to print an invoice and some beta admin just gave him full access, cause that the way the real world works. kinda like giving carte blanche to your new beta development team. what could go wrong?

Re:Network segmentation

[mythosaz]

It's not even necessarily that. The HVAC may or may not have had access into the "real" system, but it, at minimum, allowed them a foothold from which to perform penetration testing .

I remember implementing a change to our security because a chain that broke ultimately because some local SQL express SA accounts were open (on workstations, with 3rd party products that required local SQL express), which allowed further and further enumeration that ultimately ended with the discovery of a domain admin's credentials.

Re: Network segmentation

[TWX]

HVAC now relies on controls that are themselves Ethernet devices. Those devices in turn need to be reachable over the computer network, and a third-party HVAC company that is paid to monitor and service the air conditioning will need access to those HVAC controllers and to EMS (Energy management system) controllers to do their work. Since the devices are components on the network that can authenticate via 802.1X, they'll need credentials both to be on the network and to allow that third party to VPN into the network to monitor them.

The stupid part is that the HVAC controllers were not vlanned off to their own segment, only connected to HVAC-monitoring computers and a VPN gateway for just this function, but given how congested IDFs are and how expensive the staff is to continually maintain vlans and associated ports, I'm not surprised at all that this happened.

Re:Network segmentation

It takes a lot less time and most people won't notice the difference until it's too late.

http://www.despair.com/mediocr...

Re:Network segmentation

[mlts]

Maybe I've not seen an example of this, but there is a point where a I've not seen any meaningful enforcement of these regulations, be it PCI-DSS3, HIPAA, FERPA, Sarbanes-Oxley, or others. For example, from what has been shown in previous examples, PCI is almost a joke and given lip service at best. Tokenization of card numbers? Yeah, right.

Are these laws even relevant these days, since they don't seem to be actually heeded?

I wonder about replacing the existing penalties with taxes. A firm can ignore a regulation, but what would happen is a tax would kick in at a stiff percentage of their net worth or overall revenue (not profit, as that can be easily messed around with.) So, if a firm wants to leave credit card numbers in the clear, great... they will end up taxed to oblivion.

Re:Network segmentation

[Bigbutt]

When I worked at IBM, management of the IDS for the IRS was outsourced to India.

[John]

Re:Network segmentation

[aaarrrgggh]

No, it is that proper security is really hard to do, especially when you deal with third parties that need to access portions of the network that management also needs to access. It doesn't help when the third party has one company account, and a reasonably high turnover rate of employees.

I used to have a rolodex of access cards for different clients and sites. Many companies required a different card for each building. Then this magical internet came along and they merged all of the security systems into central corporate security. Like magic I only needed one card for each client, locked down to specific areas I needed access in different building. Then... they had a problem. I couldn't get into the building to help out. It wasn't the end of the world, but the project manager I was working for ended up giving me all access to keep it from happening again. It took two years for a corporate security audit to call me and ask why the hell I needed "ring zero access" or whatever they called it. Up until that I had cash vault access for whatever stupid reason.

The bigger and more distributed organizations get, and the deeper the tree is on the contractors they work with, the more it becomes impossible to manage security without paying a huge efficiency penalty.

Sorry to get so off-topic; aren't we supposed to be talking about how miserable the beta.slashdot.org site is? Completely unusable; are there any other competing websites that could resurrect the old slashcode?

Re:Network segmentation

My guess is because IT is not given control over security, not listened to and told to "just do it" when they try to point out the security problems during planning. Butt you can bet your ass they're the one blamed when all hell breaks in.

You be surprised the number of security unaware IT directors and managers in many organisations. External vendors have no reason for direct access to an internal network including the data stored therein.

Re: Network segmentation

[chromeronin799]

And all that segmentation costs money and hits productivity. You do realise Target would probably be as cheap as possible? I've inly worked in 2 placed with security you've described. A government support service and a bank. No corporate has had the money to do this, not even the retail outlets I've worked with. Building management servers probably authentic to are to the same forest as the finance server, which thanks to the shitty way AD requires lots of open ports proably means a flat open corporate back end.

Re: Network segmentation

[khasim]

... but given how congested IDFs are and how expensive the staff is to continually maintain vlans and associated ports, I'm not surprised at all that this happened.

That's why they should have their own Internet connection coming in. They should NEVER touch the production network. There's just too much risk (as shown by Target).

Re:Network segmentation

[OakDragon]

Wow, there was a security audit?!

Re:Network segmentation

the others might be laws, but pci isn't.

Re: Network segmentation

[dgatwood]

But a Target store doesn't get its network rewired very often, and doesn't get the HVAC cables rewired ever (for some multi-year definition of "ever"). There's really no good reason for those to not be on their own separate physical switch, but if you're going to use a shared switch, it still isn't that hard. You just lock those ports to a nonstandard VLAN, disable tagged VLAN access for those ports, and leave all the other ports on the default VLAN, and you're done. Oh, and label the cables, and stick a piece of tape with the words "HVAC ports" above those few ports so that nobody will yank the cables later, try to plug something else in, and wonder why it doesn't work, or try to plug one of those cables into a different port.

Better yet, color-code your jumper cables: blue for HVAC, red for registers, and white for general use. Do not let any color route to any other color, and ensure that whoever is wiring up a new device understands that the color in the back room should be the same as the cable that's semipermanently attached to the device on the other end, and always plugs red cables into red ports, blue into blue, and white into white.

This really isn't rocket science.

Re:Network segmentation

PCI is as good as a law. Cross those boundaries, and Visa yanks your merchant status, which hurts more than any corporate law can do.

Of course, even PCI-DSS3 doesn't seem to be enforced.

PS: The Slashdot beta is better than sex!

Re:Network segmentation

[chipschap]

My guess is because IT is not given control over security, not listened to and told to "just do it" when they try to point out the security problems during planning.

I was once the security advisor at a Large Place. A senior manager came to me and said, I want to forward all my email to Gmail so I can read it at home. (Much of it was sensitive stuff.) He said, "what do you advise?" I said, obviously, not to do it as it presented unacceptable risk, forwarding internal sensitive email to an external source beyond our control. He replied, "OK, I asked you the question, document that, will you? I can't help it if you gave the wrong answer" and he went ahead and set up forwarding. Actually, had someone set it up because he was clueless about how to do it.

Re: Network segmentation

[TWX]

I have an idea, trying working network infrastructure for even a metro-sized organization, where there are less than a handful of staff members for dozens of sites, and those staff members don't have the authority to keep service technicians for other disciplines out of the telecom closets and enclosures. Now take away their budget so that they have to scrounge for patch cords, and set up a situation where building facilities staff routinely make changes without informing the IT department, let alone infrastructure.

Do that, then try to keep things consistently set up.

In short, I know how to do it, you know how to do it, most of us in the profession know how to do it. What we don't have is resources, and we're unlikely to get them.

Re:Network segmentation

[aaarrrgggh]

Damn FDIC. Oh well...

By the way, the phone number for Dice Holding's corporate headquarters is 212-725-6550. Be sure to give them a call and let them know what you think about their new design.

Re:Network segmentation

[taustin]

The enforcement comes after a breach, not before. It takes of form of "You weren't compliant, even though you swore under oath you were, so you are 100% responsible for all costs. You pay for the investigation, you pay for remediation, new cards, mailing costs, etc., and you pay 100% for all fraud committed with the stolen numbers. You do so now, or we sue you until you do." And you, the merchant, agreed to all that when you signed up for the merchant account, so you'll lose if you fight.

The enforcement, in this case, according to TFA, is up to $420 million.

But PCI compliance isn't actually all that difficult to do, and Target probably was compliant. There are numerous provisions for exceptions based on business need. If you decide you need computerized HVAC systems, and given the size of their stores, they do, and you can demonstrate that it's cheaper (and probably by quit a bit) to contract that out to a third party, and I'm sure they can, and that third party give s a significantly lower quote if they can work remotely, and it's hard to imagine that's not the case, then there's a business need for remote control. And that is an opportunity for compromise, as Target has brilliantly demonstrated.

Be interesting to see some details on exactly how that compromise took place. Most likely, I would imagine, social engineering, or a simple bribe.

And no, there's no requirement anywhere in PCI that your air conditioners be segmented from your credit card processing servers. Yeah, it's stupid not to, but if "don't be stupid" were a PCI compliance issue, there wouldn't be a single credit card merchant anywhere in the world.

Re: Network segmentation

[taustin]

Nice theory. How much less per hour are you willing to make to pay for it?

Re:Network segmentation

[cusco]

Most companies??? Hardly. On a properly run network, sure. Those are rarer than hens' teeth. Retail corporations are some of the worst for squeezing their employees as much as possible while paying them as little as possible, if the network engineers are even Target employees and not contractors. The company that I used to work for refused to bid on jobs to install security equipment in retail stores for the simple reason that it is impossible to break even without doing shoddy slap-together work much less make money.

If Target is typical of most retail companies each store is a standalone node with a single link (with backup) up to regional/district hub. The segmentation happens at the store level, and everything within that segment can talk to everything else because no one wants to deal with the nightmare of custom VLAN configurations for each store. There **might** be an IDS running on the Corporate headquarters network, but it's doubtful that it would even be configured correctly much less maintained and monitored.

Seriously, here's how bad it is in the retail world. My wife has to do her annual self-review on the corporate network, so she brought home the instructions that they gave the employees. With 18 years of experience working with computers, web applications, and following obscure and poorly written documentation I was unable to make heads or tails of this mess. Not only are they unable to build a decent web app for something as simple as annual reviews, they can't even create a usable step-by-step instruction guide.

The major surprise in the Target attack was that it has taken this long to happen.

Re:Network segmentation

[AmiMoJo]

I used to work at a place that made fire alarm systems. People were using the fire alarm panel to control HVAC too. Anything to save a few bucks and "add value" to the safety critical fire alarm and smoke extract system.

Sucked almost as much as Slashdot Beta.

Re:Network segmentation

>In most companies

{citation needed}

Seriously though, I don't think you realize the reality of security "on the ground" in "most" companies. The Fortune 500 and other huge companies are dwarfed in number by the mom and pop shops and the small businesses.

Re: Network segmentation

[dbIII]

Yes but we live at a time when Automatic Teller Machines full of money are running on WindowsXP and are on the internet. The usual rules of sanity are not seen to apply.
Thus a long chain of stupidity, which never would have been accepted in the "less computer savvy" 1990s, leading to a breach. There are many things they should have done starting with your suggestion above to keep others out of where the money is handled.

Re:Network segmentation

[maz2331]

I call shenanigans. This type of breach shouldn't be remotely possible if the cardholder data environment (CDE) was behind a proper firewall as per the PCI specifications. That means that anything that stores card data has a VERY short whitelist of what it may communicate with, and then only on the bare-minimum of ports. And no, just a VLAN won't cut it there. All of the registers, card readers, internal servers, switches, etc on which the card data flows are required to be firewalled both inbound and outbound to the absolute bare-bones minimum possible. Someone, somewhere, trusted something internal to the network but outside of the CDE, that something was compromized, and out poured cardholder data like a firehose. Or they just said they firewalled and segmented without actually doing it.

Re:Network segmentation

[Cramer]

No, it's not "really hard". It simply requires people with a clue to actually take the time to do it correctly. Plugging everything into a stack of unmanaged switches is quick and doesn't require any education at all. Granting you "access to everything" was the quick, expedient solution to a problem that was never later resolved.

Re:Network segmentation

[JWSmythe]

Some places are horrible about it.

I took over IT at a company, which included badge access to various parts of the building. It always seems to be up to whoever is issuing cards that day. Some low access employees had 24/7 all door. Some senior executives could only open their own office door, but couldn't open the exterior doors outside of 9am to 5pm. There were a whole list of ex-employees, who never turned in their cards, who still had 24/7 all door access.

A long time ago, like at one of my first jobs, I worked cash registers at a major retail chain (no, not Target). That chain had registers throughout the store. I was suppose to be locked down to my store, and a handful of registers in my assigned area.

A year after I left the company, I happened to be shopping at a company store in another city. For giggles, I tried my register login, and it worked. Well, I asked the person at the register to let me log in, and it worked. :) It's not like I could have done a lot. I could have issued credits to credit cards, if they had been used at the store. I could no-sale the register. So, I could walk out of the store with a fistful of cash, and take all the debt off my credit cards.

My access remained for a few years, until someone finally figured out, "Hey, that guy doesn't work here."

Unfortunately, I'm a good guy. I didn't steal anything. I have a terrible allergy to jail.

Re:Network segmentation

[BVis]

But PCI compliance isn't actually all that difficult to do

No, so long as you have the ability/authority to make the changes that PCI requires. If you've got a back-office accounting system that can't handle tokenized credit card information, and 100% will NOT accept anything less than a full credit card number and expiration date to enter an order, it's "compensating control" time. Which is a fancy way of saying "Our business practices suck and we don't want to change them, so security suffers".

Re:Network segmentation

Could it be forwarded with encryption? Would that help?

Never been a so free

[cfulton]

To say fuckity fuck fuck fucking /. you used to be so kind.

FUCK BETA

[synapse7]

Please post this to new articles if it hasn't been posted yet. On February 5, 2014, Slashdot announced through a javascript popup that they are starting to "move in to" the new Slashdot Beta design. Slashdot Beta is a trend-following attempt to give Slashdot a fresh look, an approach that has led to less space for text and an abandonment of the traditional Slashdot look. Much worse than that, Slashdot Beta fundamentally breaks the classic Slashdot discussion and moderation system. If you haven't seen Slashdot Beta already, open this [slashdot.org] in a new tab. After seeing that, click here [slashdot.org] to return to classic Slashdot. We should boycott stories and only discuss the abomination that is Slashdot Beta until Dice abandons the project. We should boycott slashdot entirely during the week of Feb 10 to Feb 17 as part of the wider slashcott [slashdot.org] Moderators - only spend mod points on comments that discuss Beta Commentors - only discuss the Beta - Vote up the Fuck Beta stories Keep this up for a few days and we may finally get the PHBs attention. Discussion of Beta [slashdot.org] Discussion of where to go if Beta goes live [slashdot.org] Alternative Slashdot [altslashdot.org]

Maybe this is why we have the beta

[Bob+the+Super+Hamste]

Maybe this is why we have the slashdot beta issue, something came in with the HVAC account at dice. It sucks enough that the HVAC system might be to blame.

Re:Maybe this is why we have the beta

[TheGratefulNet]

well, even if they swapped plus and minus on the power supply or turned the switch from SUCK to BLOW, I'm not sure it would improve the beta, any.

Re:Maybe this is why we have the beta

[sconeu]

So, if I understand you correctly, you are saying that Dark Helmet designed the Slashdot Beta?

Re:Maybe this is why we have the beta

[kolbe]

At least Target didn't change their website after fucking up so badly

Slashcott

Please post this to new articles if it hasn't been posted yet.

On February 5, 2014, Slashdot announced through a javascript popup that they are starting to "move in to" the new Slashdot Beta design.

Slashdot Beta is a trend-following attempt to give Slashdot a fresh look, an approach that has led to less space for text and an abandonment of the traditional Slashdot look. Much worse than that, Slashdot Beta fundamentally breaks the classic Slashdot discussion and moderation system.

If you haven't seen Slashdot Beta already, open this in a new tab. After seeing that, click here to return to classic Slashdot.

We should boycott stories and only discuss the abomination that is Slashdot Beta until Dice abandons the project.
We should boycott slashdot entirely during the week of Feb 10 to Feb 17 as part of the wider slashcott

Moderators - only spend mod points on comments that discuss Beta
Commentors - only discuss Beta http://slashdot.org/recent [slashdot.org] - Vote up the Fuck Beta stories

Keep this up for a few days and we may finally get the PHBs attention.

Discussion of Beta: http://slashdot.org/firehose.pl?op=view&id=56395415
Discussion of where to go if Beta goes live: http://slashdot.org/firehose.pl?op=view&type=submission&id=3321441
Alternative Slashdot: altslashdot.org

GET OUT OF BETA FREE CARD

http://slashdot.org/?nobeta=1

Use it while you can, because they say they're gonna take it away soon.

Brick and Mortar Stores Need to Rethink

[dmomo]

The design of their security. They should redesign it by committe. Here are some suggestions for your Target Security Beta:

* More whitespace. Credit card thieves hate whitespace.
* Big goofy graphic before they can steal your credit card info
* Force a lot of scrolling, this will definitely send attackers away
* Make the store look like Buzzfeed. This will send them screaming.

Bitcoin not affected

Under [pure] Bitcoin, only the owner of money can initiate a transaction.

HVAC vendor has network access to the POS system?

[jdastrup]

Might as well give HVAC vendors access to the slashdot beta servers so they can destroy it as well.

That's how it always happens

[GodfatherofSoul]

The weakest link won't be the shiny titanium front door.

Re:That's how it always happens

[Em+Adespoton]

No, it's always about hiding the relevant bits behind a shiny interface.

Boycott

Please post this to new articles if it hasn't been posted yet.

On February 5, 2014, Slashdot announced through a javascript popup that they are starting to "move in to" the new Slashdot Beta design.

Slashdot Beta is a trend-following attempt to give Slashdot a fresh look, an approach that has led to less space for text and an abandonment of the traditional Slashdot look. Much worse than that, Slashdot Beta fundamentally breaks the classic Slashdot discussion and moderation system. If you haven't seen Slashdot Beta already, open this in a new tab. After seeing that, click here to return to classic Slashdot.

We should boycott stories and only discuss the abomination that is Slashdot Beta until Dice abandons the project.

We should boycott slashdot entirely during the week of Feb 10 to Feb 17 as part of the wider slashcott

Moderators - only spend mod points on comments that discuss Beta
Commentors - only discuss Beta
http://slashdot.org/recent [slashdot.org] - Vote up the Fuck Beta stories

Keep this up for a few days and we may finally get the PHBs attention. Links of note:

Discussion of Beta: http://slashdot.org/firehose.pl?op=view&id=56395415
Discussion of where to go if Beta goes live: http://slashdot.org/firehose.pl?op=view&type=submission&id=3321441
Alternative Slashdot: altslashdot.org
IRC Discussion: freenode #slashdot-refugees

The marked-up text of this comment can be found at http://pastebin.com/UdLBWbs6

that explains BETA

[stenvar]

BETA must have started with an HVAC account as well; that's why it sucks so badly.

Re:that explains BETA

[BronsCon]

Rather, it blows.

Please recreate user base

In case Slasdot forks...I suggest if someone wants to register with user name that exists on slashdot, ask him to post a slashdot comment containing a particular key, and then give that comments's link. This way, we will know that Anne_Nonymous is Anne_Nonymous etc.

You have reserved a lot of space for that.

[dccase]

With the beta you can only see 3 or 4 whiny replies per page on a big screen.
No way I'm scrolling through thousands of them.

I don't think I could be arsed to read through many good ones either.

Buh Bye

P.S. It automatically ate my line breaks. Funny it wants to save space by removing actual message formatting.

Re:You have reserved a lot of space for that.

Here, use this:

http://slashdot.org/?nobeta=1

how about PCI compliance

It might be "easier" to run a unified network but that doesn't explain why they ignored PCI laws.

It's good thing to remember as they take you (the target CTO) off to prison.

Re:how about PCI compliance

[taustin]

The only segmentation required is for WiFi and publicly visible servers, like web and email. And "segmentation" isn't really defined in the PCI specs, so it's very, very fuzzy. Remote access to any part of the network is explicitly allowed (provided it's encrypted) if it's needed. And that's the thing about PCI - almost anything can be an exception based on the needs of the business. When the choice is between keeping the network secure and losing an important customer, even Visa and MasterCard get real practical, real quick. And Target is a big customer. I suspect they're one of the handful (as in, you can count them on your fingers) Class I merchants in the country.

Plus, as has been noted, PCI isn't law, it's a contractual requirement with a merchant account. A purely civil matter. It isn't possible to go to prison for not being PCI compliant (though many have speculated there might be an "inside job" component to this, which would be a completely different matter).

I try something new

[oRCAD+Monkey]

After my nap I had a fantastic idea. If I copy classic Slashdot web page and post to beta, maybe, maybe beta change to classic. I hope I fix beta and everyone will be happy again Slashdot Log out oRCAD Monkey Submit Newsletter Jobs Channels SlashTV rss stories submissions popular blog ask slashdot book reviews games idle yro cloud hardware linux management mobile science security storage Slashdot journal entries can be automatically submitted as stories Newer Older Target's Data Breach Started With an HVAC Account Posted by samzenpus on Thursday February 06, 2014 @04:05PM from the sneaking-in dept. Jim Hall writes "Security blogger Krebs reports that Target's data breach started with a stolen HVAC account. Last week, Target said the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now claim that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers. Attackers stole network credentials from Fazio Mechanical Services, then used that to gain access to Target's network. It's not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target's payment system network." Read the 20 comments xsecurity story Military Electronics That Shatter Into Dust On Command Posted by samzenpus on Thursday February 06, 2014 @03:22PM from the poof-it's-gone dept. First time accepted submitter MAE Keller writes "Two U.S. companies are joining a military research program to develop sensitive electronic components able to self-destruct on command to keep them out of the hands of potential adversaries who would attempt to counterfeit them for their own use. From the article: 'Last Friday DARPA awarded a $2.1 million contract to PARC, and a $3.5 million contract to IBM for the VAPR program, which seeks to develop transient electronics that can physically disappear in a controlled, triggerable manner.'" Read the 129 comments xbetatest xmilitary xtechnology xditchbeta xvaprware story The Standards Wars and the Sausage Factory Posted by timothy on Thursday February 06, 2014 @02:40PM from the these-things-take-time dept. Esther Schindler writes "We all know how important tech standards are. But the making of them is sometimes a particularly ugly process. Years, millions of dollars, and endless arguments are spent arguing about standards. The reason for our fights aren't any different from those that drove Edison and Westinghouse: It's all about who benefits – and profits – from a standard. As just one example, Steven Vaughan-Nichols details the steps it took to approve a networking standard that everyone, everyone knew was needed: 'Take, for example, the long hard road for the now-universal IEEE 802.11n Wi-Fi standard. There was nothing new about the multiple-in, multiple-out (MIMO) and channel-bonding techniques when companies start moving from 802.11g to 802.11n in 2003. Yet it wasn't until 2009 that the standard became official.'" Read the 136 comments xit xwireless xnetworking xbureaucracy xorganization story New Type of Star Can Emerge From Inside Black Holes, Say Cosmologists Posted by Soulskill on Thursday February 06, 2014 @02:00PM from the cross-black-holes-off-your-list-of-good-hiding-places dept. KentuckyFC writes "Black holes form when a large star runs out of fuel and collapses under its own weight. Since there is no known force that can stop this collapse, astrophysicists have always assumed that it forms a singularity, a region of space that is infinitely dense. Now cosmologists think quantum gravity might prevent this complete collapse after all. They say that the same force that stops an electron spiraling into a nucleus might also cause the collapsing star to 'bounce' at scales of around 10^-14cm. They're calling this new state a 'Planck star' and say its lifetime would match that of the black hole itself as it evaporates. That raises the possibility t

Re:HVAC vendor has network access to the POS syste

[kruach+aum]

Not as good as the one about self-destructing chips, still pretty good

DiceNews for Dicks

[Junior+Samples]

Rename the beta site and call it "DiceNews for Dicks". Then load it up with stories about the Deport Justin Beiber Movement http://www.google.com/url?sa=t... and news for Kardashian stories https://www.google.com/search?...

Leave Slashdot alone!

Re:DiceNews for Dicks

Seriously. This isn't People Magazine. This is a website populated by programmers, technicians, and engineers. We don't care if your website looks nice, we care if it works.

BETA DOESN'T WORK FOR US.

Big dumb and pretty isn't going to sell, here.

Community Was Right

[MarkvW]

Watch 'Community' on NBC. You'll see that the HVAC people are the hidden power in our civilization. Be very afraid.

Re:Community Was Right

[Antipater]

So you're saying that only Troy Barnes, the Truest Repairman, can save us from Beta?

Re:Community Was Right

[Megane]

Except he's on a one year cruise or something. So I guess we're totally fucked.

turn off javascript

[fredan]

turn of javascript for slashdot.org, fsdn.com, googleadservices.com and truste.com.

problem solved.

Re:turn off javascript

[neo-mkrey]

NoScript and AdBlock+ are your friends.

Re:turn off javascript

turn of javascript

Ah yes, that is a bit of truth that has served me well for the last decade. When sites completely break when you turn off javascript, it has been a safe sign that I should find something better to do with my time.

Re:turn off javascript

[sexconker]

turn of javascript for slashdot.org, fsdn.com, googleadservices.com and truste.com.

problem solved.

Don't forget to block third-party cookies!

Analytics

[Etherwalk]

They probably have it all on one network so they can easily correlate the data. HVAC settings will influence purchases and a smart store is dynamically setting temperature to maximize sales volume, although within certain constraints.

Re:Analytics

[Nos.]

It doesn't have to be on the same network to easily correlate data.
You pull from many locations to one to correlate data.

This "protest"

This "protest" is generating quite a few page views.

just say'in.

Re:This "protest"

Until the Slashcott next week.

Re:This "protest"

[Iamthecheese]

Indeed, and if Dice can't see past the next three months they may see that as desirable. Discussion boards like Slashdot need their contributors WAY more then the contributors need them. Remember what happened when Digg ignored their users? If Dice wants Slashdot for its large number of techies the dumbest thing they can do is to drive away said techies.

"Been slashdot'd" takes on a whole new meaning...

[QuietLagoon]

After seeing what the new beta site looks like, in the future "being slashdot'd" will mean being destroyed by someone who does not understand what they are destroying.

Target breech was bad, but not as bad as /. BETA!

[CQDX]

Beta sucks

BETA SUCKS

FUCK BETA

Did the software have fixed passwords / users?

[Joe_Dragon]

Did the software have fixed passwords / users?

Some software needs an fixed login to work.

Slashdot Beta

[ShaunC]

Target fucked somewhere between 40 million and 110 million people. DICE is now trying to fuck something south of half a million people.

Cut this shit out. Revert. Take the DICE Marketing department out for a nice big lunch, drinks and all. Then send them home for the weekend. Then undo the damage they've done.

I'm sadly sure that this is an intentional ploy to drive away long-time users ("geeks" and "nerds") who have contributed so much that, like me, they're eligible to disable advertising. What they don't understand is that even if my karma was shit (we don't get numbers anymore, I guess mine would be 50++++++), I'd still be using Ghostery and AdBlock to block the ads without Slashdot's generous option.

Wake up, guys. This is a tech site. The comments make the site. The users make the site. We aren't going to sit around and watch it go to shit. You will have nothing, ZERO left if the beta interface goes into production, except for a few new users who came over from MSNBC.

Writing, wall, see it, hope you have negotiated a nice severance package.

Re:Slashdot Beta

[kolbe]

So what you are saying here is that slashdot is fucking more people than DICE and Target combined? Cowboy Neal needs to verify this... I think the number is higher.

Re:Slashdot Beta

This was a tech site.
I started my "life in computing" in 1978 after completing my BSc (physics) as a Computer Engineer working for ICL (International Computers) in New Zealand.

The changes I have seen!

To those that have contributed over the years to Slashdot I thank you!

The comments really do make the site. The users make the site...even if some do not RTFA.

Stating the obvious I fully agree with your comment. So where to from now? Ars Technica or The Register?
Both trump the BETA Slashdot.

I will participate in the Slashdot boycott.

Glenn.

In MY experience ...

[khasim]

I have gone through this exact same "logic" at places where I've worked. It's impossible to explain to some people that ... while the person putting in X may be completely honest you are depending upon that person to have as good security practices as you have.

Except that that person does not have any idea of what network security is. Or computer security.

But it will make it easier if vendors X, Y and Z have remote access to their systems which are on the production network.

It will be more difficult if we have to pay an ISP for the cheapest line they have and colour-code it and label it and super-glue it so that they have access but it does not touch the production network. At least not without someone coming in and physically re-wiring it.

Re:In MY experience ...

[leonardluen]

and wouldn't that be the purpose of ACL's and firewalls? you can share the same physical network but with proper ACL's you shouldn't be able to access the financial segment of the network from the hvac segment.

what purpose does any of the hvac machines need on the financial side of the network? any traffic going between the two (in either direction!) should be blocked and send up red flags.

Re:In MY experience ...

[DarkOx]

Sure you can put ACLs are switch ports and you can do layer two firewalls; in general you don't. Usually if you have a switch that can do ACLs you have a switch that can also do routing, so you can segment the network as well for little cost. That segment makes the broadcast domains smaller. Usually that leads to better performance. If you are doing layer 2 firewalls its usually in the data center. Doing it on the plant floor would probably just create lots a problems for protocols like ARP, and if it does not its leaving open lots of side channels that you can't monitor as easily.

Re:In MY experience ...

[khasim]

and wouldn't that be the purpose of ACL's and firewalls?

In general, yes. But the situation should not arise where you have to firewall a vendor's system because it should not be touching your production network in the first place. It's adding risk when it is not necessary.

what purpose does any of the hvac machines need on the financial side of the network? any traffic going between the two (in either direction!) should be blocked and send up red flags.

Yes, it should. You are correct.

But this doesn't have to be between the financial sub-net and the HVAC sub-net. The HVAC system only needs access to a machine that DOES have access to the financial network.

Or access to a machine that has access to a machine that has access to the financial network.

Or access to a machine that has access to a machine that has access to a machine that has ......... the financial network.

It's easier just to keep it off the production network.

Beta is great !

Yes, that is right, the Beta UI of Slashdot is the best invention ever. I am sure that the HVAC system could also benefit from it. Who wouldn't want a system that looks like 'any other site', feels un-nerd-like and is guaranteed to drive away advanced users ! In the end, the system is sure to draw the attention of only those people that want to spend time spamming and trolling. I think it is a great idea for that purpose...

That, and Beta sucks.

Fuck the Beta

Visit the Wiki at http://altslashdot.org/
Come on IRC channel #slashdot at irc.slashnet.org. Or use the web client: http://www.slashnet.org/webclient
We can rebuild this site anew!

Re: Comment on this story.....

I cannot comment on this story because I can only display 2 comments at a time on the screen - despite there being loads of unused real estate down either side of the page. I'll spend the rest of the evening srolling down to see if I can work out who is saying what....

Michael P. Durney President and CEO of Dice

Just called the owner of Slashdot on 212-725-6550, even his secretary knows already the subject in advance.
The redesign of Slashdot, I think they got the message, but maybe you have to make sure...

Re:Michael P. Durney President and CEO of Dice

Just called the owner of Slashdot on 212-725-6550, even his secretary knows already the subject in advance.
The redesign of Slashdot, I think they got the message, but maybe you have to make sure...

I called too. Same result.

Answer to "Why weak security?"

[sehlat]

Because good security, like anything else worth buying, costs $$$. So it looks like a loss on the books. Remember, "the books" don't show the loss Target's taking in lost trade until the trade is lost by incidents like this. And even then, I'll be they don't do very much other than put some cosmetics on their system.

For the same $tupid reason: "The $tockholder$ won't like it."

Why HVAC contractor has network access

[LaughingVulcan]

Either A) some IM, email, or trouble ticket system, or B) remote setting of network enabled thermostats and diagnostics of HVAC units remotely. And the submitter can't think of that? Then why post it. And why not segregate the payment system? Uh, cause that costs money to do, and PCIDSS is a fucking stupid thing 99% of the time. It is only used to blame retailers instead of making the Vendors and Card companies design and ensure airtight security, as it should be. Does make one wonder why any retailer POS system should travel on the Intertubes and networkable systems, though, instead of fixed landline. (Yeah, unrealistic, but if the credit card industry won't man up and take responsibility then maybe that's what they should be relegated to.)

Re:Why HVAC contractor has network access

[SrLnclt]

Modern HVAC controls are much more than thermostats. There are typically resets for supply air temperatures based on outside air conditions and time of day, and boiler water temperature setbacks based outside air conditions. Fan and pump systems can get feedback from the positions of dampers/valves throughout the system, and the VFD can slow down to minimize energy usage based on the feedback from the worst-case zone in real time. The list goes on, but all of this energy optimizing relies on lots of real time data, and the easiest way to do this is on an ethernet network.

Many large clients, particularly those with multiple locations like school districts or big box stores will hire a controls company, and pay them a bunch of money to save a target dollar amount or percentage amount on their energy costs. This is typically done through an online interface to monitor multiple locations simultaneously, and keep them all operating the same way. The user doesn't typically care how the contractor sets this up, they just want the savings. The cheaper the contractor can get to the target the more money he makes, which can lead to corner cutting by the contractor.

Some people (government, some Universities) tend to make the controls sub-contractors install a second, independent TCP/IP network for their equipment. But this security comes at a cost premium, particularly in existing buildings that already have a network in place for their computer needs. Most places I have seen don't bother with this due to the cost and the general availability of network connections in today's world. If the security is setup properly this shouldn't be needed, but we all know how often proper security is overlooked.

Re:Why HVAC contractor has network access

PCIDSS is a fucking stupid thing 99% of the time. It is only used to blame retailers instead of making the Vendors and Card companies design and ensure airtight security, as it should be.

PCI is only a starting point of designing and implementing a reasonably secure system for dealing with the card information. As this leak seems to demonstrate, even the very basics are still lacking at some of the "big players".

I kinda think the Beta is awesome.

[gdek]

I honestly don't understand what the fuss is about.

Re:I kinda think the Beta is awesome.

I honestly don't understand what the fuss is about.

Was it designed by your son or something?

Re:I kinda think the Beta is awesome.

[edxwelch]

Careful, what you say!
There seems to be an angry anti-BETA lynch mob out there

Re:I kinda think the Beta is awesome.

[bobbied]

I honestly don't understand what the fuss is about.

Was it designed by your son or something?

Perhaps he works for them? Just saying..

Re:I kinda think the Beta is awesome.

I personally think it was done badly. However I know people who actually uttered 'hmm windows 8 its not bad'. Seriously? Whatever floats your boat. There are people who might like the redesign. They are probably in the minority. To call someone a 'shill' or 'works for the company' is very lazy thinking.

Re:I kinda think the Beta is awesome.

[kharchenko]

Tried moderating there yet?

I just bought myself a year of Reddit Gold

[ShaunC]

Because the /. beta can't even properly suck on my nuts :(

Chances are, you're behind a firewall or proxy, or clicked the Back button to accidentally reuse a form. Please try again. If the problem persists, and all other options have been tried, contact the site administrator.

Re:I just bought myself a year of Reddit Gold

[bobbied]

If the problem persists, and all other options have been tried, contact the site administrator.

Hello?

Loyal readers trolling Slashdot protesting beta ..

[kbahey]

Dice can't see it, since they are new here (he he)...

The most loyal long time most avid readers of Slashdot, are not trolling the site, in protest of the failed beta. Never thought I would see the day ...

Where is GNAA, Natalie Portman grits, and frist prost when you need them!

Let me explain ...

I have been a regular visitor to Slashdot for around 15 years. For that, I get the checkbox to disable ads, though I browse with Javascript disabled so my browser does not slow down.

I come here for the discussions, and often read comments at +5, changing that only if I find a discussion interesting and warrants reading at a lower level.

The new beta uses JQuery for the comment threshold selector, and changes that on the fly. This means all the comments are loaded, but not visible, and processing any page with considerable number of comments will slow down MY computer! If I have a few tabs open to read later, my computer will be unusable.

What is worse it that they require you to click on the slider on every article to change the threshold! This is just insane!

If they insist that I enable Javascript to browse the site at the threshold I want, then they will lose me as a long time. I imagine that others long timers will hate the site too.

Dice have to remember that this site has two unmatched features, interlocked: a moderation system that is good at cutting down the trolling, spamming, and noise, and a comment section that is frequented by many people who are passionate about technology and other nerdy stuff.

If they wanted to intentionally ruin the site and drive people away, they would not have done any worse than what they are doing now.

If they manage to aggravate a lot of their users, the comment section will no longer be attractive to the audience. Perhaps we should revive kuro5hin?

I wrote the above in a feedback form that I filled a while ago, and I am emailing this comment to their feedback@slashdot.org. Please send them feedback too.

HVAC on slashdot beta

Depending on your point of view, two things that suck, or blow...

Banksters and microchips

It's not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target's payment system network.

Not clear if these conglomerate retailers are part of the bankster push for international electronic monetary data systems: ie, the microchip implants are coming.

Breach the BETA

I've woken up hung-over and found women in my bed that looked better than BETA. I've never regretted fucking them as much as I'd regret FUCKing BETA!

Wow, this is incredibly bad...

[KingRobot]

I pretty much left slashdot once, when Dice took over, because the quality of the content went downhill... now the quality of the site has gone downhill too. So long slashdot. BTW, for those who remember CmdrTaco, he's working on a pretty interesting new project called Trove - check it out!

Beta, NO!

[Octojay]

I have been lurking around here pretty much since Slashdot's inception. I finally felt the need to make an account today to let it be known that I will be joining the Slashdot boycott on February 10-17th. I (and apparently everyone else) made their feedback for the beta when it was introduced. They decided to not listen. This site is truly something special, its community and insightful discussions are completely unmatched. We can't let them ruin it. Join the boycott, a severe drop in traffic should get their attention because apparently our protest is falling upon deaf ears.

common user / pass are easier with contract / subs

[Joe_Dragon]

common user / pass are easier to work with and manage when you are dealing with contracts / subs even more so in an area like hvac where the workers are not IT people and you have field work that can get subbed out to local firms now giving each tech there own login can be hard to keep track of and you have to deal with lock outs do to expiring passwords as they may need to use them day to day.

Obligatory XKCD?

Is there an obligatory XKCD to explain how badly Beta sucks???

PCI isn't law

PCI is a compliance issue, not law. The payment card industry will just make you pay more for your credit card transactions if you're not compliant.

PCI also widely open to interpretation so it isn't exactly a standard. I worked for a company that implemented PCI on it's own product. We always had PCI "auditors" or "experts" who claimed we were not compliant. Once we made them read the document, they shut up. Who knows who Target hired for PCI compliance? You can have unencrypted credit card go over https and that's compliant. You can have it behind a firewall and that's, you guessed it, compliant.

The real problem is that PCI puts the onus on retailer to make cards safe when it's up to the payment card industry to make their cards and transactions more secure. It's a B.S. standard that only places a band-aid on the real problem.

Re:PCI isn't law

[taustin]

Non compliance is about more than transaction fees. It also who determines pays when there is a breach. If Target is non-compliant, they are 100% responsible for all investigation and remediation costs (as well as any fraud committed using the compromised card numbers). In this case, according to TFA, that's up to $420 million, with only $160 million in insurance. A $260 million write-off probably won't put Target out of business, but it'll sure piss off the shareholders when it shows up in the annual report.

On the other hand, if they are compliant, they're not responsible for any of that.

An IRC Channel for slashdot refugees

[thinkingrodent]

Post this on every story that pops up, even if it's already been posted. IRC for slashdot refugees. http://webchat.freenode.net/?c...

How did they pass the audit?

[wcrowe]

It's not immediately clear why Target would have given an HVAC company external network access,..

They probably have access to the network because the heating and AC for the stores is centrally controlled, like it is at Walmart, for instance. That's not a suprise. ... or why that access would not be cordoned off from Target's payment system network."

This is definitely the bigger question. PCI is pretty clear about this. My next question is, how did they pass the audit?

Re:How did they pass the audit?

Actually there is no such thing as an PCI audit. All audits are outsourced to so-called to QSAs (qualified security assessors). Most QSAs are most interested in selling their services and their procedure book/product rather than really auditing anything real. You buy the QSAs stuff, they give you a clean bill of health...

Think of it like what happens when there is a security breach and they offer "free" credit monitoring. The monitoring company could give a rats ass about your credit, they just want to sell you their service after the free introductory period has expired and collect their money.

Slashdot Beta sucks

[Adeptus_Luminati]

I've emailed them... they ignore... the more they ignore the quicker their downfall.

Ignore your userbase, and you shall have none. If I am ignored much longer, I will leave. Just like I left mashable after their AOL'ed it.

PS. I've been a slashdotter for 7+ years.

Re:Slashdot Beta sucks

Slashdot Beta really is awful.
I've already quit using nbcnews.com because of their horrible interface.
Slashdot...your next.

Re:Slashdot Beta sucks

[Alternate+Interior]

You've a lower UID than me and I'm sitting at 13y. I've provided feedback, months ago when this was alpha and again yesterday when they made this announcement.

Beta is def better than alpha was. Commenting is infinitely better on Beta than Alpha. But it's STILL incredibly backward compared to Classic. Slashdot is literally the only site (besides dedicated forums) where comments are worth doing. I suspect what's happening is Alpha was shit, developers feel like they've addressed the problems in Beta but people are still complaining and so developers and/or management have gone standoff-ish. I can only suspect no one at Dice REALLY interacts with commenting. Reading comments isn't the same thing.

(Of course I still miss the old table-based /. of yore. It was the best. If you want a change, bring back classic /. Classic.)

Re:Slashdot Beta sucks

[strikethree]

No trees were killed in the making of this post; however, many trillions of electrons were horribly inconvenienced.

I like your .sig

Do I have a comment

Just trying out this BETA product. Looking good! :=)

Was about to read the story.

[aaaaaaargh!]

But then Beta was switched on and I quickly turned away. :(

Re:"Been slashdot'd" takes on a whole new meaning.

[wjwlsn]

I was thinking something similar, but it was more like being destroyed by the very community that you were trying to court... out of an unwillingness to heed the warnings from that same community.

Really?

[akpak]

Then why minimize (literally) the community's contribution? This box I'm typing in is given less than 1/4 of the page width here. The rest of that space is off-center column lines and unused space. Everyone's comment below mine will get even less space. If you value discussion and "contribution," then allow that content to shine and give it the visual weight it deserves. Also: Where are my line breaks? This is Usability 101 stuff here, guys...

POS Network Segregation...

[MobSwatter]

One of my accounts has remote web accessible thermostats and the site share's a single public static IP, but my intranet is split between 3 different lan segments with the POS segment isolated. Looks like it might be NSA preferred level of effective security configuration...

how the fuck do I switch back to the non-beta? I

seriously - wtf. I was getting annoyed by all the anti beta protestors - until I was forced to view beta. fuck beta, I come here to read threads of collapsed discussion not this 5000 pages of bullshit.

Umm... no network activity alerts?

[Y-Crate]

I get that Target might've forced their IT department to take the cheap way out and forgo a nice, isolated building management system. That's out of their control.

But how could they not notice the spike in network traffic as data was being sent to the hackers?

They should know how much bandwidth their terminals are chewing up on average, how many transactions are occurring, approximately how much data should be crossing the network per transaction and have an eye out for a sudden burst of outgoing data heading to one IP address.

Is there something I'm missing here?

Re:Umm... no network activity alerts?

[dbIII]

But how could they not notice the spike in network traffic as data was being sent to the hackers?

By saving money on the monitoring system.

They should know how much bandwidth their terminals are chewing up on average ...

Such a thing only happens when someone put put in the effort to have a monitoring system. It doesn't happen by magic. Easy to set up in many cases but not there unless someone had set it up.

Is it really so bad?

[chipschap]

I'm on Beta now, and while it's too much into "white space" and definitely far less practical, I don't see why all current discussions have to be spammed with complaints. At present I don't want to read /. in any form.

Re:Is it really so bad?

YES.

Repost this

[tekpagan]

Dice: Frankly, many of us want a new design, Classic is broken in so many ways. But beta is terrible, and this is what is wrong:

        * The value that Slashdot brings to its users is not in its articles. Frankly, the articles are terrible. The value that Slashdot provides is a discussion forum for self-selected nerds.

* As such, it is vital that you remember that the community is not just an audience, it is also your primary content creator.

        * Your new redesign does not allow the community to create (or even consume) content because:
                                        - It makes it impossible to follow discussions in the comments sections. This is largely because of the max-width on window and the fact that of the space left over is taken up by a useless sidebar. The vertical spacing is also overdone.
                                                - Slashdot has a fragile but effective moderation system. Your changes make it impossible for readers to leverage that system to read a high quality discussion and ignore the trolls.
                                        - It disregards conventions of the community. UIDs matter. We’re nerds. We understand that you need to attract a younger audience, but for a lot of us (including the younguns) it is thrilling to see a post from somebody who has been there from the beginning.

        * In the last 24 hours Soulskill has bitterly commented that the community has been involved since October and that they also get emails supporting the new design; only the comments are an echo chamber. This comment demonstrates a deep incompetence in your development team. Soulskill should have been citing A-B testing numbers. A-B testing is cheap, easy and effective but instead you are taking stabs in the dark.

        * Your ability to attain user acceptance is dismal. A number of years ago, when Taco needed to modernize the site, he solicited the community for designs, and awarded the best designer and used that design. That is how you leverage a community and gain their acceptance: incorporate them in the design process. As a bonus, you won’t have utterly useless redesigns that will either ruin your website or have to be scrapped.

Such as?

[Sable+Drakon]

The real problem being the fact the US still moronicly uses MagStripe/Pin for payment cards instead of a Chip/Pin system.

Re:Such as?

[quetwo]

It's not even that good. It's Mag Strip + Signature for credit transactions. It's Mag Strip + PIN for ATM/ECH transactions (which are a separate issue all together). I keep smirking that the PCI industry is pushing for new notification laws but is totally ignoring upgrading their systems to at LEAST Chip + Pin terminals or cards. Things won't get better, and notification will only make people paranoid at first, then eventually ignore them as they become white noise.

Hell, I can't even get a chip+pin card here in the states anymore. My bank stopped issuing cards with chip+pin about two years ago, even for those who requested it.

Re:Such as?

[Sable+Drakon]

I know, I kinda find that pathetic myself. I know I wouldn't mind the alerts, as it's much more in-line with other payment systems such as Paypal or Google Wallet. It'd allow users to fight fraudulent charges in real-time so long as the notification also includes the name of who/what is generating the transation.

Re:Loyal readers trolling Slashdot protesting beta

[aaarrrgggh]

Time for a firefox extension "classic slashdot?"

Re:Loyal readers trolling Slashdot protesting beta

[aaarrrgggh]

There is always the approach of calling Dice Holdings. Their telephone number is 212-725-6550.

That's why Trader Joe's hasn't had a data breach !

[Iskie]

The stores aren't heated. They're FREEZING!

Silly argument

[dbIII]

Apply your silly argument to electrical wiring and you'll see exactly how silly it is.
Considering the likely consequences it's worth treating this stuff almost as seriously as electrical gear. You should NEVER have building facilities staff routinely making changes without informing the IT department in such an environment. The consequences of failure are too great and a part time cable monkey is so cheap. It doesn't take long at all to turn a member of building facilities staff into someone that will know what they are doing and will inform IT when changes are made.

Re:Silly argument

[TWX]

Apply your silly argument to electrical wiring and you'll see exactly how silly it is.

In my jurisdiction, there's no licensing for low-voltage. If the organization is self-inspecting then there's no penalty for a shoddy job without proper penetrations and firestopping and supporting the cable in the ceiling, and even for an entity that can't self-inspect, if there's no licensing or permitting required, changes can be made without an inspector ever taking a look at the work.

It flat-out comes down to priorities from those at the top of the organization. Now that Target has gotten spanked because of something dumb, they'll give it the priority that it deserves.

Re:Silly argument

[Rich0]

Apply your silly argument to electrical wiring and you'll see exactly how silly it is.

If it weren't for the requirement for licensed electricians and the long precedent of company-sinking lawsuits when these laws are broken, you'd probably get electrocuted every time you touched a store shelf.

At my workplace the telecom gear is all centrally managed, but with about as generic a configuration as you could imagine. Network credentials really only have a few levels of access - if they can connect to the VPN they can connect to ANYTHING. If you have physical access to a network port, then you can also connect to anything. In both cases the ID might not let you log into any particular resource, but the network will route arbitrary packets just about anywhere.

Apparently the door card readers are an exception because the last time I needed to have one of those installed it cost a fortune to run security conduit (filled with pressurized gas with a sensor so that it would be very difficult to tamper with the cable run without being detected). Of course the door this protected was made out of wood and located in a building that was essentially unoccupied over the weekend (though you would need off-hours access (which is readily available but logged) unless you planned to enter during business hours and hide in a bathroom).

All the arguments above are true - we could have ACLs on everything, VLANs, RBAC on servers, and all the other goodies. The problem is that maintaining all that stuff costs somebody time and as a result we end up with ACLs that get half populated before somebody just sets some really broad grant of permission.

Re:Loyal readers trolling Slashdot protesting beta

[kbahey]

There is already something like that, here.

But it deals with the CSS only, and will not handle the backend part. See my comments on the above comment.

Re:"Been slashdot'd" takes on a whole new meaning.

"Slashdotted"? Should be "Diced" instead.

i prefer really wide comments section(like before)

i prefer really wide comments section(like before) as i have a side by side dual monitor layout, and prefer indentation in the threads over box-within-box. I have set my display to be at arm's length, like when i might need to tilt the flatscreen. The boxes' lines can be annoying instead of helping, but if you must use them,at least alternate them, something like black lines-dark-lines-gray lines, and so on.

well, that's chilling news!

[Polo]

har, har!

Typical Business Decision:

"We're not paying for two networks! Do it all on one!"

-Target

sure

[geekoid]

"The Beta is harder to read and harder to comment on."
how so? I find it to be the opposite.

"There is too much whitespace, and not enough text."
And...?

"Has anyone seen even one single thing you could count as an improvement?"
sure. The look, the design, it's faster, easier to read, and far more appealing to a newer generation.

No it is not

[geekoid]

Are you stupid? that is not a constructive suggestion. It's a statement.

Are you really that stupid?

I"m part f the commnity

[geekoid]

and I like the new site.

Oh, right, you think you speak for the community.

I don't like this place. It's too bright

[VibratoryDavid]

beta hatin'

HVAC Remote

Big box retailers that have say 1000 or more stores realize that they can save significant amounts of money by controlling HVAC and lighting. None of that is controlled at the store - there might be an override that a manager can use - but it's one of those THINGS that is purposely a PITA to make them not want to do it...

Temperature, humidity, ventilation, light levels - all controlled by a schedule tied to how the store is used. There's one level for overnight stocking/cleaning, and another for customer times... Occasionally, the store is open earlier for a sale and the local or regional schedule has to be accommodated. The PLC's that control all this stuff need to be programmed accordingly, so rather than paying a fully-loaded Big Box employee, they pay a consultant, who pays a gnome to handle it.

They remote in, upload the schedule, or push out an immediate change (like Jimmy the Overnight guy had a heart attack, turn all the lights on for the ambulance!) and it's all good.

The problem is that they rarely restrict those logins once they're logged into the network... Or there's some common hole to get around... A big box retailer I worked at had a Unix-based system... vi was the editor. Anyone remember :! sh ?? Dropped you to a shell, and ummm, the whole thing was running as root, so need I say more?

Unfounded assumptions...

Everyone seems to be assuming that because the hack *started* with the HVAC account, that it was done *only* using said HVAC account.
The first step in such an attack is to get access to the network. The access level doesn't have to *start* with your ultimate goal, you just need to get your foot in the door. From there, you take advantage of network/OS/software security flaws, social engineering, etc. to gain the access privileges you ultimately need.

I say, blame the NSA...

[jkyrlach]

Here's what I want to know. Did the NSA have knowledge about this vulnerability? If they did, and they didn't report it, they should be held at least partly accountable. Based on what we've learned that the NSA knows, it's likely they both knew about these vulnerabilities and knew that Target was vulnerable to them. Target should launch a FOIA request to find that out, and then sue the NSA for failing to disclose these vulnerabilities.

i build targets

[insaneclown]

i build targets...infact i do the cabling side of it and i can tell you it is nessisary for the HVAC companies to have external access to networks, and they do have separate VLANS to try to avoid these kinda of things but i think the hacker prolly just knew what he was doing....duh they were a hacker lol

Traced Back doesn't mean A directly to B

It is where they started. Do they do online purchases? Do they do cash register purchases? So there is somewhere where store centric networks and corporate networks converge, probably an accounting system

So some store had remote access for climate controls, and also had the store network attached to the hvac controls so the manager could turn up the heat. HVAC credentials dropped a sniffer, found a user device coming in, jumped on there, back to the rest of the network.

Some idiot didn't just trip over the keys to 70 million records. Someone didn't decide to do this the day before Thanksgiving for BlackFriday. It was a very long process that didn't get noticed until the real hackers gave some script kiddies the keys to muddy the waters.

We fixed that problem years ago......

Our Building Automation (HVAC, Lighting, ect) system does not need VPN to work.

https://www.facebook.com/tcsbasys

You missed the point by a MILE

[dbIII]

My Point: Where major consequences are possible care should be taken.

The electrical wiring bit was an analogy of something else with major consequences so there's no point shifting the goalposts to low voltage (WTF?) especially since that doesn't apply to building wiring anyway apart from in a few rare edge cases.

You are needlessly complicating the issue

[dbIII]

The issue is simple. An outsider needs limited access. You can do that without complex ACLs on everything.
Outside of computing it's managed pretty damn well with door keys that give differing amounts of access so why should we think we are special just because we work with computer networks?

Re:You are needlessly complicating the issue

[Rich0]

The issue is simple. An outsider needs limited access. You can do that without complex ACLs on everything.
Outside of computing it's managed pretty damn well with door keys that give differing amounts of access so why should we think we are special just because we work with computer networks?

The door key analogy is actually a good one. The HVAC contractor was likely given a userid/password with access to stuff like email and the HVAC system. The network itself is open so they can send packets anywhere on the network. They didn't use their key to hack into credit card processing devices - they no doubt exploited a flaw in their software.

So, this is analogous to being issued a building key and an office key. You use your building key to get into the building on a weekend, then you walk to somebody else's office and pick the lock on their door.

If you want to do what most security experts would like to see done with ACLs on a computer network, then you stick a lock on every phone, door, filing cabinet, water cooler, microwave, and cafeteria. You put locks on the chairs in the cafeteria so that you can't use a chair without removing the chain holding it under the table. The vending machines have locks too. If you call up somebody on the phone you have to authenticate with them using a shared secret before they'll even tell you their name, let alone help you. If you walk up to a secretary you present your ID and let her check against the authorized list before he provides a service to you. Also, at every intersection in every hallway you install doors and key each one individually. Employees walk around with huge rings full of hundreds of keys.

If you did this the guy who wants to break into somebody else's office over the weekend would have a hard time indeed. They might need to break through 14 doors just to get to the office, with a chance of detection at each one. Once inside the office he would need to break open locks on drawers, and even the pens would be chained to the desk. Even still, a determined attacker might still get past it if there isn't an army of guards actively patrolling the building.

That is the problem with ACLs and controlling network access. Sure, you can VLAN every port and only route packets from it to devices that it is supposed to talk to, but it is a nightmare to maintain. So, most companies tend to be much looser on security. An HVAC account probably couldn't log into the most critical resources, but they could almost certainly send packets to the servers controlling them and thus attack them.

I do think that VLANing the credit card readers and cash registers would still make sense. It isn't like these are general-access resources on the network.

Re:You are needlessly complicating the issue

[dbIII]

I'm sorry, but all your complex stuff above can be dealt with far more simply by redirection at the router level down a cable that has nothing to do with the internal network. They should not be allowed to get onto the same network as the machines that deal with monetary transactions - doing such a thing would have been seen as fucking stupid in 1990 and it's still fucking stupid. Email, as you mentioned above, is not a good enough excuse.

Re:You are needlessly complicating the issue

[Rich0]

Sure, VLANing the payment kiosks seems to make a lot of sense to me. However, the HVAC will almost certainly be on a general-purpose network unless you segregate just about every system in a corporation onto its own network. No large company I'm aware of operates that way.

Honestly, though, the only thing that seems stupid in this whole scenario is that the payment machines have access to a customer's authentication credentials in the first place, and that for that matter the authentication credentials are printed in plain text on the front of the card for the whole world to see. There is no reason the card can't contain a chip housing a private key that would make it unnecessary to protect any of the downstream transmissions.