Slashdot Mirror
US Hacker Sets Off 156 Sirens At Midnight (dallasnews.com)
"I had the displeasure of being awoken at midnight to the sounds of civil-defense/air-raid sirens," writes very-long-time Slashdot reader SigIO, blaming "some schmuck with a twisted sense of humor." The Dallas News reports:
Rocky Vaz, director of Dallas' Office of Emergency Management, said that all 156 of the city's sirens were activated more than a dozen times... Dallas officials blame computer hacking for setting off emergency sirens throughout the city early Saturday... It took until about 1:20 a.m. to silence them for good because the emergency system had to be deactivated. The system remained shut down Saturday while crews safeguarded it from another hack.
The city has figured out how the emergency system was compromised and is working to prevent it from happening again, he said... The city said the system should be restored Sunday or Monday.
City officials reported 4,400 calls to their 9-1-1 emergency phone number in the first four hours of Saturday morning, with over 800 occurring in that first 15 minutes when all 156 sirens started going off simultaneously.
The city has figured out how the emergency system was compromised and is working to prevent it from happening again, he said... The city said the system should be restored Sunday or Monday.
City officials reported 4,400 calls to their 9-1-1 emergency phone number in the first four hours of Saturday morning, with over 800 occurring in that first 15 minutes when all 156 sirens started going off simultaneously.
He's a dick who doesn't give a shit about endangering people who really need emergency services.
Dear Texas: you have shit security and morons managing it. This is dangerous. I sounded the appropriate warning systems.
There have been recent reports of problems with the Dallas 911 infrastructure causing hold times and delays which resulted in deaths. This may have been an attempt to further highlight the problems.
City officials reported 4,400 calls to their 9-1-1 emergency phone number in the first four hours of Saturday morning, with over 800 occurring in that first 15 minutes when all 156 sirens started going off simultaneously.
People, people, people, when the emergency sirens are sounding, the authorities already know about the emergency. You don't need to call 9-1-1 to tell them about it, really.
People are so incredibly stupid.
Let me guess, SQL injection strikes again?
Just cruising through this digital world at 33 1/3 rpm...
I've seen municipal systems that were set up years ago without any hardware firewalls, just Windows XP. They ignored my advice to harden the systems. It's alarming that towns are not fully proactive about their municipal Internet-of-things. This alarm system in Dallas is simply mischief that points out the flaws in one system. Other systems, some critical to a town's functioning, are still vulnerable. Politicians are mostly dumbasses that run on ideas, but once in office are dumbfounded, dazed and confused., on all levels of government.
John would call Bob on the POTS and they would talk. At the end of the chat Bob would activate the local siren.
Over the years the siren staff would get to know the other staff and no false calls and fake orders could occur.
Domestic spying is now "Benign Information Gathering"
Everywhere has shit security. Every manager is a moron. Everything is dangerous.
A door being unlocked does not give one the right to steal what's behind it, and similarly having a vulnerable system does not give one the right to attack it.
You do not have a moral or legal right to do absolutely anything you want.
Having in the past been "one of those weird people interested in warning sirens as a hobby", I have a fair bit of knowledge to how insecure their control systems actually are, and thus how trivially easy it is to compromise them. Although security is slowly improving, a lot of older siren systems are controlled using unencrypted analog radio signals transmitting standard DTMF (telephone-type) tones. For a malicious person, it is shockingly easy for them to turn on an off-the-shelf police scanner, find the frequency used to control the system, record the activation signal (such as during a regular monthly test), then at a later time use an illegal transmitter of some sort to rebroadcast that recorded activation signal on the same frequency over and over. I do not know what control method Dallas uses for their siren system, but the fact that one of the news articles (CBS News) I read about this said the FCC has been asked to help investigate leads me to believe more than likely such an attack was utilized...and this isn't the first time such has happened.
The only air raid siren I hear is the alarm on my iPad 2 going off at 4:30AM so I can start my government IT job at 7:00AM during the week. On the weekends I sleep in late and get up at 6:30AM.
"We had people asking if we were being attacked because of what's going on overseas."
So they called 911. When terrorism strikes, call 911 for all your news info! (Not really, that's a bad idea).
"First they came for the slanderers and i said nothing."
I agree. I would like just to add that a door has several functions, and one of them is being a border line, not only physical one but also moral, legal, psychological, etc.
For example, if there is a picket fence around a property it does not mean that this fence must be impenetrable, i.e. to have barbed wire, movement sensors, etc. But still it is a good picket fence which have got many useful functions.
And people should not think, - oh, this picket fence is not secure, so I can cross it and do whatever I want on this property.
Eh... not necessarily.
In a past professional life, I maintained an Emergency Broadcast System transmitter. EBS works by cutting into radio transmissions if a neighboring station transmits the right signal, repeating the broadcast on the local station. Essentially, if one station reported an emergency, the whole region would repeat it automatically. If the sirens work similarly, hijacking one would trigger the whole system.
The whole point is moot, anyway. Ability doesn't need to be shown.
You do not have a moral or legal right to do absolutely anything you want.
A door being unlocked does not give one the right to steal what's behind it
That is correct. However, when the entire world has immediate access to that door, then not securing the door makes you an incompetent idiot who has no business holding any job related to security. Depending on the good behavior of literally everyone with an internet connection makes you at fault for whatever happens if it was your job to secure it. Securing it is possible. The existence of malicious parties does not negate your responsibility, it strengthens it. The chance of encountering malice on the internet is 100%.
Dogs can jump over picket fences.
"First they came for the slanderers and i said nothing."
There is no such thing as perfect security. Given enough time any system can be broken.
Now can you tell us where is this line in the digital world? Is it you IP address ? Or maybe it's you router ? Or your web server's TCP port number ?
If you access any of those with the intent to hack, then you might go to jail for it. People have gone to jail for going to a URL with their browser.
See, the door analogy isn't that obvious in the digital world.
I'll clarify it for you: break into someone's house, go to jail. Break into someone's computer system, go to jail. That is the analogy. It's not perfect, but the point is correct: "poor security" isn't a defense in a court of law.
"First they came for the slanderers and i said nothing."
You know Russia has subs parked on every undersea communication link that the US has right? The first blow in any war will be the US having its metaphorical eyes, ears, and tongue hacked off.
Then, when the real air attack happens, two hours later, the alarm system is disconnected, I think that was with a museum or something, but the idea is the same. RIP Dallas.
Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
So the sirens sound, and presumably the North Koreans have a nuclear strike on the way. And what do the good citizens do? _nothing_. Only 4400 actually tried to figure out what was wrong; the rest simply ignored it.
You might as well get rid of the entire system, nobody cares about it anyway...
I lived literally across the street from one of those fucking things and was working second shift. Every single fucking "test" Wednesday, I would wake up at 10 am in sheer fucking terror and try to hide under a desk thanks to the duck and cover indoctrination I was given as a child.
Awww, it went off when you were awake? My tiny violin laughs in your general direction.
UID doesn't really tell us anything beyond how long ago someone registered their account... I was reading Slashdot for several years before I ever registered an account. Might still have been in the 6 digits, I don't really know. I also don't really care.
There is no XUL, only WebExtensions...
Apologies for my ignorance, but are sirens like this common in the USA and if so, what for?
So far as I am aware we don't have any such things her in the UK (I haven't seen one, heard one being tested, received a leaflet about them or seen a news report about them). We certainly used to have them when I was a child back in the 1970s and I remember occasionally hearing the one in our village being tested when I was at school. But we got rid of them all when the cold war ended.
I can see how such a thing might be useful in areas where tornados could be expected, but (and again sorry for my ignorance) I thought that tornados couldn't strike built up areas like Dallas as big buildings broke up the air flow.
The article did not say what the immediate response of the authorities was, did radio and TV stations promptly transmit a 'do not worry' message?
How does this work in the US ?
Here around in Europe, the authorities are supposed to immediately broadcast informations about the alert on all available channels (TV, radio, web, public announcement systems, etc.) informing about the nature of the threat and the proper procedure to follow to stay sage.
(Well in theory. In practice, given the relative peacefulness of life Europe, 99.9% times you're going to hear a siren, it's just a test of the system as announced the day before in the local newspaper / newscast, and the only thing you're supposed to do is just check that you can hear them and then eventually proceed with the announced evacuation drill that your employer has planned to coincide on that day).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
You know Russia has subs parked on every undersea communication link that the US has right? The first blow in any war will be the US having its metaphorical eyes, ears, and tongue hacked off.
Hence the interest in satellite-to-satellite communications.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I guess they should turn on their TV to see if the emergency broadcast system had kicked in. If it had, do what that says. But is that how people reacted.
The sirens appear to offer little purpose if they aren't achieving that; more thought required?
My father told me afterwards that the air raid sirens in the UK all had their own power supply with a relay, all controlled by cables from a switch in the police station which seems reasonable.
Soon after we moved into a new home together, maybe 25 years ago, at around midnight one night, some jokers managed to break into the building housing the local air raid siren. All they needed to do was use a length of wood to jam the relay contacts together and everybody was on the phone to the emergency services to confirm whether or not the Russian nuclear bombers were heading this way!
Maybe you should be grateful. He has exposed a security hole that will now be fixed - hopefully. Far better than it being found after, for instance, an arsonist disables the alarms before burning down a neighbourhood.
But never even think for a moment the people who left the doors wide open, keys in the ignition, built homes without doors....
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Understand folks, these sirens NEVER go off unless they're testing or there's a tornado,large hail, etc.
Rousing people from their sleep in this manner, coincidentally right after we launch 60 cruise missiles at a Russian ally, is fucking frightening.
Frankly, it wasn't until I learned on Twitter that Dallas was the only place were the sirens were going off that the panic subsided.
Been reading since 98. Didn't register until 2000+.
Subtract 19 years from the AC poster above, and I think someone's grossly incontinent.
Calling it a 'US hacker' is completely wrong at this point since they have not identified the hacker. News titles should stick to facts.
I'll clarify it for you: break into someone's house, go to jail. Break into someone's computer system, go to jail. That is the analogy. It's not perfect, but the point is correct: "poor security" isn't a defense in a court of law.
That doesn't actually clarify it. At what point have I broken in? Did I break in when I performed the equivalent of asking your PC to let me connect to it? No falsified credentials, no lock picking, just a nice and pleasant "excuse me Mr PC, may I view your c-drive please?" and the PC going "certainly stranger whom I do not know".
This is why I prefer the Crazy Ex analogy over my fellow AC's attempt at maintaining the door analogy. If I knock on your door, and for whatever reason your Crazy Ex is inside, and they invite me in, I have no reason to suspect that this person is not allowed to let me in, and I have committed no crimes by entering. If your Crazy Ex is having a yard sale while you are out of town, and I buy all your stuff from your Crazy Ex, again I have no way of knowing that they do not have permission to sell these things, and I have again committed no crimes (whether or not the stuff should be returned is a different discussion. The point is, I committed no crime when acquiring those items.).
Likewise, if I change a query string variable, and suddenly I can see my neighbor's account information, I have no way of knowing whether or not AT&T meant for me to be able to view that, or whether their "Crazy Ex" is in the building granting access to things that others should not see. You might claim it obvious, but in reality, it isn't. For another example, I can look up the water bills of anyone in my county, just by knowing the house address. I'm not even changing a query string variable. My county literally has a form that consists of "enter an address and click 'submit'". Sure, it feels weird that I can do that, but I arrived at the page simply by navigating from the county home page, so I have to believe that it is perfectly legal.
You know Russia has subs parked on every undersea communication link that the US has right? The first blow in any war will be the US having its metaphorical eyes, ears, and tongue hacked off.
Hence the interest in satellite-to-satellite communications.
But in humans propensity for insanity, we'll no doubt send up some satellite killers, and the resulting rubble will make our first war in space be our last for at least a hundred years, depending on the orbital decay And that's we as in all of us.
And for Ivan bragging about his subs, why would you cut off one of the best weapons you have? Cutting off the US would hurt you and your tactics more than ours. How you going to alter the vote counts then?
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Someone has cited an multi-thousand dollar cost per siren to fix the broken system which used unencrypted radio and touch tone signalling.
I'm sure that it is possible to set up a Raspberry Pi to authenticate the received touch tones in a way similar to the two-factor authentication fobs, at a much reduced cost, no? Or am I missing something?
A door being unlocked does not give one the right to steal what's behind it
That is correct. However, when the entire world has immediate access to that door, then not securing the door makes you an incompetent idiot who has no business holding any job related to security.
Let's go, mod AC up.
Especially in a country like the US, where we have the dual issues of being interventionist, and being top of the worldwide heap for a while, we make a lot of enemies (don't feel smug about it, everyone gets a turn) Just being at the top of the heap means there are groups who want to tear you down.
And the internet invites them into our living rooms, and our warning sirens. And a lot of other things as well. We've put things on the IoT that never should have been there. IoT is a pretty good illustration of unfixable stupid.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
There is no such thing as perfect security. Given enough time any system can be broken.
And when you have a system that the whole world can hack it, all you do is make it certain that it will be hacked.
A system where people need actual physical access isn't perfectly secure, but it is hella unlikely that a Nigerian Prince is going to have direct access to it.
I mean it isn't like we didn't have these things before the internet. Wonder how humans survived?
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
What attack? That was normal operation of the sirens. An attack would have been if he cranked up the volume and blew them out. Or maybe planting malware for more nefarious purposes. If you leave your door unlocked and somebody comes by and opens then closes it every few minutes is that an attack?
You don't buy into psychological warfare?
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Who wants to bet there's some new files on the system?
Get up!
Every time one of these things happens slashdot blames the sys admins.
I don't know about that. I know myself, I blame the dumfuks who decided to put life-critical systems on the internet. That should not even be legal.
And those sirens are life critical. Texas is hit by a fair number of tornadoes, and the public siren is the last leg of "get your ass under cover. A lot of people have no doubt been saved by the sirens.
So if someone wanted to start invoking "boy who cried wolf" syndrome, just start sending a lot of commands for false alarms.
Sysadmins just do what they are told to do, the powers that be make the decisions to put life-critical devices on an inherently open communications system,
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
I live in Dallas. Worked overnight Friday, saw people posting things on facebook about the sirens going off at somewhat random locations across the city. Co-workers saw similar posts from their friends.
"Well that's fucked up. Who tests the sirens in the middle of the damn night?"
"No one. That's done at like 1pm on a Wed... Odds are some jackass managed to hack the control systems."
Now, if he were a super dick there'd be a hidden job to make it happen again in a week or two.
You know Russia has subs parked on every undersea communication link that the US has right? The first blow in any war will be the US having its metaphorical eyes, ears, and tongue hacked off.
Hence the interest in satellite-to-satellite communications.
Sure, but the Russians have subs parked near every satellite too -- checkmate.
It must have been something you assimilated. . . .
Did I break in when I performed the equivalent of asking your PC to let me connect to it? No falsified credentials, no lock picking, just a nice and pleasant "excuse me Mr PC, may I view your c-drive please?"
Yes.
Likewise, if I change a query string variable, and suddenly I can see my neighbor's account information, I have no way of knowing whether or not AT&T meant for me to be able to view that, or whether their "Crazy Ex" is in the building granting access to things that others should not see.
It doesn't matter. What matters is what the jury will think of your intentions.
"First they came for the slanderers and i said nothing."
The page advises:
If this is an approaching electrical storm (and tornadoes are often VERY lightning-generating), lying in a ditch or other cut in the ground can be suicidal.
When lightning strikes the ground the current spreads out, just as the other end does in the cloud. (And it doesn't have to even hit: When a charged cloud is over the ground the opposite charge collects beneath it, and when the cloud discharges it the collected charge runs away, creating a "surge" with much the same effect).
The current tends to spread out near the surface. A ditch or other cut into the ground makes a gap in this easy path - and a bolt will tend to cross it at the narrowest point. If you're crouching in the ditch the easiest path across the ditch is through you.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
The kid should be stung up for something like this.
You could jail him under a siren and test it a lot.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Go to the government and find the stupid, cheap, incompetent anal aperture(s) who decided to save a few dollars by connecting a CIVIL DEFENCE system INSECURELY to the INTERNET,..
What makes you think it was done over then Internet?
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
"This is yet another serious example of the need for us to upgrade and better safeguard our city's technology infrastructure," Rawlings said
This is an even better example of the need to downgrade. The sirens weren't always connected to the Internet. What compelling reason requires them to be connected to the Internet now?
Internet security lesson #1: if it doesn't need to be connected to the Internet, don't connect it to the Internet.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
Today I learned that the emergency weather warning service can double as an air raid service as well!
Looking for a computer support specialist for your small business? Check out
Opens neighbours unlocked door. "Hello. You left your front door open. This is a really bad neighbourhood and you should lock your doors before someone not nice comes along."
> Do we really expect everyone to obsess over every system to prevent idiots
> from hacking them or should we focus on punishing those who do the hacking.
When "idiots" can compromise a warning system, and potentially cause a lot of deaths,YES!
> Its like saying people who paint graffiti are not the
> issue, we should make walls that do not accept graffiti.
People who paint graffiti are *AN* issue. The problem is that there are a lot of assholes, and just plain evil people, out there. And that's just in the USA. There are 7 billion people on the planet. If you allow all of them access to your systems, there'll be someone who hates you enough to screw you over...
* Kim Jong Un
* or some random Russian criminal who wants some bitcoins to restore your documentation files
* or the thousands of islamic militants who are perfectly willing to blow themselves up if they can kill several "infidels" in the process
* etc, etc
It's not paranoia if they really are out to get you. The correct answer is similar to the military's "need to know" approach. Ask yourself "who *REALLY* needs to access this system", and then only allow them access.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
There's a large difference between a vulnerability that requires someone to be physically present to exploit it (graffiti on a wall) and a vulnerability that potentially anyone on the planet with an internet connection can exploit--or a radio.
I actually agree with you, it's often not cost-effective to secure things that require physical access to exploit. However, network-connected things have potentially billions of attackers.
Furthermore, the attacks can be automated, so that one person can attack millions of targets.
Anything connected to the Internet is at far more risk than anything that is not.
--PM
Proton decay might or might not ever happen. Not decided yet as far as I know.
I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
Other than the hilarity and the lulz of it all, one could argue that the hacker did them a favor by highlighting a flaw in their security in a fairly harmless way which will now be fixed to prevent it from happening again. Though unlikely, should such flaws be taken advantage of in a more nefarious way they could be used to deactivate during an actual attack or otherwise mess with the system for criminal intent.
It's Russia. If that's not paranoia, the odds are that those subs have been there since before the USSR collapsed--and are still there because they're not going anywhere, unless somebody works out how to tow a mildly defunct sub that can't manage to surface.
I'm getting rather amused by the Left's current paranoia about Russia's abilities. I'm more inclined to think that this air raid siren hack will turn out to be the result of incompetence, particularly given the speed of the patching of security. It looks suspiciously like they'd been told politely to patch, were too lazy to patch, and got put in a position where they had to patch.
What attack? That was normal operation of the sirens. An attack would have been if he cranked up the volume and blew them out. Or maybe planting malware for more nefarious purposes. If you leave your door unlocked and somebody comes by and opens then closes it every few minutes is that an attack?
You don't buy into psychological warfare?
Depends on what is done when the door is opened and closed. If the person is opening it, reminding the people inside that "This door is supposed to be locked," and closing it--the only problems are if it doesn't get done, if the person(s) who ought to have locked the door keep their jobs if this goes on for long, and if the person who is delivering the 'lock the effing door' message isn't part of security because then it means somebody else is having to do security's job.
Sure, but the Russians have subs parked near every satellite too -- checkmate.
Metaphorically, they probably do. I'm sure they have plans in place to knock out satellites should a war ever occur.
"That's the way to do it" - Punch
P-O-E