Slashdot Mirror


Google's Doors Hacked Wide Open By Own Employee (forbes.com)

Last July, in Google's Sunnyvale offices, a hacker found a way to trick doors into opening without the requisite RFID keycard, Forbes reported Monday. Luckily for Google, it was David Tomaschik, an employee at the tech giant, who only had good intentions. From the report: When he sent his malicious code across the Google network, he saw the lights turn from red to green on the door to his office. Then came the satisfying thunk as the lock opened. It was the culmination of work in which Tomaschik had uncovered vulnerabilities in technology made by Software House, the creator of the office controllers managing the physical security of the California site.

Last summer, when Tomaschik looked at the encrypted messages the Software House devices (called iStar Ultra and IP-ACM) were sending across the Google network, he discovered they were non-random; encrypted messages should always look random if they're properly protected. He was intrigued and digging deeper discovered a "hardcoded" encryption key was used by all Software House devices. That meant he could effectively replicate the key and forge commands, such as those asking a door to unlock. Or he could simply replay legitimate unlocking commands, which had much the same effect. Tomaschik also discovered he could do all this without any record of his actions. And he could prevent legitimate Google employees from opening doors. "Once I had my findings it became a priority. It was pretty bad," he told Forbes. Google then moved quickly to prevent attacks on its offices, according to Tomaschik.


  1. Unsure about this by proibido · · Score: 4, Interesting

    If they protect their own facilities like this imagine our own data :S

    1. Re:Unsure about this by Anonymous Coward · · Score: 1

      How a third party handles its own product doesn't seem like it could represent how Google develops their own services.

    2. Re:Unsure about this by that+this+is+not+und · · Score: 3, Insightful

      A lot of third parties do much better than Google. Google dabbles in a lot of directions, at the whim of their loose and often undirected management.

    3. Re:Unsure about this by Anonymous Coward · · Score: 1

      Oh sure, I just think it's a bad comparison. Google bought a product that it turns out has a security flaw. How some other company operates and sells their products can't really represent Google's own development practices.

    4. Re:Unsure about this by arth1 · · Score: 4, Interesting

      > How some other company operates and sells their products can't really represent Google's own development practices.

      No, but it shows that they use and rely on 3rd party unverified and ill designed programs, giving it access to their networks. That does taint their own products, even if everything they themselves did were safe and secure - to misuse a metaphor, it's fruit from a poisonous tree.

    5. Re:Unsure about this by swillden · · Score: 1

      > How some other company operates and sells their products can't really represent Google's own development practices.

      > No, but it shows that they use and rely on 3rd party unverified and ill designed programs

      So does every company. So does yours. But how many others do this sort of investigation? Software House has thousands of clients, but it was Google that found the problem -- and published it.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    6. Re: Unsure about this by arth1 · · Score: 1

      The time to check for flaws is before putting it on your trusted network, not afterwards. Someone was allowed to make the decision to put a 3rd party IP based security system on the same network as trusted resources, without first evaluating it for security. This seems like a management problem to me.

    7. Re: Unsure about this by Zero__Kelvin · · Score: 1

      You are pretty desperate to point and grunt "Google bad!". I guess your understanding of computer security is so low you don't realize that pretty much every company on the planet has at least one Windows machine on their network that regularly updates with unvetted code.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  2. Internet of shit still shit by Anonymous Coward · · Score: 2, Insightful

    News at eleven.

  3. Open All The Doors by that+this+is+not+und · · Score: 1

    He blew it. The proper thing to do would be to have designed and introduced a trojan/worm into the security system. When it reached critical mass, it would be triggered to open all the doors, continue to reopen the doors, and defend itself against removal.

    1. Re:Open All The Doors by Joe_Dragon · · Score: 1

      just cut the power or set off the fire alarm and that will open a lot of the doors and it's part of the fire code.

  4. Re:That's why google support sucks by captbollocks · · Score: 1

    Like finding a solution to why our emails sent through gmail servers go to spam folders of our customers on gmail and whom we have been communicating with via email for years.

    Trying to get a support case escalated when the support muppet can't give you an answer is nearly impossible unless you start yelling at the support muppet. Then you get a manager muppet and have to go through the whole process again.

  5. Kinda weird by bobstreo · · Score: 1

    Why put your door locks in an accessible network?

    My office doors weren't RFID. You had to actually insert a card into the standalone locks which needed to be programmed for access. The locks also kept a record of who/what accessed them. I like old school.

    The only downside was the magnetic strip would wear out after a few years...

    1. Re:Kinda weird by OzPeter · · Score: 4, Insightful

      > Why put your door locks in an accessible network?

      At some point having a centralized control increases flexibility and security over and above the effort needed to implement it.

      In your old school scenario if you were fired then Fred down at IT would have to schedule someone to physically come to your office and re-program your door lock to stop you gaining access to not only your office but all those other sensitive places that you previously frequented. That would take time and manpower to do.

      In a connected world, run one script and *poof* you are instantly persona non grata in the entire organization. Of course the connected world scenario does require security to be correctly implemented. But that is what pen testing is all about. It is akin to the software corollary that untested software should be considered broken.

      --
      I am Slashdot. Are you Slashdot as well?
    2. Re:Kinda weird by Asgard · · Score: 1

      >accessible network

      I think the suggestion was that the locks should be on a separate network than is accessible to anyone other than building management.

    3. Re:Kinda weird by mystik · · Score: 3, Interesting

      There is a risk to fully automatic organizations like that.

      https://idiallo.com/blog/when-...

      Can be pretty scary when there are no checks and balances to the automation.

      --
      Why aren't you encrypting your e-mail?
    4. Re:Kinda weird by OzPeter · · Score: 1

      >accessible network

      > I think the suggestion was that the locks should be on a separate network than is accessible to anyone other than building management.

      I was replying to the OP, who was reminiscing about how good disconnected locks were.

      --
      I am Slashdot. Are you Slashdot as well?
    5. Re:Kinda weird by OzPeter · · Score: 1

      > There is a risk to fully automatic organizations like that.
      >
      > https://idiallo.com/blog/when-...
      >
      > Can be pretty scary when there are no checks and balances to the automation.

      I've seen that story before and it's a bit disingenuous. The machine didn't fire him, the non-renewal of a contract by a person fired him. The system did its job correctly.

      --
      I am Slashdot. Are you Slashdot as well?
    6. Re:Kinda weird by bobstreo · · Score: 1

      > Why put your door locks in an accessible network?

      > At some point having a centralized control increases flexibility and security over and above the effort needed to implement it.
      >
      > In your old school scenario if you were fired then Fred down at IT would have to schedule someone to physically come to your office and re-program your door lock to stop you gaining access to not only your office but all those other sensitive places that you previously frequented. That would take time and manpower to do.
      >
      > In a connected world, run one script and *poof* you are instantly persona non grata in the entire organization. Of course the connected world scenario does require security to be correctly implemented. But that is what pen testing is all about. It is akin to the software corollary that untested software should be considered broken.

      Nah, the parking lots, security fence entry and building entry were on RFID which was on a separate network. Easy to revoke if needed.

    7. Re:Kinda weird by decep · · Score: 4, Insightful

      > Why put your door locks in an accessible network?

      This one is easy. One of the purposes of encryption is allowing trusted communication over untrusted networks. If the communication is properly authenticated and encrypted, who cares who can see it. The key word being "properly".

      Getting encryption and authentication right on a mass-produced, IoT product is extraordinarily difficult. Making it [reasonably] future-proof, even more so.

    8. Re:Kinda weird by sjames · · Score: 1

      Many of those are connected by a serial protocol through their own physical wiring.

      That goes back to one or more security panels that connect via serial to a PC that may or may not have a network connection.

      Of course, for safety, many of those are fail open and the wiring isn't physically secured such that you can short the wires to the latch to open the door without leaving a record of access.

    9. Re:Kinda weird by sjames · · Score: 2

      That's exactly why for the sake of belt and suspenders you should at least use a vlan to isolate the security traffic if not a physically separated network.

    10. Re:Kinda weird by rea1l1 · · Score: 1

      >In your old school scenario if you were fired then Fred down at IT would have to schedule someone to physically come to your office and re-program your door lock to stop you gaining access to not only your office but all those other sensitive places that you previously frequented. That would take time and manpower to do.

      This could very well be considered a feature in terms of checks and balances.

      >In a connected world, run one script and *poof* you are instantly persona non grata in the entire organization.

      Indeed. And that is a lot of power in a single tool. The power itself makes it a much more valuable target to those with malicious intent. To create such an all powerful tool and not need to worry, your developers need to be PERFECT in every way. Keep in mind, no one is perfect, which is why no one should install such an all powerful tool. There is no such thing as perfect security, so stop connecting all of these important systems together. You're asking for a collapse.

    11. Re:Kinda weird by aaarrrgggh · · Score: 1

      Not for most systems I have seen-- they work kind of like a certificate authority with a revocation list. No control communication over the IP network, just RS-485.

    12. Re:Kinda weird by swb · · Score: 1

      I have to deal with building security systems sometimes and nearly always the RFID locks (which encompasses the RFID reader, secondary keypad if there is one, and electromechanical lock mechanism) aren't ethernet enabled.

      The "locks" are hardwired to controllers which can be networked but are programmed by some software application which in turn places each keycard into whatever access groups it's supposed to have. The controllers are then updated with add/deletes of card profiles. I see about half the controllers networked in these systems, and about half have some old laptop with a crossover or serial cable connected for programming.

      The network can be completely down and the card access system works just fine, the only problem is you couldn't alter the controller database or access profiles (except with the ones with a dedicated PC).

      I was literally at a facility Friday that was set up this way when it was built to manufacture fentanyl patches, so I'm assuming the DEA considered it secure. My customer took over the building and it had zero network, the old tenant literally programmed a dozen "master" keycards and left them to new ownership right before they yanked all the switches.

      The main security control panel was in the computer room with a dedicated PC for card access management, but since the new owners only make soap and not fentanyl, they decided to network the card access PC so HR and facilities management could alter card profiles remotely. Obviously this is something of a security weakness, since you can ultimately hack accounts to get to the management PC and reprogram access card profiles, but you can't actually work the locks themselves as far as I can tell.

      The bigger problem, IMHO, is that companies are cheap and look at the card access systems as a fixed system that needs no upgrading and no maintenance contract. The software is shitty with poor OS portability, the ancient management PC dies and nobody can reprogram cards for a couple of weeks until the vendor is tracked down, a maintenance agreement signed and a bunch of software updates installed.

    13. Re:Kinda weird by swillden · · Score: 1

      > That's exactly why for the sake of belt and suspenders you should at least use a vlan to isolate the security traffic if not a physically separated network.

      The Google network is heavily segmented, though Google has shifted to consider that more of a management feature than a security feature. Google relies primarily on the BeyondCorp zero trust model to provide security, because network segmentation really doesn't. Segmentation isn't useless, but it provides no protection against adversaries who get access to the wires.

      I'm sure the badge readers were on a separate VLAN. But Google doesn't trust network segmentation and obviously chose to investigate potential vulnerabilities. Which is a good thing, for Google, for its users and customers, and for other Software House customers (and, almost certainly, customers of Software House's competitors, because I'd be very surprised if the whole door access industry weren't at least this bad).

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    14. Re:Kinda weird by Calydor · · Score: 1

      And the system apparently had permissions somewhere up around CEO level seeing as NO ONE was able to stop what it was doing.

      I'm curious what would have happened if they'd told the machine the CEO had been fired.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    15. Re:Kinda weird by sjames · · Score: 1

      According to TFA, they segmented the network in response to the hack. And yes, VLAN isn't perfect. That's why you want belt AND suspenders, not belt OR suspenders.

    16. Re:Kinda weird by swillden · · Score: 1

      > According to TFA, they segmented the network in response to the hack.

      Okay.

      > And yes, VLAN isn't perfect. That's why you want belt AND suspenders, not belt OR suspenders.

      Except that VLANs are more like wearing suspenders made of a few, thin threads. It's almost nothing. Proper cryptographic security is the right solution here, and once you have that, a VLAN provides nothing -- other than traffic management, which is what it's really good for. VLANs were never intended to be used as a security measure, and shouldn't be applied with any expectation that they're adding significant security.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    17. Re:Kinda weird by ebvwfbw · · Score: 1

      For a door lock? Ever set some of this "IOT" which is really "ICT" or Internet Connected Technology? Some of the crap requires windows and explorer for the controls. Vlan, they barely meet minimum requirements as it is.

      If you want to keep people out, use a good old commercial door lock. That'll keep almost all the lock picks out. They can also put spools, other things in to make it a lot harder.

    18. Re:Kinda weird by sjames · · Score: 1

      There are many reasons you might want centrally controlled access control with cards. For example, if 1000 people have legitimate access, how long do you suppose it will be before a copy of THE key goes missing somewhere?

    19. Re:Kinda weird by ebvwfbw · · Score: 1

      > There are many reasons you might want centrally controlled access control with cards. For example, if 1000 people have legitimate access, how long do you suppose it will be before a copy of THE key goes missing somewhere?

      I run into this all the time. That's not what the problem is. The problem was his office. For central places it's not nearly as much of a concern. There is usually a guard there, CCTV, other people. They can also piggy back in. Then they filter people down by floor, then often by other key card access areas. Most of these places today if you have an actual office, whatever you do is worth protecting. Otherwise you're usually out in a bull pen at a half desk.

      I remember even over 20 years ago I had to use a card to get to the floor, then a card to get out of the elevator area where the elevator lobby was. Then I could get to my office, which had a commercial cylinder. This was not a government building.

      I know the thing a lot of auditors love to see today is centralized control. I can lock employee 10013 out with one mouse click! Computer access, office access, even the coffee club and bathroom is off limits to him now (release the hounds)!

  6. What, no network isolation? by Slashdot+Junky · · Score: 2

    Clearly, the door access/lock system has or had design problems and needs these properly addressed. Its presence was made worse by poor network security. It should have been on a dedicated network and certainly not on the general LAN/VLAN. This guy had access to the network and shouldn't have unless the poking around was blessed.

    --
    .
    Landfill Mining Co.
    Managing the (Un)natural Resources of Tomorrow
    1. Re:What, no network isolation? by ledow · · Score: 1

      Agreed.

      VLAN. With RADIUS. Or the very least MAC-based RADIUS and blocking any unknown devices.

    2. Re:What, no network isolation? by WaffleMonster · · Score: 1

      > Clearly, the door access/lock system has or had design problems and needs these properly addressed. Its presence was made worse by poor network security. It should have been on a dedicated network and certainly not on the general LAN/VLAN. This guy had access to the network and shouldn't have unless the poking around was blessed.

      Physically securing wires is a fool's errand. You can't protect wires that go everywhere.

      Every dime spent on a fool's errand is a dime not spent securing what is attached to those wires.

    3. Re:What, no network isolation? by Slashdot+Junky · · Score: 1

      > Physically securing wires is a fool's errand

      Correct. Wires are pretty easy to sufficiently protect through physical barriers that aren't easily breached without noise and adherence to smart policy. Like most things in need of securing, network and network attached devices require a multi prong approach. And similarly to all security implementations, the one that Google may have employed along with this door lock/access management solution would have been defeated by those sufficiently motivated even without its bad design.

      --
      .
      Landfill Mining Co.
      Managing the (Un)natural Resources of Tomorrow
    4. Re:What, no network isolation? by viperidaenz · · Score: 1

      Google don't have dedicated networks full of systems that blindly trust everything, as they're on "trusted networks".
      They have one massive network, with devices that are supposed to be secure.

    5. Re:What, no network isolation? by swillden · · Score: 2

      > This guy had access to the network and shouldn't have unless the poking around was blessed.

      "The guy" is a member of Google's Red Team, which is the group tasked with finding internal security problems. He was "blessed".

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  7. Re: Haxxy haxxy haxx0rz!!!1! by tysonedwards · · Score: 2

    America's nuclear arsenal is an offline system that relies on humans to receive a message, validate its authenticity, and then choose to act. There are decided differences between what is effectively a mechanical turk and an internet of shit device.

    --
    Thirty four characters live here.
  8. Re:Since when google became a bank? by GuB-42 · · Score: 4, Funny

    I heard they have free food, and that it is really good.

  9. Re: Weird by tysonedwards · · Score: 2

    I am surprised the door locks were on the same network as workstations. Actual traffic isolation would have prevented someone from finding this flaw unless they start tearing holes in their walls.

    --
    Thirty four characters live here.
  10. WhatCouldPossiblyGoWrong by PPH · · Score: 1

    Particularly if you are Turing testing a hot looking android named Ava.

    --
    Have gnu, will travel.
  11. He's a Google employee by Bruce66423 · · Score: 1

    This means that they will be dealing with the legal side, and will have ensured that there are no issues. One of the advantages of being an employee.

  12. Re: Weird by shess · · Score: 1

    > I am surprised the door locks were on the same network as workstations. Actual traffic isolation would have prevented someone from finding this flaw unless they start tearing holes in their walls.

    Is it clear that it was on the same network as workstations? I left Google in 2017, and for many years the internal networks had been heavily segmented. I'd be very surprised if any random RFID node or printer could have communicated directly with my workstation. In fact, I don't think my machines could talk to each other from physically adjacent Ethernet ports without requesting a network change.

  13. Re:Since when google became a bank? by omnichad · · Score: 1

    It's called a Lauer lock

  14. I think Bart Simpson said it best... by StandardCell · · Score: 2
    1. Re:I think Bart Simpson said it best... by TechyImmigrant · · Score: 1

      when he said this...

      Static encryption keys are fine as long as you keep them secret and randomize the protocol. It's when you set about inventing key update protocols that it all goes to shit, Eh TLS?

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  15. Re: Haxxy haxxy haxx0rz!!!1! by JaredOfEuropa · · Score: 1

    Can the officers in the silo even reprogram the missiles or launch independently? That sounds like a monumentally bad idea. What would stop them from declaring the Free State of Silo 16 and threaten to nuke Washington if their demands for beer, beef and pre ban AR15 weren’t met?

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  16. And then David was fired by bettodavis · · Score: 1

    As a reward for being such a trouble maker.

  17. Re: Haxxy haxxy haxx0rz!!!1! by Antique+Geekmeister · · Score: 1

    In theory? No. In practice? That is a very good question. These are, generally, skilled officers, educated well enough to manage a tremendous responsibility correctly and reliably. One or more of them might be clever enough to outsmart flawed security.

  18. Re: Weird by Antique+Geekmeister · · Score: 1

    Oh, my. It's very easy to ask why someone else did not spend several times the amount of money in capital costs and support costs for an infrastructure change. What is the return on investment?

  19. Re: Weird by tysonedwards · · Score: 1

    At what point did vlan tagging become DLC?

    --
    Thirty four characters live here.
  20. Re: Weird by Antique+Geekmeister · · Score: 1

    Ideally, the doors would be on a physically distinct network with its own switches, not a VLAN tagged distinct network. That means physically distinct wiring all the way back to the wiring closets, and no plain repeaters or shared switches all the way back to any central switch for the door controller system. In practice, a few facilities bother to set up tagged VLAN's on shared switches. But unless the switches are also programmed to only communicate with specific MAC addresses on specific ports, anyone can plug in a device on such port and access any of the relevant devices on any of the VLAN's, simply by network programming of the client device, even with an appropriately tagged virtual IP address. It's possible to do that kind of restriction of access: but developers in most networks will _despise_ the security people for doing this, because it tends to cause far more failures for the developers than it prevents. Even simple wiring practices such as "the red socket is for internal security, and non-registered devices plugged into it will make us turn off the port" will upset people.

    The "internally open" network, including the infrastructure devices, is very common. Indeed, it is part of the core design of the "Internet of Things" approach to network design where all devices should be accessible at all times. Without testing, I'd not insist that Google does this. But the approach of "don't worry about the internal network, just leave it open" is very commonplace.

  21. Lack of security not a hack by FeelGood314 · · Score: 2

    You need to be able to review and understand the commands being sent on a network. Often just a one hour review will reveal that there is no real security. There are 3 levels of lack of security:

    1) Static keys, no replay attack prevention, sending the session key with a static key are all things that happen all the time.

    2) Authorization: The next level of security fuck-up for many small devices like these is a complete lack of authorization. Any device that is in radio range or has access to the LAN during the joining window can join the network. (think of WiFi or Bluetooth as an example).

    3) Identification: Most devices have no means to prove they really are who they say they are. Thus an attacker who takes one device apart and extracts its keys can impersonate almost any other device. Many networks don't even care what device joins, as long as it has a static piece of information and they have no defense against man-in-the-middle attacks. This is also the case where a single device connecting to a network can see everything. When you log into a website and pull up your information and then change the query string to another user's ID and see their information, that isn't a hack. The site is performing as designed.

    I call these lack of security, they aren't bugs or vulnerabilities, the system simply was never designed to be secure. You aren't hacking a system that didn't have security*.

    *Disclaimer: If you live in a certain country where pointing out something has no security embarrasses people with money you are likely to get charged with unauthorized use of a computer, lose all financial resources, be threatened with 10^20 years in prison and have to take a plea deal. Don't ever do security research in that country.
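The gaps named in item 1 of the comment above (static keys, no replay prevention), which the story summary also reports for the door controllers (one hardcoded key, replayable unlock commands, no record of the action), have a standard countermeasure: a random key per device, a MAC over every field, a strictly increasing counter, and an audit entry for every decision. The Go sketch below is an added example, not code from the thread or from any vendor; the message layout and the names `Command`, `Door`, `Seal` and `Accept` are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Command is a door-controller message constructed for this example; it is
// not the wire format of any real product.
type Command struct {
	DoorID  string
	Counter uint64 // strictly increasing per door, chosen by the sender
	Action  string
	Tag     []byte // HMAC-SHA256 over DoorID, Counter and Action
}

var (
	ErrBadTag = errors.New("authentication tag mismatch")
	ErrReplay = errors.New("counter not fresh: replayed or reordered command")
)

// NewKey returns a random 256-bit key. Each door gets its own at install
// time, so extracting one device's key reveals nothing about the others.
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// computeTag authenticates every field. DoorID is length-prefixed so field
// boundaries cannot be shifted without changing the tag.
func computeTag(key []byte, doorID string, counter uint64, action string) []byte {
	mac := hmac.New(sha256.New, key)
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(doorID)))
	mac.Write(n[:])
	mac.Write([]byte(doorID))
	binary.BigEndian.PutUint64(n[:], counter)
	mac.Write(n[:])
	mac.Write([]byte(action))
	return mac.Sum(nil)
}

// Seal is the management server's side: build a command for one door.
func Seal(key []byte, doorID string, counter uint64, action string) Command {
	return Command{DoorID: doorID, Counter: counter, Action: action,
		Tag: computeTag(key, doorID, counter, action)}
}

// Door is the controller's side. Audit records every decision, accepted or not.
type Door struct {
	ID          string
	Key         []byte
	LastCounter uint64
	Audit       []string
}

// Accept checks the tag first, then freshness, and only then acts.
func (d *Door) Accept(c Command) error {
	want := computeTag(d.Key, d.ID, c.Counter, c.Action)
	var err error
	switch {
	case c.DoorID != d.ID || !hmac.Equal(want, c.Tag): // constant-time compare
		err = ErrBadTag
	case c.Counter <= d.LastCounter:
		err = ErrReplay
	default:
		d.LastCounter = c.Counter // advance only for authenticated commands
	}
	d.Audit = append(d.Audit, fmt.Sprintf("door=%s counter=%d action=%q result=%v",
		d.ID, c.Counter, c.Action, err))
	return err
}

func main() {
	keyA, keyB := NewKey(), NewKey()
	door := &Door{ID: "door-A", Key: keyA}
	cmd := Seal(keyA, "door-A", 1, "unlock")
	fmt.Println("first delivery:", door.Accept(cmd))
	fmt.Println("same bytes again:", door.Accept(cmd))
	fmt.Println("sealed with another door's key:", door.Accept(Seal(keyB, "door-A", 2, "unlock")))
	for _, line := range door.Audit {
		fmt.Println(line)
	}
}
```
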

    1. Re:Lack of security not a hack by phantomfive · · Score: 1

      Good post.

      --
      "First they came for the slanderers and i said nothing."
  22. When it comes to physical building security... by Xnet+Project · · Score: 1

    Security automation measures such as RFID scanners, card insert readers, IP Security cameras, etc should always be kept on its own closed-loop network and redundant power source as a best practice. Opening security systems for buildings on a main network can, and will always result in major flaws to the physical security of an infrastructure of a housed facility, and will almost always result in vulnerability points whether it's from a localized or external source.

  23. Re: Weird by N1AK · · Score: 1

    > Ideally, the doors would be on a physically distinct network

    Ideally, they wouldn't be on any network at all if you fixate only on theoretical security threats... but in the real world both your suggestion and this was have passed well beyond the point where the inconvenience exceeds the additional security benefit. If you can compromise VLAN security to the extent that you could directly access and exploit an access control unit you could almost certainly do the same thing to access and compromise far more valuable things.

  24. Serious Linux security & maintenance question by RogueWarrior65 · · Score: 1

    Let's say that you have built a Linux-based "appliance" and it's deployed in numerous places around the world. Let's also say that you need to make some changes to system libraries for new versions. AFAIK, the only way to do this is to have root access. So how would you build some sort of updating software that a user with no Linux experience could run that would allow for installation of new system components? If you have to have root/superuser access, how do you keep it secure? Is there another way to do this?

  25. Re:Serious Linux security & maintenance questi by _Sharp'r_ · · Score: 1

    You don't need the end user to have root access, you just need to have an update process running which can acquire root access, or at least access to the files which need to be updated.

    So you give each appliance a private/public keypair and the public key of your update server. The process which has access to update would then only accept encrypted updates both designated for that appliance's specific key and signed using the update server's private key. Mutual authentication.

    You can do that online via a TLS session, or offline using USB sticks or whatever. It's easy enough to automate either process, although the USB version would require someone to physically plug something in.

    Another way to increase the security of the process is to require a reboot before any system files can actually be updated. It's more disruptive, but presumably if you have any sort of proper monitoring setup, an unplanned reboot shouldn't be missed.

    --
    The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
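A sketch of the update check described in the comment above, added here as an example and not taken from the poster or from any product: the server signs the payload for one appliance and encrypts it to that appliance's public key, and the appliance installs nothing unless both checks pass. The comment names no algorithms, so Ed25519, X25519 and AES-GCM are assumptions, as are the container layout and every type and function name.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrDecrypt = errors.New("not encrypted to this appliance's key")
var ErrBadSignature = errors.New("not signed by the pinned update server key")

// Update is a container format constructed for this example.
type Update struct {
	EphemeralPub []byte // server's one-time X25519 public key
	Ciphertext   []byte // AES-256-GCM over payload || Ed25519 signature
}

type Appliance struct {
	ID        string
	Priv      *ecdh.PrivateKey  // generated on the appliance, never exported
	ServerPub ed25519.PublicKey // update server's key, pinned at provisioning
}

// Provision creates a server signing key and an appliance that pins its public half.
func Provision(id string) (*Appliance, ed25519.PrivateKey) {
	pub, signKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Appliance{ID: id, Priv: priv, ServerPub: pub}, signKey
}

// sessionAEAD keys AES-GCM with SHA-256(ECDH secret || ID); production code would use HKDF.
func sessionAEAD(priv *ecdh.PrivateKey, pub *ecdh.PublicKey, id string) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append(shared, id...))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BuildUpdate is the server side: sign for one appliance, then encrypt to it.
func BuildUpdate(signKey ed25519.PrivateKey, to *ecdh.PublicKey, id string, payload []byte) (*Update, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	aead, err := sessionAEAD(eph, to, id)
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(signKey, append([]byte(id+"\x00"), payload...))
	plain := append(append([]byte{}, payload...), sig...)
	nonce := make([]byte, aead.NonceSize()) // single-use key, so a fixed zero nonce is safe
	return &Update{EphemeralPub: eph.PublicKey().Bytes(), Ciphertext: aead.Seal(nil, nonce, plain, []byte(id))}, nil
}

// OpenUpdate is the appliance side: decrypt, then verify the signature before returning.
func (a *Appliance) OpenUpdate(u *Update) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(u.EphemeralPub)
	if err != nil {
		return nil, ErrDecrypt
	}
	aead, err := sessionAEAD(a.Priv, ephPub, a.ID)
	if err != nil {
		return nil, ErrDecrypt
	}
	plain, err := aead.Open(nil, make([]byte, aead.NonceSize()), u.Ciphertext, []byte(a.ID))
	if err != nil || len(plain) < ed25519.SignatureSize {
		return nil, ErrDecrypt
	}
	n := len(plain) - ed25519.SignatureSize
	if !ed25519.Verify(a.ServerPub, append([]byte(a.ID+"\x00"), plain[:n]...), plain[n:]) {
		return nil, ErrBadSignature
	}
	return plain[:n], nil
}

func main() {
	a, signKey := Provision("appliance-001")
	if u, err := BuildUpdate(signKey, a.Priv.PublicKey(), a.ID, []byte("libexample 2.1")); err == nil {
		payload, err := a.OpenUpdate(u)
		fmt.Printf("payload=%q err=%v\n", payload, err)
	}
}
```

Encryption alone does not authenticate the sender, since anyone who knows the appliance's public key can encrypt to it; the pinned signature check is what ties the payload to the update server.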
  26. Door security theatre? by Latent+Heat · · Score: 1

    What is the mission of the security system at Google?

    What I figure it is for at Google and many other tech companies is to satisfy a legal requirement, for I.P. protection and especially to satisfy the U.S. Patent Office.

    If you make a public disclosure, it sets a clock ticking for a U.S. Patent and it may prevent issuance of a patent in other countries. If you make a confidential disclosure, you are protected against tripping that clock, but how do you guarantee that when you are talking to other Google employees you are making a confidential disclosure? It appears that two conditions establish a "safe harbor" on legal confidential disclosure -- that the employees you are talking to have all signed the corporate patent agreement and that there are locks on the doors and guards at the entrance to the facility.

    So Google doesn't need Minuteman Missile Base level of security, it only needs to go through the motions of security to satisfy the lawyers. However hackable their door locks were, they were satisfying the legal requirement, that is, until Genius Google Employee hacked them. Now that this vulnerability has been disclosed, Google has to rework their door locks as does every other fine user of that particular door system.

    Great job, Genius Google Employee!

  27. Re: Haxxy haxxy haxx0rz!!!1! by phantomfive · · Score: 1

    Unlike the door, it would be hard to try the nuke over and over to reverse engineer what message was being sent.

    --
    "First they came for the slanderers and i said nothing."
  28. Port Mirroring by SirSmiley · · Score: 1

    How could he even see the traffic unless he was mirroring a switchport and sniffing traffic he shouldn't be doing in the first place? He obviously had access to the door swipe VLAN and access to the network switch

  29. Re: Since when google became a bank? by Zero__Kelvin · · Score: 1

    That's one way to let the whole world know you have never worked at a tech company in your life I guess.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  30. Re:Serious Linux security & maintenance questi by ebvwfbw · · Score: 1

    As long as it can get out to the internet that's not a problem. I used to do this two decades ago with Linux firewalls I used to set up in Washington. Lot of NPOs. As long as they kept up their payment it would keep updating the machine. Sometimes I'd have to hoof it out there and do an in person upgrade. The bitch ran into it when they had no trouble so they'd cut the support contract. Then call me about a year or so later because someone broke in.

    I don't do any of that anymore. Sold that business off. However it's not hard. All you need is a cron job that updates every day. Set up a reboot schedule so kernels will get updated. That's very simple. The bitch is when you upgrade remotely and something goes wrong. One time I had to get on a plane to fix that. Machine was many miles away.