dumb-asses who hook their SCADA systems to the internet richly deserve what they get
Agreed, but what bothers me is that I sometimes have little choice in relying on services provided by the aforementioned dumb-asses (e.g. electricity).
The steps you mention are good ones, but an air gap is still a very good step in that defense in depth approach. Also, several of the steps you mention avoid damage to systems, which is always a good idea (even if just protecting against your own software problems). However, they don't necessarily guard against interruption of service. For things like the electrical grid that can be serious. Bonus points if you can cause a cascade failure.
I have read plenty of stories about how hackers will drop elevators full of passengers into the basement, and turn traffic lights "all green". But anyone that works on those systems will tell you that it is all baloney. It is physically impossible to do that from software.
Yes, the elevator thing is silly as they've all had mechanical safety features since the days of Elisha Otis. If by turning traffic lights all green you mean in both directions, then that's also probably silly. That doesn't mean that all scenarios, including the damage from the interruption of certain services, are silly.
This is high-octane scare mongering. Be afraid, everyone!
You act as though someone were calling for a nuclear attack. Even if this story is total garbage, I hope it gets lots of attention. Something has to be done about our insecure SCADA/infrastructure, regardless of whether you think the threat is from the Evil [insert whatever you hate here] or a bored kid in the basement.
I'm nominating you for Secretary of State. It's a brilliant diplomatic strategy. The US and Iran can become allies in a war against Adobe. Then in the spirit of George Washington's advice about international affairs, we can say we're sorry about the shah, they can say they're sorry about the hostages, and we can put the whole mess behind us. Bonus points for destroying Adobe.
Why is it okay for the US to sponsor cyber attacks, but not the Iranians?
I'm not going to get all philosophical as that's not my shtick. I'm not even going to say it's "okay" for us to do it and not them (did somebody actually say that?). As an American I'd rather the US be successful in its attacks and the "enemy" not. I don't pretend it's anything more than that.
That doesn't mean I'm a bang the war drum type about Iran. However I'd rather they not get nuclear weapons. I'm not sure how far the US should go to prevent that (I'd certainly be opposed to a full blown war) but Stuxnet was a clever technique that didn't even hurt anyone. My attitude is "well done". I don't want Iran to be successful in a similar attack on the US. So far it seems they're only gathering intel, but the possibility of targeting our infrastructure is frightening. It's also potentially much more damaging than destroying some centrifuges.
The Chinese stole it off one of the classified networks (like SIPRNet), which the DoD has known to be compromised for quite some time.
At least according to Wikipedia, SIPRnet is used for classifications up to the level of secret, which is high enough to cause damage. It also has 4.2M users, which is far too many. I don't care how good your firewalls or whatever are, that's just too many eggs in one basket. While you can go overboard with it, a certain amount of compartmentalization is needed for security.
what the DoD doesn't exactly recommend is the precise thing that would secure us from this manufactured menace: reduce the amount of off-shored and outsourced manufacturing to China.
The DoD has nothing more powerful than nuclear weapons, but the outsourcers are listed on the stock exchanges.
In the old days this stuff would be kept on airgapped networks. Today we have 'globalized workforces' and companies are run by MBAs who don't really understand or care about things the military does.
Unbelievable. In the old days defense contractors had to pass security audits. What happened to them?
Agreed. The B52 was flying before any of the current generation was even born. Today's pilots may be flying the same s/n airplane their dad flew but it is not the same airplane.
A few years ago I worked on a (non-classified) avionics upgrade for B-52's. If you'd told me when I was a kid that someday I'd be doing that, I'd have laughed at the idea.
If you program your smartphone in assembler instead of Java+15 layers of abstraction and indirection, then, Yes.
Quiet, you're giving away the secrets of the ancients (I'm one of them). Many people these days are unaware of the fact that 8-bit micros even exist, and that computers can be made to run without an operating system! Strange but true.
these were first designed in the 70's and even with some upgrades I bet smartphones have a lot more computing power than the aegis cruise
Irrelevant. Straight computing power is cheap, but things like tracking and guidance algorithms aren't. Also, apparently unknown to many Slashdotters, there are technologies other than computers. Many are supposed to be classified (at least the details) and not available commercially.
In the 1970s, China managed to kludge together a weak clone of Boeing's 20+-year-old 707
Ancient history. China has changed a lot since then.
China... has found better success in getting people to willingly hand them the capabilities and processes. China's MD-80 license production and the assistance they got from McDonnell-Douglas is the biggest factor in their current aerospace pushes being at least semi-feasible.
There I agree with you. The spy stuff seems pointless compared to what we just hand over. Don't forget GE, which first gave China know-how in building gas turbines (less than a half-step from jet engines) and IIRC is now developing a "partnership" to make jet engines in China. Applied Materials set up a big research lab there, so maybe in the future they can skip the intermediary step of importing it from America and just have "American" companies develop it over there.
so individuals of a country stand for all of those in that country
Stop being sanctimonious. The OP didn't say or imply that. Yes, saying the "Chinese" is not strictly accurate, but is often used the way the OP did in these discussions. I prefer to say "China" but even that's not strictly accurate. "Chinese government" would be the best phrase, but the shorthand is well understood. Even during the bad old days of the Cold War, when Reagan talked about the evil empire, it was well understood that most Americans, including Reagan, had nothing against the Russian people and the various other peoples in the USSR. Animosity toward a people is usually reserved for actual shooting wars, and even then is optional.
so americans are their own worst enemy
Of course, has there ever been a people that wasn't true of?
Which demonstrates further that almost all classification is about hiding secrets from one's own citizens.
What it really proves is that the British press covers the US better than the American press. As an American, I've known that for some time, and do (at least occasionally) look at the BBC or some British papers for US news.
As far as "almost all classification is about hiding secrets from one's own citizens", I think that's generally true but doesn't apply to the design details of weapons systems. It's one thing to know about the existence of a weapons system, its general capabilities and performance, and quite another to know all the details in the engineering files.
Think about all of the people that have access to these drawings in electronic form.
We could always go back to hand-made drawings. I miss the ammonia smell of a blue-line machine.
On a slightly more serious note, while you're right that nothing can be made completely spy-proof, making it more spy-proof helps to minimize the problem. In the days of paper drawings, you had to keep them in a locked filing cabinet and lock them up if you so much as left your desk to get coffee. A PITA but that's how security is. The article doesn't say, but I wouldn't be surprised if many of the compromised machines were, at least indirectly, connected to the Internet. That should be a complete no-no, just as it should be in SCADA. The use of thumb drives (or other removable storage) should be severely restricted. Only get them from IT (who should scrub them) and not allowed in or out of the building except literally under guard. Same with laptops. Also a vetted and enforced process for destroying old hard drives, etc., etc., etc. Again, a real PITA, but procedures that were at least as much of a PITA were used in the paper drawing days.
Because it isn't like China, Russia, Iran, North Korea, or various other countries would want to upgrade their military independently of the US, for their own purposes. None of their weapons designers ever had an original idea, or were the first ones to make a concept actually work in a weapon.
That's utterly irrelevant, unless you believe that the same things are true of the US. You're the one who is making a ridiculous assumption about the Chinese (etc.) military and defense contractors, specifically that they suffer from NIH. I doubt they're that stupid. The US wasn't when after VE day it grabbed as many German rocket scientists as it could. You know, the folks who, in addition to their direct or indirect contributions to US military capability, were responsible for the first US satellite getting into orbit and the Apollo missions getting to the moon.
It makes sanctions, import tariffs and laws like the Patriot Act II much easier to enable.
How can you possibly equate tariffs w/ Patriot Act N? Last time I checked the federal government clearly has the power to levy tariffs, and in the last 200+ years nobody has come up with a decent argument for how they interfere w/ civil liberties. By contrast Patriot Act N is another step in turning that troublesome Bill of Rights into toilet paper.
Many European countries have coalition governments, something I can warmly recommend.
There is a rough equivalent in the US, when there is mixed control of the presidency and the two houses of congress. That's actually the norm, and so for better or worse you pretty much have to come up with something like a coalition to pass any bill. Like coalition parliaments, that can be productive or it can be a deadlock.
Regardless of how people would debate that interpretation, the problem has nothing to do with the difference between parliamentary systems and the US system. Under the same system of government it has now, once upon a time the US was in the forefront of the environmental movement. It took years for Europe and Japan to catch up. Unfortunately the US is now busy moving backwards.
Is it your scientific contention that every bad thing that *COULD* happen *MUST* happen no matter how unlikely or how many precautions are taken against it?
Could you possibly come up with a less meaningful boilerplate argument?
It really will be a photo finish to see which country has more cheap, lazy, and incompetent mid and upper level bureaucrats and MBAs.
The ultimate cage match: MBA's vs. theocrats.
And I thought that "what do Twinkies and Internet connections have in common" was just a philosophical question.
how can we be sure what the contractors were doing?
DoD security audits. They at least used to be required for any contractor or sub-contractor doing classified work.
You would still have to get rid of the coffee.
American propaganda
Please cite your evidence for that assertion.
Pogo: We have met the enemy and he is us.
In the same manner that oak barrels inject other hydrocarbons into scotch. Benzene in trace amounts might make the beer tastier. Umm, benzene.
There may be some minor differences in the physiological effects of different hydrocarbons. /sarcasm
However, if you want benzene in your beer, then add some. I'll refrain.