You know, whether you agree or disagree with what Snowden did, that in no way justifies killing him without a... oh, what was that quaint thing we used to require? That's right, a trial. Rule of law, and all that.
If there were to be a trial it is almost certain they would exclude pretty much all avenues of defense that support what he actually did and why. Rule of Law is no more in this country. Just ask Aaron Swartz, Bradley Manning and the host of other whistle blowers prosecuted by the self-proclaimed most open administration in history. If they want you gone they simply twist the millions of laws that exist and make up new interpretations if that's not enough. But you will be gone.
Actually, they don't need a kill switch for the phones to do this--there are a lot fewer devices to shut off if you simply shut down the cell towers in the area to cut off communication.
You're missing the point. Shutting down the cell tower is going to affect far more people than the protestors. You're going to actually add to the number of people motivated to protest. With a targeted kill switch you can just affect the actual protestors. They're already raising hell so it doesn't add to your problem.
This is the thing that people really don't understand about the modern police state. They compare it to police states of the past. In the past the oppressors only had very blunt tools for controlling the oppressed. The oppressors' ability to monitor the actions of the oppressed was very limited. So they had to immediately jump on any hints of dissension since they had no idea how much more there was they had missed. That is no more. That is the last war.
In the modern police state they can let the sheep bleat all they want. They have the ability to minutely track dissension. This way they only have to target people who are actually taking action that might cause real problems. You let people bleat all they want allowing them to think they are free to do what they want. Once it's decided they've crossed a line the tools of oppression can kick in. And they no longer require capture and torture. The oppressors already know the details of what and who is involved. They can simply eliminate those they need to within the realm of the "law". There is so much crap illegal it's almost guaranteed everyone commits the occasional felony.
the fact that they also dominate the desktop space
The desktop has been relegated to an increasingly insignificant backwater of computing devices. We no longer have a monoculture. There exists a healthy competition at least as things stand now. Android is modifiable enough for the time being.
functionality to be placed in ubiquitous consumer devices may not have the world's best security controlling them.
No. Functionality in a monoculture of secret proprietary devices determined by a single entity most certainly doesn't have the best security controlling them. There is no motivation to spend time and money on that.
Indirectly you make a point though. The government dictating functionality puts us back into the same boat as we were when Microsoft was in control. This is especially the case when the documents defining the functionality are created by technological idiots who are as like as not to think the internet is a bunch of connected tubes.
Or do these same people chide those who mention Orwell, Rand, and other authors of fiction?
You know, there are different levels of literary significance. Comparing a weekly crime drama meant solely to get ratings to a great literary work themed by the author to provide a message is kind of like the idiot in the post further down validating arguments used by a state leader to justify a surveillance state because random people in an Internet forum use the same type of argument. If people can't make that distinction we are lost already considering what's shown on TV.
Wyden knew what was going on because of the classified briefings and tried to leverage that into an inappropriate disclosure to serve his political goals.
So you're saying it's ok to lie to Congress which is the branch of office that is supposed to have oversight of the NSA. Seems to me it's Congress that should be deciding what is an inappropriate disclosure of NSA actions. Letting the NSA decide what is an inappropriate disclosure pretty much negates Congressional oversight. You are either blind or an idiot if you don't see the implications of that.
Your list probably has nothing on it that is illegal under American law and much hyperbole.
Of course it's not illegal when you can use secret interpretations of the law that twist the meaning to make anything you do legal. Secret interpretations of the law pretty much in and of itself negates the whole concept of rule of law. It's illegal for the NSA to collect information on US citizens except with a specific warrant. So just redefine the word "collect". The data is gathered and stored but that is not "collecting" it. It's not "collected" until someone actually looks at it. But that's not illegal. Yeah, right. At that point illegal and legal become irrelevant since nothing the government does will ever be "illegal".
I haven't heard of them doing anything illegal (even if some might tend to make you uncomfortable).
Just proves you're selectively listening then. At the very least there is the undeniable lying to Congress while under oath. Unless of course the NSA has some secret interpretation of perjury and the laws related to it that makes it legal when they do it. Wouldn't surprise me in the least. The list of other illegal and questionable actions is long and lustrous but since you deny the obvious and confessed no doubt you'd be blind to any other evidence.
Since we are able to post these words, especially as an AC, it shows that there is still freedom in the West.
That's just not true. With the level of monitoring and control they're trying to establish they don't have to overtly oppress every modicum of dissent. Far better to let the sheep bleat. When they can track and have a record of every place you've gone and every person you've contacted it gives them the ability to let dissension go until it actually gets to the point it is seriously disruptive or has a chance to change things.
You can live where you want, work in the field you want, and watch whatever you want to on TV or on the web.
I can only watch on TV what they put on TV. If you don't think the corporations running TV are in bed with the government you really need to open your eyes. In a lot of the western democracies you can no longer watch what you want on the web. And they can track everything you look at on the web. We don't really know to what extent they are already doing that. That's not freedom. There are so many laws in the US the friggin Library of Congress can't even tell how many there are. No one can possibly know when or if they're breaking a law. If the government decides they don't like you they can find a whole host of charges to bring against you. Just ask Aaron Swartz. That's not freedom. If you report on illegal activity by the government you're at the least hounded out of your job and taxed with unbearable legal expenses. If you're smart you just end up exiled, persona non grata. That's not freedom.
You may be tracked. But, you are not shot at when trying to leave the US. You are still free.
Wow. Just Wow. So unless they shoot at you you're free? They track where you go and imprison you if you go someplace they don't like. Yeah, that's freedom alright.
You're evaluating the control and oppression exercised by the government in terms of the historical past. To put it in military terms you're fighting the last war. The technology has advanced to the point that the tools of the past are no longer relevant. Hell, Winston Smith had a higher level of freedom than we're going to have once facial recognition becomes effective. At least he could move around with some level of freedom. The way they're going now every security camera will be tracking and recording your every movement.
I strongly suspect you've not discussed this with anyone who actually lived behind the Iron Curtain, such as Estonians, East Germans, Poles, or Russians.
I know a few people that experienced it. No one had every contact they made with anyone recorded and stored forever. A very limited number of people had their location tracked constantly 24/7. There is no need to rely on informants reporting on their neighbors. The technology will track everyone and everything. Just wait until facial recognition becomes reliable. What people don't realize is the exceptional level of power and control provided by the misuse of the technology available today. We are at a crossroads right now. The technology available today could provide a level of knowledge, freedom and prosperity never before experienced or it could be the tool for the greatest level of control and oppression ever established. The "free" western democracies should be championing the former. Instead they're rapidly moving towards the latter.
The notion of this being an Iron Curtain is a bit silly IMHO.
You're right. What they're doing is far more oppressive and effective than anything the creators of the Iron Curtain ever dreamed of.
However every country on Earth has laws against their citizens defecting to the enemy, and serving as enemy combatants.
Those laws are supposed to be applicable when the country is at war, at least in a country with rule of law. I wasn't aware that Britain was at war with Syria.
Why should Muslims get a free pass, because it's currently unfashionable to call them out on antisocial and illegal behaviour (under the rubric of "anti racism")?
So now what you're saying is that "antisocial behaviour" is the equivalent of serving as enemy combatants.
The Western Democracies are so far down the slippery slope people like you can't even see the top anymore. They've got their propaganda machines cranked up to a level that would leave Goebbels in a highly admirable daze.
As someone further up posted, your chances of dying from choking on a grape are far higher than dying from a terrorist attack. Yet here you're defending the government monitoring and oppressing a group simply for having what you define as "antisocial behaviour".
WiFi and Bluetooth. I'd be very surprised if either could be read at 8 miles in any kind of real world environment (lots of radio noise). Transmitting distance requires energy.
Does this device provide any protection against location tracking?
Unless they establish their own cellular radio network that's not possible. The phone still requires a layer one and two connection which are provided by the cellular company.
Layer one and two are the problem. Tor helps with layer 3 and 4. Your cell phone radio (layer one) has to give identifying information to the cell tower so the cell tower can authenticate it and link it to the network (layer 2). This is done continuously while the cell radio in the phone is on through the command channel. It's constantly checking in with all the cell towers within range so it can be determined which cell is the best for data connections and handing off to the optimal tower. So regardless of if and/or what you're doing data wise they can triangulate based on the cell towers your phone is talking to and get a reasonably close location. Text messages also go through the command channel rather than a data channel explaining why you can often send a text message even when you can't get a call through.
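The comment above says the network can place a handset from the towers it is talking to, whatever Tor does at layers 3 and 4. The following added example (mine, not the commenter's) shows the arithmetic behind that claim: the network only knows each tower's coarse timing-advance value (GSM TA steps of roughly 553.5 m of one-way distance), yet three such values already pin the handset down to a couple of hundred metres. The tower coordinates and handset position are constructed for the example; the TA step size is the standard GSM figure.

```python
"""Estimate a handset's position from coarse distances to three cell towers.

Added example illustrating why layer 1/2 attachment leaks location even when
layers 3 and 4 are tunnelled. Tower and handset coordinates are constructed.
"""
from __future__ import annotations

import math

# GSM timing advance: one step is one bit period (48/13 us) of round-trip delay,
# which corresponds to roughly 553.5 m of one-way distance.
TA_STEP_M = 553.5

# Constructed tower layout (metres) and a constructed true handset position.
TOWERS = [(0.0, 0.0), (6000.0, 0.0), (0.0, 6000.0)]
HANDSET = (1500.0, 2500.0)


def timing_advance(distance_m: float) -> int:
    """Quantise a true distance to the integer TA value the network would observe."""
    return int(distance_m // TA_STEP_M)


def ta_to_distance(ta: int) -> float:
    """Best distance estimate for a TA value: the middle of its 553.5 m ring."""
    return (ta + 0.5) * TA_STEP_M


def trilaterate(towers, distances):
    """Solve for (x, y) from three non-collinear towers and estimated distances.

    Subtracting the circle equation of tower 0 from those of towers 1 and 2
    cancels the quadratic terms and leaves a 2x2 linear system, solved here
    with Cramer's rule.
    """
    (x0, y0), (x1, y1), (x2, y2) = towers
    d0, d1, d2 = distances
    a1, b1 = 2 * (x1 - x0), 2 * (y1 - y0)
    c1 = d0**2 - d1**2 + x1**2 + y1**2 - x0**2 - y0**2
    a2, b2 = 2 * (x2 - x0), 2 * (y2 - y0)
    c2 = d0**2 - d2**2 + x2**2 + y2**2 - x0**2 - y0**2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("towers must not be collinear")
    return (c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det


def true_distances(towers, handset):
    """Exact handset-to-tower distances (what the network does NOT get to see)."""
    return [math.dist(t, handset) for t in towers]


def locate_from_ta(towers, handset):
    """What the network can do with TA values alone: quantised distances in, estimate out."""
    tas = [timing_advance(d) for d in true_distances(towers, handset)]
    return trilaterate(towers, [ta_to_distance(ta) for ta in tas])


def estimate_error_m(towers, handset) -> float:
    """Distance between the TA-based estimate and the true position, in metres."""
    return math.dist(locate_from_ta(towers, handset), handset)


if __name__ == "__main__":
    est = locate_from_ta(TOWERS, HANDSET)
    print(f"TA-based estimate: ({est[0]:.0f}, {est[1]:.0f}) m, "
          f"error {estimate_error_m(TOWERS, HANDSET):.0f} m")
```

With the constructed layout the TA-only estimate lands about 200 m from the true position, well inside a single TA ring; real deployments also use signal strength and sector information, which only tightens the fix. Nothing in the tunnelled payload changes any of these inputs.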
If, when admin'ing a system, you prefer the Unix/Linux way of monitoring processes, that is a matter of taste and what you are used to I guess.
It has nothing to do with monitoring processes. It has to do with being in complete control of what processes are running at all levels. You don't have to monitor processes.
A firewall makes port scanning harder (because by default computers respond 'port closed', so the scanner doesn't have to wait for timeout).
All that does is slow it down a bit. I'm not buying that it would be worth the greatly added complexity.
A separate firewall can protect against vulnerabilities in the network connection code (when it's easier to upgrade the firewall machine).
This is the one place you can make an argument and I thought about that after I made my post. But thinking it through security is about mitigating risk. Vulnerabilities in drivers are pretty rare. Especially in something as old and standardized as network drivers. And malware attacking at this level is even more rare. Anything above the driver level (layer 5 and above) is going through your firewall anyway with encrypted traffic unless you write some form of proprietary firewall software that does deep packet inspection. The other point is from a security perspective I would make the base assumption that the network my control system is plugged into is unsecured anyway. I want to secure what I can control. I can't control what is on the network my devices are functioning on. There are just too many stupid people in the world to assume otherwise.
A separate firewall blocking connections out prevents malware from sending messages back home once it's installed.
Again I'd rather secure this on my system. It should scream bloody murder or even shut down if a port is opened. Now arguably you're getting into the realm of local firewall and/or IDS software here though.
A firewall lets you filter traffic, to make sure nothing strange is getting through.
That's not really a firewall. That's more in the realm of an IDS. I wouldn't argue against having an IDS installed. But in that case I would rather install a true IDS/IPS rather than a firewall that may provide some IDS functionality.
I can follow that for WinCE generation, but since you say blanket Windows, care to expand on what in the NT security model of Windows Embedded Standard that makes it impossible to implement even the most basic of security?
Being able to simply and with certainty determine exactly what is running on the box especially with regards to external communications.
DC1/DC2, handles SMB shares for users and general data storage for the engineering staff
DB1/DB2/DB3, has 50+ services running that handles everything from antivirus updates to OPC data
OPC1/OPC2/OPC3/OPC../OPC12, handles routing for MMS traffic between database servers and equipment/controllers
History logger, runs an Oracle DB for logging every single action in the plant, required by law in this field.
BACKUP1/2, SMB shares on raid for backups of all servers and clients.
If you're using SMB on a control system your application is broken beyond the point of idiocy already. And that's my point. If you start with a broken design you're going to end up with a broken system no matter how much money and effort you put towards isolating and securing it. If you design correctly it's MUCH cheaper in the long run. You're not spending massive amounts of money on what are essentially people plugging their fingers into holes in the dike and there are a lot more than one or two holes.
what you're describing (the port listening part) *is* a firewall - just locally installed and managed.
No it's not. A firewall in every sense that I've experienced the word being used is a piece of software that monitors and filters network traffic whether installed locally or running as a gateway node on a network. What I'm saying is don't run any software that listens for network traffic except the piece of software that is using the traffic. There's a huge difference. One adds complexity. You have to configure the firewall software to accept the correct traffic and only the correct traffic. The other way it doesn't matter what traffic is sent because there is nothing there listening to it. This makes things simpler since there is nothing to misconfigure.
The traditional idea of "a firewall" is exactly that, but in a centrally managed package that makes changes somewhat easier to manage and MUCH easier to scale. No difference functionally, really, except for the "listening for specific secured encrypted messages" part, which is an application-level thing anyway. Furthermore, if planned carefully, the "secured encrypted messages" part can be offloaded to a layer 6/7 switch as well, so even that's not always a restriction.
See, this is exactly what I'm talking about. None of this is needed and contributes nothing but complexity and additional points of failure. This is an industrial control system. It's not a general network. If the only thing listening is the secure software what exactly are you going to configure the firewall software to do? What is there to scale? Your application is going to be receiving the exact same traffic if the firewall is there or not. If the application and the box it's running on are secure and running on a secure system the firewall serves no purpose. If I have a Linux/Unix box I can control exactly what is running and ensure the only thing listening for network traffic is my software. And it's trivially easy to do this if you know even basic system administration. Additionally you can configure it to ignore any additional hardware connected so some idiot plugging a USB stick in won't do anything no matter what is on it. No need for antivirus software. None of this is particularly difficult or expensive to do.
So really you just want application hardening (a good idea in most cases) and a firewall to filter the port but you want to do that N number of times for however many hosts you have doing the same job (speaking about more complexity!) instead of centralizing it once or twice to redundant switches, etc.
No. If there is no other software running why do I need software to filter the port? What you're talking about is adding pointless software.
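The commenter's position in the exchange above (and in the earlier "scream bloody murder if a port is opened" reply) is that the control host should have exactly one listener and should alert on anything else. The following added example is mine, not the commenter's, and shows one way to enforce that on Linux: parse the kernel's `/proc/net/tcp` table, collect the sockets in LISTEN state, and report any whose port is not on an allowlist. The sample table embedded in the block is constructed to look like the real format (it is not captured from a real host); the allowed port 8080 and the byte-order handling for little-endian hosts are assumptions noted in the code.

```python
"""Report TCP listeners that are not on an allowlist, from /proc/net/tcp.

Added example, not the commenter's code. The sample table below is constructed
in the /proc/net/tcp layout; the only allowed listener (8080) is an assumption.
"""
from __future__ import annotations

import socket
import struct
from pathlib import Path

# Socket state codes used in /proc/net/tcp; 0A is TCP_LISTEN.
STATE_LISTEN = "0A"

# Constructed sample: one expected listener on 0.0.0.0:8080, an unexpected
# sshd-style listener on 127.0.0.1:22, and one ESTABLISHED connection that
# must not be reported because it is not a listening socket.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002 1 0000000000000000 100 0 0 10 0
   2: 0A000005:1F90 0A000007:C350 01 00000000:00000000 00:00000000 00000000  1000        0 20003 1 0000000000000000 20 4 30 10 -1
"""

# Assumed: the host stores IPv4 addresses in /proc/net/tcp in little-endian
# order (true on x86 and most ARM Linux systems).
ALLOWED_PORTS = {8080}


def decode_addr(hex_addr: str) -> tuple[str, int]:
    """Turn 'HHHHHHHH:PPPP' into ('dotted.ip', port)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_text: str) -> set[tuple[str, int]]:
    """Return every (ip, port) in LISTEN state from a /proc/net/tcp dump."""
    listeners = set()
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != STATE_LISTEN:
            continue
        listeners.add(decode_addr(fields[1]))
    return listeners


def unexpected_listeners(proc_text: str, allowed_ports: set[int]) -> set[tuple[str, int]]:
    """Listeners whose port is not on the allowlist; anything here is an alert."""
    return {(ip, port) for ip, port in listening_sockets(proc_text)
            if port not in allowed_ports}


def check_live_host(allowed_ports: set[int], path: str = "/proc/net/tcp"):
    """Run the check against the real table; returns None where it does not exist."""
    table = Path(path)
    if not table.exists():
        return None
    return unexpected_listeners(table.read_text(), allowed_ports)


if __name__ == "__main__":
    # Demonstrate on the constructed sample, then on the live host if possible.
    for ip, port in sorted(unexpected_listeners(SAMPLE_PROC_NET_TCP, ALLOWED_PORTS)):
        print(f"ALERT: unexpected listener {ip}:{port}")
    live = check_live_host(ALLOWED_PORTS)
    if live is not None:
        print(f"live host: {len(live)} unexpected listener(s)")
```

Run from cron or as a small daemon, an empty result is the expected state and any non-empty result is the "scream bloody murder" condition; the same parse applies to `/proc/net/tcp6` and `/proc/net/udp` if those address families are in scope, which this block leaves out.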
Proper isolation, firewalling and virus/malware is.
No it isn't. That is a recipe for failure. Simplify and secure the system. Reduce the points of failure to the minimum and make sure the few that are required are secured. Adding more complexity and more points of failure just increase the probability of failure.
The problem with that is, by putting it on the internet, they've broken it (even if the breakage hasn't hit home yet). Nobody wants to admit that they've done that, but it's their own damn fault. A good start to fixing things would be to airgap the SCADA network from the internet, and if connecting is necessary at all, to use a good double firewall with hardened DMZ machine in between.
You know, I've never understood this predisposition towards firewalls. Secure the system such that it only listens on a specific port for specific secured encrypted messages. No need for a fire wall. A firewall just adds more complexity and points of failure. It's much more efficient to secure the system's communications than to try to secure the various access points.
The problem isn't Windows (not sure if you are implying this or not).
Yes it is. Only idiots put any kind of embedded and/or control system on Windows. There are a whole host of reasons why but a primary one is the design of Windows makes it impossible to implement even the most basic of security.
No, it's not clear. A lot of Snowden's evidence is fairly crap.
It's pretty clear to anyone who is paying attention to what is happening. It's only doubtful if you buy the crap the government is feeding you which they have repeatedly backtracked on after further revelations put the lie to their previous declarations. Strange, people were saying the same crap some ten years ago when some guy reported about a back room at AT&T with highly secret government computers monitoring all network traffic. Kinda funny that turned out to be undeniably true also.
I reiterate, just because voting doesn't give you the result you want doesn't mean that voting is broken. Voting is not intended to get you the result you want it's intended to get the result that the people for whatever definition of the people your country uses (in the US it's the plurality of people in a given geographic district) want.
Yeah, I'm sure the majority of the people in the US want to live in a police state. You really have no clue what is happening and it really saddens me that so many other people are right there with you. When a government official can blatantly commit perjury by lying to Congress without consequences it's pretty clear that rule of law is gone in the US and without it also gone is any ability of the people to control the government. Clinton got in trouble for lying about getting a blow job. This guy lies about what is pretty clearly illegal and unconstitutional spying on US citizens and doesn't even lose his job. And don't give me any crap about the spying being legal. It's legal only by virtue of the constitution and rule of law no longer applying to the government. There are many many more examples of the government no longer adhering to rule of law and/or doing what is in the interest of the people paying them rather than the people they're supposed to be representing. Just open your eyes and pay attention.
If you start making phones with kill switches, that is going to be a very attractive target for hackers.
Fuck hackers. Do you even begin to realize the level of control this adds to our wonderful benevolent government's ability to control the people?
There are various proposals around to eliminate cash. Eliminating cash would eliminate lots of crime
There are various proposals around to eliminate cash. Eliminating cash would allow the government to better track everything you do.
FTFY
Or do these same people chide those who mention Orwell, Rand, and other authors of fiction?
You know, there are different levels literary significance. Comparing a weekly crime drama meant solely to get ratings to a great literary work themed by the author to provide a message is kind of like the idiot in the post further down validating arguments used by a state leader to justify a surveillance state because random people in an Internet forum use the same type of argument. If people can't make that distinction we are lost already considering what's shown on TV.
Wyden knew what was going on because of the classified briefings and tried to leverage that into an inappropriate disclosure to server his political goals.
So you're saying it's ok to lie to Congress which is the branch of office that is suppose to have oversight of the NSA. Seems to me it's Congress that should be deciding what is an inappropriate disclosure of NSA actions. Letting the NSA decide what is an inappropriate disclosure pretty much negates Congressional oversight. You are either blind or an idiot if you don't see the implications of that.
Your list probably has nothing on it that is illegal under American law and much hyperbole.
Of course it's not illegal when you can use secret interpretations of the law that twist the meaning to make anything you do legal. Secret interpretations of the law pretty much in and of itself negates the whole concept of rule of law. It's illegal for the NSA to collect information on US citizens except with a specific warrant. So just redefine the word "collect". The data is gathered and stored but that is not "collecting" it. It's not "collected" until someone actually looks at it. But that's not illegal. Yeah, right. At that point illegal and legal become irrelevant since nothing the government does will ever be "illegal".
I haven't heard of them doing anything illegal (even if some might tend to make you uncomfortable).
Just proves you're selectively listening then. At the very least there is the undeniable lying to Congress while under oath. Unless of course the NSA has some secret interpretation of perjury and the laws related to it that makes it legal when they do it. Wouldn't surprise me in the least. The list of other illegal and questionable actions is long and lustrous but since you deny the obvious and confessed no doubt you'd be blind to any other evidence.
Since we are able to post these words, especially as an AC, it shows that there is still freedom in the West.
That's just not true. With the level of monitoring and control they're trying to establish they don't have to overtly oppress every modicum of dissent. Far better to let the sheep bleat. When they can track and have a record of every place you've gone and every person you've contacted it gives them the ability to let dissension go until it actually gets to the point it is seriously disruptive or has a chance to change things.
You can live where you want, work in the field you want, and watch whatever you want to on TV or on the web.
I can only watch on TV what they put on TV. If you don't think the corporations running TV are in bed with the government you really need to open your eyes. In a lot of the western democracies you can no longer watch what you want on the web. And they can track everything you look at on the web. We don't really know to what extent they are already doing that. That's not freedom. There are so many laws in the US the friggin Library of Congress can't even tell how many there are. No one can possibly know when or if they're breaking a law. If the government decides they don't like you they can find a whole host of charges to bring against you. Just ask Aaron Swartz. That's not freedom. If you report on illegal activity by the government you're at the least hounded out of your job and taxed with unbearable legal expenses. If your smart you just end up exiled, persona non grata. That's not freedom.
You may be tracked. But, you are not shot at when trying to leave the US. You are still free.
Wow. Just Wow. So unless they shoot at you you're free? They track where you go and imprison you if you go someplace they don't like. Yeah, that's freedom alright.
You're evaluating the control and oppression exercised by the government in terms of the historical past. To put in in military terms you're fighting the last war. The technology has advanced to the point that the tools of the past are no longer relevant. Hell, Winston Smith had a higher level of freedom than we're going to have once facial recognition becomes effective. At least he could move around with some level of freedom. The way they're going now every security camera will be tracking and recording your every movement.
I strongly suspect you've not discussed this with anyone who actually lived behind the Iron Curtain, such as Estonians, East Germans, Poles, or Russians.
I know a few people that experienced it. No one had every contact they made with with anyone recorded and stored forever. A very limited number of people had their location tracked constantly 24/7. There is no need to rely on informants reporting on their neighbors. The technology will track everyone and everything. Just wait until facial recognition becomes reliable. What people don't realize is the exceptional level of power and control provided by the misuse of the technology available today. We are at a crossroads right now. The technology available today could provide a level of knowledge, freedom and prosperity never before experienced or it could be the tool for the greatest level of control and oppression every established. The "free" western democracies should be championing the former. Instead they're rapidly moving towards the latter.
The notion of this being an Iron Curtain is a bit silly IMHO.
You're right. What they're doing is far more oppressive and effective than anything the creators of the Iron Curtain ever dreamed of.
However every country on Earth has laws against their citizens defecting to the enemy, and serving as enemy combatants.
Those laws are supposed to be applicable when the country is at war, at least in a country with rule of law. I wasn't aware that Britain was at war with Syria.
Why should Muslims get a free pass, because it's currently unfashionable to call them out on antisocial and illegal behaviour (under the rubric of "anti racism")?
So now what you're saying is that "antisocial behaviour" is the equivalent of serving as enemy combatants.
The Western Democracies are so far down the slippery slope people like you can't even see the top anymore. They've got their propaganda machines cranked up to a level that would leave Goebbels in a highly admirable daze.
As someone further up posted, your chances of dying from choking on a grape are far higher than dying from a terrorist attack. Yet here you're defending the government monitoring and oppressing a group simple for have what you define as "antisocial behaviour".
Further examples:
WiFi and Bluetooth. I'd be very surprised if either could be read at 8 miles in any kind of real world environment (lots of radio noise). Transmitting distance requires energy.
Does this device provide any protection against location tracking?
Unless they establish their own cellular radio network that's not possible. The phone still requires a layer one and two connection, which are provided by the cellular company.
http://www.oneluckyelephant.com
Layer one and two are the problem. Tor helps with layer 3 and 4. Your cell phone radio (layer one) has to give identifying information to the cell tower so the cell tower can authenticate it and link it to the network (layer 2). This is done continuously while the cell radio in the phone is on, through the command channel. It's constantly checking in with all the cell towers within range so it can be determined which cell is the best for data connections and handing off to the optimal tower. So regardless of whether and/or what you're doing data-wise, they can triangulate based on the cell towers your phone is talking to and get a reasonably close location. Text messages also go through the command channel rather than a data channel, explaining why you can often send a text message even when you can't get a call through.
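To make the "triangulate based on the cell towers your phone is talking to" point concrete, here is an added example (it is not code from anyone in this thread). It solves a handset's position by least squares from the ranges several towers measure to it. Everything in it is constructed for illustration: the tower grid in TOWER_POSITIONS, the handset location, and the 550 m ranging step used to mimic a coarse timing-advance value; real networks use surveyed tower coordinates and the timing advance the tower assigns to the phone.

```python
"""Cell-tower trilateration: how a carrier can place a handset from nothing
more than the towers it registers with at layer one/two.

Added example, not code from the thread. Tower positions, the handset position
and the ranging step are constructed for the example (assumption: a flat local
grid in metres is good enough over a few kilometres).
"""
import math

# Constructed sample: four towers on a flat local grid, coordinates in metres.
TOWER_POSITIONS = [(0.0, 0.0), (3000.0, 0.0), (0.0, 2500.0), (3000.0, 2500.0)]


def measure_ranges(handset, towers, step=None):
    """Simulate what each tower learns about a handset at `handset`.

    Returns [((x, y), range_m), ...]. With `step` set, each range is rounded
    up to a multiple of `step`, mimicking a quantised timing-advance value.
    """
    out = []
    for (tx, ty) in towers:
        r = math.hypot(handset[0] - tx, handset[1] - ty)
        if step:
            r = math.ceil(r / step) * step
        out.append(((tx, ty), r))
    return out


def trilaterate(observations):
    """Least-squares position from >= 3 tower/range pairs.

    Subtracting the first range equation from each of the others turns the
    circles into straight lines in x and y; the 2x2 normal equations are then
    solved directly. Raises ValueError if the towers are collinear or too few.
    """
    if len(observations) < 3:
        raise ValueError("need at least three towers")
    (x1, y1), r1 = observations[0]
    rows = []
    for (xi, yi), ri in observations[1:]:
        a = 2.0 * (xi - x1)
        b = 2.0 * (yi - y1)
        c = r1 ** 2 - ri ** 2 + xi ** 2 + yi ** 2 - x1 ** 2 - y1 ** 2
        rows.append((a, b, c))
    s_aa = sum(a * a for a, _, _ in rows)
    s_ab = sum(a * b for a, b, _ in rows)
    s_bb = sum(b * b for _, b, _ in rows)
    s_ac = sum(a * c for a, _, c in rows)
    s_bc = sum(b * c for _, b, c in rows)
    det = s_aa * s_bb - s_ab * s_ab
    if abs(det) < 1e-9:
        raise ValueError("towers are collinear; no unique fix")
    x = (s_ac * s_bb - s_ab * s_bc) / det
    y = (s_aa * s_bc - s_ab * s_ac) / det
    return x, y


def position_error(handset, step=None):
    """Metres between the true handset position and the computed fix."""
    fix = trilaterate(measure_ranges(handset, TOWER_POSITIONS, step))
    return math.hypot(fix[0] - handset[0], fix[1] - handset[1])


if __name__ == "__main__":
    phone = (1200.0, 800.0)
    print("exact ranges -> error %.1f m" % position_error(phone))
    print("550 m steps  -> error %.1f m" % position_error(phone, step=550))
```

With exact ranges the fix is the true position; with ranges rounded up to 550 m steps it lands well under one step away, which is the point: the command-channel chatter alone is enough to place the phone, and nothing at layer 3 or above (Tor included) changes that.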
If, when admin'ing a system, you prefer the Unix/Linux way of monitoring processes, that is a matter of taste and what you are used to, I guess.
It has nothing to do with monitoring processes. It has to do with being in complete control of what processes are running at all levels. You don't have to monitor processes.
A firewall makes port scanning harder (because by default computers respond 'port closed', so the scanner doesn't have to wait for timeout).
All that does is slow it down a bit. I'm not buying that it would be worth the greatly added complexity.
A separate firewall can protect against vulnerabilities in the network connection code (when it's easier to upgrade the firewall machine).
This is the one place you can make an argument, and I thought about that after I made my post. But thinking it through, security is about mitigating risk. Vulnerabilities in drivers are pretty rare. Especially in something as old and standardized as network drivers. And malware attacking at this level is even more rare. Anything above the driver level (layer 5 and above) is going through your firewall anyway with encrypted traffic unless you write some form of proprietary firewall software that does deep packet inspection. The other point is, from a security perspective I would make the base assumption that the network my control system is plugged into is unsecured anyway. I want to secure what I can control. I can't control what is on the network my devices are functioning on. There are just too many stupid people in the world to assume otherwise.
A separate firewall blocking connections out prevents malware from sending messages back home once it's installed.
Again I'd rather secure this on my system. It should scream bloody murder or even shut down if a port is opened. Now arguably you're getting into the realm of local firewall and/or IDS software here though.
A firewall lets you filter traffic, to make sure nothing strange is getting through.
That's not really a firewall. That's more in the realm of an IDS. I wouldn't argue against having an IDS installed. But in that case I would rather install a true IDS/IPS rather than a firewall that may provide some IDS functionality.
I can follow that for WinCE generation, but since you say blanket Windows, care to expand on what in the NT security model of Windows Embedded Standard that makes it impossible to implement even the most basic of security?
Being able to simply and with certainty determine exactly what is running on the box, especially with regards to external communications.
DC1/DC2, handles SMB shares for users and general data storage for the engineering staff
DB1/DB2/DB3, has 50+ services running that handles everything from antivirus updates to OPC data
OPC1/OPC2/OPC3/OPC.. /OPC12, handles routing for MMS traffic between database servers and equipment/controllers
History logger, runs an oracle DB for logging every single action in the plant, required by law in this field.
BACKUP1/2, SMB shares on raid for backups of all servers and clients.
If you're using SMB on a control system your application is broken beyond the point of idiocy already. And that's my point. If you start with a broken design you're going to end up with a broken system no matter how much money and effort you put towards isolating and securing it. If you design correctly it's MUCH cheaper in the long run. You're not spending massive amounts of money on what are essentially people plugging their fingers into holes in the dyke, and there are a lot more than one or two holes.
what you're describing (the port listening part) *is* a firewall - just locally installed and managed.
No it's not. A firewall, in every sense that I've experienced the word being used, is a piece of software that monitors and filters network traffic, whether installed locally or running as a gateway node on a network. What I'm saying is don't run any software that listens for network traffic except the piece of software that is using the traffic. There's a huge difference. One adds complexity. You have to configure the firewall software to accept the correct traffic and only the correct traffic. The other way it doesn't matter what traffic is sent because there is nothing there listening to it. This makes things simpler since there is nothing to misconfigure.
The traditional idea of "a firewall" is exactly that, but in a centrally managed package that makes changes somewhat easier to manage and MUCH easier to scale. No difference functionally, really, except for the "listening for specific secured encrypted messages" part, which is an application-level thing anyway. Furthermore, if planned carefully, the "secured encrypted messages" part can be offloaded to a layer 6/7 switch as well, so even that's not always a restriction.
See, this is exactly what I'm talking about. None of this is needed and contributes nothing but complexity and additional points of failure. This is an industrial control system. It's not a general network. If the only thing listening is the secure software, what exactly are you going to configure the firewall software to do? What is there to scale? Your application is going to be receiving the exact same traffic whether the firewall is there or not. If the application and the box it's running on are secure and running on a secure system, the firewall serves no purpose. If I have a Linux/Unix box I can control exactly what is running and ensure the only thing listening for network traffic is my software. And it's trivially easy to do this if you know even basic system administration. Additionally you can configure it to ignore any additional hardware connected, so some idiot plugging a USB stick in won't do anything no matter what is on it. No need for anti virus software. None of this is particularly difficult or expensive to do.
So really you just want application hardening (a good idea in most cases) and a firewall to filter the port but you want to do that N number of times for however many hosts you have doing the same job (speaking about more complexity!) instead of centralizing it once or twice to redundant switches, etc.
No. If there is no other software running why do I need software to filter the port? What you're talking about is adding pointless software.
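The "nothing else listening" position above, and the earlier "scream bloody murder if a port is opened" remark, both boil down to one check: enumerate the box's listening sockets and alarm on anything outside the one port the application owns. Here is that check as an added example (not code from anyone in this thread). It parses the kernel's /proc/net/tcp table format on Linux; the socket table embedded below is constructed for the example, and the allowlist entry (any bind address, port 8443) is an assumed application port, not one named in the thread.

```python
"""Verify that nothing is listening except what the application needs.

Added example, not code from the thread. Reads the kernel socket table in
/proc/net/tcp format (Linux), decodes the hex addresses, and reports any
LISTEN socket that is not on an allowlist. SAMPLE_PROC_NET_TCP is a
constructed excerpt; port 8443 is an assumed application port.
"""
import ipaddress
from collections import namedtuple

Socket = namedtuple("Socket", "ip port state")
LISTEN = 0x0A  # TCP_LISTEN in the kernel's state numbering

# Constructed /proc/net/tcp excerpt: one allowed listener (8443), two that
# should not be there (22 and 111 on loopback) and one established flow.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:20FB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0C00000A:20FB 0100000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
"""


def decode_ip(hex_addr):
    """/proc/net/tcp stores each 32-bit word little-endian, so reverse the
    bytes of every 4-byte word; 8 hex digits is IPv4, 32 is IPv6."""
    words = [bytes.fromhex(hex_addr[i:i + 8])[::-1]
             for i in range(0, len(hex_addr), 8)]
    packed = b"".join(words)
    if len(packed) == 4:
        return str(ipaddress.IPv4Address(packed))
    return str(ipaddress.IPv6Address(packed))


def parse_proc_net_tcp(text):
    """Return a Socket for every row; skips the header and malformed rows."""
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        ip_hex, port_hex = fields[1].split(":")
        sockets.append(Socket(decode_ip(ip_hex), int(port_hex, 16),
                              int(fields[3], 16)))
    return sockets


def unexpected_listeners(sockets, allowed):
    """`allowed` is a set of (ip, port); ip "*" matches any bind address."""
    return [s for s in sockets
            if s.state == LISTEN
            and (s.ip, s.port) not in allowed
            and ("*", s.port) not in allowed]


def audit_host(allowed, paths=("/proc/net/tcp", "/proc/net/tcp6")):
    """Check the live box (Linux only). Hook this to a watchdog that alarms,
    or shuts the application down, when it returns anything."""
    sockets = []
    for path in paths:
        try:
            with open(path) as fh:
                sockets.extend(parse_proc_net_tcp(fh.read()))
        except FileNotFoundError:
            continue
    return unexpected_listeners(sockets, allowed)


if __name__ == "__main__":
    found = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for s in unexpected_listeners(found, {("*", 8443)}):
        print("unexpected listener: %s:%d" % (s.ip, s.port))
```

Run against the sample it flags 127.0.0.1:22 and 127.0.0.1:111 and ignores the established connection on 8443. On a real control host you would call audit_host({("*", 8443)}) from a periodic watchdog; anything it returns is, by the argument above, a misconfiguration rather than something a packet filter should be quietly papering over.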
Proper isolation, firewalling and virus/malware is.
No it isn't. That is a recipe for failure. Simplify and secure the system. Reduce the points of failure to the minimum and make sure the few that are required are secured. Adding more complexity and more points of failure just increases the probability of failure.
The problem with that is, by putting it on the internet, they've broken it (even if the breakage hasn't hit home yet). Nobody wants to admit that they've done that, but it's their own damn fault. A good start to fixing things would be to airgap the SCADA network from the internet, and if connecting is necessary at all, to use a good double firewall with hardened DMZ machine in between.
You know, I've never understood this predisposition towards firewalls. Secure the system such that it only listens on a specific port for specific secured encrypted messages. No need for a firewall. A firewall just adds more complexity and points of failure. It's much more efficient to secure the system's communications than to try to secure the various access points.
The problem isn't Windows (not sure if you are implying this or not).
Yes it is. Only idiots put any kind of embedded and/or control system on Windows. There are a whole host of reasons why but a primary one is the design of Windows makes it impossible to implement even the most basic of security.
Driver support is not Microsoft's fault. That's the Vendors.
It's funny how this is the case when talking about Windows but when talking about Linux the opposite is true.
Don't worry. Fail safe measures will be implemented in order to keep the systems secure.
Yeah like fail safe code for nuclear release...Hey, wait...that's the code for luggage...
No, it's not clear. A lot of Snowden's evidence is fairly crap.
It's pretty clear to anyone who is paying attention to what is happening. It's only doubtful if you buy the crap the government is feeding you, which they have repeatedly backtracked on after further revelations put the lie to their previous declarations. Strange, people were saying the same crap some ten years ago when some guy reported about a back room at AT&T with highly secret government computers monitoring all network traffic. Kinda funny that turned out to be undeniably true also.
I reiterate, just because voting doesn't give you the result you want doesn't mean that voting is broken. Voting is not intended to get you the result you want; it's intended to get the result that the people, for whatever definition of the people your country uses (in the US it's the plurality of people in a given geographic district), want.
Yeah, I'm sure the majority of the people in the US want to live in a police state. You really have no clue what is happening and it really saddens me that so many other people are right there with you. When a government official can blatantly commit perjury by lying to congress without consequences it's pretty clear that rule of law is gone in the US, and without it also gone is any ability of the people to control the government. Clinton got in trouble for lying about getting a blow job. This guy lies about what is pretty clearly illegal and unconstitutional spying on US citizens and doesn't even lose his job. And don't give me any crap about the spying being legal. It's legal only by virtue of the constitution and rule of law no longer applying to the government. There are many many more examples of the government no longer adhering to rule of law and/or doing what is in the interest of the people paying them rather than the people they're supposed to be representing. Just open your eyes and pay attention.