
Inside CERT Australia

samzenpus posted more than 3 years ago | from the shiny-red-button dept.


mask.of.sanity writes "The Australian Government has a list of software holes that are so sensitive they're kept hidden from the public. These weaknesses are being used by criminals to steal our money and our data. They may even be a cornerstone to planned attacks on critical infrastructure, like energy, water and transport. But in the murky battle between those that protect us and those who seek to harm, these vulnerabilities are also the bait with which cyber-criminals are caught."


74 comments


Makes sense (0)

Runaway1956 (1322357) | more than 3 years ago | (#35779478)

You don't want HONEST people to know that the software is worth one cubic turd. Only criminals should possess that knowledge, because they are the people who will put it to best use!!

BTW - who knows why turds are round, and tapered instead of cubes?

Re:Makes sense (4, Funny)

Anonymous Coward | more than 3 years ago | (#35779516)

BTW - who knows why turds are round, and tapered instead of cubes?

That's so your ass doesn't clap when you take a shit.

Re:Makes sense (0)

Meddik (1849590) | more than 3 years ago | (#35779940)

I gotta quit reading comments while drinking Coffee, that was hilarious!

Re:Makes sense (1, Offtopic)

NoMaster (142776) | more than 3 years ago | (#35779770)

BTW - who knows why turds are round, and tapered instead of cubes?

Because you're not a wombat [museumvictoria.com.au] ?

Re:Makes sense (0)

Runaway1956 (1322357) | more than 3 years ago | (#35779846)

"Wombats produce 4-8 of these cube-shaped scats per deposition event" which has no relation whatsoever with an event horizon, I'm sure.

That's simply amazing. They really do some strange things in Australia!

Re:Makes sense (0)

sortius_nod (1080919) | more than 3 years ago | (#35780460)

It's not us that are strange, it's the rest of the world that's strange!

Re:Makes sense (0)

dbIII (701233) | more than 3 years ago | (#35780024)

Wombats have cubic crap. I don't know why. It is a way to tell if there are wombats around - apart from the big holes under or through fences. Wonderful animals but not entirely cute. Imagine a bag of completely set cement covered in fur with teeth like bolt cutters and you are not far from the idea of a wombat. Just as well they are herbivores.

Re:Makes sense (0)

sortius_nod (1080919) | more than 3 years ago | (#35780486)

Angry herbivores. I remember camping in high school and watching one headbutt a classmate who got too close to its burrow. He's lucky it didn't decide to maul him as their claws are like pineapple cutters.

Re:Makes sense (1)

johnsnails (1715452) | more than 3 years ago | (#35780548)

hahha, this is so true! We tied rope to a friend and sent him down a wombat hole to fetch a lost soccer ball. Bhahah, stupid thing to do thinking back to it!

If RSA is compromised... (1)

errandum (2014454) | more than 3 years ago | (#35779480)

If even RSA (a security expert) is compromised, I wonder how long it'll take for this list to get leaked, especially now that it has been publicized.

Or maybe the publicity is another bait and switch :P. It'd be cool if it was, but I doubt it.

Re:If RSA is compromised... (3, Insightful)

digitalchinky (650880) | more than 3 years ago | (#35779700)

From the article: (CERT) Australia, formed in 2009.

I'd say you are spot on. The article reads like an advert attempting to convince the reader that CERT Australia is important. The Defence Signals Directorate has been providing this type of service to big corporations and local government since the early 90's. (I worked there for a decade, not that this is important)

Yippee. Yet another Australian "story". (-1)

Anonymous Coward | more than 3 years ago | (#35779486)

Just what we needed.

Re:Yippee. Yet another Australian "story". (0)

Runaway1956 (1322357) | more than 3 years ago | (#35779496)

What - you don't like Aussies? You should go see the wizard, and get your attitude fixed. Hey, he gave the lion a heart, or something like that, didn't he? Or, the tin man? Whatever - go see the Wizard of Aus.

Re:Yippee. Yet another Australian "story". (1, Offtopic)

Chrisq (894406) | more than 3 years ago | (#35779508)

Yippee. Yet another Australian "story".

Just what we needed.

It's a story from the land down under.
Where systems blow and denials thunder.

Re:Yippee. Yet another Australian "story". (0)

MichaelSmith (789609) | more than 3 years ago | (#35779602)

Yippee. Yet another Australian "story".

Just what we needed.

It's a story from the land down under.

Where systems blow and denials thunder.

Careful there. You are making me remember the flute riff and that could be expensive for both of us.

Re:Yippee. Yet another Australian "story". (2)

Chrisq (894406) | more than 3 years ago | (#35779612)

Yippee. Yet another Australian "story".

Just what we needed.

It's a story from the land down under.

Where systems blow and denials thunder.

Careful there. You are making me remember the flute riff and that could be expensive for both of us.

I wonder just how long it will be before any communication which enables recall of copyrighted material needs a license. After all I clearly communicated the riff to you over a computer network.

Re:Yippee. Yet another Australian "story". (0)

stiggle (649614) | more than 3 years ago | (#35779718)

No, you didn't communicate the riff.
You communicated a trigger which activated the riff which was already embedded in the receiver, kinda like a lookup table :-)

Re:Yippee. Yet another Australian "story". (0)

Chrisq (894406) | more than 3 years ago | (#35779740)

No, you didn't communicate the riff. You communicated a trigger which activated the riff which was already embedded in the receiver, kinda like a lookup table :-)

A bit like PirateBay communicating the torrent header!

Re:Yippee. Yet another Australian "story". (0)

Anonymous Coward | more than 3 years ago | (#35779866)

That's clearly aiding and abetting. Brains are the entertainment centres of human experience. Illegal memory associations will be criminalized and a forcibly installed magnetic memory dampener activated every time a memory of an unlicensed song is about to emerge. The skull integrated memory dampener will be made obligatory via the war against terror though and inappropriate voting.

Re:Yippee. Yet another Australian "story". (0)

Anonymous Coward | more than 3 years ago | (#35784454)

Off to Brainjail [youtube.com] for you!

Re:Yippee. Yet another Australian "story". (-1)

Anonymous Coward | more than 3 years ago | (#35779706)

go fuck your self American piece of shit.

Re:Yippee. Yet another Australian "story". (-1)

Anonymous Coward | more than 3 years ago | (#35779900)

Go fuck a drop bear, convict.

Of course ... (0)

Anonymous Coward | more than 3 years ago | (#35779518)

any possibility that the list could be used to hack computers the Australian government doesn't like is completely impossible.

Stuxnet anyone ?

corporate welfare (4, Insightful)

Hazel Bergeron (2015538) | more than 3 years ago | (#35779526)

TFA:

The privileged group of more than 300 companies under CERT Australia's wing is expanding, but it does not plan to offer the secretive information more broadly.

This is corporate welfare at its finest: make the people pay to give a competitive advantage to particular companies.

When will this primitive targets-based, public-private-partnership experiment born somewhere in the '80s finally collapse? When will parties and their representation in government reflect the people again? Whether left or right, authoritarian or socially liberal, your view is no longer represented unless you've paid for it.

Re:corporate welfare (3, Interesting)

circletimessquare (444983) | more than 3 years ago | (#35779830)

it's not new, it goes way back before the '80s, corps used to get away with a lot worse, in some cases, they ran everything:

http://en.wikipedia.org/wiki/Hudson's_Bay_Company [wikipedia.org]

in fact, if we go to the stars, it will probably under the same form as this:

http://avp.wikia.com/wiki/Weyland-Yutani [wikia.com]

it makes sense that corporations take these risks, profit, then they are absorbed. the point is, corporations are never going away, because they do make sense for many reasons in terms of the most efficient way to do things. however, they are like beasts of burden: you must harness them and put them to use, or they run roughshod over your society. like GE, which paid no taxes to the USA, where the corporation is corrupting our system of government to stand above the people:

http://abcnews.go.com/Politics/general-electric-paid-federal-taxes-2010/story?id=13224558 [go.com]

additionally, we are making progress. the labor movement a hundred years ago made a huge step forward (that yes, we are backsliding on now)... after the civil war, corporations had a larger military than the federal govt, to suppress labor. blackwater is a hiccup in comparison:

http://en.wikipedia.org/wiki/Pinkerton_National_Detective_Agency [wikipedia.org]

2 steps forward, 1 step back. this struggle is going on for centuries. but please do not forget we ARE making progress against the corruption of the people's will by monied interests. it is very difficult, and takes time and much effort. today, they have an entire corporate propaganda machine, fox news, that incenses the poor and middle class to actually fight against their own interests, like affordable healthcare. it is absurd, but real

People of the same trade seldom meet together, even for merriment and diversion, but the conversation ends in a conspiracy against the public, or in some contrivance to raise prices. It is impossible indeed to prevent such meetings, by any law which either could be executed, or would be consistent with liberty and justice. But though the law cannot hinder people of the same trade from sometimes assembling together, it ought to do nothing to facilitate such assemblies; much less to render them necessary.

http://en.wikipedia.org/wiki/The_Wealth_of_Nations [wikipedia.org]

fox news "against own interests" (1)

r00t (33219) | more than 3 years ago | (#35783990)

fox news, that incenses the poor and middle class to actually fight against their own interests

You don't understand these people.

OK, an analogy of sorts: I don't shoplift. It's against my interest to not shoplift. Why then, do I not shoplift? I have this feeling that taking stuff from other people is wrong. Yes, I know, I'm being stupid and I should just do what is in my best interest. I also get really pissed off when other people shoplift, even if I'm not the shopkeeper and even if I don't see it happen. Perhaps you feel differently?

When the government takes money from other people to supply my healthcare, I get the same feeling. It's like shoplifting. It's in my interest, but it is wrong.

Yeah, we see you as morally corrupt.

so that's why you don't buy insurance? (1)

circletimessquare (444983) | more than 3 years ago | (#35784620)

you should have a $500,000 savings account in case something bad happens. because contributing to a group fund that other people draw out of is communist, right?

that you think financial common sense on the question of the best way to pay for healthcare is morally corrupt shows how propagandized you are

Re:so that's why you don't buy insurance? (1)

r00t (33219) | more than 3 years ago | (#35788398)

If I choose to buy insurance, I'm choosing to gamble. I may "win" by getting expensive care provided to me, or "lose" by staying healthy and getting nothing.

If I'm forced to buy insurance (private or government) then I'm being forced to gamble. My choice has been taken from me. Maybe I want to gamble, and maybe I don't, but taking away the choice is not OK.

I don't feel right taking your choice from you. Please don't take mine from me.

dear blind propagandized fool: (2)

circletimessquare (444983) | more than 3 years ago | (#35789224)

you don't have a choice

if you are young and healthy and have no health insurance, but you break your arm, we do not inquire as to your bank account before treating you. we treat you. then, being poor, as most young people are, you avoid the bill, or declare bankruptcy. what a nice society

this is the way it has been for decades: the state and feds constantly reimbursing hospitals for unpaid bills so the hospitals don't go under. in other words, we already have universal healthcare, that you already pay for, in the most idiotic, most expensive way via your taxes. in other words, your position is called FREELOADING: the acknowledgment that you can get injured, but not planning financially for the possibility

the only financial common sense is universal health care insurance. you want a choice? the choice you want is to not be insured, thereby forcing me, the taxpayer, to pay for your care. which is alternatingly hilarious and maddening that you talk about robbery when it is you who is robbing me. so many morons like you argue that universal healthcare rewards freeloaders who don't work. yes, it rewards them: it says you live in a society that will not let you die just because you get injured

meanwhile, you argue for the choice, the "freedom," to freeload. you want the freedom from financial responsibility for when you break your arm

i am really sick of you utterly ignorant propagandized fools

Re:dear blind propagandized fool: (1)

r00t (33219) | more than 3 years ago | (#35793928)

There is that problem, yes. It is reasonable for the government to cover the cost of treating everybody who is unable to shop around for low prices and think about payment. The free market is broken if you have a bullet in your heart; there is no time to compare prices or decide if medical care is not worthwhile.

For a broken arm, there is no reason you should get treatment without payment. It's not immediately life threatening, it doesn't impair your ability to phone doctors, and you can wait.

Really, your complaint should be against the unfunded mandate that hospitals (ones accepting medicare/medicaid and having an emergency room) accept all people without regard to past debt and without the ability to deduct unpaid bills from judgements against the hospital.

social darwinism is your answer? (0)

circletimessquare (444983) | more than 3 years ago | (#35794584)

put your money where your mouth is, ignorant free market fundamentalist

you want hospitals to turn away people who can't pay?

Re:social darwinism is your answer? (1)

r00t (33219) | more than 3 years ago | (#35804260)

you want hospitals to turn away people who can't pay?

Of course. It's unreasonable that they provide services for free.

Hey, I want a free pony too. With wings. And it farts rainbows.

I'm far from a free market fundamentalist. I recognize that there are times when a free market is impossible, I'm paranoid about the instability that leads to monopoly and too-big-to-let-fail situations, and I strongly support taxing externalities like pollution. Ordinary non-emergency health care can and should be much more of a free market than it is today.

When you are simply unable to shop around for treatment, there is no free market. In this case, the government should pay. They should pay for heart attacks, cracked skulls, diabetic shock, and similar. They should not pay for slow-growing skin cancer, long-term drug supplies, heart valve replacement, and similar.

Re:dear blind propagandized fool: (1)

TheLink (130905) | more than 3 years ago | (#35803670)

Yeah.

Taxpayers are already paying for other people's healthcare! They pay for the poor people who queue up in ER.

It's just being done in one of the most inefficient ways in the Western World.

And these fools don't want to fix it, and provide stupid reasons against fixing it.

Re:fox news "against own interests" (1)

TheLink (130905) | more than 3 years ago | (#35803630)

When the government takes money from other people to supply my healthcare, I get the same feeling. It's like shoplifting. It's in my interest, but it is wrong.

Get a clue. It's in their interest too.

Because the Government is ALREADY taking money from other people to supply your healthcare, it is just being done very inefficiently.

When you are very sick/injured and have no money you go to ER (either yourself or via an ambulance/"good samaritan") at a state hospital and they will treat you using OTHER PEOPLE'S money.

They don't just ignore you and let you suffer/die, because your country is still a _civilized_ society (it may not be true in the future but it still is, built up from the work and sacrifice of past generations). And not that morally corrupt yet[1].

If those other people want to continue living in a civilized society this is part of the membership fee. It is in their interest that their membership fees are used wisely. Sending poor people home from ER and only treating them when they are sick enough is a bad and inefficient way to do healthcare. Having insurance companies and HMOs profit from people's ignorance and stupidity is also an inefficient way of providing healthcare.

Currently the USA has one of the most expensive (if not the most expensive) healthcare per capita, and by most statistics it's not serving most people as well. The billionaires of course have access to bleeding edge treatment unavailable in most other countries.

[1] Ezekiel 16:49-50 Now this was the sin of your sister Sodom: She and her daughters were arrogant, overfed and unconcerned; they did not help the poor and needy. They were haughty and did detestable things before me. Therefore I did away with them as you have seen.

Re:corporate welfare (1)

Yvanhoe (564877) | more than 3 years ago | (#35779956)

The Australian Government has a list of software holes that are so sensitive they're kept hidden from the public. These weaknesses are being used by criminals to steal our money and our data.

So... Criminals know about these but the general public that needs to protect itself is not informed. That is great work the governement is doing.

Re:corporate welfare (1)

gl4ss (559668) | more than 3 years ago | (#35779984)

300 companies, so they could just as well be yelling the holes from the rooftops. where do they shop for the holes though?

seems just like shammy attempt at pr and funding for the office that keeps this super secret hacker mega leet list.. which the companies that sign up for can't know what it has before signing up for it of course. of course they couldn't even limit it to just companies they want, so practically anyone would have access.

this is a _business_ for cert australia. nothing more. cert is not supposed to be a business, but the guys there have no other venues really...

Julian Assange... (1)

The Fanta Menace (607612) | more than 3 years ago | (#35779560)

Your services are required. I expect the information to appear on Wikileaks ASAP.

Re:Julian Assange... (-1)

Anonymous Coward | more than 3 years ago | (#35779646)

You mean that communist terrorist rapist Aussie? It appears he's too busy editing for Slashdot these days, under the name "samzenpus".

God says... (0)

Trivial Solutions (1724416) | more than 3 years ago | (#35779568)

record attained many enemy Would barking Physician corruptly
time widows displayed produced trusting talkers Afterwards
FITNESS Oxford speaks winding names disgusted expression
boast separateth sentiment apt inspecting eluding subtilty
music harmoniseth stars wisely candle bleeding abandon
smile position buyers confesses struggle reclaim sittest
posted infidelity penetrating mixture virgins thickets
drudgery Whatever Bible legally seeketh eternity employest
forsakest gratings terrors prayer Triers applied gatherest
BREACH caught burned prescribed forsake incorruption continent
different surf reigns wring losing littles callest unceasing
barren Heaven nourishments apply remembered

Moronic (1)

Anonymous Coward | more than 3 years ago | (#35779622)

Tell people to fix these fucking "seekrit" bugs, and if they don't, make them public. Responsible disclosure. You have wankers who are on the tax payroll creating more paychecks out of the public dime for cyber "war" and fail to realize that if you just secure your fucking systems, then cyber "war" is just about impossible.

Re:Moronic (1)

Runaway1956 (1322357) | more than 3 years ago | (#35779730)

Well - maybe not "impossible" - but it would take a sophisticated and competent wanker to wage war against a properly secured system.

For reference - 2 certs (1)

tqft (619476) | more than 3 years ago | (#35779636)

http://www.auscert.org.au/ [auscert.org.au] and http://www.cert.gov.au/ [cert.gov.au]

http://www.auscert.org.au/render.html?cid=2 [auscert.org.au]
"Formed in 1993, AusCERT is one of the oldest CERTs in the world and was the first CERT in Australia to operate as the national CERT, which it did until 2010. "

As always governments don't like competition - in this case for security & secrets

sky lit up, buildings blowing away, earth shaking (-1)

Anonymous Coward | more than 3 years ago | (#35779648)

nothing on the 'news'. maybe it blew away. all this biblical style 'weather' etc.. is unnerving our animals? 2nd band of terroristic atmospheric commotion in as many hours? long day ahead? bunny or jesus? neither will help now? those with genuine hymens will be given (high) priority placement in the chosen ones' departure/reward area. the rest of us unaltered unchosen primates??? excess. like queer cave dwellers. who needs 'em?

as for the royals, chosen ones, weapons peddlers, .5billion remaining pop. georgia stone whack job/exterminators etc..;

disarm (weapons vaccines media emt etc...)

leave. yes, you're right, the glorious 'day of departure' has arrived early, even if it's too late for many of us. go. now. today. goodbye

Obvious next step (1)

drmofe (523606) | more than 3 years ago | (#35779662)

They already banned squirters and small breasted women, it was only a matter of time before they were going to cover up sensitive holes.

Re:Obvious next step (-1)

Anonymous Coward | more than 3 years ago | (#35779788)

*ba-dum-tish*

Australia? Secrecy? Good riddance! (-1)

Anonymous Coward | more than 3 years ago | (#35779678)

All secrecy is inherently evil! This way stupid aussies will see themselves hacked to bits and pieces by chinese cyber-specops and one day, probably not more than 20 years afar, the big "yellow junk" invasion fleet will arrive at their down under shores to take the mineral resource of the vast, but sparsely populated country.

I am hereby showing you why all secrecy is inherently evil! Did you know the Fukushima disaster was caused by the uncontrolled spread of the zionist-american Stuxnet military worm, which was designed to disable the iranian uranium centrifuges and the russo-iranian reactor at Bushehr by means of cyber-sabotage?

Control of backup systems in the Fukushima-1 reactors were switched over from domestic, but 1980s vintage Toshiba to Siemens Simatic S7 PLC years ago. These new systems then became infected due to the rampant USB-borne Stuxnet epidemic and did not work properly when needed, after the earthquake impulse started to scram the reactors. The tsunami had little to do with loss of backup cooling, overheating and eventual explosion of those BWR reactor blocks.

BTW, did you know that the particular "Khan P-1" uranium centrifuge set, used to develop and test the Stuxnet e-combat worm, was donated by Col. Gadhafi, when Libya made peace with the NATO a few years ago? The USA then shipped this set, identical to that of Iran, to the secretive zionist A-bomb factory at Dimona. This obsoleted set of pakistani origin was re-assembled with great effort in Dimona, kitted out with iranian-like bootlegged Siemens S7 PLC and then ran live to precisely experiment with Stuxnet attack code. That is the reason the jewish cyber-sabotage strike on Iran's atomic industry was so efficient. Now that Stuxnet has done all its duty, this little secret of Col. Gadhafi is no longer a risk to the west, so he can be bombed out of his office at will by NATO warplanes.

On the other hand, the spreading routine of Stuxnet was totally lousy and it spilled over to much of Asia and the Middle East, via USB-bearing travelers, including the permanent loss of India's Hindisat-4B civil telecomms satellite, whose Simatic-based ground controls went belly up from the side-effects of Stuxnet infection. Now it's Japan that is being wrecked by Stuxnetan, which is curious as the jewish and the japanese are the only two nations on Earth who claim to be directly descended from God(s). More like deicide than, compared Kain and Abel. If so, keep fingers crossed the japs won't decide to finish what the mustached austrian painter started.

No news outlet will report on the above info. Now you understand why cyber-security and anti-malware efforts should never involve any secrecy at all. When secrecy is involved you can be sure they mean cyber-warfare, cyber-espionage and cyber-sabotage, potentially killing many thousands of civilians, as the end of the Fukushima saga will show. Their words speak terror alertness, national security, but they mean carnage, those politicians and the IT-sec people who prostituted themselves for politics! Freedom of speech forever!

Irony (1)

TapeCutter (624760) | more than 3 years ago | (#35780028)

"All secrecy is inherently evil!" - Anonymous.

Re:Australia? Secrecy? Good riddance! (1)

erroneus (253617) | more than 3 years ago | (#35780166)

Wow! What an amazingly detailed stretch of the imagination!

So you think Stuxnet did this? Really? You're out of your mind. I'm against this support of Israel and all that stuff -- it's simply not our (USA) business to take care of those people and I think it's an embarrassment that we remain connected with them in so many ways. But I'm not going to say I hate Jewish people -- I like Jewish people! I like their food, their sense of humor and while I don't like EVERYTHING about Jewish culture (and I am certainly anti-religious) the vast majority of them are good, decent people who work for a living just like I do. It's the leadership you need to focus on here, just like the leadership of the US or any other country that isn't serving the interests of the people.

I'm not saying you have no right to be angry or to put out your hate message -- I'm saying you should at least be accurate about it. And really -- you should re-evaluate what you believe to see if it's actually reasonable and logical. I think you will find it's not.

Re:Australia? Secrecy? Good riddance! (0)

Anonymous Coward | more than 3 years ago | (#35786364)

There's a difference between Israelis and Jews.

The NSAs list is bigger (0)

Anonymous Coward | more than 3 years ago | (#35779688)

Nyah, plbt! Because we inserted those vulnerabilities in the first place.
You'll never find them.

Not a major security hole (0)

Anonymous Coward | more than 3 years ago | (#35779702)

All our passwords are "beer"

Re:Not a major security hole (0)

Anonymous Coward | more than 3 years ago | (#35779734)

But if your password is "beer", and Foster's is Australian for "beer", does that mean your password is really Foster's?

Re:Not a major security hole (1)

TapeCutter (624760) | more than 3 years ago | (#35780110)

Fosters isn't "Australian for beer", we just tell you that so you won't guess our password.

New Icon (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#35779720)

Off topic, but can we get a new icon for Australia? How about the coat of arms or the Australian flag? USA gets a flag. EU gets a flag. Australia should get a flag too. Alternatively, since the Australian dollar is worth more than the US dollar at present, perhaps we could just buy Slashdot and run it our way.

Re:New Icon (0)

Tsu-na-mi (88576) | more than 3 years ago | (#35779848)

NO.

But you may have your choice of a Kangaroo or a Koala.

Re:New Icon (0, Offtopic)

erroneus (253617) | more than 3 years ago | (#35780030)

Sorry mate, you're all a bunch of crocodile dundees out there as far as we are concerned. How about you go on a walk about and get used to the idea.

Re:New Icon (-1)

Anonymous Coward | more than 3 years ago | (#35780282)

Oh no. Our American cousins are getting upset. Listen, have a cheeseburger. It'll calm you down. Of course, its low nutritional value and high fat content will likely reduce your life expectancy but that's perfectly normal. After all, the US has one of the lowest life expectancy figures in the developed world.

Re:New Icon (1)

TapeCutter (624760) | more than 3 years ago | (#35780120)

Keep the hat but add some corks.

I don't think SocEng would work on them either.. (1)

Anonymous Coward | more than 3 years ago | (#35779750)

Let's just say I know (not well personally, but mix in a crowd) a person who lectures and researches security at a university on the aus west coast.

The guy has secret clearance, all of his net presence locked down, a great understanding of various technical and social engineering attacks. I don't know what he does in Canberra exactly but from all the talk of honeypotting I hear out of context I assume it likely to be AusCert.

We really do have some genius sec people in this country. Heck, they even get paid more than all the TS-SCI plebs in the US that are paid diddly-squat by military contractors. Australia, albeit rather weak on the global stage, is laying solid foundations - just you wait.

big aussie logic FART .. (1)

doperative (1958782) | more than 3 years ago | (#35779810)

"The Australian Government has a list of software holes that are so sensitive they're kept hidden from the public"

What platform do these software holes run on, what indemnification do the end users get from the manufacturers of the software holes?

"The agency has knowledge of security vulnerabilities that, if publicly disclosed, could grind significant elements of cyber crime to a halt .. the vulnerabilities may be more valuable if they are kept hidden and used as a means to track skittish cyber criminals"

That's the dumbest thing I ever read, as is patently obvious, the crooks are way ahead of the security "professionals".

"If we become aware of control nodes for botnets or those that harvest data that is being ex-filtrated out of a network, we will pass that information on so that it can be blocked at firewalls and organisations can see if they have a compromised machine"

As a security professional, someone should tell Rothery that there are any number of ways to bypass a firewall.

"One of the specific concerns is how a bank may protect or deal with an attack against an air-conditioning system charged with the vital role of keeping a datacentre cool"

Solution: don't connect your air-conditioning system to the Internet .. :)
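The indicator-sharing step quoted above (control-node addresses passed on so they can be blocked at the firewall and so organisations can check whether they have a compromised machine) is easy to show in code. The following is an added example, not code from the article, from CERT Australia or from the commenter; the feed format, the key=value firewall log format and the iptables rule shape are assumptions, and both the feed and the log lines are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical indicator feed: one entry per line, either a single address,
# a CIDR block or a hostname. Constructed for this example.
INDICATOR_FEED = """\
# control nodes (constructed example data)
203.0.113.7
198.51.100.0/24
c2.example.invalid
"""

# Constructed firewall log lines in an assumed key=value format.
FIREWALL_LOG = """\
2011-04-08T09:12:01 action=allow src=10.1.20.14 dst=203.0.113.7 dport=443 host=-
2011-04-08T09:12:05 action=allow src=10.1.20.14 dst=192.0.2.80 dport=80 host=www.example.com
2011-04-08T09:13:40 action=allow src=10.1.31.9 dst=198.51.100.23 dport=8080 host=-
2011-04-08T09:14:02 action=allow src=10.1.31.9 dst=192.0.2.10 dport=443 host=c2.example.invalid
2011-04-08T09:15:17 action=deny src=10.1.40.2 dst=203.0.113.7 dport=443 host=-
"""

LOG_RE = re.compile(
    r"(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>\S+)\s+"
    r"dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+host=(?P<host>\S+)"
)


def parse_indicators(text):
    """Split a feed into IP networks (a bare address becomes a /32) and hostnames."""
    nets, hosts = [], set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            hosts.add(line.lower())
    return nets, hosts


def match_indicator(nets, hosts, dst, host):
    """Return the indicator a connection hit (network in CIDR form or hostname), or None."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        addr = None
    if addr is not None:
        for net in nets:
            if addr in net:
                return str(net)
    h = host.lower()
    if h != "-":
        for name in hosts:
            if h == name or h.endswith("." + name):
                return name
    return None


def find_compromised(log_text, feed_text):
    """Map each internal source that reached, or tried to reach, a control node
    to its list of (timestamp, indicator, action) hits. A denied connection still
    means the machine is beaconing, so 'deny' lines count; the action is kept for triage."""
    nets, hosts = parse_indicators(feed_text)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        indicator = match_indicator(nets, hosts, m["dst"], m["host"])
        if indicator:
            hits[m["src"]].append((m["ts"], indicator, m["action"]))
    return dict(hits)


def block_rules(feed_text):
    """iptables rules for the address indicators only; a hostname indicator needs
    a resolver or proxy block, since a packet filter never sees the name."""
    nets, _ = parse_indicators(feed_text)
    return [f"iptables -A FORWARD -d {net.with_prefixlen} -j DROP" for net in nets]


if __name__ == "__main__":
    for src, events in sorted(find_compromised(FIREWALL_LOG, INDICATOR_FEED).items()):
        for ts, indicator, action in events:
            print(f"{src} -> {indicator} at {ts} ({action})")
    print("\n".join(block_rules(INDICATOR_FEED)))
```

Two points the code makes that the quoted sentence does not: a connection the firewall already denied is still evidence of a compromised host, so the report keeps blocked attempts rather than discarding them, and an indicator that is only a hostname cannot be turned into a packet-filter rule at all, which is one reason a firewall block on its own is not the whole answer.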

Re:big aussie logic FART .. (1)

Puff_Of_Hot_Air (995689) | more than 3 years ago | (#35779936)

Solution: don't connect your air-conditioning system to the Internet .. :)

Every time I see a slashdot post on network weaknesses with infrastructure I always see the line above. "Don't connect X to the Internet; problem solved". So here's a question, what do you mean when you say this? Do you mean make sure the network the air-conditioner is on is physically isolated from the Internet? Or do you just mean "isolated" via some router magic or other. I say this knowing that the situation on the ground is that there is hardly a network in any system that is physically isolated. Pretty much every mine, every water treatment plant, every power station, every building, has a physical connection between networks, and often a communications link from SCADA to business networks. A lot of work goes into securing the end points, but there is generally little security inside. Is this not good enough? Can these external entry points not be secured?

Re:big aussie logic FART .. (1)

doperative (1958782) | more than 3 years ago | (#35780070)

> Do you mean make sure the network the air-conditioner is on is physically isolated from the Internet? Or do you just mean "isolated" via some router magic or other

IPsec running over an IP tunnel on embedded hardware would go a long way to defeating such breaches; that they don't implement such solutions owes more to incompetence and we-can't-be-bothered ..

Re:big aussie logic FART .. (1)

Puff_Of_Hot_Air (995689) | more than 3 years ago | (#35780122)

Well, I think you'll find that they often can be bothered (in fact I know these guys take this stuff very seriously). If that's all you need to ensure the air-conditioner is secured, what's the problem?

Reality Check (5, Informative)

AB3A (192265) | more than 3 years ago | (#35779908)

I integrate, deploy, and maintain a SCADA system for a large water and waste-water utility.

Here are some facts on the ground:

1. Yes, the software is out of date, and it is poorly reviewed. The reason is that the market is small, the deployment costs are huge, and it is difficult to differentiate the bad from the worse. The effort required to swap out SCADA or control system software make similar office operations look trivial.

2. Yes, the flaws are hard to fix. We design these things for safety, and reliability, first. We have an ethical duty to turn the CIA model upside down to become the AIC model. Security is often an afterthought. In any case, most of you probably do not realize that security for an industrial process is very different from security for an office. In an office, if the computer stops, the whole office process stops and that's it. Nothing more happens. In an industrial process, the physics and chemistry of the process will continue to do something whether your control system is online or not. In other words, unlike in an office, the control system for an industrial process augments the process, it does not run it. Thus, if you crash the office computers, everything stops. If you crash a control system, the process keeps doing something, even if it is something that nobody would ever want.

3. Industrial processes can't "just shut down" on a whim. To patch a control system you need to get to a place where the process can be safely shut down, and the new process can be safely validated to prove that it does everything that is expected of it. Getting this much time and attention from people takes significant down time. With the lean operations that most places run, that kind of downtime may not be available for an entire SEASON.

4. Because of this, revealing software flaws is often a dangerous proposition. By the time we can safely patch something in an industrial control system, there may be tool kits for script kiddies.

5. Due to safety concerns, almost nobody will seriously consider an effort to spray patches to the field. Again, this is not the office. The penalty for getting things wrong could be deadly. Automated patching without careful testing on each stage of the process can be a firing offense in some companies.

I believe that the theory that the Australian CERT is using is that by keeping some flaws quiet, they reduce the chance that others may develop script kiddie development kits. I honestly do not know whether this can work, but I give them credit for trying. It will be interesting to see what metrics they use to prove this effort is effective.

Finally, please stop with the "industrial software is crap" nonsense. We engineers know that all too well; but there are no better alternatives. Would you like to see us go back to the days when everything was run with pneumatic controls or analog computers? I'll bet you wouldn't appreciate the prices you'd pay. If you like electricity and running water, find ways to write better software.

Re:Reality Check (1)

Anonymous Coward | more than 3 years ago | (#35780054)

I write SCADA software for one of the top 5 players (anonymous for obvious reasons). I resent your implication that the software is poorly written. I have worked for many different software companies, and the standard at this one is the highest of any of them. It must be; SCADA software is designed to run for many months at a time, flawlessly. SCADA software is infinitely configurable, and often includes a scripting language, which means that it cannot be statically verified (unlike a lift control system for example). All code is code-reviewed, unit tested, and the dev-test ratio is nearly 1:1. Now yes, some of the things you say are true; it looks like arse, it's difficult to configure, and worst of all security is greatly lagging (this is because SCADA networks used to be isolated, security just meant blocking the operator). The size of the dev teams for this software is small compared to that of something like an iPhone or an OS, but for what it does, the standard is high. I used to work as a systems engineer once long ago, and cursed the SCADA software a great deal, but being crap to use doesn't mean it is crap. The problem the industry as a whole has is that we are connecting these networks to our businesses and nothing on these networks can be secured. Not the SCADA system, not the PLCs, not the RTUs. We need a solution to this problem, because right now it is the wild west. The next war won't start with a bomb; your power will go out, and your water will smell like shit...

Re:Reality Check (3, Insightful)

AB3A (192265) | more than 3 years ago | (#35780452)

The truth is that the software industry marches forward at a much faster pace than we can deploy. Today's ultra reliable souped up cool stuff becomes yesterday's "what the hell were they thinking?" stupidity very quickly. In truth, it's not just about the code YOU write, it's the code that OTHERS write. They're making assumptions about your work and you're making assumptions about their work. Those assumptions are often wrong.

From my perspective as an end user, I often cannot see the dividing line between you and your component software companies. I often cannot tell whether you're using VxWorks, an embedded version of BSD, or some small company's custom RTOS. So whatever you do to improve your code may be irrelevant if the host OS crashes. From where I sit, the end result is the same.

That said, stability in most embedded OSs is usually pretty good. But the issue here is not stability. The issue is whether the software can stand up to even a mild attack. I once saw someone attack a SIL rated PLC with a LAND attack (names of guilty parties redacted to protect industry). The PLC curled up and crashed.

I would like to be able to say better things, but I have seen otherwise. Sorry...

Re:Reality Check (0)

Anonymous Coward | more than 3 years ago | (#35786468)

I am not trying to defend the state of play in regards to security. This was actually the point of my post; nothing on a SCADA network is securable. The SCADA software itself is probably better than your average RTU/PLC, but the focus on security has only begun in recent years. Secure software requires a good deal more than just "no buffer overflow exploits", a great deal of trust has been assumed in these systems. The budget for proactive security enhancements is small, and all the devices are on Ethernet and essentially un-securable. As you mentioned in your post, you can't roll out firmware updates to devices whenever you feel like it. Updating SCADA may be a little less risky, but is still a big issue, and many customers will run versions that are 5 or more years old (due to the cost of upgrading). So the real issue in my opinion, is that we are connecting these very fragile networks to our business networks, and hoping like hell that the connection cannot be breached. We as an industry get away with it because the barrier to entry is high, and there is little financial reward.

Re:Reality Check (0)

Anonymous Coward | more than 3 years ago | (#35786620)

A very good post. Very insightful.

Unfortunately, I cannot and will not mod up the posts of anyone with your username. It blows any credibility you may otherwise have had out of the water.

Re:Reality Check (0)

Anonymous Coward | more than 3 years ago | (#35780226)

I call BS on this. SCADA software is a huge market. It's just unfortunately an afterthought to the actual process hardware.

Re:Reality Check (1)

Anonymous Coward | more than 3 years ago | (#35780692)

I do mission-critical safety and security systems for aviation.

We have an ethical duty to turn the CIA model upside down to become the AIC model.

The CIA Triad itself isn't inherently weighted to value one principle over another. You make the differentiation between the office process and industrial by saying:

Yes, the flaws are hard to fix. We design these things for safety, and reliability, first.... In an office, if the computer stops, the whole office process stops and that's it.... In an industrial process, the physics and chemistry of the process will continue to do something whether your control system is online or not.... If you crash a control system, the process keeps doing something, even if it is something that nobody would ever want.

I'm assuming you're saying that safety and reliability are more important than security? How can you possibly treat a known and reproducible attack vector as anything less than a safety and reliability issue? I just don't understand this logic; security issues should be treated just like any other risk, threat and vulnerability in a Risk Mitigation, Management and Monitoring Assessment. Given the variety of security issues from denial of service/lack of availability and privilege escalation exploits, both of which can leave the system in a fail-unsafe mode which can be just as serious (if not more so depending on your application) as any other safety issue. My point is, if I knew my government was withholding information about an exploit for one of my systems and didn't disclose it simply because it was more valuable to them left open, I'd be investigating legal options, because someone being able to exploit a buffer overflow in my software allowing them to pretty much execute anything they please within the security context is just as much of a safety issue as a misplaced greater-than-or-equal-to in some sensor reading firmware for a primary instrument.

augmenting the industrial process ? (1)

doperative (1958782) | more than 3 years ago | (#35781398)

> I integrate, deploy, and maintain a SCADA system for a large water and waste-water utility.

What development platform do you use?

> the control system for an industrial process augments the process, it does not run it. Thus, if you crash the office computers, everything stops. If you crash a control system, the process keeps doing something, even if it is something that nobody would ever want.

I don't even understand this bit, or else you're just talking techno waffle, and I've worked in this industry for decades, both hardware and software, if that's supposed to count for anything.

> Industrial processes can't "just shut down" on a whim. To patch a control system you need to get to a place where the process can be safely shut down ..

No one in their right mind "patches" a running system.

> revealing software flaws is often a dangerous proposition. By the time we can safely patch something in an industrial control system, there may be tool kits for script kiddies.

How do you design it in such a way that it is accessible to "script kiddies"?

Re:augmenting the industrial process ? (0)

Anonymous Coward | more than 3 years ago | (#35786574)

You are clearly an idiot. 'SCADA system', look it up. He will use "SCADA" software to design his scada system. 'Control System', look it up. If the control system stops controlling, the process that was being controlled goes *gasp* out of control! (who would have thought it?). What industry are you in again? The ignorant make snide comments about things you don't understand industry?

Honeypotting your whole nation? Really? (2)

erroneus (253617) | more than 3 years ago | (#35780020)

This is complete irresponsible nonsense. "... the bait..."? Really?

First of all, this is called honeypotting but without the benefit of actually having complete control over the monitoring, logging and the PCs to be compromised... oh wait... maybe they do. I wonder if the rest of Australia is okay with their government withholding information and using them as "bait" while at the same time not being particularly capable of a wide-spread law enforcement activity?

Someone didn't think this stuff through before they said it.

Megalomaniacs (1)

rusl (1255318) | more than 3 years ago | (#35784010)

What a bunch of lunatics thinking they are so omnipotent in their "secret" knowledge they can outsmart everyone by being so secretive. The only real benefit to this that I can see is that (presuming they are able to be as secretive as they claim, a big if) the obvious inevitable downsides to this strategy will not be obvious to the public because they are secret. Basically, by taking the whole world off their bench and pretending to be able to do the work of the wider public in secret they will inevitably fail in the most embarrassing ways. But if they keep it secret then the embarrassment won't be made public and their public funding can continue. So basically the best approach for them is to do nothing while pretending (secretly!) to be very busy. Then they won't make mistakes because they haven't done any real work. Secrecy for the sake of secrecy! Somehow these machinations remind me of the logic in the novel Catch-22. Glad to hear institutional insanity is alive and well 70 years later.
