Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Comments

top

Citizen Eavesdrops On Former NSA Director Michael Hayden's Phone Call

StickyWidget Guys has some brass ones... (390 comments)

Even took a picture with him afterwards.

about 9 months ago
top

Ask Slashdot: How Best To Disconnect Remote Network Access?

StickyWidget Re:Never heard of a firewall? (284 comments)

In IT, it's a very easy concept. Process control and industrial control systems is another matter entirely. They don't have a firewall team, or an IT staff, or a network admin, or a Windows Domain Architect, or any of that stuff. They don't have 4 days to wait for a change control board to approve access, because they usually need the vendor to fix crap immediately, or lose a few hundred thousand dollars in lost product.

They have Steve, who has been at the plant since God stopped by for tacos. Steve knows some stuff about computers, like how to google common problems, or he asks his 12 year old kid how to fix it.

Culture is entirely different, the level of experience required with IT equipment is minimal in the operation. Most of the equipment comes preconfigured, doesn't change for 5 years, and if it breaks they get a replacement in the mail. And, they are usually required to NOT change network configs, mainly because they can royally screw something up (and generally do).

I'm not making excuses here, I think good change management would be important. But, these guys operate at the same basic IT level as a McDonalds. I wish I could communicate the exact depth and width of the gap between IT and IndustrialControl, but nobody in IT ever believes me.

~Sticky

about a year ago
top

Ask Slashdot: How Best To Disconnect Remote Network Access?

StickyWidget Re:you're overthinking it. (284 comments)

Airgaps aren't a panacea. USB keys, CDs, even floppy disks (yes, these places still have those) can all bridge an airgap in a non-detectable manner.

Most of these systems have no actual monitoring to ensure that the integrity of the network stays constant. And, if it makes a process control professional's life easier, they WILL connect it to the internet for 'a little while', go home, forget, and completely deny they did it if the fit hits the shan.

The people need change too.

~Sticky

about a year ago
top

Ask Slashdot: How Best To Disconnect Remote Network Access?

StickyWidget Re:Short answer? Yes. (284 comments)

Agree. They will do this. Seen it everywhere. And if the run is too long for a cable, prepare for wireless.

~Sticky

about a year ago
top

Ask Slashdot: How Best To Disconnect Remote Network Access?

StickyWidget Re:Relays & ATtiny (284 comments)

No. What happens to equipment or people if lightning strikes nearby, or if a major pump shorts out? Will it transmit the current into the process switches, causing a larger issue? Will it electrocute someone nearby? Questions like these need to be answered before tossing equipment into an industrial environment.

Neat idea, needs more than just an ATtiny. It was good though that you picked a relay that requires power from the ATtiny to turn on, I've seen other guys accidentally set stuff to fail open when they lose power.. Nasty business.

~Sticky

about a year ago
top

Ask Slashdot: How Best To Disconnect Remote Network Access?

StickyWidget Re:Never heard of a firewall? (284 comments)

Some vendors require this kind of remote access during warranty period of their equipment. Basically, the equipment doesn't belong to the client fully until it has met all requirements in the contract. Typically, this is 3 months to a year of service under operating conditions specified. So, what do you do when your contract requires you to keep a door open for the vendor, or otherwise absorb the risk of a ~1-5 million dollar job not being supported by them? Additionally, the guys allowing the vendors are normally not the guys you want screwing around in the firewall config on a regular basis. The physical switch makes some sense for people who are used to pressing buttons, turning levers, etc to make things happen/stop happening. ~Sticky

about a year ago
top

Ask Slashdot: How Best To Disconnect Remote Network Access?

StickyWidget If you'd read my report... (284 comments)

You wouldn't have an osm to worry about.

~Sticky

about a year ago
top

China Plans National, Unified CPU Architecture

StickyWidget Awesome Idea for US Intelligence Agencies (240 comments)

If the new architecture has backdoors, I'm sure we'll spend a lot of money to crack the backdoor, and then it to infiltrate Chinese systems.

Win!

~Sticky

more than 2 years ago
top

Purported FBI Report Calls Anonymous a National Security Threat

StickyWidget Re:Interesting... (159 comments)

Remember kids, if your group declares that it has no real leadership, and is a decentralized collective of individuals that spontaneously gather together, than the FBI has a real tough case to justify to their superiors. But, if they start compiling evidence that there ARE leaders, and those leaders can be held responsible for the crimes of the followers, then they can pursue a case. That's RICO. [http://en.wikipedia.org/wiki/Racketeer_Influenced_and_Corrupt_Organizations_Act], and it's a big freakin deal.

Everyone calls Anonymous a bunch of childish pranksters, but creating an organization that requires the FBI to jump through hoops just to open a priority investigation hints at deeper intelligence.

~Sticky

more than 2 years ago
top

Purported FBI Report Calls Anonymous a National Security Threat

StickyWidget There's Another Reason it's a Nat'l Sec Threat.. (159 comments)

It opens up all kinds of legal methods to track, surveil, and identify potential Anonymous members that wouldn't be possible for a 'nuisance' group, and remove most of the privacy obstacles around getting information.

The FBI is building up evidence against Anonymous and Lulzsec to get a National Security Letter. After that letter comes in, the FBI has all kinds of new powers to work with under the Patriot Act. They won't need a court order to subpoena ISP, internet, and bank records, and wiretaps can be done with fewer obstacles.

~Sticky
/Yadda Yadda.

more than 2 years ago
top

Chief NSA Lawyer Hints That NSA May Be Tracking US Citizens

StickyWidget Hmm. Complicated. (213 comments)

Probably cross-border listening stations intercepting calls from US numbers, that just happen to be within the US at the time. Whoops.

The only complicated part of this is the 'find some jackass to give a legal justification'.

~Sticky

about 3 years ago
top

Duplicate RSA Keys Enable Lockheed Martin Network Intrusion

StickyWidget Re:Spoken like a true spokesperson... (138 comments)

Multiple keys wouldn't have helped, since it appears the attackers identified all the seeds that were ordered by Lockheed from RSA. Whatever process they used to assign these seeds to unique individuals would have been robust enough to notice that the individual was using two.

It was endgame. Everyone should have trashed all their tokens weeks ago.

~Sticky

more than 3 years ago
top

Swiss To End Use of Nuclear Power

StickyWidget Re:Headline Misleading (470 comments)

A misleading headline on Slashdot? Say it ain't so.

~Sticky

more than 3 years ago
top

DHS Chief: What We Learned From Stuxnet

StickyWidget Another thing Learned... (125 comments)

...is that guys at Langner Communications have seriously the best control system security chops out there.

~Sticky
/My opinions are my own.

more than 3 years ago
top

Obama Calling For $53B For High Speed Rail

StickyWidget Build it and They Will Come (1026 comments)

Look, the government really needs to get behind this effort. If a train track system was built that connects major cities with one another, AND if it's designed to be fast, accommodate lots of trains at nearly the same time, and is safe, companies will line up with products to use it.

I'm talking:
1. Siemens and GE producing trains and traincars designed for the tracks
2. Caterpillar and Mack produce the engines
3. ABF, DHL, Fedex, etc will all buy the trains and engines and use them to deliver goods
4. We'll use that for our internet orders, and to transport goods and services anywhere cheaply

It's not just about passenger trains, there's an entire market segment out there ripe to be innovated by trains. I'm talking about trucking companies, we could get them out of cities. We could reduce fuel costs, and insurance.

~Sticky

more than 3 years ago

Submissions

top

SCADA over Cell Often Improperly Secured

StickyWidget StickyWidget writes  |  more than 4 years ago

StickyWidget (741415) writes "The Control System Security research firm DigitalBond recently published two blog posts dealing with the security of cellular based networks. Basically, the same networks that carry IP from your cell phone to the Internet are being used for command and control of water, electric, and other critical infrastructure. DigitalBond researchers ran a low and slow port scan over their Verizon network cards, and preliminarily identified 1420 Raven Airlink devices. These Airlink devices are used primarily in remote, rugged, environments for interfacing local control systems to a master control station. The main point is that carriers [including Verizon http://b2b.vzw.com/productsservices/customapplications/privatenetwork.html%5D are targeting critical infrastructures with products claiming a "private network" when often none exists. These 'private' networks are often easily accessible by other subscribers, and coupled with insecure design on the utility side, could put operations of critical infrastructure in jeopardy. [Post 1: http://www.digitalbond.com/index.php/2010/03/01/scada-devices-on-verizon-and-other-wireless-networks/%5D [Post 2: http://www.digitalbond.com/index.php/2010/03/02/using-verizon-broadband-for-scada/%5D"
Link to Original Source
top

Shutterbug Drops Nuke Plant from Electric Grid

StickyWidget StickyWidget writes  |  more than 6 years ago

StickyWidget (741415) writes "An emergency shutdown of a reactor at the Indian Point nuclear power plant was caused by signals from a worker's digital camera. Federal regulators said radio frequencies from a camera too close to a control panel interfered with a boiler pump that provides water to four steam generators. Water levels dropped, and Indian Point workers had to shut down the reactor two days before a scheduled refueling shutdown. No radiation was released.

Yep, you heard right. American nuclear power plants can be taken offline by standing too close to a panel with a powered up digital camera."

Link to Original Source
top

Miconfigured DHS Email List Exposes User Data

StickyWidget StickyWidget writes  |  more than 6 years ago

StickyWidget (741415) writes "At 8:19 this morning, a subscriber to the DHS Daily Open Source Infrastructure Report emailed to the Department of Homeland Security a note that said he was changing jobs, and would like to receive the DHS Daily at his new email address. The DHS Daily provides an open source news summary of articles involving the US infrastructure that might be of interest to the security community. It is distributed via email each day to (now obviously) thousands of individuals across the country, many in positions of power at government, private industry, and other organizations.

The email listserv was improperly configured, allowing the exposure of the names, phone numbers, titles, and organizations of many individuals involved in the security community. What's more, recipients of the emails continually sent emails back to the listserv, attempting to tell others not to send any more email, causing even more spam to accumulate. Computer Sciences Corporation, was outed in one of the emails by DHS personnel as being the contractor in charge of the listserv.
"

Link to Original Source
top

DHS: Hacking Electric Power Control Systems

StickyWidget StickyWidget writes  |  more than 6 years ago

StickyWidget (741415) writes "Researchers who launched an experimental cyber attack caused a generator to self-destruct, alarming the federal government and electrical industry about what might happen if such an attack were carried out on a larger scale. DHS acknowledged the experiment involved controlled hacking into a replica of a power plant's control system. Sources familiar with the test said researchers changed the operating cycle of the generator, sending it out of control. In a previously classified video of the test, the generator shakes and smokes as a direct result of the attack, and then stops.

"I can't say it [the vulnerability] has been eliminated. But I can say a lot of risk has been taken off the table," said Robert Jamison, acting undersecretary of DHS's National Protection and Programs Directorate."

Link to Original Source

Journals

StickyWidget has no journal entries.

Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>