OT: Stuxnet worm hit industrial PLC systems

His Mom doesn't let the 'other guys' downstairs. Dimmy's quarters are a bit cramped.

mike

Reply to
m II

If she made him haul out the rotting trash and empty beer cans, they would have plenty of room.

--
Politicians should only get paid if the budget is balanced, and there is
enough left over to pay them.
Reply to
Michael A. Terrell

Actually, some places in Canada, they're paid in the $25.00 range.. Just think of that!

Reply to
Jamie

Late at night, by candle light, Jan Panteltje penned this immortal opus:


The really critical valves, pumps and whatever are supposed to be physically interlocked and protected. They cannot rely only on the PLC logic for that. E.g. e-stops should be hard-wired into the controls. Same for temperature and pressure switches. You don't want something blowing up because the PLC went haywire and ignored a pressure switch or something.

Still, someone with ill intentions can wreak a lot of mischief if he manages to remotely access a PLC and just plays around with it for a bit.

- YD.

--
Remove HAT if replying by mail.
Reply to
YD

Late at night, by candle light, "Michael A. Terrell" penned this immortal opus:


flog, flog, flog

--
Remove HAT if replying by mail.
Reply to
YD

What do you expect?

As far as I understand, the US has not had conscription since the Vietnam years. In order to attract new personnel, some "free" education is offered (free = some tours to Iraq/Afghanistan).

From the management point of view, you get a large number of people cheaply, but what kind of people does this program attract? Of course, there are a few very talented persons with bad financial backgrounds, but mostly such programs attract people that have no other way to go.

In practice, you get what you are paying for.

Reply to
Paul Keinanen

It's obvious that you know nothing about today's US military.

--
Politicians should only get paid if the budget is balanced, and there is
enough left over to pay them.
Reply to
Michael A. Terrell

What's a "wormproof serial link"? The worm doesn't need to spread across the link; it just needs to infect the system at one end of it and send commands across the link.

I think that's backwards. "Embedded" TCP/IP stacks have a fairly poor track record compared to those in real OSes.

If you want security, the main point is to resist the temptation to let users control the system via control software (even a terminal emulator) running on the same system that they use to read their email and browse the web.

If you can't afford the desk space for separate terminals, or even a KVM switch, at least keep the control software in a separate VM.

But whatever you do, don't provide a "web interface" that people will use from the same browser they use for everything else.

Reply to
Nobody

Unfortunately, there are a lot of losers around. Or (probably more commonly) people working for losers but who want to keep their job.

Who is your boss going to listen to? You with your sound security practices or someone with a huge "hospitality" budget selling a "Web 2.0 SCADA interface"?

If it's the former, then lucky you; a lot of people would very much prefer your job to theirs.

Reply to
Nobody

I no longer have a boss. :) I do still do some free computer & network consulting for small businesses.

More than once I've had to go over the heads of the IT department to make them fix security issues, or to make it clear that certain computers were not to be connected to the company network, or for them to touch without a written request. Things like a computer controlled test bed that ran an obsolete OS. We opened the plant one Monday morning, and the IT monkeys had wiped the computer, and 'Upgraded' it. They didn't back up the test software, or even ask if it would run under another OS. That cost 12 hours production time as I pieced together a working set of Windows 2.0 and the test software from dozens of sets of failed backup disks. They almost lost their jobs over that screw up. BTW, it was Scientific Atlanta who wrote the test bed software when they cloned one of our products. After a lawsuit they asked us to manufacture the hardware they had already sold, and take over all repairs. Then they threw out the source code when they packed up the relay racks to ship them to Florida.

As far as who someone will listen to, I used to work as a Broadcast Engineer. These days a lot of networked computer equipment is used and it's fun to watch radio stations try to get by on the cheap. Instead of hiring a pro in the digital broadcast studio field, they call a computer store at random, or take out the repairs in trade for advertising. Then they wonder why nothing works right. :)

--
Politicians should only get paid if the budget is balanced, and there is
enough left over to pay them.
Reply to
Michael A. Terrell

So why then could one lonely geek in a London bedsit wreak such havoc on them if they were properly prepared and configured secure systems?

Think what a team of enemy hackers could do...

I don't doubt that the hardware is capable of being secure. But I do doubt that the monkeys using it can do the job correctly. Even the UK's Daily Mail thinks this guy should not be sent to rot in US jails.

If you leave doors wide open on secure systems then you are asking for big trouble. This guy was pretty harmless but what about our enemies? (and they may well be a lot smarter about covering their tracks).


Regards, Martin Brown

Reply to
Martin Brown

Perhaps this question might be politically incorrect in the US of A, but what is the demographic distribution of population groups in the military forces compared to the general population?

Bringing the discussion back to S.E.D, while working in projects paid by various national armed forces, I would not be at all surprised that most of the "secrecy" is simply due to avoiding showing the incompetence of people making the actual orders :-).

Anyway, the US military might be able to hire competent people after a decade without foreign wars.

Reply to
Paul Keinanen

On a sunny day (Sat, 18 Sep 2010 14:55:24 +0300) it happened Paul Keinanen wrote in :

In my view the US army is largely a social project for the US weapon manufacturers. They start wars so these people can remain in their jobs, same for the mil brass. Of course they offer up some cannon meat in the process, and the lower educated poor are used for that.

It is not about how to 'win' a war, it is about how to stay in combat as long as politically possible, test new (some extremely unbelievably stupid) weapon system ideas, like for example how the Taliban was [is?] using a cheap or even free Russian TV hack program to watch the video streams sent by the US drones, because US thought it was not worth encrypting those pictures.

US hardly ever wins wars (Vietnam, South America, Iraq, Afghanistan), they always have to leave, with the place left in a mess, installing a weak US puppet government, that then will be toppled later. Weapon sales has its hold on US government in a big way. There are 2 export products basically: MS Windows (and we all know how fantastic that is), and Weapon systems.

They play Iran, make everybody think it has the bomb, or maybe CIA even gave them plans for the bomb, so they can sell $$$$$$$$ to its neighbour countries. They bribed Israel by paying it some extra not to smash that Iranian nuclear plant. Same in N Korea, the whole east is buying US arms and technology to protect against that 'danger'. The game goes on.

Of course with all those explosives stocked, the old rule, 'what is there will be used' may make for some big fireworks some day. For the US it has always been the strategy: Do it far away from home. Now, when economics are not so good, things could explode at home. As we all know Texas will go back to Mexico, NY and Portland to Canada, and Californaiee will be ruled by King Arnold Schwarzenegger. Jim T. will also become a Mexican citizen. :-)

Disclaimer: I claim everything. Back on the terrorist list :-) LOL

Reply to
Jan Panteltje


The nets I work in are.

Reply to
WallyWallWhackr


Said the idiot that thinks that racks are secured by tiny locks and vault like cabinetry.

I'd bet that it is you that is at least ten years behind the curve, boy.

Reply to
WallyWallWhackr


Fortunately, your view is worthless, as always.

--
Politicians should only get paid if the budget is balanced, and there is
enough left over to pay them.
Reply to
Michael A. Terrell

Civilian contractors. You have to take a lot of tests to enter the US military these days, unlike W.W.II where all you needed was two feet and a somewhat regular pulse.

Launch a brute force attack that would set off all kinds of alarms.

No surprise. If someone from the US hacked your government's computers they would be crying like babies as they demanded their head on a pike.

Ever heard of a 'Honey Pot'?


--
Politicians should only get paid if the budget is balanced, and there is
enough left over to pay them.
Reply to
Michael A. Terrell

Contact some US military recruiters and ask them what the current requirements are to join. They reject a lot of people because they don't have the required skills.

That's the European model, like where they didn't bother giving their troops the day's passwords, or telling them which site markers to use, or what areas would be under heavy fire that day.

I love it when you project your failings on the US.

--
Politicians should only get paid if the budget is balanced, and there is
enough left over to pay them.
Reply to
Michael A. Terrell


This is how/why we know what level you entered at.

=20 BWUAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAH= AHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA!!!

Reply to
WallyWallWhackr

Nope, still cleaning toilets (his greatest dream).

With that scat fetish, "Asspergers", perhaps.

Reply to
krw
