"I have watched this thing grow... to the incredible proportions it has reached today. I have studied the facts ... facts, and by projecting the statistics I realized the time has come to act. I realized I had to act before the entire will and vitality of the free Western world was sapped and polluted and made rancid... The …
So if they take utilities out...
How do they continue the attack without POWERED network infrastructure? OK, maybe the big boys have a UPS. How long will they last?
In other scaremongering articles I have pointed out that almost ALL utilities have the ability to be run purely locally (off network), with some help of the humble telephone, or if they are down too then HAM radio enthusiasts might finally have their day as heroes.
This article is absolutely a breath of fresh air. Other articles on the use of SCADA to infiltrate utilities are a lame duck.
just sit back and watch
"It is necessary only for the good man to do nothing for evil to triumph"
In this case, I doubt if the Chinese (or anyone else, either) need to hack away at American infrastructure - it seems to be quite capable of falling over on its own. Given the parlous state of almost all software projects: the brittleness of the software, the unexpected side-effects and best of all, the lack of understanding when it comes to making changes - I'm amazed that more things don't go wrong.
Of course, if the Chinese weren't there it would be necessary to invent them - or another boogie man. The alternative would be having to face up to the unpalatable truth that the software that companies pay millions-to-billions for is basically, crap. In the particular case of hardening the strategic oil refineries to withstand attack, taking their control systems off the internet would be an extremely effective first and last step.
I love it when a pedant makes an ass of himself.
As the article states they are not named for the red berry but for the "surname of Tom Rasberry" and if he wishes to spell his surname in that fashion and the ants are named for him then they are rasberry ants and not raspberry ants.
Why can't it be true? Instead of ridiculing America, as Europeans are wont to do, investigate to find out the truth.
Shades of Neuromancer
So this will all end with special forces teams in ultralights dropping outside Beijing to hack into the Chinese defense network ?
There are about one hundred (give or take) commercial cables connecting North America with the rest of the world, presumably the military connections are better defended than the commercial ones.
When the attack comes (they're gonna bury us in IP packets, not hang us with the rope we sold them?), how about just unplug the routers? Perhaps cut all the cables coming out of China? Maybe do an adroit change from IP to Decnet (it's not routable, you know, hahahah!)
This though would be too simple. Indeed, in view of the 10 Km tall barrel of pork that "fixing" the 'net would enable, it could not be considered cost effective.
"In another manner of speaking, if one can fill a room with bull, hearsay and gossip, there's always a magic tipping point where it transforms into fact, like lead turns into gold when touched by the Philosopher’s Stone in alchemy."
Rational BS, but surprisingly accurate as emotive logic.
Closing the gap
I'm sure we can close the tunnel and cyber gap by hacking in their precious bodily fluids before they do it to us!
Note to self: Watch Dr. Strangelove again.
Call me old fashioned....
...but if I wanted to take a refinery offline, I'd just toss a couple grenades over the fence and beat a hasty retreat.
(Flame for the obvious.)
Nuclear option = Big Red Button
Easier to add a Big Red Switch, turn off all border routers. Perfect isolationism. No cyber attacks happening then apart from those dirty sixth columnists ... (file sharers, literate commies, atheists, etc.)
Re: Chinese cyberattacks
Ask the same about 11/9 being an inside job...
Confuse them by artistry
Could it be that the people who fall for this bull are the ones who think of "cyberspace" in terms of a fully-connected 4-D continuum in which you can "move around" and play cat and mouse? In fact, the idea that William Gibson laid out and that "conceptual artists" promote until today.
As opposed to a very low-dimensional sparse network of protocol exchanges, more like a railway.
If someone said that some enemy is bound to make a massive attack using only the railway as invasion device (and the soldiers are not allowed to get off the trains either) you would laugh, right? Just separate your railway network from theirs, then go back to sleep.
More on this fun subject:
@ Simon Painter
"I love it when a pedant makes an ass of himself."
For example by posting a comment attached to the wrong article ?
"Your security is only as good as your most clueless user."
With that being said, it's a sad fact that Western Defense organisations world wide have to have some link to the public internet, so vendors can communicate with sub-contractors and sub-contractors can share data with prime contractors and prime contractors can pass unclassified data to said defense organisations.
I really don't think it matters how "secured" your publicly facing network is, if you have one user who completely ignores good sense and reads every email, surfs web sites that those in the know, wouldn't touch with a bastile box, then it's only a matter of time.
I was attempting to compare this to "The Six Degrees of Separation" but it's not that glamorous. It's more like binary fission, where you pummel one atom, it splits and its two halves take out two other atoms and the whole chain reaction squares uncontrollably.
The only way to truly have a secure infrastructure is to have it disconnected from "the net". Period. But how practical is that when you have to go through the telcom's multiplexed pipes (even if they are encrypted)?
As crazy as it may sound, there may be a degree of truth, but due to the sheer magnitude of the whole thing, "rational" people don't want to admit it...
"..So this will all end with special forces teams in ultralights dropping outside Beijing to hack into the Chinese defense network ?..."
I doubt it. You forget the Chinese have the ability to fight back. The US only brings 'freedom and deee-maaacracy' to those countries unable to defend themselves.
Yep. 98% of software is crap and doesn't do anything that people weren't doing before.
Excuse me, but Dick Destiny IS a yank. As you would know if you read his blog...
strategic oil refinery?
Those that stop functioning when there is a powercut? Like a powercut which happens when a powerstation is being flooded. Oh I see - this rise in number of floods in recent years are caused by the Chinese. Hmm - the Chinese should immediately stop using their gas guzzling 4x4 methinks...
oh it was about cyberwar...
Re: Shades of Neuromancer
Yes, right in time for the Chinese EMP's to take 'em down!
Anyway, it seems like this "expert" watched Die Hard 4.0 and failed to notice that the über-plot involving power shutdowns actually required *physical presence* in the actual facilities. So even Hollywood knows that remote-hack-powerdowns are not really a credible threat.
I'd peg a blackout more on a SCADA system running under Windows, though.
meet low tech warfare
Devices on a few strategically placed comm lines out of China should curb their enthusiasm. Let's just hope they haven't made any 'strategic investments' in data centres or BOT nets around the globe.
Simon Painter and AC replying to him....didn't you do this in another thread too?
Or am I just losing my mind?
Is El Reg really just The Matrix and I just saw the black cat twice?
Paris 'cause I'm clueless as she is.
You must have meant "Dick Destiny is a yank-off". This is a stupid story from a guy who flicks comments out of his nose about anything that strikes his fancy ... no expertise required.
The only thing worse than fear-mongering is mocking others who may have some actual knowledge of a situation in an attempt to ridicule the ideas presented to make yourself seem more important.
Facts? We don't need no stinking facts. Pick a topic and yank-off about it ... DONE!
We don’t need any other country to do this! We do just fine on our own, just look at how much information has been lost by the US, OZ and a bunch of other countries. By just giving it out, no encryption, no password protection and sent by carrier without protection.
We use Windows that is inherently insecure with known bugs and most of us do not apply patches because we wait to see what the patches will do to the O/S.
This lets the bad guys use the problem with the O/S because we wait to see what problems come from the patch.
It seems to me that the main problem is the O/S that we use and how we accept the standards they use.
If it has bugs we need to find them and let them know, and if they think it is bad enough they might fix it. And if they do we need to see if it breaks something else.
What is wrong with this picture?
Something like this?:
i) anything you really don't want spread is NEVER electronic, and subject to whatever level rules + need to know;
n) if must be electronic, then all systems physically connected have the same level or n <-> n-1, with hopefully proven interface; + whatever level n-1 rules + need to know.
But then again
But then again why would they bother, since the entire basic operational mantra of any of the mafia style owned and operated US super size mega corporation is basically maximise profits, stiff the stockholder as the senior management loot the company at every opportunity and shoot the customer who pays the higher than normal end user bills in the face literally at every level and basic equipment maintenance is not an option at any generating plant as it costs the chairman some of his salary and bonuses thus!
So effectively all the US Electricity generating consortia concerned are basically shooting themselves in the head, the heart, the posterior and the legs every day of the week they operate and are self creating their own form of impending disaster as we saw not all that long ago in the state with the largest population in the Union which quickly ended after the death of the evil "ENRON Texas Thieves Empire"!
Those that fail to read the boot notes since November 9th, 1965 are but doomed to self replicate same!
There is a good deal of elegance in so neatly dovetailing two obviously desirable goals.
1. Create and sustain the myth of a formidable foreign enemy who is always threatening to destroy us all (cf 1984)
2. Explain away the frequent failures of various kinds of service, which are really caused by corruption or incompetence in the ranks of government and large organizations, by blaming them all on that external enemy.
High marks for artistic merit!
Our Mission: to spin up the pork machine, and gold-plate our cushy jobs
"The only thing worse than fear-mongering is mocking others who may have some actual knowledge of a situation in an attempt to ridicule the ideas presented to make yourself seem more important."
Care to enlighten us? I see no "ideas presented", only strategy boutique output sexing up threats pulled from alternate universes depicted in classic early 80's SF. If you don't agree and think you might be attacked by your printer's BIOS (as happened to Saddam, allegedly) why dontcha provide details?
Do you really really really really think that Windows does not have a killswitch that can be activated remotely ?
You know, even barring the fact that some of the Reg writers may actually have a modicum of knowledge and experience, I think you should bear in mind that many of the Reg readership have some pretty extensive knowledge and experience in matters IT.
At the end of the day, hacking a power plant's infrastructure, or hacking a web site, it's all the same. You need knowledge of the protocols the remote system responds to, a reasonable idea of the infrastructure between you and them, and a knowledge of what applications/hardware sits between their connection point, and an area inside their network you can establish a beachhead on.
So that means either a fairly large amount of probing, or, more likely bribery and intelligence gathering. There is no "magic application" that you push button, receive access. Cracking into a system is long, boring, tedious work, the bulk of which isn't done in front of a computer. To penetrate say, I don't know, my personal web server, you might not need a lot of expertise, I use a set of readily available open-source apps, and apply 80/20 rule to the security on my web server. All eight visitors will be traumatized if it gets cracked, but the reality is it probably won’t, it’s not big enough for the 20% of the crackers out there who could get through to bother with.
That said, if that web server was something I threw a few months at securing, used obscure tools configured in very non-standard ways, and periodically changed configurations, (I could even have a pseudo-random change script to do so automatically, and a corresponding one on my backup and update servers to keep them able to transmit data with the changes,) then getting into that server would be a miserable pain in the ***.
Now, give me a few million and a research team of 20, and I sure as hell could 'secure' a power plant, while maintaining connectivity to critical networks for updates/monitoring/configuration: all the above ideas, with a magic "detect attack, disconnect from network" trigger, a few backup networks, maybe even a non-internet connected communications link to a remote site, (radio? dark fibre? Military networks?) in case of extreme attack. Throw some BODIES at MONITORING, (you know, trained professionals who know what they are looking for,) and bob's your uncle.
Certainly that's an overly simplified way of looking at it, but that's the point. We, the Reg readership, know it is overly simplified, and we can all read between the lines. The whole concept of "the evil hacker boogymen are coming to get us" is just a giant bucket of deja moo: the feeling you've heard this bull**** before.
As long as you design a network along the principles of the least privilege, and you don't connect anything to anything else unless it absolutely must be connected, (and you implement systems that will cause a disconnection if under attack, as well as appropriate overrides,) then any computer system can be secured. The problem is rarely, if ever the computers, the problem is, as always, the people involved.
From the twits who browse myfacepornbook with added browser exploits on top, to the design decisions being made by politicians and managers instead of IT professionals, people are the weak point. The greedier that the people in charge are, the more corners they will cut. The more corners they cut, the harder such systems are to defend. If the ‘merkins want to defend their country against cyber attack, the only way they will do it is with regulation, not weapons. Regulate that critical industries must meet certain minimum security standards, and have people of a minimum talent and ability monitoring such systems 24/7.
That, however, isn’t as "sexy" a solution, and doesn’t get the pork out of the barrel and into the hands of their friends. Long live the land of the 'free'.
Re: Deja vu
It's happened before; see http://www.theregister.co.uk/2008/05/21/orange_broadband_down/comments/. I remember it happening somewhere else, but it seems to have now disappeared without a trace... very sinister.
Anonymous so that El Reg won't be able to... uhhh.. oh.
Q. "Why Can't It Be True?"
A. "Because only a complete idiot would build a control system that didn't have some kind of interlocking in it." Computers are never flawless; you want them to drive things but you have to assume that they will eventually run amok. Since you know they will fail you make sure that they fail gracefully -- after all, nobody wants ten tonnes of red-hot ingot crashing through the wall of a foundry ("Oops, software bug.....")
The problem with pundits and journalists is that their knowledge of systems design is derived from watching "Jurassic Park". This movie is an object lesson on how *not* to design a control system, it's got just about everything wrong with it, from the system architecture, the coding, the coding team, documentation, test methodology -- the works. (It should be mandatory viewing for trainees...) "Jurassic Park" was an accident waiting to happen and any real facility built like that would never make it through commissioning.
Maybe it is easier to blame some people confident in the knowledge that they could not, would not, cannot make response anyway?
Look to the hardware
US Navy had (has?) issues with system networking components provided by vendors buying from where all (most) our bits and pieces originate (China). The ultimate trojan, built into the foundation. No door knocking needed. But, Beijing is not alone: http://spaces.icgpartners.com/index2.asp?NGuid=827D4DA2FB37496AB3F3C7F8CB55DD4F
Truth by persistence
'the truth of a thing is determined by the number of Americans who can be found to assert it. In another manner of speaking, if one can fill a room with bull, hearsay and gossip, there's always a magic tipping point where it transforms into fact, like lead turns into gold when touched by the Philosopher’s Stone in alchemy.'
The Wikipedia philosophy strikes again!
I like the way it's assumed...
that nobody has thought up a defence (yes, 'merkins it is spelt using c!) for this. Which of course there is, it may not be published or talked about or even known by me and you but there will be a plan.
Don't forget that not so long ago the US Air Force was tasked with defence of cyberspace "in the air, space and cyberspace" (or something like that) goes the slogan.
My coat is the one with the CAT-6 cable on it!
Crack Code vs Hacked Codes
"Don't forget that not so long ago the US Air Force was tasked with defence of cyberspace "... By George Posted Monday 9th June 2008 08:27 GMT
A Convenient/Inconvenient Black Hole Money Pit which, with every wrong move made, Guarantees Assured Bankruptcy. Yes, Folks, it is a Poison Chalice Indeed and you'd better be Good at what you do, for IT does not suffer Fools in CyberSpace at All.
And as it is a Universal Space, the US Air Force cannot expect any of their Systems to be Exclusive and Proprietary .... for that would smack of Imperialism and that feeds Delusional Grandeur and Hubris, which is all too apparent, and destroying itself on Earth. The Bright Sparks working CyberSpace Systems have already ensured that such Oxymoronic Behaviour cannot Defile Virgin Virtual Spaces.
And you don't hear very much about the RAF Cyber Command Flight....Per Ardua ad MetaAstra. But then that is just how they like it.
To paraphrase a well-worn, worn out phrase ....They're just getting on with the job ..... although you can be assured that it is nothing like the farce that Government Ministers deliver whenever they use it to duck out of awkward and embarrassing questions.
"You must have meant "Dick Destiny is a yank-off". This is a stupid story from a guy who flicks comments out of his nose about anything that strikes his fancy ... no expertise required."
It did a pretty good job of eliciting a response from another guy who flicks comments out of his nose about anything that strikes his fancy ... no expertise required.
"The only thing worse than fear-mongering is mocking others who may have some actual knowledge of a situation in an attempt to ridicule the ideas presented to make yourself seem more important."
No, the only thing to do to fear-mongers is to mock and ridicule them. Especially when they're clearly talking through their arse.
"Facts? We don't need no stinking facts. Pick a topic and yank-off about it ... DONE!"
Yup! Clearly a philosophy you follow religiously. Trevor Pott (above) put it far more eloquently than I but, in a nutshell, there are significant numbers of readers of ElReg that have forgotten more on this subject than you could ever learn.
Posted anonymously through necessity
I gotta agree with you.
What could China _possibly_ have to gain from this?
There seems to be a lot of this nonsense being directed against China by the American press, politicians and agencies of late.
I can only imagine that there must be some political subtext, and the American public (and indeed the wider, western audience) are supposed to swallow this crap, just as they did the rubbish about Iraq having WMDs.
The unfortunate thing is that this stream of propaganda probably will have the desired effect of breeding (more) xenophobia and racism amongst many people :(
Everything in excess
Very politically-incorrect update of the punchline of a very old shaggy dog story:
On the information superhighway, a lane is only as strong as its weakest chink.
Mine is the one with the shoeprint on the back at about butt level.
@Mr. Pott & AC
Did you guys read the article? My comment was about the author's racism, not about specific hacking techniques.
Are you in agreement that the problems described are, in fact, the result of "Chinese" hackers, as opposed to, oh, American, Indian, Taiwanese, British or ??? hackers?
And what evidence was presented during this sliming of the Chinese people?
I said nothing related to whether U.S. infrastructure is secure, or whether hacking said infrastructure was possible by any determined person of reasonable skill.
Dick Destiny is a jingoist race-baiter, and this article adds to the evidence for that. He put little thought into proving his "point", and only succeeded in regurgitating positions commonly held by those with small minds.
The largest hive of miscreants is here, in the United States, not in China.
Keep pretending it's the Chinese until you're blue in the face. I don't care. But you don't get a free pass to hide behind the blatant racism.
Oh, and AC ... my first Internet experience ... 1968 ... over a teletype machine connected to the MIT mainframe ... leading to a lifelong passion and career in network computing. Don't presume to have any sort of hegemony on knowledge. There's always someone more knowledgeable than you. Always.
Re: @Mr. Pott & AC
George Smith is drawing attention to US scaremongering. I am at a loss to understand how you can think of this article as racist.
Re: @Mr. Pott & AC
Your comment "The only thing worse than fear-mongering is mocking others who may have some actual knowledge of a situation in an attempt to ridicule the ideas presented to make yourself seem more important" was taken by me to be a defense of the "fear mongering" of the 'merican government, and its various amorphous arms. The Reg staff aren't fear mongering, as I read it, they wrote an article rife with sarcasm to ridicule the fear mongering the 'mericans are doing. The Reg staff aren't being racist, they are reporting on the "racism" (if you want to call it that) that is being pushed by the 'merican government.
Please re-read the article, and pay close attention to the bit where it is reporting the statements and opinions of others, as opposed to the areas where he discusses his personal opinions and views. I think you'll find that he comes out saying, in a brief summary "'merican gov't making up crap to get more money to feed to their friends via government contracts" also, perhaps "'mericans using fear to rule their populace, much of it stuff you need not fear."
So sort of...anti-fear mongering then?
I still don't agree with his approach
I see little point to this article except, perhaps, to "...ridicule the ideas presented to make yourself seem important", while at the same time continuing to propagate the notion that the Chinese are preparing some sort of official cyber-Armageddon by repeating it without overt dissent.
There is no rational discussion of how it is unlikely that a nation such as China would consider launching a cyber attack as a government-led assault, and there is even a "Let's conduct a thought excursion and pretend it's all real, every last word.." section to wrap things up, again without a dissenting opinion or any argument against that position which would mitigate the inference that China might, in fact, be responsible for everything he mentions. He's feeding the fire, not helping to extinguish it.
If the article was intended strictly to mock the opinions of a couple of Americans, then perhaps I didn't catch on to the oblique sense of humour. Re-reading the article for a third time leaves me still angry at Mr. Smith's pusillanimous prose, without bringing me any closer to getting his joke, whatever it may have been.
He's attempting to let himself off with his disclaimer, "To spend too much time arguing details is to be drawn into the deranged world of the American way of threat description." and, for me, it's not working.
ell oh ell, wut?
Why should Mr. Smith be conducting a "discussion of how it is unlikely that a nation such as China would consider launching a cyber attack as a government-led assault?" The purpose of this article was to report that there are people, people in power, who believe such things.
The sentence "Let's conduct a thought excursion and pretend it's all real, every last word.." is of itself implication that he doesn't believe that what is represented here is a real threat, but, as stated, as a thought exercise, examines it as such, and proceeds to reveal how, even if there WERE super [INSERT NATIONALITY HERE] hackers trying to take down the US that...it just doesn't matter.
You seem really hung up on the fact that China was mentioned as the "bad guy hackers." That's not Mr. Smith's fault, as again, this is REPORTING on the opinions of OTHERS, and examining those opinions.
Maybe you could ask Mr. Smith to do a piece on why the Chinese government would not launch an attack on the US, or, BETTER YET, write one yourself, with appropriate research, maybe references and quotes from experts in various appropriate fields, and then submit it to El Reg for inclusion in their pages.
You seem to be attacking writing an editorial on a news item, as opposed to an opinion piece based on your opinion. They are two very different things.
Nowhere in this piece does Mr. Smith "to propagate the notion that the Chinese are preparing some sort of official cyber-Armageddon." Instead he sidesteps the ENTIRE ISSUE of "are they/are they not" and says "well, if they WERE planning cyber Armageddon...it wouldn't matter, they can't really do that much to them power plants anyways."
So my question for you: are you simply an epic troll, or are you of the class of people who think that by wearing a Transformers T-Shirt with a gun on it, you are perpetuating hate/negative stereotypes/cartoon fandom/[random insanity here]. The only argument you seem to raise is that because Mr. Smith happens to mention (and perform a thought experiment based on the idea,) that authorities in the US are claiming that Chinese "hackers" are preparing a "cyber Armageddon," and that somehow this is bad/wrong because...um...why, again?
It's a cartoon gun on a t-shirt, in the hands of an 80's super hero, I mean, it's an editorial exploring the thought process (or lack thereof) of ‘merican authorities making ludicrous claims.
He's not holding a gun himself, I mean, he's not claiming to believe the Chinese are preparing cyber attacks.
Pleasure irritating a Reg Mod with old threads with ya!
Dead vulture because, seriously, dead thread is dead.
I'm just an epic troll, I guess. Sorry ...
Here's how it should have been done
Last word from me on this. Here's how it should have been done ... without the jingoism: