Comment Not as scary as it sounds (Score 1) 41

I figured that I would chime in here, since I've worked on these types of systems, and in this type of environment for nearly 30 years.

It is common to see these types of alerts for all kinds of HMI software, PLCs, and DCSs. They all have security vulnerabilities discovered, just like any software-based systems do. In the electric utility environment in the US, these systems fall under NERC CIP regulations. There will be someone at the utility tasked with keeping track of these alerts and making sure that systems are patched. For really old systems, they will be planning upgrades.

These Industrial Control Systems (ICS) will be firewalled from the business networks, which will again be firewalled from the Internet. It is common to have a data historian pushing data out of the secured ICS network onto a system on the business networks. This allows managers, engineers, and anyone else who needs the data for analysis and reporting to do so without having to be inside the plant. These days it is common to have a mechanical engineer working on something from across the country through these historian systems.

The firewalled connection pushing the data out of the network may just be a connection between two servers over a particular TCP port that must be initiated from inside the ICS network as an example of the simplest, and probably the most common example. It is more common these days for the data to be pushed to a DMZ server, which then passes it to the business system, making it even more secure. It is also common to use a data diode, where there is only a fiber optic transmitter on the inside and a receiver on the outside, so you can't even physically pass a signal into the ICS network.

I'm not an expert in these particular Schneider systems, but the alert seems to be for HMI software used in the control room to operate the equipment. These systems would be on the firewalled ICS network and not exposed to the business network, so it is unlikely that someone would be able to access them from the company's business network, much less the Internet.

Security of these ICS networks is taken pretty seriously, and the visibility and attention to security have increased greatly in the last ten years. It certainly isn't as far along as it could be, but the ominous picture of cooling towers, which most people equate to nuclear plants, although they are common in large coal units as well, makes this look much worse than it probably is. I can assure you that there are none of these Schneider systems connected to the Internet controlling a nuclear reactor anywhere.

I'm not trying to paint a rosy picture here, merely suggesting that in all probability there will be some engineers patching some firewalled HMI systems in the coming weeks, while they continue to beef up the security at their plants, and not a nuclear meltdown as some script kiddie exploits this hole in a nuclear control system sitting on the Internet with this hole in it.
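An added example, not part of the comment above or any Slashdot user's code: it encodes the zone layout the comment describes (ICS behind a firewall, a DMZ relay, the business network, the Internet) as a small audit over a constructed firewall rule set, so the "historian push initiated from inside" model can be checked mechanically. The zone names, the Rule structure, the historian port 5000 and both sample policies are assumptions made for the illustration.

```python
"""
Constructed example: audit a zoned firewall policy against the
ICS / DMZ / business / Internet layout.  Zone names, the Rule
structure, the historian port and both rule sets are hypothetical;
they model the layout, not any vendor's configuration format.
"""
from dataclasses import dataclass

# Zones ordered from most trusted (innermost) to least trusted.
ZONES = ["ICS", "DMZ", "BUSINESS", "INTERNET"]
TRUST = {zone: rank for rank, zone in enumerate(ZONES)}

HISTORIAN_PORT = 5000  # assumed port for the historian push


@dataclass(frozen=True)
class Rule:
    """One permitted flow.  `src` is the zone that opens the TCP
    connection, `dst` the zone that accepts it."""
    src: str
    dst: str
    port: int


def audit(rules, historian_port=HISTORIAN_PORT):
    """Return a list of findings; an empty list means the policy matches
    the model.  One finding per offending rule.

    Checks encoded from the layout:
      1. Nothing may initiate a connection into the ICS zone.
      2. Connections leaving ICS go only one hop out (to the DMZ) and
         only on the historian port; the DMZ relays onward.
      3. No rule may skip a zone boundary (ICS -> BUSINESS, DMZ ->
         INTERNET, ...); each hop crosses exactly one firewall.
    """
    findings = []
    for r in rules:
        if r.dst == "ICS":
            findings.append(f"{r}: connections initiated into ICS are not allowed")
        elif r.src == "ICS" and (r.dst != "DMZ" or r.port != historian_port):
            findings.append(f"{r}: ICS may only push to DMZ on port {historian_port}")
        elif abs(TRUST[r.src] - TRUST[r.dst]) > 1:
            findings.append(f"{r}: skips a zone boundary")
    return findings


# Constructed weak policy: two rules that break the model.
WEAK_POLICY = [
    Rule("ICS", "DMZ", HISTORIAN_PORT),        # historian push from inside: fine
    Rule("DMZ", "BUSINESS", HISTORIAN_PORT),   # DMZ relays to business: fine
    Rule("BUSINESS", "ICS", 3389),             # interactive access into ICS: flagged
    Rule("ICS", "BUSINESS", HISTORIAN_PORT),   # bypasses the DMZ: flagged
]

# Constructed hardened policy: the same data path with the bad rules removed.
HARDENED_POLICY = [
    Rule("ICS", "DMZ", HISTORIAN_PORT),
    Rule("DMZ", "BUSINESS", HISTORIAN_PORT),
    Rule("INTERNET", "BUSINESS", 443),         # ordinary web traffic to business
]


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {len(audit(policy))} finding(s)")
        for line in audit(policy):
            print("  ", line)
```

A data diode would be modelled here as a link with no return path at all, which is stricter than check 1: with a diode even the ICS-initiated TCP session cannot exist, only a one-way stream. The audit is intentionally conservative, flagging any rule that terminates inside the ICS zone regardless of port.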

Comment Nuclear desalinization after disasters (Score 4, Interesting) 203

My father pointed out to me that the nuclear carriers can be a great help after humanitarian disasters as they can desalinate large quantities of water. I found an article about the Carl Vinson that says that it can desalinate 400,000 gallons of water a day. We stationed it off the coast of Haiti after the earthquakes there.

http://content.time.com/time/s...

Comment Re:Shocking... (Score 1) 104

I have to agree. You can't build a system that isn't ever going to be hacked. You can build a system using the best available practices that is very difficult to hack and put the most effective system possible in place to detect hacking attempts as early as possible. To a large extent, it seems that they did a respectable job in both respects. I'm sure that they can make improvements and will learn lessons from this. They are a well capitalized company and it is absolutely vital that they maintain credibility in this respect. The value of their service diminishes greatly if it is not secure. They simply can't be seen as ineffective in this matter.

I am especially impressed that they obviously had an effective plan together to quickly update client applications in the event that something like this happened. They pushed out updates for iOS and Android very quickly. They even updated Penultimate, which was only recently integrated into Evernote. It seems like they had their act together as far as that was concerned.

They obviously need to stay on top of this game. I'd like to see two-factor authentication and better note encryption options. I have my concerns about using Evernote, but I am still a pretty heavy user with over 6000 notes. So far, the benefits outweigh the risks. From what I have learned about this incident so far, I don't think that my appraisal of the cost and benefit will tip the other way. I hope that it stays that way because we don't learn anything new about this incident that seems careless or irresponsible, and because they continue to develop the product and improve the security.

Lord of the Rings

Lord of the Rings Online To Go Free-To-Play 138

darkwing_bmf sends word of Turbine's announcement that Lord of the Rings Online will become a free-to-play game this fall. 'The move is another validation of the free-to-play business model, where gamers can play for free and pay real money for virtual goods such as better weapons or decorative gear for their game characters. The business model has been popular in Asia but only recently took off in the US. This move shows the pressure is building on game publishers to shift to the new business model or face declining audiences.' According to a post on the official website, LotRO's micro-transaction system will be "very similar" to how Turbine's DDO store works, and current subscribers will maintain all of their privileges.

Facebook Master Password Was "Chuck Norris" 319

I Don't Believe in Imaginary Property writes "A Facebook employee has given a tell-all interview with some very interesting things about Facebook's internals. Especially interesting are all the things relating to Facebook privacy. Basically, you don't have any. Nearly everything you've ever done on the site is recorded into a database. While they fire employees for snooping, more than a few have done it. There's an internal system to let them log into anyone's profile, though they have to be able to defend their reason for doing so. And they used to have a master password that could log into any Facebook profile: 'Chuck Norris.' Bruce Schneier might be jealous of that one."
Wii

Wii Hardware Upgrade Won't Happen Soon 325

As high-definition graphics become more and more entrenched in this generation of game consoles, Nintendo has had to deal with constant speculation about a new version of the Wii that would increase its capabilities. Today, Nintendo of America president Reggie Fils-Aime bluntly denied that a hardware revision was imminent, saying, "We are confident the Wii home entertainment console has a very long life in front of it." He added, "In terms of what the future holds, we've gone on record to say that the next step for Nintendo in home consoles will not be to simply make it HD, but to add more and more capability, and we'll do that when we've totally tapped out all of the experiences for the existing Wii. And we're nowhere near doing that yet."

Comment From '92 - '08. RIP PC gaming. (Score 5, Informative) 531

How things change in just over 15 years.

1992:

Buy Doom after getting to try 1/3 of the game first.

* Be able to play it via dialup modem or LAN for as long as you have the working equipment.
* Be able to sell the game after you're done with it and have that second user have the game be just as usable to them.
* Enjoy playing thousands of user-created maps and mods -- anything from a monster health editor to a porn graphic replacement mod.

2008:

Buy game X.

* Require internet permission to install it. Hopefully you haven't committed the mortal sin of installing it more than three times.
* Require internet permission every time you wish to run the game.
* Require CD checking despite the above.
* Unable to sell the game to people who want something more than a coaster.
* Multiplayer server for Game X goes down after a year because Game X 2009 edition is now out. People who still want to play the original Game X via LAN/hosted internet games are SOL and anyone hacking together hosting capabilities likely receives notice from lawyers.
* Have some type of over-zealous security check built into the game mess with your computer, internet connection, or both.
* Deal with an over-moderated/sterile mod community.

Comment Re:It's going down the toilet (Score 1) 96

The second thread you link almost reads like a Monty Python skit.

"You won't let me *not* play for free?! Well, in that case I'll cancel my *second* and *third* accounts dedicated to not playing! See how you like me not playing for free now! And my first account? Well, it'll not only 'not play' all that often, but pay to do so! In your face, CCP!"

Comment Source code for the expansion (Score 1, Funny) 96

I've had to pull a few strings to grab a hold of the expansion's source code. Luckily the download should be a small one.

GenerateExpansion()
    for (i = 1..200)
        GenerateSolarSystem()
    end for
end GenerateExpansion()

GenerateSolarSystem()
    GeneratePlanets(random(1..20))
    GenerateBases(random(1..3))
    GenerateAsteroidFields(random(1..5))
    GenerateSecurityLevel(random(0.0..1.0))
    Connect(this, universe)
end GenerateSolarSystem()

I kid, I kid...

Comment Re:Of course he had a choice (Score 1) 1115

>Of course McCain had a choice. One he was urged repeatedly by the media to take just after selection, many citing the previous example of George McGovern and Eagleton. Instead he stuck by her even through criticism from his own party, never mind the media.

I was talking about supporting the daughter after it became a big story, not the VP pick (which I think you are talking about). Both McCain and Palin had to stand by the daughter.

>You are not serious, right?

I really am. I barely knew anything about the election, except for the race between Obama and Clinton, but the stories about Palin were just too much to ignore. And no, they weren't positive stories. It just seemed to me to be, as other commentators had named it, a "hail mary" choice.

>You don't think tens of millions in contributions the days after the announcement, and as great a viewership of the Republican convention speeches as Obama got to be an amazing achievement?

I'm actually more impressed by the $10 million raised by Obama after Palin's first speech. She only raised $1 million after the speech.

Comment Waiting for GPL V4 (Score 2, Insightful) 382

It doesn't seem fair to attack Microsoft with GPL V3 without also going after Google. Google gets to use GPL software without ever having to release source because they're not selling software, they're selling services. If Microsoft did that GPL V4 would come out faster than you can say Free Software.
