May 06, 2018

A Solution to the Fermi Paradox

At some point every advanced species reaches such a level of prosperity and safety amongst their creative classes that whatever serves as their equivalent of an amygdala atrophies to such a degree that some theoretically intelligent minds conclude that an "internet of things" is a good idea and nobody has the good sense to tar and feather them. 


To wit.
 

The cyber threat hunters had honed their chops at the National Security Agency -- the world's premier electronic spy agency. And last fall, they were analyzing malware samples from around the world when they stumbled across something highly troubling: the first known piece of computer software designed to kill humans.

I suggest that you read the whole thing.

Now yes; "first known piece of computer software designed to kill humans" indicates a lack of understanding of how fire control systems work. But, they're talking about malware here so, all pedantry aside... There is a bit in the article about a particular company's policy not to provide information on the source of the attacks. I have some questions about that for my more technically inclined readers.

I would imagine that it is very difficult to achieve any certainty on where an attack comes from since it would seem likely that routing access through a third party one might want to frame would inherently be well within the capability of entities doing this sort of thing. I'm not particularly tech savvy so I have to ask if this is even remotely correct.

Is it still considered best practice to have an air gap between one's equipment software and the internet? Obviously this is pretty much thrown out the window by the internet of things, which are all about convenience with little or no thought to security. However if someone's internet connected slow cooker is hacked there is a culinary mishap. If someone's refrigerator is hacked to empty their checking account and order 500 gallons of natto and boiled okra, then one person stupid enough to give his refrigerator the keys to his Amazon account has learned a lesson. If these industrial systems are hacked we could have another Bhopal. Why is there a way to access these on site systems from the internet at all? Shouldn't that be on site?

Of course one needs the ability to send out a general alarm but that interface can be electro-mechanical and therefore nigh un-hackable, at least remotely.  

Anyway, I'm curious what others have to say on this. 
So discuss...

 

Posted by: The Brickmuppet at 01:19 PM

1 Yes, anyone who is smart enough to create an attack should be smart enough to make it look like it came from someone else.
And, yes, protecting critical systems with an air gap ought to be effective and easy to enforce. The problem with that is that the number of complex things continually increases and that means that the number of potential interactions between them increases even faster. Consider:
https://www.reddit.com/r/talesfromtechsupport/comments/6ovy0h/how_the_coffeemachine_took_down_a_factories/
in which an air gap was accidentally breached by a coffee maker. The problem there isn't with air gaps or coffee makers, exactly. It's that no one can foresee all the interactions.
You can (and probably should!) ban wi-fi on the secure side but that won't stop the next problem which will have to do with a wristwatch, a Tesla, and a stuffed panda. Or lightning and brain implants:
https://www.nytimes.com/2018/05/03/health/lightning-brain-implants.html

Posted by: Matthew Dixon Cowles at Sun May 6 20:14:57 2018 (h8yX6)

2 Many years ago, I worked on a software project where we were gathering data from various electrical generation facilities and storing them in a central database for tracking. It was actually quite a complex project, since there were about a dozen different kinds of plants that could report different values in different ways, and then there were about as many different ways they could send the data, ranging from manual data entry on the receiving end through a direct API call over the internet, which was cutting edge tech at the time. I recall that after we were done and the software was working, we got heaps of praise for how much manual time and effort was being saved in the reporting of that data. I don't doubt that there would have been a push a few years later to get the last holdouts reporting via the internet.
So that explains why something like a nuclear power plant or hydroelectric dam is connected to the internet. They need to report hourly data on usage, load, maintenance, etc back up to the utility... no wait, the utility didn't care, they had the data already without a need for electronic reporting. This was just repeating the data to the state regulatory agency.

Posted by: David at Mon May 7 00:12:43 2018 (h8yX6)
