Wifi for the water plant — “At about 1:30 p.m., someone accessed it again, took control of the mouse, directed it to the software that controls water treatment and increased the amount of sodium hydroxide…”
Wifi for the water plant — “At about 1:30 p.m., someone accessed it again, took control of the mouse, directed it to the software that controls water treatment and increased the amount of sodium hydroxide…”
An army is most at risk – not from the enemy – but from its own supplies of water and food.
Well, the general principle of designing any modern computer is to allow everything talk to everything else, with software controlling the allowed flows.
What is wrong with this picture you may ask?
Well, actually everything…
But yet votes couldn’t be changed with the voting machines,,, which are connected to the internet !
That says it all Jolene
The results of THAT hack … are far more toxic than elevated levels of sodium hydroxide in your water
+++J
That is why I only drink bottle spring water.
Nothing can be trusted anymore.
Evil is loose.
Clearly Canadian bottled water came from spring source near Vernon BC. Bottled in a new facility they sold to in Southern California.
One day they caught one of the water tanker truck drivers hooked up to a fire hydrant in a commercial district in Sacramento filling up with water, instead of doing the trip up to Vernon for the refill.
Think you’re drinking clean water. Don’t assume anything.
“Why are you giving me water? I said I’m thirsty, not dirty.”
” took control of the mouse”…
Okay, right there we know this was not a professional entity or a state-sponsored hack. If it were, no one would see that mouse move, and they’d probably see either a blank screen or a screenshot pasted over the screen.
What this does show is the absolute next to zero security at that site and/or failure in proper security behaviour of the employee(s).
Zap, it shows that the system designers have/had no clue as to how to design a secure system. I often rail against engineers because of stupid design parameters. They do not live in the real world and /or test systems were they are personally at risk, just had such a moment last week, could have shot a couple of engineers.
Even the design parameters were bad. Who would allow a change to a value without boundary conditions being checked. There should have been an upper limit on the amount of sodium hydroxide that could be added. This goes for anything to be added to a system.
It’s badly written, but possibly not false. Some applications won’t work without the UI present, and this could be simply a remote access hack with compromised credentials. We don’t know enough about the system architecture to say much about it.
Noting that the writer is out of its depth is fair game, though.
I suspect due to many people working from home because of COVID, there are such openings all over. If COVID was planned, that was part of the plan. Create easy hacking access for anyone because of everyone working from home. The FBI will discover it is one of their Chinese hacking buddies practicing and nothing will happen.
JB, good thinking, I agree that such a thing is possible/probable, but the system design is totally wrong think Fukushima Japan, another design eff up (tho altered at construction time)
The internet of things —IOT (think google nest, your security camera, baby monitor, etc.) and then there is the industrial internet of things—IIOT (sensors, networked control systems, etc.) .
Loss of control of IOT can be troubling (notably this week if your whiz-bang thermostat hands itself to some dipshit or google decides you’re not woke enough to enjoy heat).
Loss of control of the IIOT means you lose water, power, refineries, manufacturing, etc. It takes one bad connection, crappy network design, out of date security, or a sloppy internet using operator and you can get trouble. I recently saw a presentation discussing a small plant in AB which got hit by ransom ware on the control network. The ransom has to be paid to decrypt the site.
I have to explain to people that there isn’t a webcam in their refrigerator so they can look inside it remotely.
“Loss of control of IOT can be troubling…”
Could be more than troubling if somebody managed to shut off the furnace pilot light but leave the gas running.
Scary. In the UK there was an incident about 30 years ago when a delivery driver tipped his load of AlSO4 into the wrong tank affected the water supply around camelford, many people claimed to have life changing illnesses as a result of this mistake.
The skeptical side of me says it’s an employee who effed up.
“Gualtieri said the hacker increased the sodium hydroxide levels in the city’s water from 100 parts per million to 11,100 parts per million.
That’s a rather curious input. That aside…why would you have control systems in place, for something as sensitive as water quality that allows you to plug in dangerous values?
Failing that. Russians.
It is troubling. It’s relatively trivial to code for an acceptable range of values.
Other well-poisoners of history come to mind. The intent may have been to follow up with a ransom demand after the proof-of-concept attack.
They should have used the same software design standards as the election software since we all know that was incapable of being hacked.
Wild speculation alert.
Was it an exercise probing vital systems testing anti-detection techniques?. Or a glitch in the system? Each is equally plausible.
In any event, do those who did it know we know they did it so now the trail to who’s really doing it and why will go cold?
On this subject, Raspbery Pi introduced “phone home to Microsoft” as default in their latest OS release. Without telling anyone.
https://phantomsoapbox.blogspot.com/2021/02/when-techies-have-no-clue-raspberry-pi.html
Now, as a thing in and of itself, pinging a server for updates is nothing exciting. But when you slip it into a home-brew do it yourself kind of thing, and you don’t -tell- anyone, now it’s a pretty big deal. People use Raspberry Pi computers in part because they -don’t- phone home. But one of the founders of the Raspberry Pi Foundation, Eben Upton, had this response:
“Sorry: I can’t understand why you think this was a controversial thing to do. We do things of this sort all the time without putting out a blog post about how to opt out.”
This is the same response we are seeing from water company guy who can’t understand why people are upset they’re running the water systems on wifi. Even -after- there’s a break in with malicious damage done. System security takes a back seat to meeting diversity targets and anti-micro-agression training, head office said so.
This is why COMMON SENSE is important in an engineer and even more important in a policy maker. Two places where I see a very concerted effort in academia to make common sense politically incorrect.
The government is looking after it so we have nothing to worry about.
They’re here to help us. Remember, we didn’t build that and we are all a part of government. Plus, we’re probably racists.
I seem to remember something about some foreign engineering students being apprehended near a water filtration station? a while ago in NY state? It was concluded that it wasn’t anything nefarious.
Weren’t they “art students”?
Bet you won’t hear a word from Biden or the MSN over this.
*****************************
Dr. Stella Immanuel, who was lambasted by the media and establishment medical community after she swore to the effectiveness of hydroxychloroquine at treating COVID-19 in a viral video last year, is now demanding an apology, as much of the medical community and establishment media now agree with her.
“I demand an apology,” wrote Immanuel. “When we said Hydroxychloroquine works we were ridiculed. Now studies are coming out saying it works.”
How many that could have been saved?
It saved somebody I know. Thank you Donald Trump, because I heard it from him first.
How many could have been saved? How about most of them. Unless you had one foot in the grave and the other on a banana peel, HCQ would have helped a lot.
Still banned for use in Ontario, afaik.
Fauchi knew 15 years ago. It was in 2008, I think, where he published a study saying HCQ was effective agains SARS-2. A criminal of the worst kind.
Admittedly without any working knowledge of computer system functions, would it not be a sensible precaution to have such systems that could have “problematic” outcomes, designed to be on a closed circuit system that cannot be hacked from outside. As an aside regarding the safety of bottled water, I bought one of those zero water filtration jugs a couple of years back, and it came with a water purity testing meter. I tested local tap, numerous bottled, and even lake and rain water. Even my local lake water was far purer than any of the six or eight different bottled waters I tested. My local tap water was at 0.9, with the zero water filtration system it is 0.0. Bottled water ranged incredibly, and some were up at unbelievable levels. I even read of stories of high class hotels reusing bottled water bottles and filling them with water from a garden hose. Don’t ever trust that shit without testing it. I would recommend this Zero water system over any bottled water available. I even bought a second unit to add to my small, just in case, prepper kit.
Suspects… China, FBI, CIA, Democrat Party… laws do not apply, see Obamagate… I’m sure the corrupt FBI will get to the bottom of this, probably a right wing “insurrectionist” did it , right assholes ?
A practice run I’m sure.
This is largely a non-story. The Immediately Dangerous to Life and Health value for aqueous NaOH is 6ppm, which means the amount the water treatment plant is injecting into the treatment stream is already an order of magnitude higher than “safe”. That means there’s a hell of a lot of post-processing going on downstream long before that water hits the public supply, and there will absolutely be testing and alerts at multiple points downstream.
the foundation ought to bloody well know better than be surprised when their user community gets outraged at having their OS phone home to Big Tech
You’re going to be really pissed when you find out where most of the Ubuntu and Debian repo mirrors are hosted.
You know your kernel has a ton of stuff in it by default that was contributed by Google, Microsoft and AWS, right?
Yes, I do know that Ubuntu phones home quite a bit to a variety of Big Tech servers and Debian’s update function is hosted on Google/Amazon/Etc. servers. The only way to be -sure- that your Linux install doesn’t phone home is to not put it on the interwebz. Making sure there’s no wifi connection is part of that process.
Just like maybe the addition of too much sodium hydroxide at one station in a water system is no big deal because there are other stations to check it. But maybe those stations are compromised too, which suddenly makes it a big deal. You don’t know if your checks and balances are compromised, given that one station -for sure- is compromised. Should I need to check my friggin’ water at home, coming out of the tap, every single time I turn it on? They actually do that in China. The town water is so hopelessly polluted that every house has a solar still on the roof to DISTILL the drinking water.
Do I need a still on my roof? If the friggin’ water company runs by wifi, I might.
It isn’t that people don’t know these things, Daniel. It’s that these companies consistently do things that damage trust in their systems, and then act surprised when people make a fuss.
This particular case in Raspian was a change added to the default settings. No warning given, no notice given, no opt-out given. And then, the best part, they shut down comments in the Raspian forum instead of addressing the issue. How hard would it have been to put up a blog post explaining the changes to the sometimes paranoid Raspian community? Easier than shutting down the comments section of their forums I think.
How hard would it be to put an opt-in/opt-out panel that lists every service that phones home to a remote server? Not very. Does anyone do that? No. Why don’t they? Is it a nefarious reason or is it just laziness? I can’t tell, so like the Chinese homeowner with the solar still on his roof, anything I’m concerned about I have to lock down. I have to assume harm even when there isn’t any.
That’s why people are enraged that Raspian added a server ping -secretly-. One more frigging thing that doesn’t need to be there, that the user doesn’t want, and they have to DIG for it. That’s a lot of work. And it’s wasted work that the user shouldn’t have to do, but because of the nonchalant attitude of software designers, they do.
Personally I think that an OS should -never- access an external server without explicit user interaction first, but that’s because I’m old and remember when there were no external servers. We did just fine.
If you want your computer systems to be secure, do not connect them to the internet.
Robert, have you noticed that you can’t install Windows or most other things without an internet connection? Part of the installation -requires- connecting to an external server. For “updates” you know.
Is there anything nefarious intended in this? Well, we don’t know, do we? It’s kind of hard to tell. It certainly seems shady to me, but ymmv.
And make sure they are TOTALLY shielded for “stray” RF emissions. That is more involved than one would initially think. EVERYTHING electrical exhibits a variety of “field” emissions when working.
A 100KW hf radio transmitter can be heard around the world. So can a 3W unit with a good antenna, just not quite as clearly, 24/7.
We are all living in a “soup” of electrical emissions, whether we like it or not. ALWAYS remember: “There are three parties to any electronic communication; The Sender, The Receiver and The Interceptor”.
I guess this is what happens when your password is “password”.