Date: 2017-01-01
Washington Post Retracts Story About Russian Hackers Penetrating US Electricity Grid (washingtonpost.com)
Those anonymous U.S. officials who reported Russian hacking code had been found "within the system" of a Vermont power utility must've been surprised to learn the code was on a laptop that wasn't actually connected to the grid. The Washington Post has updated their original story, which now reports that "authorities" say there's no indication that Russian hackers have penetrated the U.S. electric grid.
The Post's newly-edited version appears below (with their original, now-deleted text preserved inside brackets). A code associated with the Russian hacking operation dubbed Grizzly Steppe by the Obama administration has been detected within the system of a Vermont utility, according to U.S. officials. While the Russians did not actively use the code to disrupt operations of the utility, according to officials who spoke on condition of anonymity in order to discuss a security matter, the discovery underscores the vulnerabilities of the nation's electrical grid... [Was "the penetration of the nation's electrical grid is significant because it represents a potentially serious vulnerability."]
American officials, including one senior administration official, said they are not yet sure what the intentions of the Russians might have been. The incursion [was "penetration"] may have been designed to disrupt the utility's operations or as a test by the Russians to see whether they could penetrate a portion of the grid... According to the report by the FBI and DHS, the hackers involved in the Russian operation used fraudulent emails that tricked their recipients into revealing passwords.
The Vermont utility does report that they'd "detected suspicious Internet traffic" on the laptop, but they believe subsequent news coverage got the story wrong. "It's unfortunate that an official or officials improperly shared inaccurate information with one media outlet, leading to multiple inaccurate reports around the country."
Here we go again. This reminds me of a boy, a boy who loved to cry wolf.
I've noticed that this forum is being overrun by Republican and Russian operatives; I hope I'm not the only one.
Which one are you?
A Republican or a Russian operative?
Obama didn't say any of this, the entire US intel establishment did, including CIA, FBI, DHS, NSA weighed in briefly but it's not their bailiwick, etc. Obama mentioned what all of them said, that specific malware linked to GRU was used both to track Ukraine artillery assets/units and hack DNC/GOP machines.
If Republicans have no need to learn to read, 2017 will continue being confusing to them. Quelle surprise. Stupid bitches, every last one. Yes, I call you stupid bitches when you act like stupid bitches
If it turns out to be a 400 pound Russian in his mom's basement, then both parties are right.
Russia is still not an existential threat to anyone but her former client states. This isn't a problem that Romney's larger Navy would have solved (and I'm surprised that Russian nationals and domestic rightists are so offended by this throwaway zinger 4 years later). But in retrospect, Obama underestimated Russia's guile. Rather than do catastrophic harm to the United States, Russia (like Al Qaeda) has done minor harm that led the United States to do major harm to itself (the Iraq war, Trump).
Wouldn't it be hilarious if Putin was overheard on recording talking about how he could "grab Trump by the cock" because his hackers were so deep into US infrastructure.
Beyond the obvious fact that you are overlooking Russia's nuclear stockpile, your analysis of US-Russian Naval warfare seems delusional at best. A larger surface fleet was never the answer to the Russians that never focused on that to begin with. It's not our super carriers that matter as much as our ASW capacity.
Like many things... it's not how big it is but how you use it.
Furthermore, our current crop of Destroyers aren't a threat to anyone. Not even Cuba.
You can't use your NSA to break in, spy, and sabotage industries, utilities, and governments, around the world. If you conduct malicious and damaging operations like you have for decades, expect that the world will respond.
Nor does the USA.
And yet if someone even TALKS about expecting other countries to carry fair weight in organizations like NATO, then the US is suddenly evil for not being willing to deal with everything. Do you really think that the world would be a better place if the US simply disengaged across the board? Should Japan and Korea be the only entities in the front line dealing with China's territorial expansionism?
Never mind. Your instinct for moral relativism means the entire topic isn't worth addressing.
Your moral framework derives directly from your value system. If your value system is based on false and or mixed premises, your moral code will either be objectively evil or simply so internally hypocritical and contradictory that it cannot be used to shape a workable bundle of ethics. If you think that living in another country where the environment is different means that one's evaluation of whether or not it's OK to (for example) murder, rape, steal, enslave, lie, etc would be different, then your entire understanding of the matter is so under (or mal) informed, or you are so willing to be disingenuous in the interests of being able to sound like a condescending superior, that you really should excuse yourself from making such lectures. Especially when you decide to trot out words like "cowards" while making such a craven display of your own.
If you can't handle the distinction between murder and killing, then, again, just stop.
You are the immoral one, the government of the USA commits all those atrocities and gives arms and support to others who do the same. Wake up, quit being blind.
..or perhaps you've just fallen for someone else's propaganda. The US government isn't the only guilty party in the world.
Where's the redundancy that protects the world if something happens to the USA?
Excellent question. Why won't other countries agree to shoulder anything at all like their own share of that load? Because Americans are far too generous that way, but do it anyway because not doing so means having to deal with the even more expensive consequences later. We can't totally wash our hands of that chore, no matter how lazy other countries are, because it will end up just like the last two world wars when we hoped to avoid that expensive and deadly work for too long as well, and still had to get involved.
Would you have preferred being left to the russians?
Our posture is fucking horrific. We support Israel even when they blatantly violate international law. We've long sided with Saudi Arabia, the world's largest state sponsor of terrorism. We overthrew Iraq, creating ISIS. We're largely responsible for arming a good chunk of the terrorists in the world. Yeah, Russia does shitty things, but our problems are big enough that our first concern should be fixing our own problems. Not understanding that, along with the unbelievable hubris of the Clintonites, is why the Democrats got their asses kicked in this election, and why they've been getting their asses kicked for so long.
As it stands right now, the best thing that could happen for world peace is for the US to go down in flames. I would rather that not happen, but if we listen to people like you instead of behaving like adults, the rational choice for the world at large is to get rid of us.
The U.S. government has many secret and semi-secret agencies. No one, literally no one, knows all of them, or which are badly managed. As we've seen, the secret and semi-secret U.S. government agencies often hire outside consulting companies that often have areas of sloppy management.
The U.S. government is, by some measures, such as money spent, the most violent in the world.
The U.S. government has killed, or caused the death of, an estimated 11,000,000 people since the end of the 2nd world war.
War is extremely profitable for some corporations. See the book, House of Bush, House of Saud [amazon.com], by Craig Unger. Bush and Cheney started a war that was profitable for them.
The U.S. has the largest percentage of its citizens in prison, of any country, in any century. The prison system is hugely profitable for prison corporations. Two of the many articles:
ACLU: With only 5% of the world's population, the U.S. has 25% of the world's prison population [aclu.org].
ThinkProgress: The United States Has The Largest Prison Population In The World -- And It's Growing [thinkprogress.org].
Compared to how many deaths by the Russians? By the Germans? At this point, I don't think any country with any sort of history measured in centuries can claim the high ground on violent acts.
Then you follow with non-sequitur alarmist speak. How are you different than Alex Jones again?
Watching the video "Why We Fight" explains a lot of this.
Eisenhower warned us about the Military Industrial Complex.
Now both parties are dependent upon war for a successful economy.
Notice we're still in Afghanistan.
Why?
the USA has invaded a country that didn't attack it and was no threat to it, causing the death of hundreds of thousands of innocents and caused the creation of ISIS/ISIL with its ham fisted stupidity.
That country was a friend of the USA, and so the USA gave its leader Saddam money and dual-use tech to make bioweapons that killed tens of thousands.
Elsewhere in the world, the CIA of the USA destabilized another country, and so certain ethnic Russians in an area of that country voted to rejoin Russia.
Who is the
the USA has invaded a country that didn't attack it and was no threat to it
What, Afghanistan? That country was taken over by the Taliban, which in turn fed, sheltered, and harbored an organization that deliberately set out to kill thousands of Americans and did. The entity running Afghanistan then refused to turn the leaders of that terrorist organization over for prosecution - even as that group promised ever more killings across the world. You're complaining that multiple countries, including the US, after extensive diplomatic attempts through the Taliban's so-called government
People who can't muster the vertebrae to correctly observe that the US's general posture in the world is wildly preferable to Russia's are the sort of people who, on display, just cost the Democrats another large chunk of political power. If the US stops what they traditionally do, countries like Russia and Iran invade other countries and take them over. If Russia stops what it's doing, cities like Aleppo aren't turned into rubble through indiscriminate bombing by a country that wishes it could resurrect some good old fashioned socialist tyranny, just like the sweet, sweet days of the USSR. If Iran stops what it's doing, thousands of people aren't routinely killed over hair-splitting religious differences by a retrograde medieval theocracy that pours cash into terrorist operations. Yeah, the US is exactly like those things.
Actually, I would say it's Sunni Islam that is hell-bent on destroying any other religion, including "incompatible" versions of Islam. Whenever there is a suicide or otherwise bombing targeting civilians, whenever there is a church, a bar, or a mosque bombed or shot up, it's the work of a Sunni extremist, and practically never of a Shia Islamist. Personally I am a socialist atheist (much like Hitchens) so I don't have any horse in the race, but to me it's plainly clear that the US has been supporting Saudi
As for the notion of asking that all NATO members contribute as recommended, it's certainly fair to point out t
Ours, sowing chaos so the sunnis/shia kick the fight out of each other is _clearly_ the least evil path. They deserve each other, being two sides of the same religion. Just as the Catholics deserved the Protestants, and vice versa, in their days of open war.
if (usa.spies)
    usa.get_leverage();
china.spies = true;
russia.spies = true;
For non-programmers, Russia, and especially China, will do this regardless of whether the US does it. In theory, it could be reduced by treating an electronic attack the same as a physical attack; China isn't going to bomb the USA. However in practice it's very difficult to know whether a cyber attack is state-sponsored or not. An attack by Russian
While the phishing attack may have originated in Russia, I find it disingenuous to portray everything as state sponsored when the evidence is weak at best. To me it's something akin to suggesting we need to retaliate against Australia every time Julian Assange takes a leak.
My company does that. I think it works (Score:3)
I work for an information security company. All of us should really know better, and yet we do occasionally click the phish bait sent out by corporate security. After being caught once, we start being more careful - at least for six months to a year. I think it's a good idea. Corpsec doesn't need to really scold us or anything, just informing us "you clicked on a fake email" is enough to raise our awareness.
Bullshit (Score:5, Informative)
One laptop not on the network had malware.
Fuck the washington post.
http://boingboing.net/2016/12/31/no-russia-didnt-hack-vermon.html
Hardly an attack aimed at the grid, and volume cranked up to 11 by WP as a part of the general current panic to glorify Obama and what his administration has done, and undermine the incoming administration.
Or the WP feels it is simply unimportant to get proper attribution and any of the details right.
Re: (Score:3, Informative)
Err...you link to BoingBoing, who in turn links to Glenn Greenwald who himself is infamous for spinning wildly inaccurate stories. Greenwald asserts:
What’s the problem here? It did not happen.
There was no “penetration of the U.S. electricity grid.” The truth was undramatic and banal. Burlington Electric, after receiving a Homeland Security notice sent to all U.S. utility companies about the malware code found in the DNC system, searched all their computers and found the code in a single laptop that was not connected to the electric grid.
Sadly, the premise of his claim may be true (there is a chance the code wasn't a deliberate attempt by Russia), but rather than simply state that, he makes his own unsubstantiated claim that "it did not happen". He does not know for certain that it wasn't a deliberate attempt from Russia.
There's a lot of words in the Greenwald piece, but it all hinges on this p
It should be deeply concerning, but that's effectively the result of the complete lack of care regarding OpSec and vital infrastructure. We've had reasons to be deeply concerned about that for years, if not decades, but now seems like an awfully convenient time to trot out a fact that would likely have applied at just about any point in time if we did an audit of our power grid.
What is deeply concerning? The bullshit false headline?
The code was found on a laptop at the power station, and it's Russian in origin. It's uncertain if it's deliberate, and they're investigating that aspect of it now. That's the whole story as I can see it, and it doesn't seem like something to dismiss. It's definitely concerning, regardless of where the code came from. The laptop wasn't connected to the power station network, but depending on the malware, it might not have taken much (a USB stick copying some files to a network computer) to change that. So yes, let's keep investigating, and hopefully it was just some 'user viewing a bad website', but we can't say that right now either.
Sure they should investigate it further, but I doubt "Burlington Electric" is high on the Russian target list. Don't assume it 'might not have taken much' to transfer to control systems, because those systems are pretty much all isolated from admin systems anymore, I would be very surprised if there were a crossover path via the laptop. Of course we should check to make sure, but it doesn't appear to be a big deal.
The code was found on a laptop at the power station,
That is not necessarily true. All we know is that it was a company laptop that wasn't connected to grid or power systems, there is no reference I can find to it being in a power station, just as likely to be in a corporate office.
The specific claim he made: "There was no “penetration of the U.S. electricity grid.”"
That is entirely true. It may have been a deliberate attempt by Russia, he doesn't make a claim one way or the other, merely that "[t]here was no “penetration of the U.S. electricity grid.”"
The code was found on a laptop at the power station, and it's Russian in origin. It's uncertain if it's deliberate, and they're investigating that aspect of it now. That's the whole story as I can see it
I agree, and you seem to agree with Greenwald that it doesn't warrant the claim that the _grid_ was "penetrated" in some fashion.
There's a ton of Russian malware/botnets out there. Same for Chinese, etc. The burden is on the person making the assertion this is the work of the Russian government, because the media is hard at work with flimsy, inaccurate stories like this which they end up retracting in part after the big headlines hit (see also: changes to the ODNI report...).
Obama is up there sabotaging diplomacy efforts with Israel & Russia that will compromise our ability to take out Isis. Islamic radicals, incidentally, we
So this is an example of that 'fake news' I keep hearing so much about? Or does that depend entirely on who is spreading the news?
Journalists wonder why people don't trust them, and this story is a good example. Turns out the crap was found on one laptop in the company's possession, which was not connected to their power grid.
(And when will companies/CIOs stop buying computers that contain so many exploitable vulnerabilities? I guess the answer is "Not until there's financial and legal consequence for their failure.")
I'm very happy to come to the comments section and find mostly mocking and people who looked beyond the headline. Would have been nice if the editors did that.
Here is the full takedown on The Intercept of this BS-vending from WaPo: https://theintercept.com/2016/... [theintercept.com]
There have been substantial penetrations of the US Power Grid, but this was -not- one of them. I remember hearing about vulnerabilities in the electrical grid and other SCADA critical infrastructure in the '90s. The one guy who talked about that worked for the EPRI, and ended up getting fired because he continually pointed out how the utilities were -ignoring- the problem.
(Agree, mod parent up, good link!)
(And when will companies/CIOs stop buying computers that contain so many exploitable vulnerabilities? I guess the answer is "Not until there's financial and legal consequence for their failure.")
So you managed to look beyond the headline and realise that the article is bullshit and there was no real security breach, but you're now criticising a company who acted just fine and wish that there were higher penalties on them?
Get a grip man.
1. There clearly was a penetration of a computer.
2. For this to happen, there had to be a vulnerability on that computer.
We _know_ that some systems are much more vulnerable than others. But there's no penalty for that, either for the makers or for the purchasers/specifiers of that.
My 'grip' is to not run Windows.
I don't think they're an arm of the government, they're just creating stories that will sell/get clicks. Clever government officials have figured out how to release information that will cause the story they want out to be the one written.
Why is infrastructure on the public Internet ? It is not like the internet existed when most of the US electric grid was 'designed' and built. It worked quite well for 70 or so years without the internet. And I will say I have experienced more blackouts over the past 10 years than I did in total before 1990.
Worked in the industry for a decade. Wrote simulation shells that did short term forecasts based on system conditions, did data reductions etc (e.g. This unit IS going down for unscheduled maintenance, how much will it cost to shut it down RTF now vs after afternoon peak?) Went on to 'tech lead' for significant energy trading/risk management platform. Ran on many traders and grid operators desks...don't ask, won't tell. Did once see a bug because grand total on printable VAR only had room for 10 digits plus sign. Assigned to Brahmin coder, week later I fixed it myself, I digress.
What you say isn't really possible. What they typically do have is a secure network, which runs operations, staffed with lots of ex-military actual Engineering school grads. That network is being monitored by redundant data integrators which present integrated (by some time interval, usually hours/half hours or minutes, back when I was up to my nose in it) system data to a second less secure (but still as secure as any corporate) network where routine operations run. That server is usually locked down tight, read only from the less secure network; but that is only software. They also like to run diverse OSs, lots of 'big iron' and Unixes and home brewed binary data formats. These things were mostly architected before Windows was common, particularly on the secure side it's still loaded with 'legacy', likely to remain so until they have a complete staff turnover. Old Dilbert with neckbeard flipping a nickel at Wally and telling him to get a better computer, that's the dude.
Routine operations need access to internet based facilities. To schedule transmission line capacity, trade power, get closing prices from grid operators, weather forecasts and unit availability from neighbors (lots of VPNs). But that part of the operations could more or less crash and burn and it will only cost money (and extra CO2). Operations, more or less, ignores trading at the minute by minute level. Trading gives them trade schedules and operations will try their best. But if 'shit happens' they keep the lights on and let the accountants worry about reconciling to 'what should have happened'. Which is sometimes a bitch of a computational problem, fortunately most everybody involved are engineers and close enough is close enough. Pennies aren't statistically significant; try and explain that to an accountant. Don't recommend it, just say 'not a material difference' and get on with your life, I'm digressing again.
Duh, but the point is that the system will degrade fairly gracefully. It will run less efficiently, but even if regions island, the lights will stay on most places.
Basically, variable weather makes the system be overbuilt for 99% of days. On the remaining 1%, cascade failure is distinctly possible, margins are too tight. The theory (spinning reserve) is that every region should always have margin equal to their biggest single power source, nice theory.
Emergency facilities/Hospitals provide backup power
Not an expert here. Far from it, but it sounds like the electric generation and the grid control systems have the possibility for multiple sites of failure as well as multiple sites for intrusion by bad guys. This sounds like a recipe for disaster. Hopefully critical sites such as the defense department, local police departments, hospitals, etc., have standalone electric generators independent of the grid and web. Then again, a large enough cohort of spies and terrorists could disable those. Maybe we need a system of signal fires, flags, carrier pigeons to keep the grid up in an emergency. If the fuel supply or cooling water to power plants is shut down, why worry about the Internet controls.
At the end of the day, every major electrical generation site has means for some sort of manual control. There are enough "blackstart" (electrical plants that can start up without any external power) units in place to restart the grid in the event of failure. Syncing a generating unit to the grid "by hand" is not that hard (I have done it). You watch your Synchroscope [wikipedia.org] carefully and flip the switch at the right moment. Then you open the steam valves to your turbine and start "pushing" on the grid, if the
Why is infrastructure on the public Internet ? It is not like the internet existed when most of the US electric grid was 'designed' and built. It worked quite well for 70 or so years without the internet. And I will say I have experienced more blackouts over the past 10 years than I did in total before 1990.
Infrastructure does not have to be on the internet to be hacked. The Iranians air-gapped the computers controlling their nuclear centrifuges and Stuxnet still managed to infect and damage them. The interesting thing is that Russian hackers have actually taken down an electricity grid, that of the Ukraine. The Ukrainians brought it back online relatively quickly by manual operation even though their computer control systems remained a mess. The irony of that incident was that the relatively primitive nature of the Ukrainian grid actually worked for the Ukrainians. It is doubtful that the higher tech grids in the west could be brought up that quickly after a major attack. Just because this incident turned out to be an attack of hysteria, I think we can learn from the Ukrainian experience that it pays to be vigilant and just because the US now has a Russophile president who is a paid up member of the Putin fan club does not mean that the Russians will stop probing for weaknesses in US infrastructure systems.
One example of U.S. government mismanagement: (Score:2)
Why is infrastructure on the public Internet ?
Because people only read headlines and not articles.
It is not like the internet existed when most of the US electric grid was 'designed' and built. It worked quite well for 70 or so years without the internet.
Yes but the internet has caused the stupidification of readers, so now they naturally assume every headline means that someone was incompetent and that they are oh so smart, when in reality it is the other way around.
And I will say I have experienced more blackouts over the past 10 years than I did in total before 1990.
Yep I'm sure nothing has changed in the size and demand or the stability of the grid in the past 17 years.
Now I'm mad. (Score:2, Funny)
Somebody should have warned us that something like this was possible.
I mean, clearly if it had been known this was even a possibility, management would have taken effective action to prevent it.
Because people are rational beings who make logical decisions. I learned that in Economics class and if that's not true then the very principles our society is founded upon would be nothing more than wishful thinking.
Why so sarcastic?
[snip] As long as companies aren't held accountable for their lax security...
I think you just answered your own question.
Security experts have been warning of possible foreign hacking for decades. But why this sudden spate of "Russia hacked X" stories now? Why not back when our Secretary of State was running an illegal, private, unsecured email server through which she transmitted classified information [politifact.com]?
Simple: The Washington Post wanted Hillary to win the Presidential election, and reminding people how her action made it easier for Russian hackers to gain access to classified information wouldn't have helped her. But publishing it now helps support the false narrative [theintercept.com] that the Russians were behind the DNC leaks, not disgruntled Democratic Party staffers [washingtontimes.com], and thus supposedly harms President-elect Donald Trump, whom the Washington Post and its employees almost universally loathe. That's the entire reason the story is being written and published now.
Further reading here [battleswarmblog.com] and here [battleswarmblog.com].
What do you think the under/over is for MSM "Russian Hacking" stories between now and January 20?
NSA has failed us again. Instead of protecting America, they are wasting their and our time by mass collecting data on citizens. Instead of making sure exploits are fixed to keep our systems secure, they hold onto them so they can use them against us and other countries.
If I am to believe this Russian hacking our systems like the Government is pushing, then the blame goes straight on the NSA and those who backed them.
Amateur-level security will do that... (Score:2)
Apparently, the operators of the US power grid are using cheaper-than-possible security, i.e. they were basically asking for it. Stupid.
In any event Trump thinks he's smart, but he's not
Or perhaps he is. A great real estate developer and dealmaker who has managed to make bundles of money while leaving other investors with the losses from his failed ventures. If you are trying to close the deal on a shithole condo with leaky plumbing in a bad neighborhood, you don't insult prospective buyers. You butter them up by telling them how great they are.
The jury is still out on Trump. But I wouldn't write him off yet.
A code? I suppose we should be grateful there weren't several.
I'd bet small amounts of money:
Some agency (FBI, CIA, DOE, etc) has known about it for over a year.
It was just revealed by order of outgoing administration.
Some numb-nuts had a VNC or RDP firewall rule added so he could monitor/work/help from home.
Russian Hackers Penetrated The US Electricity Grid
Well I sure hope for their sakes they were wearing a rubber!
Internal propaganda for the Democrats. Trying to prevent cynicism from setting in, but only working for the very dumbest most indoctrinated of them.
Seriously this was one laptop with some malware, found by a routine virus scan. It's the Washington Post, no credibility left except with the poor snowflakes that need to be constantly fed a reassuring yet terrifying narrative.
The worst thing about these kinds of efforts, it leaves the Democrats with their army of chanting morons, but those with two working
That didn't work for Iran's centrifuges.
"We detected the malware in a single Burlington Electric Department laptop not connected to our organization’s grid systems."
The headline is complete bullshit. Can the author not even read? The grid was not penetrated, hacked, or compromised. No report says it was. This is totally a fabrication from the reporters.
"We detected the malware in a single Burlington Electric Department laptop not connected to our organization’s grid systems."
So other sources [cnn.com] say more than just a laptop and last I checked a power station is part of the grid
Your CNN link consistently describes the infection as affecting only a single laptop that was not connected to the systems that control the electric grid. Did CNN change the story since you linked to it?
And what can we do? Hope it doesn't degrade into WW3?
In my opinion, a good indication of Jeff Bezos's management ability is any Amazon web page. Amazon web pages distract you from buying something by trying to sell other things.
Hey I'm like my buddy Bill, I tasted the vodka, but I didn't swallow