Sleepycatz

Access Freedom

Last week Citizen Lab released a kind of everyman guide to circumventing Internet censorship. The guide is by no means exhaustive, but offers some well known and simple methods for bypassing Internet content control systems used by some of the most repressive governments in the world. It has been said that we now live in the information age. Certainly this is what governments around the world believe to be true. The desire to control citizen’s access to information and uncensored media has become prevalent across more then half the globe. In places like China, Saudi Arabia, Ethiopia, and others direct filtering of political and social commentary is common. Most governments seem to believe it is necessary to ‘protect’ their citizens from certain ideas or types of content. Here, in the United States, arguments about COPA and CIPA have lead to numerous court cases — CIPA is currently under review to see if it can be extended to block sites like myspace.com and facebook.

As governments and corporations extend their power and influence, their need to limit access to ideas which contradict theirs will continue to grow. The ability to bypass Internet filters or hide one’s identity will become more and more essential. This guide offers a helpful start for everyone.

DHS Deceit

For the past couple of weeks some friends and colleagues and I have been discussing a CNN story on the vulnerability of SCADA controlled generators. The story fed to CNN by the DHS is that power generators, under SCADA control, can be destroyed via cyber attack by telling or tricking the PLC into over-cycling the generator and thus adversely effecting the local or national power grid . After some discussion, most of us have decided that the story is largely bunk. Even if we ignore the fact that the generator shown in the DHS video appears to in the ~1500 kW size range (significantly smaller then the multi-megawatt generators used for local or regional grid generation), the idea that a critical piece of power generating equipment would lack a something as simple as a mechanical governor - an 18th c. technology - let alone an electronic one to prevent the system from operating beyond safe levels seems patently absurd. An electrical engineering friend has suggested that the current steam turbine generators used by utilities do not currently include deep levels of automatic systems — so any such attack on a utility could never effect online turbine speed. Additionally, even if such a vulnerability did somehow exist is would be very simple to insert PLC programming which did not allow for the system to run out of tolerance.

So why would DHS release such a report — we know why CNN engages in fear mongering where ever it can. The purpose seems to be alluded to near the end of the piece where CNN explains that the DHS cyber-security budget is a scant 100 million dollars. The goal here seems to be to get people riled up to pressure congress to flood DHS with more money. As fear-mongering coup de grâce, CNN finds someone to say that Iran has the same generators, SCADA systems, and passwords as those used in America. This is so appallingly absurd and transparent it simply causes my head to spin.

The problem is, that there are security concerns with SCADA systems and the desire of managers to save money and place them on an Internet connected network. The problems though instead of being related to evil cyber-terrorists are much more mundane. Such as the effect of Viruses, Trojans, and Denial of Service Attacks on these systems. If a virus should interrupt communications with a water filtration control system, for instance, this could cause response problems leading to some contamination. Fighting viruses, however, does not get you billions in taxpayer funding. Nowadays only the most fearful scenarios get the money — regardless of merit.

Hunters - Gatherers

Johannes Ullrich over at SANS, reminded me of an increasing threat to the telecommunications and power infrastructure: copper and fiber theft. Odd as it seems, we have arrived at a point where people are robbing both construction sites and critical infrastructure of copper in order make a few bucks. Over the past few months several people have been hurt or killed while trying to harvest copper wire from live electrical lines. There is, of course, some kind of sad darwinian justice to these injuries, but the overall success of these thieves seems to be quite high.

Recent copper thefts have caused major phone, Internet, and video outages for Time Warner, AT&T, Verizion, and other carriers. It has gotten so bad, that at the beginning of this month AT&T and Time Warner have started offering rewards for information regarding the thefts, and Pennsylvania and other states are working to pass new metallic theft laws.

Copper prices have been at their highest levels for the past couple of years and scrap copper has been hanging around $3.40/lbs. The high prices are primarily due to the construction boom in the US, and infrastructure modernization in China and throughout Asia. Yes, this is the global trading village where one can pillage copper phone lines from one country, re-mold it to new wire, and sell it to another.

There is something both frightening and sad about people ripping apart their own infrastructure for a few dollars a pound. This problem seems much more prevalent then one would imagine and I wonder if it is a sign of the times, or simple a new avenue of common thievery.