Salve FSF-people!
After the Blackout 2003 the mass media were only looking for symptoms of the big blackout, but not for reasons why it was so big. So I started to do research on Saturday last week, and now, 7 days later, working non-stop on it, I found a lot of facts, like:
- the energy industry has a big problem with IT security
- there was a Slammer worm attack at the Davis-Besse nuclear power plant on 25.01.2003 inside the control network [1]
- there was no firewall between business and control network
- power plants use Windows 2000
- SCADA, used for control and command in the energy sector, is not secure
- SCADA uses port 135, the same as W32.Blaster
- the EoD gave hints on how to secure SCADA in 21 (!) steps
- on 13.08.2003 the NERC announced a "Cyber Security Standard"
- power plants use unencrypted WLAN
- there are important SCADA communications over the public internet
- the Department of Homeland Security has called on power plants and ISPs to block port 135 (when it is not really needed for business)
- .....
I will not say why it was - but the energy companies are in big IT-trouble!
On second look, these big problems are big trouble for the IT sector, too.
I fear that the action which will now be taken will conceal only the symptoms and will not solve the reasons. Actions of the Department of Homeland Security also carry the likely danger that some IT firms which are friends of the Bush administration will influence the "Cyber Security Standard" and other actions in their interest.
My conclusion is that it is necessary to call for "more sustained software" and IT solutions. I have written a 70 kB German text with English quotes, to be maybe published at the online magazine Telepolis, www.heise.de/tp
What is your opinion about this? It would be great if some experienced German-reading person would contact me.
And I would like feedback from an FSF speaker to answer my questions for this article.
Greetings rob
[1] - Go to http://www.nrc.gov/reading-rm/adams/web-based.html
- Use "Advanced Search"
- Search for "Davis-Besse" & filter with "worm"
- Press "Search"
- Open "1. (91) Davis-Besse - Worm Virus Infection E-Mail. ML031040567 2003-04-02 7 05000346 NPF-003 2003-04-02 2003-04-15 --------- FOR INFORMATION ONLY--------- WORM VIRUS INFECTION On January 25, 2003 a server on the Plant Network was thought to be infected with the MS- SQL Server Worm. The consequence of the infection was large amount
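As an added example (not part of the original mail or of any project it mentions), a small Python policy check of the kind the missing business/control firewall would have enforced: it parses constructed flow-log lines, classifies both ends by zone, denies anything entering the control network, denies the worm ports across any zone boundary, and only alerts on worm-port traffic inside one zone. The address plan, log format and all function names are assumptions; udp/1434 (the MS-SQL port the Slammer worm used) is a known fact that the page itself does not state.

```python
import ipaddress
from collections import namedtuple

# Assumed (constructed) address plan: office LAN and the plant control network
# that, per the mail, had no firewall between them.
BUSINESS_NET = ipaddress.ip_network("10.10.0.0/16")
CONTROL_NET = ipaddress.ip_network("192.168.100.0/24")
# Worm vectors: tcp/135 (named in the mail; W32.Blaster) and udp/1434, the
# MS-SQL Resolution Service port Slammer spread over (known fact, not on the page).
WORM_PORTS = {("tcp", 135), ("udp", 1434)}
Flow = namedtuple("Flow", "proto src dst dport")

# Constructed flow-log lines ('proto src:sport -> dst:dport'), not real plant data.
SAMPLE_LINES = [
    "tcp 10.10.4.7:51234 -> 192.168.100.5:135",      # office host hitting RPC on a PLC gateway
    "udp 203.0.113.9:4000 -> 10.10.2.2:1434",        # internet host probing MS-SQL on the LAN
    "tcp 10.10.4.7:51235 -> 10.10.9.9:445",          # ordinary file sharing inside the office
    "udp 192.168.100.5:1434 -> 192.168.100.6:1434",  # Slammer-style spread inside control
]

def parse_flow(line):
    """Parse one constructed log line into a Flow with typed addresses."""
    proto, src, _arrow, dst = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(proto.lower(), ipaddress.ip_address(src_ip),
                ipaddress.ip_address(dst_ip), int(dport))

def zone(ip):
    """Map an address to its security zone."""
    if ip in CONTROL_NET:
        return "control"
    return "business" if ip in BUSINESS_NET else "external"

def evaluate(flow):
    """Return (verdict, reason): default-deny into control; worm ports never cross zones."""
    src_zone, dst_zone = zone(flow.src), zone(flow.dst)
    service = (flow.proto, flow.dport)
    if src_zone != dst_zone and dst_zone == "control":
        return "deny", f"{src_zone} -> control: no path into the control network"
    if src_zone != dst_zone and service in WORM_PORTS:
        return "deny", f"{flow.proto}/{flow.dport} must not cross the zone boundary"
    if service in WORM_PORTS:
        return "alert", f"{flow.proto}/{flow.dport} inside {dst_zone}: possible worm spread"
    return "allow", "within policy"

def triage(lines=SAMPLE_LINES):
    """Evaluate each log line; returns [(line, verdict, reason), ...]."""
    return [(line, *evaluate(parse_flow(line))) for line in lines]
```

The fourth sample line is the case the NRC report describes: a worm already inside the plant network, which a perimeter rule cannot stop and which only shows up as an alert from inside-zone monitoring.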
> Salve FSF-people!
> - there was a Slammer worm attack at the Davis-Besse nuclear
> power plant on 25.01.2003 inside the control network [1]
Please be so kind and wait 2-3 days before forwarding this news to others. This link is one of the best I found, but I haven't released this news yet. My article will be more than saying a power plant was hit; I want to show that the reasons for the IT insecurity are based on a non-sustained way to think and solve problems. There is much news today which doesn't explain why things are going wrong. My call for sustained software will support free software. So please wait 2-3 days, so that this news in my article will make my conclusion more popular, too.
Thank you. rob
On Sat, Aug 23, 2003 at 08:58:23PM +0200, Robert Michel wrote:
> Salve FSF-people!
> - there was a Slammer worm attack at the Davis-Besse nuclear
> power plant on 25.01.2003 inside the control network [1]
> Please be so kind and wait 2-3 days before forwarding this news to others. This link is one of the best I found, but I haven't released this news yet. My article will be more than saying a power plant was hit; I want to show that the reasons for the IT insecurity are based on a non-sustained way to think and solve problems. There is much news today which doesn't explain why things are going wrong. My call for sustained software will support free software. So please wait 2-3 days, so that this news in my article will make my conclusion more popular, too.
It's already known, see http://theregister.co.uk/content/56/32425.html for example.
Jeroen Dekkers
Salve Jeroen,
On Saturday, 23 August 2003 21:22, Jeroen Dekkers wrote:
> On Sat, Aug 23, 2003 at 08:58:23PM +0200, Robert Michel wrote:
> > Salve FSF-people!
> > - there was a Slammer worm attack at the Davis-Besse nuclear
> > power plant on 25.01.2003 inside the control network [1]
> > Please be so kind and wait 2-3 days before forwarding this news to others.
> It's already known, see http://theregister.co.uk/content/56/32425.html for example.
Yes, but I sent you the information on how to find the official report on the http://www.nrc.gov server. Read it and compare it with The Register's article. Not the article by SecurityFocus but this report is a chance for FSF PR. Even the report itself is one!
What do you think about my idea of a call for "more sustained software/IT"? Everybody who is going to build a house must follow rules to avoid fires that could damage the neighbour's house; there are so many norms for nearly everything. Norming means more security, easier construction by sharing know-how and more political-economic success. Why do you think "Made in Germany" has become = quality? Germany's success from 1950 to today is based on DIN and ISO norms. These norms are open knowledge for everybody; only the papers are copy-protected, but not the knowledge - this is free to use.
When I read the documents of the NERC, which announced a "Cyber Security Standard" on 13.08.2003, ftp://www.nerc.com/pub/sys/all_updl/docs/pressrel/8-13-03-Cyber-Standard-Board-PR.pdf, I thought this could be compared to the § rule in the UK that every house must have a fire alarm bell vs. the § rules in Germany that regulate very restrictively how to build houses with fewer fire risks (non-burning material, distance to neighbouring houses, non-burning firewalls...)
The report of the nuclear plant worm attack considers all reasons why it happened and all possible actions against the insecurity - but not whether the used (closed-source) software MS Windows 2000 is a reason and what alternatives to it would be possible.
I recommend seeing the Frontline TV broadcast about Cyberwar (54 minutes) http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/view/ and knowing where Bush's words "This is a wake-up call" could come from. And reading about the "Cyber Security Standard": ftp://@www.nerc.com/pub/sys/all_updl/standards/dt/cybersardt-0803a.pdf
Jeroen, what do you think about my idea of calling for sustained software/IT?
For those who are interested in going into details, please send me a PM. And again, I would like to get a response from a German-reading FSF person.
Greetings rob
Salve FSF, don't fear that I have started bombing you with mails ;), I just want to add a short explanation of what I mean with sustained (nachhaltig). (This should be more important than the news about the Blackout.)
Thinkers of the "Rocky Mountain Institute" www.rmi.org, the www.wupperinst.org and "Factor 4" people are looking for solutions which are smarter, better for the consumers and better for the environment. They have an over 20-year tradition of thinking about complex systems with human, environmental, economic, political and technical components.
The shortest example would be to choose refrigerators with lower electrical power consumption - after a short period they are cheaper than a cheaper refrigerator with worse insulation.
Why FSF Europe? Because I think the same SCADA technology is used in Europe too - I think Europeans should not say or think this can't happen here. There are many examples of malfunctions of trains, cars, planes, .... based on IT mistakes. With the growing importance of IT for critical infrastructure as for daily life - there must be change for IT. The concepts and examples of the RMI, Wupperinst & Co. people can train the way to think for getting better sustained solutions.
I'm not sure if "sustained" would be the best translation, and I think that "sustained software" is still not a popular slogan for IT people - but I'm sure that it will become one. So if you imagine or understood my thoughts, and you would be interested in it, please contact me by PM. news@robertmichel.de
Greetings, rob
On 23 Aug 2003 at 22:48, Robert Michel wrote:
> Why FSF Europe? Because I think the same SCADA technology is used in Europe too - I think Europeans should not say or think this can't happen here. There are many examples of malfunctions of trains, cars, planes, .... based on IT mistakes. With the growing importance of IT for critical infrastructure as for daily life - there must be change for IT. The concepts and examples of the RMI, Wupperinst & Co. people can train the way to think for getting better sustained solutions.
Firstly, the power situation in the US is woeful - the infrastructure transporting the power has been severely underfunded ever since deregulation under Bush senior. This has been known for some years - look for an article about the matter by a journalist called Greg Palast.
Secondly, the European power infrastructure is far more tightly regulated than the US, except in the UK. Companies are obliged to spend on certain areas where under deregulation they can spend the bare minimum so as to maximise profit.
Thirdly, I think it would be a grave mistake to think that how the US power companies manage their IT projects is somehow representative of everything else. The reasons IT projects fail are (in this order): (i) lack of experience in managing, planning and deploying IT solutions; (ii) high churn rate of experienced staff; (iii) a lack of professionalism by a minority of IT professionals. Because companies rarely have peer review or other (costly) proper quality review schemes, one or two poor programmers can inflict masses of damage on a project. Because of the historic shortage of workers, most companies tolerated any poor programmer rather than fire them.
All these things will improve naturally as software engineering matures. Until then, usually he who pays more gets a better product, and until management understands this they can continue to expect problems.
Cheers, Niall
Salve Niall,
"Years ago, engineers set the pace - today every investment must be profitable" Mr. Eberhard Meller, chief of the association of the German electricity industry (Chef des Verbandes der Elektrizitätswirtschaft). Source: "Die Zeit" 21.8.2003 #35 page 7
> Firstly, the power situation in the US is woeful - the infrastructure
> ..
> Secondly, the European power infrastructure is far more tightly
> ...
> Thirdly, I think it would be a grave mistake to think that how the US power companies manage their IT projects is somehow representative of everything else. The reasons IT projects fail are (in this order): (i) lack of experience in managing, planning and deploying IT solutions; (ii) high churn rate of experienced staff; (iii) a lack of professionalism by a minority of IT professionals. Because companies rarely have peer review or other (costly) proper quality review schemes, one or two poor programmers can inflict masses of damage on a project. Because of the historic shortage of workers, most companies tolerated any poor programmer rather than fire them.
> All these things will improve naturally as software engineering matures. Until then, usually he who pays more gets a better product, and until management understands this they can continue to expect problems.
Really? An M$ Windows 2000 licence costs more than a Debian distribution. There are more examples that paying more does not mean getting a better product. The money must be invested intelligently. Economic people don't care about long time periods. And the big question is *what is a better product*? The US "cyber security standard" will be made to go on with the same philosophy and products - and I fear this will not support free software! FSF must raise its voice.
I would like to get a personal mail from a German-reading FSF person.
Greetings rob
On 24 Aug 2003 at 13:55, Robert Michel wrote:
> > All these things will improve naturally as software engineering matures. Until then, usually he who pays more gets a better product, and until management understands this they can continue to expect problems.
> Really? An M$ Windows 2000 licence costs more than a Debian distribution. There are more examples that paying more does not mean getting a better product. The money must be invested intelligently.
The majority of worldwide software development is bespoke solutions, not off-the-shelf packages. People blinded by pro-free and pro-proprietary ideologies often forget that in the big pool of things, companies such as Microsoft are influential but not all-powerful. For example, Microsoft makes its profit from two things: (i) Office and (ii) Windows. Every other venture it has entered either barely makes a profit or loses sometimes billions a year.
Cheers, Niall