Message-ID: <BANLkTik_W8n1cCwKnVjsL6cNxaeS0pn-_g@mail.gmail.com>
Date: Sun, 17 Apr 2011 12:36:42 -0400
From: Jeffrey Walton <noloader@...il.com>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Florida Power & Light Company (FPL) Fort Sumner Wind turbine Control SCADA was HACKED

On Sun, Apr 17, 2011 at 10:46 AM, <Valdis.Kletnieks@...edu> wrote:
> On Sun, 17 Apr 2011 07:39:58 EDT, Jeffrey Walton said:
>
>> To play devil's advocate here: FPL placed those hosts on a public internet.
>> In addition, FPL also configured the hosts to advertise services. If FPL did
>> not want the services accessed, the company would have removed the hosts
>> from the public internet, shut down the services, or used leased [private]
>> lines. Where's the leap to a criminal offense?
>
> You're welcome to go ahead and break into a house, and use the excuse "but the
> door facing the street was unlocked". Let us know if the judge is amused.

I was thinking more along the lines of an Office Depot, Sports Authority,
Verizon Wireless, etc - public businesses which automatically open the
sliding glass doors for you. I don't expect these businesses to claim a
'comparison shopper' was trespassing after the fact.

> Most of the applicable statutes are worded in such a way that the "but it was
> wide open and unsecured" claim won't do any good, as they are phrased in terms
> of "exceeding authorized access".

One cannot know these things for all public IP addresses 'a priori'. If the
network is not meant to be accessed, it should not be advertising services,
or it should be on a leased line.

> You go in knowing you don't have an
> authorized access code, you're screwed.

Anonymous logins are available for many services - for example, FTP and
WWW. It's a mainstay of the internet, and has been so for many years.

> Oh, and many of the statutes *do not*
> include "intent" in them. So whether you're a black hat doing something evil,
> or a white hat investigating so you can tell them they have a problem, you're
> still in trouble.

Intent has nothing to do with using public services (I'm not sure how to
articulate it as a legal argument - sorry). If they are available and used,
don't complain after the fact. If a company does not want them used, they
should not advertise the service, or they should purchase a leased line.

Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/