52 years ago today, the Oregon Highway Division tried to remove a whale carcass. With dynamite.
Now there's a country music song for just about anything, but not this. The closest I could find was this one from Country Joe McDonald (front man for Country Joe and the Fish). It's very 1970s earnest but that makes it a bit of a time capsule. Looking back, you can see just how much has changed in the last half century.
Dragon's Breath .410 Flame Thrower shotshells. Now I always considered the Judge to be a bit gimmicky, and these incendiary shotshells seemed that way, too - until I watched this video and saw a unique application for property defense come the End Times:
A land mine recently left at a thrift store was authentic -- but luckily inert.I blame the Gun Show Loophole. We clearly need some "Common Sense" Landmine Control laws.
...
A Goodwill employee familiar with military explosive devices found the land mine. An area strip mall was evacuated and a bomb squad called in.
A Canadian idiot has been sentenced to a year behind bars after he was found guilty of calling in a bomb threat because he was running late for his flight.
Michael Howells, 37, pleaded guilty to two counts of criminal mischief and received 12 months in jail along with a fine of CA$3,844.88 (US$3,000, £2,200).
Good idea, Einstein. Click through to read the hilarious story about how Officer Friendly apprehended Our Hero. Snerk.Howells was sentenced for the 2014 hoax when, running late for a flight from Kelowna, BC, he phoned in an anonymous bomb threat to the airport claiming the Calgary-bound plane he was due to fly on had been rigged with explosives. His plan was to cause takeoff to be delayed so he'd make the flight.
I guess it's worth repeating my advice to be very suspicious of any USB stick you find lying in the parking lot.Once a proof-of-concept, the pocket-sized USB stick now fits in any security tester's repertoire of tools and hacks, says the Hong Kong-based company that developed it. It works like this: when the USB Kill stick is plugged in, it rapidly charges its capacitors from the USB power supply, and then discharges -- all in the matter of seconds.On unprotected equipment, the device's makers say it will "instantly and permanently disable unprotected hardware".
There are other types of plants where the consequences would be equally grave - Plexiglas polymerization in the piping would be a Very Bad Thing Indeed, for example. Chemical plants might even go boom.Amid all the noise the Sony hack generated over the holidays, a far more troubling cyber attack was largely lost in the chaos. Unless you follow security news closely, you likely missed it.I’m referring to the revelation, in a German report released just before Christmas(.pdf), that hackers had struck an unnamed steel mill in Germany. They did so by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down, resulting in “massive”—though unspecified—damage.
The report, issued by Germany’s Federal Office for Information Security (or BSI), indicates the attackers gained access to the steel mill through the plant’s business network, then successively worked their way into production networks to access systems controlling plant equipment. The attackers infiltrated the corporate network using a spear-phishing attack—sending targeted email that appears to come from a trusted source in order to trick the recipient into opening a malicious attachment or visiting a malicious web site where malware is downloaded to their computer. Once the attackers got a foothold on one system, they were able to explore the company’s networks, eventually compromising a “multitude” of systems, including industrial components on the production network.My feeling is that the future will see the segmenting of networks into "ordinary business users" and "mission critical" with no connections whatsoever between them - exactly like the DoD unclassified and classified networks. While this is no panacea, it makes it much, much more difficult to penetrate, and very likely requires physical access. And a shout out to the retail industry: your Point Of Sale terminals should be separated from the rest of the network in exactly this way to avoid a repeat of the Target credit card breech.
The Tybee Island B-47 crash was an incident on February 5, 1958, in which the United States Air Force lost a 7,600-pound (3,400 kg) Mark 15 nuclear bomb in the waters off Tybee Island near Savannah, Georgia, United States. During a practice exercise, the B-47 bomber carrying the bomb collided in midair with an F-86 fighter plane. To protect the aircrew from a possible detonation in the event of a crash, the bomb was jettisoned. Following several unsuccessful searches, the bomb was presumed lost somewhere in Wassaw Sound off the shores of Tybee Island.
 |
| There was supposed to be an Earth-Shattering kaboom ... |
Researchers have found vulnerabilities in industrial control systems that they say grant full control of systems running energy, chemical and transportation systems.The bad news? You can make a big boom taking over a refinery. The good news? The industry may actually be paying attention now ("we demonstrated to owners ...").
The vulnerabilities were discovered by Russian researchers who over the last year probed popular and high-end ICS and supervisory control and data acquisition (SCADA) systems used to control everything from home solar panel installations to critical national infrastructure.
Positive Research chief technology officer Sergey Gordeychik and consultant Gleb Gritsai detailed vulnerabilities in Siemens WinCC software which was used in industrial control systems including Iran's Natanz nuclear plant that was targeted by the US Stuxnet program.
"We don’t have big experience in nuclear industry, but for energy, oil and gas, chemical and transportation sectors during our assessments project we demonstrated to owners how to get full control [of] industrial infrastructure with all the attendant risks," Gordeychik told SC Magazine.
The whole email is worth reading. It presents multiple examples of NSA attempting to weaken the standard. And the conclusion (while polite) is nuclear:Dear IRTF Chair, IAB, and CFRG: I'd like to request the removal of Kevin Igoe from CFRG co-chair. The Crypto Forum Research Group is chartered to provide crypto advice to IETF Working Groups. As CFRG co-chair for the last 2 years, Kevin has shaped CFRG discussion and provided CFRG opinion to WGs. Kevin's handling of the "Dragonfly" protocol raises doubts that he is performing these duties competently. Additionally, Kevin's employment with the National Security Agency raises conflict-of-interest concerns. ... While much is unknown about these activities, the NSA is known to have placed a "back door" in a NIST standard for random number generation [ECDRBG]. A recent report from the President's Review Group recommends that the NSA: - "fully support and not undermine efforts to create encryption standards" - "not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software" [PRESIDENTS] This suggests the NSA is currently behaving contrary to the recommendations.
The Internet community is starting to interpret the NSA as the adversary, and is starting to route around it.While that's of course speculation, it remains baffling that an experienced cryptographer would champion such a shoddy protocol. The CFRG chairs have been silent for months, and haven't responded to attempts to clarify this. Conclusion ---- The position of CFRG chair (or co-chair) is a role of crucial importance to the IETF community. The IETF is in desperate need of trustworthy crypto guidance from parties who are above suspicion. I encourage the IAB and IRTF to replace Kevin Igoe with someone who can provide this.
Angels and Ministers of Grace, defend us ...I have a form that creates a user by entering the username and their password. The code I'm using in php is:shell_exec("sudo useradd -p $encpass -g groupname -s /bin/bash $username");I have used a whoami and have confirmed that it runs as http. In /etc/sudoers I havehttp ALL=(ALL) NOPASSWD: ALL root ALL=(ALL) ALL %wheel ALL=(ALL) NOPASSWD: ALL %sudo ALL=(ALL) ALLI also added http to group wheel. The problem I am having is it's not setting the password correctly. The user is created, just the password isn't set. I know that $encpass has a value because I can display it. I also know the command works because it runs fine in command line. This was working before, but I had to reinstall Arch Linux, so does anyone have an idea for why this doesn't work?
For those not Linux heads, some of the more patient redditers explain it to Our Hero:
You see, this is why we can't have nice things on the Internet. Jimminy Cricket on a motorbike, this is maybe the most colossally boneheaded code I've ever seen. And I've seen rather a lot, sad to say. A number of the redditers accuse him of being a troll, but I think the query was legit. After all, this sort of security fail is so epic that it has its very own xkcd:
