e dot dot dot
a mostly about the Internet blog by


Hacked Florida Water Plant Found To Have Been Using Unsupported Windows 7 Machines And Shared Passwords

Furnished content.


By now, you have likely heard about the recent hack into a Florida water treatment plant which resulted in the attacker remotely raising the levels of sodium hydroxide to 100 times the normal level for the city's water supply. While those changes were remediated manually by onsite staff, it should be noted that this represents an outside attacker attempting to literally poison an entire city's water supply. Once the dangerous part of all of this was over, attention rightfully turned to figuring out how in the world this happened.

The answer, as is far too often the case, is poor security practices at the treatment plant.

According to an advisory from the state of Massachusetts, employees with the Oldsmar facility used a computer running Windows 7 to remotely access plant controls known as a SCADA—short for “supervisory control and data acquisition”—system. What’s more, the computer had no firewall installed and used a password that was shared among employees for remotely logging in to city systems with the TeamViewer application.
If you're not in the IT space, this is base level stuff. Have your computer systems on operating systems that are under active support and are being patched. That is doubly so for any systems that are critical, or which have access to critical systems. And to not have any client security, such as a local software firewall, on such a machine is IT malpractice. On top of the above, it appears that TeamViewer hadn't been actively used by the staff there for nearly six months. So there, again, was poor administration of the environment, with an antiquated remote access application not being removed from the production environment.

Instead, the save in all of this came from the meatware that was fortunately sitting at the machine and actively watching.
The breach occurred around 1:30pm, when an employee watched the mouse on his city computer moving on its own as an unknown party remotely accessed an interface that controlled the water treatment process. The person on the other end changed the amount of lye added to the water from about 100 parts per million to 11,100ppm. Lye is used in small amounts to adjust drinking water alkalinity and remove metals and other contaminants. In larger doses, the chemical is a health hazard.

Christopher Krebs, the former head of the Cybersecurity and Infrastructure Security Agency, reportedly told a House of Representatives Homeland Security committee on Wednesday that the breach was “very likely” the work of “a disgruntled employee.”
It's a water treatment plant for an entire city. In an era where there is an extreme lack of trust in government, dumb stuff like this acts as a supercharger.

posted at: 12:00am on 13-Feb-2021



Content Moderation Case Study: Valve Takes A Hands Off Approach To Porn Via Steam (2018)

Furnished content.


Summary: Different platforms have different rules regarding adult content, but they often prove difficult to enforce. Even the US judicial system has declared that there is no easy way to define pornography, leading to Justice Potter Stewart's famous line, "I know it when I see it."

Many, if not most, internet websites have rules regarding such adult content, and in 2017 Valve's online game platform, Steam, started trying to get more serious about enforcing its rules, leading to some smaller independent games being banned from the platform. Over the next few months more and more games were removed, though some started pointing out that this policy and the removals were doing the most harm to independent game developers.

In June of 2018, Valve announced that it had listened to various discussions on this and decided that it was going to take a very hands off approach to moderating content, including adult content. After admitting that there are widespread debates over this, the company said that it would basically allow absolutely anything on the platform, with very, very few exceptions:
So we ended up going back to one of the principles in the forefront of our minds when we started Steam, and more recently as we worked on Steam Direct to open up the Store to many more developers: Valve shouldn't be the ones deciding this. If you're a player, we shouldn't be choosing for you what content you can or can't buy. If you're a developer, we shouldn't be choosing what content you're allowed to create. Those choices should be yours to make. Our role should be to provide systems and tools to support your efforts to make these choices for yourself, and to help you do it in a way that makes you feel comfortable.

With that principle in mind, we've decided that the right approach is to allow everything onto the Steam Store, except for things that we decide are illegal, or straight up trolling. Taking this approach allows us to focus less on trying to police what should be on Steam, and more on building those tools to give people control over what kinds of content they see. We already have some tools, but they're too hidden and not nearly comprehensive enough. We are going to enable you to override our recommendation algorithms and hide games containing the topics you're not interested in. So if you don't want to see anime games on your Store, you'll be able to make that choice. If you want more options to control exactly what kinds of games your kids see when they browse the Store, you'll be able to do that. And it's not just players that need better tools either - developers who build controversial content shouldn't have to deal with harassment because their game exists, and we'll be building tools and options to support them too.
The company admitted that it would likely struggle with this plan, especially given different laws around the globe, but that it wanted to put the onus on end users, rather than itself.

Decisions to be made by Valve:
  • Is it really possible to allow anything that isn't illegal or straight up trolling?
  • How do you define straight up trolling?
  • How do you make sure that parts of the Steam store are safe for younger users?
  • What tools need to be provided to users to set their own filters?
Questions and policy implications to consider:
  • With more and more pressure from governments to clean up the internet, will taking a hands off approach lead to even more regulatory threats?
  • Does taking such a hands off approach create greater legal liability?
  • Can a hands off approach make users feel that the company is putting all of the responsibility on them, rather than itself?
Resolution: In the following few months, Valve released more ways to filter content in its store, including an adult filter. It also began approving more explicit games, as suggested by the policy.

At around the same time, it did continue to remove games, supposedly for violating its new no trolling policy. The company admitted that the no trolling policy is intentionally vague.
It is vague and we'll tell you why. You're a denizen of the internet so you know that trolls come in all forms. On Steam, some are simply trying to rile people up with something we call "a game shaped object" (ie: a crudely made piece of software that technically and just barely passes our bar as a functioning video game but isn't what 99.9% of folks would say is "good"). Some trolls are trying to scam folks out of their Steam inventory items, others are looking for a way to generate a small amount of money off Steam through a series of schemes that revolve around how we let developers use Steam keys. Others are just trying to incite and sow discord. Trolls are figuring out new ways to be loathsome as we write this. But the thing these folks have in common is that they aren't actually interested in good faith efforts to make and sell games to you or anyone. When a developer's motives aren't that, they're probably a troll.

Our review of something that may be "a troll game" is a deep assessment that actually begins with the developer. We investigate who this developer is, what they've done in the past, their behavior on Steam as a developer, as a customer, their banking information, developers they associate with, and more. All of this is done to answer the question "who are we partnering with and why do they want to sell this game?" We get as much context around the creation and creator of the game and then make an assessment. A trend we're seeing is that we often ban these people from Steam altogether instead of cherry-picking through their individual game submissions. In the words of someone here in the office: "it really does seem like bad games are made by bad people."

This doesn't mean there aren't some crude or lower quality games on Steam, but it does mean we believe the developers behind them aren't out to do anything more than sell a game they hope some folks will want to play.
The company has still faced some criticism over these policies. In 2019 an anti-pornography group complained publicly that it was too easy to find adult content on Steam despite the new filters that were put in place, saying that the filters were mere speedbumps.

In late 2020, Steam started to experiment with a revamp of how it organizes content, and that may include an explicit games area.

Originally published to the Trust & Safety Foundation website.

posted at: 12:00am on 13-Feb-2021


