Remember, the industry told us we're in a 'zero trust' world now. The network perimeter is an anachronism.
OTOH you know damn well they keep the important stuff airgapped, in which case the title (and your predictable reaction) is just fanning the flames. It could very well be they 'breached' the receptionist's PC she uses to browse Facebook to pass the time.
The decentralized internet is less of a reality today than it was years ago.
The web though I agree isn't very decentralized.
I'm not sure if Oracle would be better.
Why the special treatment for nuclear? Do you really think redlining a dam or storm-levee system would be less damaging?
Also, turning off internet connections means less-capable remote shut-off. Less-responsive power plants. Fewer eyes on telemetry.
We should be mindful of what is and isn't connected to the internet, and how it's firewalled and--if necessary--air gapped. That doesn't mean sprinting straight for the end zone.
Why does it have to be remote? What's wrong with it being in-house? Besides, a shut-off should never be able to be triggered remotely.
The same goes for digital emergency shut off buttons; all should be physical.
> Less-responsive power plants.
What? How is remote any more responsive than physical workers being in-house?
If power-plants operated efficiently back in the 50's without internet, they should be able to now without internet.
Nothing wrong with it being in house. But having a back-up is never bad.
> How is remote any more responsive than physical workers being in-house?
If the on-site workers are incapacitated. It's a remote (hehe) risk. But so are foreign hackers doing anything with our nukes.
> If power-plants operated efficiently back in the 50's without internet, they should be able to now without internet
If you're fine paying 50s power prices again, sure, I'm sure a power company would happily run their plants retro style.
BTW, quite a few of these port scanners are companies that offer to scan your ports for vulnerabilities. Temu pen testing, so to speak.
You want to make everything about a nuclear facility bespoke and subject to air-gapped drift? What about the guard booth that verifies people's access, the receptionist who schedules meetings, and the janitor who wants to watch YouTube on his break? It seems unrealistic to lump everything that goes on at a nuclear facility under this umbrella.
For hiring and retaining people, yes. It's understood that the "guts" of what's happening at these facilities needs to be locked down to the max. But, for supporting roles you need to be able to bring people in off the street without 1) a bunch of specialized training on your bespoke way of doing things, and 2) making your employees less attractive on the job market.
Just my opinion, though. Maybe I'm completely off base but it doesn't seem like a good idea to me long-term.
Also, the Kansas City Plant is like a watchmaker's factory, not a power plant. They make widgets and gewgaws, not literally split atoms.
https://en.wikipedia.org/wiki/Operation_Olympic_Games#Histor...
> Dutch engineer Erik van Sabben allegedly infiltrated the Natanz nuclear facility on behalf of Dutch intelligence and installed equipment infected with Stuxnet. He died two weeks after the Stuxnet attack at age 36 in an apparent single-vehicle motorcycle accident in Dubai.
https://en.wikipedia.org/wiki/Operation_Olympic_Games
> A programming error later caused the worm to spread to computers outside of Natanz. When an engineer "left Natanz and connected [his] computer to the Internet, the American- and Israeli-made bug failed to recognize that its environment had changed." The code replicated on the Internet and was subsequently exposed for public dissemination. IT security firms Symantec and Kaspersky Lab have since examined Stuxnet. It is unclear whether the United States or Israel introduced the programming error.
Also bearing mention is Flame, which is often left out when Stuxnet comes up, but which was allegedly part of the wider operation.
https://en.wikipedia.org/wiki/Operation_Olympic_Games#Signif...
> The Washington Post reported that Flame malware was also part of Olympic Games.
https://www.washingtonpost.com/world/national-security/us-is... | https://web.archive.org/web/20220322045917/https://www.washi...
> OT cybersecurity specialists interviewed by CSO say that KCNSC’s production systems are likely air-gapped or otherwise isolated from corporate IT networks, significantly reducing the risk of direct crossover. Nevertheless, they caution against assuming such isolation guarantees safety.
This was also not a nuclear facility, however. The article says it makes "non-nuclear components".
In my experience auditing critical infrastructure, most facilities are "air gapped". I put that in quotes because while you can't browse the Internet from the control network(s), there are ways to exfiltrate data. The managers, engineers, regulators, and vendors need to know what is going on in real-time. Back in the day this could've been a serial port connecting two systems for a one-way feed. Now I imagine it's something far more sophisticated and probably more susceptible to abuse.
As an example, you might have a collection of turbines manufactured by GE and GE needs to have real-time data coming from them for safety monitoring and maintenance. The turbines might have one connection for control traffic and another for monitoring. How to secure these vendor connections was always a debate.
Btw, there are strong cybersecurity regulations around critical infrastructure. CIP-005-07 covers security perimeters. You can view them here: https://www.nerc.com/pa/Stand/Reliability%20Standards%20Comp...
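The one-way feed described in this comment, as an added illustration that is not from the thread, any vendor, or the NERC standards: a control-side sender that frames readings, and a monitoring-side receiver that validates framing, CRC, sequence order and an allow-list of tags before accepting any value, with no return channel. The frame layout, tag names and readings are constructed for the example.

```python
import struct
import zlib

# Constructed wire format (assumption, not any real vendor protocol):
#   MAGIC | body length (u16) | body | CRC-32 of body (u32)
#   body = sequence number (u32) | tag (8 bytes, NUL padded) | reading (float64)
MAGIC = b"\xa5\x5a"
HEADER = struct.Struct(">H")
BODY = struct.Struct(">I8sd")
TRAILER = struct.Struct(">I")
FRAME_LEN = len(MAGIC) + HEADER.size + BODY.size + TRAILER.size


def encode_frame(seq, tag, value):
    """Control-network side: emit one framed reading. Nothing is ever read back."""
    body = BODY.pack(seq, tag.encode("ascii")[:8], value)
    return MAGIC + HEADER.pack(len(body)) + body + TRAILER.pack(zlib.crc32(body))


class OneWayReceiver:
    """Monitoring side: parse a byte stream and accept only well-formed, expected frames."""

    def __init__(self, allowed_tags):
        self.allowed = set(allowed_tags)
        self.next_seq = None        # next sequence number we expect
        self.buf = b""
        self.readings = []          # accepted (seq, tag, value)
        self.anomalies = []         # everything that did not pass cleanly

    def feed(self, data):
        self.buf += data
        while True:
            start = self.buf.find(MAGIC)
            if start < 0:
                self.buf = b""      # no frame start anywhere: discard line noise
                return
            if start > 0:           # junk before a frame start: resync
                self.anomalies.append("noise")
                self.buf = self.buf[start:]
            if len(self.buf) < len(MAGIC) + HEADER.size:
                return              # wait for more bytes
            (blen,) = HEADER.unpack_from(self.buf, len(MAGIC))
            if blen != BODY.size:   # length field must match the fixed body
                self.anomalies.append("bad-length")
                self.buf = self.buf[1:]
                continue
            if len(self.buf) < FRAME_LEN:
                return              # partial frame, wait for the rest
            body_off = len(MAGIC) + HEADER.size
            body = self.buf[body_off:body_off + BODY.size]
            (crc,) = TRAILER.unpack_from(self.buf, body_off + BODY.size)
            self.buf = self.buf[FRAME_LEN:]
            if zlib.crc32(body) != crc:
                self.anomalies.append("bad-crc")
                continue
            self._accept(body)

    def _accept(self, body):
        seq, raw_tag, value = BODY.unpack(body)
        tag = raw_tag.rstrip(b"\x00").decode("ascii", "replace")
        if tag not in self.allowed:          # only telemetry we agreed to receive
            self.anomalies.append("unknown-tag")
            return
        if self.next_seq is not None and seq < self.next_seq:
            self.anomalies.append("replay")  # old or duplicated frame
            return
        if self.next_seq is not None and seq > self.next_seq:
            self.anomalies.append(f"gap:{seq - self.next_seq}")  # lost frames, still accept
        self.next_seq = seq + 1
        self.readings.append((seq, tag, value))


def demo():
    """Run a constructed stream through the receiver and return it for inspection."""
    rx = OneWayReceiver(allowed_tags={"T1_RPM", "T1_TEMP"})
    corrupted = bytearray(encode_frame(3, "T1_RPM", 3601.0))
    corrupted[len(MAGIC) + HEADER.size + 4] ^= 0xFF   # flip a byte inside the tag
    stream = (
        b"\x00junk"                            # line noise before the first frame
        + encode_frame(1, "T1_RPM", 3600.0)
        + encode_frame(2, "T1_TEMP", 412.5)
        + bytes(corrupted)                     # fails CRC, seq 3 is lost
        + encode_frame(4, "T1_RPM", 3602.0)    # accepted, gap of 1 recorded
        + encode_frame(2, "T1_TEMP", 412.5)    # replayed frame
        + encode_frame(5, "T1_VIB", 0.02)      # tag not on the allow-list
    )
    rx.feed(stream[:17])                       # deliver in two chunks, split mid-frame
    rx.feed(stream[17:])
    return rx


if __name__ == "__main__":
    r = demo()
    print("accepted:", r.readings)
    print("anomalies:", r.anomalies)
```

The receiver never writes anything back toward the sender, so the monitoring side cannot be used to push commands upstream; what it can do is log every malformed, replayed or unexpected frame, which is the signal a plant operator would want alarmed on rather than silently dropped.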
The only world where "likely" is a reasonable word is in reference to possible physical taps or a precise enumeration of physical access points that went unaudited, but have reliably followed safe access control/configuration procedures. Anything else is plain incompetence.
This article is full of nonsense and speculation.
It's an answer from talking heads, not from people from the facility.
I'm shocked. Shocked, I tell you.
It has a bug with Solidworks (3D design suite) that sporadically makes files completely un-openable unless you go in and change some metadata. They are aware of this, there doesn't seem to be any limitation preventing them from fixing it, and it has sat unfixed for years.
Microsoft's cloud storage as a whole is an insane tangle where you never know where you'll find something you're looking for or whether it will work. Some things work only in browser, some only in the app, zero enumeration of these things anywhere.
Completely unsurprised and I'm sure there are many more vulnerabilities ripe for the picking.
It ended up being easier just to switch to paid Overleaf and teach our non-tech members how to write LaTeX and/or use the built-in editor. The documents are beautiful, Overleaf doesn't miss a beat and we are very happy with their solution.
Microsoft should be ashamed - I don't know how anybody would ever consider using them for any serious production work.
[1] https://learn.microsoft.com/en-us/answers/questions/5216132/...
* Too few people use Firefox to access Office online, they don't care
* Your organization is too small for them to care
"yes, your car exploded, but you were driving on a dirt drive way. it works just fine on the highway"
> Sorry for that we may have no enough resources about the Linux environment.
Recently I tried to configure a new subdomain to handle mail on 365 and even finding their DKIM configuration section was a mission. Once finding it, I learned that their DNS check fails to properly handle subdomains for email, so you have to put their DKIM keys against your root domain. Genius!
I went there to try to find where company meetings got recorded to.
I went to my sharepoint bookmark, which weirdly is www.office.com after some previous nightmare rebrand.
Except what used to be the way into your sharepoint files, is now just a full page copilot screen with no hint of where the fuck your files are.
Even though you've been visiting this bookmark for years, to get to your sharepoint files.
Ok, so you search bing sign into sharepoint.
Top result is office.com. You ignore it.
Next result is:
https://support.microsoft.com/en-gb/office/sign-in-to-sharep...
This links you to https://m365.cloud.microsoft/
Ok great. Nope! Redirects you back to copilot.
I do NOT want to ask copilot to dig out my files every time you want a file. I want to get back to the directory listing so I can find the directory listing to find the company meeting recording.
How does MS not understand that replacing all UX with copilot is not an improvement, and is not helping sell copilot?
Sounds like they need to seriously redesign their security policies.
https://www.paloaltonetworks.com/cyberpedia/what-is-the-purd...
Then according to this report, 'sometime in August' the exploit is used against the Honeywell-managed nuclear facility, since it wasn't patched, if I read correctly? So it really could have been anyone, and it's hardly just Russia and China who have a record of conducting nuclear espionage in the USA using their nation-state cybercapabilities (Israel?). As the article notes:
> "The transition from zero-day to N-day status, they say, opened a window for secondary actors to exploit systems that had not yet applied the patches."
Also this sounds like basically everything that goes into modern nuclear weapons, including the design blueprints. Incredible levels of incompetence here.
> "Located in Missouri, the KCNSC manufactures non-nuclear mechanical, electronic, and engineered material components used in US nuclear defense systems."
I don't see news about that much - but to be fair, I am not looking for it.
What?
Gee, who would have guessed this isn't secure.
Don't use Exchange? Cool, what should we use instead? Does it support 15 people all the way up to 150000 people? I used to run an Exchange cluster for 70k people; is there other mail software out there complete with non-shared disk redundancy? Where the users connect to a single endpoint and the software figures it out from there?
Sharepoint with another 2 RCEs. Not shocked, the software is terrible. However, it's the only software that will stand up under load and let us shard it easily. All open-source software is one of those, runs fine in a Homelab, likely falls down under load. Few Open Source Developers want to work on this stuff, which I get because it's tedious work interfacing with computer illiterate end users. I'd rather chug sewage than do this work for free.
Finally, it's somewhat backwards compatible. Most businesses are filled with ancient software that no one has worked on in 20 years. That Excel document with Macros from 1997. With some registry changes degrading security posture, still works. I doubt you will find Office software with level of backwards compatibility unless they are using Microsoft Office level of compatibility.
Microsoft has a real Gordian knot here and few solutions besides "Backwards compatibility is OVER. Upgrade to modern or GTFO". Meanwhile, I get hit up by $ThreeJobsAgo over some Exchange Web Services solution I slapped together for them in Python; they wanted me to upgrade it to GraphAPI since Microsoft turned off Exchange Web Services in Office365.
Or the government could pay people to work on said open source software, providing a benefit to the public along the way. The US government started something like this called "18F" under the Obama administration. It was so effective at making software that was useful to the American public that Trump promptly shut it down 2 months into his second term, in no small part because they had the temerity to develop free-to-use tax filing software.
See
https://handbook.tts.gsa.gov/18f/history-and-values/ https://web.archive.org/web/20250000000000*/https://handbook... https://archive.is/CIXG1
and
https://www.lawfaremedia.org/article/learning-from-the-legac... https://web.archive.org/web/20250000000000*/https://www.lawf... https://archive.is/fmaf6
Just like with Windows, Microsoft has built a moat with Exchange, but the question is why do all the companies buy into their full ecosystem, especially for anything relating to web technologies (you even bring up Exchange Web Services), because this they do really badly, and Sharepoint seems to be the worst.
However, I am certain there are big Postfix/Dovecot installations scaling easily to 150k people, but we probably wouldn't know about them. Eg. here a couple of accounts of people doing that: https://www.reddit.com/r/linuxadmin/comments/32fq67/how_woul...
If they are, it's an enormous personal red flag. MSFT is very popular so I'm only speaking about my own experience, but I have learned over the course of 20 years that an MSFT IT stack is highly correlated with me hating the engineering culture of an organization.
I know I am excluding a lot of companies with great engineering culture where I would thrive and who just happen to use Outlook/Sharepoint/Teams, etc. but it has had such better predictive power of rotten tech culture than any line of questioning I have come up with during interviews that I still use it.
I don’t mean any disrespect to MSFT-centric engineers out there - it’s not you it’s me.
gnabgib•3h ago
(809 points, 447 comments) https://news.ycombinator.com/item?id=44629710
US Nuclear Weapons Agency Breached in Microsoft SharePoint Hack (18 points) https://news.ycombinator.com/item?id=44654869