Category Archives: Technology is Wonderful

That’s All Folks

by

When I moved from Blogger/Blogspot to WordPress, one of the benefits was that WP was better at blogging than Google’s system.

Having used the “New and Improved” Blogger interface, which everyone over there was complaining about, for a few weeks now, I can say that the insanity inflicted on users by WordPress and Automatic have made it much easier – for me anyway – to create stuff over there. YMMV.

Of course the suckage of the new Block Editor isn’t the only reason that I decided to abandon WordPress, even if it was by far the lead reason. Another reason is because I was told, in several places, for different reasons over the past year, to “Shut up and do what we tell you to do.”

You can find me at my new home: 357 Magnum. You should update your links. If you are using the WP reader, see this link.

As for the suckage that is the Block Editor…

I knew things were going to be bad with the “New and Improved” WordPress editor when their Accessibility Team Lead resigned in October of 2018. That was the first indication that they were not listening to feedback from anyone pointing out issues with their new and improved block system. At the time it was styled Gutenberg, but I have been ASSURED by WP dot com support that the New Block Editor is not really Gutenberg, that after spending 3 or more years developing a block-based system for WP they dropped a completely different block-based system on WP dot com. Or something.

Oh, and when Rian Rietveld left the Accessibility team, it wasn’t because she didn’t like the default color scheme. While trying to get the WP development team to address issues of accessibility, they encountered just about every issue of development-management imaginable. Agreed upon functionality would change – regress – with little accountability. No accessibility testers were on the base team. Etc. Can you guess the results?

The results indicated so many accessibility issues that most testers refused to look at Gutenberg again.

When they were not listening to people who were (at least on paper) part of the development team, why do you think that they are ever going to listen to their users?

Biden Reading from a Teleprompter

by

NOTE: Counting down to the end on WordPress. Please see this post and future posts at my new home: 357 Magnum over on Blogspot. And you should update any links. (Posts are in both places right now. That is a small, but not meaningless bit of work on my part, so it will continue for a VERY short time.)

A little hard to keep the telepromter secret when it is bigger than your television. And so there is video of Biden Reading from a Teleprompter.

NOTE: Counting down to the end on WordPress. Please see this post and future posts at my new home: 357 Magnum over on Blogspot. And you should update any links. (Posts are in both places right now. That is a small, but not meaningless bit of work on my part, so it will continue for a VERY short time.)

Not All Infrastructure Has Been Left to Decay

by

Emsworth Locks and DamsSome is getting the needed maintenance. Army Corps of Engineers gives tour of Emsworth Locks and Dams in advance of major rehabilitation project

NOTE: Counting down to the end on WordPress. Please see this post and future posts at my new home: 357 Magnum over on Blogspot. And you should update any links. (Posts are in both places right now, but that is a small, but not meaningless bit of work, so it will go on for a VERY short time.)

The image is via Wikimedia and The US Army Corps of Engineers (USACE). Click for a larger view and some info about the image.

In this case the project is on the Ohio River. The goal of the USACE was to inspect and reinforce a lock in the Pittsburgh area. Like a lot of the locks on the US Inland Waterway, this one is a Panamax lock. It is 110ft wide by 600ft long. The dam and locks in question were built in 1919 through 1922.

The Corps rebuilt and converted the dam to a gated structure between 1935 and 1938. That raised its pool about seven feet to accommodate more modern barges. Its electrical systems, operating machinery and buildings were upgraded in the 1980s, and the gates were upgraded about six years ago.

Given the age of the lock, the work was extensive.

The chamber walls were reinforced with at least 14 metal struts about 6-foot-tall and at least an inch thick to ensure stability.

See this link for the US Army Corps of Engineers page on the Emsworth Locks and Dam, and see this link for a previous posting on Inland Waterway infrastructure.

Twitter versus The Hunter Biden Story

by

Nevermore facepalmSmitty over at The Other McCain notes – Twitter Getting Its Hunter Biden On

The ever increasing effort by Twitter to throttle and otherwise kill the Hunter Biden story is just drawing that much more attention.

The magic laptop with the salacious emails sure got my BabylonBee muse going. Then there was a bunch of time where I could not retweet or post. @Jack’s crack stack’s back in black.

It is pretty funny. Click thru.

For myself I can say that I tried to post an image of the New York Post‘s front page about Hunter B. I had to change the name, so that it did not include “Hunter” and I also scaled the JPEG just to screw with any other checks they were making.

To Err Is Human. To Really Screw Things Up You Need a Computer

by

Why do people think that technology makes everything better? A prison video visitation service exposed private calls between inmates and their attorneys

Fearing the spread of coronavirus, jails and prisons remain on lockdown. Visitors are unable to see their loved ones serving time, forcing friends and families to use prohibitively expensive video visitation services that often don’t work.

But now the security and privacy of these systems are under scrutiny after one St Louis-based prison video visitation provider had a security lapse that exposed thousands of phone calls between inmates and their families, but also calls with their attorneys that were supposed to be protected by attorney-client privilege.

So. Any bets on how long it takes for attorneys to start calling for mistrials, based on violation of their clients’ rights? I’m not a lawyer, so I’m not sure if that is even a thing, but I wouldn’t bet against it.

There are known cases of U.S. prosecutors using recorded calls between an attorney and their incarcerated clients. Last year, prosecutors in Louisville, Ky., allegedly listened to dozens of calls between a murder suspect and his attorneys. And, earlier this year defense attorneys in Maine said they were routinely recorded by several county jails, and their calls protected under attorney-client privilege were turned over to prosecutors in at least four cases.

Because it is not about Justice. It is about winning. And if you have to break the rules, and the law, and in general be a complete asshole to win, well, how do you think the attorneys that work for the prosecution feel about that? You don’t get a raise if you lose.

But it is all OK, you see, it is (mostly) because of the pandemic. Though some jurisdictions were only using video conferencing even before the pandemic.

So how did this happen?

In an email, HomeWAV chief executive John Best confirmed the security lapse.

“One of our third-party vendors has confirmed that they accidentally took down the password, which allowed access to the server,”

Sounds like systems design took a back seat to just about everything. Oh, hey let’s “accidentally” remove password security on everything we do. Security is SO expensive, and SO annoying.

Some day, companies and people will take security seriously. But today is not that day.

Politicians Don’t Like to Spend Money Maintaining Infrastructure

by

Not when they can build flashy new infrastructure. Seattle must prioritize bridge maintenance and basic infrastructure. And even especially if that new stuff has a patina of “green.”

Seattle was flying high before COVID-19 struck. Jobs. Tax revenue. But they couldn’t be bothered to spend money on maintaining bridges and piers. They had better things to spend money on.

In the spring, The West Seattle Bridge was closed due to excessive cracking. That should have been a wake-up call, but it wasn’t.

On September 13th Pier 58 in Seattle partially collapsed. Surveillance video taken from neighboring Seattle Aquarium shows the moment Pier 58 partially collapsed into Elliott Bay on Sunday, September 13, 2020, injuring two. Additional videos will autoplay after the first video completes.

As a result of that collapse, the city closed Pier 57, which is a waterfront destination with a large Ferris Wheel.

Lack of money isn’t an excuse. Seattle’s budget grew 37% since 2015. Voters also approved a $930 million transportation levy in 2015, around 45% of which was for maintenance.

That levy was a red flag, however. It highlighted how City Hall was putting less emphasis on maintenance — the previous levy was 67% for maintenance — and opting to spend more on other things, including bike and bus lanes.

I don’t want to debate the merits of bike lanes, but the city spent money on foot rests for cyclists. And then there is the streetcar. What explains Seattle’s streetcar fixation? Look at who really benefits. That article is from Jan 2019, Pre-COVID-19, which probably makes the point even more effectively.

Because streetcars, no matter how lovable, are slow and inflexible. They’re not mass transit (at least how we run them here). There’s proof of this in studies, as well as from underperforming lines all over the country. But most crucially the proof is right here under our noses.

Since 2007 we’ve been running street cars in Seattle. They have consistently cost more than predicted, and carried far fewer riders than expected. Most importantly, they’re failures as transit by the city’s own data.

For mass transit to make sense, it has to be on its own right-of-way. Someplace like Seattle, that means elevated trains or subways. Both of which are even more expensive than streetcars.

But hey, if we build more of them, that will make it better. Right? Or maybe not.

This past week the Seattle mayor decided to revive our most dubious transportation network, even though building a 1.2-mile connecting trolley link along First Avenue downtown is now projected to cost $286 million — a 100 percent cost overrun.

Because streetcars are green, even if no one uses them.

As for that wake-up call, better late than never I guess. As a result of the Pier Collapse an audit was undertaken of the city’s infrastructure.

This should be a wake-up call for officials who weren’t jolted enough by the West Seattle Bridge failure to reassess spending priorities. Problems the audit identifies weren’t caused by unanticipated concrete failures, but by deliberate decisions to skimp on maintenance and avoid dealing with deteriorating bridges.

The complete audit document can be found at the following link. Seattle Department of Transportation: Strategic Approach to Vehicle Bridge Maintenance is Warranted.

One of the points highlighted in the summary is worth repeating here.

Over the past 14 years, the average amount SDOT spent on bridge maintenance was $6.6 million annually.

Seattle spent $246 million on small expansion of the streetcar system, and $92.4 million maintaining the bridges in the city. Borrowing from Ronald Weasly, they need to sort out their priorities.

On the Arrogance of WordPress Developers

by

So if you read these pages, or the pages of just about anyone working in WordPress lately, you know that we have all been fighting with the “New and Improved” editing solution that WordPress.Org and WordPress.Com are inflicting on everyone. Their new idea, styled “Gutenberg,” is a nightmare for people who just want to write a blog.

Now there is workaround available for the time being, but God only knows how long it will be before the people who are not listening to feedback insist that they really do know better and kill the current means of invoking the Classic Editor.

I think most of the problem is arrogance.

WordPress powers something like 35 percent of the internet. So of course since they did something right 5 or 10 years ago, that must mean everything they do today is right as well. At least it does in their tiny minds. Even if a whole bunch of people tell them they are wrong, those people are just users, and don’t know what they really need, even when they do.

Here are just a few of the reactions to the “New and Improved Editor.”

And it isn’t just us poor schmucks using WordPress.com; the reviews of the “Classic Editor Plugin” at WordPress.org are telling as well. Here’s one example.

Thankfully this is still available on WP. However it states that ‘Classic Editor is an official WordPress plugin, and will be fully supported and maintained until at least 2022’

What’s going to happen after 2022? Am I going to have to rewrite my websites? Maybe I ought to start looking at other options instead of WP?

Gutenberg is really starting to piss me off. I wish I’d never heard of WP and instead just use html/css/js like I used to do.

The following image is from WordPress.Org. If I was seeing this kind of response, I might be willing to consider that I made a mistake. I don’t believe the the folks at WordPress/Automatic will make that admission. They know best.

Gutenberg Reviews from WordPress.org

Gutenberg Reviews from WordPress.org as of about noon, October 5th, 2020

Bear at Random Acts of Gibberish thinks the new system is aimed at clickbait, and in a way, I agree. I think the block from might make sense if you are trying to sell shoes, but most of us are not. But as I stated above, it is all about arrogance. They know better than you do, what you need to get your work done. I can’t begin to tell you how many hours (days?) I spent in meetings with developers convincing them (or trying to) that they were wrong. It was easier in manufacturing because they mostly didn’t know squat about cost accounting, inventory management, or statistical quality control. And it’s been 35 or 40 years since I even heard of anyone doing human-factors analysis on a user interface. Certainly no one applied human-factors to the new WordPress editor.

As a result of all this pain, I’ve been looking into alternatives. At least I don’t have to make a decision in a mad rush. And one of the things I’ve decided is that if I have to end up paying for blog hosting, I am not going to pay for WordPress. They have clearly demonstrated that turning a deaf ear to the complaints of people using their system is now standard operating procedure. There are plenty of other Content Management Systems out there, and they probably aren’t in a position to completely ignore their user community.

I may let you know what are the results of my search as it goes along, and of course if I actually move, well then that will be announced well in advance. While I could live with the current interface at Blogger/Blogspot, I left that platform because Google was being ridiculous about the Second Amendment. Lately they have become even more ridiculous with the WOKE thing. And it has been sometime since, as a search engine, they answered the question that you asked. They insist on answering the question they think you meant to ask, and then they feed you the data they think most appropriate. (e.g. the most woke answers to your question.)

I am currently working my way through the Terms and Conditions at Joomla! which powers about 5 percent of the web, so maybe they feel like they have to work harder to appeal to users. We shall see, as the blind man said, when he picked up his hammer and saw.

And as always, if anyone has suggestions, please leave them in the comments.

What If 911 Was Not Working?

by

What would you do? What was behind the nationwide 911 outage?

While most of the headlines talk about a “Nationwide” outage, most of the stories seem to be out of Minnesota with Arizona next in line.

WCCO first became aware of the outage at about 6:45 p.m. after being alerted by Minneapolis police. By about 7:15 p.m., service was reported being back online by several Minnesota law enforcement agencies.

From The Minnesota Department of Public Safety Emergency Communication Networks:

While the reason for outage is still under investigation, CenturyLink, or Lumen, they may have changed their name recently, says the problem originated on a partnering vendor’s platform when an internal networking component failed to correctly forward traffic. CenturyLink has said that the vendor is conducting an investigation of its own.

There is finally some actual information on the outage. Who’s Behind Monday’s 14-State 911 Outage? — Krebs on Security. First it seems NOT to have been caused by an outage, going on at about the same time, in Microsoft’s Azure Network.

Inquiries made with emergency dispatch centers at several of the towns and cities hit by the 911 outage pointed to a different source: Omaha, Neb.-based Intrado — until last year known as West Safety Communications — a provider of 911 and emergency communications infrastructure, systems and services to telecommunications companies and public safety agencies throughout the country.

So what would you do if you couldn’t call 911? Do you know the non-emergency number for your area’s dispatch center? It used to be hard to remember that stuff, but you can save it in your phone today, so there is no excuse. Of course if you are traveling that won’t help much, but it is a start.

Considering how much we have invested of our lives in the internet, most people are not aware of how fragile it can be. A key piece of hardware fails. A flood or a fire takes out a building at one of the backbone’s locations. A guy with a backhoe digs up a fiber-optic cable. A bit of software is configured incorrectly. An old piece of electronics not even connected to the net. Any of these things can have disastrous consequences.

Calling 911 in an emergency is a fine thing to do. They can send all kinds of help your way. But like every system built by humans it is subject to failure. And even when it doesn’t fail, help will not arrive immediately. You should have a plan aside from “Call 911.”

2 + 2 = 5 means more bridges will collapse

by

Reality is true even if you don’t want it to be. And it has certain characteristics, which includes the fact that you need to do engineering right. Firm blamed for deadly FIU pedestrian bridge collapse suspended from federal contracts.

There has been a lot of talk about how Mathematics is racist, and that Math is sexist. Well, math also describes the way the universe works, and if you want things like electric power, electric vehicles, better internet and computers, and bridges that don’t fall down, someone had better understand the math and the physics.

The FIU pedestrian bridge designed by FIGG Bridge Engineers collapsed in March of 2018 while it was still under construction. Six people died. Faulty design, due to incorrect calculations of load factors, was blamed.

Last month, the Federal Highway Administration placed FIGG on immediate suspension of any projects that involve federal funding. The FHWA also proposes that FIGG be debarred from any federally funded work for 10 years.

The company won’t survive under those conditions.

Texas decided to review work that the same design firm was doing for TxDOT. They didn’t like what they found. Harris County Commissioners vote unanimously to change engineer of $962 million Ship Channel bridge.

I am not an engineer, but clearly there was something wrong with either the design of the FIU bridge or the construction, or both. The other thing wrong was that FIU spent something like 12 million dollars for a bridge that could have been built for less than 1 million. There was a federal grant! I don’t know how to gauge the quality of their designs, but when you get bridges designed incorrectly, they fall down. They usually don’t fall down before they are in use.

Harris County Commissioners voted unanimously Tuesday night to change the engineer of record on the Sam Houston Tollway Ship Channel Bridge after a review found one portion that had not yet been built contained a potential design flaw.

That design was done by FIGG. FIGG is saying it all fine. They were also replaced on another bridge in Texas. New designer named for Corpus Christi’s Harbor Bridge replacement after FIGG fired.

In removing FIGG from the project, TxDOT cited a National Transportation Safety Board investigation of the 2018 Miami bridge collapse. The report released in October cited load and capacity calculation errors by FIGG for the pedestrian bridge’s design.

You can find more info about the FIU bridge collapse at this link. It is what started this whole review process.

If You Think The Internet of Things Isn’t a Problem…

by

That only means you don’t work in hardware or software engineering. This Hacked Coffee Maker Demands Ransom and Demonstrates a Terrifying Implication About the IoT. It isn’t just that they can spy on you. They can. They do. They can do more.

So a security researcher was asked to prove that this kind of thing can be done.

After a week of tinkering, he effectively turned the coffee maker into a ransomware machine. When the user tries to connect it to their home network, it triggers the machine to turn on the burner, spew hot water, endlessly spin the bean grinder, and display a pre-programmed ransom message while beeping incessantly. The only way to get it to stop? Unplugging your now seemingly possessed coffee maker entirely.

Now why anyone needs a smart coffee maker is beyond me, especially if you see the price. And I paid quite a bit for a coffee maker that is certified by the Specialty Coffee Association. But then it is certified to make a good cup of coffee, not talk to my smartphone. And it didn’t cost $250.

So what happens when your door locks get hacked, or your car? But the main problem with the coffee maker in question is as toehold to the rest of your network.

But Hron says the implications of this kind of hack are much more concerning. Through this exploit, attackers could render a smart gadget incapable of receiving future patches to fix this weakness. He also argues that attackers could program the coffee maker or other Smarter appliances with this vulnerability to attack any device on the same network without ever raising any alarm bells. Given the years-long and even decades-long lifespan of traditional appliances, this also begs the question of how long modern IoT device vendors plan on maintaining software support, Hron points out.

The implications of how bad this can be in the long-run explain the image at the top of this post. (Click the image for a look at the fine print.)

Hat tip to Small Dead Animals: I, For One, Welcome Our New Self-Driving Overlords

Lack Of Computer Security Can Kill You

by

The last story presented below is of a ransomware attack on a hospital system that has been listed as being responsible for 4 deaths. By comparison, the other incidents are just annoyances.

First we have Ransomware. And there is a lot of it. The Week in Ransomware – September 25th 2020 – A Modern-Day Gold Rush

Companies still refuse to take security seriously, and as a result, the Forces of Ransomware™ are running amok.

The linked article is dismaying, with how many cases/varieties of Ransomware have been discovered. There was one bright spot, in that the insurance companies are not just blindly underwriting insanity, but insisting on some security.

News also broke this week about how an insurance company utilizes security scans to find exposed and vulnerable devices on clients’ networks. These proactive scans have reduced their ransomware claims by 65%!

They have to do something, or they are going to put themselves out of business insuring companies that have limited security in place.

Then there is the continuing resistance to applying software updates. Over 247K Exchange servers unpatched for actively exploited flaw. I can’t even feel sorry for these people.

The systems in question have not been patched AT LEAST since February of 2020. So 7 months, soon to be 8 months.

Cyber-security firm Rapid7, added an MS Exchange RCE module to the Metasploit penetration testing framework it develops on March 4, after several proof-of-concept exploits surfaced on GitHub.

One week later, both CISA and the NSA urged organizations to patch their servers against the CVE-2020-0688 flaw as soon as possible given that multiple APT groups were already actively exploiting it in the wild.

That was back in March; here’s the situation today.

Rapid7 once again made use of its Project Sonar internet-wide survey tool for another headcount.

And the numbers are almost as grim as they were before, with 61.10% (247,986 out of a total of 405,873) of vulnerable servers (i.e., Exchange 2010, 2013, 2016, and 2019) still being left unpatched and exposed to ongoing attacks.

The company’s researchers found that 87% of almost 138,000 Exchange 2016 servers and 77% of around 25,000 Exchange 2019 servers were left exposed to CVE-2020-0688 exploits, and that roughly 54,000 Exchange 2010 servers “have not been updated in six years.” [My emphasis. Z-Deb]

So you don’t update your systems for 6 freaking years. What exactly do you think is going to happen? I can’t even feel sorry for any of these people.

And finally we have the RYUK attack on Universal Health Services. UHS hospitals hit by reported country-wide Ryuk ransomware attack.

“When the attack happened multiple antivirus programs were disabled by the attack and hard drives just lit up with activity,” one of the reports reads.

“After 1min or so of this the computers logged out and shutdown. When you try to power back on the computers they automatically just shutdown.

“We have no access to anything computer based including old labs, ekg’s, or radiology studies. We have no access to our PACS radiology system.”

And it isn’t just that a bunch of hospital employees can’t access their email, or billing records.

Four deaths were also reported after the incident impacting UHS’ facilities, caused by the doctors having to wait for lab results to arrive via courier. BleepingComputer has not been able to independently corroborate if the deaths were related to the attack.

Look I get that modern medicine is dependent on computers for a whole bunch of stuff, but this incident demonstrates that we are not doing it correctly. Not by half.

The internet was fun while it lasted. (Hat tip Security Now.)

Building Firearms Is Not Rocket Science

by

And Impro Guns tries to document the ones found by law enforcement.

First up, Impro Guns has an in-the-wild sighting of an FGC-9. In Spain no one can hear you print.

FGC-9 is a homemade firearm, where most of the parts are printed on a cheap 3-D printer. The barrel and bolt and a few other parts are not, of course, but made from readily available materials.

It stands for F*#K Gun Control 9mm. It uses standard Glock magazines, though I believe you can 3-D print those as well. There is a 3-D print for a mandrel to enable rifling via electro-machining, and I there were plans to produce a mandrel to aid in winding your own magazine springs, though I don’t know if that was ever finalized or not.

For those who like a more old-school approach, that site also has a story on Illegal PPK copies made in Vietnam.

If you follow the links all the way to the original story, you find that the guy who was building them claims to have taught himself how by watching YouTube videos. (Technology is wonderful!)

And finally an SMG and a revolver from Anapolis, Brazil.

Click thru for an image at each of the links above. They all look like reasonably high-quality firearms, though of course looks can be deceiving.

When You Build a Dam That Can Be Impacted By Vandalism…

by

You should at least try to ensure that vandalism doesn’t happen. From the Association of State Dam Safety Officials, we get Case Study: Maple Grove Dam (Colorado, 1979).

The dam was built in 1955. In 1960 the spillway was redesigned to handle a larger discharge, on the order of 1100 cubic feet per second.

The dam was doing a fine job of controlling floods. This was actually an “unintentional” side effect of the dam, and not part of its original design.

So since more of good thing is a better thing the local powers-that-be decided to see if they couldn’t improve the ability of the dam to deal with flooding. So in the 1970s a decision was made to add two Fabridams in the spillway, to increase the ability of the dam to deal with rare floods.

This new design included the addition of two Fabridams, one 30 foot long by 6 foot diameter and one 40 foot long by 10 foot diameter, placed within the newly enlarged spillway beneath the W. 27th Avenue bridge. The Fabridams were able to be filled with either water, air, or a combination of both and included automatic controls for ease of maintaining desired heights of both dams.

Fabridams are basically long tubes made of neoprene, laminated rubber, and nylon (the sort of material that inflatable boats are made from) that could be changed to increase and then decrease the holding capacity of the reservoir to attenuate floods. But there is a problem with that material, and any boater can tell you if they have an inflatable dinghy. That material can be punctured.

During a routine inspection of the Fabridams on March 17, 1979 around 11:45 PM, personnel of the CMWC noticed one of the Fabridams was collapsing and allowing water in the reservoir to be suddenly released down the spillway. The CMWC personnel immediately contacted the Wheat Ridge Police Department, who began evacuations of approximately 2,000 people from residential units along Lena Gulch in the 2.3 mile river reach immediately below the dam. Approximately 100 acre-feet of water was released during a period of about 2.5 to 3 hours before the spillway flows ceased, lowering the reservoir by about 3 feet.

There was no loss of life, but basements and first floors of homes and businesses were flooded. You can find an image of one of the points where the Fabridam was damaged at this link.

The punctures were determined to be the work of vandals. Temporary repairs were made, and later permanent repairs were made, but that isn’t the what addressed the cause of the failure.

Starting March 18, 1979, personnel surveillance was notched up to half-hour intervals without pattern. Security lighting was installed on March 27, 1979. On April 2, 1979, a seasonal changeover was made filling the Fabridam with water instead of air, a mode of operation less likely to be tampered with. On June 4, 1979, a low pressure monitor and alarm system was put into operation which activated a visual and audio alert in the treatment plant anytime the pressure system in the Fabridams operated for longer than two minutes. Alternative designs for supplying emergency power were initiated on June 14, 1979. On August 1, 1979 fencing was placed on top of the concrete walls of the spillway that included a barbed wire overhang in an effort to deter entry into the property

Apparently before this incident the attitude was “What could go wrong?” No security. No monitoring. No worries. After the incident they knew exactly what could go wrong.

An erodible coffer dam was installed downstream of the Fabridams in 1980, and in 2004 the system was upgraded.

In 2004, the Fabridams in the Maple Grove Reservoir were reaching the end of their service life. A replacement system was put in place that uses hydraulic cylinders to raise and lower two independent steel crest gates. They operate under the same discharge parameters as did the Fabridams, but are less susceptible to vandalism and are simpler to operate and maintain than the Fabridams were, allowing greater confidence in the integrity of Maple Grove Dam and ultimately a safer option for the public.

This isn’t the only example of an inflatable dam being damaged by vandalism. In 2015 a dam that was part of a freshwater system in California was damaged in spite of some security. Nearly 50 million gallons of water lost due to vandalism in East Bay. The video starts with an annoying advertisement.

So what is the moral of the story? Our infrastructure is under attack. And while that may not have been so apparent in 1979, by 2015 it should have been apparent. They make reference to the fact that the security which was in place decades in that California article had worked without incident. “We’ve always done it that way,” should not be your guiding principle.

You should consider how vulnerable any infrastructure you maintain is, to accident, to vandalism, whatever. You should have some security in place and you should review it. You should have monitoring in place, and you should know ahead of time what you are going to do if something goes wrong. And it should go without saying, but you should know what is important, and not just if you own infrastructure, but the stuff you rely on. What would you do in the event of a long-term power outage? What if your communications are disrupted? What if you can’t get back into the office building because of fire or other hazard? In short, you need to plan for what can go wrong.

Espionage Attack on the US Government

by

Password credentials in the hands of hackers that granted access to a US government network. Feds Hit with Successful Cyberattack, Data Stolen

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Thursday, not naming the agency but providing technical details of the attack. Hackers, it said, gained initial access by using employees’ legitimate Microsoft Office 365 log-in credentials to sign onto an agency computer remotely.

“The cyber-threat actor had valid access credentials for multiple users’ Microsoft Office 365 (O365) accounts and domain administrator accounts,” according to CISA.

So here’s my guess as to the causes: Poor passwords. Reused passwords. No 2-factor authentication. Well done US .gov employees, you have less security on your official government stuff than I do on the email I use mainly to send jokes and memes to my friends.

Of course I could be wrong, and this could all be to a security flaw in a Microsoft Product. It’s not like THAT never happens. (Hat tip to Steve – thanks for the email!)

A Cybersecurity Directive From Dept of Homeland Security Is Usually of Interest

by

When the DHS says “all civilian federal agencies” must take some action relative to security, it usually means something interesting is going on. Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472)

To be vulnerable to this issue, you must NOT have applied the patch that was issued by Microsoft in August. That is from more than 6 weeks ago.

Last month, Microsoft patched a very interesting vulnerability that would allow an attacker with a foothold on your internal network to essentially become Domain Admin with one click. All that is required is for a connection to the Domain Controller to be possible from the attacker’s viewpoint.

I assume that folks currently employed in the security arena know about this already, but whenever DHS says do something “Now!” my curiosity is heightened.

Here are the directives from DHS Cybersecurity. Under the law, civilian federal agencies have to do this.

1. Update all Windows Servers with the domain controller role by 11:59 PM EDT, Monday, September 21, 2020,

  1. Apply the August 2020 Security Update to all Windows Servers with the domain controller role. If affected domain controllers cannot be updated, ensure they are removed from the network.
  2. By 11:59 PM EDT, Monday, September 21, 2020, ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected domain controller servers are updated before connecting to agency networks.

Now I know that patches on Patch Tuesday can cause problems. But if you have this vulnerability un-patched, you are going to have many more problems than a few disgruntled users.

More F*c*book Spying

by

They didn’t mean to. It was a mistake! Facebook spied on Instagram users through their iPhone cameras, a new lawsuit claims

In July, users noticed that a green FaceTime symbol was showing up when they scrolled through their Instagram feed, per the Independent. The symbol appears on iPhones when the camera is on.

The lawsuit, filed on Thursday by Instagram user Brittany Conditi, claims that Facebook’s intentional access of the camera allows the app to collect “lucrative and valuable data on its users that it would not otherwise have access to,” Bloomberg reported.

The company didn’t respond to a request for comment.

The accusation follows allegations that Facebook illegally holds more than 100 million Instagram users’ biometric data. The social media company offered to pay $650 million in July to settle a lawsuit that accused it of collecting data through the photo-tagging tool available on the app.

Pensacola Bay Bridge Damaged by Barge

by

Known locally as The Three Mile Bridge, it was damaged in Hurricane Sally. Three Mile Bridge suffers massive damage after Hurricane Sally topples crane, section missing

The Pensacola Bay Bridge carries US 98, which a great scenic route to take in the panhandle of Florida. In that part of the world it crosses the from the isthmus of land that includes Oriole Beach, and Gulf Islands National Seashore, over to the mainland and Pensacola. Without that bridge, the detour to get the mainland is probably 20 miles or more, depending on where you start and where you are headed.

Photographs posted on social media are showing damage to the surface of the Pensacola Bay Bridge. The images indicate a crane fell on the bridge and knocked away a section of the road way.

The current bridge is 1/2 of a new bridge under construction. It opened in 2019.

As of the time the article linked above was published, Florida Dept. of Transportation hadn’t been able to inspect the bridge due to Tropical Storm Sally.

The politicians are lying pulling facts out of the air. Hurricane Sally: Pensacola Bay Bridge may be out of commission a month or more

A spokesperson for the DOT said Wednesday afternoon that staff would be inspecting the damage to local structures once conditions were safe to do so and providing updates about their status.

There is no word where that “30 to 60 days” comes from. Yes the contractor that is building the 2nd half of the bridge is onsite, but depending on the extent of the damage it might be that the equipment they need is not immediately available. And several pieces of their equipment have been damaged or destroyed… Like the barge and crane that damaged the bridge. But politicians don’t like to say “I don’t know,” or “We don’t have that information at this time.”

While I expect updates will be forthcoming, I’m not sure I care about this bridge enough to pursue it. It isn’t crumbling infrastructure, it hasn’t been ignored, it was destroy by a hurricane.

Tesla Autopilot in the News

by

This what happens when it is marketed as “Autopilot.” Tesla driver found asleep at wheel of self-driving car doing 150km/h

“The car appeared to be self-driving, traveling over 140km/h, with both front seats completely reclined and both occupants appearing to be asleep,” the RCMP said in a statement.

Charges include dangerous driving.

Because Putting Resources on the Most Severe Problems Is For Suckers

by

Maybe Microsoft just doesn’t give a damn about security. Hands-on with Windows 10’s new Start Menu

So for the past 4 months, Microsoft’s Patch Tuesday fixed more than 120 errors in their products. So where is Microsoft choosing to expend resources?

During a Windows Insider webcast, Microsoft teased its vision for a new Windows 10 Start Menu that features partially transparent theme-aware tiles to showcase the new Fluent-based colorful icons.

Microsoft said it will bring the new Start Menu to your devices with Windows 10 version 20H2, which is expected to arrive in October or November.

Of course they are.

I don’t know about you, but when I am working on my PC, it never occurs to me to think, “If only they would upgrade the start menu…” And that was really not the case when I was fighting thru the issues I encountered BECAUSE of Patch Tuesday.