
Re: [Full-disclosure] Florida Power & Light Company (FPL) Fort Sumner Wind turbine Control SCADA was HACKED



> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-disclosure-
> bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Rob Nelson
> Sent: Sunday, April 17, 2011 12:05 PM
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: Re: [Full-disclosure] Florida Power & Light Company (FPL) Fort
> Sumner Wind turbine Control SCADA was HACKED
> 
> Why the hell are we arguing statutes? Look at the big picture: He leaked
> config files to a system that has access to something in a /nuclear power
> plant/.  He's going to jail, it's just a matter of time.

Actually, your question deserves a better answer...  The reason statutes are 
being discussed is because they are a governing body's "best guess" at defining 
tort and suitable remedy or consequence in a way that encompasses and defines 
the action before it actually happens (of course, there is ex post facto 
legislation).   Discussing statute has some value in my opinion.

Rather than further contribute to the abuse of the quintessential inappropriate 
physical continuum analogy of "open doors and windows," I'm interested in what 
some of you consider the right "answers" to the following circumstances:

1) What if this is actual leaked data that led to someone breaching the 
systems illustrated in a non-trivial way?   Should the poster be punished 
appropriately?  I feel most would say "yes."

2) What if this is actual leaked data that *could* allow someone to breach the 
system, but no one does.  Should he be punished appropriately?

3) What if he made the whole thing up and posted bogus data, but someone took 
note and started scanning the systems and found/broke something as a matter of 
cause?  Should he be punished?

4) And finally, what if it is all bogus data, but someone in FL took it as 
gospel and pulled a Columbine at the power station for being put at risk of 
terrorist attack?   The poster *clearly* has the intent of making FPL look like 
they are vulnerable (and presumably at fault) for/to SCADA facilities attack.  
What then?   Did he incite a riot?  Is the posting of this data in itself a 
terrorist act?  

This is why the statutes are important.  If the latter happened, but it was all 
a joke, I don't think people would say "it was just public utility access so 
it's OK" nor would they say "he hacked the stations so he has to go to jail."  
Neither of those things would be true.  But something would have to be done.  
In the absence of some sort of guiding statute, it would be more difficult to 
arrive at a conclusion.

t

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/