

The 'cyber-attack' threat to London's Olympic ceremony - arb99
http://www.bbc.co.uk/news/uk-23195283

======
iuguy
This is being portrayed as an exciting story but lets take a step back shall
we?

A giant intelligence-industrial facility was set up for what is effectively a
large sports-day type event. The opening ceremony was potentially at risk of
having lights turned off due to an unspecified and as yet unqualified threat.

The intelligence-industrial complex went into action to qualify the threat and
it's clear from the butterflies in stomach moment that they didn't realise it
was a false alarm until afterwards.

This tells us a lot about the effectiveness of GCHQ's fibre-splicing 3 day
archiving of all Internet traffic, and of the security services' abilities to
monitor threats through other means in order to determine whether or not they
exist.

In conclusion, it appears that the olympics were chasing their own tails,
supported by a giant security state apparatus and couldn't determine whether
or not the threat was real, let alone any details about the threat until after
the event.

------
toyg
I'm not a small-State supporter, but damn these stories could push me over the
edge. First we paid for a massive sports event (the cost of which obviously
ballooned shortly after winning the bid) which mainly benefited private
corporations, then we spent god-knows-how-much to employ people to "defend"
the event from a "cyber menace" that didn't even exist; and of course, we also
had to put rocket launchers on houses in central London to defend from a "air
menace" that also did not exist! And the day after, we woke up without NHS and
schools "because we can't afford anything anymore", but god forbid we cut the
military-spying complex -- in fact, the beast needs more money because it can
"only" save three days of EVERYTHING. Moar data, MOAR!

Disgusting.

~~~
_mulder_
Or, the event provided thousands of people with jobs, including many builders,
civil engineers, rail engineers, software engineers (BBC iPlayer), broadcast
engineers and the area around the park now has high-speed internet access, new
accomodation, TV studios (that BT have bought cheap for their sports coverage,
thus breaking Sky's stangle-hold on some UK sports coverage) and commercial
space some are touting as the next Shoreditch (TechHub are looking to set up
shop).

As for the military presence, it's debatable about this. Do you deploy the
defences and the Spies so you're able to react and protect, should anything
occur? Or do you take a chance that something won't happen (like the Boston
bombing, 9/11, 7/7, Munich Olympics, Manchester bombing occuring during Euro
'96) but if anything does happen, accept that the damage is likely to be much
higher (potential many people dying in the worlds spotlight)?

Personally, I'm happy to accept that the people making these decisions are
(hopefully) privy to a lot more information than I am and, generally, I'm
happy to trust them with my personal safety allowing me to enjoy the worlds
greatest sporting event.

Also, general point regarding military spending; Military things are generally
so expensive because of all the clever work that goes into designing, testing
and building them. Again, think of how many people the 'military machine'
employs, all that expertise on rocketry, nuclear physics, cyber skills,
communications, etc. As an added bonus, Military organisations, especially
spooks, employ a high percentage of natives, so you're effectively giving jobs
and money to your direct neighbours, friends and relatives and not some
foreign Chinese industrial Goliath.

~~~
toyg
The "spying as stimulus" argument is debatable, considering most of the
"spying infrastructure" (and military as well, these days) is still bought
from abroad; regardless, it's well known that military spending can be a net
positive in economic terms, but do you really want to live in a country where
everyone is directly or indirectly hired by the military? That's basically the
XX-century Nazi/Soviet model, not exactly the happiest societies around.

Regarding actual infrastructure work: if the target was regeneration, surely
it would have been cheaper to build it anyway and just give it away for free,
which wouldn't have required a massive (and massively expensive) security
effort, all the G4S-style jobs-for-cronies and so on?

Personally, I'd rather see the State undertake real infrastructure work on
clear and honest terms, rather than having to wait for some international
sport mafia rolling into town so that money can be spent.

~~~
_mulder_
>Personally, I'd rather see the State undertake real infrastructure work on
clear and honest terms

Yes, I agree with this.

"Waste" is the misallocation of resources whereby you don't get as much
benefit from choosing A and you would from choosing B. I would certainly
rather see money and resources spent on civil engineering projects, like HS2,
broadband rollout, CERN, new Motorways than old military technology.

However, tying to sell this to the public is where it gets hard, selling a
sporting event seems a lot easier than selling a Nuclear power plant.

>but do you really want to live in a country where everyone is directly or
indirectly hired by the military?

This hardly describes the UK, we have an average defence budget that is being
cut more and more almost on a daily basis. It's tiny compared to the US.

>considering most of the "spying infrastructure" (and military as well, these
days) is still bought from abroad

I'm assuming from your comment you're from the UK, in which case we are that
'abroad'. Defence and cyber engineering is one of our few exports, for better
or worse.

~~~
toyg
Unless we manufacture hard drives, I'd say we still buy most stuff from
abroad.

And yes, our defence budget is small compared to the US, but looking at how
this budget is used in the States, I'd say keeping it small is a good choice:
the less bombs we have, the less likely we are of dropping them on random
countries (yes we went to Iraq and Afghanistan, but we also pulled out much
earlier exactly because of budgetary constraints).

This is the problem with weapons, real or cyber: once you make them, you'll
want to use them one way or another.

------
femto
> ... with close to a billion people watching, the impact would have been
> enormous.

So what? A billion people might get bored for five minutes and go on a planet
destroying rampage? More a reflection of the myopic TV world, where a black
screen is a cardinal sin, than any real problem. There would have been no
safety issue, since the stadium would certainly have had battery backed
emergency lights and exit signs, so the people inside would not have been in
pitch black.

It's worth noting that the moving cauldron got jammed for several minutes in
Sydney's opening ceremony, in 2000, and the world didn't end. In fact, it was
one of the best bits of the telecast, watching the guys underneath furiously
belting it with sledge hammers, in an effort to get it moving.

~~~
d4nt
Agreed, the idea that whole teams of people were employed to basically prevent
the government being embarrassed, and that they view their role as critically
important, suggests that the state has grown way to big in the last 100 years
or so.

------
rwmj
If it was possible to turn off the electricity at arbitrary places, then we'd
have DDoS-like attacks happening on companies all the time, with foreign
attackers demanding cash to keep the lights on.

We don't, so either: it's not that easy, or no one has worked out how to do it
yet.

What it _doesn 't_ indicate is that spying on everyone helps at all. What GCHQ
_should_ be doing is working with infrastructure providers to make sure all
their security software is up to date, deploying things like SELinux (one good
thing the NSA has done), doing free pen-testing, advising companies on how to
architect critical networks and so on.

~~~
xyzzy123
Not sure about the UK exactly, but in countries I'm familiar with there are
specific government agencies and initiatives for assisting critical
infrastructure providers. They're doing their best.

The threat isn't _entirely_ hype. Stuxnet basically proved that dropping a
grid is do-able.

Not sure how you'd do individual companies, but the power grid as a whole is a
lot more fragile than you might think.

The industry is taking things seriously, but there are a lot of problems to
sort out. Fixing legacy network architectures takes time, and a lot of
critical systems never get patched. That's before you factor in espionage or
0day.

~~~
arethuza
"Stuxnet basically proved that dropping a grid is do-able."

Didn't Stuxnet target very specific Siemens SCADA systems, unless our grids
all run the same controllers and the same software (which they might well do,
I have no idea) - surely an attack like that would be difficult to scale?

~~~
_mulder_
Yeh, good job Siemens don't make anything to do with power grids.

Oh no... [http://www.energy.siemens.com/hq/en/power-
transmission/](http://www.energy.siemens.com/hq/en/power-transmission/)
[http://www.energy.siemens.com/hq/en/fossil-power-
generation/](http://www.energy.siemens.com/hq/en/fossil-power-generation/)
[http://www.siemens.co.uk/en/news_press/index/news_archive/20...](http://www.siemens.co.uk/en/news_press/index/news_archive/2013/siemens-
and-bam-awarded-major-transmission-network-framework.htm)

~~~
arethuza
Yes, I am rather familiar with Siemens as a company.

What I meant was, how diverse are the control systems for national grids. If
they are highly diverse then they are going to be more difficult to target, if
they are all the same generation kit from the same vendor then the threat will
be higher.

Which one is it?

~~~
xyzzy123
In my limited experience (n = 6) I've not seen the same control system twice.
I believe this is because the systems I looked at were built at quite
different times. This probably varies a lot between countries.

So your point is valid, but diversity doesn't help if the overall resilience
of the grid is so low that attacking a few carefully chosen targets could
cause a massive blackout.

------
SideburnsOfDoom
I heard this non-story puff piece on the radio this morning.

IMHO the Pirate party UK are completely right in thier 140 char summary: "GCHQ
tries to win over public detailing how something didn't happen:
[http://ow.ly/mKqxw](http://ow.ly/mKqxw) #Olympics plan basically turn it off
+ on again"

[https://twitter.com/PiratePartyUK/status/354209267877822465](https://twitter.com/PiratePartyUK/status/354209267877822465)

------
nicholassmith
It's like something out of an awful techno-thriller, 'evil hackers are going
to switch off the power!'. It's a ridiculous, self-promoting fantasy to give
the security services something to do, a waste of time and money. If hackers
_could_ switch the power off and disrupt this massive ceremony they'd be
switching the national grid off at will for fun and profit on a significantly
more regular basis. Unless GCHQ just keeps _those_ incidents quiet.

------
zimpenfish
GCHQ trying to get ahead of the backlash there.

~~~
anon1385
It's pretty funny really, if this is the best PR story they could come up
with. The awful threat to national security that GCHQ is saving us from? The
lights going off at the Olympics.

~~~
smackay
Makes you wonder whether they can tell who the real enemy is. Dr. No or Dr.
Evil ?

~~~
iuguy
Neither, it was Dr. Pepper!

------
ck2
So don't put the lights on the internet?

I really hope some general has not ordered nuclear missiles to be on the
internet.

~~~
objclxt
I think they're talking about the power itself, rather than the lighting
systems. Although modern lighting systems all run over ethernet I've _never_
come across an installation that wasn't closed-loop (before moving into
software engineering I used to work on lighting at live events).

There's a lot of exaggeration in the story. It makes it sound as if the
stadium would have been plunged into darkness, when in fact there's
significant contingency planning at these type of events around power loss,
and there is in nearly all cases a mechanical (rather than computerised)
failover.

A far more interesting (I think, anyway) would be an attack on the actual
lighting control systems themselves. Like I said, they're running over
ethernet on a variety of proprietary and not-so proprietary protocols that
haven't had much attention on the security side of things. And yes, they're
not connected to the internet, but it wouldn't be too difficult to compromise
a lighting unit itself before it was shipped from the rental shop to the
stadium.

------
_k
Didn't this happen during the last Superbowl ? Not sure whether they were able
to find what caused the power to shut down.

------
chrisphonk
I'm not sure I fully understood this article. Was there a threat? And if there
ways, they did nothing about it?

------
biomene
> "And the first reaction to that is, 'Goodness, you know, let's make a strong
> cup of coffee.'"

It was either that or tea.

~~~
contingencies
The same stood out to me. Perhaps to the overburdeningly belaboured English
aristocracy, who are of course dynastically engaged in ineffectually flippant
finger-twiddling, promoting _any_ potential dalliance of discourse toward a
careful coffee from the everpresent 'English' tea is their way of implying the
_... goodness!_ ... gravity of the situation.

------
mtgx
Relevant post:

[http://www.theglobeandmail.com/commentary/cyberspace-is-
not-...](http://www.theglobeandmail.com/commentary/cyberspace-is-not-a-combat-
zone/article13035562/)

