politics
Welcome to the discussion of US Politics!
Rules:
- Post only links to articles, Title must fairly describe link contents. If your title differs from the site’s, it should only be to add context or be more descriptive. Do not post entire articles in the body or in the comments.
Links must be to the original source, not an aggregator like Google Amp, MSN, or Yahoo.
Example:
- Articles must be relevant to politics. Links must be to quality and original content. Articles should be worth reading. Clickbait, stub articles, and rehosted or stolen content are not allowed. Check your source for Reliability and Bias here.
- Be civil, No violations of TOS. It’s OK to say the subject of an article is behaving like a (pejorative, pejorative). It’s NOT OK to say another USER is (pejorative). Strong language is fine, just not directed at other members. Engage in good-faith and with respect! This includes accusing another user of being a bot or paid actor. Trolling is uncivil and is grounds for removal and/or a community ban.
- No memes, trolling, or low-effort comments. Reposts, misinformation, off-topic, trolling, or offensive. Similarly, if you see posts along these lines, do not engage. Report them, block them, and live a happier life than they do. We see too many slapfights that boil down to "Mom! He's bugging me!" and "I'm not touching you!" Going forward, slapfights will result in removed comments and temp bans to cool off.
- Vote based on comment quality, not agreement. This community aims to foster discussion; please reward people for putting effort into articulating their viewpoint, even if you disagree with it.
- No hate speech, slurs, celebrating death, advocating violence, or abusive language. This will result in a ban. Usernames containing racist, or inappropriate slurs will be banned without warning
We ask that the users report any comment or post that violate the rules, to use critical thinking when reading, posting or commenting. Users that post off-topic spam, advocate violence, have multiple comments or posts removed, weaponize reports or violate the code of conduct will be banned.
All posts and comments will be reviewed on a case-by-case basis. This means that some content that violates the rules may be allowed, while other content that does not violate the rules may be removed. The moderators retain the right to remove any content and ban users.
That's all the rules!
Civic Links
• Congressional Awards Program
• Library of Congress Legislative Resources
• U.S. House of Representatives
Partnered Communities:
• News
view the rest of the comments
Ups software probably installed as system so that it can perform script execution and shutdown properly. That software communicates with the UPS directly. UPS vendors wouldn’t be at the top of my list of security-minded companies.
The execution path isn’t impossible.
I mean, the article focuses more on how the UPSes have SNMP enabled network cards.
SNMP is Simple Network Management Protocol, which is for, well, simple network management, not computer administration, which are different things.
SNMP can definitely be an attack vector, so it's generally considered good practice to disable it on any ports it's not absolutely needed. Further, it's mostly able to be abused for DDOS, although there are some possibilities for network penetration. Network, not computer, once again. Controlling the router isn't the same as controlling the Server., although it can help you move towards controlling the Server. Still a lot of hoops to jump through from network to server.
Every election is run on a local level, and this would mean that in enough swing states, one of two things was happening: either the election cybersecurity team in all the states affected was technically incompetent or they were somehow in on it and all kept their mouths shut. Both of those are highly unlikely when it comes to the frequency at which this happened all over the country.
While you generally have a good point about script execution via a UPS, once again, does that mean every single cybersecurity team in every state affected was foolish enough to be giving a UPS administrator script execution capabilities? Because just executing a script doesn't mean the user executing the script has admin rights. Once again, either every team was inept or somehow the famously loose-lipped Trump team was sitting on a zero-day exploit to gain admin access and somehow kept it quiet.
I don’t consider snmp to be a big issue, unless someone set up “public” with write access.
The ups software running on the windows machine would be running as system and would be able to execute whatever it wanted. Usually it’s connecting to the ups through some method (IP, usb serial) to figure out what state it’s in, how much runtime is remaining, and if it needs to execute any stored scripts.
How do you get a compromised UPS to upload scripts to the windows machine? That I’m not too sure about. I don’t think I’ve seen an ups management system that has that capability.