Oldsmar Water Plant Hacked, Authorities Downplay Danger

Andrew Donaldson

Born and raised in West Virginia, Andrew has since lived and traveled around the world several times over. Though frequently writing about politics out of a sense of duty and love of country, most of the time he would prefer discussions on history, culture, occasionally nerding on aviation, and his amateur foodie tendencies. He can usually be found misspelling/misusing words on Twitter @four4thefire and his food writing website Yonder and Home. Andrew is the host of Heard Tell podcast.

Related Post Roulette

35 Responses

  1. Oscar Gordon says:

    How much you want to bet some manager at the plant had a dead simple TeamViewer password, or was in the habit of having the password written down or stored in clear text on their phone?Report

    • Philip H in reply to Oscar Gordon says:

      Well written down is not actually the problem a lot of IT people want it to be, unless you are also in the habit of showing it to people all the time.

      Weak passwords are, however, another issue …Report

      • Dark Matter in reply to Philip H says:


        The more interesting question is who did this? At a guess, disgruntled worker or someone who expects to get more budget from this.

        On a side note passwords are a problem, I have 50+ of them, maybe 100+. They need to be different. They need to be long.Report

        • Oscar Gordon in reply to Dark Matter says:

          I use a password manager, and my employer encourages us to use a different password manager on our work machines.

          I also wonder if the plant workstations are behind a VPN?Report

      • Oscar Gordon in reply to Philip H says:

        Or leaving it on your desk, where it’s easy to see/find (under the keyboard is a great one). Or stored in clear text on your phone (people have strange ideas regarding how secure phones are).Report

        • Oscar Gordon in reply to Oscar Gordon says:

          I use a password manager, and my employer encourages us to use a different password manager on our work machines.

          I also wonder if the plant workstations are behind a VPN?Report

        • Philip H in reply to Oscar Gordon says:

          I have too many friends working in IT security to make those mistakes. Other mistakes, sure.Report

        • Kazzy in reply to Oscar Gordon says:

          Related… what are your thoughts on the following:

          1.) Chrome’s built-in password manager
          2.) Apple’s built-in password manager
          3.) A 3rd party password manager like LastPass (I think I know your feeling on that one because I vaguely remember you recommending it but could be wrong)

          If you have hesitations about any of those, what would you recommend for someone wanting to secure passwords for mostly personal use (e.g., bank accounts, email, etc.).Report

          • Oscar Gordon in reply to Kazzy says:

            Almost all of them are fine, but they are only as strong as your master password. And for that, I refer you to this wonderful XKCD comic.

            Beyond that, it’s all about ease of use and what features you need. I like LastPass because it has features I find useful and I can run it almost everywhere.Report

            • Kazzy in reply to Oscar Gordon says:

              LastPass has been my preferred one, though I have all three turned on and sometimes get annoyed when they start fighting with each other. But that is user error.

              I could probably stand to pick a better master password. I mean, Password69 has worked thus far but…Report

              • Oscar Gordon in reply to Kazzy says:

                Right up there with Maga2020!

                I use phrases for my ‘have to remember it’ password, because it annoys dictionary attacks.

                For instance, a few lines from a poem:

                I took the one less traveled by,
                And that has made all the difference.



                Nice, long, meets all password requirements, and those two lines are easy to remember.Report

              • J_A in reply to Oscar Gordon says:

                Great minds think alike – I do exactly the same, but use song lyrics, and a number that means something to me but to no one else (like my friend growing up -i.e. 35 years ago that I haven’t seen since the mid 80s- birthday)

                And I use hints in my phone to remember like “Holophernes” is a key that I’m using the Hey Jude lyrics (Jude=Judith), and Alexander is a key for I’m using my friend’s birthdayReport

              • Oscar Gordon in reply to J_A says:

                It’s something my old boss told me to do back when I first started in IT. Can’t have network admin passwords that are easy to guess or crack, but you also don’t want to be forgetting it all the time.Report

              • Michael Cain in reply to J_A says:

                Yeah, first letter from the lyrics of an obscure song plus something odd tacked on to the end to make the password-strength checkers happy.Report

          • Chip Daniels in reply to Kazzy says:

            I prefer post-it notes affixed to my monitor.Report

    • fillyjonk in reply to Oscar Gordon says:


      I wonder if it will come out this was a white-hat hacker, showing them their insecurities, and he’d never actually poison people. Or maybe I’m being too PollyannaReport

  2. Philip H says:

    This – right here this – is why the IOT is so worrisome. And don’t think turning it all off won’t be a goal of domestic terrorists at some point.Report

    • fillyjonk in reply to Philip H says:

      I hope there remains a market for things like low-end fridges and that like that DON’T connect to the internet; I have no interest in some goofball being able to turn my house lights off and on for the lulz just because I decided it was easier to control them from my phone than to throw a manual switchReport

      • Michael Cain in reply to fillyjonk says:

        One of my projects this week is to connect the Nest thermostat that came with the townhouse so that my wife can say, “Alexa, turn the temperature up two degrees.” Can you say, “Terrified,” boys and girls?Report

      • Philip H in reply to fillyjonk says:

        This is one of two reasons we have not replaced the side by side refrigerator we have and the wife dislikes.Report

  3. Michael Cain says:

    Back in the 1960s, when the Bell System began deploying switches and other telecommunications gear that could be monitored and controlled remotely, they accepted Bell Labs’ word that the computers doing the control must never be connected to a public network. It’s expensive — in this case, you would have to physically go into the water treatment plant in order to adjust the settings, or have appropriate staff on site 24/7.

    I expect to live long enough to see major utilities crash and burn because remote control over the public internet was cheaper.Report

    • Michael Cain in reply to Michael Cain says:

      My favorite story from my colleagues who administer large internet backbone networks is the guy who mistyped a command — in a Denver suburb — and disconnected most of the UK from the global internet. To reverse that error, someone in the UK got a phone call at 2:00 am local time and had to drive 90 minutes so they could physically touch the router.Report

    • Oscar Gordon in reply to Michael Cain says:

      The lack of awareness regarding IT security at utilities makes me want to line my roof with solar panels and keep a large tank of fresh water in the attic.Report

      • Michael Cain in reply to Oscar Gordon says:

        I have a friend in far western North Carolina who has installed a large genset. During a recent power outage — natural causes — he described their house as “an island of light in the sea of dark.” He has doubled his propane capacity and is now set up to handle a week if they are careful.

        OTOH, I recently moved to an area served by a sizeable municipal power coop, leaving my previous private sector utility. After four months and a bit, the power has been so steady that I haven’t bothered putting the UPS on my desktop Mac.Report

        • Philip H in reply to Michael Cain says:

          Your friend might want to think about his basking in the glow . . . should any of the SHTF scenarios involving massive grid outages come to pass, his lights will attract all sorts of people . . .Report

          • fillyjonk in reply to Philip H says:

            that’s what blackout curtains are for….Report

          • Michael Cain in reply to Philip H says:

            In a SHTF scenario, I’m pretty sure that he won’t be an island of light in the dark. He’ll be down to minimum usage. Keeping the freezer running until it’s empty, etc.

            The genset he got and the propane expansion are overengineering typical of him. What he wants to deal with are the (not revealed at the time they bought the house and land) three or four times per year the power is out for two to twelve hours.

            The municipal utility that provides the power in our new place has the most flawless supply I’ve ever lived with. In the four months we’ve been here, the appliance timers have never reset. Hell, so far as I’ve noticed, the lights have never even flickered. I will put my desktop computer on the UPS one of these days, just to have it on the massive surge protector before the first thunderstorm season gets here.Report

  4. Michael Cain says:

    Ars Technica reports that the computer involved in the attack was running Windows 7 (Microsoft dropped support last month), there was no firewall, and the password was shared by multiple users.Report

    • Oscar Gordon in reply to Michael Cain says:

      OMFG! If that wasn’t so damn scary, I’d be LMFAO! This is the kind of thing people should get fired for.Report

      • Windows 7 was a decent OS. For maximum comedy, they should have run Vista. And stored their most sensitive data in Access.Report

        • Michael Cain in reply to Mike Schilling says:

          Still, I put this in the “Those who do not study UNIX are doomed to reinvent it, badly” category. The control application running on a $40 Raspberry Pi using X Windows over ssh and standard login/password security would have been enormously better. Other than the Pi, that’s all quarter-century old technology.

          I have reconciled myself to the fact that when my utilities’ systems all come crashing down, it will be because it wasn’t running on some form of UNIX.Report

      • Philip H in reply to Oscar Gordon says:

        Oldsmar is a small town. I’d be surprised of the water plant had its own IT manager. They probably get IT support from the larger DPW – and that’s not a large outfit either. They aren’t going to have dozens of people with the latest certificates running this stuff 24/7 the same way DoD does.Report

        • Oscar Gordon in reply to Philip H says:

          You don’t need dozens of folks with the latest certificates to know that’s a disaster waiting to happen.

          It might be too much to ask that they have a VPN. Perhaps a basic firewall is a bridge too far.

          But not allowing shared passwords/accounts is basic fecking IT security. I mean, come on!Report