Thur. May 13, 2021 – Friday the thirteenth is on a Thursday this month…

Cooler, but supposed to clear up. Got some misty light drizzle yesterday, with mostly overcast all day. Today the map is showing clear. It was 64F when I went to bed last night. That’s way down from where we were just a couple of days ago.

Drove across town twice, and the first trip was a total waste. The seller reneged on the auction and wouldn’t release any items to the buyers. The estate auction company was very upset, but not as much as me when they called to give me the news as I was pulling up to the pickup location. Wasted over an hour of my life and gas. No idea what the auction company and the seller will do, they had a contract. Seller thought the prices were way too low. Very strange all around.

The other pickup was parts for my daughter’s closet organizing project, and some light bulbs (really LED replacement tubes for some 8 ft fixtures I can’t get new bulbs for.)

In other selling news, the guy who bought most of my Pokemon cards hasn’t paid yet, and the auctioneer thinks he’s not gonna. She’ll go back to the second highest bidder, but they don’t have to buy at that price. The cards may end up going back into another auction. Not super news, as I was already thinking of ways to spend the money…

I tried to get a Costco Instacart order yesterday but couldn’t make the available delivery times work. I’m expecting it this morning. Limit one on Charmin Blue, and several things on my “buy it again” list were out of stock too. No meat on this purchase, it was all too expensive. I’ve got room in the freezers, but the price hasn’t been right for a while.

Oh, and the new freezer is cold, so it’s time to work on flipping that.

Tax time too, so I have the rest of my recordkeeping to finish. Back pain makes my brain sluggish though, so I’ve only been doing low value, low complexity stuff. Maybe I’ll get more done today.

I’ve certainly got stacking to do, and I’m sure you do too. Get busy.

nick

Author: Nick Flandrey

Mid 50s, stay at home dad, with two elementary school age girls. Love my family and my life.

96 thoughts on “Thur. May 13, 2021 – Friday the thirteenth is on a Thursday this month…”

  1. 64F with 83%RH at 6:30am.

    Cool and damp so far.

    n

  2. “At a Tuesday press conference, Department of Energy (DOE) Secretary Jennifer Granholm was asked by a reporter about the “feasibility of using rail cars” to transport fuel across the country as the nation faces a gas shortage from a Russian cyber attack.”

    Yup. Idjit.

    A reporter for which media outlet? A Berkshire Hathaway paper, perhaps?

    Again, Buffett supplies all of the rail tanker cars, directly via BNSF trains or indirectly through the subsidiary that leases/sells/maintains the hardware.

  3. Seeing pics of people filling gas into tupperware containers, plastic storage bins, etc. Lots of folk vying for Darwin awards. Even if the gas doesn’t eat through the plastic (which it generally will), what’s the end game?

    The other night, the local Faux News felt it important to warn the audience that plastic bags are not a good way to store/transport gasoline.

    The end game is arbitrage. Most of the states in hurricane prone areas of the US now have asinine “anti gouging” laws preventing retailers from adjusting prices for supply-demand in situations like what happened this week, but the police are not going to go after individuals taking advantage since the politicians will feel more heat if the Murphy Oil is charging $5/gallon one afternoon up at the WalMart while Joe Bob gets away with selling for $7/gallon out of the back of his Mobile Tigermart at the abandoned BigK lot across the street.

    Given another week, serious creativity would have been employed converting beater trucks into gasoline transportation and/or station poaching platforms for 100+ gallon loads, all heading to North Florida/Georgia. The message boards centered around the “Cannonball” cross-country record alone offer all kinds of discussions about safely adding fuel capacity to vehicles.

    Well, mostly safe. “Cannonball” is highly illegal and, at the current speed records, arguably dangerous.

    I’m wondering what the gasoline sales numbers are this week. During the contrived “shortage” in Texas four years ago, the retailers’ volumes were at least an order of magnitude beyond normal.

  4. Life’s a bitch, then you die. Friday the 13th falls on a Thursday this month. That is all.

  5. Oh, and the new freezer is cold, so it’s time to work on flipping that.

    Walking back from dropping my daughter at the bus stop yesterday, I looked up to see a long Home Depot flatbed truck pulling into my neighborhood with a single mini Chinese-made chest freezer loaded on the back.

    Gotta wonder how long deliveries like that will continue as diesel costs rise. The Brown Truck Mall and Food Court (TM) is ridiculously energy inefficient.

  6. The Brown Truck Mall and Food Court (TM) is ridiculously energy inefficient.

    Compared to people picking up things at a store, maybe not. Would be interesting to analyze… but not until I get coffee in me, lots of coffee.


  7. Compared to people picking up things at a store, maybe not. Would be interesting to analyze

    It has been analyzed. I read about it a few years ago. IIRC, residential delivery by truck was comfortably more efficient.


  8. The other night, the local Faux News felt it important to warn the audience that plastic bags are not a good way to store/transport gasoline.

    There’s several photos and vids on the interwebs now of people filling plastic bags with gasoline. One lady had the entire trunk of her SUV full of large trash bags filled with gasoline. I don’t even know how they lifted them into the car. Also, doesn’t gasoline eat right through certain plastics?

    Life’s a bitch, then you die.

    The funniest/harshest variation I ever saw of that was on a coffee mug owned by a bitter divorced guy I worked with. “Life is bitch and then you marry one.” Pretty savage.

    Compared to people picking up things at a store, maybe not. Would be interesting to analyze

    It has been analyzed. I read about it a few years ago. IIRC, residential delivery by truck was comfortably more efficient.

    Makes sense. Most of the parcel carriers have fairly advanced and time-tested solutions in place to route vehicles and packages in the most efficient manner. So, it’s probably definitely more efficient than all the individuals making special trips just for that stuff.


  9. There’s several photos and vids on the interwebs now of people filling plastic bags with gasoline.

    Yup, Darwin Award coming up. Beyond dumb.

  10. “Life is bitch and then you marry one.”

    –And then you die…. but not soon enough.

    n
    n


  11. “Life is bitch and then you marry one.”

    –And then you die…. but not soon enough.

    That’s an old joke too:
    Q: “Why do men, on average, die before their wives?”
    A: “They want to.”
    lol

  12. “There’s several photos and vids on the interwebs now of people filling plastic bags with gasoline.”

    Yup, Darwin Award coming up. Beyond dumb.

    The 2013 Cannonball record famously used a special plastic “bladder” replacing the back seat of the vehicle to store extra gasoline, with the lookout spending the drive sitting on top of the reservoir. That story went national during what was a slow news week so people may have picked up the idea from there without thinking that some serious shade tree mechanic engineering was involved.

    Even using that container, made from a specific plastic, was beyond dangerous, but everyone involved knew the risks. The three man team who drove the vehicle across country reportedly reeked of gas when they pulled up to the Portofino, the traditional end of the route in Redondo Beach.

  13. I know several of you on here patronize Costco (or Sam’s Club, or BJ’s…) more often and with more attention paid than I do, so perhaps you can offer your observations:

    I’ve seen some commenting and vids out there that inflation is happening now and happening badly, but the reason it isn’t jumping out at most consumers is because retailers are hiding it. Several people point out that products they’ve been buying at Costco for years are suddenly smaller, but the same price. I think one example given was a roll of paper towels that used to be 160 sheets and is now 120 sheets for the same price.

    It’s called “Shrinkflation.”

  14. Yep, I see it in bags of coffee, TP rolls, and other places when I pull out something stored a few years ago.

    “one pound” bags of ground coffee aren’t.

    TP rolls got narrower.

    candy bars change size so often you can’t keep track.

    Cereal boxes are the same height and width, but are half the depth (in the grocery store).

    Bacon comes in odd ounce totals, instead of pound, 1 1/2 #, or 2# increments.

    I’ve noticed other things that used to be in pound increments are now in smaller packages, although nothing leaps to mind atm.

    n

  15. I know several of you on here patronize Costco (or Sam’s Club, or BJ’s…) more often and with more attention paid than I do, so perhaps you can offer your observations:

    I’ve seen some commenting and vids out there that inflation is happening now and happening badly, but the reason it isn’t jumping out at most consumers is because retailers are hiding it. Several people point out that products they’ve been buying at Costco for years are suddenly smaller, but the same price. I think one example given was a roll of paper towels that used to be 160 sheets and is now 120 sheets for the same price.

    I use Costco’s Kirkland shampoo, and I noticed that the bottles disappeared from most of the stores sometime after Christmas, in favor of stocking an equivalent size Pantene bottle at a higher price.

    The Kirkland brand is starting to reappear in a redesigned bottle for $1 more for the same quantity as the stores sell out of Pantene, but, at this point, I’m wondering if the changes went beyond the bottle.

    Previously, the shampoo was rumored to come off the same production line as a high end Revlon brand. Maybe they switched to buying from the Pantene parent company, which would present an allergy problem for me regardless of price.

    I have two more old bottles, about 6-9 months worth, before I have to find out.

    Kirkland bar soap, introduced within the last decade after what was supposedly a p*ssing match between the Lever 2000 parent company management and Issaquah, got a redesign last year, and I swear the bars are softer which translates to shorter lifespan in the shower. I keep one bar in a plastic container in my suitcase, and, since the redesign, that always has to be replaced after every trip longer than a weekend.

    My other warehouse club observation – canned green beans at both Costco and Sam’s have zoomed in price, with both stocking Libby’s at almost $9/12 pack. Even Costco’s organic brand cans weren’t that expensive pre-Covid, and Sam’s ran $6/12 pack of Del Monte pre-pandemic.

  16. Oh, and one more warehouse club observation — Campbell’s Tomato Soup has yet to reappear in Costco or Sam’s since disappearing at the beginning of lockdowns. When I rotate our stash, I have to get replacement cans from HEB.

  17. Compared to people picking up things at a store, maybe not. Would be interesting to analyze

    It has been analyzed. I read about it a few years ago. IIRC, residential delivery by truck was comfortably more efficient.

    Whew, saved me a lot of work. Thanks, Steve, forever in your debt. I will add that intuitively (whatever that means,) it seems pretty obvious.

    I always question the notion of intuitive. In its popular use, the conclusion seldom seems to agree with mine, but my intuition has always been… different. Reminds me of the scientific method, and the modern thrust to believe in some conclusion. Science always questions a hypothesis; religion asks us to believe in things that are difficult or impossible to prove. Both have their places.


  18. There’s several photos and vids on the interwebs now of people filling plastic bags with gasoline.

    Yup, Darwin Award coming up. Beyond dumb.

    Now, now, no need to discourage them you know…

  19. Regarding retail product price increases, most of the above examples are good, but food items do fluctuate. Some things are still seasonal, even in cans. The only thing I follow is Yuban coffee. Its price seems pretty stable at Costco, but once a year, summer, I think, there are good sales where the 44 oz can that is normally about $9 is on sale for about $6.50. That’s when I stock up.

    I have been experimenting with coffee storage for years. The inside foil flash paperboard Yuban “cans” with the polyester (?) top seals seem to keep OK for about two years, the longest I have kept them. Some have noticeable vacuum, probably from packaging while the contents are hot; others seem to have normal atmospheric pressure. Both seem to keep well. I store them in my basement where the conditions are good.

    I also store wine in my basement. The temperature does not fluctuate much day to day, but the winter temperature is about 68F and the summer temperature is about 73F. This is too warm to store wine long term, but is better than locations where the temperature fluctuates daily. Corks are not good seals, and ullage increases. I have practically no ullage change. I am satisfied with my conditions, and have stored wine for more than ten years with good results.

  20. I saw some coverage of Rand Paul ripping into Anthony Fauci a while back about masks mandates and telling him that if he wants to reduce “vaccine hesitancy” then he needs to stop telling people they need to wear their masks even after being vaccinated. People aren’t going to feel motivated to get vaccinated if after getting their shots nothing changes. Of course, Fauci disagreed. Fast forward a month or so and now Fauci has come to the same conclusion as Paul and is now shifted to telling people to stop wearing masks outdoors if they’re vaccinated. Apparently, it wasn’t a good idea until Fauci thought it up. lol

  21. I am not familiar with that Cannonball gasoline bladder, but am aware that race cars use certified “fuel cells” that are supposed to resist crashes without leaking. These are supposed to be very safe. Plastic bags… not so much.

  22. I am not familiar with that Cannonball gasoline bladder, but am aware that race cars use certified “fuel cells” that are supposed to resist crashes without leaking. These are supposed to be very safe. Plastic bags… not so much. 

    The leader of the 2013 team was a salesman for exotic cars in Atlanta. While still dangerous, the bladder utilized was a specific choice, chosen to be safe for the duration of the run while still offering weight savings over a hard gas tank, not a random Hefty bag from Walmart.

    Plus, as I noted, the lookout had to sit on top of the bladder for the duration.

  23. Monoprice, one of my favorites, has a one day 15% off sale today only. There are many exclusions, but sometimes this can be good for items such as 1000′ boxes of network cable. There are also some clearance items at steeper discounts, limited to stock on hand until later this month. Worth a look.

    Full disclosure, they are about 100 miles from me, and shipping is cheap or sometimes free. Also, they can be fast. When they are good, they are very good, especially cables. I have always been impressed with the quality of their cables, and the prices are hard to beat.

    I only pass this on because general searches don’t often show them as a source. Not sure why. Of course, since I have ordered before, I get direct emails.

  24. The DoD uses bladders for fuel storage, I think they are called blivets in that usage…

    so it can be safe, but the level of stupid shown in the online pix is florida man high.

    So preppers take note. Have at least one tank full on hand. Properly stored and stabilized. Have another tank full in empty cans that you can fill when needed.

    During Ike, I just threw the empty cans in the truck, and if a station was open and had gas, I filled a couple. I was out ANYWAY, and took advantage of opportunity. Same for the last time, which I related here (and when I forgot to bring money with me).

    In fact, I’ve been thinking that I needed to take one of those metal cans of premix gas they sell for yard machines, and fill it with gas and tuck it somewhere on my vehicles.

    The traditional advice to never let your vehicle get below 1/2 is good advice too.

    n

  25. Monoprice has some very good value items for A/V, cams, networking, etc. I don’t think I’ve ever purchased from them directly though.

    n


  26. 300 F-15s out of Germany landed in Tel Aviv and the USA pilots were taken to a waiting destroyer in the harbor.

    100 F-4 Phantoms and 36 or so A-4s. The F-15 wasn’t in service until 3 years later.

  27. win8 stupidity.

    Took more than 10 minutes to resort my downloads folder, with 3800 files, and when I got impatient and clicked out of that folder, it’s now just spinning on rebuilding the whole file manager directory tree.

    Wtf is wrong with windows that it takes so long to do simple file ops?

    n

  28. Monoprice has some very good value items for A/V, cams, networking, etc. I don’t think I’ve ever purchased from them directly though.

    Through Amazon? Did you get a better deal?

  29. Wtf is wrong with windows that it takes so long to do simple file ops?

    Never had that problem, but you reminded I need to get ZTree installed on my new Windows machine. For those who are not familiar, it is the authorized follow-on to XTree. It takes some learning, but is probably the best orthodox file manager available. It is able to log millions of files, and supports persistent tags. You can try it for free, but it has a modest cost, or I think it still does. Don’t judge until you learn it thoroughly.

    For lighter duty, there are Norton Commander look-alikes, and many are free. Most people don’t know that the commander part of the name means there is always a live command line. Great for some of us, but some people can get into serious trouble. Insert your favorite newbie or command line typo joke here. 😛

  30. @jimb, I don’t recall. It was surveillance camera enclosures last time, and while they are plastic, they have held up well, and were much cheaper than alternatives.

    n

  31. Took more than 10 minutes to resort my downloads folder, with 3800 files, and when I got impatient and clicked out of that folder, it’s now just spinning on rebuilding the whole file manager directory tree.

    Wtf is wrong with windows that it takes so long to do simple file ops?

    The file explorer probably bridges from WinRT to Win32 across some COM nonsense. Realize, Windows 8 is going to get short shrift until it sunsets.

    It could be simpler/lower level, however. How full is the drive? Does the machine successfully complete the weekly defragment?

    I don’t think the defrag makes that much difference on my primary desktop, but if the scheduled weekly run doesn’t complete successfully, that’s a symptom something needs to be checked on the disk.


  32. is wrong with windows that it takes so long to do simple file ops

    Maybe Windows 8 is just the way it is. It’s a really old operating system, after all.

    I’d recommend upgrading to Win10, but you’ve been told that before….. 🙂


  33. The DoD uses bladders for fuel storage, I think they are called blivets in that usage…

    We sling loaded 500gal blivets of jet fuel by Blackhawk all the time to the FAARP (Forward Area Arming and Refuel Point) during exercises. Thick rubbery material with standard closed refuel ports. They are short fat sausages that can be rolled or pulled with a harness.

  34. My preference is Monoprice over others. I am about 50 miles away and can get next day, or the following, without paying for Prime.

    I did work at the Long Beach facility when the A-4 Skyhawks were being assembled there. However, I was always assigned to work on other projects. Prior to retirement I worked on the C-17 Globemaster III program supporting updates and modifications in the System Engineering function.

  35. I’m reading Colonial paid $5 million in crypto to their hackers.

    plugs: “No comment”

    Why can’t our goobermint find these guys and drone them. Our goobermint sucks dead bunnies.


  36. Why can’t our goobermint find these guys and drone them.

    That certainly wouldn’t be an act of war. Not.

    The best way to fight those guys is to not pay them. But that requires adequate defenses – hardware, software, and education. And the budget to pay for those defenses.

    There is plenty of valid and effective guidance to prevent those attacks. And to mitigate the damage if an attack is successful. – like valid and tested and isolated data backup. Most companies just aren’t doing those things, which provides a rich target environment for the attackers.

    It’s only after the fact that a company might realize that spending the funds for a proper defense *before* the attack might have been less costly than recovering from an attack.

  37. I’m reading Colonial paid $5 million in crypto to their hackers.

    plugs: “No comment”

    The current theory in the security community is that the hack went through RDP found by bulk scanning Internet addresses for the open port.

    RDP is an education problem as well as a sign of inappropriate “working” from home situations.

  38. That certainly wouldn’t be an act of war. Not.

    Crossing our border, even electronically, and attacking our infrastructure *is* an act of war. IMHO.

    And, yes, Colonial is a fool for paying.

  39. The last thing I scanned about Colonial was that their office and admin systems were compromised and they took the scada offline to avoid compromising that network….

    And they were “working” on a cold start plan to get everything back up.

    So they didn’t have a cold start plan that was up to date and worked, which is where the delay is coming from…

    could be wrong.
    n

  40. The last thing I scanned about Colonial was that their office and admin systems were compromised and they took the scada offline to avoid compromising that network….

    Scada security is generally pretty bad so companies limit access to systems on internal networks and restrict VPN tunnels.

    That explains the RDP exposure. “It won’t be a problem if I’m the only one …”


  41. Most companies just aren’t doing those things, which provides a rich target environment for the attackers.

    How far down the list do we have to go to find these companies without an adequate backup strategy? Certainly(??) everyone in the Fortune 500, Fortune 1000(?) could recover from a ransomware attack without paying any ransom?

  42. 64F with 83%RH at 6:30am.

    Cool and damp so far.

    n

    It is freaking May in south Texas. We do not have this weather in May. Usually we are rolling over 90 F every day by now.


  43. Certainly(??) everyone in the Fortune 500, Fortune 1000(?) could recover from a ransomware attack without paying any ransom?

    I suspect less than you think, although I don’t know the stats. Not something they advertise. But, evidently not enough – based on the high-profile attacks you read about.

    Easy enough to scan for low-hanging fruit. And when you scan, you sometimes get a high-profile company – like Colonial. There are several ‘malware/ransomware as a service’ providers out there.

    Ransomware is a billion dollar business. Good money in there, at the risk of being caught. Most are based in eastern Europe (plus Korea/China and others), where enforcement is less of an issue.

  44. @lynn:

    Climate is what you expect, weather is what you get. <grin>

    G.



  45. The best way to fight those guys is to not pay them. But that requires adequate defenses – hardware, software, and education. And the budget to pay for those defenses.

    This is what goes on, almost to excess, from my recent experience (Fortune 50). Much time spent on devops, data center exits, data center entry (requiring standardization, containers, docker and so on), app decomms, resiliency tests (hands-off failover to DR, run there for three months then hands-off fall back to Prod), etc. And budget restraints as they are, there is no incremental staff to work to these tasks so much gets absorbed by the Dev teams, who then grumble about falling behind in their Hot Skillz coding.

  46. Certainly(??) everyone in the Fortune 500, Fortune 1000(?) could recover from a ransomware attack without paying any ransom?

    I suspect less than you think, although I don’t know the stats. Not something they advertise. But, evidently not enough – based on the high-profile attacks you read about.

    Easy enough to scan for low-hanging fruit. And when you scan, you sometimes get a high-profile company – like Colonial. There are several ‘malware/ransomware as a service’ providers out there.

    Ransomware is a billion dollar business. Good money in there, at the risk of being caught. Most are based in eastern Europe (plus Korea/China and others), where enforcement is less of an issue.

    You have a failure in risk management by the companies. The risk is not taken seriously enough so no one wants to pay up front for those actions that would prevent a ransomware attack or there is a belief that paying-up is cheaper. This is doubly foolish. Now you have paid a ransom, or rebuilt your network from scratch, and still have probably not established a risk-culture that will take steps to keep this from happening again. Plus the criminal community knows you as fools – it will happen again. This only addresses the internal company costs. The externalities – disruption to everyone if there is no gas, or internet access, or whatever for some time – far exceed the company costs and everyone pays for those.

    If you want the companies to pay attention, regulate them. I know everyone hates big government, but make it the law that companies over a certain size have to report, publicly, that they have been subject to a successful ransomware attack with details. No hiding incompetence – reputational consequences. For companies where an attack would have large public costs, or maybe where reputation does not matter, more explicit regulation. I work for a Canadian bank. A successful attack that exposed client data would be a reputational disaster so there is a lot of time and money spent on cyber security. Even so, the regulator is all over us about data and network security. This approach works but it comes with costs. TANSTAAFL.

    It’s not a perfect analogy (they never are) but: I suppose it’s OK if you leave stacks of your money on the table and never lock your doors. You get robbed, your problem. If you leave my money on the table – I have a problem with you. If the thief also sets fire to your house and the block burns down? Now everyone has a problem with you. For situations 2 & 3, I want to make sure you buy a lock.


  47. The last thing I scanned about Colonial was that their office and admin systems were compromised and they took the scada offline to avoid compromising that network….

    Of course most of the MSM make it sound almost like the pipeline has been ruptured…and the sky is falling.

  48. How far down the list do we have to go to find these companies without an adequate backup strategy? Certainly(??) everyone in the Fortune 500, Fortune 1000(?) could recover from a ransomware attack without paying any ransom?

    Most of the big companies have a stated security policy and acceptable use of company laptop guidelines, for which an employee can be terminated with cause for violating. However, in my experience, enforcement varies depending on how important the worker is to the organization and/or whether they are a member of one or more protected class. Plus, in a lot of states, terminated with cause voids unemployment, and that can open a big civil court can of worms because the employee then has a demonstrable financial loss as well as an extended statute of limitations on various discrimination complaints, no matter how thin the grounds, with many companies particularly vulnerable on age-related issues in the US right now.

  49. AFK for an hour or so… I was going to cite some OFD comments from a few years ago when he was in a position to address network security, but his employer would not let him do much. I didn’t need to find it, because @TV put it very well. These problems are management, not technical; the technical folks can implement whatever is needed, given the talent and budget. First, there needs to be a mandate from the top to address these issues. Design the system and operating procedures, determine the cost, iterate until a reasonable risk profile is achieved, then implement. This is not rocket surgery. A company competent enough to operate their business can be competent to do security, IF they want to. As said, reputation is at stake. Loss of reputation costs dearly.

  50. Added, when I was working, life was simpler, but we still took precautions, a lot of them. It really was easier then, but any org needs to balance the progress, convenience, and cost savings with the risks. Use some of that savings to reduce risks to an acceptable level. To not do so is folly.

    Enough of my blather. I am retired, and will leave it to others to carry on. Trouble is, in at least some places, they are doing poorly. Shrug.


  51. How far down the list do we have to go to find these companies without an adequate backup strategy? Certainly(??) everyone in the Fortune 500, Fortune 1000(?) could recover from a ransomware attack without paying any ransom?

    Most of the big companies have a stated security policy and acceptable use of company laptop guidelines, for which an employee can be terminated with cause for violating. However, in my experience, enforcement varies depending on how important the worker is to the organization and/or whether they are a member of one or more protected class. Plus, in a lot of states, terminated with cause voids unemployment, and that can open a big civil court can of worms because the employee then has a demonstrable financial loss as well as an extended statute of limitations on various discrimination complaints, no matter how thin the grounds, with many companies particularly vulnerable on age-related issues in the US right now.

    While publishing a policy as regards security, remote access, etc. is one piece of the puzzle, the company is ultimately responsible for what happened, even if they want to point the finger at one bad apple. They need controls in place to prevent employees from becoming that bad apple. If the problem with Colonial was an RDP the criminals scanned for, why wasn’t Colonial conducting scans for open RDP ports on their network, if not just blocking or disallowing RDP (if that is technically possible)? It is not a perfect world and people are far from perfect, but this should not have happened. The number of times (at least anecdotally) that the vulnerability is not a fancy zero-day attack but something known for years is astounding.
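The check the comment above asks for, as an added example that is not from the post or its commenters: audit a perimeter firewall rule set for Remote Desktop (TCP/3389) reachable from public addresses, and contrast it with the hardened form where RDP is only allowed from the VPN pool. The rule format, the sample rules and the 10.8.0.0/24 VPN subnet are constructed assumptions for this example.

```python
"""Flag firewall rules that expose RDP (TCP/3389) to the public internet.

Rule format, sample rule sets and addresses are constructed for this example;
they are not Colonial's configuration or anyone else's real ruleset.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

RDP_PORT = 3389

# Sources inside these ranges are treated as internal; anything else is public.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    port_lo: int  # inclusive destination port range
    port_hi: int


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def source_is_public(src_cidr: str) -> bool:
    """True if any address in src_cidr lies outside the private ranges."""
    net = _net(src_cidr)
    return not any(net.subnet_of(p) for p in PRIVATE_NETS)


def _covers_rdp(r: Rule) -> bool:
    return r.port_lo <= RDP_PORT <= r.port_hi


def rdp_exposures(rules: list[Rule]) -> list[Rule]:
    """Return allow rules that let a public source reach TCP/3389.

    First-match semantics are assumed: an earlier deny whose source,
    destination and port range fully cover a later allow shadows it.
    """
    findings: list[Rule] = []
    for i, r in enumerate(rules):
        if r.action != "allow" or not _covers_rdp(r) or not source_is_public(r.src):
            continue
        shadowed = any(
            d.action == "deny"
            and _covers_rdp(d)
            and _net(r.src).subnet_of(_net(d.src))
            and _net(r.dst).subnet_of(_net(d.dst))
            for d in rules[:i]
        )
        if not shadowed:
            findings.append(r)
    return findings


# Constructed weak rule set: RDP open to the world, once explicitly and once
# hidden inside a broad port range.
WEAK_RULES = [
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", 443, 443),
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", 3389, 3389),
    Rule("allow", "198.51.100.0/24", "203.0.113.20/32", 3000, 4000),
]

# Constructed hardened rule set: RDP denied from the internet outright and
# only allowed from the (assumed) VPN client pool 10.8.0.0/24.
HARDENED_RULES = [
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", 3389, 3389),
    Rule("allow", "10.8.0.0/24", "203.0.113.10/32", 3389, 3389),
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", 443, 443),
]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        found = rdp_exposures(rules)
        print(f"{name}: {len(found)} RDP exposure(s)")
        for r in found:
            print(f"  allow {r.src} -> {r.dst} ports {r.port_lo}-{r.port_hi}")
```

Run the same audit on an export of your own perimeter rules; the broad port-range case is the one a quick grep for "3389" misses.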

  52. I’d really like to see the whole world follow the New Zealand model: no agricultural subsidies for anyone. If you do it across the board, it’s an even playing field. Sure, food prices will go up, but taxes (should) go down.

    Sorry, no. And no. America’s farmers are being dealt with huge new regulations over the last couple of decades. So expensive that many farmers have quit and sold out to corporations.

    And I am not interested in living through a food shortage.

  53. Where do I buy stock in DarkSide Digital Extortion?


  54. Sorry, no. And no. America’s farmers are being dealt with huge new regulations over the last couple of decades. So expensive that many farmers have quit and sold out to corporations.

    The $80,000 “farm truck” frequently doing everything but farm business probably doesn’t help.


  55. I’d really like to see the whole world follow the New Zealand model: no agricultural subsidies for anyone. If you do it across the board, it’s an even playing field. Sure, food prices will go up, but taxes (should) go down.

    Sorry, no. And no. America’s farmers are being dealt with huge new regulations over the last couple of decades. So expensive that many farmers have quit and sold out to corporations.

    And I am not interested in living through a food shortage.

    I am very sympathetic to the regular difficulties of being a farmer in a world (since the green revolution at least) that has more than enough food. Tough to get a good price for your crops if there are no shortages (and food shortages are a very bad thing: it means starvation for some so I am not in favor of shortages). If you have a bumper crop, it is likely your neighbors do too so now there is additional down pressure on prices. Farmers love ethanol for fuel because of the increased demand for crops not grown for food. I don’t think it possible to have a modern agricultural system without all sorts of subsidies and price controls. Right now there is a lot of talk about bringing home manufacturing and problems with supply chains offshore for materials considered strategic. Who would not consider food a strategic material? Who would not want to have surplus production of food locally, if that was at all possible? So subsidies to farmers to ensure that state of affairs continues are a given.


  56. It is freaking May in south Texas. We do not have this weather in May. Usually we are rolling over 90 F every day by now.

    In Californication, Gov. Newscum says we have “Global Warming”. Looks like Nick & Lynn have “Texal Cooling”.

  57. If the problem with Colonial was an RDP the criminals scanned for, why wasn’t Colonial conducting scans for open RDP ports on their network, if not just blocking or disallowing RDP (if that is technically possible)?

    RDP travels over the network to a specific TCP port on the destination. It can be blocked by port or protocol header if necessary, but the problem faced by a security person in a large company or government organization discovering a rogue RDP session is not knowing who is behind the link or why.

    It could be a hacker.

    It could be a VP visiting with his dominatrix on his lunch hour (though TeamViewer is more commonly used for that).

    It could be a tech fighting a crisis from a temporary remote location that could put the company out of business if not resolved.

    -or, increasingly common lately-

    It could be a Work From Home Mommy (and more than a few Daddies) Mafia made member trying to do a complex job from home requiring enterprise-level network access when they should be in the office.

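    The comment above says RDP can be blocked “by port or protocol header”. The following is an added example, written for this page and not code from the thread or any commenter, of doing the latter on the defender’s side: it recognises the X.224 Connection Request that opens every RDP session (the layout is from Microsoft’s MS-RDPBCGR specification), so RDP is found even when moved off TCP 3389, and it reads the client’s requested security protocols to flag sessions that would accept the legacy security layer. The flow records and the function names (`parse_rdp_connection_request`, `audit_flows`, `build_connection_request`) are constructed for the example.

```python
"""Recognise RDP by its protocol header rather than by TCP port alone.

Added example (not from the thread). Every RDP session opens with a TPKT
frame carrying an X.224 Connection Request (documented in MS-RDPBCGR): an
optional "Cookie: mstshash=<user>\\r\\n" line, then an RDP Negotiation Request
listing the security protocols the client supports. All flows below are
constructed sample data, not captured traffic.
"""
import struct
from typing import Optional

RDP_PORT = 3389
X224_CONNECTION_REQUEST = 0xE0
NEG_REQ_TYPE = 0x01
# requestedProtocols flags in the RDP Negotiation Request
PROTOCOL_RDP = 0x0      # legacy "standard RDP security" only
PROTOCOL_SSL = 0x1      # TLS
PROTOCOL_HYBRID = 0x2   # CredSSP / Network Level Authentication
COOKIE_PREFIX = b"Cookie: mstshash="


def parse_rdp_connection_request(payload: bytes) -> Optional[dict]:
    """Return cookie and requested protocols if payload is an X.224 CR.

    Layout: TPKT version(1)=3 reserved(1)=0 length(2, BE) | X.224 LI(1)
    type(1)=0xE0 dst-ref(2) src-ref(2) class(1) | [cookie] | [negReq:
    type(1)=1 flags(1) length(2, LE)=8 requestedProtocols(4, LE)].
    """
    if len(payload) < 11 or payload[0] != 0x03 or payload[1] != 0x00:
        return None
    tpkt_len = struct.unpack(">H", payload[2:4])[0]
    li = payload[4]
    # TPKT length covers the 4-byte TPKT header, the LI byte and LI bytes
    if tpkt_len != len(payload) or li + 5 != tpkt_len:
        return None
    if payload[5] != X224_CONNECTION_REQUEST:
        return None
    body = payload[11:]
    cookie = None
    if body.startswith(COOKIE_PREFIX):
        end = body.find(b"\r\n")
        if end == -1:
            return None
        cookie = body[len(COOKIE_PREFIX):end].decode("ascii", "replace")
        body = body[end + 2:]
    requested = None
    if len(body) >= 8 and body[0] == NEG_REQ_TYPE:
        if struct.unpack("<H", body[2:4])[0] == 8:
            requested = struct.unpack("<I", body[4:8])[0]
    return {"cookie": cookie, "requested_protocols": requested}


def audit_flows(flows):
    """Flag RDP connection requests in (src, dst, dport, payload) records.

    Returns (src, dst, dport, reason) tuples. An NLA-capable client talking
    to the standard port raises nothing; the goal is visibility into sessions
    that moved ports or would accept the legacy (MITM-prone) security layer.
    """
    findings = []
    for src, dst, dport, payload in flows:
        req = parse_rdp_connection_request(payload)
        if req is None:
            continue
        if dport != RDP_PORT:
            findings.append((src, dst, dport, "rdp-on-nonstandard-port"))
        if req["requested_protocols"] in (None, PROTOCOL_RDP):
            findings.append((src, dst, dport, "client-offers-only-legacy-rdp-security"))
        if req["cookie"]:
            findings.append((src, dst, dport, "user-hint:" + req["cookie"]))
    return findings


def build_connection_request(requested_protocols=None, cookie=None) -> bytes:
    """Construct a client X.224 Connection Request for the sample flows."""
    body = b""
    if cookie is not None:
        body += COOKIE_PREFIX + cookie.encode("ascii") + b"\r\n"
    if requested_protocols is not None:
        body += struct.pack("<BBHI", NEG_REQ_TYPE, 0, 8, requested_protocols)
    x224 = bytes([X224_CONNECTION_REQUEST]) + bytes(5) + body  # refs + class
    x224 = bytes([len(x224)]) + x224                            # prepend LI
    return b"\x03\x00" + struct.pack(">H", 4 + len(x224)) + x224


SAMPLE_FLOWS = [  # constructed, not captured traffic
    ("10.0.5.20", "10.0.9.7", 3389, build_connection_request(PROTOCOL_SSL | PROTOCOL_HYBRID)),
    ("203.0.113.45", "10.0.9.8", 443, build_connection_request(PROTOCOL_RDP, cookie="svc-hist")),
    ("10.0.5.21", "10.0.9.7", 3389, build_connection_request(None)),
    ("10.0.5.22", "10.0.9.9", 443, b"\x16\x03\x01\x00\x1f\x01\x00\x00\x1b\x03\x03" + bytes(20)),
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

    The same parser can be run over the first client payload of each TCP flow from a capture or an IDS feed; on a real network the interesting output is the list of hosts answering RDP on ports nobody documented.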
  58. The other night, the local Faux News felt it important to warn the audience that plastic bags are not a good way to store/transport gasoline.

    There are several photos and vids on the interwebs now of people filling plastic bags with gasoline. One lady had the entire trunk of her SUV full of large trash bags filled with gasoline. I don’t even know how they lifted them into the car. Also, doesn’t gasoline eat right through certain plastics?

    “Gas Shortage Idiots: Florida Man Strikes!”
    https://gunfreezone.net/gas-shortage-idiots-florida-man-strikes/

    “Citrus County Fire Rescue told the Citrus County Chronicle that the driver of the Hummer had just filled five-gallon cans with fuel at a local gas station before the fire broke out.”

    “Hummer Carrying Gas Caught Fire in Florida, Injuring 1 (insider.com)”

    That is one toasty Hummer.

  59. “Our infrastructure is f**ked. Never pay the Dane-geld. – Update. So f**ked.”
    https://gunfreezone.net/our-infrastructure-is-fked-never-pay-the-dane-geld/

    “Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom”
    https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom

    “Colonial Pipeline Co. paid nearly $5 million to Eastern European hackers on Friday, contradicting reports earlier this week that the company had no intention of paying an extortion fee to help restore the country’s largest fuel pipeline, according to two people familiar with the transaction.”

    “The company paid the hefty ransom in difficult-to-trace cryptocurrency within hours after the attack, underscoring the immense pressure faced by the Georgia-based operator to get gasoline and jet fuel flowing again to major cities along the Eastern Seaboard, those people said. A third person familiar with the situation said U.S. government officials are aware that Colonial made the payment.”

    “Once they received the payment, the hackers provided the operator with a decrypting tool to restore its disabled computer network. The tool was so slow that the company continued using its own backups to help restore the system, one of the people familiar with the company’s efforts said.”

    I would guess that means that the ransomware got through from the office PCs to the SCADA boxes.

  60. The DoD uses bladders for fuel storage, I think they are called blivets in that usage…

    We sling loaded 500gal blivets of jet fuel by Blackhawk all the time to the FAARP (Forward Area Arming and Refuel Point) during exercises. Thick rubbery material with standard closed refuel ports. They are short fat sausages that can be rolled or pulled with a harness.

    The former USMC son had 8,000 gallon bladders of JP8 in their main camp in Iraq to power the two 1 MW CAT generators. At 3am one very quiet morning, a pilot landed a Blackhawk (big helicopter) on one of the bladders despite my son and a couple of other Marines waving him off. He got the full bladder of course. 8,000 gallons of JP8 went everywhere. The son lost another pair of Marine boots. JP8 don’t buff out.
    https://en.wikipedia.org/wiki/Sikorsky_UH-60_Black_Hawk


  61. A company competent enough to operate their business can be competent to do security, IF they want to. As said, reputation is at stake. Loss of reputation costs dearly.

    Not only reputation, but (at least in the financial world) also regulation risk. Not much more fun than a bunch of auditors in suits from the SEC (or pick your favorite agency) showing up unannounced for a tech audit.


  62. It could be a VP visiting with his dominatrix on his lunch hour (though TeamViewer is more commonly used for that).

    Do people still really do that on a work connection? I’ve seen a few people escorted out of the building by security for what turned out to be surfing for pron.


  63. “The company paid the hefty ransom in difficult-to-trace cryptocurrency within hours after the attack, underscoring the immense pressure faced by the Georgia-based operator to get gasoline and jet fuel flowing again to major cities along the Eastern Seaboard, those people said. A third person familiar with the situation said U.S. government officials are aware that Colonial made the payment.”

    “Once they received the payment, the hackers provided the operator with a decrypting tool to restore its disabled computer network. The tool was so slow that the company continued using its own backups to help restore the system, one of the people familiar with the company’s efforts said.”

    Don’t feed the trolls. What would Colonial have done if, after pocketing the $5M, the hackers turned around and asked for another $5M? Or maybe they wouldn’t risk their A+ rating with the BBB??

    I would guess that means that the ransomware got through from the office PCs to the SCADA boxes.

    @lynn; is there something definitive yet that indicates the SCADA infrastructure was directly impacted by the ransomware?

  64. I would guess that means that the ransomware got through from the office PCs to the SCADA boxes.

    If it was RDP, then the link was probably something a tech set up to allow access to their work desktop with connections to both the SCADA and the corporate LANs. The pipeline company most likely has no clue as to how much further the hackers got beyond the vulnerable PC. RDP is particularly vulnerable to man-in-the-middle attacks and backwards compatibility requirements mean supporting TLS 1.0 for encrypting authentication.

    Work announced today that they are targeting Labor Day for the people near offices to be back at work in the offices, but that date is flexible depending on how much cr*p -er- feedback they get from the WFH Mafia. There are only two of us in Texas.

  65. It could be a tech fighting a crisis from a temporary remote location that could put the company out of business if not resolved.

    No ! No ! No ! You do not attach the SCADA boxen to the intertubes !

    First, the SCADA boxen do not have the cpu cycles to fight off the hackers with. They are busy logging anywhere from 50 to 15,000 data points every few seconds to every few minutes.

    If the tech cannot make it to the plant to fix the problem then fire the tech and hire a new one.

    Air gapping is the only safe way to live with SCADA boxen.

  66. I would guess that means that the ransomware got through from the office PCs to the SCADA boxes.

    @lynn; is there something definitive yet that indicates the SCADA infrastructure was directly impacted by the ransomware?

    Just a SWAG (scientific wild assed guess) on my part.

    Repeated, air gapping solves a lot of problems. If you must have a connection, then an intermediate machine that has read only access to the SCADA boxen is the best of the bad solutions.

    Worst nightmare is an operator viewing porn on a SCADA box. Or playing networked WoW on a SCADA box.

    Several of my customers put our software on their SCADA boxen. I see them during configuration. Then they hit the customer plant site and go away into the dark where they should be.

  67. “The company paid the hefty ransom in difficult-to-trace cryptocurrency within hours after the attack, underscoring the immense pressure faced by the Georgia-based operator to get gasoline and jet fuel flowing again to major cities along the Eastern Seaboard, those people said. A third person familiar with the situation said U.S. government officials are aware that Colonial made the payment.”

    “Once they received the payment, the hackers provided the operator with a decrypting tool to restore its disabled computer network. The tool was so slow that the company continued using its own backups to help restore the system, one of the people familiar with the company’s efforts said.”

    Don’t feed the trolls. What would Colonial have done if, after pocketing the $5M, the hackers turned around and asked for another $5M? Or maybe they wouldn’t risk their A+ rating with the BBB??

    What is the chance that trolls dropped a new ransomware on the boxen in their decrypting tool ?

    Ransomware, the new SAAS (software as a service, paid monthly or annually).

  68. 300 F-15s out of Germany landed in Tel Aviv and the USA pilots were taken to a waiting destroyer in the harbor.

    100 F-4 Phantoms and 36 or so A-4s. The F-15 wasn’t in service until 3 years later.

    Just wait until I start toking for my glaucoma. It will be 5,000 F-35s.

  69. “It could be a VP visiting with his dominatrix on his lunch hour (though TeamViewer is more commonly used for that).”

    Do people still really do that on a work connection? I’ve seen a few people escorted out of the building by security for what turned out to be surfing for pron.

    Yes. It is a whole different world for a C-suite exec in a large US company, especially tech or finance.

  70. AFK for an hour or so… I was going to cite some OFD comments from a few years ago when he was in a position to address network security, but his employer would not let him do much. I didn’t need to find it, because @TV put it very well. These problems are management, not technical; the technical folks can implement whatever is needed, given the talent and budget. First, there needs to be a mandate from the top to address these issues. Design the system and operating procedures, determine the cost, iterate until a reasonable risk profile is achieved, then implement. This is not rocket surgery. A company competent enough to operate their business can be competent to do security, IF they want to. As said, reputation is at stake. Loss of reputation costs dearly.

    IIRC, OFD was big on air gapping.

  71. No ! No ! No ! You do not attach the SCADA boxen to the intertubes !

    My guess is they attached their work desktop PC to the Internet via RDP thinking it would be safe. Unfortunately, once you have RDP access to a Windows box, the defaults allow for file transfers across the link. Being able to install RDP means the user has Administrator access.

    TLS 1.0 has been broken in cryptographic terms for a while. SSL 1/2/3 have been toast for a while.

    The legend is that the only reason it is called TLS 1.0 and not SSL 4.0 is that BillG had a hissy fit about putting “SSL”, a Netscape technology, into Internet Explorer after Marc Andreessen’s comment about Windows’ future as devolving into “a set of poorly debugged device drivers”.

  72. An Instagram video was posted supposedly from Sprouts Farmer Market store that customers will be asked to wear masks, but not required nor harassed about it. I hope H-E-B follows suit and the dominoes tumble.

  73. @greg:

    a set of poorly debugged device drivers

    A future that has now been achieved, in recent versions of Win-10-nic.

    It is my belief that the last stable and usable Windows was Win7 SP1, and there is a case to be made that that accolade should actually be given to Win XP, or even Win 2000. Nearly all the “improvements” since have been the exact opposite, IMNSHO.

    G

  74. It is my belief that the last stable and usable Windows was Win7 SP1, and there is a case to be made that that accolade should actually be given to Win XP, or even Win 2000. Nearly all the “improvements” since have been the exact opposite, IMNSHO.

    I run Windows 8 in Boot Camp/VMware Fusion on my circa-2012 MacBook Pro, and, with Classic Shell installed, that combination is solid with trim support for the SSD when booted directly.

    Windows 7 is out on that system because the Nvidia drivers are garbage on the OS with most of the company’s GPUs made in the last decade.

    Windows 10’s license requires two serial numbers to allow booting under Boot Camp and Fusion. Microsoft considers those to be two separate computers, each requiring a license.

  75. UPS showed yesterday. Dropped the package over the fence at the gate. Weird, UPS has always come to the house.

    Anyway. An eBay purchase. Packaging was iffy…. but a Squeezebox Radio (black) and a Squeezebox Boom. Dirty with sticky dust, smell of smoke and what the heck, they both work… flawlessly. Radio was cleaned up today, rubbing alcohol is the trick to clean the sticky “rubber” stuff off of knobs. It looks new but for a couple of scratches.

    The Boom gets a scrubbing tomorrow.

    The Boom had a screen last night saying to go to some website because the player is registered to another account. Meh. I connected to it via the server web page and clicked “reset to factory” button. 🙂 MY player now.

    I had John Berry’s “Oh Holy Night” playing last night. Cranked it up loud and zero distortion or speaker rattle.

    So…. I’ve half-assed shopped for another Boom for a couple three years. The prices go crazy at the end, to the point of more than I paid for a new unit. I just scored a Radio and a Boom for the princely sum of $102, including shipping and tax.

    Win.

  76. It is my belief that the last stable and usable Windows was Win7 SP1,

    XP was good. Win98Se was good. Heck, Win95 with IE4 was good. The beta for NT5 was pretty sweet.

    Win8, the couple of boxes I’ve messed with, were just a mess of things seemingly randomly moved around. Win10, yeah, no idea. I’m not going there.


  77. Work announced today that they are targeting Labor Day for the people near offices to be back at work in the offices, but that date is flexible depending on how much cr*p -er- feedback they get from the WFH Mafia. There are only two of us in Texas.

    So the “feedback” goes something like this…
    “Will the company be liable if I get Covid at the office?”
    “Why are/aren’t (pick one) vaccinations required?”
    “How often is the air changed?”
    And on and on…

  78. Work announced today that they are targeting Labor Day for the people near offices to be back at work in the offices, but that date is flexible depending on how much cr*p -er- feedback they get from the WFH Mafia. There are only two of us in Texas.

    So the “feedback” goes something like this…
    “Will the company be liable if I get Covid at the office?”
    “Why are/aren’t (pick one) vaccinations required?”
    “How often is the air changed?”
    And on and on…

    We never went home here. Of course, there are only 7 of us in a 5,200 ft2 building. No masks either. Two of us did have the covid (one imaginary (no test available then) from an engineering conference and the other proven by test infected by his school teacher wife). All but one of us have been vaccinated, the last one is waiting to see if anyone sprouts a third arm. I do have one person working from home but she sleeps with me so she gets carte blanche.

  79. Biden’s First 100 Days Accomplishments:

    – Kill Keystone XL Pipeline
    – Gas Lines
    – $3 Gas (National Avg)
    – Inflation
    – Crumbling Dollar
    – Rising Unemployment
    – Open Border Crisis
    – Antifa Terror Squads
    – Skyrocketing Homicides
    – Israel Burning
    – China Rising
    – Vaccinated Masking

    Stolen from a tweet:
    https://twitter.com/bennyjohnson/status/1392136898173341702

  80. All but one of us have been vaccinated, the last one is waiting to see if anyone sprouts a third arm. I do have one person working from home but she sleeps with me so she gets carte blanche.

    If I have to get a vaccine for any reason, I’ll get the Johnson & Johnson shot. The VA has a stash.

  81. New York Yankees have seven cases of COVID-19 among FULLY VACCINATED coaches and staff – but manager Aaron Boone says the injections ‘kind of blunt the effects of the virus’

    The New York Yankees now have seven confirmed cases of coronavirus among coaches and staff — all of whom have been fully vaccinated
    Pitching coach Matt Blake was the latest to be diagnosed, following third-base coach Phil Nevin, first-base coach Reggie Willits, and four unidentified staffers
    All seven received the Johnson & Johnson vaccine, which has only one injection
    New York shortstop Gleyber Torres has not tested positive, but was held out of Wednesday’s 1-0 win in Tampa out of an ‘abundance of caution’
    As of April 15, as many as 5,800 Americans had become infected with COVID-19 after being fully vaccinated, according to the CDC

    https://www.dailymail.co.uk/news/article-9575491/New-York-Yankees-seven-cases-COVID-19-FULLY-VACCINATED-coaches.html

    Huh, what do you call a vaccine that isn’t?

  82. Air gapping is the only safe way to live with SCADA boxen.

    not enough, USB ports, vendors’ requirements, all they request remote maintenance or logging, all major turbine manufacturers request it too

    we are not in Kansas anymore

    PS Beancounters request interconnection to perform predictions, engineers to have less work punching data for beancounters and so on, and c suites to show fancy graphics

  83. Air gapping is the only safe way to live with SCADA boxen.

    not enough, USB ports, vendors’ requirements, all they request remote maintenance or logging, all major turbine manufacturers request it too

    we are not in Kansas anymore

    PS Beancounters request interconnection to perform predictions, engineers to have less work punching data for beancounters and so on, and c suites to show fancy graphics

    Sure. You put in a box with read only access to the SCADA system.

    What, are you going to allow read / write access to the SCADA system outside the plant ? What if GE decides to upgrade the O/S for you and wrecks the machine ?

  84. there is no such thing as read only, only a physical one direction works, and yes, the pool of worldwide spare parts and turbine optimization requires that from the customer.

    To avoid read only you need to install a messaging system like apache active MQ and a lot of expensive things that management only asks what for?? later, shit happens

    Thinking is a good line of business, all companies will need checks and nobody mixes corporate and scada

  85. there is no such thing as read only, only a physical one direction works, and yes, the pool of worldwide spare parts and turbine optimization requires that from the customer.

    Forensics labs buy special certified read only USB to SATA/PATA adapters for gathering evidence used in court, but they are crazy expensive.


  86. Just so we can discuss things based on available info:

    https://www.neowin.net/news/colonial-pipeline-was-using-vulnerable-outdated-version-of-microsoft-exchange/

    It does not really matter what your initial specific vulnerability was. Once you get access you can break anything. ALL vulnerabilities have to be addressed and they were warned about Exchange (Office).

    Air gapping SCADA is another must…

    From the linked article:
    A forensic report of the Colonial Pipeline noted that the “most likely culprit” within the company’s IT infrastructure was the vulnerable Microsoft Exchange services, as noted by New York Times reporter Nicole Perlroth, though there were several other issues that researchers characterized as an overall “lack of cybersecurity sophistication.”

    Unless I’m missing something, this still doesn’t specifically say that the SCADA systems were (or were not) infected by the ransomware. Nor if they were airgapped. Could have been just their MS Office apps/data. Not that anyone from Colonial wants the details to see some sunshine. I’m sure the Colonial C-suite folks are already shining their tap shoes for their appearances at the inevitable Congressional hearings.

  87. From FEMA

    Current Situation: Colonial Pipeline has announced that product delivery has resumed to 80% of
    Colonial Pipeline; Colonial Pipeline expects delivery will resume to 100% of markets serviced this
    afternoon. Currently there are no requests for FEMA assistance.
    Impacts:
    ▪ Approximately 1,800 gas-stations are out of fuel in AL, GA, FL, SC, NC, MD, and VA.
    ▪ Nearly 52% of Virginia’s fuel stations are out of gas. Areas on the pipeline within Virginia
    do not yet have the output to supply the region (CISA as of 4:50 a.m. ET; May 13, 2021)
    ▪ Nearly 68% of North Carolina’s fuel stations report they are out of fuel (gasbuddy.com)
    ▪ Airlines are making fuel stopovers to reach destinations, and have cancelled flights


  88. Popo are back to working street racing tonight. Must be a big weekend coming up.



  89. Huh, what do you call a vaccine that isn’t?

    Plenty of articles out there detailing less than 100% efficacy:

    Clinical trials show that the Pfizer-BioNTech COVID-19 vaccine has a very high efficacy — 95 percent — against symptomatic infection.

    Real-world studies show a similar high effectiveness against all infections, including asymptomatic ones.

    So, very few people fully vaccinated with this vaccine will contract the coronavirus. However, breakthrough infections can occur. This is true of all vaccines.

    “No vaccine is 100 percent effective for every recipient, so we will continue to see rare infections in people who have been vaccinated,” said Dr. S. Wesley Long, an associate professor of pathology and genomic medicine at Houston Methodist, who was not involved in the new study.

    “But many times these infections are mild, and the protection against severe disease and hospitalization is still very robust,” he said.

    https://www.healthline.com/health-news/pfizer-vaccine-still-very-effective-against-coronavirus-variant-despite-small-window-of-risk

  90. “The Best Science Fiction Book Sequels” by Dan Livingston
    https://best-sci-fi-books.com/the-best-science-fiction-book-sequels/

    I have read 9 of the 21. I have two of the others in my SBR, “Ready Player Two” and “Count Zero”.

    The read books are “The Honor of the Queen”, “Broken Angels”, “Caliban’s War”, “The Warrior’s Apprentice”, “A Deepness in the Sky”, “Startide Rising”, “Green Mars”, “To Say Nothing of the Dog”, and “2010: Odyssey Two”.

    In reading order, the wonderful “Shards of Honor” is followed by the marvelous “Barrayar”. One must not miss Cordelia’s shopping trip.
    https://www.amazon.com/Barrayar-Vorkosigan-Saga-McMaster-Bujold/dp/1476781117/?tag=ttgnet-20

  91. Mayoral run off shows our conservative candidate with a small but growing lead. I daren’t feel optimism yet. There’s a lot of prayer happening in Anchorage.

    We are bunny sitting. I promised the little girl we wouldn’t eat her pet.

    Also having new concrete steps installed both sides of the house. And because the price was terrific, the driveway is being redone. Jackhammers are loud and I am no spring chicken.

    There were some political firings at work this week related to current election. Nails that stick up are pulled or hammered down. Not a good time to be a nail.

    life is better with a glass of wine.

  92. “There were some political firings at work this week related to current election.”

    –@jenny, interesting data point. Is it typical of your workplace to fire for personal and political reasons or is this something new? I think there might be a big difference in how to interpret this on a larger scale, depending on that….


    (glad you missed the chop)


  93. It could be a VP visiting with his dominatrix on his lunch hour (though TeamViewer is more commonly used for that).

    Do people still really do that on a work connection? I’ve seen a few people escorted out of the building by security for what turned out to be surfing for pron.

    This behavior, and all the other behaviors listed by @Greg, illustrate the problem with a lack of proper risk management, culture, and controls. No one should be able to casually override those controls, and while exceptions are sometimes required (@Greg’s remote firefighting case being an example), those are supposed to be temporary, with much oversight and senior management approval. If you have executives asking for exceptions for any old reason and getting them, you have a problem with risk management. As noted by @JimB that is a management, not a technical problem.

Comments are closed.