Full Disclosure mailing list archives

Re: Florida Power & Light Company (FPL) Fort Sumner Wind turbine Control SCADA was HACKED


From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Sun, 17 Apr 2011 20:10:35 +0000

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-
bounces () lists grok org uk] On Behalf Of Rob Nelson
Sent: Sunday, April 17, 2011 12:05 PM
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Florida Power & Light Company (FPL) Fort
Sumner Wind turbine Control SCADA was HACKED

Why the hell are we arguing statutes? Look at the big picture: He leaked
config files to a system that has access to something in a /nuclear power
plant/.  He's going to jail, it's just a matter of time.

Actually, your question deserves a better answer...  The reason statutes are being discussed is because they are a
governing body's "best guess" at defining tort and suitable remedy or consequence in a way that encompasses and defines
the action before it actually happens (of course, there is ex post facto legislation).   Discussing statute has some
value in my opinion.

Rather than further contribute to the abuse of the quintessential inappropriate physical continuum analogy of "open
doors and windows," I'm interested in what some of you consider the right "answers" to the following circumstances:

1) What if this is actual leaked data that led to someone breaching the systems illustrated in a non-trivial way?
Should the poster be punished appropriately?  I feel most would say "yes."

2) What if this is actual leaked data that *could* allow someone to breach the system, but no one does?  Should he be
punished appropriately?

3) What if he made the whole thing up and posted bogus data, but someone took note and started scanning the systems and
found/broke something as a matter of cause?  Should he be punished?

4) And finally, what if it is all bogus data, but someone in FL took it as gospel and pulled a Columbine at the power 
station for being put at risk of terrorist attack?   The poster *clearly* has the intent of making FPL look like they 
are vulnerable (and presumably at fault) for/to SCADA facilities attack.  What then?   Did he incite a riot?  Is the
posting of this data in itself a terrorist act?  

This is why the statutes are important.  If the latter happened, but it was all a joke, I don't think people would say
"it was just public utility access so it's OK" nor would they say "he hacked the stations so he has to go to jail."
Neither of those things would be true.  But something would have to be done.  In the absence of some sort of guiding
statute, it would be more difficult to arrive at a conclusion.

t
