[HN Gopher] Gas pumps happen to be about as insecure as your typical router
___________________________________________________________________
Gas pumps happen to be about as insecure as your typical router
Author : homarp
Score  : 261 points
Date   : 2022-03-19 12:49 UTC
web link (myfox8.com)
| BuckRogers wrote:
| I do believe the 'typical' home router is insecure, but mine is rather typical and has had great security updates for 4 years now.[0] It's definitely nothing special, just a $100USD unit. Asus also has an autoupdate feature so their owners don't even have to do anything. I haven't used another brand in years, I had a Buffalo router before this, but I've been following the release notes on this one and security _seems_ top notch for a low-end home router. I do run a 3rd party firmware on this, but it's downstream from Asus's.
|
| [0] https://www.asus.com/us/Networking-IoT-Servers/WiFi-Routers/...
| [deleted]
| syngrog66 wrote:
| I've worked on the embedded software inside a major brand/model of gas pump, so this article will be interesting.
| [deleted]
| aftbit wrote:
| I believe the magic word is "SiteOmat".
| prettyStandard wrote:
| Once I scanned barcodes from a competing store rewards program into a PointOfSale terminal of a grocery store. The machine promptly shut down. Sometimes I wonder if that was a failure mode to prevent attacks or a lack of sanitizing inputs.
| Mountain_Skies wrote:
| Most of the stores where I live allow you to scan other stores' rewards cards. You don't get points on your account but you still get whatever sale prices are reserved for reward card holders. Wonder if in your case the store supported this function but there was a null or something similar in the record for that card type.
| heywire wrote:
| Most retailers use the same ranges for their rewards cards, UPC-A barcodes starting with 4.
| So even if not intentional, if their system is configured to allow an unregistered card to receive discounts, doesn't validate registration at all, or the number collides with a legitimate rewards card, you'll receive the sale pricing. Similarly, if you simply use a common phone number like xxx-867-5309, 800-555-1212, the store's phone number, etc., you'll probably get discounts too.
| rhino369 wrote:
| At the store I worked at 15 years ago, any 4xxxxxxxxxx code would give you the loyalty program. No reason to authenticate, they'll give you the "discount" (hint: it's not really a discount) even if you just ask.
| myself248 wrote:
| Lack of sanitizing inputs. Barcode scanners are hilariously bad, look up "scan tags" for why.
|
| Q: This barcode scanner has a million options, how do we configure them?
|
| A: By showing configuration barcodes to it!
| _pmf_ wrote:
| > Barcode scanners are hilariously bad
|
| Aren't they just USB HID (previously: serial) devices that literally just output key codes for the numbers detected?
| janci wrote:
| Yes. And they can send all key scan codes, i.e. Win+r cmd <enter> format c: <enter> or something...
| hjadal wrote:
| The ones I have used worked like that. They gave wonky output if you scanned something that was not a bar code.
|
| I also used a 2D scanner and it worked the same way.
| Eduard wrote:
| Looked up "scan tags", didn't find anything. Can you clarify?
| cliffwarden wrote:
| A lot of them are configured by literally scanning settings. These "settings" barcodes are often left out in the open, or easy to recreate. I used to have a "cheat sheet" when I managed scanners in a warehouse.
|
| https://downloads.dell.com/manuals/all-products/esuprt_tab_m...
| isaac21259 wrote:
| [1] Is what (I believe) they were talking about. Rather than configuring these in a sane way you just scan configuration barcodes.
| I didn't see anything on the list that was too dangerous but you could change the maximum input length or allow full ASCII encoding, which could be dangerous if the programmers assumed that the barcode reader returns a fixed length string of numbers.
|
| [1] https://cdn.sparkfun.com/assets/b/5/0/e/e/DY_Scan_Setting_Ma...
| Groxx wrote:
| Honestly that sounds like a super-convenient and easy to use approach. Field-configuring in an instant without any specialized hardware is great.
|
| ... but yeah, it should require pressing a recessed button with a pin or something. Not allow it all the time.
| isoprophlex wrote:
| In the early days of our local RFID-powered public transport payment system, I tried scanning a random misc RFID card from my wallet instead of the correct payment card.
|
| The gate locked up and started screeching its "I scanned a card" chime on loop.
|
| It was hilarious... and I guess a matter of poorly sanitized inputs.
| flir wrote:
| > The machine promptly shut down.
|
| I have a credit card that bluescreens (some) PoS terminals. I theorize the upstream server is returning a rare error code when it's used in contactless mode, because that account's never been approved for contactless. In that case I'm going with lack of sanitizing inputs.
| MBCook wrote:
| That's quite strange. There's a very rigorous certification process such terminals are supposed to go through.
| posguy wrote:
| Terminals that only supported the first version of tap to pay in the USA often have this bug when activated by a card from this first version of tap to pay.
| Hamuko wrote:
| Sounds like a pretty easy way to do a denial-of-service attack against a grocery store if you can just shut down a bunch of terminals with a barcode. I guess you'll stand out a fair bit if you move from PoS to PoS, scanning a barcode.
| flerchin wrote:
| I suppose it would be considered vandalism.
| "But I just scanned a barcode" will not amuse the judge.
| Mountain_Skies wrote:
| If nothing else, the store could ban you and have you arrested for trespass if you ever came back.
| fortran77 wrote:
| You can shut down all sorts of things with the EICAR string encoded as a QR code.
|
| See: https://en.wikipedia.org/wiki/EICAR_test_file
|
| and this video https://www.youtube.com/watch?v=cIcbAMO6sxo where all the gates at a parking garage are rendered inoperable because someone scanned a QR code that encoded EICAR.
| pessimizer wrote:
| You could stick the barcode on tons of random items in the store.
| Maursault wrote:
| The barcode register attack was explored in an episode of The X-Files titled _Duane Barry_ (2x05; 14 Oct 1994), when Special Agent Dana Scully scans a chip (that had been found implanted in her neck and subsequently removed) at a grocery store checkout scanner, and IIRC all the registers went berserk. So this is definitely a thing.
| ct0 wrote:
| Similar to airplane phones in the late 90's using a calling card. While they asked for a calling card number, the system didn't actually confirm that there was any money on the card itself and just connected to the person you were calling.
| exikyut wrote:
| That actually makes sense, the logic there would be that the on-plane system just captured the card number and an on-the-ground system was responsible for checking and billing.
|
| Given that 747s (IIRC) are still using floppy disks (https://google.com/search?q=747+floppy+disks) the chances are the billing was probably done by some equally byzantine process.
|
| Yes, I'm saying that, despite the fact that
|
| "capture calling card number for later using on-plane PBX, establish satellite call directly to dialed number"
|
| and
|
| "establish satellite call directly to on-ground PBX, which asks for calling card number and forwards call"
|
| both ultimately return TRUE for "but users can trigger our satellite uplink to initiate connections just by picking up the phone!!1"... but the latter approach actually blocks illegitimate use and is thus measurably better, _and_ skips the need for an on-plane PBX too.
|
| I can't help but wonder if there was some sort of "capture the number first before initiating the call" initiative early on (which totally makes sense), only for the calling-card billing integration to fall through at some point, rendering the whole approach moot.
|
| Naturally I'm making a _lot_ of assumptions here, the biggest being that the plane isn't just making a direct-to-ground connection the moment you pick up the phone, with an on-ground system accepting then forgetting the calling card number. That would be even more stupefying but I do doubt that's what was happening.
| jedberg wrote:
| I'm amused that you linked to a google search for a floppy disk.
| driverdan wrote:
| Seems like this is blogspam of https://myfox8.com/news/north-carolina/high-point/its-appare...
| [deleted]
| stefan_ wrote:
| Which is blocked outside the US: https://archive.is/WFiU4
| exikyut wrote:
| FWIW that website loads fine for me in AU.
| eru wrote:
| Singapore, too. But archive link is always great!
| zufallsheld wrote:
| Probably just blocked for the EU because they do not comply with GDPR.
| Eduard wrote:
| Blocked because they don't understand GDPR.
| emj wrote:
| CNX does have a lot of good embedded news, and this fits the bill perfectly.
|
| It's interesting how we can make this easier to secure; as an embedded developer, perhaps there should be security by default, making it harder to circumvent that and making installs like this.
| dang wrote:
| Ok, URL changed to that from https://www.cnx-software.com/2022/03/19/gas-pumps-insecure-t.... Thanks!
| emj wrote:
| That's a bad idea, now we can't read it anymore!
| jonnycomputer wrote:
| So ..
|
| - should I be depressed at how shoddy our infrastructure is
|
| - elated that despite the low hanging fruit of these vulnerabilities, they aren't exploited nearly as often or as devastatingly as they could be
| micromacrofoot wrote:
| The payoff isn't worth the risk, you could at best get what? A thousand bucks of free gas? Downside is federal prison.
|
| Alternatively you can phish a credit card without leaving your house and get a way better return for lower exposure.
| _3u10 wrote:
| Exactly. You have to drive up with plates that identify where the car is from. You ain't stealing shit, unless you already stole the car, in which case steal the guy's wallet too.
|
| Gas and dash isn't a new idea.
| oliv__ wrote:
| Would be funny if someone figured out a way to remotely set all gas pumps in the country to "release mode" simultaneously: I'm sure this would make for a memorable experience.
| xyst wrote:
| It would be entertaining. But it wouldn't hurt the O&G companies.
|
| The gas is already paid for by the gas stations at X price. Arbitrarily lowering it to $0.01/gal does not do anything but hurt the local gas station owner or piss off minimum wage worker(s) dealing with the fallout.
| wincy wrote:
| Are they really minimum wage workers? The gas station near my house starts at $16 an hour at this point.
| hedora wrote:
| I'm guessing most gas station attendants would either hit the emergency stop button (which is big and red and physically cuts power), or put up signs asking people to record start and stop gallons and pay inside.
| kQq9oHeAz6wLLS wrote:
| Short term, for the consumer that sounds entertaining. Long term, I can think of no good outcomes. Stations go bankrupt, government bailouts with money from where? Etc.
| xyst wrote:
| Going bankrupt is a bit extreme in my opinion. A gas line company was infiltrated and held for ransom last year (Colonial Pipeline), yet they are still up and running. In the end, gas went up a couple of cents nationwide if I recall correctly (might have been limited to the east coast?). Company is still in business. The only people that were really hurt were Main Street.
| oliv__ wrote:
| Well yeah, I was saying this in a tongue in cheek manner, it would definitely be pretty bad for all those businesses.
| jonnycomputer wrote:
| Reading the article it seemed like there were more potential vulnerabilities than free gas.
| robocat wrote:
| > a thousand bucks of free gas?
|
| You could set up payments via anonymous cryptocurrency.
|
| From article: "At the time of the study, Kaspersky said around 29% of gas stations in India, and 27% in the US were connected to the Internet."
|
| That had the potential for a lot more than $1000 before getting fixed, although you would want your opsec to be pretty good.
| mmh0000 wrote:
| The Arizona Petroleum Marketers Association has a pretty good document[0] on current skimmers and fuel theft methods:
|
| [0] https://apma4u.org/wp-content/uploads/2012/06/Crompco-Update...
| ultra_nick wrote:
| Is my router insecure?
| ______-_-______ wrote:
| If you haven't flashed OpenWRT or something similar... most probably yes.
| kQq9oHeAz6wLLS wrote:
| But my homebrew OpenBSD router isn't supported by OpenWRT!
|
| /s
| hedora wrote:
| Did you try unplugging and plugging it back in?
|
| If that doesn't work, you should be able to find a factory reset button. Look for a hole you can stick a paper clip in, and power cycle with the button depressed.
|
| Once you do that, call your ISP and ask for the default password.
|
| /s
| wepple wrote:
| Yes. And OpenWRT is hardly an improvement.
|
| Luckily, every other hop you traverse across the internet is untrustworthy too, so having a bad router shouldn't worry you. Treat your home wifi like you treat Starbucks wifi.
| wait_a_minute wrote:
| Good reason to pay for gas with cash!
| fulafel wrote:
| There's some terminology confusion about internet routers. The devices that sit in a telco rack and have lots of fibers running in and out of them and decide what pipe to send your IP packets down are the more routery kinds of routers. The wifi AP + NAT box + cable modem thing you have in your house is doing mostly other things than routing and is called your CPE or Customer Premises Equipment. (Also NAT is not routing; the router requirements RFC forbids touching the address fields.)
| jtsiskin wrote:
| https://datatracker.ietf.org/doc/html/rfc2663
|
| ctrl+f "NAT router"
| zokier wrote:
| Router is a device that routes packets between two or more networks. CPE routes packets between the customer's LAN and the ISP's network, and as such is a router.
| fulafel wrote:
| Sure, it is technically a trivial one along with other functions. But it doesn't feel sensible to call it a router because that's not its defining characteristic. And the business of nontrivial routing that goes on in the devices whose full-time job is to be routers is different, involving routing protocols and stuff.
| yjftsjthsd-h wrote:
| I understand it's a little bit dumb that many people think of a router as a device that does Wi-Fi and maybe has a modem built-in, just because that's the only kind of router most people ever encounter. But for all that it's annoying and technically not quite precise, that is the colloquial use of the term.
| hedora wrote:
| Protocols like TCP/IP?
|
| The term "CPE" seems to be more about device ownership than technical function.
| detaro wrote:
| > _The term "CPE" seems to be more about device ownership than technical function._
|
| Not ownership, location. CPE can be owned by the network provider or by the customer.
|
| But it indeed doesn't have a clearly defined technical function. CPE can be just a modem, a consumer all-in-one device, or a "proper" enterprise-y router from Cisco/Juniper/...
| 0x0000000 wrote:
| No, neither TCP nor IP are routing protocols.
| fulafel wrote:
| Ambiguous parsing! A "routing protocol" here meant something like OSPF and BGP - vs routing the IP protocol.
| zokier wrote:
| > Also NAT is not routing
|
|     The term "transparent routing" is used throughout the document to identify the routing functionality that a NAT device provides. This is different from the routing functionality provided by a traditional router device in that a traditional router routes packets within a single address realm. Transparent routing refers to routing a datagram between disparate address realms, by modifying address contents in the IP header to be valid in the address realm into which the datagram is routed. Section 3.2 has a detailed description of transparent routing.
|
| Section 2.2 https://datatracker.ietf.org/doc/html/rfc2663
|
| NAT is still routing, even if it is different than "traditional" routing.
| fulafel wrote:
| That's an "informational" RFC by an individual that doesn't represent the IETF position. Whereas the router requirements is a standards track document.
|
| (And the reason it's an informational RFC is that IETF didn't want to encourage NAT.)
| qualudeheart wrote:
| There should be an open source gas station firmware framework written in Rust. The information security industry must expand to secure this piece of national security infrastructure.
| vineyardmike wrote:
| I'd prefer Go. Rust just has a bad name for infrastructure. Who wants rusty infrastructure? Can you imagine the news articles about rusted gas stations? Go on the other hand has a great name for vehicle infrastructure. Swift could work too.
|
| /s
| u2077 wrote:
| Can this be used to disable auto playing ads and news?
| swarnie wrote:
| Wait.... Your petrol pumps have adverts on them?
| DangitBobby wrote:
| A lot of the new ones do, yes. Sometimes having low rates of vandalism works against you, it turns out.
| ip26 wrote:
| Switched to electric just in time.
| wanderingmind wrote:
| So planning to watch an entire episode during recharge on a long drive?
| u2077 wrote:
| Yes, and at max volume of course.
| bonestamp2 wrote:
| Yes, sometimes a really annoying ad will play on the video screen once you start pumping. Other times, they will show you a funny clip from a talk show -- it's still an ad but at least it's entertaining.
| whalesalad wrote:
| Press the buttons along the right hand side from top to bottom in sequence. It usually works. Only failed me once at a station which was clearly intent on wild amenities and an overkill experience.
| hereforphone wrote:
| It fails a lot more often now. They've caught on.
| [deleted]
| PaulDavisThe1st wrote:
| Same story. 2 years ago, 2nd button from top on right side was always "mute". Now it never works in any pump I've tried. Disappointing.
| robbedpeter wrote:
| Most of the pumps I've interacted with have blank buttons near the display. In my region, the mute button is second down from the top right. Mash the unlabeled buttons though, and you'll probably find mute.
| noaheverett wrote:
| Can confirm this too, second down from top right is the mute button (in the south-east US at least).
| _wldu wrote:
| Gas stations are probably considered 'Critical Infrastructure' by the US government as they are part of 'Transportation Systems' infrastructure. Tampering with their computer systems (even just out of curiosity) is probably a bad idea.
|
| https://en.wikipedia.org/wiki/Critical_infrastructure
|
| You could end up with a felony conviction.
| [deleted]
| [deleted]
| amelius wrote:
| Or just wear a white hat.
| mojosam wrote:
| I don't think the Russians are going to care about a felony conviction. The major security holes in embedded devices that are part of our critical infrastructure are national security threats.
|
| Despite Putin's bluster about nuclear weapons, cyberattacks are the easiest way for Russia to inflict pain on the US and Western Europe in response to economic sanctions and our support for Ukraine militarily. And those could do a lot of damage, both in terms of our economies and even civilian American/European lives.
| [deleted]
| 1-6 wrote:
| Virtual Private Networks always existed long before today's internet VPNs or proxies. It used to be known as a 'Friend in Russia.'
| tormock wrote:
| I would probably hack the camera system first...
| cbanek wrote:
| I think this is actually done at least on ATMs. I have read it's a good way to get the PIN number for a card, as you might be able to see someone typing it in. Some of the skimmers I want to say even had a camera aimed at the keypad?
| tormock wrote:
| I don't think that they hack the existing camera system... they install their own.
| kzrdude wrote:
| Instead of the punitive angle, if they are critical infrastructure, what are the authorities of government doing to protect them?
| _wldu wrote:
| A lot. Pen tests, red teams, simulations, etc.
|
| The point is, if they want someone poking around these systems, they'll contract with them to do that. You should not tamper with them just out of curiosity. Convicted felons have a hard time finding jobs.
| ClumsyPilot wrote:
| 'The point is, if they want someone poking around these systems, they'll contract with them to do that'
|
| 'You plebs have no business poking around and finding out what people in power are doing or finding out if they've done their job properly. If they wanted someone holding them to account, they'd contract them to do that.'
| sha256sum wrote:
| > A lot. Pen tests, red teams, simulations, etc
|
| Okay, I call bullshit. That which can be claimed without evidence can also be refuted without evidence.
|
| That said, if you're feeling like finding out, do heed caution, because I'm sure the Man will love to make an example of the first person who figures out how to pump their gas at $0.01 per gallon.
| freedomben wrote:
| > _Okay, I call bullshit._ That which can be claimed without evidence can also be refuted without evidence.
|
| Aside from the extreme rudeness, what evidence are you looking for? Do you want GP to attach sensitive or classified pen test results here in a public forum?
|
| GP's claim is so obviously true that I don't see why they would need to provide "evidence," but you can find a mountain of it yourself with a single duck: https://duckduckgo.com/?q=us+government+penetration+tests&at...
|
| Pen tests are a requirement for any vendor doing business with the gov. Check out NIST 800-53 and the FedRAMP security process. It's much more intensive than SOC2, which is the standard in the commercial world. I think your information is about 10 to 20 years out of date.
| hn_version_0023 wrote:
| Calling bullshit on someone isn't rude, necessarily. Certainly it can be! But passing off bullshit as fact? That's pretty damned rude.
| imwillofficial wrote:
| It is absolutely rude and breaks down the conversation that was being made in good faith.
| hn_version_0023 wrote:
| We'll have to agree to disagree. Personally I think the key is to not use the word "bullshit" unless you're already on good terms with someone. But you can call BS without using that word, if you're certain your audience is easily offended.
|
| Not caring if you offend someone? That's also quite rude!
| lupire wrote:
| In the context today, someone called someone else bullshit without evidence.
| imwillofficial wrote:
| Making a claim based on experience is not "bullshit".
|
| Not every single thing spoken requires a double blind study.
|
| The person "calling bullshit" was wrong. I work in the industry, and no, I'm offering no evidence due to NDAs.
| freedomben wrote:
| > _I think the key is to not use the word "bullshit" unless you're already on good terms with someone._
|
| Yes, agree 100%. When you're busting balls with your friends it's perfectly fine, but when it's a stranger online who doesn't know you at all and is likely from a very different culture, it's not a good idea to respond that way, unless you want to offend.
| RussianCow wrote:
| There is no evidence of any of that happening for _gas stations_ specifically, which is what I think the OP meant. I would also call bullshit on that.
| imwillofficial wrote:
| Don't be lazy, do your own research.
| RussianCow wrote:
| I don't need to do research because I'm not the one who made the original assertion. You can't throw around unsubstantiated claims but require proof from those who try to refute them; that's not how it works.
| imwillofficial wrote:
| It is how it works.
|
| Not every claim is an argument requiring evidence.
|
| I work in the industry, you are 100% wrong, and due to NDAs I offer no proof of your wrongness.
|
| Go find it yourself if so inclined.
| imwillofficial wrote:
| "You can't throw around unsubstantiated claims but require proof from those who try to refute them"
|
| I am claiming relevant experience as my insider knowledge. What experience or proof do you have to back your refutation?
|
| That's how this works. When somebody gives you a peek behind the curtain while chatting, you don't go and demand proof. You can ask for it nicely of course. That is the socially acceptable thing to do.
|
| Your behavior is out of line given the casual and pleasant discourse before you showed up.
| sha256sum wrote:
| Yikes, I don't want to live in a world where calling bullshit is "obviously rude" but I'll bite.
|
| > Pen tests are a requirement for any vendor doing business with the gov.
|
| What does this prove? Solar Winds, Colonial Pipeline (maybe more relevant here), etc.
|
| Your search link doesn't include anything about extensive penetration tests ensuring the security of these devices. That's the claim. Where is the evidence?
|
| Also calling someone's knowledge "out of date" is a, dare I say, _rude_ assumption. But judging by your assurance in the security of government contractors I'd say your opinions are quite naive :)
| freedomben wrote:
| > _Yikes, I don't want to live in a world where calling bullshit is "obviously rude" but I'll bite._
|
| Sadly, this is an is/ought problem. I don't want to live in a world with poverty and war either, but that doesn't make it fact.
|
| > _What does this prove? Solar Winds, Colonial Pipeline (maybe more relevant here), etc._
|
| The point of pen tests is not to guarantee perfection. There are also ways to sweep things under the rug if those in charge are so inclined. But the existence of those things doesn't mean pen tests aren't done, or that nobody cares about security.
|
| > _Your search link doesn't include anything about extensive penetration tests ensuring the security of these devices. That's the claim._
| > _Where is the evidence?_
|
| Did you look at either of the first two hits? The first four indeed are evidence that the government does pen tests. The first hit is a government department that solely exists _to do penetration tests_ [1]. The second one, called "PENETRATION TEST GUIDANCE", is all the rules regarding how penetration tests _must be done_ [2].
|
| 1: https://www.doi.gov/ocio/customers/penetration-testing
|
| 2: https://www.fedramp.gov/assets/resources/documents/CSP_Penet...
|
| Ok, your turn for evidence. What evidence do you have that all of those things are fake? Or that none of the compliance officers actually check it?
|
| > _Also calling someone's knowledge "out of date" is a, dare I say, rude assumption._
|
| You're right, I apologize for doing that. I actually thought that was more charitable than the other possibilities, but it doesn't add anything to the discussion so should have been left out.
| earleybird wrote:
| > Aside from the extreme rudeness . . .
|
| "I call bullshit" is a colloquialism that derives from the "Bullshit Game"[0].
|
| Learn you some language for a great good.
|
| [0] https://gamerules.com/rules/bullshit-card-game/
| lupire wrote:
| Ironically, making a bullshit claim that someone is bullshitting, outside of a bullshitting game, is rude.
| krnlpnc wrote:
| Which is nonsense. What is the purpose of punitive action (jail) when a person will be punished for the rest of their life via stigma and ineligibility for jobs? How is that "correcting" a person's behavior?
| hedora wrote:
| It makes sure you never stop correcting them.
|
| Once a customer of the penal system, always a customer. They've worked hard to get their retention / repeat business numbers up this high. Why take that away from them?
| mbreese wrote:
| The punishment isn't only a punishment for the individual. It's a deterrent to keep the next person from doing whatever it was that was illegal.
| You can argue if that's right or wrong, but that's one of the points of many sentences -- to send a "message" to others who might commit a crime.
| MereInterest wrote:
| We could also argue whether it is effective or ineffective. I understand the incentive being introduced, to tip the scales in a rational decision-making process against a criminal act. However, that assumes that criminal acts are the result of a rational decision-making process, and that the possibility of punishment is high enough to enter into that process. Given the recidivism rate of the US, I don't think it is effective.
|
| You can argue whether a punitive system that effectively provides a deterrent is right or wrong, but a punitive system that isn't effective as a deterrent cannot make the same argument.
| akerl_ wrote:
| "Don't do crime, but if you do, I guess keep doing crimes forever because we're going to make it hard for you to get a real job" isn't really a compelling strategy.
| AnthonyMouse wrote:
| That's the business model of the prison industrial complex.
| akerl_ wrote:
| Let's be clear where the blame sits. The "prison industrial complex" isn't creating this. Private enterprise is set up to profit from incarceration rates and thus recidivism, but the reason that people can't get jobs after they finish their sentence is the fault of all of us. Every company that refuses to hire somebody with a record is contributing to the problem, as is every person who looks down on somebody for having been incarcerated.
| lupire wrote:
| If there are fewer jobs than people, some people will not have jobs and thus be tempted into criminal behavior.
|
| If there are more jobs than people, felons will be hired.
| akerl_ wrote:
| This is pretty intensely reductive of the actual state of the world. It only works if all people are competing for all jobs, which they are not.
|
| To pick a boring example, see the multitude of companies complaining about labor shortages and also the number of felons who are struggling to find jobs.
| lobocinza wrote:
| It's optimized for retention and not for reintegration.
| indymike wrote:
| > Tampering with their computer systems (even just out of curiosity) is probably a bad idea.
|
| I don't think the kind of people who are robbing gas really care about whether this is a bad idea. That's why sometimes the right answer is to focus on preventing the crime because...
|
| > You could end up with a felony conviction.
|
| The crooks really don't care. It's all about not getting caught.
| nsxwolf wrote:
| The crooks often already have a felony conviction, and are already living with the permanent consequences of that. The only remaining disincentive to crime for them is additional jail time, which can start to be seen as just a cost of doing business - X years for Y dollars.
| maxerickson wrote:
| The way the legal system works, the safe option is to not do anything with systems that you don't own or have authorization to use.
|
| Like public facing websites that advertise they are meant to have users are pretty safe, but after that, explicit authorization is a good idea vs deciding for yourself whether it might be critical infrastructure.
| Terry_Roll wrote:
| I was going to suggest, why not buy your own gas pumps and do a hackathon!
| astura wrote:
| I think the "bladder trucks" used to steal the fuel are the most interesting part of this story but there are no pictures of one. A picture of one is here - https://krebsonsecurity.com/2015/11/gas-theft-gangs-fuel-pum...
| neilv wrote:
| > _And software and hardware surely have been changed since his investigation._
|
| That phrasing seems to imply to readers that awareness of a serious/expensive security vulnerability would result in it being fixed.
| neilv wrote:
| The post ID for https://news.ycombinator.com/item?id=30733337 is almost three-leet.
| [deleted]
| [deleted]
| criddell wrote:
| Is there a hack to turn off the screen playing ads?
| boring_twenties wrote:
| The TVs are mildly annoying but the worst part is the stupid questions many now ask before you can pump any gas.
|
| When it's freezing cold outside, 1) no, I don't want a fucking car wash and 2) I really resent having to spend the couple extra seconds out in the cold to answer that question.
| kevin_thibedeau wrote:
| Getting in and out of a vehicle when pumping gas is a fire hazard. In the winter low humidity air makes static discharge more likely.
| boring_twenties wrote:
| I'm not sure how that's relevant?
| jeffbee wrote:
| The same "hack" that has so many other benefits: don't buy gas.
| Rebelgecko wrote:
| Usually if you push the buttons next to the screen one of them will mute the ad
| SQueeeeeL wrote:
| I feel like it's such a shitty opt out system. I wonder if there's a way to mass disable the ads
| hedora wrote:
| Boycott those gas station chains (hint: the cheap gas stations don't pay to upgrade pumps), or buy an EV.
| SQueeeeeL wrote:
| Gas is a commodity, so boycotts don't work, also that puts the onus on the consumer for being annoyed and not the corporations for literally pumping ads into a mandatory part of our society (where I live, I can't function without a car)
| vineyardmike wrote:
| In populous areas, it can influence the map routing when you ask your phone to pick a gas station. If there are many, it may (?) filter out low stars.
| criddell wrote:
| You can pay google to route people to your gas station. I'm guessing overcoming bad ratings would be just a matter of paying google.
| SQueeeeeL wrote:
| Also who tf reviews gas stations.
| It's a minor annoyance, that's why they do it, I'd just rather have a state level solution that banned having ads shoved in my face all the time
| rconti wrote:
| Yup. I'll leave it as a 1-star Google review (not that many people read reviews before choosing a gas station), and then go elsewhere. My second-closest station has these TVs. I forgot once or twice and returned by accident, but now I never forget.
| krnlpnc wrote:
| You can usually mute them by pressing one of the buttons next to the screen, often the second down on the right.
| jeffbee wrote:
| Hard-coded passwords are a very relevant problem in real-world security. Most of those apartment building entry systems are left with the factory password, so you can let yourself right in.
| darknavi wrote:
| If you aren't sold on EVs yet, here is a perk that often isn't the main spotlight:
|
| Never go to a gas station again.
| digisign wrote:
| Unfortunately EV stations make a point to know their customer, extensively. Is it even possible to pay cash and not have your car identified by the charger in a significant number of stations?
| fragmede wrote:
| Depending on your POV, the main "gas" station in your garage for an EV has either extensive knowledge of you, or ~zero knowledge of you. Outside gas stations are for use only for road trips.
| darknavi wrote:
| Not that I know of but I don't see anything precluding it.
|
| Like others have said, most of the "gas station" is at your residence and is probably via a dumb charger.
| TheDong wrote:
| > Is it even possible to pay cash and not have your car identified by the charger in a significant number of stations?
|
| The majority of the charging you do will be at your home, where you already pay for electricity. Unlike gas stations, which you go to every few weeks, you'll "fill up" away from home only infrequently, only when traveling multiple hundreds of miles away.
|
| When you are away from home, it's sometimes possible to charge anonymously like you describe. RV campgrounds/RV parking often has a dumb electric outlet (which you'll need an adapter for) that can charge you quicker than a regular household outlet. Any place that has regular electric outlets can "trickle charge" you.
|
| That said, you're right that EV charging when you're on a trip is more tech heavy and less anonymous than filling up at a gas station.
|
| If your threat model doesn't allow for certain private companies to know your rough whereabouts when you're on road trips, then yeah, don't get an EV, don't use credit cards, don't use a phone, etc etc. Most people's threat models are perfectly fine with this though.
| Eduard wrote:
| > The majority of the charging you do will be at your home
|
| I'm worried someone will stumble upon the 50 meters of charging cable I have to hang from the third floor, along the pedestrian way, towards the car - in case I'm lucky to get a parking space just in front of the condo.
| bonestamp2 wrote:
| Some of the chargers can be set so they will only charge your car (or other cars that you whitelist).
| Animats wrote:
| _"Researchers also found that many of the systems had "default credentials," which means they might have similar access codes unless an employee took the time to change them."_
|
| That should be considered gross negligence. Criminal negligence for anything shipped with default credentials since ransomware became a thing.
___________________________________________________________________
(page generated 2022-03-19 23:00 UTC)