[HN Gopher] Gas pumps happen to be about as insecure as your typ...
___________________________________________________________________
Gas pumps happen to be about as insecure as your typical router
Author : homarp
Score : 261 points
Date : 2022-03-19 12:49 UTC (10 hours ago)
| BuckRogers wrote:
| I do believe the 'typical' home router is insecure, but mine is
| rather typical and has had great security updates for 4 years
| now.[0] It's definitely nothing special, just a $100USD unit.
| Asus also has an autoupdate feature so their owners don't even
| have to do anything. I haven't used another brand in years, I had
| a Buffalo router before this, but I've been following the release
| notes on this one and security _seems_ top notch for a low-end
| home router. I do run a 3rd party firmware on this, but it's
| downstream from Asus's.
|
| [0]https://www.asus.com/us/Networking-IoT-Servers/WiFi-
| Routers/...
| [deleted]
| syngrog66 wrote:
| I've worked on the embedded software inside a major brand/model
| of gas pump, so this article will be interesting.
| [deleted]
| aftbit wrote:
| I believe the magic word is "SiteOmat".
| prettyStandard wrote:
| Once I scanned barcodes from a competing store rewards program
| into a PointOfSale terminal of a grocery store. The machine
| promptly shut down. Sometimes I wonder if that was a failure mode
| to prevent attacks or a lack of sanitizing inputs.
| Mountain_Skies wrote:
| Most of the stores where I live allow you to scan other stores
| rewards cards. You don't get points on your account but you
| still get whatever sale prices that are reserved for reward
| card holders. Wonder if in your case the store supported this
| function but there was a null or something similar in the
| record for that card type.
| heywire wrote:
| Most retailers use the same ranges for their rewards cards,
| UPC-A barcodes starting with 4. So even if not intentional,
| if their system is configured to allow an unregistered card
| to receive discounts, doesn't validate registration at all,
| or the number collides with a legitimate rewards card, you'll
| receive the sale pricing. Similarly, if you simply use a
| common phone number like xxx-867-5309, 800-555-1212, the
| store's phone number, etc., you'll probably get discounts
| too.
| rhino369 wrote:
| At the store I worked at 15 years ago, any 4xxxxxxxxxxx code
| would give you the loyalty program. No reason to
| authenticate, they'll give you the "discount" (hint: it's not
| really a discount) even if you just ask.
| myself248 wrote:
| Lack of sanitizing inputs. Barcode scanners are hilariously
| bad, look up "scan tags" for why.
|
| Q: This barcode scanner has a million options, how do we
| configure them?
|
| A: By showing configuration barcodes to it!
| _pmf_ wrote:
| > Barcode scanners are hilariously bad
|
| Aren't they just USB HID (previously: serial) devices that
| literally just output key codes for the numbers detected?
| janci wrote:
| Yes. And they can send all key scan codes, i.e. Win+R cmd
| <enter> format c: <enter> or something...
| hjadal wrote:
| The ones I have used worked like that. They gave wonky
| output if you scanned something that was not a bar code.
|
| I also used a 2D scanner and it worked the same way.
| Eduard wrote:
| Looked up "scan tags", didn't find anything. Can you clarify?
| cliffwarden wrote:
| A lot of them are configured by literally scanning
| settings. These "settings" barcodes are often left out in
| the open, or easy to recreate. I used to have a "cheat
| sheet" when I managed scanners in a warehouse
|
| https://downloads.dell.com/manuals/all-
| products/esuprt_tab_m...
| isaac21259 wrote:
| [1] Is what (I believe) they were talking about. Rather
| than configuring these in a sane way you just scan
| configuration barcodes. I didn't see anything on the list
| that was too dangerous but you could change the maximum
| input length or allow full ASCII encoding which could be
| dangerous if the programmers assumed that the barcode
| reader returns a fixed length string of numbers.
|
| [1] https://cdn.sparkfun.com/assets/b/5/0/e/e/DY_Scan_Setti
| ng_Ma...
| Groxx wrote:
| honestly that sounds like a super-convenient and easy to
| use approach. field-configuring in an instant without any
| specialized hardware is great.
|
| ... but yeah, it should require pressing a recessed
| button with a pin or something. not allow it all the
| time.
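The loyalty-card and scanner-input points made above (any 4xxxxxxxxxxx code being accepted with no lookup, scanners in full-ASCII mode able to emit arbitrary keystrokes, and register code that assumes a fixed-length numeric string) collapse into one input-validation routine. The Python below is an added example, not code from the thread or from any retailer's point-of-sale system. The sample scans, the loyalty registry and both discount rules are constructed for illustration; the "number system digit 4 means a store-issued card" convention comes from the comments above, and the check-digit arithmetic is the standard UPC-A rule.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set

# Constructed sample inputs (not from the thread): the text a USB HID barcode
# scanner "types" into the point-of-sale input field before its Enter suffix.
SAMPLE_SCANS = {
    "retail_item": "036000291452",           # a well-known valid UPC-A
    "loyalty_registered": "400000000008",    # constructed: prefix 4, valid check digit
    "loyalty_unregistered": "400000000107",  # constructed: well-formed but never enrolled
    "bad_check_digit": "036000291453",
    "short": "4000",
    "letters": "4ABC00000008",
    "keystroke_injection": "4000\x1bcmd\r",  # control characters a full-ASCII scanner can emit
    "overlong": "4" * 40,
}

# Constructed loyalty registry; a real register would query a database here.
REGISTERED_LOYALTY: Set[str] = {"400000000008"}

LOYALTY_PREFIX = "4"          # number-system digit used for store cards, per the thread
UPCA_RE = re.compile(r"[0-9]{12}")  # ASCII digits only: rejects letters, \r, ESC, Unicode digits


def upca_check_digit(body: str) -> int:
    """UPC-A check digit for the first 11 digits: (3 * sum of odd positions + sum of even positions) mod 10."""
    if len(body) != 11 or not body.isascii() or not body.isdigit():
        raise ValueError("body must be 11 ASCII digits")
    odd = sum(int(c) for c in body[0::2])   # positions 1, 3, ..., 11
    even = sum(int(c) for c in body[1::2])  # positions 2, 4, ..., 10
    return (10 - (3 * odd + even) % 10) % 10


@dataclass
class ScanResult:
    ok: bool
    kind: str                   # "item", "loyalty" or "rejected"
    code: Optional[str] = None
    reason: Optional[str] = None


def validate_scan(raw: str, max_len: int = 12) -> ScanResult:
    """Treat scanner text as untrusted keyboard input: cap the length first, then digits only, then check digit."""
    if len(raw) > max_len:
        return ScanResult(False, "rejected", reason="overlong")
    if not UPCA_RE.fullmatch(raw):
        return ScanResult(False, "rejected", reason="not 12 ASCII digits")
    if upca_check_digit(raw[:11]) != int(raw[11]):
        return ScanResult(False, "rejected", reason="bad check digit")
    kind = "loyalty" if raw.startswith(LOYALTY_PREFIX) else "item"
    return ScanResult(True, kind, code=raw)


def discount_allowed(raw: str, registry: Set[str] = REGISTERED_LOYALTY) -> bool:
    """Hardened rule: a well-formed '4' code identifies a card type; only a registry hit authenticates it."""
    result = validate_scan(raw)
    return result.ok and result.kind == "loyalty" and result.code in registry


def discount_allowed_weak(raw: str) -> bool:
    """The behaviour described in the thread: any input starting with '4' gets the discount, no lookup."""
    return raw.startswith(LOYALTY_PREFIX)


if __name__ == "__main__":
    for name, scan in SAMPLE_SCANS.items():
        r = validate_scan(scan)
        print(f"{name:22s} weak={discount_allowed_weak(scan)!s:5s} "
              f"hardened={discount_allowed(scan)!s:5s} kind={r.kind} reason={r.reason}")
```

Running the block shows the difference the thread is pointing at: the weak rule grants the discount to the keystroke-injection string and to a never-enrolled card number simply because both start with 4, while the hardened path rejects malformed input before it reaches any business logic and still refuses a perfectly valid but unregistered card.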
| isoprophlex wrote:
| In the early days of our local rfid-powered public transport
| payment system, I tried scanning a random misc rfid card from
| my wallet instead of the correct payment card.
|
| The gate locked up and started screeching its "I scanned a
| card" chime on loop.
|
| It was hilarious... and I guess a matter of poorly sanitized
| inputs.
| flir wrote:
| > The machine promptly shutdown.
|
| I have a credit card that bluescreens (some) PoS terminals. I
| theorize the upstream server is returning a rare error code
| when it's used in contactless mode, because that account's
| never been approved for contactless. In that case I'm going
| with lack of sanitizing inputs.
| MBCook wrote:
| That's quite strange. There's a very rigorous certification
| process such terminals are supposed to go through.
| posguy wrote:
| Terminals that only supported the first version of tap to
| pay in the USA often have this bug when activated by a card
| from this first version of tap to pay.
| Hamuko wrote:
| Sounds like a pretty easy way to do a denial-of-service attack
| against a grocery store if you can just shut down a bunch of
| terminals with a barcode. I guess you'll stand out a fair bit
| if you move from PoS to PoS, scanning a barcode.
| flerchin wrote:
| I suppose it would be considered vandalism. "but i just
| scanned a barcode" will not amuse the judge.
| Mountain_Skies wrote:
| If nothing else, the store could ban you and have you
| arrested for trespass if you ever came back.
| fortran77 wrote:
| You can shut down all sorts of things with the EICAR string
| encoded as a QR code.
|
| See: https://en.wikipedia.org/wiki/EICAR_test_file
|
| and this video https://www.youtube.com/watch?v=cIcbAMO6sxo
| where all the gates at a parking garage are rendered
| inoperable because someone scanned a QR code that encoded
| EICAR
| pessimizer wrote:
| You could stick the barcode on tons of random items in the
| store.
| Maursault wrote:
| The barcode register attack was explored in an episode of The
| X-Files titled _Duane Barry_ (2x05; 14 Oct 1994), when
| Special Agent Dana Scully scans a chip (that had been found
| implanted in her neck and subsequently removed) at a grocery
| store checkout scanner, and iirc all the registers went
| berserk. So this is definitely a thing.
| ct0 wrote:
| Similar to airplane phones in the late 90's using a calling
| card. While they asked for a calling card number, the system
| didn't actually confirm that there was any money on the card
| itself and just connected to the person you were calling.
| exikyut wrote:
| That actually makes sense, the logic there would be that the
| on-plane system just captured the card number and an on-the-
| ground system was responsible for checking and billing.
|
| Given that 747s (IIRC) are still using floppy disks
| (https://google.com/search?q=747+floppy+disks) the chances
| are the billing was probably done by some equally byzantine
| process.
|
| Yes, I'm saying that, despite the fact that
|
| "capture calling card number for later using on-plane PBX,
| establish satellite call directly to dialed number"
|
| and
|
| "establish satellite call directly to on-ground PBX, which
| asks for calling card number and forwards call"
|
| both ultimately return TRUE for "but users can trigger our
| satellite uplink to initiate connections just by picking up
| the phone!!1"... but the latter approach actually blocks
| illegitimate use and is thus measurably better, _and_ skips
| the need for an on-plane PBX too.
|
| I can't help but wonder if there was some sort of "capture
| the number first before initiating the call" initiative early
| on (which totally makes sense), only for the calling-card
| billing integration to fall through at some point rendering
| the whole approach moot.
|
| Naturally I'm making a _lot_ of assumptions here, the biggest
| being that the plane isn't just making a direct-to-ground
| connection the moment you pick up the phone, with an on-
| ground system accepting then forgetting the calling card
| number. That would be even more stupefying but I do doubt
| that's what was happening.
| jedberg wrote:
| I'm amused that you linked to a google search for a floppy
| disk.
| driverdan wrote:
| Seems like this is blogspam of https://myfox8.com/news/north-
| carolina/high-point/its-appare...
| [deleted]
| stefan_ wrote:
| Which is blocked outside the US: https://archive.is/WFiU4
| exikyut wrote:
| FWIW that website loads fine for me in AU.
| eru wrote:
| Singapore, too. But archive link is always great!
| zufallsheld wrote:
| Probably just blocked for the EU because they do not comply
| with gdpr.
| Eduard wrote:
| Blocked because they don't understand GDPR
| emj wrote:
| CNX does have a lot of good embedded news, and this fits the
| bill perfectly.
|
| It's interesting how we can make this easier to secure; as an
| embedded developer, perhaps there should be security by
| default, making it harder to circumvent that and to make
| installs like this.
| dang wrote:
| Ok, URL changed to that from https://www.cnx-
| software.com/2022/03/19/gas-pumps-insecure-t.... Thanks!
| emj wrote:
| That's a bad idea, now we can't read it anymore!
| jonnycomputer wrote:
| So ..
|
| - should I be depressed at how shoddy our infrastructure is
|
| - elated that despite the low hanging fruit of these
| vulnerabilities, they aren't exploited nearly as often or as
| devastatingly as they could be
| micromacrofoot wrote:
| The payoff isn't worth the risk, you could at best get what? a
| thousand bucks of free gas? downside is federal prison
|
| alternatively you can phish a credit card without leaving your
| house and get a way better return for lower exposure
| _3u10 wrote:
| Exactly. You have to drive up with plates that identify where
| the car is from. You ain't stealing shit, unless you already
| stole the car in which case steal the guys wallet too.
|
| Gas and dash isn't a new idea.
| oliv__ wrote:
| Would be funny if someone figured out a way to remotely set
| all gas pumps in the country to "release mode"
| simultaneously: I'm sure this would make for a memorable
| experience.
| xyst wrote:
| It would be entertaining. But it wouldn't hurt the O&G
| companies.
|
| The gas is already paid for by the gas stations at X price.
| Arbitrarily lowering it to $0.01/gal does not do anything
| but hurt the local gas station owner or piss off minimum
| wage worker(s) dealing with the fallout.
| wincy wrote:
| Are they really minimum wage workers? The gas station
| near my house starts at $16 an hour at this point.
| hedora wrote:
| I'm guessing most gas station attendants would either hit
| the emergency stop button (which is big and red and
| physically cuts power), or put up signs asking people to
| record start and stop gallons and pay inside.
| kQq9oHeAz6wLLS wrote:
| Short term, for the consumer that sounds entertaining. Long
| term, I can think of no good outcomes. Stations go
| bankrupt, government bailouts with money from where? Etc
| xyst wrote:
| Going bankrupt is a bit extreme in my opinion. A gas line
| company was infiltrated and held for ransom last year
| (Colonial Pipeline), yet they are still up and running.
| In the end, gas went up a couple of cents nationwide if I
| recall correctly (might have been limited to the east
| coast?). Company is still in business. The only people
| that were really hurt was the Main Street.
| oliv__ wrote:
| Well yeah, I was saying this in a tongue in cheek manner,
| it would definitely be pretty bad for all those
| businesses
| jonnycomputer wrote:
| Reading the article it seemed like there was more potential
| vulnerabilities than free gas.
| robocat wrote:
| > a thousand bucks of free gas?
|
| You could set up payments via anonymous cryptocurrency.
|
| From article: "At the time of the study, Kaspersky said
| around 29% of gas stations in India, and 27% in the US were
| connected to the Internet.".
|
| That had the potential for a lot more than $1000 before
| getting fixed, although you would want your opsec to be
| pretty good.
| mmh0000 wrote:
| The Arizona Petroleum Marketers Association has a pretty good
| document[0] on current skimmers and fuel theft methods:
|
| [0] https://apma4u.org/wp-content/uploads/2012/06/Crompco-
| Update...
| ultra_nick wrote:
| Is my router insecure?
| ______-_-______ wrote:
| If you haven't flashed OpenWRT or something similar... most
| probably yes.
| kQq9oHeAz6wLLS wrote:
| But my homebrew OpenBSD router isn't supported by OpenWRT!
|
| /s
| hedora wrote:
| Did you try unplugging and plugging it back in?
|
| If that doesn't work, you should be able to find a factory
| reset button. Look for a hole you can stick a paper clip
| in, and power cycle with the button depressed.
|
| Once you do that, call your ISP and ask for the default
| password.
|
| /s
| wepple wrote:
| Yes. And OpenWRT is hardly an improvement.
|
| Luckily, every other hop you traverse across the internet is
| untrustworthy too, so having a bad router shouldn't worry you.
| Treat your home wifi like you treat Starbucks wifi.
| wait_a_minute wrote:
| Good reason to pay for gas with cash!
| fulafel wrote:
| There's some terminology confusion about internet routers. The
| devices that sit in a telco rack and have lots of fibers running
| in and out of them and decide what pipe to send your IP packets
| down to are the more routery kinds of routers. The wifi ap + nat
| box + cable modem thing you have in your house is doing mostly
| other things than routing and is called your CPE or Customer
| Premises Equipment. (Also NAT is not routing, the router
| requirements RFC forbids touching the address fields).
| jtsiskin wrote:
| https://datatracker.ietf.org/doc/html/rfc2663
|
| ctrl +f "NAT router"
| zokier wrote:
| Router is a device that routes packets between two or more
| networks. CPE routes packets between the customer's LAN and the
| ISP's network, and as such is a router.
| fulafel wrote:
| Sure, it is technically a trivial one along with other
| functions. But it doesn't feel sensible to call it a router
| because that's not its defining characteristic. And the
| business of nontrivial routing that goes on in the devices
| whose full-time job is to be routers is different, involving
| routing protocols and stuff.
| yjftsjthsd-h wrote:
| I understand it's a little bit dumb that many people think
| of a router as a device that does Wi-Fi and maybe has a
| modem built-in, just because that's the only kind of router
| most people ever encounter. But for all that it's annoying
| and technically not quite precise, that is the colloquial
| use of the term.
| hedora wrote:
| Protocols like TCP/IP?
|
| The term "CPE" seems to be more about device ownership than
| technical function.
| detaro wrote:
| > _The term "CPE" seems to be more about device ownership
| than technical function._
|
| Not ownership, location. CPE can be owned by the network
| provider or by the customer.
|
| But it indeed doesn't have a clearly defined technical
| function. CPE can be just a modem, a consumer all-in-one
| device, or a "proper" enterprise-y router from
| Cisco/Juniper/...
| 0x0000000 wrote:
| No, neither TCP nor IP are routing protocols.
| fulafel wrote:
| Ambiguous parsing! A "routing protocol" here meant
| something like OSPF and BGP - vs routing the IP protocol.
| zokier wrote:
| > Also NAT is not routing
|
| The term "transparent routing" is used throughout the document
| to identify the routing functionality that a NAT device
| provides. This is different from the routing functionality
| provided by a traditional router device in that a traditional
| router routes packets within a single address realm.
| Transparent routing refers to routing a datagram between
| disparate address realms, by modifying address contents in the
| IP header to be valid in the address realm into which the
| datagram is routed. Section 3.2 has a detailed description of
| transparent routing.
|
| Section 2.2 https://datatracker.ietf.org/doc/html/rfc2663
|
| NAT is still routing, even if it is different than
| "traditional" routing.
| fulafel wrote:
| That's an "informational" rfc by an individual that doesn't
| represent the IETF position. Whereas the router requirements
| is a standards track document.
|
| (And the reason it's an informational RFC is that IETF didn't
| want to encourage NAT)
| qualudeheart wrote:
| There should be an open source gas station firmware framework
| written in Rust. The information security industry must expand to
| secure this piece of national security infrastructure.
| vineyardmike wrote:
| I'd prefer go. Rust just has a bad name for infrastructure. Who
| wants rusty infrastructure? Can you imagine the news articles
| about rusted gas stations? Go on the other hand has a great
| name for vehicle infrastructure. Swift could work too.
|
| /s
| u2077 wrote:
| Can this be used to disable auto playing ads and news?
| swarnie wrote:
| Wait.... Your petrol pumps have adverts on them?
| DangitBobby wrote:
| A lot of the new ones do, yes. Sometimes having low rates of
| vandalism works against you, it turns out.
| ip26 wrote:
| Switched to electric just in time.
| wanderingmind wrote:
| So planning to watch an entire episode during recharge on
| a long drive?
| u2077 wrote:
| Yes, and at max volume of course.
| bonestamp2 wrote:
| Yes, sometimes a really annoying ad will play on the video
| screen once you start pumping. Other times, they will show
| you a funny clip from a talk show -- it's still an ad but at
| least it's entertaining.
| whalesalad wrote:
| Press the buttons along the right hand side from top to bottom
| in sequence. It usually works. Only failed me once at a station
| who was clearly intent on wild amenities and overkill
| experience.
| hereforphone wrote:
| It fails a lot more often now. They've caught on.
| [deleted]
| PaulDavisThe1st wrote:
| Same story. 2 years ago, 2nd button from top on right side
| was always "mute". Now it never works in any pump I've
| tried. Disappointing.
| robbedpeter wrote:
| Most of the pumps I've interacted with have blank buttons near
| the display. In my region, the mute button is second down from
| the top right. Mash the unlabeled buttons though, and you'll
| probably find mute.
| noaheverett wrote:
| Can confirm this too, second down from top right is the mute
| button (in the south-east US at least)
| _wldu wrote:
| Gas stations are probably considered 'Critical Infrastructure' by
| the US government as they are part of 'Transportation Systems'
| infrastructure. Tampering with their computer systems (even just
| out of curiosity) is probably a bad idea.
|
| https://en.wikipedia.org/wiki/Critical_infrastructure
|
| You could end up with a felony conviction.
| [deleted]
| [deleted]
| amelius wrote:
| Or just wear a white hat.
| mojosam wrote:
| I don't think the Russians are going to care about a felony
| conviction. The major security holes in embedded devices that
| are part of our critical infrastructure are national security
| threats.
|
| Despite Putin's bluster about nuclear weapons, cyberattacks are
| the easiest way for Russia to inflict pain on the US and
| Western Europe in response to economic sanctions and our
| support for Ukraine militarily. And those could do a lot of
| damage, both in terms of our economies and even civilian
| American/European lives.
| [deleted]
| 1-6 wrote:
| Virtual Private Networks always existed long before today's
| internet VPNs or proxies. It used to be known as a 'Friend in
| Russia.'
| tormock wrote:
| I would probably hack the camera system first...
| cbanek wrote:
| I think this is actually done at least on ATMs. I have read
| it's a good way to get the pin number for a card, as you
| might be able to see someone typing it in. Some of the
| skimmers I want to say even had a camera aimed at the keypad?
| tormock wrote:
| I don't think that they hack the existing camera system...
| they install their own.
| kzrdude wrote:
| Instead of the punitive angle, if they are critical
| infrastructure, what are the authorities of government doing to
| protect them?
| _wldu wrote:
| A lot. Pen tests, red teams, simulations, etc.
|
| The point is, if they want someone poking around these
| systems, they'll contract with them to do that. You should
| not tamper with them just out of curiosity. Convicted felons
| have a hard time finding jobs.
| ClumsyPilot wrote:
| 'The point is, if they want someone poking around these
| systems, they'll contract with them to do that'
|
| You plebs have no business poking around and finding out what
| people in power are doing or finding out if they've done their
| job properly. If they wanted someone holding them to
| account, they'd contract them to do that'
| sha256sum wrote:
| > A lot. Pen tests, red teams, simulations, etc
|
| Okay, I call bullshit. That which can be claimed without
| evidence can also be refuted without evidence.
|
| That said, if you're feeling like finding out do heed
| caution because I'm sure the Man will love to make an
| example of the first person who figures out how to pump
| their gas at $0.01 per gallon.
| freedomben wrote:
| > _Okay, I call bullshit._ That which can be claimed
| without evidence can also be refuted without evidence.
|
| Aside from the extreme rudeness, what evidence are you
| looking for? Do you want GP to attach sensitive or
| classified pen test results here in a public forum?
|
| GP's claim is so obviously true that I don't see why they
| would need to provide "evidence," but you can find a
| mountain of it yourself with a single duck: https://duckd
| uckgo.com/?q=us+government+penetration+tests&at...
|
| Pen tests are a requirement for any vendor doing business
| with the gov. Check out NIST 800-53 and the FedRAMP
| security process. It's much more intensive than SOC2
| which is the standard in the commercial world. I think
| your information is about 10 to 20 years out of date.
| hn_version_0023 wrote:
| Calling bullshit on someone isn't rude, necessarily.
| Certainly it can be! But passing off bullshit as fact?
| That's pretty damned rude.
| imwillofficial wrote:
| It is absolutely rude and breaks down the conversation
| that was being made in good faith.
| hn_version_0023 wrote:
| We'll have to agree to disagree. Personally I think the
| key is to not use the word "bullshit" unless you're
| already on good terms with someone. But you can call BS
| without using that word, if you're certain your audience
| is easily offended.
|
| Not caring if you offend someone? That's also quite rude!
| lupire wrote:
| In the context today, someone called someone else
| bullshit without evidence.
| imwillofficial wrote:
| Making a claim based on experience is not "bullshit"
|
| Not every single thing spoken requires a double blind
| study.
|
| The person "calling bullshit" was wrong. I work in the
| industry, and no I'm offering no evidence due to NDAs.
| freedomben wrote:
| > _I think the key is to not use the word "bullshit"
| unless you're already on good terms with someone._
|
| Yes, agree 100%. When you're busting balls with your
| friends it's perfectly fine, but when it's a stranger
| online who doesn't know you at all and is likely from a
| very different culture, it's not a good idea to respond
| that way, unless you want to offend.
| RussianCow wrote:
| There is no evidence of any of that happening for _gas
| stations_ specifically, which is what I think the OP
| meant. I would also call bullshit on that.
| imwillofficial wrote:
| Don't be lazy, do your own research.
| RussianCow wrote:
| I don't need to do research because I'm not the one who
| made the original assertion. You can't throw around
| unsubstantiated claims but require proof from those who
| try to refute them; that's not how it works.
| imwillofficial wrote:
| It is how it works.
|
| Not every claim is an argument requiring evidence.
|
| I work in the industry, you are 100% wrong, due to NDAs I
| offer no proof of your wrongness.
|
| Go find it yourself if so inclined.
| imwillofficial wrote:
| "You can't throw around unsubstantiated claims but
| require proof from those who try to refute them"
|
| I am claiming relevant experience as my insider
| knowledge. What experience or proof do you have to back
| your refutation?
|
| That's how this works. When somebody gives you a peek
| behind the curtain while chatting, you don't go and
| demand proof. You can ask for it nicely of course. That
| is the socially acceptable thing to do.
|
| Your behavior is out of line given the casual and
| pleasant discourse before you showed up.
| sha256sum wrote:
| Yikes, I don't want to live in a world where calling
| bullshit is "obviously rude" but I'll bite.
|
| > Pen tests are a requirement for any vendor doing
| business with the gov.
|
| What does this prove? Solar Winds, Colonial Pipeline
| (maybe more relevant here), etc.
|
| Your search link doesn't include anything about extensive
| penetration tests ensuring the security of these devices.
| That's the claim. Where is the evidence?
|
| Also calling someone's knowledge "out of date" is a, dare
| I say _rude_ assumption. But judging by your assurance in
| the security of government contractors I'd say your
| opinions are quite naive :)
| freedomben wrote:
| > _Yikes, I don't want to live in a world where calling
| bullshit is "obviously rude" but I'll bite._
|
| Sadly, this is an is/ought problem. I don't want to live
| in a world with poverty and war either, but that doesn't
| make it fact.
|
| > _What does this prove? Solar Winds, Colonial Pipeline
| (maybe more relevant here), etc._
|
| The point of pen tests is not to guarantee perfection.
| There are also ways to sweep things under the rug if
| those in charge are so inclined. But the existence of
| those things doesn't mean pen tests aren't done, or that
| nobody cares about security.
|
| > _Your search link doesn't include anything about
| extensive penetration tests ensuring the security of
| these devices. That's the claim. Where is the evidence?_
|
| Did you look at either of the first two hits? The first
| four indeed are evidence that the government does pen
| tests. The first hit is a government department that
| solely exists _to do penetration tests_ [1]. The second
| one called "PENETRATION TEST GUIDANCE" is all the rules
| regarding how penetration tests _must be done_ [2].
|
| 1: https://www.doi.gov/ocio/customers/penetration-testing
|
| 2: https://www.fedramp.gov/assets/resources/documents/CSP
| _Penet...
|
| Ok your turn for evidence. What evidence do you have that
| all of those things are fake? Or that none of the
| compliance officers actually check it?
|
| > _Also calling someone's knowledge "out of date" is a,
| dare I say rude assumption._
|
| You're right, I apologize for doing that. I actually
| thought that was more charitable than the other
| possibilities, but it doesn't add anything to the
| discussion so should have been left out.
| earleybird wrote:
| > Aside from the extreme rudeness . . .
|
| "I call bullshit" is a colloquialism that derives from
| the "Bullshit Game"[0].
|
| Learn you some language for a great good.
|
| [0] https://gamerules.com/rules/bullshit-card-game/
| lupire wrote:
| Ironically, making a bullshit call that someone is
| bullshitting outside of a bullshitting game, is rude.
| krnlpnc wrote:
| Which is nonsense, what is the purpose of punitive action
| (jail) when a person will be punished for the rest of their
| life via stigma and ineligibility for jobs? How is that
| "correcting" a person's behavior?
| hedora wrote:
| It makes sure you never stop correcting them.
|
| Once a customer of the penal system, always a customer.
| They've worked hard to get their retention / repeat
| business numbers up this high. Why take that away from
| them?
| mbreese wrote:
| The punishment isn't only a punishment for the
| individual. It's a deterrent to keep the next person from
| doing whatever it was that was illegal. You can argue if
| that's right or wrong, but that's one of the points of
| many sentences -- to send a "message" to others who might
| commit a crime.
| MereInterest wrote:
| We could also argue whether it is effective or
| ineffective. I understand the incentive being introduced,
| to tip the scales in a rational decision-making process
| against a criminal act. However, that assumes that
| criminal acts are the result of a rational decision-
| making process, and that the possibility of punishment is
| high enough to enter into that process. Given the
| recidivism rate of the US, I don't think it is effective.
|
| You can argue whether a punitive system that effectively
| provides a deterrent is right or wrong, but a punitive
| system that isn't effective as a deterrent cannot make
| the same argument.
| akerl_ wrote:
| "Don't do crime, but if you do, I guess keep doing crimes
| forever because we're going to make it hard for you to
| get a real job" isn't really a compelling strategy.
| AnthonyMouse wrote:
| That's the business model of the prison industrial
| complex.
| akerl_ wrote:
| Let's be clear where the blame sits. The "prison
| industrial complex" isn't creating this. Private
| enterprise is set up to profit from incarceration rates
| and thus recidivism, but the reason that people can't get
| jobs after they finish their sentence is the fault of all
| of us. Every company that refuses to hire somebody with a
| record is contributing to the problem, as is every person
| who looks down on somebody for having been incarcerated.
| lupire wrote:
| If there are fewer jobs than people, some people will not
| have jobs and thus be tempted into criminal behavior.
|
| If there are more jobs than people, felons will be hired.
| akerl_ wrote:
| This is pretty intensely reductive of the actual state of
| the world. It only works if all people are competing for
| all jobs, which they are not.
|
| To pick a boring example, see the multitude of companies
| complaining about labor shortages and also the number of
| felons who are struggling to find jobs.
| lobocinza wrote:
| It's optimized for retention and not for reintegration.
| indymike wrote:
| > Tampering with their computer systems (even just out of
| curiosity) is probably a bad idea.
|
| I don't think the kind of people who are robbing gas really
| care about whether this is a bad idea. That's why sometimes the
| right answer is to focus on preventing the crime because...
|
| > You could end up with a felony conviction.
|
| The crooks really don't care. It's all about not getting
| caught.
| nsxwolf wrote:
| The crooks often already have a felony conviction, and are
| already living with the permanent consequences of that. The
| only remaining disincentive to crime for them is additional
| jail time, which can start to be seen as just a cost of doing
| business - X years for Y dollars.
| maxerickson wrote:
| The way the legal system works, the safe option is to not do
| anything with systems that you don't own or have authorization
| to use.
|
| Like public facing websites that advertise they are meant to
| have users are pretty safe, but after that, explicit
| authorization is a good idea vs deciding for yourself whether
| it might be critical infrastructure.
| Terry_Roll wrote:
| I was going to suggest, why not buy your own gas pumps and
| do a hackathon!
| astura wrote:
| I think the "bladder trucks" used to steal the fuel are the most
| interesting part of this story but there's no pictures of one. A
| picture of one is here - https://krebsonsecurity.com/2015/11/gas-
| theft-gangs-fuel-pum...
| neilv wrote:
| > _And software and hardware surely have been changed since his
| investigation._
|
| That phrasing seems to imply to readers that awareness of a
| serious/expensive security vulnerability would result in it being
| fixed.
| neilv wrote:
| The post ID for https://news.ycombinator.com/item?id=30733337 is
| almost three-leet.
| [deleted]
| [deleted]
| criddell wrote:
| Is there a hack to turn off the screen playing ads?
| boring_twenties wrote:
| The TVs are mildly annoying but the worst part is the stupid
| questions many now ask before you can pump any gas.
|
| When it's freezing cold outside, 1) no, I don't want a fucking
| car wash and 2) I really resent having to spend the couple
| extra seconds out in the cold to answer that question.
| kevin_thibedeau wrote:
| Getting in and out of a vehicle when pumping gas is a fire
| hazard. In the winter low humidity air makes static discharge
| more likely.
| boring_twenties wrote:
| I'm not sure how that's relevant?
| jeffbee wrote:
| The same "hack" that has so many other benefits: don't buy gas.
| Rebelgecko wrote:
| Usually if you push the buttons next to the screen one of them
| will mute the ad
| SQueeeeeL wrote:
| I feel like it's such a shitty opt out system. I wonder if
| there's a way to mass disable the ads
| hedora wrote:
| Boycott those gas station chains (hint: the cheap gas
| stations don't pay to upgrade pumps), or buy an EV.
| SQueeeeeL wrote:
| Gas is a commodity, so boycotts don't work, also that
| puts the onus on the consumer for being annoyed and not
| the corporations for literally pumping ads into a
| mandatory part of our society (where I live, I can't
| function without a car)
| vineyardmike wrote:
| In populous areas, it can influence the map routing when
| you ask your phone to pick a gas station. If there are
| many, it may (?) filter out low stars.
| criddell wrote:
| You can pay google to route people to your gas station.
| I'm guessing overcoming bad ratings would be just a matter
| of paying google.
| SQueeeeeL wrote:
| Also who tf reviews gas stations. It's a minor annoyance,
| that's why they do it, I'd just rather have a state level
| solution that banned having ads shoved in my face all the
| time
| rconti wrote:
| Yup. I'll leave it as a 1-star Google review (not that
| many people read reviews before choosing a gas station),
| and then go elsewhere. My second-closest station has
| these TVs. I forgot once or twice and returned by
| accident, but now I never forget.
| krnlpnc wrote:
| You can usually mute them by pressing one of the buttons next
| to the screen, often the second down on the right.
| jeffbee wrote:
| Hard-coded passwords are a very relevant problem in real-world
| security. Most of those apartment building entry systems are left
| with the factory password, so you can let yourself right in.
| darknavi wrote:
| If you aren't sold on EVs yet, here is a perk that often isn't
| the main spotlight:
|
| Never go to a gas station again.
| digisign wrote:
| Unfortunately EV stations make a point to know their customer,
| extensively. Is it even possible to pay cash and not have your
| car identified by the charger in a significant number of
| stations?
| fragmede wrote:
| Depending on your POV, the main "gas" station in your garage
| for an EV has either extensive knowledge of you, or ~zero
| knowledge of you. Outside gas stations are for use only for
| road trips.
| darknavi wrote:
| Not that I know of but I don't see anything precluding it.
|
| Like others have said, most of the "gas station" is at your
| residence and is probably via a dumb charger.
| TheDong wrote:
| > Is it even possible to pay cash and not have your car
| identified by the charger in a significant number of
| stations?
|
| The majority of the charging you do will be at your home,
| where you already pay for electricity. Unlike gas stations,
| which you go to every few weeks, you'll "fill up" away from
| home only infrequently, only when traveling multiple hundreds
| of miles away.
|
| When you are away from home, it's sometimes possible to
| charge anonymously like you describe. RV campgrounds/RV
| parking often has a dumb electric outlet (which you'll need
| an adapter for) that can charge you quicker than a regular
| household outlet. Any place that has regular electric outlets
| can "trickle charge" you.
|
| That said, you're right that EV charging when you're on a
| trip is more tech heavy and less anonymous than filling up at
| a gas station.
|
| If your threat model doesn't allow for certain private
| companies to know your rough whereabouts when you're on road
| trips, then yeah, don't get an EV, don't use credit cards,
| don't use a phone, etc etc. Most people's threat models are
| perfectly fine with this though.
| Eduard wrote:
| > The majority of the charging you do will be at your home
|
| I'm worried someone will stumble upon the 50 meters of
| charging cable I have to hang from the third floor, along
| the pedestrian way, towards the car - in case I'm lucky to
| get a parking space just in front of the condo.
| bonestamp2 wrote:
| Some of the chargers can be set so they will only charge
| your car (or other cars that you whitelist).
| Animats wrote:
| _"Researchers also found that many of the systems had "default
| credentials," which means they might have similar access codes
| unless an employee took the time to change them."_
|
| That should be considered gross negligence. Criminal negligence
| for anything shipped with default credentials since ransomware
| became a thing.
___________________________________________________________________
(page generated 2022-03-19 23:00 UTC)