Fermi Lab Compromised by Pirate
tttonyyy writes "The US Department of Energy sounded a full scale alert after machines were compromised at the Fermi National Accelerator Laboratory, according to this BBC article. It turns out that the hacker was a student using the machines to download and store music and movies."
used to store MP3's and DIVX's.
...
:-D
Shock Horror
Now if he'd accessed the controls for the particle accelerator and was able to spin it up then that's news.
Worst
The China Syndrome
re*ac*tor by Neil Young
Duke Nukem Platinum Edition
Christmas at Ground Zero by Weird Al
The Atomic Cafe
Everyone's favorite video clip of Janet Jackson's right breast
Don't blame Durga. I voted for Centauri.
Um. This happened in 2002 according to the article. I think we've missed the boat on this one... the actual new information is the sentence handed down to the culprit.
++ Say to Elrond "Hello.".
Elrond says "No.". Elrond gives you some lunch.
The kid could have picked a less prominent host to save money on a hard drive.
Given that he probably did it for the self-boast rather than space, he should be roasted.
There's got to be a better use for that kind of skill. ;)
An attacker who compromises Fermi Lab's systems usually also has access to the control of the large hadron collider they have there.
A manipulation can destroy important experiments. Even worse, they can't be sure whether the hacker has tampered with the collider data. So they have to repeat all experiments from the last weeks.
Furthermore the hacker can do more than just tampering with data. Indeed it can overload the collider resulting in an explosion. This would set off a cloud of toxic material threatening the surrounding villages.
Over 90 years and counting !
"Judge Andrew Goymer decided against sending McElroy behind bars as he had not accessed classified material on the network and had not intended to cause harm." This is quoted from the article, but in my opinion, I don't care what your intentions are, you hack into a place like that you should be thrown in jail even if it's just to show everyone else how serious you are.
what kind of twit takes the space at a sensitive research facility for MP3s and divx stuff? he should also count himself lucky he wasn't in the US: he'd be halfway to [remote prison facility] within hours.
serves as proof that hackers aren't necessarily smart.
ed
This hacker could have inadvertently invented cold fusion just before Morgan Freeman destroyed Chicago in an attempt to keep him from hooking up with Kate Winslet on his super-sonic 50cc Kawasaki.
I know for a fact this could have been worse. I saw it at the theater. Full price.
he gets 200 hours for hacking into a national laboratory, but will probably have to pay every last penny he owns to the RIAA and MPAA for having illegal copies of music. hrmm....
Some kiddie finds an open FTP server to stash warez != hacking!
Why only one movie? There's hundreds of good movies to save on their systems. Did he run out of space?
It lives up to its name: http://www.sanspoint.com
I wanted to see someone write "1 4m 1337" using an electron accelerator.
Arrr ... matey ... I reckon 'tis gold in dem particle collectors!
Seems pretty obvious that sensitive computers should be physically separated from any connection to the internet?
"Computers are an important feature of life in the 21st century," said Judge Goymer.
"Government, industry and commerce, as well as a whole variety of other institutions, depend upon the integrity and reliability of their computers in order that their proper and legitimate activities can be carried on."
And that's the problem, in a nutshell. Dependency on technology that's flawed. But the judge, nor anyone running Fermi, seems to realize this.
We need crackers because without them there would be no one to point out how incredibly vulnerable these systems really are. I'd rather have a crack root a box to download mp3s now than have a real threat root a box and perform much more covert and dubious actions.
Obviously testing isn't enough.
Oh well. Let's lock up all those crackers. Let's keep the sploits in the hands of the real bad guys. Who cares about security.
This person has gotta find something better to do with their time, how about oh I don't know, Science? Think if this person actually learned some science instead of downloaded this stuff on these PCs. He might actually be able to afford to pay for the stuff instead of steal it! -Joe Kavanagh
Shame on the facility for having such weak security.
Now if we need a definition of what it means to be 31337, this is certainly it.
;)
Though perhaps it wouldn't been 313373|2 to have never been caught... and use the compromised host as a public filesharing server.
The national labs have done a good job at firewalling off the non-professionally administered machines where feasible, but the academics really don't like anything that slows down collaboration. Thus there are lots of open machines, ftp and telnet still abound and give lots of opportunities to swipe usernames/passwords in the clear even though ssh and scp are available, etc.
Most (but not all) machines running the accelerator and the detectors are on their own mostly-private subnets.
In a surprise announcement from Fermi Labs, it would seem that the basic building blocks of matter, created from our accelerator tests is in fact, pr0n.
In fact there seemed to be quite a lot of it in our reports, as well as some indication that the sound of the big bang was in fact a Britney Spears mp3...
My first thought on reading the headline was that someone dressed in a pirate suit had managed to get inside and was forcing researchers to walk the plank.
"Arr, I'll supercollide ye!"
Common sense is what tells you the world is flat.
They probably took one look at this guy and decided he wouldn't last a second in prison. The media definitely would have found him adorable enough to make some bad press for the lab.
;)
In a case like this they should make him do community service for the lab. Like build web pages and the like. Static HTML only of course (you don't want such a l33t hacker working with scripts)
The Ro Factor - Jeep/Linux Weblog
I've worked at Fermi National Accelerator Lab (fnal.gov) for 4 years, so perhaps I could troll a bit: since they have so many Linux machines (nearly all on Internet accessible IP) and no firewall (recently there are some firewalled ports) this is not a unique occurrence, this happens *all* the time.
On the other hand, FermiLab does no defense/weapon work of any kind or any classified work as far as I know, a lot of people confuse it with Argonne National Lab (and be really glad Argonne wasn't named an Accelerator Lab, otherwise we'd have anal.gov)
-frin
Probably the stupidest thing to hack is a government computer. Probably the dumbest thing to put on stolen drivespace is pirated movies. Add the two and you're asking to get slapped with terrorism accusations for something stupid like a pirated copy of "Finding Nemo."
Esoteric reference.
Here's what really happened. Users in one of the labs are all given web space on a web server. Now, the IT staff is low on manpower, with government funding being diverted to the war in Iraq. So, security (among other things) is kind of lax.
Basically, McElroy ran Jack the Ripper on the password file. We're using an SGI 1400L from 1997. He got the root password, and removed the limits of his disk quota. Then, he stored a bunch of ripped DVD's and MP3's in his webspace.
Now you ask, why isn't the government making a big deal about this? They know their security policy is weak, and they just ramped it up. The 'alert' is really just a few days for them to get things back the way they should be. If they said "well, we won't prosecute him because if people really know what happened, it'd make us look bad", what would the American public (and rest of the world) think?!
It could have been worse. He could have been caught smuggling atoms out of the place in his pockets.
"See? He's got atoms in his pockets! Call the local constabulary, Smithers!"
Don't blame Durga. I voted for Centauri.
If I did this at work I'd be canned. Someone should teach this little turd to respect other peoples' property!
Blar.
not Kate Winslet.
Joseph McElroy used the lab's computers for films and music taken from the net.
Southwark Crown Court waived a demand for 21,000 in damages as it ruled that McElroy could not pay the fine.
The June 2002 intrusion by the Exeter University student sparked a full-scale alert at the Chicago laboratory, which researches high-energy particles.
Fearing a terrorist attack, the computer was closed down for three days and the US Department of Energy, which oversees the safety of the country's nuclear
weapons, sounded a full-scale alert.
'Green light'
The 19-year-old from east London had admitted hacking into the Fermi National Accelerator Laboratory.
He took advantage of a flaw in the lab's authentication system and used the company's network bandwidth to download and store hundreds of gigabytes of copyrighted film and music files.
Judge Andrew Goymer decided against sending McElroy behind bars as he had not accessed classified material on the network and had not intended to cause harm.
He told the student he ought to "think yourself lucky" he was not going to prison.
"Computers are an important feature of life in the 21st century," said Judge Goymer.
"Government, industry and commerce, as well as a whole variety of other institutions, depend upon the integrity and reliability of their computers in order that their proper and legitimate activities can be carried on."
The judge said it was important that the "wrong message is not sent out to anybody else who is tempted to behave in this way".
But security experts have expressed disappointment at the leniency of the verdict.
"The McElroy hacking case highlights an increasingly common practice in the online world - unfortunately for him, he picked the wrong bandwidth to steal," said David Williamson, director of sales at security firm Ubizen.
"It is very worrying that appropriate compensation or a custodial sentence has not been issued in this case.
"Hacking is still illegal and as a self-confessed serial hacker, McElroy and the hacker community at large will view this outcome as a green light to break the law."
"It turns out that the hacker was a student using the machines to download and store music and movie."
I'm not gonna put it past anyone, because you never know... but one must wonder why anyone with the knowledge necessary to do such a thing would waste it on downloading crap when they could just go to a WiFi hotspot, or hack into any random user's account. It seems a lot more likely that it would provide an innocuous cover for whatever it was they were really doing, and account for large volumes of bandwidth...
There's a Register article too.
Let's hear it for hackers from Woodford Green (come on, there must be more than just me and this guy).
Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
It sounds like he was just a student who had access to those machines. Does knowing the root password make you a hacker?
How about a new headline: Student abuses Lab's computers.
Probably angry at his politicians for backing the US in Iraq so he's doing what he can to give the USA the finger. Poor boy can't pay the fine? Since when was that an excuse!?
Blar.
When I saw that headline the first thing that popped into my head was the image of a big, bearded sailor with an eyepatch menacing a crowd of cowering scientists with a cutlass.
heh, do you really think you can /. the bbc?
Have a look here to see their traffic. Totals are here. They can handle 2gb/sec. That's some monster pipe, and it will take some severe slashdotting.
On the count of three, hit refresh like a mofo. If all 600,000 of us do it we might just create a tiny lump on that graph.
You deserve a head exam. Think here - how many people really believe that the control system for the collider is housed on a machine that was compromised (and is thus exposed to the internet at large)? Admittedly, there's a chance, but no moron would set up a network in this way. And who believes there aren't HARDWARE issues that would prevent an explosion - maybe even safeguards? What a freakin thought, considering this is a US DOE site. And what is this toxic material? The collider is basically a bunch of metal. Not sure what he'd overload, but usually heavy atoms or light atoms are slammed together to see what happens and measure particle/energy emissions. Where's the toxic material and explosive?
Oh, and what villages? They're 45 miles outside Chicago - not the smallest place. Don't worry though. Unless top quarks, CP violation experiments, and Boson experimentation threaten explosion, I think we're ok. Just try researching the subject. "fermilab" I'm feeling lucky gets you there.
I, for one, welcome our new atomic mutant rapping' heavy metal MP3 overlords.
Arr! There they be mayties! pillage the lot and rape the cattle! The rest of you grab the booty! Arr!
Oh yeah, I'm sure it was a pirate...
ya gotta love the stupidity that is the press these days.
Do not look at laser with remaining good eye.
This happened last year, he's only just been sentenced (by the British, not the Americans). And this had nothing to do with the Patriot act. The reason he chose Fermi Labs is that he mistakenly thought it was an academic facility and so would not pay bandwidth fees (unis etc in England don't pay for bandwidth)
I'm not condoning his actions, just trying to clear up some of the FUD
Sorry but the Large Hadron Collider is being built at CERN in Europe. It is not at Fermilab, and even if it were the "controls" for it would not be on the same network as the experiments, each of which would have its own authentication hosts, etc. anyway.
Someone figured out how to bypass weak authentication? And then used a university/government system with huge bandwidth and storage to keep files on? Gee I never heard of that before. Isn't this the system that made warez what it is?
If one gains access to Fermi lab the first thing you'd do is store pirated software.. Silly person
There are thousands of computers at Fermilab, the vast majority which are desktop workstations running linux (logins are through Kerberos). Being your typical office computers sitting on a desk, they are connected to the internet via fairly high bandwidth. As we know, the WWW was invented in order for high-energy physicists to share data throughout the world, so not only does it not make sense for these machines to be cut off from the internet, it is an essential part of scientific research. Any machine that actually controls an aspect of an experiment (connected to any sort of particle accelerator or detector) is not likely to be connected to the internet.
So, yes, physicists and other scientists do depend on flawed technology, mostly because it's the easiest way to be able to keep connected when you're dealing with large collaborations stretched across the world. The downside may be the occasional kid (wrongfully) taking advantage of a desktop machine attached to a T1 line. Where security is more vital, it is present. But it's simply impossible to ensure that everyone's desktop machine is secure or not.
(AP) "Area police have warned residents in the Fermi area to be in the lookout for rampaging mutant MP3 files and DIVX rips. These were said to be innocent p2p files until they were stored in servers deep inside Fermilab. They were inadvertently released when someone opened the server with a hacked open Grokster client.
Anyone who sights one of these monsters on their property is urged to contact either the RIAA or the Nuclear Regulatory Commission immediately. If you hear a wailing 'Ooops. I did it agaAAAIN!!' outside, do not open the door."
Don't blame Durga. I voted for Centauri.
He did what anyone would do if they hacked into Fermilab and got access to large amounts of diskspace and a fat('phat') pipe: Pr0n and warez!!! He was probably running an IRC server on there too with 'sweet virtual hostnames'
...but if I had a say as the lawyer for the U.S., I would have demanded a harsher sentence. Whether or not this guy intended any harm, he still broke the law (as far as I know, blah blah blah), and should be punished.
The judge seemed to let him off the hook because he was unable to pay, and indeed, he'll be unable to pay for another three years or more. However, the judge could have sentenced him to work co-op terms (for the U.S. Government, repairing their security), or even deferred the payment plan until after graduation, but at LEAST get him to pay something, because he's GUILTY.
Now even slashdot is falling into line with this stuff.
The Slashdot *I* know would have a headline of "So-Called Hacker at Fermilab is Just a Student Warez Pirate".
Hmmmph.
What we call folk wisdom is often no more than a kind of expedient stupidity.-Edward Abbey
Southwark Crown Court waived a demand for 21,000 in damages as it ruled that McElroy could not pay the fine.
That is the fine by Britain. I wonder what British law he broke??
But he obviously broke USA law. I wonder if the FBI can arrest him and force his export.
I do not understand the culture of people thinking that they own everything. What gave this guy the right to steal bandwidth from someone else? What gave him the right to steal the storage space? What gave him the right to break into someone else's pc?
The answer is tougher laws and more extradition treaties. And by comparison, what ever happened to that Filipino kid who was caught writing viruses? I thought they threw the book at him. Why will the British kid get an easier sentence?
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
If you're bent on sharing movies or other types of files, you use your own hardware. Not everything in this world is free for the taking.
Is "community service" really really punishing or something? They were going to fine him 21,000 dollars, but instead chose to give him 200 hours of community service... That's $105 an hour.. can I find some community service like that? Please?
If you can read this, you are most likely close enough.
While we're on the topic of particle accelerators, mark your calendars for 2007 -- that's when the Large Hadron Collider will be completed in Switzerland, marking a significant step forward in particle physics.
Here's a brief description from the CERN website:
What is LHC? The Large Hadron Collider (LHC) is a particle accelerator which will probe deeper into matter than ever before. Due to switch on in 2007, it will ultimately collide beams of protons at an energy of 14 TeV. Beams of lead nuclei will be also accelerated, smashing together with a collision energy of 1150 TeV.
A TeV is a unit of energy used in particle physics. 1 TeV is about the energy of motion of a flying mosquito. What makes the LHC so extraordinary is that it squeezes energy into a space about a million million times smaller than a mosquito.
The LHC is the next step in a voyage of discovery which began a century ago. Back then, scientists had just discovered all kinds of mysterious rays, X-rays, cathode rays, alpha and beta rays. Where did they come from? Were they all made of the same thing, and if so what? These questions have now been answered, giving us a much greater understanding of the Universe. Along the way, the answers have changed our daily lives, giving us televisions, transistors, medical imaging devices and computers. On the threshold of the 21st century, we face new questions which the LHC is designed to address. Who can tell what new developments the answers may bring?
How does storing media on a foreign server make someone a "pirate"? Has this term been abused to also include stealing disk space?
Or...does he look like this?
So GW can DP him ! "DP for all MP3 pir8, and GW for president" ;-)
:o)
Might help people to forget about the "mass-destruction weapons immediate threat from super evil axis dictator"
the people in charge of the security at the lab?
Which do you consider more dangerous:
#1 Script Kiddie hacking a server to store films on.
#2 Running a nuclear lab with so little security a script kiddie can break in.
As a Pirate-American, I take offense at the use of the term "pirate" for a simple hacker or cracker. Where are his sea legs, his parrot/monkey, his eye patch or pegleg?
I'm not defending that little hacker guy (erm, what kind of hacker is he anyway exploiting a known weakness to gain bandwidth and storage for MP3 and DivX files... I'd rather make him manually punch one of these files into punch tape instead of those 200 hours civil service which he might find even interesting), but if you run a high-security network infrastructure, then you better be up-to-date with the latest patches and countermeasures. It's not done with applying the latest IE "security update" every Tuesday...
Now calling for a more drastic punishment and considering the current (IMO fair) one as a green light, just shows what's wrong with some people: If hijacking company computers and networks for bandwidth and storage abuse becomes an increasingly common practice in the online world then those "security experts" should probably do their homework and fix the systems instead of calling the cops.
If you leave your car open and someone steals your car hifi, it's entirely your fault. (Go ask your insurance...) Whose car it is shouldn't play a role when sentencing the thief.
Fermi Lab Compromised by Pirate
Damn it. I was expecting a bit of coastal raiding action from this story. Maybe black flags with the skull and crossbones. A little rapine and pillaging of the Fermi Lab.
Damn corruption of the English language.
I'm surprised it's not a dupe.
You sly dog: you got me monologuing! - Syndrome
sounds like you need to hire a better net security guy.. there are ways to allow many desktops to the net without letting evil hackers in.
That is the fine by Britain. I wonder what British law he broke??
Most likely the computer misuse act (1990). Full text here
Have a nice day.
I remember reading the original news (early 2003 i think :P) He thought he would hack the university that the ip range had been assigned to. Did you know how the lab found out that they had been hacked? The backups took longer to run than usual :) Yes, they were backing up the files the hacker stored there. A total of 16 Windows PCs had been compromised iirc, and only after a week access had been blocked.
If the hacker had really been after the data handled by the lab, he would have had more than enough time. I just wonder why systems involved with nuclear shit were (and are?) connected to the internet in the first place?
Shiver me timbers.. under which flag does the Fermi sail?
Why does everybody seem to think that Fermilab is some kind of sensitive facility? News flash: Fermilab is a basic research facility, not a top secret weapons lab. Their security is lax because they really don't have anything to hide. All their results are available to the public anyway. After all, that is sort of the whole point of basic research. And it's not like the compromised computer was part of the control system or anything. Fermilab has a lot of computers. The place is huge.
Besides which, if you actually read about the case you'd realize that this guy had access to the computers anyway and all he did was crack the root password to increase his disk quota. Now, I'm not saying that's a good thing but it's more like abuse of a computer lab than anything.
Physics is good
Have a look here to see their traffic. Totals are here. They can handle 2gb/sec.
McElroy's note to self: next time store music and video on BBC computers, not FermiLab.
Ooh, a sarcasm detector. Oh, that's a real useful invention.
This Just In...
Fermi Labs announced the production of a new supersized sub-atomic particle, boxons. Boxons were created by smashing oxygen with bosons (another sub-atomic particle).
Examined through the most powerful microscope in the world, the boxon appears to be a cardboard box, with the words "Schroedinger's Cat" written on the side. Sadly, the box is empty.
If I break into your house is it your fault you didn't have iron bars on the windows? How about I smash in the window of your car and steal your stereo? Just because it's possible to do something illegal, does not mean you're not responsible and shouldn't be punished. If I had my way I'd send him to Saudi Arabia for punishment, they cut the hands off hackers!
Definitely.
The US should extradite him and CANE his ass... that'll
teach 'em.
And I won't even mind paying the bill to involve
the FBI, Attorney General and the State Department
to make it happen.
This is clearly the biggest threat the US has ever known.
The authorities should simply "let it be known" that he had stored GBs of:
-Chicks With Dicks: Get Down To Brown Town, and
-Lions And Tigers And Bears: Cock Fight At Guy's Night...
Problem solved.
Fermi Lab: Not Fair!
Student: Pirate
Either that or those links are b0rked
a) well I guess Morgan Freeman succeeded then didn't he?
and
b) like anyone but their mothers can tell the difference.
They're both British brunettes with bountiful blessings that assure at least three stars from Ebert regardless of how good their films actually are.
On the count of three, hit refresh like a mofo. If all 600,000 of us do it we might just create a tiny lump on that graph.
This could be the world's first 'flash slash-dotting'...
All your base are belong to us!
If I got my hands on that root password ..
We know you'd fill the drives and tape if available up with Japanese Hentai 'dating' games. Which wouldn't be nearly so sad if you could read Japanese.
No, that was the sound of Britney getting her record deal.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
"How about a new headline: Student abuses Lab's computers."
Hey, bub! Get a room.
Does this look like a twit? Seriously, though, this sort of thing happens all the time. We had this going on our server a few years ago. I seriously doubt that he had any conception that this was a sensitive facility. Hell, scratch that - I doubt this was in any way a sensitive break-in, likely just marginal computers that happen to be at the lab, with diskspace and bandwidth. His punishment is quite in contrast with the RIAA suits however (and yes, the British equivalent has threatened the same tactics).
Part of the reason our community has such a bad image is because of the word hacker.
Call him what he is: a cracker.
If we don't get the terminology right, how is the rest of the world supposed to get it right?
Bruce Perens was on here a while ago talking about how the SCO DDoS made us look bad to the mainstream press. I think the hacker/cracker confusion is a bigger problem.
I've posted this unpopular sentiment before and I guess I am still on the pedestal.
Those machines, and many others are just as open to our enemies the likes of which include Osama Bin Laden, Saddam Hussein (before he was captured) and many others. Had they cracked in (which they may well have done and may well be doing), the machines will probably not be used as a receptacle for kiddie porn.
Were it not for kids that are just mucking about poking their collective digits where the authorities would rather not be poked - our authorities would remain FAT DUMB and HAPPY dreaming their collective bliss.
We live in the real world where we have many real enemies. We need secure systems that we can count on. Each time some kid pokes his finger into a vulnerable spot it helps to educate the masses that they really do need to pay attention.
Perhaps the judge in this case realises this. 200 hours is a suitable punishment, even if it is perhaps a little severe.
One thing that I think needs to be recognised is that there are many would be very competent systems admins who frequent slash dot. Many of these people would relish a well paying job and could be gainfully employed closing these security holes. Perhaps our authorities and joe sixpack in general should open their eyes and smell the coffee here.
I think you're just a poser - a *Real* Pirate - American would have concluded his sentences with a proper "Yarrrrrrrrrrrr!"
The only way I used to be able to tell the difference was to check her genitals. If I saw James Cameron's dick in there I knew it wasn't Rachel.
Hacker is not right word for criminals, they don't deserve that.
What a fucking troll.
I got bored and decided to see if anyone would mod this up.
Fucking mods. Pathetic losers.
-serge
He can install a program, and run a password cracker. Wow man I must be 1337 cause I can run Snort and nmap. Come on people this is not a hacker. You could teach your grandmother in a matter of minutes how to use a password cracker that someone else already wrote and has a GUI. Hacker...no...pirate...maybe.
Creative Demolition
Your comments are Naive!
Look - I live in an area where we don't need much security. I have no bars on my windows. I have no deadbolts on my doors. I have locks that can be picked rather easily. When my kids were young they used to leave the windows open so that if they lost their keys they could crawl in.
Lax security is not necessarily an invitation for theft.
HOWEVER...
If security starts to become an issue in this area and B&E started to become a serious concern, then someone criticising my lax security as a possible reason my property walks out the front door would be quite justified.
Suppose I am the first person in the area to experience a theft. Suppose my car drives down the street one day. Someone who points out that the fact that I left it unlocked, running with the keys in the ignition, parked on the street, while I casually ate my eggs for breaky might have a point that I maybe deserve what came my way! eh?
Well - the above example may sound ludicrous - but the average joe sixpack and unfortunately many corporate managers are simply so naive about securing their computer networks that the analogy of leaving the keys in the ignition is more apt than many people care to admit.
Most people are basically quite honest. But if you leave your wallet in the middle of a parking lot do you really expect to get it back with the money intact?
----------
BTW - I actually did find a wallet in the parking lot one day and it was returned with the money intact... so there! I do not condone theft and dishonesty and I am not trying to justify it. I'm trying to be a realist ok?
RIAA and MPAA set to file lawsuits against the US govt. for piracy and distribution of MP3's and Movies...
Kids these days. Just lookin for someplace to store their music files.
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
Imagine a beowulf cluster of these?
Well, he did, and went a step further...
First of all, it is not possible to log into any service at Fermilab without a Kerberos principal. ftp and telnet are not permitted, and there is an active security team that scans ports on a continuous basis and will shut down any offending machine. There is no firewall because all traffic must be either outgoing web and data services or kerberized if incoming.
I have personally seen Windows machines shut down within minutes and their wireless cards confiscated when brought onto the site if a virus is detected. These scans are not optional to the user and are automatically performed. The fact that this user was caught and security tightened to prevent recurrences is proof that there is good security there. The comments above are almost all completely uneducated.
Finally, as noted above by some (few) intelligent readers, the story is old and is really about sentencing. There has been no recent compromise.
Troll-prevention note and disclaimer: For those who think the above or the story itself is an invitation to hack, I can point out that several such attempts occur per day, keeping the security team busy and alert, but that essentially all of them fail and the rare successful ones earn the attention of the FBI.
At least at Brookhaven NL, all the computers have a paragraph at login, "WARNING: The system you are using is property of the Department of Energy, it's not for use beyond your job, unauthorized access == crucifixion, yadda yadda"...you'd have to be beyond retarded to not realize you're where you're not supposed to be. Machines on the internal network don't usually have .gov hostnames, though - just an IP, or the machine name.
Facts do not cease to exist because they are ignored. - Aldous Huxley
I hope you get anal warts, or get caught at work looking at horse porn.
I wonder how many employees have collections of MP3's and video files on their hard drives, in the FermiLab offices.
Hmm... Strange sense of justice.
mindslip
We need crackers because without them there would be no one to point out how incredibly vulnerable these systems really are. I'd rather have a cracker root a box to download mp3s now than have a real threat root a box and perform much more covert and dubious actions.
We need burglars because without them there would be no one to point out how incredibly vulnerable these houses really are. I'd rather have a crackhead burgle my house to buy drugs now than have the CIA break in and plant bugs in my house.
Doesn't make much sense, does it?
"All your boson are belong to us."
Nicely put. I'd mod you up if I could.
This guy is way out there
Fair enough, the kid couldn't pay it... but for a £21,000 fine, you'd think the kid would be doing a heckuva lot more than just 200 hours of service.
That works out to over a hundred pounds every hour... man, who says crime doesn't pay?
File under 'M' for 'Manic ranting'
More interesting than the actual act of hacking into a US DoE network is the legal precedent set by the Judge in the UK. Although he found the kid guilty and sentenced him to 200 hours of community service, he failed to make him pay the roughly $38,000 in damages he cost the DoE as they took 17 computers down for 3 days to clean up the mess he made.
According to CNN (http://www.cnn.com/2004/TECH/internet/02/03/britain.hacker.reut/index.html), the justification for failing to make the kid pay the actual financial damages he caused was that no classified information was compromised. This sets a legal precedent that is simply outstanding for budding young international hackers both in the US and the UK, because it means that as long as they do not compromise classified information, they can cause as much financial loss as they want and not be held liable for it beyond public service outside of the country they caused the damage in. For US script kiddies, this should mean that if they're caught hacking into UK government systems, the UK government should not ask the US to recover any financial damages unless classified information was compromised.
See, the US and UK really ARE allies in the war against... ummm... are we FOR or AGAINST script kiddies this week?
"cracker...."
yeah, what a noble hacker, downloading Gb's of copyrighted materials
Aside from this being old news, the guy actually had access to the server already because of a university collaboration. He did hack, just not externally--he just elevated his privileges on an unimportant machine (that's since been packed up and sent to England for evidence).
As we know, the WWW was invented in order for high-energy physicists to share data throughout the world, so not only does it not make sense for these machines to be cut off from the internet, it is an essential part of scientific research.
In fact, enabling data sharing among academics, especially researchers, was one of the initial goals of the invention of the Internet itself. (The other big one: researching fault-tolerant data communication with military-grade reliability.)
(All this spam and pr0n got tacked on after Al Gore legalized commercial use. B-) )
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Nothing.
Nothing, aside from the notoriety of this trial, which may not even follow him that far - a google search on his name (Joseph McElroy) doesn't even turn up stuff referring to him in the first page. (That's what he gets for sharing his name with a famous author)
The judge decided against jail time because "he had not accessed classified material on the network and had not intended to cause harm". Also, the monetary claim for damages against him was waived on the grounds that he wouldn't be able to pay it.
"not intended to cause harm"? "not intended to cause harm"? Tell me, can I bypass the metal detectors at Heathrow simply because I'm not carrying any weapons, and even if I were, intend to cause no harm with them? What if I just want to drive to the store and back, but would rather hotwire your car instead of walking?
Sure, I understand that the US has some truly brutal criminal trespass laws that are probably way out of proportion to the act they supposedly punish, and that therefore a UK judge might be more lenient in this case than a US one would, but... nothing?
I somehow missed the section in bold at the top of the article.
200 hours of community service.
I guess that's better than nothing, and it's not like they caught him controlling a worldwide botnet and so could only charge him with infiltrating one system. Still seems like an amazingly light sentence.
should have never named that machine sco.fnal.gov
I do not understand the culture of people thinking that they own everything. What gave this guy the right to steal bandwidth from someone else? What gave him the right to steal the storage space? What gave him the right to break into someone else's PC?
He's a script kiddie who stored some mp3s and movies on a poorly-secured machine in an unclassified lab.
He used some bandwidth and storage space for his personal convenience. He didn't delete anyone's files, set up a spam relay, break into (or try to break into) more sensitive systems, or do any real harm. At worst, he should be on the hook for bandwidth costs and a nominal charge for the use of storage space; he also owes some apologies.
He's a not-particularly-bright college kid who didn't cause any lasting harm, nor physical injury.
So--would it be appropriate to take from this kid the years of his life that extradition, an American trial, and the American prison system would take...for downloading some mp3s? Is it worth the cost of transporting him, housing him, and trying him?
Don't you think the FBI should have better things to do? They won't generally get involved even in the United States unless a million dollars or a kidnapping are involved.
~Idarubicin
An entire lab that fits in a 1 femtometer cubed box.
Eat at Joe's.
So what? Fermilab is not a nuke facility. They get probed and prodded every second. So do you! So this miscreant accessed a machine with a weak password during the influx of Windows break-ins, and everyone learned their lesson about MS products. He set up a Warez site. Big deal. He didn't steal any classified or sensitive data (all of their data is public). It happens every day, everywhere. Yes, he should be prosecuted since he did hack, but this type of break-in happens almost anywhere. Most times, it quietly gets covered up. NASA and JPL are 60%-80% owned at any given time. Many banks and on-line merchants have had hack jobs without any external reporting. I am sure at least someone at your company connects to your corporate network with a trojaned PC (ever have to deal with a split-tunneled VPN connection?). Heck, even your grandmother is probably owned on her DSL connection. I will even bet that you have a machine or 2 compromised in your environment at any given time (assuming a large enough install base), be it a Warez site, IRC server or spambot. There is always a way into a network. It is just finding it. Look at your own backyard before you judge others. If you think you are secure, you are a fool!! Your Norton Firewall or Linksys will NOT protect you (but do a fairly good job). You want to be secure? Get rid of your computer, change your name to John Doe and live in the woods.
One can use a proxy to allow access to a web w/out direct connection to the Internet.
You don't need to allow incoming connections on nearly all ports in order to browse or serve web.
-frin
I think you will find that UK Universities DO pay bandwidth costs for traffic that goes outside of ja.net (maybe they are charged for ja.net traffic too these days). Prices are especially steep if you generate transatlantic traffic. Caching of data has become very important in an effort to cut costs and it's rare that you are allowed to make www connections without going through some sort of Uni proxy.
Take a look at the network charging page for more details.
Why on earth would the bandwidth be free? Just because it's "academic"?
The kid broke the law, and undoubtedly did so deliberately (his DivX and MP3z didn't magically appear on their computers).
That said, I agree that it's prudent to ask why, and if there were any extenuating circumstances... if he was a persecuted Chinese dissident hiding incriminating materials so he wouldn't be executed... well, that's different from a warez d00d.
The law allows for extenuation, and also considers circumstances, ala the "doctrine of competing harms." If you cross the center line of the highway, but do so to avoid a jaywalking pedestrian, you have a defense if some nit-picking highway patrolman decides to give you a citation for crossing left-of-center. Also, what your "chipmunk" example fails to take into account is premeditation versus behaving negligently or recklessly (do a legal search on culpable mental states, and you'll see what I mean).
But whatever, the kid broke the law, did so deliberately, and is thus guilty. Punishment is where his age, foolishness, and general but-he's-a-good-boyness might save him a few lashes.
Innocent? No way. Worthy of jail? Wellll... that's up to the judge; there's always wiggle room.
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
I wonder what Robert Rathbun Wilson would have to say about this. After all, he wanted FermiLab to be open to everyone; there is no front security gate to the entrance.
Fermilab is within walking distance of my house, and this is the first I've heard of this!
I was just trying to make the point that if the lab authorities intend to blow this up as a huge problem (i.e. servers shut down, pressing charges etc) then they must take responsibility for running a badly protected server in a critical environment.
I suspect this was just a badly protected, semi-forgotten server of little importance and it was all a massive over reaction.
It's Fermilab policy that none of the critical systems are controlled by computer. A hacker might be able to get at the monitoring software but would not be able to "turn on" the particle accelerator. Anyhow, the idea that there's one switch to flip the thing on is ridiculous. It takes multiple teams of experts to get it going.
This kid just wanted at the bandwidth (fast enough to service hundreds of users around the world with ) and storage space (terabytes, petabytes).
Seems pretty obvious that sensitive computers should be physically separated from any connection to the internet?
Fermilab is attached to the Internet because the benefits of having it attached to the Internet exceed the risks.
The research done at Fermilab is of a very basic nature -- nothing classified is done there, and I'd even take issue with the BBC's (and your) description of it as "sensitive," for that matter.
The most "sensitive" systems would be the ones that control the accelerator and beamlines, but all you are likely to do with those is to steer a beam into one of the berms.
Balance that against the fact that high-energy (particle) physics research is highly collaborative, and hundreds of researchers at the Lab use Internet on a daily basis to communicate with other researchers, download preprints of research papers, and other stuff, and you'll see that access to the Internet is nothing to give up lightly.
We need crackers because without them there would be no one to point out how incredibly vulnerable these systems really are. I'd rather have a cracker root a box to download mp3s now than have a real threat root a box and perform much more covert and dubious actions.
"We need robbers because without them there would be no one to point out how easy it would be to be murdered. I'd rather have someone rob me now, than to have someone else murder me later."
What's your address, and what brand of lock do you use? I'd like to give you a security lesson.
Make me aerodynamic in the evening air
But, he wasn't an evil hacker. He was a student with a pr0n addiction who happened to work there. What was the security guy supposed to do besides catch him? They had to trust him in order for him to get his work done, so, when he abused it, he was punished. It sounds pretty much on the up and up at ol FermiLab.
you know what's even cooler? when the pirate gets totally uppercut by a ninja out of somewhere just because he downloaded music and divx! now that's real ultimate power!
http://www.realultimatepower.net
It's the Bison experimentation I'm more worried about.
Heh, heh.
My other car is a 1984 Nark Avenger.
[o]_O
fucker deserves a fine just for that smirk
I'm confused. What does a program to spy on, harass, and incriminate domestic individuals suspected of Communist leanings that ended thirty years ago have to do with the FBI's current work?
And why does that imply that the FBI would get involved in the abuse of an academic computer by a dumb script kiddie that incurred essentially minuscule costs and didn't damage any data? If the kid had been in the States, there's a slim chance that the FBI would have gotten involved, but since he's in the UK--and has already been tried and punished--it's just not worth their while.
A government agency that did something stupid, deceptive, and unconstitutional thirty years ago. Film at eleven.
~Idarubicin
Yes.
CAn'T CompreHend SARcaSm?
Um, it never stopped. Try this: call up the FBI, tell them that coworker you don't like has been distributing "subversive literature" (use those words exactly), give them the address of your company, then hang up. Doesn't matter if your coworker is a choir boy who's never been in trouble w/ the law before, he will be picked up and his family will be paid a visit by gun-toting agents.
Alternatively, you can take a close look at the weapons of mass destruction they just found in Texas. Plans to lob chemical bombs capable of killing hundreds of people in under a minute all over the country foiled by the local police, but it still took forever to get the FBI involved. You see John Ashcroft touting this as a victory in the war on terror? Now if those guys had been Muslim, "Whoo boy, we nailed us some brown-skin folk!! Yeeeeeeehaw!"
The FBI has plenty of things to do that would be worth their while and would be worth the amount of money that we pay them, but they're far too busy doing dirty work for the people in charge to give a damn.
[o]_O