Slashdot Mirror
Fermi Lab Compromised by Pirate
tttonyyy writes "The US Department of Energy sounded a full scale alert after machines were compromised at the Fermi National Accelerator Laboratory, according to this BBC article. It turns out that the hacker was a student using the machines to download and store music and movies."
Not True. I work at IT another accelerator lab in the US, and the control network is on an entirely different network firewalled off, MAC restricted, etc. Even the software engineers responsible for the control system have to be wired behind the firewall.
On a not unrelated note, we have been hacked several times by people uploading movies, MP3s, etc. The system was never rebuilt and the files were simply deleted. In general accelerator labs are not staffed for the super-anal security that you would expect (to say nothing of the number of MP3s, etc. that legitimate users have on the server)...
I've worked at Fermi National Accelerator Lab (fnal.gov) for 4 years, so perhaps I could troll a bit: since they have so many Linux machines (nearly all on Internet accessable IP) and no firewall (recently there are some firewalled ports) this is not a unique occurance, this happens *all* the time.
On the other hand, FermiLab does no defense/weapon work or any kind or any classified work as far as I know, a lot of people confuse it with Argonne National Lab (and be really glad Argonne wasn't named an Accelerator Lab, otherwise we'd have anal.gov)
-frin
Here's what really happened. Users in one of the labs are all given web space on a web server. Now, the IT staff is low on manpower, with government funding behind diverted to the war in Iraq. So, security (among other things) is kind of lax.
Basically, McElroy ran Jack the Ripper on the password file. We're using an SGI 1400L from 1997. He got the root password, and removed the limits of his disk quota. Then, he stored a bunch of ripped DVD's and MP3's in his webspace.
Now you ask, why isn't the government making a big deal about this? They know their security policy is weak, and they just ramped it up. The 'alert' is really just a few days for them to get things back they way they should be. If they said "well, we won't prosecute him because if people really know what happened, it'd make us look bad", what would the American public (and rest of the world) think?!
heh, do you really think you can /. the bbc?
Have a look here to see their traffic. Totals are here. They can handle 2gb/sec. Thats some monster pipe, and it will take some severe slashdotting.
On the count of three, hit refresh like a mofo. If all 600,000 of us do it we might just create a tiny lump on that graph.
That's not to say that massive damage/downtime can't be done by breaking into the right machines.
This happened last year, he's only just been sentenced (by the british, not the americans). And this had nothing to do with the Patriot act. The reason he chose Fermi Labs is that he mistakenly thought it was a academic facility and so would not pay bandwidth fees (unis etc in England don't pay for bandwidth)
I'm not condoning his actions, just trying to clear up some of the FUD
There are thousands of computers at Fermilab, the vast majority which are desktop workstations running linux (logins are through Kerberos). Being your typical office computers sitting on a desk, they are connected to the internet via fairly high bandwidth. As we know, the WWW was invented in order for high-energy physicists to share data throughout the world, so not only does it not make sense for these machines to be cut off from the internet, it is an essential part of scientific research. Any machine that actually controls an aspect of an experiment (connected to any sort of particle accelerator or detector) is not likely to be connected to the internet.
So, yes, physicists and other scientists do depend on flawed technology, mostly because its the easiest way to be able to keep connected when you're dealing with large collaborations stretched across the world. The downside may be the occasional kid (wrongfully) taking advantage of a desktop machine attached to a T1 line. Where security is more vital, it is present. But its simply impossible to insure that everyone's desktop machine is secure or not.
Instead he ends up doing community service. Exeter is about half an hour from here. The community service in this part of the UK is an incredibly harsh and difficult punishment. I'll describe it for those who have not come across its horrors before.
Its likely that he will end up being forced to sit in a sunny field in the middle of the Devon countryside smoking joints and drinking cans of extra strong lager with all the other community service peeps, while they supposedly dig some ditch that doesn't need to be dug so nobody will ever care about it actually being done or not.
That'll learn 'im.
Why does everybody seem to think that Fermilab is some kind of sensitive facility? News flash: Fermilab is a basic research facility, not a top secret weapons lab. Their security is lax because they really don't have anything to hide. All their results are available to the public anyway. After all, that is sort of the whole point of basic research. And it's not like the compromised computer was part of the control system or anything. Fermilab has a lot of computers. The place is huge.
Besides which, if you actually read about the case you'd realize that this guy had access to the computers anyway and all he did was crack the root password to increase his disk quota. Now, I'm not saying that's a good thing but it's more like abuse of a computer lab than anything.
Physics is good
First of all, it is not possible to log into any service at Fermilab without a Kerberos principal. ftp and telnet are not permitted, and there is an active security eam that scans ports on a continuous basis and will shut down any offending machine. There is no firewall because all traffic must be either outgoing web and data services or kerberized if incoming.
I have personally seen Windows machines shut down within minutes and their wireless cards confiscated when brought onto the site if a virus is detected. These scans are not optional to the user and are automatically performed. The fact that this user was caught and security tightened to prevent recurrences is proof that there is good security there. The comments above are almost all completely uneducated.
Finally, as noted above by some (few) intelligent readers, the story is old and is really about sentencing. there has been no recent compromise.
Troll-prevention note and disclaimer: For those who think the above or the story itself is an invitation to hack, I can point out that several such attempts occur per day, keeping the security team busy and alert, but that essentially all of them fail and the rare successful ones earn the attention of the FBI.