Slashdot Mirror


Fermi Lab Compromised by Pirate

tttonyyy writes "The US Department of Energy sounded a full scale alert after machines were compromised at the Fermi National Accelerator Laboratory, according to this BBC article. It turns out that the hacker was a student using the machines to download and store music and movies."

27 of 280 comments

  1. Dept. of Entertainment facility by Gyan · · Score: 5, Insightful

    The kid could have picked a less prominent host to save money on a hard drive.

    Given that he probably did it for the self-boast rather than space, he should be roasted.

    1. Re:Dept. of Entertainment facility by leerpm · · Score: 4, Insightful

      More than likely, he probably did not even know that the computer was government owned, or that it was that important. He probably was just a script kiddie who was looking for a fast remote host, to share out movies.

    2. Re:Dept. of Entertainment facility by Xzzy · · Score: 3, Insightful

      > he probably did not even know that the computer was government owned

      Considering every machine at the lab has a hostname with a .gov suffix, that either speaks poorly of this lad's intelligence, or is not the case.

    3. Re:Dept. of Entertainment facility by j0n4th4nb34r · · Score: 2, Insightful

      considering he is now an undergraduate studying computer science i should imagine he probably wasn't a script kiddie

      --

      MacOS X, I've upped my standards, Up Yours...
  2. twit by ed.han · · Score: 5, Insightful

    what kind of twit takes the space at a sensitive research facility for MP3s and divx stuff? he should also count himself lucky he wasn't in the US: he'd be halfway to [remote prison facility] within hours.

    serves as proof that hackers aren't necessarily smart.

    ed

    1. Re:twit by ThomK · · Score: 4, Insightful

      > serves as proof that hackers aren't necessarily smart.

      Then they shouldn't be called a hacker

      --

      TK

  3. now will the entertainment industry get him? by sonarniche · · Score: 5, Insightful

    he gets 200 hours for hacking into a national laboratory, but will probably have to pay every last penny he owns to the RIAA and MPAA for having illegal copies of music. hrmm....

  4. Why is Fermi's network attached to the Internet? by Anonymous Coward · · Score: 2, Insightful

    Seems pretty obvious that sensitive computers should be physically separated from any connection to the internet?


    "Computers are an important feature of life in the 21st century," said Judge Goymer.

    "Government, industry and commerce, as well as a whole variety of other institutions, depend upon the integrity and reliability of their computers in order that their proper and legitimate activities can be carried on."


    And that's the problem, in a nutshell. Dependency on technology that's flawed. But neither the judge nor anyone running Fermi seems to realize this.

    We need crackers because without them there would be no one to point out how incredibly vulnerable these systems really are. I'd rather have a cracker root a box to download mp3s now than have a real threat root a box and perform much more covert and dubious actions.

    Obviously testing isn't enough.

    Oh well. Let's lock up all those crackers. Let's keep the sploits in the hands of the real bad guys. Who cares about security.

  5. No "real" harm done. by Yoda2 · · Score: 2, Insightful

    Well since we're reading this it would seem that the l33t script kiddie didn't inadvertently use the collider to create a black hole and/or destroy the universe while "gettin his tunes" so I guess community service is about right.

    Shame on the facility for having such weak security.

  6. Re:This is dangerous. by vijayiyer · · Score: 5, Insightful

    The article isn't very specific about the level of access he had gained. I'm guessing the classified information was firewalled off from the network which he broke into for its internet bandwidth. At the very least, I'd expect (false hope?) that the actual particle accelerator controls aren't accessible from any internet-connected computer.

  7. who the hell modded this insightful? by casuist99 · · Score: 4, Insightful

    You deserve a head exam. Think here - how many people really believe that the control system for the collider is housed on a machine that was compromised (and is thus exposed to the internet at large)? Admittedly, there's a chance, but no moron would set up a network in this way. And who believes there aren't HARDWARE issues that would prevent an explosion - maybe even safeguards? What a freakin thought, considering this is a US DOE site. And what is this toxic material? The collider is basically a bunch of metal. Not sure what he'd overload, but usually heavy atoms or light atoms are slammed together to see what happens and measure particle/energy emissions. Where's the toxic material and explosive?
    Oh, and what villages? They're 45 miles outside Chicago - not the smallest place. Don't worry though. Unless top quarks, CP violation experiments, and Boson experimentation threaten explosion, I think we're ok. Just try researching the subject. "fermilab" I'm feeling lucky gets you there.

  8. Re:Money Making vs IP Stealing.... by fafaforza · · Score: 2, Insightful

    Mod this insightful.

    Kids need to learn that downloading is not entirely free. You could have done something constructive in the time it takes you to cozy up to some release group on IRC, find a usable pub, looking for fills, fixing files with CRC errors, etc.

    Not to mention the obsessive compulsive facet of downloading where you feel a need to keep your machine downloading at all times for fear of letting perfectly good bandwidth go to waste, at which point you go out to scour the net for something -- anything -- to download.

    It is a big time commitment and, like channel surfing, hours fly by like minutes without you having seen anything interesting.

    Or so I heard...

  9. Re:Not put in jail?! by MoogMan · · Score: 2, Insightful

    Hehe, kinda like the defense "Yeah, I broke into the house but hey, I didn't steal anything so I don't deserve to be classed as a 'proper criminal'". Bollocks, you're a criminal.

  10. Re:Not put in jail?! by Stultsinator · · Score: 2, Insightful

    This could spawn a whole thread on rehabilitation, but I'm actually glad the judge didn't send him to prison. This bucks the trend in the states where any computer crime is practically considered terrorism.

    It was a non-violent crime and I don't think society would be one bit safer with him behind bars.

  11. Re:Not put in jail?! by Neurotoxic666 · · Score: 3, Insightful

    Intend to cause harm or not, he did break security. And this wasn't SCO's website, it was a fucking lab! I cannot really understand the decision taken in this case.

    They could at the very least fine him for downloading and/or sharing copyrighted material. Not that I am pro-RIAA (far from it!), it's just that we've seen people fined for less than that in the US. Now that judge just looks dumb.

    On the other hand, I always find it stupid when someone hacks into a computer, tells the company there's a security flaw, and then gets busted for being a major terrorist malicious hacker.

    Now it's the other way around. What he did was malicious (he did not inform the lab of any security breach after he hacked in), and he downloaded music and movies, which is the uttermost heretic act anyone can commit these days.

    Weird.

    --
    You are more than the sum of what you consume. Desire is not an occupation.
  12. Wonder what will happen when the USA gets him... by John+Seminal · · Score: 2, Insightful

    A UK teenager who hacked into a US Government laboratory's computer network has been ordered to serve 200 hours community service. Joseph McElroy used the lab's computers for films and music taken from the net.

    Southwark Crown Court waived a demand for 21,000 in damages as it ruled that McElroy could not pay the fine.

    That is the fine by Britain. I wonder what British law he broke??

    But he obviously broke USA law. I wonder if the FBI can arrest him and force his export.

    I do not understand the culture of people thinking that they own everything. What gave this guy the right to steal bandwidth from someone else? What gave him the right to steal the storage space? What gave him the right to break into someone else's pc?

    The answer is tougher laws and more extradition treaties. And by comparison, what ever happened to that Filipino kid who was caught writing viruses? I thought they threw the book at him. Why will the British kid get an easier sentence?

    --

    Rosco: "If brains were gunpowder, Enos couldn't blow his nose."

  13. Only 200 hours? by SharkPork · · Score: 2, Insightful

    Is "community service" really really punishing or something? They were going to fine him 21,000 dollars, but instead chose to give him 200 hours of community service... That's $105 an hour.. can I find some community service like that? Please?

    --
    If you can read this, you are most likely close enough.
  14. Re:This is dangerous. by Dan+Yocum · · Score: 2, Insightful

    There is no "classified" information at Fermilab, other than payroll information, HR documents, etc. It's a purely scientific, basic energy laboratory.

  15. OK then - but what about by goldcd · · Score: 4, Insightful

    the people in charge of the security at the lab?
    Which do you consider more dangerous:
    #1 Script Kiddie hacking server to store films on.
    #2 Running a nuclear lab with so little security a script kiddie can break in.

  16. Re:Not put in jail?! by Vellmont · · Score: 2, Insightful

    Please. He's a dumb script kid. His crime is more analogous to breaking into a building and having a party in it. Jail time is hardly appropriate, and is more likely to turn him into a hardcore criminal.

    The sentence does seem a bit light though. I think he should probably have been forced to pay the 21K pounds restitution over a period of years (it's not _that_ much money).

    --
    AccountKiller
  17. And what's the fine... by Angstroem · · Score: 4, Insightful

    ...for the sysop who let open an obviously well-known security hole?

    I'm not defending that little hacker guy (erm, what kind of hacker is he anyway exploiting a known weakness to gain bandwidth and storage for MP3 and DivX files... I'd rather make him manually punch one of these files into punch tape instead of those 200 hours civil service which he might find even interesting), but if you run a high-security network infrastructure, then you better be up-to-date with the latest patches and countermeasures. It's not done with applying the latest IE "security update" every Tuesday...

    Now calling for a more drastic punishment and considering the current (IMO fair) one as a green light, just shows what's wrong with some people: If hijacking company computers and networks for bandwidth and storage abuse becomes an increasingly common practice in the online world then those "security experts" should probably do their homework and fix the systems instead of calling the cops.

    If you leave your car open and someone steals your car hifi, it's entirely your fault. (Go ask your insurance...) Whose car it is shouldn't play a role when sentencing the thief.

  18. Old news ... by Anonymous Coward · · Score: 1, Insightful

    I remember reading the original news (early 2003 i think :P) He thought he would hack the university that the ip range had been assigned to. Did you know how the lab found out that they had been hacked? The backups took longer to run than usual :) Yes, they were backing up the files the hacker stored there. A total of 16 Windows PCs had been compromised iirc, and only after a week access had been blocked.

    If the hacker had really been after the data handled by the lab, he would have had more than enough time. I just wonder why systems involved with nuclear shit were (and are?) connected to the internet in the first place?

  19. Crackers are doing us a BIG favour by cdn-programmer · · Score: 2, Insightful

    I've posted this unpopular sentiment before and I guess I am still on the pedestal.

    Those machines, and many others are just as open to our enemies the likes of which include Osama Bin Laden, Saddam Hussein (before he was captured) and many others. Had they cracked in (which they may well have done and may well be doing), the machines will probably not be used as a receptacle for kiddie porn.

    Were it not for kids that are just mucking about poking their collective digits where the authorities would rather not be poked - our authorities would remain FAT DUMB and HAPPY dreaming their collective bliss.

    We live in the real world where we have many real enemies. We need secure systems that we can count on. Each time some kid pokes his finger into a vulnerable spot it helps to educate the masses that they really do need to pay attention.

    Perhaps the judge in this case realises this. 200 hours is a suitable punishment, even if it is perhaps a little severe.

    One thing that I think needs to be recognised is that there are many would-be very competent systems admins who frequent Slashdot. Many of these people would relish a well paying job and could be gainfully employed closing these security holes. Perhaps our authorities and joe sixpack in general should open their eyes and smell the coffee here.

  20. Re:Not put in jail?! by the_mad_poster · · Score: 4, Insightful

    Yea, because as we all know there are no colors but black and white.

    That said, you're obviously not very intelligent, so you must be a total idiot.

    Oh, what's that? I don't know anything about you other than that post? It doesn't matter, that post was stupid, and therefore you deserve to be classified as stupid, right? There's only black or white, so you must either be smart or stupid, and I think the post was pretty dumb, so you must be pretty dumb, correct?

    Or, to put a more "on topic" spin on it, obviously, if you swerve to avoid a chipmunk and run over a child on a tricycle coming out of a blind driveway, it's clear that you are a horrendous murderer and therefore must be given the death penalty immediately. After all, there is no excuse for swerving onto the sidewalk whether you meant to or not, so you must be punished appropriately. You should be held just as responsible for your heinous crime as Ted Bundy was for his, because you are obviously a "proper criminal" just like him.

    The idea that you should be sentenced based on some rigid definition of a crime rather than on your actual impact and your intended impact is so abysmally stupid that I have to call into question the intelligence of anyone who would try to support such a ridiculous idea. If he didn't do any damage and nobody can prove he intended to, he should be sentenced as a minor vandal and a moron. He should in no way, shape, or form be sentenced as if he had stolen sensitive information, damaged any of the equipment, etc. The idea of turning people into "examples" like that serves no purpose other than to deteriorate respect in the legal system. People need to be sentenced accordingly. He was an idiot, and he needs to be sentenced as one. He was not some undercover spy stealing sensitive information, so he shouldn't be sentenced as one. He wasn't even a hacker of any note and it doesn't appear that he was trying to be one, so, again, he shouldn't be sentenced as one.

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  21. Re:Wonder what will happen when the USA gets him.. by Idarubicin · · Score: 2, Insightful

    > But he obviously broke USA law. I wonder if the FBI can arrest him and force his export.

    > I do not understand the culture of people thinking that they own everything. What gave this guy the right to steal bandwidth from someone else? What gave him the right to steal the storage space? What gave him the right to break into someone else's pc?

    He's a script kiddie who stored some mp3s and movies on a poorly-secured machine in an unclassified lab.

    He used some bandwidth and storage space for his personal convenience. He didn't delete anyone's files, set up a spam relay, break into (or try to break into) more sensitive systems, or do any real harm. At worst, he should be on the hook for bandwidth costs and a nominal charge for the use of storage space; he also owes some apologies.

    He's a not-particularly-bright college kid who didn't cause any lasting harm, nor physical injury.

    So--would it be appropriate to take from this kid the years of his life that extradition, an American trial, and the American prison system would take...for downloading some mp3s? Is it worth the cost of transporting him, housing him, and trying him?

    Don't you think the FBI should have better things to do? They won't generally get involved even in the United States unless a million dollars or a kidnapping are involved.

    --
    ~Idarubicin
  22. Re:Ooops, my bad by Hentai · · Score: 2, Insightful

    Here's the lesson:

    Hacking into a national research laboratory with a particle accelerator, attempting to unlock the secrets of the universe = 200 hours community service

    Hacking into a Fortune 500 company, with a dedicated legal team and a public image to maintain = 3-5 years in a federal pound-you-in-the-ass prison.

    Are we taking notes?

    --
    -Hentai [in vita non pacem est]
  23. Re:Not put in jail?! by Stultsinator · · Score: 2, Insightful

    Teaching him not to commit crimes will of course make society safer. However, I don't think you can show that sending him to jail will teach him that lesson.

    In Australia at least, 41 per cent of all inmates who had served a prison term [are] returning to jail within two years. I don't think any other country can boast of significantly better numbers (unless, of course, they immediately execute people found guilty.)

    Rehabilitation is a subject that some people spend their whole lives studying, so I really can't suggest better methods of handling this kid. Maybe a week or two behind bars would suffice to scare this kid straight. On the other hand, it might also teach him the lesson that he needs to be more devious and ruthless the next time he commits a crime. He can certainly meet plenty of mentors for that during his stint. I would just like to encourage a little thought behind sentencing.

    Crime isn't a single variable equation (criminal | !criminal) that can be adjusted solely by length of time in jail. If more of the public believed this, fewer legislators would feel the need to appear tough on crime by mandating jail time.