Slashdot Mirror


Fermi Lab Compromised by Pirate

tttonyyy writes "The US Department of Energy sounded a full scale alert after machines were compromised at the Fermi National Accelerator Laboratory, according to this BBC article. It turns out that the hacker was a student using the machines to download and store music and movies."

13 of 280 comments

  1. Old news? by iapetus · · Score: 5, Interesting

    Um. This happened in 2002 according to the article. I think we've missed the boat on this one... the actual new information is the sentence handed down to the culprit.

    --
    ++ Say to Elrond "Hello.".
    Elrond says "No.". Elrond gives you some lunch.
  2. This is dangerous. by Samuel+Duncan · · Score: 1, Interesting

    An attacker who compromises Fermi Lab's systems usually also has access to the control of the large hadron collider they have there.
    A manipulation can destroy important experiments. Even worse, they can't be sure whether the hacker has tampered with the collider data. So they have to repeat all experiments from the last weeks.
    Furthermore, the hacker can do more than just tamper with data. Indeed, it can overload the collider, resulting in an explosion. This would set off a cloud of toxic material threatening the surrounding villages.

    --
    Over 90 years and counting !
    1. Re:This is dangerous. by Lumpy · · Score: 3, Interesting

      not always the case. the Muskegon Michigan water filtration plant has its control computers on the network that has internet access so the paranoid supervisor can PC anywhere to spy on his employees. they have been infected several times with random viruses and trojans only because the idiot in charge of the plant won't listen to experts that that kind of stuff needs to be isolated.

      one medium skilled cracker could easily cause insane damage/havoc by getting into those systems.

      does the management care? nope. and if this is for an important thing like a water filtration plant, there is a very GOOD chance that their "critical" systems are just as open.

      Important systems need to be disconnected completely. there is no reason to read your email or surf the net on the control PCs.

      --
      Do not look at laser with remaining good eye.
  3. Not put in jail?! by seidleroniman · · Score: 3, Interesting

    "Judge Andrew Goymer decided against sending McElroy behind bars as he had not accessed classified material on the network and had not intended to cause harm." This is quoted from the article, but in my opinion, I don't care what your intentions are, you hack into a place like that you should be thrown in jail even if it's just to show everyone else how serious you are.

    1. Re:Not put in jail?! by Anonymous Coward · · Score: 1, Interesting

      Why is a place like that connected to the Internet, anyway?

    2. Re:Not put in jail?! by j-turkey · · Score: 4, Interesting
      I don't care what your intentions are, you hack into a place like that you should be thrown in jail even if it's just to show everyone else how serious you are.

      I completely disagree. Furthermore, I think that yours may be the same kind of thinking that US legislators have when creating laws to cover new technology. Such black-and-white thinking seems pretty irresponsible to me. It does not allow for judges to use discretion, as this one has.

      Let's take a look at it from a harm perspective. How much trouble did this really cause? Some kid cracking files to steal someone else's bandwidth -- this is akin to petty larceny -- maybe breaking and entry at worst. I can understand a judge opting for leniency in this case, the same way they may be inclined to opt for leniency for a breaking and entry case. Just because very few people understand the crime, doesn't necessarily mean that it should carry a requisite absolute punishment. That's just an overreaction -- no different from mandatory minimum sentencing for drug offenders. All that will do is overcrowd prisons and turn part-time petty criminals into full-time criminals. I don't know about English prisons, but I've seen US prisons -- from what I read in the article, this kid doesn't belong there.

      Now, if McElroy had caused any real damage (like viewing classified material, etc) -- then an appropriate penalty should have been levied. However, unless our DoE computer centers are run by complete morons, there's probably a really good chance that classified materials were not available to McElroy. If this was apparent, it adds far more credibility to the argument that a 17-year-old kid (this was 2 years ago) was just screwing around.

      On another note:

      Fearing a terrorist attack, the computer was closed down for three days
      If there actually was classified material at stake, it begs the question: What asshole puts a network like this on the public Internet? Isn't that asking for a terrorist attack? It brings to mind another law: In some US states, it's illegal to leave your car idling with the key in it. It's ticketable and adds points to your license. Sure, if some asshole steals the car, it's far more illegal -- but it shares some of the responsibility with the operator. Shouldn't someone at Fermi lab be held responsible for this as well? This is a DoE computer that my tax dollars paid for. I say that we should forget about creating more anti-terrorism laws. If someone makes the colossal fuck-up of making a classified system accessible on the public Internet, in any way, they should be penalized for negligently putting millions of lives at risk (allowing for flexible sentencing as the judge sees fit, of course).
      --

      -Turkey

  4. Machines admin'ed by postdocs and grad students by shoppa · · Score: 4, Interesting
    Realistically, many of the machines at Fermilab are admin'ed by physics postdocs and grad students. Their first priority is science, of course, and few have had any "official" training in setting up secure machines.

    The national labs have done a good job at firewalling off the non-professionally administered machines where feasible, but the academics really don't like anything that slows down collaboration. Thus there are lots of open machines, ftp and telnet still abound and give lots of opportunities to swipe usernames/passwords in the clear even though ssh and scp are available, etc.

    Most (but not all) machines running the accelerator and the detectors are on their own mostly-private subnets.

  5. Re:twit by gl4ss · · Score: 4, Interesting

    well I wouldn't be surprised if he didn't even know it was the fermi labs.

    these type of guys scan just vast numbers of servers for flaws (open your apache log and you'll see a few) then open up some space on ftp and fxp some stuff to it from another (sometimes) similar ftp and then go post the thing on some list for fame (or tell it to some group of theirs). most companies never bother to raise hell over this, and most of the time it would be very difficult too as the ftp might have been used by hundreds of people all over from the globe.

    --
    world was created 5 seconds before this post as it is.
  6. Compromised? Hacker? Pirate? by freeze128 · · Score: 4, Interesting

    It sounds like he was just a student who had access to those machines. Does knowing the root password make you a hacker?

    How about a new headline: Student abuses Lab's computers.

  7. Particle Colliders by solarlux · · Score: 3, Interesting

    While we're on the topic of particle accelerators, mark your calendars for 2007 -- that's when the Large Hadron Collider will be completed in Switzerland, marking a significant step forward in particle physics.

    Here's a brief description from the CERN website:

    What is LHC? The Large Hadron Collider (LHC) is a particle accelerator which will probe deeper into matter than ever before. Due to switch on in 2007, it will ultimately collide beams of protons at an energy of 14 TeV. Beams of lead nuclei will be also accelerated, smashing together with a collision energy of 1150 TeV.

    A TeV is a unit of energy used in particle physics. 1 TeV is about the energy of motion of a flying mosquito. What makes the LHC so extraordinary is that it squeezes energy into a space about a million million times smaller than a mosquito.

    The LHC is the next step in a voyage of discovery which began a century ago. Back then, scientists had just discovered all kinds of mysterious rays, X-rays, cathode rays, alpha and beta rays. Where did they come from? Were they all made of the same thing, and if so what? These questions have now been answered, giving us a much greater understanding of the Universe. Along the way, the answers have changed our daily lives, giving us televisions, transistors, medical imaging devices and computers. On the threshold of the 21st century, we face new questions which the LHC is designed to address. Who can tell what new developments the answers may bring?

  8. Legal precedent set with punishment by eagl · · Score: 2, Interesting

    More interesting than the actual act of hacking into a US DoE network is the legal precedent set by the Judge in the UK. Although he found the kid guilty and sentenced him to 200 hours of community service, he failed to make him pay the roughly $38,000 in damages he cost the DoE as they took 17 computers down for 3 days to clean up the mess he made.

    According to CNN http://www.cnn.com/2004/TECH/internet/02/03/britain.hacker.reut/index.html the justification for failing to make the kid pay the actual financial damages he caused was that no classified information was compromised. This sets a legal precedent that is simply outstanding for budding young international hackers both in the US and the UK, because it means that as long as they do not compromise classified information, they can cause as much financial loss as they want and not be held liable for it beyond public service outside of the country they caused the damage in. For US script kiddies, this should mean that if they're caught hacking into UK government systems, the UK government should not ask the US to recover any financial damages unless classified information was compromised.

    See, the US and UK really ARE allies in the war against... ummm... are we FOR or AGAINST script kiddies this week?

  9. And that sentence is... by fizbin · · Score: 3, Interesting

    Nothing.

    Nothing, aside from the notoriety of this trial, which may not even follow him that far - a google search on his name (Joseph McElroy) doesn't even turn up stuff referring to him in the first page. (That's what he gets for sharing his name with a famous author.)

    The judge decided against jail time because "he had not accessed classified material on the network and had not intended to cause harm". Also, the monetary claim for damages against him was waived on the grounds that he wouldn't be able to pay it.

    "not intended to cause harm"? "not intended to cause harm"? Tell me, can I bypass the metal detectors at Heathrow simply because I'm not carrying any weapons, and even if I were, intend to cause no harm with them? What if I just want to drive to the store and back, but would rather hotwire your car instead of walking?

    Sure, I understand that the US has some truly brutal criminal trespass laws that are probably way out of proportion to the act they supposedly punish, and that therefore a UK judge might be more lenient in this case than a US one would, but... nothing?

  10. Re:OK then - but what about by hildaur · · Score: 2, Interesting

    Except, of course, that Fermilab does no classified or weapons related research at all.

    -Hil