Fermi Lab Compromised by Pirate
tttonyyy writes "The US Department of Energy sounded a full scale alert after machines were compromised at the Fermi National Accelerator Laboratory, according to this BBC article. It turns out that the hacker was a student using the machines to download and store music and movies."
used to store MP3's and DIVX's.
...
:-D
Shock Horror
Now if he'd accessed the controls for the particle accelerator and was able to spin it up then that's news.
Worst
The China Syndrome
re*ac*tor by Neil Young
Duke Nukem Platinum Edition
Christmas at Ground Zero by Weird Al
The Atomic Cafe
Everyone's favorite video clip of Janet Jackson's right breast
Don't blame Durga. I voted for Centauri.
Um. This happened in 2002 according to the article. I think we've missed the boat on this one... the actual new information is the sentence handed down to the culprit.
++ Say to Elrond "Hello.".
Elrond says "No.". Elrond gives you some lunch.
The kid could have picked a less prominent host to save money on a hard drive.
Given that he probably did it for the self-boast rather than space, he should be roasted.
what kind of twit takes the space at a sensitive research facility for MP3s and divx stuff? he should also count himself lucky he wasn't in the US: he'd be halfway to [remote prison facility] within hours.
serves as proof that hackers aren't necessarily smart.
ed
This hacker could have inadvertently invented cold fusion just before Morgan Freeman destroyed Chicago in an attempt to keep him from hooking up with Kate Winslet on his super-sonic 50cc Kawasaki.
I know for a fact this could have been worse. I saw it at the theater. Full price.
he gets 200 hours for hacking into a national laboratory, but will probably have to pay every last penny he owns to the RIAA and MPAA for having illegal copies of music. hrmm....
I wanted to see someone write "1 4m 1337" using an electron accelerator.
Arrr ... matey ... I reckon 'tis gold in dem particle collectors!
The national labs have done a good job at firewalling off the non-professionally administered machines where feasible, but the academics really don't like anything that slows down collaboration. Thus there are lots of open machines, ftp and telnet still abound and give lots of opportunities to swipe usernames/passwords in the clear even though ssh and scp are available, etc.
Most (but not all) machines running the accelerator and the detectors are on their own mostly-private subnets.
In a surprise announcement from Fermi Labs, it would seem that the basic building blocks of matter, created from our accelerator tests is in fact, pr0n.
In fact there seemed to be quite a lot of it in our reports, as well as some indication that the sound of the big bang was in fact a Britney Spears mp3...
Not True. I work in IT at another accelerator lab in the US, and the control network is on an entirely different network firewalled off, MAC restricted, etc. Even the software engineers responsible for the control system have to be wired behind the firewall.
On a not unrelated note, we have been hacked several times by people uploading movies, MP3s, etc. The system was never rebuilt and the files were simply deleted. In general accelerator labs are not staffed for the super-anal security that you would expect (to say nothing of the number of MP3s, etc. that legitimate users have on the server)...
The article isn't very specific about the level of access he had gained. I'm guessing the classified information was firewalled off from the network which he broke into for its internet bandwidth. At the very least, I'd expect (false hope?) that the actual particle accelerator controls aren't accessible from any internet-connected computer.
I've worked at Fermi National Accelerator Lab (fnal.gov) for 4 years, so perhaps I could troll a bit: since they have so many Linux machines (nearly all on Internet accessible IP) and no firewall (recently there are some firewalled ports) this is not a unique occurrence, this happens *all* the time.
On the other hand, FermiLab does no defense/weapon work of any kind or any classified work as far as I know, a lot of people confuse it with Argonne National Lab (and be really glad Argonne wasn't named an Accelerator Lab, otherwise we'd have anal.gov)
-frin
Here's what really happened. Users in one of the labs are all given web space on a web server. Now, the IT staff is low on manpower, with government funding being diverted to the war in Iraq. So, security (among other things) is kind of lax.
Basically, McElroy ran Jack the Ripper on the password file. We're using an SGI 1400L from 1997. He got the root password, and removed the limits of his disk quota. Then, he stored a bunch of ripped DVD's and MP3's in his webspace.
Now you ask, why isn't the government making a big deal about this? They know their security policy is weak, and they just ramped it up. The 'alert' is really just a few days for them to get things back the way they should be. If they said "well, we won't prosecute him because if people really know what happened, it'd make us look bad", what would the American public (and rest of the world) think?!
It could have been worse. He could have been caught smuggling atoms out of the place in his pockets.
"See? He's got atoms in his pockets! Call the local constabulary, Smithers!"
Don't blame Durga. I voted for Centauri.
It sounds like he was just a student who had access to those machines. Does knowing the root password make you a hacker?
How about a new headline: Student abuses Lab's computers.
heh, do you really think you can /. the bbc?
Have a look here to see their traffic. Totals are here. They can handle 2gb/sec. That's some monster pipe, and it will take some severe slashdotting.
On the count of three, hit refresh like a mofo. If all 600,000 of us do it we might just create a tiny lump on that graph.
You deserve a head exam. Think here - how many people really believe that the control system for the collider is housed on a machine that was compromised (and is thus exposed to the internet at large)? Admittedly, there's a chance, but no moron would set up a network in this way. And who believes there aren't HARDWARE issues that would prevent an explosion - maybe even safeguards? What a freakin thought, considering this is a US DOE site. And what is this toxic material? The collider is basically a bunch of metal. Not sure what he'd overload, but usually heavy atoms or light atoms are slammed together to see what happens and measure particle/energy emissions. Where's the toxic material and explosive?
Oh, and what villages? They're 45 miles outside Chicago - not the smallest place. Don't worry though. Unless top quarks, CP violation experiments, and Boson experimentation threaten explosion, I think we're ok. Just try researching the subject. "fermilab" I'm feeling lucky gets you there.
That's not to say that massive damage/downtime can't be done by breaking into the right machines.
This happened last year, he's only just been sentenced (by the British, not the Americans). And this had nothing to do with the Patriot Act. The reason he chose Fermi Labs is that he mistakenly thought it was an academic facility and so would not pay bandwidth fees (unis etc in England don't pay for bandwidth)
I'm not condoning his actions, just trying to clear up some of the FUD
There are thousands of computers at Fermilab, the vast majority of which are desktop workstations running linux (logins are through Kerberos). Being your typical office computers sitting on a desk, they are connected to the internet via fairly high bandwidth. As we know, the WWW was invented in order for high-energy physicists to share data throughout the world, so not only does it not make sense for these machines to be cut off from the internet, it is an essential part of scientific research. Any machine that actually controls an aspect of an experiment (connected to any sort of particle accelerator or detector) is not likely to be connected to the internet.
So, yes, physicists and other scientists do depend on flawed technology, mostly because it's the easiest way to be able to keep connected when you're dealing with large collaborations stretched across the world. The downside may be the occasional kid (wrongfully) taking advantage of a desktop machine attached to a T1 line. Where security is more vital, it is present. But it's simply impossible to ensure that everyone's desktop machine is secure or not.
Instead he ends up doing community service. Exeter is about half an hour from here. The community service in this part of the UK is an incredibly harsh and difficult punishment. I'll describe it for those who have not come across its horrors before.
It's likely that he will end up being forced to sit in a sunny field in the middle of the Devon countryside smoking joints and drinking cans of extra strong lager with all the other community service peeps, while they supposedly dig some ditch that doesn't need to be dug so nobody will ever care about it actually being done or not.
That'll learn 'im.
the people in charge of the security at the lab?
Which do you consider more dangerous:
#1 Script Kiddie hacking a server to store films on.
#2 Running a nuclear lab with so little security a script kiddie can break in.
As a Pirate-American, I take offense at the use of the term "pirate" for a simple hacker or cracker. Where are his sea legs, his parrot/monkey, his eye patch or pegleg?
I'm not defending that little hacker guy (erm, what kind of hacker is he anyway exploiting a known weakness to gain bandwidth and storage for MP3 and DivX files... I'd rather make him manually punch one of these files into punch tape instead of those 200 hours civil service which he might find even interesting), but if you run a high-security network infrastructure, then you better be up-to-date with the latest patches and countermeasures. It's not done with applying the latest IE "security update" every Tuesday...
Now calling for a more drastic punishment and considering the current (IMO fair) one as a green light, just shows what's wrong with some people: If hijacking company computers and networks for bandwidth and storage abuse becomes an increasingly common practice in the online world then those "security experts" should probably do their homework and fix the systems instead of calling the cops.
If you leave your car open and someone steals your car hifi, it's entirely your fault. (Go ask your insurance...) Whose car it is shouldn't play a role when sentencing the thief.
Yea, because as we all know there are no colors but black and white.
That said, you're obviously not very intelligent, so you must be a total idiot.
Oh, what's that? I don't know anything about you other than that post? It doesn't matter, that post was stupid, and therefore you deserve to be classified as stupid, right? There's only black or white, so you must either be smart or stupid, and I think the post was pretty dumb, so you must be pretty dumb, correct?
Or, to put a more "on topic" spin on it, obviously, if you swerve to avoid a chipmunk and run over a child on a tricycle coming out of a blind driveway, it's clear that you are a horrendous murderer and therefore must be given the death penalty immediately. After all, there is no excuse for swerving onto the sidewalk whether you meant to or not, so you must be punished appropriately. You should be held just as responsible for your heinous crime as Ted Bundy was for his, because you are obviously a "proper criminal" just like him.
The idea that you should be sentenced based on some rigid definition of a crime rather than on your actual impact and your intended impact is so abysmally stupid that I have to call into question the intelligence of anyone who would try to support such a ridiculous idea. If he didn't do any damage and nobody can prove he intended to, he should be sentenced as a minor vandal and a moron. He should in no way, shape, or form be sentenced as if he had stolen sensitive information, damaged any of the equipment, etc. The idea of turning people into "examples" like that serves no purpose other than to deteriorate respect in the legal system. People need to be sentenced accordingly. He was an idiot, and he needs to be sentenced as one. He was not some undercover spy stealing sensitive information, so he shouldn't be sentenced as one. He wasn't even a hacker of any note and it doesn't appear that he was trying to be one, so, again, he shouldn't be sentenced as one.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
I completely disagree. Furthermore, I think that yours may be the same kind of thinking that US legislators have when creating laws to cover new technology. Such black-and-white thinking seems pretty irresponsible to me. It does not allow for judges to use discretion, as this one has.
Let's take a look at it from a harm perspective. How much trouble did this really cause? Some kid cracking files to steal someone else's bandwidth -- this is akin to petty larceny -- maybe breaking and entry at worst. I can understand a judge opting for leniency in this case, the same way they may be inclined to opt for leniency for a breaking and entry case. Just because very few people understand the crime, doesn't necessarily mean that it should carry a requisite absolute punishment. That's just an overreaction -- no different from mandatory minimum sentencing for drug offenders. All that will do is overcrowd prisons and turn part-time petty criminals into full-time criminals. I don't know about English prisons, but I've seen US prisons -- from what I read in the article, this kid doesn't belong there.
Now, if McElroy had caused any real damage (like viewing classified material, etc) -- then an appropriate penalty should have been levied. However, unless our DoE computer centers are run by complete morons, there's probably a really good chance that classified materials were not available to McElroy. If this was apparent, it adds far more credibility to the argument that a 17-year-old kid (this was 2 years ago) was just screwing around.
On another note:
If there actually was classified material at stake, it begs the question: What asshole puts a network like this on the public Internet? Isn't that asking for a terrorist attack? It brings to mind another law: In some US states, it's illegal to leave your car idling with the key in it. It's ticketable and adds points to your license. Sure, if some asshole steals the car, it's far more illegal -- but it shares some of the responsibility with the operator. Shouldn't someone at Fermi lab be held responsible for this as well? This is a DoE computer that my tax dollars paid for. I say that we should forget about creating more anti-terrorism laws. If someone makes the colossal fuck-up of making a classified system accessible on the public Internet, in any way, they should be penalized for negligently putting millions of lives at risk (allowing for flexible sentencing as the judge sees fit, of course).
-Turkey