Slashdot Mirror


South Pole Research Station Hacked Twice

Marda writes "It's been known for a while that Romanian cyber extortionists cracked the computer network at the Amundsen-Scott South Pole Station last year. Now SecurityFocus is reporting that another computer intruder penetrated the station just two months before, and cracked the data acquisition system for the Degree Angular Scale Interferometer (DASI), a radiotelescope that measures properties of the cosmic microwave background. It turns out the station was insecure 'purposely, to allow for our scientists at this remotest of locations to exchange data under difficult circumstances,' according to internal reports."

31 of 292 comments

  1. ??????WTF?????? by Anubis350 · · Score: 3, Insightful

    insecure purposely? what about SSH? what about VPN? jesus, aren't these scientists smart? can't they use some tools? for that matter, can't someone create a gui so they don't have to?
    this is the most ridiculous thing I've ever heard.

    --
    "goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
    1. Re:??????WTF?????? by Anonymous Coward · · Score: 1, Insightful

      insecure purposely? what about SSH? what about VPN? jesus, aren't these scientists smart?

      Dude, chill out .. they're scientists not computer programmers. So maybe they hired a bad IT person for their computers .. I don't see you willing to go out there and hook them up.

    2. Re:??????WTF?????? by urlgrey · · Score: 5, Insightful

      This has got to be among the all-time lamest excuses I've ever heard uttered.

      For Pete's sake HIRE A CONSULTANT or better yet ASK FOR VOLUNTEERS. I'm sure there are plenty of folks out there who'd LOVE to have something like this on their resume.

      C'mon. How about: we were cracked because we were lazy. Now that I'll buy--the first time.

      --
      Running 'Nix is like owning a Lightsaber. It's "a more elegant weapon for a more civilized time."
    3. Re:??????WTF?????? by fireman+sam · · Score: 4, Insightful

      Why is this a troll?

      It is a valid point. If you do not have the skills to do something, pay someone to do it. If you don't have the funds, ask for a volunteer.

      These people have screwed around with their system until the data transfer did what they wanted. What they didn't realize (I hope) is that they have opened up their system to these sorts of attacks.

      If business did this sort of thing, imagine what the web would be like now...

      --
      it is only after a long journey that you know the strength of the horse.
    4. Re:??????WTF?????? by Bi()hazard · · Score: 4, Insightful

      No, of course not. If they could, they would be computer scientists, or hackers. Instead they are physicists.

      Exactly. Those of us immersed in the information technology world often have little or no exposure to the disciples of pure science. And undergraduate physics students don't count. Traditional scientists don't think the way IT people or even computer scientists do. We see a system, and the goal is to optimize that system to perform correctly and efficiently. Traditional scientists have no interest in applied technology. Their goal is to gather knowledge, and to hell with everything that gets in the way. Typing in a tough password, applying patches, and following "best practices" gets in the way.

      To make matters worse, these people are highly educated and are often the resident lords of their specialties. Academic types tend to have swollen egos. Poke something swollen, and it hurts-these guys will be pissed off if you try to tell them what to do, and more pissed off if what you're telling them to do doesn't clearly further their scientific goals. They simply don't take the computer security threat seriously, and they refuse to worry about it until they get burned.

      It's hard for you to understand rational people saying, "ha, who in their right mind would hack into our secret antarctic lab full of data?" But most slashdotters would have the same attitude towards other things they don't have experience with. How many of you fear the consequences of unsecured eyelash curlers? Yes, eyelash curlers, which so befuddle the opposite sex and are an essential in many ladies' makeup boxes double as a lethal instrument of pain and torture - as my best friend can testify.

      Last week as she was getting glammed up for a party she was trying to do 25 million things at once and not concentrating on any of them. What exactly happened though remains a bit of mystery-all I know is that moments after whatever did happen, she was screaming in pain, bruised and bleeding, with lashes no longer in lids but in the curlers. Suffice to say she shan't be using eyelash curlers ever, ever, ever, EVER again.

      She's not the only one who has been incapacitated as the result of a cosmetic catastrophe and it is actually more common than one would suppose. Another friend had a very unfortunate accident on the night of a May Ball last summer. She was rushing around straightening her hair, helping a friend with her makeup, making a phone call, and trying to decide which bag to take when she encountered the upturned business end of her electric hair straighteners. You could hear the screams from across the street!

      So now you know! which is like half the battle. Trying to do your lashes can land you in the hospital, a fiendish fate not "faced" by hacker victims! Girls will always want their makeup but for our peace of mind and for the longevity of your eyelashes and more importantly, your eyesight, I implore you to throw away your eyelash curlers. They are very very dangerous.

      Now if you'll excuse me, I have to go wash up..this foundation doesn't cause cancer..right?

    5. Re:??????WTF?????? by zurab · · Score: 5, Insightful
      Those of us immersed in the information technology world often have little or no exposure to the disciples of pure science. And undergraduate physics students don't count. Traditional scientists don't think the way IT people or even computer scientists do. We see a system, and the goal is to optimize that system to perform correctly and efficiently. Traditional scientists have no interest in applied technology. Their goal is to gather knowledge, and to hell with everything that gets in the way. Typing in a tough password, applying patches, and following "best practices" gets in the way. ...
      But most slashdotters would have the same attitude towards other things they don't have experience with.

      I am not a car mechanic or an electrician, but if my car alarm and door locks stop working, I take it to a mechanic who can fix it. I don't park the car on public street at night where it may get stolen. The excuse that since they know and care little about security, they can skip it altogether, is - as others pointed out - lame. A computer network containing sensitive or important data connected to the Internet requires security, whether you are a 3-time Nobel prize laureate or a warehouse janitor.

      And as far as things that "get in the way" - security practices, or lack thereof - could easily get in the way of collecting and keeping valuable scientific data.
    6. Re:??????WTF?????? by bbuR_bbuB · · Score: 4, Insightful

      There are a limited amount of people who may occupy the South Pole at any one time due to humans' impact on the environment down there. Why waste a bed on a sysadmin when you could have more important people doing more important work?

    7. Re:??????WTF?????? by gravytas · · Score: 5, Insightful
      I am not a car mechanic or an electrician, but if my car alarm and door locks stop working, I take it to a mechanic who can fix it.

      Clearly you're not a physicist. Most of the ones I've worked for, some of whom are also at the pole, are convinced that:
      since physics is one bad mamajama of a difficult subject, and as they've kicked that bad mamajama's ass, they are gods among men, seemingly privy to the unknown secrets of the universe.

      They hire IT people not because IT is too difficult for them to do on their own, but too mundane. Please don't make the mistake of telling them how things should be done.

    8. Re:??????WTF?????? by dargaud · · Score: 2, Insightful
      it wouldn't work in your favor that your resume is a Word file
      Well, you are a bit naive if you think HR depts take anything else than Word files...
      --
      Non-Linux Penguins ?
  2. This is disgusting behavior by AKAImBatman · · Score: 4, Insightful

    Some people are just plain jerks. Sure, I want to know if my financial information is safe. But why should hackers take the time to bother scientific equipment?

    I can just see it now. A buoy in the ocean with millions of dollars in scientific instruments and sensors, collecting data for good of all mankind. Then some hacker finds his way in through the radio connection and manages to burn out or blow up the equipment by playing with the settings. His excuse? "See! It should have been secure! Next time you'll know better!" Way to miss the point, jack.

    1. Re:This is disgusting behavior by DramaGeek · · Score: 5, Insightful

      They'll do it because it's a fairly good target. It's one-of-a kind, and hacking it got them at least an article at Securityfocus and a mention here. Sure, they don't really gain anything from it, but since when has that been a requirement of hacking?

    2. Re:This is disgusting behavior by AKAImBatman · · Score: 4, Insightful

      And I hope the law throws the *#@$ing book at them! It's all very funny until someone is seriously hurt by this type of hacking. "Oh, hah, hah! I broke their toy! They've got lots of money! No biggie!" That sort of thinking is absolute bull. Scientists have to work VERY hard to secure funds for their endeavours. It can take literally YEARS to secure the funding for a SINGLE project! If they've built something that costs 1 million, you can bet that they only had money enough to build ONE.

      The worst part is that the scientist is doing it so that that jack*$$ who broke his system has new technologies and knowledge available to him! Yet this punk goes around trashing other people's stuff because it makes him "hip and cool", and he's "doing the scientists a favor by testing their systems". He has NO F###ING CLUE what kind of conditions this equipment has to operate under!

      Take the South Pole station in the article. They only get unreliable and intermittent Internet access from retired satellites that have had their orbits moved to support the South Pole! Only a FEW HOURS A DAY! And some hacker kid vandalizes them for trying to get work done.

    3. Re:This is disgusting behavior by Draknor · · Score: 2, Insightful

      Scientists have to work VERY hard to secure funds for their endeavours. It can take literally YEARS to secure the funding for a SINGLE project! If they've built something that costs 1 million, you can bet that they only had money enough to build ONE.

      I hate to say it, but then the scientists need to find someone WITH A COMPUTER SECURITY CLUE!

      I don't expect physicists to know how to secure a network. But I would expect that, if they are dealing with precious data and networks, that they would hire or find volunteers to help protect that data. Too bad it doesn't sound like that's the case.

    4. Re:This is disgusting behavior by Cliff+Stoll · · Score: 2, Insightful

      True. And sad.

      -Cliff

  3. It's a different field of knowledge. by Short+Circuit · · Score: 5, Insightful

    Scientists are generally knowledgeable, but only in their field of specialization. You don't expect a particle physicist to know about macro biology, and you don't expect an ornithologist to know about particle physics.

    Computer security is another one of those fields that requires its own study time to be competent in, and most people aren't interested or don't want to spend the time.

  4. Re:On purpose for a reason... by Anonymous Coward · · Score: 3, Insightful

    Because if you had some brain you'd figure out that geosync orbit has to be straight above the equator.

  5. Put it in perspective... by riptide_dot · · Score: 5, Insightful

    FTA:

    "Given the fact that no financial records or systems were compromised, no safety or loss of life was threatened, and no critical system corrupted, we need to balance legitimate security needs with the legitimate needs of our scientists at the Pole," the memo reads.

    ...Other documents show that less than two months earlier the NSF's security team was plunged into a similar fire drill when a computer intruder named "PoizonB0x" penetrated the primary and backup data acquisition servers for a radio telescope at the station called the Degree Angular Scale Interferometer (DASI), which measures properties of the cosmic microwave background radiation -- the afterglow of the Big Bang. The intruder, rated a prolific website defacer by tracking site Zone-H, used his moment of cosmic access to erect a webpage on the servers proclaiming, "I love my angel Laura."


    Now, I'm not one for people snooping around in my stuff when they're not invited or anything, but consider this: The first hack modified a web page on a system that collects monitoring data (but most likely does not contain other meaningful data, like formulas), and the second intruder accessed no financial data, did not threaten safety, and did not corrupt any critical systems.

    Isn't it possible that the systems that were compromised were actually left insecure, not necessarily "on purpose", but because they felt that there wasn't much of a need to secure them in the first place? They probably calculated the possible risks and decided that, if both systems did in fact only contain informational webpages or data collected from their equipment, that there wasn't much point in worrying a lot about securing them (after all, who would really care about the data besides them?).

    --
    I was in the park the other day wondering why frisbees get bigger and bigger the closer they get - and then it hit me.
  6. Leave your front door open on the internet.... by syousef · · Score: 2, Insightful

    ...and expect to get net burgled. Really is that simple. Regardless of the technical or budgetary constraints that's the way it is. The internet is a nice borderless place and even if everyone at your base station is nice and honest, that doesn't mean there aren't criminals within reach of your data.

    The correct way to deal with this is to have a DMZ - a nice public facing internet machine that isn't as security critical as your primary experiment instrument. This may mean a compromise in terms of budget and/or data availability.

    --
    These posts express my own personal views, not those of my employer
  7. Re:Bah! by Anonymous Coward · · Score: 1, Insightful

    Fix it yourself? Will you now?

    Let's see. The hardware in the field is specialized ASICs chips driving custom built sensors. No linux distro will run on it. Even if you do write some custom ssh for the chips, you need to make sure they have enough power to do prime exponentiation operations--expensive in terms of power. Likely, your little offer to "fix it yourself" will be laughed at by the men who built the devices, under budgets, and tough enough to operate at 100 below zero.

    Look, it's not your mother's E-machine. It's custom hardware that needs to talk to machines that have to be left insecure. Otherwise, the cost of doing science down there goes up, and some experiments just can't be run.

    Heck, if they'll buy me the books

    What? Do you think there's an O'Reilly book on the one-of-a-kind ASICS chips they have? Sounds more like they'd have to buy you an education. Come to think of it, I think they're better off sending down qualified scientists. As it is, I don't think you're even qualified to teach high school science. No offense.

  8. slashdotters don't have a fucking clue, as usual by maxpublic · · Score: 3, Insightful

    The Amundsen-Scott station is very expensive to maintain. During the winter the entire base population can be as low as 17 individuals; this can increase significantly during a few months out of the summer, but with cuts in funding the total personnel at the station remains low.

    The station is designed for one thing: scientific research. With that in mind, the people you send to the station are those capable of doing the research, or those that are capable of maintaining the station so that others can do their research. Most of the folks there are conversant in a half-dozen jobs - *because they have to be*. There isn't enough funding for critical positions, much less a position like 'computer network administrator' which is nothing more than dead weight 99% of the time. A person who, if they can't also fix tractor engines, maintain the fuel-based heating system, and help calibrate various pieces of astronomical equipment, is nothing more than a waste of space, food, and energy.

    No doubt the Amundsen-Scott folks decided to do business 'as usual', e.g., in a not very secure manner, because a) who the hell would want to hack the system when there's nothing to gain?, and b) there isn't anyone there whose life work is system security.

    (In fact, I'm willing to bet they *could* secure the system in a decent manner, but never saw the point of it since they couldn't conceive of why anyone would want to mess with it in the first place. Frankly, I can't either; it takes a real jack-off to do something like this.)

    All those clueless gits out there who scream "they should have a network administrator!" might want to keep in mind that a network administrator isn't worth his weight in fuel to ship out there, much less keep around during the eight months of the year they're pretty much cut off from the outside world. And yes, that means *you*; if all you know is network administration/security then you're a useless waste of good oxygen at Amundsen-Scott, and the people there neither want nor need you cluttering up the cramped base, eating their food and using their heat.

    Max

    --
    My god carries a hammer. Your god died nailed to a tree. Any questions?
  9. Ease of use != Insecure by losttoy · · Score: 4, Insightful

    Ease of use does not mean it has to be insecure!! Strong passwords and patched applications do not make usage difficult!!

    1. Re:Ease of use != Insecure by Mika_Lindman · · Score: 2, Insightful

      Ease of use does not mean it has to be insecure!! Strong passwords and patched applications do not make usage difficult!!

      Complex things require complex computer systems. Complex computer systems are complex to keep secure, more so when you need to maintain some kind of level of usability.

  10. Re:Bah! by spudgun · · Score: 3, Insightful

    has anyone here on /. considered that it might be a link which goes up and down a lot ?

    have you seen what happens when your encrypted link keeps dropping ....

    --
    Type unto others as you would have them type unto you.
  11. Re:Security is against scientific spirit! by saiha · · Score: 2, Insightful

    Hmm, I haven't seen this documentary but there is a difference between sharing scientific knowledge (read access) and modifying that information with disregard to authority (read/write access).

    I don't think a researcher would appreciate it if another, even a scientist, updated the research without the approval of the researcher. Reading that same information and giving feedback however, is different.

  12. Re:What's the big deal by NerveGas · · Score: 1, Insightful


    You come home, someone's obviously been inside your house. Your door is open, they've gone through everything in the house.

    After days of searching everything in the house, it's determined that they didn't actually take anything. What's the big deal?

    steve

    --
    Oh, you're not stuck, you're just unable to let go of the onion rings.
  13. Re:slashdotters don't have a fucking clue, as usua by NerveGas · · Score: 2, Insightful


    It's easy to say the words "remote access", isn't it?

    Call your local provider, ask them about getting a line to the South Pole. Keep calling until you find someone who can provide it. Once you do, ask them how much it will cost. Now, calculate how many slaves you'd have to keep working in full-time positions to be able to afford any decent amount of bandwidth.

    steve

    --
    Oh, you're not stuck, you're just unable to let go of the onion rings.
  14. Re:Spelling.... by pdamoc · · Score: 2, Insightful

    With the risk of being OT here, the situation is rather simple. Think of the news as one giant magnifying glass. When a .ro cracker breaks and steals something news break and "Romanians did it again". There is no such thing as a cracking hype in my country but the news make the association between Romanians and cracking look so BIG, so strong, so people stop thinking that this might be just some poor schmuck trying to get ahead in a country where people like my mom earn something like 100$ after 30 years of public service. This kind of crackers are present everywhere. Ok some of the .ro crackers were ingenious enough to crack some pretty tight servers but this doesn't justify generalizing.

    People should STOP thinking that the world is black and white and START seeing the shades of gray. Good and Evil are in each and every one of us and the side the people see is often highly dependent on the angle of view.

    Here is an example: Is Nicolae Paulescu EVIL or GOOD? If he is EVIL will you kill him if you have the chance to go back in time, if he is GOOD how come that he is such an anonymous considering what he has done for humanity?

  15. Re:slashdotters don't have a fucking clue, as usua by Mika_Lindman · · Score: 2, Insightful

    If they are smart enough to use packet or satellite, then they can use BSD or Linux.

    Many measurement devices don't have required software ported for [insert your *nix].

    OOo doesn't have the same capabilities as Excel, essential in many environments.

    And who is going to pay for porting that Excel/VBA/Access/MS SQL/etc stuff to BSD/Linux?

  16. Re:You gotta wonder... by saiha · · Score: 2, Insightful

    If the transmission time is what is vital, then have it go through a proxy system which is only unsecured on the one end. Then locally it goes through sanity checks and any unsafe or strange actions are flagged. If no computer specialists are available then a scientist can go through a predefined process to resolve the difficulty.

    I know the scientists would rather work on their research but they are living in the 21st century just like the rest of us and security is a concern. If the hacking was important enough to involve the FBI then it is important enough to protect with at least the minimal amount of security.

  17. Re:slashdotters don't have a fucking clue, as usua by maxpublic · · Score: 2, Insightful

    What is the cost of replacing a trashed system?

    RTFA. The system wasn't trashed. Very little was done to it.

    How much does downtime cost you?

    Considering that they only have communication access to the outside world for a few hours a day, very little.

    What does it cost to get someone to your site to fix your system?

    When the fuel could be used to ship needed equipment, food, or just used for heating, a whole hell of a lot.

    What POTENTIAL expenses/risks do you face if someone uses your equipment to do damage to another site.

    Considering the equipment on-base and the very limited daily access, this amounts to a big, fat zero. Or did you think they had cable?

    People that have heard you rant about how "worthless" sys admins are start to wonder how credible the rest of your statements are.

    A system administrator IS worthless at Amundsen-Scott, compared to a mechanic, a scientist, or an electrician. Do a bit of research on the subject before talking out of your ass.

    Max

    --
    My god carries a hammer. Your god died nailed to a tree. Any questions?
  18. Re:You gotta wonder... by isorox · · Score: 2, Insightful

    Fine, have the unsecured link over the link, but have it secured at the northern end. The only way to access the link would be to use VPN or ssh to the machine at the uplink place.