Slashdot Mirror


South Pole Research Station Hacked Twice

Marda writes "It's been known for a while that Romanian cyber extortionists cracked the computer network at the Amundsen-Scott South Pole Station last year. Now SecurityFocus is reporting that another computer intruder penetrated the station just two months before, and cracked the data acquisition system for the Degree Angular Scale Interferometer (DASI), a radiotelescope that measures properties of the cosmic microwave background. It turns out the station was insecure 'purposely, to allow for our scientists at this remotest of locations to exchange data under difficult circumstances,' according to internal reports."

33 of 292 comments

  1. Man, it's cold down here by Anonymous Coward · · Score: 5, Funny

    Why can't they just leave our unsecured network alone? Next we'll have to secure that WiFi network so the Australians stop leeching.

  2. burn karma burn! by bakeacake · · Score: 4, Funny

    all your base belong to us!

  3. Penguin hack party by Anonymous Coward · · Score: 4, Funny

    Must be the penguins out there.

  4. Hacking those harmless scientists? by Anonymous Coward · · Score: 4, Funny

    That's cold, man... that's cold!

  5. FP! Almost... by Anonymous Coward · · Score: 5, Funny

    I almost had FP, but the latency out here on the south pole is horrible.

  6. This is disgusting behavior by AKAImBatman · · Score: 4, Insightful

    Some people are just plain jerks. Sure, I want to know if my financial information is safe. But why should hackers take the time to bother scientific equipment?

    I can just see it now. A buoy in the ocean with millions of dollars in scientific instruments and sensors, collecting data for good of all mankind. Then some hacker finds his way in through the radio connection and manages to burn out or blow up the equipment by playing with the settings. His excuse? "See! It should have been secure! Next time you'll know better!" Way to miss the point, jack.

    1. Re:This is disgusting behavior by DramaGeek · · Score: 5, Insightful

      They'll do it because it's a fairly good target. It's one-of-a kind, and hacking it got them at least an article at Securityfocus and a mention here. Sure, they don't really gain anything from it, but since when has that been a requirement of hacking?

    2. Re:This is disgusting behavior by AKAImBatman · · Score: 4, Insightful

      And I hope the law throws the *#@$ing book at them! It's all very funny until someone is seriously hurt by this type of hacking. "Oh, hah, hah! I broke their toy! They've got lots of money! No biggie!" That sort of thinking is absolute bull. Scientists have to work VERY hard to secure funds for their endeavours. It can take literally YEARS to secure the funding for a SINGLE project! If they've built something that costs 1 million, you can bet that they only had money enough to build ONE.

      The worst part is that the scientist is doing it so that that jack*$$ who broke his system has new technologies and knowledge available to him! Yet this punk goes around trashing other people's stuff because it makes him "hip and cool", and he's "doing the scientists a favor by testing their systems". He has NO F###ING CLUE what kind of conditions this equipment has to operate under!

      Take the South Pole station in the article. They only get unreliable and intermittent Internet access from retired satellites that have had their orbits moved to support the South Pole! Only a FEW HOURS A DAY! And some hacker kid vandalizes them for trying to get work done.

  7. Re:??????WTF?????? by Anubis350 · · Score: 5, Interesting

    yeah, but VPN?
    besides, there are a lot of remote monitoring tools out there that use various forms of encryption. Leaving your network unprotected is just asking for trouble. For that matter, why is it newsworthy if they get hacked then? after all, it's already wide open

    --
    "goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
  8. Re:??????WTF?????? by urlgrey · · Score: 5, Insightful

    This has got to be among the all-time lamest excuses I've ever heard uttered.

    For Pete's sake HIRE A CONSULTANT or better yet ASK FOR VOLUNTEERS. I'm sure there are plenty of folks out there who'd LOVE to have something like this on their resume.

    C'mon. How about: we were cracked because we were lazy. Now that I'll buy--the first time.

    --
    Running 'Nix is like owning a Lightsaber. It's "a more elegant weapon for a more civilized time."
  9. Now we know.... by strredwolf · · Score: 4, Funny

    that pure blocks of ice a firewall does not make.

    Come on, physical location means nothing now!!!

    --
    # Canmephians for a better Linux Kernel
    $Stalag99{"URL"}="http://stalag99.net";
  10. Back In The Day... by cjsnell · · Score: 5, Interesting

    There used to be a machine at McMurdo Station called mcmvax.mcmurdo.gov. I remember back in, oh, 1994 or so, sending finger requests to their machine and using the VMS equivalent of talk(1) (can't remember what it was called...) to send text messages to the folks logged on. I don't remember ever getting a response, though. It was also kind of fun to do traceroutes and pings to the machine. The network path was insane...apparently it went over satellite and the latency was usually at least 800ms+. Ah, memories...I miss the days when almost everyone ran open finger and talk/ntalk daemons.

    1. Re:Back In The Day... by Jah-Wren+Ryel · · Score: 4, Funny

      back in, oh, 1994 or so, sending finger requests to their machine and using the VMS equivalent of talk(1) (can't remember what it was called...) to send text messages to the folks logged on. I don't remember ever getting a response, though. It was also kind of fun to do traceroutes and pings to the machine. The network path was insane...apparently it went over satellite

      So, you were one of those guys? Were you the one who told all his friends about us? Back then we only had a 64bps (yes, that's right 64bps not 64kbps) link and it was always getting clogged up with tourists trying to check out our machine and see who was on. Lots of kids sending us silly "phone" requests, for a couple of months there nobody could get any work done at all. Thanks a lot dude!

      --
      When information is power, privacy is freedom.
  11. It's a different field of knowledge. by Short+Circuit · · Score: 5, Insightful

    Scientists are generally knowledgeable, but only in their field of specialization. You don't expect a particle physicist to know about macro biology, and you don't expect an ornithologist to know about particle physics.

    Computer security is another one of those fields that requires its own study time to be competent in, and most people aren't interested or don't want to spend the time.

  12. On purpose for a reason... by Q-Hack! · · Score: 5, Informative

    The main reason for running unsecure, is that the data pipe running to the South Pole is only open for just a few seconds at a time. You have to be able to transfer your data packet in little bitty windows of opportunity. If you have your data packaged in nice large security packets it will take forever to transfer your files, if at all. As soon as they come up with a better way to communicate with those stations I think they will be the first to secure their data.

    --
    Some days I get the sinking feeling Orwell was an optimist.
    1. Re:On purpose for a reason... by Phil+Karn · · Score: 4, Informative
      It is not possible to put a geostationary satellite over a pole. To be stationary, a satellite must be in a circular orbit over the equator with a period that exactly matches the earth's sidereal rotation rate. Such satellites are not visible at all from the poles.

      It is possible, however, to use inclined orbits to provide good coverage at high latitudes, including the poles. You'll need multiple satellites to provide continuous coverage, though. It's my understanding that the South Pole links use retired geostationary satellites that have run out of stationkeeping propellant. Without stationkeeping, solar and lunar perturbations increase the orbital inclination, the angle between the orbital plane and the equator, which is nominally zero for a geostationary satellite. This causes the satellite to move in a north-south figure-8 pattern, making it visible for part of each day at each pole.

      Two good examples of satellites in orbits specifically designed to provide good high latitude coverage are the Russian Molniya series and the new Sirius digital radio broadcasting satellites. (Sirius' competitor XM Radio uses conventional geostationary satellite orbits.)

      Both Molniya and Sirius use elliptical orbits with inclinations of about 63 degrees. At this inclination, the effect of the earth's oblateness on the orbital argument of perigee is canceled out. That means the apogee (farthest point from the earth) will always occur at the same latitude, which in these two cases is selected to be the northernmost point of the orbit (since northern latitudes are being served). The result is a satellite that, while not stationary, spends much of each orbit nearly motionless at high latitude.

      The Molniya and Sirius orbits differ in that the Molniya orbits have fairly low perigees and orbital periods of about 12 hours. The Sirius satellites are in geosynchronous (but not geostationary) orbits, meaning that even though they do not sit motionless over the equator, they still complete exactly one orbit per sidereal earth day.

      The Russians use these orbits because their country sits at high latitudes. Sirius uses their orbits to increase the elevation at which their satellites appear over the northern US and southern Canada, minimizing blockage by buildings and reducing the number of terrestrial repeaters needed in urban areas.

      A Sirius orbit can be seen here and a Molniya orbit can be seen here.

  13. You Insensitive Clod! by p0 · · Score: 5, Funny

    CowboyNeal! You have just slashdotted an insecure server running the lifeline of dedicated scientists, far far away in Antarctica! You insensitive clod!

    --
    This is my sig. There are thousands more, but this one is mine.
  14. Re:??????WTF?????? by Hartree · · Score: 5, Interesting

    Sadly, this happens fairly often in research groups, and it's often hard to convince them to tighten things up. On the one hand, they say there's nothing commercially valuable on the machine, and that tightening security would lower productivity (usually false). On the other, they are often hard to convince that since much of the work and data is on the computers, they should have a good and tested backup system.

    Sooooo... They get cracked, and when they do, it causes major data loss and takes a long time to return the machines to full service as there are no recent backups. And somehow, it's the fault of the security type whose advice they ignored/derided.

    Been there, done that, wanted to strangle several research group leaders/members with the t-shirt.

  15. Re:??????WTF?????? by SEWilco · · Score: 5, Funny
    Dude, chill out ..

    South Pole. Chilled. Check.

  16. Put it in perspective... by riptide_dot · · Score: 5, Insightful

    FTA:

    "Given the fact that no financial records or systems were compromised, no safety or loss of life was threatened, and no critical system corrupted, we need to balance legitimate security needs with the legitimate needs of our scientists at the Pole," the memo reads.

    ...Other documents show that less than two months earlier the NSF's security team was plunged into a similar fire drill when a computer intruder named "PoizonB0x" penetrated the primary and backup data acquisition servers for a radio telescope at the station called the Degree Angular Scale Interferometer (DASI), which measures properties of the cosmic microwave background radiation -- the afterglow of the Big Bang. The intruder, rated a prolific website defacer by tracking site Zone-H, used his moment of cosmic access to erect a webpage on the servers proclaiming, "I love my angel Laura."


    Now, I'm not one for people snooping around in my stuff when they're not invited or anything, but consider this: The first hack modified a web page on a system that collects monitoring data (but most likely does not contain other meaningful data, like formulas), and the second intruder accessed no financial data, did not threaten safety, and did not corrupt any critical systems.

    Isn't it possible that the systems that were compromised were actually left insecure, not necessarily "on purpose", but because they felt that there wasn't much of a need to secure them in the first place? They probably calculated the possible risks and decided that, if both systems did in fact only contain informational webpages or data collected from their equipment, that there wasn't much point in worrying a lot about securing them (after all, who would really care about the data besides them?).

    --
    I was in the park the other day wondering why frisbees get bigger and bigger the closer they get - and then it hit me.
  17. Re:??????WTF?????? by fireman+sam · · Score: 4, Insightful

    Why is this a troll?

    It is a valid point. If you do not have the skills to do something, pay someone to do it. If you don't have the funds, ask for a volunteer.

    These people have screwed around with their system until the data transfer did what they wanted. What they didn't realize (I hope) is that they have opened up their system to these sorts of attacks.

    If business did this sort of thing, imagine what the web would be like now...

    --
    it is only after a long journey that you know the strength of the horse.
  18. Re:??????WTF?????? by arivanov · · Score: 4, Informative

    You have not dealt with academentia from a system management perspective I guess. If you had you would have heard the phrase: "I am a professor and you are not even a PhD, you will not tell me what to do".

    In btw, I am speaking out of experience here.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
  19. You gotta wonder... by grcumb · · Score: 5, Interesting

    As someone who's set up Internet servers in the high Arctic and who quite recently found himself posting 'I'm still alive' updates to my blog as the remote South Pacific island I was on was being battered by a hurricane, I STILL made sure to use ssh/ssl to connect to remote servers.

    I was dialed in over a microwave link running at about 10Kbps. Even pathetic bandwidth is no excuse not to use simple security measures.

    P.S. I'm posting from yet another Pacific Island, where I regularly use an ssh tunnel to connect to my home IMAP server, over a modem line that I share with 12 other computers on our local network.

    --
    Crumb's Corollary: Never bring a knife to a bun fight.
    1. Re:You gotta wonder... by dave420 · · Score: 4, Informative
      Low bandwidth is no excuse, but intermittent bandwidth is. If the link is only open for a very brief period of time, you could very well waste all that time establishing an SSH connection or VPN. By the time you came to securely download your data, the link is already closed and won't be back up for ages.

      It's unsecured through necessity, not through choice.

  20. Here's a view from the pole by Raetsel · · Score: 5, Informative

    I just found Big Dead Place a couple days ago, and read their account of one of these 'hacker attacks' and Raytheon Polar Services' (RPSC) reaction to it.

    Short version: Everyone at the pole was pissed. Denver (RPSC headquarters) took away their porn^H^H^H^Hnet access, and thus made a bunch of already deprived individuals even more deprived.

    There's a ~500 K newsletter-spoof PDF on the site that expresses some of their feelings.

    • "Kudos to the Denver IT staff for quickly responding to a hacker attack on South Pole Station. The attack occurred Friday night Denver time and our crack professional team denied the attacker access by immediately pulling the plug on Pole. They got back to dealing with the aftermath of this knee jerk response sometime Wednesday shortly after the last chocolate sprinkle donut had been eaten but shortly before nap time."
    There's also: Top Ten Reasons South Pole Can't Access the Internet

    Some other interesting things on the site:

    • Raytheon says Antarctica is a 'foreign nation' for purposes of the Fair Labor Standards Act (overtime) and OSHA (asbestos exposure, etc.)

    • However... the IRS considers wages earned while working there the same as if they'd been earned inside the US.

    • Some people working there question whether or not the US Constitution applies (specifically the First Amendment)

    • The whole bit about the Symmes Antarctic Intelligencer

    • Frontierwatch is a terrifically Dilbert-esque look into the day-to-day goings-on at the Pole.
    --

    "...America's great minds of today, teaching America's great minds of tomorrow. Poor bastards." -- A Beautiful Min
  21. Ease of use != Insecure by losttoy · · Score: 4, Insightful

    Ease of use does not mean it has to be insecure!! Strong passwords and patched applications do not make usage difficult!!

  22. Makes perfect sense, from their perspective by fejes · · Score: 5, Interesting

    Seriously, if you're setting up a network for a long term project, you set it up once, and move it all over there with everything ready to go... (which means the Amundsen base might have been permanently stuck with a network of 386's, had things worked that way.) Of course, my guess is that the computers wandered over there one at a time, with no coordinated plan - and no thought beyond "we need a few computers, which people in the states need access to, located at the south pole!")

    The key issue is that if an academic is given a computer, they're not going to have the faintest idea of what's required security wise. [In fact, I've seen academics go out and buy really big (30") screens and fancy Macintoshes just to run email and a browser, if that gives you an idea of the mindset of many in the scientific community.] - and other than the penguins (who only work for herrings and probably don't want to pay tax), there aren't any "neighborhood geeks" nearby to help them with their machines.

    I just spent two years in a science laboratory in North America at a VERY large institution. Of the two hundred or so scientists in that department alone, maybe ten or fifteen knew enough about computers to write HTML - and probably not a lot further. As the department evolved over time, computers were added in one at a time, by whoever felt like putting in a computer. Thus, there wasn't a single coordinated plan, and some of the computers were left completely vulnerable intentionally! If there's no one in charge, no structure to coordinate the addition of computers, and no one able to make the decisions to put an infrastructure in place, there's no one to insist on security standards. Can you say welcome mat to hackers?

    I'd be willing to bet that that's exactly what happened at the South Pole. Someone decided they wanted to be able to share files with another scientist, and I'd doubt either had ever heard of SSH. Net result: they intentionally put a hole in the flimsy security they had to begin with. I can imagine the thought process: "I need to share a file with someone 30000km away.. let's just create an anonymous ftp to c:\, that way I won't have to worry about them not having access to anything they need!"

    Finally, the key point is that if you have computers at the south pole, it's going to cost an exorbitant amount to send someone out to maintain them, and the only alternative is to have the scientists call "tech support" back in the states (or is india closer?), which is probably like talking my father through a computer problem. It's bad enough when you're there, but 100x worse when you're at opposite ends of the country. Of course, if you leave a few "holes" open intentionally, someone back home can log in and maintain it for you. (-;

    Sorry for the overlong rant!

    --
    The more you know, the more you know you don't know.
  23. Re:??????WTF?????? by Bi()hazard · · Score: 4, Insightful

    No, of course not. If they could, they would be computer scientists, or hackers. Instead they are physicists.

    Exactly. Those of us immersed in the information technology world often have little or no exposure to the disciples of pure science. And undergraduate physics students don't count. Traditional scientists don't think the way IT people or even computer scientists do. We see a system, and the goal is to optimize that system to perform correctly and efficiently. Traditional scientists have no interest in applied technology. Their goal is to gather knowledge, and to hell with everything that gets in the way. Typing in a tough password, applying patches, and following "best practices" gets in the way.

    To make matters worse, these people are highly educated and are often the resident lords of their specialties. Academic types tend to have swollen egos. Poke something swollen, and it hurts-these guys will be pissed off if you try to tell them what to do, and more pissed off if what you're telling them to do doesn't clearly further their scientific goals. They simply don't take the computer security threat seriously, and they refuse to worry about it until they get burned.

    It's hard for you to understand rational people saying, "ha, who in their right mind would hack into our secret antarctic lab full of data?" But most slashdotters would have the same attitude towards other things they don't have experience with. How many of you fear the consequences of unsecured eyelash curlers? Yes, eyelash curlers, which so befuddle the opposite sex and are an essential in many ladies' makeup boxes double as a lethal instrument of pain and torture - as my best friend can testify.

    Last week as she was getting glammed up for a party she was trying to do 25 million things at once and not concentrating on any of them. What exactly happened though remains a bit of mystery-all I know is that moments after whatever did happen, she was screaming in pain, bruised and bleeding, with lashes no longer in lids but in the curlers. Suffice to say she shan't be using eyelash curlers ever, ever, ever, EVER again.

    She's not the only one who has been incapacitated as the result of a cosmetic catastrophe and it is actually more common than one would suppose. Another friend had a very unfortunate accident on the night of a May Ball last summer. She was rushing around straightening her hair, helping a friend with her makeup, making a phone call, and trying to decide which bag to take when she encountered the upturned business end of her electric hair straighteners. You could hear the screams from across the street!

    So now you know! which is like half the battle. Trying to do your lashes can land you in the hospital, a fiendish fate not "faced" by hacker victims! Girls will always want their makeup but for our peace of mind and for the longevity of your eyelashes and more importantly, your eyesight, I implore you to throw away your eyelash curlers. They are very very dangerous.

    Now if you'll excuse me, I have to go wash up..this foundation doesn't cause cancer..right?

  24. Re:??????WTF?????? by zurab · · Score: 5, Insightful
    Those of us immersed in the information technology world often have little or no exposure to the disciples of pure science. And undergraduate physics students don't count. Traditional scientists don't think the way IT people or even computer scientists do. We see a system, and the goal is to optimize that system to perform correctly and efficiently. Traditional scientists have no interest in applied technology. Their goal is to gather knowledge, and to hell with everything that gets in the way. Typing in a tough password, applying patches, and following "best practices" gets in the way. ...
    But most slashdotters would have the same attitude towards other things they don't have experience with.

    I am not a car mechanic or an electrician, but if my car alarm and door locks stop working, I take it to a mechanic who can fix it. I don't park the car on public street at night where it may get stolen. The excuse that since they know and care little about security, they can skip it altogether, is - as others pointed out - lame. A computer network containing sensitive or important data connected to the Internet requires security, whether you are a 3-time Nobel prize laureate or a warehouse janitor.

    And as far as things that "get in the way" - security practices, or lack thereof - could easily get in the way of collecting and keeping valuable scientific data.
  25. Re:??????WTF?????? by bbuR_bbuB · · Score: 4, Insightful

    There are a limited amount of people who may occupy the South Pole at any one time due to humans' impact on the environment down there. Why waste a bed on a sysadmin when you could have more important people doing more important work?

  26. RTFA. by Anonymous Coward · · Score: 4, Informative

    RTFA. The life support systems weren't controlled by the hacked system. That was added by the US department of propaganda to make the threat of cyber-terrorism sound scarier.

  27. Re:??????WTF?????? by Fred_A · · Score: 5, Funny

    Great job...

    Mission : go to Antarctica, maintain email services. Duration 6 months.

    Week 1 : upgrade and patch all machines.
    Week 2 : make snowman, look at machines, play solitaire.
    Week 3 : blizzard, look at machines
    Week 4 : play solitaire, start drinking beer
    week 5 : remember about the pinball game, install pinball game play pinball
    week 6 : Got lost for 3 days in the blizzard when making a snowman
    week 7 : can't play pinball because of bitefrost bandages, drinking bourbon, watching blinkenlights on hub
    week 8 : poured bourbon in file server so I had something to fix, got scolded by director of base who saw me
    week 9 : tried drinking kerosene
    week 12 : woke up in infirmary when doctor was about to start autopsy
    It seems doctor had been smoking joints, asked him if he had any left
    week 13 : shagged a penguin. Finished last of bourbon
    week 14 : damn penguin follows me everywhere 11 more weeks to go. Found an AOL cd in the mailbox yesterday, no idea how it got there. ...

    Great job indeed. :)

    --

    May contain traces of nut.
    Made from the freshest electrons.
  28. Re:??????WTF?????? by gravytas · · Score: 5, Insightful
    I am not a car mechanic or an electrician, but if my car alarm and door locks stop working, I take it to a mechanic who can fix it.

    Clearly you're not a physicist. Most of the ones I've worked for, some of whom are also at the pole, are convinced that:
    since physics is one bad mamajama of a difficult subject, and as they've kicked that bad mamajama's ass, they are gods among men, seemingly privy to the unknown secrets of the universe.

    They hire IT people not because IT is too difficult for them to do on their own, but too mundane. Please don't make the mistake of telling them how things should be done.