Slashdot Mirror


Another NASA Hacker Indicted

eldavojohn writes "Earlier this year, UK citizen & hacker of NASA Gary McKinnon was extradited to the United States (also interviewed twice). Now, another hacker has been indicted for hacking more than 150 U.S. government computers. Victor Faur, 26, of Arad, Romania claims to have led a 'white hat team' to expose flaws in U.S. government computers. It seems everyone else has been busy hacking into government systems while I've been wasting my time playing Warcraft." From the article: "The breached computers were used to collect and process data from spacecraft. Because of the break-ins, systems had to be rebuilt and scientists and engineers had to manually communicate with spacecraft, resulting in $1.36 million in losses for NASA and nearly $100,000 in losses for the Energy Department and the Navy, prosecutors said. Several suspected NASA hackers have been dealing with law enforcement recently."

8 of 164 comments

  1. Re:$1.3? $100k?! by h2g2bob · · Score: 3, Informative

    For extradition, there's often a minimum amount of damage (in $$$) that is required before someone can be extradited.

  2. Hacker Crackdown by dbIII · · Score: 4, Informative

    Read Bruce Sterling's "The Hacker Crackdown" for how these spurious figures are calculated. The examples are old but so is the mindset behind this. The author has put the entire book online.

  3. Re:Teh Interwebs by cyclone96 · · Score: 4, Informative

    If a system is that important, and only has a single task, such as communicating with a spacecraft, why would it be accessible from outside sources?

    Indeed. The article is pretty thin on what was actually compromised and what "manually communicating with spacecraft" really meant. Rule number 1 with mission critical systems at NASA (I work for them, but not at the locations attacked) is that they are *completely* walled off from the outside.

    Now, there are some mission associated systems that are accessible from the internet which are storing spacecraft data. Here's one that has datasets from the acceleration system on the International Space Station:

    http://pims.grc.nasa.gov/html/ISSAccelerationArchive.html

    It's out there because that's the easiest way to get the data to researchers, many of whom are at universities around the world. I suppose if that server ended up hacked, it would hit the news as "Hacker brings down Space Station support system!". Sounds bad, but it's not like you can actually gain control of the spacecraft. I suspect the machines affected were used for this sort of purpose.

    --
    Worst...sig...ever!
  4. Re:Not very bright and certainl not "white hat" by ms139us · · Score: 2, Informative

    It was fully of typos

    Oh, teh inory!

  5. Project Gutenberg by Anonymous Coward · · Score: 5, Informative
  6. Re:Say it with me again folks... by _Sprocket_ · · Score: 3, Informative

    Various US Government Agencies have been slow to pick up information security. With few notable exceptions, the US Government just doesn't get infosec. But what the US Government does understand is law. Law is a relatively slow process compared to the hack. Some of these cases take years before the Feds are knocking on doors. If you're a script kiddie who's keen on a *.gov address for your IRC bot, keep that in mind. In the short term you may be successful. But you have no idea if the US Government actually did notice and are taking the long, drawn out process to bring you down via whatever Law allows it.

    I once attended an infosec meeting at a NASA center several years ago. The initial presentation was an analysis of an incident involving some Organization's lab systems. It was well done and full of very handy technical information, lessons learned, and advice to other Orgs on how to avoid a similar incident. I looked around the room. Most eyes were well glazed over. Obviously the information was lost on an audience who should be taking notes. The next presentation came from our FBI representative. The rep. basically talked about the lab equipment that was confiscated... what was happening to the HDs during analysis... and the process of "getting the bad guys." The crowd lit up. Everyone was rather excited. They were going to get the bad guys. Few there seemed to realize that this was not "good news". Rather, it was a failure as the lab systems compromised represented losses to already-tight budgets.

    Things have changed since that time. Infosec is changing... at least at NASA. There are new attitudes, new requirements, new regulations. I've still got my own concerns and criticisms of the state of things. It's far from perfect, to say the least. But there is change. We'll see how well it holds.

  7. Re:Manually communicate? by Detritus · · Score: 2, Informative

    You could manually compile a list of commands and type them into the command encoder. Normally, most of the work is automated.

    --
    Mea navis aericumbens anguillis abundat
  8. Re:When I was there... by dargaud · · Score: 2, Informative

    Good summary. I worked at NASA in a lab doing mostly data analysis a long time ago, and all the system administration at the time was handled by students (full time in summer, part time the rest of the year). While many of those are dedicated and talented, it's an understatement to say that experience was lacking. Heck, I was 16 at the time! Then again it was a long time ago in a non-mission critical lab, so things are different. But the reason was the same: funding, or rather, lack of it. Another thing I noticed is that most of the full time researchers were old, dating back to the Apollo days. Many of them had stayed through the starving years after that but with little to no new blood pouring in. So you had basically two populations: old researchers whose main job was to secure funding for the next year, and students on temp jobs. Not the best situation. Now most of those guys must have retired, so I don't know how the situation has changed.

    --
    Non-Linux Penguins ?