Slashdot Mirror


Greek Hackers Target CERN's LHC

Doomsayers Delight writes "The Telegraph reports that Greek hackers were able to gain momentary access to a CERN computer system of the Large Hadron Collider (LHC) while the first particles were zipping around the particle accelerator on September 10th. 'Scientists working at CERN, the organization that runs the vast smasher, were worried about what the hackers could do because they were "one step away" from the computer control system of one of the huge detectors of the machine, a vast magnet that weighs 12,500 tons, measuring around 21 meters in length and 15 meters wide/high. If they had hacked into a second computer network, they could have turned off parts of the vast detector and, said the insider, "it is hard enough to make these things work if no one is messing with it."'"

5 of 445 comments

  1. Re:Why is that even possible? by n+dot+l · · Score: 4, Interesting

    My understanding is they have the LHC linked to universities/research firms/supercomputers all over Europe simply in order to process the massive amount of data that thing generates. I might have read that wrong though. I've had nothing but trouble finding good information between the "BLACK HOLES, WE'RE ALL GONNA DIE!", the idiot reporters doing "human interest" style pieces about it, and the incomprehensible (to me) physics-babble.

  2. Re:you question the actions of the scientists? by Medievalist · · Score: 5, Interesting

    remember: everything PhDs do is art. everything. including using their alma mater's mascot name as their password. art, i tell you!

    Years ago (when I still worked in science) I got a call from the US military. It seems one of our scientists was attacking one of their systems.

    Since the scientist in question was on the other side of the world on a field trip at the time, it seemed likely that someone had compromised his account, and I shut it down.

    When I eventually asked the scientist if he was using a strong password, he was proud to recite a long dog-Latin Linnean binomial. It was very difficult to spell or pronounce.

    Of course, that was also the first word you saw if you searched for his name on the Internet (using WAIS, since this was before commercial search engines). This particular scientist was the world's foremost authority on the organism with that difficult name, and had published dozens of papers on it.

    To put it in modern geek terms, it was like this guy was Bill Gates, his userid was gates, and his password was microsoft.

    The idea that criminal hackers might actually look up his name came as a total surprise to this world-famous scientist with multiple PhDs...

  3. Re:you question the actions of the scientists? by Geoff · · Score: 3, Interesting

    Don't you know it.

    Several years ago, I was working on tightening up our password system in a university department of Electrical Engineering and Computer Science (i.e. people who should definitely know better).

    I was running crack on our userbase, to identify users with weak passwords so we could require them to change their password. One of the options was to look for passwords in .signature files. It seemed really silly to me. Who would be foolish enough to put his/her password in his/her email signature?

    One of the first hits (right after someone with "password", I think) was a signature hit. It turns out, it was indeed one of our Ph.D. professors who did indeed have his password in his .signature file.

    How? The password was his ham radio call sign, which, of course, he proudly listed in his email signature.....

    --

    Computers are useless. They can only give you answers. -- Pablo Picasso
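The two anecdotes above (Medievalist's scientist and Geoff's professor) describe the same audit: guess a user's password from what the user has already published about themselves, then check the guesses against the stored hashes. The following is an added example, not code from the thread or from Crack itself: a small Python sketch of that check run over constructed user records. A salted SHA-256 stands in for the crypt(3) hashes Crack actually read, and the user names, signatures, call sign and organism name are all made up for illustration.

```python
import hashlib
import re

# Stand-in for crypt(3): salted SHA-256. This is an assumption for
# illustration only; Crack worked on the DES crypt hashes in /etc/passwd.
def hash_password(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed user records, not real accounts. Each carries the material a
# password auditor can pull from the same machine or the public Internet:
# the login name, the user's ~/.signature, and indexed text about them.
USERS = [
    {"user": "gates", "salt": "a1", "signature": "Bill Gates, Chairman",
     "public": "Founder of Microsoft",
     "hash": hash_password("a1", "microsoft")},
    {"user": "prof", "salt": "b2", "signature": "Prof. J. Doe, EECS -- 73 de KA1XYZ",
     "public": "Ham radio operator",
     "hash": hash_password("b2", "KA1XYZ")},
    {"user": "taxon", "salt": "c3", "signature": "Dept. of Biology",
     "public": "World authority on Xenoturbella bocki",
     "hash": hash_password("c3", "xenoturbella")},
    {"user": "secure", "salt": "d4", "signature": "IT support",
     "public": "",
     "hash": hash_password("d4", "kT9$vQ2!pLm7")},
]

# A tiny stand-in for Crack's dictionary.
COMMON_WORDS = ["password", "secret", "letmein"]

def variants(word: str):
    """Case variants of one token plus a few suffixes users like to append."""
    for base in {word, word.lower(), word.upper(), word.capitalize()}:
        yield base
        for suffix in ("1", "123", "!"):
            yield base + suffix

def candidates(record):
    """Yield (candidate, source) pairs derived from the record itself."""
    sources = [
        ("username", record["user"]),
        ("signature", record["signature"]),
        ("public profile", record["public"]),
    ]
    for source, text in sources:
        # Tokens of four or more characters starting with a letter.
        for token in re.findall(r"[A-Za-z][A-Za-z0-9]{3,}", text):
            for cand in variants(token):
                yield cand, source
    for word in COMMON_WORDS:
        for cand in variants(word):
            yield cand, "common-word list"

def audit(users):
    """Return {user: (password, source)} for every account whose hash matches a candidate."""
    hits = {}
    for rec in users:
        tried = set()
        for cand, source in candidates(rec):
            if cand in tried:
                continue
            tried.add(cand)
            if hash_password(rec["salt"], cand) == rec["hash"]:
                hits[rec["user"]] = (cand, source)
                break
    return hits

if __name__ == "__main__":
    for user, (pw, source) in audit(USERS).items():
        print(f"{user}: weak password {pw!r} (found via {source})")
```

The point the two comments make shows up in the `source` field: none of the three weak passwords would fall to the common-word list alone, but each falls immediately once the candidate set is seeded from the account's own signature or public profile.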

  4. Re:Why is that even possible? by jd · · Score: 3, Interesting

    I have the excuse I wrote part of the code for one of the LHC's predecessors. In this case, the grid software is very generic. ShibGrid doesn't care if it's securing a particle accelerator or a wide-area distributed MMORPG, but I bet you anything that if WoW was a part of the Grid Gaming consortium, ShibGrid would be more audited than OpenBSD by more anal coders than Theo ever thought of being. There may be only one LHC, but anybody can run a Globus module through a static code checker and fix "obvious" coding errors.

    True, the LHC has limited staff and can't check every patch people send to them. But the same problem is faced by OpenBSD, Linux, X.Org, the GCC developers, and a thousand and one other mega-coding projects. They seem to solve the problem without too much strain, so what do they do that the LHC guys aren't? I don't have to be a genius to solve the LHC's security issues, I merely have to know where the geniuses are and see what they do different.

    Also true, the size of the code base makes the idea of bug-free code laughable. The middleware alone is HUGE. However, that's deceptive. There's a fascinating paper on Trusted Software. Not "trustworthy", "Trusted". As in A1 Orange Book Trusted. The paper basically states that buggy software is not the issue. So long as you have a small, tightly-written security kernel within key components, where that security kernel can be proven correct, bugs elsewhere can never pose a security risk. They can do lots of other nasty things, but they can never compromise the security of the system.

    As the paper in question (which I've linked to previously, on the issue of security) is written by one of those aforementioned geniuses, and as this is something those geniuses do differently, it follows that this is a factor in what makes the difference between secure software and insecure software. MPI, a common message-passing system, usually uses RSH to start applications across a cluster or grid. Since MPI is generally not going to have any means of providing passwords, this means you're looking at .rhosts files, which means you've a wide-open security hole right there. And, yes, having worked at such facilities I can tell you that they often don't use SSH or a Kerberos-hardened RSH, just the vanilla form that no sane person would use in a million years. (This goes to show that, yes, scientists truly are mad.)

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
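
jd's closing point is that MPI launched over vanilla rsh trusts whatever ~/.rhosts and /etc/hosts.equiv say, and that such files routinely contain wildcard entries. As an added example, not from the thread or from any grid or MPI project, here is a Python audit of .rhosts contents that flags the entries worth worrying about: `+` (any host), `+ +` (any host, any user), a `+` user field, netgroup delegation, and hosts outside the cluster. The sample file and the trusted domain `.cluster.example.org` are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed ~/.rhosts contents (not from any real system). The cluster
# domain below is an assumption for the example.
SAMPLE_RHOSTS = """\
# trusted cluster nodes for MPI startup
node01.cluster.example.org
node02.cluster.example.org mpiuser
+
+ +
+@labnets
-badhost.cluster.example.org
laptop.example.com
"""

TRUSTED_DOMAIN = ".cluster.example.org"

@dataclass
class Finding:
    line_no: int
    entry: str
    severity: str
    reason: str

def audit_rhosts(text: str, trusted_domain: str = TRUSTED_DOMAIN):
    """Parse .rhosts/hosts.equiv text and return a list of risky entries.

    Format per line: host [user]. '+' as host means any host, '+' as user
    means any user, '+@name' names a netgroup, and a leading '-' denies.
    """
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host.startswith("-"):
            continue  # explicit denial, not a grant
        if host == "+" and user == "+":
            findings.append(Finding(n, line, "critical",
                "any user on any host may log in as this account without a password"))
        elif host == "+":
            findings.append(Finding(n, line, "critical",
                "any host is trusted for the same username"))
        elif user == "+":
            findings.append(Finding(n, line, "high",
                f"any user on {host} may log in as this account"))
        elif host.startswith("+@"):
            findings.append(Finding(n, line, "medium",
                "trust delegated to a netgroup; review its membership"))
        elif not host.endswith(trusted_domain):
            findings.append(Finding(n, line, "medium",
                "host outside the trusted cluster domain"))
    return findings

if __name__ == "__main__":
    for f in audit_rhosts(SAMPLE_RHOSTS):
        print(f"line {f.line_no}: [{f.severity}] {f.entry!r}: {f.reason}")
```

In practice you would feed `audit_rhosts` the contents of every `~/.rhosts` and `/etc/hosts.equiv` on the cluster's nodes; the real fix jd points at is to stop using rsh for process startup altogether and launch over ssh or a Kerberised rsh, at which point these files stop mattering.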

  5. Misleading Telegraph by hairykrishna · · Score: 5, Interesting

    The two key sentences of the article are:

    "If they had hacked into a second computer network, they could have turned off parts of the vast detector "

    "We have several levels of network, a general access network and a much tighter network for sensitive things that operate the LHC," said Gillies.

    Basically they defaced a web page which is hosted on a server which is nothing to do with the LHC control network. Haven't we had enough ridiculous LHC scare stories yet?

    --
    "Physics is to math as sex is to masturbation." -R. Feynman