Greek Hackers Target CERN's LHC
Doomsayers Delight writes "The Telegraph reports that Greek hackers were able to gain momentary access to a CERN computer system of the Large Hadron Collider (LHC) while the first particles were zipping around the particle accelerator on September 10th. 'Scientists working at CERN, the organization that runs the vast smasher, were worried about what the hackers could do because they were "one step away" from the computer control system of one of the huge detectors of the machine, a vast magnet that weighs 12,500 tons, measuring around 21 meters in length and 15 meters wide/high. If they had hacked into a second computer network, they could have turned off parts of the vast detector and, said the insider, "it is hard enough to make these things work if no one is messing with it."'"
Why can anyone get to the control systems for a piece of equipment like that from the internet?
Windows updates.
Any chance they had a Trojan Horse at the ready?
but some jackasses decided to mess with things they knew nothing about.
I'll get my towel.
Work Safe Porn
See? See? Computer security is harder than building a 27km ring with enough precision to smash single protons!
Extreme Programming - Redundant Array of Inexpensive Developers
Can't geeks just be happy for society's scientific accomplishments and not try to screw up a good thing just because it's possible? Like the guy says, it's hard enough to make these things work when everyone's working together. Assholes.
I am a geek attorney, but not your geek attorney unless you've already retained me. This is not legal advice.
I found an interesting video feed for the system they were accessing.
http://www.cyriak.co.uk/lhc/lhc-webcams.html
Watch it for a minute, you can see the effects the hackers are having on them.
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
I was told I could download Spore without DRM from that IP.
I've nothing of importance to say, now go away before I taunt you with a second sig!
What could have been:
Cracker1: Cool, looks like we got into the outer network, let's try the inner one.
Cracker2: OK, try this...
Cracker1: What's this program "/staff/sfalken/games/Tictacto.exe"
Cracker2: I don't know, let's try it.
Cracker1: OK.
*EARTH-SHATTERING BOOM*
God: It's the end of the world as I made it, and I feel fine.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Portable harddrives to move the data?
http://www.nsf.gov/discoveries/disc_summ.jsp?cntn_id=111420
This thing will generate 28000 TB of data per hour! Imagine the number of grad students it would take to transfer all those hard drives back and forth.
I'm with you on the nomenclature issue. Such an important experiment and mankind in general offers far too many whack jobs who want to shut it down.
The logic of the 'we're all gonna die' crowd eludes me. If nothing happens, all is good. If the world ends, doesn't matter anyway. All those that think they will go to meet their maker should be happy either way, right? WTF?
Support NYCountryLawyer RIAA vs People
Just wondering if they used a trojan to gain access.
Sneaky Greeks.
Wondering why the LHC is connected to the Internet 'at all'...
Why was the Web even developed? Why was HTTP even thought of? Why was a graphical browser of any interest?
CERN. Ask Mr. Berners-Lee. And then contemplate the irony of wondering this at all.
Sadly, it looks like CERN needs to work on the security more, but hey, that's in the spirit of the World-Wide Wild Web, eh?
deleting the extra space after periods so i can stay relevant, yeah.
How can we be sure they were Greek hackers? What if they were agents of the TechnoCore "performing experiments on farcasters" while pretending to be Greek hackers? <_<
Ross Denton: Hello, hello, I'm Ross Denton, head of public relations for the Two Mile nuclear facility. First, I'd like to welcome all members of the press to Two Mile Island. I hope you enjoy your stay here and that you'll come back again real soon. Now, there will be box lunches at air cooling tower #1 after the briefing, and later the buses will take you back to the motel for a special screening of the Jane Fonda film, "Barbarella".
Male Reporter #1: What about the accident here at the plant?
Ross Denton: That what? Oh yes, yes, the accident. Uh, let me give you a little uh, technical, uh, background here. [ shows a diagram of a nuclear reactor pointing to nuclear energy, pointing to a toaster. ] This is a nuclear reactor. Now, the nuclear fuel here is used to generate energy here, which is sent to your homes to make toast.
Male Reporter #2: But what about the accident?
Ross Denton: I was getting to that. Sometime yesterday afternoon we experienced what we like to call a surprise. And, well, we had to release some radioactive steam.
Female Reporter #1: Well, how much radiation are we being exposed to right now?
Ross Denton: Well, I'm sure all of us here have been to the doctor and had our chest x-ray, haven't we? Well, it's just like that, only it's as if the doctor had to give you the chest x-ray over, and over, and over again. Or, it's like falling asleep under a sun lamp for a week or two! Or, it's like drying your hair in a microwave oven! And to give you some idea of how little danger there actually is, President Carter will be here tomorrow. Now, gentlemen, I'm sorry, I'm sorry. Yes, I'm sorry I have to cut this press conference short, but now I'd like to hand the stage over to the Two Mile players! They're a pro-nuclear mime troupe, and they're going to perform a little skit for you, kids!
***
Ross Denton: Good afternoon, good afternoon, ladies and gentlemen of the press. First, as to the president's condition, let me say that the president is feeling certainly "stronger" than he's ever felt. And he would like to be with us right here, in this room if he could. I think now I'll just open the door to questions-
Female Reporter #1: Yes, is it true that the president is 100 feet tall?
Ross Denton: Nooooo! Absolutely not!
Male reporter #3: Is the president 90 feet tall?
Ross Denton: No comment.
Slashdot "libertarians": Small government for me, big government for those I disagree with. -1, I disagree with you
That their IT security team "sucks bosons."
Hey, tell ya what. I'll pay you a $100 if you play Russian roulette and win.
By manual entry, copying this data across the air gap (120wpm) would take:
15,000,000,000,000,000 characters /(120 words/minute * 6 characters/word) = 4*10^7 years.
Even passing that back and forth on hard drives means shuttling about (15Pb/365/24 = ) 1.7 Terabytes per hour. (24 hours a day.)
At some point, you have to admit that just connecting this thing to the internet and securing it is the right thing to do.
The more you know, the more you know you don't know.
All these machines have connections to the internet. This allows on-call technicians to ssh in to debug a problem remotely, and for facilities management to make checks on the performance of the machine.
It's not like connecting to the control software will present you with a big red button labelled "Black Hole Generator". You'll be presented with a bash prompt, and, if you can figure out the right command, possibly a control screen that you don't understand.
These machines are stunningly complex, and the most likely outcome of some random script kiddie fucking with things is that *nothing* will happen. Someone more knowledgeable (or lucky) might be able to find something that will be prevented by the machine protection system, or cause the machine to shut down for a while. Bad, but not as scary as you suggest.
Seriously. Anyone who thinks that random "hackers" can do any real damage, or that these machines shouldn't be on the internet, doesn't know anything about them.
(PS: I'm an accelerator physicist who has worked with several of these machines.)
Yes, sending the data is very important, however I am sure that the sensors used to collect university data are not the same sensors that are used by the control system. Do whatever you want with the data-collection sensors, but DO NOT connect the bloody control system to the internet. If an airplane can keep the entertainment system separate from the control system, I'm sure the greatest minds in the world can do the same.
yes, yes, I remember the airplane story, no need to bring that up...
Maybe if IBM had been in the LHC business rather than the computer business in the 70s, they'd have been right to dismiss the personal LHC in favor of one or two LHCs worldwide that everyone uses.
or somesuch.
"If still these truths be held to be
Self evident."
-Edna St. Vincent Millay
Are they anticipating researchers waking up at 1am and thinking "hey, I want to run one more experiment from home before I go to bed..."?
I know you were trying to joke... but the answer is probably "yes."
I've never worked at CERN, but it may be similar to large-scale science user facilities (e.g. x-ray synchrotrons) that I have worked at. Specifically, you want to be able to control the instruments remotely for a variety of reasons. Part of it is safety (in order to minimize time spent near radiation sources and industrial equipment). Part of it is convenience (to check on the status before driving all the way to the actual facility). Part of it is for collaboration (allowing an instrument scientist to log into the machine and change a setting for you, show you how to do something, etc.).
At many facilities, you can change samples, alter instrument settings, re-align, etc.; all without actually going to the facility. Scientists doing those kinds of experiments do indeed appreciate the ability to log into the machine at 1am and check on the status.
There are of course safeguards in place (e.g. hardware safety triggers that cannot be remotely over-ridden)... but it is sometimes possible to break something with remote commands. Now, most of the facilities that work like this are running samples, and need remote manipulation to switch samples and re-align and so forth. LHC doesn't have the same set of requirements... but there are indeed a variety of legitimate reasons why a scientist might need to remotely log into the system and change some settings.
Large facilities are designed to "do science" 24/7. Remote control is one thing that helps scientists maximize the usefulness of equipment. (Such as waking up at 1 am, checking on an experiment you started before leaving work, realizing the data is no good, fixing a few parameters, and running a new more useful experiment.)
remember: everything PhDs do is art. everything. including using their alma mater's mascot name as their password. art, i tell you!
"If still these truths be held to be
Self evident."
-Edna St. Vincent Millay
You could make the same argument about most computers in an office -- why are they even on the Internet? It's just unnecessary risk. Why do you have someone move an external hard drive from the public mail server to the internal mail server and vice versa every hour? The few people that actually need live Internet access can use one of the dedicated systems on another physical network.
And even the totally impractical air gap doesn't really provide the protection you think it does -- it prevents interactive attacks, but it doesn't actually stop the flow of information to the Internet and back, it just makes it asynchronous.
But hey, why let facts and pragmatism get in the way of your system design bashing.
Confucius Say "large toroidal machine always have security hole in middle."
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
If you think there's bugs in the security, you are able to fix it. That's the brilliant thing about Open Source. We don't have to just complain, we can actually send them the necessary patches. Now, the lack of publicity regarding the source is a concern. If Arthur Dent found getting the demolition plans for his house was bad, the notices regarding what software is available and where from are even worse.
They've had TWENTY YEARS to circulate the designs, prototypes and implementations. Yes, there are fewer software engineers interested in high-energy physics than there are software engineers into bomb-proofing OpenBSD, but if you don't tell any of them what's out there, it wouldn't matter if it was one coder or a million. You can't fix what you don't know exists to fix.
These control systems are mission-critical. The particle stream can't do "extensive" damage, but it can write-off the magnets, and those are multi-million-dollar toys. It could also shut down the accelerator for years, if a hacker goes drilling holes in the mountainside. (The hole would be small, but politicians aren't interested in paying for high-energy landscaping, and CERN isn't infinitely rich.)
Ignoring for a moment that the front-line defenses should have kept intruders out (though I'll bet that they're not using IPSec VPNs, they've got firewall holes for rsh and rlogin, and use .hosts files everywhere), the bulk of grid-enabled software these days can use Kerberos V or SAML 2.0 for security. They're probably not doing anything remotely that's time-critical so an in-line active intrusion detection and countermeasures system (there's plenty of them) could have been installed. Those cost a damn sight less than the detector array.
Since they were worried about someone getting onto an internal network, they must also believe that shell access was possible, so this isn't simply a matter of someone being able to ping a machine or SNMP query a server. This was a case of CERN violating some very serious standard protocols for ensuring code safety and system safety.
The "open secret" mentality, though, is probably the most dangerous part, though. By making the source available but not telling anyone, it is most available to those of malicious intent. Obscurity is not security, guys! That includes obscuring your announcements, it's not confined to merely obscuring the code itself. If you're going to release source (which is a Good Thing), you want to broadcast that fact to as WIDE an audience as possible. (In fact, if it's network-related, WIDE would be a good place to start announcing.) Get ALL the eyes you possibly can onto that code, for a comprehensive, rigorous audit. And if you're worried you can't get enough eyes, use static code checkers and test harnesses. Bet you anything none of the coders for the LHC have been using such resources beyond a superficial level, if at all.
All in all, I am impressed by the fact that the code is out there, and can be fixed, but I am NOT impressed with the secrecy mentality that created this utterly unnecessary security fiasco. If I'd wanted my tax money to go into security holes, I'd have paid Group Four to build the LHC. I want INTELLIGENT people to be doing the work.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
If you're interested to know, the text the hackers left is a childish rant against others that they claim pretend to be l33t but are not unlike them. Pretty stereotypical hacker/cracker message since the dawn of machines. Probably every hacking group in history has written such a message claiming superiority over lazy, unskilled pretenders. It actually has nothing to do with the LHC. The only reason they hacked this site was because, as they state, it was going to be popular, thus a good place to advertise their rant and group.
This thing will generate 28000 TB of data per hour!
Not to start a pissing contest over how much data the LHC will produce, but I got this directly off of the CERN web site:
The Large Hadron Collider will produce roughly 15 petabytes (15 million gigabytes) of data annually - enough to fill more than 1.7 million dual-layer DVDs a year!
That is closer to 1.7 TB per hour.
I just KNEW these damned Greek Aristotelians with their 4-elements theories wouldn't let it go.
2300 years later and they STILL carry a grudge against atomic theories.
Can't you just let it go guys? We're not made up out of earth, wind, fire and air. Not even if you succeed at blowing the LHC to Hades.
I don't know if anyone has pointed this out yet, but if so, it bears saying again: the control system in question belongs to the CMS detector, not to the LHC. These are two entirely different beasts.
Legalize it.
"If they had hacked into a second computer network, they could have turned off parts of the vast detector "
"We have several levels of network, a general access network and a much tighter network for sensitive things that operate the LHC," said Gillies.
Basically they defaced a web page which is hosted on a server which is nothing to do with the LHC control network. Haven't we had enough ridiculous LHC scare stories yet?
"Physics is to math as sex is to masturbation." -R. Feynman
yeah, because there has NEVER been an SSH exploit or man-in-the-middle attack. EVER.