FAA Network Hacked

coondoggie writes "The Federal Aviation Administration has joined the growing list of government agencies that have had their supposedly safe systems hacked. The agency this week notified about 45,000 employees that one of its servers was hacked into and employee personal identity information was stolen. The FAA was quick to say the server that was accessed was not connected to the operation of the air traffic control system or any other FAA operational system. It did say two of the 48 files on the breached computer server contained personal information about more than 45,000 FAA employees and retirees who were on the FAA's rolls as of the first week of February 2006."

Uhh Ohh!

Hope they find that CIP device soon!

Re:Uhh Ohh!

Hope they don't find my CP soon

Re:Uhh Ohh!

[Bobfrankly1]

Slashdot is always behind the times...the CIP device was destroyed over a week ago....or if we still believe that events occur in real time, it was over an hour ago.

Re:Uhh Ohh!

[ManuelH]

Tic, tic, tic, tic Previously on 24...

Re:Uhh Ohh!

[rob1980]

Ike Dubaku must have a backup somewhere. Maybe one of the leaks in the White House secured another one for him!

Re:Uhh Ohh!

[Praedon]

Considering how outrageously corrupt the government is in the world of 24, there's no doubt in my mind a CIP replacement will be found.

Re:Uhh Ohh!

Hope they find that CIP device soon!

... or President Obama can change his foreign policy on Sangala and pull back our naval forces - of course per the hacker's demands.

Re:Uhh Ohh!

[edsousa]

Only in the world of 24? The representation of the governments made in 24 could be the most authentic ever made...

Re:Uhh Ohh!

[herbierobinson]

Right...

Of course in the real FAA (not the one in 24), the ATC computers aren't new enough to support the Internet (at least as of 2-3 years ago). In other words, you can't hack into them because there is essentially nothing to hack!

Re:Uhh Ohh!

[Praedon]

Never said only :P But I'm not touching that topic with a ten foot pole.. for all I know they coul.... [CONNECTION LOST]

24?

[soconn]

Arghhh... Call Jack Bauer!!!!

Re:24?

Just make sure he gets a dd for the trip.

Re:24?

[yyr]

Our top priority is recovering the CIP device!!

Re:24?

Informative? Really?

Re:24?

[AndrewNeo]

dd if=/dev/null of=/dev/bauer?

Oh noes!

Has the CIP device been recovered yet? Should we call in Jack Bauer?

NOTE: This is NOT the ATC network

[wiredog]

It's the office/business network.

Re:NOTE: This is NOT the ATC network

[Arthur+Grumbine]

I've always wondered how often I can get modded informative for repeating a statement in the summary...maybe it's time for a broad experiment...

1. Post a re-iteration of something in the summary
2. Piss people off by getting modded "Informative"
3. ???
4. Profit!!

Re:NOTE: This is NOT the ATC network

[Bearhouse]

It's intereresting that people feel it necessary to point things out that are actually in the summary:

"The FAA was quick to say the server that was accessed was not connected to the operation of the air traffic control system or any other FAA operational system."

I mean, we'fre not supposed to read TFA, but c'mon, the summary!?

Still, you actually got modded 'informative' for it, so I guess the mods don't read the summary either...so, good call!

Re:NOTE: This is NOT the ATC network

[Svartalf]

Indeed. But how careful have they been maintaining the office network and are there any known/unknown access points INTO the ATC network that they're not telling us about?

Security is about a way of thinking as well as deploying tech to seal up things. As often as not, someone did something "convenient" for themselves or others and did something that weakened or completely compromised the security somewhere.

Re:NOTE: This is NOT the ATC network

[rezalas]

Where do you think big airlines get pilots from? Thats right, the private sector. Other than the military, the private sector is the only place you can rack up a few thousand hours needed to fly an air bus for morons like yourself.

Re:NOTE: This is NOT the ATC network

Yes, but if they delete the memo that says "DON'T CRASH THE PLANES!" then the planes could crash...

Re:NOTE: This is NOT the ATC network

The two are much more tightly coupled then you might be comfortable knowing about, and they have had crossover problems between the two networks in the recent past.

Re:NOTE: This is NOT the ATC network

[radtea]

I'm sure that will be a great comfort to the people who are subject to identity theft because of this breach.

Re:NOTE: This is NOT the ATC network

I don't care. They can train out over unpopulated areas or in other countries or something. There is no reason I should be subjected to noise and environmental pollution over my own land for someone else's benefit with no compensation.

If they want to fly over my land they should compensate me for the inconvenience.

Re:NOTE: This is NOT the ATC network

[causality]

I've always wondered how often I can get modded informative for repeating a statement in the summary...maybe it's time for a broad experiment... 1. Post a re-iteration of something in the summary 2. Piss people off by getting modded "Informative" 3. ??? 4. Profit!!

It's just an example of poor-quality moderation. Much of moderation involves subjective judgment calls and the like, but in this case, I can say with confidence that there is nothing "Insightful" about repeating what I just read. I'd really like to see just one discussion that doesn't include such blatantly "WTF were you thinking?" low-quality moderation (again, not referring to judgment calls). Just one -- is that so much to ask? Slashdot badly needs to bring back the old metamoderation system. The one where your mods getting marked as "Unfair" influenced how often you received mod points again and you were informed of your score. In my opinion, Idle and the new metamod system are evidence that they had a good thing going and just had to keep fucking with it, like they couldn't resist.

Re:NOTE: This is NOT the ATC network

[DrLang21]

The most noise pollution I have ever witnessed from private pilots is from helicopters. The skies are safest they have been since the advent of airplanes, with even more planes in the sky. If you're having noise pollution problems, it's probably from one big headed jockey, and you should take it up with him. Those numbers on the side of the plane are equivalent to a license plate. Get a set of binoculars, write down the numbers, take a video of him being an ass hat, and submit a complaint to the FAA. Trust me, the FAA is a real pain in the ass for pilots to deal with.

Re:NOTE: This is NOT the ATC network

[toiletbowl]

In my opinion, Idle and the new metamod system are evidence that they had a good thing going and just had to keep fucking with it, like they couldn't resist.

As if resistance was futile?

Re:NOTE: This is NOT the ATC network

[StikyPad]

Pfft.. they should be pulling new pilots from the pool of Flight Sim junkies. Pick me!!! I have a 5-piece controller setup, including the flight stick, a throttle with 4 separate levers, rudder pedals (and NOT those shitty Mad Katz ones repurposed from some arcade driving game), plus a helmet, an FAA certified Aviation Pilot Headset that I use with Ventrilo. I've got a 17 monitor setup, and an actual working ejection seat! I'm SO READY!!! Just let me disconnect my five-point harrrrr........

Re:NOTE: This is NOT the ATC network

[DrLang21]

How is it anymore absurd and excessive than a private boat? SUVs are more excessive than a private Cessna since you drive the SUV everywhere, whereas most private pilots fly for a couple hours a week or even less often. Are you seriously trying poke at the fuel consumption of private aviation? I don't have any numbers to go on here, but from the pilots I know, and the inefficient use of cars that I see (including my own), private aviation has nothing on the excessive fuel consumption of private vehicles. As it is, the cost of fuel has grounded a lot of private pilots (as well as historical aircraft associations who can no longer afford to fly their fuel hogging aircraft for your education). If you want to make an argument that they're all part of the air pollution problem, that's fine. But there are lots of people in your own back yard who are far bigger contributors to that problem than private aviation.

Re:NOTE: This is NOT the ATC network

You don't own the sky above your land. And you are just greedy and want a handout, don't pretend to be concerned about "environmental pollution".

Re:NOTE: This is NOT the ATC network

[GooberToo]

This is why we need to move to the new secure NextGen satellite based ATC that AOPA and the other corporate jet jockeys are fighting against.

No one wants it because it is too expensive and provides little to no value. There are already better solutions available. Which is exactly what AOPA is pushing.

And using your own words to make you look like an even bigger idiot, this article isn't about securing ATC. The article is about the FAA. The FAA does a lot more than ATC.

Made worse, you're completely uninformed. The majority of GA pilots are not "rich corporate fatcats".

If you are truly interested in "SAFE skies", make the FAA do their job by allowing safer technologies into planes by allowing competition for certified technology, rather than getting in bed with airlines and working hard to get out from under Congress' oversight while still unable to account for millions and millions of dollars. The only thing holding back safer skies is the FAA.

Hmmm...looking at your post again, it is pretty clear you didn't have anything of value, or even correct information, to add to the subject.

And in case you missed it, you need to read this reply again so you completely understand why you're completely ignorant on everything you posted about. I guess it is easy to see why you posted anonymously.

Re:NOTE: This is NOT the ATC network

[Ironica]

You don't own the sky above your land.

Well, not all of it... but some of it, you do.

Reminds me of...

[sammaverick]

Reminds me of this season of 24. (and also Die Hard 2 and 4 Fire Sale anyone?)

I'm pretty sure in the end Cowboy Neal will come and save the day though.

They may have told the current employees...

[Oswald]

...but they have said nothing to me or my wife or any of the other dozen people I know who are blissfully retired from that shit hole. Typical.

Re:They may have told the current employees...

[timeOday]

Blissfully retired, no kidding. Air traffic controllers retire with full pay after only 25 years, don't they? It's like a military pension without having to move every 3 years and risk getting shot.

Re:They may have told the current employees...

[Oswald]

It's 20 years at age 50 or 25 at any age. I was only 23 when I hired on, so for me it was 25.0000000 years.

Re:They may have told the current employees...

Blissfully retired, no kidding. Air traffic controllers retire with full pay after only 25 years, don't they? It's like a military pension without having to move every 3 years and risk getting shot.

I retired after 24 years at 50%. Pretty good anyway. I feel lucky. Yes, no one shot at me. All kinds of things didn't happen to me. Did I earn my money and pension? I think so. But I wasn't shot at, so who knows? I'm also one who those who wasn't notified about this security breach.

Re:They may have told the current employees...

[Em+Emalb]

Interesting to me that you call it a "shit hole" and still spent 25 years employed there.

Was it always a "shit hole" or has it declined over the years?

Here in DC they're running all kinds of negative "campaign" ads regarding the FAA and their treatment of the ATC union.

I imagine both sides are responsible, as usual, but all I'm hearing is the traffic controllers side.

The latest one consists of "The government is running ATC like a Wall Street company. WTH does that even mean?

Re:They may have told the current employees...

From the FAA ATO (Air Traffic Organization) web site: "Febraury 10 -- An FAA computer system containing the names and social security numbers of employees and retirees was breached by a hacker last week. All current and former employees affected will receive a letter shortly alerting them to this event. Two of the 48 files breached contained names and social security numbers. One of them contained information on more than 45,000 employees and retirees who were on FAA rolls as of the first week of February 2006. Medical information from the hacked files was encrypted and not identifiable. Most of the breached files were test files used for application development. "We are moving swiftly to identify short-term and long-term measures -- procedural and technological -- to prevent such incidents from recurring," said acting FAA Administrator Lynne Osmus. More information will be available soon on the FAA employee and public Web sites. A toll-free hotline to answer employee calls related to this event is also being established. "We will continue our efforts to further protect our computer security systems and will keep you informed as the investigation continues," said Osmus." And from Federal Computer Week: "In January [2009], the Office of Management and Budget named the FAA as one of four agencies to provide services to certify and accredit computer systems to assist other agencies to fulfill information security requirements under the Federal Information Security Management Act. "

Re:They may have told the current employees...

[Oswald]

I think it's supposed to mean that the FAA is being run like a profit-seeking enterprise when its job is to make sure that actual profit-seeking enterprises (i.e. the airlines) have a safe environment to work in (and that they don't pinch so many pennies trying to eke out a profit that safety suffers). The union, in their usual drama-queen fashion, is trying to say that the FAA is being run on a shoestring by people who think it's their job to blow happy smoke up Congress's collective ass rather than tell them the truth.

As for your first question, the place went from high-intensity, challenging, and interesting to flat-out miserable over the course of my career due to gross mismanagement by the government and the greed of controllers. I have never been so excited to start something as I was my ATC career, and never so happy to see something end (well, maybe my first marriage). I stayed for the retirement package.

Re:They may have told the current employees...

[DNS-and-BIND]

Yes, because everyone who works at a shithole job is capable of changing in a flash, uprooting the kids from school, moving to a new city where the weather is uncomfortable, and finding a new, good job elsewhere. A lot of people work shithole jobs, because the alternatives are even worse. I've even had a few myself.

Re:They may have told the current employees...

[Em+Emalb]

I make a simple statement, in this case "Interesting to me that you call it a "shit hole" and still spent 25 years employed there." and then followed it up with a question: "Was it always a "shit hole" or has it declined over the years?"

But rather than see that, you instantly go for the knee-jerk (surprised you didn't hit your face with your knee) reaction which is to assume something and then go off on it.

Anyway, sorry your work-life has sucked in the past. Hope it doesn't now.

Re:They may have told the current employees...

[Em+Emalb]

Yeah, I've heard that in the past that the job used to be pretty fun but has slowly morphed into "just another government job" over the years.

Kudos to you though, for finding a field where you can actually spend 25 years employed by the same "company" and not get surplussed, fired, or let go. It's really rare these days.

Christ, slashdot, you suck with this 2 minute posting shit. Seriously, LAME. No wonder I haven't posted here in a long time. I'd forgotten how retarded some of this stuff can be.

Re:They may have told the current employees...

[The+End+Of+Days]

Kudos to you though, for finding a field where you can actually spend 25 years employed by the same "company" and not get surplussed, fired, or let go.

Stagnation is a desirable job characteristic? If your attitude is prevalent, it's no wonder the economy is fucked.

Re:They may have told the current employees...

[Just+Some+Guy]

Stagnation is a desirable job characteristic?

Who said that longevity means stagnation? If your attitude is prevalent, we're all screwed.

Re:They may have told the current employees...

Stagnation is a desirable job characteristic? If your attitude is prevalent, it's no wonder the economy is fucked.

Nice false dichotomy there. Being at the same organization 25 does not necessitate that you work in the exact same position, doing the exact same thing all that time. Just because there hasn't been much job security for professionals since 1980's, doesn't mean the lack of it is always a good thing.

operation of the air traffic control system

[captainpanic]

I'm assuming that the operation of the air traffic control system is not connected to the internet in ANY way at all?

Some questions:
1. Is being offline a guarantee for not being hacked? (How else than through the cable / wifi can you hack into a network)?
2. Is the FAA indeed offline?

Re:operation of the air traffic control system

[HungryHobo]

Well someone who really wanted to could physically enter the building and either set up their own wireless access point or use some other setup to allow themselves to acess the network.

Re:operation of the air traffic control system

FAA also has 100's of subcontracters that have some access to internal systems. I remember a while back someone hacked into MITRE office somewhere then in turn was able to get to a SUPERCOMPUTER!! Critical systems are NOT online. They don't need to check facebook.

Re:operation of the air traffic control system

[captainpanic]

Well... that's then my question:
Does such a network use the same plugs, and systems so that anyone who actually is able to break into the building can also access the network?
Are such important networks using wifi, or normal utp cable networks, so that anyone who can break in can access the network? (I'm ignoring the whole encryption here, just wondering if it's physically possible to even send one byte of data to such a network without having to use a megaton EMP device)?

I mean, breaking into a building isn't hard, you just have to steal the keys... which is also what hacking comes down to.

Re:operation of the air traffic control system

[eln]

If you can gain physical access, network security is essentially meaningless. I would hope FAA air traffic control facilities have more security than a simple key and lock.

Re:operation of the air traffic control system

[cyberprophet]

The FAA Air Traffic equipment is never connected to any of the administrative LANs, in fact by policy any computer that is going to be connected to operational equipment is not supposed to be used on a public network.

Re:operation of the air traffic control system

[cyberprophet]

Physical Access to ATC facilities is tightly regulated, unless an employee set up the access point or allowed it to be set up this is very unlikely. Also, the FAA does periodically sweep facilities for wireless devices. That said the FAA administrative LANs are connected to the internet through various firewalls and proxy servers, so with some ingenuity and time someone could gain access. The real question is, what is the FAA going to do about the breech of their employees privacy and security?

Re:operation of the air traffic control system

[HungryHobo]

What I was more refering to was.

1:
You walk in the front door into the guest/public area.
Lean down and plug something into a network port which acts as a wireless repeater.
Of course it would be stupid to have live network ports in the public areas.

2:
Bullshit your way into the office area one way or another.
Do the same.

3:
Bullshit your way into the server room.
At this point you have full physical access and the game is over.

Re:operation of the air traffic control system

A couple of things.

The FAA has been in a broad transition to becoming more secure. This is mainly pointed at the administration network, as ATC and all operations run on an internal network that in no way touches the outside world.

Some things that have happened and are happening on the admin network.

-Wirless intrusion detection (complete, alarms go off if any new wireless devices are detected)
-Network access control (will be completed soon, anything that is not registered will not touch the network)
-Encryption (all laptops are currently encrypted, workstations will be in the future)
-ID Cards (Cards readers will be used to access any machine, in progress)
-Centralized secure proxies (Proxies that were run separately and with different rules will be homogenized and secured)

I know this sounds like standard security features, but trust me...five years ago none of this stuff was standard. They (we) are getting there.

Re:operation of the air traffic control system

Your rogue AP wouldn't last 2 minutes inside the FAA because AirDefense is on the job. HA! You people and your theories make me laugh!

Re:operation of the air traffic control system

[Tekfactory]

80% of all security incidents are Insider Threat.

I assume most of those numbers are users deleting files, and bringing in virus infected media from home, but still its something to think about.

What protects your data from authorized users already inside your perimeter?

Being off-the-grid reduces drive by attacks from worms, but not dedicated attackers, or insiders.

Re:operation of the air traffic control system

[HungryHobo]

It's good to know they have something like that.

Re:operation of the air traffic control system

[pasv]

It doesn't matter I'm afraid. The system is compromised because the people operating it are. The reason for this is simple, every piece of identifying information on those employees is leaked... Imagine what a decent social engineer could do with this information. Hell, with that information you wouldn't even need much talent to control the aviation systems. It's probably more stupid to attack this system from the network/computer vector because it's the most likely to be targeted.

Re:operation of the air traffic control system

[RiotingPacifist]

wait so if any point on a network is insecure, everything on the network is unsafe?
And nobody ever developed a protocol to allow two known safe computer to connect over such an unsafe network?

Re:operation of the air traffic control system

1. Guard shack. Every facility has one, you must have an FAA ID or at least be escorted. Plugging in a wireless repeater will immediately have the port blocked as it is an unknown wireless device detected as such. It should be noted that there is some wireless in most facilities, on a seperate open network, but you'll have to talk to the union about that.

2. Yeah, maybe. Again, getting by the guards will be interesting.

3. A little crazy, but I guess it could happen. If said administrator allowed access to server room without monitoring. It ain't happening at this facility.

Re:operation of the air traffic control system

[Greyfox]

The FAA network security is enforced through obscurity. To successfully hack it you have to be a retired COBOL programmer.

Re:operation of the air traffic control system

Do I really have to retire first? I'm only 20 :(

Neat Trick

[DynaSoar]

Someone should ask the FAA how they managed to get an entire network (see: article title) onto one server (see: article summary). Was it a server, or a single work station? A server can dispense data, but dispensing data does not make it a server. Servers tend to act as the dispenser for data bearing machines, no?

What's the matter, wouldn't an article that said "One FAA Computer Hacked - Employee Data Stolen" be sexy enough? Probably not. The title as is misleads people into wondering if the ATC network was implicated.

Re:Neat Trick

[causality]

Someone should ask the FAA how they managed to get an entire network (see: article title) onto one server (see: article summary). Was it a server, or a single work station? A server can dispense data, but dispensing data does not make it a server. Servers tend to act as the dispenser for data bearing machines, no?

What's the matter, wouldn't an article that said "One FAA Computer Hacked - Employee Data Stolen" be sexy enough? Probably not. The title as is misleads people into wondering if the ATC network was implicated.

If you own or administer the equipment in question, you'd have to assume that an attacker getting into the server is the same thing as an attacker getting into the network until proven otherwise. That's for the simple reasons that the attacker has already proven their ability to compromise at least one of your systems and that server can now be used as a platform to attack any other machine with which that server can communicate (i.e. that network). Incidentally, am I the only one who still says "proven"?

It's still possible that the Slashdot summary has a sensationalist title, but for those reasons it's not absurd to believe otherwise. As for your question about the ATC (air traffic control) network, you don't even need to read the fine article; the summary does specifically state:

The FAA was quick to say the server that was accessed was not connected to the operation of the air traffic control system or any other FAA operational system.

This is about what you would expect because such critical systems should not be Internet-accessible unless there were some incredibly strong overruling need for it that could not be addressed any other way. I don't know anything about the FAA or their systems but this is simply common sense. Any administrator who doesn't understand this should not be trusted with such important networks.

Re:Neat Trick

[anss123]

I don't know anything about the FAA or their systems but this is simply common sense. Any administrator who doesn't understand this should not be trusted with such important networks.

You cannot rule out the cost factor. It's for instance not economically feasible to link up all power stations to a separate secure network, so they use the internet.

Facing the Internet is not necessarily insecure. It is possible to make 100% hack proof computers - not counting DOS and physical attacks. Similarly, a secure network can still be compromised so that is not always the best way for securing networked computers.

Re:Neat Trick

[causality]

I don't know anything about the FAA or their systems but this is simply common sense. Any administrator who doesn't understand this should not be trusted with such important networks.

You cannot rule out the cost factor. It's for instance not economically feasible to link up all power stations to a separate secure network, so they use the internet. Facing the Internet is not necessarily insecure. It is possible to make 100% hack proof computers - not counting DOS and physical attacks. Similarly, a secure network can still be compromised so that is not always the best way for securing networked computers.

That's a rather verbose way of saying that my statements are intentionally general and therefore might not describe every possible specific application. I hope we already knew that.

By the way, you quoted me slightly out of context because you left out the one previous sentence that addressed your concern. This is the full block of text:

This is about what you would expect because such critical systems should not be Internet-accessible unless there were some incredibly strong overruling need for it that could not be addressed any other way. I don't know anything about the FAA or their systems but this is simply common sense. Any administrator who doesn't understand this should not be trusted with such important networks.

All I'm saying is that the limiting of potential exposure is a valid security practice. It's one of the more common-sense approaches and it would occur to a competent administrator. Further, a good administrator would do it (would limit exposure) unless there were some overriding need not to. Do I really need to also say that it is one practice among many valid practices? I don't mean to be rude when I say that I doubt anyone who is knowledgable about the subject needs to have such a basic and obvious thing explained to them.

I mean no offense and I'm not trying to berate you. I just can't see why you made your post or what you thought you were telling me that I didn't already cover. If I really did miss something and you are able to fill me in, you'll find me an eager audience, but I don't feel like you've given me much to work with.

Re:Neat Trick

[anss123]

This is about what you would expect because such critical systems should not be Internet-accessible unless there were some incredibly strong overruling need for it that could not be addressed any other way.

(Emphasis mine). In my example there is "another way", even so they use the internet. If you had just said "critical systems should not be Internet-accessible unless it's impractical" I would have understood you better.

Re:Neat Trick

[causality]

I did have one other response to you, for what it's worth. At first, you may think this is just semantics but I hope you don't feel that way after you read my full response.

Facing the Internet is not necessarily insecure. It is possible to make 100% hack proof computers - not counting DOS and physical attacks.

I think we'll have to agree to disagree on this part. The whole problem is that you'd never be able to actually prove that a computer is 100% secure (no one has found a way to do that), only that it hasn't been compromised yet and even that might be much tougher than you think, so I'd personally never make a claim like this. Then there's the network to which the computer is attached, which you also cannot actually prove is 100% secure. The best that you can do is to compare various systems in order to establish relative terms like "more secure" and "less secure" to eventually arrive at a concept of "reasonably secure", which is often abbreviated as "secure".

There's also the consideration that computers are part of a system and your security could potentially be compromised at any point in the entire system. Let's say you have incredibly secure computers and networks. Do you think attackers will just give up? No, they'll start going after your users with various social engineering techniques. At some point finding a clueless or overly trusting user is much easier than directly attacking the machines. A person who is knowledgable about security has to understand that the situation favors the attacker. That is, to secure the system, you have to prevent every possible avenue of attack; to break into the system, the attacker just has to find one thing you missed. This is why concepts like default-deny and least-privilege are so helpful.

There is absolutely nothing you can do to make a computer "100% hack proof" against a clueless user who thinks that the attacker is one of your legitimate administrators. What you can do is form a comprehensive plan that takes the entire system, including users, into account. You take reasonable measures and you avoid unnecessary exposure. Ultimately, what you can accomplish is a system that is secure enough that the effort required to break into it far exceeds any value that would be gained by doing so. The rest is damage control.

Re:Neat Trick

[anss123]

A system can indeed be "100% hack proof" from attacks originating from the Internet. The problem with desktop systems, servers, etc, is complexity. Get that complexity down to manageable levels and you can have your hack proof system.

For a system, for instance, that just reports power usage over the Internet the complexity is at so a low level that it's possible to validate all possible inputs and outputs. The biggest complexity in this example is actually the TCP/IP protocol.

Ultimately, what you can accomplish is a system that is secure enough that the effort required to break into it far exceeds any value that would be gained by doing so. The rest is damage control.

In theory everything is hackable through some means, even your brain... but no one is going to hack into your brain over the internet despite the fact that you are "connected" through your display and keyboard. The brain might indeed be hackable through this means though as it's way too complex for us to ever validate all inputs.

At some point finding a clueless or overly trusting user is much easier than directly attacking the machines.

True enough. Not disagreeing here. It's possible that you convince me to install some software on that 100% hack proof system and then send secret information over the Internet - which you would not have been able to do if there was no connection to the internet.

Re:Neat Trick

[causality]

This is about what you would expect because such critical systems should not be Internet-accessible unless there were some incredibly strong overruling need for it that could not be addressed any other way.

(Emphasis mine). In my example there is "another way", even so they use the internet. If you had just said "critical systems should not be Internet-accessible unless it's impractical" I would have understood you better.

That's a funny thing that happens to me from time to time. For a moment it will appear that there is a disagreement or a debate and then I'll find that the other person and I were actually saying (more or less) the same thing, just in different ways or from different perspectives. That most often happens when the other person and I are both knowledgable about the subject. I appreciate you taking the time to clear that up for me :-).

Whatever

[SatanicPuppy]

We know the air traffic control computers weren't hacked...There hardly are any, which is in itself a problem.

But being sloppy with data is a bad sign in any organization. If you can't keep your secure data secure, then what other important things are you also letting slide?

Having worked at the USDOT..

[bleh-of-the-huns]

Of which the FAA is apart of, I can say, with absolute certainty, that like every other major entity, there are literally dozens and dozens of systems that are in no way connected to the ATC, or any other network for that matter. Yes they are networked, but so is every desktop and every camera, that does not mean they are not well isolated and secure from each other.

FAA has well over 10k hosts (desktops, servers, etc etc), its unfortunate, but expected that many of those hosts are probably vulnerable to something. But at the same time, critical systems (ATC for example), are generally isolated from the basic FAA backbone, and on a closed network.

Not found

[UnixUnix]

Windows cannot find Control Tower. Hit any key to continue.

Re:Not found

[causality]

Windows cannot find Control Tower. Hit any key to continue.

"Where's the 'any' key?"

Am I the only one who remembers the "ANY" stickers that were usually placed on the ENTER key and were specifically designed for (l)users who kept asking that question? When I first saw them, someone had to explain to me that yes it's a serious product, it's not a joke item or a gag gift. I think I looked at the world a bit differently after that.

If I ever marvel at how even otherwise intelligent people sometimes shut down all common sense and ability to reason when they are in front of a computer, this is an example of what I'm talking about. That they wouldn't even consider whether "any" might be an adjective, or that the sentence should be written differently if it were intended to mean a key bearing the label of "ANY" just blows my mind.

Re:Not found

[MadKeithV]

Control Tower - Alt - Delete to log in.

Re:Not found

[tlhIngan]

Am I the only one who remembers the "ANY" stickers that were usually placed on the ENTER key and were specifically designed for (l)users who kept asking that question? When I first saw them, someone had to explain to me that yes it's a serious product, it's not a joke item or a gag gift. I think I looked at the world a bit differently after that.

If I ever marvel at how even otherwise intelligent people sometimes shut down all common sense and ability to reason when they are in front of a computer, this is an example of what I'm talking about. That they wouldn't even consider whether "any" might be an adjective, or that the sentence should be written differently if it were intended to mean a key bearing the label of "ANY" just blows my mind.

Well, you have to remember that computers also have buttons people have never seen before - especially on a keyboard. Think keys like "Ctrl", "Alt", "PrtSc", "SysRq", "NumLk", "ScrLk" and the like. It's entirely possible believe that "ANY" refers to some computer-y term rather than literally, any (and in most cases, any key won't work - keys like Shift, Ctrl, Alt, the locks, other modifiers (Windows, Menu, AltGr, Compose, blah blah blah) probably won't make the message go away). A slightly better wording might be "Press a key co continue". The literalists will probably type "a", the pedants will try the modifiers and complain, and the rest of us will hit space or something.

Re:Not found

[causality]

Am I the only one who remembers the "ANY" stickers that were usually placed on the ENTER key and were specifically designed for (l)users who kept asking that question? When I first saw them, someone had to explain to me that yes it's a serious product, it's not a joke item or a gag gift. I think I looked at the world a bit differently after that.

If I ever marvel at how even otherwise intelligent people sometimes shut down all common sense and ability to reason when they are in front of a computer, this is an example of what I'm talking about. That they wouldn't even consider whether "any" might be an adjective, or that the sentence should be written differently if it were intended to mean a key bearing the label of "ANY" just blows my mind.

Well, you have to remember that computers also have buttons people have never seen before - especially on a keyboard. Think keys like "Ctrl", "Alt", "PrtSc", "SysRq", "NumLk", "ScrLk" and the like. It's entirely possible believe that "ANY" refers to some computer-y term rather than literally, any (and in most cases, any key won't work - keys like Shift, Ctrl, Alt, the locks, other modifiers (Windows, Menu, AltGr, Compose, blah blah blah) probably won't make the message go away). A slightly better wording might be "Press a key co continue". The literalists will probably type "a", the pedants will try the modifiers and complain, and the rest of us will hit space or something.

I don't think you're appreciating how deep the lack of common sense really is.

If what you're saying were the crux of the problem, then such a user might have this problem one time. It wouldn't take very long to exhaustively perform a visual search of the keyboard and conclude that there is no key labelled "ANY". At that point, this theory that the prompt refers to a specific key has been falsified and it's time to abandon it. Isn't that simple? The only possible remaining explanation is that "any" is an adjective. Even this need not be taken on faith but can be tested by pressing an arbitrary key to see if the machine will proceed. This entire process should take a few minutes at the most.

A user who does not abandon common sense and ability to reason might go through this process one time. After that one time, they would never need to repeat this experience so there is no reason to purchase an "any key" sticker. The problem-solving involved here is really simple and does not even begin to approach what I could call advanced reasoning with a straight face. Yet, these users refused to apply it. I maintain that they are without excuse; that this amounts to willful helplessness. I will add that by making excuses for them, you are not really doing them any favors because by believing you, they will not become less helpless.

Re:Not found

[FatdogHaiku]

Making a Blue Screen of Death a much more meaningful phrase...

Re:Not found

[The+End+Of+Days]

You're equating hard-won esoteric knowledge with common sense. Common sense as a concept is bankrupt - it doesn't exist in isolation, it is simply learned behavior which is not in any way universal. Dragging the term out derisively is a merely a rhetorical crutch.

Re:Not found

[Quest4RelativeTruth]

Actually they call tech support and ask "where is the "any" key, I can't find it". I've had the joy of answering one or two of those calls.

Re:Not found

[causality]

You're equating hard-won esoteric knowledge with common sense. Common sense as a concept is bankrupt - it doesn't exist in isolation, it is simply learned behavior which is not in any way universal. Dragging the term out derisively is a merely a rhetorical crutch.

A basic process of elimination, which is the only specific instance of common sense that I mentioned, is "hard-won esoteric knowledge"? I just can't go along with that.

I'm not really deriding anyone. I'm expecting better of them. There's a difference and it's a huge one. Derisive would amount to believing that they can't handle basic problem-solving because they are inferior to me; even when it appears to be humorous, derision always has this type of negative comparison as a core component. Instead, I am saying that if I can perform childishly simple problem-solving without using any special skills, so can they, which means that any obstacles they encounter are not only surmountable but worth overcoming. That is a statement of equality.

Maybe calling it "common sense" was a stumbling block for you. There are multiple terms that could be used to describe the basic faculty that I am describing so there's no need to get hung up on the verbiage or diction.

When you say that there is anything at all esoteric or hard-won about the most basic reasoning and problem-solving, there are two implications of that statement that come to my mind. The first is that you are ignoring the element of personal choice and how strongly it determines who will do what it takes to observe these simple principles and who won't. If you ignore the element of choice, then you are left with a sort of "lottery" that results in a minority of the population being able to solve basic problems and a majority that wasn't standing in line when that ability was being handed out, so to speak. The second implication is that if any literate adult lacks this understanding, that's okay and it's beyond their control because after all, it's "esoteric", so therefore it follows that they should make no effort to remedy this situation. This is a somewhat subtle rejection of personal responsibility.

The fact is, I did not wait around for someone to come along and teach me how to think and reason. I consider those matters far too important to trust to anyone else. I read, I wrote, I engaged in debate, I studied logic and other things, and so that I would not be easily mislead I also studied propaganda techniques and logical fallacies. No one made me do this. No one was looking when I did it. This wasn't for some school project or because anyone asked me to. It's because my life is mine and no one can live it for me, certainly not in any healthy fashion. I look around me and I see a world full of people to whom this sort of personal responsibility, this sort of "giving a damn", is an alien concept. They are choosing to be that way and they can choose differently any time they want. This is why I refer to their inability to solve the most basic problems as "willful helplessness". To say otherwise would amount to telling them that it's hopeless and they shouldn't bother trying and I've seen far too much evidence to the contrary.

So, you can tell me that there is anything esoteric about this process even though all of the needed information is "out there", available, and waiting to be studied by anyone who can use Google. You can watch me express deeply held beliefs that have withstood both the test of time and the test of various hardships and then tell me that they are merely "a rhetorical crutch." Perhaps that will make you feel better about your own personal shortcomings or those belonging to someone close to you or maybe it'll make you feel better about living in a world where most people just don't care. It will not work on me, and nor should it. What I can tell you is that the excuse is worse than the shortcoming because it makes sure that these things are accepted instead of identified and changed. I want something better than that for myself and I also want something better than that for you.

Re:Not found

[Ironica]

If what you're saying were the crux of the problem, then such a user might have this problem one time. It wouldn't take very long to exhaustively perform a visual search of the keyboard and conclude that there is no key labelled "ANY". At that point, this theory that the prompt refers to a specific key has been falsified and it's time to abandon it. Isn't that simple?

If users' general experience with computers was that software and hardware were universally compatible and all computers had the same interface design, then it would be that simple. But what of the user who is told to use the right mouse button when he's on a Mac? Or to use the Windows key when his keyboard predates that invention? Or to use the number pad on a laptop?

Users have, sadly, been trained to jump to the conclusion that, when the hardware or software doesn't perform according to their initial expectation, there's something wrong with either the software or the hardware... or they just don't have the information they need. The idea that they may have made a *semantic* misinterpretation is pretty far down the list of the usual suspects.

Hacked? Or Cracked?

[ZxCv]

If the readership and editors of /. can't seem to correctly grasp the difference between 'hacked' and 'cracked', how do we expect the mainstream press to ever come even close to getting it?

Re:Hacked? Or Cracked?

Unfortunately, 'hacked' now means 'cracked' to the majority of English speakers and since language is consensus based, that's what it now means.

Re:Hacked? Or Cracked?

When are people going to stop posting this drivel? No one really cares, and those that do need to stop feeling sorry for themselves.

Re:Hacked? Or Cracked?

[ShinmaWa]

Oh get off your 133tist high-horse.

You know, or should know at any rate, that language changes over time. The correct definition of a word is the one that people actually understand. Like it or not, when people say "hacked" in this context, people understand that it means "illicitly and illegally accessing a computer system". I understand that, everyone else understands that, and therefore -- like it or not -- it is now the definition of the word.

When are YOU ever going to get that the definition has evolved and changed? YOU are the one clinging to a deprecated and archaic definition of the word that only a very small percentage of the population knows, and an even smaller percentage actually cares about.

P.S. Same goes for "piracy".

Re:Hacked? Or Cracked?

[Macrat]

The movie "Hackers" had the wrong title?

Re:Hacked? Or Cracked?

[causality]

I should preface this by saying that I agree with you, and that if a person is going to expend energy trying to change the consensus view of something, there are far more worthy challenges than "hacker vs. cracker". What I will mention here is related to your point but does not directly address it; this is more of a side issue.

You know, or should know at any rate, that language changes over time. The correct definition of a word is the one that people actually understand. Like it or not, when people say "hacked" in this context, people understand that it means "illicitly and illegally accessing a computer system". I understand that, everyone else understands that, and therefore -- like it or not -- it is now the definition of the word.

When are YOU ever going to get that the definition has evolved and changed? YOU are the one clinging to a deprecated and archaic definition of the word that only a very small percentage of the population knows, and an even smaller percentage actually cares about.

That the word "hacker" had a more specific meaning that it has now lost is not really Newspeak because it arose out of the general public's apathy towards these issues and not, to my knowledge, out of any sort of propaganda effort. The word "conversative" is a good example of real Newspeak. The only unfortunate side-effect is that there was a distinction between someone who has strong interests and talents relating to technology versus someone who has a strong interest in attacking other people's systems. The result is that to many people, there can be an assumption that anyone who is technologically highly skilled must be using (or must have used) that skill in a harmful way because that's all they hear about in the media. "Honest security researcher maintains systems that haven't been successfully attacked" doesn't exactly make headlines. That the knowledge required to fully understand security issues and effectively safeguard systems is quite similar to the knowledge that could be abused to do harm does not help matters.

This is the sort of thing that sounds like mere semantics and doesn't seem to matter until politicians start getting interested in regulating their country's use of the Internet. Public perception is very important to politicians; it is often more important to them than unbiased fact. Look at Germany, which has outlawed many security-related tools that can be used to legitimately secure systems. It's silly to think that this will have any real effect on the black hats because they have already demonstrated a willingness to break the law. What this will do is hamstring legitimate security professionals and will cause them to be less equipped than their opponents. It also carries the message that "you are not to be trusted" and is generally a step away from the free exchange of ideas. I submit that this could not have been possible without the public perception that "hackers" are all a bunch of criminals.

I think the word "hacker" has changed and that it's pointless and counterproductive to try to wind back the clock so I am definitely not disagreeing with you. I just think more emphasis needs to be placed on the positive uses of this sort of knowledge or else we risk following Germany's example. It's just the sort of thing that doesn't seem to matter until it bites you in the ass, so to speak.

P.S. Same goes for "piracy".

I agree here, too. I don't think the semantics surrounding copyright infringement are worth debating except for when the claim is made that copyright infringement is the same thing as stealing, which it is not. Stealing is a criminal offense and it deprives the rightful owner of his or her property. Copyright infringement is generally a civil tort and does not deprive the rightful owner of the work that was infringed, but only of the exclusive right to distribute copies of that work. Equating the two is intellectually dishonest and so the distinction is worth making.

tag MICROSOFT WINDOWS

[toby]

Thanks Bill - enjoy your retirement.

Re:tag MICROSOFT WINDOWS

[n0084ever]

Thanks Bill - enjoy your retirement.

yes, and please accept our gratitude for your inventiveness and security consciousness, and this token of free flights anywhere.

Were the intruders looking for...

Existence of UFO's? Like a certain UK hacker...
If there was any place that might have this stuff its the ATC systems

Opps. There goes the doorbell. I wonder if it is the Feds trying to find their way out of a paper bag?

Re:Were the intruders looking for...

[v1]

Opps. There goes the doorbell.

The Feds use the doorbell? I thought they used a needle and a gunnysack?

More of W's nice work

When W got in, his admin pushed the gov to move towards Windows. What a nightmare. Hopefully, Obama will be a bit more sane than this.

The true solution to this problem

There's only one way to solve all these identity thefts: store everything (personal information, financial data, emails, etc) in just ONE single place. It is easier to protect one place instead of 100. Perhaps the RFID chip is the true solution to all our security problems, starting with identity theft, email spam, terrorism, credit card mess, etc.

This is clearly a job done by those gay muslim communist terrorists that did the 9/11 attack and from which we need to protect our children at any cost, even if that cost is our own freedom.

God. 9/11. Terrorists. National Security.

You forgot the links!

[wiredog]

Teh Fatal Death Killer Remote Control Module of Deadly Doom.

More Erudite 24 Commentary

The real problem is

that if they are using windows AND somebody connects a laptop with a worm, then it can grab data and send it back. It is Amazing how insecure systems are that are ASSUMED not to be on the net.

The FAA is taking this VERY SERIOUSLY

...and recommends that all employees purchase this credit monitoring service to protect against identity theft.

Here's the e-mail the FAA sent out to Employees

Dear Colleagues: I want to alert you that the Cyber Security Management Center identified some unusual activity from an FAA administrative server last week. An investigation revealed that the server was breached by a hacker. Most of the 48 breached files were test files used for application development. Two of these files contained names and social security numbers. One of them contained information on more than 45,000 employees and retirees who were on FAA rolls as of the first week of February 2006. Medical information from the hacked files was encrypted and not identifiable. We are moving swiftly to identify short-term and long-term measures â" procedural and technological â" to prevent such incidents from recurring. All current and former employees who are affected will receive a letter shortly alerting them to this event. In addition, we are posting information in the form of FAQs on the employee and public web sites, and we will update that information, via the web and other channels, should the investigation reveal more information. We also are setting up a toll-free hotline to answer employee calls related to this event. We will continue our efforts to further protect our computer security systems and will keep you informed as the investigation continues. Lynne Osmus Acting FAA Administrator

Congres made us safe :)

[yl_mra]

Another illustration of how safe our government made the internet by making it a major crime to hack our networks. It used to be that we could find our way into networks and heckle the administrators. By the rules of the game, we let the admins know what we did and how. That was fun :) and kept our networks secure. Now, it can land you in prison. With all of this safety, how many of you know of middle school kids that got caught hacking into 'secure' systems within the past 10 years? What will happen if a hostile agency really wants to steal our data our bring us down?

FFA hacked?

[AioKits]

I really should get off my butt and get those glasses/contacts like I keep saying I will. For a second there I thought some foreign entity discovered our method of raising young kids to be farmers and how to determine if your cow had been eating from onion patches by merely drinking the milk the cow produces.
Vote for Pedro!

Coincidence?

[legirons]

This is on the same day Microsoft announced you could take control of an Exchange server by sending an email to it?

Re:Coincidence?

Except FAA is Lotus. DOT is still Exchange from what I understand.

My first thought

[StupiderThanYou]

Why would anyone want to hack FAAngband ?