Hack Targets NASA's Earth Observation System
Gunkerty Jeb writes "A hacker is claiming that a security hole in a server at NASA's Goddard Space Flight Center has exposed data related to a satellite-based Earth observation system used to aid in disaster relief. The hacker, who uses the handle 'Tinkode,' has published a screen capture from what he claims is an FTP (File Transfer Protocol) server at NASA's Goddard Center. The hack comes exactly a month after the same hacker exposed a similar hole in a server operated by the European Space Agency."
Somebody is running an FTP server on a computer that has a screen? Also, the obligatory "SFTP Motherfucker! Why don't you use it?"
When FTP needs to be explained on /. it's time to find another "News for Nerds" site.
FTP (File Transfer Protocol)
News for people who don't know what FTP means?
Someone over at NASA, and government agencies in general, needs to seriously step up their security team.
Hire people that can effectively put a system in place to secure their networks, data, and disposition of old equipment. Monitor your networks and data, put systems and people in place that can predict and respond to security issues.
My assumption is that NASA is so budget-constrained, and has so many wasteful expenditures, that security gets left by the wayside and then things like this happen (if it indeed DID happen).
Time to abort the mission until we can verify the mission's security has not been compromised.
He who knows best knows how little he knows. - Thomas Jefferson
Hack Targets NASA's Earth Observation System [...] The hack comes exactly a month after the same hacker exposed a similar hole in a server operated by the European Space Agency.
Now _this_ is a hacker who knows how to aim high!
This Space Intentionally Left Blank
Could you please stop spamming facebook??
DUDE! CHECK OUT THIS FTP SERVER THAT I COULD JUST WALK INTO! OMG I HACK IT!
ALL I HAD TO DO WAS PUT IN MY EMAIL ADDRESS AS THE PASSWORD! MY GOD I COULD HAVE PUT IN ANYTHING!
bmo@owlcomm:~$ ftp ftp.linux.org.uk
Connected to ftp.linux.org.uk.
220 (vsFTPd 2.2.0)
Name (ftp.linux.org.uk:bmo): anonymous
331 Please specify the password.
Password:
230-Welcome to ZenIV
230-
230-The software on this site is made available for free without warranty or
230-other right of recourse implied or otherwise. No statement save one in
230-writing by the owner of the system changes this usage agreement. This
230-software is provided in the United Kingdom for United Kingdom users,
230-any export download is at your own risk and liability.
230-
230-Many parts of this archive are mirrors of other sites. While we try not
230-to mirror any inappropriate material we do not have editorial control over
230-such mirrors and cannot make such a guarantee.
230-
230-There is no other user agreement, should your local law make such an
230-agreement invalid you are prohibited from using this site, and may be
230-committing an offence under the computer misuse act by continuing.
230-
230-By downloading any file from this site you agree to these terms and
230-conditions, disconnect now if you do not.
230-
fucking lameness filter
230-* *
230-* If you are having problems accessing this site, then please use *
230-* "passive" transfer mode rather than "port" transfer mode. Thanks. *
230-* *
fucking lameness filter
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
--
BMO
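The session BMO pasted is a clean specimen of how an FTP control channel talks: a three-digit reply code, a `-` on every line of a multi-line reply and a space on its last line (RFC 959). As an added example, not from this thread or from vsftpd, here is a small Python parser that groups those replies and reduces a captured transcript to the two things you want when auditing one of your own servers: what the server announced and whether the login was accepted. The transcripts below are constructed, modelled on the one above, and the host name is a placeholder.

```python
import re

# Constructed transcript, modelled on the session quoted above: the server's
# control-channel replies plus the client-side noise ftp(1) prints around them.
SAMPLE_ALLOWED = """\
Connected to ftp.example.org.
220 (vsFTPd 2.2.0)
331 Please specify the password.
230-Welcome to the example mirror
230-
230-By downloading any file from this site you agree to these terms and
230-conditions, disconnect now if you do not.
230 Login successful.
Remote system type is UNIX.
"""

# Constructed: the same server after anonymous logins were switched off.
SAMPLE_DENIED = """\
Connected to ftp.example.org.
220 (vsFTPd 2.2.0)
530 Login incorrect.
"""

# code, separator ('-' = more lines follow, ' ' = last line), text
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_replies(transcript):
    """Group control-channel lines into (code, [text lines]) replies.

    A multi-line reply opens with 'xyz-' and closes with a line that starts
    with 'xyz ' (same code, then a space). Lines without a code are client
    noise when no reply is open ('Connected to ...', the Name: prompt), and
    bare continuation text when one is (RFC 959 permits both).
    """
    replies, current = [], None
    for line in transcript.splitlines():
        m = REPLY_RE.match(line)
        if m is None:
            if current is not None:
                current[1].append(line)
            continue
        code, sep, text = m.groups()
        if current is None:
            if sep == "-":
                current = (code, [text])      # multi-line reply begins
            else:
                replies.append((code, [text]))  # single-line reply
            continue
        current[1].append(text)
        if sep == " " and code == current[0]:
            replies.append(current)           # multi-line reply ends
            current = None
    if current is not None:
        replies.append(current)               # truncated capture: keep what we have
    return replies


def session_summary(transcript):
    """Reduce a transcript to the facts a reviewer wants: the banner the
    server volunteered and whether authentication succeeded."""
    summary = {"server": None, "login": "incomplete", "greeting_lines": 0}
    for code, lines in parse_replies(transcript):
        if code == "220" and summary["server"] is None:
            summary["server"] = lines[0].strip()
        elif code in ("331", "332"):
            summary["login"] = "pending"      # password or account requested
        elif code == "230":
            summary["login"] = "success"
            summary["greeting_lines"] = len(lines)
        elif code in ("530", "421"):
            summary["login"] = "denied"
    return summary


if __name__ == "__main__":
    for name, text in (("allowed", SAMPLE_ALLOWED), ("denied", SAMPLE_DENIED)):
        print(name, session_summary(text))
```

Feed it the output of an interactive `ftp` session against a server you administer (the `Name (...)` prompt and `Connected to` line are ignored) and the `login` field tells you, without reading through a 20-line welcome banner, whether anonymous access is actually on; the `server` field is the version string the banner gives away, which is worth knowing when you decide what to patch.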
Agreed. Although, someone hacking into the SERVIR computers has to be a real goddamn low-life sub-human sack of shit and should be ashamed to even post that they even attempted such a thing.
What next assholes? Breaking into the UNICEF servers or something to delay help to needy children? Do you fucks go around kicking puppies and kittens?
You're not "cool". You're not "l33t" or whatever the fuck you losers call yourselves.
You wanna be "l33t" and "cool"? Invent something that helps humanity, makes a billion, or both. At least if you make a billion you'll be creating jobs - even if you blow your money and go all Charlie Sheen, it'll be more respectable.
Hacker's Blog: http://tinkode27.baywords.com/nasa-goddard-space-flight-center-ftp-access/
Insert signature here...
Tinkcode learns that there is a peer to peer method to transfer files called ftp, and it is way faster than bittorrent!
NASA science missions often place data in easily accessed servers, because they are required to by law. Websites like weather.com and spaceweather.com download "their" data from NOAA and NASA servers. The ACE mission has an entire infrastructure maintained on a shoestring to do this for safeguarding satellites from solar storms. I would be more impressed with Tinkcode if he applied his l33t skillz to a public service FOSS project. Since he is so smart, I am sure he can find a need and solve the problem.
Now, get off of my lawn!
Cue James Bond theme! At least it doesn't shoot frickn lasers that can melt the ice caps
www.awkwardengineer.com
It seems like a sad day when a Slashdot article finds it necessary to spell out what FTP stands for.
"he"? I'd be asking where spaceyhackerlady is and whether she's Tinkode. :)
So is disaster preparedness information now considered "classified" and only able to be disseminated to the highest bidder? Was Tinkode trying to show a dangerous lack of security on the part of NASA that would just allow anyone to log in and get the information needed to track tsunamis? Shouldn't this be what we want government to be doing?
Was the hole exposed a black hole?
EOS Data is free to the public and is mandated to be free to the public.
The EOS project has many FTP servers hosting free data that anyone can download.
Finding what you are looking for is the challenging part, not nearly as easy as Google maps.
Disaster data is also free and mandated to be free and shared with other satellite projects.
I see that there are 30 comments on this article, but I cannot see them! Pressing "Get More Comments" does nothing, and neither does the javascript slider! Slashpot, fix your website! It's been broken for a few months, since the last update!
Kubuntu 11.04, Firefox 4
It is dangerous to be right when the government is wrong.
So this proof is a screenshot in a browser?!
I can show you such screenshot proof of whatever you wish. It's just plain simple - open an HTML editor, list some dirs, paste them, edit the address, name, whatever you want, open the page in a browser, change the path in the address bar, take a screenshot, make up a really clever nick, and you are in the news.
What's the point of hacking NASA if you're not going to download their superTopSekreT UFO pictures? Anybody can modify an FTP login screenshot, but clear pictures of UFOs close up, now that's the money shot!
No trees were killed in the making of this post; however, many trillions of electrons were horribly inconvenienced.
Well, BFD.
This is hardly data that is soopersekret national security info.
The FTP server is now down on that machine, but who knows. For all I can see, it may have even been open for read-only anonymous FTP access and he just didn't know it for what it was.
Otherwise he may have guessed an obscure login like "data" with password "data". Or, if it was running something unpatched from way long ago, used an existing hack. FTP buffer overflows were a dime a dozen at one point.
Not everything is worth heavily securing especially when you want a broad and diverse audience to have access to it.
Let me guess, the poor sob logged into a public FTP server running to aid the organizations involved in disaster relief. Next we hear about an internet renegade who made a trolling Usenet post, oh the horror. And no, with this kind of a summary I didn't read the article.
Next BIG question is - did he have RO access, or RW access? TFS says nothing, so I RTFA - still nothing. Look at the screenshots, still nothing. Not even a claim of RW access.
So far, the guy has found an FTP server that looks like it contains data which is likely public domain already. BFD.
Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
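The RO-versus-RW question raised above is exactly the one the server's own log answers, and it is the first thing to check after any report like this. As an added example, not from the thread or from the vsftpd project, here is a Python triage script that reads log lines in the shape vsftpd writes to its own log (`OK LOGIN`, `OK DOWNLOAD`, `FAIL UPLOAD`, and so on), tells anonymous logins from named ones by the `anon password` marker, and reports per client whether anything was actually written or only attempted. The log lines, client addresses, user name and paths are constructed; the set of actions treated as writes is an assumption, not a list taken from vsftpd's documentation.

```python
import re
from collections import defaultdict

# Constructed log lines in the shape of vsftpd's own log format; the client
# addresses, timestamps, user "data" and paths are hypothetical.
SAMPLE_LOG = """\
Sun Mar 13 10:05:01 2011 [pid 2] CONNECT: Client "203.0.113.7"
Sun Mar 13 10:05:03 2011 [pid 1] [ftp] OK LOGIN: Client "203.0.113.7", anon password "someone@example.net"
Sun Mar 13 10:05:09 2011 [pid 3] [ftp] OK DOWNLOAD: Client "203.0.113.7", "/pub/readme.txt", 1432 bytes, 45.11Kbyte/sec
Sun Mar 13 10:05:15 2011 [pid 3] [ftp] FAIL UPLOAD: Client "203.0.113.7", "/pub/test.txt", 0.00Kbyte/sec
Sun Mar 13 10:06:01 2011 [pid 5] CONNECT: Client "198.51.100.9"
Sun Mar 13 10:06:02 2011 [pid 4] [data] FAIL LOGIN: Client "198.51.100.9"
Sun Mar 13 10:06:05 2011 [pid 4] [data] OK LOGIN: Client "198.51.100.9"
Sun Mar 13 10:06:20 2011 [pid 6] [data] OK UPLOAD: Client "198.51.100.9", "/incoming/new.bin", 20480 bytes, 120.00Kbyte/sec
Sun Mar 13 10:06:25 2011 [pid 6] [data] OK DELETE: Client "198.51.100.9", "/pub/readme.txt"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]*)\] )?(?:(?P<result>OK|FAIL) )?(?P<action>[A-Z]+): '
    r'Client "(?P<ip>[^"]+)"(?P<rest>.*)$'
)

# Assumed set of actions that change server state (not vsftpd's own list).
WRITE_ACTIONS = {"UPLOAD", "DELETE", "MKDIR", "RMDIR", "RENAME"}


def parse_vsftpd_log(text):
    """Turn log lines into event dicts; lines that don't fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            # vsftpd appends the e-mail-style password only for anonymous logins
            ev["anonymous"] = "anon password" in ev["rest"]
            events.append(ev)
    return events


def access_by_client(events):
    """Answer the RO-vs-RW question per client address.

    'read-write' requires at least one successful write action; failed
    attempts are counted separately so a read-only server that was poked
    at still shows up in the report.
    """
    clients = defaultdict(lambda: {"login": None, "downloads": 0, "writes": 0,
                                   "failed_writes": 0, "failed_logins": 0,
                                   "access": "none"})
    for ev in events:
        c = clients[ev["ip"]]
        action, result = ev["action"], ev["result"]
        if action == "LOGIN":
            if result == "OK":
                c["login"] = "anonymous" if ev["anonymous"] else ev["user"]
            else:
                c["failed_logins"] += 1
        elif action == "DOWNLOAD" and result == "OK":
            c["downloads"] += 1
        elif action in WRITE_ACTIONS:
            if result == "OK":
                c["writes"] += 1
            else:
                c["failed_writes"] += 1
    for c in clients.values():
        if c["writes"]:
            c["access"] = "read-write"
        elif c["downloads"] or c["login"]:
            c["access"] = "read-only"
    return dict(clients)


if __name__ == "__main__":
    for ip, info in access_by_client(parse_vsftpd_log(SAMPLE_LOG)).items():
        print(ip, info)
```

Run it over the file your `vsftpd.conf` names in `xferlog_file`. The first client in the constructed sample is the scenario several posters assume, an anonymous session that downloaded public data and bounced off a write attempt, and it comes out as read-only with one failed write; the second is the "data"/"data" style guess from further up the thread, a named account that uploaded and deleted, which is the case that would actually justify the headline.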