Stolen NASA Laptop Had Space Station Control Code

astroengine writes "NASA had 5,408 computer security lapses in 2010 and 2011, including the March 2011 loss of a laptop computer that contained algorithms used to command and control the International Space Station, the agency's inspector general told Congress Wednesday. According to his statement (PDF), 'These incidents spanned a wide continuum from individuals testing their skill to break into NASA systems, to well-organized criminal enterprises hacking for profit, to intrusions that may have been sponsored by foreign intelligence services seeking to further their countries’ objectives.'"

Set your controls

to the heart of the first post!

Re:Set your controls

Careful with that downmod, Eugene.

Re:Set your controls

[forkfail]

To most folks, that reference will make about as much sense as someone typing ummagumma.

Re:Set your controls

[ibutsu]

Most folks aren't worth paying attention to.

Re:Set your controls

One of these days they'll get it.

Re:Set your controls

[silverspell]

Careful with that downmod, Eugene.

Yes, one of these days our fearless mods will learn not to meddle. Me, I remember a day when things were different -- and it would be so nice if we could let there be more light humor and, well, free-for-all (when you're in the mood, anyway), and have fewer people burning bridges wherever they go. I'm just biding my time until then.

Re:Set your controls

And relaxing in San Tropez...

Re:Set your controls

[tunapez]

ahhh, sounds like several species of small furry animals gathering in a cave with a pict
 
on lsd
 
that is all

Re:Set your controls

[tunapez]

'gathered together in a cave and grooving with a pict'

damn!

Cue HAL 9000...

[Okomokochoko]

Coming soon to the ISS: "I'm afraid I can't do that, Dave."

Re:Cue HAL 9000...

All your space are belong to us

Meh, just some source code

[ShooterNeo]

I would say that losing the source code to some of the embedded control systems in the ISS is just about the LEAST valuable theft of source code, ever. That code is most likely extremely specialized, designed JUST for whatever system on the ISS in question, and probably had millions of dollars put into refining, optimizing, and debugging it. I bet the code is completely unsuitable for any other purpose for that reason (one way to reduce bugs is to make the code as specific as possible in a low level language).

And, whatever system we are talking about : ventilation, communications, power, water recycling : you can safely bet that the way NASA designed it is TOTALLY unsuitable for commercial use. It probably uses the most expensive possible parts, made by hand, for crucial components of the systems.

Re:Meh, just some source code

[Samantha+Wright]

I believe you're missing the "evil supervillain holding the world for ransom by manipulating bugs" part. In 5,408 security breaches, surely someone found the password? And has a target in mind that they'd like to drop a space station on?

Re:Meh, just some source code

[Andy+Dodd]

Yeah... Wonderful how the article makes it sounds like this was some horrible loss when, in fact, it was code that is likely nearly worthless to anyone outside of NASA.

The worst impact of a lot of government source code leaks is likely to be embarassment - "That system is THAT primitive?" or "How the hell is this thing actually usable?"

Re:Meh, just some source code

[v1]

I would say that losing the source code to some of the embedded control systems in the ISS is just about the LEAST valuable theft of source code, ever.

Reuse of the code is probably not what they're worried about. Give any sufficiently large amount of code to a group of skilled hackers and they are very likely to find a few exploitable bugs. It's just a matter of playing against the odds in the long run. They may discover a few buffer overflows in obscure places, and after a lot of research, find a way to turn one of them into a privilege escalation via a very complex sequence of steps. And further find a way to abuse that, all the way up to something genuinely dangerous remotely. Systems of this complexity and review typically are only compromised by using a combination of different bugs to "chain" in from the front door to the kernel, and starts with a deep knowledge of the system, and that's exactly what they have now.

Anyone that thinks any large, complex chunk of code is 100% bug-free is delusional. There was a story here on /. recently about a kernel escalation bug that had been committed for years without anyone noticing it, despite all the kernel hackers and that "many eyes make for shallow bugs" theory. Look at all the review that code had over the years.

Re:Meh, just some source code

[tlhIngan]

I would say that losing the source code to some of the embedded control systems in the ISS is just about the LEAST valuable theft of source code, ever. That code is most likely extremely specialized, designed JUST for whatever system on the ISS in question, and probably had millions of dollars put into refining, optimizing, and debugging it. I bet the code is completely unsuitable for any other purpose for that reason (one way to reduce bugs is to make the code as specific as possible in a low level language).

And, whatever system we are talking about : ventilation, communications, power, water recycling : you can safely bet that the way NASA designed it is TOTALLY unsuitable for commercial use. It probably uses the most expensive possible parts, made by hand, for crucial components of the systems.

Not to mention that given the requirements of the systems (safety-critical) there's probably a ton of work and documentation that has to go into even doing a checkin, so even having the code doesn't mean you can check it into NASA's code repository unnoticed.

The only real value is if the theft consisted of other stuff like datasheets and documentation of the various parts and how they work moreso than the code itself. At least with the latter you have the designs of the system which has commercial value.

Or if there was other classified data on it.

The source code? Not so much. I know, some of us like to run the old Apollo code (which is readily available) on our PCs just for kicks, but that's really all it is.

Re:Meh, just some source code

[geekoid]

But do they have the technology to implement the control codes?

I can have them all on my computer right now, and I couldn't really do squat with them.

And good luck hitting anything smaller then Australia with it. The thing entry orbit would change radically as parts fell off in unpredictable ways..

Re:Meh, just some source code

[ColdWetDog]

So they're going to find an alien fighter in the bowels of Area 51, fly it up to the ISS and upload a virus?

Sounds like the plot of a dumb science fiction movie.

Re:Meh, just some source code

crucial components would be machined, no?

Re:Meh, just some source code

[steelfood]

This is why you decentralize and compartmentalize. The life support doesn't talk to the food dispenser. The boosters responsible for orbital adjustments don't talk to the communications array. Likewise, the solar panel controls are separated, even from each other. Communication happens via a human. Validation that the communication was properly passed on can happen using a passive third system that only accepts input and does not send output.

Centralization and consolidation are cost-savings measures. They give up protections and redundancy in favor of efficiency. Sometimes, it's appropriate, and sometimes, it's not. In cases where lives are dependent on the proper functioning of the system, I'd say it's not.

Re:Meh, just some source code

Regardless, I don't think that algorithms that control the ISS are of any value to anyone. Hacking the ISS or even crashing it would receive international condemnation from everyone, even countries that normally don't agree with each other.

Re:Meh, just some source code

IT IS NOT SOURCE CODE!!!!! What was lost were "codes" sent to the station to control its systems.

Re:Meh, just some source code

[CohibaVancouver]

The life support doesn't talk to the food dispenser. The boosters responsible for orbital adjustments don't talk to the communications array. Likewise, the solar panel controls are separated, even from each other. Communication happens via a human.

Just like The Old Man's Battlestar!

Re:Meh, just some source code

[lightknight]

That depends. There are a number of things you can do with it, as highlighted by others earlier. Probably even more useful than controlling a satellite.

Had I access to the thing, and were I in a particularly dark mood (complete with super villain costume), I'd try to calculate some re-entry trajectories that would put the thing somewhere where people would care, with a quiet fax to NASA asking for more "ammunition."

I mean, it would probably take a super-computer to calculate the re-entry to the point where you could get it within 100 hundred miles of your target, but yeah, a pissed off power might be able to pull it off. And hey, if you somehow manage to slap the Eiffel Tower or the Statue of Liberty with it, people will care.

Or I guess I could just find a way to remotely disconnect + pilot that Russian re-entry vehicle. Not quite the ISS, but easier to fly. There's a fair chance that if I hooked up the feeds to something approaching real-time, and had a general idea of what I was doing, you could actually hit something with it.

Or I could remotely vent the ISS atmosphere to space. You know how much NASA hates losing astronauts.

Or, if I controlled a space-faring power, I could dock my own vehicle to the ISS.

Or I could introduce intermittent errors to the ISS, to slowly drive the astronauts insane. They'll never know if there's a wiring fault, or someone screwing with them, when it comes to the lamps frying their experiments (gotta sleep sometime, and there's too much to do to task one of your friends to watch them) and what not.

Long list of things you could do with it, had you enough time, motivation, and general resources. Hell, NASA could trash the thing themselves, if they prescribed to the Machiavellian way of doing things, claim it's a national tragedy, and demand that Congress put a newer, bigger one into orbit, or "the terrorists will win." Just be sure to keep the wheels on the boat (ISS) long enough for your lone astronaut to get off that day (30 seconds to make it to the lifeboat).

And yes, while many countries will condemn the action, a fair number of smaller ones / various freedom fighter groups would probably cherish the outcome. But it's unlikely any of this will ever happen: you need a closet full of Einsteins & Feynmans to do it, and those kinds of people already have competitive bides for their services (window office, nice pay, no persistent fear of G-men knocking down their doors and saying "There he is!").

Am I a mal-adjusted individual? No, I've just worked in IT for too long. It's always amazing to me how some people manage to get new laptops, every 6 months, almost to the dot.

Re:Meh, just some source code

[V!NCENT]

The simpler and more 'primative' the better. And it's codes; not source code.

So what I'd do is the most 'primative' and effective thing there is; unhook the reciever from any actuators and unhook the neutral stuff, attached to actuators (except transmittors), from any actuators too.

Let some gifted minds go at a interim system for a week and send a technician with the interim device to the ISS. After that only the most basic stuff should be handled for interim survival of the station and the crew.

While the interim stuff is going on; let the On-board Shuttle Group rework the system along with the NSA, send that shit to the ISS and restart normal operations.

And while the NSA is there anyway; let them fix the damn security problem on the ground.

$0,02

Re:Meh, just some source code

As one who wrote SS command and control code (well, some of it :), you are quite correct. There is nothing special about it relative to other C2 software other than its specificity for the SS.

Re:Meh, just some source code

[Concerned+Onlooker]

Nice try, but I think everyone here has latched onto the "source code" idea. Knowing the opcodes are very, very different indeed.

Re:Meh, just some source code

[ShooterNeo]

The catch is, what happens if the astronauts become incapacitated or are forced to abandon the station without flipping a switch to put the station on to remote ground control? More than likely, there is a way for the station on the ground to remotely broadcast commands to control the crucial systems on the station. (the power systems and all of the rocket engines, as well as perhaps cooling and life support)

Re:Meh, just some source code

[Rich0]

I doubt the space station has sufficient propulsion to actually de-orbit. Plus, it de-orbits on its own anyway due to drag - it needs re-boosts to keep it up there, from spacecraft.

You probably could put it into a spin and burn up all the propellant, making it almost impossible to recover. Maybe you could even get it to fly apart that way. However, a controlled de-orbit is likely not possible except over the course of years.

So?

[Thanshin]

It's a physical object so, if there was no consequence before they discovered the theft, there won't be one after.

Unless that control code allowed the user to manipulate the space station and hide the manipulation, which would be kind of retarded on NASA's side.

Stop using the LCARS Operating System

[jfalcon]

Seriously, what do you expect for security when a 8 year old can "override the security protocols" at a whim? The engineers who designed that system need to get bitch slapped - repeatedly.

Ah,,,

[Extremus]

Now I can be all the time under a good shade during the summer.

Time for Dumb Terminals?

Maybe it's time to store everything in NASA's own cloud, might be easier to control access, instead of leaving *very* important projects on unprotected hard drives?

Algorithm != control

[mbone]

This doesn't sound like much of an actual threat. If you can't physically access the machine, what good does having its "algorithms" do you ? What, is Elon Musk going to carry this up to the ISS on the Dragon and take over the air handling system ?

Re:Algorithm != control

[jfalcon]

It could mean the Command and Control authentication for remote administration of the station. I'm sure there are SATCOM pirates who would love to screw with the attitude controls of something like the space station.

Profit motive

Examine source code, take control of systems, lock out everyone else, demand $100,000,000 for the password to unlock it.

Hmmm...

[wbr1]

This laptop I bought on craigslist with the JPL asset tag and wallpaper is starting to look interesting.
What is this "Plumbing Subroutines" folder? And why does ZoneAlarm have it allowed to connect to ISS.nasa.gov?
Whoops...

Re:Hmmm...

[MartinSchou]

Could be worse. Could be MUCH worse.

So what if space aliens stole it?

[oakgrove]

What if space aliens stole it as part of their nefarious plot of taking it over and killing us all? Just a thought. Too bad nuclear bombs are banned in space or we could just nuke it in orbit. You know, just to be sure.

Re:So what if space aliens stole it?

[Macrat]

Too bad nuclear bombs are banned in space....

That we know of...

Re:So what if space aliens stole it?

[youn]

I believe to aliens that got here all the way from the blahtopian galaxy, the ISS looks like an expensive space dumpster with technology so 1000 years ago... I would not worry about them :)... If they did anything to the ISS control code, they would probably improve it and maybe we could use the station to finally go to mars - with all due respect to Nasa engineers, which after all have built a huge house in freaking space.... the only thing I launch into space is ugly farts... to be fair, people need space suits to survive that :p

Re:So what if space aliens stole it?

[cellocgw]

That we know of...>

Oh, they're banned all right. That just didn't stop MLB from putting them up in their spy satellites.

Two words: interstellar aerobatics!

[theoriginalturtle]

This could be spectacular! Tossing water droplets around in zero-G pales in comparison to getting that thing twirling like a baton at a Texas halftime show...

Let me explain something to you!

YOu see, hackers could get a hold of that code and design a worm and virus around it. Then, by uplinking to a satellite and hacking into the ISS' control systems from that, they could implant the virus and take over the ISS. Then from there, they order the ISS to fire its thrusters and crash into the Whitehouse. BUT, it will be stopped because Chris Pine, after getting his ass kicked by oen of the Russian astronauts, will get up there and stop it with some clever out witting of the astronauts.

So, don't you see?! This has some serious reprocussions in regards to some really really shitty Hollywood script being written and causing all of us much SciFi or SyFy pain. Actually, if it were SyFy, there's be ghosts involved.

lost

The quote in the article says that the laptop was lost rather than saying it was stolen. Also this is discovery news which carries such charming stories as identifying a chupacabra candidate and anuther one that tries to make a mystery out of a "space ball" that fell to earth.

Big Bang

[Laser_47]

Somehow, I think Wolowitz is responsible....

Re:Big Bang

[Kozar_The_Malignant]

No, Wolowitz only has the toilet control codes.

So what?

[Hentes]

Why are the control algorithms of the ISS so secret?

Re:So what?

[NoNonAlphaCharsHere]

Because someone could use them to override the security protocols, obviously.

Re:So what?

[Hentes]

Only if they rely on security through obscurity.

Another of the thousand grains of sand

http://www.strategypage.com/htmw/htintel/articles/20061110.aspx

Just like how they targeted the US's nuclear weapons research programs for the previous couple decades, they are now targeting NASA and aerospace contractors as they build up their own space program. Hell, this theft probably just gave them a good head start on the control systems for their own private space station.

God forbid someone hacks 40 year old tech

[alen]

seriously, how old is the tech in the space station? i bet my iphone is faster than most of the computers on there

Re:God forbid someone hacks 40 year old tech

[steelfood]

Bet your iPhone would have trouble surivivng a class M flare too.

You have got to be kidding me

When are these companies going to learn. Your critical data has no reason being connected to the web. There is also no reason to let anyone near the computer that has such critical data on it and is untrustworthy. If you are doing these things then you must not care about your data.

Easy: we ask Jeff Goldblum...

...to hack the aliens back with a Mac

Who cares...

A thin-walled tin can in low Earth orbit... It's not exactly Star Trek here folks. It's not like a rogue nation can now point the ISS's phasers at enemy cities! Oh no!!!

Simple Solution

I really don't understand why some agencies such as NASA, or the VA can't use TrueCrypt on their Laptops. Full drive encryption and a strong password to protect it, creates excellent peace of mind. I work for a medical facility, and all of our laptops are encrypted this way. Maybe I'm just being paranoid, or maybe.... the command codes to the ISS are 'just' as important as protecting someones personal health data.

Handcuffs

Perhaps these things would stop getting lost or stolen if our government made it a requirement when people took these things out of or away from positive physical control at/in a government facility, they were required to be handcuffed to the arm of the person removing it, and that person did not have a key, and moreover, I'm not talking generic handcuffs, but special NASA ones that you couldn't remove without removing the hand of the person wearing it, without the key.

Mostly, I think many of these "stolen" laptops might actually have been sold by the person from whom they were "stolen"... that's the only explanation I can think of for THAT many losses. But what the hell do I know... try the handcuff thing, see if that doesn't reduce losses. If it does, problem solved, and you're welcome.

Re:Handcuffs

Oh, and if they come back later without the laptop, they'll be missing either one of their hands, or their jobs. 'Nuff said.

Re:Handcuffs

[mlts]

Instead of the handcuffs, why not take the humble BitLocker functionality with a TPM chip available in business line laptops, desktops, and servers, and add a smart card reader to that for a CAC.

Then, when the laptop boots up, it asks for the CAC, the passphrase for that, and boots up. No authorized public key, the laptop won't boot.

PGP Whole Disk Encryption had this functionality with cryptographic tokens like Safenet's eTokens. This way, a thief would have to not just steal the laptop, but steal the token, and beat up the token's holder for the PIN (a la the XKCD strip) in order to get access.

Realistically, I just wonder why NASA just didn't go with a Citrix or remote access solution, so laptops can just have a plain OS on them and the Citrix Receiver with nothing else.

Re:Handcuffs

[postbigbang]

Realistically, like managers of the big banks, the NASA employee in charge of the laptop will go unpunished.

Using Citrix or VMware or Microsoft or other kvm solutions aren't as secure as you might think. Yes, their transports can be pretty tough to crack, but that's after the initial authentication process, which still has those messy humans involved.

One of those messy humans, irresponsible, allowed the machine to be lost. This particular human ought to be waiting without bond on Rikers Island, awaiting arraignment on US Federal charges. I hope no one kicked the living crap out of him on the way for jeopardizing the lives and missions up there by allowing the machine to be "lost".

Whoever dreamed up the protocols for asset management ought to be sweating in front of a Congressional committee this morning, explaining exactly how THOSE worked. And the people whose lives and livings depend on the security of the lost information, well, I hope they get pretty damn vocal about the matter.

These are engineers for the costliest space effort we have going? Ye gawds what a mess we're in.

Who cares?

Who cares? Russia has control of the station anyway since we don't have our own launch craft.

Re:Who cares?

[ndege]

I wish I could mod this comment +5

Oh Great!

[Kozar_The_Malignant]

Now we'll have to deal with Dr. Evil running the place.

What's the worst that could happen?

[viperidaenz]

Someone else builds a space station and uses the stolen algorithms to control it? Oh No! IP violations!

Re:What's the worst that could happen?

[Maow]

Someone else builds a space station and uses the stolen algorithms to control it? Oh No! IP violations!

Then the RIAA & MPIA bring their full influence to bear on the US Government and next thing we all know, it's WWIII.

Yes, IP violations *are* the worse thing in the whole history of forevar .

At least according to the current way of thinking in some parts...

The Usual Suspect

I am looking at you, Wolowitz.

Not a phone

[xded]

Do you realize that space stations are not sold in stores? And do you realize that you do not want to hack one to jailbreak it, but to potentially gater intelligence or hold it to ransom?

Not Source Code!

The testimony was about "control codes", not source code. The word "code" can mean many things, folks.

Control Codes...

I can guess what the "control codes" are... Up, Up, Down, Down, Left, Right, Left, Right, B, A, B, A, Select, Start

Re:Control Codes...

[cashman73]

CPE-1704-TKS? Let's play global thermonuclear war.

Ohhhh space station source code!!

You almost make it sound cool/useful/dangerous/valuable.

Control code = 123456?

Is the ISS control code 123456? That's the combo to my luggage!

It's coming through, now.

[cstacy]

You've got to learn WHY things work on an international space station...

The ISS Control code

The ISS control code is 16309

Re:Set your controls to whoosh

[TheInternetGuy]

That makes perfect sense, ummagumma (ãã¾ãã¾ã or é¦çS) means bearhorse in Japanese.

Re:Set your controls to whoosh

[TheInternetGuy]

That would have been funnier if Slashdot would have supported Unicode in posts. Oh well, live and learn ... . (and then forget).

Laptop Encryption?

[gravis777]

All I can say is, big deal. So what, they lost a few laptops. The laptops were most likely encrypted - seriously, every govenrment agency and contractor for years has been encrypting laptops. Even if they used a weak encryption scheme, when the thief realized they were encrypted, he probably just formatted the harddrive, installed a bootlegged OS, and sold it on ebay. I think the bigger issue is here that NASA needs to teach their employees to take better care of their laptops - this probably cost NASA a whole $1,000! :-)