Slashdot Mirror
AnonSec Attempts To Crash $222m Drone, Releases Secret Flight Videos (ibtimes.co.uk)
An anonymous reader writes with an excerpt from IBTimes that says it's not just governments that have proven themselves capable of hacking into drones: Hackers from the AnonSec group who spent several months hacking NASA have released a huge data dump and revealed they tried to bring down a $222m Global Hawk drone into the Pacific Ocean. The hack included employee personal details, flight logs and video footage collected from unmanned and manned aircraft. The 250GB data dump contained the names, email addresses and phone numbers of 2,414 NASA employees, 2,143 flight logs and 631 videos taken from Nasa aircraft and radar feeds, as well as a self-published paper (known as a 'zine') from the group explaining the extensive technical vulnerabilities that the hackers were able to breach.
Among these: the group discovered that the flight paths uploaded into each drone could be replaced with their own.
AnonSec found that the administrator credentials for securely controlling Nasa computers and servers remotely were left at default
Hmm ..
According to Infowars, which was alerted to the zine's existence by AnonSec, the hackers' main purpose in hacking Nasa was to highlight the fact that the US government is using climate engineering methods such as cloud seeding and geo-engineering to manipulate the climate and cause more rain to fall in order to combat the effects of carbon emissions.
Well...? Are they?
How much of a hack is it, when the basic understanding of their servers, is bought from someone from either within or a former member of the I.T. team? "AnonSec explains that it purchased an "initial foothold" from a hacker with knowledge of Nasa's servers in 2013"
They're not terrorists. They're criminals, yes, and idiots too, but their intent was not to cause terror. Yes they should be arrested, but let's stop labeling every extreme action "terrorism" when that's obviously not the intent.
names, email and phone numbers of all NASA employees are public, and on the web at people.nasa.gov. tens of thousands of em, free for the taking. There's also an x.500 directory.
It seems clear the ability to keep nearly anything secure wanes exponentially with the amount of effort the infiltrator is willing to expend.
TFA mentions some of the Anonsec members had reservations about crashing the $222 million UAV, so there's no way we can know for certain that didn't play a role, but ground control was able to take control back manually through satellite connection. There is likely some additional redundancy to foil takeover attempts. "Wait... not that button, idiot!"
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
I don't know, but I'd say they crossed a line trying to crash that drone; everything before that was relatively non-destructive. I don't see why they didn't do something like modify the drone's flight path to spell out "AnonSec" or something rather than trying to crash it, I think people would be more impressed.
The circumstance appears to be that we can advance technology faster than we can advance technology to secure the products of progress. So how do we get security out front, instead of releasing devices and then trying to figure out how to secure them? I suggest that part of the problem rests in having that human link to the drones. If we used technology similar to what exists in the Cruise missiles it becomes a launch it and leave it alone type of device instead of needing humans to continue its mission.
Not terrorists, just a bunch of asshats that couldn't actually hack anything of value so instead they directed their attention at NASA. Smacks of releasing credit card details to the internet to "protect us" from big corporate greed. Or something.
The problem is they couldn't actually do either action. This is a bunch of hype trying to claim greater "hacking" capability than they actually have. Hell, even the article says they gained access by purchasing it from someone else.
Having worked on those aircraft for the better part of 10 years, these guys didn't do a damn thing. The mission plans would have been noticed immediately as using the wrong waypoints and been corrected, manually or from known-good files. These guys didn't have a chance of actually crashing anything except maybe a couple of servers at NASA, which would have done nothing.
NASA clearly needs to update some of their Network security protocols and probably fire a couple of people, but this is a non-story with respect to the drones. It's FUD trying to drive site clicks.
"Growing old is inevitable; growing up is optional."
More or less. There is no acceptable or even pseudo-acceptable justification for this attack.
There's no secret conspiracy uncovered, no risk to national security the government won't admit to or fix, just NASA doing what they're supposed to be doing.
And these idiots deciding to try and fuck it up as best they can because they can. A lengthy stay in prison without access to electronics might just be what they need to smarten up. If not, at least they'll have less opportunity to cause trouble for a while.
What an ignorant comment. NASA is using these drones for scientific missions. Among other things, they take measurements of the ozone layer, collect data on transport of aerosols and pollutants over the Pacific (which undoubtedly impacts the weather on the west coast), and collects data on developing Atlantic hurricanes. Just because something isn't particularly secure doesn't mean you should hack it. I'd bet that the signals sent to the Voyager spacecraft and probably the Mars rovers don't use strong encryption. I'd bet if someone put their mind to it, they could spoof the signals sent to them. It would also be a dick move to interfere with valuable scientific missions just because you want to hack something. I understand the concept of hacktivism but this isn't it. That you consider NASA's atmospheric research your enemy says more than enough about you.
Your being naive if you think crashing NASA's servers and getting thousands of employees personal information was nothing. That's a crime potentially in the millions of dollars, perhaps not 200 million, but still serious enough. The story is not the drone, the story is the hack. Your perspective is just on the drone because you worked on them. Keep your eye on the ball man. They hack these things just because they can and release the info to show off these glaring security holes and how far they got into the system. Crashing it would have just been better PR for them in the lulz world, but hacking it and NASA's data is still a big deal. Also, not crashing it probably plays off better in the real world where people still like NASA and would probably prefer hackers not to fly 200 million tax dollars into the ground to prove they can.
Still, our security is far too weak, the point has been made yet again. I think that's what you supposed to be getting out of this. Just because this time they didn't crash a drone doesn't mean it's ok we let them hack in so easily. I think you also underestimate how a well timed hack could affect flight.
You have anger issues, seek help.
Excute them, and their families and friends and cats and dogs.
Same goes for spammers. Why should a spammer who causes more than a billion dollars in lost productivity NOT be called what he is? A terrorist.
I remember a time when /. was mostly filled with mentally stable people.
"Old man yells at systemd"
Call them idiot criminals if you want. They should still be rounded up by law enforcement and executed.
Why execute them? Because they make you angry?
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
More high quality products developed by private industry for the US Govt...
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
If the standard is that people who do things that through several links of causality are guilty of murder, probably everyone is guilty of murder. Economic crimes cause excess deaths because of opportunity costs. Do any of the companies you invest in do financially dodgy stuff? How about companies invested in by your mutual funds? Loaned money by your bank?
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Troll is right.
Why does a drone cost as much as a Boeing 747?
If telephones are outlawed, then only outlaws will have telephones.
It wasn't the private-sector-built aircraft that was hacked - it was the government network that was hacked.
I know, right? What kind of a sick maniac holds that much anger toward dogs?
Same goes for spammers. Why should a spammer who causes more than a billion dollars in lost productivity NOT be called what he is? A terrorist.
Wait, now loss of productivity is terrorism? I think we are stretching that term just a wee bit.
"What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
They've admitted their crime. All that's needed is the sentencing.
Just another day in Paradise
LMOL and how built the network? What products are used for the network? And who maintains the network? Moron...
You're not anonymous,
We're the real real anonymous.
Those "original real anonymous" guys are a bunch of posers.
Who built it? Irrelevant. What products were used? Irrelevant. It was shown to be secured by simply changing the default passwords, and leaving default passwords intact was a failure of management. So what kind of network is it, anyway? Oh, yeah, it's a .gov network. Management is controlled by the .gov entity, even if contractors are used for the keypresses and network cable enplugginations. The .gov entity is responsible for regular security audits on their systems. They failed on that management aspect.
Maybe because they're run by a secret cabal of Osiris worshipers.
HA HA...
heh...
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Why would anonsec be interested in hacking this? It's a scientific mission, not a military one. It may use the same drone platform as the predator drone, but its still for a purely scientific purpose.
http://github.com/gbook/nidb
I hope that thing is insured because 200+million bucks isn't [sic] lol.
Your being naive if you think crashing NASA's servers and getting thousands of employees personal information was nothing
Names, work email and phone numbers of government employees are not considered "personal information", and are generally available through published directories, and certainly FOIA requests (so says me, a former Records Custodian for the Air Force). As well, many are saying that all these idiots accessed were honeypots.
If you want news from today, you have to come back tomorrow.
What's the big deal? The drone cost 22.2 cents? They probably have a closet full of them. Are they made of copier paper and office supplies? Dang, those guys at NASA sure are creative, making a working drone from office supplies for a little over twenty-two cents each? USA! USA! USA!
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
They contract all of this stuff out to the private sector (the network and the monitoring of the network).
Northrup Grumman runs many government networks. (Not just NASA, also Defense, CDC, etc.)
I don't read your sig. Why are you reading mine?
I'm still going to point out that it is irrelevant. There are plenty of government employees. If they don't have enough employees to oversee the contractors, that is a fault of the government.
And if the government turned these functions over to contractors with no way of assuring that they were secure or manageable, that is still the government's fault.
Yes, if the contractors screwed up, they certainly share responsibility and if there was some sort of cover-up by the contractor, that would also mitigate it.
However, default passwords? Anyone could have audited that. The government did not. The contractor should be fired, but so should the people supposed to be doing the "oversight".
$220M per drone is not the fly-away cost that is the total cost of the project including R&D and ground equipment divided by the number of Global Hawk drones produced. Yes a real number of dollars spent but much of the R&D cost is applicable to follow on systems. Produce more Global Hawks and that $220M per Drone figure actually goes down. Not advocating for more Global Hawks but the fly-away cost is probably closer to $30M per drone.
The same cost calculation inflate the cost of a B-2 because when we originally anticipated the R&D spread over 100 planes it looked reasonable but when you reduce the buy to 16 planes you raise the per plane R&D cost by a factor of 6.5.
Oh and how many 747s have been produced to spread R&D costs over?
Well, then by your logic, it's the entire US's fault. They're responsible for who's running the government. It's irrelevant how much PACs or corporations or such donate, it's ultimately the people who vote. They may be easily led morons, but I've yet to see a corporation actually walk in a check the boxes on a ballot.
a bunch of immature losers living in their parents' basements
Yeah, that pretty much says "terrorist" to me.
Why the fuck did they target NASA?? I mean NASA is a civilian organization with limited funding and mostly non military projects so why did they try to drop a research drone into the ocean?
If they wanted to make a point about how easy a drone was to hack why didn't they go after the DoD? Oh, that's right, the DoD actually has better security in place (not perfect I know, but better) and AnonSec probably couldn't even get a phone number to call.
I usually side with the Hackers and Hacktivists but this time I just can't.
You could just blame it on Obama.
I don't read your sig. Why are you reading mine?
More high quality products developed by private industry for the US Govt...
You are taking these script kiddies at their word that this is what they have done to systems that are as they claim. Yet this is extremely unlikely.
Names, work email and phone numbers of government employees are not considered "personal information", and are generally available through published directories, and certainly FOIA requests (so says me, a former Records Custodian for the Air Force), and much of the other "data" is hardly "secret". As well, many are saying that all these idiots accessed were honeypots.
Please take note that these script kiddies believe in the Chemtrail Conspiracy, which more or less immediately invalidates everything they say.
If you want news from today, you have to come back tomorrow.
Well, they do make me angry but execution is kind of pointless and unnecessarily expensive. It takes ages to put one of these little assholes down even if it was legal to do so for this crime. People always want to jump to executing those who transgress but I think nobody gives long-term incarceration its due. Say one of these "scamps" was in his early 20's. 40 years without the possibility of parole would be a whole lot cheaper when you take into account all the money spent on appeals and he'd leave prison (assuming he survived it) in his 60's. His life would mostly be over at that point. With no employment history or experience, most likely outdated abilities and a criminal record he'd be pretty much unemployable beyond anything but the most meager of jobs. He'd get to live out his retirement mopping floors at night and (if he was lucky) living on some kind of welfare stipend if he lived in country that gives a crap. If he's American I don't think (but I'm not entirely certain) that people who spend their lives in prison earn any kind of Social Security benefit. The government should put forth a lot of effort to find these people, drag them to the states kicking and screaming if necessary, and then throw them in jail for the majority of the rest of their lives. Much worse than executing them if you ask me.
Appended to the end of comments you post. 120 chars.
Watch yourself there man. Questioning charges of terrorism is pretty darn close to terrorism itself. You trying to start up some kind of term-stretching-jihaad or something boy?
Appended to the end of comments you post. 120 chars.
And you're right to be angry. But being angry doesn't justify killing someone else, even if that other person is at fault for making you angry. Nor does it justify inflating the magnitude of punishment, especially to the point that the consequences of that punishment become a burden on society. That's just using the legal system as the instrument of an emotional temper tantrum.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
>> $220M per drone is not the fly-away cost that is the total cost of the project
So if someone downs one, we're not actually out $220M, right? (The replacement cost should be much, much less...)
Granted and I got into a level of detail that probably wasn't necessary. I really meant to make the point that incarceration is a damned awful thing to do to someone and that they have to live with the consequences of that for the rest of their lives. Thinking of how the government has reacted in the past I could honestly see a 30-40 years without parole sentence happening in a case like this. If they'd brought something down it would be nothing to get that. Death is easy to throw out there as a "Worst thing we could possibly do to them" answer but it really isn't. There are plenty of potentially worse fates.
Appended to the end of comments you post. 120 chars.
http://csrc.nist.gov/publicati...
Name and phone number together are considered PII. (Page 2-2)
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
You won't like me when I'm hungry - Bruce Banner
https://www.youtube.com/watch?...
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
At least have the balls to your real account.
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
There's a follow-up to the NASA hack story - 10,000 machines in NASA's internal network are broadcasting malware signatures, and over 30 databases are exposed to the public web: http://www.ibtimes.co.uk/nasa-...
You're so dense you're about 3 replies away from achieving fission.
Risk the lives of pilots to gather the same damn info that can be gathered without risk of life?
and
You refer to their research plane...you know...the one that was a former military plane just like the re-purposed Globalhawks
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
You're AC. Who gives a damn what your opinion is if you're too scared to put your name next to it.
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
additionally, there seems to be the assumption that there were contractors involved; while many government operations may and sometimes do employ contractors, not all government IT work is done by contractors, and there wasn't an indication in TFA that a contractor was to blame. I was unable to find a publicly available accounting of NASA's network, so I didn't point it out earlier, but I daresay that in my rather limited experience with government contractors, most of them are eager to do audits for government work, since it means they get paid for the audit and paid to fix anything they find as well, even if it was their fault to begin with.
Then the phone book must be the work of a massive terrorist conspiracy..................
There is a difference between your work phone / email / address and your home phone / email / address. These script kiddies released work phone / email / address, which *IS* public information. The document you quote is talking about personal phone / email / address, and indeed also says "may", not "is".
If you want news from today, you have to come back tomorrow.
I remember a time when /. was mostly filled with mentally stable people.
That's funny, I don't.
There have always been a nice minority of saner folks, but madness has been par for the course as long as I've been around. Don't let them get to you, just gesture with your shotgun at the "off my lawn" notice.
WALSTIB!
Well, the thing is, if this guy was a terrorist we (or rather, you, I am not in the USA) would be going after him with a drone. Which often does include blowing up his house and killing his wife, his children and his dogs. So what is different?
The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
Refer to it as "economic damage" and you will get the same result. Some of the spammers and virus writers DO cause more economic damage than Al Queda, unless you count the cost of the rather expensive War on Terror.
The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
I don't get it...
Why in the world would a drone carry employee data?