The Military Security

US Military 'Hacked' by Emails

An anonymous reader writes "Two of the US Military's most important science labs were apparently 'hacked'. Phishing mail was sent to a pair of research labs, where trojan programs allowed interlopers access to the otherwise secure networks. One of the sites was the infamous Los Alamos, which has been discussed many times here at Slashdot for its string of security breaches. 'Los Alamos has a checkered security history, having suffered a sequence of embarrassing breaches in recent years. In August of this year, it was revealed that the lab had released sensitive nuclear research data by email, while in 2006 a drug dealer was allegedly found with a USB stick containing data on nuclear weapons tests. "This appears to be a new low, even drug dealers can get classified information out of Los Alamos," Danielle Brian, executive director of the Project On Government Oversight (POGO), said at the time. Two years earlier, the lab was accused of having lost hard disks.'"

  • shut er down! (Score:2, Interesting)

    by ILuvRamen ( 1026668 )
    Is it really worth pouring more money into this idiotville if every bit of scientific progress they make is practically public knowledge soon after? Just shut the stupid place down!
    • Re: (Score:1, Funny)

      by Anonymous Coward
      If only Area 51 would follow suit...
    • Re: (Score:3, Insightful)

      by graphicsguy ( 710710 )
      Wait. Is public knowledge good or bad this week?
    • Re:shut er down! (Score:5, Informative)

      by gardyloo ( 512791 ) on Friday December 07, 2007 @06:26PM (#21618655)

      Is it really worth pouring more money into this idiotville if every bit of scientific progress they make is practically public knowledge soon after?
      Yes. I work at LANL; very many of us work on unclassified projects, and we're happy if the progress we make is public knowledge. It wouldn't be of very much use otherwise.

            Note that the /. summary is technically correct (yes, the Lab was accused -- do some research if you want to know why I italicized that -- of losing hdds years ago), but not very illuminative.

            More recently, we're moving to some different networking configurations to help cut down on some of these breaches. It may help; it may not. Foreign nationals are losing administrator privileges on their own (unclassified, mind you) computers, which is causing LOTS of headaches and won't solve a damned thing. Many of them have sent messages saying, "Yeah, remove my access, and see how much work gets done." If we had a moderation system here, those would be +5 Damned Right.

      • Agreed. (Score:5, Interesting)

        by pavon ( 30274 ) on Friday December 07, 2007 @06:40PM (#21618823)
        I've worked with a couple of the National Laboratories, and where Los Alamos really shines is basic research, while the others are better at engineering and have (somewhat) better security track records. This makes some sort of sense given the fact that they were operated by a university for so long while Sandia and Livermore have been over-seen by corporate entities. While it may make sense to move some of the more sensitive stock-pile stewardship programs away from there if they can't improve their security, it would be an absolute shame to shut the lab down altogether.
        • Re: (Score:1, Informative)

          by Anonymous Coward
          This makes some sort of sense given the fact that they were operated by a university for so long while Sandia and Livermore have been over-seen by corporate entities.

          Huh? LLNL has been managed by UC until this October (LANL went corporate before LLNL).
      • Obviously we can't take your word for it. I bet your passwords are all "password1" or "monkey". If you know any different, prove it!
    • by 4D6963 ( 933028 ) on Friday December 07, 2007 @06:34PM (#21618751)

      Is it really worth pouring more money into this idiotville if every bit of scientific progress they make is practically public knowledge soon after?

      Exactly, because scientific progress is so worthless if it's made public.

    • by ArcherB ( 796902 ) *
      Is it really worth pouring more money into this idiotville if every bit of scientific progress they make is practically public knowledge soon after? Just shut the stupid place down!

      I agree. However, I wouldn't be surprised if it were not already shut down as a research facility and now only exists as a huge honeypot [wikipedia.org]. Well, with all the stuff that's been going on there, I HOPE that is the case.
    • Re: (Score:3, Insightful)

      by merreborn ( 853723 )

      Is it really worth pouring more money into this idiotville if every bit of scientific progress they make is practically public knowledge soon after? Just shut the stupid place down!


      Some would argue that the purpose of scientific progress is the advancement of the human race. Not just advancement of those members of the human race who happen to live within the borders of the U.S. of A.
      • Is it really worth pouring more money into this idiotville if every bit of scientific progress they make is practically public knowledge soon after? Just shut the stupid place down!

        Some would argue that the purpose of scientific progress is the advancement of the human race. Not just advancement of those members of the human race who happen to live within the borders of the U.S. of A.

        That may well be the case, but that doesn't account for why U.S. taxpayers should be footing the bill. I'm all for putting the results out in public and letting anybody who wants to use them (because, frankly, it would be difficult and counter-productive to try and restrict them just to U.S. citizens), but I don't think it's in any way improper for a country to take care of its own citizens first. In fact, that's pretty much what I want my government to do. Other people (should) have their own governments

  • !news (Score:3, Insightful)

    by Anonymous Coward on Friday December 07, 2007 @06:08PM (#21618423)
    Unclassified networks get viruses and trojans often, this is not really news. Nor is it "omg huge security breach" that an unclassified network would get a virus. That is the whole reason classified and unclassified networks are physically separated.
    • The distinction between "classified" and "unclassified" networks parent is referring to comes from The Register's [theregister.co.uk] coverage of the same story. The PCWorld link in the original submission makes no mention of whether or not the networks were classified or not.

      • Re: (Score:3, Insightful)

        by Llywelyn ( 531070 )
        It doesn't necessarily come from that article--which thankfully does make the distinction--it could have just been a guess based on knowledge of how these things are set up.

      • Re: (Score:2, Informative)

        by Anonymous Coward
        The LANL network that got hacked was unclassified.

        Here is an official email to the employees (sorry, but the links don't work outside the lab):

        To/MS: All Employees
        From/MS: Michael R. Anastasio, DIR, A100
        Phone/Fax: 7-5101/5-2679
        Symbol: DIR-07-324
        Date: November 9, 2007

        SUBJECT: RECENT HACKING EVENT A REMINDER TO BE CYBER SECURITY
        AWARE

        For years the Laboratory has been the target of daily, relentless
        attacks by hackers by means of SPAM, random pinging, robotic
        campaigns, and various other determined, focused,
  • Hmph (Score:3, Insightful)

    by moogied ( 1175879 ) on Friday December 07, 2007 @06:11PM (#21618471)
    This simply further illustrates the need for better IT professionals. Most IT departments are looked at like maintenance departments (in non IT firms). Something they are REQUIRED to have but not greatly to their advantage. Yes we introduce newer better software to increase productivity but we do it at a cost. So when it comes to IT security the budget is always smaller than it should be. No one wants to pay more for the janitors to clean the locks every week. The locks still require keys and that is good enough. No one cares that the locks can be picked in 2 seconds.. as long as it needs a key it's fine. The same with IT. No one cares that you can be hacked because you send all your data through unencrypted ethernet and that same network segment has a wifi-AP. You can't access either without a username or password.. right?!
    • Re: (Score:2, Interesting)

      by moogied ( 1175879 )
      Also.. I said we need better IT pro's because they need to push security more.. that wasn't clear at all. Sorry.
    • Re: (Score:3, Interesting)

      by IAR80 ( 598046 )
      I honestly believe that such incidents are in a way unavoidable and making the security budget bigger is not going to solve this. More rules, regulations and paranoia are going to lead to even worse security at the end of the day. One of the examples for this was a company that decided that user passwords need to be at least 12 characters long, contain small caps, big caps, numbers and punctuation signs, non dictionary words, no sequences .... The result was that everybody had their passwords written down and most
  • Flipside (Score:3, Funny)

    by SlipperHat ( 1185737 ) on Friday December 07, 2007 @06:14PM (#21618511)

    "even drug dealers can get classified information out of Los Alamos"
    Well, even overworked scientists need drugs! It's not as if science just pops out of thin air you know? You need to get high.. I mean think!

    I kid.
    • Re: (Score:2, Funny)

      by Facetious ( 710885 )
      Exactly! Where else could quantum mechanics come from?
    • I'd like to know how exactly this worked out...."Yo, dude, I'm totally sorry, but I don't have the cash on me for tonight's eight-ball...would you take some classified nuclear secrets instead?"

      If that's how it went down, I don't know what's funnier...that someone would try that or that the dealer accepted.
    • I for one enjoy an extra eye's worth of perception...

      Anyway, I believe these types of incidents are due to a technologically defunct generation working in a technologically advanced world, and soon the iGeneration will take the reins and bring to the work force basic computing knowledge (and no, knowing how to use MS Word is NOT enough). I work as a student tech to get me through college and all I ever find are 40+ year old staffies with absolutely no idea about what is going on. I literally have to force
      • by jbengt ( 874751 )
        "Anyway, I believe these types of incidents are due to a technologically defunct generation working in a technologically advanced world, and soon the iGeneration will take the reins and bring to the work force basic computing knowledge"

        It may take you 5 or 10 years or more, but eventually you'll realize how far from reality that statement was.
        • Maybe you don't understand what I was trying to say, maybe I said it wrong, or maybe you haven't ever worked in IT. I should have made it clear that I have a very limited view of the IT world, but the world I see is sad. But I am a very optimistic person, and I like to believe a younger, more technologically savvy generation is on the rise (or maybe even already in the work force!). There is evidence to support my claim also. Everyone (yes I know, not EVERYONE) seems to have a computer these days which must
  • by Schnoogs ( 1087081 ) on Friday December 07, 2007 @06:15PM (#21618525)
    those ICBMs don't have ethernet jacks for their firmware updates ;)
  • by idontgno ( 624372 ) on Friday December 07, 2007 @06:17PM (#21618549) Journal

    Both labs in question are actually U.S. Department of Energy, not Department of Defense. Technically, they're not "military" labs.

    More to the point, if they were military labs, the schlubs responsible for the security cockups would have been in the brig and awaiting a court-martial long ago. The knowledge that your "employer" can clap you in prison and then have you shot for almost a trivial incident is, to borrow a phrase, tremendously attention-focusing.

    Yeah, yeah, I know, nuclear weapons and technology, blah, blah, blah... but really. Historically, these labs have always been run a little bit like the average academic research lab at any mainline university, and the stereotypes about egghead scientist types hating military-style regimentation (including security processes) rings very true. Read up about the Manhattan Project. (Which is fitting, since these labs are the direct descendants of that program.)

    • by momerath2003 ( 606823 ) * on Friday December 07, 2007 @06:31PM (#21618711) Journal
      You are correct that they're run by the DoE -- and it's not merely a technicality.

      I've worked at Oak Ridge -- it's not a weapons lab. A huge fraction of the work that goes on there is related to energy sustainability and production. This includes materials research and reactor simulation for next-generation nuclear reactors, but it also includes solar energy, wind power, coal, oil, hydrogen, etc. It does do homeland security-related stuff, specifically with detectors (to monitor ports for incoming reactor materials, etc.) but it's definitely not a military lab. I've worked at a weapons lab before -- it's a completely different environment. There was no military-style regimentation at ORNL.
      • Oak Ridge isn't a weapons lab NOW. My Grandfather, Charles Thompson, was pretty high muckety muck there. He's told me about how he had to send the cops and military out to take care of the local yokel cops who were harassing scientist's wives and things like that. Some people also "wandered off" during the war. There was also the situation of lots of young women and very few eligible men which led to some pretty interesting encounters with the guards.

        Regarding loading firmware into ICBMS, I was a Missileer
    • by Orthuberra ( 1145497 ) on Friday December 07, 2007 @06:36PM (#21618765)

      More to the point, if they were military labs, the schlubs responsible for the security cockups would have been in the brig and awaiting a court-martial long ago. The knowledge that your "employer" can clap you in prison and then have you shot for almost a trivial incident is, to borrow a phrase, tremendously attention-focusing.
      Security at many DOD installations isn't much better to be honest. Didn't we have an article a month or two back about the Secretary of Defense having his pc broken into?

      My personal experience with the NMCI project (Navy-Marine Corps Intranet) is that it isn't very secure. A cheap social engineering hack such as a phone call to the tech guys will pretty much guarantee you a password to access the network. No one's getting shot or being court-martialed because the government in question is fairly incompetent to begin with.

      Didn't we also have a story a little while back about Homeland Security's networks getting hacked a couple hundred times in the last two years. This isn't just a few labcoats who don't value security, the military fares no better, and neither do the Homeland Security guys.
      • 1) Any network connected to the internet can be hacked given enough time. Some of these institutions are extremely attractive to hackers all over the world and it's inevitable they will be hacked. Classified material should never be stored or accessible to computers that are connected to the internet in any way. The lab in question is not a military lab so they probably have significantly more lax standards regarding the handling of such material. 2) People like to talk about a lack of military security
    • "More to the point, if they were military labs, the schlubs responsible for the security cockups would have been in the brig and awaiting a court-martial long ago."

      I believe this is incorrect. As far as I know, only military personnel can be court martialled. Many, if not most, employees at military labs are PhD researchers or engineers. A mix of civil servants and contractors. There are military personnel there as well, of course.
  • People in a company I was working for awhile ago received a phishing email that was targeted to us and our environment. I, and a few other people noticed something weird. I did research and realized it was phishing fairly quickly and got the network people to immediately block that site and send out mail to everybody asking anybody who visited that site before it was blocked to have their computer fully checked for malware.

    I think we narrowly avoided disaster that day, and I suspect none of the security people (I was not among them) quite realized exactly what happened. I was immensely surprised by how targeted it was.

    I can easily understand why a user might've been taken in, and I don't blame them at all. I found the whole thing very unsettling.

    • I was working for awhile ago received a phishing email that was targeted to us and our environment.
      FWIW, this sort of attack is becoming increasingly common to the point where it has a name of its own -- "spear phishing."
    • by Anonymous Coward

      My dearest Omnifarious.

      Compliments of the day. My name is Mr.Moses Odiaka.I work in the credit and accounts department of Union Bank of NigeriaPlc,Lagos, Nigeria. I write you in respect of a foreign customer with a Domicilliary account. His name is Engineer Manfred Omnifarious. He was among those who died in a plane crash here in Nigeria during the reign of late General Sani Abacha.

      Since the demise of this our customer, Engineer Manfred Omnifarious, who was an oil merchant/contractor, I have kept a clos

    • People in a company I was working for awhile ago received a phishing email that was targeted to us and our environment. I, and a few other people noticed something weird. I did research and realized it was phishing fairly quickly and got the network people to immediately block that site and send out mail to everybody asking anybody who visited that site before it was blocked to have their computer fully checked for malware.

      Check each computer to see if it is running Windows, and if it is, remove it. There you go, no more phishing problems.

      • Actually, that isn't a solution. People working on Linux desktops can be tricked into entering their logins and passwords just as readily as people working on Windows desktops. Also, if you know the environment well enough, Firefox has enough holes that PCs can still become infected with malware. With the way most corporations standardize applications and rollout you can learn what version of various things everybody's desktop is likely to have and specifically target your malware at it.

        Something you ca

  • by ackthpt ( 218170 ) on Friday December 07, 2007 @06:17PM (#21618557) Homepage Journal

    This appears to be a new low, even drug dealers can get classified information out of Los Alamos,"

    Mushroom clouds be in order, beeyach!

    • Re: (Score:1, Funny)

      Word. Nothing says "bling" like a platinum plated tactical nuke mounted to one's pimp-cane. Holla back, son.
    • No no, burning mushrooms destroys the psilocybin. Those defensive clouds of yours wouldn't do much good.
  • they were using Linux!
  • by Brett Buck ( 811747 ) on Friday December 07, 2007 @06:23PM (#21618617)
    No one can hack into a classified (Secret or above) network from the outside by sending them emails or anything else - *because classified networks are not connected to the outside world*.

            Brett
    • That's not a universally implemented security mechanism, even within the DoD.
      • Yeah, it is. Classified networks are not hooked up to the internet.
        • No it isn't. I have lived with somebody who has top security clearance and works as defense contractor for the DoD, and their laptop (on which most of their work, some of which is classified, is done) is connected to the internet from a static IP address at home every day.

          Oh, and I have full access to it.
          • That computer never has any classified on it. If it does your friend/roommate is guilty of a serious security breach. Now just because they work on classified information does not mean it happens on that machine. It is not uncommon to find an unclass machine sitting next to a classified machine, it shouldn't happen in a TS environment but it most likely does. The classified work occurs on the classified machine, the unclass work happens on the unclass machine.

            And I guarantee that unclassified laptop n
        • Yeah, it is. Classified networks are not hooked up to the internet.
          That's true. However, classified != secret.
      • Now, who knows what kind of stuff is rated less than secret. It's probably somewhere in sensitivity between the bills for the Coke machines and Osama bin Laden's cell phone number.

        But most likely the article is some activist trying to stir up FUD, or just the usual sloppy, lazy journalism.
        • by Tacvek ( 948259 )

          Now, who knows what kind of stuff is rated less than secret. It's probably somewhere in sensitivity between the bills for the Coke machines and Osama bin Laden's cell phone number.

          But most likely the article is some activist trying to stir up FUD, or just the usual sloppy, lazy journalism.

          Actually Osama's satellite phone number is not secret at all. But he has not used it in a long time, some sources indicate it was last used in 1998. The number is 00 873 682 505 331. He may have a regular cell phone that he uses now (assuming he is still alive) but if so, I'm not sure even the DoD knows it.

    • No one can hack into a classified (Secret or above) network from the outside by sending them emails or anything else - *because classified networks are not connected to the outside world*.

      Of course it takes just one wise guy to bring his laptop home, hook it up to the Internet, get pwned, then re-attach it to the classified network again, and presto -- your malware has access to the classified network! Now it can collect "interesting" information to its heart's content, and the next time the guy brings his

    • by Anonymous Coward
      No one can hack into a classified (Secret or above) network from the outside by sending them emails or anything else - *because classified networks are not connected to the outside world*.

      I think you mean:

      *because classified networks are supposed not connected to the outside world*

      As other people have already said, policy and reality are 2 different things. I've done some contract work for my state police headquarters and was shocked to find an unsecured, dhcp enabled wireless gateway accessible from outsid
      • by Rich0 ( 548339 )
        Yes, but in the federal government costing money to fix is considered a good point. It means overtime, contractor selection (translate - kickbacks), increased budget, and maybe an opportunity for the computer security guys to expand their turf slightly. The only issue is whether after spending this money they'll actually fix the problem - if they don't then they have an excuse to repeat the whole exercise the next year...
  • If you know your history, our government and military have always used campaigns of disinformation against our enemies. Maybe sensitive information was stolen, but there is an equal chance they simply recognized the attack and allowed "sensitive information" to be compromised. That's just my opinion, I guess we'll never really know.
  • by Artifakt ( 700173 ) on Friday December 07, 2007 @06:37PM (#21618793)
    I live fairly near the Oak Ridge (TN) area. The National Labs there have done the same sort of work as Los Alamos since both sites were founded in the 40's. Contracts keep tending to go preferentially to Los Alamos - it currently gets roughly 4 times the government dollars overall, 5 times the spending on specifically Nuclear Deterrent related research, and is getting over 10 times the historical preservation funding to preserve its historic buildings. (That's just from the public record, without taking black budget spending into account. I don't know if that distorts the figures or not, obviously).
            The Oak Ridge labs safety and security records are both far superior to Los Alamos. (While neither location has a perfect record, even non-serious rated incidents at ORNL have averaged many years apart. There has never been a security incident involving the ORNL facilities that didn't end up with the FBI at least knowing exactly what information was compromised, who did it, and who got it in the end, while there are three incidents on record for LA that no investigator can tell the congressional oversight committee just what may have been stolen, if they are confident they found everyone who did it or not, or if a particular hostile foreign government may possibly have ended up getting the info.).
            There's also the Argonne labs in the Chicago area. Arguably, if there's some reason not to transfer more of LAs work to OR, they are also a better prospect if the US really cares about security. Los Alamos has had several opportunities to clean up their act - the problems are apparently systemic, and nothing short of major funding losses seems at all likely to motivate them at this point.

           
    • by Anonymous Coward

      The Oak Ridge labs safety and security records are both far superior to Los Alamos
      What glib unsubstantiated bullshit. How would you know? The last major incident in the Nuclear complex was at Oak Ridge. Some guy selling parts from uranium purifiers. That's a lot worse than claims that hard drives were lost, when it turns out they were just mislabeled. You're an asshat. As for claiming the work at Oak Ridge is on par with LANL. Get real.
    • by Anonymous Coward

      The Oak Ridge labs safety and security records are both far superior to Los Alamos. (While neither location has a perfect record, even non-serious rated incidents at ORNL have averaged many years apart. There has never been a security incident involving the ORNL facilities that didn't end up with the FBI at least knowing exactly what information was compromised, who did it, and who got it in the end, while there are three incidents on record for LA that no investigator can tell the congressional oversight c

      • Let's see. ORNL's phishing attacks began OCT 29th, a bit more than a month ago. over 1,100 distinct attacks resulted in possibly as many as 11 persons biting (a less than 1% failure rate for what began as a social engineering scam, although it appears it also involved attempts to directly infiltrate the machines). Data released included no classified information at all, but may well have included Social Security numbers and/or DOB's of some visitors to the lab (not regular employees. The only database that
    • by wolvesofthenight ( 991664 ) on Friday December 07, 2007 @07:56PM (#21619563)
      Knowing a large number of people that work at Los Alamos National Lab (LANL) I can tell you that cutting the funding won't solve the problem. That would be a lot like trying to make a football team win games by cutting the legs off of a few team members. It just won't solve the problem. Yes, some projects should not be funded, just as other projects need more funding. And don't forget that many of the wasteful projects are ones that congress told them to work on. Some of the problems:

      1) They are a big name. Whenever something bad happens it is all over the news. When something good happens it might or might not make the news, and it will never be as big of a news item as a minor bad thing. Fork lift accident at Oak Ridge? Nobody hears about it. At LANL it makes national news. This is a huge factor in everyone saying that LANL is so poorly run. They hear about every bad thing there, but very little about the problems elsewhere. On top of that the news tends to give only part of the story. We hear on the news that someone at LANL buys a sports car on a LANL credit card. What they don't bother mentioning is that the order was a paperwork mix-up when they were ordering something else that cost just as much but was legit business. They also don't tell us that as soon as they found out there was a mix-up they actually corrected the order, returned the car, and got the money back. We hear "your tax dollars wasted by LANL" when the real story was "LANL makes paperwork error and then fixes it."

      2) Because of 1 they get micro-managed by the DOE and congress. Congress has no clue how to run a large, secure, scientific lab and the DOE is not much better.

      3) Congress & the DOE will tell them to do something and not provide the funding for the proper things. Recently they switched the management contract to a different agency and decided to pay them a lot more to manage the lab. The idea was that paying more would bring in better management. Well, the cost of the contract went from about 10 million to 90 million. Then congress said that the lab's budget would stay the same. The net result? An 80 million budget cut.

      Are there problems at LANL? Yes. Will yelling about how bad things are fix it? No. Congress and the DOE need to get good management there and then give them the power and money to get the job done instead of giving them more rules to follow whenever something makes the news. Don't tell them that a forklift accident can't be allowed. Instead tell them that they have to have 30% fewer construction accidents than industry. Don't tell them that they can never lose a hard drive; tell them that they can never let weapons designs leak. Don't tell them how to run their security. Give them the money for good security and the ability to do it.
  • So, hackers using Web2.0 bricked Los Alamos by spearphishing, to get all the inappropriate buzzwords out of the way... but is social engineering really cracking the system? If you convince someone to give you the keys to the car and then you steal the car, that's nothing wrong with the car. In this case, it's possible that a better design might make it impossible for someone to give the keys to the wrong people, but nobody else has a flawless solution for that, either.
    • People are a part of the system, too.
      • But they're not a part of the system that programmers have much control over, and when programmers write stuff that tries to take some control, the users go *insane* -- see "allow or deny", for instance.
  • by madscientistgirl ( 1200027 ) on Friday December 07, 2007 @07:14PM (#21619145)
    I will grant that cybersecurity problems at national labs should be taken seriously. But there are at least 10,000 people doing at least part of their research at national labs, much of it inherently internet-based and hardly any of it has military applications. It is unreasonable to expect that no computers at a national lab will ever get hacked. Any computer that is connected to a network has a non-zero probability of getting hacked. I am doing my doctoral research at a national lab (Brookhaven) and have been in far too many meetings where we had to figure out how to work with security measures implemented in response to stories like this, which tend to paper over important details.

    The story says nothing about what information was actually acquired through the attack, for instance. And it neglected to mention that the "drug dealer" didn't actually have the USB stick with classified information, but rather lived with a person who worked at LANL and had illegally brought it home. He didn't even know he had anything classified. (As usual, *people* are the weakest point in security, not computers.) As someone already commented, this is a Department of Energy Lab, not a "military" lab. Much, if not most, of the research at LANL is not classified. Just because someone at LANL got hacked does not mean classified information got hacked, nor does it mean that the computers that got hacked were remotely related to anything with the word "nuclear" in the subject.

    Among the measures which were proposed to remedy Brookhaven's "problems" with cybersecurity were banning all non-US citizens from logging in to any computer outside of BNL. There is a collider at BNL which has, overall, cost about $1B to build and run. This rule would have essentially stopped this collider from running, costing the government about $1B, along with ending a promising scientific program.

    There were other rules proposed that we had to password-protect every computer - which is very dangerous if that computer controls an apparatus that operates at high voltage so someone who forgets or doesn't know the password can't turn it off. The slew of cyber-security updates imposed on BNL by DOE in response to the hysteria over cyber security caused me personally to lose two weeks of productivity because it was so hard to get into the computer clusters I needed to use for my research. There were about 1000 scientists affected by the same thing - we easily lost 20 person-years of labor, if not more. Even if you assume that everyone earned a grad student salary, that's $500,000. Overall, I have been in meetings which consumed about 40 hours of roughly 20 PhD scientists' time trying to figure out how to work around these rules. None of this includes the lost time because all of our computer experts were working on security instead of supporting the research goal of the lab.

    And what is at risk at Brookhaven? Data on relativistic heavy ion collisions. I personally think that if someone were really interested enough in our data to try to steal it, it would be a major development for the field. Oh man, and if they analyzed it - find those lambda baryons! - it would really decrease the work load in our collaboration. Please, take our data and analyze it for us! There's essentially no risk of permanent data loss because of multiple backups on various types of media in different geographical locations - you'd have to take out everything at once. The biggest real risk is that we would get hacked and turned into a porn server. Embarrassing, yes. Catastrophic? No. It happens to servers all the time. And indeed the one time I'm aware of BNL getting hacked, at least while I've been there, and all they did was sneak links to porn sites into an obscure webpage, not host porn on any BNL computers. (Which none of the stories mentioned... They all said BNL was hosting porn.)

    So what am I saying?
    1. Simply because of the size and number of national labs, it is unreasonable to expect that national labs will never get hacked.
    2. The response needs to be proportional to the risk. If the rules are too strict, this costs money, with no benefit.
  • the Transformers [imdb.com] to hack the military? Phht! Hollywood, so unrealistic these days...
  • Let's hope it doesn't get so easy that cavemen can build nukes, or we'll never recover from WW3.
  • Quoth the headline: "Los Alamos has a checkered security history" ...

    Hey, where I work we don't talk like that. I interpret that to be a politically correct, human resources filtered, public official sanctioned version of the statement: "They're about as secure as a hooker's panties on New Year's Eve in Times Square."

    I could be wrong, of course.

  • LANL and ORNL aren't "military" labs. They are Department of Energy labs. ORNL doesn't even deal with weapons. > ...even drug dealers can get > classified information out of Los Alamos Jessica the Q wasn't a drug dealer. It was her roommate.
    • Well crap. I posted that "HTML formatted" when I wanted "Plain Old Text".
      ---
      LANL and ORNL aren't "military" labs.
      They are Department of Energy labs. ORNL doesn't even deal with weapons.

      > ...even drug dealers can get
      > classified information out of Los Alamos

      Jessica the Q wasn't a drug dealer. It was her roommate.
  • POGO? Couldn't be more perfect.
  • Not defense labs (Score:3, Informative)

    by Sir Holo ( 531007 ) * on Friday December 07, 2007 @08:05PM (#21619639)

    These labs are run by the Department of Energy, not Defense.

    They are not defense labs, they are scientific research institutes.

    They also provide several large experimental facilities (>$200M) that universities could never afford to run, that give free access to profs who want to use them.
    • DOE labs have more important secret GOV info than the DOD does. These are the people who test and design our Nukes and create other technologies most of us will never hear about.

      Our enemies would much rather hack the DOE than the DOD.

  • POGO have a political ax to grind, in that they represent the Luddites who are scared of anything that might be related to "nuclear".

  • Drug dealers fund terrorists! It was all over the commercials after 9/11...
  • It still amazes me that anyone could believe any of the conspiracy theories, the U.S. Govt couldn't successfully keep anything secret.

    UFO Conspiracies?, Kennedy Assassination Conspiracy?, Secret Commissions Directing Foreign Policy?, Bah phooey!

    Let's face it, nothing as big as the Atomic bomb, or as small as Monica Lewinsky's cigar stays secret for long.

    We might as well do nuclear research live on CSPAN, at least then only 5 or 6 people will see it.
    • I've got news for you: America does direct foreign policy, but we do it in the open, and no one stateside seems to understand why telling a sovereign nation what to do is wrong. We are imperialists.
  • why the hell are attachments allowed to be delivered via email at all? It makes it just too easy to get infected. For example, on my own system incoming attachments are removed and placed into a user folder on a network drive. The email itself has an addendum that tells the user that the attachment cannot be accessed from within the email client, and provides the location of the file on the network (no hyperlink, nothing to click on.) That simple action makes it impossible for a user to stupidly click on an
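
The attachment handling described in the comment above, sketched as an added example (not the commenter's actual system): attachments are detached to a per-user folder and the message is rebuilt as plain text with the file location appended. The share path, user name and sample message are constructed assumptions.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import Path


def quarantine_attachments(raw: bytes, share: Path, user: str):
    """Detach every attachment to share/user; return (clean_msg, saved_paths)."""
    msg = message_from_bytes(raw, policy=policy.default)
    dest = share / user
    dest.mkdir(parents=True, exist_ok=True)
    saved = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if data is None:  # nested multipart or message/rfc822: keep raw bytes
            data = part.as_bytes()
        # The sender controls the filename: replace separators so it cannot
        # escape the folder, and prefix a content hash to avoid collisions.
        safe = re.sub(r"[^A-Za-z0-9._-]", "_", part.get_filename() or "unnamed")
        target = dest / f"{hashlib.sha256(data).hexdigest()[:16]}_{safe}"
        target.write_bytes(data)
        saved.append(target)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    # Rebuild as single-part text/plain: no HTML, no links, nothing clickable.
    clean = EmailMessage()
    for name in ("From", "To", "Subject", "Date"):
        if msg[name] is not None:
            clean[name] = str(msg[name])
    if saved:
        text += "\n[Attachments removed from this message. Saved to:]\n"
        text += "".join(f"  {p}\n" for p in saved)
    clean.set_content(text)
    return clean, saved


def build_sample() -> bytes:
    """Constructed test message with a traversal-style attachment name."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "alice@example.org"
    m["Subject"] = "Conference schedule"
    m.set_content("Please see the attached schedule.\n")
    m.add_attachment(b"constructed sample bytes", maintype="application",
                     subtype="octet-stream", filename="../../schedule.exe")
    return m.as_bytes()
```
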
  • According to ABC News and several other news outlets, authorities have tracked the hacker attacks [go.com] back to China.

    This is not too surprising, since several recent high profile hacker attacks have originated from China targeting [arstechnica.com] various countries [timesonline.co.uk] around the world. [news.com.au] It's nothing new that China is continuing to hack into our top secret and sensitive installations.

    In the coming days, you can expect China to adamantly deny any involvement, just as they have when earlier this year the German, UK, Australian and US

  • Who in their right mind connects ANY computer with access to important data to the Internet? Of course we know that answer is most businesses and GOV agencies.

    The offices I'm tasked with securing have 2+ unconnected networks - 1+ for LAN access, and 1 for Internet access. NONE of the computers are connected to the LAN(s) and the Internet. Bridging your network to the outside World is how all these fools get hacked.

    This is NOT Rocket Science.

  • and answer some small questions for us!
  • All your nuclear secrets are belong to us.
