European Space Agency Records Leaked For Amusement, Attackers Say (csoonline.com)

itwbennett writes: A weekend data breach at the European Space Agency (ESA) by hackers calling themselves "Anonymous" has resulted in the release of 8,107 names, email addresses, and passwords of ESA supporters and researchers. "The leaked data highlights a troubling problem with regard to passwords used on the compromised domains," writes CSO's Steve Ragan. "Of the 8,107 passwords exposed, 39 percent (3,191) of them were just three characters long (e.g. 'esa', '469', '136', etc.)."
  • by U2xhc2hkb3QgU3Vja3M ( 4212163 ) on Monday December 14, 2015 @10:21AM (#51114287)

    Three characters is not enough for my luggage.

    • by Adriax ( 746043 )

      I think that's the point of this piece. Our rocket scientists still can't match the password length of space fairing societies with planetary scale shielding, mega-ships capable of stripping the atmosphere off a planet in minutes, casual space travel, and speeds that are frankly ludicrous.

      But there is a glimmer of hope. We are at 60%. Over half way there.

      • by Anonymous Coward

        It's "faring", my good man, not "fairing". A "fairing" is an aerodynamic cover fitted, for example, over a high-performance motorbike to reduce drag. Perhaps this is why all those scientists use three-character passwords; because they doubt their own ability to spell anything longer.

        • by Adriax ( 746043 )

          Fail on my part. I wrote it as faring first but apparently derped when I rewrote the sentence.

        • by Anonymous Coward

          A "fairing" is an aerodynamic cover fitted, for example, over a high-performance motorbike to reduce drag.

          Or like, you know, over the payload at the top of a rocket. Like the ESA uses.

      • by Anonymous Coward

        Like the mega-ships capable of stripping the atmosphere off a planet in minutes, the ESA is surrounded by assholes.

        • the ESA is surrounded by assholes

          Clearly. I can't even find a shop on the ESA website. I was looking to buy some merchandise.

          They should get into that, it's where the real money is made.

    • It still horrifies me that everyone's ATM PIN is just 4 characters!! Though the article does smack of "Scientists too dumb to use computers"
      • by Anonymous Coward

        It simply doesn't matter how long your PIN is because all current ways of stealing your card info include stealing your PIN, too.

      • Re: (Score:2, Insightful)

        AFAIK, in Canada, banks require five numbers. It's 25% more secure!

        • by Quirkz ( 1206400 )

          I dunno. When the first four digits of the PIN are 1, 1, 1, and 1, what are the odds that the fifth digit is going to be something else?

        • by ChoGGi ( 522069 )

          I'm not sure of the minimum in Canada, but I do know my PIN is 8 chars (and no it doesn't work in the USA).

      • While it's not untrue that the passwords in question are 4 or fewer characters long, it is far more significant (about 500 times more significant per digit, not that I've completely memorised my log(10) tables) that they are digits, not general purpose characters.
    • by Nutria ( 679911 )

      Aren't Europeans supposed to be oh so much smarter than us rube Americans and our "they'll suck up the Sun's rays" idiocy?

    • by mwvdlee ( 775178 )

      Yeah, they should at least require some special characters like numbers and upper case to make it extra safe.
      Nobody will ever guess "E5a".

  • by Anonymous Coward

    Before you get all hysterical over weak passwords, please consider that three letter passwords are usually open secrets. In these cases security isn't desired, but because of policy, still needs to be paid lip service. It happens at EVERY organization.

    The question is whether the policy is reasonable and necessary.

    • Most of the Fortune 500 companies I've worked at that had a shared user account still required a password with a minimum of eight characters, one upper character, one lower character, and one symbol. The ESA example shows no minimum requirements whatsoever.
      • by mlts ( 1038732 )

        Even operating systems have had a minimum character password demand for over a decade. Windows Server 2008 and newer have always required password complexity rules (uppercase, lower case, number, symbol), and at least 8 characters by default. Similar with non-root users and Linux.
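The two threads above make two separate points: that a minimum length plus character-class rules is the baseline every mainstream OS has shipped with for years, and that a three-character password drawn from digits alone is far weaker than one drawn from the full printable set. The following is an added example (not code from the page, Slashdot, ESA or any vendor) that encodes a hypothetical policy modelled on the one the comments describe (8 or more characters, one of each of upper, lower, digit and symbol) and, for each candidate, reports which rules it breaks and the size of the space an attacker would have to exhaust if they knew only the length and the character classes in use. The sample passwords are constructed from values quoted in the thread plus one made-up compliant one.

```python
import math
import string

# Hypothetical policy modelled on the comments above (an assumption for this
# example, not ESA's or any operating system's actual configuration).
MIN_LENGTH = 8

# Character classes the policy cares about, with the alphabet each contributes.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}


def character_classes(password):
    """Return the names of the character classes the password actually uses."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def policy_violations(password, min_length=MIN_LENGTH):
    """List the rules a candidate breaks; an empty list means it passes."""
    violations = []
    if len(password) < min_length:
        violations.append(f"length {len(password)} < {min_length}")
    used = character_classes(password)
    for name in CLASSES:
        if name not in used:
            violations.append(f"missing {name}")
    return violations


def guess_space(password):
    """Number of candidates of this length drawn from the same classes.

    This is alphabet_size ** length: the bound an attacker who knows the
    length and which classes appear must exhaust in the worst case. It says
    nothing about dictionary words, so a passphrase built from words scores
    higher here than a wordlist attack would make it in practice.
    """
    alphabet = sum(len(CLASSES[name]) for name in character_classes(password))
    return alphabet ** len(password)


def guess_bits(password):
    """The same bound expressed in bits, for comparing candidates at a glance."""
    return math.log2(guess_space(password))


def audit(passwords):
    """Run the policy over a batch and return a per-password report."""
    return {
        pw: {
            "violations": policy_violations(pw),
            "guess_space": guess_space(pw),
            "bits": round(guess_bits(pw), 1),
        }
        for pw in passwords
    }


# Constructed sample set: three quoted in the story and comments, one
# three-word phrase from the thread, and one made-up policy-compliant value.
SAMPLE_PASSWORDS = ["esa", "469", "E5a", "crankyBOFHgoesnuts", "Esa-Launch2015!"]

if __name__ == "__main__":
    for pw, info in audit(SAMPLE_PASSWORDS).items():
        status = "OK" if not info["violations"] else "; ".join(info["violations"])
        print(f"{pw!r:22} space={info['guess_space']:>12} ({info['bits']} bits)  {status}")
```

Running the block shows why the digits-versus-characters point matters: '469' sits in a space of 1,000 candidates, 'esa' in 17,576, and 'E5a' (the comment's joke about "adding complexity") in only 238,328, all of which fail the length rule anyway. The length rule is the one that moves the number: an extra character multiplies the space by the alphabet size, whereas an extra class only adds to the base.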

  • My college instructor for Linux Admin informed the class that the password to his Redhat Linux server was 26 characters long, doesn't start with the letter 'a' and doesn't end with the letter 'z'. Bonus points for creating an algorithm that prints out all the possible variations with permissible characters. Automatic expulsion if anyone attempts to log in to the server. During his ten years of teaching Linux, only one student took him up on the challenge to write an algorithm and his password was in the result
    • But after paying the cost of the printout, the student went bankrupt and had to quit his studies

      • The student submitted his algorithm and the resulting printout in text files on a floppy disk. No trees were sacrificed for this academic exercise.
  • by Crowd Computing ( 4269575 ) on Monday December 14, 2015 @10:51AM (#51114517)

    Perhaps more damaging is the claim it was done for amusement: "Claiming the name Anonymous, those responsible for a weekend data breach at the European Space Agency (ESA) said the act was one of pure amusement (lulz) and not part of a larger scheme or protest."

    ISIS and Trump at least deserved some sort of mass attack.

    • by Solandri ( 704621 ) on Monday December 14, 2015 @01:26PM (#51115915)

      ISIS and Trump at least deserved some sort of mass attack.

      ISIS deserves to be hacked because they are out there killing innocent people.

      Trump, for all the stupid things he's said, has not committed a crime. The moment you start dehumanizing people who haven't committed a crime, deciding that it's OK to do bad things to them just because you disagree with them, and they're not worthy of the same rights and protections you give to people you agree with, you've started using the same reasoning ISIS uses to justify what they do.

      The acid test for supporting the First Amendment isn't whether you'll stand up to defend the right of people you agree with to speak their opinion. It's whether you'll stand up to defend the right of people saying things you find reprehensible to speak their opinion. When I was growing up, the concept behind the First Amendment was often summarized as, "I disagree with what you say, but I will defend to the death your right to say it." At some point this has morphed into, "I disagree with what I say, and I will do everything I can to stop you from saying it as long as I don't get in trouble for it." That's a very dangerous slippery slope to start sliding down.

      • Trump, for all the stupid things he's said, has not committed a crime.

        Lol, yea right. He's committed crime, lots of it. He's just never been convicted for any of it.

      • Trump, for all the stupid things he's said, has not committed a crime. The moment you start dehumanizing people who haven't committed a crime, deciding that it's OK to do bad things to them just because you disagree with them, and they're not worthy of the same rights and protections you give to people you agree with, you've started using the same reasoning ISIS uses to justify what they do.

        Like the things Trump has been saying about and proposing to do with/to Mexicans and Muslims? Or was that your point?

      • by bmo ( 77928 )

        The moment you start dehumanizing people who haven't committed a crime, deciding that it's OK to do bad things to them just because you disagree with them, and they're not worthy of the same rights and protections you give to people you agree with, you've started using the same reasoning ISIS uses to justify what they do.

        So you mean that TRUMP saying that we should "take out" the families of suspected terrorists is a bad thing, right?

        "I would do my best, absolute best - I mean, one of the problems we

    • by rtb61 ( 674572 )

      As 'Anonymous' can be anyone who chooses to act in an activist sense, anonymously, in the name of 'Anonymous'. It could just be a pissed off security BOFH https://en.wikipedia.org/wiki/... [wikipedia.org], always having to work extended hours due to crappy passwords. Seriously, how hard are three word passwords, no spaces and minimum word length of four characters and with varying length words, as a nonsense string preferable eg 'crankyBOFHgoesnuts' is good. When anyone can be 'Anonymous', all sorts of interesting and oft

  • ..were obviously not rocket scientists.

    Oh, wait.....

  • Anonymous (Score:2, Insightful)

    European Space Agency Records Leaked For Amusement, Attackers Say

    Bruce Wayne: Targeting me won't get their money back. I knew the mob wouldn't go down without a fight, but this is different. They crossed the line.

    Alfred Pennyworth: You crossed the line first, sir. You squeezed them, you hammered them to the point of desperation. And in their desperation, they turned to a man they didn't fully understand.

    Bruce Wayne: Criminals aren't complicated, Alfred. Just have to figure out what he's after.

    Alfred Pennyworth: With respect Master Wayne, perhaps this is a man that *you*

  • by dohzer ( 867770 ) on Monday December 14, 2015 @03:50PM (#51117063)

    Does anyone have some more examples of three letter passwords? I'm having trouble understanding the concept.

  • I've used 4 digit passwords on sites that store nothing besides my email, name, corp address and nothing of true significance. On the other hand I'll use the maximum allowed digits for banking and commerce sites. What blows my mind, is a site that doesn't allow unicode character set and more than 12 digits.
  • The ESA is publicly funded - as are most of its collaborating institutions. Quite likely a significant number of the people intended to have read-write access to their data systems are aware that the information they contain is the property of the people who paid for the data. i.e., everyone. So the only sensible reason for using passwords is to prevent vandalism of the databases, and nobody in their right mind is going to be interested in vandalising a "public good" such as the records that may help our
