
Hack Targets NASA's Earth Observation System

CmdrTaco posted more than 2 years ago | from the even-nasa-ain't-safe dept.


Gunkerty Jeb writes "A hacker is claiming that a security hole in a server at NASA's Goddard Space Flight Center has exposed data related to a satellite-based Earth observation system used to aid in disaster relief. The hacker, who uses the handle 'Tinkode,' has published a screen capture from what he claims is an FTP (File Transfer Protocol) server at NASA's Goddard Center. The hack comes exactly a month after the same hacker exposed a similar hole in a server operated by the European Space Agency."


45 comments

Wait... (1)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#36165006)

Somebody is running an FTP server on a computer that has a screen? Also, the obligatory "SFTP Motherfucker! Why don't you use it?"

Re:Wait... (2, Funny)

Anonymous Coward | more than 2 years ago | (#36165208)

Jules Winnfield: What do NASA computers look like?
Brett: What?
Jules Winnfield: What OS do they run?!?
Brett: What?
Jules Winnfield: What ain't no OS I ever heard of!! They have SFTP on What?!?
Brett: What?
Jules Winnfield: SFTP Motherfucker! Do they use it?!?
Brett: Yes!
Jules Winnfield: Then you know what I'm transferring?!
Brett: Yes!
Jules Winnfield: Describe what NASA computers look like!!

Re:Wait... (0)

Anonymous Coward | more than 2 years ago | (#36165616)

Jules Winnfield: What do NASA computers look like?
Brett: What?
Jules Winnfield: What OS do they run?!?
Brett: What?
Jules Winnfield: What ain't no OS I ever heard of!! They have SFTP on What?!?
Brett: What?
Jules Winnfield: SFTP Motherfucker! Do they use it?!?

Someone actually did this in 1998. Cyberpunk Fiction [prescient-thought.com]. Industrial bands covered the soundtrack, and they even parodied the dialogue bits ("All right, everybody, be cool! I'm your new systems administrator! Any of you fucking Ewoks move and I'll terminate every motherfucking last job on the mainframe!").

I think "Electro Body Music", which starts out with a discussion of "the telnet thing", staying in your home directory, and so on, would be just about perfect here. The PC-vs-Mac crowd would love "User Friendliness Goes a Long Way". ("The OS may run like a wet dream, but I wouldn't know, 'cos I won't use the complicated motherfuckers!")

Re:Wait... (1)

Kompressor (595513) | more than 2 years ago | (#36166232)

This.

That link right there is some brilliant stuff!

Zed: "Bring out the Hack!"
Maynard: "The Hack's not online."
Zed: "Then I guess you'll just have to page him, won't you?"

---

Jules:
"FAQ 25.17: The righteous higher resolution modes require correspondingly more system memory in order to run..."
"Blessed are such modes that are not listed in the video modes menu, for they would only slow down the microprocessor."

---

Fabienne: Whose synthesizer?
Butch: It's not a synthesizer, it's a sampler.
Fabienne: Whose sampler?
Butch: Chemlab's.
Fabienne: Who's Chemlab?
Butch: Chemlab's dead, baby. Chemlab's dead.

Dumbing down (3, Insightful)

Anonymous Coward | more than 2 years ago | (#36165052)

When FTP needs to be explained on /. it's time to find another "News for Nerds" site.

Re:Dumbing down (3, Insightful)

DanTheStone (1212500) | more than 2 years ago | (#36165210)

It's because our submitters and editors are too lazy to write a summary, so they just copy-paste a chunk of the article (which may be intended for a less-technical audience).

Re:Dumbing down (3)

symes (835608) | more than 2 years ago | (#36165218)

I would say defining FTP is just being polite - anyone can come here and browse, some might even want to stay a little while. What's the problem?

Re:Dumbing down (3, Funny)

migla (1099771) | more than 2 years ago | (#36165434)

I, for one, am grateful they explained the acronym, because until I read the next words, I thought NASA had a fuck-the-police server, which didn't make much sense, but that's what the kids writing/spraying FTP around here mean. Unless, of course, this is a neighbourhood of poor geeks...

Re:Dumbing down (1)

SETIGuy (33768) | more than 2 years ago | (#36170526)

It's understandable that it needs to be explained. Nobody except the government and anonymous FTP sites use it anymore. And nobody including the government should be using it.

I've worked on unclassified DOD and NASA projects in the past, and FTP is the default for uploads and downloads. I've never been on a project where personnel would act on an upload without voice confirmation usually involving commands coded in the ICAO phonetic alphabet. I don't know this site, so I don't know if there's anything particularly sensitive there, or if it's just data distribution.

There's a reason they don't want to use SFTP. SFTP is just something that looks like FTP tunneled over SSH. SSH usually means a local account, and that's often not allowed even if shell access is disabled.

Government FTP sites tend to be poorly administered, sometimes with a single username and a guessable password given to all that need access. If there were a satellite named PRJ, the username would probably be prjuser and the password might be prjrules!!.

For my group access sites, I use https, with user changeable passwords for all users, a password reset that requires admin intervention, and custom upload/download code. I don't work for the government, though.

News for... (0)

Anonymous Coward | more than 2 years ago | (#36165230)

FTP (File Transfer Protocol)

News for people who don't know what FTP means?

relief from constant holycostal disaster coming (-1)

Anonymous Coward | more than 2 years ago | (#36165272)

still waiting? then we won't have to watch ourselves dissolve from above. more stand-up talknician routines. more threatening now? will the FSF guys be arrested for sex crimes too? julians, adrians, everybody's at risk, of being arrested, or worse. scary? 13 year old tagged by ss.gov at school for unapproved tweeting. so we're safe from him now. the key to the bells & whistles of just one city is way to much trust to put in one human. our/our planet's fate however, is different?

same old; how many 1000 babys going up in smoke again today? how many 1000's of just folks to be killed or displaced again today? hard to put $$ on that. the cost of constant deception, to our spirit? paying to have ourselves constantly spied on & lied to by freaky self chosen neogod depopulationers? the biblically styled fatal distraction holycost is all encompassing, & never ends while we're still alive, unless we cut them/ourselves off at the wmd. good luck with that, as it's not even a topic anywhere we get to see, although in real life it's happening everywhere as our walking dead weapons peddlers are being uncontracted. you can call this weather if it makes you feel any better. no? read the teepeeleaks etchings.

so, once one lie is 'infactated', the rest becomes just more errant fatal history.

disarm. tell the truth. the sky is not ours to toy with after all?

you call this 'weather'? what with real history racing up to correct itself, while the chosen one's holycostal life0cider mediots continually attempt to rewrite it, fortunately, there's still only one version of the truth, & it's usually not a long story, or a confusing multiple choice fear raising event.

wouldn't this be a great time to investigate the genuine native elders social & political leadership initiative, which includes genuine history as put forth in the teepeeleaks etchings. the natives still have no words in their language to describe the events following their 'discovery' by us, way back when. they do advise that it's happening again.

who has all the weapons? who is doing MOST of the damage? what are the motives? are our intentions & will as the ones who are supposed to be being represented honestly & accurately, being met? we have no reference to there being ANY public approval for the current mayhem & madness pr firm regime style self chosen neogod rulership we've allowed to develop around us, so we wouldn't have to stop having fun, & doing things that have nothing to do with having to defend from the smoke&mirrors domestic frenetics, of the unproven genocides. rockets exploding in syria fired from Libya? yikes?

  the zeus weather weapon is still being used indiscriminately against the population, our rulers' minions are fleeing under fire.

the whore of babylon has been rescued by the native elders. she has the papers of challenge authored by the hymenical council, & is cooperating wholeheartedly with the disarmament mandate.
disarm. thank you.

censorship, or convenience?
Due to excessive bad posting from this IP or Subnet, anonymous comment posting has temporarily been disabled. You can still login to post. However, if bad posting continues from your IP or Subnet that privilege could be revoked as well. If it's you, consider this a chance to sit in the timeout corner or login and improve your posting. If it's someone else, this is a chance to hunt them down. If you think this is bogus, you are right moderation@slashdot.org with your MD5'd IPID and SubnetID, (which have been maliciously edited from time to time for effect by /.censory) which are always changing, you butthead

Houston, we have a serious security problem... (2)

digitaldc (879047) | more than 2 years ago | (#36165276)

Someone over at NASA, and government agencies in general, need to seriously step-up their security team.
Hire people that can effectively put a system in place to secure their networks, data, and disposition of old equipment. Monitor your networks and data, put systems and people in place that can predict and respond to security issues.
My assumption is that NASA is so budget-constrained, and has so many wasteful expenditures that security gets left to the wayside and then things like this happen (if it indeed DID happen.)
Time to abort the mission until we can verify the mission's security has not been compromised.

Hacking assholes. (1)

Anonymous Coward | more than 2 years ago | (#36165430)

Agreed. Although, someone hacking into the SERVIR computers has to be a real goddamn low-life sub-human sack of shit and should be ashamed to even post that they even attempted such a thing.

What next assholes? Breaking into the UNICEF servers or something to delay help to needy children? Do you fucks go around kicking puppies and kittens?

You're not "cool". You're not "l33t" or whatever the fuck you losers call yourselves.

You wanna be "l33t" and "cool"? Invent something that helps humanity, makes a billion, or both. At least if you make a billion you'll be creating jobs - even if you blow your money and go all Charlie Sheen, it'll be more respectable.

Re:Hacking assholes. (2)

Steauengeglase (512315) | more than 2 years ago | (#36166744)

This is nothing new: http://en.wikipedia.org/wiki/WANK_(computer_worm) [wikipedia.org]

For whatever reason, NASA is like a flame for hackers' moths. They have interesting, groundbreaking research, a budget and, let's be honest, they have things in orbit, but they aren't going to shoot you in the head like other agencies who may or may not have things up there.

Re:Hacking assholes. (0)

Anonymous Coward | more than 2 years ago | (#36169132)

What next assholes? Breaking into the UNICEF servers or something to delay help to needy children?

If it was UNICEF Japan, I would gladly make the computers kill their local users.

Re:Houston, we have a serious security problem... (2)

camperdave (969942) | more than 2 years ago | (#36165652)

I thought there was a whole three letter agency (sharing many of the same letters as NASA), whose job it was to secure US government databases and communications. Maybe they're fixing things alphabetically and they're only up to the Ms.

On the other hand, this data is on a server accessed by "scientists, educators, project managers and policy implementers to better respond to a range of issues including disaster management, agricultural development, biodiversity conservation and climate change"... with "a strong emphasis is placed on partnerships to fortify the availability of searchable and viewable earth observations, measurements, animations, and analysis." The SERVIR project is endorsed by governments of Central America and Africa and principally supported by NASA and the US Agency for International Development (USAID). So, hiding the data behind restrictive protocols is counterproductive to the intended purpose of the site. Furthermore, some of the organizations who use the site may be prevented from using more secure protocols by ITAR restrictions.

Re:Houston, we have a serious security problem... (2)

_Sprocket_ (42527) | more than 2 years ago | (#36166274)

Someone over at NASA, and government agencies in general, need to seriously step-up their security team.

To outsiders, NASA looks like a big monolithic Government agency. The reality is that NASA is schizophrenic. It is really a collection of entities that operate at different levels of control and coordination depending on what particular issue is at hand. When you quote "Houston, we have a serious security problem", I'm inclined to point out that it isn't Houston's problem.

Hire people that can effectively put a system in place to secure their networks, data, and disposition of old equipment. Monitor your networks and data, put systems and people in place that can predict and respond to security issues.

Sounds so easy when you put it down on paper like that.

My assumption is that NASA is so budget-constrained, and has so many wasteful expenditures that security gets left to the wayside and then things like this happen (if it indeed DID happen.)

I would say your assumption is mostly incorrect. It is more about NASA's bureaucracy than squandering limited resources; though budget constraints are certainly a fundamental issue. The CAIB Report hinted at a culture that was broken within NASA in general. And years later, despite best efforts to change that culture, many of the same problems echo throughout NASA's daily business.

Re:Houston, we have a serious security problem... (2)

CBM (51233) | more than 2 years ago | (#36167300)

I would also like to add that over the past ten years, "security" has gotten much much tighter at NASA. NASA has many roles that involve interfacing with the industrial community, the scientific community, and the public community at large. It is often difficult to reconcile those roles with the additional goal of "more security!" In fact, in the interests of blanket security, I would say that NASA's ability to interact with communities, and lead through good example, has been partially stifled in the name of security.

Another thing to mention is that often-times, large institutions like NASA are dealing with legacy systems that do not have the latest security. The common knee-jerk reaction is to say, "just upgrade it!" But the reality is that there can be knock-on effects that prevent upgrading or make it cost-prohibitive. Critical systems that have been running for years often do not have the funds or staff expertise to execute a major upgrade. But as I said, this is a problem with most large institutions, it's just that "NASA" in the title of an article makes it higher profile.

This post has my personal opinions only.

Re:Houston, we have a serious security problem... (2)

_Sprocket_ (42527) | more than 2 years ago | (#36167802)

I would also like to add that over the past ten years, "security" has gotten much much tighter at NASA. NASA has many roles that involve interfacing with the industrial community, the scientific community, and the public community at large. It is often difficult to reconcile those roles with the additional goal of "more security!" In fact, in the interests of blanket security, I would say that NASA's ability to interact with communities, and lead through good example, has been partially stifled in the name of security.

That's a fair point. Security has been an even bigger issue over the past 10 years. Although unfortunately a fair amount of that effort has been around feeding the bureaucracy of compliance rather than actual technical security practices. Which is boon and bane. At least the compliance drive is pushing technical issues that in the past would be entirely ignored by some organizations within NASA.

Another thing to mention is that often-times, large institutions like NASA are dealing with legacy systems that do not have the latest security. The common knee-jerk reaction is to say, "just upgrade it!" But the reality is that there can be knock-on effects that prevent upgrading or make it cost-prohibitive. Critical systems that have been running for years often do not have the funds or staff expertise to execute a major upgrade. But as I said, this is a problem with most large institutions, it's just that "NASA" in the title of an article makes it higher profile.

The problem is that security impacts productivity. So much of what is done in IT is done without security issues in mind. Which eventually means disruption of services as security issues are addressed. The challenge has always been to catch security issues early in a project's development or find the most graceful path to addressing a project's security issues. Those who drive infosec aren't always good at doing these things.

This post has my personal opinions only.

These are my own personal opinions as well. :)

Re:Houston, we have a serious security problem... (3, Insightful)

AMuse (121806) | more than 2 years ago | (#36168400)

Hi all; I actually work for NASA as an IT Security guy.

While I can't answer specifics about this incident, you should remember that a great many things done by NASA are "General Science", and the data output from them is specifically and consciously made public.

It's possible that the FTP server is meant to be serving those files "to the public".

Why FTP instead of SFTP? Usually when you choose to make data public to the world, you don't bother implementing crypto on the data. And just because it's available via FTP for distribution, does not mean insecure FTP was used to *place* the data on the server.

Re:Houston, we have a serious security problem... (1)

tyldis (712367) | more than 2 years ago | (#36169556)

And I work for a company that deals a great deal with NASA, and they are happy to lose satellite data while waiting for a replacement demodulator to pass their security scans on an internal network.

They do make an effort, but personally I think they strive to achieve perfect security and in the process people have to poke holes in it in order to make it work :)

Re:Houston, we have a serious security problem... (1)

sysrammer (446839) | more than 2 years ago | (#36170478)

+1

Thank you. This was my thought exactly. If it's read-only data, no problem.

sr

Choosing your targets (1)

Daetrin (576516) | more than 2 years ago | (#36165332)

Hack Targets NASA's Earth Observation System [...] The hack comes exactly a month after the same hacker exposed a similar hole in a server operated by the European Space Agency.

Now _this_ is a hacker who knows how to aim high!

Re:Choosing your targets (0)

Anonymous Coward | more than 2 years ago | (#36165372)

*badum-tish!*

Daetrin will be here all week. Try the fish.

OMGWTFBBQ I FOUND ANOTHER ONE!!!!! (1)

bmo (77928) | more than 2 years ago | (#36165394)

DUDE!  CHECK OUT THIS FTP SERVER THAT I COULD JUST WALK INTO!  OMG I HACK IT!

ALL I HAD TO DO WAS PUT IN MY EMAIL ADDRESS AS THE PASSWORD!  MY GOD I COULD HAVE PUT IN ANYTHING!

bmo@owlcomm:~$ ftp ftp.linux.org.uk
Connected to ftp.linux.org.uk.
220 (vsFTPd 2.2.0)
Name (ftp.linux.org.uk:bmo): anonymous
331 Please specify the password.
Password:
230-Welcome to ZenIV
230-
230-The software on this site is made available for free without warranty or
230-other right of recourse implied or otherwise. No statement save one in
230-writing by the owner of the system changes this usage agreement. This
230-software is provided in the United Kingdom for United Kingdom users,
230-any export download is at your own risk and liability.
230-
230-Many parts of this archive are mirrors of other sites. While we try not
230-to mirror any inappropriate material we do not have editorial control over
230-such mirrors and cannot make such a guarantee.
230-
230-There is no other user agreement, should your local law make such an
230-agreement invalid you are prohibited from using this site, and may be
230-committing an offence under the computer misuse act by continuing.
230-
230-By downloading any file from this site you agree to these terms and
230-conditions, disconnect now if you do not.
230-
fucking lameness filter
230-*                                                                     *
230-*   If you are having problems accessing this site, then please use   *
230-*  "passive" transfer mode rather than "port" transfer mode.  Thanks. *
230-*                                                                     *
fucking lameness filter
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

--
BMO
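The session above is the whole "hack" in miniature: a 220 banner, a 331 asking for a password, a multi-line 230- welcome and a final "230 Login successful." As an added example (not code from the post or from any FTP server project), here is a small parser for FTP reply lines in the RFC 959 shape shown in that transcript, plus a summary function that tells a reviewer what matters when triaging such a capture: which account was used, whether it was anonymous, and whether the login succeeded or was refused. The transcripts embedded below are constructed, modelled on the post but shortened and pointing at a reserved `.invalid` hostname; they are not captures from any real host.

```python
import re
from dataclasses import dataclass

# Constructed transcript modelled on the anonymous login in the post above.
# Server text is abbreviated and the host name is reserved (.invalid).
SAMPLE_SESSION = """\
Connected to ftp.example.invalid.
220 (vsFTPd 2.2.0)
Name (ftp.example.invalid:bmo): anonymous
331 Please specify the password.
Password:
230-Welcome to the example mirror
230-
230-By downloading any file from this site you agree to these terms and
230-conditions, disconnect now if you do not.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
"""

# Constructed failure case: same dialogue, but the server refuses the login.
SAMPLE_REFUSED = """\
Connected to ftp.example.invalid.
220 (vsFTPd 2.2.0)
Name (ftp.example.invalid:bmo): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
"""

# RFC 959 reply line: three-digit code, then a space (final line) or a
# hyphen (first/continuation line of a multi-line reply), then text.
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")
# Client-side echo of the user name prompt, as printed by the ftp(1) client.
CLIENT_USER_RE = re.compile(r"^Name \([^)]*\): *(\S+)")


@dataclass
class Reply:
    code: int
    lines: list  # text of every line of the reply, code and marker stripped


def parse_replies(transcript):
    """Group the server reply lines of a client transcript into Reply objects.

    Client-side lines ("Connected to ...", "Name ...", "Password:") carry no
    reply code and are skipped.  A multi-line reply starts with "NNN-" and
    ends at the first line "NNN " carrying the same code.
    """
    replies = []
    open_reply = None
    for raw in transcript.splitlines():
        m = REPLY_RE.match(raw)
        if open_reply is not None:
            if m and int(m.group(1)) == open_reply.code and m.group(2) == " ":
                open_reply.lines.append(m.group(3))   # terminating line
                replies.append(open_reply)
                open_reply = None
            else:
                # "NNN-text" continuation, or a bare text line inside the reply
                open_reply.lines.append(m.group(3) if m and m.group(2) == "-" else raw)
            continue
        if not m:
            continue  # not a server reply
        code, sep, text = int(m.group(1)), m.group(2), m.group(3)
        if sep == "-":
            open_reply = Reply(code, [text])
        else:
            replies.append(Reply(code, [text]))
    if open_reply is not None:
        # Unterminated multi-line reply (truncated capture): keep what we have.
        replies.append(open_reply)
    return replies


def summarize_login(transcript):
    """What a reviewer wants from a login transcript: banner, user, outcome."""
    replies = parse_replies(transcript)
    codes = [r.code for r in replies]
    user = None
    for raw in transcript.splitlines():
        m = CLIENT_USER_RE.match(raw)
        if m:
            user = m.group(1)
            break
    banner = next((r.lines[0] for r in replies if r.code == 220), None)
    return {
        "banner": banner,
        "user": user,
        "anonymous": user is not None and user.lower() in ("anonymous", "ftp"),
        "password_requested": 331 in codes,
        "login_ok": 230 in codes,
        "login_refused": 530 in codes,
        "welcome_lines": next((len(r.lines) for r in replies if r.code == 230), 0),
    }


if __name__ == "__main__":
    for name, text in (("session", SAMPLE_SESSION), ("refused", SAMPLE_REFUSED)):
        print(name, summarize_login(text))
```

The point of the summary is the one the thread keeps making: a screenshot of a 230 after the user name "anonymous" shows a public mirror working as designed, not a compromise, and the same parser reports a 530 just as plainly.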

Re:OMGWTFBBQ I FOUND ANOTHER ONE!!!!! (1)

Kompressor (595513) | more than 2 years ago | (#36166296)

Holy crap! Anonymous has hacked the kernel servers and left a backdoor?

What FTP server will they hit next, sunsite?

Re:OMGWTFBBQ I FOUND ANOTHER ONE!!!!! (1)

JWW (79176) | more than 2 years ago | (#36166494)

I have to concur with this sentiment. NASA data policy states that they give quite a bit of their data away freely.

It appears that ASAR data is freely available. So this could be as simple as this hacker logging into the ftp server that distributes the data, which, as you've shown, is not exactly a "hack".

Please revise the headline ... (0)

Anonymous Coward | more than 2 years ago | (#36165888)

Tinkcode learns that there is a peer to peer method to transfer files called ftp, and it is way faster than bittorrent!

NASA science missions often place data in easily accessed servers, because they are required to by law. Websites like weather.com and spaceweather.com download "their" data from NOAA and NASA servers. The ACE mission has an entire infrastructure maintained on a shoestring to do this for safeguarding satellites from solar storms. I would be more impressed with Tinkcode if he applied his l33t skillz to a public service FOSS project. Since he is so smart, I am sure he can find a need and solve the problem.

Now, get off of my lawn!

Encrypt that Shit! (0)

Anonymous Coward | more than 2 years ago | (#36165928)

Cue James Bond theme! At least it doesn't shoot frickn lasers that can melt the ice caps

www.awkwardengineer.com [awkwardengineer.com]

Uhh Why is this a problem (1)

harrytuttle777 (1720146) | more than 2 years ago | (#36166362)

So is disaster preparedness information now considered "classified" and only able to be disseminated to the highest bidder? Was Tinkode trying to show a dangerous lack of security on the part of NASA that would just allow anyone to log in and get the information needed to track tsunamis? Shouldn't this be what we want government to be doing?

on the security side.... (0)

Anonymous Coward | more than 2 years ago | (#36166384)

Was the hole exposed a black hole?

EOS Data is Free (0)

Anonymous Coward | more than 2 years ago | (#36166454)

EOS Data is free to the public and is mandated to be free to the public.
The EOS project has many FTP servers hosting free data that anyone can download.
Finding what you are looking for is the challenging part, not nearly as easy as Google maps.
Disaster data is also free and mandated to be free and shared with other satellite projects.

I can not read the comments! (1)

dotancohen (1015143) | more than 2 years ago | (#36166652)

I see that there are 30 comments on this article, but I cannot see them! Pressing "Get More Comments" does nothing, and neither does the javascript slider! Slashpot, fix your website! It's been broken for a few months, since the last update!

Kubuntu 11.04, Firefox 4

screenshot as a proof?! (0)

Anonymous Coward | more than 2 years ago | (#36166678)

So this proof is a screenshot in a browser?!
I can show you such screenshot proof of whatever you wish. It's just plain simple - open an html editor, list some dirs, paste them, edit address, name, whatever you want, open the page in a browser, change the path in the address bar, take a screenshot, make a really clever nick and you are in the news.

And the UFO pictures? (1)

Adeptus_Luminati (634274) | more than 2 years ago | (#36167930)

What's the point of hacking NASA if you're not going to download their superTopSekreT UFO pictures? Anybody can modify an FTP login screenshot, but clear pictures of UFOs close up, now that's the money shot!

Summary: He got into an ftp server: big whooptedo: (1)

Hartree (191324) | more than 2 years ago | (#36167984)

Well, BFD.

This is hardly data that is soopersekret national security info.

The ftp server is now down on that machine, but who knows. For all I can see, it may have even been open for read only anonymous ftp access and he just didn't know it for what it was.

Otherwise he may have guessed an obscure login like "data" with password "data". Or, if it was running something unpatched from way long ago, used an existing hack. ftp buffer overflows were a dime a dozen at one point.

Not everything is worth heavily securing especially when you want a broad and diverse audience to have access to it.

Satellite information? (0)

Anonymous Coward | more than 2 years ago | (#36169672)

Let me guess, the poor sob logged into a public FTP server running to aid the organizations involved in disaster relief. Next we hear about an internet renegade who made a trolling usenet post, oh the horror. And no, with this kind of a summary I didn't read the article.

RO or RW access? (1)

RockDoctor (15477) | more than 2 years ago | (#36197052)

So I RTFS and think "Big Fucking Deal, someone can use FireFox to get into an FTP server that appears to carry data for some Earth Observation satellites. So far so BFD."

Next BIG question is - did he have RO access, or RW access? TFS says nothing, so I RTFA - still nothing. Look at the screen shots, still nothing. Not even a claim of a RW access.

So far, the guy has found a FTP server that looks like it contains data which is likely public domain already. BFD.
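AMuse's post (public data served read-only over FTP, placed on the server by some other channel) and the RO-vs-RW question above describe a concrete policy for a distribution server. As an added example, not from the thread and not from NASA or the vsftpd project, here is a small auditor that reads a vsftpd-style configuration and reports where it departs from that policy: anonymous read access is fine, anonymous write is the thing that would make this an incident, local system accounts over plaintext FTP are the SSH-account problem SETIGuy describes, and a missing transfer log means nobody can answer "did he have RW access?" afterwards. It assumes the vsftpd.conf(5) key names used below and the defaults listed in `DEFAULTS` (an assumption; check them against your build's man page). Both embedded configurations are constructed: a weak one and the corrected one for a read-only public archive.

```python
# Assumed vsftpd.conf(5) defaults for the keys this auditor looks at
# (assumption: verify against the man page of the vsftpd build you run).
DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "NO",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "anon_world_readable_only": "YES",
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
    "xferlog_enable": "NO",
}

# Constructed weak configuration: anonymous users may upload, system
# accounts log in over plaintext FTP, and nothing is logged.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
ftpd_banner=Welcome to the data server.
"""

# Constructed corrected configuration for a read-only public archive:
# anonymous download only, no local accounts, transfers logged.
HARDENED_CONF = """\
listen=YES
anonymous_enable=YES
local_enable=NO
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
anon_world_readable_only=YES
download_enable=YES
xferlog_enable=YES
xferlog_std_format=YES
ftpd_banner=Public data archive, read-only.
"""


def parse_vsftpd_conf(text):
    """key=value lines, '#' comments and blank lines; unset keys take DEFAULTS."""
    conf = dict(DEFAULTS)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_distribution_server(text):
    """Return (id, severity, message) findings for a read-only public data server."""
    c = parse_vsftpd_conf(text)

    def yes(key):
        return c.get(key, "NO").upper() == "YES"

    anon_write_flags = ("anon_upload_enable", "anon_mkdir_write_enable",
                        "anon_other_write_enable")
    findings = []
    if yes("anonymous_enable") and yes("write_enable") and any(map(yes, anon_write_flags)):
        findings.append(("anon_write", "high",
                         "anonymous users can modify the archive; RW access is what turns "
                         "a public mirror into an incident"))
    elif yes("write_enable"):
        findings.append(("write_enable", "medium",
                         "write_enable=YES: anonymous writes are still off, but one more "
                         "flag would allow them; set NO on a pure distribution server"))
    if yes("local_enable"):
        if not (yes("ssl_enable") and yes("force_local_logins_ssl")
                and yes("force_local_data_ssl")):
            findings.append(("local_plaintext", "high",
                             "system accounts can log in over plaintext FTP; passwords "
                             "and data cross the network in the clear"))
        else:
            findings.append(("local_enable", "low",
                             "local accounts allowed (over TLS); confirm they are needed, "
                             "uploads usually belong on a separate channel"))
    if not yes("anon_world_readable_only"):
        findings.append(("anon_world_readable_only", "medium",
                         "anonymous users may read files that are not world-readable"))
    if not yes("xferlog_enable"):
        findings.append(("xferlog_enable", "low",
                         "no transfer log; afterwards you cannot tell what was downloaded "
                         "or whether anything was uploaded"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_distribution_server(conf) or "no findings")
```

The auditor deliberately does not flag `anonymous_enable=YES` on its own: for the kind of server the thread is discussing, anonymous read access is the purpose, and the findings that matter are the write flags, the plaintext local logins and the absent log.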
