Re: [ISN] For NASA Whiz Kid, Busting Hackers Isn't Rocket Science

From: mea culpa (jerichoat_private)
Date: Sun Aug 30 1998 - 09:26:20 PDT


    From: <anonymousat_private>
    > And apparently he's built a better mousetrap. But it seems like he just
    > reinvented Cliff Stoll's old hack attack pager notification system? 
    On the contrary.  Yes, this gentleman built a mousetrap, but not a better
    one.  He merely had the proper "connections" to make NASA believe that a
    mousetrap was, in fact, a mousetrap.
    > For NASA Whiz, Busting Hackers Isn't Rocket Science 
    Nothing gives one's opponent a greater advantage than one's own hubris.
    > There's a new sheriff at NASA. 
    There had better be.  The current ones are a joke.
    > Possibly the youngest GS-14 at the space agency, 23-year-old Dan Ridge
    > has become a computer crimebuster for NASA Inspector General Roberta L.
    > Gross.  While the other agents "have to wear guns and bulletproof vests
    > and get to work at 6:30 a.m.," he said, "I don't have to wear a gun, I
    > get to wear jeans, and I don't come in before 10."
    Computer Specialists, by definition, are not issued guns.  Only agents in
    criminal investigations are issued firearms and granted permits to carry
    concealed weapons.
    And I personally do not see what is so great about wearing jeans and not
    coming in before 10 o'clock.  I do it all the time.  Its benefits are
    vastly overrated.
    > Gross and other NASA officials hail Ridge as the whiz who built a
    > "smaller, cheaper, better, faster" computer system -- based on a design
    > called Beowulf -- to detect computer intrusions agency-wide. Beowulf is
    > so good, they say, that NASA is touting it to the rest of the
    > government, to universities, to law enforcement and virtually any
    > organizations with big computational needs and small budgets. 
    The system in question is based on generalities that will be out of date
    and out of use within six months (barring pathetically stupid
    scriptkiddies and 'Happy Hackers').  Furthermore, its implementation
    requires a complete redesign of NASA center intranets such that they need
    to be bottlenecked through a single proxy, thus making them ripe for smurf
    attacks.  Now, instead of smacking several systems, you just constipate
    one bottleneck. 
    Thus, instead of making the systems more secure, only two things have been
    accomplished: [a] the networks will now be more vulnerable to DoS attacks
    and [b] the truly original and clever intruders will continue to
    effortlessly slip past Mr. Ridge's "invention."  It should be no surprise
    when anti-Beowulf class attack methodologies come into play; ones that
    trigger false positives to the point where that detection is rendered
    useless and disabled; only to be followed by a genuine attack.
    > "We brought over a 23-year-old genius and he built us a computer system
    > for $56,000," Gross said with a big smile. It is almost embarrassingly
    > cheap, she added, noting that such a concept isn't even on the screen of
    > some huge departments, which automatically budget millions for such an
    > operation. "We all love him."
    I think I am going to be unwell.  (Novices take note: this means I am
    going to vomit explosively.)
    > Ridge, in turn, loves his job. But there is a touch of culture shock.
    > "It's very, very strange," he said. "There's nobody here like me. . . .
    > I'm probably the only civil servant around here who was not alive for
    > any of the moon landings."
    There are countless people across every center who are much younger than
    Ridge.  I happen to have the pleasure of knowing several who are also much
    more skilled.
    > He confessed to feeling mild discomfort recently when he found himself
    > giving seminars -- to 100 scientists and engineers in a lecture hall at
    > Caltech, for example, and to a group at Edwards Air Force Base working
    > on NASA's next-generation space plane, the X-33. "It's really something,
    > to be the only one with no PhD, hoping the question of my degree doesn't
    > come up." 
    I have addressed similar audiences with absolutely no discomfort.  Why? 
    Because any fool knows that, while these scientists and engineers are
    skilled in their disciplines, they would not know a system vulnerability
    if it bit them.
    > Actually, he got so caught up in his computer work, he confessed, that
    > he has neglected to graduate from the University of Maryland, where he
    > had switched from aerospace engineering (his father's field) to computer
    > sciences. A senior, he has just a few more credits to go, when he can
    > find the time. But for now he's working 12 or more hours a day for NASA. 
    I wonder if he is approved for extended workweek pay during this time of
    outsourcing, downsizing and "better, faster, cheaper" mantra-chanting.  It
    would not make sense for him to get 20 hours of overtime every week under
    such a model.  GS-14 pay is not peanuts.
    > Ridge has been enlisted in a war on the sort of crimes many people still
    > associate with bored but harmless teenage nerds. But experts say hacker
    > attacks on federal agencies have increased in frequency and
    > sophistication, keeping pace with the remarkable progress in information
    > technology. The number of people who use the Internet, as well as the
    > volumes of data seized as evidence of crimes, have exploded in recent
    > years, making it ever more difficult to maintain an open flow of
    > information and yet guard against criminal -- or terrorist -- intruders.
    Once again, alarmist propaganda.  What's next?  Jackboots in the night?
    > In the most alarming recent intrusion involving NASA, the Pentagon and
    > other government assets, Ehud Tenenbaum, an 18-year-old Israeli who
    > called himself "Analyzer," was arrested in March for allegedly
    > orchestrating an unprecedented assault that, officials said, could have
    > disrupted global military communications.
    And much to the government's consternation, "Analyzer" and his minions
    were little more than media whore script kiddies.
    > "Bells are going off all of a sudden about how vulnerable we are," said
    > Thomas J. Talleur, who heads the IG's advanced technology programs. And
    > if a technology-oriented agency such as NASA has been slow in
    > confronting the problems, Talleur added, "what about everybody else?"
    Perhaps the best way to solve that problem is to get rid of all of the old
    school backwards-thinking neanderthals who are running the administration?
    No.  No, that would be too simple.
    > When Gross became NASA's IG in 1995, she was concerned that its
    > information systems, which include vital communications with the manned
    > space shuttle and other spacecraft, lacked adequate security. NASA was
    > one of the four government agencies that founded the Internet and it is
    > the agency with the most broadly distributed worldwide connections.
    > Moreover, the agency is leading the government in a move toward
    > paperless electronic contracting, and will soon channel all its
    > communications through a single Internet address.
    The agency is most definitely NOT leading the government toward paperless
    electronic contracting!  They do not even allow for contracts to be in
    electronic format because "they cannot guarantee authenticity" that way.
    Yet when one mentions digital signatures, the automatic response back is,
    "We cannot use cryptographic tools."
    No, the above paragraph is nothing more than pure media relations bullshit.
    > "I get to participate in their world without a lot of the baggage they
    > have to carry," Ridge said. As a result, he is free to work 12 hours a
    > day at headquarters, then carry his laptop to the officers club at a
    > nearby military base where he can work some more, undisturbed, into the
    > night.
    Secure that laptop.  Enough said.
