From: <anonymousat_private> > And apparently he's built a better mousetrap. But it seems like he just > reinvented Cliff Stoll's old hack attack pager notification system? On the contrary. Yes, this gentleman built a mousetrap, but not a better one. He merely had the proper "connections" to make NASA believe that a mousetrap was, in fact, a mousetrap. > For NASA Whiz, Busting Hackers Isn't Rocket Science Nothing gives one's opponent a greater advantage than one's own hubris. > There's a new sheriff at NASA. There had better be. The current ones are a joke. > Possibly the youngest GS-14 at the space agency, 23-year-old Dan Ridge > has become a computer crimebuster for NASA Inspector General Roberta L. > Gross. While the other agents "have to wear guns and bulletproof vests > and get to work at 6:30 a.m.," he said, "I don't have to wear a gun, I > get to wear jeans, and I don't come in before 10." Computer Specialists, by definition, are not issued guns. Only agents in criminal investigations are issued firearms and granted permits to carry concealed weapons. And I personally do not see what is so great about wearing jeans and not coming in before 10 o'clock. I do it all the time. Its benefits are vastly overrated. > Gross and other NASA officials hail Ridge as the whiz who built a > "smaller, cheaper, better, faster" computer system à based on a design > called Beowulf à to detect computer intrusions agency-wide. Beowulf is > so good, they say, that NASA is touting it to the rest of the > government, to universities, to law enforcement and virtually any > organizations with big computational needs and small budgets. The system in question is based on generalities that will be out of date and out of use within six months (barring pathetically stupid scriptkiddies and 'Happy Hackers'). Furthermore, its implementation requires a complete redesign of NASA center intranets such that they need to be bottlenecked through a single proxy, thus making them ripe for smurf attacks. Now, instead of smacking several systems, you just constipate one bottleneck. Thus, instead of making the systems more secure, only two things have been accomplished: [a] the networks will now be more vulnerable to DoS attacks and [b] the truly original and clever intruders will continue to effortlessly slip past Mr. Ridge's "invention." It should be no surprise when anti-Beowulf class attack methodologies come into play; ones that trigger false positives to the point where that detection is rendered useless and disabled; only to be followed by a genuine attack. > "We brought over a 23-year-old genius and he built us a computer system > for $56,000," Gross said with a big smile. It is almost embarrassingly > cheap, she added, noting that such a concept isn't even on the screen of > some huge departments, which automatically budget millions for such an > operation. "We all love him." I think I am going to be unwell. (Novices take note: this means I am going to vomit explosively.) > Ridge, in turn, loves his job. But there is a touch of culture shock. > "It's very, very strange," he said. "There's nobody here like me. . . . > I'm probably the only civil servant around here who was not alive for > any of the moon landings." There are countless people across every center who are much younger than Ridge. I happen to have the pleasure of knowing several who are also much more skilled. > He confessed to feeling mild discomfort recently when he found himself > giving seminars à to 100 scientists and engineers in a lecture hall at > Caltech, for example, and to a group at Edwards Air Force Base working > on NASA's next-generation space plane, the X-33. "It's really something, > to be the only one with no PhD, hoping the question of my degree doesn't > come up." I have addressed similar audiences with absolutely no discomfort. Why? Because any fool knows that, while these scientists and engineers are skilled in their disciplines, they would not know a system vulnerability if it bit them. > Actually, he got so caught up in his computer work, he confessed, that > he has neglected to graduate from the University of Maryland, where he > had switched from aerospace engineering (his father's field) to computer > sciences. A senior, he has just a few more credits to go, when he can > find the time. But for now he's working 12 or more hours a day for NASA. I wonder if he is approved for extended workweek pay during this time of outsourcing, downsizing and "better, faster, cheaper" mantra-chanting. It would not make sense for him to get 20 hours of overtime every week under such a model. GS-14 pay is not peanuts. > Ridge has been enlisted in a war on the sort of crimes many people still > associate with bored but harmless teenage nerds. But experts say hacker > attacks on federal agencies have increased in frequency and > sophistication, keeping pace with the remarkable progress in information > technology. The number of people who use the Internet, as well as the > volumes of data seized as evidence of crimes, have exploded in recent > years, making it ever more difficult to maintain an open flow of > information and yet guard against criminal à or terrorist à intruders. Once again, alarmist propaganda. What's next? Jackboots in the night? > In the most alarming recent intrusion involving NASA, the Pentagon and > other government assets, Ehud Tenenbaum, an 18-year-old Israeli who > called himself "Analyzer," was arrested in March for allegedly > orchestrating an unprecedented assault that, officials said, could have > disrupted global military communications. And much to the government's consternation, "Analyzer" and his minions were little more than a media whore script kiddies. > "Bells are going off all of a sudden about how vulnerable we are," said > Thomas J. Talleur, who heads the IG's advanced technology programs. And > if a technology-oriented agency such as NASA has been slow in > confronting the problems, Talleur added, "what about everybody else?" Perhaps the best way to solve that problem is to get rid of all of the old school backwards-thinking neanderthals who are running the administration? No. No, that would be too simple. > When Gross became NASA's IG in 1995, she was concerned that its > information systems, which include vital communications with the manned > space shuttle and other spacecraft, lacked adequate security. NASA was > one of the four government agencies that founded the Internet and it is > the agency with the most broadly distributed worldwide connections. > Moreover, the agency is leading the government in a move toward > paperless electronic contracting, and will soon channel all its > communications through a single Internet address. The agency is most definitely NOT leading the government toward paperless electronic contracting! They do not even allow for contracts to be in electronic format because "they cannot guarantee authenticity" that way. Yet when one mentions digital signatures, the automatic response back is, "We cannot use cryptographic tools." No, the above paragraph is nothing more than pure media relations bullshit. > "I get to participate in their world without a lot of the baggage they > have to carry," Ridge said. As a result, he is free to work 12 hours a > day at headquarters, then carry his laptop to the officers club at a > nearby military base where he can work some more, undisturbed, into the > night. Secure that laptop. Enough said. -o- Subscribe: mail majordomoat_private with "subscribe isn". Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:02:43 PDT