NASA Hacked

I was watching Al Jazeera, one of my regular news feeds, when I saw the news crawler say “NASA Hacked”.

Well, after a momentary “So What? So they get Hansen’s bogus cooked history of temperatures. So what?” I decided that maybe I’d not had so much Pinot Grigio as to block thinking critically… ( I’ve found that enough mix of alcohol and antihistamines, such as Benadryl, Chlorpheniramine Maleate [aka Allerest], or even the psychoactive “Elavil” or amitriptyline HCl can make me more or less “normal”… don’t ask, it’s not my prescription and I’ll not explore how or why… for legal reasons. I do it so that I can “have a rest” from the Hungry Mind some times…) So I’d heard this crawl by and thought? Wha?…

http://www.orlandosentinel.com/features/consumer/sns-rt-us-nasa-cyberattacktre8211g3-20120302,0,5323181.story

Reuters 7:56 p.m. EST, March 2, 2012

(Reuters) – NASA said hackers stole employee credentials and gained access to mission-critical projects last year in 13 major network breaches that could compromise U.S. national security.

National Aeronautics and Space Administration Inspector General Paul Martin testified before Congress this week on the breaches, which appear to be among the more significant in a string of security problems for federal agencies.

The space agency discovered in November that hackers working through an Internet Protocol address in China broke into the network of NASA’s Jet Propulsion Laboratory, Martin said in testimony released on Wednesday. One of NASA’s key labs, JPL manages 23 spacecraft conducting active space missions, including missions to Jupiter, Mars and Saturn.

He said the hackers gained full system access, which allowed them to modify, copy, or delete sensitive files, create new user accounts and upload hacking tools to steal user credentials and compromise other NASA systems. They were also able to modify system logs to conceal their actions.

Stewed, Screwed, and Tattooed…

So I’ve thought for a while that “I’d never want to be responsible for preventing a hacking today.” for the simple reason that I have a Spotless Record with zero penetrations of sites I ran. Since then Microsoft and others have managed to poke so many holes in security that I can’t see any reasonable way to maintain a 100% success record; other than the “air gap” (which leaves me wondering why critical systems are NOT “Air Gap Security” at NASA)…

But, even with that, how can it be that NASA got hacked?

I mean, I hired away from NASA Ames some of my best folks. Then again, the ones left behind were not the best…

Unencrypted notebook computers that have been lost or stolen include ones containing codes for controlling the International Space Station as well as sensitive data on NASA’s Constellation and Orion programs and Social Security numbers, Martin said.

Well, that’s gonna be a problem…

Ah well, it’s only NASA… with any luck the stuff they try to copy will set back their science by a 1/4 century; after all, that’s what I’d estimate Hansen et al. have accomplished for us…

“Our review disclosed that the intruders had compromised the accounts of the most privileged JPL users, giving the intruders access to most of JPL’s networks,” he said. (http://bit.ly/yQFSB8)

In another attack last year, intruders stole credentials for accessing NASA systems from more than 150 employees. Martin said his office identified thousands of computer security lapses at the agency in 2010 and 2011.

He also said NASA has moved too slowly to encrypt or scramble the data on its laptop computers to protect information from falling into the wrong hands.

Well that’s got to be a problem…

Were it my site and we’d been hacked that badly, we’d have:

1) Air Gap Security to any critical system and / or any critical user who was hacked
2) Complete top to bottom security review.
3) A honey pot / hacker disinformation op.
4) A new Director of I.T.
5) Top to bottom encryption policy. (Heck, my hard disk is now mostly encrypted and only decrypted if I need something from it; and I often push the ‘network disconnect’ button when I give the pass phrase… )

Oh well, it’s only NASA. They stopped doing anything that mattered about the time Nixon killed the last Apollo missions…


About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present “hot buttons” are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Tech Bits.

46 Responses to NASA Hacked

  1. Jeff Alberts says:

    Can you explain the “air gap”? I’m not familiar with it. Without Googling it I might guess it means no direct internet connectivity.

  2. The expression “air gap” no longer means the security it once implied. Wireless routers have become de rigueur — and a major weakness. And as soon as a wireless router lights up, people start rearranging their facilities so that it becomes more and more difficult to go back to the days of hooking up to the CAT5 (or 10Base-T for us old guys). (Not to mention RS232 or IEEE 488 or 20 milliamp current loop…)

    In order to talk to wireless desktops, laptops and PDAs, you have a host … of security challenges.

    ===|==============/ Keith DeHavelle

  3. That is startling news!

    If we ever get to the bottom of the global climate scandal, it will be interesting to see if serious compromises of NASA since ~1971 are confirmed.

    http://dl.dropbox.com/u/10640850/Climategate_Roots.pdf

    Yesterday (Friday) a friend suggested that I might be dreaming the impossible dream of “The Man from La Mancha”

    http://en.wikipedia.org/wiki/Man_of_La_Mancha

  4. Serioso says:

    Gentlemen do not read each other’s mail.

    But today sin has become fashionable. Breaking into another’s private exchanges is now applauded. I have myself been the subject of attacks. Tolerating or approving such attacks is not something we should cheer.

    How far we have fallen!

  5. George says:

    “Ah well, it’s only NASA”

    Maybe not. The Dept. of Defense has had the Pentagon and many other networks off the internet for a few days while they “fix” something.

    Also, “air gap” is useless once someone brings in a “thumb drive”. What you do is

    #1: run critical systems on a different operating system and CPU architecture than “personal” systems run. In other words, don’t use Windows on Intel processors. Use Linux on M68k or something.

    #2: if you aren’t using a port for something, shut off the service or block the port. Better, block ALL ports and open only what is needed and only to whom it is needed to be opened to. Instead of using the “firewall” approach, you use a “fire suit” approach where each machine is protected with its own set of filter rules.

    #3: Machines that take connections from the Unwashed Masses on the Internet sit with another firewall between them and the rest of your internal network and they don’t initiate connections into your net. Even if someone manages to hack in, they can’t then use that as a jumping off point to get to other stuff.
    #4: Layer passwords. Gear in different security zones should have different passwords. Gear directly on the Internet should have different passwords than gear in your internal network. Firewalls exposed to the Internet have different passwords from firewalls between different security zones inside your network.

    #5 NEVER let a packet from the Internet land directly on a server. At the very least they should go through a proxy ahead of the real server (that has different passwords than the real server) and most likely through a proxy AND a load balancer. I generally put something like a Citrix Netscaler ahead of the servers. That thing doesn’t even HAVE an IP address on a physical interface facing the Internet. It has service IPs that live only in software. When it hears an ARP for one of its service IPs, it responds with its MAC address but it has no IP address on that interface. When it replies to traffic, it hands the reply back to the same MAC address that handed it the first packet of the session. It operates at layer 2 … which can’t be spoofed across the Internet and since there is no IP address on the internet facing interface, it can’t be hacked into. There is no IP address for a potential attacker to target. For the service IPs, the unit establishes a new TCP connection to the real server behind it and simply transfers the data from an incoming session packet to an outgoing packet on the other TCP session. Any fiddling of headers and options in the packets never reach the real server. A malformed packet or malformed request designed to tickle a buffer overflow on the server never makes it to the server in the first place. If the query string is invalid, it gets dropped right at the edge.

    One major problem these days is VPN connectivity. Users sit at home telecommuting connected to a VPN and can act as a door to the internal network from the Internet.

    Never type passwords for sensitive systems and network gear into the keyboard. Use something like Password Safe or one of the many clones (Password Gorilla for Linux, for example), which keeps your passwords encrypted. You cut/paste them rather than typing them so keyloggers have a harder time intercepting them.

    NEVER type passwords on someone else’s computer! Everything you type might be logged and maybe they don’t even know it.

    If a network isn’t supposed to be able to talk to the Internet, make sure that can’t physically happen. For example if you have front end servers that talk to a back end database and that database network should never send traffic outside of that subnet, don’t create a routing interface in that subnet. In such cases I will have two interfaces on the database servers, one for the database listeners that the front end servers talk to, and one administrative interface that uses a firewall as its default gateway. Those two nets appear in my network gear at layer 2 only, no routing interfaces on either the DB or the Admin interface. The default gateway for the DB machines goes out the admin interface to the firewall. So even if someone does create a router interface on the DB net, if someone attempts to connect to that database from outside the local subnet, the reply goes to the firewall and is dropped on the floor because the firewall won’t pass the reply when it never saw the initial SYN packet to begin with.

    You would be surprised at how absolutely nuts people are when it comes to security when things could be much more secure and yet not impact the ability of people to work at all. Most networks are like a Tootsie Pop … hard on the outside with a soft, chewy center and that hard shell is pretty thin in many of them. I like to make mine like a hard shell on the outside, with a collection of jawbreakers on the inside. Maybe some of those jawbreakers have a soft chewy center, but getting through the main outer shell still leaves you having to get through the shell of every single one of the compartments inside.

    IPv6 will help somewhat if people use it properly. But I will bet you people are going to number addresses sequentially in many cases or put gateway IPs at the :1 IP of each subnet or something where they can be easily found and targeted. I just added some v6 addresses to some gear today in one network at an office of ours. In that particular case, the gateway IP ends in :ad40:84f0:8155:165e so someone will be scanning the subnet for a few decades before they find that one. When you have a 64-bit host address space, you can generate pseudo-random IP addresses for things. But I don’t have to memorize that IP address either because it isn’t really random, it is an algorithm that is based on the router’s name, so I run a little program, enter the router’s name, and it spits that number at me which is the host portion of the IP address. The subnet part I CAN memorize because I know which subnets I am routing through that router. So I concatenate the four quads of the subnet with the four quads that program spits out, and I can find the IP address of that router even if DNS is busted. The address space on one single subnet is the size of the entire global ipv4 internet address space squared. I don’t use the modified EUI-64 addressing because MAC addresses fall in certain ranges by vendor and that greatly reduces the range one must scan for hosts. Just limit your scan for the range for Intel network cards, for example. My mechanism is nearly random, for the most part in that changing the name by even a single character changes the entire IP address. For example, the IP above was for router #1 of a redundant pair.
    The interface for the second router in that same subnet ends with :718a:cd37:34ec:9f01 so rather than .1 and .2 (or .3 and .4 with a .1 shared between them with some high-availability mechanism) I have :ad40:84f0:8155:165e and :718a:cd37:34ec:9f01 which are neither sequential nor intuitive but I can generate it in a second by simply typing the hostname into the host address generator. Someone would literally have to scan my network for ages to find them and hope I didn’t notice them scanning and block their IP.
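George describes deriving the 64-bit host part of an IPv6 address from the router’s name instead of numbering hosts sequentially or using modified EUI-64. The block below is an added example of that idea, not George’s program: his algorithm is not given in the comment and the addresses he quotes are not reproduced. It assumes a keyed hash (HMAC-SHA256 under a per-site secret; both are assumptions) so that someone who learns the naming scheme cannot regenerate the addresses from hostnames alone, and it includes an EUI-64 builder and detector to show what a vendor-derived identifier gives away. The prefix 2001:db8:1:2::/64, the key and the hostnames are constructed sample input.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed sample inputs (assumptions, not taken from the comment above).
SITE_KEY = b"rotate-me-per-site-secret"   # in practice read from a protected file
PREFIX = "2001:db8:1:2::/64"              # RFC 3849 documentation prefix

IID_MASK = (1 << 64) - 1


def hashed_iid(hostname: str, key: bytes = SITE_KEY) -> int:
    """64-bit interface identifier derived from a hostname with a keyed hash.

    The name is normalised so 'Router1' and 'router1 ' map to the same address.
    The u/l (0x02) and group (0x01) bits of the first byte are cleared so the
    result can never be mistaken for a universally administered EUI-64.
    """
    name = hostname.strip().lower().encode("utf-8")
    digest = hmac.new(key, name, hashlib.sha256).digest()
    iid = int.from_bytes(digest[:8], "big")
    return iid & ~(0x03 << 56) & IID_MASK


def host_address(prefix: str, hostname: str,
                 key: bytes = SITE_KEY) -> ipaddress.IPv6Address:
    """Concatenate the /64 subnet prefix with the hostname-derived identifier."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("hostname-derived identifiers assume a /64 subnet")
    return ipaddress.IPv6Address(int(net.network_address) | hashed_iid(hostname, key))


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 identifier (RFC 4291) from a MAC address, for contrast:
    the vendor OUI is copied in unchanged and ff:fe is inserted in the middle."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC such as 00:1b:21:aa:bb:cc")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def _iid_bytes(addr: str) -> bytes:
    return (int(ipaddress.IPv6Address(addr)) & IID_MASK).to_bytes(8, "big")


def is_eui64(addr: str) -> bool:
    """True when the low 64 bits look like a modified EUI-64 (u bit set, ff:fe marker)."""
    iid = _iid_bytes(addr)
    return bool(iid[0] & 0x02) and iid[3:5] == b"\xff\xfe"


def oui_of(addr: str) -> Optional[str]:
    """Recover the vendor OUI that an EUI-64 address leaks, i.e. the range George
    says an attacker would limit a scan to. None when the address is not EUI-64."""
    if not is_eui64(addr):
        return None
    iid = _iid_bytes(addr)
    return "%02x:%02x:%02x" % (iid[0] ^ 0x02, iid[1], iid[2])


if __name__ == "__main__":
    for name in ("router1", "router2"):
        print(name, host_address(PREFIX, name))
    base = int(ipaddress.IPv6Network(PREFIX).network_address)
    eui_addr = ipaddress.IPv6Address(base | eui64_iid("00:1b:21:aa:bb:cc"))
    print("eui64 address", eui_addr, "leaks OUI", oui_of(str(eui_addr)))
```

The key is what makes the scheme better than obscurity: an unkeyed hash of guessable names (router1, core-gw, db01) collapses the search space back to a dictionary of hostnames. Treat the key as a credential, and keep a record of the generated addresses so that rotating the key does not strand management access on the day DNS is down.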

  6. George says:

    Actually, considering how many CPUs the govt buys each year, they could probably get a government version of the IA-64 with a modified microcode so “civilian” binaries won’t even run.

    You would have to recompile all the software for their CPU, but it would prevent anyone dragging any programs in and trying to run them. They would simply be gibberish. But all the source code would still compile and run as usual so you could have all of your usual operating systems and productivity tools, but your average run of the mill malware won’t spread from the internet to the machine.

  7. George says:

    And that is such a simple idea that I don’t understand why they don’t do that for critical infrastructure. Someone could break in, maybe, but their “rootkit” isn’t going to run.

  8. w.w.wygart says:

    “Well, it’s only NASA”. Yes, but I’m awfully tired by now of funding the Chinese space program this way.

    BTW Chiefio, you have to be careful of the amitriptyline, that one is fairly easy to OD on. I was on that one for a few weeks last year when I had ophthalmic shingles, mostly it helped me sleep when I wanted to pluck my eyeball out of my head.

    http://en.wikipedia.org/wiki/Amitriptyline#Overdose

    W^3

  9. R. de Haan says:

    I’m not surprised at all.
    NASA has been hijacked by Humanus Retardus.
    Not only NASA suffers from a Humanus Retardus infestation, so do the Pentagon, Lockheed Martin, Stratfor, Sony, IBM, Apple, and a long list of Government, university and research institutions.

    The Pentagon site was down yesterday including all internet communication.
    http://www.myfoxdc.com/dpps/news/internet-outage-at-pentagon-dpgonc-20120301-to_18314337#ixzz1nuwRVHy0

    In the Netherlands a hacker managed to enter a site that was used to control the water level.
    Without any problem the hacker was able to open or close gates, bridges and tunnel access.

    And what to think about the security of our financial institutions and our banks.

    One of the high-ranking military IT specialists who was ordered to investigate the drone hacks
    http://www.wired.com/dangerroom/2011/10/drone-virus-kept-quiet/ concluded that it was impossible to create 100% secure networks, thus giving a free card to Humanus Retardus to continue the path of decline.

    The big risk that I see here is that one day a hack attack will be hyped to the level of a “Van der Lubbe Event” (the guy who set fire to the Reichstag, which triggered the NAZI power grab) to a level where “Houston we have a problem” becomes our problem.

    I think the rule of Humanus Retardus is not only limited to the IT world.
    In Germany this week a hospital was closed because of a MRSA strain infestation running out of control.
    Investigators found samples of the strain responsible for the infection dating back six years ago.
    All this time the hospital management took no appropriate action and covered up a rising number of people who died from the infection.

    BIGGS thinks he knows why Humanus Retardus rules:
    http://jubalbiggs.wordpress.com/2011/01/02/washington-wants-us-to-die/

  10. R. de Haan says:

    As we have experienced for years now, Humanus Retardus has also infested climate science and science in general, and of course our media.

    Here is a great example:
    http://www.myfoxorlando.com/dpp/news/scitech/science/030212-japan-invents-speech-jamming-gun-that-silences-people-mid-sentence

    As truth and common sense are the biggest threat to Humanus Retardus, this “invention” must be a wet dream come true.

  11. Tregonsee says:

    Some things don’t change. Around 1985, NASA had an early network based on a DEC system. The computer down the hall from my office was hacked by a high school student, since one of the contract employees used his last name as both user name and password. It also turned out that some NASA HQ computers on the system only required a user name to access. Fortunately it was test system, with only scientific rather than operational or engineering information.

  12. adolfogiurfa says:

    @R.de Haan This is what “Apocalypse” is all about:Apocalypse (Greek: ἀποκάλυψις apokálypsis; “lifting of the veil” or “revelation”) is a disclosure of something hidden from the majority of mankind in an era dominated by falsehood and misconception, i.e. the veil to be lifted.

  13. adolfogiurfa says:

    Just tell me: Is there anything there with enough value to be hacked?

  14. Richard deSousa says:

    Did the hackers also crack GISS? That’s where James Hansen and his group of catastrophic anthropogenic warmers work. I’d love to see Wikileaks publish the Hansen group’s emails.

  15. E.M.Smith says:

    @Keith DeHavelle:

    One can ‘air gap’ the desktop boxes. For laptops and phones it’s a different issue. There are ways to suppress the connectivity (install local ‘nodes’ that capture the traffic) but the ‘user community’ demand for risky behaviours usually causes management to demand connectivity and then demand that it be fully secure too, and not via application of much money…

    The inevitable result is folks get hacked…
    “Fast, good, cheap. Pick any two. -E.M.Smith”

    Users and management typically pick “fast and cheap” when it comes to security.

    @George:

    Nice list. Nice idea on the microcode too.

    @W.W.Wygart:

    I had started with tabs that were 1/2 to 1/4 of the normal dose and worked down from there.

    I’m doing ‘microdoses’. The intent is to get a modest effect from the minimal material. Yeah, a bit alien compared to what most folks do. Basically, it takes about 1 to 2 bottles of wine to be “still”. I can get to the same point on about 1/3 bottle with Benadryl. The amitriptyline dose is a very small one and seems to have the same effect. On my “to do” list is check the list of all things it does. It is also a contact anesthetic (like benadryl, under the tongue makes numb…) but of longer persistence. In addition to use for migraines, it is used for kids with ADHD. It’s the ADHD part that interests me…

    Basically, I’m doing an ‘on label’ use, but deliberately exploiting an interaction for the express purpose of reducing the dose level as much as possible. ( I hope to eventually reach some set of things such that a glass of wine with dinner – of things like high Omega-3 level that reduces inflammation effects – could result in being more ‘still’ for a while…)

    Why? Well, because drinking a whole bottle of wine is not so good for the liver… and I’m unwilling to “go there” very often for just that reason. I generally lean toward a behaviour of zero drugs (even being resistant to taking Tylenol due to the rate of liver failure from it and Aspirin due to the rate of stomach bleeds). I’m a strong “minimalist”.

    Well, some years ago a friend and I sat down to a keg of Harp Beer. Expecting my usual “many mugs” and watching others “go down” I had a couple of mugs. I then proceeded to go take a nap… That was when I learned that the warning on Allerest “May cause drowsiness. Alcohol may intensify this effect” worked the other direction too. A bit of Allerest mixed with beer and I was “drunk under the table” before most anyone else… Which started me on the notion of finding a ‘minimal mix’ to get the ‘desired effect’ of “Awake but still”. Which lead to ‘trying different things’.

    The amitriptyline seemed to ‘fit the bill nicely’ – in fact, too nicely. The tabs are already about the size of a lentil. Trying to cut one into 1/4 bits is nearly impossible. So at that point it was back to benadryl as the tabs are easier to physically manage while the effect is about the same (at the very low doses involved). As near as I can tell, Benadryl does the same things as amitriptyline but with a larger less persistent dose. So it is now my 1st choice antihistamine.

    In the end, the OTC anti-histamines are both easier to get and physically much easier to get into a ‘cut down dose’. Mixing a ‘tiny’ with the beer / wine means I can cut both down by about 1/2 to 1/4 size; and that IMHO is a good thing. Saves a lot on the wine bill too ;-)

    In short: I’m so far from the ‘overdose’ range that it’s silly, so “no worries”. The goal state is even further away, not closer.

    @Serioso:

    There are no gentlemen left today.

    When I ran corporate email systems we had a very strict morality about the mail. It was absolutely private and never divulged. Once delivered any intermediate servers would scrub their copy so as to reduce risk of it being read by “others”. As of today it is, by law, saved for years for the express purpose of being handed over to dozens of other folks and agencies for them to dredge through at their leisure. Many companies have folks assigned to read other folks mail for “risk mitigation”.

    We come from different times than now.

    As mail postmaster, I saw things in email that were potentially very damaging to high ranking folks (typically because something was ‘stuck’ in the mail server and I had to go into it to find out what and fix things.) I required of myself that I treat all such as secret and as though I had never seen them. Like Doctor / Patient privacy or the lawyer / client privacy. There was a moral obligation to protect the individual privacy.

    That, too, is now archaic. Email is now moving out to remote servers at other companies and perhaps in foreign hands. How will they treat an email showing a ‘date’ being set up between a V.P. and someone not his spouse? Time will tell…

    National governments are ‘dredging’ all communications to ever higher extent. The US Govt has issued a request for proposal for software to dredge all tweets, posts, etc. It is time for everyone to move to encrypted email, but they don’t. ( I’m still waiting for someone to offer a clean ‘encrypted end to end painlessly’ email client – though I haven’t looked in a while. But automatic exchange of public keys would be a good start).

    Ah, well. I suppose the ancient Knights felt the same way about the loss of chivalry…

    @Jeff Alberts:

    “Air Gap” comes from the old days when wires connected all machines. You could assure a particular computer was secure by checking that there was a gap, filled with only air and no communications wire, between the machine and the network. Look at the ethernet connector of the box and make sure no wire is attached.

    Today one would need to also assure that critical machine had no “Wireless Network Card” in it. That ALL the various communications means were cut.

    Somewhere at NASA there is a computer that can control a satellite. Right now it has a wire connecting it to all the other computers at NASA. That network inside NASA, through a ‘boundary router’ connects to the Internet. This means some guy in China can hack in to the NASA network, then get to that machine and control the satellite.

    At any point in that chain you can interrupt the connectivity and assure security.

    Most folks today depend on various very complicated testing and inspection of the network traffic to assure only the “right stuff” gets through. Thanks to various “holes” in software from common providers ( often deliberately inserted to provide “features” that are based on security being weak) and thanks to ever more people demanding those “features”, it is now much more difficult to assure a network is ‘unhackable’. (One minor example: At one time getting a person to launch a foreign program on their computer was hard to do and it was an obvious activity when it happened. As of now, we launch all sorts of programs just by opening a web browser to display a page. It is possible to put a ‘hot pixel’ on a page that looks exactly like all the other pixels around it, but simply passing your mouse over that pixel launches that program…)

    Just pulling the wire stops all that stuff. At the expense of not being able to do things like open web pages…

    So, WHY is a computer that controls a spacecraft connected to a network at all?

    The I.T. staff will want it so that they can install software and fix bugs remotely, without effort to go to the site.

    Management will want it so they don’t have to pay travel costs for I.T. staff and / or have a guy “on site” to fix things.

    Folks using the box will want it so that they can “get to the box” from their own desktop, laptop, or perhaps even from home.

    Mission Managers will want it so that if something goes “bump in the night” the guy who is at home and knows what to do can “connect remotely” and do it.

    and on and on…

    Connectivity is convenient and a frequent positive event. Hacking is rare and easily forgotten… so we connect everything and hope. “But hope is not a strategy. -E.M.Smith”

    I fought this battle for years. I ran an absolutely secret site at Apple. Even that project could not have direct connectivity to the rest of the Engineering Department. I “took rocks” regularly from users wanting to be seamlessly connected to the rest of Engineering. From Engineering wanting to be seamlessly connected to the ROApple. From lots of folks wanting integration with the Internet.

    Each time I’d have another review: Was the technology available to allow that level of connectivity without compromising our security mission? As long as the answer was “yes” we would add connectivity. On a “no” we would add ‘security education’.

    On the “secret side” we added a second desktop machine so folks had their secret computer and their private company computer. Email was via isolating relay servers. We instituted a sort of schizophrenia in the Cray with chroot such that there were two different levels. General Engineering folks saw 1/2 the Cray, secret side saw the whole thing. Etc etc etc

    Basically, it takes one heck of a lot of work to make a secure facility and keep it secure. It takes even more to do it while internet connected. (For example we had a ‘token based access’ before they were common: You had to present a credential that changed every minute in order to gain access to the private network (and different from the secret one). Some folks would lose their token and be locked out until we got a new one to them. Money and time…)

    Today most folks just wire everything in, put up a commercial firewall box and install some virus software and call it done. That stops “the usual suspects” but is not enough for a truly secure site. But at this point everyone is so conditioned to letting any vendor out there change the software on their computer “over the internet” and at random times than any attempt to enforce software and network lock down is doomed. As long as your software is subject to external change and you are internet connected there is a giant security hole to exploit.

    The user base now expects ALL of the internet ALL THE TIME on every machine. Heck, even the I.T. guys are getting lazy and expect to never need to actually go visit a machine to do anything. Remote support is the standard (and Microsoft has added all sorts of remote control “hacker welcome mats” such that you can “share” not only your files, but your screens and keyboards as well. Security? Who needs security?…) So in many sites the “remote control ‘feature’” is left on.

    This means that, typically, things like computers controlling water release from dams are networked to other computers that have a human interface (i.e. the dam manager’s desktop) that is itself ‘wide open’ to remote install of software and remote control over a network that runs (perhaps even over the internet) to all sorts of remote sites and remote companies that provide various “services”. Meaning for some folks, a guy in India can do just about anything to that box by design. ( The last contract I was on, in Florida, was largely coordinating the Indian support staff with the USA demands for service… changing and updating just about every core server in that major company in the USA.)

    So how secure is that Indian Desktop from penetration by a Foreign Agency? Well, how good a resume can they present to the manager and how cheaply will they work?

    Yeah, it’s that bad.

    Basically, “you get what you pay for” has run smack into “I want it cheap and I want full connectivity”, with a token “Oh, and secure things” tacked on right after the hacking happens…

    In that kind of environment, and with “modern” software, IMHO, the most immediate way to secure “mission critical” things is to pull the network plug. Go to an “Air Gap”.

    So the desktop that controls the satellite sits in a locked office in a secure NASA room. It has connectivity to the satellite and nothing else. The guy who drives the satellite sits in the room.

    Want to have 3 guys who can do that scattered around the world? You put them on a secure network together that does not connect to anything else. We used to do this with leased lines. Today I could do it with VPN tunnels (at some minor decrease in security). It will take a server or two to provide some core levels of services and control (things like DNS service and time service). As soon as you have that, you have a policing function. The I.T. staff has to assure no ‘backdoor’ is connected from that private ‘secret’ network to the corporate net or the internet. You also have risks via the boundary router / tunnel forming router being hacked, so much hangs on them being locked down. Still, while it’s not as secure as a workspace in a locked room, a secret net can be very secure. (The Military uses such networks).

    One trick I’ve used is the Illegal IP Number. (Don’t toss rocks… I inherited it) The site was numbered with a number that I think belonged to H.P. This meant that anyone on site could not contact H.P. internal computers (as our DNS said “it is inside here” not “out there”. As we had no connectivity to inside HP, that didn’t matter. It also meant that anyone trying to connect to our inside computers had numbers that the outside world would route to HP (who would drop them on the floor…) So anyone outside trying to route to our site routed to the wrong place…

    There are a hundred and one such “tricks” that get stacked to provide real security. Substantially all of them bypassed or neutralized once you accept the ‘Microsoft Remote Support Internet Connection Mandatory’ model of life…

    One last point:

    In my shops, we start with the Air Gap and add services (reducing security) one at a time until there are enough services (and not too many risks). The “model today” is to start as a fully open internet connected remoted box, depending entirely on the boundary router / firewall security; and then hope…
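E.M.Smith mentions a credential that changed every minute as part of the token-based access on his private network. The block below is an added example and not the token system he ran: it implements time-based one-time passwords as standardised in RFC 6238 (HOTP from RFC 4226 driven by a time counter), with a skew window for clock drift, a constant-time comparison, and a replay check so that a code accepted once cannot be presented again within its window. The RFC’s 30-second step is the default and the step is a parameter, so a one-minute token is `step=60`. The seed `12345678901234567890` and the timestamps are the RFC 6238 test vectors; the user name is constructed.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# RFC 6238 Appendix B test seed (ASCII), used here as constructed sample input.
RFC_SEED = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer and reduction to the requested digit count."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(key, unix_time // step, digits)


class TokenVerifier:
    """Verifies TOTP codes with a skew window and rejects replay of an accepted code.

    last_counter records, per user, the highest time-step counter already accepted,
    so the same code cannot be used twice while it is still within the window.
    """

    def __init__(self, step: int = 30, digits: int = 6, skew: int = 1):
        self.step, self.digits, self.skew = step, digits, skew
        self.last_counter: Dict[str, int] = {}

    def verify(self, user: str, key: bytes, code: str,
               unix_time: Optional[int] = None) -> bool:
        # Reject malformed input before any comparison so compare_digest only
        # ever sees ASCII digit strings of the expected length.
        if not (code.isdigit() and len(code) == self.digits):
            return False
        now = int(time.time()) if unix_time is None else unix_time
        base = now // self.step
        for delta in range(-self.skew, self.skew + 1):
            counter = base + delta
            expected = hotp(key, counter, self.digits)
            # Constant-time comparison: a plain == leaks the matched prefix length.
            if hmac.compare_digest(expected, code):
                if counter <= self.last_counter.get(user, -1):
                    return False  # replay: this step, or a later one, was already used
                self.last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    # Values from the RFC 6238 SHA-1 test table, 8 digits, 30-second step.
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC_SEED, t, digits=8))
    print("one-minute token now:", totp(RFC_SEED, int(time.time()), step=60))
```

The replay check is the part most home-grown token verifiers leave out: with a skew of one step a code is accepted for up to 90 seconds, and without the per-user counter an attacker who shoulder-surfs or sniffs a code can simply log in a second time behind the legitimate user.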

  16. Jason Calley says:

    @ E.M. I do not think it is very likely, but suppose that the effect of the anti-histamine and the alcohol combined was not something inherent in the anti-histamine, but was a result of the anti-histamine’s actions? In other words, what if the calming effect was a combination of the lack of histamine in your body, combined with the alcohol. If that were the case, then anything that rids you of histamine would work; just do it before the alcohol. I am thinking about the old trick of taking a VERY hot shower to use up your body’s histamine; the effect lasts a couple of hours. Or perhaps a good dose of niacin to make a histamine flush, and then, after the flush dies down a bit, some alcohol.

    Yes, it’s a long shot, probably not the case… but the experiment is free!

  17. E.M.Smith says:

    @Jason Calley:

    Golly. Somehow I’d never heard about the hot shower and histamine… That explains a lot. ( I’m often ‘still’ for a while after a hot shower / long soak. I’d always just figured it was psychological…)

    Would explain the folks who soak in the hot tub a bit sozzled and pass out, slip under, and drown..

    Hmmm…

    But back at theory:

    My working thesis is that the RedHead Gene comes with a higher histamine level or a more active kind of histamine. Thus the “more irritable” reputation of RedHeads and their reputation for more allergies and having a ‘reactive’ metabolism. My R.H. MIL was notorious for reacting to things, even having reactions to many common food dyes. Vitamin pills with dye caused problems. My spouse and I are both somewhat ‘reactive’. My son had a tendency to migraines and the occasional Eczema (that is also found at higher rates in ADHD kids). So you have the same drugs that treat one, seem to treat the other… Hmmmm….

    I’ve tried antihistamines all on their own. They do OK, but the side effects can be an annoyance. (More sleepy, less ‘still’, and the benadryl ‘numb tongue’ if dissolved in the mouth; the quality of the effect is more ‘stupid blanket’ than ‘me, just more centered’). So I then started looking for ways to get the “best effect”.

    Oddly, one early success was Irish Coffee. Nicely alert and focused, but the “flighty OHHH a Shiny Thing!!!” more dampened. Some problems: It wears off fast. It takes a lot of whiskey. It is expensive. Any time before noon and I’m trashed.

    I think it is related to my wider body temperature swings than most. I can be 97.5 F in the morning and 99.4 F that evening… but at ‘low’ temps alcohol and me are worst enemies. I just get a ‘hangover’ on the first drink or two and ‘no joy’ at any time. Having a sudden case of the ‘stupids’ and a hangover is not my idea of a good start to the day. I did no experiments to learn this as I had no desire for anything but coffee in the mornings; however, several companies I’ve been at had “events”… Bus trips to the beach, loading at 8 am with Screwdrivers and Bloody Marys. Sales events at 10 AM with suits and champagne. I learned pretty quickly that ‘before noon’ was bad juju for me. So part of the ‘thesis’ is that dampening temperature swings is part of the effect. The direct metabolic depression, that is so unwelcome before noon…

    Also RedHeads have a “Drink ’em under the table” reputation for being able to drink a lot. (Frankly, anything under a bottle of wine and I’m barely noticing it. I get a little more “still of mind”, but not drunk. At about the 1 to 2 range is the crossover. At 2, I’m drunk. Somewhere beyond that is “non-functional”, but it’s far enough out that I’ve had trouble reaching it (as the stomach insists on dumping any more before that point). Yes, I ‘toss my cookies’ before I’m “gonners”. Likely it was a survival advantage at some point (drink your enemies under the table, toss cookies, do in enemies, stagger home…) now it’s just a PITA. Everyone else gets to party, I get a large bar bill and not much else…) I think this is related to a thinner cell wall.

    ALL Anesthesia works by dissolving into the cell wall and changing the thickness. Alcohol too.

    So a bit of anesthesia would get rid of a lot of the ‘overactive nerves’ effect. (Autistics are often very sensitive to textures. I hate wool. Drives me nuts with the scratching – that is worse than drawing blood to me.)

    So I think that the two together are what gives complete relief. Thicken up the cell walls so nerve conductivity and speed becomes normal, fewer ‘quick jumps to tangential ideas’, less irritation at environmental stimulations (like noises that are too loud even when quiet…) Add some antihistamine (and if one that is a mild anesthetic like benadryl, all the better) to further quell any metabolic ‘reactiveness’ and with both of the drugs depressing metabolism broadly so getting that “when you’re hot you’re hot” 99+F back down closer to normal when done in the late afternoon.

    All acting to move the “out of spec” parameters back toward the accepted normal values.

    I’ve never tried the “mix” in the mornings nor at the noon transition as I have had no need nor desire. I suspect that “before noon” would likely make me ill. I’m usually looking for hot showers to raise body temperature and hot coffee / tea to make my brain stop misfiring ;-) Left to my own devices, I just sleep until a bit before noon and wake up ‘normal’ … then heat up into the evening…

    So, to your point:

    I suspect that histamine alone is only part of the mix (though a significant part and perhaps even more of a point for ADHD kids who do not have wide daily temp swings); and that direct anesthetic effects dampening nerve conductivity and propensity for the synapse to fire is another large part. Likely the temperature relationships are idiosyncratic to me.

    A ‘dig here’ would be to what extent histamine interacts with anesthesia… RedHeads have a reputation for being ‘anesthesia resistant’… I had a proctoscopy where they gave me something that was supposed to put me completely out. I was “drunk off my butt” and by closing one eye could focus enough with the other eye to watch the monitor showing inside my intestines… I had my eardrum rebuilt and was given 3 cycles of anesthesia. A Demerol, Nembutal, Valium mix. On the third dose the Doctor said to the others in the theatre “If we give him any more it will kill him”. They then asked me if I could be still while they did the surgery. I said yes. The Doctor took a scalpel to my skull and asked if I was feeling anything. I told him I was feeling “no pain” and to “do what he wanted”. I then got to examine the experience of having an electric drill taken to my ear canal… while quite aware… but feeling no pain.

    Three DAYS later the drugs wore off. I think that I was on the edge of liver shutdown from the high dose… So I was effectively so drunk I could not sit up and prone to dry heaves for 3 days… Yeah, I’d call that drug resistant…

    I’ve never been put ‘fully under’ by any anesthesia I’ve been given in the several times folks have tried. I have gotten bored with observing the process and chosen to go to sleep (often near the last 1/3 of the process while prepping to head to ‘recovery’, such as after the colonoscopy) but that is a different step.

    So I think a key part is the cell wall thickness changing effect of anesthetics indicating that “normal” is toward the direction of a thicker cell wall. As the preferred anti-histamines also have an anesthetic effect (numb tongue… benadryl can be used as an emergency topical anesthetic for ‘field expedient surgery’…) there may be some cross effects involved… One bit I’ve not figured out, though, is how I can be completely insensitive to pain from anesthesia yet the brain does not react as much. There’s a bit of detail there to work out… An open question would also be “Does histamine counteract anesthesia?” That would help with the connections. Or “Does histamine change cell wall thickness?”

    Hope that helps explain something to someone ;-)

    The major feature for me was realizing that I could, in fact, experience “normal” with a modest degree of shifting of cell wall thickness and nerve sensitivity / reaction rates. It is a much more peaceful place, even if I am a bit uninspired then. I even find wool doesn’t bother me so much… which might explain a lot about Red Headed Irishmen in woolen kilts looking for a drink ;-)

  18. @E.M.Smith

    The more we focus on our problems, the worse they get.

    Rx: Forget your problems and use your talents (computer skills and the intellectual capacity) to help society out of its current despair.

  19. George says:

    Back in the day of ARPANet when DCA ran “the Internet” there was a very real spot where the civilian and the military sections of the “internet” met. It was a specific piece of cable. The cable went through a device with a weighted wedge suspended over it. When the US went to a particular defense condition (DEFCON), that wedge dropped and physically cut the military MILNET from ARPANET.

  20. E.M.Smith says:

    @George:

    Love the way they foiled competing hackers to claim the prize…

    FWIW, while on contract to Schwab (FBI fingerprints and all) I worked with some folks on a very secure version of Unix with some name like SecOS (that present web searches show being used for other things). We went through one heck of a lot of contortions with it.

    Two things:

    1) It did test as secure in every thing we tried.

    2) It was from an Israeli company, so we all figured it likely WAS secure, and that we’d not find the “back door” even with a lot of looking, but one was probably built in…

    Don’t know what, if anything, they ever did with it. Most of their stuff all ran on IBM proprietary kit and was not connected to anything outside. “Proprietary and Airgap”… gee, and as near as I can tell never been hacked… The Government needs to get a clue…

    I want my ballot on PAPER and I want it hand audited then stored for a decade. NO electronic anything at any step, with the possible exception of a scanner / dot-counter as long as IT has no network connectivity of any kind and only makes a tally of dots in fields…

    With the rate of decay of security, I figure that in a couple of more election cycles China, Russia and / or Iran will be picking our president depending on which of THEM beats the others to the system and locks them out….

    FWIW, for things I’m really worried about, I boot off a CD with a disposable OS and have a ‘write only’ OS image… seems to work OK ;-) I also like having write protected binary file systems for executables. None of this “dynamic library” stuff either if I can arrange it. Compile, link and LOCK IT DOWN. Burn to a CD. Then I can feel confident that it isn’t hacked… (that does not prevent break ins, but does prevent leaving lots of kit behind…)

    Ah well. I’m a dinosaur now. Everything is all open and dynamic. I figure it will take a few more years for something really big to happen and make it clear why I don’t do electronic stuff much. (NO ATM card, NO Online bill pay, etc.) Saw a show last night where a company was saying that they had their bank account emptied of about $1/4 Million via a transaction oriented virus. Zeus? Something like that. Were I the CEO / CFO of the company I’d never have that much money with “online access” permissions. But it was his company, and he wasn’t a computer guy…

    Oddly, a lot of the computer guys I know don’t trust online banking…
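    The “compile, link and LOCK IT DOWN” approach above only gives confidence if you can later prove the locked-down binaries are still the ones you burned. Here is an added example, not code from the original post, of the check that goes with it: build a SHA-256 manifest of an executable tree at burn time, then compare the live tree against it and report anything modified, missing, or added. The directory contents are constructed in a temporary folder so it runs anywhere.

```python
"""Integrity manifest for a locked-down executable tree.

Added example, not from the original post. build_manifest() is run once
over the tree you are about to burn; verify_manifest() is run later against
the live copy. The sample files below are constructed stand-ins for binaries.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 (works for large binaries)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """{relative posix path: sha256 hex} for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, manifest: dict) -> dict:
    """Compare the live tree with the recorded manifest.

    Returns sorted lists under 'modified', 'missing' and 'added'; all three
    empty means the tree still matches what was recorded."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest
                           if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Record a constructed tree, then change it and report the differences."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        # Constructed stand-ins for compiled executables.
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed sample binary one")
        (root / "bin" / "sh").write_bytes(b"\x7fELF constructed sample binary two")
        manifest = build_manifest(root)   # this is what you burn alongside the tree

        # Now make the kinds of changes a verifier exists to catch:
        (root / "bin" / "ls").write_bytes(b"\x7fELF sample binary one, altered")
        (root / "bin" / "extra").write_bytes(b"\x7fELF file that was never recorded")
        (root / "bin" / "sh").unlink()
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The manifest is only as trustworthy as its own storage: keep it on the same read-only media as the binaries (or sign it) so that whoever can change a binary cannot quietly rewrite the hash list to match.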

  21. adolfogiurfa says:

    “They” can hack anything but our soul. Intelligence is ours not theirs.

  22. George says:

    If you ever see something like this in one of your networks, you’re screwed:

    http://www.wired.com/wiredenterprise/2012/03/pwnie/

  23. George says:

    “a lot of the computer guys I know don’t trust online banking”

    I certainly don’t. Nor do I trust “anti-virus” software. I have never once in my life had my anti-virus software alarm on anything. I do have NOD32 on my system but it’s never seen anything nor did McAfee before. I do have Norton Antivirus on the kids computers. Don’t really trust it, though.

  24. Jeff Alberts says:

    @E.M. Smith, re Air Gap.

    Thanks. That’s what I thought.

    Keith DeHavelle says:
    3 March 2012 at 4:53 am

    Didn’t understand a word you said. Can you make that into Iambic or haiku? ;)

  25. E.M.Smith says:

    @Jeff:

    He said, roughly, ~”Once you support wireless ports, folks stop using {list of wired standards and types} and become addicted to wireless. Then you have guys in the parking lot with sniffers to cope with and other wireless issues.” and, btw, “air gap” doesn’t work if the box has a wireless card in it…

  26. @Jeff Alberts:
    *chuckle*
    Be careful what you wish for. Here is the book process for Linux.
    In iambic pentameter.
    The Kernel Gets the Boot into the Core

    But yes, I have been having some fun on ClimateAudit recently.

    ===|==============/ Keith DeHavelle

  27. Jason Calley says:

    @ E.M. “Somehow I’d never heard about the hot shower and histamine… ”

    Yes, it can be a useful thing to know! If you ever have a bad case of poison ivy or a lot of insect bites and no access to antihistamines. A hot, hot shower releases a flood of histamines to the skin and depletes the body supply. Use water hot enough to be somewhat uncomfortable. You can get at least a few hours of itch relief after you get out.

    You may be on to something about red heads being sensitive to various stimuli. Think of military fighter planes. The best ones are inherently unstable. Who wants a stable fighter? After all “stable” is just another word that means “does not respond quickly to small inputs”. Perhaps red heads illustrate stochastic resonance http://en.wikipedia.org/wiki/Stochastic_resonance_%28sensory_neurobiology%29 in biological systems. :)

  28. Jeff Alberts says:

    Serioso says:
    3 March 2012 at 5:57 am

    Gentlemen do not read each other’s mail.

    Gentlemen don’t expect others to merely take their word for it. Gentlemen help others replicate their results, not obfuscate and lie.

  29. Jeff Alberts says:

    @EM

    hehe, I understood him, I was just having him on for not making a poem out of it. ;)

  30. The survival of society with the basic rights that Americans had prior to 2011 may require a few brave souls to use their intellectual talents and computer skills unselfishly, for the public good. They will need the courage to dream the impossible dream of “The Man from La Mancha.”
    http://en.wikipedia.org/wiki/Man_of_La_Mancha

    Why? World leaders were seriously frightened for their own lives by
    1. The atomic bomb that vaporized Hiroshima on 6 August 1945, and
    2. The threat of nuclear annihilation during the 1962 Cuban missile crisis.

    Fear convinced them to
    a.) Form the United Nations (24 Oct 1945) to reduce nationalism, and
    b.) Hide information on nuclear energy [Efforts to block normal publication of self-sustaining nuclear chain reactions in nature, P. K. Kuroda, J. Chem. Phys. 25, 781 & 1295 (1956)]
    http://www.springerlink.com/content/n556224311414604/

    In 1969-1972, Richard Nixon and Henry Kissinger worked to end the Cold War:
    http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB145/index.htm
    http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB66/

    EPA was formed in Dec 1970 to start replacing nationalism with environmentalism. Henry Kissinger went secretly to China in 1971 to unite nations against a common enemy, Global Climate Change, and avoid the threat of mutual nuclear destruction by converting the entire world population into one single peace-loving, community guided by consensus post-modern science and politically-correct attitudes.

    http://dl.dropbox.com/u/10640850/Climategate_Roots.pdf
    http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB66/bcp01.html

    I would appreciate information on how to encrypt two documents that I plan to update before reposting them as pdf documents with workable hyperlinks:
    1. “Neutron repulsion”
    2. “Deep roots of the global climate scandal”

  31. Jeff Alberts says:

    Quick question, E. M. What do you use for hard drive encryption?

  32. Jim says:

    I have to agree with you WRT Microsoft. They have done more to kill security than any other group on Earth.

  33. Jim says:

    Also, consider the damage a “Smart Grid” (dumb idea) could do.

  34. E.M.Smith says:

    @Jeff Alberts:

    I use Truecrypt

    http://www.truecrypt.org/

    based on a recommendation from others and reading what their web site said they do. Seems to work as advertised.

    gnuPG looks like it is doing the right things too:

    http://gnupg.org/

    A decent overview of PGP and cryptography:

    http://www.pgpi.org/doc/pgpintro/

    A windows version of GNUpg

    http://gpg4win.org/

    @Oliver:

    If you don’t find what you want in that list, say what you need that isn’t there and I’ll see what I can dig up. (For example, you don’t say if you want a private encrypted archive copy – but published clear text; or, a private encrypted working disk; or, a published copy that is encrypted where you can then share a key with selected folks for them to decrypt…)

    Symantec has a commercial product and you can find more with a simple search:

    http://www.symantec.com/products/purchasing.jsp?pcid=pcat_info_risk_comp&pvid=wd_encryption_1

    http://duckduckgo.com/?q=pgp+document+encryption

  35. adolfogiurfa says:

    The best encryption: We know… they don’t, and fortunately it will be so until the end of times.

  36. adolfogiurfa says:

    Or… do you know how to decrypt symbols? Just imagine how frustrated our forefathers may feel!!

  37. E.M.Smith says:

    @Adolfo:

    There is a technical difference between encrypted and encoded. Codes are, by definition, not ‘crackable’ without the code book (or a very crappy code that reuses symbols for easily guessed things…) Basically, you can “decode” a code with enough information about what happened and then what was sent, but you can’t “decrypt it”. (And now I’m using a circular argument…)

    The Navajo Code Talkers never had their code broken as it was both in a language few folks knew, but even a Navajo speaker could only say “They said the turtles were dying in the sun”… Unless you know that “turtles” was the word for tanks and what “sun” coded for, you had no way to know what it meant. No analytical attack can get past that point.

    Now, if you have a native Navajo who regularly gets “The Eagles have arrived” and every time that happens, the P-51 Mustangs are chewing up your troops… you might guess that “Eagle” was “fighter plane”… but it takes a long time, a large corpus, and a keen sense of pattern matching… And some good Navajo talkers…

    An encryption or cypher can be attacked in many analytical ways. So, for example, for English the letter “e” is the most common. A simple ‘substitution cypher’ can be broken with a population count of letters and enough text for a reasonable standard normal letter count distribution. (The Enigma Machine of W.W.II was cracked in part thanks to the Germans reliably ending their transmissions in the Politically Required “Heil Hitler”. Gave them a body of fairly reliable text to see how it mutated on different messages, then they could back-figure some of the wheels… There was also one guy who used the same settings for his machine a lot – his girlfriend’s name or some such. Let them compare one message in two encipherments fairly reliably… then it’s just a LOT of math and statistics and some really good guesses…)

    The decoding of Hieroglyphics was just such a process of ‘guessing the encodings’. A cartouche was guessed to probably contain the name of a Roman Emperor. That gave sounds to a couple of ‘letters’ that led to more guesses on more cartouches. Eventually they were able to ‘guess’ what some of the symbols coded for (and eventually figure out that some code for a thought / whole word, while others code for the sound of the letter… and others, called a ‘determinant’, let you sort out possible alternative meanings…) They had a very large body of text to work from, but needed the parallel text of the Rosetta Stone to even have a start on it.

    There are many encoded messages that have never been broken. Linear-A is one of them… The Phaistos disk is another.

    So if you want to have completely secure communications, use a shared ‘code book’ and only send a few messages before changing codes. (Oh, and you need to destroy the old code books or if they are ever found your old messages become readable…)

    One easy variation on this is the use of a shared common text. Then you just send, for example, the number groups for page, sentence, word. Works with any agreed text. The Bible is a common one, but Joy Of Cooking would also work… Or Webster’s ;-) It works great as long as nobody notices that you spend a lot of time flipping around in the Joy Of Cooking ;-)

    BTW, I have a fascination with encryption, encoding, cyphers, et. al…. bet you never would have guessed ;-)

    (One old Roman technique was to spiral wrap a ribbon on a staff. Write your message on it, then unwrap it. The letters end up scattered along the length… they only make words again when wound back on an equal sized staff… That method worked for far longer than one would have expected… )
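    Two of the points in the comment above are easy to see in working code: a ‘population count of letters’ recovers the key of a simple substitution cypher, and the ribbon-on-a-staff trick (a transposition) is untouched by that same count, because it moves letters around without changing which ones appear. The following is an added example, not code from the original post; the English letter-frequency table is a standard published approximation, the sample plaintext is the opening sentence of Dickens’ A Tale of Two Cities, and the shift cypher stands in for the general substitution case.

```python
"""Letter-frequency attack on a shift cypher, contrasted with a scytale.

Added example, not from the original post. The frequency table is an
approximate published English distribution; SAMPLE is public-domain text
used as constructed input. recover_shift() scores each of the 26 possible
shifts with a chi-squared statistic against English and returns the best.
"""
from collections import Counter
import string

# Approximate frequency of each letter in English text, in percent.
ENGLISH_FREQ = {
    'a': 8.2, 'b': 1.5, 'c': 2.8, 'd': 4.3, 'e': 12.7, 'f': 2.2, 'g': 2.0,
    'h': 6.1, 'i': 7.0, 'j': 0.15, 'k': 0.77, 'l': 4.0, 'm': 2.4, 'n': 6.7,
    'o': 7.5, 'p': 1.9, 'q': 0.095, 'r': 6.0, 's': 6.3, 't': 9.1, 'u': 2.8,
    'v': 0.98, 'w': 2.4, 'x': 0.15, 'y': 2.0, 'z': 0.074,
}

SAMPLE = ("it was the best of times it was the worst of times it was the age of "
          "wisdom it was the age of foolishness it was the epoch of belief it "
          "was the epoch of incredulity")


def letters_only(text):
    return "".join(c for c in text.lower() if c in string.ascii_lowercase)


def shift_cipher(text, shift):
    """Shift every letter by `shift` places (negative shift decrypts)."""
    out = []
    for ch in text.lower():
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        else:
            out.append(ch)
    return "".join(out)


def letter_counts(text):
    """The 'population count' of letters the comment refers to."""
    return Counter(letters_only(text))


def chi_squared(text):
    """How far the letter histogram of `text` is from English (lower = closer)."""
    counts = letter_counts(text)
    total = sum(counts.values())
    score = 0.0
    for c in string.ascii_lowercase:
        expected = total * ENGLISH_FREQ[c] / 100
        score += (counts.get(c, 0) - expected) ** 2 / expected
    return score


def recover_shift(ciphertext):
    """Try all 26 shifts; the one whose output looks most like English wins."""
    return min(range(26), key=lambda k: chi_squared(shift_cipher(ciphertext, -k)))


def scytale_encrypt(plain_letters, rod):
    """Write the letters around a staff `rod` letters in circumference,
    then read the unwrapped ribbon: letters i, i+rod, i+2*rod, ... are adjacent."""
    return "".join("".join(plain_letters[i::rod]) for i in range(rod))


def scytale_decrypt(cipher, rod):
    """Rewind onto a staff of the same size: undo the column interleave."""
    n = len(cipher)
    cols, pos = [], 0
    for i in range(rod):
        length = (n - i + rod - 1) // rod      # letters that sat at i, i+rod, ...
        cols.append(cipher[pos:pos + length])
        pos += length
    return "".join(cols[j % rod][j // rod] for j in range(n))


if __name__ == "__main__":
    ct = shift_cipher(SAMPLE, 7)
    print("shift recovered:", recover_shift(ct))
    plain = letters_only(SAMPLE)
    sc = scytale_encrypt(plain, 5)
    print("scytale changes the text:", sc != plain,
          "but not its histogram:", letter_counts(sc) == letter_counts(plain))
```

The chi-squared score needs enough text for the letter counts to settle toward the language’s distribution, which is the same ‘enough text for a reasonable standard normal letter count distribution’ caveat the comment makes; on a dozen letters it guesses badly. The scytale’s identical histogram shows why the count tells you nothing about the staff size: against a transposition you have to guess the geometry instead.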

  38. adolfogiurfa says:

    What I really meant is that kind of “encryption” which is rejected by its own nature: As the following: A global warmer will never accept arguments made by a skeptic. That kind of “encryption” is like transmitting at a certain wavelength and a radio receiver only capable of tuning a quite different wavelength.

  39. E.M.Smith says:

    @Adolfo:

    Ah, got it! I’m transmitting in ASCII and they are listening in Baudot (while others are speaking EBCDIC ;-)

    Though really that’s different encoding rather than different encryption… “I’m going skip 3 substitution and they are doing Enigma A4GR3L decryption”?

  40. George says:

    http://www.contactmusic.com/news/hackers-steal-michael-jacksons-unreleased-tracks_1300070

    The entire catalog of Michael Jackson’s tracks including many not released have been stolen over the Internet. This happened in the Spring of 2011 but is only now being announced by Sony.

  41. Larry Geiger says:

    “Somewhere at NASA there is a computer that can control a satellite. Right now it has a wire connecting it to all the other computers at NASA. That network inside NASA, through a ‘boundary router’ connects to the Internet. This means some guy in China can hack in to the NASA network, then get to that machine and control the satellite.”

    Not generally true. Controller may have separate hardware, side by side. One for business (timecard, browsing the net, etc) and one for work (controlling satellites, etc). But generally the networks are completely separate.

    NASA does a lot of business stuff and most of it is done by contractors. Normal NASA systems are no more secure than any other average government agency or corporation.

    Just because they broke into computers at JPL “where satellites are controlled” doesn’t mean that the control network was accessed. Even if they were able to access credentials. NASA is fairly picky about those kinds of systems and an “air gap” is usually in place (with no wireless connections either).

    Also, some of those control systems are so old no one has ever invested the time or energy to connect them to modern networks. I’m sure that the Voyager control system that just got shut down was about as inscrutable to its operators as anyone from the outside world.

    At the ROC at Cape Canaveral, the control systems are isolated and personnel are not even allowed inside the building with cell phones, flash drives or any computer media. I don’t think it’s likely a hacker can access a satellite control system from the internet.

  42. E.M.Smith says:

    @Larry Geiger:

    So the news was misleading? I’m shocked ;-)

    Nice to hear some folks still appreciate the Air Gap…

  43. @E.M

    I also use TrueCrypt. It has a deniability feature which thankfully I have no need for as IIRC Bruce Schneier has stated that it isn’t really deniable.

    You may be interested in a personal security experiment I tried using FreeNX server and NoMachine’s NX client. It allows a traveler to use a netbook via public wifi to securely run applications on a home desktop with near local desktop performance. To be more clear, my browser, for example, ran on my remote desktop, not my local netbook.

    I had swapped out the 2.4 kernel in Damn Small Linux with 2.6 (so as to use newer libraries required by the netbook) and booted the DSL NX client from an SD flash switched to r/o mode. When DSL went defunct, I built a Tiny Core replacement. But with my poorer vision, I eventually couldn’t deal with the freedesktop.org display anymore, so I gave it up. Today I am traveling with my desktop! Maybe I’ll revisit this experiment tonight using the latest Xorg.
