Re: NASA's OIG (Orbit Information Group?)

Neil Clifford (n.clifford1@physics.oxford.ac.uk)
Thu, 31 Aug 1995 09:22:39 +0100 (BST)

Joe A. Dellinger scribbles:

|>      Can this be true? Surely not!

Unfortunately it is.

|>	You realize that giving OIG's computer your host name, username, and
|>password as you describe would be a HORRIBLE security risk... are they
|>collecting host/username/password triplets or something?!

This is exactly what I was about to point out. For my transfers I have
the luxury of being able to use disposable accounts on machines where I
am not at risk from attack (any more from any other machine on the net).

|>	Even if the people at OIG are completely trustworthy, what if THEY
|>get cracked? It's a cracker's dream, an internet-accessible machine that
|>people log into from all over the world and freely provide all the information
|>needed to break into their home accounts!!! If the crackers knew about this
|>machine it would make a MOST tempting target for them.

Absolutely. 

|>	Are you really SURE that's what is required? If so this is deserving
|>of a "comp.risks" posting. I would hope people at NASA would think ahead more
|>clearly than that...!!!!

I would strongly suggest petitioning NASA, OIG etc. to change the system
first (oh, when will they find the web? [I know I've said this before on
this list]). A large-scale public 'scare' would possibly lead to
withdrawal of the service, which is still valuable in its present form
(well, there is no other such source!); worse, those in charge might be
so slow to react that the system will have been heavily abused before
they lift a finger (NB I am not an advocate of 'security through
obscurity'). This was why it would have been nice if I could have
grabbed a daily full (i.e. all-object) TLE file and put it on
ftp.physics.ox.ac.uk for everyone to grab. A simple cgi-bin on the web
server could have searched it if people only wanted one or two TLEs.

|>	If what you say is true and you really need to use this dangerous
|>service I would recommend having the OIG ftp the material to an anonymous ftp
|>site that allows incoming files. Then you could safely download the material
|>from there.

If there is demand for this from subscribers to this list I can of
course make this facility available on the ftp archive. Bear in mind,
though, that having uploaded the files you will not be able to delete
them, so you must choose unique names each time, as you would not be
able to overwrite previous files until I got round to deleting them.
This then raises the problem of 'when do I know you've finished with
them?' It would also be open to abuse from the types you mention below.
It really is not the ideal solution at all.

|>	If I sound paranoid to you, then I'd hazard that you haven't yet had
|>to spend hours cleaning up a system that has been maliciously trashed by
|>invaders from the internet... (not to mention redoing all the work that was
|>lost).

I am paranoid ;-)

regards,

Neil.
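To make the alternative Neil describes concrete (a complete TLE file published for anonymous download, plus a server-side search for people who only want one or two element sets), here is an added example in Python. It is not code from the original post, from this list, or from OIG. The file contents are constructed for the example: the first record is the commonly reproduced ISS sample element set, and the other two are derived from it (one with a different catalog number and recomputed checksums, one with a deliberately wrong checksum). The validation rules applied (69-column lines, the line-number prefix, matching catalog numbers on both lines, and the modulo-10 checksum) are the standard TLE format conventions. The security point is that a search over a file the server already holds asks the client for nothing but a name or catalog number, so no host, username or password ever leaves the user's machine.

```python
"""Validate and search a locally held TLE file by object name or NORAD
catalog number. Added example; not code from the original post or OIG."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample file. Record 1 is the widely reproduced ISS element
# set. Record 2 changes the catalog number to 25545 with checksums
# recomputed. Record 3 keeps the wrong checksum digit (7 where 9 is
# required) on line 1 so the validator rejects it.
SAMPLE_TLE_FILE = """\
ISS (ZARYA)
1 25544U 98067A   08264.51782528 -.00002182  00000-0 -11606-4 0  2927
2 25544  51.6416 247.4627 0006703 130.5360 325.0288 15.72125391563537
CONSTRUCTED OBJECT A
1 25545U 98067A   08264.51782528 -.00002182  00000-0 -11606-4 0  2928
2 25545  51.6416 247.4627 0006703 130.5360 325.0288 15.72125391563538
BAD CHECKSUM (CONSTRUCTED)
1 25546U 98067A   08264.51782528 -.00002182  00000-0 -11606-4 0  2927
2 25546  51.6416 247.4627 0006703 130.5360 325.0288 15.72125391563539
"""


@dataclass(frozen=True)
class Tle:
    name: str
    line1: str
    line2: str

    @property
    def catalog_number(self) -> int:
        # Columns 3-7 of line 1 carry the NORAD catalog number.
        return int(self.line1[2:7])


def tle_checksum(line: str) -> int:
    """Modulo-10 checksum over the first 68 columns: each digit counts its
    value, a minus sign counts 1, every other character counts 0."""
    total = 0
    for ch in line[:68]:
        if ch.isdigit():
            total += int(ch)
        elif ch == "-":
            total += 1
    return total % 10


def validate_line(line: str, expected_prefix: str) -> Optional[str]:
    """Return None for a well-formed TLE line, otherwise the reason."""
    if len(line) != 69:
        return f"length {len(line)} != 69"
    if line[0] != expected_prefix:
        return f"line number {line[0]!r} != {expected_prefix!r}"
    if not line[68].isdigit():
        return "checksum column is not a digit"
    computed = tle_checksum(line)
    if int(line[68]) != computed:
        return f"checksum {line[68]} != computed {computed}"
    return None


def parse_tle_file(text: str) -> Tuple[List[Tle], List[str]]:
    """Parse 3-line records (name, line 1, line 2). Returns the accepted
    records and a list of readable errors for the rejected ones."""
    lines = [ln.rstrip("\r\n") for ln in text.splitlines() if ln.strip()]
    records: List[Tle] = []
    errors: List[str] = []
    for i in range(0, len(lines) - len(lines) % 3, 3):
        name, l1, l2 = lines[i], lines[i + 1], lines[i + 2]
        problems = [p for p in (validate_line(l1, "1"), validate_line(l2, "2")) if p]
        if not problems and l1[2:7] != l2[2:7]:
            problems.append(f"catalog numbers differ: {l1[2:7]} vs {l2[2:7]}")
        if problems:
            errors.append(f"{name.strip()}: " + "; ".join(problems))
            continue
        records.append(Tle(name.strip(), l1, l2))
    if len(lines) % 3:
        errors.append(f"{len(lines) % 3} trailing line(s) do not form a record")
    return records, errors


def search(records: List[Tle], query: str) -> List[Tle]:
    """All-digit queries match the NORAD catalog number exactly; anything
    else is a case-insensitive substring match on the object name."""
    q = query.strip()
    if q.isdigit():
        return [r for r in records if r.catalog_number == int(q)]
    return [r for r in records if q.upper() in r.name.upper()]


if __name__ == "__main__":
    good, bad = parse_tle_file(SAMPLE_TLE_FILE)
    for err in bad:
        print("rejected:", err)
    for hit in search(good, "iss"):
        print(hit.name, hit.catalog_number)
```

The checksum test is what lets a published file be served to strangers with some confidence: a corrupted or hand-edited record is dropped with a reason instead of being handed out as if it were authoritative. A cgi-bin wrapper would only need to read the query string, call `search`, and write the matching three lines back.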