A worm on the space station

I'm not making this up. A computer worm has been found on some astronaut's laptop on the International Space Station, and NASA says it isn't the first time malware has infected one of their space missions!

The news has been covered by the international press, technology blogs, space Web sites, and mass-market technology magazines, among many others.

The worm, known as Gammima or Taterf, was discovered last July, and is a generic password-stealing trojan. NASA spokespeople want to reassure us that the trojan didn't access any mission data, disrupt any missions, or do anything we should be worried about. Besides, it's happened before.

I don't know where to start. Hey, maybe I can't completely trust the spokesperson of the organization that allowed malware to spread in space. There seems to be a long-term change control issue. How is malware getting anywhere near the International Space Station? Even if the detected malware didn't access any systems' critical data or harm a mission, how are we to know that other, more devious malware hasn't been installed, used, and then silently removed without a trace? The answer is, we and they, can't give that assurance.

It's like recovering a lost or stolen laptop and then claiming that none of the data was accessed. You can't guarantee that. You can determine that the data was accessed, but you can't do the reverse. In the stolen laptop scenario, who's to say the attacker didn't open up the laptop, remove its hard drive, clone it, and put it back in?

And NASA is telling us to relax; that it's happened before. Boy, they don't know when to leave out additional information that just makes the problem even worse.

We have no way of knowing whether malicious intruders copied sensitive data or accessed sensitive systems. Let's even suppose that bad hackers never got to the space station's critical systems. Maybe they only stayed on the astronaut's personal laptop, which perhaps only has the astronauts' e-mail, personal data, and (I'm on a pure speculation run here), maybe some scientific experiment data?

Even supposing that I as an evil doer couldn't access critical systems, I can still learn a lot of information and cause a lot of harm. First, no matter how much I'm told that the astronaut's laptop didn't contain critical systems information, there is almost always sensitive information leakage between the secure and non-secure systems, especially with the controls that seem to be in place in this scenario.