Stolen NASA laptop had Space Station control codes

A NASA laptop stolen last year had not been encrypted, despite containing codes used to control and command the International Space Station, the agency's inspector general told a US House committee. NASA IG Paul Martin said in written testimony (PDF) to the House Committee on Science, Space and Technology that a laptop was …

COMMENTS

This topic is closed for new posts.
Coat

Drax!

and double Drax!

6
0
Silver badge
Devil

Or maybe Operation British?

There goes Australia!

0
0

Re: Drax!

I was thinking the same thing.

I wonder if anyone has counted the shuttles to make sure none have been stolen.

Or made sure there aren't any biological warfare research labs just off Piazza San Marco in Venice.

Worth a check, do we think?

1
0
Silver badge
Coat

C'mon, guys!

It's not exactly rocket science!

14
0

Rocket science

isn't exactly NASA's forte these days, anyway...

8
0
Bronze badge
FAIL

Re: Rocket science..isn't exactly NASA's forte these days, anyway...

We know, just ask the Russians and SpaceX.

Most appropriate icon for this news item.

1
0
Facepalm

Unencrypted lost laptops

Was the user of the laptop who lost it previously employed by one of the security services?

They seem to make losing laptops with sensitive data a speciality.

1
0
Anonymous Coward

If the stuff is so sensitive and critical, why is it stored somewhere on-line, and why is it on laptops that staff wander off-site with in the first place?

2
0
Silver badge

Because...

...no matter how well you guard access, once SOMEONE has access to it, they may think they'll forget it later on when they'll need it again. And since high-security computers are likely to be air-gapped, no remote connection is possible, so they'll copy the data (even if they have to do it MANUALLY or BY ROTE--kinda hard to safeguard against biological memory). Obfuscating the codes so no one sees them won't work if the person involved is the one who actually has to handle the codes, and then we get back to where we started.

To turn an old phrase for a new purpose, ask yourself, "How do you safeguard a secret code against the code writer?"

2
1
Silver badge

Re: Because...

Apply the Vetinari Solution, viz: take your incredibly smart person, find out their favourite hobby and lock them in a light, airy room with unlimited supplies, then ask them to make the codes in their spare time.

3
0
Happy

I thought that the Vetinari Solution was...

...Tax the rat farms.

1
0
Anonymous Coward

Re: Because...

'To turn an old phrase for a new purpose, ask yourself, "How do you safeguard a secret code against the code writer?"'

Poke his eyes out for taking sensitive data off-site?

2
0
Boffin

While it's not a panacea...

One has to wonder why NASA, or any government agency, would not be using whole drive encryption on all PCs, much less laptops, by now.

2
0
Silver badge

Re: While it's not a panacea...

It may have been an older laptop that didn't have support, and NASA's budget is among the ones being tightened, so they may fire back, "How are we supposed to replace them for more secure ones without the money to requisition them?"

3
1
Facepalm

Re: Re: While it's not a panacea...

Truecrypt is Open Source and multi-platform.

There really is absolutely no excuse whatsoever for not having encryption on a laptop that contains sensitive data. Preferably whole volume encryption.

5
1
Anonymous Coward

Re: Re: Re: While it's not a panacea...

Someone else brought up TC a few days ago and I meant to comment on it then. Truecrypt is a great solution, FLOSS and all that. But it doesn't have the ability to deal with forgetting your password or when someone dies; there's no recourse. For us to remember that's manageable if the data is gone. What happens when that data is something like black budget NRO work and now nobody can access it? So there needs to be a way to deal with password resets.

Personally I think it's a security flaw, but people (including me) forget passwords all the time. They shouldn't forget this one, because they should have to enter it every day but users are what they are.

0
1
Anonymous Coward

Re: While it's not a panacea...

1) That assumes that they can get the appropriate signoffs from involved groups. Like most big government departments, from what I understand NASA is fragmented into little fiefdoms and getting them all to agree to come to work at the same time, let alone implement standard policies about security, is like saying that Labour and the Tories should have all their policies in common.

2) Various bits of NASA IT are outsourced AFAIK (e.g. http://www.odin.nasa.gov/ ), so unless drive encryption was in the original contract for services it'd be an addendum which would come with additional cost, even for free solutions like TrueCrypt. Again, getting sign off from involved parties would be difficult.

3) From what I understand ODIN is a fixed cost contract so the contractor gets more $$$ by hiring people for cheap, which again makes it difficult to implement stuff like full disk encryption.

1
0
Silver badge
Flame

"The committee pointed out that it was all very well for Washington to be debating government involvement in private sector cybersecurity issues"

Did you mean "debasing"?

3
0

Feet and meters, bits and bytes...

The obvious reason they haven't implemented encryption is the issue with bits and bytes... not unlike the issue with feet and meters... after all ROCKET SCIENTISTS made that mistake...

0
1
Facepalm

Re: Feet and meters, bits and bytes...

Well... Really they're aerospace engineers, not rocket scientists.

Also, it was a programmer that made that boner, and they are typically kept tucked away from the actual hardware. I'm not sure, but I'd hope that anyone that works on an international project like that is forced to sleep with a meter stick, now.

0
0
Thumb Up

Re: Feet and meters, bits and bytes...

I sleep with a meter stick.

Geometry joke five!

0
0
Headmaster

Re: Feet and meters, bits and bytes...

Metres please!!!!!!

0
0
Anonymous Coward

Space Station control - there's an app for that

Or could be, now. This'll put those iPhone-controlled helicopters firmly in their place

1
0
Anonymous Coward

The moron in charge of those laptops should be fired.

1
0
Silver badge

On a rocket, into the sun?

1
0
Trollface

Brilliant!

Imagine you're a supervillain and you want to steal this valuable data. Your plan would probably be as follows:

1. steal the laptop containing the data;

2. decrypt data;

3. wreak havoc!

With the drive not being encrypted, the supervillain can't get past step two! Genius!

3
0
Black Helicopters

What's the charge?

So from this reasonable sample size, over 5400 incidents, we can say that a fair estimate for the cost of an unauthorized intrusion at a government establishment is around $1300.

1
0
Silver badge

'codes' doesn't mean codes

In a lot of science and engineering "codes" means programs or algorithms.

You have "fluid dynamics codes", "smooth particle hydro codes" - so in NASA speak, space station codes could be the thermal models of the structure or the orbit ephemeris.

It's not the root password to make the ISS crash into Belgium.

1
0
Silver badge
Joke

I wonder

Sometimes, about how many of those laptops lost, in different countries, are not simply given to the wife, children and grandchildren and then simply reported as stolen.

Would this be positive or negative thinking or simply a joke?

1
0
Anonymous Coward

Who cares?

It's Russia's space station now, seeing how the US does not even have its own launch vehicle.

0
0
Anonymous Coward

NASA Hardware

I work for a company that recycles "retired" NASA computers and other bits and bobs. One of the recent systems that I had to process was an Osborne 1. With a sticker on it denoting that it had a role in the ISS. Yes, an Osborne 1. I'll guarantee you that Truecrypt doesn't work on that.

Also, many of the systems I see from them are unique or 'one-offs' that again cannot run Truecrypt or any currently available software...

Anon so I don't get fired....

2
0
Anonymous Coward

Re: NASA Hardware

I think you may have given your employer enough information to figure out exactly who you are... Unless a bunch of you worked on that Osborne...

0
1
Silver badge
Coat

Adding to the problem

of lost civil servant laptops.

Perhaps it is the only way to get an up to date laptop or perhaps when it starts to behave randomly and each time you try to show how badly it behaves to the tech people it performs nicely like they tend to do. Perhaps the lost "solution" is then the only clever one.

Then again, perhaps, those who lose their computer should pay, personally, +20% for their new computer. Perhaps the number of lost stuff would decrease.

Or, perhaps, it is fine the way it is, or, perhaps, I am wrong altogether.

0
0
FAIL

Love the fact that so much taxpayer money is going to this. So let me get this straight you have some of the smartest people around working for you, and basically everything you do depends on a computer at some point, so if everyone there is so damn smart why does no one think to buy encrypted hard drives hmm? Simply amazing.

2
0
Silver badge

Two things.

First, hard drives with built-in encryption are a bit new and have their quirks (for example, finding a 2.5" inch that fit a laptop was tricky because you couldn't use any ordinary 2.5" HD in it--you needed to cram a 1.6" drive and the encryption chips into a 2.5" form factor). That means compromises that may or may not be acceptable for the job in question.

Second, secure devices are expensive, and government budgets are getting tighter and tighter. Less spending and more security are clashing at this point.

Plus no solution on the market at the moment can completely alleviate the possibility of stealing the device "hot": while it is still running (kinda like sneaking in during those times when the front door is legitimately open).

1
1
FAIL

Re: Two things.

I have to disagree with you. DELL laptops have encryption available for HD, any size, for many years now. Free. It is on the BIOS settings and it is a very strong encryption. So your first two statements are incorrect. Second, your third statement is absurd. Any network policy, even the most relaxed one, can have the option of asking for HD encryption password after a few minutes idle. I am assuming that to steal the device HOT someone will take at least 3 minutes to grab it and get out of the building. Physical access is part of IT security policies too.

There is no excuse for this FAIL. Whoever is responsible for IT administration at NASA is very bad at what he/she does. VERY BAD.

2
2
Silver badge

Re: Two things.

You're talking BIOS encryption which as mentioned before may not have been available (depends on the laptop, and if it isn't, good luck getting money out of NASA's tightened budget for a new one). I was talking drive encryption (like a secure disk-on-module) which can be transparent to the OS and therefore useable even on older laptops.

Second, give me about a minute with the laptop and I can have it thrashing for as long as needed (think something like a defrag program). Since it's automatic but keeps the HD moving, it never idles long enough to lock. As there are ways to keep the laptop from going to sleep once the lid's closed. And physical access can be difficult if something like a laptop has to be able to go OUTSIDE (which is usually why laptops are being used; otherwise, a physically-locked-down remote workstation would be preferable).

As for hiring someone better, who's got the budget for someone better?

1
0
Anonymous Coward

The "smartest people" are too busy doing important stuff and don't have time to think about anything mundane - so, when the proles that provide the IT services start talking about security and encryption, they are told to shut up because none of them have PhDs in Astrophysics or Mathematics. When one of the smart people does something stupid, like losing a notebook containing a load of sensitive documents, the IT proles have to fight not to smirk during the various "WTF happened / who to blame" meetings that follow.

1
0

This post has been deleted by its author

Re: Two things.

I am not talking about BIOS encryption. I am talking about HD encryption that can be selected in the BIOS.....COMPLETELY DIFFERENT THING. All my laptops have it. It doesn't matter how hard you try to break through this encryption, you simply can't. Even the FBI cannot currently break that encryption.

0
2
Gold badge
Unhappy

*key* management is a pretty big issue here.

As others have pointed out what happens if you *forget* your password?

Did you choose it in the first place (and is someone *responsible* for logging it for data recovery? If so how do you notify them in a *secure* way?)

Are you told it and it's *your* job to find some way to remember it?

Had to happen sometime.

Sooner or later one of these would go missing which actually had *live* data on them, rather than another couple of dozen Powerpoints for projects that are unworkable and unfundable.

But yes Truecrypt *does* look like a pretty good idea *except* for the key management and the outsourced maintenance contracts.

What would Trevpott do?

0
0