and double Drax!
A NASA laptop stolen last year had not been encrypted, despite containing codes used to control and command the International Space Station, the agency's inspector general told a US House committee. NASA IG Paul Martin said in written testimony (PDF) to the House Committee on Science, Space and Technology that a laptop was …
There goes Australia!
I was thinking the same thing.
I wonder if anyone has counted the shuttles to make sure none have been stolen.
Or made sure there aren't any biological warfare research labs just off Piazza San Marco in Venice.
Worth a check, do we think?
It's not exactly rocket science!
isn't exactly NASA's forte these days, anyway...
We know, just ask the Russians and SpaceX.
Most appropriate icon for this news item.
Was the user of the laptop who lost it previously employed by one of the security services?
They seem to make losing laptops with sensitive data a speciality.
If the stuff is so sensitive and critical, why is it stored somewhere on-line, and why is it on laptops that staff wander off-site with in the first place?
...no matter how well you guard access, once SOMEONE has access to it, they may think they'll forget it later on when they'll need it again. And since high-security computers are likely to be air-gapped, no remote connection is possible, so they'll copy the data (even if they have to do it MANUALLY or BY ROTE--kinda hard to safeguard against biological memory). Obfuscating the codes so no one sees them won't work if the person involved is the one who actually has to handle the codes, and then we get back to where we started.
To turn an old phrase for a new purpose, ask yourself, "How do you safeguard a secret code against the code writer?"
Apply the Vetinari Solution, viz: take your incredibly smart person, find out their favourite hobby and lock them in a light, airy room with unlimited supplies, then ask them to make the codes in their spare time.
...Tax the rat farms.
'To turn an old phrase for a new purpose, ask yourself, "How do you safeguard a secret code against the code writer?"'
Poke his eyes out for taking sensitive data off-site?
One has to wonder why NASA, or any government agency, would not be using whole drive encryption on all PCs, much less laptops, by now.
It may have been an older laptop that didn't have support, and NASA's budget is among the ones being tightened, so they may fire back, "How are we supposed to replace them for more secure ones without the money to requisition them?"
Truecrypt is Open Source and multi-platform.
There really is absolutely no excuse whatsoever for not having encryption on a laptop that contains sensitive data. Preferably whole volume encryption.
Someone else brought up TC a few days ago and I meant to comment on it then. Truecrypt is a great solution, FLOSS and all that. But it doesn't have the ability to deal with forgetting your password or when someone dies; there's no recourse. For us to remember that's manageable if the data is gone. What happens when that data is something like black budget NRO work and now nobody can access it? So there needs to be a way to deal with password resets.
Personally I think it's a security flaw, but people (including me) forget passwords all the time. They shouldn't forget this one, because they should have to enter it every day but users are what they are.
1) That assumes that they can get the appropriate signoffs from involved groups. Like most big government departments, from what I understand NASA is fragmented into little fiefdoms and getting them all to agree to come to work at the same time, let alone implement standard policies about security, is like saying that Labour and the Tories should have all their policies in common.
2) Various bits of NASA IT are outsourced AFAIK (e.g. http://www.odin.nasa.gov/ ), so unless drive encryption was in the original contract for services it'd be an addendum which would come with additional cost, even for free solutions like TrueCrypt. Again, getting sign off from involved parties would be difficult.
3) From what I understand ODIN is a fixed cost contract so the contractor gets more $$$ by hiring people for cheap, which again makes it difficult to implement stuff like full disk encryption.
"The committee pointed out that it was all very well for Washington to be debating government involvement in private sector cybersecurity issues"
Did you mean "debasing"?
The obvious reason they haven't implemented encryption is the issue with bits and bytes... not unlike the issue with feet and meters... after all ROCKET SCIENTISTS made that mistake...
Well... Really they're aerospace engineers, not rocket scientists.
Also, it was a programmer that made that boner, and they are typically kept tucked away from the actual hardware. I'm not sure, but I'd hope that anyone that works on an international project like that is forced to sleep with a meter stick, now.
I sleep with a meter stick.
Geometry joke five!
Or could be, now. This'll put those iPhone-controlled helicopters firmly in their place
The moron in charge of those laptops should be fired.
On a rocket, into the sun?
Imagine you're a supervillain and you want to steal this valuable data. Your plan would probably be as follows:
1. steal the laptop containing the data;
2. decrypt data;
3. wreak havoc!
With the drive not being encrypted, the supervillain can't get past step two! Genius!
So from this reasonable sample size, over 5400 incidents, we can say that a fair estimate for the cost of an unauthorized intrusion at a government establishment is around $1300.
In a lot of science and engineering "Codes" mean programs or algorithms.
You have "fluid dynamics codes", "smooth particle hydro codes" - so in NASA speak, space station codes could be the thermal models of the structure or the orbit ephemeris.
It's not the root password to make the ISS crash into Belgium.
Sometimes, about how many of those laptops lost, in different countries, are not simply given to the wife, children and grandchildren and then simply reported as stolen.
Would this be positive or negative thinking or simply a joke?
It's Russia's space station now, seeing how the US does not even have its own launch vehicle.
I work for a company that recycles "retired" NASA computers and other bits and bobs. One of the recent systems that I had to process was an Osborne 1. With a sticker on it denoting that it had a role in the ISS. Yes, an Osborne 1. I'll guarantee you that Truecrypt doesn't work on that.
Also, many of the systems I see from them are unique or 'one-offs' that again cannot run Truecrypt or any currently available software...
Anon so I don't get fired....
I think you may have given your employer enough information to figure out exactly who you are... Unless a bunch of you worked on that Osborne...
of lost civil servant laptops.
Perhaps it is the only way to get an up to date laptop or perhaps when it starts to behave randomly and each time you try to show how badly it behaves to the tech people it performs nicely like they tend to do. Perhaps the lost "solution" is then the only clever one.
Then again, perhaps, those who lose their computer should pay, personally, +20% for their new computer. Perhaps the number of lost stuff would decrease.
Or, perhaps, it is fine the way it is, or, perhaps, I am wrong altogether.
Love the fact that so much taxpayer money is going to this. So let me get this straight you have some of the smartest people around working for you, and basically everything you do depends on a computer at some point, so if everyone there is so damn smart why does no one think to buy encrypted hard drives hmm? Simply amazing.
First, hard drives with built-in encryption are a bit new and have their quirks (for example, finding a 2.5" inch that fit a laptop was tricky because you couldn't use any ordinary 2.5" HD in it--you needed to cram a 1.6" drive and the encryption chips into a 2.5" form factor). That means compromises that may or may not be acceptable for the job in question.
Second, secure devices are expensive, and government budgets are getting tighter and tighter. Less spending and more security are clashing at this point.
Plus no solution on the market at the moment can completely alleviate the possibility of stealing the device "hot": while it is still running (kinda like sneaking in during those times when the front door is legitimately open).
I have to disagree with you. DELL laptops have encryption available for HD, any size, for many years now. Free. It is on the BIOS settings and it is a very strong encryption. So your first two statements are incorrect. Second, your third statement is absurd. Any network policy, even the most relaxed one, can have the option of asking for HD encryption password after a few minutes idle. I am assuming that to steal the device HOT someone will take at least 3 minutes to grab it and get out of the building. Physical access is part of IT security policies too.
There is no excuse for this FAIL. Whoever is responsible for IT administration at NASA is very bad at what he/she does. VERY BAD.
You're talking BIOS encryption which as mentioned before may not have been available (depends on the laptop, and if it isn't, good luck getting money out of NASA's tightened budget for a new one). I was talking drive encryption (like a secure disk-on-module), which can be transparent to the OS and therefore useable even on older laptops.
Second, give me about a minute with the laptop and I can have it thrashing for as long as needed (think something like a defrag program). Since it's automatic but keeps the HD moving, it never idles long enough to lock. As there are ways to keep the laptop from going to sleep once the lid's closed. And physical access can be difficult if something like a laptop has to be able to go OUTSIDE (which is usually why laptops are being used; otherwise, a physically-locked-down remote workstation would be preferable).
As for hiring someone better, who's got the budget for someone better?
The "smartest people" are too busy doing important stuff and don't have time to think about anything mundane - so, when the proles that provide the IT services start talking about security and encryption, they are told to shut up because none of them have PhDs in Astrophysics or Mathematics. When one of the smart people does something stupid, like losing a notebook containing a load of sensitive documents, the IT proles have to fight not to smirk during the various "WTF happened / who to blame" meetings that follow.
I am not talking about BIOS encryption. I am talking about HD encryption that can be selected in the BIOS.....COMPLETELY DIFFERENT THING. All my laptops have it. It doesn't matter how hard you try to break through this encryption, you simply can't. Even the FBI cannot currently break that encryption.
As others have pointed out what happens if you *forget* your password?
Did you choose it in the first place (and is someone *responsible* for logging it for data recovery? If so how do you notify them in a *secure* way?)
Are you told it and it's *your* job to find some way to remember it?
Had to happen sometime.
Sooner or later one of these would go missing which actually had *live* data on them, rather than another couple of dozen Powerpoints for projects that are unworkable and unfundable.
But yes Truecrypt *does* look like a pretty good idea *except* for the key management and the outsourced maintenance contracts.
What would Trevpott do?