NASA's crap infosec could be 'significant threat' to space ops

NASA's Office of the Inspector General has once again concluded the American space agency's tech security practices are "not consistently implemented". Confirmation that the US government department's infosec abilities are not up to scratch was a repeat of last year's federally mandated security audit, which also found that …

  1. bombastic bob Silver badge
    Devil

    apparently too small of a budget

    just thinking, maybe, if they had enough $, they could at LEAST hire some contractors...

    (I blame Con-Grab for that)

    then again, since WHEN has any gummint agency decided that SECURITY was an important line item on the budget?

    But if they kept their existing budget, and spent WAY LESS money on chasing after the POLITICALLY MOTIVATED HOAX called "man made climate change", maybe they could FIND the money...

    (drain the swamp)

    1. Mark 85 Silver badge

      Re: apparently too small of a budget

      then again, since WHEN has any gummint agency decided that SECURITY was an important line item on the budget?

      They seem to be following the corporate theology on this: "Save some money now, we'll deal with it when we get breached."

      1. bombastic bob Silver badge
        Meh

        Re: apparently too small of a budget

        unfortunately, more like "accountant thinking" or "lawyer thinking". but yeah.

      2. Flocke Kroes Silver badge

        Re: Save some money now, we'll deal with it when we get breached

        Easy to understand. First forget any computing knowledge you may have and replace it with: "Getting infected with computer malware is completely random and there is nothing anyone can do about it". All of a sudden, the do nothing policy makes sense.

        Back to the real world: If you can somehow get across the message that over 99% of malware infections are caused by the user clicking on something clearly identifiable as malware (like: "Install our free pornvid viewer") then there is some hope of progress.

        1. Peter2 Silver badge

          Re: Save some money now, we'll deal with it when we get breached

          Back to the real world: If you can somehow get across the message that over 99% of malware infections are caused by the user clicking on something clearly identifiable as malware (like: "Install our free pornvid viewer") then there is some hope of progress.

          I personally think that IT staff have about 99% of the responsibility there when it relates to work computers. Software Restriction Policies have been (freely) available in Windows now since XP, which is what, eighteen years ago now?

          SRPs allow an administrator to easily select what executable code a user can and cannot run. Changing the security default level from "unrestricted" to "disallowed" radically changes the security landscape. Instead of the user being able to run any program from any location, the user is then only able to run programs from allowed locations, which by default is to only allow the Windows system files to run.

          If you lock the user to only be able to run programs from locations that they can't write to, then it becomes impossible for a normal user to run any form of unauthorised file containing executable code (while still allowing them to open Word docs, etc.). Authorising files is easy: you can do it via a hash of the file or by path. Doing it by path is the easiest way of proceeding; just put policy rules for "unrestricted" to allow any programs to run from %program files% and from %authorised network share%.

          Hey presto, users can now only run programs that an admin has installed, assuming that you have taken the basic precaution of not letting the users write to the location they can run programs from.

          Combine this with locking down other very notorious security holes (only run authorised signed macros), lock Flash down, set Adobe Reader not to download or run stuff via the GPO they provide that barely anybody uses, and your attack profile starts shrinking. If you start systematically securing the remaining holes then it doesn't take long before the available attack surface becomes vanishingly small.
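          The SRP setup described in the comment above, written out as an added example (this is editor-supplied code, not Peter2's, NASA's or The Register's). It writes the local Safer policy keys that the SRP Group Policy editor writes: default level Disallowed, Unrestricted path rules for the Windows directory, both Program Files directories and one authorised share, plus a check the comment only alludes to: a scan of the allowed locations for subdirectories that ordinary users can write to, since any such directory is a bypass of a path-based allow rule. The share path `\\fileserver\software$` is a hypothetical stand-in; the registry key names and level IDs (0 = Disallowed, 0x40000 = Unrestricted) are the ones the SRP policy editor uses.

```powershell
# Added example, not from the comment above or from NASA/The Register: a local Software
# Restriction Policy with the default level set to Disallowed, Unrestricted path rules for
# the Windows directory, both Program Files directories and one hypothetical read-only
# share, and an ACL audit of those locations for subdirectories ordinary users can write
# to (which would let them drop an executable inside an allowed path).
# Run from an elevated PowerShell on a standalone or lab machine; on domain members the
# same settings are deployed through Group Policy (Computer Configuration > Windows
# Settings > Security Settings > Software Restriction Policies).

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # SRP security level IDs
$Unrestricted = 0x40000
$AuthorisedShare = '\\fileserver\software$'   # assumption: a share users can read but not write

New-Item -Path $Safer -Force | Out-Null
Set-ItemProperty -Path $Safer -Name DefaultLevel       -Value $Disallowed -Type DWord
Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 2 -Type DWord   # 2 = check DLLs too; 1 = EXEs and scripts only
Set-ItemProperty -Path $Safer -Name PolicyScope        -Value 0 -Type DWord   # 0 = all users; 1 = exempt local Administrators
Set-ItemProperty -Path $Safer -Name LogFileName        -Value "$env:SystemRoot\Temp\srp.log" -Type String  # one line per decision, useful while tuning

function Add-SrpPathRule {
    param([int]$Level, [string]$Path, [string]$Description)
    # Each path rule is a GUID-named subkey under <level>\Paths
    $key = "$Safer\$Level\Paths\$([guid]::NewGuid().ToString('B'))"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData    -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $key -Name SaferFlags  -Value 0            -Type DWord
    Set-ItemProperty -Path $key -Name Description -Value $Description -Type String
}

# Registry-path syntax resolves the real install locations and, unlike %ProgramFiles%,
# cannot be redirected by a user editing their own environment variables.
Add-SrpPathRule $Unrestricted '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%' 'Windows directory'
Add-SrpPathRule $Unrestricted '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%' 'Program Files'
Add-SrpPathRule $Unrestricted '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%' 'Program Files (x86)'
Add-SrpPathRule $Unrestricted $AuthorisedShare 'Authorised software share'

# The Windows directory contains user-writable folders by design; a more specific path
# rule wins over a less specific one, so carve them back out as Disallowed.
foreach ($w in "$env:SystemRoot\Temp", "$env:SystemRoot\Tasks") {
    Add-SrpPathRule $Disallowed $w 'User-writable folder under an allowed path'
}

function Find-UserWritableDirs {
    # Reports subdirectories where a non-admin principal holds an Allow ACE with
    # file-creation rights: each one is a place a user could stage an executable.
    param([string[]]$Roots)
    $principals = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'
    $mask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'
    foreach ($root in $Roots) {
        if (-not $root) { continue }
        Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $principals -contains $ace.IdentityReference.Value -and
                    (($ace.FileSystemRights -band $mask) -ne 0)) {
                    [pscustomobject]@{ Path = $_.FullName; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
                    break
                }
            }
        }
    }
}

# Anything this prints needs either an ACL fix or its own Disallowed rule.
Find-UserWritableDirs -Roots $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot | Format-Table -AutoSize
```

          The policy applies to new logon sessions, so log off and on (or reboot) before testing, and watch the log file while tuning: every blocked launch is recorded there, which is the quickest way to find the line-of-business tool someone installed under their profile. The audit at the end is the part that makes the path rules honest; on a stock install it will list folders like C:\Windows\Temp, which is why those get an explicit Disallowed rule above.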

          1. Rich 11 Silver badge

            Re: Save some money now, we'll deal with it when we get breached

            I like the way some random person on the internet thinks they've got a simple but near-total solution for an entire highly technical organisation of hundreds of thousands of people, especially when the description of the solution is peppered with words like 'only', 'easily' and 'just'. Are you 17? Have you met the real world yet?

          2. Anonymous Coward
            Anonymous Coward

            Re: Lock user to run programs they can't write to

            Best to not give those end users computers, only terminals. Locked-down laptops are often the best choice with today's workers.

            Early on I worked in a place where end users were restricted as to what we could or couldn't do with their computers. Those laptops were useless bricks for anything other than basic word processing, several began collecting dust under desks.

            So my department bought their own laptops, we installed our own software. We used laptops to interface with test equipment and machines and to modify programs for various equipment and without restrictions one laptop per worker was enough. There were no bricks under desks, we gave them back and never missed them. Of course the daily calls to the help desk ended so they liked that.

            Years later I'm handing out new laptops, pre-installed with all the required software and so locked down the workers couldn't install or change anything. Sad really, because the generations before were expected to understand what they were working on, but then they got paid a lot more even though the education requirements were far less.

            Today giving the average worker access to change anything can be asking for trouble.

    2. John Brown (no body) Silver badge

      Re: apparently too small of a budget

      "(drain the swamp)"

      He's had two years to do that. Doesn't seem to be working so far.

      1. Anonymous Coward
        Anonymous Coward

        Re: apparently too small of a budget

        It looks like he has made the swamp much worse. Trump and his ilk are the problem. I do give Trump credit for being able to identify what much of the American working class view as their problems and playing into those issues so skilfully and his being a pathological liar doesn't make Trump stupid. It helped get him elected. I suspect that he doesn't understand a lot of the nuances of governing or government and that can create its own dangers. The destruction of the American educational system over 40+ years is, I think, ultimately what got Trump elected.

    3. Kane Silver badge
      Black Helicopters

      Re: apparently too small of a budget

      "then again, since WHEN has any gummint agency decided that SECURITY was an important line item on the budget?"

      The NSA I would imagine. I mean, it's part of their name.

      1. MAF

        Re: apparently too small of a budget

        Ever read "The Cuckoo's Egg" by Clifford Stoll? A German hacker was in several military & scientific systems and the NSA just sat there sipping on the author's information and did sweet FA...

      2. Carpet Deal 'em Bronze badge

        Re: apparently too small of a budget

        Given the Snowden leaks, even that's questionable.

    4. mutin

      Re: apparently too small of a budget

      Seriously though: when moving federal systems into the cloud, Obama was promising to save money on that. Of course, such moves never save money. The fed budget for information systems did not decrease, of course. Curious people can either read my article on that matter (cloud, politics, money) on www.rubos.com or check for themselves. The fed budget is public info and easy to check. It has a special part for fed IT. So, do not worry. They have plenty of money to waste. Sorry, to move into the big pockets of IT giants. And into "Cloud First".

    5. TheVogon Silver badge

      Re: apparently too small of a budget

      "and spent WAY LESS money on chasing after the POLITICALLY MOTIVATED HOAX called "man made climate change"

      Or maybe the US could spend some of the ~$600 billion a year it spends on subsidising fossil fuels instead?

      "A 2016 IMF working paper estimated that global fossil fuel subsidies were $5.3 trillion in 2015, which represents 6.5% of global GDP. The study found that "China was the biggest subsidizer in 2013 ($1.8 trillion), followed by the United States ($0.6 trillion)""

    6. hplasm Silver badge
      Paris Hilton

      Re: apparently too small of a budget

      (drain the swamp)

      aka Trepanning...

  2. Mark C 2

    "...chasing after the POLITICALLY MOTIVATED HOAX called "man made climate change" "

    Don't tell me, you have been listening to the fossil fuel industry shills like the ex-EPA director or Trump again? I am not a climate expert so will have to rely on the opinion of the experts, like every single credible climate scientist in the World.

    Bob - sometimes it is better to stay silent and let people think you are a fool than open your mouth and confirm it. And the Flat Earth society is over that way, you will be in good company --->

    1. Robert Carnegie Silver badge

      I think the plan was to drain the swamp into the sea. For some reason, it's taking a while. Hmm.

      1. Anonymous Coward
        Anonymous Coward

        All well and good until you realize that swamps are a good thing and are an effective way of dealing with all kinds of effluent.

        Now cesspools have their place but shouldn't be a model for government.

        I say keep the swamps and drain the politicians.

        1. CrazyOldCatMan Silver badge

          swamps are a good thing

          Ayup. So all those areas where we[1] have removed the coastal[2] marshes and swamps are now coming back to bite us - especially as it's been proven that marshes and swamps are also really, really good at absorbing and locking down CO2..

          [1] In this context the UK. Norfolk - I'm looking at you..

          [2] Also marshes like the Somerset Levels. Since those have been drained and made into farmland they now flood every time we have a bad winter or rainy spring.

    2. bombastic bob Silver badge
      Boffin

      "flat earth" - be careful you are not pointing fingers at the wrong target

      I avoid pejoratives, and will gladly debate the SCIENCE in another forum. Usually it's just an info-dump consisting of copy/pasta of what I've said before. Pretty easy, really, like a slam dunk.

      1. Anonymous Coward
        Anonymous Coward

        I [...] will gladly debate the SCIENCE in another forum.

        I look forward to your forthcoming publications, no doubt to shortly appear in a range of highly prestigious journals that publish papers on climate science. Do let us know when the next one is coming out.

        Oh, and if you could just give us a few pointers to your best already published work, I'd be grateful - I can't seem to find anything under "bombastic bob" when I do a literature search.

        1. arctic_haze Silver badge

          Re: I [...] will gladly debate the SCIENCE in another forum.

          It would be Bob B. et al. :)

          1. Anonymous Coward
            Anonymous Coward

            Re: I [...] will gladly debate the SCIENCE in another forum.

            >Bob B. et al.

            He calls the voices in his head Al?

            Must be channeling Paul Simon then.

  3. overunder Bronze badge

    Back... Doors

    "Jim Morrison, assistant inspector general for audits within NASA's OIG, said in a letter:"

    Break on through to the other side!

    1. Mike Moyle Silver badge

      Re: Back... Doors

      He had to shorten it because "James James Morrison Morrison Weatherby George Dupree" wouldn't fit on the business cards.

      1. Anonymous Coward
        Anonymous Coward

        Re: Back... Doors

        A thumbs up because I am old enough to get the reference, and have eclectic enough music tastes to have even listened to it.

  4. Anonymous Coward
    Anonymous Coward

    NASA uses a lot of contractors and their contract agencies have no means of qualifying employees. Most of the software contractors I met were unable to perform basic coding tasks correctly and they had no concerns at all about quality. I'd reject pull requests due to extreme security vulnerabilities and they'd be merged anyways. It was a dark, life-draining place that I couldn't leave fast enough.

  5. Conundrum1885 Bronze badge

    Re. Security

    NASA are using outdated technology because they have to.

    Many of the legacy systems won't run XP, let alone 7, and it's not a simple matter to just rewrite decades-old software so it works on a later OS.

    I did hear that they are looking into buying in some old 2011 issue Macs as these are of very similar architecture (DDR3, Core II etc)

    The main reason for delays on the SLS is due to using Shuttle-era hardware as it's been tested in space: to recertify takes ages.

    Somewhere there are pictures of warehouses full of 8088s and old motherboards with nice new shiny capacitors.

    They even bought up all the old unused boards of a specific type (pretty sure it was S370) because it had a specific chipset.

    1. Anonymous Coward
      Anonymous Coward

      Re: "To re-certify takes ages"

      No! Or at least - not necessarily so.

      The problem with the NASA systems (I have been told by someone who used to work there) is that they were not designed for reuse.

      If you are reusing a self-contained item (software or hardware) its INTERNAL certification artefacts do not need to be redone for each use. In fact, if you wanted to resell the items for aircraft there is an FAA recognised method for doing this - a TSO.

      Modern software systems such as Wind River VxWorks even have build methods (IBLL) to facilitate the limiting of recertification activities to just small sections; otherwise replacing the old federated systems with Integrated Modular Avionics would just not be practicable.

  6. Korev Silver badge
    Joke

    Well Jupiter notebooks can be a PITA to secure...

    1. Conundrum1885 Bronze badge

      RE. Jupiter

      One good thing about having "Friends in really high places" is you get to see all the antique hardware.

      If NASA can use them I have in my collection some really prehistoric boards including some ancient SBCs, old ceramic chips circa 1980 and what appears to be some 8088s.

      One day soon I may get around to building a DSKY running the original software from the actual LM. That would be badass and have value for historical research, as well as letting people actually play with working hardware. "Uh, what's a 12:01?"

      1. Glen 1 Bronze badge

        Re: RE. Jupiter

        We are go on that alarm

  7. mutin

    Obama, Kundra, cloud and continuing failing

    A failed audit is not a surprise. That crap started when Obama came in and, with the new Federal CIO Kundra (now at Salesforce), originated the Cloud First program without, of course, any NIST guidance existing, and with their heads also lacking any knowledge. NASA was chosen first to begin with. And of course, it failed its first implementation audit. Since then it has continued the way it started in the Obama era. No security, actually. Even having inconsistent papers ... Where is the expected cloud security, which should (?) be better than local enterprise-based?

    Frankly, I doubt that many of US government agencies have adequate security either local or cloud.

    Many thanks to black hats who somehow appreciate space business and not touching poor buddy.

  8. Joe Gurman

    Did anyone bother to read the report?

    It's not about cybersecurity, it's about the numerical classification of cybersecurity job postings. (Cue the Sir Humphrey clips....)

    NASA's response was, yeah, but no: we still list some generic job descriptions with 000s in them instead of numerical gobbledegook because we want to keep the final classifications open until we actually have a need to hire, so we can tailor those postings to the work that's actually needed. And oh, we make that decision at the NASA field center level, not the Washington DC one. Imagine that much agility and adaptability in a government agency.

  9. Beachrider

    Air-gapping IS Security, but...

    NASA still relies on air-gapping for the highest security. If the 'gap' is SOLID, then great, but there are always tendrils...

  10. Yet Another Anonymous coward Silver badge

    Anybody check the actual systems?

    It seems that the report reports that NASA's reports didn't report the right reporting terms in their reports.

    I seem to remember a space telescope where NASA quality teams carefully examined the quality reports of the manufacturer's quality teams, but nobody looked at the actual mirror.
