back to article Stolen NASA laptop had Space Station control codes

A NASA laptop stolen last year had not been encrypted, despite containing codes used to control and command the International Space Station, the agency's inspector general told a US House committee. NASA IG Paul Martin said in written testimony (PDF) to the House Committee on Science, Space and Technology that a laptop was …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Coat

    Drax!

    and double Drax!

    1. Destroy All Monsters Silver badge
      Devil

      Or maybe Operation British?

      There goes Australia!

    2. chr0m4t1c

      Re: Drax!

      I was thinking the same thing.

      I wonder if anyone has counted the shuttle's to make sure none have been stolen.

      Or made sure there aren't any biological warfare research labs just off Piazza San Marco in Venice.

      Worth a check, do we think?

  2. Steve Knox
    Coat

    C'mon, guys!

    It's not exactly rocket science!

    1. Aaron Em

      Rocket science

      isn't exactly NASA's forte these days, anyway...

      1. Fatman
        FAIL

        Re: Rocket science..isn't exactly NASA's forte these days, anyway...

        We know, just ask the Russians and SpaceX.

        Most appropriate icon for this news item.

  3. Blunderbuss
    Facepalm

    Unencrypted lost laptops

    Was the user of the laptop who lost it previously employed by one of the security services?

    They seem to make losing laptops with sensitive data a speciality.

  4. Anonymous Coward
    Anonymous Coward

    If the stuff is so sensitive and critical, why is it stored somewhere on-line, and why is it on laptops that staff wander off-site with in the first place?

    1. Charles 9 Silver badge

      Because...

      ...no matter how well you guard access, once SOMEONE has access to it, they may think they'll forget it later on when they'll need it again. And since high-security computers are likely to be air-gapped, no remote connection is possible, so they'll copy the data (even if they have to do it MANUALLY or BY ROTE--kinda hard to safeguard against biological memory). Obfuscating the codes so no one sees them won't work if the person involved is the one who actually has to handle the codes, and then we get back to where we started.

      To turn an old phrase for a new purpose, ask yourself, "How do you safeguard a secret code against the code writer?"

      1. Graham Dawson Silver badge

        Re: Because...

        Apply the Vetinari Solution, vis: take your incredibly smart person, find out their favourite hobby and lock them in a light, airy room with unlimited supplies, then ask them to make the codes in their spare time.

        1. Quxy
          Happy

          I thought that the Vetinari Solution was...

          ...Tax the rat farms.

      2. Anonymous Coward
        Anonymous Coward

        Re: Because...

        'To turn an old phrase for a new purpose, ask yourself, "How do you safeguard a secret code against the code writer?"'

        Poke his eyes out for taking sensitive data off-site?

  5. The Man Who Fell To Earth Silver badge
    Boffin

    While its not a panacea...

    One has to wonder why NASA, or any government agency, would not be using whole drive encryption on all PC, much less laptops, by now.

    1. Charles 9 Silver badge

      Re: While its not a panacea...

      It may have been an older laptop that didn't have support, and NASA's budget is among the ones being tightened, so they may fire back, "How are we supposed to replace them for more secure ones without the money to requisition them?"

      1. AbortRetryFail
        Facepalm

        Re: Re: While its not a panacea...

        Truecrypt is Open Source and multi-platform.

        There really is absolutely no excuse whatsoever for not having encryption on a laptop that contains sensitive data. Preferably whole volume encryption.

        1. Anonymous Coward
          Anonymous Coward

          Re: Re: Re: While its not a panacea...

          Someone else brought up TC a few days ago and I meant to comment on it then. Truecrypt is a great solution floss and all that. But it doesn't have the ability to deal with forgetting your password or when someone dies; there's no recourse. For us to remember that's manageable if the data is gone. What happens when that data is something like black budget NRO work and now nobody can access it? So there needs to be a way to deal with password resets.

          Personally I think it's a security flaw, but people (including me) forget passwords all the time. They shouldn't forget this one, because they should have to enter it every day but users are what they are.

    2. Anonymous Coward
      Anonymous Coward

      Re: While its not a panacea...

      1) That assumes that they can get the appropriate signoffs from involved groups. Like most big government departments, from what I understand NASA is fragmented into little fiefdoms and getting them all to agree to come to work at the same time, let alone implement standard policies about security, is like saying that Labour and the Tories should have all their polices in common

      2) Various bits of NASA IT are outsourced AFAIK (e.g. http://www.odin.nasa.gov/ ), so unless drive encryption was in the original contract for services it'd be an addendum which would come with additional cost, even for free solutions like TrueCrypt. Again, getting sign off from involved parties would be difficult

      3) from what I understand ODIN is a fixed cost contract so the contractor gets more $$$ by hiring people for cheap, which again makes it difficult to implement stuff like full disk encryption.

  6. Destroy All Monsters Silver badge
    Flame

    "The committee pointed out that it was all very well for Washington to be debating government involvement in private sector cybersecurity issues"

    Did you mean "debasing"?

  7. Xenobyte

    Feet and meters, bits and bytes...

    The obvious reason they haven't implemented encryption is the issue with bits and bytes... not unlike the issue with feet and meters... after all ROCKET SCIENTISTS made that mistake...

    1. DryBones
      Facepalm

      Re: Feet and meters, bits and bytes...

      Well... Really they're aerospace engineers, not rocket scientists.

      Also, it was a programmer that made that boner, and they are typically kept tucked away from the actual hardware. I'm not sure, but I'd hope that anyone that works on an international project like that is forced to sleep with a meter stick, now.

      1. Lockwood
        Thumb Up

        Re: Feet and meters, bits and bytes...

        I sleep with a meter stick.

        Geometry joke five!

        1. cosymart
          Headmaster

          Re: Feet and meters, bits and bytes...

          Metres please!!!!!!

  8. Anonymous Coward
    Anonymous Coward

    Space Station control - there's an app for that

    Or could be, now. This'll put those iPhone-controlled helicopters firmly in their place

  9. Anonymous Coward
    Anonymous Coward

    The moron in charge of those laptops should be fired.

    1. Graham Dawson Silver badge

      On a rocket, into the sun?

  10. E_Nigma
    Trollface

    Brilliant!

    Imagine you're a supervillan and you want to steal this valuable data. Your plan would probably be as follows:

    1. steal the laptop containing the data;

    2. decrypt data:

    3. wreak havoc!

    With the drive not being encrypted, the supervillan can't get past step two! Genius!

  11. arrbee
    Black Helicopters

    whats the charge ?

    So from this reasonable sample size, over 5400 incidents, we can say that a fair estimate for the cost of an unauthorized intrusion at a government establishment is around $1300.

  12. Yet Another Anonymous coward Silver badge

    'codes' doesn't mean codes

    In a lot of science and engineering "Codes" mean programs or algorithms

    You have "fluid dynamics codes", "smooth particle hydro codes" - so in Nasa speak, space station codes could be the thermal models of the structure or the orbit empheris.

    It's not the root password to make the ISS crash into Belgium

  13. Lars Silver badge
    Joke

    I wonder

    Sometimes, about how many of those laptops lost, in different countries, are not simply given to the wife, children and grandchildren and them simply reported as stolen.

    Would this be positive or negative thinking or simply a joke.

  14. Anonymous Coward
    Anonymous Coward

    Who cares?

    It's Russia's space station now, seeing how the US does not even have its own launch vehicle.

  15. Anonymous Coward
    Anonymous Coward

    NASA Hardware

    I work for a company that recycles "retired" NASA computers and other bits and bobs. One of the recent systems that I had to process was an Osborne 1. With a sticker on it denoting that it had a role in the ISS. Yes, and Osborne 1. I'll guarantee you that Truecrypt doesn't work on that.

    Also, many of the systems I see from them are unique or 'one-offs' that again cannot run Truecrypt or any currently available software...

    Anon so I don't get fired....

    1. Anonymous Coward
      Anonymous Coward

      Re: NASA Hardware

      I think you may have give your employer enough information to figure out exactly who you are... Unless a bunch of you worked on that Osbourne...

  16. Lars Silver badge
    Coat

    Adding to the problem

    of lost civil servant laptops.

    Perhaps it is the only way to get an up to date laptop or perhaps when it starts to behave randomly and each time you try to show how badly it behaves to the tech people it performs nicely like they tend to do. Perhaps the lost "solution" is then the only clever one.

    Then again, perhaps, those who loose their computer should pay, personally, +20% for their new computer. Perhaps the number of lost stuff would decrease.

    Or, perhaps, it is fine the way it is, or, perhaps, I am wrong altogether.

  17. m00seman645
    FAIL

    Love the fact that so much taxpayer money is going to this. So let me get this straight you have some of the smartest people around working for you, and basically everything you do depends on a computer at some point, so if everyone there is so damn smart why does no one think to buy encrypted hard drives hmm? Simply amazing.

    1. Charles 9 Silver badge

      Two things.

      First, hard drives with built-in encryption are a bit new and have their quirks (for example, finding a 2.5" inch that fit a laptop was tricky because you couldn't use any ordinary 2.5" HD in it--you needed to cram a 1.6" drive and the encryption chips into a 2.5" form factor. That means compromises that may or may not be acceptable for the job in question.

      Second, secure devices are expensive, and government budgets are getting tighter and tighter. Less spending and more security are clashing at this point.

      Plus no solution on the market at the moment can completely alleviate the possibility of stealing the device "hot": while it is still running (kinda like sneaking in during those times when the front door is legitimately open).

      1. Rombizio
        FAIL

        Re: Two things.

        I have to disagree with you. DELL laptops have encryption available for HD, any size, for many years now. Free. It is on the BIOS settings and it is a very strong encryption. So your first two statements are incorrect. Second, your third statement is absurd. Any network policy, even the most relaxed one, can have the option of asking for HD encryption password after a few minutes idle. I am assuming that to steal the device HOT someone will take at least 3 minutes to grab it and get out of the building. Physical access is part of IT security policies too.

        There is no excuse for this FAIL. Whoever is responsible for IT administration at NASA, is very bad in what he/she does. VERY BAD.

        1. Charles 9 Silver badge

          Re: Two things.

          You're talking BIOS encryption which as mentioned before may not have been available (depends on the laptop, and if it isn't, good luck getting money out of NASA's tightened budget for a new one). I was talking drive encryption (like a secure disk-on-module) can be transparent to the OS and therefore useable even on older laptops.

          Second, give me about a minute with the laptop and I can have it thrashing for as long as needed (think something like a defrag program). Since it's automatic but keeps the HD moving, it never idles long enough to lock. As there are ways to keep the laptop from going to sleep once the lid's closed. And physical access can be difficult if something like a laptop has to be able to go OUTSIDE (which is usually why laptops are being used; otherwise, a physically-locked-down remote workstation would be preferable).

          As for hiring someone better, who's got the budget for someone better?

          1. This post has been deleted by its author

          2. Rombizio

            Re: Two things.

            I am not talking about BIOS encryption. I am talking about HD encryption that can be select in the BIOS.....COMPLETELY DIFFERENT THING. All my laptops have it. It doesn't matter how hard you try to break through this encryption, you simply can't. Even the FBI cannot currently break that encryption.

    2. Anonymous Coward
      Anonymous Coward

      The "smartest people" are too busy doing important stuff and don't have time to think about anything mundane - so, when the proles that provide the IT services start talking about security and encryption, they are told to shut up because none of them have PhDs in Astrophysics or Mathematics. When one of the smart people does something stupid, like losing a notebook containing a load of sensitive documents, the IT proles have to fight not to smirk during the various "WTF happened / who to blame" meetings that follow.

  18. John Smith 19 Gold badge
    Unhappy

    *key* management is a pretty big issue here.

    As others have pointed out what happens if you *forget* your password?

    Did you choose it in the first place (and is someone *responsible* for logging it for data recovery? If so how do you notify them in a *secure* way?)

    Are you told it and it's *your* job to find some way to remember it?

    Had to happen sometime.

    Sooner or later one of these would go missing which actually had *live* data on them, rather than another couple of dozen Powerpoints for projects that are unworkable and unfundable.

    But yes Truecrypt *does* look like a pretty good idea *except* for the key management and the outsourced maintenance contracts.

    What would Trevpott do?

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2021