Drax!
and double Drax!
A NASA laptop stolen last year had not been encrypted, despite containing codes used to control and command the International Space Station, the agency's inspector general told a US House committee. NASA IG Paul Martin said in written testimony (PDF) to the House Committee on Science, Space and Technology that a laptop was …
...no matter how well you guard access, once SOMEONE has access to it, they may think they'll forget it later on when they'll need it again. And since high-security computers are likely to be air-gapped, no remote connection is possible, so they'll copy the data (even if they have to do it MANUALLY or BY ROTE--kinda hard to safeguard against biological memory). Obfuscating the codes so no one sees them won't work if the person involved is the one who actually has to handle the codes, and then we get back to where we started.
To turn an old phrase for a new purpose, ask yourself, "How do you safeguard a secret code against the code writer?"
Someone else brought up TC a few days ago and I meant to comment on it then. TrueCrypt is a great solution, FLOSS and all that. But it doesn't have the ability to deal with forgetting your password or when someone dies; there's no recourse. For us to remember that's manageable if the data is gone. What happens when that data is something like black budget NRO work and now nobody can access it? So there needs to be a way to deal with password resets.
Personally I think it's a security flaw, but people (including me) forget passwords all the time. They shouldn't forget this one, because they should have to enter it every day but users are what they are.
1) That assumes that they can get the appropriate signoffs from involved groups. Like most big government departments, from what I understand NASA is fragmented into little fiefdoms and getting them all to agree to come to work at the same time, let alone implement standard policies about security, is like saying that Labour and the Tories should have all their policies in common.
2) Various bits of NASA IT are outsourced AFAIK (e.g. http://www.odin.nasa.gov/ ), so unless drive encryption was in the original contract for services it'd be an addendum which would come with additional cost, even for free solutions like TrueCrypt. Again, getting sign off from involved parties would be difficult
3) From what I understand ODIN is a fixed cost contract so the contractor gets more $$$ by hiring people for cheap, which again makes it difficult to implement stuff like full disk encryption.
Well... Really they're aerospace engineers, not rocket scientists.
Also, it was a programmer that made that boner, and they are typically kept tucked away from the actual hardware. I'm not sure, but I'd hope that anyone that works on an international project like that is forced to sleep with a meter stick, now.
In a lot of science and engineering "Codes" mean programs or algorithms
You have "fluid dynamics codes", "smooth particle hydro codes" - so in NASA speak, space station codes could be the thermal models of the structure or the orbit ephemeris.
It's not the root password to make the ISS crash into Belgium
I work for a company that recycles "retired" NASA computers and other bits and bobs. One of the recent systems that I had to process was an Osborne 1. With a sticker on it denoting that it had a role in the ISS. Yes, an Osborne 1. I'll guarantee you that TrueCrypt doesn't work on that.
Also, many of the systems I see from them are unique or 'one-offs' that again cannot run TrueCrypt or any currently available software...
Anon so I don't get fired....
of lost civil servant laptops.
Perhaps it is the only way to get an up to date laptop or perhaps when it starts to behave randomly and each time you try to show how badly it behaves to the tech people it performs nicely like they tend to do. Perhaps the lost "solution" is then the only clever one.
Then again, perhaps, those who lose their computer should pay, personally, +20% for their new computer. Perhaps the number of lost stuff would decrease.
Or, perhaps, it is fine the way it is, or, perhaps, I am wrong altogether.
Love the fact that so much taxpayer money is going to this. So let me get this straight you have some of the smartest people around working for you, and basically everything you do depends on a computer at some point, so if everyone there is so damn smart why does no one think to buy encrypted hard drives hmm? Simply amazing.
First, hard drives with built-in encryption are a bit new and have their quirks (for example, finding a 2.5" inch that fit a laptop was tricky because you couldn't use any ordinary 2.5" HD in it--you needed to cram a 1.6" drive and the encryption chips into a 2.5" form factor). That means compromises that may or may not be acceptable for the job in question.
Second, secure devices are expensive, and government budgets are getting tighter and tighter. Less spending and more security are clashing at this point.
Plus no solution on the market at the moment can completely alleviate the possibility of stealing the device "hot": while it is still running (kinda like sneaking in during those times when the front door is legitimately open).
I have to disagree with you. DELL laptops have encryption available for HD, any size, for many years now. Free. It is on the BIOS settings and it is a very strong encryption. So your first two statements are incorrect. Second, your third statement is absurd. Any network policy, even the most relaxed one, can have the option of asking for HD encryption password after a few minutes idle. I am assuming that to steal the device HOT someone will take at least 3 minutes to grab it and get out of the building. Physical access is part of IT security policies too.
There is no excuse for this FAIL. Whoever is responsible for IT administration at NASA is very bad at what he/she does. VERY BAD.
You're talking BIOS encryption, which as mentioned before may not have been available (depends on the laptop, and if it isn't, good luck getting money out of NASA's tightened budget for a new one). I was talking drive encryption (like a secure disk-on-module), which can be transparent to the OS and therefore useable even on older laptops.
Second, give me about a minute with the laptop and I can have it thrashing for as long as needed (think something like a defrag program). Since it's automatic but keeps the HD moving, it never idles long enough to lock. As there are ways to keep the laptop from going to sleep once the lid's closed. And physical access can be difficult if something like a laptop has to be able to go OUTSIDE (which is usually why laptops are being used; otherwise, a physically-locked-down remote workstation would be preferable).
As for hiring someone better, who's got the budget for someone better?
I am not talking about BIOS encryption. I am talking about HD encryption that can be selected in the BIOS.....COMPLETELY DIFFERENT THING. All my laptops have it. It doesn't matter how hard you try to break through this encryption, you simply can't. Even the FBI cannot currently break that encryption.
The "smartest people" are too busy doing important stuff and don't have time to think about anything mundane - so, when the proles that provide the IT services start talking about security and encryption, they are told to shut up because none of them have PhDs in Astrophysics or Mathematics. When one of the smart people does something stupid, like losing a notebook containing a load of sensitive documents, the IT proles have to fight not to smirk during the various "WTF happened / who to blame" meetings that follow.
As others have pointed out what happens if you *forget* your password?
Did you choose it in the first place (and is someone *responsible* for logging it for data recovery? If so how do you notify them in a *secure* way?)
Are you told it and it's *your* job to find some way to remember it?
Had to happen sometime.
Sooner or later one of these would go missing which actually had *live* data on them, rather than another couple of dozen Powerpoints for projects that are unworkable and unfundable.
But yes TrueCrypt *does* look like a pretty good idea *except* for the key management and the outsourced maintenance contracts.
What would Trevpott do?