NASA To Encrypt All of Its Laptops
pev writes "After losing another laptop containing personal information, NASA wants to have all of its laptops encrypted within a month's time with an intermediate ban on laptops containing sensitive information leaving its facilities. Between April 2009 and April 2011 it lost or had stolen 48 'mobile computing devices.' I wonder how long it will be before other large organizations start following suit as a sensible precaution?"
They waited this long because? First?
Why is this not done already? Between truecrypt and (ack) bitlocker, it's relatively easy. Add in a robust backup system, which any organization should have already, and it is cheap and fairly easy to implement.
Silence is a state of mime.
For the lazy it does the job well. No need to spend budget on it.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
I worked for a major technology vendor. A few years back they mandated full disk encryption on all laptops (good idea, right?). Problem was they went with some company I never heard of and the stuff would randomly corrupt and all data would be lost. Certain people (executives) lost a lot of data because the only copies were on the laptops. This was all sorts of fun for the IT group.
I'm quite close to a different national lab type of federal facility and all of their laptops have been encrypted for at least a few years now. The stuff here isn't any more sensitive than the stuff there - it's just under an actual cabinet position. Bureaucracy may sometimes be a headache - but enforcing common sense policies is one of its strong suits. Besides - is NASA really benefiting in its efficiency from its "bureaucratic freedom"?
Encrypting everything on a device just seems so stupid to me.
It slows down overall performance. It does provide greater security than just encrypting the sensitive files.
But really what's the need to have your OS and application files, which are going to be the same on every device, encrypted? It would seem that, if you can collect enough samples of encrypted disks that have enough of these files on them that would in and of itself provide an attack vector to decrypt the desired "sensitive" information.
For many years.
will they encrypted?? will they be forced over to windows?
They must have been waiting years for something like this.
In space no-one can hear your vuvuzela.
This large company in the defense sector has been encrypting all laptops and desktops for a couple years now. It's pretty painless so far. Whatever you do, make your security transparent to the end user and life will be good.
NASA is a huge bureaucracy that is behind the curve in this aspect. The sad part is that they apparently have more laptops to lose with HR type information on them than they do ITAR. Which pretty much sums up NASA right now.
You know? Endpoint encryption is trivial. There are so many products that do it effectively and easily. Why is this being done so late? Where I work, we do that to EVERY computer a user touches, not just laptops. If it isn't locked behind a server room door, it's locked to a desk and the HDD encrypted. Even the receptionist machine is encrypted.
What the hell are these people even thinking?
Sure... data recovery is more expensive or more impossible. I get that. But you know? It's kind of worth it. Also, if it's important data that lives ONLY on the endpoint machine? Well, that's another thing they are doing wrong.
Jesus, the small company I worked for (400 employees or so) had all but the desktop machines encrypted many years ago. I can't remember what they used before the built in windows encryption, but at least they had something there.
It's insane to hear that large companies don't have their machines encrypted though it's a mouseclick away for their IT-dept while prepping the computer for deployment.
*face palm*
Wait, NASA doesn't encrypt its laptops? Why not?
Just use Bitlocker, it's enforced by GPO where I work. Or if on another system, truecrypt or just CryptFS.
Why is this an issue?
That seems like a project that will take longer than a month. Full disk encryption on a large scale is a PITA.
I work for A Very Large Health Plan, and it is policy that all work laptops use encrypted harddrives and USB drives.
The laptops that are issued out to us workers already come encrypted, and also with the software that only allows writing to USB drives if you allow the software to encrypt the USB drive.
So far, seems to work, but does make a new laptop seem to be modest at boot/read/write times.
Uh, Linux geek since 1999.
You know, we've been doing this for four years where I work. And yes, I know everyone here is going to espouse Truecrypt as the one true solution, but the simple fact is NASA is run as a corporation... as such they'll probably go for a solution that's vendor supported. The fact that they're NASA will probably mean they'll get a pretty decent price on the software too.
Now, the downside of full-disk encryption (which many lazy corporations do instead of home directory only) is that it does increase the load on your system, slow it down and make recovery if/when it breaks a royal pain. Our helpdesk has an almost constant stream of laptops coming and going through their hands that they have to decrypt and re-encrypt because something got out of sync. Time consuming, and leads to downtime for the users. I've often suggested home folder only encryption... but the higher ups want it all encrypted... right up to the point that their laptop is down for two days because they've broken it.
By the way, another horrible side effect of whole disk encryption is that our experience says that it'll kill SSDs pretty rapidly. Our average SSD life is less than a year at this point because there doesn't seem to be a good full-disk encryption software that properly implements TRIM... so spinning disk or hybrid disk is the way to go.
Between April 2009 and April 2011 it lost or had stolen 48 'mobile computing devices.'
Why would NASA need to steal 48 'mobile computing devices'??
Many companies already do this. All notebooks where I work (a large Si company) have encrypted hard drives. With a SSD and a reasonably modern CPU there is very little performance impact. My 2 year old notebook with SSD and encryption is much faster than the previous model which had no SSD and no encryption.
What's surprising is that the majority of companies and government agencies don't do this. The cost of implementation is very low compared to the value of the data that could be lost.
They started the paperwork for it 12 years ago, but it was only just approved.
How about an actual conversation about encrypting laptops? What tools do you prefer? What is your workflow?
They are worried that Aliens might steal their technology
Somebody might find out they already stole alien technology
They are worried that the FBI might hack into their emails and find out who they are having affairs with
Sheldon Addison might wonder where the money he gave Newt went
The security laws in the US after 9/11 force a lot of big corps to encrypt. As far as I can tell it slows down boot time and forces IT to take 2 days to turn around anything as there is 12hrs to decrypt the hdd and then 12 to re-crypt. This month we got told to put stickers on all documents to state its security level... I'm really sure those stickers "CORP. INTERNAL ONLY" will really slow down those outsider eyes. Soon I'm sure we will have to use a secret de-coder ring to read the print out. Really, have you guys read most internal documents? They are of little interest to the people who are PAID to read them.
Life is like untied shoe laces; it's always tripping you up and getting in your way.
I'm surprised that this is not already standard procedure. If it were up to me I'd probably disable all the USB ports as well. If you've got the best firewall in the world it won't be worth a plug nickel if someone takes a flash drive with a virus on it and plugs it into a PC in the office. Now you're inside the firewall and it spreads like wildfire.
A known problem since the first laptop was issued, but ignored until today.
Now that the shit hits the fan they want it done yesterday.
Love many, trust a few, do harm to none.
That is done simply because it makes things simpler (that's the upside) and it's essentially "free" (there's virtually no downside). Even with low-end 2004 tech (a single core 800 MHz Transmeta CPU) I could barely notice dm-crypt having a significant effect on performance or battery life. With modern hardware people would need to use benchmarking tools just to be able to see the extra percent of overhead that one of their many cores has to endure. It's just too cheap to worry about.
I'm not sure if this is a 1970s thing or more generally a "post-WW2" thing, but most crypto these days tends to be resistant to "known plaintext attacks".
I was in charge of testing/verification of full disk crypto when my then-employer (Hydro) mandated it almost 20 years ago:
At that time 5 vendors made it through our pre-qualification tests, among these I was able to trivially break 3 of them (replace a conditional branch with its opposite), one took 20 minutes and only Utimaco's SafeGuard Easy had done a proper security design, where the user password was used as (part of) the seed for the key used to decrypt a copy of the master disk key.
I.e. the system _must_ be safe against attack from anyone, including the vendor!
I wrote a longer post about this the previous time the same issue came up on /.
Terje
"almost all programming can be viewed as an exercise in caching"
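The design described in the comment above, where the user password seeds the key that decrypts a copy of the master disk key, as an added Python sketch (not code from the thread or from any vendor's product). The XOR pad plus HMAC tag stands in for a real key-wrap cipher, and every function name, the sample passwords and the iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example


def _derive(password, salt):
    """Stretch the password into a 32-byte wrapping pad and a 32-byte MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def make_keyslot(password, master_key):
    """Store only a password-wrapped copy of the 32-byte master disk key."""
    salt = os.urandom(16)  # fresh salt per slot, so the pad is never reused
    pad, mac_key = _derive(password, salt)
    wrapped = _xor(master_key, pad)
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def open_keyslot(password, slot, skip_check=False):
    """Return the master key, or None if the password is wrong.

    skip_check models the tag comparison being patched out of the binary.
    """
    pad, mac_key = _derive(password, slot["salt"])
    expected = hmac.new(mac_key, slot["salt"] + slot["wrapped"], hashlib.sha256).digest()
    if not skip_check and not hmac.compare_digest(expected, slot["tag"]):
        return None
    return _xor(slot["wrapped"], pad)


def change_password(old, new, slot):
    """Re-wrap the same master key under a new password; disk data is untouched."""
    master_key = open_keyslot(old, slot)
    if master_key is None:
        raise ValueError("old password rejected")
    return make_keyslot(new, master_key)


def make_weak_header(password, master_key):
    """Contrast case: the key sits in the header and the password only gates a branch."""
    return {"pw_hash": hashlib.sha256(password.encode()).digest(), "master_key": master_key}


def demo():
    master_key = os.urandom(32)  # constructed sample key
    slot = make_keyslot("correct horse", master_key)
    recovery = make_keyslot("helpdesk-recovery", master_key)  # second slot, same key
    rotated = change_password("correct horse", "new passphrase", slot)
    weak = make_weak_header("correct horse", master_key)
    return {
        "right_password": open_keyslot("correct horse", slot) == master_key,
        "wrong_password": open_keyslot("guess", slot),
        "check_patched_out": open_keyslot("guess", slot, skip_check=True) == master_key,
        "recovery_slot": open_keyslot("helpdesk-recovery", recovery) == master_key,
        "after_rotation": open_keyslot("new passphrase", rotated) == master_key,
        "weak_header_leaks_key": weak["master_key"] == master_key,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the comparison skipped, a wrong password still produces only an unrelated 32-byte value, whereas the contrast header holds the key no matter what the branch decides. Rotating the password re-wraps 32 bytes instead of re-encrypting the disk.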
This.
At this point, why not have them VPN in to a central server, and keep all work materials there?
Between the trendy "cloud" and the availability of high-speed internet and most computers having encryption cycles to spare, our machines are now souped-up thin clients.
The idea that people need to take gigabytes or even megabytes (640k is ok though) of confidential data home with them on their laptops needs to be questioned. What are you doing with all of that? At home? On the subway?
Forget it: keep the data under control, and make the laptops worthless to foreign espionage.
I work for the Federal Government and every laptop has to have FDE in order to leave the building. This policy has been in place for years. NASA is just behind the times of every other federal agency. Too busy playing with robots, I assume.
sudo make me a sandwich
NONONNONONONO
This is not how you deal with an incident like this. You have to reexamine your infrastructure and find out *why* that info was on an endpoint to begin with. This is the same BS kneejerk reaction that makes for bad IT planning. Just go and wallpaper over it with a band-aid and look all betterer.
HULK SMASH!!!!
NASA should do what my employer has done, and start utilizing McAfee Endpoint Encryption. If you attempt to break the encryption, your computer gets high on bath salts and tries to kill you. Seems secure to me.
They're leased from HP as part of the NASA ACES contract:
http://www.nasa.gov/home/hqnews/2010/dec/HQ_C10-080_ACES.html
Prior to that, there was a contract with Lockheed Martin.
They have to put out a specification of what they want the machine configuration to look like, and then HP gives 'em a cost per month for it.
And the 'devices' lost aren't necessarily laptops ... it could be cell phones or tablets, which are also leased through ACES.
There *are* ways around this, but you have to do more paperwork, and then you can buy stuff off SEWP, and they're maintained by different groups of sysadmins (assigned to the mission, project or division).
And to make it more fun -- if you sign all of the paperwork to take a government furnished computer off site as a contractor, you're liable for the full original purchase price, no depreciation. (this might not be true for ACES) ... so I know a few people who brought their work-assigned laptops back and said they'd rather buy their own ... which means there's then *NO* control over them ... although they're not supposed to put SBU / ACI on it.
Build it, and they will come^Hplain.
I thought NASA was ordered to be completely open and no information was to be considered sensitive. This was ordered at its inception when it was created to provide the space program, in order to NOT be military in nature so that the Russians would not be worried. Sure they have shared information over the years but nothing NASA has done has been military in nature.
It seems to me then, that nothing NASA can have can be 'sensitive' in nature, and these encryption efforts run counter to their chartered openness.
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
Most businesses would have shit after a few devices were lost or stolen. Seriously, how do you lose a laptop or smartphone like that? Do thieves rove the NASA parking lot in packs? Is there a mugger riding up and down in the elevator?
My employers in my last two jobs have given me a total of three encrypted laptops, the oldest going back to the middle of 2008. If you choose an appropriate h/w vendor, an encrypted disk won't slow down the typical laptop user.
Encryption didn't seem to affect the Dell laptop; not true for the ThinkPad, it was slower than Christmas.
Circle the wagons and fire inward. Entropy increases without bounds.
I work in Gov't, state level. EVERY SINGLE laptop is encrypted. You plug in a USB, before you can move data to it, it has to be encrypted (you can move data off to computer without encrypting). You burn a CD, it gets encrypted.
They just this year started encrypting desktops also.
What I don't understand is why is it not a Fed Gov't rule that every agency that has portable media (tablets/laptops/usb/etc) has to be encrypted? This should just be standard now. Esp after having 48 incidents in 3 years? WTF, after first incident they should have started working on a plan to encrypt stuff.
What's NASA trying to hide? It looks to me like they're a bunch of terrorists...
"Grab them by the pussy" -- President of the United States of America
My company has been doing this for ages. It just makes sense and I'm really surprised NASA does not do it already.
On the practical surface of it, this should have been done long ago.
On a more theoretical basis, what's the justification for doing it at all? NASA is a publicly-funded research organization. Maximizing public benefit would call for every detail of NASA's activities to be publicly available, and "misplaced data" seems more like a happy-accident additional distribution mechanism.
The "right to be secure in one's papers" is a right of the citizen, not of the government. So what's the downside here? "Other countries might learn how to do our stuff"? They already can.
We've been doing this at my work for a few years now. Any organization that is at all concerned with data loss should already be doing this to all user workstations, portable AND desktop. Anything less is bordering on malpractice.
deleting the extra space after periods so i can stay relevant, yeah.
... most crypto these days tends to be resistant to "known plaintext attacks".
256-bit AES is generally considered safe for geologic time, with geologic time possibly being reduced by orders of magnitude for the NSA. Any NSA /.ers care to comment?
Circle the wagons and fire inward. Entropy increases without bounds.
http://xkcd.com/538/
.nosig
Boeing did this 6 years ago.
An awful lot of people in this thread have quick and simple "just do this" solutions for NASA's data encryption challenges.
NASA isn't your standard corporate environment - there are serious challenges to any "Just do X" solution. They DO need to encrypt everything but it's not a simple single-answer thing. They have to accommodate every scenario from "HR newbie with PII data in an office environment" to "Laptop collecting data on a C-130 as it flies through hurricanes" to "Laptops controlling robots in the desert during field tests simulating Martian environments".
In many of those cases a laptop with broken encryption software means millions of wasted dollars if the experiment is a wash.
In other cases NOT having crypto means serious secrecy issues.
Anyway, there's no excuse for this loss but could we please stop pretending that NASA literally never considered DAR on mobile devices, and that simply doing {your favorite product} on everything would solve all the problems?
Thanks....
An encrypted laptop is not a be all and end all. I wonder what program they are using for their FDE encryption, since some are better than others, especially when it comes to recovering data.
I have used one commercial program which, if the MBR gets hosed, the drive is worthless. No way to recover, period. Other utilities like TrueCrypt allow for backup CDs to be made so one has a good chance at recovery.
I'm assuming the laptops are running Windows. If so, humble old BitLocker is pretty good. With the TPM, it protects against a good amount of attacks. It also can use a USB flash drive and/or a PIN. Recoverability is easy -- either use a file saved off, use the entries stored in AD, or a data recovery agent.
I use this on laptops I use -- if I'm holding the USB flash drive and the laptop is off, then I know a blackhat will score hardware if it is stolen, but the contents of the laptop are definitely not theirs. I also use a HDD password just so the drive is not usable in any shape or form.
Do you think the laptops were really lost or stolen or maybe some people that work there just needed a 'new' computer to use at home
Any NSA /.ers care to comment?
Are you prepared to die? ;-)
People in cars cause accidents....accidents in cars cause people
Large corporations already do this, and have been for years.
I wonder how it will be before other large organizations start following suit as a sensible precaution?
I'm pretty sure that laptop encryption IS the standard at most big businesses these days. It is in the company that writes my paychecks, anyway. I think NASA was just behind the times on this issue.
wait... you can put a rover on mars, use the rockets to counter balance the gravity, use weights on one side of the delivery vessel to deal with cold or hot weather and drag created by the atmosphere... but you waited till 2012 to encrypt laptops... that has to be the dumbest group of smart people I've ever met.
I work for a large corp whose own screw ups with lost un-encrypted PC has been duly noted here on Slashdot. It is corporate policy to encrypt every hard drive that is not locked up. With Win7 and bitlocker it's simple to get encryption for 80%+ of normal users.
depends.
Do you define 'Geologic time' as the time it takes to beat a password out of someone? Or the time it takes to ask the corporation to turn the key over?
The Kruger Dunning explains most post on
As an Ontario Public Health unit we've had to have all of our Mobile devices fully encrypted for some time now. If planned right and the right tools are used the encryption doesn't add that much burden to IT, except for when you deploy systems. Although if you go for 2 factor Auth, 1 password for encryption, another for the domain/computer access then you have extra password resets coming your way.
With a lot of the new developments in SEDs (self encrypting drives) you can cut the time to encrypt down to seconds.
I was in charge of testing/verification of full disk crypto when my then-employer (Hydro) mandated it almost 20 years ago
Because 20 years ago, the resources that it took were extreme so an extreme need was required to even consider it. A bit less than a decade ago, the resource usage became light enough to where most anyone could consider it and, not surprisingly, we are seeing it done more often. This is not rocket science... pun only slightly intended.
"Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
I've personally been using LUKS for 4-5 years but I've also taken a power/performance hit for doing so.
Just ordered a new laptop with an i5 in it, and even within the i5 family I had to be careful to order a chip with AES-NI in it (the unit with the other specs I wanted winds up being mid-market due to limited configuration choice). But at least now the top 50% of the market has AES-NI built-in and those trade-offs are something to not-so-fondly remember.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
This will only stop data thieves who are too stupid to turn the laptop over and read the password off the owner's Post-It note.
No, the resource usage was not "extreme":
We did measure some slowdown of applications, but mostly in the single-digit percentage range.
This was simply because most applications those days did all their work in memory, only Microsoft's virtual disk swapper would use the disk during normal operation, and then only in case you suddenly needed a lot of free memory space.
Bulk load of application and data files did slow down a bit, but significantly less than 50%, i.e. the hard drive did not suddenly become half as fast even for bulk transfers.
When I was involved in the AES process more than 10 years ago, one of our targets was to optimize the crypto code so that a 1996 vintage PentiumPro could handle a 100 Mbit/s full-duplex communication line, or correspondingly about 20 MB/s of disk en/de-cryption.
Today full disk crypto is effectively free, except in power usage, since all computers have multiple cores, most of which are idle even when an application is working hard, and a single core can keep up with the fastest available (spinning) hard drive. A modern i7 core with the AES extensions can do the crypto without getting hot. :-)
Terje
"almost all programming can be viewed as an exercise in caching"
but then again.. it's not rocket science.
I come to Slashdot only to read sigs. One you are reading is mine.
I work for a fairly large university. It's been part of our IT standard that all laptops must have full-disk encryption for a few years now.
No need to beat - threats and bribery, or just cuteness and heavy breathing, will generally work fine. In red team tests back in 1999 (IIRC) a Navy group found that the average cost to bribe a sys admin to let 'bad guys' into the data center and provide passwords to get in was about $7000. With inflation, maybe that's $10,000 now.
I'm sure that 90% of workers would give up the password with merely a threat of pain, although I like to think that most would resist bribing.
It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
This.
In other words, nothing.
Where I work, all laptops are required to have full disk encryption. These are windows laptops, and includes the swap file. And this includes developer machines. Building large source trees on a machine with this encryption just isn't realistically feasible, but it's what we're expected to do...
The security people tested it out first of course - on some support machines that do nothing more than email and word. And because it worked well enough there it was rolled out company-wide...
FDE is only effective if the laptop is turned off... do you guys really always shut your laptops down? I can't think of the last time I actually powered off my personal OR work laptop. Basically what I'm saying is... there's not much gain here, though it is relatively easy to implement.
All my laptops have an encrypted /home... it doesn't take a genius to think of such a precaution, does it?
There's a lot of people who bemoan unencrypted laptops as being dangerous and irresponsible. The problem is that the management will require that the IT guys only use certain big corporate encryption solutions that have bits of paper saying they're 'secure' which as we all know means nothing of the sort. Plus, those big corporate systems are usually so badly implemented that they cause a nice, new, nippy laptop to slow down so far you'd be better off typing a document on a typewriter. Corporate encryption and security software tends to suck the big one. Much better to leave PCs unencrypted but to require people to store everything on something like a secure external HDD or Ironkey-type USB drive.
to tell employees not to put personal information on government owned computers?