NASA To Encrypt All of Its Laptops
pev writes "After losing another laptop containing personal information, NASA wants to have all of its laptops encrypted within a month's time with an intermediate ban on laptops containing sensitive information leaving its facilities. Between April 2009 and April 2011 it lost or had stolen 48 'mobile computing devices.' I wonder how long it will be before other large organizations start following suit as a sensible precaution?"
They waited this long because? First?
Why is this not done already? Between truecrypt and (ack) bitlocker, it's relatively easy. Add in a robust backup system, which any organization should have already, and it is cheap and fairly easy to implement.
Silence is a state of mime.
For the lazy it does the job well. No need to spend budget on it.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
I worked for a major technology vendor. A few years back they mandated full disk encryption on all laptops (good idea, right?). Problem was they went with some company I never heard of and the stuff would randomly corrupt and all data would be lost. Certain people (executives) lost a lot of data because the only copies were on the laptops. This was all sorts of fun for the IT group.
I'm quite close to a different national lab type of federal facility and all of their laptops have been encrypted for at least a few years now. The stuff here isn't any more sensitive than the stuff there - it's just under an actual cabinet position. Bureaucracy may sometimes be a headache - but enforcing common sense policies is one of its strong suits. Besides - is NASA really benefiting in its efficiency from its "bureaucratic freedom"?
They must have been waiting years for something like this.
In space no-one can hear your vuvuzela.
NASA is a huge bureaucracy that is behind the curve in this aspect. The sad part is that they apparently have more laptops to lose with HR type information on them than they do ITAR. Which pretty much sums up NASA right now.
You know? Endpoint encryption is trivial. There are so many products that do it effectively and easily. Why is this being done so late? Where I work, we do that to EVERY computer a user touches, not just laptops. If it isn't locked behind a server room door, it's locked to a desk and the HDD encrypted. Even the receptionist machine is encrypted.
What the hell are these people even thinking?
Sure... data recovery is more expensive or more impossible. I get that. But you know? It's kind of worth it. Also, if it's important data that lives ONLY on the endpoint machine? Well, that's another thing they are doing wrong.
Jesus, the small company I worked for (400 employees or so) had all but the desktop machines encrypted many years ago. I can't remember what they used before the built in windows encryption, but at least they had something there.
It's insane to hear that large companies don't have their machines encrypted though it's a mouseclick away for their IT-dept while prepping the computer for deployment.
*face palm*
Wait, NASA doesn't encrypt its laptops? Why not?
Just use Bitlocker, it's enforced by GPO where I work. Or if on another system, truecrypt or just CryptFS.
Why is this an issue?
That seems like a project that will take longer than a month. Full disk encryption on a large scale is a PITA.
I work for A Very Large Health Plan, and it is policy that all work laptops use encrypted harddrives and USB drives.
The laptops that are issued out to us workers already come encrypted, and also with the software that only allows writing to USB drives if you allow the software to encrypt the USB drive.
So far, seems to work, but does make a new laptop seem to be modest at boot/read/write times.
Uh, Linux geek since 1999.
You know, we've been doing this for four years where I work. And yes, I know everyone here is going to espouse Truecrypt as the one true solution, but the simple fact is NASA is run as a corporation... as such they'll probably go for a solution that's vendor supported. The fact that they're NASA will probably mean they'll get a pretty decent price on the software too.
Now, the downside of full-disk encryption (which many lazy corporations do instead of home directory only) is that it does increase the load on your system, slow it down and make recovery if/when it breaks a royal pain. Our helpdesk has an almost constant stream of laptops coming and going through their hands that they have to decrypt and re-encrypt because something got out of sync. Time consuming, and leads to downtime for the users. I've often suggested home folder only encryption... but the higher ups want it all encrypted... right up to the point that their laptop is down for two days because they've broken it.
By the way, another horrible side effect of whole disk encryption is that our experience says that it'll kill SSDs pretty rapidly. Our average SSD life is less than a year at this point because there doesn't seem to be a good full-disk encryption software that properly implements TRIM... so spinning disk or hybrid disk is the way to go.
They are worried that Aliens might steal their technology
Somebody might find out they already stole alien technology
They are worried that the FBI might hack into their emails and find out who they are having affairs with
Sheldon Addison might wonder where the money he gave Newt went
The security laws in the US after 9/11 force a lot of big corps to encrypt. As far as I can tell it slows down boot time and forces IT to take 2 days to turn around anything as there is 12hrs to decrypt the hdd and then 12 to re-crypt. This month we got told to put stickers on all documents to state its security level... I'm really sure those stickers "CORP. INTERNAL ONLY" will really slow down those outsider eyes. Soon I'm sure we will have to use a secret de-coder ring to read the print out. Really, have you guys read most internal documents? They are of little interest to the people who are PAID to read them.
Life is like untied shoe laces; it's always tripping you up and getting in your way.
I'm surprised that this is not already standard procedure. If it were up to me I'd probably disable all the USB ports as well. If you've got the best firewall in the world it won't be worth a plug nickel if someone takes a flash drive with a virus on it and plugs it into a PC in the office. Now you're inside the firewall and it spreads like wildfire.
A known problem since the first laptop was issued, but ignored until today.
Now that the shit hits the fan they want it done yesterday.
Love many, trust a few, do harm to none.
I was in charge of testing/verification of full disk crypto when my then-employer (Hydro) mandated it almost 20 years ago:
At that time 5 vendors made it through our pre-qualification tests, among these I was able to trivially break 3 of them (replace a conditional branch with its opposite), one took 20 minutes and only Utimaco's SafeGuard Easy had done a proper security design, where the user password was used as (part of) the seed for the key used to decrypt a copy of the master disk key.
I.e. the system _must_ be safe against attack from anyone, including the vendor!
I wrote a longer post about this the previous time the same issue came up on /.
Terje
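Added example, not part of any post in this thread and not any vendor's code: the difference between a password that only feeds a comparison in the boot code and a password that seeds the key which decrypts a copy of the master disk key. All function names are hypothetical, and the PBKDF2-derived XOR pad plus HMAC tag is a standard-library stand-in for a real key-wrap primitive such as AES key wrap.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example


def make_weak_header(master_key: bytes, password: str) -> dict:
    """Branch-gated design: the disk key is stored as-is and the password
    is only compared against a stored check value."""
    salt = os.urandom(16)
    check = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "check": check, "disk_key": master_key}


def weak_unlock(header: dict, password: str):
    guess = hashlib.pbkdf2_hmac("sha256", password.encode(), header["salt"], ITERATIONS)
    if hmac.compare_digest(guess, header["check"]):  # the only barrier is this branch
        return header["disk_key"]
    return None


def _derive(password: str, salt: bytes):
    """Password -> (32-byte wrapping pad, 32-byte MAC key)."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def wrap_key(master_key: bytes, password: str) -> dict:
    """Password-seeded design: store only a wrapped copy of the disk key."""
    if len(master_key) != 32:
        raise ValueError("this example wraps 32-byte keys only")
    salt = os.urandom(16)  # fresh salt per slot, so the pad is never reused
    pad, mac_key = _derive(password, salt)
    wrapped = bytes(m ^ p for m, p in zip(master_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_key(slot: dict, password: str, verify: bool = True):
    """verify=False models a boot loader whose check has been bypassed."""
    pad, mac_key = _derive(password, slot["salt"])
    expected = hmac.new(mac_key, slot["salt"] + slot["wrapped"], hashlib.sha256).digest()
    if verify and not hmac.compare_digest(expected, slot["tag"]):
        return None
    return bytes(w ^ p for w, p in zip(slot["wrapped"], pad))


def header_exposes_key(header: dict, master_key: bytes) -> bool:
    """Audit: does any stored field contain the disk key verbatim?"""
    return any(master_key in v for v in header.values() if isinstance(v, bytes))


if __name__ == "__main__":
    mk = os.urandom(32)  # constructed sample disk key
    weak = make_weak_header(mk, "correct horse")
    user_slot = wrap_key(mk, "correct horse")     # one copy per credential,
    admin_slot = wrap_key(mk, "recovery phrase")  # same underlying disk key
    print("weak header exposes key:   ", header_exposes_key(weak, mk))
    print("wrapped slot exposes key:  ", header_exposes_key(user_slot, mk))
    print("bypassed check, wrong pass:", unwrap_key(user_slot, "x", verify=False) == mk)
    print("admin slot recovers key:   ", unwrap_key(admin_slot, "recovery phrase") == mk)
```

In the wrapped design the comparison is only a convenience for rejecting typos: skipping it with the wrong password yields bytes that are not the disk key.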
"almost all programming can be viewed as an exercise in caching"
It is not stupid by any means, the system stores information all over the place. It would be too hard to try and encrypt each one by itself. It is far easier to just encrypt the whole thing. You would be surprised how little of a hit you take in performance. I used TrueCrypt for a good while and I never noticed any slow down at all. Encryption like AES is extremely fast.
System encryption provides the highest level of security and privacy, because all files, including any temporary files that Windows and applications create on the system partition (typically, without your knowledge or consent), hibernation files, swap files, etc., are always permanently encrypted (even when power supply is suddenly interrupted). Windows also records large amounts of potentially sensitive data, such as the names and locations of files you open, applications you run, etc. All such log files and registry entries are always permanently encrypted too.
http://www.truecrypt.org/docs/
At this point, why not have them VPN in to a central server, and keep all work materials there?
Between the trendy "cloud" and the availability of high-speed internet and most computers having encryption cycles to spare, our machines are now souped-up thin clients.
The idea that people need to take gigabytes or even megabytes (640k is ok though) of confidential data home with them on their laptops needs to be questioned. What are you doing with all of that? At home? On the subway?
Forget it: keep the data under control, and make the laptops worthless to foreign espionage.
I work for the Federal Government and every laptop has to have FDE in order to leave the building. This policy has been in place for years. NASA is just behind the times of every other federal agency. Too busy playing with robots, I assume.
sudo make me a sandwich
NONONNONONONO
This is not how you deal with an incident like this. You have to reexamine your infrastructure and find out *why* that info was on an endpoint to begin with. This is the same BS kneejerk reaction that makes for bad IT planning. Just go and wallpaper over it with a band-aid and look all betterer.
HULK SMASH!!!!
They're leased from HP as part of the NASA ACES contract:
http://www.nasa.gov/home/hqnews/2010/dec/HQ_C10-080_ACES.html
Prior to that, there was a contract with Lockheed Martin.
They have to put out a specification of what they want the machine configuration to look like, and then HP gives 'em a cost per month for it.
And the 'devices' lost aren't necessarily laptops ... it could be cell phones or tablets, which are also leased through ACES.
There *are* ways around this, but you have to do more paperwork, and then you can buy stuff off SEWP, and they're maintained by different groups of sysadmins (assigned to the mission, project or division).
And to make it more fun -- if you sign all of the paperwork to take a government furnished computer off site as a contractor, you're liable for the full original purchase price, no depreciation. (this might not be true for ACES) ... so I know a few people who brought their work-assigned laptops back and said they'd rather buy their own ... which means there's then *NO* control over them ... although they're not supposed to put SBU / ACI on it.
Build it, and they will come^Hplain.
I thought NASA was ordered to be completely open and no information was to be considered sensitive. This was ordered at its inception when it was created to provide the space program, in order to NOT be military in nature so that the Russians would not be worried. Sure they have shared information over the years but nothing NASA has done has been military in nature.
It seems to me then, that nothing NASA can have can be 'sensitive' in nature, and these encryption efforts run counter to their chartered openness.
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
1. I don't think there will be much chance of a laptop being carelessly knocked off a window sash onboard the ISS any time soon.
2. If such a thing were to happen, solar radiation and cosmic rays on bare electronics would likely take care of any data.
3. If the laptop does survive that, it's unlikely to survive re-entry.
4. If it does survive re-entry, it'll likely still be travelling at several hundred miles per hour and be uncomfortably hot by the time it falls *through* the hands of some nefarious individual.
Operation Guillotine is in effect.
My employers in my last two jobs have given me a total of three encrypted laptops, the oldest going back to the middle of 2008. If you choose an appropriate h/w vendor, an encrypted disk won't slow down the typical laptop user.
Encryption didn't seem to affect the Dell laptop; not true for the ThinkPad, it was slower than Christmas.
Circle the wagons and fire inward. Entropy increases without bounds.
I work in Gov't, state level. EVERY SINGLE laptop is encrypted. You plug in a USB, before you can move data to it, it has to be encrypted (you can move data off to computer without encrypting). You burn a CD, it gets encrypted.
They just this year started encrypting desktops also.
What I don't understand is why is it not a Fed Gov't rule that every agency that has portable media (tablets/laptops/usb/etc) has to be encrypted? This should just be standard now. Esp after having 48 incidents in 3 years? WTF, after first incident they should have started working on a plan to encrypt stuff.
My company has been doing this for ages. It just makes sense and I'm really surprised NASA does not do it already.
Or could just go with someone other than Macrapy. Ubuntu I believe gives the option to encrypt the whole drive or just the home folder in the install wizard, and windows 7 enterprise has full disk encryption as an option if my memory serves me.
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
We've been doing this at my work for a few years now. Any organization that is at all concerned with data loss should already be doing this to all user workstations, portable AND desktop. Anything less is bordering on malpractice.
deleting the extra space after periods so i can stay relevant, yeah.
Yep, they seem to be 90% Mac from what I see on the TV news. So I take it OS X's built-in FileVault won't do the trick. So what else is out there in the World of OS X security packages?
Why would they be forced to Windows? Any time I've installed a Linux distro recently, it's at least asked if I want to encrypt my home folder.
which is totally what she said
I thought that too
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
... most crypto these days tends to be resistant to "known plaintext attacks".
/.ers care to comment?
256-bit AES is generally considered safe for geologic time, with geologic time possibly being reduced by orders of magnitude for the NSA. Any NSA
Circle the wagons and fire inward. Entropy increases without bounds.
That can be addressed via things like vpro.
Charter Member of The Committee Group For The Elimination And Eradication Of Repetitive Redundancy
Boeing did this 6 years ago.
http://www.space.com/14531-nasa-mars-missions-budget-cuts-2013.html
Rich
An awful lot of people in this thread have quick and simple "just do this" solutions for NASA's data encryption challenges.
NASA isn't your standard corporate environment - there are serious challenges to any "Just do X" solution. They DO need to encrypt everything but it's not a simple single-answer thing. They have to accommodate every scenario from "HR newbie with PII data in an office environment" to "Laptop collecting data on a C-130 as it flies through hurricanes" to "Laptops controlling robots in the desert during field tests simulating Martian environments".
In many of those cases a laptop with broken encryption software means millions of wasted dollars if the experiment is a wash.
In other cases NOT having crypto means serious secrecy issues.
Anyway, there's no excuse for this loss but could we please stop pretending that NASA literally never considered DAR on mobile devices, and that simply doing {your favorite product} on everything would solve all the problems?
Thanks....
Chief reason is to encrypt the swap file. If the swap file is not encrypted, keys and data could be potentially retrieved.
The world's burning. Moped Jesus spotted on I50. Details at 11.
That's the biggest suckage for us. We went to fully encrypted laptops and desktops this spring as a requirement of a government contract we won. Used Truecrypt, which is pretty painless, but it's pretty much killed remote work on our branch office machines. Now someone has to be there to fire it back up again.
Oh what I would give for Truecrypt to build in remote password entry like I can do with dmcrypt on *nix.
The world's burning. Moped Jesus spotted on I50. Details at 11.
Any NSA /.ers care to comment?
Are you prepared to die? ;-)
People in cars cause accidents....accidents in cars cause people
I wonder how it will be before other large organizations start following suit as a sensible precaution?
I'm pretty sure that laptop encryption IS the standard at most big businesses these days. It is in the company that writes my paychecks, anyway. I think NASA was just behind the times on this issue.
I work for a large corp whose own screw ups with lost un-encrypted PC has been duly noted here on Slashdot. It is corporate policy to encrypt every hard drive that is not locked up. With Win7 and bitlocker it's simple to get encryption for 80%+ of normal users.
depends.
Do you define 'Geologic time' as the time it takes to beat a password out of someone? Or the time it takes to ask the corporation to turn the key over?
The Kruger Dunning explains most post on
Do you know they send electronic signals to the Space Station? I know, amazing, right?
Did you know electronic signals can be used to get into a computer by a person who isn't even in the same room? I know, shocking!
The Kruger Dunning explains most post on
I was in charge of testing/verification of full disk crypto when my then-employer (Hydro) mandated it almost 20 years ago
Because 20 years ago, the resources that it took were extreme so an extreme need was required to even consider it. A bit less than a decade ago, the resource usage became light enough to where most anyone could consider it and, not surprisingly, we are seeing it done more often. This is not rocket science... pun only slightly intended.
"Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
I've personally been using LUKS for 4-5 years but I've also taken a power/performance hit for doing so.
Just ordered a new laptop with an i5 in it, and even within the i5 family I had to be careful to order a chip with AES-NI in it (the unit with the other specs I wanted winds up being mid-market due to limited configuration choice). But at least now the top 50% of the market has AES-NI built-in and those trade-offs are something to not-so-fondly remember.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
No, the resource usage was not "extreme":
We did measure some slowdown of applications, but mostly in the single-digit percentage range.
This was simply because most applications those days did all their work in memory, only Microsoft's virtual disk swapper would use the disk during normal operation, and then only in case you suddenly needed a lot of free memory space.
Bulk load of application and data files did slow down a bit, but significantly less than 50%, i.e. the hard drive did not suddenly become half as fast even for bulk transfers.
When I was involved in the AES process more than 10 years ago, one of our targets was to optimize the crypto code so that a 1996 vintage PentiumPro could handle a 100 Mbit/s full-duplex communication line, or correspondingly about 20 MB/s of disk en/de-cryption.
Today full disk crypto is effectively free, except in power usage, since all computers have multiple cores, most of which are idle even when an application is working hard, and a single core can keep up with the fastest available (spinning) hard drive. A modern i7 core with the AES extensions can do the crypto without getting hot. :-)
Terje
"almost all programming can be viewed as an exercise in caching"
Would you be willing to work for NASA if your Social Security number were posted on a publicly available website?
Wouldn't a rubber hose be better than a wrench? If you hit people upside the head with wrenches, they're not going to be able to give you much information.
but then again... it's not rocket science.
I come to Slashdot only to read sigs. One you are reading is mine.
I work for a fairly large university. It's been part of our IT standard that all laptops must have full-disk encryption for a few years now.
No need to beat - threats and bribery, or just cuteness and heavy breathing, will generally work fine. In red team tests back in 1999 (IIRC) a Navy group found that the average cost to bribe a sys admin to let 'bad guys' into the data center and provide passwords to get in was about $7000. With inflation, maybe that's $10,000 now.
I'm sure that 90% of workers would give up the password with merely a threat of pain, although I like to think that most would resist bribing.
It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
Where I work, all laptops are required to have full disk encryption. These are windows laptops, and includes the swap file. And this includes developer machines. Building large source trees on a machine with this encryption just isn't realistically feasible, but it's what we're expected to do...
The security people tested it out first of course - on some support machines that do nothing more than email and word. And because it worked well enough there it was rolled out company-wide...
Do you know they send electronic signals to the Space Station? I know, amazing, right?
Did you know electronic signals can be used to get into a computer by a person who isn't even in the same room? I know, shocking!
Do you know that encrypting the disk is a way of protecting against getting data from machines that are turned off and provides no protection at all against being hacked by remote access?
Watch this Heartland Institute video
Most businesses would have shit after a few devices were lost or stolen. Seriously, how do you lose a laptop or smartphone like that? Do thieves rove the NASA parking lot in packs? Is there a mugger riding up and down in the elevator?
For an organization of that size with a fair share of mobile users, I do not think the number is very high. Our organization has all policies and training in place to avoid laptop theft, but there are still quite a few of them. Most happen during travel. Airports are bad. Then again, most organizations keep their numbers internal, so we will not know if NASA loses more than the average.