Slashdot Mirror
NASA To Encrypt All of Its Laptops
pev writes "After losing another laptop containing personal information, NASA wants to have all of its laptops encrypted within a month's time with an intermediate ban on laptops containing sensitive information leaving its facilities. Between April 2009 and April 2011 it lost or had stolen 48 'mobile computing devices.' I wonder how long it will be before other large organizations start following suit as a sensible precaution?"
They waited this long because? First?
Why is this not done already? Between truecrypt and (ack) bitlocker,it s relatively easy. Add in a robust backup system, which any organization should have already, and it is cheap and fairly easy to implement.
Silence is a state of mime.
I'm quite close to a different national lab type of federal facility and all of their laptops have been encrypted for at least a few years now. The stuff here isn't any more sensitive than the stuff there - it's just under an actual cabinet position. Bureaucracy may sometimes be a headache - but enforcing common sense policies is one of it's strong suits. Besides - is NASA really benefiting in it's efficiency from it's "bureaucratic freedom"?
NASA is a huge bureaucracy that is behind the curve in this aspect. The sad part is that they apparently have more laptops to lose with HR type information on them than they do ITAR. Which pretty much sums up NASA right now.
You know? Endpoint encryption is trivial. There are so many products that do it effectively and easily. Why is this being done so late? Where I work, we do that to EVERY computer a user touches, not just laptops. If it isn't locked behind a server room door, it's locked to a desk and the HDD encrypted. Even the receptionist machine is encrypted.
What the hell are these people even thinking?
Sure... data recovery is more expensive or more impossible. I get that. But you know? It's kind of worth it. Also, if it's important data that lives ONLY on the endpoint machine? Well, that's another thing they are doing wrong.
Jesus, the small company I worked for (400 employees or so) had all but the desktop machines encrypted many years ago. I can't remember what they used before the built in windows encryption, but at least they had something there.
It's insane to hear that large companies don't have their machines encrypted though it's a mouseclick away for their IT-dept while prepping the computer for deployment.
*face palm*
You know, we've been doing this for four years where I work. And yes, I know everyone here is going to espouse Truecrypt as the one true solution, but the simple fact is NASA is run as a corporation... as such they'll probably go for a solution that's vendor supported. The fact that they're NASA will probably mean they'll get a pretty decent price on the software too.
Now, the downside of full-disk encryption (which many lazy corporations do instead of home directory only) is that it does increase the load on your system, slow it down and make recovery if/when it breaks a royal pain. Our helpdesk has an almost constant stream of laptops coming and going through their hands that they have to decrypt and re-encrypt because something got out of sync. Time consuming, and leads to downtime for the users. I've often suggested home folder only encryption... but the higher ups want it all encrypted... right up to the point that their laptop is down for two days because they've broken it.
By the way, another horrible side effect of whole disk encryption is that our experience says that it'll kill SSD's pretty rapidly. Our average SSD life is less than a year at this point because there doesn't seem to be a good full-disk encryption software that properly implements TRIM... so spinning disk or hybrid disk is the way to go.
For the lazy it does the job well. No need spend budget on it.
There is a reason to spend budget if you are an enterprise or have a need for centralized key recovery. While you don't want to leak data if your laptop falls in the wrong hands, you also don't want to lose data if your employee forgets their decryption key (either by accident or as a malicious action.)
Easy to understand for someone with experience, totally impossible concept to grasp for people who never had this problem with larger networks.
Love many, trust a few, do harm to none.
I was in charge of testing/verification of full disk crypto when my then-employer (Hydro) mandated it almost 20 years ago:
At that time 5 vendors made it through our pre-qualification tests, among these I was able to trivially break 3 of them (replace a conditional branch with its opposite), one took 20 minutes and only Utmaco's SafeGuard Easy had done a proper security design, where the user password was used as (part of) the seed for the key used to decrypt a copy of the master disk key.
I.e. the system _must_ be safe against attack from anyone, including the vendor!
I wrote a longer post about this the previous time the same issue came up on /.
Terje
"almost all programming can be viewed as an exercise in caching"
At this point, why not have them VPN in to a central server, and keep all work materials there?
Between the trendy "cloud" and the availability of high-speed internet and most computers having encryption cycles to spare, our machines are now souped-up thin clients.
The idea that people need to take gigabytes or even megabytes (640k is ok though) of confidential data home with them on their laptops needs to be questioned. What are you doing with all of that? At home? On the subway?
Forget it: keep the data under control, and make the laptops worthless to foreign espionage.
I work for the Federal Government and every laptop has to have FDE in order to leave the building. This policy has been in place for years. NASA is just behind the times of every other federal agency. Too busy playing with robots, I assume.
sudo make me a sandwich
NONONNONONONO
This is not how you deal with an incident like this. You have to reexamine your infrastructure and find out *why* that info was on an endpoint to begin with. This is teh same BS kneejerk reaction that makes for bad IT planning. Just go and wallpaper of it with a band-aid and look all betterer.
HULK SMASH!!!!
They're leased from HP as part of the NASA ACES contract :
http://www.nasa.gov/home/hqnews/2010/dec/HQ_C10-080_ACES.html
Prior to that, there was a contract with Lockheed Martin.
They have to put out a specification of what they want the machine configuration to look like, and then HP gives 'em a cost per month for it.
And the 'devices' lost aren't necessarily laptops ... it could be cell phones or tablets, which are also leased through ACES.
There *are* ways around this, but you have to do more paperwork, and then you can buy stuff off SEWP, and they're maintained by different groups of sysadmins (assigned to the mission, project or division).
And to make it more fun -- if you sign all of the paperwork to take a government furnished computer off site as a contractor, you're liable for the full original purchase price, no depreciation. (this might not be true for ACES) ... so I know a few people who brought their work-assigned laptops back and said they'd rather buy their own ... which means there's then *NO* control over them ... although they're not supposed to put SBU / ACI on it.
Build it, and they will come^Hplain.
That's why it's a lot better to be pro-active about it and handle it pre-deploy. A month to play catch up isn't actually all that bad. Then again I think it'll probably take them longer anyways.
I thought NASA was ordered to be completely open and no information was to be considered sensitive. This was ordered at its inception when it was created to provide the space program, in order to NOT be military in nature so that the Russians would not be worried. Sure they have shared information over the years but nothing NASA has done has been military in nature.
It seems to me then, that nothing NASA can have can be 'sensitive' in nature, and these encryption efforts run counter to t heir chartered openness.
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
1. I don't think there will be much chance of a laptop being carelessly knocked off a window sash onboard the ISS any time soon.
2. If such a thing were to happen, solar radiation and cosmic rays on bare electronics would likely take care of any data.
3. If the laptop does survive that, it's unlikely to survive re-entry.
4. If it does survive re-entry, it'll likely still be travelling at several hundred miles per hour and be uncomfortably hot by the time it falls *through* the hands of some nefarious individual.
Operation Guillotine is in effect.
Any NSA /.ers care to comment?
Are you prepared to die? ;-)
People in cars cause accidents....accidents in cars cause people
depends.
Do you define 'Geologic time' as the time it takes to beat a password out of someone? Or the time it takes to ask the corporation to turn the key over?
The Kruger Dunning explains most post on
I've personally been using LUKS for 4-5 years but I've also taken a power/performance hit for doing so.
Just ordered a new laptop with an i5 in it, and even within the i5 family I had to be careful to order a chip with AES-NI in it (the unit with the other specs I wanted winds up being mid-market due to limited configuration choice). But at least now the top 50% of the market has AES-NI built-in and those trade-offs are something to not-so-fondly remember.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)