NASA To Encrypt All of Its Laptops

← Back to Stories (view on slashdot.org)

NASA To Encrypt All of Its Laptops

Posted by timothy on Thursday November 15, 2012 @03:51AM from the violators-will-be-employed-with-social-security dept.

pev writes "After losing another laptop containing personal information, NASA wants to have all of its laptops encrypted within a month's time with an intermediate ban on laptops containing sensitive information leaving its facilities. Between April 2009 and April 2011 it lost or had stolen 48 'mobile computing devices.' I wonder how long it will be before other large organizations start following suit as a sensible precaution?"

21 of 226 comments (clear)

Min score:

Reason:

Sort:

They waited this long because? by Liquidretro · 2012-11-15 03:55 · Score: 3, Interesting

They waited this long because? First?
1. Re:They waited this long because? by baoru · 2012-11-15 03:56 · Score: 5, Funny
  
  Obviously it took them this long because it's not rocket science.
2. Re:They waited this long because? by jonnyj · 2012-11-15 04:03 · Score: 4, Informative
  
  In the UK, the Information Commissioner has for many years routinely fined any company that loses an unencrypted laptop - even, in one famous case, where the laptop was stolen in a burglary at an employee's own home. It's unheard of for any large organisation over here to _not_ have encryption on all portable devices. I'm gobsmacked that NASA has been so slack.
3. Re:They waited this long because? by Rootbear · 2012-11-15 04:29 · Score: 5, Interesting
  
  This is not a new policy. The implementation of full disk encryption has been underway for some time. We are doing laptops first, then desktops. The current fire drill is because a laptop with PII was stolen at NASA HQ and it was one that had not yet had full disk encryption installed.
  NASA IT staff are as overworked and under appreciated as anywhere. If NASA had wanted full disk encryption done sooner, they could have added the resources to make it happen. And that would have taken resources from missions, like Curiosity and the James Webb telescope. It's all about priorities.
4. Re:They waited this long because? by Culture20 · 2012-11-15 04:43 · Score: 5, Insightful
  
  Resources == salaries. Do you pay two IT guys or an engineer/scientist?
5. Re:They waited this long because? by NumenMaster · 2012-11-15 04:57 · Score: 4, Insightful
  
  Funny enough right? How is it not STANDARD practice? I work for a really small state agency and that's the FIRST thing we do after imaging our laptops. It's been our policy for years. I'm so awestruck at the news.
  
  --
  Where's my sock? There it is...
6. Re:They waited this long because? by geekoid · 2012-11-15 05:50 · Score: 4, Insightful
  
  They have a finite pool of money. Putting something in IT takes money from the finite pool.
  The poster is correct, ti's about priorities.
  Since that vast majority of information NASA has is useless to anyone not in a space agency, it seems this was a good priority of limited funds.
  
  --
  The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
7. Re:They waited this long because? by mrchaotica · 2012-11-15 05:54 · Score: 3, Funny
  
  That's amazing! I have the same combination on my luggage!
  (Don't blame me; somebody had to say it!)
  
  --
  "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
8. Re:They waited this long because? by ae1294 · 2012-11-15 06:13 · Score: 3, Informative
  
  Because the typical end user is stupid and forgets their password.
  On a normal laptop, this means a bit of inconvenience.
  On an encrypted laptop, this means a loss of all data.
  You have to have solutions for this problem in place before you can roll it out.
  No it doesn't. You add a second admin key to all the laptops.. It's not rocket science..
9. Re:They waited this long because? by luis_a_espinal · 2012-11-15 06:38 · Score: 5, Insightful
  
  This is not a new policy. The implementation of full disk encryption has been underway for some time. We are doing laptops first, then desktops. The current fire drill is because a laptop with PII was stolen at NASA HQ and it was one that had not yet had full disk encryption installed.
  NASA IT staff are as overworked and under appreciated as anywhere. If NASA had wanted full disk encryption done sooner, they could have added the resources to make it happen. And that would have taken resources from missions, like Curiosity and the James Webb telescope. It's all about priorities.
  But therein lies the problem. It should not be underway for some time. It should have been in place as an iron-fist de-factor rule a long time ago.
  I sympathize with you and the other IT folks. Underfunded and under appreciated IT and dev folks alike. It is shitty, and I know what it's like (been there, don't that.) But, to not have laptops encrypted? To furnish unencrypted laptops? There is some serious break-ups there man. Why? Because, however overworked your team might be, I have a hard time believing that IT will furnish an un-imaged laptop, as-is from the vendor/supplier, to the user. I'm sure IT images the laptops, so it stands to reason that the imaging will include encryption.
  If the laptops are being furnished as-is from the vendors, that's a fuck-up.
  If the laptops do get imaged, but do not get encryption, that's also a fuck-up.
  Any government agency has some type of security and information assurance program and guidelines. And in them, encryption of laptops must be there somewhere. If that is the case, then it is a IT fuck-up. If it is not, then it is a IA fuck-up.
  I'm not necessarily blaming you or any specific IT person, but this is a serious crap-o-lah that goes against what is pretty much standard practice with any agency or defense contractor (I work for one), or even for commercial companies. It's simply crazy.
10. Re:They waited this long because? by Darinbob · 2012-11-15 08:03 · Score: 4, Insightful
  
  Well, many want to. There are some issues though that cause inertia. Not just issues with forgetting passwords.
  - Older systems that may need upgrading before being able to have encryption, or they're able to encrypt files but not whole partitions, or they don't even run IT approved operating systems. Having some machines that don't fit into a global policy can often often slow down an IT policy to a crawl, especially when the management refuses to make an exception.
  - Reliability. Sometimes this encryption is not very stable. Seriously. Our whole department stopped cold on encryption when many of the macbooks started dying and had to be replaced within a month of being encrypted (ie, second IT passwords don't help), with about a week of downtime before the user is back up and running full speed again. Put things on hold until Lion was released (which was it's own freigh train full of breakage, though at least the encryption worked).
  - Performance. Maybe the average user doesn't care, or the exec with an expensive computer. But encryption really can slow things down tremendously. Compile times, email searches, etc, can all take a very noticeable hit, sometimes more than twice as long. Do this on an older computer or a production system and it really hurts.
  - Scheduling and availability. Not everyone is able to come in and see IT at a moment's notice. Sales people may not even live in the same state or country, and they purchase and install their own computers. IT has a tendency to want to do encryptions or upgrades at exactly the same time as a major product release.
A bit of a misconception. by sunking2 · 2012-11-15 04:00 · Score: 4, Interesting

NASA is a huge bureaucracy that is behind the curve in this aspect. The sad part is that they apparently have more laptops to lose with HR type information on them than they do ITAR. Which pretty much sums up NASA right now.
Herp Derp... why wait so long?! by erroneus · 2012-11-15 04:00 · Score: 4, Informative

You know? Endpoint encryption is trivial. There are so many products that do it effectively and easily. Why is this being done so late? Where I work, we do that to EVERY computer a user touches, not just laptops. If it isn't locked behind a server room door, it's locked to a desk and the HDD encrypted. Even the receptionist machine is encrypted.
What the hell are these people even thinking?
Sure... data recovery is more expensive or more impossible. I get that. But you know? It's kind of worth it. Also, if it's important data that lives ONLY on the endpoint machine? Well, that's another thing they are doing wrong.
[shrug] by Thumper_SVX · 2012-11-15 04:01 · Score: 5, Interesting

You know, we've been doing this for four years where I work. And yes, I know everyone here is going to espouse Truecrypt as the one true solution, but the simple fact is NASA is run as a corporation... as such they'll probably go for a solution that's vendor supported. The fact that they're NASA will probably mean they'll get a pretty decent price on the software too.

Now, the downside of full-disk encryption (which many lazy corporations do instead of home directory only) is that it does increase the load on your system, slow it down and make recovery if/when it breaks a royal pain. Our helpdesk has an almost constant stream of laptops coming and going through their hands that they have to decrypt and re-encrypt because something got out of sync. Time consuming, and leads to downtime for the users. I've often suggested home folder only encryption... but the higher ups want it all encrypted... right up to the point that their laptop is down for two days because they've broken it.

By the way, another horrible side effect of whole disk encryption is that our experience says that it'll kill SSD's pretty rapidly. Our average SSD life is less than a year at this point because there doesn't seem to be a good full-disk encryption software that properly implements TRIM... so spinning disk or hybrid disk is the way to go.
1. Re:[shrug] by sribe · 2012-11-15 04:38 · Score: 4, Interesting
  
  I've often suggested home folder only encryption... but the higher ups want it all encrypted...
  And they're absolutely correct. A laptop gets stolen that contains information which you are legally obligated to keep confidential, and you are threatened with a lawsuit over the breach of confidentiality, do you prefer:
  A) being able to say "the entire disk was encrypted"
  B) having to argue that having the user's home folder encrypted was sufficient, and potentially having to prove that no confidential data was stored outside the home folder, but having to prove that without the actual disk in your possession as evidence
Re:i don't understand... by Nos. · 2012-11-15 04:07 · Score: 3, Informative

Because there's no enterprise management behind Truecrypt, which pretty much eliminates it. I haven't looked at BitLocker for a while, but I seem to recall it had its share of issues as well. I've used Safeboot, and its not terrible.
Regardless, its not as simple as saying, "here, install this".
This is amazing: Why didn't they do it 10+ years a by Terje+Mathisen · 2012-11-15 04:13 · Score: 4, Interesting

I was in charge of testing/verification of full disk crypto when my then-employer (Hydro) mandated it almost 20 years ago:
At that time 5 vendors made it through our pre-qualification tests, among these I was able to trivially break 3 of them (replace a conditional branch with its opposite), one took 20 minutes and only Utmaco's SafeGuard Easy had done a proper security design, where the user password was used as (part of) the seed for the key used to decrypt a copy of the master disk key.
I.e. the system _must_ be safe against attack from anyone, including the vendor!
I wrote a longer post about this the previous time the same issue came up on /.
Terje

--
"almost all programming can be viewed as an exercise in caching"
AAARRRRGHHH by MrLint · 2012-11-15 04:19 · Score: 4, Insightful

NONONNONONONO
This is not how you deal with an incident like this. You have to reexamine your infrastructure and find out *why* that info was on an endpoint to begin with. This is teh same BS kneejerk reaction that makes for bad IT planning. Just go and wallpaper of it with a band-aid and look all betterer.
HULK SMASH!!!!
Re:i don't understand... by TechyImmigrant · 2012-11-15 04:24 · Score: 4, Insightful

>Yep, you've got to have a documented practice to keep track of the recovery keys encryption programs generate.
No. I work in a big corp. If I die, my FDE password dies with me and the data is gone. Real data is held on servers and managed. A PC is just an access device.

--
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Horses and Barn Doors... by Mr.+Sanity · 2012-11-15 04:42 · Score: 4, Informative

Too bad they didn't do that before I had to recieve this email this week:

OFFICE OF THE DIRECTOR
November 14, 2012
TO: JPL Employees and Contractor Personnel
FROM: Charles Elachi
SUBJECT: NASA Laptop Security Breach
On Tuesday November 13, we were all notified that a NASA laptop and official NASA documents issued to a Headquarters employee were stolen. The laptop contained records of sensitive, personally identifiable information (PII) for a large number of NASA employees, contractors and others. NASA is assessing and investigating the incident and taking every possible action to mitigate therisk of harm and/or inconvenience to affected employees.
We at Caltech/JPL are extremely concerned about the potential implications of this incident to our employees and affiliates. We have been in contact with NASA Headquarters, and they advise us that they intend to mail letters beginning this week to affected or potentially affected individuals as they are identified. NASA has not provided us with thelist of individuals whowill be notified.
In the meantime, a good resource of protective measures is the Federal Trade Commission's website, Facts for Consumers, Identity Theft: What to Know, What to Do, at: http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt01.shtm. The State of California also has information at www.privacy.ca.gov. Click on "Consumer Information Sheets" on the left-hand column and you will find several Consumer Information Sheets that may be helpful.
We call your attention to this portion of NASA's message:
"NASA has contracted with a data breach specialist, ID Experts, who will be sending letters to affected individuals, informing them that their sensitive PII was stored on the stolen laptop and they could be impacted by the breach. This notification also will provide them information on how to protect their identity using the fully managed services of ID Experts at no cost to the individual. These services will include a call center and website, credit and identity monitoring, recovery services in cases of identity compromise, an insurance reimbursement policy, educational materials, and access to fraud resolution representatives. If you receive a notification letter in the mail, follow the directions to activate your services as soon as possible.
All employees should be aware of any phone calls, emails, and other communications from individuals claiming to be from NASA or other official sources that ask for personal information or verification of it. NASA and ID Experts will not be contacting employees to ask for or confirm personal information. If you receive such a communication, please do not provide any personal information."
We will issue further relevant information as we learn more. We are committed to assisting our employees who may be impacted by this incident. If you have questions, please feel free to contact JPL Human Resources at x4-7506.
Re:NASA Transparency drirective by SecurityGuy · 2012-11-15 05:33 · Score: 4, Interesting

NASA has employees. Those employees have things like SSNs and disabilities and other such things that go in personnel files. It's one thing to say that all NASA's mission data should be completely open, and quite another to say that means everyone who works there should expect the public to be pawing through their data when that data would be afforded protection at any other employer.