NASA To Encrypt All of Its Laptops

pev writes "After losing another laptop containing personal information, NASA wants to have all of its laptops encrypted within a month's time with an intermediate ban on laptops containing sensitive information leaving its facilities. Between April 2009 and April 2011 it lost or had stolen 48 'mobile computing devices.' I wonder how long it will be before other large organizations start following suit as a sensible precaution?"

Herp Derp... why wait so long?!

[erroneus]

You know? Endpoint encryption is trivial. There are so many products that do it effectively and easily. Why is this being done so late? Where I work, we do that to EVERY computer a user touches, not just laptops. If it isn't locked behind a server room door, it's locked to a desk and the HDD encrypted. Even the receptionist machine is encrypted.

What the hell are these people even thinking?

Sure... data recovery is more expensive or more impossible. I get that. But you know? It's kind of worth it. Also, if it's important data that lives ONLY on the endpoint machine? Well, that's another thing they are doing wrong.

Re:They waited this long because?

[jonnyj]

In the UK, the Information Commissioner has for many years routinely fined any company that loses an unencrypted laptop - even, in one famous case, where the laptop was stolen in a burglary at an employee's own home. It's unheard of for any large organisation over here to _not_ have encryption on all portable devices. I'm gobsmacked that NASA has been so slack.

Re:i don't understand...

[Nos.]

Because there's no enterprise management behind Truecrypt, which pretty much eliminates it. I haven't looked at BitLocker for a while, but I seem to recall it had its share of issues as well. I've used Safeboot, and its not terrible.

Regardless, its not as simple as saying, "here, install this".

Horses and Barn Doors...

[Mr. Sanity]

Too bad they didn't do that before I had to recieve this email this week:

OFFICE OF THE DIRECTOR
November 14, 2012
TO: JPL Employees and Contractor Personnel
FROM: Charles Elachi
SUBJECT: NASA Laptop Security Breach
On Tuesday November 13, we were all notified that a NASA laptop and official NASA documents issued to a Headquarters employee were stolen. The laptop contained records of sensitive, personally identifiable information (PII) for a large number of NASA employees, contractors and others. NASA is assessing and investigating the incident and taking every possible action to mitigate therisk of harm and/or inconvenience to affected employees.
We at Caltech/JPL are extremely concerned about the potential implications of this incident to our employees and affiliates. We have been in contact with NASA Headquarters, and they advise us that they intend to mail letters beginning this week to affected or potentially affected individuals as they are identified. NASA has not provided us with thelist of individuals whowill be notified.
In the meantime, a good resource of protective measures is the Federal Trade Commission's website, Facts for Consumers, Identity Theft: What to Know, What to Do, at: http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt01.shtm [ftc.gov]. The State of California also has information at www.privacy.ca.gov. Click on "Consumer Information Sheets" on the left-hand column and you will find several Consumer Information Sheets that may be helpful.
We call your attention to this portion of NASA's message:
"NASA has contracted with a data breach specialist, ID Experts, who will be sending letters to affected individuals, informing them that their sensitive PII was stored on the stolen laptop and they could be impacted by the breach. This notification also will provide them information on how to protect their identity using the fully managed services of ID Experts at no cost to the individual. These services will include a call center and website, credit and identity monitoring, recovery services in cases of identity compromise, an insurance reimbursement policy, educational materials, and access to fraud resolution representatives. If you receive a notification letter in the mail, follow the directions to activate your services as soon as possible.
All employees should be aware of any phone calls, emails, and other communications from individuals claiming to be from NASA or other official sources that ask for personal information or verification of it. NASA and ID Experts will not be contacting employees to ask for or confirm personal information. If you receive such a communication, please do not provide any personal information."
We will issue further relevant information as we learn more. We are committed to assisting our employees who may be impacted by this incident. If you have questions, please feel free to contact JPL Human Resources at x4-7506.

Re:They waited this long because?

[ae1294]

Because the typical end user is stupid and forgets their password.

On a normal laptop, this means a bit of inconvenience.

On an encrypted laptop, this means a loss of all data.

You have to have solutions for this problem in place before you can roll it out.

No it doesn't. You add a second admin key to all the laptops.. It's not rocket science..