Forgot your password?
typodupeerror
NASA Encryption Government Privacy Security IT

NASA To Encrypt All of Its Laptops 226

Posted by timothy
from the violators-will-be-employed-with-social-security dept.
pev writes "After losing another laptop containing personal information, NASA wants to have all of its laptops encrypted within a month's time with an intermediate ban on laptops containing sensitive information leaving its facilities. Between April 2009 and April 2011 it lost or had stolen 48 'mobile computing devices.' I wonder how long it will be before other large organizations start following suit as a sensible precaution?"
This discussion has been archived. No new comments can be posted.

NASA To Encrypt All of Its Laptops

Comments Filter:
  • by Liquidretro (1590189) on Thursday November 15, 2012 @11:55AM (#41992007)
    They waited this long because? First?
    • by baoru (1023479) on Thursday November 15, 2012 @11:56AM (#41992023)
      Obviously it took them this long because it's not rocket science.
      • by NumenMaster (618275) <calcmandan@gmai[ ]om ['l.c' in gap]> on Thursday November 15, 2012 @12:57PM (#41992799)
        Funny enough right? How is it not STANDARD practice? I work for a really small state agency and that's the FIRST thing we do after imaging our laptops. It's been our policy for years. I'm so awestruck at the news.
        • Re: (Score:2, Insightful)

          by Anonymous Coward

          Because encrypting data is like putting it in a black hole, from which it might never return. If you lose your password, THAT'S IT! GONE!

          For a technically competant user base, like (i'd like to assume) NASA employees probably are, go for it!

          But for people who struggle with Microsoft Word and basic e-mail? Well... uh... let's just say an organization might want to perform an analysis of how many times their employees call in for password resets. There will likely be a strong correlation between data loss and

    • by jonnyj (1011131) on Thursday November 15, 2012 @12:03PM (#41992117)
      In the UK, the Information Commissioner has for many years routinely fined any company that loses an unencrypted laptop - even, in one famous case, where the laptop was stolen in a burglary at an employee's own home. It's unheard of for any large organisation over here to _not_ have encryption on all portable devices. I'm gobsmacked that NASA has been so slack.
      • by JosKarith (757063)
        I work for a financial services company and any portable device is encrypted as a matter of course. That's just a basic security measure, and I'm amazed NASA have waited so long.
        • by jeffmeden (135043)

          Because management is under the impression that anyone on Earth can figure out how to get to the moon; I mean that was so 40 years ago amiright? Why encrypt it when Nasa can't copyright anything anyway?

    • by robot256 (1635039)
      They finished encrypting all the laptops at my center earlier this year. I was also amazed to learn that headquarters is behind the curve.
    • by Rootbear (9274) on Thursday November 15, 2012 @12:29PM (#41992475) Homepage

      This is not a new policy. The implementation of full disk encryption has been underway for some time. We are doing laptops first, then desktops. The current fire drill is because a laptop with PII was stolen at NASA HQ and it was one that had not yet had full disk encryption installed.

      NASA IT staff are as overworked and under appreciated as anywhere. If NASA had wanted full disk encryption done sooner, they could have added the resources to make it happen. And that would have taken resources from missions, like Curiosity and the James Webb telescope. It's all about priorities.

      • by luis_a_espinal (1810296) on Thursday November 15, 2012 @02:38PM (#41993931) Homepage

        This is not a new policy. The implementation of full disk encryption has been underway for some time. We are doing laptops first, then desktops. The current fire drill is because a laptop with PII was stolen at NASA HQ and it was one that had not yet had full disk encryption installed.

        NASA IT staff are as overworked and under appreciated as anywhere. If NASA had wanted full disk encryption done sooner, they could have added the resources to make it happen. And that would have taken resources from missions, like Curiosity and the James Webb telescope. It's all about priorities.

        But therein lies the problem. It should not be underway for some time. It should have been in place as an iron-fist de-factor rule a long time ago.

        I sympathize with you and the other IT folks. Underfunded and under appreciated IT and dev folks alike. It is shitty, and I know what it's like (been there, don't that.) But, to not have laptops encrypted? To furnish unencrypted laptops? There is some serious break-ups there man. Why? Because, however overworked your team might be, I have a hard time believing that IT will furnish an un-imaged laptop, as-is from the vendor/supplier, to the user. I'm sure IT images the laptops, so it stands to reason that the imaging will include encryption.

        If the laptops are being furnished as-is from the vendors, that's a fuck-up.

        If the laptops do get imaged, but do not get encryption, that's also a fuck-up.

        Any government agency has some type of security and information assurance program and guidelines. And in them, encryption of laptops must be there somewhere. If that is the case, then it is a IT fuck-up. If it is not, then it is a IA fuck-up.

        I'm not necessarily blaming you or any specific IT person, but this is a serious crap-o-lah that goes against what is pretty much standard practice with any agency or defense contractor (I work for one), or even for commercial companies. It's simply crazy.

    • Re: (Score:3, Interesting)

      by oneandoneis2 (777721)

      Because the typical end user is stupid and forgets their password.

      On a normal laptop, this means a bit of inconvenience.

      On an encrypted laptop, this means a loss of all data.

      You have to have solutions for this problem in place before you can roll it out.

      • by ae1294 (1547521) on Thursday November 15, 2012 @02:13PM (#41993621) Journal

        Because the typical end user is stupid and forgets their password.

        On a normal laptop, this means a bit of inconvenience.

        On an encrypted laptop, this means a loss of all data.

        You have to have solutions for this problem in place before you can roll it out.

        No it doesn't. You add a second admin key to all the laptops.. It's not rocket science..

        • No it doesn't. You add a second admin key to all the laptops.. It's not rocket science..

          No, the second key you add is the user's.

      • by mk1004 (2488060)

        Because the typical end user is stupid and forgets their password.

        On a normal laptop, this means a bit of inconvenience.

        On an encrypted laptop, this means a loss of all data.

        You have to have solutions for this problem in place before you can roll it out.

        No, a real IT department will have an admin account so that they can get into the machine and reset the lost password. That technique is not rocket science either.

        I suspect that most people don't encrypt their home computers because 1) They don't know that they should do it. 2) They don't know how to do it. 3) They probably wouldn't set up a back up admin account for a forgotten password. 4) Consumer versions of XP and Vista don't have encryption built-in. Not sure about Win 7 and 8.

    • by Patch86 (1465427)

      Came here to express the same surprise.

      I wonder how it will be before other large organisations start following suit as a sensible precaution?

      My company has been doing full hard-disk encryption since before I joined, and so does every one of our partners who I've asked (and we usually do; if you're going to have a sniff of any of our customer data, you need to take at least a basic interest in keeping it safe). Do many major organisations not encrypt at least MOST things these days?

      • by Darinbob (1142669) on Thursday November 15, 2012 @04:03PM (#41995073)

        Well, many want to. There are some issues though that cause inertia. Not just issues with forgetting passwords.

        - Older systems that may need upgrading before being able to have encryption, or they're able to encrypt files but not whole partitions, or they don't even run IT approved operating systems. Having some machines that don't fit into a global policy can often often slow down an IT policy to a crawl, especially when the management refuses to make an exception.

        - Reliability. Sometimes this encryption is not very stable. Seriously. Our whole department stopped cold on encryption when many of the macbooks started dying and had to be replaced within a month of being encrypted (ie, second IT passwords don't help), with about a week of downtime before the user is back up and running full speed again. Put things on hold until Lion was released (which was it's own freigh train full of breakage, though at least the encryption worked).

        - Performance. Maybe the average user doesn't care, or the exec with an expensive computer. But encryption really can slow things down tremendously. Compile times, email searches, etc, can all take a very noticeable hit, sometimes more than twice as long. Do this on an older computer or a production system and it really hurts.

        - Scheduling and availability. Not everyone is able to come in and see IT at a moment's notice. Sales people may not even live in the same state or country, and they purchase and install their own computers. IT has a tendency to want to do encryptions or upgrades at exactly the same time as a major product release.

    • Meanwhile, the Chinese thank NASA for taking their time in implementing this.

    • They thought they had it, but realized they were not converting the units correctly. One group was using MebiBytes, and the other was using MegaBytes..

  • by wbr1 (2538558) on Thursday November 15, 2012 @11:56AM (#41992019)
    Why is this not done already? Between truecrypt and (ack) bitlocker,it s relatively easy. Add in a robust backup system, which any organization should have already, and it is cheap and fairly easy to implement.
    • Re: (Score:3, Informative)

      by Nos. (179609)

      Because there's no enterprise management behind Truecrypt, which pretty much eliminates it. I haven't looked at BitLocker for a while, but I seem to recall it had its share of issues as well. I've used Safeboot, and its not terrible.

      Regardless, its not as simple as saying, "here, install this".

    • by thoth (7907)

      I realize people want to shit themselves in excitement railing on the incompetent government, but seriously, how many corporations fully encrypt ALL notebooks/laptops? Because private corps never lose data, right? Plus with this loss, it is only going to be NASA employee PII (not that that is better, but a lot more contained), not say a credit card or store breach where YOUR data might be lost.

      Besides, implementing encryption involves handling passwords, keys, protecting the data-at-rest in the first place

  • truecrypt (Score:2, Insightful)

    by X0563511 (793323)

    For the lazy it does the job well. No need spend budget on it.

    • by Nkwe (604125)

      For the lazy it does the job well. No need spend budget on it.

      There is a reason to spend budget if you are an enterprise or have a need for centralized key recovery. While you don't want to leak data if your laptop falls in the wrong hands, you also don't want to lose data if your employee forgets their decryption key (either by accident or as a malicious action.)

      • by Krneki (1192201)

        Easy to understand for someone with experience, totally impossible concept to grasp for people who never had this problem with larger networks.

      • by X0563511 (793323)

        True enough, but such things cost money. Something 'simple' like Truecrypt isn't a perfect fit but you can deploy it (at risk, as you state) without having to fork over cash.

        I only state this because we should all be aware of the budget nightmare NASA has been living lately.

        • by geekoid (135745)

          Becasue they don't pay people to set it up? run it? maintain it?

          Clue: Software is almost ALWAYS the cheapest part of a solution. Manpower is expensive. SO, yeah that software is free, and that's cute and all but that is a minor part of the cost.

      • easy fix make them save the encryption key to a text file on a key server at NASA when they forget simply ask the IT guy to go get they key. this computer should have NO network connection and all of the input ports (not counting the 1 for the keyboard) filled filled with epoxy. it should have its drive encrypted with several people who know they decryption key so there is no one person that can forget it and screw everyone.

        • by Nkwe (604125)

          easy fix make them save the encryption key to a text file on a key server at NASA when they forget simply ask the IT guy to go get they key. this computer should have NO network connection and all of the input ports (not counting the 1 for the keyboard) filled filled with epoxy. it should have its drive encrypted with several people who know they decryption key so there is no one person that can forget it and screw everyone.

          Easy fix for a small deployment, but if you are talking about enterprise level deployments (tens of thousands of desktops) you would have to have several "IT guys" whose job is maintaining this database - both keeping it up to date and retrieving lost keys on a 24/7 basis. It is very hard to "make" tens of thousands of employees do anything, so unless your key escrow system is automated, it won't be reliable at that scale. Sure you could develop programs or scripts to manage all of this, but doing so has a

  • by Defenestrar (1773808) on Thursday November 15, 2012 @11:57AM (#41992033)
    I'm quite close to a different national lab type of federal facility and all of their laptops have been encrypted for at least a few years now. The stuff here isn't any more sensitive than the stuff there - it's just under an actual cabinet position. Bureaucracy may sometimes be a headache - but enforcing common sense policies is one of it's strong suits. Besides - is NASA really benefiting in it's efficiency from it's "bureaucratic freedom"?
  • by sunking2 (521698) on Thursday November 15, 2012 @12:00PM (#41992077)
    NASA is a huge bureaucracy that is behind the curve in this aspect. The sad part is that they apparently have more laptops to lose with HR type information on them than they do ITAR. Which pretty much sums up NASA right now.
  • by erroneus (253617) on Thursday November 15, 2012 @12:00PM (#41992079) Homepage

    You know? Endpoint encryption is trivial. There are so many products that do it effectively and easily. Why is this being done so late? Where I work, we do that to EVERY computer a user touches, not just laptops. If it isn't locked behind a server room door, it's locked to a desk and the HDD encrypted. Even the receptionist machine is encrypted.

    What the hell are these people even thinking?

    Sure... data recovery is more expensive or more impossible. I get that. But you know? It's kind of worth it. Also, if it's important data that lives ONLY on the endpoint machine? Well, that's another thing they are doing wrong.

    • data recovery is more expensive or more impossible. I get that. But you know? It's kind of worth it.

      That depends on what the data is and how valuable it is to competitors, etc. If you get so paranoid that you are literally chaining PCs to desks and encrypting them, do you also disable or physically incapacitate USB ports, make sure that nobody is sending out files via email, FTP, etc, etc? Or are you doing this more to protect from opportunist thieves?

    • by tlhIngan (30335)

      Well, IT has to deploy it - and there are VERY strange interactions that can happen.

      One common one was after being issued new laptops, about half of them started getting "Delayed write failure" errors on Windows and subsequently, corrupted files. No one ever figured it out - a combination of BIOS updates, Windows upgrades (from XP to 7), etc., seemed to have minimized the problems.

      Other ones included very odd daily BSODs as well - they just started happening and was linked to the FDE conflicting with the an

    • by Beorytis (1014777)
      At my 6,000-person employer, all laptops have required endpoint encryption for several years now. The reason it became necessary? To comply with federal regulations for contractors. We couldn't work on NASA (or FEMA or EPA) projects without it.
  • by Picardo85 (1408929) on Thursday November 15, 2012 @12:00PM (#41992085)
    Jesus, the small company I worked for (400 employees or so) had all but the desktop machines encrypted many years ago. I can't remember what they used before the built in windows encryption, but at least they had something there.

    It's insane to hear that large companies don't have their machines encrypted though it's a mouseclick away for their IT-dept while prepping the computer for deployment.

    *face palm*
    • Jesus, the small company I worked for (400 employees or so)
      [...]

      It's insane to hear that large companies don't

      Scale. Hindsight. Legacy Systems. Easier said than done.

      Sometimes you want to do the "right thing"(tm) but need some sort of cluster fsck to show those higher ups that the cost v benefit analysis preventing you from doing so is wrong. Notice it was personal info, not science & engineering stuff. Which would be more effective to lose if you want an org-wide policy approval? Just sayin'

    • by geekoid (135745)

      great, now do it for 10,000 people, not all of whom are using the same OS version, across the world. Plan the maintenance for that. the history, roll out time. and so on.

      400 people, how...quaint

    • If it makes you feel any better, many corps and agencies do indeed have full disk encryption already. It takes time for this kind of thing to filter through to everywhere. As you grow older, you will see time differently and begin to understand why some are ready and others are not yet ready. It has been less than a decade that this has even been a realistic goal.

  • Wait, NASA doesn't encrypt its laptops? Why not?

    Just use Bitlocker, it's enforced by GPO where I work. Or if on another system, truecrypt or just CryptFS.

    Why is this an issue?

  • I work for A Very Large Health Plan, and it is policy that all work laptops use encrypted harddrives and USB drives.

    The laptops that are issued out to us workers already come encrypted, and also with the software that only allows writing to USB drives if you allow the software to encrypt the USB drive.

    So far, seems to work, but does make a new laptop seem to be modest at boot/read/write times.

    • I work for A Very Large Retailer, and we've had all our laptops encrypted for years, as a Safe Harbor requirement, and a requirement of auditing by the payment card industry.

      Good to know that government is catching up to where business has been half a decade ago.

  • [shrug] (Score:5, Interesting)

    by Thumper_SVX (239525) on Thursday November 15, 2012 @12:01PM (#41992101) Homepage
    You know, we've been doing this for four years where I work. And yes, I know everyone here is going to espouse Truecrypt as the one true solution, but the simple fact is NASA is run as a corporation... as such they'll probably go for a solution that's vendor supported. The fact that they're NASA will probably mean they'll get a pretty decent price on the software too.

    Now, the downside of full-disk encryption (which many lazy corporations do instead of home directory only) is that it does increase the load on your system, slow it down and make recovery if/when it breaks a royal pain. Our helpdesk has an almost constant stream of laptops coming and going through their hands that they have to decrypt and re-encrypt because something got out of sync. Time consuming, and leads to downtime for the users. I've often suggested home folder only encryption... but the higher ups want it all encrypted... right up to the point that their laptop is down for two days because they've broken it.

    By the way, another horrible side effect of whole disk encryption is that our experience says that it'll kill SSD's pretty rapidly. Our average SSD life is less than a year at this point because there doesn't seem to be a good full-disk encryption software that properly implements TRIM... so spinning disk or hybrid disk is the way to go.
    • by ltcdata (626981)

      You know, we've been doing this for four years where I work. And yes, I know everyone here is going to espouse Truecrypt as the one true solution, but the simple fact is NASA is run as a corporation... as such they'll probably go for a solution that's vendor supported. The fact that they're NASA will probably mean they'll get a pretty decent price on the software too. Now, the downside of full-disk encryption (which many lazy corporations do instead of home directory only) is that it does increase the load on your system, slow it down and make recovery if/when it breaks a royal pain. Our helpdesk has an almost constant stream of laptops coming and going through their hands that they have to decrypt and re-encrypt because something got out of sync. Time consuming, and leads to downtime for the users. I've often suggested home folder only encryption... but the higher ups want it all encrypted... right up to the point that their laptop is down for two days because they've broken it. By the way, another horrible side effect of whole disk encryption is that our experience says that it'll kill SSD's pretty rapidly. Our average SSD life is less than a year at this point because there doesn't seem to be a good full-disk encryption software that properly implements TRIM... so spinning disk or hybrid disk is the way to go.

      I run a Lenovo X220 with hardware accelerated AES on a Core I5. The increased load is NON-EXISTENT. Also if you run a SSD with sandforce controller (which compresses data), the performance will be poor, and the wear very high. I run a samsung 830 SSD. Fastest ssd for encrypted disks (does not compress data on the fly). Also, i use DiskCryptor. It does have TRIM enabled for encrypted disks.

    • by Nimey (114278)

      It should only slow down old/cheap computers whose CPUs don't support the AES instructions, and TrueCrypt now supports TRIM... and AES instructions.

      It'd be nice if someone would write a front-end for TrueCrypt that supports enterprise-type manageability.

    • So much for using mod points on this discussion... 3-4 years ago, I was the technical lead on a project to encrypt all laptops (mobile data, but not handhelds... *shrug*). The original project team had selected a solution (home directory only encryption) and then commenced to hit the skids. I was brought in to turn the project around. I found security weaknesses on the directory encryption (Hiram's boot cd could easily bypass it). We decided to test a whole disk solution, and went with it. For an envi
    • Re:[shrug] (Score:5, Interesting)

      by sribe (304414) on Thursday November 15, 2012 @12:38PM (#41992599)

      I've often suggested home folder only encryption... but the higher ups want it all encrypted...

      And they're absolutely correct. A laptop gets stolen that contains information which you are legally obligated to keep confidential, and you are threatened with a lawsuit over the breach of confidentiality, do you prefer:

      A) being able to say "the entire disk was encrypted"

      B) having to argue that having the user's home folder encrypted was sufficient, and potentially having to prove that no confidential data was stored outside the home folder, but having to prove that without the actual disk in your possession as evidence

    • by geekoid (135745)

      I look forward in getting your keys and password out of your swap file.

  • They are worried that Aliens might steal their technology
    Somebody might find out they aleady stole alien technology
    They are worried that the FBI might hack into their emails and find out who they are having affairs with
    Sheldon Addison might wonder where the money he gave Newt went

  • I'm surprised that this is not already standard procedure. If it were up to me I'd probably disable all the USB ports as well. If you've got the best firewall in the world it won't be worth a plug nickel if someone takes a flash drive with a virus on it and plugs it into a PC in the office. Now you're inside the firewall and it spreads like wildfire.

  • A known problem since the first laptop was issued, but ignored until today.

    Now that the shit hits the fan they want it done yesterday.

    • by Pontiac (135778)

      More likely is that it's been a revolving budget request from IT for years and years but upper management keeps pushing it down the list to fund high visibility pet projects to pad their resumes with.

      Only when the shit hits the fan to these low profile projects get funding and suddenly need to be done ASAP without any proper selection process.
      The bid ends up not with the best product but in the hands of the sales drone the boos is cozy with.

      The lesson here is.. If you have an important project that keeps ge

  • by Terje Mathisen (128806) on Thursday November 15, 2012 @12:13PM (#41992237)

    I was in charge of testing/verification of full disk crypto when my then-employer (Hydro) mandated it almost 20 years ago:

    At that time 5 vendors made it through our pre-qualification tests, among these I was able to trivially break 3 of them (replace a conditional branch with its opposite), one took 20 minutes and only Utmaco's SafeGuard Easy had done a proper security design, where the user password was used as (part of) the seed for the key used to decrypt a copy of the master disk key.

    I.e. the system _must_ be safe against attack from anyone, including the vendor!

    I wrote a longer post about this the previous time the same issue came up on /.

    Terje

    • I was in charge of testing/verification of full disk crypto when my then-employer (Hydro) mandated it almost 20 years ago

      Because 20 years ago, the resources that it took were extreme so an extreme need was required to even consider it. A bit less than a decade ago, the resource usage became light enough to where most anyone could consider it and, not surprisingly, we are seeing it done more often. This is not rocket science... pun only slightly intended.

  • by concealment (2447304) on Thursday November 15, 2012 @12:17PM (#41992295) Homepage Journal

    At this point, why not have them VPN in to a central server, and keep all work materials there?

    Between the trendy "cloud" and the availability of high-speed internet and most computers having encryption cycles to spare, our machines are now souped-up thin clients.

    The idea that people need to take gigabytes or even megabytes (640k is ok though) of confidential data home with them on their laptops needs to be questioned. What are you doing with all of that? At home? On the subway?

    Forget it: keep the data under control, and make the laptops worthless to foreign espionage.

  • by Sparticus789 (2625955) on Thursday November 15, 2012 @12:19PM (#41992317) Journal

    I work for the Federal Government and every laptop has to have FDE in order to leave the building. This policy has been in place for years. NASA is just behind the times of every other federal agency. Too busy playing with robots, I assume.

  • AAARRRRGHHH (Score:5, Insightful)

    by MrLint (519792) on Thursday November 15, 2012 @12:19PM (#41992319) Journal

    NONONNONONONO

    This is not how you deal with an incident like this. You have to reexamine your infrastructure and find out *why* that info was on an endpoint to begin with. This is teh same BS kneejerk reaction that makes for bad IT planning. Just go and wallpaper of it with a band-aid and look all betterer.

    HULK SMASH!!!!

    • by Beorytis (1014777)
      Planning is great and rules are great, but you need to be ready for the inevitable cases when plans are not followed and rules are broken.
  • by oneiros27 (46144) on Thursday November 15, 2012 @12:23PM (#41992373) Homepage

    They're leased from HP as part of the NASA ACES contract :
            http://www.nasa.gov/home/hqnews/2010/dec/HQ_C10-080_ACES.html [nasa.gov]

    Prior to that, there was a contract with Lockheed Martin.

    They have to put out a specification of what they want the machine configuration to look like, and then HP gives 'em a cost per month for it.

    And the 'devices' lost aren't necessarily laptops ... it could be cell phones or tablets, which are also leased through ACES.

    There *are* ways around this, but you have to do more paperwork, and then you can buy stuff off SEWP [nasa.gov], and they're maintained by different groups of sysadmins (assigned to the mission, project or division).

    And to make it more fun -- if you sign all of the paperwork to take a government furnished computer off site as a contractor, you're liable for the full original purchase price, no depreciation. (this might not be true for ACES) ... so I know a few people who brought their work-assigned laptops back and said they'd rather buy their own ... which means there's then *NO* control over them ... although they're not supposed to put SBU / ACI on it.

  • by scorp1us (235526) on Thursday November 15, 2012 @12:24PM (#41992381) Journal

    I thought NASA was ordered to be completely open and no information was to be considered sensitive. This was ordered at its inception when it was created to provide the space program, in order to NOT be military in nature so that the Russians would not be worried. Sure they have shared information over the years but nothing NASA has done has been military in nature.

    It seems to me then, that nothing NASA can have can be 'sensitive' in nature, and these encryption efforts run counter to t heir chartered openness.

    • by SecurityGuy (217807) on Thursday November 15, 2012 @01:33PM (#41993179)

      NASA has employees. Those employees have things like SSNs and disabilities and other such things that go in personnel files. It's one thing to say that all NASA's mission data should be completely open, and quite another to say that means everyone who works there should expect the public to be pawing through their data when that data would be afforded protection at any other employer.

    • by pavon (30274)

      I thought NASA was ordered to be completely open and no information was to be considered sensitive.

      While very little of NASA's work is classified, the vast majority of their technical work is covered by ITAR and export control laws, and has to be protected from dissemination outside of the US. Export control can be very over-reaching, and needs to have a major overhaul, however some of the restrictions are on things that could easily be militarized.

  • I work in Gov't, state level. EVERY SINGLE laptop is encrypted. You plug in a USB, before you can move data to it, it has to be encrypted (you can move data off to computer without encrypting). You burn CD it get's encrypted.

    They just this year started encrypting desktops also.

    What I don't understand is why is it not a Fed Gov't rule that every agency that has portable media (tablets/laptops/usb/etc) has to be encrypted? This should just be standard now. Esp after having 48 incidents in 3 years? WTF,

    • by denobug (753200)

      I work in Gov't, state level. EVERY SINGLE laptop is encrypted. You plug in a USB, before you can move data to it, it has to be encrypted (you can move data off to computer without encrypting). You burn CD it get's encrypted.

      They just this year started encrypting desktops also.

      What I don't understand is why is it not a Fed Gov't rule that every agency that has portable media (tablets/laptops/usb/etc) has to be encrypted? This should just be standard now. Esp after having 48 incidents in 3 years? WTF, after first incident they should have started working on a plan to encrypt stuff.

      Because like so many trivial things in life, it gets political. Worse for federal government, since not only do they have to deal with office politics, they also have to deal with the OTHER politics when it comes to how to run an agency with the appropriate ideology, down to if it fits the ideological view of certain people whether to encrypt a stupid harddrive or not.

  • My company has been doing this for ages. It just makes sense and I'm really surprised NASA does not do it already.
  • We've been doing this at my work for a few years now. Any organization that is at all concerned with data loss should already be doing this to all user workstations, portable AND desktop. Anything less is bordering on malpractice.

  • by Mr. Sanity (1161283) on Thursday November 15, 2012 @12:42PM (#41992639)
    Too bad they didn't do that before I had to recieve this email this week:

    OFFICE OF THE DIRECTOR
    November 14, 2012
    TO: JPL Employees and Contractor Personnel
    FROM: Charles Elachi
    SUBJECT: NASA Laptop Security Breach
    On Tuesday November 13, we were all notified that a NASA laptop and official NASA documents issued to a Headquarters employee were stolen. The laptop contained records of sensitive, personally identifiable information (PII) for a large number of NASA employees, contractors and others. NASA is assessing and investigating the incident and taking every possible action to mitigate therisk of harm and/or inconvenience to affected employees.
    We at Caltech/JPL are extremely concerned about the potential implications of this incident to our employees and affiliates. We have been in contact with NASA Headquarters, and they advise us that they intend to mail letters beginning this week to affected or potentially affected individuals as they are identified. NASA has not provided us with thelist of individuals whowill be notified.
    In the meantime, a good resource of protective measures is the Federal Trade Commission's website, Facts for Consumers, Identity Theft: What to Know, What to Do, at: http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt01.shtm [ftc.gov]. The State of California also has information at www.privacy.ca.gov. Click on "Consumer Information Sheets" on the left-hand column and you will find several Consumer Information Sheets that may be helpful.
    We call your attention to this portion of NASA's message:
    "NASA has contracted with a data breach specialist, ID Experts, who will be sending letters to affected individuals, informing them that their sensitive PII was stored on the stolen laptop and they could be impacted by the breach. This notification also will provide them information on how to protect their identity using the fully managed services of ID Experts at no cost to the individual. These services will include a call center and website, credit and identity monitoring, recovery services in cases of identity compromise, an insurance reimbursement policy, educational materials, and access to fraud resolution representatives. If you receive a notification letter in the mail, follow the directions to activate your services as soon as possible.
    All employees should be aware of any phone calls, emails, and other communications from individuals claiming to be from NASA or other official sources that ask for personal information or verification of it. NASA and ID Experts will not be contacting employees to ask for or confirm personal information. If you receive such a communication, please do not provide any personal information."
    We will issue further relevant information as we learn more. We are committed to assisting our employees who may be impacted by this incident. If you have questions, please feel free to contact JPL Human Resources at x4-7506.

    • Yes, but don't worry: that massive amount of info they're collecting on you as part of HSPD-12[*] is perfectly safe.

      [*] Where NASA said we all had to submit to unrestricted background investigations -- where they could gather any data they wanted on you, from any source, whether it be your doctor, your lawyer, your priest, your ISP, or whatever -- and then a secret, unappealable tribunal would decide if we could keep our jobs. I and others sued them over this, and lost. But don't worry, we can all see that

  • An awful lot of people in this thread have quick and simple "just do this" solutions for NASA's data encryption challenges.

    NASA isn't your standard corporate environment - there are serious challenges to any "Just do X" solution. They DO need to encrypt everything but its not a simple single-answer thing. They have to accommodate every scenario from "HR newbie with PII data in an office envrionment" to "Laptop collecting data on a C-130 as it flies through hurricanes" to "Laptops controlling robots in th

  • I wonder how it will be before other large organizations start following suit as a sensible precaution?

    I'm pretty sure that laptop encryption IS the standard at most big businesses these days. It is in the company that writes my paychecks, anyway. I think NASA was just behind the times on this issue.

  • I work for a large corp whose own screw ups with lost un-encrypted PC has been duly noted here on Slashdot. It is corporate policy to encrypt every hard drive that is not locked up. With Win7 and bitlocker its simple to get encryption for 80%+ of normal users.

  • by bill_mcgonigle (4333) * on Thursday November 15, 2012 @02:48PM (#41994053) Homepage Journal

    I've personally been using LUKS for 4-5 years but I've also taken a power/performance hit for doing so.

    Just ordered a new laptop with an i5 in it, and even within the i5 family I had to be careful to order a chip with AES-NI in it (the unit with the other specs I wanted winds up being mid-market due to limited configuration choice). But at least now the top 50% of the market has AES-NI built-in and those trade-offs are something to not-so-fondly remember.

The study of non-linear physics is like the study of non-elephant biology.

Working...