NASA To Encrypt All of Its Laptops
pev writes "After losing another laptop containing personal information, NASA wants to have all of its laptops encrypted within a month's time with an intermediate ban on laptops containing sensitive information leaving its facilities. Between April 2009 and April 2011 it lost or had stolen 48 'mobile computing devices.' I wonder how long it will be before other large organizations start following suit as a sensible precaution?"
They waited this long because? (Score:3, Interesting)
Re:They waited this long because? (Score:5, Funny)
Re:They waited this long because? (Score:4, Insightful)
Re: (Score:2, Insightful)
Because encrypting data is like putting it in a black hole, from which it might never return. If you lose your password, THAT'S IT! GONE!
For a technically competent user base, like (I'd like to assume) NASA employees probably are, go for it!
But for people who struggle with Microsoft Word and basic e-mail? Well... uh... let's just say an organization might want to perform an analysis of how many times their employees call in for password resets. There will likely be a strong correlation between data loss and
Re:They waited this long because? (Score:5, Informative)
Re: (Score:3)
Re: (Score:2)
Because management is under the impression that anyone on Earth can figure out how to get to the moon; I mean that was so 40 years ago amiright? Why encrypt it when Nasa can't copyright anything anyway?
Re: (Score:2)
Re:They waited this long because? (Score:5, Interesting)
This is not a new policy. The implementation of full disk encryption has been underway for some time. We are doing laptops first, then desktops. The current fire drill is because a laptop with PII was stolen at NASA HQ and it was one that had not yet had full disk encryption installed.
NASA IT staff are as overworked and underappreciated as anywhere. If NASA had wanted full disk encryption done sooner, they could have added the resources to make it happen. And that would have taken resources from missions, like Curiosity and the James Webb telescope. It's all about priorities.
Re:They waited this long because? (Score:5, Insightful)
This is not a new policy. The implementation of full disk encryption has been underway for some time. We are doing laptops first, then desktops. The current fire drill is because a laptop with PII was stolen at NASA HQ and it was one that had not yet had full disk encryption installed.
NASA IT staff are as overworked and underappreciated as anywhere. If NASA had wanted full disk encryption done sooner, they could have added the resources to make it happen. And that would have taken resources from missions, like Curiosity and the James Webb telescope. It's all about priorities.
But therein lies the problem. It should not be underway for some time. It should have been in place as an iron-fist de facto rule a long time ago.
I sympathize with you and the other IT folks. Underfunded and underappreciated IT and dev folks alike. It is shitty, and I know what it's like (been there, done that.) But, to not have laptops encrypted? To furnish unencrypted laptops? There is some serious break-ups there man. Why? Because, however overworked your team might be, I have a hard time believing that IT will furnish an un-imaged laptop, as-is from the vendor/supplier, to the user. I'm sure IT images the laptops, so it stands to reason that the imaging will include encryption.
If the laptops are being furnished as-is from the vendors, that's a fuck-up.
If the laptops do get imaged, but do not get encryption, that's also a fuck-up.
Any government agency has some type of security and information assurance program and guidelines. And in them, encryption of laptops must be there somewhere. If that is the case, then it is an IT fuck-up. If it is not, then it is an IA fuck-up.
I'm not necessarily blaming you or any specific IT person, but this is a serious crap-o-lah that goes against what is pretty much standard practice with any agency or defense contractor (I work for one), or even for commercial companies. It's simply crazy.
Re:They waited this long because? (Score:5, Insightful)
Re:They waited this long because? (Score:5, Insightful)
They have a finite pool of money. Putting something in IT takes money from the finite pool.
The poster is correct, it's about priorities.
Since the vast majority of information NASA has is useless to anyone not in a space agency, it seems this was a good priority of limited funds.
Re: (Score:3, Interesting)
Because the typical end user is stupid and forgets their password.
On a normal laptop, this means a bit of inconvenience.
On an encrypted laptop, this means a loss of all data.
You have to have solutions for this problem in place before you can roll it out.
Re:They waited this long because? (Score:4, Informative)
Because the typical end user is stupid and forgets their password.
On a normal laptop, this means a bit of inconvenience.
On an encrypted laptop, this means a loss of all data.
You have to have solutions for this problem in place before you can roll it out.
No it doesn't. You add a second admin key to all the laptops.. It's not rocket science..
Re: (Score:3)
No it doesn't. You add a second admin key to all the laptops.. It's not rocket science..
No, the second key you add is the user's.
Re: (Score:3)
Because the typical end user is stupid and forgets their password.
On a normal laptop, this means a bit of inconvenience.
On an encrypted laptop, this means a loss of all data.
You have to have solutions for this problem in place before you can roll it out.
No, a real IT department will have an admin account so that they can get into the machine and reset the lost password. That technique is not rocket science either.
I suspect that most people don't encrypt their home computers because 1) They don't know that they should do it. 2) They don't know how to do it. 3) They probably wouldn't set up a back up admin account for a forgotten password. 4) Consumer versions of XP and Vista don't have encryption built-in. Not sure about Win 7 and 8.
Re: (Score:2)
Came here to express the same surprise.
I wonder how long it will be before other large organisations start following suit as a sensible precaution?
My company has been doing full hard-disk encryption since before I joined, and so does every one of our partners who I've asked (and we usually do; if you're going to have a sniff of any of our customer data, you need to take at least a basic interest in keeping it safe). Do many major organisations not encrypt at least MOST things these days?
Re:They waited this long because? (Score:5, Insightful)
Well, many want to. There are some issues though that cause inertia. Not just issues with forgetting passwords.
- Older systems that may need upgrading before being able to have encryption, or they're able to encrypt files but not whole partitions, or they don't even run IT approved operating systems. Having some machines that don't fit into a global policy can often slow down an IT policy to a crawl, especially when the management refuses to make an exception.
- Reliability. Sometimes this encryption is not very stable. Seriously. Our whole department stopped cold on encryption when many of the macbooks started dying and had to be replaced within a month of being encrypted (i.e., second IT passwords don't help), with about a week of downtime before the user is back up and running full speed again. Put things on hold until Lion was released (which was its own freight train full of breakage, though at least the encryption worked).
- Performance. Maybe the average user doesn't care, or the exec with an expensive computer. But encryption really can slow things down tremendously. Compile times, email searches, etc, can all take a very noticeable hit, sometimes more than twice as long. Do this on an older computer or a production system and it really hurts.
- Scheduling and availability. Not everyone is able to come in and see IT at a moment's notice. Sales people may not even live in the same state or country, and they purchase and install their own computers. IT has a tendency to want to do encryptions or upgrades at exactly the same time as a major product release.
Re: (Score:2)
Meanwhile, the Chinese thank NASA for taking their time in implementing this.
Re: (Score:3)
They thought they had it, but realized they were not converting the units correctly. One group was using MebiBytes, and the other was using MegaBytes..
Re:They waited this long because? (Score:4, Funny)
That's amazing! I have the same combination on my luggage!
(Don't blame me; somebody had to say it!)
i don't understand... (Score:3, Insightful)
Re: (Score:3, Informative)
Because there's no enterprise management behind Truecrypt, which pretty much eliminates it. I haven't looked at BitLocker for a while, but I seem to recall it had its share of issues as well. I've used Safeboot, and it's not terrible.
Regardless, it's not as simple as saying, "here, install this".
Re: (Score:2)
I realize people want to shit themselves in excitement railing on the incompetent government, but seriously, how many corporations fully encrypt ALL notebooks/laptops? Because private corps never lose data, right? Plus with this loss, it is only going to be NASA employee PII (not that that is better, but a lot more contained), not say a credit card or store breach where YOUR data might be lost.
Besides, implementing encryption involves handling passwords, keys, protecting the data-at-rest in the first place
Re: (Score:3)
Yep, you've got to have a documented practice to keep track of the recovery keys encryption programs generate. Also, my two cents is they were probably recommending encrypting the laptops, so anybody who wasn't a complete newb with computers did so, everybody else ignored it. Also, it's kind of hard to lose a laptop, I understand burglary is out of your control, but leaving it at a coffee shop is a testament to the lack of attention of the individual user.
Re:i don't understand... (Score:5, Insightful)
>Yep, you've got to have a documented practice to keep track of the recovery keys encryption programs generate.
No. I work in a big corp. If I die, my FDE password dies with me and the data is gone. Real data is held on servers and managed. A PC is just an access device.
Re: (Score:2)
No. I work in a big corp. If I die, my FDE password dies with me and the data is gone. Real data is held on servers and managed. A PC is just an access device.
I suspect that most corporations don't want their IP to die along with, or be held ransomed by, their employees.
Re: (Score:2)
I think you are missing the AC's point - the important data on the laptop should be in sync with the servers. All of the other stuff is probably crud anyway.
Or at least it should be....
Re: (Score:2)
Wow, do you bring the servers with you when you go do field tests of your robot in the desert? Or on the plane when you're doing hurricane fly-through ops?
Wait, you don't have those kinds of complexities in your corp? Interesting.
I wonder if NASA is a really complicated and nuanced sort of place and how that might provide challenges for these sorts of seemingly trivial things.
Re: (Score:2)
All my data is on servers as well, not on my laptop, though my laptop is encrypted. And so long as I can get a cell phone signal, I can convert that to wifi and VPN in to the data. I can even do that with free tools.
This is so complicated that NASA can't figure it out with a budget of billions and brilliant engineers?
Re: (Score:2)
Yeah, there is a ton of good signals in a hurricane.
Or in the middle of nowhere.
And sometimes the data is extremely large, making cell based network pretty useless.
Yes all the engineers or IT engineers and experts.
Protip: 'Engineer' covers MANY disciplines. I wouldn't want the engineer that works on robots building a bridge and vice versa.
The issue isn't NASA, it's your lack of experiences and overinflated ego.
Re: (Score:2)
NASA engineers need employee data on an unencrypted laptop in the middle of a hurricane? In what scenario? And even in hurricane-affected areas, cell phone signals usually work. One of the laptops that was lost was carrying personnel data which should NEVER be on a laptop, especially an unencrypted laptop in any scenario. We're not talking about field data here.
LTE networks are faster than home broadband in many cases. And you're not transferring all the data across the network to your laptop, which is prec
Re: (Score:3)
I was actually wondering about that. I have Win7 Pro, an i5 and TPM but can't quite believe it would be '100% transparent' ?!?
I do quite a bit of development on my machine. If anyone would "find" it, at worst they'd have access to my mail, documents, photos and a big bunch of code that is unlikely to be useful for anyone but me or my colleagues who have the same access to the repositories anyway.
None of that is going to be interesting to 99.999% of the population.
The ONLY thing that might be annoying is tha
Re: (Score:3)
Do I have to [truecrypt.org]?
Would you like to start backpedalling now, or should I just make up some extra caveats about enterprise management and vendor support contracts for you?
truecrypt (Score:2, Insightful)
For the lazy it does the job well. No need to spend budget on it.
Re: (Score:3)
For the lazy it does the job well. No need to spend budget on it.
There is a reason to spend budget if you are an enterprise or have a need for centralized key recovery. While you don't want to leak data if your laptop falls in the wrong hands, you also don't want to lose data if your employee forgets their decryption key (either by accident or as a malicious action.)
Re: (Score:3)
Easy to understand for someone with experience, totally impossible concept to grasp for people who never had this problem with larger networks.
Re: (Score:2)
True enough, but such things cost money. Something 'simple' like Truecrypt isn't a perfect fit but you can deploy it (at risk, as you state) without having to fork over cash.
I only state this because we should all be aware of the budget nightmare NASA has been living lately.
Re: (Score:2)
Because they don't pay people to set it up? run it? maintain it?
Clue: Software is almost ALWAYS the cheapest part of a solution. Manpower is expensive. SO, yeah that software is free, and that's cute and all but that is a minor part of the cost.
Re: (Score:2)
easy fix make them save the encryption key to a text file on a key server at NASA when they forget simply ask the IT guy to go get the key. this computer should have NO network connection and all of the input ports (not counting the 1 for the keyboard) filled with epoxy. it should have its drive encrypted with several people who know the decryption key so there is no one person that can forget it and screw everyone.
Re: (Score:2)
easy fix make them save the encryption key to a text file on a key server at NASA when they forget simply ask the IT guy to go get the key. this computer should have NO network connection and all of the input ports (not counting the 1 for the keyboard) filled with epoxy. it should have its drive encrypted with several people who know the decryption key so there is no one person that can forget it and screw everyone.
Easy fix for a small deployment, but if you are talking about enterprise level deployments (tens of thousands of desktops) you would have to have several "IT guys" whose job is maintaining this database - both keeping it up to date and retrieving lost keys on a 24/7 basis. It is very hard to "make" tens of thousands of employees do anything, so unless your key escrow system is automated, it won't be reliable at that scale. Sure you could develop programs or scripts to manage all of this, but doing so has a
Space age? (Score:3)
Re: (Score:3)
Re: (Score:2)
You may have made Geoffroy Tory turn over in his grave.
Re: (Score:3)
Actually, the use of "it's" as a possessive is constitutional, as it literally occurs in the (US) Constitution.
A bit of a misconception. (Score:5, Interesting)
Herp Derp... why wait so long?! (Score:5, Informative)
You know? Endpoint encryption is trivial. There are so many products that do it effectively and easily. Why is this being done so late? Where I work, we do that to EVERY computer a user touches, not just laptops. If it isn't locked behind a server room door, it's locked to a desk and the HDD encrypted. Even the receptionist machine is encrypted.
What the hell are these people even thinking?
Sure... data recovery is more expensive or more impossible. I get that. But you know? It's kind of worth it. Also, if it's important data that lives ONLY on the endpoint machine? Well, that's another thing they are doing wrong.
Re: (Score:2)
data recovery is more expensive or more impossible. I get that. But you know? It's kind of worth it.
That depends on what the data is and how valuable it is to competitors, etc. If you get so paranoid that you are literally chaining PCs to desks and encrypting them, do you also disable or physically incapacitate USB ports, make sure that nobody is sending out files via email, FTP, etc, etc? Or are you doing this more to protect from opportunist thieves?
Re: (Score:2)
Re: (Score:2)
*face palm* (Score:3)
It's insane to hear that large companies don't have their machines encrypted though it's a mouseclick away for their IT-dept while prepping the computer for deployment.
*face palm*
Re: (Score:3)
Scale. Hindsight. Legacy Systems. Easier said than done.
Sometimes you want to do the "right thing"(tm) but need some sort of cluster fsck to show those higher ups that the cost v benefit analysis preventing you from doing so is wrong. Notice it was personal info, not science & engineering stuff. Which would be more effective to lose if you want an org-wide policy approval? Just sayin'
Re: (Score:2)
great, now do it for 10,000 people, not all of whom are using the same OS version, across the world. Plan the maintenance for that. the history, roll out time. and so on.
400 people, how...quaint
Re: (Score:2)
If it makes you feel any better, many corps and agencies do indeed have full disk encryption already. It takes time for this kind of thing to filter through to everywhere. As you grow older, you will see time differently and begin to understand why some are ready and others are not yet ready. It has been less than a decade that this has even been a realistic goal.
Encryption mandatory (Score:2)
Wait, NASA doesn't encrypt its laptops? Why not?
Just use Bitlocker, it's enforced by GPO where I work. Or if on another system, truecrypt or just CryptFS.
Why is this an issue?
Re: (Score:2)
I know that a lot of people working at NASA don't use Windows.
Re: (Score:2)
Wait, NASA doesn't encrypt its laptops?
What's even more shocking is that they steal laptops
good idea (Score:2)
I work for A Very Large Health Plan, and it is policy that all work laptops use encrypted harddrives and USB drives.
The laptops that are issued out to us workers already come encrypted, and also with the software that only allows writing to USB drives if you allow the software to encrypt the USB drive.
So far, seems to work, but does make a new laptop seem to be modest at boot/read/write times.
Re: (Score:2)
I work for A Very Large Retailer, and we've had all our laptops encrypted for years, as a Safe Harbor requirement, and a requirement of auditing by the payment card industry.
Good to know that government is catching up to where business has been half a decade ago.
[shrug] (Score:5, Interesting)
Now, the downside of full-disk encryption (which many lazy corporations do instead of home directory only) is that it does increase the load on your system, slow it down and make recovery if/when it breaks a royal pain. Our helpdesk has an almost constant stream of laptops coming and going through their hands that they have to decrypt and re-encrypt because something got out of sync. Time consuming, and leads to downtime for the users. I've often suggested home folder only encryption... but the higher ups want it all encrypted... right up to the point that their laptop is down for two days because they've broken it.
By the way, another horrible side effect of whole disk encryption is that our experience says that it'll kill SSDs pretty rapidly. Our average SSD life is less than a year at this point because there doesn't seem to be a good full-disk encryption software that properly implements TRIM... so spinning disk or hybrid disk is the way to go.
Re: (Score:2)
You know, we've been doing this for four years where I work. And yes, I know everyone here is going to espouse Truecrypt as the one true solution, but the simple fact is NASA is run as a corporation... as such they'll probably go for a solution that's vendor supported. The fact that they're NASA will probably mean they'll get a pretty decent price on the software too. Now, the downside of full-disk encryption (which many lazy corporations do instead of home directory only) is that it does increase the load on your system, slow it down and make recovery if/when it breaks a royal pain. Our helpdesk has an almost constant stream of laptops coming and going through their hands that they have to decrypt and re-encrypt because something got out of sync. Time consuming, and leads to downtime for the users. I've often suggested home folder only encryption... but the higher ups want it all encrypted... right up to the point that their laptop is down for two days because they've broken it. By the way, another horrible side effect of whole disk encryption is that our experience says that it'll kill SSDs pretty rapidly. Our average SSD life is less than a year at this point because there doesn't seem to be a good full-disk encryption software that properly implements TRIM... so spinning disk or hybrid disk is the way to go.
I run a Lenovo X220 with hardware accelerated AES on a Core i5. The increased load is NON-EXISTENT. Also if you run an SSD with a SandForce controller (which compresses data), the performance will be poor, and the wear very high. I run a Samsung 830 SSD. Fastest SSD for encrypted disks (does not compress data on the fly). Also, I use DiskCryptor. It does have TRIM enabled for encrypted disks.
Re: (Score:3)
It should only slow down old/cheap computers whose CPUs don't support the AES instructions, and TrueCrypt now supports TRIM... and AES instructions.
It'd be nice if someone would write a front-end for TrueCrypt that supports enterprise-type manageability.
Re: (Score:2)
Re:[shrug] (Score:5, Interesting)
I've often suggested home folder only encryption... but the higher ups want it all encrypted...
And they're absolutely correct. A laptop gets stolen that contains information which you are legally obligated to keep confidential, and you are threatened with a lawsuit over the breach of confidentiality, do you prefer:
A) being able to say "the entire disk was encrypted"
B) having to argue that having the user's home folder encrypted was sufficient, and potentially having to prove that no confidential data was stored outside the home folder, but having to prove that without the actual disk in your possession as evidence
Re: (Score:2)
I look forward to getting your keys and password out of your swap file.
Reasons (Score:2)
They are worried that Aliens might steal their technology
Somebody might find out they already stole alien technology
They are worried that the FBI might hack into their emails and find out who they are having affairs with
Sheldon Addison might wonder where the money he gave Newt went
Really? (Score:2)
I'm surprised that this is not already standard procedure. If it were up to me I'd probably disable all the USB ports as well. If you've got the best firewall in the world it won't be worth a plug nickel if someone takes a flash drive with a virus on it and plugs it into a PC in the office. Now you're inside the firewall and it spreads like wildfire.
Good old fashioned IT management (Score:2)
A known problem since the first laptop was issued, but ignored until today.
Now that the shit hits the fan they want it done yesterday.
Re: (Score:2)
More likely is that it's been a revolving budget request from IT for years and years but upper management keeps pushing it down the list to fund high visibility pet projects to pad their resumes with.
Only when the shit hits the fan do these low profile projects get funding and suddenly need to be done ASAP without any proper selection process.
The bid ends up not with the best product but in the hands of the sales drone the boss is cozy with.
The lesson here is.. If you have an important project that keeps ge
This is amazing: Why didn't they do it 10+ years a (Score:5, Interesting)
I was in charge of testing/verification of full disk crypto when my then-employer (Hydro) mandated it almost 20 years ago:
At that time 5 vendors made it through our pre-qualification tests, among these I was able to trivially break 3 of them (replace a conditional branch with its opposite), one took 20 minutes and only Utimaco's SafeGuard Easy had done a proper security design, where the user password was used as (part of) the seed for the key used to decrypt a copy of the master disk key.
I.e. the system _must_ be safe against attack from anyone, including the vendor!
I wrote a longer post about this the previous time the same issue came up on /.
Terje
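The key hierarchy this comment describes (the user password seeding the key that decrypts a copy of the master disk key), together with the second admin key suggested earlier in the thread, as an added Python sketch that is not from the thread or from any product named in it. The slot layout, function names and PBKDF2 work factor are assumptions, and an HMAC-SHA256 keystream with an HMAC tag stands in for AES key wrap so the sketch runs on the standard library alone.

```python
"""Password-wrapped master disk key with a recovery slot (illustrative sketch)."""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this sketch


class WrongSecret(Exception):
    """Raised when a secret does not open the requested key slot."""


def _derive(secret: str, salt: bytes) -> tuple:
    """Stretch a secret into an encryption subkey and a MAC subkey."""
    kek = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS, dklen=32)
    enc = hmac.new(kek, b"enc", hashlib.sha256).digest()
    mac = hmac.new(kek, b"mac", hashlib.sha256).digest()
    return enc, mac


def wrap(master_key: bytes, secret: str) -> dict:
    """Encrypt a copy of the master key under a key derived from `secret`."""
    if len(master_key) != 32:
        raise ValueError("master key must be 32 bytes")
    salt = os.urandom(16)  # fresh salt, so every slot gets its own keystream
    enc, mac = _derive(secret, salt)
    ct = bytes(a ^ b for a, b in zip(master_key, enc))
    tag = hmac.new(mac, salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def unwrap(slot: dict, secret: str, verify: bool = True) -> bytes:
    """Recover the master key from a slot.

    verify=False models someone patching out the check: the bytes returned
    are still useless, because the keystream depends on the secret itself.
    """
    enc, mac = _derive(secret, slot["salt"])
    expected = hmac.new(mac, slot["salt"] + slot["ct"], hashlib.sha256).digest()
    if verify and not hmac.compare_digest(expected, slot["tag"]):
        raise WrongSecret("secret does not open this slot")
    return bytes(a ^ b for a, b in zip(slot["ct"], enc))


def opens(slot: dict, secret: str) -> bool:
    """True if `secret` opens `slot`."""
    try:
        unwrap(slot, secret)
        return True
    except WrongSecret:
        return False


def create_header(user_password: str, recovery_secret: str) -> tuple:
    """Generate a random master key and wrap it once per slot.

    The header holds only wrapped copies; the master key itself is never
    stored, and neither is any password hash to compare against.
    """
    master_key = os.urandom(32)
    header = {
        "user": wrap(master_key, user_password),
        "recovery": wrap(master_key, recovery_secret),  # escrowed by IT
    }
    return header, master_key


def reset_user_password(header: dict, recovery_secret: str, new_password: str) -> None:
    """Forgotten password: open the recovery slot and re-wrap for the user.

    The disk is not re-encrypted; only the small user slot is replaced.
    """
    master_key = unwrap(header["recovery"], recovery_secret)
    header["user"] = wrap(master_key, new_password)


def demo() -> dict:
    """Run the forgotten-password scenario on constructed sample secrets."""
    header, master_key = create_header("old-user-pw", "escrowed-secret")
    patched = unwrap(header["user"], "guess", verify=False) == master_key
    reset_user_password(header, "escrowed-secret", "new-user-pw")
    return {
        "patched_check_yields_key": patched,
        "old_password_opens": opens(header["user"], "old-user-pw"),
        "new_password_opens": opens(header["user"], "new-user-pw"),
        "same_master_key": unwrap(header["user"], "new-user-pw") == master_key,
    }


if __name__ == "__main__":
    print(demo())
```
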
Re: (Score:2)
I was in charge of testing/verification of full disk crypto when my then-employer (Hydro) mandated it almost 20 years ago
Because 20 years ago, the resources that it took were extreme so an extreme need was required to even consider it. A bit less than a decade ago, the resource usage became light enough to where most anyone could consider it and, not surprisingly, we are seeing it done more often. This is not rocket science... pun only slightly intended.
Why keep data on the laptops at all? (Score:3)
At this point, why not have them VPN in to a central server, and keep all work materials there?
Between the trendy "cloud" and the availability of high-speed internet and most computers having encryption cycles to spare, our machines are now souped-up thin clients.
The idea that people need to take gigabytes or even megabytes (640k is ok though) of confidential data home with them on their laptops needs to be questioned. What are you doing with all of that? At home? On the subway?
Forget it: keep the data under control, and make the laptops worthless to foreign espionage.
My work laptop (Score:3)
I work for the Federal Government and every laptop has to have FDE in order to leave the building. This policy has been in place for years. NASA is just behind the times of every other federal agency. Too busy playing with robots, I assume.
AAARRRRGHHH (Score:5, Insightful)
NONONNONONONO
This is not how you deal with an incident like this. You have to reexamine your infrastructure and find out *why* that info was on an endpoint to begin with. This is the same BS kneejerk reaction that makes for bad IT planning. Just go and wallpaper over it with a band-aid and look all betterer.
HULK SMASH!!!!
Re: (Score:2)
NASA doesn't own most of their computers (Score:3)
They're leased from HP as part of the NASA ACES contract:
http://www.nasa.gov/home/hqnews/2010/dec/HQ_C10-080_ACES.html [nasa.gov]
Prior to that, there was a contract with Lockheed Martin.
They have to put out a specification of what they want the machine configuration to look like, and then HP gives 'em a cost per month for it.
And the 'devices' lost aren't necessarily laptops ... it could be cell phones or tablets, which are also leased through ACES.
There *are* ways around this, but you have to do more paperwork, and then you can buy stuff off SEWP [nasa.gov], and they're maintained by different groups of sysadmins (assigned to the mission, project or division).
And to make it more fun -- if you sign all of the paperwork to take a government furnished computer off site as a contractor, you're liable for the full original purchase price, no depreciation. (this might not be true for ACES) ... so I know a few people who brought their work-assigned laptops back and said they'd rather buy their own ... which means there's then *NO* control over them ... although they're not supposed to put SBU / ACI on it.
NASA Transparency directive (Score:3)
I thought NASA was ordered to be completely open and no information was to be considered sensitive. This was ordered at its inception when it was created to provide the space program, in order to NOT be military in nature so that the Russians would not be worried. Sure they have shared information over the years but nothing NASA has done has been military in nature.
It seems to me then, that nothing NASA can have can be 'sensitive' in nature, and these encryption efforts run counter to their chartered openness.
Re:NASA Transparency directive (Score:5, Interesting)
NASA has employees. Those employees have things like SSNs and disabilities and other such things that go in personnel files. It's one thing to say that all NASA's mission data should be completely open, and quite another to say that means everyone who works there should expect the public to be pawing through their data when that data would be afforded protection at any other employer.
Re: (Score:2)
I thought NASA was ordered to be completely open and no information was to be considered sensitive.
While very little of NASA's work is classified, the vast majority of their technical work is covered by ITAR and export control laws, and has to be protected from dissemination outside of the US. Export control can be very over-reaching, and needs to have a major overhaul, however some of the restrictions are on things that could easily be militarized.
Why did it take so Long? (Score:2)
I work in Gov't, state level. EVERY SINGLE laptop is encrypted. You plug in a USB, before you can move data to it, it has to be encrypted (you can move data off to computer without encrypting). You burn a CD, it gets encrypted.
They just this year started encrypting desktops also.
What I don't understand is why is it not a Fed Gov't rule that every agency that has portable media (tablets/laptops/usb/etc) has to be encrypted? This should just be standard now. Esp after having 48 incidents in 3 years? WTF,
Re: (Score:2)
I work in Gov't, state level. EVERY SINGLE laptop is encrypted. You plug in a USB, before you can move data to it, it has to be encrypted (you can move data off to computer without encrypting). You burn a CD, it gets encrypted.
They just this year started encrypting desktops also.
What I don't understand is why is it not a Fed Gov't rule that every agency that has portable media (tablets/laptops/usb/etc) has to be encrypted? This should just be standard now. Esp after having 48 incidents in 3 years? WTF, after first incident they should have started working on a plan to encrypt stuff.
Because like so many trivial things in life, it gets political. Worse for federal government, since not only do they have to deal with office politics, they also have to deal with the OTHER politics when it comes to how to run an agency with the appropriate ideology, down to if it fits the ideological view of certain people whether to encrypt a stupid harddrive or not.
Surprised (Score:2)
Yes, why the wait? (Score:2)
We've been doing this at my work for a few years now. Any organization that is at all concerned with data loss should already be doing this to all user workstations, portable AND desktop. Anything less is bordering on malpractice.
Horses and Barn Doors... (Score:5, Informative)
Re: (Score:2)
Yes, but don't worry: that massive amount of info they're collecting on you as part of HSPD-12[*] is perfectly safe.
[*] Where NASA said we all had to submit to unrestricted background investigations -- where they could gather any data they wanted on you, from any source, whether it be your doctor, your lawyer, your priest, your ISP, or whatever -- and then a secret, unappealable tribunal would decide if we could keep our jobs. I and others sued them over this, and lost. But don't worry, we can all see that
Why doesn't NASA Just.... (Score:2)
An awful lot of people in this thread have quick and simple "just do this" solutions for NASA's data encryption challenges.
NASA isn't your standard corporate environment - there are serious challenges to any "Just do X" solution. They DO need to encrypt everything but it's not a simple single-answer thing. They have to accommodate every scenario from "HR newbie with PII data in an office environment" to "Laptop collecting data on a C-130 as it flies through hurricanes" to "Laptops controlling robots in th
ehm what? (Score:2)
I wonder how long it will be before other large organizations start following suit as a sensible precaution?
I'm pretty sure that laptop encryption IS the standard at most big businesses these days. It is in the company that writes my paychecks, anyway. I think NASA was just behind the times on this issue.
Duh... (Score:2)
I work for a large corp whose own screw-ups with lost unencrypted PCs have been duly noted here on Slashdot. It is corporate policy to encrypt every hard drive that is not locked up. With Win7 and BitLocker it's simple to get encryption for 80%+ of normal users.
Right Time (Score:3)
I've personally been using LUKS for 4-5 years but I've also taken a power/performance hit for doing so.
Just ordered a new laptop with an i5 in it, and even within the i5 family I had to be careful to order a chip with AES-NI in it (the unit with the other specs I wanted winds up being mid-market due to limited configuration choice). But at least now the top 50% of the market has AES-NI built-in and those trade-offs are something to not-so-fondly remember.
Re: (Score:3)
That's why it's a lot better to be proactive about it and handle it pre-deploy. A month to play catch-up isn't actually all that bad. Then again I think it'll probably take them longer anyways.
Re: (Score:3)
1. I don't think there will be much chance of a laptop being carelessly knocked off a window sash onboard the ISS any time soon.
2. If such a thing were to happen, solar radiation and cosmic rays on bare electronics would likely take care of any data.
3. If the laptop does survive that, it's unlikely to survive re-entry.
4. If it does survive re-entry, it'll likely still be travelling at several hundred miles per hour and be uncomfortably hot by the time it falls *through* the hands of some nefarious individua
Re: (Score:2)
Do you know they send electronic signals to the Space Station? I know, amazing, right?
Did you know electronic signals can be used to get into a computer by a person who isn't even in the same room? I know, shocking!
Re: (Score:2)
Why would they be forced to Windows? Any time I've installed a Linux distro recently, it's at least asked if I want to encrypt my home folder.
Re: (Score:2)
Or could just go with someone other than Macrapy. Ubuntu I believe gives the option to encrypt the whole drive or just the home folder in the install wizard, and Windows 7 Enterprise has full disk encryption as an option if my memory serves me.
Re: (Score:2)
That's the biggest suckage for us. We went to fully encrypted laptops and desktops this spring as a requirement of a government contract we won. Used Truecrypt, which is pretty painless, but it's pretty much killed remote work on our branch office machines. Now someone has to be there to fire it back up again.
Oh what I would give for Truecrypt to build in remote password entry like I can do with dmcrypt on *nix.
Re: (Score:2)
I thought that too
Re: (Score:2)
http://www.space.com/14531-nasa-mars-missions-budget-cuts-2013.html
Re: (Score:2)
Chief reason is to encrypt the swap file. If the swap file is not encrypted, keys and data could be potentially retrieved.
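An added example, not part of any comment in this thread: a Linux check for the swap exposure described above, which flags swap areas that have no dm-crypt layer beneath them. It assumes the inputs are the text of /proc/swaps and of `lsblk -P -o KNAME,PKNAME,TYPE`; the sample data and the function names are constructed for illustration.

```python
import re

# Constructed /proc/swaps sample (not captured from a real host).
SAMPLE_SWAPS = """\
Filename      Type       Size     Used  Priority
/dev/dm-1     partition  8388604  0     -2
/dev/sda3     partition  2097148  1024  -3
/swapfile     file       1048572  0     -4
"""

# Constructed `lsblk -P -o KNAME,PKNAME,TYPE` sample: an LVM swap volume on LUKS.
SAMPLE_LSBLK = """\
KNAME="sda2" PKNAME="sda" TYPE="part"
KNAME="dm-0" PKNAME="sda2" TYPE="crypt"
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm"
KNAME="sda3" PKNAME="sda" TYPE="part"
"""

def parse_lsblk(text):
    # kernel device name -> (parent kernel name, device type)
    devices = {}
    for line in text.splitlines():
        f = dict(re.findall(r'(\w+)="([^"]*)"', line))
        if "KNAME" in f:
            devices[f["KNAME"]] = (f.get("PKNAME", ""), f.get("TYPE", ""))
    return devices

def is_on_dmcrypt(kname, devices):
    # Walk up the parent chain; any dm-crypt layer underneath counts.
    seen = set()
    while kname in devices and kname not in seen:
        seen.add(kname)
        parent, dev_type = devices[kname]
        if dev_type == "crypt":
            return True
        kname = parent
    return False

def audit_swap(swaps_text, lsblk_text):
    # Returns {swap area: "encrypted" | "PLAINTEXT" | "review"}.
    devices = parse_lsblk(lsblk_text)
    result = {}
    rows = [l.split() for l in swaps_text.splitlines() if len(l.split()) >= 2]
    for parts in rows[1:]:                        # rows[0] is the header row
        if parts[1] == "file":
            result[parts[0]] = "review"           # depends on the filesystem under the file
        else:
            kname = parts[0].rsplit("/", 1)[-1]   # assumes /dev/<kernel name> entries
            result[parts[0]] = "encrypted" if is_on_dmcrypt(kname, devices) else "PLAINTEXT"
    return result
```

A swap file is reported as "review" because its protection is that of the filesystem holding it, which these two inputs do not describe.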
Re: (Score:3)
Any NSA /.ers care to comment?
Are you prepared to die? ;-)
Re: (Score:3)
depends.
Do you define 'Geologic time' as the time it takes to beat a password out of someone? Or the time it takes to ask the corporation to turn the key over?