Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

NASA To Encrypt All of Its Laptops

timothy posted about a year and a half ago | from the violators-will-be-employed-with-social-security dept.

NASA 226

pev writes "After losing another laptop containing personal information, NASA wants to have all of its laptops encrypted within a month's time with an intermediate ban on laptops containing sensitive information leaving its facilities. Between April 2009 and April 2011 it lost or had stolen 48 'mobile computing devices.' I wonder how long it will be before other large organizations start following suit as a sensible precaution?"

cancel ×

226 comments

They waited this long because? (3, Interesting)

Liquidretro (1590189) | about a year and a half ago | (#41992007)

They waited this long because? First?

Re:They waited this long because? (5, Funny)

baoru (1023479) | about a year and a half ago | (#41992023)

Obviously it took them this long because it's not rocket science.

Re:They waited this long because? (4, Insightful)

NumenMaster (618275) | about a year and a half ago | (#41992799)

Funny enough right? How is it not STANDARD practice? I work for a really small state agency and that's the FIRST thing we do after imaging our laptops. It's been our policy for years. I'm so awestruck at the news.

Re:They waited this long because? (4, Informative)

jonnyj (1011131) | about a year and a half ago | (#41992117)

In the UK, the Information Commissioner has for many years routinely fined any company that loses an unencrypted laptop - even, in one famous case, where the laptop was stolen in a burglary at an employee's own home. It's unheard of for any large organisation over here to _not_ have encryption on all portable devices. I'm gobsmacked that NASA has been so slack.

Re:They waited this long because? (2)

JosKarith (757063) | about a year and a half ago | (#41992427)

I work for a financial services company and any portable device is encrypted as a matter of course. That's just a basic security measure, and I'm amazed NASA have waited so long.

Re:They waited this long because? (1)

Anonymous Coward | about a year and a half ago | (#41992123)

No kidding. From the summary:

I wonder how it will be before other large organisations start following suit as a sensible precaution?

Oh, 8 or 9 years ago when California passed the law requiring disclosure. That's when it became cheaper for most large organizations to encrypt rather than deal with the fall out.

Re:They waited this long because? (1)

robot256 (1635039) | about a year and a half ago | (#41992151)

They finished encrypting all the laptops at my center earlier this year. I was also amazed to learn that headquarters is behind the curve.

Re:They waited this long because? (5, Interesting)

Rootbear (9274) | about a year and a half ago | (#41992475)

This is not a new policy. The implementation of full disk encryption has been underway for some time. We are doing laptops first, then desktops. The current fire drill is because a laptop with PII was stolen at NASA HQ and it was one that had not yet had full disk encryption installed.

NASA IT staff are as overworked and under appreciated as anywhere. If NASA had wanted full disk encryption done sooner, they could have added the resources to make it happen. And that would have taken resources from missions, like Curiosity and the James Webb telescope. It's all about priorities.

Re:They waited this long because? (-1, Troll)

Mr. Freeman (933986) | about a year and a half ago | (#41992537)

"they could have added the resources to make it happen. And that would have taken resources from missions, like Curiosity and the James Webb telescope. It's all about priorities."

Bullshit. These two things are entirely unrelated. IT does not dictate the timeline for mars rovers and space telescopes.

Re:They waited this long because? (5, Insightful)

Culture20 (968837) | about a year and a half ago | (#41992647)

Resources == salaries. Do you pay two IT guys or an engineer/scientist?

i don't understand... (2, Insightful)

wbr1 (2538558) | about a year and a half ago | (#41992019)

Why is this not done already? Between truecrypt and (ack) bitlocker,it s relatively easy. Add in a robust backup system, which any organization should have already, and it is cheap and fairly easy to implement.

Re:i don't understand... (-1)

Anonymous Coward | about a year and a half ago | (#41992141)

They're an arm of the government, they don't get to do anything, even wipe their own arse, without numerous hearings and committee meetings to insure that the Public has had their input, and that they are being appropriate guardians of the public trust.

Plus they probably need to be sure that it's legal for them to do, and that they have ways to recover information. That last is especially important, so they cna be audited.

Re:i don't understand... (2)

Synerg1y (2169962) | about a year and a half ago | (#41992305)

Yep, you've got to have a documented practice to keep track of the recovery keys encryption programs generate. Also, my two cents is they were probably recommending encrypting the laptops, so anybody who wasn't a complete newb with computers did so, everybody else ignored it. Also, it's kind of hard to lose a laptop, I understand burglary is out of your control, but leaving it at a coffee shop is a testament to the lack of attention of the individual user.

Re:i don't understand... (4, Insightful)

TechyImmigrant (175943) | about a year and a half ago | (#41992391)

>Yep, you've got to have a documented practice to keep track of the recovery keys encryption programs generate.

No. I work in a big corp. If I die, my FDE password dies with me and the data is gone. Real data is held on servers and managed. A PC is just an access device.

Re:i don't understand... (1)

jader3rd (2222716) | about a year and a half ago | (#41992567)

No. I work in a big corp. If I die, my FDE password dies with me and the data is gone. Real data is held on servers and managed. A PC is just an access device.

I suspect that most corporations don't want their IP to die along with, or be held ransomed by, their employees.

Re:i don't understand... (2)

UnresolvedExternal (665288) | about a year and a half ago | (#41992657)

I think you are missing the ACs point - the important data on the laptop should be in sync with the servers. All of the other stuff is probably crud anyway.

Or at least it should be....

Re:i don't understand... (0)

Anonymous Coward | about a year and a half ago | (#41993021)

why is he an AC he has an account.

Re:i don't understand... (0)

Anonymous Coward | about a year and a half ago | (#41992689)

I suspect you failed to read his first line, third sentence.

Re:i don't understand... (1)

AMuse (121806) | about a year and a half ago | (#41992727)

Wow, do you bring the servers with you when you go do field tests of your robot in the desert? Or on the plane when you're doing hurricane fly-through ops?

Wait, you don't have those kinds of complexities in your corp? Interesting.

I wonder if NASA is a really complicated and nuanced sort of place and how that might provide challenges for these sorts of seemingly trivial things.

Re:i don't understand... (1)

Enderandrew (866215) | about a year and a half ago | (#41992881)

All my data is on servers as well, not on my laptop, though my laptop is encrypted. And so long as I can get a cell phone signal, I can convert that to wifi and VPN in to the data. I can even do that with free tools.

This is so complicated that NASA can't figure it out with a budget of billions and brilliant engineers?

Re:i don't understand... (3, Informative)

Nos. (179609) | about a year and a half ago | (#41992177)

Because there's no enterprise management behind Truecrypt, which pretty much eliminates it. I haven't looked at BitLocker for a while, but I seem to recall it had its share of issues as well. I've used Safeboot, and its not terrible.

Regardless, its not as simple as saying, "here, install this".

Re:i don't understand... (1)

cigawoot (1242378) | about a year and a half ago | (#41992571)

My company uses Check Point FDE. Its good software, provides an easy way for the helpdesk to provide either a one time login or a password reset if needed in order to allow and end user into the system. OTLs and Password Resets can be audited, if needed.

truecrypt (1, Insightful)

X0563511 (793323) | about a year and a half ago | (#41992021)

For the lazy it does the job well. No need spend budget on it.

Re:truecrypt (2)

Nkwe (604125) | about a year and a half ago | (#41992133)

For the lazy it does the job well. No need spend budget on it.

There is a reason to spend budget if you are an enterprise or have a need for centralized key recovery. While you don't want to leak data if your laptop falls in the wrong hands, you also don't want to lose data if your employee forgets their decryption key (either by accident or as a malicious action.)

Re:truecrypt (2)

Krneki (1192201) | about a year and a half ago | (#41992221)

Easy to understand for someone with experience, totally impossible concept to grasp for people who never had this problem with larger networks.

Re:truecrypt (1)

X0563511 (793323) | about a year and a half ago | (#41992313)

True enough, but such things cost money. Something 'simple' like Truecrypt isn't a perfect fit but you can deploy it (at risk, as you state) without having to fork over cash.

I only state this because we should all be aware of the budget nightmare NASA has been living lately.

Re:truecrypt (1)

lister king of smeg (2481612) | about a year and a half ago | (#41992459)

easy fix make them save the encryption key to a text file on a key server at NASA when they forget simply ask the IT guy to go get they key. this computer should have NO network connection and all of the input ports (not counting the 1 for the keyboard) filled filled with epoxy. it should have its drive encrypted with several people who know they decryption key so there is no one person that can forget it and screw everyone.

Now they also need to learn good backup habbits (1)

Anonymous Coward | about a year and a half ago | (#41992031)

I worked for a major technology vendor. A few years back they mandated full disk encryption on all laptops (Good idea right) Problem was they went with some company i never heard of and the stuff would randomly corrupt and all data would be lost. Certain people (executives) lost a lot of data because the only copy were on the laptops. This was all sorts of fun for the IT group.

Re:Now they also need to learn good backup habbits (0)

Anonymous Coward | about a year and a half ago | (#41992197)

We had similar problems with McAfee Endpoint. Recovery tools would SOMETIMES resolve the issue. Everyone who gets a laptop signs off that all important documents must be saved to their home folder (synced across VPN). Because syncing a 200 MB contract or DB dump is SOOO easy at dsl speeds...

Local IT issued encrypted thumb drives for the higher-ups. That saved a few, but not all.

Now they are moving to BitLocker.

Space age? (2)

Defenestrar (1773808) | about a year and a half ago | (#41992033)

I'm quite close to a different national lab type of federal facility and all of their laptops have been encrypted for at least a few years now. The stuff here isn't any more sensitive than the stuff there - it's just under an actual cabinet position. Bureaucracy may sometimes be a headache - but enforcing common sense policies is one of it's strong suits. Besides - is NASA really benefiting in it's efficiency from it's "bureaucratic freedom"?

Re:Space age? (2)

Defenestrar (1773808) | about a year and a half ago | (#41992061)

I feel so ashamed - the apostrophe protection society is going to hunt me down.

Re:Space age? (0)

Anonymous Coward | about a year and a half ago | (#41992157)

Defenestrar:

I feel so ashamed - the apostrophe protection society is going to hunt me down.

And we're going to throw you out the window.

Hammer to kill a swarm of flies (0)

Anonymous Coward | about a year and a half ago | (#41992045)

Encrypting everything on a device just seems so stupid to me.

It slows down overall performance. It does provide greater security than just encrypting the sensitive files.

But really what's the need to have your OS and application files, which are going to be the same on every device, encrypted? It would seem that, if you can collect enough samples of encrypted disks that have enough of these files on them that would in and of itself provide an attack vector to decrypt the desired "sensitive" information.

When you have a billion hammers, flies ARE nails (0)

Anonymous Coward | about a year and a half ago | (#41992199)

But really what's the need to have your OS and application files, which are going to be the same on every device, encrypted?

That is done simply because it makes things simpler (that's the upside) and it's essentially "free" (there's virtually no downside). Even with low-end 2004 tech (a single core 800 MHz Transmeta CPU) I could barely notice dm-crypt having a significant effect on performance or battery life. With modern hardware people would need to use benchmarking tools just to be able to see the extra percent of overhead that one of their many cores has to endure. It's just too cheap to worry about.

It would seem that, if you can collect enough samples of encrypted disks that have enough of these files on them..

I'm not sure if this is a 1970s thing or more generally a "post-WW2" thing, but most crypto these days tends to be resistant to "known plaintext attacks".

Re:When you have a billion hammers, flies ARE nail (1)

NikeHerc (694644) | about a year and a half ago | (#41992623)

... most crypto these days tends to be resistant to "known plaintext attacks".

256-bit AES is generally considered safe for geologic time, with geologic time possibly being reduced by orders of magnitude for the NSA. Any NSA /.ers care to comment?

Re:Hammer to kill a swarm of flies (1)

amiller2571 (2571883) | about a year and a half ago | (#41992257)

It is not stupid by any means, the system stores information all over the place. It would be to hard to try and encrypt each one by itself. It is far easier to just encrypt the whole thing. You would be surprised how little of a hit you take in performance. I used TrueCrypt for a good while and I never notices any slow down at all. Encryption like AES are extremely fast.

System encryption provides the highest level of security and privacy, because all files, including any temporary files that Windows and applications create on the system partition (typically, without your knowledge or consent), hibernation files, swap files, etc., are always permanently encrypted (even when power supply is suddenly interrupted). Windows also records large amounts of potentially sensitive data, such as the names and locations of files you open, applications you run, etc. All such log files and registry entries are always permanently encrypted too.

http://www.truecrypt.org/docs/ [truecrypt.org]

We've done it (0)

Anonymous Coward | about a year and a half ago | (#41992049)

For many years.

what about laptops on the ISS? (0)

Anonymous Coward | about a year and a half ago | (#41992059)

will they encrypted?? will they be forced over to windows?

Re:what about laptops on the ISS? (2)

Tastecicles (1153671) | about a year and a half ago | (#41992395)

1. I don't think there will be much chance of a laptop being carelessly knocked off a window sash onboard the ISS any time soon.
2. If such a thing were to happen, solar radiation and cosmic rays on bare electronics would likely take care of any data.
3. If the laptop does survive that, it's unlikely to survive re-entry.
4. If it does survive re-entry, it'll likely still be travelling at several hundred miles per hour and be uncomfortably hot by the time it falls *through* the hands of some nefarious individual.

Re:what about laptops on the ISS? (0)

Anonymous Coward | about a year and a half ago | (#41992551)

Laptops are already running Windows on the ISS. NASA is (usually) a pragmatic organization, it uses the tools that work for them.

Re:what about laptops on the ISS? (1)

somersault (912633) | about a year and a half ago | (#41992619)

Why would they be forced to Windows? Any time I've installed a Linux distro recently, it's at least asked if I want to encrypt my home folder.

Good job someone just invented encryption... (1)

M4n (1472737) | about a year and a half ago | (#41992063)

They must have been waiting years for something like this.

Large Company in Defense Sector (0)

Anonymous Coward | about a year and a half ago | (#41992065)

This large company in the defense sector has been encrypting all laptops and desktops for a couple years now. It's pretty painless so far. Whatever you do, make your security transparent to the end user and life will be good.

Re:Large Company in Defense Sector (0)

Anonymous Coward | about a year and a half ago | (#41992163)

open problem is remote admin requiring reboots now includes "wait for people to show up and type in their macafee passwords"

Re:Large Company in Defense Sector (1)

lister king of smeg (2481612) | about a year and a half ago | (#41992569)

Or could just go with someone other than Macrapy. Ubuntu I believe gives the option to encrypt the whole drive or just the home folder in the install wizard, and windows 7 enterprise has full disk encryption as a option if my memory serves me.

Re:Large Company in Defense Sector (1)

Ensign_Expendable (1045224) | about a year and a half ago | (#41992617)

Yep, they seem to be 90% Mac from what I see on the TV news. So I take it OS X's built-in FireVault won't do the trick. So what else is out there in the World of OS X security packages?

Re:Large Company in Defense Sector (1)

Atrox Canis (1266568) | about a year and a half ago | (#41992659)

That can be addressed via things like vpro.

A bit of a misconception. (4, Interesting)

sunking2 (521698) | about a year and a half ago | (#41992077)

NASA is a huge bureaucracy that is behind the curve in this aspect. The sad part is that they apparently have more laptops to lose with HR type information on them than they do ITAR. Which pretty much sums up NASA right now.

Herp Derp... why wait so long?! (4, Informative)

erroneus (253617) | about a year and a half ago | (#41992079)

You know? Endpoint encryption is trivial. There are so many products that do it effectively and easily. Why is this being done so late? Where I work, we do that to EVERY computer a user touches, not just laptops. If it isn't locked behind a server room door, it's locked to a desk and the HDD encrypted. Even the receptionist machine is encrypted.

What the hell are these people even thinking?

Sure... data recovery is more expensive or more impossible. I get that. But you know? It's kind of worth it. Also, if it's important data that lives ONLY on the endpoint machine? Well, that's another thing they are doing wrong.

Re:Herp Derp... why wait so long?! (1)

somersault (912633) | about a year and a half ago | (#41992371)

data recovery is more expensive or more impossible. I get that. But you know? It's kind of worth it.

That depends on what the data is and how valuable it is to competitors, etc. If you get so paranoid that you are literally chaining PCs to desks and encrypting them, do you also disable or physically incapacitate USB ports, make sure that nobody is sending out files via email, FTP, etc, etc? Or are you doing this more to protect from opportunist thieves?

Re:Herp Derp... why wait so long?! (1)

tlhIngan (30335) | about a year and a half ago | (#41993057)

Well, IT has to deploy it - and there are VERY strange interactions that can happen.

One common one was after being issued new laptops, about half of them started getting "Delayed write failure" errors on Windows and subsequently, corrupted files. No one ever figured it out - a combination of BIOS updates, Windows upgrades (from XP to 7), etc., seemed to have minimized the problems.

Other ones included very odd daily BSODs as well - they just started happening and was linked to the FDE conflicting with the antivirus software.

Of course, I suppose the issue is the company was paranoid enough to use FDE, computer management/deployment, and computer monitoring suite at the same time (monitors which files get transferred externally, etc. Basically legit spyware).

I suppose the problem is partly Windows - after installing all that stuff, the whole system gets rather fragile...

*face palm* (2)

Picardo85 (1408929) | about a year and a half ago | (#41992085)

Jesus, the small company I worked for (400 employees or so) had all but the desktop machines encrypted many years ago. I can't remember what they used before the built in windows encryption, but at least they had something there.

It's insane to hear that large companies don't have their machines encrypted though it's a mouseclick away for their IT-dept while prepping the computer for deployment.

*face palm*

Re:*face palm* (2)

VortexCortex (1117377) | about a year and a half ago | (#41992841)

Jesus, the small company I worked for (400 employees or so)
[...]

It's insane to hear that large companies don't

Scale. Hindsight. Legacy Systems. Easier said than done.

Sometimes you want to do the "right thing"(tm) but need some sort of cluster fsck to show those higher ups that the cost v benefit analysis preventing you from doing so is wrong. Notice it was personal info, not science & engineering stuff. Which would be more effective to lose if you want an org-wide policy approval? Just sayin' maybe their "IT-dept" is actually working as intended.

Encryption mandatory (1)

Fackamato (913248) | about a year and a half ago | (#41992091)

Wait, NASA doesn't encrypt its laptops? Why not?

Just use Bitlocker, it's enforced by GPO where I work. Or if on another system, truecrypt or just CryptFS.

Why is this an issue?

Re:Encryption mandatory (1)

ulzeraj (1009869) | about a year and a half ago | (#41992273)

I know that a lot of people working on NASA doesn't use Windows.

Re:Encryption mandatory (0)

Anonymous Coward | about a year and a half ago | (#41993017)

What does this have to do with anything? Linux has cryptsetup, FreeBSD has geli, Solaris now has ZFS encryption and probably more tools. There are drives that encrypt in hardware that are either for laptops or in the whole SCSI/SAS arena that I'm not lucky enough to be in...but there is a hard drive shortage in play.

My issues with the software side of encryption are these:

a) Reliable key management and recovery. It's easy with cryptsetup and geli, as well as file-based solutions like GPG. eCryptFS looked rather unpleasant, and I was somewhat lost with EFS on Windows XP. I think this way: If there are too many hoops to jump through to get key recovery, data will be lost.

b) Performance. Without any hardware crypto helpers, expect a noticeable overall loss of performance. Sometimes it's a 5% loss, sometimes it's a 30% loss, it depends on what you're doing. Keep in mind, computers that are fast enough for 24/7 crypto are fairly new. If you don't mind going slow for the sake of safety, that's fine, but I can't convince many people to do that.

c) Testing takes more time than usual. For my own deployment on a spare 32-bit Linux server, I thought I did well with cryptsetup and XFS until it ran out of vmalloc space to allocate files for backup. After much pecking through stale Internet answers and unfriendly mailing lists, I stumbled upon the problem myself: When I set up Linux to see more than 864 MB of memory, the kernel dropped my vmalloc space from 256 MB to 128 MB, and that was fine for XFS by itself but not with cryptsetup. After setting vmalloc to 384 MB, the problem went away, but to make sure it didn't come back, I went for the highly-not-recommended kernel 2G/2G split of address space...and it worked perfectly. When it comes to file systems and crypto, advice on the Internet is poor and getting worse. I tested, and tested, and tested, and I have trustworthy crypto solutions that I can use wherever I go, even if it's just GPG and flash keys. However, I can't recall anything that I *had* to test so much. GPG key management was child's play next to this. So was my experience with C, VB, and SQL Server.

d) Backups must be done. When you don't do crypto, you might let a backup slide for a few days extra. If there's a disaster, there are plenty of recovery and forensics tools around for plaintext drives. There's less of an option here when dealing with crypto.

I take this as law: When somebody asks you, "You can get my data back, right? Right?" then your answer has to be better than, "uhhhhh..." and once you say, "yes," you must back up that with action. "It depends" is a really bad answer, and there's a lot of "it depends" in crypto.

Crypto simply adds hassle and wastes time for the benefits it provides. If NASA saw that data on some of their laptops was not worth encrypting because they trusted the people that operated the laptops, I can see that quite easily. Bad results, but it's understandable. If I thought that we were going to have something important like another space shuttle or an astronaut on Mars, I might be worried a little more about plans on a NASA laptop.

Re:Encryption mandatory (1)

tukang (1209392) | about a year and a half ago | (#41992445)

Wait, NASA doesn't encrypt its laptops?

What's even more shocking is that they steal laptops

A months time? (1)

HideyoshiJP (1392619) | about a year and a half ago | (#41992097)

That seems like a project that will take longer than a month. Full disk encryption on a large scale is a PITA.

Re:A months time? (2)

Synerg1y (2169962) | about a year and a half ago | (#41992375)

That's why it's a lot better to be pro-active about it and handle it pre-deploy. A month to play catch up isn't actually all that bad. Then again I think it'll probably take them longer anyways.

good idea (1)

mrflash818 (226638) | about a year and a half ago | (#41992099)

I work for A Very Large Health Plan, and it is policy that all work laptops use encrypted harddrives and USB drives.

The laptops that are issued out to us workers already come encrypted, and also with the software that only allows writing to USB drives if you allow the software to encrypt the USB drive.

So far, seems to work, but does make a new laptop seem to be modest at boot/read/write times.

Re:good idea (1)

MachineShedFred (621896) | about a year and a half ago | (#41992359)

I work for A Very Large Retailer, and we've had all our laptops encrypted for years, as a Safe Harbor requirement, and a requirement of auditing by the payment card industry.

Good to know that government is catching up to where business has been half a decade ago.

[shrug] (5, Interesting)

Thumper_SVX (239525) | about a year and a half ago | (#41992101)

You know, we've been doing this for four years where I work. And yes, I know everyone here is going to espouse Truecrypt as the one true solution, but the simple fact is NASA is run as a corporation... as such they'll probably go for a solution that's vendor supported. The fact that they're NASA will probably mean they'll get a pretty decent price on the software too.

Now, the downside of full-disk encryption (which many lazy corporations do instead of home directory only) is that it does increase the load on your system, slow it down and make recovery if/when it breaks a royal pain. Our helpdesk has an almost constant stream of laptops coming and going through their hands that they have to decrypt and re-encrypt because something got out of sync. Time consuming, and leads to downtime for the users. I've often suggested home folder only encryption... but the higher ups want it all encrypted... right up to the point that their laptop is down for two days because they've broken it.

By the way, another horrible side effect of whole disk encryption is that our experience says that it'll kill SSD's pretty rapidly. Our average SSD life is less than a year at this point because there doesn't seem to be a good full-disk encryption software that properly implements TRIM... so spinning disk or hybrid disk is the way to go.

Re:[shrug] (2)

ltcdata (626981) | about a year and a half ago | (#41992323)

You know, we've been doing this for four years where I work. And yes, I know everyone here is going to espouse Truecrypt as the one true solution, but the simple fact is NASA is run as a corporation... as such they'll probably go for a solution that's vendor supported. The fact that they're NASA will probably mean they'll get a pretty decent price on the software too. Now, the downside of full-disk encryption (which many lazy corporations do instead of home directory only) is that it does increase the load on your system, slow it down and make recovery if/when it breaks a royal pain. Our helpdesk has an almost constant stream of laptops coming and going through their hands that they have to decrypt and re-encrypt because something got out of sync. Time consuming, and leads to downtime for the users. I've often suggested home folder only encryption... but the higher ups want it all encrypted... right up to the point that their laptop is down for two days because they've broken it. By the way, another horrible side effect of whole disk encryption is that our experience says that it'll kill SSD's pretty rapidly. Our average SSD life is less than a year at this point because there doesn't seem to be a good full-disk encryption software that properly implements TRIM... so spinning disk or hybrid disk is the way to go.

I run a Lenovo X220 with hardware accelerated AES on a Core I5. The increased load is NON-EXISTENT. Also if you run a SSD with sandforce controller (which compresses data), the performance will be poor, and the wear very high. I run a samsung 830 SSD. Fastest ssd for encrypted disks (does not compress data on the fly). Also, i use DiskCryptor. It does have TRIM enabled for encrypted disks.

Re:[shrug] (2)

Nimey (114278) | about a year and a half ago | (#41992331)

It should only slow down old/cheap computers whose CPUs don't support the AES instructions, and TrueCrypt now supports TRIM... and AES instructions.

It'd be nice if someone would write a front-end for TrueCrypt that supports enterprise-type manageability.

Re:[shrug] (0)

Anonymous Coward | about a year and a half ago | (#41992405)

Full disk encryption is prefered because it is hard to ensure that users or applications don't leak information from protected directories to unprotected directories.

Did you look for self-encrypting drives? I don't know if SSD offer this feature yet but you can get HDDs which do the encryption in the drive itself and give access only when provided with the key.

Re:[shrug] (1)

MufasaZX (790614) | about a year and a half ago | (#41992441)

I implemented Seagate hybrid drives and PGP Whole Disk Encryption on all my company's laptops a year or two ago and it works very well, and only once had a funky out-of-sync explosion that required a call to Symantec support to resolve. If you pull out a drive that has an OS issue and try to slap it into a USB dock, as long as the other computer also has PGP it'll just ask for the password and then away you go.

One minor thing that doesn't work is boot-sector based BIOS updates (Dell in particular), but getting around this with a bootable Windows98 USB key is easy enough.

Another problem with SSDs...some of them (SandForce) use compression to reduce the write cycles to the flash chips and boost performance, which is all well and good until your data is encrypted and totally uncompressable. It still works fine, but the stunning SSD performance from SF's controller comes down to more mortal levels. Hence we use the Seagate hybrid drives, they are cheap, large, and fast enough.

Re:[shrug] (2)

IT.luddite (1633703) | about a year and a half ago | (#41992525)

So much for using mod points on this discussion... 3-4 years ago, I was the technical lead on a project to encrypt all laptops (mobile data, but not handhelds... *shrug*). The original project team had selected a solution (home directory only encryption) and then commenced to hit the skids. I was brought in to turn the project around. I found security weaknesses on the directory encryption (Hiram's boot cd could easily bypass it). We decided to test a whole disk solution, and went with it. For an environment that had 800+ laptops, ~25% being field crew devices (shared devices, assigned to a truck with crews then assigned to trucks on a daily basis), full deployment took 6 weeks and a dedicated team of 6 people. During the 6 weeks, we trained the IT Support staff on how to support systems w/ whole disk encryption including the decrypt process as well as continuing the roll out for new hardware deployments. Does it add to overhead on support and cause situations where data is "unrecoverable" when otherwise there would be a reasonable chance to recover? Yes. The business determined it was worth it due to the number of laptops lost/stolen. As a side note, not one user complained about additional system latency. Password sync was easily achieved via LDAP and the keys to the kingdom is held in an enterprise cert that can decrypt/access all devices. PGP WDE is the current solution. So far, so good. No linux support though.

Re:[shrug] (4, Interesting)

sribe (304414) | about a year and a half ago | (#41992599)

I've often suggested home folder only encryption... but the higher ups want it all encrypted...

And they're absolutely correct. A laptop gets stolen that contains information which you are legally obligated to keep confidential, and you are threatened with a lawsuit over the breach of confidentiality, do you prefer:

A) being able to say "the entire disk was encrypted"

B) having to argue that having the user's home folder encrypted was sufficient, and potentially having to prove that no confidential data was stored outside the home folder, but having to prove that without the actual disk in your possession as evidence

Budget Cuts? (0)

Anonymous Coward | about a year and a half ago | (#41992139)

Between April 2009 and April 2011 it lost or had stolen 48 'mobile computing devices.'

Why would NASA need to steal 48 'mobile computing devices'??

Re:Budget Cuts? (1)

lister king of smeg (2481612) | about a year and a half ago | (#41992621)

i thought that to

Many companies already do this (0)

Anonymous Coward | about a year and a half ago | (#41992143)

Many companies already do this. All notebooks where I work (a large Si company) have encrypted hard drives. With a SSD and a reasonably modern CPU there is very little performance impact. My 2 year old notebook with SSD and encryption is much faster than the previous model which had no SSD and no encryption.

What's surprising is that the majority of companies and government agencies don't do this. The cost of implementation is very low compared to the value of the data that could be lost.

12 years ago (0)

Anonymous Coward | about a year and a half ago | (#41992145)

They started the paperwork for it 12 years ago, but it only just approved.

Snark is easy, how about a technical discussion? (0)

Anonymous Coward | about a year and a half ago | (#41992165)

How about an actual conversation about encrypting laptops? What tools do you prefer? What is your workflow?

Re:Snark is easy, how about a technical discussion (0)

Anonymous Coward | about a year and a half ago | (#41992269)

This.

Reasons (1)

rossdee (243626) | about a year and a half ago | (#41992169)

They are worried that Aliens might steal their technology
Somebody might find out they aleady stole alien technology
They are worried that the FBI might hack into their emails and find out who they are having affairs with
Sheldon Addison might wonder where the money he gave Newt went

Really...9/11 forced a lot of large Corps to (1)

oxnyx (653869) | about a year and a half ago | (#41992171)

The security laws in the US after 9/11 force alot of big corps to encrypt. As far as I tell it slow down boot time and forces IT to take 2 days to turn around anything as there is 12hrs to decrypt the hdd and then 12 to re-crypt.This month we got told to put stickers on all documents to state it security level...I'm really sure those stickers "CORP. INTERNAL ONLY" will really slow down those outsider eyes. Soon I'm sure we will have to us a secret de-coder ring to read the print out. Really have you guys read most internal documents? They are of little interest to the people who are PAID to read them.

Re:Really...9/11 forced a lot of large Corps to (1)

tatman (1076111) | about a year and a half ago | (#41992539)

I wonder how long it will be before the gov starts either regulating it. I mean a) requiring it b) requiring a gov back door. All in the name of fighting crime of course.

Really? (1)

erp_consultant (2614861) | about a year and a half ago | (#41992175)

I'm surprised that this is not already standard procedure. If it were up to me I'd probably disable all the USB ports as well. If you've got the best firewall in the world it won't be worth a plug nickel if someone takes a flash drive with a virus on it and plugs it into a PC in the office. Now you're inside the firewall and it spreads like wildfire.

Good old fashioned IT management (1)

Krneki (1192201) | about a year and a half ago | (#41992195)

A known problem since the first laptop was issued, but ignored until today.

Now that the shit hits the fan they want it done yesterday.

This is amazing: Why didn't they do it 10+ years a (4, Interesting)

Terje Mathisen (128806) | about a year and a half ago | (#41992237)

I was in charge of testing/verification of full disk crypto when my then-employer (Hydro) mandated it almost 20 years ago:

At that time 5 vendors made it through our pre-qualification tests, among these I was able to trivially break 3 of them (replace a conditional branch with its opposite), one took 20 minutes and only Utmaco's SafeGuard Easy had done a proper security design, where the user password was used as (part of) the seed for the key used to decrypt a copy of the master disk key.

I.e. the system _must_ be safe against attack from anyone, including the vendor!

I wrote a longer post about this the previous time the same issue came up on /.

Terje

Why keep data on the laptops at all? (2)

concealment (2447304) | about a year and a half ago | (#41992295)

At this point, why not have them VPN in to a central server, and keep all work materials there?

Between the trendy "cloud" and the availability of high-speed internet and most computers having encryption cycles to spare, our machines are now souped-up thin clients.

The idea that people need to take gigabytes or even megabytes (640k is ok though) of confidential data home with them on their laptops needs to be questioned. What are you doing with all of that? At home? On the subway?

Forget it: keep the data under control, and make the laptops worthless to foreign espionage.

My work laptop (2)

Sparticus789 (2625955) | about a year and a half ago | (#41992317)

I work for the Federal Government and every laptop has to have FDE in order to leave the building. This policy has been in place for years. NASA is just behind the times of every other federal agency. Too busy playing with robots, I assume.

AAARRRRGHHH (4, Insightful)

MrLint (519792) | about a year and a half ago | (#41992319)

NONONNONONONO

This is not how you deal with an incident like this. You have to reexamine your infrastructure and find out *why* that info was on an endpoint to begin with. This is teh same BS kneejerk reaction that makes for bad IT planning. Just go and wallpaper of it with a band-aid and look all betterer.

HULK SMASH!!!!

The McAfee Solution (0)

Anonymous Coward | about a year and a half ago | (#41992345)

NASA should do what my employer has done, and start utilizing to McAfee Endpoint Encryption. If you attempt to break the encryption, your computer gets high on bath salts and tries to kill you. Seems secure to me.

NASA doesn't own most of their computers (2)

oneiros27 (46144) | about a year and a half ago | (#41992373)

They're leased from HP as part of the NASA ACES contract :
        http://www.nasa.gov/home/hqnews/2010/dec/HQ_C10-080_ACES.html [nasa.gov]

Prior to that, there was a contract with Lockheed Martin.

They have to put out a specification of what they want the machine configuration to look like, and then HP gives 'em a cost per month for it.

And the 'devices' lost aren't necessarily laptops ... it could be cell phones or tablets, which are also leased through ACES.

There *are* ways around this, but you have to do more paperwork, and then you can buy stuff off SEWP [nasa.gov] , and they're maintained by different groups of sysadmins (assigned to the mission, project or division).

And to make it more fun -- if you sign all of the paperwork to take a government furnished computer off site as a contractor, you're liable for the full original purchase price, no depreciation. (this might not be true for ACES) ... so I know a few people who brought their work-assigned laptops back and said they'd rather buy their own ... which means there's then *NO* control over them ... although they're not supposed to put SBU / ACI on it.

NASA Transparency drirective (2)

scorp1us (235526) | about a year and a half ago | (#41992381)

I thought NASA was ordered to be completely open and no information was to be considered sensitive. This was ordered at its inception when it was created to provide the space program, in order to NOT be military in nature so that the Russians would not be worried. Sure they have shared information over the years but nothing NASA has done has been military in nature.

It seems to me then, that nothing NASA can have can be 'sensitive' in nature, and these encryption efforts run counter to t heir chartered openness.

48 'mobile devices'? in two years? (0)

Anonymous Coward | about a year and a half ago | (#41992409)

Most businesses would have shit after a few devices were lost or stolen. Seriously, how do you lose a laptop or smartphone like that? Do thieves rove the NASA parking lot in packs? Is there a mugger riding up and down in the elevator?

Way to be out front, NASA. (1)

NikeHerc (694644) | about a year and a half ago | (#41992437)

My employers in my last two jobs have given me a total of three encrypted laptops, the oldest going back to the middle of 2008. If you choose an appropriate h/w vendor, an encrypted disk won't slow down the typical laptop user.

Encryption didn't seem to affect the Dell laptop; not true for the ThinkPad, it was slower than Christmas.

Why did it take so Long? (1)

Formorian (1111751) | about a year and a half ago | (#41992479)

I work in Gov't, state level. EVERY SINGLE laptop is encrypted. You plug in a USB, before you can move data to it, it has to be encrypted (you can move data off to computer without encrypting). You burn CD it get's encrypted.

They just this year started encrypting desktops also.

What I don't understand is why is it not a Fed Gov't rule that every agency that has portable media (tablets/laptops/usb/etc) has to be encrypted? This should just be standard now. Esp after having 48 incidents in 3 years? WTF, after first incident they should have started working on a plan to encrypt stuff.

What's NASA trying to hide? (0)

Macdude (23507) | about a year and a half ago | (#41992507)

What's NASA trying to hide? It looks to me like they're a bunch of terrorists...

Surprised (1)

thetoadwarrior (1268702) | about a year and a half ago | (#41992513)

My company has been doing this for ages. It just makes sense and I'm really surprised NASA does not do it already.

Public, private, practical (0)

Anonymous Coward | about a year and a half ago | (#41992545)

On the practical surface of it, this should have been done long ago.

On a more theoretical basis, what's the justification for doing it at all? NASA is a publically-funded research organization. Maximizing public benefit would call for every detail of NASA's activities to be publically available, and "misplaced data" seems more like a happy-accident additional distribution mechanism.

The "right to be secure in one's papers" is a right of the citizen, not of the government. So what's the downside here? "Other countries might learn how to do our stuff"? They already can.

Yes, why the wait? (1)

rickb928 (945187) | about a year and a half ago | (#41992591)

We've been doing this at my work for a few years now. Any organization that is at all concerned with data loss should already be doing this to all user workstations, portable AND desktop. Anything less is bordering on malpractice.

Horses and Barn Doors... (4, Informative)

Mr. Sanity (1161283) | about a year and a half ago | (#41992639)

Too bad they didn't do that before I had to recieve this email this week:

OFFICE OF THE DIRECTOR
November 14, 2012
TO: JPL Employees and Contractor Personnel
FROM: Charles Elachi
SUBJECT: NASA Laptop Security Breach
On Tuesday November 13, we were all notified that a NASA laptop and official NASA documents issued to a Headquarters employee were stolen. The laptop contained records of sensitive, personally identifiable information (PII) for a large number of NASA employees, contractors and others. NASA is assessing and investigating the incident and taking every possible action to mitigate therisk of harm and/or inconvenience to affected employees.
We at Caltech/JPL are extremely concerned about the potential implications of this incident to our employees and affiliates. We have been in contact with NASA Headquarters, and they advise us that they intend to mail letters beginning this week to affected or potentially affected individuals as they are identified. NASA has not provided us with thelist of individuals whowill be notified.
In the meantime, a good resource of protective measures is the Federal Trade Commission's website, Facts for Consumers, Identity Theft: What to Know, What to Do, at: http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt01.shtm [ftc.gov] . The State of California also has information at www.privacy.ca.gov. Click on "Consumer Information Sheets" on the left-hand column and you will find several Consumer Information Sheets that may be helpful.
We call your attention to this portion of NASA's message:
"NASA has contracted with a data breach specialist, ID Experts, who will be sending letters to affected individuals, informing them that their sensitive PII was stored on the stolen laptop and they could be impacted by the breach. This notification also will provide them information on how to protect their identity using the fully managed services of ID Experts at no cost to the individual. These services will include a call center and website, credit and identity monitoring, recovery services in cases of identity compromise, an insurance reimbursement policy, educational materials, and access to fraud resolution representatives. If you receive a notification letter in the mail, follow the directions to activate your services as soon as possible.
All employees should be aware of any phone calls, emails, and other communications from individuals claiming to be from NASA or other official sources that ask for personal information or verification of it. NASA and ID Experts will not be contacting employees to ask for or confirm personal information. If you receive such a communication, please do not provide any personal information."
We will issue further relevant information as we learn more. We are committed to assisting our employees who may be impacted by this incident. If you have questions, please feel free to contact JPL Human Resources at x4-7506.

About F****** Time (1)

moonwatcher2001 (2710261) | about a year and a half ago | (#41992741)

Boeing did this 6 years ago.

Why doesn't NASA Just.... (1)

AMuse (121806) | about a year and a half ago | (#41992863)

An awful lot of people in this thread have quick and simple "just do this" solutions for NASA's data encryption challenges.

NASA isn't your standard corporate environment - there are serious challenges to any "Just do X" solution. They DO need to encrypt everything but its not a simple single-answer thing. They have to accommodate every scenario from "HR newbie with PII data in an office envrionment" to "Laptop collecting data on a C-130 as it flies through hurricanes" to "Laptops controlling robots in the desert during field tests sulating Martian environments".

In many of those cases a laptop with broken
encryption software means millions of wasted dollars if the experiment is a wash.

In other cases NOT having crypto means serious secrecy issues.

Anyway, there's no excuse for this loss but could we please stop pretending that NASA literally never considered DAR on mobile devices, and that simply doing {your favorite product} on everything would solve all the problems?

Thanks....

Wonder what encryption they are using... (0)

Anonymous Coward | about a year and a half ago | (#41992867)

An encrypted laptop is not a be all and end all. I wonder what program they are using for their FDE encryption, since some are better than others, especially when it comes to recovering data.

I have used one commercial program which, if the MBR gets hosed, the drive is worthless. No way to recover, period. Other utilities like TrueCrypt allow for backup CDs to be made so one has a good chance at recovery.

I'm assuming the laptops are running Windows. If so, humble old BitLocker is pretty good. With the TPM, it protects against a good amount of attacks. It also can use a USB flash drive and/or a PIN. Recoverability is easy -- either use a file saved off, use the entries stored in AD, or a data recovery agent.

I use this on laptops I use -- if I'm holding the USB flash drive and the laptop is off, then I know a blackhat will score hardware if it is stolen, but the contents of the laptop are definitely not theirs. I also use a HDD password just so the drive is not usable in any shape or form.

lost or stolen (0)

Anonymous Coward | about a year and a half ago | (#41992973)

Do you think the laptops were really lost or stolen or maybe some people that work there just needed a 'new' computer to use at home

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...