

Stolen NASA laptop had Space Station control codes - aptwebapps
http://www.theregister.co.uk/2012/03/01/nasa_stolen_laptop_unencrypted/

======
coolestuk
It should be a criminal offence to have top secret national information or 3rd
party personal information stored in an unencrypted format.

Even the much-hated Lotus Notes was encrypting databases back in the 1980s.

[http://www.ibm.com/developerworks/lotus/library/ls-NDHistory/](http://www.ibm.com/developerworks/lotus/library/ls-NDHistory/)

It seems like it is going to take some monumental cock-up before governments
prosecute people for not encrypting data. Mind you, since no-one lost their
job after the monumental cock-up that was 9/11, maybe I'm just naive.

~~~
Symmetry
I'd be surprised if the information was Top Secret, or even Secret - when I
was working at an FFRDC we could put that on any computer that would ever be
attached to the internet. I'm guessing it was just FOUO (For Official Use
Only).

~~~
mvanveen
Telemetry and commands for spacecraft at NASA fall under ITAR compliance (see
[http://en.wikipedia.org/wiki/International_Traffic_in_Arms_R...](http://en.wikipedia.org/wiki/International_Traffic_in_Arms_Regulations)).
Basically, this means that command and telemetry information must be
safeguarded against access attempts by a foreign national. There are NASA
employees who aren't US citizens that are not permitted to have access to this
sort of information without explicit permission.

~~~
mturmon
100% correct. And, anyone who works with space technology is forced to sit
through briefings about all the bad things, including civil and criminal
prosecution to individuals, and civil penalties to institutions, that may
happen if you violate ITAR laws.

------
kylemaxwell
There's something really annoying about the IG saying that NASA lost "the
_algorithms_ used to command and control the ISS" (emphasis mine). I
understand that the laptop could have contained authentication information,
including credentials, code, and/or documentation. But this seems oddly
specific in a totally unintuitive and non-informative way.

Which, come to think of it, might have been the goal in his Congressional
testimony, but really: this doesn't really say much useful about the incident.

~~~
seclorum
There's a big algorithm involved in commanding and controlling the Space
Station .. fire your rockets one way, the station ends up somewhere else in
orbit, and so on .. so I'd say this is quite an accurate report, actually,
since the stolen laptop had the algorithm onboard to calculate when and where
to fire boosters to attain certain orbits, and so on.

~~~
batista
_There's a big algorithm involved in commanding and controlling the Space
Station_

Well, that's more of a procedure (with the military sense) than an algorithm
with the modern math/programming meaning.

(We do use procedures in the above sense, e.g. the steps to a cooking recipe,
as an analogy to algorithms in introductory books, though)

------
lawnchair_larry
It's 2012. Zero excuse for not encrypting a laptop. If you don't encrypt a
mobile device, do not be sad when someone else reads the data on it.

~~~
packetslave
Agreed, but even if your laptop HDD is encrypted, you still need to do a risk
assessment as to the value of the data/code before trusting the drive
encryption technology.

Example: Google doesn't allow source code on laptop HDDs, even though we use
full-disk encryption. The risk of a bug/attack on FDE is non-zero, even though
it is probably pretty small, so it's enough to tip the scale.

(edit: grammar)

~~~
webjprgm
I was going to ask whether using full-disk-encryption on Apple's Lion OS (aka
"File Vault 2") would be sufficient. It sounds like Google is uncertain that
it is.

Still, Apple's FDE is much better than no encryption at all! No excuse, NASA
should require FDE on all laptops (even if they're working on something better
eventually).

~~~
thatoneguy
Here's our solution that was recently open-sourced:

[http://google-opensource.blogspot.com/2012/02/cauliflower-vest-end-to-end-os-x.html](http://google-opensource.blogspot.com/2012/02/cauliflower-vest-end-to-end-os-x.html)

------
Havoc
Give the guys a break. FDE is tricky business, especially if you don't have
100s of engineers at your disposal.

------
willidiots
I worked at NASA in a past life. Whole-disk encryption was _banned_ at our
center because it caused "problems" for the IT contractors. If you had
ITAR/SBU data, you were to encrypt and decrypt it manually using Entrust,
which is the biggest pile of dogshit PKI I've ever seen. So of course people
forgot, or got lazy.

Another center was forced to keep using LEAP for years after it was broken,
due to _contract requirements_.

I am completely unsurprised by this. Saddened, but unsurprised.

------
RobertKohr
So does that mean that someone could de-orbit the space station?

~~~
jlarocco
Theoretically.

Practically? Probably not. They'd need to realize what the codes were and have
some way to communicate with the station.

It's possible there's software on the laptop for that, but it would go through
a central server connected to the satellite dishes/antennas, and was probably
locked out when it went missing.

~~~
archivator
To add to that, there _are_ people on the station who can presumably override
anything sent from the ground. In fact, I believe one of their science videos
showed them _initiating_ a boost manoeuvre. As long as there are people up
there, I'm pretty confident in the station's orbital stability.

