22 comments

[ 4.6 ms ] story [ 40.0 ms ] thread
There's something really annoying about the IG saying that NASA lost "the algorithms used to command and control the ISS" (emphasis mine). I understand that the laptop could have contained authentication information, including credentials, code, and/or documentation. But this seems oddly specific in a totally unintuitive and non-informative way.

Which, come to think of it, might have been the goal in his Congressional testimony, but really: this doesn't really say much useful about the incident.

Yes these aren't the codes similar to nuke launch codes but rather algorithms, and software that provide a method of controlling the ISS' attitude. You'd still need an access code (presumably and hopefully not on the laptop) to be able to control it.
There's a big algorithm involved in commanding and controlling the Space Station .. fire your rockets one way, the station ends up somewhere else in orbit, and so on .. so I'd say this is quite an accurate report, actually, since the stolen laptop had the algorithm onboard to calculate when and where to fire boosters to attain certain orbits, and so on.
There's a big algorithm involved in commanding and controlling the Space Station

Well, that's more of a procedure (with the military sense) than an algorithm with the modern math/programming meaning.

(We do use procedures in the above sense, e.g the steps to a cooking recipy, as an analogy to algorithms in introductory books, though)

It should be a criminal offence to have top secret national information or 3rd party personal information stored in an unencrypted format.

Even the much-hated Lotus Notes was encrypting databases back in the 1980s.

http://www.ibm.com/developerworks/lotus/library/ls-NDHistory...

It seems like it is going to take some monumental cock-up before governments prosecute people for not encrypting data. Mind you, since no-one lost their job after the monumental cock-up that was 9/11, maybe I'm just naive.

I'd be surprised if the information was Top Secret, or even Secret - when I was working at an FFRDC we could but that on any computer that would ever be attached to the internet. I'm guessing it was just FOUO (For Official Use Only).
(comment deleted)
Telemetry and commands for spacecraft at NASA fall under ITAR compliance (see http://en.wikipedia.org/wiki/International_Traffic_in_Arms_R...). Basically, this means that command and telemetry information must be safeguarded against access attempts by a foreign national. There are NASA employees who aren't US citizens that are not permitted to have access to this sort of information without explicit permission.
100% correct. And, anyone who works with space technology is forced to sit through briefings about all the bad things, including civil and criminal prosecution to individuals, and civil penalties to institutions, that may happen if you violate ITAR laws.
The STS commands documentation was marked FOUO in the 90's. NASA may have gone all ITAR since then, but I'd bet there are a lot of ISS docs and PDFs from that era that don't say anything about ITAR.
It's 2012. Zero excuse for not encrypting a laptop. If you don't encrypt a mobile device, do not be sad when someone else reads the data on it.
Agreed, but even if your laptop HDD is encrypted, you still need to do a risk assessment as to the value of the data/code before trusting the drive encryption technology.

Example: Google doesn't allow source code on laptop HDDs, even though we use full-disk encryption. The risk of a bug/attack on FDE is non-zero, even though it is probably pretty small, so it's enough to tip the scale.

(edit: grammar)

So does that just mean no programming via laptops, or do you do your work on network drives? Or perhaps remote interactive session?
Programming via laptop is fine, as long as the source (or build artifacts) aren't stored on the local HDD. Some engineers use VNC/NX remote sessions, some use SSH+emacs/VIM, some use sshfs or NFS and run Eclipse or whatever locally.
I was going to ask wether using full-disk-encryption on Apple's Lion OS (aka "File Vault 2") would be sufficient. It sounds like Google is uncertain that it is.

Still, Apple's FDE is much better than no encryption at all! No excuse, NASA should require FDE on all laptops (even if they're working on something better eventually).

(comment deleted)
So does that mean that someone could de-orbit the space station?
Theoretically.

Practically? Probably not. They'd need to realize what the codes were and have some way to communicate with the station.

It's possible there's software on the laptop for that, but it would go through a central server connected to the satellite dishes/antennas, and was probably locked out when it went missing.

To add to that, there are people on the station who can presumably override anything sent from the ground. In fact, I believe one of their science videos showed them initiating a boost manoeuvre. As long as there are people up there, I'm pretty confident in the station's orbital stability.
Give the guys a break. FDE is tricky business, especially if you don't have 100s of engineers at your disposal.
I worked at NASA in a past life. Whole-disk encryption was banned at our center because it caused "problems" for the IT contractors. If you had ITAR/SBU data, you were to encrypt and decrypt it manually using Entrust, which is the biggest pile of dogshit PKI I've ever seen. So of course people forgot, or got lazy.

Another center was forced to keep using LEAP for years after it was broken, due to contract requirements.

I am completely unsurprised by this. Saddened, but unsurprised.