November 22, 2008
USB Thumb Drive Alert at NASA, DoD
"There is a government-wide increase in the number of IT security threats originating from removable media which infect systems with malicious code and/or remove sensitive data such as usernames, passwords, and encryption keys from user systems.
- Do not use personally owned removable media devices in government-owned systems.
- Do not use government-owned removable media devices on personal machines or machines that do not belong to your agency, department, or organization.
- Do not put unknown removable media devices into ANY system.
- Keep systems up-to-date with the latest patches and anti-virus signatures."
National Cyber Alert System Cyber Security Tip ST08-001, us-cert.gov
Pentagon bans computer flash drives, AP
Posted by kcowing at November 22, 2008 9:47 PM
I predict this rule will be ignored by the troops in the trenches as long as possible.
Posted by: Gonzo at November 23, 2008 2:13 PM
In practice this rule will prove to be entirely impractical to follow, and I suspect it will be generally ignored. It is routine at workshops and meetings, for example, that one must put a copy of a presentation on a single laptop connected to an LCD projector. A USB flash drive excels at such a task. A wireless internet connection isn't always available, and burning a CD to avoid connecting a flash drive is a ridiculous waste of resources. (Besides, there's another rule saying that if we connect our laptops to a non-NASA managed network, we must have them scanned at a NASA center before reconnecting to a NASA network. Of course this rule is equally impractical and routinely ignored.)
What irks me most about these arbitrary IT security policies is that they seem to be so far removed from reality and have so little consideration of the increase in cost if everyone were to actually follow them.
Posted by: Rocket Ranger at November 23, 2008 11:24 PM
Perhaps if we stopped using operating systems that could be trivially taken over by the simple connection of a storage module, we would all be a lot safer.
Posted by: gastronaut at November 24, 2008 8:56 AM
To: Rocket Ranger,
To say that you sound misinformed on IT Security is a little understatement. I believe NASA was able to execute missions well beyond doing Power Point presentations many years before the USB Key existed. Is it too much to ask of NASA employees to be responsible about security? I understand exactly why this guidance is released, and I can promise you there is a real threat—this is a fact. I guess you just have to take my word for it, but you can obviously not believe anything that is posted here. To be clear, there are malware programs built by our adversaries that manipulate people with your mindset to benefit there own agenda. Unfortunately, there are many people who feel they can’t be taken advantage of and obviously they know what’s best for their organization—in my world these people are called vulnerabilities.
However, I will remain objective here and would definitely agree with you in saying this document is worthless, because it will be ignored—this is a fact. It’s a prime example of NASA almost making a policy that makes sense. The only way to mitigate this threat is to disable the use of USB Keys—which is becoming the standard in many corporate environments. It is only a matter of time when this will be mandated by an Executive Order. I will finish by saying the USB Key is not what makes NASA employees efficient. I don’t think the Apollo and Mercury Engineers were any less efficient in doing there jobs—let’s look at their turn around versus Ares and Orion.
Rob,
With your logic, you might as well just dump all of our computers and go back to the way things were done back in the 60s.
Rather than come up with real viable IT Security solutions that do not compromise the advantage of modern computing, you look for the easy way out. What is the point of advancing computing technology if you cannot use it?
Computing is all about being practical.
Posted by: ChrisG at November 24, 2008 8:56 PM
ChrisG,
I understand that computing and advanced technologies should be used in the workplace—this is part of my job for a major NASA contractor. However you made a hasty generalization regarding my statements. As with any technology, it should not be utilized at the expense of possibly compromising a mission, compromising proprietary technology (bought and paid for by American taxpayers), or compromising NASA IT Services. The purposes of having advanced IT Solutions are to have Confidentiality of your system, Integrity, and Availability. The USB Key has been known to undermine each of these tenets of Information Technology. There are a number of great hacking software tools open for public consumption that can make sharing data unbelievably easy, and NASA employees would definitely be a little more efficient. But we don’t use them because it’s stupid and violates IT Security Principles. As I stated before, we don’t need USB Keys at NASA. I personally move a lot of data at work and have given enough presentations to put every reader of NASAWATCH to sleep for life, but I have never used or needed a USB Key for anything NASA related—I have never even thought of using one.
I do believe the Pentagon has just eliminated USB Key usage throughout DOD—it’s a real problem. Again the USB Key is a great tool for personal use. What is always convenient doesn’t mean it’s proper. If you understood how quick you can propagate malware from a USB Key to other networked systems, I feel you would understand my point a little better. Remember, there is a reason all this is coming down; unfortunately, the DOD and NASA will stonewall everyone for whatever reason. I am assuming they will use the “National Security” reason. This doesn’t help regular users, because they will not understand.
Again, I will remain objective and state there are a number of other major vulnerabilities out there that I can apply this same logic to—for example, e-mail and open Internet access (malware, Trojans, worms, etc.). I don’t feel that I am always right in my logical reasoning, but I will attempt to defend my stance here. Plus I understand your comments and somewhat agree with how you came up with your response. I do not feel that restricting or eliminating the use of every vulnerable technology or access to the Internet is a viable option or even worth talking about—that is just stupid. However, IT Administrators have greater control over e-mail and Internet than they do with USB Key usage—this is from a system administrator’s point of view.
At the end of the day, I am not crying wolf here and somewhat agree with your reasoning too. Understanding that NASA has a very sharing culture, I don’t feel NASA or its employees will ever take IT Security very seriously—I have been around for a while and can confirm this fact over the last 25 years. I am a career NASA contractor and absolutely love being part of this organization and will retire here. What I state here is from my professional IT experience and my personal experience of being a NASA contractor and previous civil servant. However, NASA employees have to realize they are not protecting their personal investments or engineering achievements; the American taxpayer pays our bills and we are all obligated to safeguard the interest and proprietary information for them. And sometimes this responsibility carries a little inconvenience. Is the USB key really that more efficient than using a 1.5MB floppy disc? Just kidding and thanks for the discussion Keith. You guys have a good turkey day.
Rob
As a DoD contractor who has just lost the use of my USB devices, not just memory sticks, but external USB "terabyte" drives as well, I can tell you my job just became more difficult. I deal with large chunks of data including satellite imagery, I need to transfer this data across many different systems. You can say that we did business before we had USB and believe me I remember formatting card decks. USB keys and devices are no different than floppy disk drives, portable hard drives, or other external devices of the past. What concerns me is that IT contractors are announcing to the world they cannot fix this problem, they can't do the job they are paid to do, and so they are killing the technology. Why should we still pay these people? If I suddenly told my Army customer I couldn't do my job, I would be out of a job and another contractor would be hired to do it. This is a matter of using proven technology, training, and rules to create a workable environment. I challenge our IT managers to step up to the plate and fix the problem, or if you can't fix it, step aside and let someone else do your job.
Posted by: Tim at November 25, 2008 10:08 AM
I think gastronaut hit the nail on the head. If the operating system is unsafe enough to present a risk of infection by simple insertion of a removable storage media to the USB port it is the right time to consider dropping the OS technology in question and move to safer solutions which do not kill technology at the same time.
An interim solution might be to enforce scanning of USB storage media in a safe scanning system (dare I suggest: Linux based?) right at the beginning of each workday.
Posted by: IT at November 25, 2008 3:16 PM
To IT, I totally agree with you on an interim solution, and would agree that Linux is and always has been a good solution to many IT Security and compatibility issues. Too bad it's not used more widely.
To Tim, I would agree that your job will become more difficult and feel your pain—I have been forced for IT Security reasons since the invention of USB drives to not even be allowed to use them—this includes all peripherals. Oh yeah, these are not my rules by the way. And I can assure you that I have to move many gigabytes a day and terabytes a week around. However, at some point IT Security professionals and people that are responsible for protecting our country have to make the tough decisions. Do you honestly feel that DOD would just eliminate the use of these drives because there might be a threat? Come on, you have to be smarter than that. There are alternative solutions to transferring data across different systems, so it should not take you long to re-learn. What concerns me is that Government employees and contractors have become so reliant on simple technology such as flash drives, that they feel there work will be impeded due to their reliance on such technology. Just as any job, you have to adapt. If a person gives up because their flash drive will not work, go home and throw their hands up in confusion, or spend a day complaining and whining, then I doubt they have the competence to support any critical programs for the US Government. IT Managers have tried to fight this threat for many years and have for the most part lost the battle; hence, the reason we are having this discussion now. Just as any bad or corrupted piece of technology, you find safer alternatives. I wish someone could make the use of this technology safe, because it would be a good tool to use—and yeah I would then be allowed to use it and probably would. However, as I mentioned before, ease of access is not worth losing everything on the USB device, the PC, and connected networks. The cyber war is real and there is not enough time or space here to explain the complexities of combating the simple and easy to use USB Key.
You can totally trust the government is doing everything in its power to protect you—just kidding again.
Thanks again for the discussion,
Rob
It really concerns me that we have people working at NASA that are incapable of using 3rd grade level grammar correctly, i.e the difference between their and there, it's no freaking wonder we have shuttles burning up.
Posted by: Mr. Candid at December 5, 2008 8:34 PM
I've never heard so much complaining about security in my life. It is very possible for Network Admins to post a GPO and keep you from using a USB Drive. These items are small and easily lost, easily stolen, and easily hacked. In 2007 NASA reported the loss of over 94 million dollars worth of equipment. Laptops and drives were among them. The GAO reported that NASA had very lax property controls, and you want me to believe that you can keep secret/FOUO data on a thumbdrive secure?
Every time something comes out in the IT world the users are quick to say I NEED THIS when in reality it is a WANT. Sure, 1 to 2% of the user base may have a NEED for some form of technology but the vast majority do not NEED a thumbdrive, external hard drive, or external Flash readers. They want it.
My job in IT is to keep a DoD network secure. It is not to cater to EVERY WANT of the user base. The user base got their jobs done before the innovation of flash media they will continue to get their job done without. Maybe that 1 to 2% need an external hard drive to port SAT Imagery but this is no excuse for everyone to have it.
I've seen Department Directors cry over not having a personal Laser Printer when there is one that is within 60 feet of their office. Have we become that Lazy that someone can not walk 60 feet to a printer? I thought IT Systems were supposed to make everything paperless...
And the final issue for me is this. My wife, the mother of my kids, is in the Navy. I have a VESTED interest in keeping Secret/Top Secret/FOUO information secure. The loss of this information could mean the difference between her life and death on deployment. And I'll be damned if I'm going to let the crying folks who say they need a thumbdrive when they really don't open up an attack vector that puts her life and the lives of any other service member in danger... Aldrich Ames was able to do much damage with a camera and a photo copier. Imagine if he had a USB flash drive. How many other CIA agents would be dead?
It is not that IT can not do its job, we do our job. Our job is to keep the user community functioning while balancing that with security. I'm sure you can find a NEED for a 32 inch monitor. But this is not needed by everybody. You can find a NEED for a few people to have external storage devices but this is something that everybody does not NEED.
And finally, I've been a part of many meetings where these types of policy changes are discussed. I've fought for the user on occasion for functionality reasons but it always comes down to "how much risk are we willing to take and what are the repercussions should something be compromised" I wonder how many users would get pissed at me if I had the entire network structure on my thumbdrive then accidentally lost it? I wonder how many would be pissed if we got hit with a DDoS attack and they no longer had access to e-mail for a week? All because I lost a thumbdrive...
So in the network where I work, if you are caught using a thumbdrive, which we can scan for very easily, your account is locked out and you must go back through IA training. Second time, same thing, Third time you go to see the CO. And you possibly lose the ability to have a network account.


