Los Alamos Explains Their Security Problems

They've lost 80 computers: no idea if they're stolen, or just misplaced. Typical story—not even worth commenting on—but this great comment by Los Alamos explains a lot about what was wrong with their security policy:

The letter, addressed to Department of Energy security officials, contends that "cyber security issues were not engaged in a timely manner" because the computer losses were treated as a "property management issue."

The real risk in computer losses is the data, not the hardware. I thought everyone knew that.

Posted on February 17, 2009 at 5:00 AM • 37 Comments

Comments

Thomas • February 17, 2009 5:49 AM

"I thought everyone knew that."

Knowing something and acting accordingly are two different things.

Tom Welsh • February 17, 2009 6:16 AM

The great Barry Boehm told this classic story. If it isn't true, it should be!

"This is a story that I heard second-hand at TRW, but it may be an urban myth. It is about a weights engineer on a spacecraft. He accounts for all of the weight on a spacecraft. The weights engineer came to a software engineer and said, according to budget, there is $3,000,000 accounted for the software and I want to know how much it weighs. The software engineer replied, nothing. The weights engineer said he wanted that kind of a job. You get paid well to produce something that weighs nothing.

"A week later, the weights engineer came back with a deck of cards. Is there any software in here? he asked. The software engineer said yes. The weights engineer said he would weigh the deck to determine the weight of the software. The software engineer said, you have it all wrong; we only use the holes".

maelorin • February 17, 2009 6:27 AM

"The real risk in computer losses is the data, not the hardware. I thought everyone knew that."

no. everyone *we* know knows it.

most people can't conceive of intangible things. turning their minds to the idea that the *thing* is not the valuable component, but the intangible 'stuff' on it, is an extra level of difficult.

especially when most people are trying to navigate workplace politics, and deal with the 'reality' of cost-centre accounting - where intangible data is not given a numerical financial value and thus fails to even make it onto the sheet where all the *things* that matter are listed.

BF Skinner • February 17, 2009 6:33 AM

set of everyone == set of humans
set of everyone != set of property custodians

therefore

property custodians are in-human.

I knew it!

atstriker2000 • February 17, 2009 8:02 AM

With openly available FREE software, such as TrueCrypt, there is absolutely NO reason for such security oversights as this. I encrypt every drive I own, mobile or not, and I don't even have much sensitive data! Much less national security secrets that could change the balance of the world's political structure as we know it.

For all we know, these secrets have been stolen by countries like North Korea, who then sells them to whoever they want! Like, oh, I don't know, Al-Qaeda, the Taliban, Iran, or... super secret enemies like Fulcrum, or the bad guys on 24! (Ok, the last bit's a joke...)

I mean come on people, if I secure my PayPal transactions with two factor authentication, why the heck aren't our labs secured so much that the encrypted data is encrypted and chained down?!?

Ok /rant.

But really Los Alamos, REALLY?!?
Disgusting, pull the funding now.
(no really, /rant this time.)

Doug Ransom • February 17, 2009 8:31 AM

Los Alamos has a long history of hacking, going back to the Manhattan Project:
"Feynman played many jokes on colleagues. In one case he found the combination to a locked filing cabinet by trying the numbers a physicist would use (it proved to be 27-18-28 after the base of natural logarithms, e = 2.71828...), and found that the three filing cabinets where a colleague kept a set of atomic bomb research notes all had the same combination." (snipped from http://en.wikipedia.org/wiki/Richard_Feynman).

Encryptor • February 17, 2009 8:42 AM

Well, if the data was encrypted, as one would expect, then it would be just a "property management issue.", since the only loss would be the value of the computer hardware.

If the data wasn't encrypted, then I would expect someone(s), including managers, to get fired (or even jailed) without question, since they are obviously dealing with sensitive data of national importance, and to not encrypt it is criminal.

FF • February 17, 2009 9:11 AM

I worked for a Fortune-500 steel company. We knew where every laptop, monitor, and printer was in the company. Software was heavily locked down to prevent users from loading their garbage (even loading Excel plugins required a CommRequest). Moving hardware was easy - Simply fill out the on-line form and execute the switch - People too lazy to fill out the form got slapped hard.

This is a cultural issue. The security team at LANL has to tell management that their people, however smart, are not competent enough to manage hardware, software, or security, and that rules (that already exist, I'm sure) must be enforced with heavy hands. Unfortunately, in any G'vmt Lab, the best and brightest will simply migrate away from the BS - The pay isn't good enough. Rock and a Hard Place.

Malcolm • February 17, 2009 9:56 AM

@Sturat

It's in James Gleick's biography of Feynman too if that's a more credible source for you.

Stephen • February 17, 2009 10:02 AM

@atstriker A problem is that the scientists could be using TrueCrypt and it not be listed as encrypted, as it is not on the list of approved DOE encryption matters. The approved encryption method requires centralized keys, analysis by the NSA, approval by various groups, etc.

Also there is a lot of misinformation in the various posts because the word sensitive has different meanings. POGO defines sensitive information as usernames, email headers, etc. LANL uses the government definition of various controlled (but not classified) information. Classified information is a completely different item where stuff is supposed to be not given physical access outside of certain areas. [Not that always happens.]

So if the scientist in Santa Fe worked on a telescope for deep space exploration... LANL would say no sensitive information was lost and POGO would disagree. And they are both 'right'.

Kashmarek • February 17, 2009 10:51 AM

The hole is there for a reason. This gives management and subordinates an excuse for the loss to avoid recrimination. Otherwise, they are facing loss of jobs and jail time.

Anonymous • February 17, 2009 10:59 AM

Back in the mid-90s I was on the Property Management Survey Board at a NASA Center, and I was looking into the prior theft of a laptop computer from an employee's car. When I asked what data was on the computer, I got really strange looks from the rest of the Board members. It was obvious that nobody had bothered to ask the user what he had on the drive, even though the theft had taken place at least two months before my review. I hope things are better now...

Clive Robinson • February 17, 2009 11:11 AM

@ atstriker2000, Encryptor,

"With openly available FREE software, such as TrueCrypt, there is absolutely NO reason for such security oversights as this. I encrypt every drive"

Err no, it's at best only a partial solution.

As discussed in other recent Bruce blog pages (hard disk encryption etc).

Encryption only deals with "power down" threats, not "power up" threats.

Therefore your data is vulnerable to,

1, Malware on the running system.
2, Theft of laptop in hibernation.
3, Theft of laptop by "Hot Snatch".

Due to the human factor these threat states really are very very likely these days, so you need a much better system than just drive encryption.

BF Skinner • February 17, 2009 11:16 AM

@aczarnowski "messy human problem"
He's right you know.

I would hope that bomb secrets are protected with the strongest encryption around and around that big thick walls and outside the wall soldiers with big loud guns.

But a lot of it comes down to accounting. During the bad old days crypto was accounted for with paper forms and black ink pens. We knew where the critical equipment was 'cause
...
it was bolted into a rack, welded to a floor. In a room that was a safe that had an alarm that notified the guard who called the marines who apprehended the intruder who attempted to get the codes that jack wrote.
...

When the damage assessment was done on Pollard they knew what he took, mostly, 'cause he signed out the high security data.

I've known organizations with only the vaguest notion of what they had, where they had it and what was on it. It takes determination to implement CM and not everyone sees the need.

Los Alamos aspires to an open campus where the free exchange of ideas, (for making things go boom) is a selling point for recruiting high tension thinkers. I know project managers who say the same thing about their programmers.

Clive Robinson • February 17, 2009 11:29 AM

@ Bruce,

"The real risk in computer losses is the data, not the hardware. I thought everyone knew that."

Not quite true...

It depends what threat model you consider, i.e. loss to others (data disclosure) or loss to self (no backups).

With regards to Data Disclosure, data is just bits; you need the meta-data to give it meaning.

In some cases the meta-data is kept with the data (such as spreadsheets).

In other cases it's not kept with the data but built into the programs etc. that access the data.

An example of this is the Mag Tapes from the Vietnam war which gave the locations and types of various munitions dropped in the region.

The meta-data is not available and it is quite an extensive task trying to rebuild it.

In some respects it is like trying to break a substitution cipher that has no redundancy and only extremely fragmented and out of order partial possible plain text. Not impossible, just very time consuming work.

Pete S. • February 17, 2009 11:39 AM

Is it just me, or does anyone else get really annoyed when government-types use the word "cyber" to refer to anything computer-related?

The only people I ever hear refer to computer-related things as "cyber" are government employees/departments and maybe the occasional journalist.

Gweihir • February 17, 2009 11:45 AM

With proper encryption, it actually is a property management problem. The only angle I see remaining in this case is whether somebody steals these in a targeted manner, i.e. attack detection.

kangaroo • February 17, 2009 2:02 PM

FF: This is a cultural issue. The security team at LANL has to tell management that their people, however smart, are not competent enough to manage hardware, software, or security, and that rules (that already exist, I'm sure) must be enforced with heavy hands. Unfortunately, in any G'vmt Lab, the best and brightest will simply migrate away from the BS - The pay isn't good enough. Rock and a Hard Place.

What the hell is your suggestion? To increase the bureaucratization, and thereby guarantee that security fails at a single point? On top of no one getting any work done -- since we're talking about engineers and software, their needs are significantly greater than "excel plugins".

The problem is not insufficient process! The problem is that the managers of process are imbeciles, and should become street-corner window washers.

The problem is that most human beings are morons, and therefore most organizations are composed of morons. I remember that Feynman once made a comment about how controls at the earlier nuclear plants were so much weaker than later, yet he thought that the earlier plants were much safer. Why? The folks running the earlier plants weren't idjits.

Austringer • February 17, 2009 3:47 PM

Part of the problem is that "confidential" tends to be synonymous with, "no one on Earth really cares about this". It's the boy that cried wolf. Pretty soon people stop thinking about what's important and give everything the same, "Yeah, yeah. Confidential information. Whatever." attitude.

Michael Seese • February 17, 2009 4:25 PM

20 years ago, that might have been somewhat true. If someone stole my first PC, he would have gotten hardware valued at (purchase price) $2,000 and contents valued at $0.

So the equation has shifted. I guess Los Alamos just has a "classic" view of the world.

matt • February 17, 2009 5:58 PM

I can appreciate that the data is more important than the hardware at an organizational level, but we shouldn't forget that it is probably not yet the case for a home computer. I would say that my computer hardware is worth more than the data stored on it, and I suspect most home users would feel the same way.

JoeV • February 17, 2009 8:50 PM

Since nuclear weapons design is essentially "frozen", meaning that continuing work is being done mainly to maintain the existing stockpile, not design new weapons (and old weapons designs are still useful to those who desire them,) then as time passes there are less and less real "secrets" that need protecting.

The culture of the nuclear weapons business appears to be frozen in time, and this includes their view of security.

We live in a world where the laws of physics are universal. There are no real secrets, just engineering refinements. We already have an Islamic country possessing nuclear weapons -- Pakistan -- and every other nation that has developed them continues to maintain an inventory, except South Africa. Heck, France continues to maintain their inventory of 4 megaton thermonuclear warheads, larger in yield than any currently in US inventory.

I can't help the feeling that the "secrets" are being kept from the US taxpayer, not foreign interests.

~Joe

Robert • February 17, 2009 9:00 PM

I will emphasize what was already mentioned about "sensitive" information. For the Department of Energy, under which LANL operates, "sensitive" information includes everything from business plans to personally identifiable information to performance review data. In this case, it certainly does NOT include classified information; such information is processed solely within secure areas and it would be MUCH easier to track who last "checked out" the missing/stolen/lost system.

Most likely, the computers that are missing are CORPORATE laptops that scientists, engineers, and administrative personnel use while on travel. These systems do not process classified; if they do, LANL has many BIGGER problems to worry about.

Think about this as well. LANL has 12,500 employees. If they lost 100 computers, that means that each employee lost 0.008 computers. I am willing to bet that this matches or outperforms a private company with a similar number of employees and computers. Computers get stolen, laptops get misplaced, and people make mistakes. I am not going to completely defend LANL, I am sure they have made many a security faux pas, but don't be so quick to judge them. If a private company lost 100 laptops with the equivalent "sensitive" information, it would barely make the news (depending on how slow the news is that day).

Clive Robinson • February 18, 2009 2:39 AM

@ JoeV,

"Since nuclear weapons design is essentially "frozen"... ...then as time passes there are less and less real "secrets" that need protecting."

Actually not true, the "real" secrets abound afresh every year.

A very great deal of work is going on into "fusion" in one form or another.

This is an area that has had over sixty years of practical research. And with the exception of "H-Bomb" weapons is an area of research that is steadily getting more active. Due in part to the impending energy crisis. Basically the world will need something like 40 TW capacity to continue economic growth and hydrocarbons are becoming very limited and unacceptable methods of power generation.

The nation that first cracks controllable fusion for energy production is going to have energy security and a commercial advantage of significance, therefore from that point of view alone there will continue to be secrets.

However the problem with fusion research is that in some cases the technology involved can be used for other purposes (Beware of the Dark Side Luke ;)

The three main contenders at the moment are

1, Magnetic Torus systems (tokamaks).

2, Coherent light induced inertial implosion of beaded fuel pellet (HiPER).

3, Z-Pinch (Taylor reversed-field pinch) implosion systems.

All three use high energy systems to get the fusion reaction to begin. In tokamaks it is often a high power microwave (~100GHz) source, in HiPER it is a high power laser and in Z-Pinch it is an EMP system sufficiently powerful to cause mini earthquakes.

All three of these systems were investigated as potential weapons for Ronald Reagan's ill fated Strategic Defense Initiative (SDI aka "Star Wars") ballistic missile defense that was revived by George W. Bush...

Like all EMP weapons the Z-Pinch system can easily be used as a HERF gun that could (in theory) develop enough energy to completely disable communications and other satellites (even those with significant sunspot activity protection).

So yes they still have new real "National Security" secrets to keep, coming up all the time...

BF Skinner • February 18, 2009 6:14 AM

@kangaroo "The problem is that most human beings are morons"

This is an attitude I see a lot in technical people. An 'if you don't understand what I see so clearly you're obviously deficient and I don't have to listen to you.'

It's arrogance and may be why people don't listen to you. I regard it as an occupational hazard and a failing. Managers (mid and senior) have competing priorities of which your pet project is just one.

Think this instead "You're not all that." ...it's healthy for your brain.

The problem I see is that most people don't sufficiently understand the environments they are working within. They know their work, they do their work but what efforts have been exerted to get them committed to a security program?

I have worked in programs where it was all stick and all users spent their time bypassing it.

I have worked in programs where the belief was that programmers were some sort of divas. Well treat people like divas and they become prima donnas. Above the rules. A surprise? No. Worth it? Depends on your bs tolerance.

I have also worked in programs where people sought me out to help them with security problems because once they became aware of their system design or coding practices they wanted to improve.

Having people who self-enforce (like having people clean the work kitchen when they see it's dirty) is my preferred place to work. After all it's where we live outside. The vast majority of our fellow humans are trustworthy 'cause they follow rules that help us get along.

It's why we were able to tear down the walls around the cities.

Getting them to that point takes indoctrination and education and methods and procedures that they can actually apply. Some call it patching the user. I find this is, again, arrogant. The user is often the target and really the whole point of any IT system.

bob • February 19, 2009 8:30 AM

If someone stole my computer and then gave me a choice get back the hard drive (ie the data) OR everything EXCEPT the hard drive - I would definitely take the drive.

Chaz • February 19, 2009 10:44 AM

"The real risk in computer losses is the data...."

"no. everyone *we* know knows it."

Times are changing. My pastor and my mother in law know that. They gave me their hard drives to dispose of. They even want safe disposal of a drive that won't spin up, so they're fairly paranoid.

My children won't put real names in a web site. I believe our thinking about security is changing.

Roger • February 21, 2009 4:34 PM

@Chaz:
> "no. everyone *we* know knows it."

> Times are changing. My pastor and my mother in law know that.

But dude, those are people you know, so your example does not contradict the claim ... The question is, what about people who are not being personally evangelised by security geeks?

Matthew Flaschen • February 23, 2009 7:02 AM

"Well, if the data was encrypted, as one would expect, then it would be just a "property management issue.", since the only loss would be the value of the computer hardware."

It obviously should be encrypted, but even if it was, the people that could most use information from LANL also have the most motivation and enough means to attempt decryption.

DaveC • February 23, 2009 8:15 PM

@matt: I can appreciate that the data is more important than the hardware at an organizational level, but we shouldn't forget that it is probably not yet the case for a home computer. I would say that my computer hardware is worth more than the data stored on it, and I suspect most home users would feel the same way.

I must disagree - a few years ago I lost a drive containing photos, and it was a sore loss, and I've learned to be more diligent about backups at home.

My current home server was built about 2 years ago from $650 in parts, including two identical drives (for RAID-1). I would far rather lose the hardware (current value $200 or so) than the data, which represents a lot more than $650 of my time.

Andrew S • February 27, 2009 3:55 PM

The real question is whether these computers were from secure (clearance-only) areas or not. If they're not, then the problem is identical to any typical office. There are many computers around, the security is minimal (simple RFID badges), and things get lost or stolen.

If the lost computers are from clearance-only areas, it's a much bigger deal. To get in or out of those areas you need to go through guarded gates which only allow one person in at a time. All bags are searched, and no electronic devices are allowed in or out. People who do not have clearance must have pre-approved paperwork to enter, and they're not even supposed to be allowed to go to the bathrooms alone without supervision from someone with clearance. This is based on my internship at LANL about ten years ago.

Of course, even if you keep a 100% secure wall that allows no electronics in/out, you're still going to have trouble tracking down every single device. Lab equipment gets moved around, stuffed into random cabinets, and so on. I don't know of any large company that can track down every single piece of capital equipment they own. Losing computers is inevitable, but exposing secret data is inexcusable.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.