IT/Web: December 2018 Archives

Keith's note: The last two times there was a data breach I was directly affected since I am a former NASA civil servant even though I left the agency 25 years ago. I also underwent an FBI security scan to get a press badge at NASA HQ 15 years ago. I sent an email to NASA HQ PAO, Human Resources, and CIO yesterday asking how media and former employees are affected by the latest security breach. This is the response I got.

It is pointless to send me to the website since I am no longer a NASA civil servant and I do not have a "Smart Card" to log in. So I called the phone number. They never bothered to ask me for my case number (so why was I given one?). A recording of the call is below. Clearly NASA is not prepared for handling responses to former NASA employees about this topic. Note: I am in Virginia which is a "one party" state when it comes to recording phone calls (which I never do if you call me BTW). This is a customer service call that I think is worth sharing.

"Dear Keith, Thank you for your inquiry to the Enterprise Service Desk (ESD) regarding the potential PII compromise. At this time we are being advised to direct all media inquiries to NASA Headquarters, Ms. Karen Northon at [deleted]. We are dedicated to providing you with a high-quality and timely resolution. You can review the status of your inquiry at https://esd.nasa.gov. If you have any questions or need further assistance, please contact us at 1-877-677-2123, option 2 or submit a ticket at https://esd.nasa.gov. For quicker service, reference your case number [deleted] when calling or include it in the subject line of your e-mail. Thank you,

Service Provider, NASA Enterprise Service Desk (ESD)
NASA Shared Services Center
Self-Service/Web: http://esd.nasa.gov/esd
Phone: (877) 677-2123
Fax (support documentation only): (888) 525-6497"

http://images.spaceref.com/news/2018/nasa.flunk.jpg

Potential Personally Identifiable Information (PII) Compromise of NASA Servers

"On Oct. 23, 2018, NASA cybersecurity personnel began investigating a possible compromise of NASA servers where personally identifiable information (PII) was stored. After initial analysis, NASA determined that information from one of the servers containing Social Security numbers and other PII data of current and former NASA employees may have been compromised."

Keith's note: According to NASA HQ PAO the latest security breach at NASA does not affect people outside of NASA who may have interacted with NASA security. But people who work or used to work at NASA are at risk. So y'all can expect another "Dear NASA Employee" letter from the agency offering free credit monitoring services.

NASA's performance in complying with Federal regulations governing IT and cybersecurity has been pitiful - especially during the tenure of NASA CIO Renee Wynn. Now there has been another security breach that affects all present and prior NASA employees - even those of us who left the agency decades ago. In the real world the person responsible for such pitiful performance would be fired.

Federal Information Security Modernization Act of 2014 (FISMA) - 2018 report

"Congress enacted the Federal Information Security Modernization Act of 2014 (FISMA) to improve federal cybersecurity and clarify government-wide responsibilities. The act is intended to promote the use of automated security tools with the ability to continuously monitor and diagnose the security posture of federal agencies, and provide for improved oversight of federal agencies' information security programs. In particular, the act clarifies and assigns additional responsibilities to entities such as OMB and DHS."

http://images.spaceref.com/news/2018/FISM2018.jpg

- Nov 2017 FITARA Scorecard

- NASA Totally Flunks FITARA Scorecard 2 Years In A Row (2016), earlier post

"There is a slightly goofy post at NASA CIO's Open.NASA.gov (not findable on the NASA search engine) "NASA's Approach to Implementing FITARA" from 10 March 2016 that opens with "My husband and I are planning a vacation to Disneyworld, an awesome destination for our five year old dreamer. How do we budget for such a grandiose trip?", and then goes on to spout happy talk - with added IT word salad - about how seriously NASA takes FITARA. If only."

Potential Personally Identifiable Information (PII) Compromise of NASA Servers

"On Oct. 23, 2018, NASA cybersecurity personnel began investigating a possible compromise of NASA servers where personally identifiable information (PII) was stored. After initial analysis, NASA determined that information from one of the servers containing Social Security numbers and other PII data of current and former NASA employees may have been compromised. Upon discovery of the incidents, NASA cybersecurity personnel took immediate action to secure the servers and the data contained within. NASA and its Federal cybersecurity partners are continuing to examine the servers to determine the scope of the potential data exfiltration and identify potentially affected individuals. This process will take time. The ongoing investigation is a top agency priority, with senior leadership actively involved. NASA does not believe that any Agency missions were jeopardized by the cyber incidents."

- NASA Internal Memo: Breach of Personally Identifiable Information Update (2013), earlier post
- NASA's Stolen Laptop and Data Problem Just Got Worse (2012), earlier post
- NASA Still Has Big Unresolved Cybersecurity Issues, earlier post
- OIG: NASA Chief Information Officer Is Doing A Crappy Job, earlier post
- NASA Totally Flunks FITARA Scorecard 2 Years In A Row, earlier post

Earlier IT postings http://nasawatch.com/archives/itweb/

Keith's note: There is yet another space policy event in Washington, DC today aimed at another session of choir practice in an echo chamber by the proverbial usual suspects in the space policy clique. It's an event by the U.S. Chamber of Commerce launching some sort of commercial space thing. Registration for the event closed a while back and only a few media representatives were allowed in. Of course, as is typical of these events, the sponsors did not bother to webcast anything. Who cares. These events are all about talking about doing things instead of actually doing the things that they talk about.

Given that there is a Chamber of Commerce in virtually every community in America this could have been an excellent opportunity for the U.S. Chamber of Commerce to go into grass roots mode and educate the remaining 99.999% of the population - the ones who pay taxes or work in companies that build space hardware. But no - these policy wonks are only interested in talking to each other and being quoted in trade publications that only they and their friends read.

But there was an exception to this cloistered event: NASA Administrator Bridenstine had someone on his staff stream his keynote speech live via a streaming account registered to @JimBridenstine on their cellphone. He does things like this a lot. Much of it is spontaneous - and much of it is done on his cellphone by him using his own actual fingers. He gets it. There is no reason why any event anywhere cannot be shared with anyone, anywhere. So long as there is cellphone and/or WiFi access you have a means to reach a vast audience.

Yes, the quality is sometimes shaky. I call this the "Max Headroom effect". If you are not familiar with this then go Google the name. Of course it's shaky - it's being done via a cellphone. The point is that while the quality may be lacking, it is understandable, and it is live, and it is being done so that you can participate - wherever you are.

In 2009 I spent a month at Everest Base Camp at 17,600 feet doing education and public outreach with the Challenger Center as Astronaut Scott Parazynski climbed Everest. We had a commercially available HS 9210 BGAN satellite unit. I carried it to Everest on my back. With it we did live webcasts almost daily with Miles O'Brien who used his laundry room in New York City as our media command center. The quality was often lacking but, in pure Max Headroom mode, we did live webcasts from an extremely remote place where few had done such things before - because we could.

Now it's easy to do things like this from Everest since there are people selling WiFi access and you can use your cellphone - the same access that people in these space policy meetings have. Oddly, a community that hypes the space spinoff benefits to the economy - including space-based communication satellites - is incapable of using the same resources to do a simple webcast from their events - something that kids in junior high school know how to do.

There is also this fetish with costs - and ignorance thereof. Space meeting organizers think that webcasts using cellphones and laptops need to be fancy or cost a lot of money. Yet they spring big bucks for expensive stage props and luncheons for their pals at these events. It's all about appearances - not substance.

People in the space industry are always keen to sniff for hints from NASA leadership as to what they are interested in so as to be able to say the right buzz words back to NASA and offer products and services that NASA seems to be interested in. OK: here's a hint: the Administrator of NASA personally streams live video of his comments on social media. He does so without an army of expensive contractors on the cellphone in his pocket. He is trying to reach people that have heretofore remained beyond the reach of NASA's traditional education and public outreach mechanisms.

When big aerospace companies and associations want to send messages to their audiences they buy full page ads in the Washington Post or blanket Metro stations near Capitol Hill with giant banners. Bridenstine uses his cellphone with the ability to reach a vastly bigger audience.

Bridenstine is also sending a message to the traditional aerospace community: they need to adapt to his new mode of communication if they want to remain relevant. He is going directly to taxpayers and other stakeholders and bypassing the long-standing system that trade and advocacy groups have usually held a grip on.

He's already got a head start and he's not looking back.

- Keith Cowing Everest Update: Webcasting from a Foggy Buddhist Monastery, 2009

Keith's 30 Nov note: People make honest mistakes on social media. I get that. But it's hard to take the JPL science communicators very seriously when they make errors like this and then do nothing to fix them. I and others have pointed this out to JPL. Three days later and the incorrect tweet is still up. Either they do not care or they do not pay attention to detail. It's also becoming obvious that a lot of people who tweet for NASA have no real background on previous NASA missions. As such thousands of people have now liked an official NASA tweet that has several errors - one of them factually incorrect and totally germane to the point that JPL was trying to make i.e. "energy generated by a rover or lander on Mars". Keith's 3 Dec update: JPL finally took their incorrect tweet down after letting it misinform people for 3 days. Here is what it looked like:
http://images.spaceref.com/news/2018/power.tweet.jpg

About this Archive

This page is an archive of entries in the IT/Web category from December 2018.