IT/Web: November 2020 Archives

Keith's note: Do a Google search for "NASA search engine". The first search result that comes up is NASA Multimedia Search last updated on 26 February 2006. The second result that comes up is Tools for searching last updated on 21 July 2005. Look on the left hand side of either page. Click on simple search, category search, or Advanced search and you get "404 The cosmic object you are looking for has disappeared beyond the event horizon." Indeed the subsequent 5 or so Google search results point back to the same pages with broken links. But wait - use the search box in the upper right hand corner of either page and enter a term - any term. Guess what you get? "404 The cosmic object you are looking for has disappeared beyond the event horizon."

Summary: if you do a Google search for NASA Search engines you get a bunch of NASA pages with links to NASA search engine pages that are actually a collection of broken links and a search box that does not search. These pages have been sitting atop Google search results without anyone at NASA noticing - and the pages were last updated 15 years ago.

Oh yes: go and Google "NASA CIO" and look at the top search result. According to Google Renee Wynn is still the NASA CIO. This is because of a web page hosted by NASA. They could easily fix this - as I pointed out months ago. But the NASA CIO seems to be utterly uninterested in the accuracy of NASA's websites. But he is interested in making it harder for citizens to contact government employees at NASA.

Keith's 18 Nov update: NASA wants to transmit their stuff to you. But they really don't want you to talk to their people about it.

Once upon a time - actually for more than a decade - you could go to people.nasa.gov to find out how to contact a government employee at NASA. Not any more. Here is what the site looked like on 28 October 2020. You used to be able to type in names and find out their email address and phone number. Now all you get is a statement that says "This site and its contents are no longer available. Visitors are encouraged to learn more about space and NASA's mission by visiting the NASA homepage. NASA employees visiting this site should refer to internal directory services for employee information."

I just got another response from NASA PAO to my five follow-up questions regarding the shutdown of NASA's online employee directory. In a nutshell they are afraid that letting people see email and phone numbers of government employees puts the agency at risk so that is now stopping. OK, phishing and scams are on the rise so you cannot fault them for being responsive to that. But many - most - other Federal agencies still let citizens, the media, other government employees, researchers, and congressional staff query their agency's websites to find employees. They will no longer be able to find the people who work on various NASA programs.

Instead, everyone outside of the NASA firewall will now have to go to a "Contact Page" at NASA with high level links to everything except a personnel search. Instead of finding the person you need you will have to hope that these generic links will send you somewhere where someone will decide that maybe you can contact someone else. Given the glacial speed at which it took CIO to fix simple errors in their own directory takedown you can imagine how slow it will be for NASA to get back to you when you are looking for someone. If they even respond, that is.

But OK, they have their "Contact" page. Is this Contact page mentioned at NASA.gov? Answer: It is a small little link at the lower right at the bottom of the home page where most people will never think to see it. How do you contact NASA if the Contact page itself is more or less hidden from view? Shouldn't it be a prominent link in all of the top menus? Seriously, doesn't NASA want to interact with actual human people while it blasts all the space stuff put on the Internet? NASA complains about not being able to do enough outreach and why people often do not understand what NASA does. So what does NASA do? It continues to shrink the ability for the public - the people who pay for the whole party - to interact with NASA. NASA's big cosmic radio is set on "TRANSMIT". It is never set on "RECEIVE".

We should all be concerned. This is another example of dumbing down NASA's public functionality and reducing overall transparency. Hopefully this will change after 20 January 2021.

NASA PAO Response:

1. Why am I still able to access that database via a rather elementary workaround a day after I posted mention that the database is still accessible?

NASA Answer: The Lightweight Directory Access Protocol (LDAP) database is a service that enables secure email to be exchanged with our partners and other federal agencies. Reconfiguration is being implemented in phases in order to ensure sufficient testing is performed to not disrupt current operational services. You noticed that the main search page for the public directory was disabled. Additional changes are planned that will address other ways of obtaining this information.

2. Why are other Federal agencies not adopting your "industry standard" i.e. why are their employee directories still openly accessible by the public?

NASA Answer: With respect to other federal agencies, it is certainly up to them to determine what risks they face and how they will address those risks.

3. When was the determination made that long-standing publicly available information now presents a risk to NASA?

NASA Answer: When people.nasa.gov was established over 20 years ago, the risks of sharing internal official communication email addresses and phone numbers were significantly lower than they are today. Since then, internet-facing organizations have had to adapt to a vastly different threat environment by changing how they present and protect their services. Examples of these types of infrastructure service changes include transitioning to Secure HTTP servers, replacing passwords with multifactor authentication, and closing down insecure internet-facing services like NFS and telnet.

The NASA CIO team is working to strengthen cybersecurity across the agency, and this is part of that process. Spear phishing attacks, which are targeted email-based social engineering threats to an organization, are a very common form of attack. NASA is simply trying to prevent attackers from easily obtaining the information needed to facilitate these phishing attacks. You noticed that the main search page for the public directory was disabled. Additional changes are planned that will address other ways of obtaining this information. With respect to other organizations, it is certainly up to them to determine what risks they face and how they will address those risks.

4. Can you provide me with the specific "industry best practices" that NASA is using as a basis for this action?

NASA Answer: NASA is simply trying to prevent attackers from easily obtaining the information needed to facilitate these phishing attacks. (Keith's note: in other words they actually do not have any standards even though they claim to be following them. I hope someone sends in a FOIA on this)

5. Are members of the media and general public at legal risk if they post information that can be readily accessed from this database or post the way in which this database can still be accessed by the public?

NASA Answer: The public may certainly access information that NASA makes publicly available. While the main search page for the public directory was disabled, additional changes are planned that will address other ways of obtaining this information. The public can find information about contacting NASA at: https://www.nasa.gov/about/contact/index.html


About this Archive

This page is an archive of entries in the IT/Web category from November 2020.
