My Scibling Mark H. over at the Denialism blog has reproduced an internal NIH memo that is something to behold:
If you aren't used to the conventions of scientific collegiality you might not realize at first the unbelievable stupidity of this. A visiting international scientist (a Canadian or someone from Latin America, a European, often an Asian or African visitor) can't get a snack or go outside for a smoke unless someone goes with them. Or to the bathroom. If your visitor is a member of the opposite sex you'll have to find someone to go into the restrooms with them.
And the computer part is absolutely laughable. The overwhelmingly prevalent way to present a scientific talk is a PowerPoint or LaTeX presentation run from a computer and an LCD projector. The visitor brings the "slides" on a disc or a memory stick (thumb drive), which is inserted into the USB port of the computer in the seminar room, auditorium or classroom. The rules don't allow the visitor to put the thumb drive in himself or herself. But they also don't allow you to put it in the port for them.
These are rules for the NIH laboratory and scientific campus. As Mark points out, these labs aren't any different from labs anywhere else. We have labs just like them (except ours are nicer), and the work done there is supported by the same NIH dollars that support the same kind of work at the NIH intramural research campus that is under these rules.
I of course echo all the things Mark said about the open and international nature of science, especially biomedical science, but what strikes me about this policy is how truly mindless and moronic it is. There is not even a whiff of competence emanating from it.
Time for a good housecleaning at NIH. It's infested with small minds thinking tiny. Very, very tiny. Nanoscale.
i can see the point of the second regulation much more easily than the first. computer systems and network security is hard, especially when you have to accommodate users who just will insist on running microsoft products (heh), and removable media makes it very much harder.
if it's people from your own organization using removable media that ends up as an inadvertent attack / virus vector, that's bad enough, but you can take disciplinary and educational steps about them. if it's a visitor from an outside, even foreign, organization you'd like to keep good contacts with... that problem might not be technically insurmountable, but it's technically hard and may also be politically unsolvable. bad combination, that.
best solution would be to have desktops configured for delivering presentations that visitors can use, with air gaps between them and everything else when they're in use, and re-image their disks immediately after each use. if visitors need to share data, let them use carefully configured wireless or even wired networks for it, with their own laptops; network traffic can be virus scanned a bit better than memory sticks can be.
the first rule, however, is just infantilizing and insulting to everyone involved. if you truly need that level of physical security on your facilities, you simply shouldn't allow outside visitors at all.
Nomen: Both regs have points but IMO neither makes any sense. Suppose you were worried that a foreign visitor would say something insulting. Would you make a rule that said they couldn't say anything? It would certainly address the point but would do more harm than good. The NIH campus is no different than other scientific research campuses (if there are some special high security labs there, then you treat them differently but not the whole campus). If this makes sense for NIH it makes sense for every lab in the world. Restricting this to international visitors has more than a tinge of xenophobia to it (in fact it is literally xenophobic). There are nasty, malicious, careless scientists of every nationality, including Americans and including NIH employees (who may be more likely to have a grudge against NIH than an international scientist). Both of these regs IMO have lost all perspective and common sense. Just like the rest of the Bush administration. Small minds thinking nano nano.
as far as the computer security rules go, i'd say that would make sense for any organization large enough to have and need a dedicated IT department. keeping viruses, spyware, malware, and suchlike off one's net is just good digital hygiene. washing one's hands and brushing one's teeth are also impositions on time and convenience, but still better ideas than not.
and yes, to the extent it's practically and politically possible --- office politics, to be clear --- such rules should be imposed on permanent staff as well as on visitors. employees might have to get a little more leeway for the sake of getting their jobs done, but they can be afforded more leeway because you can demand things like standard virus checking packages and digital safety seminars of them, also.
removable media is a problem for security because it's basically an uncontrolled hole in the firewalls. it's not just that executable programs can enter the network that way, it's that they can do so without being scanned that's a concern.
of course, we can't do entirely without removable media --- it's just too convenient for moving data around, like presentations, as you say --- but it's still far better to use network connections for that. network connections can be firewalled, scanned, and subjected to IDSes more easily than flash disks. worse comes to worst, network connections can be cut more quickly and easily than it is to chase down that one flash disk that seems to be spreading malware somehow.
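The check-in step that the comment above alludes to (and that later comments describe as "bring it to IT first" and "vet each and every bit of removable media") can be done by content rather than by file extension. The following is an added example, not code from the original thread or from any of the commenters; the allow-list of presentation formats, the file names, and the "thumb drive" contents are all constructed for the example and written into a temporary directory so it runs offline.

```python
import io
import os
import tempfile
import zipfile

# Content-based checks: a file renamed to .pptx is still caught by its header.
EXEC_MAGIC = [
    (b"MZ", "PE executable (Windows exe/dll/scr)"),
    (b"\x7fELF", "ELF executable"),
    (b"#!", "script with interpreter line"),
    (b"\xd0\xcf\x11\xe0", "OLE2 compound document (legacy Office; may carry VBA macros)"),
]

# File types a presentation station is expected to open. Assumption for this example.
ALLOWED_EXT = {".pdf", ".ppt", ".pptx", ".odp", ".png", ".jpg", ".txt"}


def classify(path):
    """Return the findings for one file (an empty list means nothing to report)."""
    findings = []
    name = os.path.basename(path).lower()
    if name == "autorun.inf":
        findings.append("autorun.inf present")
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, label in EXEC_MAGIC:
        if head.startswith(magic):
            findings.append(label)
    # OOXML (pptx/docx/xlsx) is a zip; a macro-enabled one carries vbaProject.bin.
    if head.startswith(b"PK\x03\x04") and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
                findings.append("Office package with VBA project")
    ext = os.path.splitext(name)[1]
    if not findings and ext not in ALLOWED_EXT:
        findings.append("extension %s not on the presentation allow-list" % (ext or "(none)"))
    return findings


def scan_volume(root):
    """Walk a mounted volume; return {relative path: [findings]} for flagged files only."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            findings = classify(full)
            if findings:
                report[os.path.relpath(full, root)] = findings
    return report


def _zip_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_volume():
    """Constructed stand-in for a visitor's thumb drive; every file here is invented."""
    root = tempfile.mkdtemp(prefix="visitor_stick_")
    files = {
        "talk.pdf": b"%PDF-1.4\n%constructed sample\n%%EOF\n",
        "talk.pptx": _zip_bytes({"[Content_Types].xml": b"<Types/>"}),
        "notes.pptm": _zip_bytes({"[Content_Types].xml": b"<Types/>",
                                  "ppt/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),
        "talk_backup.pptx": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,  # PE header under an Office extension
        "autorun.inf": b"[autorun]\nopen=talk_backup.pptx\n",
        "old_version.ppt": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
        "setup": b"#!/bin/sh\necho constructed\n",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, findings in sorted(scan_volume(build_sample_volume()).items()):
        print(rel, "->", "; ".join(findings))
```

The point of checking the header bytes is that the extension is under the visitor's control and the header is not; the OLE2 match on a legitimate old-style .ppt is reported deliberately, because that container is where legacy macros live and a human should look at it before the file is opened on a shared presentation machine.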
I think they are EXACTLY right Revere. On the one hand it's not very courteous and they are all scientists right? Well, can anyone tell me why Chinese money for Clinton's election campaign was taken and then suddenly nuke/space technology was reclassified and sold to them? Hell, if ole Bill can steal it legally and then sell it for a campaign contribution then why not everyone else? I don't get it I guess.
Seems to me that only a year later a two stage rocket was sent into the ocean near Hawaii. Later to find out it was a three stage and the last stage failed. If it hadn't, Boston and everything except Miami would have been on the chopping block. It's okay, we will have Hillary as SecState and well they do have that campaign debt to settle.
Yeah, into the bathrooms and don't take memory sticks. You can bring a data disk. It works and no one is any the wiser...literally. Read only disks work just mighty damned fine and they worked up until the USB/memstick came into being. Can't hide a disk up the old chocolate whiz way. And if the only computers that are there for them to use have no write capability it's all nice and safe, and etiquette is unnecessary.
Information guarded is just that. If they are anal in doing it, that's an etiquette thing. All information that is compromised in any way in a security environment is and always has been assumed to be just that, compromised if someone breaches the security.
We deliberately used to leave dummy intel laying around to see who would pick it up and to see if proper protocols were followed.
Oh the disks BTW existed, but amazing who picked them up. From what I hear they had taken them and put, "You are screwed" on them millions of times at the 300 gig level just behind the firewalls and normal OS. Gotcha!
Any intel specialist that can read or write would tell you that it's not xenophobic fear Revere. Foreign nationals are actively trying every day to steal secrets from corporations and the government. The government is far easier though.
There is no accountability there.
I think that Ms. Quintana should have been executed and that would have been 15 minutes after our Chinese guy.
and for the record, that's even worse than reversing the polarity of the neutron flux on the Enterprise's warp drive pods. MRK: the words you're using are mostly gibberish. you might be trying to talk about wiping hard disks with random noise to clear out old files, but that sort of treatment is never sufficient to eliminate any truly sensitive data. it's easier and safer to just physically destroy the disks.
If your visitor is a member of the opposite sex you'll have to find someone to go into the restrooms with them.
I don't think this "rule" requires that someone go *into* the bathroom with a guest. An equally plausible reading is that visitors not be allowed to wander around unaccompanied, but that the escort could wait outside the bathroom for the guest.
Tovarishch PP: That's not what it says. Not that it matters, because this stupid memo is likely to be honored in the breach, not the observance. Like the thumb drive rules. That you could even read it two ways says something about these pin heads.
Nomen, shut up please. They used drives that had been deliberately put out to see if they had spies. When they took them and the sticks too, they had the warning about spying/security breaches on them. Doesn't matter, we have Richardson and likely Hillary who'll be out there selling the info in the proper format to their contributors.
Wipe your hard drive out Nomen. Hit the reset button and reformat.
Do European countries do this? Seriously, I'd like to know.
MRK, this is the internet; you only get to tell people to shut up on your own blog. if Revere wants me to shut up, i will, or else i'll be shut up; but you don't have that power here.
although, if you're really sick of reading me, you'll want these three tools in combination: Firefox, Greasemonkey and Killfile. the only reason i'm still seeing anything you write is that i enjoy poking holes in your fallacious thinking and manifest ignorance.
a tiger team exercise to see who'll pick up planted disks and what they'll end up doing with them does indeed sound useful and informative; i'm glad someone thought to do it. but that was not what your original comment actually described --- you used semi-meaningless technobabble that only barely hinted at anything at all, but described nothing.
The first rule is not unlike rules in various software companies I've worked at or visited (although obviously the concern was all non-employees rather than just foreign nationals). Aside from escorting a guest into the bathroom -- which I'm pretty sure is not done 99% of the time regardless of regulation -- it sounds pretty reasonable to me. As a visitor at a somewhat security conscious large software company recently it actually felt a little creepy to be allowed to wander freely; I don't particularly like the liability incurred if I were to later independently come up with something they think might have been their IP (I'm small potatoes so I doubt I'd really be in any danger, but still).
The idea of providing slides on a thumb drive rather than presenting from my own laptop with an air gap seems a little...uncomfortable. That thumb drive is also presumably coming back to my machine eventually and I have no reason to trust your network, y'know? It does look like the 3rd paragraph is written so that outside laptops can't be plugged into overhead projectors, though. In any case, I predict clever young people will end up using much more sketchy methods to get the slides across if there is vigorous enforcement against physical media.
Lea...Yes they DO! Fedex, UPS, International Paper, Boeing, CitiGroup, First Tennessee, the backup center for First Tennessee, Regions, Suntrust ALL require escorts and when you go into any one of them here, you surrender your laptop to the IT people who go and plug it into whatever whiz wheel programs they have to check and see if it has any listening devices attached. Same with your sticks. Better not have any leftover porn, jpg/mpeg/mpg's that you don't want someone to mention to you on the sticks or the hard drive.
If you want to do a presentation you do it with a good old CD and you are never allowed to personally plug it in to anything. You also are not allowed to use your cellphone except in the kiosk areas of four of these that I know. Airbus/Dassault in the EU won't even let you bring your laptop into the building. You need to do a presentation? You are told to make sure that it's all on the disk and, you have to bring it to IT first to check THAT out with their software before you plug it into their computer and presentation buggies. Nice little set up really. You walk in, you plug your disk in. You give your spiel and then you leave. If you need to hit the head, you ARE escorted in and out.
Telephones? Yep, them too in the highest level areas. DOD here specifically tells you that your equipment can be searched at any time for bugs or devices. In the higher levels you are searched first, then your equipment taken and inspected like the above. Then you are taken to the presentation room which is shielded. An EM level is taken in the room when you turn your equipment on and then it's monitored to make sure it doesn't rise beyond a certain bandwidth or frequency level. I can only guess what happens if it does exceed it... Guantanamo?
Anyone need to use the bathroom?
Kim: There is a difference between a software co. and a visiting scientist. When giving talks we use thumb drives all the time and use the single computer that the sponsors have connected for all the talks (this practice differs of course, depending on taste; some people always bring their own drives). It would be like bringing your own x2x slide projector instead of your own carousel.
Randy: I was thinking. Airplanes can really be used for some dangerous things. I think everyone who works at any business that uses airplanes should have an FBI full field investigation before they can work there and all packages opened and inspected before being shipped. I'd hate to think of some terrorist getting access to a small plane. Think of the damage they could do. This should include all visitors to the facility, too, and all secretaries,maintenance people, etc.
Yep, and IMO they should extend it to the little airports too with full scans, body cavity searches where necessary. Whether you know it or not by TSA 1544 you are required to inspect a portion of all packages shipped now. In addition Revere, those personnel as a rule are screened now at most private facility FBO's at the major airports. Each airport is different and especially the gateways. You won't get an FBI check, but they can pat you down and I mean get ornery about it too. Failure to submit is an automatic arrest and detention while they find out what's on your zipper drive.
Brings new meaning to the words, "Whatever flips your skirt."
BTW-Access to the airside of these facilities is controlled. Groundside access is only escorted in as well.
I personally fear that terrorists or highly motivated foreign soldiers will penetrate the US via Mexico or the Canuck border. Then with the vast areas of the west that are available and plenty of moderate but poorly manned facilities with no security that have, "The one big jet", they will be attacked. They cap the locals, pull up with the Timothy McVeigh U-Haul and load that big assed jet after removing the seats with 5-8000 lbs of explosives. After fueling it up with a full load of gas, they go up and see whats on the primary target list.
Believe me it's a lot easier than it sounds. The checklist is right there and you can fly one right off the ground with it. No landing experience required as you have seen. Just aiming it. Reduce the power setting and you can steer it with the rudders once you are locked on. Need a little altitude? Push the throttles up. Really good ones tell you how to trim the airplane.
There is a debate now as to whether batteries should be removed from aircraft bigger than a Cessna and having a payload of more than 450 lbs. IMO they should do it and fast else that "breaking news" logo will be on the tube again soon.
Do you know the date of this internal memo? Here's why I am asking. As I'm sure you know, fairly stringent security procedures were put into place at the NIH after 9/11 but these did not include the flash drive rule or the escort rule.
China has been engaged in an aggressive campaign of computer hacking directed at the Pentagon for a long time and more recently at the presidential candidates. Very recently, the intensity and frequency of these attacks have increased. No-one has publicly explained why this is occurring now.
I don't know if you've seen this, but it was reported on Nov 21, 2008.
Virus Prompts Flash Drive Ban At Pentagon
If the internal memo you quote was very recent, I would speculate the following: Either a similar intrusion was observed in NIH computers or there was concern that this would occur.
The rule about escorting foreign visitors is more likely concern about espionage rather than terrorism, imo.
One possible interpretation of these actions is that concern about intelligence gathering on biological agents has increased, recently. We should consider the possibility that there is more to this than unreasoning paranoia.
Randy: So you and every employee you have have had a full field investigation? That's a lot of FBI time, but for airplane access, worth it. I've had one once and they spent I don't know how many hours visiting my neighbors, etc. And I wasn't near airplanes even. How did your secretary like it? I'm sure it didn't bother you any. What did your neighbors say? And why open only some of the packages? Everyone takes off their shoes. Why not open every package? Every package. Because it's the one you don't open that could be The One.
Regarding NIH research, I guess they missed all my NIH funded research. Or that of all my colleagues. Or all the thumb drives I take with me when I go to a scientific meeting. Or the one I'm going to in two weeks with all those other scientists. Or the ones that our visitors use on our computers. But then I've had a full field investigation so I guess it's all right. And of course I have clearance. So my thumb drive can go anywhere. No matter what you think.
Just to be clear. You are telling me that everyone who works at your company has had a full field investigation periodically, right? Everyone? All packages opened and inspected? By whom?
Mono: My understanding from Mark H. at Denialism is that it is fresh. But worrying about Chinese hackers on that campus is kind of fruitless since most science -- of the exact same type -- goes on everywhere with few if any of those restrictions. As it should.
What reference did you consult for this statement? If it was Peter Gutmann's Secure Deletion of Data from Magnetic and Solid-State Memory, then you should know that even Peter Gutmann no longer believes this and has said so in print. Read the "Epilogue". My understanding is that data recovery companies will not accept media they know has been simply overwritten with ASCII zeros anymore.
And three complete passes with random data satisfies both DoD and RCMP standards.
Ask me how I know.
Physical destruction of the media may be easier and more practical.
A single pass overwrite will require a full hour for each 250GB. Three passes, three hours. If it's a 1 TB disk, make that 12 hours in all. I'm assuming write speeds of approximately 70MB/second, which is consistent with modern hard drive I/O speeds. Look up the specs on the Seagate ST3750640A if you don't credit this. Hint: I just did.
Real-world times will be worse. 12 hours for a 1 TB drive? Shred the damned thing and have done.
M. Randolph Kruger:
Do you do any homework at all? Ever?
Sorry. Silly question.
No, reformatting won't do a damned bit of good. All that really does is overwrite the file system data structures at the highest level. The contents of most of the disk sectors will be left intact.
What that means is that a brute force search of all data sectors will produce most of the original data. Forensic tools will reassemble it. That's what they're built for.
Reformatting a hard drive at a low enough level to overwrite all sector data hasn't been practical outside the factory for more than a decade.
Revere's original issue?
Some amateur is writing security policy for NIH. So they're concentrating on band-aids for the paper cut on the pinky, while ignoring the severed artery gushing blood all over the floor.
Here's the severed artery:
Are they patching every single Windows desktop to latest patch levels every single month? Are they auditing this process? Fully?
I suspect, based on my last 10 years in information security, that the answers to these questions are "No", "No", and "No" respectively.
They'll be doing well, comparatively speaking, if they have a full inventory of their Windows desktops, and an inventory process that will stand up to audit by an external body.
Do they have a similarly robust and auditable process for the antivirus signatures on the desktops and servers? How about the A/V proxies at the network perimeter? My brass would be on "No" and "Yes" respectively.
Do they have a process in place that detects and alarms when any, and I do mean ANY, out-of-policy software is installed on an internal system?
Look, if the NIH is as wide-open as I suspect it is, being a national lab with a civilian staff and a non-military charter, making a visitor's job impossible isn't going to help much. Vet the visitor, vet each and every bit of removable media and every computing device he brings in. Yeah, forensic image them, and then analyze the image.
Past that, all you're doing is impairing the function of NIH without any corresponding security improvement.
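The two claims in the comment above that are worth seeing rather than taking on trust are that a reformat only rewrites the file system's top-level structures, and that a brute-force sector search then gets the files back, whereas a full overwrite does not. The following is an added example, not code from the original thread or from any commenter: a toy disk with one directory sector and fixed 512-byte data sectors (a deliberate simplification of any real file system), a "quick format" that zeroes only the directory, a carver that ignores the directory and matches file signatures at sector boundaries, and a random-data overwrite. The PDF and text contents are constructed for the example.

```python
import os
import struct

SECTOR = 512
N_SECTORS = 256                     # 128 KiB toy disk
ENTRY = struct.Struct("<16sII")     # directory entry: name, start sector, length


class ToyDisk:
    """Flat byte array: sector 0 is the directory, the rest are data sectors."""

    def __init__(self):
        self.data = bytearray(SECTOR * N_SECTORS)
        self.entries = []           # (name, start_sector, length)
        self.next_free = 1

    def write_file(self, name, content):
        start = self.next_free
        self.data[start * SECTOR:start * SECTOR + len(content)] = content
        self.next_free += -(-len(content) // SECTOR)    # ceiling division
        self.entries.append((name, start, len(content)))
        self._write_directory()

    def _write_directory(self):
        blob = b"".join(ENTRY.pack(n.encode(), s, l) for n, s, l in self.entries)
        self.data[0:SECTOR] = blob.ljust(SECTOR, b"\0")

    def list_files(self):
        """What the OS shows: it walks the directory sector and nothing else."""
        names = []
        for off in range(0, SECTOR - ENTRY.size + 1, ENTRY.size):
            name, _start, length = ENTRY.unpack_from(self.data, off)
            if length == 0:
                break
            names.append(name.rstrip(b"\0").decode())
        return names

    def quick_format(self):
        """High-level reformat: only the directory structure is rewritten."""
        self.data[0:SECTOR] = bytes(SECTOR)
        self.entries, self.next_free = [], 1

    def overwrite(self, passes=1):
        """Full overwrite with random data, every sector including slack space."""
        for _ in range(passes):
            self.data[:] = os.urandom(len(self.data))


# Header/footer pairs a carving tool matches on; the directory is never consulted.
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(raw):
    """Brute-force every sector boundary for a known header, cut at the footer."""
    found = []
    for sec in range(len(raw) // SECTOR):
        off = sec * SECTOR
        for kind, (head, foot) in SIGNATURES.items():
            if raw[off:off + len(head)] == head:
                end = raw.find(foot, off)
                if end != -1:
                    found.append((kind, sec, bytes(raw[off:end + len(foot)])))
    return found


def demo():
    disk = ToyDisk()
    pdf = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
           + b"grant budget line, constructed sample\n" * 20 + b"%%EOF")
    disk.write_file("grant.pdf", pdf)
    disk.write_file("notes.txt", b"plain text, no signature to carve on")
    result = {"pdf": pdf, "listed_before": disk.list_files()}
    disk.quick_format()
    result["listed_after_format"] = disk.list_files()         # empty: OS sees a blank disk
    result["carved_after_format"] = carve(disk.data)          # the PDF is still there
    disk.overwrite(passes=1)
    result["carved_after_overwrite"] = carve(disk.data)       # nothing left to find
    return result


if __name__ == "__main__":
    r = demo()
    print("before format:", r["listed_before"])
    print("after quick format, OS sees:", r["listed_after_format"])
    print("after quick format, carving finds:", [(k, s, len(b)) for k, s, b in r["carved_after_format"]])
    print("after overwrite, carving finds:", r["carved_after_overwrite"])
```

The text file is not recovered by this carver because it has no header to match on, which is also how real carving works: unstructured data is the hard case, structured formats are the easy one. Note that a single random pass already defeats the carver here, which is the software-level point; the separate question of what a lab can read off the platters afterwards is the one the earlier comment about Gutmann's epilogue addresses.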
CDs are not any significantly lesser concern than flash drives. why on earth would they be?
* the major worry is stuff coming into a controlled network, not any secrets leaking out. besides, classified data shouldn't be just sitting around on a PC to be copied onto any kind of media, anyway; that should be behind digital access control barriers. being given guest-account access to run a presentation certainly shouldn't give you any entry to classified information, and if an inside user is fool enough to give you their own, higher-privileged account the network's compromised in any event.
* but even if you are concerned about files being copied to outgoing media, most CD-ROM drives these days are CD writers, anyway. certainly on desktop PCs and laptops, at least. i see read-only optical drives mostly in rackmounted server hardware, nowadays, and not always even in such.
* and so what if the CD with that presentation on it has already had, ahem, a presentation written onto it? IT trade vocabulary word of the day: "multisession".
Thanks for the information about when the memo came out. That reinforces my impression that this is tied in some way to the attacks on the Pentagon.
I agree completely with you about the importance of international cooperation in science and can well imagine the annoyance and embarrassment the new rules will result in.
However, it is possible that there is a specific concern about recent espionage activities that has not been made public. If so, these rules may be prudent, no matter how onerous they are.
Certainly, the vast majority of work being done at the NIH has no national security significance whatsoever. But a small amount does. A virus can enter the NIH computer network from many locations and an agent invited to any meeting could wander around by themselves and end up somewhere they shouldn't.
I take your point that sensitive work is being done at many institutions outside of the NIH. One wonders if any of these will be asked to change their procedures as well.
Revere, we are getting annual reviews now...EVERYONE. You probably didn't know that. The FBI doesn't do the checks anymore though. The TSA does. They use the FBI system, but they look into your credit rating, school chums, your priest (you don't have to worry here), and others as appropriate to your level of access to planes.
Are they doing a security risk assessment or an intel risk assessment I think is your question? The former is what is given. Since I am a national incident commander as an NGO I get both. Our secretary wasn't happy when they turned up a little blemish with a bottle and DUI on her last check, but that alone is not enough to tip the scales to limit access to the ramp and hangars. Drug, firearms, and theft are the general automatic termination or failure to disclose them. You might be happy to know that Fedex culled about 2% in a recent review and for all reasons listed.
As for the packages, here is an example. A skid is presented to the airlines for transport. They are now required to pull from the middle and the sides for their opening samples. They have to note it, put special tape on it and then return it to the skid. They sample one out of ten per the TSA. Some airlines have voluntarily upped that to 20%. The overnight pouches and stuff are scanned randomly through a CT and they are placed into blast resistant containers.
If you cross section a shipment skid with the criteria above you are very likely going to find something if it's there. Electronics shipments are the easiest to spot because they are always the same stuff. Anything added is flamingly evident.
Charles.. I meant for Nomen to wipe his butt and give it a rest. He dwells upon every single detail of comments.
And Charles I agree with your latter stuff. They don't vet really anyone at these places but escorted they limit any and all activity they could possibly have. CD readers only in those places that I mentioned.
Here is a little light reading on the policies of the NIH.
Here is why they have to do it... Everyone does. BTW Revere this NIH policy was concurrent with the DoD policy on Flash Drives.
no, kruger, i certainly don't dwell on every detail you post. nobody has enough time to even dwell on every error you post. trying to get you to explain the loonier parts alone is plenty; such as, why CDs should be any safer to have around than flash disks. again, data going out is a decidedly secondary concern --- it's code coming in you want to worry about.
Thanks Nomen. Now you have no reason to say anything else.
Have a nice Turkey Day.
There's an exception to that: any organization which retains large quantities of third-party-confidential information - such as CC numbers and/or socials and/or account numbers - and has only fair-to-poor internal morale and controls.
Places like the bank I used to work in.
NIH isn't really in this category. They have to worry about code coming in.
Upon reflection, I'd say pretty much the same for DoD and military sites. They don't get compromised without some root cause reason. It's almost always the wrong code coming in that leads to the wrong information leaving.
As for CDs - the nice thing about a CD-R is that nobody can rewrite the contents.
So if it checks out after a thorough forensic search of an image, all you need to do at a later time is make sure the cryptographic hash you took and saved, the first time you examined it, matches the one you calculate right now.
That tells you it is, for all intents and purposes, the same disk.
This is harder for flash memory because modern thumb drives run to 16 and 32 GB, with 64 and 128 GB units only a short way down the road. And the same physical unit can be rewritten, as CD-Rs cannot.
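The baseline-and-recheck procedure in the comment above, together with the earlier "multisession" objection, can be shown in a few lines. The following is an added example, not code from the thread or from either commenter: it hashes the whole dumped image once, then on re-examination distinguishes an unchanged disc, a disc whose examined bytes are intact but which has grown (a further session written after the first examination), and media rewritten in place. The image bytes are constructed; a real check would read the full image with `dd` or similar rather than only the tracks the first session's table of contents points to.

```python
import hashlib
import hmac


def baseline(image):
    """Record what was examined: full-image SHA-256 and the byte count it covered."""
    return {"size": len(image), "sha256": hashlib.sha256(image).hexdigest()}


def verify(image, base):
    """Compare a later read of the same medium against its baseline.

    Returns "unchanged", "appended" (the examined bytes are intact but the medium
    has grown, i.e. another session was written), or "modified".
    """
    digest = hashlib.sha256(image).hexdigest()
    if hmac.compare_digest(digest, base["sha256"]):
        return "unchanged"
    if len(image) > base["size"]:
        head = hashlib.sha256(image[:base["size"]]).hexdigest()
        if hmac.compare_digest(head, base["sha256"]):
            return "appended"
    return "modified"


def build_sample_image():
    """Constructed stand-in for a dumped CD-R: one fixed-size session of fake data."""
    return b"SESSION1:" + bytes(range(256)) * 16


def demo():
    cdr = build_sample_image()
    base = baseline(cdr)
    with_second_session = cdr + b"SESSION2:" + b"\xff" * 4096   # multisession append
    flash = bytearray(cdr)
    flash[100] ^= 0x01                                          # in-place rewrite, as flash permits
    return {
        "same": verify(cdr, base),
        "multisession": verify(with_second_session, base),
        "rewritten": verify(bytes(flash), base),
        # Re-reading only the bytes the first TOC covers would miss the new session entirely.
        "first_session_only": verify(with_second_session[:base["size"]], base),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

The last case is the caveat: if the re-check reads only as far as the original table of contents, an appended session is invisible and the disc reports as unchanged, so the verification has to cover the whole medium, not the part the first examination happened to see. The constant-time comparison is habit rather than necessity here, since the hashes are not secret, but it costs nothing.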