I have *way* too many stories about facilitating that one seminar at NASA. Of course, I didn't actually facilitate *at* NASA. They rented space in a motel, which was actually next door to the hotel I was staying in.
However, yes, I was teaching NASA employees. I was, quite literally, teaching rocket scientists. Which made some of the stories all that much more interesting.
I always had difficulty teaching the legal aspects of information security, to Americans. For one thing, the Americans don't have a legal system. They have at least seventy-five legal systems. And so it's extremely hard to determine which American laws you have to pay attention to. (When dealing with information security, of course, the correct answer is, all of them.) At one point, the US Department of Justice maintained a database of all federal and state laws which made something an actual crime. The situation is much simpler here in Canada, where, if it's not in the Criminal Code of Canada, it is not an actual crime. However, the Americans are not so fortunate. The federal government, and all the states, can pass laws making things crimes. And they do. So the Department of Justice maintained this database, and gave up at about the time that I started doing the seminars. They just couldn't maintain the database any longer. There were too many laws, being generated too quickly, to maintain the database with any accuracy. At the time they gave up, there were approximately 29,000 entries in the database.
The other reason that it was difficult teaching legal concepts to Americans was that they only know *their* legal system. That is, they only know the common law legal system. Which, of course, isn't theirs in the first place: it came from Great Britain. And, there are two states in the United States that do not have the common law legal system: at the state level, they follow civil law legal systems. However, all the television shows, and courtroom dramas, and lawyer type movies, all talk about the common law legal system, and the principles involved in it. And, of course, all of these TV and movie scripts talk about the common law principles as if they were the basis of all law, everywhere. So, it's difficult to get Americans to understand that there are other legal systems in the world, and that other countries don't just have different laws, but actually different legal systems, based on different principles. I was, by this time, well used to trying to explain this to Americans, and convincing them of this very fundamental difference. Unfortunately, the NASA crew seemed to have particular difficulty at this point. Finally, one of the seminar candidates, rather haltingly, seemed to get it. "You mean, they don't just have different laws? But their entire system is based on different assumptions?" Yes, I said. "Oh," he said. "Then I guess you have problems teaching our legal system in Europe?" Oh no, I replied, they understand your legal system. They all watch Perry Mason.
We dealt with business continuity planning fairly late in the week. I felt, and the seminar candidates seemed to agree, that NASA was pretty good with business continuity planning, and I couldn't teach them very much about it. So, we went through the bulk of it fairly quickly, until I got to the part about amalgamating all the different plans that you had made, for different types of disasters, and sorting them into one big business continuity plan. As we got to that point in the seminar, one of the candidates (in the front row, as it happened) got a deer-in-the-headlights type of look on his face. So I questioned him. Problem?
He said, "I've just realized. We don't have a business continuity plan." I looked at him quizzically. He still had a rather blank face as he explained, "We've got the world's best hurricane plan, but we don't have a business continuity plan."
At the next break, the entire class was meeting in corners of the room, and odd spaces out in the hallway, in little clusters, madly talking about this. I could just see that for the next three weeks there were going to be extensive meetings about a full, integrated business continuity plan at NASA.
When we cover operations, we talk about the fact that, while, in terms of business continuity, it is exceptionally difficult to ensure that all of your information stays as information, and doesn't get corrupted as garbage, when it comes time to delete information, it is extraordinarily difficult to do that, with full assurance that the information is, in fact, gone. For example, in many operating systems, when you tell it to delete a file, it doesn't actually delete the file, it just marks the space that the file occupies on the disk as available. All of the data that was in that file is still there on the disk. As other files are written on the disk, some of those sectors that contain the file that you deleted will be overwritten. But, by no means all of them. The operating system tends to use considerations of its own, in terms of the speed of access to various sectors on the disk, in deciding where to place information. So, the contents of a file that you have "deleted", are probably mostly still there. I tell people about the time, preparatory to writing the second edition of my first book, when I deleted the original form of a file that had two purposes. Fortunately, I knew that a deleted file wasn't completely gone, and so I used the sector editor to search on indicators that I knew appeared frequently in the file, and, finding about twenty different fragments of this file, in various stages, I managed to recover pretty much the entire thing.
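The sector-editor search described above can be sketched in code. This is an added example, not something from the original seminar or book: it scans a raw disk image read-only for a known marker and reports which runs of sectors still hold fragments. The marker `.CHAPTER`, the 512-byte sector size and the sample image are all constructed assumptions.

```python
SECTOR = 512  # bytes per sector (assumed for this example)

def find_marker_sectors(image: bytes, marker: bytes, sector: int = SECTOR) -> list[int]:
    """Return sorted sector numbers that contain any part of a marker hit."""
    hits = set()
    pos = image.find(marker)
    while pos != -1:
        first = pos // sector
        last = (pos + len(marker) - 1) // sector  # a hit may straddle two sectors
        hits.update(range(first, last + 1))
        pos = image.find(marker, pos + 1)
    return sorted(hits)

def group_runs(sectors: list[int]) -> list[tuple[int, int]]:
    """Collapse sector numbers into (start, end) runs of adjacent sectors."""
    runs: list[tuple[int, int]] = []
    for s in sectors:
        if runs and s == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], s)
        else:
            runs.append((s, s))
    return runs

def extract(image: bytes, run: tuple[int, int], sector: int = SECTOR) -> bytes:
    """Copy the raw bytes of one run out of the image; nothing is written back."""
    start, end = run
    return image[start * sector:(end + 1) * sector]

def build_sample_image() -> bytes:
    """Constructed 8-sector image: fragments of a 'deleted' file among other data."""
    def sec(text: bytes) -> bytes:
        return text.ljust(SECTOR, b"\x00")
    return b"".join([
        sec(b"unrelated live file"),
        sec(b".CHAPTER 1 draft text"),
        b"x" * (SECTOR - 4) + b".CHA",      # marker split across a sector boundary
        sec(b"PTER 2 continues here"),
        sec(b"overwritten by a newer file"),  # this part of the old file is gone
        sec(b"free space"),
        sec(b".CHAPTER 3 older revision"),
        sec(b"unrelated live file"),
    ])

if __name__ == "__main__":
    img = build_sample_image()
    for run in group_runs(find_marker_sectors(img, b".CHAPTER")):
        print(run, extract(img, run)[:24])
```

The same scan is why "deleted" is not "destroyed": any sector that has not been overwritten still answers to a search for content the owner knows was in the file.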
I use this as a lead-in to a discussion of the different types of information, and the relative importance of different types of information, and different information classifications, and the extent to which you have to go in the cases of certain types of information. For example, a civilian employee at one particular military base had the job of destroying hard drives, to eliminate the possibility of disclosure of confidential information. And when I say destroying, his task was to take a locked trunk full of hard drives out to the firing range, and take the individual drives, one at a time, to a safe location, put a thermite bomb on top of them, light the fuse, and run. He said that the amusement factor of this employment was somewhat vitiated by the fact that the whole time he was doing it, there was a soldier, with a loaded gun, pointed at him.
Anyway, we discussed the different types of media, and the different activities that you needed to do to ensure that data could not be recovered from them. CDs and DVDs were a particular concern. Some members of some seminars had heavy duty shredding machines, which could chop such discs up into small fragments. But I pointed out that, with the information density on such discs, even the small fragments that they were reduced to could have considerable contiguous information available on the fragments. It was, in fact, safer, in terms of destroying any possibility of access to the information, to put such CDs and DVDs into the microwave.
Now, you will remember, I am literally teaching rocket scientists. But, for some reason, while they all knew that you weren't supposed to put tinfoil and other metals into the microwave, they had missed the physics behind why that was so.
As I started to describe this process, I started to become aware that, in the eyes of most of the candidates in the room, a glow was starting. So, I was describing eddy currents, and other factors involved in why you didn't put metal objects in the microwave, and I realized that they were getting more and more interested. They were going to try this. Not at home. Oh no, they knew they wouldn't get away with it at home. They were going to try this at work. I was describing an interesting process, which these particular geeks had never tried. They were going to do this. At all the lunch and break rooms in NASA. Every place at NASA that they could find a microwave oven. And I could just see the headlines: Canadian terrorist sought for inciting placement of incendiary devices, in all the lunchrooms at NASA.
Previous: https://fibrecookery.blogspot.com/2024/09/mgg-541-hwyd-cleveland.html
Introduction and ToC: https://fibrecookery.blogspot.com/2023/10/mgg-introduction.html
Next: https://fibrecookery.blogspot.com/2024/10/mgg-543-hwyd-brazil-and-astronauts.html