TSA Loses Hard Drive With Personnel Info

CowboyNeal posted more than 7 years ago | from the living-up-to-their-name dept.

WrongSizeGlass writes "A portable hard drive containing personnel data for former and current employees went missing from a controlled area at the TSA. From the article: 'The Transportation Security Administration has lost a computer hard drive containing Social Security numbers, bank data and payroll information for about 100,000 employees.'"

Encrypted ? (3, Insightful)

messner_007 (1042060) | more than 7 years ago | (#19002123)

There is no problems if the disc was encrypted ...

Re:Encrypted ? (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#19002161)

There 'are' no problems if...

What an insipid comment you made in the attempt to reply first.

Re:Encrypted ? (0)

Anonymous Coward | more than 7 years ago | (#19002193)

WHAT YOU SAY!?!?!

Re:Encrypted ? (3, Funny)

cp.tar (871488) | more than 7 years ago | (#19002375)

All your files are belong to us?

Re:Encrypted ? (0)

Anonymous Coward | more than 7 years ago | (#19005479)

AAAARGH.

AYBABTU references are not funny without the "proper" grammar!

All your FILE are belong to us.

(Or, more likely, all your bank deposit are belong to us.)

Re:Encrypted ? (0)

Anonymous Coward | more than 7 years ago | (#19002269)

Total Security Abandonment!

Re:Encrypted ? (0)

Anonymous Coward | more than 7 years ago | (#19003829)

visTa Sucks, Assuredly?

THAT'S A MIGHTY FINE VAGINA YOU'VE GOT THERE, MISS (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#19002357)

The show followed the lives of the waitresses who worked in a posh restaurant located at the top of the Bonaventure Hotel in Los Angeles, designed by John Portman. At the helm was their supervisor Nancy Beebe (Marian Mercer), who sometimes fraternized with the girls but usually gave orders. More often than not, the scheme of the week involved Nancy in some way, which upset her because all she wanted was an orderly staff. Adding to the chaotic working environment was a wisecracking pianist named Sonny Mann (Paul Kreppel). One of the many waitresses on the show was Cassie Cranston, played by actress Ann Jillian. Due to her stint on this show, she became very popular for a time.

Re:THAT'S A MIGHTY FINE VAGINA YOU'VE GOT THERE, M (-1, Troll)

solitas (916005) | more than 7 years ago | (#19004007)

Oh no - they're gonna start doing body cavity searches until they find the drive?

Re:Encrypted ? (2, Interesting)

tverbeek (457094) | more than 7 years ago | (#19002403)

There is no problems if the disc was encrypted ...
...or formatted with HFS+. No one would ever think of mounting the drive on a Mac, and Windows will show the drive as "unformatted". :)

Re:Encrypted ? (1)

rustalot42684 (1055008) | more than 7 years ago | (#19002823)

What about ext3 or ReiserFS?

Re:Encrypted ? (0)

Anonymous Coward | more than 7 years ago | (#19005821)

If the disk is ReiserFS formatted, it'll kill its wife and bury the body in the woods.

Allegedly.

Re:Encrypted ? (2, Insightful)

8ball629 (963244) | more than 7 years ago | (#19004237)

I'm sure whoever stole it knows what it was mounted to previously.

Re:Encrypted ? (4, Insightful)

Tuoqui (1091447) | more than 7 years ago | (#19002417)

Encryption is not undefeatable.

The entire idea behind encryption is to make it difficult/impossible to the casual hacker. If someone were dedicated to get into the information contained within however it would only be a matter of two variables... Time and Processing power.

Encryption is not a silver bullet to any and all security problems, it just mitigates some of the risk. If they can't crack the encryption within 20 years then most of the info would be useless by then. If they can do it in 3 months then it's a problem...

One-time pad encryption is unbreakable (2, Interesting)

davidwr (791652) | more than 7 years ago | (#19002501)

I don't think you need unbreakable encryption for financial data, but for state secrets, a removable-drive one-time pad that is chained to the operator will do the trick.

For anything less than a state secret, you want something that only the most well-funded adversary can break in a reasonable length of time. You get to define "reasonable."

Re:Encrypted ? (2, Insightful)

inviolet (797804) | more than 7 years ago | (#19002531)

The entire idea behind encryption is to make it difficult/impossible to the casual hacker. If someone were dedicated to get into the information contained within however it would only be a matter of two variables... Time and Processing power.

Brute-forcing is for chumps. (Well, assuming your average chump has a grid computer and a few years to spare). Real Men use social engineering to get secret keys.

The TSA has a notoriously shallow understanding of security, because they need to put on a demonstration of security that ordinary people -- who don't understand it either -- will find calming. So you just know that the TSA is plenty vulnerable to the "Hi I'm from IT" call to the receptionist.

Re:Encrypted ? (1)

failure-man (870605) | more than 7 years ago | (#19003389)

The US government uses AES. Nobody's brute-forcing AES any time before quantum computers mature.

Re:Encrypted ? (1)

Antique Geekmeister (740220) | more than 7 years ago | (#19003805)

Would you care to lay a wager that far, far lower encryption standards are used as a matter of course by many federal groups, without even the knowledge of their users? The default setting for many UNIX installations and their password management for /etc/passwd and htpasswd are still DES, and your average Microsoft Certified Software Engineer who is hired straight out of school does not have the experience or pull to get that fixed, even when they do notice the problem.

Re:Encrypted ? (0)

Anonymous Coward | more than 7 years ago | (#19003467)

You do know that with good, modern encryption systems the encryption can't be broken before the sun destroys the earth (in about 4 billion years) unless you either get the key through practical key extraction (rubber hose cryptanalysis or checkbook cryptanalysis), build a practical quantum computer, or build a computer the size of the solar system that runs on matter converted directly into energy.

Re:Encrypted ? (1)

fourchannel (946359) | more than 7 years ago | (#19003739)

I think those might be on sale at BestBuy...I got my quantum computer off of ebay.

Re:Encrypted ? (2, Interesting)

malcomvetter (851474) | more than 7 years ago | (#19003731)

There is no problems if the disc was encrypted ...

Wrong. Encryption is only as good as the key. Or in practical cases, only as good as the password that protects the key. And in all likelihood (like most enterprises) the key is probably managed in such a way that dozens of people could have accessed it, especially if it was shared "enterprise" data.

Security people turn to crypto as the answer to everything. It isn't. Even cryptographer Bruce Schneier lamented that mistake in the opening of his book Secrets and Lies [schneier.com] . Cryptography should always be a last resort. Encrypted data is not protected forever. At a maximum, the lifespan of its protection is limited by Moore's Law. At a minimum, the key management.

This data should not have resided upon drives that were removable without notice. Period. Forget about crypto.

I have said this before, and I'll say this again: we (the IT industry) created a problem with mobile computing. We allow data to be stored on mobile devices in a distributed computing environment and then years later (after we realize the problem we created), we freak out and throw magic crypto fairy dust at the problem. Encrypted hard drives are only as good as the keys that protect them. Since enterprises need the flexibility of a large support staff, many people will have access to the keys. And since the products are designed to run so that even computer illiterate users will use the software, a shoulder-surfer can backdoor the whole process. The best way to protect this data ... and we all know it, most of us just refuse to accept it ... is to return to the mainframe days and centralized computing. If that data stayed on a central SAN and the environment was not set up for removable drives, then this would not be news.

Re:Encrypted ? (1)

PPH (736903) | more than 7 years ago | (#19004297)

Encryption is only as good as the key. Or in practical cases, only as good as the password that protects the key.


TSA default passphrase: "GetOsama".


Or maybe 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0.

Re:Encrypted ? (1)

badspyro (920162) | more than 7 years ago | (#19006267)

And encryption can't be broken?

The only decent type of encryption for Data In Transit that I know of is full hard drive encryption with something like Safeboot http://www.safeboot.com/ [safeboot.com] and even they will admit readily that this isn't infallible and only protects the company LEGALLY.

The true question is why the hell was it on a laptop in the first place? Why not on a server with remote access?

Encryption? (0, Redundant)

guabah (968691) | more than 7 years ago | (#19002125)

The important stuff was encrypted... Wasn't it?

Re:Encryption? (1)

fluch (126140) | more than 7 years ago | (#19002211)

The important stuff was encrypted... Wasn't it? ... Dough!

Wait... (1, Insightful)

JustinVanHorne (825036) | more than 7 years ago | (#19002151)

A portable hard drive... is missing?

The agency said it did not know whether the device is still within headquarters or was stolen.
This doesn't make much sense. Why would you report a security *breach* if you aren't even sure if it was stolen? It seems sort of bad-business like to worry someone right when something *might have* gone wrong.

Re:Wait... (3, Informative)

Anonymous Coward | more than 7 years ago | (#19002191)

Are you stoned? They've lost control of important data that was supposed to be secure. That's a security breach.

Re:Wait... (1)

wwphx (225607) | more than 7 years ago | (#19002793)

Well, it's missing and important. Not unlike the missing hard drives at Los Alamos Nat'l Lab. It later turned out that their inventory was incorrect and the drives had been destroyed.

Re:Wait... (2, Interesting)

Actually, I do RTFA (1058596) | more than 7 years ago | (#19003753)

Isn't it better to report all possible breaches, including false alarms, so things can be dealt with earlier (and cheaper)?

Its just another statement that if you.... (3, Insightful)

3seas (184403) | more than 7 years ago | (#19002153)

... have a digital identification, and most everyone does, you have to be alert to possible wrongful use of it by others.

Considering all the past digital leaks, I've got to wonder who hasn't had information on them digitally leaked?

Re:Its just another statement that if you.... (1)

Smallpond (221300) | more than 7 years ago | (#19002439)

Q. Are Social Security Numbers re-assigned after a person dies?

A. No. We do not re-assign Social Security numbers [ssa.gov] . We have assigned more than 440 million Social Security numbers and each year we assign about 5.5 million new numbers. Even so, the current system will provide us with enough new numbers for several generations into the future.

Re:Its just another statement that if you.... (1)

OriginalArlen (726444) | more than 7 years ago | (#19004365)

This incident is a result primarily of poor physical security, firstly lack of controls preventing someone deliberately or accidentally moving it out of the secured area, and secondly the config of the data. If it's in an encrypted fs (Windows EFS or Linux loopback crypto fs or equivalent), which it should be, there's no problem with Dr Evil carrying it back to his volcano lair, even if he has a crack team of inwinceable cryptanalysts (is that a word?).

Where I work, all company data on a laptop goes into an encrypted directory, with no exceptions. (Selected stuff on desktops and servers likewise, but laptops are the No.1 threat vector for data loss threats. Verification and enforcement? I'm planning to get to it next week as it happens - I'm polishing my rubber hose and hammering another rusty nail into my Louisville LARTer and looking forward to the first senior manager to be randomly selected by our computerised random enforcement monitor system, aka BOFH with a mark 1 finger >:) )

Re:Its just another statement that if you.... (0)

Anonymous Coward | more than 7 years ago | (#19006151)

I'm polishing my rubber hose

Hey tough guy -- blood may spatter, so you'd better spend the rest of your time polishing your helmet.

Captain Obvious says : (5, Insightful)

witte (681163) | more than 7 years ago | (#19002169)

Maybe using Social Security numbers for just about everything isn't such a good idea.

The problem isn't using the SSNs (3, Insightful)

MarkByers (770551) | more than 7 years ago | (#19002207)

Using Social Security Numbers for everything isn't such a bad idea. It is a convenient way to identify someone, since it is guaranteed to be unique. The problem comes when the SSN is the only piece of information you need to take control over someone's life. There should be some more basic checks put in place to ensure the person is who they claim to be. An example could be mailing the person at their last known address and asking them to send a letter back with an authorised signature on a document that explains what is about to happen. When these basic checks are missing, it is no wonder it is so easy to steal another person's identity.

Re:The problem isn't using the SSNs (1)

The MAZZTer (911996) | more than 7 years ago | (#19002253)

I agree; but an interesting caveat is that the gov't reuses old SSNs eventually after the owner dies, so if you keep records long enough and if you have enough of them eventually you might end up with a duplicate key...

Re:The problem isn't using the SSNs (1)

wwwojtek (246402) | more than 7 years ago | (#19002401)

an interesting caveat is that the gov't reuses old SSNs eventually after the owner dies
care to provide a reference to it? Is it just that we'll eventually run out of numbers so they have to be reused or have the numbers been actually re-used already?

Re:The problem isn't using the SSNs (0)

Anonymous Coward | more than 7 years ago | (#19002451)

Not yet, but when you consider the fact that there are 300 million people alive in the country today, and that the system has been running for several decades now, I'd give it only 50 more years tops (roughly two generations now that babies need to be enumerated (originally you didn't need one until you got a job or some other reason to pay taxes)) before they have to either change their allocation strategy or start reusing numbers, since it can only count to one billion and several chunks of it are currently off limits.

Re:The problem isn't using the SSNs (1, Funny)

smitty_one_each (243267) | more than 7 years ago | (#19003883)

I forget the reference, but I heard that when they move from SSNv4 to SSNv6 that there will be enough numbers for everything on the planet, and stuff.

Re:The problem isn't using the SSNs (1)

Fulcrum of Evil (560260) | more than 7 years ago | (#19002809)

They don't actually reuse numbers - this is policy. What has happened is that people have been issued the same number, and illegals have used others' numbers for various purposes, making identification problematic. Combine this with the twin problem (lots of insurance companies aren't set up to handle twin births properly, so they fake it with a shifted birthdate) and SSN really isn't the universal key you were looking for.

Re:The problem isn't using the SSNs (1)

mikiN (75494) | more than 7 years ago | (#19004217)

"These aren't the 'droids you're looking for.
You see, both are registered as ARN#624-926-536624"

"But that spells OBI-WAN-KENOBI, doesn't it?"

"Yeah, but Central Registration Authority never gives out the same number twice!"

"So the registration must be bogus then. Very well, move along..."

Re:The problem isn't using the SSNs (1)

witte (681163) | more than 7 years ago | (#19002411)

I agree that it's easier than having a separate ID for everything, but the privacy and security issues by using a potentially exposable key are not trivial. If you pay taxes for a public service, you would at least want it to be secure enough so some Joe Shmuck can't impersonate as you and go shopping on your credit.

It would be more secure to use a common identifier that is only known inside the systems that need to use/share personal data. Something like a technical primary key, only people with sufficient security clearance (eg. a DBA at the IRS) ought to be able to see those keys without passing thru software that requires authentication and authorisation for data retrieval.

(Of course, if they get printed on envelopes because some idiot at PR thought it would look impressive on mailings etc. this is still not a watertight system...)

Linking individuals back to the secured personal data with false positives or negatives is a bit trickier, but not impossible.
We already have the technology to create systems that prevent human error, but I guess the main reason something like this hasn't been implemented yet is that it would cost mucho dinero to convert the whole country to a new system; and cause a lot of confusion in the transitional period.
(Also, this would create another pork barrel + ensuing political rope-pulling over gov't contracts. Hmm... maybe this isn't such a good idea after all. Sigh.)

supposed to be unique, not always (3, Interesting)

davidwr (791652) | more than 7 years ago | (#19002537)

SS#s are supposed to be unique. They aren't recycled.

Every now and then you find out about a SS# that is not unique. The SS office issues a new number to one or both individuals and mea culpas all around. See this news story [whnt.com] for one example.

Re:The problem isn't using the SSNs (0)

Anonymous Coward | more than 7 years ago | (#19002547)

It is a convenient way to identify someone, since it is guaranteed to be unique.
Social Security Numbers are not guaranteed to be unique.

Re:The problem isn't using the SSNs (1)

Keruo (771880) | more than 7 years ago | (#19003601)

> The problem comes when the SSN is the only piece of information you need to take control over someone's life. There should be some more basic checks put in place to ensure the person is who they claim to be.

I cannot think of any way to take any control of someone's life just by knowing someone's SSN.
You can't sell property, take a loan or apply for a credit card without showing valid photo ID.

You can't order another photo ID with your picture either, since the bureau who grants valid IDs has the original person's picture in their records already. And you need valid ID or a family member with valid ID to collect that new ID to begin with.
Simply faking an ID isn't that easy either, it has several layers of security, embossing, tiny intentional misspellings etc.
Most modern cards even have chip already, so you'd have to know what to clone there as well.

But then again.. this is how things are done in Finland, maybe they don't ask for ID anywhere in States.

Re:The problem isn't using the SSNs (1)

Chmcginn (201645) | more than 7 years ago | (#19005497)

It's rarely difficult to find a person (in the US) who can forge a photo ID. There were three people I knew in college who made fairly convincing fakes of out-of-state driver's licenses in their spare time. This is part of the reason for the 'Real ID' act.

Re:The problem isn't using the SSNs (1)

profplump (309017) | more than 7 years ago | (#19003949)

Or maybe if there were some way that you could execute a legal document and have some agent or officer of the government authenticate your identity and acceptance of the document in-person. That would be handy.

http://en.wikipedia.org/wiki/Notary_public [wikipedia.org]

Re:The problem isn't using the SSNs (2, Interesting)

cellocgw (617879) | more than 7 years ago | (#19004787)

Using Social Security Numbers for everything isn't such a bad idea. It is a convenient way to identify someone, since it is guaranteed to be unique.
It may be unique, but it is most definitely NOT an identifier. Everyone over the age of about 45 (I forget the exact year) got a SSN by asking for it. The original intent of the Social Security Card was to let you and your employer (and Uncle Sam) track your earnings and taxes on said earnings. There was no proof of identity involved. I could have created a SSN for Lrac W. (instead of Carl, get it :-)) and nobody would have cared.
Personally I think it was a disastrously stupid move to make SSNs legal identification. The bloody things don't have fingerprints, photos, DNA, or anything at all that prove who you are.

And in the UK today too (5, Insightful)

AmIAnAi (975049) | more than 7 years ago | (#19002173)

A BBC article [bbc.co.uk] disclosed that a laptop had been stolen that contained Marks & Spencer employee details

From the BBC article:

Salary details, addresses, dates of birth, national insurance and phone numbers were on the machine which was stolen from a printing firm.

It is now too easy for huge quantities of private data to be carried around on laptops and memory sticks, often by people who do not understand the consequences of failing to protect that data. Companies need to be held to account when data is lost.

But check out who does their background checks! (1)

sgt_doom (655561) | more than 7 years ago | (#19003469)

Given that the firm, Blackwater USA [alternet.org] , is responsible for performing the security background checks on TSA employees (I believe there was a news article several months back where four recently hired employees in the Seattle-Tacoma area were convicted - and jailed - for pilfering luggage - another fine Blackwater USA [thenation.com] mission accomplished!), any compromised data is pretty much a moot point......

New acronym? (0)

Anonymous Coward | more than 7 years ago | (#19002177)

TSA? The stupid Article? The Shitty Article? Topless Sluts in Abilene? bah I give up. time for my oxycodone enywho.

Physical Security (2, Insightful)

Detritus (11846) | more than 7 years ago | (#19002201)

Even if you have decent physical security, some items will attract thieves. Anything shiny and portable is likely to walk out the door. A portable disk drive is a good example of a thief magnet.

Technology is amazing (1)

strcpy(NULL,... (1089693) | more than 7 years ago | (#19002359)

Now we have portable thief magnets? Nobody would believe it ten years ago.

Re:Physical Security (0)

Anonymous Coward | more than 7 years ago | (#19004983)

Yeah they stole it and wiped the contents to use for cracked video games, mp3s and the AVI likeness of some of hollywood's worst films. LOLs

truecrypt (0)

Anonymous Coward | more than 7 years ago | (#19002205)

Somebody really ought to introduce truecrypt to the "security" people...

Re:truecrypt (0)

Anonymous Coward | more than 7 years ago | (#19003863)

Truecrypt is good for a home user, but commercial needs are different.

I would recommend PGP Enterprise where policies can be enforced, such as forcing all removable media to be encrypted, and offering a means of recovery should a user lose his key's password.

Ha! Ha! (3, Funny)

mobby_6kl (668092) | more than 7 years ago | (#19002241)

Now they'll experience how it feels to be on the receiving end of violation of privacy!

Re:Ha! Ha! (1)

TheMeuge (645043) | more than 7 years ago | (#19002307)

Maybe next time they'll lose the hard drive with the war-protester-based no-fly lists, and it'll turn out to be the only copy...

Portable HDD? (5, Insightful)

bulliver (774837) | more than 7 years ago | (#19002257)

There's your problem. I can see the allure of using a portable drive, in that you can easily move the data around from computer to computer, but really, we have a better way to move the data: The bloody network! That HDD should have been screwed into a locked case mounted in a rack bolted to the floor of a securely locked room.

Re:Portable HDD? (1)

Original Replica (908688) | more than 7 years ago | (#19002365)

That would imply that the people there at the Transportation Security Administration had some sort of clue about how to make things secure... when they were easily transported ...

Re:Portable HDD? (2, Interesting)

florescent_beige (608235) | more than 7 years ago | (#19003885)

There is a pretty good reason to carry data around on a removable drive. It's cheap bandwidth.

I know this because we used to do streaming backups to an offsite location (one of the guys' houses (we are a (very) small business)). The DSL we used had a download speed on his end of about 1Mb/s. That is .125MB/s. Carrying a 120GB drive home every night, assuming the drive is one hour, has a bandwidth of 34MB/s or about the speed of a T4 line. It's also essentially free because the amortized cost of the drive and caddy over a few years is about zero.

Re:Portable HDD? (1)

Antique Geekmeister (740220) | more than 7 years ago | (#19004325)

Given the availability and use of 40 GB Ipod devices, and USB devices like these (http://gadgets.fosfor.se/the-top-10-weirdest-usb-drives-ever/), it's difficult to avoid. And you don't dare remove USB ports altogether since employees do need good USB audio and graphical devices to do their work.

Put Management's Data In The Databases (3, Interesting)

NeverVotedBush (1041088) | more than 7 years ago | (#19002309)

Why does it take a data breach happening to some organization to get them to decide to protect information?

Maybe a law should be made that any organization that is trusted with public data be forced to imbed all of their CEO's, CFO's, other officers, management, and shareholder's data in the same databases.

I know that the reason all this data keeps getting exposed is because management would rather save money instead of training their IT staff (if they need it) or just giving them the time to implement good, safe, data handling practices. Put their data on the line too and let's see how they decide about safe data handling practices.

More security (2, Interesting)

blhack (921171) | more than 7 years ago | (#19002311)

I'm still waiting for the day when full drive encryption becomes standard. You power the machine on, input a password (or insert a USB key and input a password) and the machine then continues normally. While this might not stop completely determined information thieves, it should put an end to drives full of personal info showing up on ebay. What would be even better is if it became required practice for anyone working with sensitive data like that.

Re:More security (1)

Tuoqui (1091447) | more than 7 years ago | (#19002511)

Still does not matter unless they encrypt the line between your keyboard and the computer. Thieves and Attackers will always go for the weakest link. This is why keyloggers are likely gaining in popularity.

Re:More security (0)

Anonymous Coward | more than 7 years ago | (#19002659)

What you want sounds a lot like Windows EFS. Data is encrypted by each user login, and it has an optional administrator backdoor:
http://en.wikipedia.org/wiki/Encrypting_File_System [wikipedia.org]

Re:More security (0)

Anonymous Coward | more than 7 years ago | (#19002845)

Yet, another great feature that OS X had way before M$ even thought about stealing the idea.

Maybe that EgyptAir pilot stole it. (0)

Anonymous Coward | more than 7 years ago | (#19002331)

He's very sneaky.

Peter O'Donnell nailed this years ago. (1)

sehlat (180760) | more than 7 years ago | (#19002347)

In one of his Modesty Blaise novels, Miss Blaise remarks to the head of a British security agency that:

"Security agencies are always too busy watching everyone else to watch themselves. How long has it been since you changed your locks or checked on your guards?"

1st rule of TSA (1)

gelfling (6534) | more than 7 years ago | (#19002363)

No one talks about TSA. I'm sure even mentioning that this has happened is a violation of some stupid Federal law and the terrorists have already won.

some people never learn (4, Insightful)

Isaac-Lew (623) | more than 7 years ago | (#19002367)

Why would this information even be on a portable drive? And why would it not be encrypted?

This is why I try not to use my Social Security number for identification purposes anymore. I really should try to figure out who has it & what I can do to reduce the use of it.

Re:some people never learn (1)

manif3st (699952) | more than 7 years ago | (#19003705)

The past few days alone have exhibited an increase in this sort of problem exactly (re: encryption). Why large companies aren't using encryption as a standard is something that needs to be answered. Consider the eBay case [bbc.co.uk] where on the 4 May 2007:

Sensitive case notes on vulnerable children in Essex have been found on a computer sold on eBay's auction site.
and the NHS case [bbc.co.uk] where on the 2 May 2007:

About 10,000 health workers in Cornwall have been warned that they could be the victims of fraud after their bank details were stolen.

The latter being more prevalent in my opinion as a critique of the NHS computer systems is revealed [bbc.co.uk] only weeks (16 April 2007) before the breach.

Let's not forget the Los Alamos hard drive scandal, and the countless dozens of other thefts/breaches/losses etc.

Taking into account that I'm a /. user, I am also a professional photographer, and out of simple courtesy to the models that I photograph in revealing states, and also to any other client who has publishing rights to my photographs, I use whole disk encryption (PGP [pgp.com] ) which cost me (if memory recalls correctly) £85 or so, now up to £114 according to the site. A little expensive, yes, but certainly worth it considering site license discount (I'm ignoring admin, I know)? How many other breaches of data have been kept quiet because they didn't involve employees who could snitch to the press?

The corporations pay big money for licenses to Office, and their proprietary software systems. Why can't they invest in encryption?

Perhaps these PR blunders and the cost of repairing them (e.g. the NHS is paying for credit reports for all affected employees) just doesn't offset the cost of the licenses...

This bears repeating (3, Funny)

lawpoop (604919) | more than 7 years ago | (#19002399)

Wayne Madsen is maintaining a chart [waynemadsenreport.com] of data thefts of personal information. He lists 3 or 4 dozen thefts. He believes these thefts are an attempt to populate the Total Information Awareness [wikipedia.org] databases.

Never ascribe to incompetence what can be explained by malice, I guess.

Re:This bears repeating (0, Offtopic)

flyingfsck (986395) | more than 7 years ago | (#19002489)

TIA can probably be populated very easily from second-hand drives bought on Ebay.

The sad thing is that ALL modern drives have an effective erase capability built in:
http://cmrr.ucsd.edu/Hughes/SecureErase.html [ucsd.edu]
but few people know that and fewer still use it before disposing of a drive.

Re:This bears repeating (1)

sgt_doom (655561) | more than 7 years ago | (#19003525)

While Mr. Madsen presents one possible, and likely, scenario, it is important to realize that with the advent of the Bushevik administration there are now something like 61 commercial databases currently under government contract and online - constantly being accessed by the TIA organization: everything from ChoicePoint (sometime take a look at their current and previous directors) to OnStar with First Data volunteering their databases.....

This Wayne Madsen? (1)

commodoresloat (172735) | more than 7 years ago | (#19004963)

You mean this guy [fromthewilderness.com] ? He may be on to something, or it could just be another of his loony theories.

Shit happens... (0)

Anonymous Coward | more than 7 years ago | (#19002473)

...Get over it.

open it up (1)

McGiraf (196030) | more than 7 years ago | (#19002479)

Information wants to be free! If everything was public data we wouldn't have these problems; also, we can get rid of all criminal activities if we abolish every law!

Seriously, with the sheer amount of data that is accumulated everywhere, and how densely we can store it, well this is going to happen more and more.

Re:open it up (1)

justinlee37 (993373) | more than 7 years ago | (#19004403)

we can get rid of all criminal activities if we abolish every law!

Well, technically speaking, you are correct ...

They put the S.... (0)

Anonymous Coward | more than 7 years ago | (#19002543)

...in TSA!

What we need.. (1)

Sloppy (14984) | more than 7 years ago | (#19002709)

..is some TLA government organization to take care of TSA's security, so they won't have to deal with that subject, and can dedicate themselves to harassing people.

Why was this on a portable HD in the first place? (5, Informative)

wwphx (225607) | more than 7 years ago | (#19002829)

I've been in gov't IT for 15 years, this should never have left the server farm. If it had to be on a portable device, it should have been a laptop and heavily encrypted, not that I can see a good reason to give anyone that info. The retirement planning people can make do with very little info.

Re:Why was this on a portable HD in the first plac (1)

epp_b (944299) | more than 7 years ago | (#19003647)

I've been in gov't IT for 15 years, ...
I guess we'll consider this an official infiltration!

Gov't infiltration? (2, Interesting)

wwphx (225607) | more than 7 years ago | (#19005789)

I'm sure people at the Fed level have been reading /. for as long as it's been up. I've been on since we first got the web in the early 90's. I've only been at the state and city level, never the fed level.

As a network and database admin, I've found it to be pretty darn important. I first read about I Love You at 7am at work when it sprang, told our security admin who doesn't read /. (or at least he didn't at that time) and he went and yanked the outside connection to our firewall. It did hit us, but very lightly compared to the rest of the city and for some reason the payload did effectively no damage.

Slashdot is important, regardless of for whom you work.

What's really alarming.. (1)

Pointy_Hair (133077) | more than 7 years ago | (#19002967)

is that they had around 100,000 employees to lose data on. That's a lot of shoe checkers!

Update! (1, Funny)

alisson (1040324) | more than 7 years ago | (#19003067)

From the TSA:

JK, no biggie, guys! We just got it as a .pdf attachment from some nice citizen at "i.r.t3h.l33t.haxxr.@hotmail.com!" It also has a cool .exe file, which he assures me is some security software to keep our data safe! I've installed it on all computers containing sensitive information, so no worries :)

It's astounding.. (1)

mikkelm (1000451) | more than 7 years ago | (#19003195)

.. how government organisations continue to store HUGE amounts of CRITICAL and VERY PRIVATE data on LAPTOPS. Either they have idiot software developers, or they genuinely do not care about security at all.

It's sad when the developers are the biggest security hole in critical government software.

Re:It's astounding.. (1)

PPH (736903) | more than 7 years ago | (#19004367)

It's not developers. It's IT department policies. Or, in some cases, it's the PHB who tells the IT department that he's going on vacation and needs a copy of some data to work on while sitting on the beach, data security policies be damned.

Re:It's astounding.. (2, Insightful)

mikkelm (1000451) | more than 7 years ago | (#19004445)

Any system that could leave hundreds of thousands of private records anywhere but in a centralised and secured database seems pretty bad to me. Luckily anything else is against the law where I'm from.

Disk Encryption (1)

Johnny Mnemonic (176043) | more than 7 years ago | (#19003325)

Where I work, employee laptops are required to make use of File Vault on the Mac, and I believe that the entire HD is encrypted if you chose a Windows laptop instead. I'm not sure of the Linux option, but I believe that there is one.

In light of that, why isn't that kind of policy used everywhere? Doesn't it just make good sense?

The TSA shouldn't even be able to claim that this was a legacy laptop, as frankly their agency hasn't been around that long. I don't get it.

Re:Disk Encryption (2, Insightful)

tomstdenis (446163) | more than 7 years ago | (#19003697)

or not wander around with an HD with sensitive data on it? That's just mental. That data should be housed only in a secure facility with only remote secure access to it.

It's plain stupidity and laziness that compels people to defy the simplest rules of security.

Tom

Backup? (1)

epp_b (944299) | more than 7 years ago | (#19003627)

What, no backup? [slashdot.org]

You can't make this stuff up, folks (2, Funny)

Master of Transhuman (597628) | more than 7 years ago | (#19004301)

I'm waiting for the news story that says the Department of Homeland Security just lost a hard drive with the personal information of every Federal agent in the government and all the White House security information on it.

These people are morons. Their sole purpose in life is to screw up while pushing other people around with self-righteous notions that THEY are the ones "protecting" everybody else.

It's the "cop mentality" writ large - which is the same basic mentality as a Mafia protection racket.

Re:You can't make this stuff up, folks (1)

justinlee37 (993373) | more than 7 years ago | (#19004377)

The TSA probably doesn't run as tight of a ship as our intelligence agencies do.

Re:You can't make this stuff up, folks (2, Insightful)

chill (34294) | more than 7 years ago | (#19004745)

If that does happen -- and hasn't already -- you will NEVER see a story on it. The reporter that runs that will find every lead, every contact and every story from the gov't sector totally dry up. Press credentials would be revoked and they'd probably get a "random" audit from the IRS, along with the census fill-it-all-out-or-go-to-prison long form. They'd be lucky if they could get a local dog catcher to talk to them.

Meh. (0)

Anonymous Coward | more than 7 years ago | (#19004503)

*Dons the cloak of Anonymous Coward*

It's only news because it's the TSA. Most of these... events... don't ever make it into the press.

O no... (1)

tsa (15680) | more than 7 years ago | (#19004675)

Drat, where DID I leave the damn thing?

The untold story (2, Funny)

sjames (1099) | more than 7 years ago | (#19004733)

Apparently the screeners were distracted when someone tried to enter the area with a photo of a shampoo bottle and so they didn't notice the theft. According to the DHS, the photo was probably inserted into the shampoo ad by an al-Qaeda operative.

The TSA, eh? (1)

Kamineko (851857) | more than 7 years ago | (#19006123)

If it were the TSA [wikipedia.org] , they can just go back in time and find out what happened to it. No biggie.