Governmental Servers Wiped? Never!
Geoff writes with a story from Australia: "Eighteen AIX servers purchased from government via auction -- none of them had data removed from them. Ticket Vending and Validation source code, Payroll, Finance, Emails and Customer complaints. All there on every server; they were even nice enough to include some old backup tapes. At ~$14USD per server, it's amazing how cheap personal information has become."
:)
:)
$14 USD? You got ripped off.
A few years back, some guy wearing a workman's uniform and holding a clipboard wandered into the (iirc) customs building here in Australia. Carted off one of the servers from a machine room, and no-one stopped them, or remembered what they looked like.
Slashdot remembers
Makes me proud to be an aussie sometimes
It's kind of hard to get rid of your data on a hard drive. You are lucky if it works, then you can try 'dd if=/dev/zero of=/dev/xxx'. However, if first they laid off their AIX staff, employed some Windows engineers, then they decided to sell those AIX boxes... Well, well :)
Your task is even harder if you have a hard drive that ceased operating. There exist companies like http://www.kurt.hu/ that have state-of-the-art technology to retrieve data from damaged hard drives. If you need your data: good for you. If you'd like to get rid of it for sure: better take good care of it...
Makes you wonder how many governmental organizations even know how important properly disposing of a computer can be.
Or if the government really cares. Who's going to arrest them? There's no risk of punishment here.
The STA is responsible for the operations of the Sydney Buses network which I used to rely on for travel to & from school, work, and for social events -- until I got my car. It is the most unreliable system ever, on par with the NSW Cityrail system, both of which have been constantly riddled with problems. It's not surprising that a blunder such as this went by unnoticed.
I would like to do my bit for the environment and use public transport as much as possible but I never get where I need to on time. I've been to Russia and even there, the buses and subway system are more reliable.
Just wondering. He bought the computer and its contents from the government, so does he have rights to the source on the box?
-AT
Working in a DevOps shop is like playing in a band made up entirely of keytarists.
...we don't let a hard drive out the door. All storage media(disks, tapes, CD/DVD, etc) remain in the buildings unless encrypted(laptops) or we are certain they contain no protected data - such as educational CDROMs, etc. Everything else is dismantled and destroyed. For example, CDs and HDD platters are sanded, tape is shredded.
Anything that goes to auction is diskless, and we cannot return a drive under warranty as it's impossible to securely erase a faulty drive, or, for that matter, a good drive - think bad sector remapping.
We're Federal Government, not State, BTW.
If you have signed all usual secrecy and privacy forms before.
The best you can do is to send STA a stiff invoice for professional data sanitation. Fix their wagon!
If you are outraged, tell the STA Union their members' details were leaked because of slack security (any excuse to strike), tell the State Auditor, tell tax, and the privacy commissioner. Butts will be kicked.
The auction mob were slack, they are meant to wipe the data, and remove all identifying stickers. But the real blame lies higher up.
Conclusions. The STA are as reliable as their timetables, and going to windows will be more risky than ever, if their admins default everything.
I seem to recall a few years ago watching a program that mentioned how the British government decommissioned some of its hard drives.
With a low level format, then a blast furnace, and then holding on to the smelted chunk of crud for a while. [this may have been only for stuff that was "sensitive" though]
Of course my brain sucks for holding normal info, but it kinda stood out because we do similar stuff at work, machine dies, we take it out back with a sledge hammer and a cutting torch, someone asks us to strip the machine for parts half an hour after we're tired.
--- As to make my comment seem, by comparison, more intelligent... doodie doodie doodie poop poop poop!
There was a wave of laptop thefts in large companies a year or two back here... done by people who wore suits, they just walked into the open offices and wandered off with the laptops.
world was created 5 seconds before this post as it is.
Q: Is the Gutmann method the best method?
A: No.
Most of the passes in the Gutmann wipe are designed to flip the bits in MFM/RLL encoded disks, which is an encoding that modern hard disks do not use.
In a followup to his paper, Gutmann said that it is unnecessary to run those passes because you cannot be reasonably certain about how a modern hard disk stores data on the platter. If the encoding is unknown, then writing random patterns is your best strategy.
In particular, Gutmann says that "in the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques. As a result, they advocate applying the voodoo to PRML and EPRML drives even though it will have no more effect than a simple scrubbing with random data... For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do".
In other words, DBAN doesn't work for modern hard drives. It's as good as random scrubbing. Which is not that effective anyway.
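The two posts above (the `dd` one-liner and the Gutmann discussion) both boil down to "a few passes of random data, then check". This is an added example, not code from the thread: a small Python sanitiser that overwrites a file or block device with fresh random data, reads it back to confirm a planted record is gone, and measures the entropy of what is left. The sample payroll record and the 1 MiB scratch file are constructed for the demo; the remapped-sector caveat in the docstring is the one the federal admin raised above.

```python
import math
import os
import tempfile

BLOCK = 1 << 20  # 1 MiB write/read unit


def random_scrub(path: str, passes: int = 3) -> int:
    """Overwrite every byte of `path` with fresh os.urandom data, `passes` times.
    Works on a regular file or (with privilege) a raw block device such as /dev/sdX.
    Caveat: only sectors the drive currently maps are rewritten; sectors it has
    silently remapped to spares are never touched. Returns bytes written per pass."""
    with open(path, "r+b", buffering=0) as f:
        size = f.seek(0, os.SEEK_END)  # getsize() reports 0 for block devices
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                remaining -= f.write(os.urandom(min(BLOCK, remaining)))
            os.fsync(f.fileno())  # push this pass through the page cache to the media
    return size


def marker_survives(path: str, marker: bytes) -> bool:
    """Read the media back in chunks and report whether `marker` is still present."""
    carry = b""
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK):
            if marker in carry + chunk:
                return True
            carry = chunk[-(len(marker) - 1):]  # keep the tail so a split match is seen
    return False


def byte_entropy(path: str) -> float:
    """Shannon entropy in bits per byte; a random scrub should leave close to 8.0."""
    with open(path, "rb") as f:
        data = f.read()
    total = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def demo_scrub() -> dict:
    """Constructed demo: fill a ~1 MiB scratch file with a fake record, then scrub it."""
    marker = b"PAYROLL-RECORD:employee=0001;salary=..."  # constructed sample content
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write((marker + b"\n") * (BLOCK // (len(marker) + 1)))
        path = tmp.name
    try:
        before = marker_survives(path, marker)
        written = random_scrub(path, passes=3)
        return {"before": before, "after": marker_survives(path, marker),
                "entropy": byte_entropy(path), "bytes": written}
    finally:
        os.unlink(path)
```

The read-back only proves the overwrite reached the addressable surface; it cannot see remapped or spare sectors, which is why the thread's "dismantle and destroy" policy still makes sense for drives that held protected data.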
AIX still runs massive databases for big insurance companies, weather stations and criminal databases. IBM has a moderate representation on the databases and hardware they digitally store fingerprints and mugshots on. Sold them in the 80's and they have upgraded on IBM a few times since then.
An Education is the Font of All Liberty
You could probably make a living selling data snarfed from used disks/tapes off ebay.
I picked up some "blank" used DLT tapes from ebay. These "blanks" contained a filesystem backup for the online store of a multibillion dollar corporation.
Why get so worried about personal data being stolen by l337 h4x0rz through the intarweb? All they need to do is buy a bunch of used media off ebay -- much easier.
One of the major banks decommissioned servers which eventually wound up on ebay. The person who bought them discovered that all data was still intact.
I use Macs to up my productivity, so up yours Microsoft!
Reminds me of an anecdote I heard a few years back. It's off-the-wall enough to be true, but I don't vouch for its accuracy. It was a pub conversation, after all.
Co-worker at a previous job had an acquaintance who was working for a defense contractor (RLM, I think it was), on some crazy uber-classified Over-the-Horizon Radar project. They used an absolute stackload of data in Compaq (ex DEC) SANs, I'm told.
Due to the fact that all this data was classified at some level, and they were a good customer, Compaq gave them an unconditional replacement guarantee on the disks in their RAID arrays. If one failed, Compaq didn't want it back.
So, this friend of a friend started sending in bogus RMA requests and taking the disks home. When this came to light, Compaq, obviously, were rather aggrieved. Since they couldn't do him for theft (the contract being rather ambiguous, and they HAD issued him with the RMAs,) they had the Australian Fed. Police arrest him for Treason.
He got 5 to 10 years.
You're doing it wrong.