Governmental Servers Wiped? Never!
Geoff writes with a story from Australia: "Eighteen AIX servers purchased from government via auction -- none of them had data removed from them. Ticket Vending and Validation source code, Payroll, Finance, Emails and Customer complaints. All there on every server; they were even nice enough to include some old backup tapes. At ~$14USD per server, it's amazing how cheap personal information has become."
They're just rushing to get rid of the things without properly preparing them. Kinda like this attempt at a first post!
Always going forward, 'cause we can't find reverse.
* That they have sold a bunch of servers laden with personal information for hardly any money at all, or
* Somebody out there is still running AIX
Why are we suddenly complaining about Government being too open?
This is why I love living in Australia! Nobody takes anything too seriously (except beer and sport, which we take very seriously).
And what, ever since I posted to /. about finding the best way to *really* wipe a hard drive I've gotten about 45 emails telling me all kinds of ways to sort out this kind of problem (I still get emails about it, and the posting was more than three years ago). Everything from a quick thermite burn to breaking into a telco exchange for some ultra-high-current bit rearrangement.
Those government types just need to think outside the box a little more. Hell, why settle for thermite - these boys have access to our nuclear arsenal!
===== Warble://VX
Interesting that the blog's subtitle is:
:D
If it's not on fire, then it's a software problem.
Looks like you're about to have a hardware problem
At ~$14USD per server, it's amazing how cheap personal information has become.
:)
:)
$14 USD? You got ripped off.
A few years back, some guy wearing a workman's uniform and holding a clipboard wandered into the (iirc) Customs building here in Australia. Carted off one of the servers from a machine room, and no-one stopped them, or remembered what they looked like.
Slashdot remembers
Makes me proud to be an aussie sometimes
It's kind of hard to get rid of your data on a hard drive. You are lucky if it works, then you can try 'dd if=/dev/zero of=/dev/xxx'. However, if first they laid off their AIX staff, employed some Windows engineers, then they decided to sell those AIX boxes... Well, well :)
Your task is even harder if you have a hard drive that has ceased operating. There exist companies like http://www.kurt.hu/ that have state-of-the-art technology to retrieve data from damaged hard drives. If you need your data: good for you. If you'd like to get rid of it for sure: better take good care of it...
Makes you wonder how many governmental organizations even know how important properly disposing of a computer can be.
Or if the government really cares. Who's going to arrest them? There's no risk of punishment here.
If this guy planned on doing anything with the data, he probably wouldn't have blogged about it. He would copy the data, wipe the disks and pretend that he had seen nothing.
Then at a later date, he could do his evil work using that data.
Therefore, this particular blunder is nothing to get worked up about, but the potential for future blunders is.
Because we have rules which force government agencies to keep data for a certain amount of time. To get around this much of the data that was to be covered by this was wiped before the rules came into force :)
Matt Thompson - Actuality - Insert product here.
It's .. um .. transparent government. Yeah, that's it.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
At least then you know that if the drive dies and you don't physically destroy it, for somebody to copy the data they'll have to do more than just get the drive going again.
PCB board failures are the problem. The drive won't work, yet the data on the platters is likely to still be good. PCB failures are also fairly easy to recover from - just go to ebay to buy a second hand drive of the same model, and swap the PCBs over. If it is easy for you to do, it is also easy for your adversaries.
Even if you sell a working drive, as long as you don't provide the customer with the passphrase for the encrypted filesystem where your important data resides (I'm sure I don't have to point out how stupid doing that would be), you can be sure that the above story is unlikely to happen to you.
The Internet's nature is peer to peer - 20050301_cs_profs.pdf
Just wondering. He bought the computer and its contents from the government, so does he have rights to the source on the box?
Twice.
Stuart
It's all fun and games until a 200' robot dinosaur shows up and trashes Neo-Tokyo... Again
-AT
Working in a DevOps shop is like playing in a band made up entirely of keytarists.
On ebay, I even found a quad Xeon 550 with 1 gig memory and 5 9.1 SCSI Cheetah hard drives for less than half of the Dell Xeon. But I don't have any OS that will use 4 CPUs.
What do I need?
Any major Linux Distro will handle 4 CPUs just fine.
I have heard a similar story about two guys in blue overalls walking out of David Jones (or some other department store) carrying a big-screen TV, and no one stopped them either.
Makes me proud to be an Aussie.
Y'know, it's interesting to note that all our greatest heroes are thieves and brigands. Go Aussie!
Really, a database machine needs more RAM than CPU speed. The more RAM you have, the larger the dataset it can keep in cache, and the less it has to go to the hard drive to pick up information. You'd be fine with a single proc machine; save the money and get a good uniproc motherboard that can accept 4 1 gig sticks of RAM instead.
Marxism is the opiate of dumbasses
We bought a second-hand server from ebay which was from someone that buys ex-govt stuff from auctions, and it had a backup tape in it from the Brisbane Magistrates Court (Australia).
http://www.expatica.com/source/site_article.asp?subchannel_id=19&story_id=13469&name=The+Dutch+news+in+October+2004
See October 7th 2004.
Some taxi-driver found it, discovered that it had very sensitive information about some current open cases on it, and a lot of personal stuff that could make the prosecutor vulnerable for blackmail etc. when in the wrong hands.
These things just show that some state organisations (or the people working there) have really too little awareness of handling computer data the right way. Actually this year we had a case in the Netherlands where some secret state report ended up in an upload filesharing folder of the person working on it, and thereby could just spread all over. I think people working at such positions really should be instructed on safe computing, especially at home or using laptops; the risks are pretty high that data can get stolen.
molmod.com - computing tips from a molecular modeling
Oh wait, this is the government, never mind.
The UK's Data Protection Act, especially as it pertains to medical data, is remarkably strict.
Nonetheless, it came as no surprise to me that, when I worked at a medical centre and they upgraded all their machines, the old ones were merely dumped in the attic before being carted off by the local Council's binmen.
I asked about this (not in terms of security, but because I wanted the machines). Apparently UK companies have to PAY the Council to remove old computers, as part of some environmental legislation. I offered to take them away for free, naturally.
The only reason I didn't get any "protected" data along with them was because I'd previously wiped it off. But even that was little more than a standard "empty recycle-bin" - it likely wouldn't stop anyone who knew what they were doing.
It's all very well having data protection policies, but unless you tell officials HOW to erase data, it won't be done.
Argh.
These servers could be nicely rehabilitated with Linux, however. In fact, they might make excellent testbeds for developers who wish to compile for Linux on POWER (in lowest common denominator fashion). And IBM hardware is deservedly respected for its quality, and these are server-class machines (unlike, say, a PowerPC 604-based Macintosh). So the buyer did very well, IMHO.
"...And he sang as he laughed as he carted off the server rack - you'll come a-waltzing Matilda with me!"
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I seem to recall a few years ago watching a program that mentioned how the British government decommissioned some of its hard drives.
With a low-level format, then a blast furnace, and then holding on to the smelted chunk of crud for a while. [This may have been only for stuff that was "sensitive" though.]
Of course my brain sucks for holding normal info, but it kinda stood out because we do similar stuff at work, machine dies, we take it out back with a sledge hammer and a cutting torch, someone asks us to strip the machine for parts half an hour after we're tired.
--- As to make my comment seem, by comparison, more intelligent... doodie doodie doodie poop poop poop!
I've only used the free demo but it's a great floppy. And it runs FreeDOS too.
... is the more likely scenario - that, for every one of these incidents that are reported, there are 10 that are not.
You could probably make a living selling data snarfed from used disks/tapes off ebay.
I picked up some "blank" used DLT tapes from ebay. These "blanks" contained a filesystem backup for the online store of a multibillion dollar corporation.
Why get so worried about personal data being stolen by l337 h4x0rz through the intarweb? All they need to do is buy a bunch of used media off ebay -- much easier.
One of the major banks decommissioned servers which eventually wound up on ebay. The person who bought them discovered that all data was still intact.
I use Macs to up my productivity, so up yours Microsoft!
Fortunately he was an honest man and didn't sell the list, rather he contacted the DoJ and DoJ contacted DISCO to help get their shit together. The instructor was making the point that when you surplus equipment that you really need to make sure that you wipe the drives and any other storage media. His bias was that the easiest way to do this was to physically remove and destroy the media because you could never really be sure if a wipe program had worked (well you could go over the drive to make sure that it had been erased, but who's going to do this?).
When I don't want to physically destroy a drive but want to make sure that it's gone I either wipe it with a low-level hardware format utility such as the one built into Adaptec SCSI cards, or I use a program such as autoclave by Josh Larios (which he isn't supporting any more outside of the University of Washington community) although now I guess I'll have to try the recommended replacement Darik's Boot and Nuke. A side benefit of programs such as this one is that they really exercise the Hell out of your disks, which is great to smoke out any potential failures.
cheap labor conservatives - they want to keep you hungry enough to be thankful for minimum wage.
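The 'dd if=/dev/zero of=/dev/xxx' wipe suggested earlier in the thread, and the point just made that nobody actually checks whether a wipe program worked, as an added example that is not part of any comment here: a zero pass followed by an explicit verification pass. It runs against a file-backed image from mktemp rather than a real drive, and the planted payroll record is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): wipe a "disk" with dd, then verify the wipe.
# A file-backed image stands in for the drive so this runs without root.
set -eu
export LC_ALL=C   # treat the image as raw bytes in grep/tr regardless of locale

# make_sample_disk PATH: constructed image of random data with a fake payroll
# record planted at offset 8192, standing in for the data left on those servers
make_sample_disk() {
    dd if=/dev/urandom of="$1" bs=4096 count=64 2>/dev/null
    printf 'PAYROLL employee=J.Smith salary=55000\n' |
        dd of="$1" bs=1 seek=8192 conv=notrunc 2>/dev/null
}

# holds_secret PATH: succeeds if the planted record is still readable from the raw image
holds_secret() {
    grep -aq 'PAYROLL' "$1"
}

# wipe_disk PATH: one zero pass over the whole image (the dd idea from the thread);
# conv=notrunc keeps the image at its original size, like a real block device
wipe_disk() {
    bytes=$(wc -c < "$1")
    dd if=/dev/zero of="$1" bs=4096 count=$((bytes / 4096)) conv=notrunc 2>/dev/null
    sync
}

# residual_bytes PATH: number of non-zero bytes left; anything but 0 means the
# zero pass did not cover the whole image
residual_bytes() {
    echo $(( $(tr -d '\000' < "$1" | wc -c) ))
}

# verify_wiped PATH: succeeds only when not a single non-zero byte remains;
# this is the check the thread says nobody bothers to run
verify_wiped() {
    [ "$(residual_bytes "$1")" -eq 0 ]
}

img=$(mktemp)
make_sample_disk "$img"
holds_secret "$img" && echo "before wipe: payroll record readable from raw image"
wipe_disk "$img"
verify_wiped "$img" && echo "after wipe: $(residual_bytes "$img") non-zero bytes remain"
rm -f "$img"
```

Pointing wipe_disk at a real block device overwrites that device, and a zero pass from the host never reaches sectors the drive has already reallocated, which is why the thread's physical-destruction and encrypted-filesystem advice still stands.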
Reminds me of an anecdote I heard a few years back. It's off-the-wall enough to be true, but I don't vouch for its accuracy. It was a pub conversation, after all.
Co-worker at a previous job had an acquaintance who was working for a defense contractor (RLM, I think it was), on some crazy uber-classified Over-the-Horizon Radar project. They used an absolute stackload of data in Compaq (ex DEC) SANs, I'm told.
Due to the fact that all this data was classified at some level, and they were a good customer, Compaq gave them an unconditional replacement guarantee on the disks in their RAID arrays. If one failed, Compaq didn't want it back.
So, this friend of a friend started sending in bogus RMA requests and taking the disks home. When this came to light, Compaq, obviously, were rather aggrieved. Since they couldn't do him for theft (the contract being rather ambiguous, and they HAD issued him with the RMAs,) they had the Australian Fed. Police arrest him for Treason.
He got 5 to 10 years.
You're doing it wrong.