U.S. Service Personnel Data Stolen
BStrunk writes "I was reading the news this morning on Reuters, when I stumbled across this article:
U.S. Service Personnel Personal Data Stolen
In the article, an official violated policy by taking the detailed personal information of thousands of active and reserve troops to his personal home, storing it on a personal computer, that was later stolen. In an age where domestic phone calls are monitored, a government employee was allowed to walk out of a government installation with the data on thousands of American citizens to store on an insecure personal computer? Doesn't that seem strange to you? This is a real failure, in my opinion, in government protection of its citizens. Layers of encryption and protected access was successfully bypassed to make the theft of this information as simple as stealing a home pc.
Now, not only do service personnel currently serving have to worry about IEDs and being fired upon, but they are now subject to possible identity theft. A real failure. After this, how could one have faith enough to serve an inept institution?"
The Man is sticking it to itself. And by itself, I mean our men and women in uniform. As if slashing benefits, pensions, and the "stop-loss" program weren't bad enough.
You are not the customer.
What is an IED?
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
How about: From the three-week-old-news department?
After this, how could one have faith enough to serve an inept institution?
Why do we need all the editorializing in the blurb? And the troops don't serve an institution.
This happens all the time unfortunately. People's stupidity can circumvent any electronic security measures. But I'd rather have my identity stolen than my legs blown off by an IED.
http://psychicfreaks.com/
The burglary from the employee's home in Aspen Hill, Maryland, involved a laptop computer with an external disk drive, officials have said.
... and it starts by gathering all the personally identifiable information they can get on US citizens? (first the vets' data was stolen, now this) ... Maybe the US terrorist threat level should be raised to red!
2 things...
1.) Wouldn't stuff this sensitive be encrypted if it's sitting on an external disk drive?
2.) Is there some sort of conspiracy going on? With the terrorist arrests in California and Canada? Perhaps somebody is planning something big.
You could at least post the update that the Vet's are now suing the VA.
There's a real fear that this includes classified disability info.
If that info gets on the web, an employer googling a potential employee's name may see that candidate has, for instance, post-traumatic stress disorder (PTSD) and decide not to hire them. It's currently illegal to discriminate like that, but there's no way anyone will ever know in this hypothetical situation.
obviously no deficiencies vs. no obvious deficiencies
This is in addition to the identifying data of millions of Veterans stolen in the same event. They originally reported only Veteran data. Now it seems it contains active duty soldier info as well.
TFA: Bryan Whitman, a Pentagon spokesman, said, "We want to encourage service members to be vigilant and carefully monitor their personal information and any statements related to recent financial transactions."
Great, as if they didn't have enough to deal with. I can just picture some soldier under mortar fire in Iraq, trying to load a rifle with one hand while juggling a cellphone on hold with American Express in the other hand..
Slashdot Burying Stories About Slashdot Media Owned
Personal information on about 2.2 million active-duty, National Guard and Reserve troops was stolen last month from a government employee's house, officials said on Tuesday in the latest revelation of a widening scandal.
The Department of Veterans Affairs said the information, including names, Social Security numbers and dates of birth, may have been stored in the same stolen electronic equipment that contained similar personal data on 26.5 million U.S. military veterans.
Same crap, different day. The problem isn't that the information is stolen -- that happens all the time. It's that a lot of these people are in no condition to do much about it. Now you have veterans, many poor, disabled, aging, fighting a new battle alongside active duty personnel, who may be in Afghanistan or Iraq and totally unaware that this is going on, let alone being in a position to do anything about it if their identity is compromised.
Honestly, this kind of thing is so widespread, from credit card companies, to banks, to telcos, and now the government, that it makes you wonder just what it takes to secure your personal data. I wouldn't be surprised if this happens to one of the major credit bureaus somewhere in the near future.
GetOuttaMySpace - The Anti-Social Network
It's not a Dupe... this is a different theft, the original data stolen was from the V.A. database.
It just happened exactly the same way...
I guess Slashdot can't help it if the news is repetitive.
I don't give a damn for a man that can only spell a word one way.
Mark Twain
http://www.va.gov/
"This data contained identifying information including names, social security numbers, and dates of birth for up to 26.5 million veterans and some spouses, as well as some disability ratings."
Slashdot notices a month-old scandal.
Thieves steal personal data of 26.5M vets
Theft of Data Leads to Firings
Clear, Dark Skies
I know that many slashdot readers may not get out much, but you've had to have been living under a rock for the last month to avoid this story; it's been reported on in every mainstream press publication there is.
I would like to see financial liability for exposure of consumer personal data work something like this:
Each individual data item, where item is a phone number, SSN, address, email, an so on, is counted as 1 'unit' of liability for the company storing that data.
In the case of a company leaking or losing their customer data they are held financially liable for all 'units' of customer data times the number of customers.
This way companies would have an incentive to store only the minimal set of customer data that is necessary to operate their business. And it would hopefully lead company information/data managers to actively seek to erase/dispose of all non-essential customer data as soon as possible.
The information is not classified, it's Official Use Only, which is a form of protected information. Personnel records are usually, in part, exempt from Freedom of Information Act requests, so they may enjoy a slightly higher level of protection than ordinary OUO.
However, nearly every government computer in existence, including laptops, has gobs of OUO information on it. It's not encrypted because it's not that sort of information. It's just controlled dissemination. That does not mean it might be harmless to release it, but it's way below classified.
It is not alarming that people occasionally accidentally disseminate or lose control of OUO. Employees are simply expected not to do so wilfully or wantonly or carelessly. It's even permissible to share OUO with people outside the government if the employee thinks it would be useful to do so. The fact that OUO was taken home is not a big deal.
In this case the only big distinctions are the massive quantity of the information, and the fact that it's personnel records, which do have higher levels of protection. Apparently it was also policy not to take these home.
Some drink at the fountain of knowledge. Others just gargle.
Besides, domestic calls are not monitored without a warrant. Do you have a problem with that? Perhaps you are thinking of international* calls to known members of terrorist organizations.
Is that a question?
* According to my phone bill, a call made from my house to another country is an international call.
Gamingmuseum.com: Give your 3D accelerator a rest.
Did they ever find out why this official had the info on his home PC to begin with? What possible legitimate use could there be for info like this outside the office?
After this, how could one have faith enough to serve an inept institution?"
Had the blurb been posted as a comment it would have been modded as flamebait.
Could we leave the editorializing in the comments please?
The only way to prevent most of that kind of leak is the infamous trusted computing. How can you prevent somebody to walk out of the building with critical files on his USB key without "secure hardware" ?
This seems like an even bigger problem than the article mentions. Sure this information could be used for identity theft and the like, but perhaps even worse, this could be used to harass the families of active military personnel. With some groups protesting at military funerals, I could see the same happening with protesting at active servicemen's houses with information like this.
I've worked on military and government contracts. We had the same problems as every company does: employees/contractors/government personnel taking home their work and working on it on their personal PCs. Regardless of the number of NDAs they sign, the computer security briefings they get, and the number of times they are told by management, they do it anyway. Are they wrong for doing this? Of course! Will they lose their security clearance over this? Probably, depending on what their rank/GS level is.
Training, a no-exception penalty policy for "losing" sensitive data, and encryption are what is needed to prevent this in the future. Unfortunately, the government seems to be a little short on $$$.
If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
that most folks who go in the military don't do it to "serve an inept institution" or to serve an institution of any kind. Those who are serving for ideological reasons (even if "patriotism" only plays a small part in the decision) believe they're serving the country as a whole and the ideals it stands for. That's why we say "serving our country" not "serving the military."
Everyone who has been in the service knows that there are always a few idiots up in the higher levels of the chain of command. Also that the civilian employees of the DoD aren't always interested in looking out for the interests of the military personnel that they are supposed to be serving. Dealing with the civilian DoD folks was a constant frustration during my time at Fort Bragg. Not that those folks are all bad, but the service they gave me when I was in the 82nd was second only to the service I get from the DMV -- surly and uncooperative.
Interested in a Flash-based MAME front end? Visit mame.danzbb.com
Don't worry, this is all fixed now, and can't possibly happen again. We recommend that you not dwell on past history, and move forward into the future. Your private information is completely safe with the government, we've learned our lesson.
And that goes double for next time, too.
We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
"Who shall watch the watchers?" --Decimus Iunius Iuvenalis
[Emphasis mine]
He wasn't allowed to do it, he simply wasn't caught in the act and prevented. Reading the article, I see nothing about him having sought or received permission. Just because one is able to do something does not mean that one is allowed to do it.
It's official. Most of you are morons.
It's true. There are many government officials that are issued government laptops so that they may do their work when they are away from the office. It's not uncommon for employees that work in warehousing, personnel offices, or the like to take their laptop home with them to work with information or print out documents that should be closely guarded. These documents are just 'thrown out' in normal trash instead of being shredded. These documents could contain operation orders, quantity listings of items stored in warehouses, and other potentially classified information. Sadly, the employees are sometimes very careless with the information once they leave the workplace. In this particular case it seems the government official copied the data over to a non-classified/non-government issued computer. This is extremely frowned upon and it was correct punishment in the least for the employee to be fired. I'm surprised that the individual hasn't been charged for such ignorance, if it is what actually happened. Hopefully, the government will use this instance as a guide and put measures into place to safeguard against these types of crimes. Sadly, they can't stop people from being ignorant and getting complacent about their data.
Who cares about some 'identity theft'? Wouldn't that just be what you'd need, assuming that the soul-selling contract is with an individual. Identity theft => no identity => no obligation to hand in your soul.
This space is intentionally staring blankly at you
Sounds fishy to me. How was the data stored, in a flat comma-delimited database files? If someone wanted to walk out of my employer's offices with all that data, they'd have to break into a locked cabinet, and steal a server. I think his co-workers would notice. And since when do data analysts walk out with computer equipment unquestioned?
Nope, it stinks. No way was this done by accident, and no way could the burglars have known the exact date and time to break-in... unless there was some collusion there. This guy did it on purpose.
Does it seem strange to anyone else that so many computers containing sensitive information are suddenly being reported stolen? Is it just an accident that this particular computer, containing this particular set of incredibly extensive personal information, just happened to be stolen from this person's home in Virginia?
First, how would someone know that this computer contained all this information? Perhaps this is a job for spyware. It's easy to imagine a piece of malware that looked for large personal databases and phoned home when they are found. Or, perhaps, people whose jobs give them access to personal information are being trailed and their computers then stolen?
Yes, I know that laptop theft is pretty endemic, but the number of high-profile thefts like this one, the ones involving the auditors Ernst & Young, etc., makes one wonder if there isn't some type of sophisticated targeting going on. I realize that the pressure to disclose such thefts has risen greatly in recent months, in large part due to laws like California's that require notification. (Laws which, by the way, the Republican Congress is seeking to preempt through federal legislation.) So this could just be a result of increased reporting, but the targets involved seem to have particularly juicy caches of data.
Am I being paranoid?
Oh ... now I understand.
The government already has your SSN, your mother's maiden name, and just about every piece of information someone would need to impersonate you. The only thing you have standing between you and identity theft is the loyalty and competence of government employees.
You are reading a copy of my copyrighted post.
Government employees often contribute their own time to work on projects. This is a case of "no good deed goes unpunished." The guy was working on a project at home "unauthorized", his laptop and USB HDD get stolen, officials grandstand, and he gets fired at age 60 (perhaps without a pension).
And as has been stated elsewhere here, it's completely unnecessary, yet common on slashdot.
We're already aware that the NSA and others are secretly collecting information from Americans. With this case, one has to wonder if your taped phone calls and what-not are also being taken home by government employees, only to be stolen...
This is why I don't trust the government.
This is exactly why the government shouldn't keep personal info. Yes, they have to keep personnel info. But, imagine if the data walked home with was call records. Or, call transcripts. Or, banking information.... I'm not worried about a benign competent government having my information. I'm worried about the real world situations and real people that data would encounter. This isn't even getting into malice on the part of government officials. Heard a military officer say, whenever you are dealing with more than two or three hundred people, you will have a few scumbags. Now, how many scumbags is that in a government which employs millions of people? Or any major corporation/church/university/institution....
Here's to losing my Karma Bonus again....
Just for clarification.
This follows on to the theft of several laptops worth of corporate employee data. Almost makes me want to open up a consumer credit protection business...
Ernst & Young lose data on a quarter-million Hotels.com customers
Ernst & Young (hey, there is a theme here!) lose information on Sun employees (including then-CEO Scott McNealy). Also included were employee records for IBM, Nokia and Cisco.
Wells Fargo proves it can play the game too.
And not to be left out, let's not forget Fidelity's loss of 200,000 HP employee records.
What's scary is that both Fidelity and E&Y audit other companies for security and regulatory compliance (including HIPAA and Sarbanes-Oxley)...
Just junk food for thought...
Any word on who this guy in Virginia was? I haven't seen him/her identified by name in any of these articles. It would be kind of ironic if the military is protecting the identity of the person who gave up the personal info on millions of soldiers and vets.
How do we know it wasn't an "inside job"? We don't know if this guy is a criminal or just an idiot. I've heard that when you make something more idiot-proof, the world just makes better idiots.
I have worked for tech companies that had various security and ID badge programs, guards at the gates, etc., but nothing that would have prevented me from carrying a few CDs out in my handbag. I also worked at a place that entrusted lot of sensitive info to a vendor -- and the vendor moved all his hardware to his basement in a high-crime neighborhood.
He wasn't supposed to take identifiable data out of the facility, and if he did, it was supposed to be encrypted. The employee ignored his annual data security training, and sufficient barriers don't exist to force the encryption. There is a major data security storm going on around here, and it serves no good to blame the government when it's One Damn Fool causing the problems by ignoring rules.
It's like a postal service driver driving on the wrong side of the road, plowing into a family, killing everyone involved, and blaming USPS for the deaths. At what point do you trust an employee to do his job right? You want to build something into the mailtruck to make sure it stays on the right half of a road? How does he make left turns?
Dare to Hope. Prepare to be Disappointed.
re post rant: what do you mean "not only"?
I think the service personnel are MUCH more worried about being blown up or shot, than "whoops my credit rating got a bit low". So much so that I don't think it really adds to their problems.
Yeah it's a shitter but you can't compare someone using your name to apply for a credit card or a car loan, with being KILLED.
a government employee was allowed to walk out of a government installation
This is very misleading. Considering it sounds like he took it in electronic format, there are a TON of ways he could have taken this home and I doubt people are strip searched everyday they leave the office.
It is probably against policy to take these documents home without permission. So saying he was "allowed" to do it is very misleading...he was not allowed to do it, he was just a trusted employee who has security clearance (hence the trust) and he did something stupid.
I mod down so you can mod up. Your welcome.
As ever, with security, when it comes to sysadmins, you need to be able to trust the personnel, not only in terms of their integrity, but also in terms of their stupidity.
init 11 - for when you need that edge.
From the submitter, "an official violated policy"
Let's blame the whole system, based on the actions of one individual.
People are focusing on the transgression of the guy putting this data on his laptop and taking it out of the building. In reality, you can bet the systems he was working on were networked and he could have accessed the data from his home directly. I'm not sure if there is a simple solution to this other than constantly making sure all data is encrypted wherever it is stored.
Deployed soldiers not only have to worry about their current condition, but they do worry about everything going on back home. The more worries back home, the more distraction from their current jobs, the more danger of making a mistake. Yes, I am a war veteran, so I know.
Soldiers with close family back home should be okay, as they can just have someone else monitor their credit. Soldiers with no family and little access to the Internet should be worried. The VA should at the very least give each soldier and veteran free online credit monitoring for the next couple of years.
Actually this is the best thing that could have happened. A complete failure in a system, potential for identity theft, and involving current/past service men/women. I am one of those by the way.
Why is this the best thing? Cause when troops are involved national pride actually works and things get done. People will flip out over this and they will finally fix it. Think of the children is first followed quickly by think of the troops. Now maybe they'll put the responsibility where it belongs. Squarely on the shoulders of those companies that deal with credit. Then I'll stop getting those calls for the new service that protects my credit and it only costs $14.95 a month. Make that free and actually go after these thieves instead of what they do now.
First off, your last comment: "After this, how could one have faith enough to serve an inept institution?" was offensive. It's not that they have faith to serve an institution- it's they have faith and beliefs that they are protecting something of the utmost importance- YOUR FREEDOM!!! Having served in the Air Force and done my time in the deserts of the Middle East, I know first hand what those guys are going through over there. For some ignorant fool as yourself to question their faith, disappointing to say the least. They are over there giving their blood, sweat, tears, and families to protect your freedom & you don't even have the common decency to say thank you. To get to the point of your story- yes there are protections put in place to defend information from falling into the wrong hands. But if you are an IT "Geek" you should know, the least secure of any point on a network is physical. If you can physically get access to data then that data can become vulnerable. It's not like you can let people see or copy data, but then wipe it from their minds, computers, etc. the second they leave a restricted area. The government has their issues and it deals from the top down. But they need to hire more personnel in the concerned areas who know what they are doing. Too many times did I run into civilian contractors on bases who hadn't a clue how to properly set up and maintain a network. I only wish I had the opportunity to right some of the wrongs I have seen- i.e. civilian contractors collecting in upwards of $200,000 a year to work in a "Hostile" environment; and all they are doing is collecting a pay check AND NOT completing the tasks they need to. I have seen this FIRST HAND while in the Middle East. The civilian IT staffs at most bases there were incompetent; but still they were collecting the big checks.
But that Senior Airman going around showing them what is wrong with their networks and fixing their problems for them- he only makes $15,000 a year- AND he is going to hostile environments to do it. You tell me where the problem lies.... it lies in the hands of people like yourself who complain about the "Institution," but do nothing to change it; except maybe vote the person in who has changed our country over the past 6 years. THANK YOU!
"I will not Lie Steal or Cheat, nor tolerate among us anyone who does. Furthermore, I resolve to do my duty and live ho
This is a common misstatement made by those who think joining the armed services is about service to the army, or the navy, or the president. Joining one of the U.S.A.'s armed services is about serving your country, not the individuals in control of it. It's about protecting your homeland from invaders. It's about getting a shot at the brass ring of U.S. citizenship through sacrifice. It's about putting yourself on the line for your brother, your friend, your mother, your future, etc.
When I apply for a job in the states, I do so based on my ability to trust my employer to treat me responsibly. I would refuse a job that didn't pay well, or one where my employment would be degrading or unduly dangerous. Joining any military is a distinctly different sort of employment. It's an inherently dangerous job, one in which you can expect abuse from your employer, rigorous and painful training, and eventual combat duty.
So, in short, while this article is certainly a sign that our government is abusing our troops, one should honor those who do so despite the obvious risks inherent in service. Rather than wondering who would serve, we should wonder who would treat so poorly those who give so much. We ought (as in a moral ought) to respect and honor those who risk their lives to defend our way of life. We ought (again, moral ought) to hold in deepest revulsion those who abuse them, or send out the troops over petty personal desires and greed.
-GiH
"In an age where domestic phone calls are monitored, a government employee was allowed to walk out of a government installation with the data on thousands of American citizens to store on an insecure personal computer? Doesn't that seem strange to you."
No contradiction here, both are consistent with each other. Either way, it is because you have no privacy in the eyes of the state.
${YEAR+1} is going to be the year of Linux on the desktop!
I've done work like this, writing software that works with various sensitive data, millions of records, maybe even one of you, and I've done it from home.
However, my set of data was real data that was obfuscated, random names, SSNs, etc., generated, replacing the ones in the database. No real data was ever allowed to be exported off the database server, period. Only an SA could steal it.
That this wasn't done is just gross negligence on the part of the organization.
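The masking the poster describes (real records replaced by generated names and SSNs before anything leaves the database server) is easy to get subtly wrong: if the fake values are not consistent, joins and duplicate detection break in the dev copy, and if nothing checks the export, a real column can slip through. The following is an added example, not the poster's code or any VA system, showing one way to do it: each real value is mapped to a fake one through an HMAC-keyed generator, so the same person always gets the same fake identity, the secret (assumed to live only on the database server) is needed to relate the two, and a gate check refuses the export if any real SSN or name pair survives. The records, name pools and secret are constructed for the demo.

```python
from __future__ import annotations

import hashlib
import hmac
import random
from datetime import date, timedelta

# Constructed sample rows standing in for a personnel table; none of these are real people.
SAMPLE_RECORDS = [
    {"id": 1, "first": "Alice", "last": "Example", "ssn": "123-45-6789", "dob": "1970-01-02"},
    {"id": 2, "first": "Bob", "last": "Sample", "ssn": "456-78-9012", "dob": "1982-11-30"},
    # Same person appearing twice (e.g. two enlistment periods): the masked values must match.
    {"id": 3, "first": "Alice", "last": "Example", "ssn": "123-45-6789", "dob": "1970-01-02"},
]

# Replacement name pools (hypothetical, chosen so they cannot collide with the sample data).
FAKE_FIRST = ["Quinn", "Rowan", "Sasha", "Taylor", "Morgan", "Jordan", "Casey", "Riley"]
FAKE_LAST = ["Ashford", "Blakely", "Corwin", "Dunmore", "Ellery", "Fenwick", "Garnett", "Holloway"]


def _rng_for(secret: bytes, field: str, value: str) -> random.Random:
    """Deterministic PRNG keyed by HMAC(secret, field:value).

    The same real value always yields the same fake value (so joins and
    duplicates survive masking), but without the secret the fake value
    cannot be mapped back to the real one. The field label keeps the
    streams for ssn, name and dob independent of each other.
    """
    digest = hmac.new(secret, f"{field}:{value}".encode(), hashlib.sha256).digest()
    return random.Random(int.from_bytes(digest[:8], "big"))


def mask_ssn(secret: bytes, ssn: str) -> str:
    """Replace an SSN with a synthetic one in the 900-999 area range.

    The SSA does not issue area numbers 900-999 (that range is reserved for
    ITINs), so a masked value can never coincide with a real person's SSN.
    """
    rng = _rng_for(secret, "ssn", ssn)
    return f"{rng.randint(900, 999):03d}-{rng.randint(1, 99):02d}-{rng.randint(1, 9999):04d}"


def mask_name(secret: bytes, first: str, last: str) -> tuple[str, str]:
    """Pick a replacement name pair keyed to the real name pair."""
    rng = _rng_for(secret, "name", f"{first}|{last}")
    return rng.choice(FAKE_FIRST), rng.choice(FAKE_LAST)


def mask_dob(secret: bytes, ssn: str) -> str:
    """Pick a synthetic birth date keyed to the person (via SSN), not derived from the real date."""
    rng = _rng_for(secret, "dob", ssn)
    return (date(1940, 1, 1) + timedelta(days=rng.randint(0, 60 * 365))).isoformat()


def mask_record(secret: bytes, rec: dict) -> dict:
    first, last = mask_name(secret, rec["first"], rec["last"])
    return {
        "id": rec["id"],  # surrogate key is not PII and is kept so joins still work
        "first": first,
        "last": last,
        "ssn": mask_ssn(secret, rec["ssn"]),
        "dob": mask_dob(secret, rec["ssn"]),
    }


def build_export(secret: bytes, records: list[dict]) -> list[dict]:
    """Produce the only dataset that is allowed to leave the database server."""
    return [mask_record(secret, r) for r in records]


def verify_no_real_values(originals: list[dict], export: list[dict]) -> bool:
    """Gate check before export: no real SSN or real name pair may survive masking."""
    real_ssns = {r["ssn"] for r in originals}
    real_names = {(r["first"], r["last"]) for r in originals}
    for m in export:
        if m["ssn"] in real_ssns or (m["first"], m["last"]) in real_names:
            return False
    return True


if __name__ == "__main__":
    # The masking secret would be held only on the database server (assumption); demo value here.
    demo_secret = b"demo-secret-do-not-reuse"
    export = build_export(demo_secret, SAMPLE_RECORDS)
    if not verify_no_real_values(SAMPLE_RECORDS, export):
        raise SystemExit("export blocked: real identifiers present")
    for row in export:
        print(row)
```

Because the mapping is keyed, a developer who legitimately needs to trace a bug back to a real record can hand the fake SSN to someone with access to the secret on the server, while a stolen laptop holding the export yields nothing usable.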
"how could one have faith enough to serve an inept institution?"
./ editors have enough of the spin and editorializing - especially when it's egregiously wrong as it is in this case. How about getting an editor with some military background instead of the usual suspects? A little bit of diversity might help ./ avoid posters like the originator who completely misses the point of the article and instead tries to spin it politically (point is veterans' records were taken via a moron breaking security at the VA, not some anti-military screed that the OP tries to spin it into).
I didnt serve the Army - I served *IN* the Army.
What I served was the American People, through their elected Commander in Chief, and the primary focus of the Oath I and others swear is:
to Uphold and Defend the Constitution of the United States
Second error by the OP is the "institution" that lost the data was not the military per se but the Veterans Administration, a cabinet level office that is separate from the Army, Navy, Air Force, Marines and Coast Guard, etc.
When will
There are plenty of libertarian geek veterans out there who post here regularly - Rob, grab one and add some diversity to the editorial clique.
Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo! http://goo.gl/J9bkO
I know that in this case more than social security numbers were taken. But this is a good spot to say that I would like the US government to publish, for free download, a list of all issued SSNs and their associated names. Then the banks, insurance companies, universities and so on will have to stop pretending the damn things are secret.
I know most people here don't know or care that there's a difference, but not everyone in the military is a "soldier". In fact, most of our service men and women are not soldiers at all.
but, as far as I know, the government is not only elected by the voters, it consists entirely of citizens.
It may sound like a left-field liberal statement, but working for the country isn't working for the "dirt" of the country, it's working for the people who make up the country. There are a lot of folks (at the local level in smaller cities at least) who do believe that this kind of service (serving as mayor, working for the Dept. of Building Safety) provides something useful to people. Even at the federal level, a lot of folks at least start out with the idea that they will be serving their fellow citizens. I know of a good number of vets who had that same idea about being in the military. (Though as another poster mentioned, there were also a good number in it for the GI Bill)
From your post it sounds like you don't believe that there can ever be a justification for war. I suppose you'd deny it was worth fighting to prevent another 6 million Jews killed in the 40s? Peace in our time, right Neville? Or perhaps that when England invaded the US in 1814 we should have let them burn the entire country, rather than just Washington DC?
There are a lot of people who believe that it's possible to serve their fellow citizens by serving in the military (But probably not a lot reading slashdot, oh the horror of such a politically incorrect thought! Close your minds now, slashdotters). Whether those people serving in that way agree with a particular political decision that our duly elected leaders make is another issue entirely. Confusing the two (as you do) is nonsensical.
This all comes down to being able to trust your employees. The government has a lot of people working for them, and it is impossible to make sure that every employee is doing exactly what they should. Maybe we can spend more tax dollars to get guards to search everyone before they leave and train them on how to look for information on computers. Then since we can't trust every guard we need to spend more to hire people to watch the guards, and more to watch the watchers, and more to watch the watchers of the watchers, and ... I think you get the idea.
I hear there are a lot of Service Members bringing a class-action against the VA in this case. Being a military member myself I don't get why. If you want to sue then get the man that took the info home. If you sue the VA and win then the VA is going to have to pay a lot of money out of its already decreasing budget. How will we get the good healthcare and other benefits if the budget is going to send every service member a check for $1.50? Let's face it, class actions aren't very good at getting anyone money except the lawyer. I say we just look for the thieves, who most likely didn't know that info was on the laptop, and put them in jail. The laptop has most likely been reformatted and sold at a pawn shop.
The greatest of all weaknesses is the fear of appearing weak. ->JB Bossuet, Politics from Holy Writ. 1709
Okay, not a ton of vets on ./, and fewer still have been in the past 10 years.
This is not a problem with insecure hardware, someone taking work home, etc. This is a much deeper problem.
Who knows what an access roster, alpha roster, or leader's book contains? Military style?
Who knows what it takes to do anything and what goes on almost every piece of paperwork you have to fill out?
Full Identifying Data, to include First, Middle, Last Name, Social Security Number, and often times Date of Birth go on all these. This problem is an issue with how the military identifies, tracks, and loves to have SSNs on everything it prints. Then, despite the best OPSEC plans, if you are not in an MI unit with its own burn bin set up for Classified and SBU (Sensitive But Unclassified), your information will go home with everyone, get thrown in the trash, and be available to anyone on post, and any personnel guy anywhere.
Identity theft and risk for it is ripe in the military, and the issue is with the administrative and personnel system currently in place for the military.
YouStockIt - Education through Unorthodox Methods
"After this, how could one have faith enough to serve an inept institution?" The short answer is that someone has to serve in the hopes of someday things being made right. If the best and brightest will not do the job they should not complain; on the other hand, if the best and brightest are doing the job we cannot expect people not to, occasionally, make bad decisions or mistakes. While this is a serious transgression I hope this individual was not knowingly compromising our veterans and, being a veteran myself, I feel confident that since the information was made public, by the transgressor, I can be more observant of my finances etc. In the end incidents like this will happen and we can only hope that they will be handled in a timely and professional manner. Perhaps we can also suggest solutions to the problems instead of just complaining.
"Layers of encryption and protected access was successfully bypassed"
So was your grammar checker.
Why yes, I AM a rocket scientist!
Here's how it happens:
The big problem is management, the people who make the big money to take responsibility, react more than proact. Security means vigilance, but it also means giving people the proper time to do their work within the procedures of security. In my life I've only met a few people who took day to day security seriously and made a point of not giving in when someone asked for a short cut, "just this one time."
Management as much as ever seems to attract people to the wages and not the actual responsibilities. Peter principle of some stripe I suppose.
A feeling of having made the same mistake before: Deja Foobar
Someone stole a laptop. It would be wiped and sold on the street. 99% chance no one would be the wiser; the thief didn't know what he had. Now news comes out that there could be a laptop with tons of valuable info... thieves all now look to see if they have the golden laptop! Another case where the news of the incident makes the problem worse. Let's make a big deal of this when someone actually knows they have this data and uses it for ill intent.
and they can't deny it. they do everything they can to try and focus attention away from their utter and total failure in every possible direction, every possible measurement. and. it. isn't. working.
if this is supposed to be a new economy, how come they still want my old fashioned money?
That's what happened a couple of weeks ago when a huge data store of Veterans' identity info from the VA went missing on a stolen laptop.. I mean you can't turn on the news without hearing someone rant about this travesty. You only have to go to a VA hospital to see exactly how much Americans care about their troops.
I am sure the outrage over this one is going to be deafening. Just like the protests against the nazi fundamentalists who tried to get FOX to stop airing "Saving Private Ryan" on the anniversary of D-Day because they were offended by it. Jeez, why did they show back to back repeats of "House" last night instead?
In the meantime, I am going to stock up on Identity Theft and Volcano insurance.
This was different data, on the same damn laptop. I think the guy was in on it. Nothing else was stolen, just his laptop, which, oopsie! had not one but two sets of valuable data which were not supposed to be on it. Here's what I think went down:
Dude had some bad debts to some bad men. Said bad men approached him with a way he could pay them off. Just get data for ID theft on his laptop then leave it in his house and they would make it look like a burglary. Dude does so, and reports laptop stolen, but not the data on it. Later, after other Bad Dudes are off his back, dude has a change of heart and admits the data was on the laptop.
I know, never ascribe to malice or greed what can adequately be ascribed to incompetence, but I think the facts in this case are pretty damn fishy.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
After this, how could one have faith enough to serve an inept institution?
So, surely you've seen some of the great moments of the Commander in Chief that currently runs policy for the US military?
And this was the first clue in 6 years that it was an inept institution?
Oh, I get it now. Welcome back. How was Mars?
While you were away, Earth has been on the verge of total chaos in the absence of any remotely intelligent leadership, mostly thanks to the fundamentalist sheep that seem to make up the highly vocal minority of the human population.
Just to bring you up to speed, the most powerful man in the world has trouble stringing two coherent sentences together when a camera is pointed at him (which is almost constantly, unfortunately), and the runner up is widely regarded as being his poodle. This pretty much implies that the two most powerful military forces on the planet are pretty much running on empty in the IQ dept. As you will have guessed, this means nobody on the front lines is safe from any angle. Many of those on the "Home Front" are pretty much in the same boat.
So, while these idealistic, brave young men and women are trying to protect us in the "free" world, we're all losing the freedom they're dying to protect. You ever hear any of the stories where someone sets off a major alarm at one end of the city, then robs a gold repository at the other end when all the cops are away? That's what's happening here, only the gold being carted off is our freedom and privacy, and the soldiers are off dying in the wrong place for the wrong reason. Given the apparent incompetence of the world leadership, it's more likely being misplaced than stolen.
This is not surprising to me at all. I know of several DoD systems that are totally lacking in any kind of real security. Currently, the best they can muster is obscurity. When a severe security hole was brought up the response was, "Yeah, but who would think to look there?"
The problem is that the various networks have been outsourced to contractors. Contractors only care about one thing--[strike]following the letter of the contract[/strike] Getting paid. The thought is, "They won't ever find it because, if they knew the difference they wouldn't need us to do it for them."
The solution, unfortunately, is money. The military's new prime directive is to "Do more with less" and to that end is looking to leverage (...I think I just threw up in my mouth a little bit...) the power of the computer. Currently, that takes the form of contractors, but contractors are not the solution. TCO aside (I think the cost avoidance of outsourcing is debatable if looked at with a wider scope), bureaucratic instruments do not possess the tactical flexibility needed by an operational force. DoD needs to return to the days of yore when they were the producers not the consumers (think ADA and ARPANET). Congress needs to provide the funds needed for this in-house development and the public needs to demand the appropriate oversight to ensure that it doesn't go for more office chairs in the back office where shady contracts get signed.
From my initial readings of the articles, being a Veteran I am concerned, I also remember reading that the reports of the incident and subsequent arrests took place about 2 weeks AFTER the actual incident. While this is in no real way surprising, it made me wonder, why such a long wait for the data security failure to be reported/come to light?
Well...my theory...
The information had been stolen through a network link of some sort and they had to come up with some way to both report the stolen data (allowing the 4.7 million personnel the opportunity to protect themselves) and cover their collective asses.
So, they found someone who was out of favor, and sent someone to steal his laptop. The data does not even have to be ON the drive because the Feds would not allow the local yokels to access it because of the private nature of the data (my supposition). Boom, instant scapegoat and an easy way out for a larger ineptitude and management failure.
Keep in mind, this is all totally conspiracy theorist material, but it fits the facts well.
"Talk amongst yourselves."
"The way you think it is may not be the way it is at all." St. Oran
"Honestly, this kind of thing is so widespread, from credit card companies, to banks, to telcos, and now the government, that it makes you wonder just what it takes to secure your personal data. I wouldn't be surprised if this happens to one of the major credit bureaus somewhere in the near future."
Trusted Computing would help here by allowing the stolen hard drive to only work on appropriate computers.
You lost me on Senior Airman. I've never seen one with more than very rudimentary skills. It takes YEARS of experience to be truly proficient at network troubleshooting and setup. To be perfectly frank, as a former Army guy, I was pretty amazed at the lack of competence at the lower levels in the Air Force. Combine that with most people I saw who were sent over were being punished or were otherwise undesirable in a stateside unit and I sincerely doubt your statement is accurate.
On the other hand, your sentiment was completely spot on. The parent poster was an asshole.
>> After this, how could one have faith enough to serve an inept institution?"
Anyone living in the US does, not just those in the services.
From personal experience of being a government contractor for over 10 years, security on government networks leaves a lot to be desired. First, while there are passwords and secure logins, after that most data on government networks is totally insecure. Second, no one checks you as you walk out that door after work. Third, the government should provide a better way to work from home. Everyone is working more hours, and rush hour is forever and a half here in the DC area. It would be very productive if they made working from home easier and more secure. This data could have been accessed through a VPN, making it far more difficult for it to get into the wild.
It's fun being a Beltway Bandit!
Whatever, Reuters must either be a slow news agency or something. I heard about this at least a week ago, but I believe it was two or three weeks ago when they were talking about the Department of Veterans Affairs and the lost data, that they believed there could have been a large number of current soldiers whose info was also lost.
Now, not only do service personnel currently serving have to worry about IEDs and being fired upon, but they are now subject to possible identity theft. A real failure. After this, how could one have faith enough to serve an inept institution?"
I'm in Iraq right now. Yes, we have to deal with IEDs and being fired upon. And yes, having to worry about this isn't all that great either. But that has absolutely nothing to do with "serving an inept institution" as you call it. We don't serve an institution. We serve in the Armed Forces of the United States. I serve in the Army, and I don't think that the Army is inept. This isn't a failure of the US Army as a whole, but it was due to the indiscreet act of one person. He violated OPSEC (Operational Security) and he had no business taking sensitive information onto his personal computer. This is HIS fault, and I hope he gets prosecuted to the fullest possible extent under the UCMJ. So please, like the parent said, no editorialization is necessary. We serve because we took an oath. We serve because we are professionals. We serve because words like Loyalty, Honor, Duty and Courage mean something to us. It doesn't mean that it means nothing to a civilian. But I hate it when people assume we are nothing but mindless drones. I, personally, try to keep politics away from the military. Which is why I don't endorse any side of political debate, when speaking as a soldier. I'm here to do a job, and I'm here as a professional.
Sorry for going so far off-topic.
Vivin Suresh Paliath
http://vivin.net
I like
He's a retired vet.
Luckily for me, I served in the Canadian Army, and they take personal privacy a little more seriously up there.
It's a sad commentary when the supposedly most advanced superpower in the history of the world can't even keep personal data private for its most advanced military forces.
-- Tigger warning: This post may contain tiggers! --
Improvised Explosive Device. DIY bomb, if you will. Nasty little fsckers.
:P (-_-) ;_;
I heard 'secondhand' that Gulf War 2 didn't have to have all the IED carnage.
In brief:
At the beginning of Gulf War 2 there was an ammo dump over there that wasn't secured by the good guys. So the bad guys got access to it first and cleaned it out. Since then, the good guys have been paying the price for this oversight....
The IED'ers are using sound guerrilla tactics. I recently heard that the insurgents don't resort to 'sniping' from a concealed location because after the first shot or two, their position is given away and an RPG could be forthcoming a moment later in retaliation from superior forces (the good guys). So with IEDs you get the ultimate, deadly 'jack in the box' experience: you never know when one will show up next....
What is really 'mindblowing' is that the insurgent forces are killing their own countrymen with these things just because they want to help the 'good guys' out with this military operation (i.e. police station-based IED attacks).
9/11 and Gulf War 2 was/is nasty business--there are no winners....
I hate to say it, but having been a developer on big databases full of reasonably sensitive information this doesn't surprise me in the least. Operators & developers must have very liberal access to be able to perform their jobs, and they're far too often dangerously undertrained re: basic fundamentals of data security. "i have to run out, can I just leave you my password to check on this job status in 30 minutes?..."
I'm not exactly convinced that my freedom lies in a desert oil field or is protected by shooting innocent civilians in other countries.
Then please, go live in one of those other countries. WE won't miss you here I promise.
They don't want to serve an institution, and they didn't join in order to serve an institution, but let's get serious. Once someone is in, their job isn't to think up "what does my country need today?" -- their job is to follow orders. Orders which come from someone, who got their orders from someone else, up a long chain to..
That takes a hell of a lot of faith, faith so strong that it denies all observations of how political leaders get into the position to issue orders. Perhaps this spectacularly-idealistic faith is the modern explanation for the proverb "there are no atheists in foxholes."
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Press reports say there was some medical information in the records (http://www.modernhealthcare.com/article.cms?articleId=40022).
If there was enough to rise to the level of "electronic Protected Health Information" then the big guns of HIPAA swivel in the VA's direction.
Then the VA would be legally required to encrypt the data. (Of course, as with anything said about HIPAA, I'm oversimplifying. Encryption is an "addressable" requirement, which means you're allowed to say (with proof) "I can't do it" as long as you do something else that you can show is just as good).
"Official Use Only" does not *begin* to cover HIPAA requirements.
Ok, I'm off to sign my life and freedom away to fight and kill civilians in the name of your freedom. Are you proud of me now?
The stories regarding this matter keep referring to "data theft" and "stolen data". But while the laptop and external hard drive were stolen, the data itself was not. "Stolen" and "theft" only apply to cases in which the rightful owner no longer has possession of the item in question. So we cannot say that the data itself was "stolen"; rather we must say that the rights of the rightful data owners were "infringed", right? Indeed, if someone had obtained this data without authorization by hacking into the VA's computers (rather than by stealing a hard drive), then "stolen" and "theft" wouldn't apply at all. Am I right? No? I didn't think so either. ;-)
-- "I never gave these stories much credence." - HAL 9000
The news is that 2.2M Active Duty personnel data was also on the laptop. The previously reported story was about the 26.5M Veterans' personnel data that was stolen.
Now the enemy can get the serviceman's address and kill their families. Anyone think of that? Times are different; if we stay stupid we are going to lose.
Oh.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Almost good enough to be a movie plot. Dude buys stolen laptop for drugs, then finds it has multi-million dollar value for the data it contains. Suddenly, he realizes that everyone and his ex-wife will be looking for the thing, so he has to bump off the junkie that sold him the thing to cover his tracks.
All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
Many of the comments have been about the failings of the individual responsible for taking the data home. While this is certainly an important aspect, I think that the fact that service member personal data can be taken home is a bigger issue. Where was this data? Probably in a malformed spreadsheet on his work PC, completely unprotected by encryption. If we (the people) want to ensure that this cannot happen anymore, push your duly elected representatives to enact legislation requiring any personally identifiable information be encrypted at all times. If the entertainment industry can see to it that I can't copy a CD, then certainly the government should be able to ensure that nobody can copy my SSN or other such info.
I worked in an IT shop in the AF for a contracting squadron and I must say that if it were up to me, the PCs would all have biometric stuff, no writeable drives (CD, DVD, Floppy), no open ports on the machine (USB, Firewire, Parallel, COM, etc...), and no printscreen button. This seems to me to be the only way to stop this sort of thing from happening.
"I was reading the news this morning on Reuters, when I stumbled across this article: US Service Personnel Personal Data Stolen
[missing period]
In the article, an official violated policy by taking the detailed personal information of thousands of active and reserve troops to his personal home, storing it on a personal computer, that was later stolen.
['that was later stolen' doesn't need a comma]
In an age where domestic phone calls are monitored, a government employee was allowed to walk out of a government installation with the data on thousands of American citizens to store on an insecure personal computer?
[This is not a question]
Doesn't that seem strange to you.
[This is a question]
This is a real failure, in my opinion, in government protection of its citizens.
[should be '*of* government protection]
Layers of encryption and protected access was successfully bypassed to make the theft of this information as simple as stealing a home pc.
['*were* bypassed' It's plural]
Now, not only do service personnel currently serving have to worry about IEDs and being fired upon, but they are now subject to possible identity theft.[wow! no mistakes!]
A real failure.
[sentence fragment]
After this, how could one have faith enough to serve an inept institution?"
["faith enough" Were you born 100 years ago?]
Err,
Is this the same incident that I heard about on NPR like 3 weeks ago? And it's just now making slashdot. I don't reckon "Stuff that matters" really applies to a 'news' site that runs old news.
If anything this should show the American people just how bad of a problem managing stored personal information can be.
And the Feds want a lot more.
I am a vet and this makes me sick to my stomach.
Do you want the same?
Just support the warehousing of information without any plan, oversight or security.
For anyone to EVEN consider that anything that happens within the Bush Administration is not greed/power driven is to be completely beyond belief - unless you've been on the orbiting space station or trekking the Andes over the past 6 years.
Please, and forever more, always ask the next question.
This is the crucial aspect to analytical thinking: always ask the next question - understand the existence of cause and effect, but - never assume something that follows something else IS ALWAYS the effect (Post hoc, ergo propter hoc.).
Example: when those Spanish-language radio stations organized the national protest marches (while that NSA illegal spying was in the news), one should ask: Who owns those Spanish-language radio stations????
Another case where the news of the incident makes the problem worse.
I'm just dying to know what your criteria is for when something should and shouldn't be released in the media. When do you let the light escape that box? The more powerful an institution is (and therefore the more capable of harm due to misbehavior or ineptness), the less we should report about it? Seems to follow from your premise, doesn't it?
In terms of government accountability, the precedents for and implications of your position are disturbing as all get out. The obvious analog to "Don't report anything bad about [the war], it's only abetting the enemy" is the stuff of any totalitarian state.
You're confusing the role of reporters with that of propagandists.
"Fundamentalism" isn't about divine morality. It's about human authority.
It just shows United States Military Service Personnel are doing such a great job of watching us, that they are willing to have their own lives compromised.
This is a good thing, no?
-- Safely entrenched at the bottom of 'Bad Karma'.. now I can finally speak my mind-- one of the '10' times per day limit, set by the same
I will gladly lose all of life's battles.. in order to win the war..
This is precisely why we need to monitor everybody's telephone calls and net communications... If we had been keeping tabs on this guy, we would have known he was violating the privacy rights of millions of our servicemen.
With all the recent news of mass killings in Iraq, the sagging US economy, the problem with immigration and illegal immigrants, the news of congressional scandals, stories of massacres by marines, the NSA listening in on private conversations, and his own sagging poll numbers-- George W. Bush held a press conference to address these various concerns by US citizens who are afraid of losing their jobs, unable to get health insurance, afraid of government intrusion into their private lives and abuses by US marines in Iraq and Afghanistan, and identity theft stemming from the recent spate of lost personal data at the hands of government officials. Here is a link to the Press Conference.
Considering that the upper age limit of enlistment is currently 35 and that even at a younger age an E-4 in any branch can attend college (prior to and during service) and gain experience in network setup and troubleshooting that's kind of insulting. Also, I personally know that the list to go to the sandbox are primarily volunteer in the Air Force, until they have more slots than people, then the selection is made on skillsets (i.e. Weapons, Vehicles, supervising, etc.). Most of the time unless someone goes down for medical or family it's all volunteer. Just because the Army punishes their people by sending them to pound sand doesn't mean that the rest of the services do.
On topic, yes the parent poster is an asshole.
What about when the thief realizes that he has the addresses and ranks of almost every active member in the US military? Someone without any ethical standards would call up Al-Qaeda and say "Hey look, you want to knock off the families of every colonel and lieutenant in the nation? Here... it's yours for 20 million dollars." In my opinion, this is the biggest concern. Along with the people that are saying this is the best thing that's ever happened, claiming it demonstrates some hole in the government. I can't make any sense of that. I know the government gets a lot of things wrong, but it also gets a lot of things right, and thinking it's a good thing that 27 million people are now at risk of having their identities stolen or worse is messed up. That idea is just stupid.
From the summary:
a government employee was allowed to walk out of a government installation with the data on thousands of American citizens to store on an insecure personal computer
Does anyone else see the adjective "insecure" in so many IT contexts and realize how funny it sounds? I mean, what are we to make of an insecure document? A document that is harbouring feelings of self doubt? That poor tortured little document -- imagine what it must be thinking: "Am I really a document? Do people like to read me? Does this file format make me look fat?"
If it weren't for deadlines, nothing would be late.
> This is exactly why the government shouldn't keep personal info.
I think you're trying to close the barn door while whining about all the horses that got out.
I think this is exactly why we should quit pretending that knowledge of SSN and birthdate is ANY kind of reliable authenticator at all.
Only morons in government and banking have such a pathetic lack of understanding as to believe that a good password is a permanent unchangeable code which is stored in many databases and known to many people besides the subject.
Seriously folks, this happened like two months ago. I remember hearing about this on ABC news well over a month ago and it was old news even then because it was covered up. There is a reason I get my news from other sources than slashdot...
I used to be a GS11 Systems Administrator with a J6 (yes, J not G) and the biggest problem was that no one was tracking anything (system data, systems, up time, etc.). "I don't know" was a fairly common answer if you asked for information about anything. You could've run a bus through the network and no one would have noticed. Most of the time the only way we knew a site was down was when they called the support center.
Basically AR 25-2 and AR 25-1 were not taken as mandates, they were just "nice to haves." Anyone else notice that some bases simply have the most clueless admins and least amount of auditing equipment and knowledge? If this guy had just said that he was using his laptop for videogames I doubt anyone would have ever known.
Perhaps you didn't notice, but the entire federal government got failing grades on their infosec security report card.
What percentage of companies would receive a failing grade on infosec security if they were held to the same tests and standards? Just a wild guess, but I would hazard over 90 percent. Not a month goes by without some business reporting sensitive data loss, and it still happens, again and again. And be mindful that businesses have an easier time hushing up such things than the government. I saw an article a few days ago about how even HIPAA is being largely ignored now that the newness and enthusiasm has worn off.
This loss was catastrophic and inexcusable, but it could easily happen to any private firm handling credit data too. As in this case, all it takes is one well meaning but stupid (and unlucky) employee to circumvent the rules and the world turns to crap.
I would guess that most corporations are less structured than the government in formulating and implementing policies. In fact, unlike the government, corporate policies are rarely backed by criminal laws. The worst a business can do is fire a negligent employee and maybe, just maybe, sue him, unless they can convince the local prosecutor that fraud was involved. The government can (and does) do all the above plus they can prosecute for simple negligence.
This guy, while obviously negligent and stupid, was probably not of malicious intent. He probably thought he was "serving the veterans" by working at home without compensation. Stupid and unlucky for him. As I said before "no good deed goes unpunished", but a more apt saying would be "the road to hell is paved with good intentions".
I think a larger issue than this one theft is that this same data exists out in the financial world too, handled by many outsourced companies and uncleared employees in a completely unregulated way. A better solution would be for Congress to nix this whole situation by rendering SSNs useless for financial transactions by making it a crime for any firm to use or store SSNs **FOR ANY PURPOSE**, other than payroll tax collection for its own employees. The only people to whom your SSN should have any meaning and use ought to be you, the Federalis, and your employer. The credit agencies and data brokers would howl, but it should be done.
Speaking as someone who recently served in the military and now works as a defense contractor, the DOD and the VA have a huge problem with protecting the personal information of people that work for the agencies. Walk into any office on any military installation and I can practically guarantee you will find the names of people with SSNs either posted on the walls or lying around freely on someone's desk. Unfortunately, DOD and VA track all their employees' data with an SSN, including things like security clearances and who's authorized in an area.
Let me be neither the first nor last to say that perfect security for a sprawling heterogeneous institution like the Federal Government is humanly impossible. Even if you have perfect algorithms (which you don't) and perfect code (which you don't) and perfect hardware (which you don't), you'll still have people who make honest mistakes.
What can you do? Try to audit every line of code and you'll still miss things. Do the most extensive background checks and you'll still miss things. If you require more training and paperwork, compliance issues take up so much of your time that you don't get any work done (and you'll still miss things).
Yes, there are problems and they need to be fixed. Yes, the government often deserves the bad grades they get from auditors. Of course not every mistake is honest, and there are some corrupt employees. But inefficiency, corruption, and idiocy creep into every large organization, and saying "fuck him" and calling people idiots is cathartic but useless.
What, for example, have you done in the arena of information security? Since this is Slashdot, you might very well be a security expert. But if you feel strongly about a secure federal government, why don't you try to make a difference instead of posting flames on Slashdot? But since this is Slashdot, you might very well be talking out of your ass. In that case, congrats on the +5 but please get a clue before flaming.
It's easy to call the government inept, and it never gets old. That's called a cheap shot. What improvements can you suggest? I agree there need to be improvements, but I don't consider myself so eminently qualified to deride others for their efforts.
--
"Extra Anus Kills Four-Legged Chick" -- Headline
You know, THIS discussion is about an individual. I do have an improvement to suggest to the individual: ENCRYPT ANY DATA THAT IS SUPPOSED TO BE CONFIDENTIAL. This is not fucking rocket science, nor is it difficult, nor does it cost you anything but time. There is NO EXCUSE for not doing this. If I took a bunch of customer records from work (we have a database of about 65,000 casino players, many of whom have given us their SSNs so we can produce tax forms for them, or make a cash transaction over $10,000, or what have you) and lost them, not only would I be fired, but I'd probably end up slapped with some kind of lawsuit for exposing the business to liability - and I would deserve it.
As for suggestions for our government's IT departments, I'm sure I'd have plenty of them were I looking at configs. They obviously do a lot of stupid things. I won't bother enumerating possible fixes to problems that may or may not exist. But the best advice? PAY ATTENTION, and if you want to be secure, LISTEN to your IT guys. I've made security recommendations various places I've worked that haven't been taken into consideration, and on occasion they've paid for them later. (And no, not by my hand.)
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Oh kiss my fucking red white and blue ass. You haven't clue one about the hypocrisy you perpetrate. I was in Military Intelligence, my brother is an officer in the Navy with an Office in the Pentagon and my other brother is the head of the Army Reserves in the Midwest. And all of us having served learned one thing... you ARE disposable.
Anyone who believes in freedom and liberty hasn't tried to be gay, atheist or of any ethnicity but white. When Virginia Beach passes no cursing laws on their public beaches, how much freedom of speech do you have? When your cops are trained at academies to practice racial profiling, how free are you?
You sir are not only ignorant but a delusional jingoist.
This is my sig. There are many like it but this one is mine.
That doesn't mean that Microsoft makes it easy (the EFS stuff in NTFS looks pretty hokey and hard to use, and apparently isn't in XP Home, only XP Pro, and it's not clear from a few minutes' reading of the documentation whether you can tell it to encrypt your My Documents folder without causing major chaos. (And yes, I realize that that's only part of what needs to be encrypted, and I don't trust MS's current crypto given how badly broken all their earlier crypto was, but at least it's a _start_.)) Linux/BSD? Multiple solutions are available and relatively easy to implement - obviously any secure data needs to be on a computer with a real operating system...
And the best security we've got in practice is that thieves or fences usually wipe the info on stolen machines to avoid getting caught, instead of realizing that it's usually worth much more than the stolen hardware. Encrypting or Multi-Level-Secure databases have been around for a while, but are still mostly researchy.
But Crypto's only a bandaid, and I say this as somebody who's been a crypto geek for a couple of decades. People who handle information need to think about what's sensitive and what's not, and design their databases so that nobody needs to touch sensitive data unless they actually need to touch the sensitive data. So Social Security Numbers (or your local government's equivalents) shouldn't be used as database keys, and Last-4-digits shouldn't be used as passwords, and Employee ID Numbers or Customer ID Numbers should be something entirely unrelated to SSN. That means you need a separate table connecting ID# and SSN that the Payroll department tax bureaucrats can use when they're reporting taxes, but which isn't accessible to anybody who's not handling taxes. And Medical Insurance account numbers shouldn't be your SSN, in spite of how convenient it is to all the large bureaucracies out there to start all conversations by asking for your Social. If HR needs to collect new hires' Citizenship ID#s when verifying that they are legally permitted to work in the country, or the Driver's License Bureaucrats need to collect it to verify that people who drive aren't "Deadbeat Dads" and don't speak Spanish, then that data needs to be kept separate from the less-sensitive data.
The Bush Administration and its predecessors in the military and civil service have put a lot of emphasis on "Know Your Customer" laws and requiring airlines and banks and employers and such to collect lots of private data and report it to them, maximizing the ability of everybody with a cheap Moore's-Law-Inside PC to do massive data mining, and it's going to be hard to undo all that infrastructure once we throw them out of office - it's important to make sure that you can protect your own employees and customers and suppliers from accidental data loss, and deliberate theft, and planned or unplanned data mining.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
But far more important is thinking about what data needs to be used together and what data can be kept separate - that Customer SSN data of yours should be in a separate database, only used to generate tax paperwork, and not accessible to other applications (unless of course you're investigating fraud, which wouldn't be a totally surprising problem for a casino to encounter.) Not only should you not be taking it home, you shouldn't be keeping it near the less sensitive marketing stuff.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
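The two comments above both make the same design point: the customer identifier should be unrelated to the SSN, and the SSN should live in a separate store that only the tax-reporting code path can reach. The following is an added example that illustrates that layout; it is not code from the thread or from any poster. It assumes two SQLite databases standing in for two separately secured stores (in-memory here so it runs offline), random opaque customer ids, and a small constructed set of fake customers and SSNs.

```python
"""Keep SSNs in a store that only the tax function can reach.

Added example (not from the thread): customer ids are random and carry
no relationship to the SSN; the less-sensitive customer data and the
SSN mapping live in separate databases; only the tax-reporting path
opens the identity store. Two in-memory SQLite databases stand in for
two separately secured stores.
"""
import re
import secrets
import sqlite3

# Constructed sample input: fake names and fake SSNs, demonstration only.
SAMPLE_CUSTOMERS = [
    ("Alice Example", "123-45-6789"),
    ("Bob Example", "987-65-4321"),
]

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def new_customer_id():
    """Opaque random id: nothing about it can be derived from the SSN."""
    return secrets.token_hex(8)


def open_marketing_db():
    """Less-sensitive store: names, play history, and no SSN column at all."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (customer_id TEXT PRIMARY KEY, name TEXT NOT NULL)"
    )
    return conn


def open_identity_db():
    """Sensitive store: customer_id -> SSN, used only for tax paperwork."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tax_identity (customer_id TEXT PRIMARY KEY, ssn TEXT NOT NULL)"
    )
    return conn


def enroll(marketing, identity, name, ssn):
    """Create a customer: name goes to marketing, SSN goes to the identity store."""
    if not SSN_RE.match(ssn):
        raise ValueError("malformed SSN")
    cid = new_customer_id()
    marketing.execute("INSERT INTO customers VALUES (?, ?)", (cid, name))
    identity.execute("INSERT INTO tax_identity VALUES (?, ?)", (cid, ssn))
    marketing.commit()
    identity.commit()
    return cid


def marketing_list(marketing):
    """Marketing report: takes only the marketing connection, never sees an SSN."""
    return marketing.execute(
        "SELECT customer_id, name FROM customers ORDER BY name"
    ).fetchall()


def tax_form_rows(marketing, identity, customer_ids):
    """Tax path: the one place that joins a name to an SSN, via the opaque id."""
    rows = []
    for cid in customer_ids:
        name = marketing.execute(
            "SELECT name FROM customers WHERE customer_id = ?", (cid,)
        ).fetchone()
        ssn = identity.execute(
            "SELECT ssn FROM tax_identity WHERE customer_id = ?", (cid,)
        ).fetchone()
        if name and ssn:
            rows.append((cid, name[0], ssn[0]))
    return rows


def columns(conn, table):
    """Column names of a table, used to check the marketing schema has no SSN."""
    return [row[1] for row in conn.execute("PRAGMA table_info(%s)" % table)]


def password_allowed(password, ssn):
    """Refuse the 'last four digits' (or the whole SSN) as an authenticator."""
    digits = ssn.replace("-", "")
    return len(password) >= 12 and digits[-4:] not in password


if __name__ == "__main__":
    m, i = open_marketing_db(), open_identity_db()
    ids = [enroll(m, i, n, s) for n, s in SAMPLE_CUSTOMERS]
    print("marketing sees:", marketing_list(m))
    print("tax path sees:", tax_form_rows(m, i, ids))
```

The separation is enforced by what each function is handed: anything built on `marketing_list` simply has no connection to the identity store, so a copy of the marketing database walking out the door carries names and opaque ids but no SSNs.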
- whether they'll get shot at, or about
- what country is going to do something stupid or dangerous enough to need attacking or defending, or
- how often they'll need to be away from their families, or
- whether their weapons will be reliable in whatever country they get sent to next (because weapons that work well in Northern Europe may suck in Vietnamese jungles or Iraqi deserts, and weapons that work fantastically well on Powerpoint presentations inside the Beltway somehow aren't the same when you take them out in the field), or
- whether they'll get the supplies they need to do the job they've got to do, or
- how to get their platoon to learn to stay alive while getting the job done, or
- whether they ought to frag their bonehead lieutenant before he gets them killed, or
- how to tell the REMFs back at the Pentagon that they don't have a clue what's happening down on the ground, or
- whether the recruiters who said they'd learn valuable new skills thought they'd get jobs improvising truck armor when they got back home to LA.
That doesn't mean that they don't care about their personnel data, especially if it affects their paychecks or promotions or pensions, but when they join the Army they pretty much understand they're joining the Army. And it's not like working for a bank or the Phone Company or a factory or a university instead gives you a lot of reassurance that your data won't get mishandled (or if it does, think again.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
An article on new Seagate products was mentioned in today's Slashdot article on hybrid flash+disk drives, but farther down the article it talks about some laptop drives with built-in encryption. While I think that the OS really ought to be doing it, farming the job out to the disk is certainly a good start, and it's probably easier to use if less flexible.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I am not worried about identity theft per se. I am worried that the New World Order is behind the entire dog and pony show. After spies hacked the information from a dimwitted g-man, the CFR is now armed with lethal information (name, D.O.B., race & ss# is not a big deal--but 26 million at once is an exploitive demographic for more reasons than ID theft) they can potentially use economic warfare against 26 million U.S. Militia members in the quest to disarm the U.S. in an effort to control the planet.
Go ahead laugh.