Stolen VA Laptop Recovered
lancejjj writes "Remember how the VA was pinning the theft of 26.5 million veterans' personal records on a hard working-but-renegade employee whose laptop was stolen? Surprise! It turns out that the employee had written permission to bring the sensitive data home. Fortunately, the laptop has been recovered. It is still unclear how the laptop was recovered, or if any of the veterans' personal data was leaked."
Seriously. Attention any/all US federal legislators reading this: just mimic the EU on this one. It's a no-brainer and will win you the all-important geek vote.
there is no need to sign your posts. this isn't usenet. your username is right there above your post. stop it.
After discovering truecrypt, I realized how easy it is to have your sensitive data secured. Provided that the laptop doesn't contain spyware, only the person with password to the truecrypt volume can read it. After it's turned off, nobody else can.
And the hidden volumes feature in truecrypt makes it much harder to steal the data (not only would you need the normal volume password, you'd also need the hidden volume password - IF there is a hidden volume, which you don't know).
One of the articles quoted the permission granting documents, saying that the analyst needed real SSNs for his work. I don't understand why that would be the case. Couldn't they have generated a fake list, verified that no two numbers were alike, and assigned a bunch of random names? It seems like the whole issue could have been eliminated from the start by doing this. Also, it's just shameful the way a bunch of middle-management types are trying to shaft the analyst when he's had written permission for ~4 years.
Meh, a real sig would take too long, and I have an MMORPG to play with....
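The substitution suggested in the comment above, sketched as an added example that is not part of the original thread: each real SSN is swapped for a unique, randomly drawn surrogate and a random name before the data leaves the secured system. The sample records, name lists and function names are constructed for illustration; surrogates use area numbers 900-999, which the SSA does not assign to SSNs.

```python
import secrets

# Constructed sample records (not real people or real SSNs).
SAMPLE = [
    {"ssn": "123-45-6789", "name": "Alice Example", "claims": 3},
    {"ssn": "234-56-7890", "name": "Bob Example", "claims": 1},
    {"ssn": "123-45-6789", "name": "Alice Example", "claims": 2},  # same person again
]
FIRST = ["Pat", "Sam", "Lee", "Kim", "Ash", "Jo"]
LAST = ["Rivers", "Stone", "Field", "Brook", "Hill", "Wood"]


def random_surrogate():
    """Return an SSN-shaped value in area 900-999 (never assigned as an SSN)."""
    area = 900 + secrets.randbelow(100)
    group = 1 + secrets.randbelow(99)       # 01-99
    serial = 1 + secrets.randbelow(9999)    # 0001-9999
    return f"{area:03d}-{group:02d}-{serial:04d}"


def build_analysis_copy(records):
    """Replace SSN and name in every record; keep all other fields.

    Returns (analysis_rows, mapping). The mapping from real SSN to surrogate
    is the only way back to real identities and stays on the secured side.
    """
    mapping = {}   # real SSN -> (surrogate SSN, surrogate name)
    used = set()   # surrogates handed out so far, to verify no two are alike
    rows = []
    for rec in records:
        real = rec["ssn"]
        if real not in mapping:
            fake = random_surrogate()
            while fake in used:             # redraw on the rare collision
                fake = random_surrogate()
            used.add(fake)
            name = f"{secrets.choice(FIRST)} {secrets.choice(LAST)}"
            mapping[real] = (fake, name)
        fake, name = mapping[real]
        row = {k: v for k, v in rec.items() if k not in ("ssn", "name")}
        row.update(ssn=fake, name=name)
        rows.append(row)
    return rows, mapping


if __name__ == "__main__":
    for row in build_analysis_copy(SAMPLE)[0]:
        print(row)
```

Because the same real SSN always maps to the same surrogate, per-person analysis still works on the copy that goes home.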
Because one method involves Chuck Norris and immediate death for the thief. The other involves Charlie Sheen and about two hours of pouty looks and deadpan humor. We owe it to history to properly document this event!
Why? He had at least three written memos giving express permission for him to do what he did. The problem here wasn't with the worker, it's with the policies and directors that signed the memos.
Meh, a real sig would take too long, and I have an MMORPG to play with....
Nothing appeared to be copied? Bah. What's keeping a would-be data thief from booting up with a Linux distro, copying at will and shutting down the computer?
I use a utility called TrueCrypt on my computer. I don't use a Mac (I would if I had the money), but I think the Mac has a utility (built in to the OS to boot) that lets you encrypt the contents of your home folder. This utility (TrueCrypt) enables me to reserve a chunk of space on my HD and encrypt it. I'm pretty confident that if my laptop gets stolen, the data will be *reasonably* safe.
This is just a mix of bad infosec policies and worse OS.
the future is but past forgotten
Oh no, the best thing they could do is let him keep the job. He's the least likely person in the US to do this again. It would be different if he stole it himself.
You are checking your backups, aren't you?
Or using a system that doesn't even touch the last accessed date in the first place.
I for one am relieved that the data was not accessed, since I am a veteran who received a letter saying that I might be subject to identity theft as a result of this incident.
They gave us all a year's worth of ID theft tracking service at a cost to the gov't of $(several millions?).
If a class action lawsuit against the VA for this debacle is successful it will cost them a lot more than that.
I am more than a little annoyed that they gave the guy permission to take the data home, and now they are firing him for having done so.
In spite of my feelings, I hope such a lawsuit fails, since it will only hurt those who rely on the VA's funding for their health care, etc.
The people who allowed this to happen certainly aren't going to give themselves a cut in pay!
...the future crusty old bastards are already drinking the Kool-Aid.
The employee had permission to access social security numbers. The employee had permission to take a laptop home. The employee had permission to use database software at home.
The VA still contends that the employee did not have permission to put the social security numbers on the computer and take it home.
Look at the timeline. He gets permission to access SSNs in February. He gets permission to take a laptop home in September. Sometime during the year he got permission to use a database program at home. It still sounds to me like he took a little personal initiative to take the SSN database home.
Still, the whole affair was handled pretty damn poorly, particularly the delay in reporting it, among other things.
-h-
Data privacy laws aren't there to keep the gov't from snooping into your stuff, it's to keep companies from trading your private data, or even keeping it on file in many instances.
there is no need to sign your posts. this isn't usenet. your username is right there above your post. stop it.
You don't even have to pull the drive.
Just boot with knoppix, or some other bootable linux on a cd and do something like:
dd if=/dev/hda |gzip -9 |ssh -l someuser somemachine.com "dd of=stolendrivebackup.gz"
I think it unlikely that the VA depended on the "Last Accessed Date" when they made their claim that the data hadn't been stolen.
Given what we've seen so far in the case, it's more likely that they carefully scanned it, determined the data was still there, and therefore must not have been stolen.
If the masses can keep you down, you're not the Ubermensch.
Start ---> Documents ---> Recent Documents
FBI Analyst #1: Doesn't seem like anyone looked at the file.
FBI Analyst #2: I concur
FBI Official: We are pleased to announce that it does not seem that anyone accessed the records in question.
[Fuck Beta]
o0t!