Intern Loses 800,000 Social Security Numbers
destinyland writes "A 22-year-old intern said today he's the 'scapegoat' for the loss of over 800,000 social security numbers - or roughly 7.3% of the people in the entire state of Ohio. From the article: 'The extent of my instructions on what to do after I removed the tapes from the tape drive and took the tapes out of the building was, bring these back tomorrow.' Three months into his $10.50-an-hour internship, he left the tapes in his car overnight — unencrypted — and they were stolen. Interestingly, the intern reports to a $125-an-hour consultant — and was advised not to tell the police that sensitive information had been stolen, which initially resulted in his becoming the prime suspect for the theft. Ohio's Inspector General faults the lack of data encryption — and too many layers of consultants. But their investigation (pdf) revealed that Ohio's Office of Management and Budget had been using the exact same procedure for over eight years."
"So what did you learn interning this summer?"
"DIAF."
I'm forever amazed at how often people seem to be willing to snag a stack of backup media out of the back of someone's car. The criminal element seems to be quite tech savvy these days; I just wish some of that would pass to the rest of the population.
I live in the south, and "media left in a car" is not really a problem here; leaving tapes in the back seat of a car in the summertime is what we do when the incinerator is out of order...Works even at night!
Who the hell would send an intern out with backup tapes anyway? Makes no sense. Is that their offsite storage procedure? Send the tapes home with an intern, and hope he brings 'em back? Reading the PDF report, that turns out to be exactly what their procedure was...They even had it in their disaster plan, which makes me think it was more disaster and less plan. What the hell? Does the state of Ohio have so few buildings that they have to send the tapes home with people?
Fricking consultants. By the "You get what you pay for" scale you'd think $125-an-hour would buy you more than a huge pain in the ass like this. Sounds like the whole organization was rotten though, so it's hard to blame them.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Hell, even in that case, why didn't they have a remote backup to prevent loss through a fire or flood?
Yep plenty of blame to go around.
"Slashdot, where telling the truth is overrated but lying is insightful."
Is that 7.3% of the population working directly for the state government? I wonder what total percentage of the population works directly and indirectly (such as the contractor) for the government at all levels?
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Just goes to show you- no matter how good of an employee you are, sometimes the blood that they hand to the angry masses is yours.
"Three months into his $10.50-an-hour internship, he left the tapes in his car overnight -- unencrypted -- and they were stolen, and his 1990 Yugo mysteriously replaced with a new Ferrari."
After all these years, they've finally found a security hole in the Sneakernet.
Slashdot Burying Stories About Slashdot Media Owned
"Maybe my social security number is on these tapes?"
Would they have handled it any differently if it was?
Ok, I know that keeping data off-site is a good thing, but do you hand an intern your backups and send him home with the tapes? I think they REALLY need to redo their backup plan. Especially if it involves THAT MUCH personal data.
What kind of job asks you to take backup tapes w/ sensitive information home with you? Don't they have a cabinet or a drawer inside the building (which is itself presumably safer)?
Cheers!
Atheist: Buddhist in a Prius
Intern Loses 800,000 Social Security Numbers, 1 Internship
Fixed it for you.
7.3% sounds right. I know of several people affected by this- but rest assured, the great state of Ohio is promising one full year of ID theft protection. Bet that makes those folks sleep better at night. One friend that got a letter informing him of his SSN being stolen was told why- he was one of many Ohio taxpayers who has not yet cashed their state tax refund, and as a result, was kept in a database on the stolen tapes. As the Pretenders said, "Way to go Ohio!"
Heh.. getting fired for doing what your boss told you to do.. it's the new trend in corporate America!
I get told now and then to do something not quite above board.. so I send the requester an email asking them to state in explicit detail what they want so I can be clear (and also have a record/trail). Most times, the request is not repeated. Doesn't make me terribly popular, but I sure as hell am not going to get tossed for another person's bad (or illegal?) request.
I kinda feel bad for the intern.. kinda like a falsely-accused criminal. This will probably follow him around a while and it was little or no fault of his own..
-r (has NO problem believing the intern's story 100%)
-'fester
Who better to blame than some dumb (get off my lawn!) kid? We're all young and stupid at some point in our lives. There were times in my youth that I followed procedures by the book or (more usually) per instructions, had something screw up, and I got the blame.
On the bright side, he's an intern, meaning he's supposed to be in a learning situation. This will teach him not to trust his supervisors!
Of course, the blame ought to go to whoever stole the tapes in the first place. The only question that nags at me is why anyone would steal tapes? And I'm haunted by times I was supposed to change backup tapes at another (now closed) facility, and often left tapes in the car thinking nobody would have any use for them. Of course, ours were encrypted...
-mcgrew
This reminds me of a story a dumb ass teacher told us in a professional presentation class. I guess a guy with his Masters Degree (can not remember the degree) wrote a proposal to the government for Bell Helicopter. He had about 20 people below him and they proofed it to make sure the proposal looked OK. Well, the proposal was not OK; the budget numbers were off. So the government rejected the proposal and Bell did not get the contract. Bell then told the guy with his Masters he had to fire all 20 people below him because they did not catch that mistake. What I do not get is why do they not fire the guy who wrote it in the first place? It is always pin it on the little guy. I feel sorry for the intern. He probably did not know what he had, and the boss probably told him to do that. I bet the boss gets to keep his job.
I found them!
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
My girlfriend was one of the numbers stolen; the state has graciously offered to buy her a year of ID protection. Cause yeah, after a year, this problem goes away. She is going to have to pay for the service for years after this, just for peace of mind. Thank you so much, we didn't need this stress. You know how much beer I can buy with a year's worth of ID theft prevention? Enough to get me drunk _several_ times buddy, yeah, you are killing my buzz already!
You know what they say, "if an intern triples your workload, consider yourself lucky."
--Nuintari
slashdot : where an opinion can be wrong.
It makes sense not to report the loss for a while. 5 cars were broken into that night, and the thieves certainly grabbed anything that looked half valuable. They most likely had no idea that the tapes contained potentially valuable information, and almost without any doubt had no means to actually read the data.
If a news report came out the next day "20,000 SSNs stolen" then they would know what they had, and try to find a buyer. Otherwise the tapes would likely have been trashed so the criminals wouldn't have incriminating evidence sitting around their house.
Dan East
Better known as 318230.
The State of Ohio is offering one year of identity theft protection to those affected. To look up your access code for this one free year of ID theft prevention please visit this page:
http://ohio.gov/idprotect/lookup/lookup.aspx/
On this page you enter your last name and the last four of your SSN. Anybody see anything fishy about this page? HOW ABOUT THAT IT ISN'T USING SSL. Apparently they don't believe in using encryption anywhere, ever. Not on backup tapes and definitely not when transmitting sensitive information over the Internet.
I set up a clinic for an NHS contractor in the UK last year and the IT supplier of the clinical system actually had an NHS approved protocol documenting the exact same procedure - ie take tape off site every night.
I went through the backup code and this was the command executed every day from their pre-production version of mysql5:
/usr/bin/mysqldump -q -uroot -psecretpassword database > /tape/backup.sql
which was nice.
First, someone decided to blame the Scaled Composites explosion on Bush and now this? I don't like Bush, either, but there are (still) limits to his power, you know.
Ben Hocking
Need a professional organizer?
I'm sure if Big Evil Government was in charge of these tapes, it would have hired a $250/hr consultant to give them to a $21/hr intern to lose. Think of the savings!
I swear to God...I swear to God! That is NOT how you treat your human!
In all of these articles that pop up the same thing pops in mind. Why are people allowed to take anything of value home with them? Information like this needs to have some kind of cvs/subversion system with it. If you need to check it out, there is a trail showing who has what, and people shouldn't be allowed to take things home, and all sensitive information needs to be encrypted whether internally or not.
Thief probably thought he had a VHS tape! ... but it wouldn't play, so it went into the trash.
There is a simple solution to this kind of thing. You take the SSN, bank account and CC numbers of the person in charge (the General, Congressman, CEO etc.) and you put them in every container, laptop, tape, HDD, USB stick, etc. that has private information on it.
Problem solved.
HPC for Primates. Read Cluster Monkey
The 22-year-old's response is unacceptable given the amount of press and exposure identity theft is given.
The value of labor per hour is not relevant and should be considered distraction of truth in this situation. The reality is that an adult of mature age was directed to secure the property and was asked to take it home and keep it safe.
Whether this was wrong or not is a non-point the moment he accepted the assignment.
The fact that he left it in his vehicle is a first point of negligence.
The second fact would be his willingness to do something he felt was a risk, such as taking these tapes home.
The third being his lack of documented objection to the process and procedure which is obviously faulted.
This is old news for Ohioans. I submitted this story to /. 2 weeks ago...
For a good portion of my database backups that may or may not contain confidential information, I tar, compress and encrypt with gpg my backup data files before they get put into a directory archived by our automated tape library. I don't have to trust who has the tapes, and who is going to carry them off-site during our next hurricane threat. I clocked gpg on a fairly modest Dell 2950 server at about 10 megabytes / second. If you need more, there are hardware-based accelerator cards available.
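The two controls that the comments above keep returning to (encrypt before the media leaves the building, with the key kept elsewhere, and a check-out trail showing who has which tape) can be scripted in a few dozen lines. The following is an added example, not the poster's gpg script and not the Ohio OMB procedure. It assumes tar, gzip and openssl 1.1.1 or later on PATH, and uses openssl enc in place of gpg for portability; openssl enc gives confidentiality only, with no integrity check, which is one reason the custody ledger records a SHA-256 of the ciphertext at check-out and compares it at check-in. The sample "database" rows are constructed (area number 000 is never issued, so they are not real SSNs).

```shell
#!/bin/sh
# Added example, not the poster's gpg script and not the Ohio OMB procedure.
# Two controls: encrypt before the tape leaves (key stays on the server),
# and a chain-of-custody ledger with a ciphertext digest.
# Assumptions: tar, gzip, openssl >= 1.1.1 (for -pbkdf2) on PATH.
# openssl enc stands in for gpg; it gives confidentiality only, no
# integrity, so the ledger digest is what catches a swapped or altered tape.

KDF_ITER=200000

# backup_encrypted SRC_DIR OUT_FILE PASSFILE
# tar + gzip SRC_DIR and encrypt the stream with the passphrase in PASSFILE.
# OUT_FILE is what goes on the tape; PASSFILE never leaves the server.
backup_encrypted() {
    tar -C "$1" -cf - . | gzip -c |
        openssl enc -aes-256-cbc -pbkdf2 -iter "$KDF_ITER" -salt \
            -pass "file:$3" -out "$2"
}

# restore_encrypted IN_FILE PASSFILE DEST_DIR
# Decrypt to a temp file first so a wrong passphrase fails before anything
# is extracted into DEST_DIR. Non-zero exit on any failure.
restore_encrypted() {
    tmp=$(mktemp) || return 1
    if ! openssl enc -d -aes-256-cbc -pbkdf2 -iter "$KDF_ITER" \
            -pass "file:$2" -in "$1" -out "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        return 1
    fi
    mkdir -p "$3"
    if ! gzip -dc "$tmp" | tar -C "$3" -xf -; then
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
}

# contains_plaintext FILE NEEDLE : exit 0 if NEEDLE occurs literally in FILE.
# This is the check a thief with a tape drive effectively performs.
contains_plaintext() {
    grep -q -F -- "$2" "$1"
}

# digest FILE : SHA-256 of FILE as lowercase hex
digest() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

utc_now() {
    date -u +%Y-%m-%dT%H:%M:%SZ
}

# custody_checkout LEDGER TAPEFILE LABEL WHO
# Append who took the tape, when, and the digest of what was on it.
# LABEL must be a single token (no spaces).
custody_checkout() {
    printf 'OUT %s %s %s %s\n' "$(utc_now)" "$3" "$(digest "$2")" "$4" >> "$1"
}

# custody_checkin LEDGER TAPEFILE LABEL WHO
# Compare the returned tape with the digest recorded at checkout.
# Exit 1 (logging MISMATCH) if there is no checkout or the digest differs.
custody_checkin() {
    expected=$(grep "^OUT [^ ]* $3 " "$1" 2>/dev/null | tail -n 1 | cut -d' ' -f4)
    [ -n "$expected" ] || return 1
    actual=$(digest "$2")
    if [ "$actual" != "$expected" ]; then
        printf 'MISMATCH %s %s %s %s\n' "$(utc_now)" "$3" "$actual" "$4" >> "$1"
        return 1
    fi
    printf 'IN %s %s %s %s\n' "$(utc_now)" "$3" "$actual" "$4" >> "$1"
}

# --- demo on constructed data (area 000 is never issued: not real SSNs) ---
WORK=$(mktemp -d)
mkdir -p "$WORK/db"
printf 'taxpayer_id,ssn,refund\n1,000-00-0001,uncashed\n2,000-00-0002,uncashed\n' \
    > "$WORK/db/refunds.csv"
# Key material: mode 0600 in $WORK/backup.pass, never copied onto the tape.
(umask 077; od -An -tx1 -N32 /dev/urandom | tr -d ' \n' > "$WORK/backup.pass")
backup_encrypted "$WORK/db" "$WORK/TAPE-001.enc" "$WORK/backup.pass"
custody_checkout "$WORK/ledger" "$WORK/TAPE-001.enc" TAPE-001 intern
if contains_plaintext "$WORK/TAPE-001.enc" 000-00-0001; then
    echo "FAIL: plaintext SSN present on tape" >&2
else
    echo "tape carries no plaintext SSNs"
fi
custody_checkin "$WORK/ledger" "$WORK/TAPE-001.enc" TAPE-001 intern \
    && echo "tape returned with matching digest"
restore_encrypted "$WORK/TAPE-001.enc" "$WORK/backup.pass" "$WORK/restore" \
    && diff -r "$WORK/db" "$WORK/restore" && echo "restore matches source"
cat "$WORK/ledger"
```

With this in place the intern's car is no longer a security boundary: the tape is useless without backup.pass, and the ledger answers "who had it, when, and is it the same tape" the moment something goes missing, which is exactly the record the police asked for and nobody had.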
Is your reading comprehension:
There were SSNs of 770,000 taxpayers plus 64,000 state employees that together were 7.3% of the state population. Nowhere does it say that 7.3% of the population was working for the state government.
Just imagine how much information would be available if the RealID act was in effect. This is precisely the reason I don't trust the government with my information: they can't keep it safe.
Live life to the fullest. It's not that life is short, but that you are dead for so long.
1) He also obviously did not take time to investigate or read the policy. Granted .. this can be also blamed on supervisors. But there is no 'patch' for ignorance, correct? Sometimes you only get one shot.
2) If he had any idea what was on the tape, he should not have left it in his car. I don't know if it was in the open or not, but 'intern' or not, he should be aware of the sensitivities of that sort of data. He commented on the policy (which he was not aware of until after the fact ... we've covered that) and said it was "unreasonable to assume that the person would not stop somewhere on their way home". (He is questioning the policy, but we'll cover that next.) Again ... if I knew what was on that tape (granted, I am not an innocent, young 'intern'), I wouldn't take it. If forced to, I wouldn't let it out of my sight til in my home.
3) He *should* question policy if he wants to be valued .. hopefully he learns from that. That's something I look for in a valuable employee. Questioning does not necessarily mean 'defy' (which I think is what he is trying to say). If not questioning the policy, he should be asking "This stuff is encrypted, right?"
They are kind of going after the young intern as someone to pin this on, I'm sure. However, I don't think he can/should hide behind his 'intern' label and fire his pop-gun back saying none of it is his fault. He should admit his part in the mistakes and what he would not repeat ... then point to the broken policy / security model.
Also hope they have fraud alerts set up on those 770,000 people and are ensuring they have state-provided equifax accounts! ;)
Que Deus te de em dobro o que me desejas
[May God give you double that which you wish for me]
I stubbed my toe this morning on my coffee table. Explain to me how that is NOT Bush's fault. You got no answer for that one, huh?
What is this ID protection that keeps coming up in here? I haven't heard anything about it.
800,000 SSN numbers
9 digits in an SSN number
1 comma delimiter per number
-----------
8,000,000 digits
This is still under Gmail's 10mb per email rule. He could have just emailed himself the list as backup.
(yes, I know there's more data than the number. That's why you get 2.8gb+ of space!)
I can see it now, spam email going out saying "due to the recent theft of Social Security numbers, please check here to see if your number was stolen. Just input your number here, and we'll tell you if yours was part of the theft...have a nice day..."
"Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
Maybe there should be a law that automobile license plate numbers should be the same as the owner's SSN. That would put a damper on the temptation to use SSNs as some kind of secret passphrase.
Sarbanes-Oxley defines many internal controls for publicly traded companies. Many of these controls directly apply to IT departments and their disaster recovery/business continuity plans.
The Gramm Leach Bliley Act defines how financial firms handle and use non-public information. It may be time to expand that to ALL organizations that store and use non-public information.
It is time to insist that Government agencies also implement the types of controls mandated by SARBOX and GLBA. If those controls are so important, why doesn't our Government implement the same exact policies?
We need legislation that protects ALL non-public information regardless of who stores it or why it is used.
-ted
SSNs should NEVER be used as primary identification numbers. They are legally only allowed to be used for distribution of benefits and collection of "tax" towards paying out those benefits.
They are essentially a pyramid scheme to keep old people happy. You have to put them on everything, because they have become a national ID number. People are too complacent with that.
I'm going to take this opportunity to make my point once more that a fireproof safe (most all good safes are fireproof aren't they?) is quite often better than off-site storage. Especially if it's built into the floor or wall, though that's not always possible.
1. encrypting isn't necessary with on-site storage, thus lowering backup resources, increasing recovery speed.
2. off-site storage is to protect from natural disasters and theft, both of which a reasonably sturdy lock-box is good for.
3. theft and damage is more likely with off-site backups, even if my data is encrypted I'd rather not hand over my nice big drives. plus the idea of tape drives sitting in the back of a 150 degree car window isn't ideal...
4) on-site means you can get to your backups when you need to, instead of when the intern decides to come in.
feel free to nitpick my points
You laugh but I would work for $10.50 an hour. Not all of us are as well off to buy gadgets like iPhones and $800 video cards.
I'm obviously in the wrong career path; I could be losing SSN's for $125 an hour! Maybe next year I can move on to some $200 an hour medical record losing gig.
The state could, like, pay the consultants a FULL-time wage with benefits, as it is likely that consultants making $125/h and $200/h don't get them.
Think about it for a minute...Un-encrypted tapes are given to an inexperienced intern with instructions to take them out of the building. Soon after that, they are stolen.
There's careless, there's stupid....and then there's pre-meditated.
I suspect he might be right about the "scapegoat" claim. There are just too many mistakes here by too many people who should have known better for me to accept it as a pure "accident".
A goal is a dream with a deadline
Kid: Erm... well... *sigh*
Interviewer: Wait a second! I knew I recognized your name! You're that bastard that lost all those social security numbers!!
I will bend like a reed in the wind.
You'd think the theft of tapes that have data that can completely ruin 800,000 people's lives would be worth a little more than $500. I also hope that "whopping" was in satire.
I wonder if there are people at computer swap meets/hamfests with boxes of tapes that they sell for a few bucks apiece with interesting stuff on them.
There have been multiple incidents of people buying "junk" HD's secondhand, taking them home and finding interesting stuff on them.
(I was about to ask who in their right mind would let an intern walk out of a building with almost a million cleartext SSNs under his protection, but whoever allowed this obviously wasn't in their right mind.)
Those who anthropomorphize science and/or nature already believe in an intelligent designer.
However you have to type your full SSN, date of birth, and full name.
Here is the link: h ttp://ohio.gov/idprotect/lookup/lookup.aspx/ [hotmode.hk]
They gave tapes with highly sensitive data, unencrypted (!) to an intern and let him walk around with it overnight outside their facility. Can someone really be that stupid?
Get a damn tape rotation going and call Iron Mountain for pete's sake. They come by, pick up your tapes for offsite storage and return a month later with that same tape ready to go over the top. Couple this with encrypted data and put in a locked case, and you don't have these problems. Common sense, damn.
*shakes his head in disgust at incompetence*
Taking company data of any kind home opens up the possibility of you becoming a "scapegoat" when things go wrong no matter how it is protected nor what the company policy is. If it is required of your job, then you should at least CYA.
He should have at least asked (in a document-able e-mail, etc):
a) what is company policy on storing data at home?
b) what exactly is on these tapes?
c) are the tapes encrypted?
If I didn't get a satisfactory answer to any of these things that would raise a red flag to get the hell out.
The quote:
"As an intern, I do not create policy, I do not interpret policy, and I do not question policy. I do what I am instructed to do."
smacks of something a factory worker or wal-mart employee may say, not someone who is supposedly supposed to be pursuing higher education.
Because implementing these measures in the existing governmental structure has immense, prohibitive costs that the taxpayers (time and again) refuse to foot the bill for in a tax increase.
I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
Wait, whoops, wrong website.
The word is "no." I am therefore going anyway.
Nice embedded trojan, shitwipe
I was the "UNIX Contractor" for a group that had a few (10 or so) UNIX boxes but no UNIX Administrator. So I did a 6 month stint at that agency working on developing runbook procedures, doing day-to-day stuff, fixing broken hardware (essentially calling Sun service and walking the tech up to the datacenter), and on and on.
But what confounded me the most was that my cube was right next to a guy who was an "Oracle DBA V" (that's a Database Administrator, level 5) -- There is no DBA 6, so in my thinking, he should at least know who Larry Ellison is. Turns out the guy had just been there "a long time" in other roles and he knew someone that put in a good word for him at our agency.
Now, mind you, I'm not a DBA. I create your filesystems and chown them to oracle:dba and let you go have fun. But this guy had no clue. None. If it didn't start up on its own, he was stuck. I found myself calling a buddy of mine from a previous job that actually worked at Oracle and was nice enough to not mind helping out when he had a question that I couldn't answer.
Long story short, as an Ohio Taxpayer, I now fully understand why we're the most tax-disadvantaged state in the nation. We essentially pay double: first time around to pay the state employees (the ones like the DBA V mentioned here) and then the second time around for the consultants to come in and do the actual work.
I think that the feds need to make it a federal law that any mass "ID/SSN theft" needs to be reported to the FBI with names, addresses, e-mail, and phone numbers of each person that had their ID/SSN stolen. The FBI should then be responsible for informing everyone in the list of the theft and the status of the case and whatever legal mumbo jumbo that they need to tell 'em. Then the FBI should turn around and charge the business/state/local/federal department with a bill for contacting n numbers of people and also a bill for mandatory ID theft services charged to the business/state/local/federal department. So if it costs the FBI $.5 to contact 800,000 then they would charge the agency $400,000 and then also however much the ID theft services cost, which is likely much greater than $.5. I'd think something like 10-20%.
It's not until these folks have to start really paying a large/huge dollar value, and not just a negative public relations value, that any business/state/local/federal department will really start taking this stuff seriously.
The reward offered was $500 for the recovery of the backup tape.
$500 / 800,000 = $0.000625 = 0.0625 cents
Just checking to find out what my identity is worth ...
Consultants reporting to consultants? Great plan if you don't care to remain in control of your company/organization.
Making a single, bottom level, low income person responsible for your most valuable asset, data? Obviously no concept of sensitive information.
No encryption? Dumb, dumber and dumbest omission of data management.
My recommendations:
1) Keep the intern. He now is knowledgeable and will make better decisions on similar matters; however, let him do the job appropriate to his level. Being fully responsible for off site data should not be part of his job.
2) Update the policy in accordance with federal, SOX, ISO 17799 and whatever other standards apply to include data encryption and a *real* off site method.
3) Get rid of one of the consultants. All consultants should be reporting directly to an employee who has interest in the company/organization.
4) Use the money saved by removing the excess consultant to pay a professional company to pickup and store the tapes off site, in a secure, disaster recovery designed site. Iron Mountain does a pretty good job. (or use their online data transfer method) If nothing else, purchase a small, fireproof box with a lock and make the manager carry it home each night.
These are really basic IT management decisions. I feel sorry for the people relying upon such an organization with an obvious lack of skill or concern.
Most of those old bromides are complete and utter bullshit. You don't always get what you pay for. Sometimes you pay and don't get anything. But you usually pay for what you get. A horse is a four legged animal does NOT mean that a four legged animal is a horse. You pay for what you get if you don't get screwed! And often you pay LESS for a superior product. When a salesman tells you "you get what you pay for" hold on to your wallet, because you and your money are likely going to be taken for a ride.
"The way to a man's heart is through his stomach". Bullshit, the way to a man's heart is through his dick.
"There's no such thing as a free lunch." Whoever said that never had a grandmother, or knew that polk and dandelion leaves are edible.
"Money doesn't grow on trees!" Tell that to an orchard owner, whose entire income grows on trees!
Mindlessly accepting what someone tells you is mindless.
-mcgrew
What does a stolen SSN really mean? What can be done by someone who has stolen a SSN? Some form of ID-numbers exist in most countries, but getting it stolen rarely poses a threat to your integrity?
Why would he steal the tapes? He could have just copied the data and no one would be the wiser.
DeVry University. Nuff said. Hire from crap college, get crap employee.
I can throw as many stones as I wish; my house is made of transparent aluminum.
Until legislation forces people to encrypt (and prosecute those who don't when audited or when incidents occur, with severe financial fines) this will continue to happen. Medical clinics are still not encrypting their backups today even though they are subject to HIPAA. People need to get fined heavily until the industry shakes up and people move. This is the way it works.
Also, it's surprising that they don't use a bonded courier or offsite storage organization to handle offsite media backups. Don't get me wrong, these companies screw up every so often, but at least they are better than some 22 year old intern, and dealing with them is proper due care, even if they are not infallible.
Maybe after a few important people are affected (ID theft, etc), will there be lawsuits and hopefully intelligent legislation to promote and effectively enforce legislation that will protect data as it should be.
Ben Hocking
Need a professional organizer?
If you are transporting such a large amount of sensitive data via sneakernet, that shit needs to be handcuffed to the fraking courier's wrist and travel with at least one, preferably two guys in suits and sunglasses.
Of course, that amount of security still invites theft, but said theft would be in a much more spectacular fashion than a simple car break-in.
The process is flawed. Hire some consultants to fix it.
Have gnu, will travel.
The consultant can engineer it on his own. He sends the tapes home with the intern; the intern acts in good faith, but the consultant takes the tapes in the night. He then sells them to the second party, and is never fingered because the expectation is that it is a random criminal element; the only thing they can cite him for is incompetence, but perhaps at $1/number, he won't care. The interesting thing about this theory is that it does, in fact, sound like the sort of criminal plan that someone would concoct who knew the workings of the system. Most thefts are, in actuality, done by employees of one sort or another - they know what's going on, and so aren't taking a random risk. For that matter, it might not be the consultant, but anyone in the office who knew the deal.
[Ego]out
Just let me pull out my dictionary and look up "money laundering".
Ben Hocking
Need a professional organizer?
Wizard.
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
Why does the government and companies even allow data such as social security numbers on Data Tapes or Laptops. I might be able to understand encrypted data sources for backup but NO ONE needs to be taking this data from point A to point B in person. What is the point of investing billions of dollars into secure networks and then not use them? My bet is that this "consultant" warned them this would happen. It did happen, and he was going to sell them his solution. Just pass a law stating that this data needs to be encrypted AND can not be taken off site. Why did this kid even have these tapes?
Unless it's an exceptionally disciplined thief, I'd bet cookies to doughnuts that the tape is going to be useless. Sure, there are tape readers out there, but the use of tape itself is almost an obfuscation technique in itself. You'd have to be a pretty determined attacker to round up a tape machine, make it work, and figure out the encoding technique on the tape.
and it's the first time that such a thing happened?
Wow, they were lucky.
It's really amazing that the agency that is responsible for this whole mess is one that's been bullying and trying to take over other agencies within the state. They claim to be the chosen ones to run the network, but in fact they keep losing customers who are running their own networks. At which point you're forced to pay fees to this group, for circuits they have nothing to do with. If off site storage for the tapes was needed, why send them out into the wild with an intern? They have many buildings within the Metro Columbus area that they can rotate off site tapes in and out of, yet still providing security. I'm hoping my name/ssn isn't on that DAT, but it really doesn't matter when you state you'll provide ID protection for 1 year.. sheesh, now you told them how long to wait before they can start cashing in. Bah... enough said, I'm heading out to watch the new Simpsons movie...
Yea, I remember a story about a guy who left a timebomb worm in the system to wipe out the data, and when it ran, it popped up a window saying there was a data error in the database, and please insert a previous backup for a rebuild...The backup guy (a junior employee) inserts tape, worm blanks tape, pops up another insert different tape message...Made it through 2 weeks of tapes before he got suspicious and called his boss.
So no system is perfect. I'm not a big fan of tape myself, but I am a huge fan of backing up to removable media. There is no reason you couldn't store a zillion backup images or archive files or whatever in your second data center, and that would work fine, but it makes my feet itch a little...Makes me feel like all my eggs are in one basket.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Your comment sound vaguely reminiscent of the "I didn't do it" Simpsons episode.
Bart messes up his lines and destroys all of the props on the stage and when the crowd's focus comes on him, he tries to get out of it, saying, "I didn't do it", which causes the audience to laugh and applaud.
http://en.wikipedia.org/wiki/Bart_Gets_Famous
What do you expect from a state that also uses electronic voting machines?
"To Deep? This is nothing! I'll tell you when we're in to deep!" - Max Bialystock, "The Producers"
*IMO there's nothing wrong with sending tapes home with people.*
Hey stupid, ever hear of a Safe Deposit Box at a bank? With access and keys available only to 2! TWO!! 2!!! STATE DEFINED EXEMPT employees.
If you're backing up SS numbers, you hire (it's cheap) an armed guard (off duty cop) to accompany you to the bank.
This was an inside job by a highly paid employee. Intern was the bag man.
If you order before midnight, we'll include as a free bonus a second database containing 36525 birth dates. This database has been carefully screened to ensure that every birth date is valid!
I salute you!
Ben Hocking
Need a professional organizer?
I think the reason we haven't heard consumers complaining about these regulations is because the companies chose not to pass this cost on to them. Several businesses have complained and others have reconsidered being listed in favor of equity/debts; the level of documentation required by SOX is almost an order of magnitude above what they used to keep, for companies with listed stocks.
I'm not really complaining about SOX - as a Canadian accountant I welcome any changes that bring American companies closer to the international standard for financial information reporting - just saying that the change hasn't always been smooth.
Let's also consider the cost/benefits of the measures. While higher levels of government (and large cities) have the staff and equipment necessary, yes, the cost of applying SOX is a relatively small burden as it is mostly limited to additional training. Smaller cities, however, would have to hire more personnel and completely revise their archiving process. It all can be done - at a cost.
I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
- What kind of information do you have on those tapes?
- Where does your brother live?
OK, but seriously, if the information is encrypted (it's not that hard, folks), then any plan like this isn't too bad (in a cost/benefit kind of way).
I think the parent comment makes sense and calling this a 'troll' is unfair. The consultant was not trying to stop the thieves from knowing what they had, he was covering his ass and hoping that this could just go away. If the correct tactic is to keep the information out of the press, then the police are the ones that should make the call.
Yesterday, I was the first on the scene to an accident. A kid (temporarily, I believe) lost vision in one eye when the air bag smacked him in the face. I think it was my duty to report everything that I did (check for injuries, make sure he was coherent, move some debris out of the road) to the police officers & ambulance crew. The police can decide what matters, they do this every day. I am a novice & my opinions as to what matters are inferior to their experience.
Think global, act loco
So how many of us use Cell Phones, flash drives, portable hard drives, etc all with sensitive information unencrypted in them?
I have PGP, TrueCrypt, and other similar products installed. It's just too hard. I have a 160GB hard drive that fits in my pocket. I have a ton of data on it.
I want to use encryption. I have TrueCrypt on it and have several virtual hard drives. But when I go to dismount the virtual drive, Windows has it locked and it won't unlock. If I dismount it anyway, the volume becomes corrupt. So to use this, I have to log off the PC any time I want to dismount the physical & thus virtual drives. I don't mind typing in a 20 character pwd each time, but the corruption is a bad thing.
I use PGP, but I have to install PGP onto any Windows PC I want to unencrypt these files with. I also have to keep a copy of my keys with me so I can edit and save these files. That's a bummer.
I still have things like my backups encrypted. No way I want someone getting all the info in my registry that's stored in plain text, such as Nortel Networks' software which stores your network passwords that way. One day I will lose one of these drives.
The phone's got a PIN lock on it that locks after 1 min & at power up. Defeats the lay thief, but anyone can grab the memory and view it on a card reader. No options on the phone to encrypt it.
I agree, we should all be using encryption. But the options I've tried leave much to be desired.
I think that it might depend somewhat on where you live. A consultant in Ohio will probably be cheaper than a consultant in New York or the UK, because their cost of living isn't as high. $125 would still not be much, but you could probably find cheaper (certified in [insert flavor here], even, for what that's worth) if you really didn't care much about quality.
A word from those affected by this loss:
http://www.youtube.com/watch?v=xJd5U5oRH2k
Package tapes containing SSNs with thousands upon thousands of dollars in cash. Then you can have the nice men in armored cars transporting the valuable data around, instead of in Chuck's 1988 Toyota.
I was one of the lucky Ohio residents to not be on the list, thankfully.
We all agree that the current off-site storage method is ridiculous. Why would the state NOT pay for a licensed, bonded, and insured off-site backup solution?
One of my former jobs was at a distribution center for a competitor of Wal-Mart and we had an outside firm pick up our daily backups for off-site storage. The tape was placed in a lockbox which only we had the key for, and when a representative of the firm came to the building (in an armored car, no less), we had to provide an identification card and a PIN code to send any boxes out or receive any boxes.
Granted, this cost the company money. In some of our locations it was a lot of money, just because of the locations of the facilities. The sensitivity of the information on those tapes was just as important to the organization as the personal information should be to the State of Ohio, so why would the government (and ultimately the taxpayers) NOT make the decision to spend a little bit more money so we don't have to worry about which intern has the tapes and could potentially be robbed?
In terms of the car break-in, the possibility still exists that an intern could have had the tape in his/her house or apartment and had that broken into as well. As soon as that tape is out of a controlled environment, it's a free-for-all.
"Uh oh" is right.
Made you look.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
It has been out for a month now that the data on the tape WAS encrypted. I have no idea where they are getting their information from. I live in Columbus, and have seen this on the news almost every night for several weeks now. And as far as being a scapegoat? He left it IN HIS CAR, and what I am assuming he won't say is that he had left it unlocked as well. I don't care who reports to whom, the guy left important stuff in his car in plain sight. His fault, period.
As an intern at a company where I have the potential to do damage if I wanted, what the heck were they thinking to give that data to him? I personally am scared enough if I am logged on as administrator in the production system. I agree that the intern wasn't at fault. There is definitely something missing from this story though; the data would have been safer if they left it on someone's desk at the office. What if the intern loses them, or leaves them at home when he comes in the next day? Poor Jason, but why even let you have that much responsibility?
I was one of those in that number. I want to hang them up by the short hairs... The thief and the intern.
The game.
I remember being a GS-1 at 5.10/hr. Man this gov't is wasting our tax payer $$$ on interns and consultants! And still nothing 'gets' done.
Worth reading the Ohio Inspector General report http://watchdog.ohio.gov/investigations/2007190.pdf
Root cause is that they were casually using live data for testing.
Last week I received a letter from the Ohio Department of Administrative Services. This is what I was told... An intern had taken *A* back up "device" home with him and it was stolen from his car, along with a radar detector and stereo. I asked "Why was an intern taking "back up devices" home with him?" The response "So that he could do work from home." I complained and asked to speak with the chud's supervisor because this made no sense (then I realized that this is the Gov'ment). The retard who called me back informed me that A. the "device" was a tape back up and that the drive it was created on had and I quote "misaligned heads" so the tape could only be read on that particular device. B. This was all done against procedure. And C. there is no need to worry because there is no evidence that the tape had been accessed. I received the supervisor's call when I was out of my office so I couldn't take down the retards name. otherwise I would have posted it.
"...a civilian some of the time, a soldier part of the time and a patriot all of the time." -Brig. Gen. James Drain
"The project is managed jointly by OBM and DAS, which, along with numerous other state agencies, have assigned a total of 119 employees to the project."
"Another 167 contract workers are detailed to the project, 117 of whom work for Accenture LLP, the company hired in April 2005 to implement the OAKS system integration."
"Five consultants from Compuware Corporation have been assisting the state in ensuring that Accenture meets its contract specifications."
http://watchdog.ohio.gov/investigations/2007190.pdf
"Larry, this is what happens when you fuck a stranger in the ass!"
"Are you watching this, Larry? This is [smash] what happens [smash] when you [smash] fuck [smash] a stranger [smash] in the [smash] ass!"
I work for a small non-profit organization (400+ people) and our tape backups are taken offsite, under lock and key, in a semi-armoured van by a company which specializes in offsite backup storage.
This is just fucked up. Heads should roll for this one.
If they are those big tapes used by mainframes, they are probably hanging on the wall at someone's house between stolen "Watch For Ice On Bridge" sign and the "Do Not Enter" sign. To impress chicks of course. :)
Runesabre
Enspira Online
Too bad you can't recall or revoke an SSN and get another one. If we're going to have a federal ID number, might as well replace this poor de facto key with a real system that allows the issuing agency to record a lost number as invalid, and regenerate you a new one from some privately held source key (that's actually kept secure).
Reed
Thank you very much for your assurance that my park bench is secure.
Since you are one of the Senators representing the State of California in the US Senate, could you please investigate why it is that an intern who compromised the personal information of nearly one million citizens will be allowed back into the workforce while an experienced scientific researcher who has never compromised anyone else's personal information must sleep on a park bench?
Don't thank me for my time, Mrs. Feinstein. It is my duty and honor to point out the obvious to the nation.
Sincerely,
Steven B.
--
the NPG electrode was replaced with carbon blac
Consultant is a code word for "temp".
I have reached a revelation today. Due to the overwhelming ridicule of Anonymous Cowards to each and every legitimate question that I've asked over the last eight months I have decided that it is in my best interests to agree with your line of thinking.
I believe the conspiracy theory.
I believe that there is a conspiracy of "black banks" who manage to exchange currency, grant loans, and fund corporations on the international market without ever revealing their location, their executives, or their source of resources.
I believe that there is a conspiracy of "black corporations" who manage to do business on the international scale, to ship and receive merchandise, to make investments in the global stock markets, to employ thousands of workers in fields ranging from janitorial and food services up to nuclear scientists, all without revealing their locations, the banks who process their funds, investments, and payroll checks, their executives, or their major business partners.
I believe that there is a conspiracy of men, clad in robes, who live in the deserts and mountains yet have the experience and materials necessary to assemble nuclear devices, to buy and sell all manner of weapons ranging from hand pistols to mortar tubes to grenade launchers to ICBMs, who live completely off the land and under the radar, who can communicate on a worldwide network, and who do business with the aforementioned "black banks" and "black corporations" without ever revealing their names, locations, or any other identifying information.
I believe that there is a conspiracy of "black executives" who run the aforementioned "black banks" and "black corporations", whose homes and offices are decorated with artwork and artisanship which is paid for in untraceable funds, who travel on cruise liners and jets which cannot be tracked in international airspace, and who play golf, cribbage, bridge, and whose children attend school right next to the other monied wealthy elite of the world without anyone ever knowing anything about it.
I believe that there is a worldwide conspiracy of "black nuclear contractors" who manage to evade the oversight of the UN, who procure nuclear material from the mining companies which fall under the umbrella of "black corporations", who pay for their employee payroll and their physical buildings with funds from the "black banks", who ship and receive their products using completely unknown "black airlines", whose overland transportation is handled entirely by "black trucking companies", and who buy "black toilet paper" so that they are completely untraceable to the other nuclear interests of the world.
Specifically, Mr. Bush, I believe in your conspiracy of "black everything" which threatens to attack the US, using "black missiles", "black passports", "black computer chips", "black IP addresses", "black bank account numbers", "black airplanes", "black semi-trailers", "black forklifts", "black dockworkers", and have their own infrastructure of "black investigators" who sign off on all the paperwork which is required to move so much as a breath mint across international borders.
So, Mr. Bush, could you please stop sending the Anonymous Cowards around? I believe in your conspiracy and, just for the sake of arbitrary creativity, I'm going to continue to assume that none of it is possible, and I'm going to continue to ask the obvious questions of,"If these people are powerful enough to move billions of dollars at a time, how the _HELL_ are they doing it behind everyone's back?"
Don't thank me for my time, Mr. Bush. It is my duty and honor to point out the obvious to the nation.
Sincerely,
Steven B.
Right after you quit smoking pot. Right after all of the politicians, bankers, and stock investors do because, obviously, what I do on my personal time is of much greater importance to the nation than what they do on their personal time.
Thank you for pointing all of this out.
The IT staffs at the state level have always been the "Land of Misfits" that can't get a job anywhere else in the real world.
The only consistent feature in all of your failures is you. Your baseless attempt to demoralize is unsuccessful.
Is it just me, or not even taking security into account, isn't leaving tapes in your car overnight in the middle of summer a pretty bad idea if you want to someday retrieve the data from said tapes?
No, they put them on everything because they are a good identifier in government agencies. Most of these systems are pre-internet, so the risk was very low. Now they are changing policy, but implementation may take years.
Of course, that's not the problem here. This is about a poor tape policy.
In fact the more SSNs get exposed the better, because they will become untrustworthy for everything but tax.
The Kruger Dunning explains most post on
When are people going to wise up and realize that most consultants are overpriced, incompetent and do not hold the same interests or priorities as those who hire them? Now, I'll admit bias. I'm one of the peons of a very large institution who has recently ramped up its IT consultant usage and is paying through the nose for it. We have also caused it to be the case, through a variety of causes and reactions, that any technically competent employees we used to have no longer work for us. I expect the same sort of attention to detail and security from our consultants as Ohio received.
There is no escaping the fact that a consultant's priority is to make a profit for the stakeholders of the consulting company. If you are a state or large institution then your resources, need or scope outstrip the benefit of utilizing a consultant. You should be doing the job yourself instead of presenting yourself as a wallet for a consultant to dip into. It becomes an unfair trade and one in which the consultant has negligible risk (notice that Ohio/intern IS vilified in the paper and the consultant is NOT).
I will never live for sake of another man, nor ask another man to live for mine.
Worked for government at various levels, both inside and as a contractor or provider. Interns are easy scapegoats; they often leave before the problem is revealed, and accountability is minimal. Problems will get buried in politics until no one is paying attention anymore. Typically, the lowest person gets the shaft, even when it was the manager who made a bad decision, or failed to make one, despite being told about potential problems. I worked for a government that failed a security audit five years in a row with an F (the lowest score, because they failed to fix previous years' problems) and the insurance auditors just looked the other way. If public money is spent on a security audit, then you can submit for the results under the FOIA. They really hate this process and you better have your t's crossed. Better yet, I challenge all of you (Americans) to ask your local governments for their security policy(s) and procedures in writing. Hell, go to a town meeting and ask for the information in public; most of these meetings are recorded and many are rebroadcast over local television. The government needs to learn that they work for the citizens and they need to be held accountable for their actions or lack thereof.
"As an intern, I do not create policy, I do not interpret policy, and I do not question policy. I do what I am instructed to do." Exactly what government expects from its employees: put the blinders on when you come to work. Question authority and you're branded. Yes men (and women too) get promoted. Sorry, but I've been around government a long time. Those of you who have never worked in government have a lot to learn. Yes, you can get ahead in other ways: when people die, get fired, or when you take someone else down. It's POLITICS from the chambers to the toilet. Any new employee that is bright enough will see the culture after a day or so and either accept it or get out. Also, management should be held responsible, but that's unlikely to happen here. That's why government is increasing its privatization of its functions through outsourcing. It's easier to place blame. I'm gone from the government, but LOVE that easy taxpayer money through consulting services. One tip: always find someone else to do the dirty sh*t.
After years of hard experience I have learned this principle:
Never leave anything of value in your car overnight. Ever.
Also of similar importance:
Never leave anything of value in your car visible, if car is unattended for 30 seconds or more.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
Instead of that evil, old inefficient government actually doing some coordinated work.
Makes sense. Contractor doesn't give a crap. What's in it for him? And what formal or informal authority does he have to help establish a responsible backup storage plan? So, hey, the kid's car _was_ off-site storage.
the two laziest or beer infested days of the week.
But all that income tax is going straight back to the central banks because of govt debt. So you really are working for the banks, not the govt.
If the govt had a clue and had no debt, we could all live with zero income tax, and all public funding could be funded through 100% commercial taxation and tiny levies/fees on public services.
Income tax historically wasn't meant to be for everyone, just companies and the super rich. Post WW1 the govts got greedy; they had lots of bills to pay for.
Liberty and freedom are No. 1, not dicks in suits.
And other non-security savvy folks.
Note to execs considering relocating: Things are expensive over the long term because they are worth more than the alternative. CA, WA, and MA have stood the test of time as tech centers for a reason.
"I love mixed metaphors."
Heh, I love the scene in one of the back to the future movies where the older Biff is trying to give the sports almanac to his younger self.
Young Biff: "Make like a tree and get out of here!"
Old Biff: slaps YB on the head, "It's leave you moron! Make like a tree and leave!"
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Seppuku
We have Iron Mountain come and pick up our tapes. They put them in a locked box inside a locked truck and put them in a secure facility. They are one of the big names in data storage. It should be mandatory for agencies such as this. In fact, you can contract to have YOUR guys put the tapes in the locked box so that they don't even have the key/they don't touch the tapes. Hell, take it a step further and have a video camera trained on the tape library as well. Plus, encrypt your tape backups.
-- "You can lead a yak to water, but you can't teach an old dog to make a silk purse out of a pig in a poke" - Opus
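Two posts above make the same point from different angles: the one saying that if the information is encrypted a scheme like this is tolerable, and the Iron Mountain post ending with "encrypt your tape backups". What that has to mean in practice is worth spelling out, so here is an added example, not code from anyone in this thread or from the state's OAKS project: a Go package of my own design that writes a tape image as a sequence of AES-256-GCM chunks. The data key never goes on the tape; the header carries only a key identifier that the restore host resolves through its own key store. Every chunk is bound to its position and to the header, so a stolen tape yields nothing readable, and a tape that has been edited, had chunks swapped, or been truncated fails verification instead of restoring silently. The image layout (the "TAPEIMG1" magic string, 8-byte nonce prefix, 4-byte counter, key ID field) is mine and not a standard; the properties it provides are what you should demand of whatever backup product or LTO drive encryption you actually use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Image layout (big-endian integers):
//   header: magic(8) | keyIDLen(1) | keyID | noncePrefix(8) | chunkSize(4)
//   chunk:  last(1) | ctLen(4) | AES-256-GCM ciphertext of at most chunkSize plaintext bytes
// Chunk i is sealed under nonce = noncePrefix || uint32(i) with AAD = header || last, so a
// swapped, replayed, dropped or truncated chunk, or an edited key ID, fails on restore.
const magic = "TAPEIMG1"

// ErrCorrupt covers every authentication failure; restore gets no detail an attacker could use.
var ErrCorrupt = errors.New("backup image failed authentication or is truncated")

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("data key missing or not 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// nonceFor and aadFor bind each chunk to its position and to the header it was written under.
func nonceFor(prefix []byte, i uint32) []byte { return binary.BigEndian.AppendUint32(append([]byte{}, prefix...), i) }
func aadFor(hdr []byte, last byte) []byte { return append(append([]byte{}, hdr...), last) }

// Seal produces an authenticated, encrypted image of plaintext. keyID names the data key (for
// example a KMS key identifier) so restore can find it; the key itself never travels with the tape.
func Seal(plaintext, key []byte, keyID string, chunkSize int) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if chunkSize <= 0 || chunkSize > 1<<30 || len(keyID) == 0 || len(keyID) > 255 {
		return nil, errors.New("chunkSize must be 1..2^30 and keyID 1..255 bytes")
	}
	prefix := make([]byte, 8) // random per image, so one key can protect many tapes
	if _, err := rand.Read(prefix); err != nil {
		return nil, err
	}
	hdr := append(append([]byte(magic), byte(len(keyID))), keyID...)
	hdr = binary.BigEndian.AppendUint32(append(hdr, prefix...), uint32(chunkSize))
	out := append([]byte{}, hdr...)
	for i := uint32(0); ; i++ {
		n, last := len(plaintext), byte(1) // remainder fits in one chunk: this is the final one
		if n > chunkSize {
			n, last = chunkSize, 0
		}
		ct := aead.Seal(nil, nonceFor(prefix, i), plaintext[:n], aadFor(hdr, last))
		out = append(binary.BigEndian.AppendUint32(append(out, last), uint32(len(ct))), ct...)
		if last == 1 {
			return out, nil
		}
		plaintext = plaintext[n:]
	}
}

// Open verifies and decrypts an image from Seal. lookup resolves the header's key ID to the key
// (nil if unknown): the restore host fetches the key from its key store, never from the tape.
func Open(img []byte, lookup func(keyID string) []byte) ([]byte, error) {
	if len(img) < 21 || string(img[:8]) != magic || len(img) < 21+int(img[8]) {
		return nil, ErrCorrupt
	}
	hdrLen := 21 + int(img[8])
	hdr, prefix := img[:hdrLen], img[hdrLen-12:hdrLen-4]
	chunkSize := uint64(binary.BigEndian.Uint32(hdr[hdrLen-4:]))
	aead, err := newGCM(lookup(string(hdr[9 : hdrLen-12])))
	if err != nil {
		return nil, err
	}
	for i, rest, out := uint32(0), img[hdrLen:], []byte{}; ; i++ {
		if len(rest) < 5 {
			return nil, ErrCorrupt // data ran out before a chunk marked last: truncated
		}
		last, ctLen := rest[0], uint64(binary.BigEndian.Uint32(rest[1:5]))
		if last > 1 || ctLen > chunkSize+uint64(aead.Overhead()) || ctLen > uint64(len(rest)-5) {
			return nil, ErrCorrupt
		}
		pt, err := aead.Open(nil, nonceFor(prefix, i), rest[5:5+ctLen], aadFor(hdr, last))
		if err != nil {
			return nil, ErrCorrupt
		}
		out, rest = append(out, pt...), rest[5+ctLen:]
		if last == 1 {
			return out, nil
		}
	}
}
```

Seal the tar stream before it reaches the drive, keep the key in a KMS or HSM that only the backup and restore hosts can call, and treat ErrCorrupt on restore as an incident rather than a bad tape. Do one test restore with a deliberately flipped bit so you know the failure path works before you need it.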
OMG the shock! At my previous 2 jobs in the US Navy, I regularly saw personal info sent and received via methods that would make national news if word got out. I regularly saw MANY (too many to count) violations of security requirements for various classifications of data. What happened when I tried to make a big deal of it? Gee, suddenly nobody wanted to see me reenlist, and my enlistment expired. So I got separated and I have NO expectation that my info won't make it everywhere. National secrets are only a secret if everyone in between the top and bottom cares. Sure, everyone KNEW what was right and wrong. But the excuses were always the same: not enough money, too much work, or I don't want to stay late and do it right. We weren't doing obviously bad things like throwing lots of classified info out in the dumpster, but they were more like opportunities where that 1 rare possibility (getting a car broken into, for instance) makes things a VERY big deal. We had a few close calls. What was my job? Cover up the evidence :/. Telling the people above you in your chain of command is pointless. They just think you're trying to show them up or be an a$$hole. In the end when you make that 1 mistake that COULD have been kept in house, they let it go out of control and bite you in the ass. The phrase "In the Soviet Navy you don't fix the system, the system fixes you." is applicable.
That's why I'm glad to be out, but mad that you can't really make a difference in the Navy if you wanted to. There were times in my career where my life depended on people not knowing the classified info, and I was always concerned that the info could probably be found rather easily if any joe-schmoe REALLY wanted it.
Spies? Other countries don't need spies. Just think about the stupid things you wouldn't do on a classified network, and you can easily get data from us that way. It's a sad world we live in, and I really don't see it getting better anytime soon.
Sure, I seriously considered contacting the Navy's inspector general and commenting anonymously, but I'm scared to death I'd end up burned at the stake just like this poor intern. The last thing I wanna see is someone that's 'in the know' find out it's me that snitched and figure out some way to get back at me. I like my life the way it is, and I don't want some moron to turn around and blame me for it. I've been threatened more than once that if I told anyone it would definitely be the end of my career(read as:you didn't do it, but i'll make sure you get screwed over too!). This situation would have played out exactly the same for me as it did for the intern, except much worse. In the military you just spend your life in prison with bubba as your cell mate when you're the scapegoat.
Overall, I'd sue Ohio like a madman with a gun. I'd take no prisoners, and I'd do my best to put Ohio bankrupt forever. If the state is spending $325 an hour on 2 people that couldn't do it right, surely they got enough money to throw away to throw it my way. How much money did they save by making the intern take it home? If I were that intern I'd want some of the money they saved by not paying for the proper storage. Didn't he provide a service by storing it off site? And how much money are they gonna spend informing everyone that their info could have gotten out? I bet it was cheaper to store it legally now.
Did I mention that $500 for almost 1 out of every 10 VOTERS' info being released!? Are they stupid? I wouldn't vote for anyone that had the ability to change that number and didn't. I don't have exact numbers, but it's probably about 1 cent for each SSN. I think it's worse than no reward. If there's no reward it could be that we just didn't hear about it. But now we know there's a reward, and it's just absurd.
Maybe I'm just a jerk but I love reading these stories where someone thought they were saving money and in the end they'll spend WAY more. It's too bad that IT department won't have to foot the bill. They'd be able to afford a new server about the year 2050 or so. Hope their equipment is reliable....
So who is going to step up and try:
:-)
' DELETE Employees --
or
' DECLARE @tbl varchar(128)
DECLARE x CURSOR FOR SELECT name FROM sysobjects WHERE type='U'
OPEN x
FETCH NEXT FROM x INTO @tbl
WHILE @@FETCH_STATUS=0
BEGIN
  EXEC('DELETE ' + @tbl)
  FETCH NEXT FROM x INTO @tbl
END
CLOSE x
DEALLOCATE x --
Yes, That's the only rational explanation... they were using live data to do testing instead of dummied-up test data.
...Iron Mountain. They have repeatedly lost backup tapes as well as left them in a maintenance closet that ANYONE who decides to walk into the building could access. So if by 'like' you mean someone that has the same business but DOESN'T lose your tapes, yes, I agree then.
http://www.informationweek.com/story/showArticle.jhtml?articleID=165701015
Also if you have any amount of data you want to back up you also need HARDWARE encryption; software encryption like you mention will take too long. And that is hard to set up and costs $$$, unless you have very little important data, in which case you are lucky!!
Those who can, do.