Intern Loses 800,000 Social Security Numbers
destinyland writes "A 22-year-old intern said today he's the 'scapegoat' for the loss of over 800,000 social security numbers - or roughly 7.3% of the people in the entire state of Ohio. From the article: 'The extent of my instructions on what to do after I removed the tapes from the tape drive and took the tapes out of the building was, bring these back tomorrow.' Three months into his $10.50-an-hour internship, he left the tapes in his car overnight — unencrypted — and they were stolen. Interestingly, the intern reports to a $125-an-hour consultant — and was advised not to tell the police that sensitive information had been stolen, which initially resulted in his becoming the prime suspect for the theft. Ohio's Inspector General faults the lack of data encryption — and too many layers of consultants. But their investigation (pdf) revealed that Ohio's Office of Management and Budget had been using the exact same procedure for over eight years."
"So what did you learn interning this summer?"
"DIAF."
I'm forever amazed at how often people seem to be willing to snag a stack of backup media out of the back of someone's car. The criminal element seems to be quite tech savvy these days; I just wish some of that would pass to the rest of the population.
I live in the south, and "media left in a car" is not really a problem here; leaving tapes in the back seat of a car in the summertime is what we do when the incinerator is out of order...Works even at night!
Who the hell would send an intern out with backup tapes anyway? Makes no sense. Is that their offsite storage procedure? Send the tapes home with an intern, and hope he brings 'em back? Reading the PDF report, that turns out to be exactly what their procedure was...They even had it in their disaster plan, which makes me think it was more disaster and less plan. What the hell? Does the state of Ohio have so few buildings that they have to send the tapes home with people?
Fricking consultants. By the "You get what you pay for" scale you'd think $125-an-hour would buy you more than a huge pain in the ass like this. Sounds like the whole organization was rotten though, so it's hard to blame them.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Hell even in that case, why didn't they have a remote backup to prevent loss through a fire or flood?
Yep plenty of blame to go around.
"Slashdot, where telling the truth is overrated but lying is insightful."
Is that 7.3% of the population is working directly for the state government! I wonder what total percentage of the population works directly and indirectly (such as the contractor) for the government at all levels?
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
"Three months into his $10.50-an-hour internship, he left the tapes in his car overnight -- unencrypted -- and they were stolen, and his 1990 Yugo mysteriously replaced with a new Ferrari."
After all these years, they've finally found a security hole in the Sneakernet.
Slashdot Burying Stories About Slashdot Media Owned
"Maybe my social security number is on these tapes?"
Would they have handled it any differently if it was?
Ok, I know that keeping data off-site is a good thing, but do you hand an intern your backups and send him home with the tapes? I think they REALLY need to redo their backup plan. Especially if it involves THAT MUCH personal data.
What kind of job asks you to take backup tapes w/ sensitive information home with you? Don't they have a cabinet or a drawer inside the building (which is itself presumably safer)?
Cheers!
Atheist: Buddhist in a Prius
Intern Loses 800,000 Social Security Numbers, 1 Internship
Fixed it for you.
7.3% sounds right. I know of several people affected by this- but rest assured, the great state of Ohio is promising one full year of ID theft protection. Bet that makes those folks sleep better at night. One friend that got a letter informing him of his SSN being stolen was told why- he was one of many Ohio taxpayers who has not yet cashed their state tax refund, and as a result, was kept in a database on the stolen tapes. As the Pretenders said, "Way to go Ohio!"
heh.. getting fired for doing what your boss told you to do.. it's the new trend in corporate america!
i get told now and then to do something not quite above board.. so i send the requester an email asking them to state in explicit detail what they want so i can be clear (and also have a record/trail). most times, the request is not repeated. doesn't make me terribly popular, but i sure as hell am not going to get tossed for another person's bad (or illegal?) request.
i kinda feel bad for the intern.. kinda like a falsely-accused criminal. this will probably follow him around a while and it was little or no fault of his own..
-r (has NO problem believing the intern's story 100%)
-'fester
I found them!
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
My girlfriend was one of the numbers stolen, the state has graciously offered to buy her a year of ID protection. Cause yeah, after a year, this problem goes away. She is going to have to pay for the service for years after this, just for peace of mind. Thank you so much, we didn't need this stress. You know how much beer I can buy with a year's worth of ID theft prevention? Enough to get me drunk _several_ times buddy, yeah, you are killing my buzz already!
You know what they say, "if an intern triples your workload, consider yourself lucky."
--Nuintari
slashdot : where an opinion can be wrong.
It makes sense not to report the loss for a while. 5 cars were broken into that night, and the thieves certainly grabbed anything that looked half valuable. They most likely had no idea that the tapes contained potentially valuable information, and almost without any doubt had no means to actually read the data.
If a news report came out the next day "20,000 SSNs stolen" then they would know what they had, and try to find a buyer. Otherwise the tapes would likely have been trashed so the criminals wouldn't have incriminating evidence sitting around their house.
Dan East
Better known as 318230.
The State of Ohio is offering one year of identity theft protection to those affected. To look up your access code for this one free year of ID theft prevention please visit this page:
http://ohio.gov/idprotect/lookup/lookup.aspx/
On this page you enter your last name and the last four of your SSN. Anybody see anything fishy about this page? HOW ABOUT THAT IT ISN'T USING SSL. Apparently they don't believe in using encryption anywhere, ever. Not on backup tapes and definitely not when transmitting sensitive information over the Internet.
Um, I wouldn't call anyone forgetting backup tapes in his car a good employee. Besides the risk of being stolen, melting is another possibility if it's hot enough.
That, and he should know better than to not report something stolen to the police... especially if it's someone else's property.
First, someone decided to blame the Scaled Composites explosion on Bush and now this? I don't like Bush, either, but there are (still) limits to his power, you know.
Ben Hocking
Need a professional organizer?
Yeah, it's easier for any entity to blame its peons for misjudgment rather than highlight the lack of process that would have prevented this type of situation in the first place. The higher-ups had the noose on this kid before anyone else bothered to realize the intern is not to blame. And now we've got an article on Slashdot about how the "intern" lost the SSN's. But did he really lose them?
To all the comments that are calling the intern an idiot for leaving the tapes in his car, I ask you this: where should he have stored them? In his apartment which can be just as easily broken into? Was he supposed to rent out a protected storage unit at his own expense? The correct answer is that he should have never been responsible for storing them. Now ask yourself what is worse: a superior handing over 800,000 SSN's to an intern, or an intern leaving those SSN's in his car?
For he today that sheds his blood with me shall be my brother.
I'm sure if Big Evil Government was in charge of these tapes, it would have hired a $250/hr consultant to give them to a $21/hr intern to lose. Think of the savings!
I swear to God...I swear to God! That is NOT how you treat your human!
In all of these articles that pop up the same thing pops in mind. Why are people allowed to take anything of value home with them? Information like this needs to have some kind of cvs/subversion system with it. If you need to check it out, there is a trail showing who has what, and people shouldn't be allowed to take things home, and all sensitive information needs to be encrypted whether internally or not.
Thief probably thought he had a VHS tape! ... but it wouldn't play, so it went into the trash.
There is a simple solution to this kind of thing. You take the SSN, bank account and CC numbers of the person in charge (the General, Congressman, CEO etc.) and you put them in every container, laptop, tape, HDD, USB stick, etc. that has private information on it.
Problem solved.
HPC for Primates. Read Cluster Monkey
The 22-yr-old's response is unacceptable given the amount of press and exposure identity theft is given.
The value of labor per hour is not relevant and should be considered distraction of truth in this situation. The reality is that an adult of mature age was directed to secure the property and was asked to take it home and keep it safe.
Whether this was wrong or not is non point the moment he accepted the assignment.
The fact that he left it in his vehicle is a first point of negligence.
The second fact would be his willingness to do something he felt was a risk, such as taking these tapes home.
The third being his lack of documented objection to the process and procedure which is obviously faulted.
This is old news for Ohioans. I submitted this story to /. 2 weeks ago...
For a good portion of my database backups that may or may not contain confidential information, I tar, compress and encrypt with gpg my backup data files before they get put into a directory archived by our automated tape library. I don't have to trust who has the tapes, and who is going to carry them off-site during our next hurricane threat. I clocked gpg on a fairly modest Dell 2950 server at about 10 megabytes / second. If you need more, there are hardware-based accelerator cards available.
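The tar, compress and gpg steps described in the comment above, as an added example that is not part of the original comment or the commenter's own script. It assumes GnuPG 2.1 or later and uses symmetric AES256 with a passphrase file so it runs without a keyring (the comment does not say which gpg mode was used); the function names, paths and sample record are hypothetical and constructed.

```shell
#!/usr/bin/env bash
# Added example: encrypt a backup before it reaches the directory that the
# tape library archives, so whoever carries the tape never holds plaintext.
set -euo pipefail

# encrypt_backup SRC_DIR OUT_FILE PASSPHRASE_FILE
# tar -> gzip -> gpg. gpg's own compression is disabled because the stream
# is already gzip-compressed.
encrypt_backup() {
    local src="$1" out="$2" passfile="$3"
    tar -C "$src" -cf - . \
        | gzip -c \
        | gpg --batch --yes --quiet --pinentry-mode loopback \
              --passphrase-file "$passfile" \
              --symmetric --cipher-algo AES256 --compress-algo none \
              -o "$out"
}

# restore_backup ARCHIVE DEST_DIR PASSPHRASE_FILE
# With pipefail set, a wrong passphrase or a damaged archive makes the
# whole pipeline (and therefore this function) return non-zero.
restore_backup() {
    local archive="$1" dest="$2" passfile="$3"
    mkdir -p "$dest"
    gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-file "$passfile" --decrypt "$archive" \
        | gunzip -c \
        | tar -C "$dest" -xf -
}

# roundtrip_check: encrypt constructed sample data, confirm the staged file
# does not expose it, confirm a wrong passphrase is rejected, and confirm a
# restore reproduces the original tree. Returns 0 only if all checks pass.
roundtrip_check() {
    local work rc=0
    work="$(mktemp -d)"
    export GNUPGHOME="$work/gnupg"        # keep gpg state out of ~/.gnupg
    mkdir -m 700 "$GNUPGHOME"
    mkdir "$work/db" "$work/staging"

    # Constructed sample record, not real data.
    printf 'id,name,ssn\n1,Constructed Person,000-00-0000\n' \
        > "$work/db/taxpayers.csv"
    printf 'constructed-demo-passphrase\n' > "$work/pass"
    printf 'not-the-passphrase\n' > "$work/badpass"
    chmod 600 "$work/pass" "$work/badpass"

    encrypt_backup "$work/db" "$work/staging/db.tar.gz.gpg" "$work/pass" || rc=1

    # The file headed for tape must not contain the sample value in the clear.
    if grep -q '000-00-0000' "$work/staging/db.tar.gz.gpg"; then rc=1; fi

    # A holder of the tape without the passphrase gets nothing back.
    if restore_backup "$work/staging/db.tar.gz.gpg" "$work/bad" \
            "$work/badpass" 2>/dev/null; then
        rc=1
    fi

    # A restore test is part of the backup: encrypted tapes nobody can
    # decrypt are as bad as lost tapes.
    restore_backup "$work/staging/db.tar.gz.gpg" "$work/restore" "$work/pass" || rc=1
    diff -r "$work/db" "$work/restore" >/dev/null || rc=1

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return "$rc"
}

# Run the self-check only when asked: ./encrypt_backup.sh selftest
if [ "${1:-}" = "selftest" ]; then
    roundtrip_check && echo "round trip OK"
fi
```

For unattended jobs, public-key mode (`gpg --encrypt --recipient ...`) avoids keeping any decryption secret on the backup host; the private key then has to be stored and tested separately from the tapes.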
Is your reading comprehension:
There were SSN's of 770,000 taxpayers plus 64,000 state employees that together were 7.3% of the state population. Nowhere does it say that 7.3% of the population was working for the state government.
Just imagine how much information would be available if the RealID act was in effect. This is precisely the reason I don't trust the government with my information: they can't keep it safe.
Live life to the fullest. It's not that life is short, but that you are dead for so long.
1) He also obviously did not take time to investigate or read the policy. Granted .. this can be also blamed on supervisors. But there is no 'patch' for ignorance, correct? Sometimes you only get one shot.
2) If he had any idea what was on the tape, he should not have left it in his car. I don't know if it was in the open or not, but 'intern' or not, he should be aware of the sensitivities of that sort of data. He commented on the policy (which he was not aware of until after the fact ... we've covered that) and said it was "unreasonable to assume that the person would not stop somewhere on their way home". (He is questioning the policy, but we'll cover that next.) Again ... if I knew what was on that tape (granted, I am not an innocent, young 'intern'), I wouldn't take it. If forced to, I wouldn't let it out of my sight til in my home.
3) He *should* question policy if he wants to be valued .. hopefully he learns from that. That's something I look for in a valuable employee. Questioning does not necessarily mean 'defy' (which I think is what he is trying to say). If not questioning the policy, he should be asking "This stuff is encrypted, right?"
They are kind of going after the young intern as someone to pin this on, I'm sure. However, I don't think he can/should hide behind his 'intern' label and fire his pop-gun back saying none of it is his fault. He should admit his part in the mistakes and what he would not repeat ... then point to the broken policy / security model.
Also hope they have fraud alerts set up on those 770,000 people and are ensuring they have state-provided equifax accounts! ;)
Que Deus te de em dobro o que me desejas
[May God give you double that which you wish for me]
I stubbed my toe this morning on my coffee table. Explain to me how that is NOT Bush's fault. You got no answer for that one, huh?
What is this ID protection that keeps coming up in here? I haven't heard anything about it.
800,000 SSN numbers
9 digits in an SSN number
1 comma delimiter per number
-----------
8,000,000 digits
This is still under Gmail's 10mb per email rule. He could have just emailed himself the list as backup.
(yes, I know there's more data than the number. That's why you get 2.8gb+ of space!)
I can see it now, spam email going out saying "due to the recent theft of Social Security numbers, please check here to see if your number was stolen. Just input your number here, and we'll tell you if yours was part of the theft...have a nice day..."
"Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
Maybe there should be a law that automobile license plate numbers should be the same as the owner's SSN. That would put a damper on the temptation to use SSNs as some kind of secret passphrase.
Sarbanes-Oxley defines many internal controls for publicly traded companies. Many of these controls directly apply to IT departments and their disaster recovery/business continuity plans.
The Gramm Leach Bliley Act defines how financial firms handle and use non-public information. It may be time to expand that to ALL organizations that store and use non-public information.
It is time to insist that Government agencies also implement the types of controls mandated by SARBOX and GLBA. If those controls are so important, why doesn't our Government implement the same exact policies?
We need legislation that protects ALL non-public information regardless of who stores it or why it is used.
-ted
SSNs should NEVER be used as primary identification numbers. They are legally only allowed to be used for distribution of benefits and collection of "tax" towards paying out those benefits.
They are essentially a pyramid scheme to keep old people happy. You have to put them on everything, because they have become a national ID number. People are too complacent with that.
I'm going to take this opportunity to make my point once more that a fireproof safe (most all good safes are fireproof aren't they?) is quite often better than off-site storage. Especially if it's built into the floor or wall, tho that's not always possible.
1. encrypting isn't necessary with on-site storage, thus lowering backup resources, increasing recovery speed.
2. off-site storage is to protect from natural disasters and theft, both of which a reasonably sturdy lock-box is good for.
3. theft and damage is more likely with off-site backups, even if my data is encrypted I'd rather not hand over my nice big drives. plus the idea of tape drives sitting in the back of a 150 degree car window isn't ideal...
4. on-site means you can get to your backups when u need to, instead of when the intern decides to come in.
feel free to nitpick my points
I'm obviously in the wrong career path; I could be losing SSN's for $125 an hour! Maybe next year I can move on to some $200 an hour medical record losing gig.
The state can like pay the consultants a FULL time wage with benefits are it is like that consultants making $125/H and $200/H don't get them.
"But did he really lose them?"
Uh, yes. That is empirical fact. They were in his car and he left them unattended.
"... where should he have stored them?"
No. '... why would he have taken them?'
Interns aren't tabula rasa, they're just inexperienced. What background did he have? Any IT schooling? If so, he was aware of what he was doing. All the persons in the chain of command are guilty, even the peons.
Think about it for a minute...Un-encrypted tapes are given to an inexperienced intern with instructions to take them out of the building. Soon after that, they are stolen.
There's careless, there's stupid....and then there's pre-meditated.
I suspect he might be right about the "scapegoat" claim. There are just too many mistakes here by too many people who should have known better for me to accept as a pure "accident".
A goal is a dream with a deadline
Kid: Erm... well... *sigh*
Interviewer: Wait a second! I knew I recognized your name! You're that bastard that lost all those social security numbers!!
I will bend like a reed in the wind.
You'd think the theft of tapes that have data that can completely ruin 800,000 people's lives would be worth a little more than $500. I also hope that "whopping" was in satire.
I wonder if there are people at computer swap meets/hamfests with boxes of tapes that they sell for a few bucks apiece with interesting stuff on them.
There have been multiple incidents of people buying "junk" HD's secondhand, taking them home and finding interesting stuff on them.
(I was about to ask who in their right mind would let an intern walk out of a building with almost a million cleartext SSNs under his protection, but whoever allowed this obviously wasn't in their right mind.)
Those who anthropomorphize science and/or nature already believe in an intelligent designer.
They gave tapes with highly sensitive data, unencrypted (!) to an intern and let him walk around with it overnight outside their facility. Can someone really be that stupid?
Get a damn tape rotation going and call Iron Mountain for pete's sake. They come by pick up your tapes for offsite storage and return a month later with that same tape ready to go over the top. Couple this with encrypted data and put in a locked case, you don't have these problems. Common sense, damn.
*shakes his head in disgust at incompetence*
Why not? I "store" company property at home. Free office supplies!
lol: You see no door there!
Because implementing these measures in the existing governmental structure has immense, prohibitive costs that the taxpayers (time and again) refuse to foot the bill for in a tax increase.
I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
Wait, whoops, wrong website.
The word is "no." I am therefore going anyway.
I was the "UNIX Contractor" for a group that had a few (10 or so) UNIX boxes but no UNIX Administrator. So I did a 6 month stint at that agency working on developing runbook procedures, doing day-to-day stuff, fixing broken hardware (essentially calling Sun service and walking the tech up to the datacenter), and on and on.
But what confounded me the most was that my cube was right next to a guy who was an "Oracle DBA V" (that's a Database Administrator, level 5) -- There is no DBA 6, so in my thinking, he should at least know who Larry Ellison is. Turns out the guy had just been there "a long time" in other roles and he knew someone that put in a good word for him at our agency.
Now, mind you, I'm not a DBA. I create your filesystems and chown them to oracle:dba and let you go have fun. But this guy had no clue. None. If it didn't start up on its own, he was stuck. I found myself calling a buddy of mine from a previous job that actually worked at Oracle and was nice enough to not mind helping out when he had a question that I couldn't answer.
Long story short, as an Ohio Taxpayer, I now fully understand why we're the most tax-disadvantaged state in the nation. We essentially pay double: first time around to pay the state employees (the ones like the DBA V mentioned here) and then the second time around for the consultants to come in and do the actual work.
I think that the feds need to make it a federal law that any mass "ID/SSN theft" needs to be reported to FBI with names, addresses, e-mail, and phone numbers of each person that had their ID/SSN stolen. The FBI should then be responsible for informing everyone in the list of theft and the status of the case and whatever legal mumbo jumbo that they need to tell 'em. Then the FBI should turn around and charge the business/state/local/federal department with a bill for contacting n numbers of people and also a bill for mandatory ID theft services charged to the business/state/local/federal department. So if it costs the FBI $.5 to contact 800,000 then would charge the agency $400,000 and then also how ever much the ID theft services costs, which is likely much greater than $.5. I'd think something like %10-20.
It's not these folks have to start really paying a large/huge dollar value and not just a negative public relations value that any business/state/local/federal department will really start taking this stuff seriously.
Interns aren't tabula rasa, they're just inexperienced. What background did he have? Any IT schooling? If so, he was aware of what he was doing. All the persons in the chain of command are guilty, even the peons.
So what should he have done? Said "I'm not taking them" and risked getting fired?
He made a mistake, even a somewhat dumb one, but it's at least an understandable one. In his situation I would have taken the tapes too, though I would have kept them in the trunk until getting to my apartment, then taken them inside.
If your apartment is as easily broken into as your car, you might want to move. Most people, by the time they're 22, realize it's not a good idea to keep valuable stuff in your car. And if he didn't feel safe taking the stuff back to his apartment, then the proper response would have been to refuse to take them. If it were me, I'd at the very least want some kind of paper trail indicating my exact instructions, and I'd have kept my eyes on the thing until I was able to return it.
So the intern doesn't deserve to be singled out; there's plenty of blame to go around. On the other hand, though, he's still kind of an idiot.
Yes, but even when he took them inside, he stored them ON TOP OF HIS TV! If he happened to watch TV, those big electromagnets that aim the stream of electrons at his face would eat away at the data.
The reward offered was $500 for the recovery of the backup tape.
$500 / 800,000 = $0.000625 = 0.0625 cents
Just checking to find out what my identity is worth ...
Consultants reporting to consultants? Great plan if you don't care to remain in control of your company/organization.
Making a single, bottom level, low income person responsible for your most valuable asset, data? Obviously no concept of sensitive information.
No encryption? Dumb, dumber and dumbest omission of data management.
My recommendations:
1) Keep the intern. He now is knowledgeable and will make better decisions on similar matters; however, let him do the job appropriate to his level. Being fully responsible for off site data should not be part of his job.
2) Update the policy in accordance with federal, SOX, ISO 17799 and whatever other standards apply to include data encryption and a *real* off site method.
3) Get rid of one of the consultants. All consultants should be reporting directly to an employee who has interest in the company/organization.
4) Use the money saved by removing the excess consultant to pay a professional company to pickup and store the tapes off site, in a secure, disaster recovery designed site. Iron Mountain does a pretty good job. (or use their online data transfer method) If nothing else, purchase a small, fireproof box with a lock and make the manager carry it home each night.
These are really basic IT management decisions. I feel sorry for the people relying upon such an organization with an obvious lack of skill or concern.
What does a stolen SSN really mean? What can be done by someone who has stolen a SSN? Some form of ID-numbers exist in most countries, but getting it stolen rarely poses a threat to your integrity?
Why would he steal the tapes? He could have just copied the data and no one would be the wiser.
DeVry University. Nuff said. Hire from crap college, get crap employee.
I can throw as many stones as I wish; my house is made of transparent aluminum.
His job wasn't to "be perfect." His job was to write a proposal. The other peoples' job was to make sure it contained no mistakes. He did his job, they didn't.
Ben Hocking
Need a professional organizer?
If you are transporting such a large amount of sensitive data via sneakernet, that shit needs to be handcuffed to the fraking courier's wrist and travel with at least one, preferably two guys in suits and sunglasses.
Of course, that amount of security still invites theft, but said theft would be in a much more spectacular fashion than a simple car break-in.
If a manager can delegate everything, including ultimate responsibility, what the fuck are they getting the big bucks for?
Chernobyl 'not a wildlife haven' - BBC News
Oh come on. The guy's an intern. What do you expect him to do? Interns, by and large, aren't going to question things. And you can't expect them to.
The process is flawed. Hire some consultants to fix it.
Have gnu, will travel.
The consultant can engineer it on his own. He sends the tapes home with the intern; the intern acts in good faith, but the consultant takes the tapes in the night. He then sells them to the second party, and is never fingered because the expectation is that it is a random criminal element; the only thing they can cite him for is incompetence, but perhaps at $1/number, he won't care. The interesting thing about this theory is that it does, in fact, sound like the sort of criminal plan that someone would concoct who knew the workings of the system. Most thefts are, in actuality, done by employees of one sort or another - they know what's going on, and so aren't taking a random risk. For that matter, it might not be the consultant, but anyone in the office who knew the deal.
[Ego]out
Just let me pull out my dictionary and look up "money laundering".
Ben Hocking
Need a professional organizer?
Wizard.
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
Why do the government and companies even allow data such as social security numbers on Data Tapes or Laptops? I might be able to understand encrypted data sources for backup but NO ONE needs to be taking this data from point A to point B in person. What is the point of investing billions of dollars into secure networks and then not use them? My bet is that this "consultant" warned them this would happen. It did happen, and he was going to sell them his solution. Just pass a law stating that this data needs to be encrypted AND can not be taken off site. Why did this kid even have these tapes?
Unless it's an exceptionally disciplined thief, I'd bet cookies to doughnuts that the tape is going to be useless. Sure, there are tape readers out there, but the use of tape itself is almost an obfuscation technique in itself. You'd have to be a pretty-determined attacker to round up a tape machine, make it work, and figure out the encoding technique on the tape.
and it's the first time that such a thing happened?
Wow, they were lucky.
That's the encryption method. I believe the previous intern's encryption method consisted of sticking the tapes to the 2 kg speaker magnet in the back of his guitar amp. That works pretty well, too.
But, seriously - What was the physical form factor for the stolen tapes? Some of the drives used for heavy backup duty aren't exactly the sort of gear you can purchase at your local shopping mall.
"The plural of anecdote is not data" -- Bruce Schneier
Yea, I remember a story about a guy who left a timebomb worm in the system to wipe out the data, and when it ran, it popped up a window saying there was a data error in the database, and please insert a previous backup for a rebuild...The backup guy (a junior employee) inserts tape, worm blanks tape, pops up another insert different tape message...Made it through 2 weeks of tapes before he got suspicious and called his boss.
So no system is perfect. I'm not a big fan of tape myself, but I am a huge fan of backing up to removable media. There is no reason you couldn't store a zillion backup images or archive files or whatever in your second data center, and that would work fine, but it makes my feet itch a little...Makes me feel like all my eggs are in one basket.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
What do you expect from a state that also uses electronic voting machines?
"Too Deep? This is nothing! I'll tell you when we're in too deep!" - Max Bialystock, "The Producers"
If you order before midnight, we'll include as a free bonus a second database containing 36525 birth dates. This database has been carefully screened to ensure that every birth date is valid!
I salute you!
Ben Hocking
Need a professional organizer?
I think the reason we haven't heard consumers complaining about these regulations is because the companies chose not to pass this cost on to them. Several businesses have complained and others have reconsidered being listed in favor of equity/debts- the level of documentation required by SOX is almost an order of magnitude above what they used to keep, for companies with listed stocks.
I'm not really complaining about SOX - as a Canadian accountant I welcome any changes that bring American companies closer to the international standard for financial information reporting - just saying that the change hasn't always been smooth.
Let's also consider the cost/benefits of the measures. While higher levels of government (and large cities) have the staff and equipment necessary, yes, the cost of applying SOX is relatively small to burden as it is mostly limited to additional training. Smaller cities however would have to hire more personnel and completely revise their archiving process. It all can be done - at a cost.
I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
- What kind of information do you have on those tapes?
- Where does your brother live?
OK, but seriously, if the information is encrypted (it's not that hard, folks), then any plan like this isn't too bad (in a cost/benefit kind of way).
Ben Hocking
Need a professional organizer?
I think the parent comment makes sense and calling this a 'troll' is unfair. The consultant was not trying to stop the thieves from knowing what they had, he was covering his ass and hoping that this could just go away. If the correct tactic is to keep the information out of the press, then the police are the ones that should make the call.
Yesterday, I was the first on the scene to an accident. A kid (temporarily, I believe) lost vision in one eye when the air bag smacked him in the face. I think it was my duty to report everything that I did (check for injuries, make sure he was coherent, move some debris out of the road) to the police officers & ambulance crew. The police can decide what matters, they do this every day. I am a novice & my opinions as to what matters is inferior to their experience.
Think global, act loco
Ben Hocking
Need a professional organizer?
So how many of us use Cell Phones, flash drives, portable hard drives, etc all with sensitive information unencrypted in them?
I have PGP, TrueCrypt, and other similar products installed. It's just too hard. I have a 160GB hard drive that fits in my pocket. I have a ton of data on it.
I want to use encryption. I have TrueCrypt on it and have several virtual hard drives. But when I go to dismount the virtual drive, Windows has it locked and it won't unlock. If I dismount it anyway, the volume becomes corrupt. So to use this, I have to log off the PC any time I want to dismount the physical & thus virtual drives. I don't mind typing in a 20 character pwd each time, but the corruption is a bad thing.
I use PGP, but I have to install PGP onto any Windows PC I want to unencrypt these files with. I also have to keep a copy of my keys with me so I can edit and save these files. That's a bummer.
I still have things like my backups encrypted. No way I want someone getting all the info in my registry that's stored in plain text such as Nortel Network's software which stores your network passwords that way. One day I will lose one of these drives.
The phone's got a PIN lock on it that locks after 1 min & at power up. Defeats the lay thief, but anyone can grab the memory and view it on a card reader. No options on the phone to encrypt it.
I agree, we should all be using encryption. But the options I've tried leave much to be desired.
I think that it might depend somewhat on where you live. A consultant in Ohio will probably be cheaper than a consultant in New York or the UK, because their cost of living isn't as high. $125 would still not be much, but you could probably find cheaper (certified in [insert flavor here], even, for what that's worth) if you really didn't care much about quality.
Ben Hocking
Need a professional organizer?
Package tapes containing SSNs with thousands upon thousands of dollars in cash. Then you can have the nice men in armored cars transporting the valuable data around, instead of in Chuck's 1988 Toyota.
"Uh oh" is right.
Made you look.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
The trunk would've been a big improvement.
As an intern at a company where I have the potential to do damage if I wanted. What the heck were they thinking to give that data to him? I personally am scared enough if I am logged on as administrator in the production system. I agree that the intern wasn't at fault. There is definitely something missing from this story though, the data would have been safer if they left it on someone's desk at the office. What if the intern loses them, or leaves them at home when he comes in the next day? Poor Jason, but why even let you have that much responsibility?
I was one of those in that number. I want to hang them up by the short hairs... The thief and the intern.
The game.
Ben Hocking
Need a professional organizer?
the intern is not at fault.
the $125 an hour consultant is at fault.
who let's an intern take home the master backup?
What state official lets a consultant take home a master backup?
They're using their grammar skills there.
I work for a small non-profit organization (400+ people) and our tape backups are taken offsite, under lock and key, in a semi-armoured van by a company which specializes in offsite backup storage.
This is just fucked up. Heads should roll for this one.
If they are those big tapes used by mainframes, they are probably hanging on the wall at someone's house between stolen "Watch For Ice On Bridge" sign and the "Do Not Enter" sign. To impress chicks of course. :)
Runesabre
Enspira Online
Too bad you can't recall or revoke an SSN and get another one. If we're going to have a federal ID number, might as well replace this poor de facto key with a real system that allows the issuing agency to record a lost number as invalid, and regenerate you a new one from some privately held source key (that's actually kept secure).
Reed
I got "the letter" too. For those actually interested, here it is:
"The State of Ohio has confirmed that your name and social security number was contained on a computer back-up device that was stolen. It is unlikely that someone can access the data contained in the device without specialized knowledge and equipment. Because we have no information to date that the data has been accessed, everything we are doing, or suggesting that you consider doing, is preventative.
The State of Ohio is doing everything possible to recover the stolen device and protect the personal information that was on the device. We regret that the loss of this sensitive data may place an undue burden of concern on you.
To assist you in the protection against the potential, though unlikely, misuse of personal information, the state has arranged for identity theft prevention and protection services through Debix to be available for one year at no cost to you. If you would like to take advantage of the Debix coverage, there are two ways to register: on line at www.debix.com/stateofohio or by mail using the attached form. This service will be valid for one year from the date you register for it. Please provide the activation code located at the top of this notification letter under your address when you are registering. Please note that part of the sign-up process includes receiving a phone call from Debix soon after you initiate the registration process. You will also need an email address to complete the process. If you have questions about Debix or its coverage, please contact them directly at (888) 332-4963.
For additional information including suggestions on things you can do on your own, please refer to www.ohio.gov/idprotect. If you have additional questions, call 1-800-267-4474 Monday through Friday from 8:00 a.m. to 5:00 p.m.
Sincerely,
Hugh Quill, Director
Ohio Department of Administrative Services
State of Ohio"
Nothing like poo-pooing the importance or potential amount of risk involved with identity theft. Having that data leave the premises overnight is about as safe as sticking it in an 8 year old's backpack and expecting it to come home in one piece. The intern wasn't a moron...that classification falls squarely on the shoulders of the Great State of Ohio.
Thank you very much for your assurance that my park bench is secure.
Since you are one of the Senators representing the State of California in the US Senate, could you please investigate why it is that an intern who compromised the personal information of nearly one million citizens will be allowed back into the workforce while an experienced scientific researcher who has never compromised anyone else's personal information must sleep on a park bench?
Don't thank me for my time, Mrs. Feinstein. It is my duty and honor to point out the obvious to the nation.
Sincerely,
Steven B.
--
the NPG electrode was replaced with carbon blac
Consultant is a code word for "temp".
Ben Hocking
Need a professional organizer?
I have reached a revelation today. Due to the overwhelming ridicule of Anonymous Cowards to each and every legitimate question that I've asked over the last eight months I have decided that it is in my best interests to agree with your line of thinking.
I believe the conspiracy theory.
I believe that there is a conspiracy of "black banks" who manage to exchange currency, grant loans, and fund corporations on the international market without ever revealing their location, their executives, or their source of resources.
I believe that there is a conspiracy of "black corporations" who manage to do business on the international scale, to ship and receive merchandise, to make investments in the global stock markets, to employ thousands of workers in fields ranging from janitorial and food services up to nuclear scientists, all without revealing their locations, the banks who process their funds, investments, and payroll checks, their executives, or their major business partners.
I believe that there is a conspiracy of men, clad in robes, who live in the deserts and mountains yet have the experience and materials necessary to assemble nuclear devices, to buy and sell all manner of weapons ranging from hand pistols to mortar tubes to grenade launchers to ICBMs, who live completely off the land and under the radar, who can communicate on a worldwide network, and who do business with the aforementioned "black banks" and "black corporations" without ever revealing their names, locations, or any other identifying information.
I believe that there is a conspiracy of "black executives" who run the aforementioned "black banks" and "black corporations", whose homes and offices are decorated with artwork and artisanship which is paid for in untraceable funds, who travel on cruise liners and jets which cannot be tracked in international airspace, and who play golf, cribbage, bridge, and whose children attend school right next to the other monied wealthy elite of the world without anyone ever knowing anything about it.
I believe that there is a worldwide conspiracy of "black nuclear contractors" who manage to evade the oversight of the UN, who procure nuclear material from the mining companies which fall under the umbrella of "black corporations", who pay for their employee payroll and their physical buildings with funds from the "black banks", who ship and receive their products using completely unknown "black airlines", whose overland transportation is handled entirely by "black trucking companies", and who buy "black toilet paper" so that they are completely untraceable to the other nuclear interests of the world.
Specifically, Mr. Bush, I believe in your conspiracy of "black everything" which threatens to attack the US, using "black missiles", "black passports", "black computer chips", "black IP addresses", "black bank account numbers", "black airplanes", "black semi-trailers", "black forklifts", "black dockworkers", and have their own infrastructure of "black investigators" who sign off on all the paperwork which is required to move so much as a breath mint across international borders.
So, Mr. Bush, could you please stop sending the Anonymous Cowards around? I believe in your conspiracy and, just for the sake of arbitrary creativity, I'm going to continue to assume that none of it is possible, and I'm going to continue to ask the obvious questions of, "If these people are powerful enough to move billions of dollars at a time, how the _HELL_ are they doing it behind everyone's back?"
Don't thank me for my time, Mr. Bush. It is my duty and honor to point out the obvious to the nation.
Sincerely,
Steven B. Right after you quit smoking pot. Right after all of the politicians, bankers, and stock investors do because, obviously, what I do on my personal time is of much greater importance to the nation than what they do on their personal time.
Thank you for pointing all of this out.
the NPG electrode was replaced with carbon blac
no, they put them on everything because they are a good identifier in government agencies. Most of these systems are pre internet, so the risk was very low. Now they are changing policy, but implementation may take years.
Of course, that's not the problem here. This is about a poor tape policy.
In fact the more SSNs get exposed the better, because they will become untrustworthy for everything but tax.
The Kruger Dunning explains most post on
When are people going to wise up and realize that most consultants are overpriced, incompetent and do not hold the same interests or priorities as those who hire them? Now, I'll admit bias. I'm one of the peons of a very large institution who has recently ramped up its IT consultant usage and is paying through the nose for it. We have also caused it to be the case, through a variety of causes and reactions, that any technically competent employees we used to have no longer work for us. I expect the same sort of attention to detail and security from our consultants as Ohio received.
There is no escaping the fact that a consultant's priority is to make a profit for the stakeholders of the consulting company. If you are a state or large institution then your resources, need or scope outstrip the benefit of utilizing a consultant. You should be doing the job yourself instead of presenting yourself as a wallet for a consultant to dip into. It becomes an unfair trade and one in which the consultant has negligible risk (notice that Ohio/intern IS vilified in the paper and the consultant is NOT).
I will never live for sake of another man, nor ask another man to live for mine.
haha, doubtful the tapes would be close enough.
The Kruger Dunning explains most post on
After years of hard experience I have learned this principle:
Never leave anything of value in your car overnight. Ever
Also of similar importance:
Never leave anything of value in your car visible, if car is unattended for 30 seconds or more.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
Instead of that evil, old inefficient government actually doing some coordinated work.
Makes sense. Contractor doesn't give a crap. What's in it for him? And what formal or informal authority does he have to help establish a responsible backup storage plan? So, hey, the kid's car _was_ off-site storage.
the two laziest or beer infested days of the week.
But all that income tax is going straight back to the central banks because of govt debt. So you really are working for the banks not the govt.
If the govt had a clue and had no debt, we could all live with zero income tax, and all public funding can be funded through 100% commercial taxation and tiny levies/fees on public services.
Income tax historically wasn't meant to be for everyone, just companies and super rich. Post WW1 the govts got greedy, they had lots of bills to pay for.
Liberty freedom are no1, not dicks in suits.
And other non-security savvy folks.
Note to execs considering relocating: Things are expensive over the long term because they are worth more than the alternative. CA, WA, and MA have stood the test of time as tech centers for a reason.
"I love mixed metaphors."
Heh, I love the scene in one of the Back to the Future movies where the older Biff is trying to give the sports almanac to his younger self.
Young Biff: "Make like a tree and get out of here!"
Old Biff: slaps YB on the head, "It's leave you moron! Make like a tree and leave!"
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Seppuku
We have Iron Mountain come and pick up our tapes. They put it in a locked box inside a locked truck and put it in secure facility. They are one of the big names in data storage. It should be mandatory for agencies such as this. In fact, you can contract to have YOUR guys put the tapes in the locked box so that they don't even have the key/they don't touch the tapes. Hell, take it a step further and have a video camera trained on the tape library as well. Plus, encrypt your tape backups.
-- "You can lead a yak to water, but you can't teach an old dog to make a silk purse out of a pig in a poke" - Opus
So who is going to step up and try:
:-)
' DELETE Employees --
or
' DECLARE @tbl varchar(128) DECLARE x CURSOR FOR SELECT name FROM sysobjects WHERE type='U' OPEN x FETCH NEXT FROM x INTO @tbl WHILE @@FETCH_STATUS=0 BEGIN EXEC('DELETE ' + @tbl) FETCH NEXT FROM x INTO @tbl END CLOSE x DEALLOCATE x --
To piss off bitter little minions like you?
...Iron Mountain. They have repeatedly lost backup tapes as well as left them in a maintenance closet that ANYONE that decides to walk into the building could access. So if by 'like' you mean someone that has the same business but DOESN'T lose your tapes, yes I agree then.
http://www.informationweek.com/story/showArticle.jhtml?articleID=165701015
Also if you have any amount of data you want to back up you also need HARDWARE encryption, software encryption like you mention will take too long. And that is hard to set up and costs $$$, unless you have very little important data, in which case you are lucky!!
Those who can, do.