Slashdot Mirror
"Clear" Laptop Found, In the Same Locked Office
jafo alerts us to an SFGate story reporting that the lost "Clear" Program laptop has turned up in the same office from which it was reported missing, but not in its previous location. "A preliminary investigation shows that the information was not compromised... The computer held names, addresses and birthdates for people applying to the program, as well as driver's license, passport and green card information. But, she said, the computer contained no Social Security numbers, credit card numbers, fingerprints, facial images or other biometric information... The information was encrypted on the server, but not on the laptop, although it should have been... However, it was protected by two levels of passwords." Reader jafo adds, "Pardon me if I have little confidence that an organization that loses a sensitive laptop for 9 days is able to tell if it was compromised."
... I borrowed it for the weekend to play WoW.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
Those are, like, needed to remove the hard drive, right?
Wait, if it was not encrypted on the drive, but the device was physically compromised, how was it protected by any passwords, let alone two levels of passwords?
Even though this laptop was not actually stolen, that does not excuse the gross lapse of judgement by the people responsible. Two levels of passwords is fine, but unencrypted data still leaves potential victims vulnerable. This still raises the question of why sensitive data was on something as portable as a laptop. Oh and nevermind the fact that they managed to lose it in their own office completely kills any confidence I had in them.
and none of it came back today.
Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
I cleaned and moved senior sm-eee-ths office aftah his lady friend has leff, she musta mov-ed the baby compuuutah.
On a more serious note, Isn't this just another way of the company saying "Oh wait, haha, we didn't lose anything JUST a big mis-understanding, you can keep giving us more money..."
The truth is, they have no idea if it was compromised or not. All you'd need is an Ubuntu boot CD and you could read the data straight off the drive.
Next time they should use THREE levels of passwords. ;)
So... what does that actually mean? I know that TFA is a media fluffed version washed for the general masses, but they could've mentioned that part at least. If one was the NT login, were the admins smart enough to disable the LM Hash? Still, booting it with a *NIX CD and blanking the SAM password for administrator is trivial. What could the second be? A BIOS password? Open it and pull the battery. Big deal.
Is there something I'm missing about this? Are there a (whopping!) two password scheme that could actually make something more secure then just booting it with something else and pulling data off?
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
Yeah, we...uhm...found the laptop again...really did...yeah...because claiming so leaves us protected from any coming lawsuits that might or might not be caused by any identity theft cases that could be related to (but, of course, actually are nothing at all caused by) this incident...which certainly did never happen...
And of course noone tampered with the machine...after all if WE couldn't find it, who else could have?
Friends again?
That is why I prefer opaque laptops.
Better known as 318230.
I would assume it had been compromised if it was missing for that long, even if nothing showed up in the logs. How hard is it to make a clean copy of the drive and then doing what you want with the copy. Or if they have some type of hardware encryption (one of those IBM stuff) it's still easy to get to the data.
Never keep personal information on a laptop, encrypted or otherwise. Store it on a server, or if you really need to bring it with you keep it encrypted on a USB stick that you have on your keychain and you should notice if it goes missing. Maybe keep some semi-secure (password encrypted) key-file on the laptop. Ie to get to the data they would need to get a hold of both the laptop and the USB-stick + that the password would need to be bruteforced.
Lost for nine days? Found in the same office in which it was reported lost? How hard did they look for it? Talk about failing to build confidence...
FTA: "Beer said the airport office is always locked, so if the laptop was removed, someone would have needed a key to return it." .... That ought to at least narrow the list of dumbasses who may have taken it home (hopefully) and put it back.
The laptop had either been stolen, and sold with the information wiped, stolen and the information sold, lost, destroyed, or left in an office.
Whichever it was, the only information they had was that it was unaccounted for. It was actually a good response to automatically assume the worst case scenario and deal with the situation as if that had happened. If the worst case scenario was the case then at least it was dealt with as best it could be. If not then the only harm done is to them and not their customers.
So while losing it was very inept, their response afterwards was actually fairly responsible of them.
This whole 'Clear' thing is bullshit. Its a bad solution to a problem that should not exist in the first place.
If you buy the story that all the airport security that results in thousands standing around waiting to get to their gates is both necessary and effective then you must question any program that claims to pre-screen anyone because that just opens a window of opportunity between the pre-screen and the actual boarding of the flight in which the pre-screened person can be compromised in any number of ways.
It all comes back to the problem that there is no such thing as "the evil bit" - and any system which tries to make up for that by using some other combination of 'bits' as a proxy for the non-existent 'evil bit' is just a house of cards built on a non-existent foundation.
Even if you take Bruce Schneier's view that Clear is a good thing - not for the pre-screen, but because of the open-market approach to airport security which lets people pay more in exchange for a guaranteed short processing time - its still bullshit. That's because the rich and the powerful - the idiots who make the laws that created the TSA and their time/money wasting policies will be able to avoid having to suffer the consequences of their own actions. They can just pay a few hundred dollars more and never suffer the crap that they dumped on all the plebes.
Congress already exempts itself from too many of the laws its passes (no social security, they have their own program, no anti-discrimination in hiring laws on the hill, etc) they should not be able to get another free pass on suffering the effects of creating the TSA.
When information is power, privacy is freedom.
That having the company's personal information crown jewels on a laptop, unprotected would be an automatic, stop, don't pass go firing offense at any self-respecting corporation today.
is that this was likely an inside job. It is probable that the person HAD the password, grabbed the laptop, used the password to obtain info, and then put it back.
Another real possibility, is that they grabbed the HD, copied it, and then put it back after the heat was high.
Trusting this company is like trusting W.; u KNOW that you are being lied to.
"[data was not encrypted] However, it was protected by two levels of passwords."
Baby, I'm sorry I cheated on you. But I was thinking of you while we did it.
...electronic versions of the Rose Law Firm billing records.
Any technology distinguishable from magic is insufficiently advanced.
...by acting the slightest bit suspicious. They move me swiftly to the front of the cavity search line, and then usually send me straight to the terminal when they're done.
i have a roll of electrical tape.
Obviously, no one could have taken the information if it was still on the hard drive.
I can t hold them back any more, PROfessor.
the Twins want there results on time(18:32.0am).
~%%%%%
The creator of this post (Jacob Smith) hereby releases it, and all of his other posts, into the public domain.
Allison Beer is a senior vice president for a company called "Clear". Has to be a joke here someplace.
If you want news from today, you have to come back tomorrow.
names, addresses and birthdates for people applying to the program, as well as driver's license, passport and green card information
That's more than enough to steal an identity. I've ran across folks who had their identity stolen by folks who just used their names, address and DOB - the thief found a very careless creditor; which wasn't hard.
When they finally found the laptop did they stop cleaning the office or did they finish up?
FTA:[blockquote]The information was encrypted on the server, but not on the laptop, although it should have been, Beer said. However, it was protected by two levels of passwords.[/blockquote]I'm confused. It was not encrypted on the laptop, but was protected by two passwords? What?
If you want news from today, you have to come back tomorrow.
I've given up. I bought a case of KJ and whenever Congress is in session, regardless of what party is in power, I pull out a tube and mumble, "Here we go again, sigh."
I'll vote against all the incumbents in November - for what good it may do
They lose a laptop with sensitive information, and it inexplicably (and allegedly) reappears in the same office as if by magic, but it's okay, because even though none of the data was encrypted, it was guarded by two levels of passwords (ooh, shiny), and they claim they have some way of knowing that the data hadn't been accessed in spite of their shaky grasp of basic security and data encryption.
Sorry guys, but you're going to need a bigger shovel to handle all that bullshit properly.
Clearly leaving sensitive information on an unencrypted laptop with only two passwords will deter hackers from paying mind to it. In fact, they'll think they stole the wrong laptop and return it to the same place they took it once they realize there's no encrypted data.
Ha ha!
You never expect irony, do you?
Want to be a professional wrestler? Visit www.iyfwrestling.com
@iyfwrestling
So, what we have here is starting to sound like: employee 'borrows' office computer for home use, manager raises alarm, news media panics, employee waits until dust settles a little to slip 'borrowed' property back into office.
Either that, or the identity thieves who who masterminded the scheme to steal that data were really slow.
"We reject as false the choice between our safety and our ideals." --The American President (20.1.2009)
I find these two articles disturbing. They disagree as to the level of customer information involved. The newer article also implies that although they have no idea where this laptop was for nine days - they consider the information to be uncompromised.
"We don't believe the security or privacy of these would-be members will be compromised in any way," said Verified Identity Pass chief executive Steven Brill.
I'm sorry, but if there are serious questions as to where the laptop was for nine days - the data has to be treated as compromised. If there is a question as to what sensitive information was being stored on the laptop - it points towards even more serious flaws in data handling processes.
If I'd lost a laptop with all this sensitive data on it and I wanted to ensure that the Clear system continued to work, I would probably "find" the laptop again.
Wouldn't want confidence to drop now would we?
I guess what are the loggings in the internet browser history during these 9 days. Uhm, well, probably some high double-password-secured visits for some popular xxx sites and some not so popular. No, I'm not talking about horses ans penguins, this must be weird. But leaving the ironic side, I ask what USA border police may comment about such thing. Would this machine be arrested in frontier or they prefer to take some teenagers laptops?
Information technology means all information.
I had to move it after spilling some bawls on the table...
must have forgot where i put it
After the big media blitz, I imagine the laptop was found "somewhere," and it was a lot easier to explain if "somewhere" became the same locked office it was supposed to be in. I seem to recall some removable hard drives in the Los Alamos fiasco that also eventually "were discovered" in secure areas like behind a copy machine or something.
/cynical
realistic (what's the difference, anyway?)
Laptops and removable hard drives are inherently portable - if you really care about preserving the confidentiality of anything, it should be treated in an "eyes only" manner while on the portable media - when you're done, either encrypt or wipe. If the portable device leaves your sight for 15 minutes, you can assume that it has been copied. If it's not encrypted, it doesn't matter how many passwords are required, it can be copied in a very short time with a screwdriver and a mini-notebook, or any other contraption with a compatible drive controller.
/realistic
Dear Slashdot,
I've borrowed a laptop from my office to download a little . . . well, nevermind. But, the thing is that my manager went apeshit and the laptop turns out to have a lot of valuable data sitting on it. What should I do?
The FBI is searching the homes of all the employees, so I can't keep it. If I give it to a friend, some one will eventually tell and I'll get busted.
If I dump it or destroy it, they'll assume espionage and the investigation will go on for months and I'm sure to slip up eventually.
If I return it to quiet things down, I might provide them with forensic evidence they can link to me, not to mention maybe getting caught doing it.
Please help. If I lose my security clearance, I'll never get another job.
"We reject as false the choice between our safety and our ideals." --The American President (20.1.2009)
Oh, so we should be looking for someone with a bootable ubuntu CD! that narrows it down! Of course, Someone could have just misplaced it (to play WoW), but then to crack the passwords you do need a sword thats +9 to Ogres. On a further note ... My captcha word is "testicle" .. sick, sick world
Breaking into the Pentagon computer..
Double click on 'Yes.'
Oh. Password protected. Twenty billion possible chances..
Er..
Jeff.
Hey!
End of line..
It was never actually missing. They just couldn't find it in their own office.
I am Bennett Haselton! I am Bennett Haselton!
Thank you.
Thanks for protecting our pri... wait I didn't order two tickets to Macau!?
Three cops dead, and they found my fingerprints?
Put Knoppix, Puppy, or any of the other myriad live linux distros in the CD drive, turn the power on, and presto. You can now clone the hard drive (via USB if you don't want to open the case) with ease. Passwords? Who needs passwords? If the disk wasn't encrypted, all your data belong to us.
I don't see how anyone would have "evidence" that this was/wasn't done.
Hey, guess what? There's a difference between "we can't prove the data was accessed" and "we can prove the data wasn't accessed". Only one of these would matter. Nope, not that one...
I'll give them points for raising the alert when they weren't sure what happened. I stop giving them points when they found the laptop, and decided to put out a press release that appears to say "No one did anything obvious to let us know the data was accessed. So we're going to tell you there was no data breech and wish really hard everyone will shut up about it."
A "fairly responsible" response would be "We've recovered the laptop. We are still investigating where it was and who had it during the unaccounted period. While we can tell the data was not accessed 'casually', it would be difficult to tell if someone with some computer skills had accessed the data. Therefore, out of an abundance of caution, we will proceed as if the data was compromised, including securing what we can of the possibly compromised data, and taking steps to ensure no such breech could happen in the future."
Gone for 9 days? I think a variation of the Rainbow-Table solution can be applied here. Aside from the reason that the laptop was not in the office in the first place. I think that the scenario to consider is that the entire hard drive was copied, more than once, and that now the new owner of the copies has all the time in the world to brute force the passwords. And in a few weeks when all this is blown over, there will be a new list on the open market to purchase. The Bad Guys are on the job 7/24, these types of personalities are not the types to under estimate. I would hope the FBI persues them before we as a group are to damaged by this lapse in laptop security.
the first password is 12345
Amazing, that's the same password that I use on my luggage!
No, no, no. Just a little radiation leak. Give us a minute to lock it down.
... uh ... oh look! We found it! It was here all along! We're fine here ... now. How are you?
Uh, negative, negative, don't come in here
How could you tell, if you borrowed the notebook, took out the drive, used an adapter to mount the drive another computer, and dd'd it.
This is my sig.
WHY THE HELL IS THIS STUFF ON LAPTOPS TO START WITH!
I'm sorry, but there are some information that belongs on servers managed by people that at least understand (hopefully) security and encryption. And then the only access to it from secured thin client terminals inside the office.
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
they no longer have to tell you they are searching, and can do it quietly/legally while you are away.
maybe the feds came in took it, got a good clean copy, and returned it?
But of course Toshiba has the BIOS freely downloadable on their site, for the challenge/response system to be reverse engineered at the leisure of the attacker (unless they decrypt the BIOS upon flashing in hardware, using some key stored in NVM, which is probably not the case). This would all be nice, real mode x86 with no hidden libraries to search for, and a simple assembly job, searching for a call to the data segment "PLEASE TYPE IN CMOS RESET CODE", and solving the hash. Or, if it is a good hash, reflashing/replacing the bios chip with one that has an appropriate JMP command inserted, or BNE replaced with BEQ, so that the only response that doesnt work is the right one :-)
The HDD password system stores the hash in the drives EEPROM, not the platter. It does not encrypt the contents of the platter, but just makes the drive unresponsive. To recover data from toasted drives in the past I have had success swapping controller boards when that is that part that failed. You lose all the information on bad sectors, but depending on how valuable the data is, 99.99% good data is better than 0 data. I cannot say I have tried this for password locked hard drives, but it is very possible that the controller board swap method would allow access to the data, good enough for a not-quite forensic sector-by-sector copy to be made.
You also risk corrupting all data on the drive. Sometimes the risks are worth it.
I am a clear member, and here is what was sent to me:
Thank you for your email; we appreciate your concern and apologize for it. We will be sending out an email this morning to everyone laying out exactly what happened â" and what didnâ(TM)t happen, but Iâ(TM)ll share the essence of it with you here:
We take the protection of your privacy extremely seriously at Clear. Thatâ(TM)s why we announced yesterday that a laptop from our office at the San Francisco Airport containing a small part of pre-enrollment information (but not Social Security Numbers or credit card information) recently went missing. And we were prepared to send all applicants and members the appropriate notice yesterday detailing that situation.
The laptop was recovered yesterday. And, we have determined from a preliminary investigation that no one logged into the computer from the time it went missing in the office until the time it was found; therefore, no unauthorized person has obtained any personal information.
We are sorry that this theft of a computer containing a limited amount of applicant information occurred and we apologize for the concern that the publicity surrounding our public announcement might have caused. But in an abundance of caution, both we and the Transportation Security Administration treated this unaccounted-for laptop as a serious potential breach. We have learned from this incident and we have suspended enrollment processes temporarily until all pre-enrollment information is encrypted for further protection. The personal information on the enrollment system was protected by two separate passwords, but Clear is in the process of completing a software fix â" and other security enhancements â" to encrypt the data, which is what we should have done all along, just the way we encrypt all of the other data submitted by applicants. Clear now expects that the fix will be in place within days. In the meantime, all airport Clear lane operations continue as normal.
Mootpoint
Wow, that is a pretty naive assumption.
1. Steal laptop
2. Copy user records
3. Modify a few select existing records
4. Replace laptop to avoid suspicion
5. ???
6. Profit!!
I'm sure some people would pay some pretty good money to get on the Clear list...
Others would pay good money to get a copy of who is on the list...
All I can say is, "Ha Ha!"
Thank god the server is encrypted but the laptop isn't. That makes a lot of sense.
Anyone else think this story is just a cover-up for the fact the laptop really is still lost? Falsely claiming it's been recovered is a lot less painful than dealing with the PR consequences.
...you can't make THIS shit up either.
Bet he didn't lose his $tarbucks card.
deleting the extra space after periods so i can stay relevant, yeah.
I remember getting a security audit. These people came in to 'hack' (just get root access) to the systems. Once they had that they stopped. They really just ran password guessing programs on the machines. I had a DB server that was not part of the domain only used DB accounts no domain accounts were used. So the domain accounts and passwords didn't work. At the end of the week they never got into that machine. The rest of the windows, sun, VAX, I forget about the mainframe were cracked. My boss was wondering why that one windows box was not cracked, and so did the company. I never told the company I just said they failed to get into my DB machine. They left and my boss and a few VPs wanted to know how I did it.
The password was: ThisIsThePasswordForMachineDelta
They never went past 15 characters in their password program. I was surprised that it wasn't guessed since it was all letters but it worked. And a new 30+ password systems was set in place. I did get a few threatening emails after the new password policy was put in place though. This was also 1997 too, so it most likely would not work today.
IIRC (which is unlikely) hdparm will give you the last few spin-up times? But presumably this data could be dd-ed over with the old data.
Are there any other ways to check if the computer has been booted? Perhaps test the voltage across capacitors on the motherboard ... yeah that'll be what they did!?
So that's why my computer always has that "new hard drive" smell?
Would it have been better if the laptop was found behind the photocopier?
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
They catch bad press and all of a sudden the laptop just.. turns up in the same room it was lost? Please.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
"The squeaky wheel gets the oil."
you had me at #!
"Reader jafo adds, "Pardon me if I have little confidence that an organization that loses a sensitive laptop for 9 days is able to tell if it was compromised.""
Jafo my friend, even if they could tell it was or was not compromised the public answer is going to be the same either way... now *that* some slashdot level cynicism
"Ahh! Arrogance and stupidity in the same package, how efficient of you!" --Londo Molari
As I was waiting my turn in line at the SFO security gates and about to put my things on the conveyor belt, all of a sudden a "Clear" employee brings a customer of theirs to cut right in front of me with a curt "excuse me". What is that? Just because they pay money they get to cut in front of me? Isn't the airport a public facility?
Can I open up shop in a grocery store and sell tickets whereby I cut in front of everybody else to get my clients through?
I wanted to raise a fuss but being that it was the airport I kept my mouth shut otherwise they'd probably arrest and detain me for terrorism or something. But seriously, what is the deal?
Makes me very angry.
I have to wonder:
If someone has physical unencrypted access to the laptop, can someone access it and effectively cover their tracks? (i.e. can you really be sure if the data has been read/copied?)
If someone has physical access to the laptop, what checks would you run (software and hardware) to ensure that it's entirely safe to put back on to the TSA's network? Do you believe that's it's possible / probable that the laptop would be properly checked out before being reintroduced to the network?
Just thinking out loud - everyone's focusing on the data integrity of the Clear list, wonder if that's the only thing that should worry IT about this security event.
I thought dd couldn't write more than ~2GB? When I tried to do that very thing (salvaging my wife's home directory), it would mysteriously fail. Eventually, I just did a mass scp of * to another machine, but was genuinely surprised that dd wouldn't work. Am I using the wrong version, or not passing it the right options, or what?
...gets through airport security quickly every time! ;-)
Ask Me About... The 80's!
Ok, they brought it back, and these idiots think that it was safe as it had 2 passwords....tell you what, lend me your personal laptop, encrypted and everything, I will pop out the hdd and clone it in minutes, then bring it back before you had a change to do anything, then I will use VMWare to boot that drive and take as long as I need to hack into it, 'cuz now I have it at home....
Sh*t, some people should not own computers, just like some should not drive.
I work for a state government, we "outsource" stuff to subcontractors sometimes, too. Here's the problem: subcontracting removes the ability to hold someone accountable. The manager (it's always a manager, they fired the employees when they outsourced it) responsible for the program says "don't look at me! It's the subcontractor's fault". Yet the government is usually powerless to tell the subcontractor to fire the idiots responsible ("government interference with 'small' business! Oh my god!"). A third problem: the subcontractor makes their profit by doing things cheaply, so they pay the employees as little as possible, creating a bribery incentive for data like this to be copied. I don't really like the TSA, but if we _have_ to have it, none of the operations should be outsourced. They should all be direct government employees without career service protections, so they can be fired at will. Perhaps put them into a branch of the military (Coast Guard would be the closest in terms of purpose), and if they screw up, rotate them into a combat zone somewhere - or, if we aren't in conflicts anywhere, let them guard radar installations at Point Barrow, Alaska. Whatever it takes to make the employees know that their performance is judged _seriously_. The better solution is to abolish it and therefore the cost of running it... but like I said, if we have to have it, then let's at least get serious about doing it right.