Slashdot Mirror

← Back to Stories (view on slashdot.org)

"Clear" Laptop Found, In the Same Locked Office

Posted by kdawson on from the never-mind dept.

jafo alerts us to an SFGate story reporting that the lost "Clear" Program laptop has turned up in the same office from which it was reported missing, but not in its previous location. "A preliminary investigation shows that the information was not compromised... The computer held names, addresses and birthdates for people applying to the program, as well as driver's license, passport and green card information. But, she said, the computer contained no Social Security numbers, credit card numbers, fingerprints, facial images or other biometric information... The information was encrypted on the server, but not on the laptop, although it should have been... However, it was protected by two levels of passwords." Reader jafo adds, "Pardon me if I have little confidence that an organization that loses a sensitive laptop for 9 days is able to tell if it was compromised."

26 of 264 comments (clear)

  1. Sorry by MyLongNickName · · Score: 4, Funny

    ... I borrowed it for the weekend to play WoW.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    1. Re:Sorry by Loibisch · · Score: 4, Funny

      I'm amazed...how did you get through the two levels of passwords? You must be one hell of a master hacker!

    2. Re:Sorry by MyLongNickName · · Score: 4, Funny

      Oh, that's easy. You see, we tape the passwords to the bottom of the PC. Those of us who work there know this, but no outside hacker would ever think to look there.

      Plus the first password is 12345 and the second is ABCDEFG. Half the time, I don't even have to look at the sticky note.

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    3. Re:Sorry by $RANDOMLUSER · · Score: 5, Informative

      Trust me, if the bomb diffuses, things just got WAY worse.

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    4. Re:Sorry by JWSmythe · · Score: 4, Funny

      Only if you roll less than a 20 on 2d10.

          God, I can't believe I remember crap like that from 20 years ago. :)

      --
      Serious? Seriousness is well above my pay grade.
    5. Re:Sorry by hansraj · · Score: 4, Informative

      Your (mysterious) reply prompted me to go to the far corners of the internet to learn that the proper word is "defuse". Words spoken like a true zen master - you don't get a clue unless you are already enlightened.

      Thank you.

    6. Re:Sorry by databyss · · Score: 4, Funny

      Is "20 years ago" code for "last night in moms basement"?

      --
      Hmmm witty sig or funny sig? Maybe elitest techy sig!
  2. Two Levels of Passwords? by something_wicked_thi · · Score: 5, Funny

    Those are, like, needed to remove the hard drive, right?

    1. Re:Two Levels of Passwords? by amazeofdeath · · Score: 5, Funny

      Yes, the screws on the bottom of the laptop will ask you the boot and Windows passwords before they'll open.

      --
      U+F8FF
    2. Re:Two Levels of Passwords? by Siener · · Score: 4, Informative

      You don't even have to remove the HD. If the data is not encrypted you can boot from a USB key or CD and just copy the files.

      --
      siener's youtube channel
    3. Re:Two Levels of Passwords? by flappinbooger · · Score: 5, Interesting

      Yes, Yes, Inside job it was, young skywalker. You are advancing in the force, you are!

      Reminds me of one time where my boss was in the field at a customer's factory. He had his "notebook" in which he writes everything down. (a paper notebook, old school, not a laptop)

      He left it on a table in the break room for a couple hours and forgot about it. Later, when he remembered, it was gone.

      A few hours LATER, it was back, pretty much where he left it.

      Luckily it didn't have any pricing or other such things in it, but it still wasn't a good thing.

      But Karma is interesting, this same customer a few months later set us an email which happened to have a high level very confidential spreadsheet attached, accidentally. It contained the companies strategic plan for the coming months - peoples salaries, names, locations, PLANT CLOSURE PLANS, savings from plant closures, all that stuff. "ummm, yes, there was a spreadsheet that you ... shouldn't have got... can you please erase that? Right now? And not look at it? Thanks!"

      My point is, and I have one, encryption is fine but it is no guarantee against mistakes and/or stupidity.

      --
      Flappinbooger isn't my real name
  3. no excuses by iveygman · · Score: 5, Insightful

    Even though this laptop was not actually stolen, that does not excuse the gross lapse of judgement by the people responsible. Two levels of passwords is fine, but unencrypted data still leaves potential victims vulnerable. This still raises the question of why sensitive data was on something as portable as a laptop. Oh and nevermind the fact that they managed to lose it in their own office completely kills any confidence I had in them.

  4. I lost all confidence in Clear yesterday by oodaloop · · Score: 5, Interesting

    and none of it came back today.

    --
    Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
  5. It wasn't by Digital_Quartz · · Score: 5, Insightful

    The truth is, they have no idea if it was compromised or not. All you'd need is an Ubuntu boot CD and you could read the data straight off the drive.

    Next time they should use THREE levels of passwords. ;)

  6. Two Passwords? by xanadu-xtroot.com · · Score: 4, Insightful

    However, it was protected by two levels of passwords.

    So... what does that actually mean? I know that TFA is a media fluffed version washed for the general masses, but they could've mentioned that part at least. If one was the NT login, were the admins smart enough to disable the LM Hash? Still, booting it with a *NIX CD and blanking the SAM password for administrator is trivial. What could the second be? A BIOS password? Open it and pull the battery. Big deal.

    Is there something I'm missing about this? Are there a (whopping!) two password scheme that could actually make something more secure then just booting it with something else and pulling data off?

    --
    I'm not a prophet or a stone-age man,
    I'm just a mortal with potential of a super man.
    1. Re:Two Passwords? by gruntled · · Score: 4, Insightful

      Hmm. Standard internal investigation procedure: Wait until suspected bad actor has gone home, go into his office, remove hard drive from computer, use Ghost to create reasonably accurate copy of existing drive on another drive, replace duplicate drive in computer. Take your original drive back to your forensics lab, use your forensics software to make a forensically sound image of the original drive, lock the original drive in your safe in case a judge ever wants to see it, drill down through your forensic image at your leisure.

      If you weren't especially interested in creating chain of custody documents, you'd just make a forensic image of the original drive and replace the original drive in the box. Then, absent tool marks or other evidence that the box had been opened, even a qualified forensic technician could swear under oath that there was no evidence that anybody had accessed the data on the box. And it wouldn't matter how many passwords you had on the box if it weren't encrypted...

    2. Re:Two Passwords? by jamesh · · Score: 4, Informative

      What could the second be? A BIOS password? Open it and pull the battery. Big deal.

      It could be a big deal. We do warranty and service work for HP hardware and in the past laptops have come in with BIOS passwords and we were not able to remove them. The password is actually part of the ATA protocol and so the disk is unusable without it, even in another machine. I think the only operation you can do is an ERASE. If you remove the battery then the BIOS forgets not only the BIOS password, but the disk password too.

      I'm sure there are backdoors for some drives, but the customer in question in this case certainly wasn't willing to pay for us to investigate it so the data was as good as lost.

      TPM, if implemented correctly, provides fairly good protection too. As does Microsofts BitLocker.

      Physical access reduces security by a whole heap, but if things are done right then it doesn't reduce it to zero.

      Of course as others have mentioned, an organisation that loses laptops like that probably isn't 'doing things right'...

  7. "Clear" Laptop Found, In the Same Locked Office by Dan+East · · Score: 5, Funny

    That is why I prefer opaque laptops.

    --
    Better known as 318230.
  8. How Hard Did They Look? by whisper_jeff · · Score: 4, Insightful

    Lost for nine days? Found in the same office in which it was reported lost? How hard did they look for it? Talk about failing to build confidence...

  9. Correct response by 91degrees · · Score: 5, Insightful

    The laptop had either been stolen, and sold with the information wiped, stolen and the information sold, lost, destroyed, or left in an office.

    Whichever it was, the only information they had was that it was unaccounted for. It was actually a good response to automatically assume the worst case scenario and deal with the situation as if that had happened. If the worst case scenario was the case then at least it was dealt with as best it could be. If not then the only harm done is to them and not their customers.

    So while losing it was very inept, their response afterwards was actually fairly responsible of them.

  10. Clear is bullshit by Jah-Wren+Ryel · · Score: 5, Interesting

    This whole 'Clear' thing is bullshit. Its a bad solution to a problem that should not exist in the first place.

    If you buy the story that all the airport security that results in thousands standing around waiting to get to their gates is both necessary and effective then you must question any program that claims to pre-screen anyone because that just opens a window of opportunity between the pre-screen and the actual boarding of the flight in which the pre-screened person can be compromised in any number of ways.

    It all comes back to the problem that there is no such thing as "the evil bit" - and any system which tries to make up for that by using some other combination of 'bits' as a proxy for the non-existent 'evil bit' is just a house of cards built on a non-existent foundation.

    Even if you take Bruce Schneier's view that Clear is a good thing - not for the pre-screen, but because of the open-market approach to airport security which lets people pay more in exchange for a guaranteed short processing time - its still bullshit. That's because the rich and the powerful - the idiots who make the laws that created the TSA and their time/money wasting policies will be able to avoid having to suffer the consequences of their own actions. They can just pay a few hundred dollars more and never suffer the crap that they dumped on all the plebes.

    Congress already exempts itself from too many of the laws its passes (no social security, they have their own program, no anti-discrimination in hiring laws on the hill, etc) they should not be able to get another free pass on suffering the effects of creating the TSA.

    --
    When information is power, privacy is freedom.
  11. Quote of the Day by SendBot · · Score: 4, Funny

    "[data was not encrypted] However, it was protected by two levels of passwords."

    Baby, I'm sorry I cheated on you. But I was thinking of you while we did it.

  12. We'll just put it back by PMuse · · Score: 4, Insightful

    So, what we have here is starting to sound like: employee 'borrows' office computer for home use, manager raises alarm, news media panics, employee waits until dust settles a little to slip 'borrowed' property back into office.

    Either that, or the identity thieves who who masterminded the scheme to steal that data were really slow.

    --
    "We reject as false the choice between our safety and our ideals." --The American President (20.1.2009)
  13. Ask Slashdot by PMuse · · Score: 4, Funny

    Dear Slashdot,

    I've borrowed a laptop from my office to download a little . . . well, nevermind. But, the thing is that my manager went apeshit and the laptop turns out to have a lot of valuable data sitting on it. What should I do?

    The FBI is searching the homes of all the employees, so I can't keep it. If I give it to a friend, some one will eventually tell and I'll get busted.

    If I dump it or destroy it, they'll assume espionage and the investigation will go on for months and I'm sure to slip up eventually.

    If I return it to quiet things down, I might provide them with forensic evidence they can link to me, not to mention maybe getting caught doing it.

    Please help. If I lose my security clearance, I'll never get another job.

    --
    "We reject as false the choice between our safety and our ideals." --The American President (20.1.2009)
  14. My guess... by g0bshiTe · · Score: 4, Funny

    Reader jafo adds, "Pardon me if I have little confidence that an organization that loses a sensitive laptop for 9 days is able to tell if it was compromised."

    It was never actually missing. They just couldn't find it in their own office.

    --
    I am Bennett Haselton! I am Bennett Haselton!
  15. what was your password that no one guessed by BlackSnake112 · · Score: 4, Interesting

    I remember getting a security audit. These people came in to 'hack' (just get root access) to the systems. Once they had that they stopped. They really just ran password guessing programs on the machines. I had a DB server that was not part of the domain only used DB accounts no domain accounts were used. So the domain accounts and passwords didn't work. At the end of the week they never got into that machine. The rest of the windows, sun, VAX, I forget about the mainframe were cracked. My boss was wondering why that one windows box was not cracked, and so did the company. I never told the company I just said they failed to get into my DB machine. They left and my boss and a few VPs wanted to know how I did it.

    The password was: ThisIsThePasswordForMachineDelta

    They never went past 15 characters in their password program. I was surprised that it wasn't guessed since it was all letters but it worked. And a new 30+ password systems was set in place. I did get a few threatening emails after the new password policy was put in place though. This was also 1997 too, so it most likely would not work today.