"Clear" Laptop Found, In the Same Locked Office

jafo alerts us to an SFGate story reporting that the lost "Clear" Program laptop has turned up in the same office from which it was reported missing, but not in its previous location. "A preliminary investigation shows that the information was not compromised... The computer held names, addresses and birthdates for people applying to the program, as well as driver's license, passport and green card information. But, she said, the computer contained no Social Security numbers, credit card numbers, fingerprints, facial images or other biometric information... The information was encrypted on the server, but not on the laptop, although it should have been... However, it was protected by two levels of passwords." Reader jafo adds, "Pardon me if I have little confidence that an organization that loses a sensitive laptop for 9 days is able to tell if it was compromised."

Two Levels of Passwords?

[something_wicked_thi]

Those are, like, needed to remove the hard drive, right?

Re:Two Levels of Passwords?

[amazeofdeath]

Yes, the screws on the bottom of the laptop will ask you the boot and Windows passwords before they'll open.

Re:Two Levels of Passwords?

[flappinbooger]

Yes, Yes, Inside job it was, young skywalker. You are advancing in the force, you are!

Reminds me of one time where my boss was in the field at a customer's factory. He had his "notebook" in which he writes everything down. (a paper notebook, old school, not a laptop)

He left it on a table in the break room for a couple hours and forgot about it. Later, when he remembered, it was gone.

A few hours LATER, it was back, pretty much where he left it.

Luckily it didn't have any pricing or other such things in it, but it still wasn't a good thing.

But Karma is interesting, this same customer a few months later set us an email which happened to have a high level very confidential spreadsheet attached, accidentally. It contained the companies strategic plan for the coming months - peoples salaries, names, locations, PLANT CLOSURE PLANS, savings from plant closures, all that stuff. "ummm, yes, there was a spreadsheet that you ... shouldn't have got... can you please erase that? Right now? And not look at it? Thanks!"

My point is, and I have one, encryption is fine but it is no guarantee against mistakes and/or stupidity.

no excuses

[iveygman]

Even though this laptop was not actually stolen, that does not excuse the gross lapse of judgement by the people responsible. Two levels of passwords is fine, but unencrypted data still leaves potential victims vulnerable. This still raises the question of why sensitive data was on something as portable as a laptop. Oh and nevermind the fact that they managed to lose it in their own office completely kills any confidence I had in them.

I lost all confidence in Clear yesterday

[oodaloop]

and none of it came back today.

It wasn't

[Digital_Quartz]

The truth is, they have no idea if it was compromised or not. All you'd need is an Ubuntu boot CD and you could read the data straight off the drive.

Next time they should use THREE levels of passwords. ;)

"Clear" Laptop Found, In the Same Locked Office

[Dan+East]

That is why I prefer opaque laptops.

Correct response

[91degrees]

The laptop had either been stolen, and sold with the information wiped, stolen and the information sold, lost, destroyed, or left in an office.

Whichever it was, the only information they had was that it was unaccounted for. It was actually a good response to automatically assume the worst case scenario and deal with the situation as if that had happened. If the worst case scenario was the case then at least it was dealt with as best it could be. If not then the only harm done is to them and not their customers.

So while losing it was very inept, their response afterwards was actually fairly responsible of them.

Clear is bullshit

[Jah-Wren+Ryel]

This whole 'Clear' thing is bullshit. Its a bad solution to a problem that should not exist in the first place.

If you buy the story that all the airport security that results in thousands standing around waiting to get to their gates is both necessary and effective then you must question any program that claims to pre-screen anyone because that just opens a window of opportunity between the pre-screen and the actual boarding of the flight in which the pre-screened person can be compromised in any number of ways.

It all comes back to the problem that there is no such thing as "the evil bit" - and any system which tries to make up for that by using some other combination of 'bits' as a proxy for the non-existent 'evil bit' is just a house of cards built on a non-existent foundation.

Even if you take Bruce Schneier's view that Clear is a good thing - not for the pre-screen, but because of the open-market approach to airport security which lets people pay more in exchange for a guaranteed short processing time - its still bullshit. That's because the rich and the powerful - the idiots who make the laws that created the TSA and their time/money wasting policies will be able to avoid having to suffer the consequences of their own actions. They can just pay a few hundred dollars more and never suffer the crap that they dumped on all the plebes.

Congress already exempts itself from too many of the laws its passes (no social security, they have their own program, no anti-discrimination in hiring laws on the hill, etc) they should not be able to get another free pass on suffering the effects of creating the TSA.

Re:Sorry

[$RANDOMLUSER]

Trust me, if the bomb diffuses, things just got WAY worse.