Slashdot Mirror


British MoD Stunned By Massive Data Loss

Master of Transhuman writes "Seems like nobody can keep their data under wraps these days. On the heels of the World Bank piece about massive penetrations of their servers, the British Ministry of Defense has lost a hard drive with the personal details of 100,000 serving personnel in the British armed forces, and perhaps another 600,000 applicants. This comes on the heels of the MoD losing 658 of its laptops over the past four years and 26 flash drives holding confidential information. Apparently the MoD outsources this stuff to EDS, which is under fire for not being able to confirm that the data was or was not encrypted."

166 comments

  1. Hardly 3 hours by Anonymous Coward · · Score: 2, Insightful

    Hardly 3 hours since the last post on /. about
    UK Govt wanting to spy.

    1. Re:Hardly 3 hours by Goldberg's Pants · · Score: 4, Insightful

      They want to spy more so they can gather more information to lose.

      Seriously, lately it seems not a week goes by without some ridiculous data leak in the UK. Whether it be thumbdrives that automatically log into private networks, laptops being stolen, documents being left on a train, confidential information being lost in the post etc...

      They won't need the Data Protection Act much longer in the UK because there'll be no data left to protect as it'll all have been leaked.

    2. Re:Hardly 3 hours by Dr. Hellno · · Score: 4, Insightful

      "I'm just looking forward to when the data gets lost."

      From the summary of that post. 3 hours ago.

      ...Holy Crap.

      We know they're abusing their power. We know that they're incompetent!
      And it never changes! It just happens again and again and again!
      I don't know whether to laugh or cry or scream or kill or just give up anymore. I just don't know.

    3. Re:Hardly 3 hours by Firehed · · Score: 2, Insightful

      We know they're abusing their power. We know that they're incompetent!

      And it never changes! It just happens again and again and again!

      Isn't that the definition of a government?

      --
      How are sites slashdotted when nobody reads TFAs?
    4. Re:Hardly 3 hours by ObitMan · · Score: 1

      well at least you know now that If they get something on you, the info probably won't stick around long enough for them to prosecute.

      --
      Who run Barter Town?
    5. Re:Hardly 3 hours by Anonymous Coward · · Score: 0

      They want to spy more so they can gather more information to lose.

      Note that GCHQ is never the company that loses data. Then note who would be looking after the data in the previous story.

    6. Re:Hardly 3 hours by gbjbaanb · · Score: 4, Funny

      or they're just moving to a more distributed data system, they want to spy on you so they can see the data you now hold. It's like a bittorrent data-storage solution, all these 'lost' laptops and pendrives are a secret mechanism of distributing the data in the most widely and random way - thus adding to the security of the overall system, as no-one else knows where it's ended up.

      See, it's simple really :-)

    7. Re:Hardly 3 hours by mpe · · Score: 1

      Note that GCHQ is never the company that loses data.

      Probably because part of their job is to find leaking data from other parts of the world. It also helps that they are about the only part of the British Government who understand how to use encryption properly.
      Wonder if GCHQ has anything to do with EDS, most likely if they do they keep a proper eye on them.

    8. Re:Hardly 3 hours by Heather D · · Score: 1

      Ah, yes. The old "Back up the data by letting the enemy have it" ploy. Hey, maybe they'll secure it better than the govt. did. :-/

    9. Re:Hardly 3 hours by Goldberg's Pants · · Score: 1

      Ever hear of a sense of humour? You may want to look into getting one. They're fun!

    10. Re:Hardly 3 hours by Antique Geekmeister · · Score: 1

      Although GCHQ does have this sort of thing (http://wikileaks.org/wiki/Katharine_Gun). They were basically revealed, by one of their own staff, to be involved in bugging the offices of six 'swing nations' of the UN, involved in the vote for the Iraq war.

      Organizations with that kind of history and power can have publicity about their data losses quashed as 'national security', especially in a country as swayed by paperwork as England. Note that this does not necessarily apply to Ireland or Scotland, which have their own attitudes about privacy and government paperwork, but it especially applies to those actually in England that I've dealt with. They accept governmental paperwork manipulation to an extent that is shocking to most Americans I've worked with.

    11. Re:Hardly 3 hours by sumdumass · · Score: 1

      Who was it that said transparency in government?

      Well, maybe this isn't what they meant.

  2. No, no, no by gowen · · Score: 5, Informative

    the British Ministry of Defense has lost a hard drive with the personal details of 100,000 serving personnel

    No. EDS lost a hard-drive, belonging to the MoD. Had to get that in before the "Government is intrinsically incompetent" posse got here. EDS, a privately owned and run subsidiary of Hewlett-Packard, subcontracting to the MoD, were responsible for the security of this drive, and they, not anyone at the MoD did the losing here.

    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    1. Re:No, no, no by Zsub · · Score: 1

      Still: this is the umpteenth time the UK gov't has lost data. How often does this happen anyway? Do other gov'ts just manage to keep it secret that they lose this much sensitive data? I am quite amazed...

    2. Re:No, no, no by drsquare · · Score: 3, Insightful

      What exactly is the MoD doing sending out sensitive data to foreign private contractors? In fact, why are they giving anyone data at all?

      Fuck Labour.

    3. Re:No, no, no by gowen · · Score: 3, Informative

      this is the umpteenth time the UK gov't has lost data.

      Are you reading impaired, or just an idiot?

      No member of -- or person directly employed by -- the UK Government lost this data. EDS, a long-established, privately owned subsidiary of Hewlett Packard, lost this data.

      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    4. Re:No, no, no by gowen · · Score: 4, Informative

      Fuck Labour.

      What? Do you really believe a politician made the decision on whom to outsource data management to?
      Are you familiar with the concept of a civil service at all? Do you know who runs the day-to-day operations for the MoD?

      Clue: Decisions like "Which subcontractor should we hire" are not made by the Secretary of State for Defence.

      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    5. Re:No, no, no by Zsub · · Score: 4, Insightful

      Are you just an idiot?

      How does the fact that this company loses the gov'ts data not imply that the gov't loses data? Please tell me if this logic is flawed...

      And does it actually matter who loses the data? I mean, I don't live there, I can't be arsed, it's not my private information but the whole point of my post was that the UK gov't loses data. Who exactly magically makes the disks or flashdrives disappear is besides the point.

    6. Re:No, no, no by Anonymous Coward · · Score: 0, Troll

      you are stupid.
      MoD did lose the data, because they gave it to an incompetent company to handle.
      you suck at logic.

    7. Re:No, no, no by gowen · · Score: 1, Informative

      EDS has been around since 1962. To quote Wikipedia:

      EDS's largest clients include General Motors, Bank of America, Arcandor, Kraft, United States Navy, the UK Ministry of Defence and the Royal Dutch Shell.

      But, hey, if an anonymous coward says they're an "incompetent company", that's good enough for me. I stand corrected.

      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    8. Re:No, no, no by i'm lost · · Score: 2, Insightful

      So the problem is actually that the MoD is stupid enough to entrust their data with a private company that's too incompetent to avoid losing data? That's just as bad, I'm not sure what you're defending here.

    9. Re:No, no, no by BiggerIsBetter · · Score: 1

      Incompetent is one possibility... so is espionage. Perhaps it's a Bond PR stunt.

      --
      Forget thrust, drag, lift and weight. Airplanes fly because of money.
    10. Re:No, no, no by Anonymous Coward · · Score: 1, Interesting

      if they run their business like who they're owned by (HP as you pointed out)

      then yes, they are incompetent.

    11. Re:No, no, no by cyber-vandal · · Score: 4, Insightful

      But the overuse of external subcontractors is a political decision. Fuck New Labour and fuck the Tories who started it all.

    12. Re:No, no, no by dnwq · · Score: 1

      Minister of Defence.

      "Secretary of State for Defence" doesn't really make sense anyway ;)

    13. Re:No, no, no by dnwq · · Score: 1

      ... okay, I'm an idiot.

    14. Re:No, no, no by Anonymous Coward · · Score: 1, Interesting

      Different AC here, but that list of clients looks familiar. I'm sure half of them have been on slashdot about lost data or poor security standards at one point or another in the last year, yes?

    15. Re:No, no, no by hdparm · · Score: 4, Insightful

      Why are you so apologetic on behalf of the British government? The drive was the responsibility of MoD. This includes the choice of people and/or organisations who do the handling. Likewise, even if the EDS was not the minister's choice, he should have been sacked because he hasn't made the decisions of this magnitude his choice.

    16. Re:No, no, no by Anonymous Coward · · Score: 1, Insightful

      Sorry, are you implying that EDS are not an incompetent shower of useless bastards who routinely fail to deliver, deliver late or deliver wildly outside the scope of what was contracted?

    17. Re:No, no, no by CountBrass · · Score: 5, Informative

      And who decided that EDS were competent to manage the MoD's data? That would be the MoD i.e. the government. So it is the Government that is intrinsically incompetent: they have a history of either handing over vast amounts of private data to untrustworthy companies (EDS, PA Consulting, Capgemini) or of losing it themselves (HMRC, Home Office, SIS).

      In law under the Data Protection Act the MoD, not EDS, are the Data Controller and therefore responsible for losing it.

      --
      Bad analogies are like waxing a monkey with a rainbow.
    18. Re:No, no, no by tendrousbeastie · · Score: 2, Insightful

      It seems reasonable to assume that the MoD are not putting sufficient emphasis on data security when placing contracts with private companies. There have been several instances of private companies losing government data. The common factor is the government involvement. Seems that their procurement contract ought to be drawn up in such a way to put safeguards against this happening. That is why it is the UK Government's fault.

    19. Re:No, no, no by Anonymous Coward · · Score: 0

      Actually, I should chime in on this. I work for the Information Commissioner's Office who deal with these organisations when something like this happens. Any company contracted by an organisation is legally obliged to work to the policies set by the contractee. If EDS are found to have followed those policies and the data breach has occurred then it's the MoD's fault. If EDS didn't follow policy then the MoD haven't been monitoring properly. That's why it's always the parent organisation that accepts blame.

    20. Re:No, no, no by SoupIsGoodFood_42 · · Score: 3, Informative

      Fuck Labour.

      Yeah, because they are the ones who are more likely to out source work to a private company, right? Last time I checked, parties like Labour generally prefer that the government did it themselves, even if it costs more, and it's the opposition who are the ones who like to out source and privatise things.

    21. Re:No, no, no by captain_dope_pants · · Score: 2, Informative

      EDS are regularly in a UK magazine called Private Eye - usually for being useless or money grabbing or somehow winding up with yet another Govt contract when their track record isn't that good.

      --
      while (true != false) process_more_stupid_code();
    22. Re:No, no, no by jeremyp · · Score: 3, Interesting

      EDS has been responsible for quite a number of screwed up Government IT projects in the UK. Somebody at the MoD was responsible for giving the data to that incompetent shower.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    23. Re:No, no, no by Anonymous Coward · · Score: 1, Interesting

      Heh, I just remembered, I've dealt with EDS before.

      I had to fix something for them. A consulting gig of some sort (I don't recall) the customer, or partner or them, called us up because we fix other consultants screw ups.

      EDS is incompetent. (In my limited experience)

    24. Re:No, no, no by gowen · · Score: 1

      It seems reasonable to assume that the MoD are not putting sufficient emphasis on data security when placing contracts with private companies.

      Well, that's not an entirely invalid inference, but I don't see how you can infer that just from the data that's given.

      None of us is privy to the terms of the contract. You can guess what's in them if you like, but your guesses are far more likely to be based on your biases than any actual facts available to you. So please don't pretend there's any syllogism involved. When you say "assume" here, it just means "guess".

      If there is a plane crash is it "reasonable to assume that the airline is not putting sufficient emphasis on their planes not crashing"?

      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    25. Re:No, no, no by Anonymous Coward · · Score: 0

      The people working in the MoD, at least those at the grades making these decisions, do not change when the Government changes. Similarly with the tax office and all the other places that have lost data.

      Blaming the Government is not fair - it is civil servants that are to blame.

    26. Re:No, no, no by gowen · · Score: 0, Flamebait

      Because there's a difference between the controlling party in power, and the machinery of state. And the dishonest media portrayal of things like this people have lost the ability to make that distinction, we get the whole "government is intrinsically incompetent" meme, and people come to believe that private-public partnership and running government like a free market is intrinsically better -- because the free market works and government sucks.

      Cases like this therefore become so distorted that they are considered, in the public consciousness, as data points that cause people to trust government less with their data. Whereas the actual villain here is the policy of devolving governmental responsibilities to the private sector. But that is never, never, never portrayed as the story -- because the meme is "don't trust governments", and when the facts contravene the meme, the media print the meme.

      We should be saying "No to outsourcing of private data -- because private companies cut corners to make profits." Instead, we blame the government because the government is accountable, rather than because the government is at fault. And that's seriously fucked up.

      Additionally, all that is sending the British political discourse the way of the American one -- where a candidate's almost complete inexperience of government can be portrayed as a benefit.

      As to why, I'm against that; well, that's left as an exercise for the reader.

      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    27. Re:No, no, no by gowen · · Score: 1

      of losing it themselves (HMRC)

      Oh, yes those disks that were lost. By whom were they lost? TNT, a privately owned courier company.

      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    28. Re:No, no, no by Anonymous Coward · · Score: 0

      In this case the assumption is based on a pattern.

      Several different private companies have recently been found to lose government data. With no other common denominator involved than the government, it seems like a safe assumption in some way the cause is related to the government.

      Certainly an assumption is more similar to a guess than it is to a certainty, but in the face of only minimal evidence one has to either make assumptions or drop out of the conversation (as there is nothing to talk about).

      Without certain assumptions this story is essentially "some data was lost. We don't know enough to talk about it".

    29. Re:No, no, no by pjt33 · · Score: 3, Informative

      Check again. Labour has changed since the 1980s.

    30. Re:No, no, no by Gordonjcp · · Score: 3, Interesting

      EDS used to have a facility in Livingston (basically right in the middle of Scotland) where they printed welfare cheques (photos of the abandoned plant here). This closed down when they went to paying by BACS or similar. Anyway, according to a couple of people I know who were hired by contractors to clear all the media and computers from the site, there were quite a few highly unsavoury types handling not just storage devices and backup tapes, but also paper records while the building was being cleared. No background checking, nothing.
      What utter fucktards.
      (incidentally, posting this showed up an oddity of the URL parser - if the URL wraps so there's a space between 'href="' and 'http" then it breaks, big time.)

    31. Re:No, no, no by lazy_playboy · · Score: 1

      > No member of -- or person directly employed by -- the UK Government lost this data. EDS, a long-established, privately owned subsidiary of Hewlett Packard, lost this data.

      Whether it be the government itself, or an agency acting for the government, this is still the government doing the losing.

      > Are you reading impaired, or just an idiot?

      !?! Lay off the caffeine.

    32. Re:No, no, no by Anonymous Coward · · Score: 0

      Angry bastard, aren't you. The government can delegate the task of looking after data to contractors - but can't delegate responsibility. The MoD is accountable for this.

    33. Re:No, no, no by Sique · · Score: 1

      If you burn the office of the premier minister, it's not as if the premier minister has committed arson. If a privately owned company loses data, it's the company which loses the data, independent of the rightful owner of it.

      --
      .sig: Sique *sigh*
    34. Re:No, no, no by Anonymous Coward · · Score: 0

      It's also that thinking that lets companies patent things for what amounts to forever. Or to break laws for which no single human must answer. CEOs know this as they cash their checks. Just ask the folks at AIG; they're teaching Enron a few things.

    35. Re:No, no, no by Anonymous Coward · · Score: 0

      So, if the government contracts *everything* out, they won't be responsible when the contractor loses data, no matter what the level of incompetence responsible in either the company or the oversight of its contracts? Sweeeet. Time to outsource more.

    36. Re:No, no, no by Anonymous Coward · · Score: 0

      You think that's worrying? Lockheed Martin (yes, that's the US defence contractor) has already won the contract to process the 2011 UK census forms. Hands up anyone who thinks the US government won't get a copy.

    37. Re:No, no, no by Anonymous Coward · · Score: 0

      Ok. I work for EDS, and I agree that it's incompetent. I don't have a point to make, but here's my rant:

      Full hard encryption is forced upon us (Pointsec) and it slows down my laptop at times (like when the virus scanner chooses to go off just when I need to get an important piece of information quickly) to the point of being useless. We support hundreds of servers (all for the same client) with NO directory services configured, and we have to change our passwords on them every three weeks. All hail sticky-notes on the monitor, eh! Even though I have no personal client data on my laptop, I still bear with the pain, and pay the price for the few morons out there who lose their laptops that do.

      We have plenty of good techs, but there are also plenty of fools and poor management. Maybe the 26,400 jobs that HP cuts over the next 3 years will take care of some of that.

    38. Re:No, no, no by Anonymous Coward · · Score: 0

      If you burn the office of the premier minister, it's not as if the premier minister has committed arson. If a privately owned company loses data, it's the company which loses the data, independent of the rightful owner of it.

      If the Prime Minister hires a cleaning staff without checking them for a history of arson or other felonies, and doesn't pay attention to if there are large amounts of gasoline being brought into the office, then a member of that staff burns down the office, yeah, it's at least a good part the PM's fault (or rather, whoever did the hiring).

      Or, car analogy- if you let your kid drive the car without instructing him/her on safe driving or sending them to a driver's ed class, and they wreck your car, yeah, it's at least partway your fault.

    39. Re:No, no, no by Sique · · Score: 1

      Still it's the cleaning staff who gets convicted for arson. And with an underage kid you are responsible for everything he does because he is underage. If they were someone else's kids driving your car, their parents have to pay you for the wreckage (even if you are responsible for the damage done by your car).

      Yes, the government is responsible for due diligence, it is responsible to get its helper (may they be external companies or the own staff) to conform to data protection regulation. It is even responsible to recover the lost data and shield the persons affected by the data loss against harm.

      But nevertheless: It was an incompetent, privately owned company losing the data, and not a government.

      --
      .sig: Sique *sigh*
    40. Re:No, no, no by Detritus · · Score: 1

      EDS doesn't tie their own shoes without getting a government bureaucrat to sign-off on the deal.

      --
      Mea navis aericumbens anguillis abundat
    41. Re:No, no, no by bwcbwc · · Score: 2, Insightful

      And before you go blaming those dam' foreigners, EDS is in this business in the UK because they bought the large UK contractor Scicon back in the 1990's. So regardless of the ownership, the people responsible for the operational f-ups that caused loss of the drive are probably home-grown.

      --
      We are the 198 proof..
    42. Re:No, no, no by RiotingPacifist · · Score: 1

      We have plenty of good techs,... Maybe the 26,400 jobs that HP cuts over the next 3 years will take care of some of that.

      fixed

      --
      IranAir Flight 655 never forget!
    43. Re:No, no, no by RiotingPacifist · · Score: 1

      the contract has probably been around since before we knew EDS was incompetent, the gov contractors have a habit of signing long contracts with "and we still get all the money if you cancel early" clauses.

      --
      IranAir Flight 655 never forget!
    44. Re:No, no, no by RiotingPacifist · · Score: 1

      mod parent up, labour are one step away from outsourcing governance to an Indian telephone exchange tbh.

      --
      IranAir Flight 655 never forget!
    45. Re:No, no, no by RiotingPacifist · · Score: 1

      It doesn't really matter, EDS have probably already lost the data so the UK are the only country without a copy

      --
      IranAir Flight 655 never forget!
    46. Re:No, no, no by RiotingPacifist · · Score: 1

      of losing it themselves (HMRC)

      Oh, yes those encrypted disks that were lost. By whom were they lost? TNT, a privately owned courier company.

      fixed

      --
      IranAir Flight 655 never forget!
    47. Re:No, no, no by RiotingPacifist · · Score: 1

      I think in America, when the whitehouse changes its there its all change, judges, military contractors and constitutional experts, to whoever suits the presidents friends best. And that not just Bush (although the huge cost+ contracts to the VPs company stink) but a bipartisan effort.

      --
      IranAir Flight 655 never forget!
    48. Re:No, no, no by gilgongo · · Score: 1

      this is the umpteenth time the UK gov't has lost data.

      Are you reading impaired, or just an idiot?

      No member of -- or person directly employed by -- the UK Government lost this data. EDS, a long-established, privately owned subsidiary of Hewlett Packard, lost this data.

      If that were the case, how on earth do you imagine the government would have any public accountability for anything?

      It's completely beyond dispute that the buck stops with government on this. This fact that EDS is private, long-established, lives on Mars or is owned by Chuck Norris is *absolutely* irrelevant. British contract law, ethics and common sense all say that by contracting EDS, the GOVERNMENT is responsible to the PEOPLE for what EDS do.

      I'm genuinely shocked that you would think otherwise!

      --
      "And the meaning of words; when they cease to function; when will it start worrying you?"
    49. Re:No, no, no by Anonymous Coward · · Score: 0

      It is partially his fault, though, if he gave you a blow-torch for your birthday.

    50. Re:No, no, no by phulegart · · Score: 1

      I'll try to make this simple, and I'll even use a car analogy.

      You loan your car to a friend.
      Your friend loses the keys.
      Does this mean you are guilty of losing the keys? Absolutely not.
      You may be guilty of loaning your car to an idiot, but you did not lose the keys.

      Now, I understand you want to emphasize the incompetence of the British Ministry of Defense. However, it has already been established that *they* lost nothing. Get over it. Get off it.

      --
      "I love deadlines. I love the whooshing sound they make as they fly by." -D. Adams
    51. Re:No, no, no by hairyfeet · · Score: 1

      Uhh.....They were carrying government data under a government contract while employed by the government,so how exactly is it NOT the government's fault? If you run a division in a company and you hire a bunch of idiots that completely bone you and get all the customer's data stolen,do you think we should blame the idiots or the idiot that hired them? So IMHO you can lay this squarely at the government's feet,as they hired the dumbasses that lost the data.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    52. Re:No, no, no by mpe · · Score: 2, Interesting

      EDS lost a hard-drive, belonging to the MoD. Had to get that in before the "Government is intrinsically incompetent" posse got here.

      Maybe instead of paying 12 billion quid to spy on the British public it should instead be used to spy on EDS...

      EDS, a privately owned and run subsidiary of Hewlett-Packard, subcontracting to the MoD, were responsible for the security of this drive, and they, not anyone at the MoD did the losing here.

      WTF was the MoD doing letting this data near any foreign company? At the very least whoever agreed to this should be prosecuted under the official secrets act.

    53. Re:No, no, no by mpe · · Score: 2, Insightful

      No member of -- or person directly employed by -- the UK Government lost this data. EDS, a long-established, privately owned subsidiary of Hewlett Packard, lost this data.

      If anything this is worse than someone employed by the British Government losing the data. Security was breached when they let a foreign owned company have access to it. That that company lost the media is just the icing on the cake.
      This is like the driving theory test data, lost from somewhere it should never have been in the first place.
      There are only 11 locations in the US that the British Government has any business at all sending this kind of data.

    54. Re:No, no, no by mpe · · Score: 1

      the contract has probably been around since before we knew EDS was incompetent, the gov contractors have a habit of signing long contracts with "and we still get all the money if you cancel early" clauses.

      These are enforceable exactly how? A contract with anyone which said "we get all the money even if we break the contract" would not be enforceable against anyone. There is no way in which EDS could sue the MoD, if they even tried two words would stop them. Those words being "Crown Immunity". Governments in general cannot be sued unless they consent to be sued.
      Also the MoD has this thing called an "Army" available.

    55. Re:No, no, no by canuck57 · · Score: 1

      Fuck Labour.

      I have NEVER in my day seen a security breach that didn't rest on management's shoulders. Lax policies, no thought into process or control, apathy towards security, starve the security budget because you can't watch porn undetected, side with lazy cannot change types, but it all comes down to incompetence of management every time. Now you can't put that in a report to management, but it is the truth.

      Reports to management need a fall guy, usually the person on the front line that does not have the authority, no tools nor process defined for the safe handling of data.

      How you got mod points for that statement is beyond me, if I had them now I would have said troll.

    56. Re:No, no, no by Anonymous Coward · · Score: 0

      And guess what, if I rent a movie, lend it to a friend, and the friend loses it... it's still my fscking problem, now isn't it?

    57. Re:No, no, no by Soruk · · Score: 1

      It was outsourced to one of two British companies, Systems Designers or SciCon (who bought SD).

      Then along came EDS and bought SciCon.

      --
      -- Soruk
    58. Re:No, no, no by drsquare · · Score: 1

      So you're telling me that the civil service made the decision to outsource sensitive data all by themselves? Even if they did, then either Labour knew about it and did nothing, meaning they were culpable, or didn't know about it, in which case they're incompetent.

      Sorry but whichever way you look at it, your party and government are horrendously terrible.

    59. Re:No, no, no by cheekyboy · · Score: 1

      BUT THEY PAID EDS, THEY HIRED EDS, They TRUSTED EDS.

      Are they that stupid, they cannot hire smart people inhouse?

      Fuck me, might as well have outsourced state secrets to china.

      IDIOTS.

      --
      Liberty freedom are no1, not dicks in suits.
    60. Re:No, no, no by duckInferno · · Score: 1

      EDS in the UK have a reputation for fucking up. It seems that while the rest of the world (post-2004, the dreaded "Brown years") are posting major contract wins and successful implementations, EDS in the UK is stuck in the year 2000. Please don't use their performance as any sort of baseline for EDS as a whole. The performance and culture of the corporation differs widely amongst countries.

      Disclaimer; I speak as an EDS NZ employee.

      --
      Fool me once, shame on you. Fool me twice, watch it -- I'm huge!
    61. Re:No, no, no by lamapper · · Score: 1

      mod parent up, labour are one step away from outsourcing governance to an Indian telephone exchange tbh.

      Whew, what a relief...at least they are outsourcing to potential family. Though they could not inherit anything without being officially recognized...oops, not even then, dang.

      Now if the outsourcing was in South America, not sure if England has tried to Empire Build down there as much as India we might have cause to worry.

      --
      Is your Internet Throttled? Install DD-Wrt, OpenWRT or Tomato to learn the truth! Google: 1Gbps/1Gbps: 5 Communities
    62. Re:No, no, no by kraut · · Score: 1

      the British Ministry of Defense has lost a hard drive with the personal details of 100,000 serving personnel

      No. EDS lost a hard-drive, belonging to the MoD. Had to get that in before the "Government is intrinsically incompetent" posse got here. EDS, a privately owned and run subsidiary of Hewlett-Packard, subcontracting to the MoD, were responsible for the security of this drive, and they, not anyone at the MoD did the losing here.

      The incompetence is in hiring EDS when they have proven time and time again that they're clueless to the point of being dangerous.

      --
      no taxation without representation!
    63. Re:No, no, no by kraut · · Score: 1

      Fuck Labour.

      Yeah, because they are the ones who are more likely to out source work to a private company, right? Last time I checked, parties like Labour generally prefer that the government did it themselves, even if it costs more, and it's the opposition who are the ones who like to out source and privatise things.

      You clearly haven't checked since about 1991. While technically it was the Conservatives that invented the expensive accounting scam called PFI, it was Labour who implemented it with full gusto, in a vain attempt to hide as much public borrowing as possible in the private sector in exchange for wasting even more taxpayers' money.

      It was also Labour that really instituted the practice of throwing enormous amounts of cash at management consultancies; the fact that cabinet members rotate in and out of those consultancies is clearly unrelated.

      --
      no taxation without representation!
    64. Re:No, no, no by SoupIsGoodFood_42 · · Score: 1

      And the Conservative Party would not have done something similar if they had been in power at the time? You'll have to excuse my ignorance here, as I'm from NZ, where it's pretty much Labour vs. National.

  3. Encrypted or not? HAH! by NoobixCube · · Score: 1

    As if that question makes an appreciable difference. Encrypted or not, data loss is data loss. It's bad security practice. Having the data encrypted will do just a tiny bit to save face, but it will hardly stop anyone who wants in.

    --
    Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
    1. Re:Encrypted or not? HAH! by mccalli · · Score: 1

      Having the data encrypted will do just a tiny bit to save face, but it will hardly stop anyone who wants in

      Really? Let me know when you've finished breaking TrueCrypt then, or PGP, or BitLocker, or FileVault. I'll be the one waiting over here. For a very, very long time...

      Cheers,
      Ian

    2. Re:Encrypted or not? HAH! by Anonymous Coward · · Score: 0

      It does make a huge difference, because it doesn't matter if you lose encrypted hard drives (assuming you have a strong key). It is bad security practice, if your security guideline says so. But you could make a guideline that says you don't care (assuming these are not your only copies).
      To third parties, you just gave them random data.

    3. Re:Encrypted or not? HAH! by leenks · · Score: 3, Insightful

      His point was that if someone wants the data, eg they actively stole the hard drive, then they are likely to steal or obtain the mechanism to decrypt the data too.

    4. Re:Encrypted or not? HAH! by Penguinoflight · · Score: 1

      This is the truth, anyone arguing can talk about semantics but it's just a matter of time before the data can be decrypted. Encryption is great for network security, when someone has limited access to connections, systems and physical access. When someone has access to the hardware it's only a matter of longer wait times, depending on the skill and equipment that the cracker has.

      In this sense, it is perfectly logical for individuals who need portable access to the data to be personally and professionally responsible for the data. Physical security is still the most important and first line of defense.

      --
      "And we have seen and do testify that the Father sent the Son to be the Savior of the World"
      1 John 4:14
    5. Re:Encrypted or not? HAH! by RiotingPacifist · · Score: 1

      they are going to break maths? cool

      --
      IranAir Flight 655 never forget!
    6. Re:Encrypted or not? HAH! by Anonymous Coward · · Score: 0

      No.. if I want the passphrase, all I have to do is break you, which wouldn't be too difficult.

      After I work your Achilles tendon over with a rusty semi-dull blade you'll be telling me the football scores from next week.

    7. Re:Encrypted or not? HAH! by mpe · · Score: 1

      It does make a huge difference, because it doesn't matter if you lose encrypted hard drives (assuming you have a strong key).

      Also assuming that the device was simply lost, rather than stolen by someone with the ability to also find out the key.

      It also matters if the encryption is symmetric or asymmetric key. With symmetric key encryption you have the whole problem of key management (and ensuring that the cyphertext and key are not together). A CD/DVD with the key used to decrypt it written on it (as could easily happen with a symmetric key method) may as well not be encrypted at all. Whereas using an asymmetric method (see RFC 2440) means that whoever encrypted the data never needs to know the key used to encrypt it. So long as the recipient keeps their private key secure only they can read the media.

  4. Combine this with the immediately preceding story by kaos07 · · Score: 2, Insightful

    Enough said.

  5. I can! by matt4077 · · Score: 5, Funny

    I can confirm that the data was or was not encrypted.

  6. Hidden Safety Feature by mini_razor · · Score: 1

    What they fail to say is that this hard drive will self destruct in 5 seconds. 4 3 2 1.............

    1. Re:Hidden Safety Feature by fluch · · Score: 1

      yeah ... and since they bought the cheapest version of this hidden safety feature there will be only a tiny 'pling' after the counting finished (and not a big smoky explosion) ... and then the drive will continue to work as before...

    2. Re:Hidden Safety Feature by Linker3000 · · Score: 1

      ...Oh, it was an older Maxtor was it?

      --
      AT&ROFLMAO
  7. this is the reason why... by MoFoQ · · Score: 3, Funny

    this is the reason why the brits have to spy more....'cuz it's about quantity.....if u have more data coming in.....than that is going out (aka losing)...then u'r golden.

    (I don't think it's a coincidence that this was posted after the bit about the brits needing to spy more)

    1. Re:this is the reason why... by Evil_Ether · · Score: 1

      And then it's also harder for anyone who finds the data to find the important parts in all the crap!

      --
      If taxation is legalized theft, then Capitalism is a prolonged rape followed by a slow death.
  8. News from MOD by auric_dude · · Score: 5, Informative
    1. Re:News from MOD by operator_error · · Score: 1

      Not a mention of encryption anywhere in that statement either. I wish/hope the missing data is somehow safely encrypted.

  9. Are they really being lost? by argiedot · · Score: 4, Interesting

    The only time I have ever lost a device is when I was mugged and my phones were taken from me and I'm just any other person.

    It should be interesting to see what the ratio of laptops lost to all laptops provided is. Maybe this cynicism is because I live in India where corruption is rampant and entire flyovers can be 'lost', but I'm a bit suspicious about this whole thing.

    Also, if they're losing laptops with information at such a high rate, at what rate are they losing paper files? Surely it's harder to keep track of the 20 binders with 100 sheets in them than it is to keep track of one hard drive?

    I find it hard to believe that these people are really that incompetent. Hanlon's Razor doesn't always apply.

    1. Re:Are they really being lost? by Anonymous Coward · · Score: 4, Informative

      Business travellers in the US and Europe lose a staggering 15,648 laptops per week, according to a new study by Dell.

      So one shouldn't be surprised that laptops go missing, if the study is anything like accurate.

    2. Re:Are they really being lost? by somersault · · Score: 3, Interesting

      It was standard practice for our head of accounting to take our backup tapes home for a few years. This year I saw some of our tapes just lying out in plain view on the passenger seat of his car, so I politely showed him a couple of stories about data loss when tapes were stolen from cars, and have been taking the tapes home myself now..

      --
      which is totally what she said
    3. Re:Are they really being lost? by pimpimpim · · Score: 1

      Would the head of accounting from the 60's ever have the idea to make copies of all binders and bring them home, in case the office would burn down? Electronic data really is "smaller" than its paper counterpart, and also more easily moved to other devices, laptops, pcs, etc. BTW I'm sorry for you that you have to take over the questionable practice of taking the tapes home, just because someone else did it in a worse way. Are you sure that you want to carry the liability in case the tapes get stolen from your home?

      --
      molmod.com - computing tips from a molecular modeling
    4. Re:Are they really being lost? by MPAB · · Score: 1

      *Study performed in its integrity by browsing eBay.

    5. Re:Are they really being lost? by somersault · · Score: 1

      How is it a questionable practice? Fires may not be very likely, and the servers are on the first floor (second in American terms) so we're not likely to have problems in a flood, but it's always better safe than sorry.

      What would you do personally if you had ~250GB of data from various servers that needed to be regularly backed up? Would you still backup to tape but then just store them in a fireproof safe onsite? That should protect the tapes from most disasters, but you just never know, do you? We regularly have large cranes in the yard - if one of them were to topple or swing a heavy 20 foot container through the server room wall or something crazy like that, it could do some serious damage.

      We're primarily a research and design company so we don't hold big databases of customer credit card numbers etc - I'm not overly concerned about the risk of being held liable for patented company designs or past financial history becoming available - especially when you compare the consequences of that to the consequences of losing all our data for the last 20 years!

      I'm the only full time IT staffer at the company, so it's basically up to just me to make sure that all of our data is safe, and seeing the tapes lying out in a car like that freaked me out. We actually had someone break into an employee's car in the car park - in broad daylight - a couple of years ago, so I don't think I'm being too paranoid in just taking over responsibility myself. Don't know how many years that guy had been in charge of the tapes, but he was far too relaxed about it.

      --
      which is totally what she said
    6. Re:Are they really being lost? by Phroggy · · Score: 2, Funny

      How is it a questionable practice? Fires may not be very likely, and the servers are on the first floor (second in American terms) so we're not likely to have problems in a flood, but it's always better safe than sorry.

      What would you do personally if you had ~250GB of data from various servers that needed to be regularly backed up? Would you still backup to tape but then just store them in a fireproof safe onsite? That should protect the tapes from most disasters, but you just never know, do you? We regularly have large cranes in the yard - if one of them were to topple or swing a heavy 20 foot container through the server room wall or something crazy like that, it could do some serious damage.

      I think what the GP was saying was, I wouldn't want the liability associated with taking the tapes home myself. I mean, what if somebody did break into my car, or whatever? What if I got in an accident on my way home, and the tapes were destroyed? If there's any problem, I don't want to take the blame.

      That's why I would pay somebody else to take care of it for me. Fortunately, it turns out that there's a company called EDS that offers just such a service! They do this kind of thing for plenty of other companies/government agencies, so I'm sure they're as reliable as anyone, and the important thing is, if there's a problem, I'm off the hook.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    7. Re:Are they really being lost? by somersault · · Score: 1

      Ya I get that, but the company means more to me than that (was going to go into all the reasons why but meh), so I want to do what is least likely to result in losing our data, and IMO that is for me to take the tapes. If we were keeping anything other than our own data then of course it could be worth calling in a third party, but our backups are more about making sure our data is safe than keeping it private. That doesn't mean privacy is of no concern though, which is obviously why I decided to take action myself. If I did get mugged then I don't think I could or would be blamed. I guess I should have a word with upper management to establish exactly what their opinions are on the matter of liability though!

      --
      which is totally what she said
  10. As a former EDS Subcontractor ... by Anonymous Coward · · Score: 0

    the MoD outsources this stuff to EDS, which is under fire for not being able to confirm that the data was or was not encrypted.

    It wasn't.

    Quite who EDS are sleeping with in the Blair/Brown government I don't know but why they keep getting contracts which they persistently fail to deliver on time and on cost I do not know.

  11. Yet another example... by Firefalcon · · Score: 4, Interesting

    ...of why we shouldn't be outsourcing critical/sensitive data handling. Yes, Government departments can cock-up enough without external help, but so many of these data loss issues at the moment seem to be the fault of a private company they've outsourced to.

    Also, I worry about the outsourcing of anything relating to our Country's security. When you give the job to the lowest bidder, what can you expect but a barely adequate service?

    1. Re:Yet another example... by Anonymous Coward · · Score: 0

      It has to be outsourced. We would be appalled at the size of government if no outsourcing was allowed and government employees had to be hired for all the tasks!

    2. Re:Yet another example... by mpe · · Score: 1

      ...of why we shouldn't be outsourcing critical/sensitive data handling.

      Especially if you then add to the problem by outsourcing it to foreigners.

      Also, I worry about the outsourcing of anything relating to our Country's security.

      It appears that these people don't understand "national security". IMHO this includes restricting certain things to people who are citizens of only the relevant country. Excluding dual citizens or people who could claim citizenship of another country (this includes the situation of another country making a standing offer of citizenship which cannot be revoked).

    3. Re:Yet another example... by greenrd · · Score: 1

      Let me try to decode that... you're saying exclude all Jews, because they have a standing offer of citizenship from Israel? I think that would fall afoul of racial discrimination law.

  12. ensure deleting of data by buchner.johannes · · Score: 1

    I wonder if it is technically possible to create a system that is able to ensure that data are deleted after a certain time. (e.g. application forms for companies, ISP data, surveillance recordings, ...) in a form that outsiders can confirm it. So that you can be sure there aren't any copies around either.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    1. Re:ensure deleting of data by somersault · · Score: 1

      Technically there are easy ways to do that (at least for individuals since the data protection act shouldn't let you see if data is being held on other people), but you'd have to be pretty gullible to believe that any company was using such a system properly. You also have to take into account backups being made of data, or possible malware on their systems that is taking a copy of data before they erase it themselves, and so on.

      --
      which is totally what she said
    2. Re:ensure deleting of data by jamesh · · Score: 1

      I know!!! I know!!! What is DRM?

      I'm wrong of course... DRM is a technical solution to a social problem, which never works.

      #1. You could build something into the device holding the data that ensures that it self destructs after a certain time

      #2. You could program something into the device that ensured that all copies taken were known.

      #3. You could use cryptography to ensure that all devices that connected to it via #2 were certified to comply with whatever specification ensured the deletion of the data

      but, #1 is impossible, #2 is impossible, and #3 is impossible. So 'no' is the answer to your question.

  13. Re:Combine this with the immediately preceding sto by houghi · · Score: 3, Funny

    Information wants to be free.

    --
    Don't fight for your country, if your country does not fight for you.
  14. Privacy shmivacy by LordLucless · · Score: 1
    --
    Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
  15. It's called DRM by Anonymous Coward · · Score: 0

    .. or haven't you used a Zune? (wise move if you didn't btw).

    No, I'm not kidding. I have seen MS trying to sell the MoD DRM, casually omitting answers to interesting questions like who would have the root key and how this would stand up in theatre where almost anything can fail and a lack of information can result in blue on blue (aka fratricide).

    You could also promise to put any further perpetrators and their directors in stocks on the nearest square and made it compulsory for every object thrown at them to either stink or have been rotting for days. Or both. Nothing else seems to help.

  16. EDS has always been a trash outfit by Anonymous Coward · · Score: 0

    Nothing new here, EDS has been going from bad to worse for the better part of two decades.

    They're a high gloss outfit where image is all (hence beloved by PHBs), with little interest in technical competence nor care of workforce or of customers. As long as the money is rolling in and they get their colossal markup, it's all smart ties and "Yes sir", while the substance can go to the dogs for all they care.

    I'm not at all surprised by this latest event, it's par for the course for EDS.

    1. Re:EDS has always been a trash outfit by Anonymous Coward · · Score: 0

      With all due respect, fuck you.

      There are a lot of us there who are on top of the scale when it comes to technical competence, and we do our utmost to ensure what we do is done to the very best that it can be, since it's good for the customer, it's good for EDS and it's good for us. But no, you don't hear about that because it isn't newsworthy.

      "EDS builds MoD computer system, works flawlessly and comes in under budget" would not sell newspapers. Some idiot misplaces a hard disc, and you can't move for news stories.

  17. hehehe... by bhunachchicken · · Score: 1

    Rather unfortunate to place this directly above the article on the front page saying that the British Government needs more spies... :)

  18. Not surprising at all... by Aramil · · Score: 1

    No matter how much they spend on security, most of the time it's PEBKAC that does the trick... Like here, when a cop forgot his USB stick in an Internet cafe containing PDFs of reports about spying on certain people and political groups... Of course someone found it and they spread all over the web... There are numerous examples of situations like this. Security systems are the least responsible for such data losses, I guess...

  19. Destroy it all by damburger · · Score: 1

    Chuck every hard drive, pen drive, CD, and paper file the government has into a hole, add thermite, and break out the marshmallows.

    If someone were to push the spooks and bureaucrats who collected the data into such a fire, I wouldn't object too much either.

    --
    If we can put a man on the moon, why can't we shoot people for Apollo-related non-sequiturs?
  20. Knowledge begets knowledge..... by 3seas · · Score: 1

    And specific knowledge begets its own.

    Isn't it obvious?

  21. personal data on "portable hard di by Seth+Kriticos · · Score: 1

    So can anybody explain to me why they are storing this kind of data on a "portable hard disk drive"? (I mean, it sounds like a laptop 2.5" drive.) Is this kind of a default high security policy? I mean, I always thought that this kind of data should be on some central secure servers and accessed through some secure forms. Am I missing something here?

    Interesting, the MoD site was created with "Microsoft Visual Studio 7.0". Well, that sure is totally unrelated anyway.

  22. Not to worry! by mattr · · Score: 1

    Those responsible will be reassigned to the domestic surveillance project!

  23. Ah more spying by Anonymous Coward · · Score: 0

    I love the way this is the next story along from:

    'UK Government Says More Spying Needed'

    so who do you think has the hard drive?

  24. MOD PARENT UP by BenEnglishAtHome · · Score: 1

    That first sentence may be the most insightful thing I've read in a week.

    1. Re:MOD PARENT UP by MrNaz · · Score: 1

      I would like to add my +1 to this sentiment. I have asked that question in many forms at many dinners, conferences and casual lunches, and almost every time I do, I essentially get called a commie and that's the end of the discussion.

      The conflict of interest when public goods (such as infrastructure, health care, education, defense etc) are handled by the private sector are so palpable that it boggles the mind that there is even a counter argument to the idea that the government should handle all public works, let alone that the counter argument is the current mode of operation for the world.

      Here's another public service that many often overlook, that I think at the moment is getting a lot of scrutiny: finance.

      Money, its creation and its destruction is such a fundamentally public function, so intimately at the core of public activity, that I cannot understand how the fact that that private firms get to do as they please with it with no accountability is just ignored.

      Ignored that is, until recently. Let's see how this experiment with fundamentalist marketism in the US ends up. I'm betting "not well".

      --
      I hate printers.
  25. Government Incompetence? by BenEnglishAtHome · · Score: 5, Informative

    Isn't that the definition of a government?

    Not really. Where I work, any laptop connected to the network is checked at every connection for the presence of active full disk encryption software. If it isn't found (which can happen when computers are being built and the encryption installation hasn't been completed) then an immediate alert is sent to the support staff nearest the machine. In response to that alert, the machine must be encrypted or seized immediately. We're talking same-day action, here, with the consequence of inaction being that someone gets fired.

    The result is that when we lose (usually through theft but the method is unimportant in this context) a laptop, we can immediately report that said laptop was fully encrypted and no data was lost or is at risk.

    If we need to let a contractor on our network, we set up one of our laptops to meet all security requirements and lend that hardware to the contractor. No contractor is allowed to put their machine on our network.

    Finally, when data is written to removable media, it's encrypted. We run a software package (Guardian Edge) that forces all writes to removable media to be encrypted. It's a pain sometimes, but it's the least we can do to keep the public's private data safe.

    Frankly, I'm shocked that the MOD would accept less stringent practices on the part of contractors. I know we don't.

    1. Re:Government Incompetence? by Anonymous Coward · · Score: 2, Funny

      Great job, way to piss on our parade of mocking government incompetence. I hope you're happy with yourself.

      (Please don't audit me!)

    2. Re:Government Incompetence? by RiotingPacifist · · Score: 1

      My dad works for a company contracted to do some system for skynet (yes they seriously called their new satellite network skynet WTF) and all his files are stored remotely via a VPN* w/ keycard, even though his local hard drive is encrypted and all he's doing is writing the training manual for the system.

      I seriously doubt the MOD would accept less stringent practices on the contractors, whether the contractors fucked up or not is another question.

      which is good as his laptop can only connect to WEP wireless because it's locked down so much.

      --
      IranAir Flight 655 never forget!
    3. Re:Government Incompetence? by Anonymous Coward · · Score: 0

      Interestingly, EDS just finished an initiative to encrypt all their hard-drives, similar to the process described here. Was it an internal response before the news became public?

    4. Re:Government Incompetence? by lysergic.acid · · Score: 4, Insightful

      there's no inherent reason for the government to be incompetent. but it's always those who want to cut down on public infrastructure and social welfare programs that are incompetent themselves. of course when you elect such people into government they make a complete mess of things and use their own incompetence as an excuse to hand these roles over to the private sector.

      i mean, how can you put people who don't believe in public infrastructure in charge of public infrastructure? it's a self-fulfilling prophecy.

    5. Re:Government Incompetence? by Firehed · · Score: 1

      Thanks for killing my joke, but since you answered seriously - what kind of tricky stuff are you doing to detect full-disk encryption on any machine that touches the network? And more importantly (assuming that this requires a boot-time password; I've never bothered with any serious encryption), do you have something that detects the sticky note on the bottom of the laptop with said password?

      I guess I can sleep a little better knowing that the IRS is working hard to ensure that they only screw me over once per year.

      --
      How are sites slashdotted when nobody reads TFAs?
    6. Re:Government Incompetence? by BenEnglishAtHome · · Score: 4, Interesting

      what kind of tricky stuff are you doing to detect full-disk encryption on any machine that touches the network?

      I don't know. I'm on the receiving end of those alerts, so I know they happen. Exactly how, I'm not sure. Our logon scripts do all sorts of stuff, including automatically installing updates to vertical apps, so checking for full disk encryption wouldn't seem to be too hard a task. I know there are certain files on the machines that do not exist until encryption has been installed and fully enabled. I assume that looking for them would be trivial. But that's just a guess.

      To show you how tight our scans are, we had a contractor who plugged a personally-owned USB key into his IRS-issued laptop. It contained some basic maintenance tools as well as some network monitoring tools. He wanted some simple utility, I forget which one, and instead of asking for it through channels he just plugged in his copy. Literally *5* minutes after he plugged in the key, his machine was deleted from the domain and his personal identifier was wiped from all systems, just like we do when someone is fired. 5 minutes after that, his boss got a call from our security office explaining that the employee was being reviewed for termination. The boss explained that he was a good guy, new to the organization, just made a mistake, and asked for some slack. Ultimately, the guy got a two-week suspension and then had to re-build everything (system access permissions, etc.) as if he were newly hired.

      I really don't question the notion that our monitoring does a good job of catching any funny business.

      And more importantly (assuming that this requires a boot-time password; I've never bothered with any serious encryption), do you have something that detects the sticky note on the bottom of the laptop with said password?

      This is one of the areas where we take a notably sensible approach. Our security rules that each person must sign and obey do NOT prohibit writing down passwords. It's officially discouraged but not prohibited. We take the attitude that as long as that list is protected, like people protect their ID card, door key card, and credit card, there's no problem.

      Nobody puts a sticker on the bottom of their laptop or keyboard. We have constant security inspections, usually after hours, and doing crap like that gets you disciplined severely.

      I won't go into excess detail (which, by itself, would be a violation of our security rules) but suffice it to say that if you wanted to steal and get data off an IRS laptop, you'd have to mug the user, get their password list, know their internal ID (which no one writes down because we use it constantly) then mug a different person with local machine administrator credentials, get logons and passwords from that person, then know exactly where to type all of them in without making more than three mistakes to lock up the machine.

      The only people who could successfully get information off our laptops would be our admins. But we can get to that stuff internally, already, so that's not a realistic threat.

      Realistically, the only thing a thief can do with a stolen IRS laptop is wipe it, install an OS, and use it.
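The logon-time check for active disk encryption discussed in this subthread, as an added example that is not part of any poster's comment and not the system the poster describes. It assumes Linux endpoints using LUKS/dm-crypt and takes the JSON printed by `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT`; the function names, the cleartext allow-list and both sample inputs are constructed for illustration.

```python
"""Check that every mounted filesystem sits on an unlocked dm-crypt (LUKS) device.

Input: the JSON text printed by `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT`.
Both SAMPLE_* documents are constructed for this example.
"""
import json

# Assumption: policy lets the boot loader's partitions stay in cleartext.
CLEARTEXT_OK = frozenset({"/boot", "/boot/efi"})

SAMPLE_ENCRYPTED = """{"blockdevices": [
 {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
  {"name": "sda2", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
  {"name": "sda3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
   {"name": "sda3_crypt", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null, "children": [
    {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
    {"name": "vg-swap", "type": "lvm", "fstype": "swap", "mountpoint": "[SWAP]"}]}]}]}]}"""

# A half-built machine: /home is encrypted, but / and swap are not.
SAMPLE_HALF_BUILT = """{"blockdevices": [
 {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
  {"name": "sda2", "type": "part", "fstype": "ext4", "mountpoint": "/"},
  {"name": "sda3", "type": "part", "fstype": "swap", "mountpoint": "[SWAP]"},
  {"name": "sda4", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
   {"name": "home_crypt", "type": "crypt", "fstype": "ext4", "mountpoint": "/home"}]}]}]}"""


def mounts_of(node):
    """Mount points of one lsblk node (newer util-linux may print a "mountpoints" list)."""
    mounts = node.get("mountpoints") or [node.get("mountpoint")]
    return [m for m in mounts if m]


def unencrypted_mounts(lsblk_json, cleartext_ok=CLEARTEXT_OK):
    """Return sorted (device, mountpoint) pairs that have no dm-crypt layer beneath them."""
    findings = []

    def walk(node, under_crypt):
        # An unlocked LUKS/dm-crypt mapping shows up as TYPE "crypt"; LVM volumes
        # and filesystems stacked on top of it appear as its children.
        under_crypt = under_crypt or node.get("type") == "crypt"
        for mount in mounts_of(node):
            if not under_crypt and mount not in cleartext_ok:
                findings.append((node["name"], mount))
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in json.loads(lsblk_json).get("blockdevices", []):
        walk(device, False)
    return sorted(findings)


def check_endpoint(hostname, lsblk_json):
    """Build the record a logon script could send to the support queue."""
    findings = unencrypted_mounts(lsblk_json)
    return {
        "host": hostname,
        "compliant": not findings,
        # Judged per mounted volume: one LUKS container elsewhere on the disk
        # does not make a cleartext / or swap acceptable.
        "cleartext_volumes": [f"{dev} on {mnt}" for dev, mnt in findings],
    }


if __name__ == "__main__":
    for host, doc in (("laptop-a", SAMPLE_ENCRYPTED), ("laptop-b", SAMPLE_HALF_BUILT)):
        print(check_endpoint(host, doc))
```

Swap is checked on purpose: it can hold pages of memory from any process, so a cleartext swap partition counts as a finding even when the data volumes are encrypted.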

    7. Re:Government Incompetence? by byronf · · Score: 2, Insightful

      I won't go into excess detail (which, by itself, would be a violation of our security rules) but suffice it to say that if you wanted to steal and get data off an IRS laptop, you'd have to mug the user, get their password list, know their internal ID (which no one writes down because we use it constantly) then mug a different person with local machine administrator credentials, get logons and passwords from that person, then know exactly where to type all of them in without making more than three mistakes to lock up the machine.

      What if I find a disenfranchised employee, and offer money?

    8. Re:Government Incompetence? by VJ42 · · Score: 2, Funny

      It's the same the world over, the only part of government that does its job well is the one the citizens wish would fail miserably.
      Seriously, the IRS, or HMRC here in the UK, would track down Osama bin Laden if he owed them a penny. Unfortunately, it seems he must file his tax returns on time...

      --
      If I have nothing to hide, you have no reason to search me
    9. Re:Government Incompetence? by BenEnglishAtHome · · Score: 1

      What if I find a disenfranchised employee, and offer money?

      That has happened. But if the employee uses their own credentials to get the data, the leak will be traced to them. If you compromise an admin, you'll get caught even quicker because we're so closely monitored.

      But, I'll grant you, it can happen. I've known of three cases that happened geographically close to me over the last 25 years. In two cases, the employees were marched out in handcuffs. In the third, the employee was arrested at home. Most of us aren't willing to throw away our pensions and/or spend multiple years in federal lockup just to sell some data. There are buyers, I suppose, but none that pay the kind of money that makes that sort of risk worthwhile to any of us with a brain.

    10. Re:Government Incompetence? by BenEnglishAtHome · · Score: 1

      That's funny stuff. I laughed, until I remembered that I used to be a field officer. During that time, part of my job was finding people who didn't want to be found. One time, nearly 20 years ago, I found a guy hiding in China. He owed very little money (less than $USD50K, given the size cases I had back then) but I just got a wild hair about finding him, worked all the angles, and eventually turned him up. Hint - If you can find someone's mother, you can find them.

      BTW - What's HMRC? I thought the tax agency in the UK was called the Inland Revenue Service.

    11. Re:Government Incompetence? by Bloke+down+the+pub · · Score: 1

      It was the Inland Revenue. No service. Then it merged with HM Customs and Excise. Everybody thought excise was a silly word so they took the chance to drop it.

      --
      It's true I tell you, feller at work's next door neighbour read it in the paper.
    12. Re:Government Incompetence? by ydrol · · Score: 1

      Why not suggest to your IT Security people that they can just disable the USB drivers? Also I hope that the guy's training/induction mentioned that unauthorised USB sticks are prohibited and ninjas will smash through the office partitions if you try to use one.

    13. Re:Government Incompetence? by Anonymous Coward · · Score: 0

      Wow, it's amazing how well a government organization can run when that organization is tasked with collecting money.

    14. Re:Government Incompetence? by Skuldo · · Score: 2, Informative

      The UK Skynet has been around since at least 1969.

    15. Re:Government Incompetence? by BenEnglishAtHome · · Score: 2, Informative

      your IT Security people that they can just disable the USB drivers

      We'd have to quell a revolt. Some of our people have repeated needs to move multi-gig data files from place to place. USB sticks have been a godsend. Given that some of our offices have such poor connectivity to the rest of the world, large file transfers used to require overnight or longer planning. Just moving a file from cube to manager's office for review could take hours. Now that they can sneakernet or mail a USB stick to move a big file, turning off that capability would have them hunting for our scalps.

    16. Re:Government Incompetence? by BenEnglishAtHome · · Score: 1

      I didn't say the organization was run well. That's completely debatable. But our laptops are secure against data loss in the event they're stolen.

      As for how well the organization is run? I could write a book...

    17. Re:Government Incompetence? by Anonymous Coward · · Score: 0

      AIUI the disc was discovered missing after the project that owned it moved from one site to another.

    18. Re:Government Incompetence? by Antique+Geekmeister · · Score: 1

      If you disable USB entirely, you disable touchpads, mice, and external CD drives necessary for laptops without DVD drives built in. Disabling the 'write' capability for those is awkward. And you'd better believe that I can attach a local networked memory device, such as a dumb web server, without detection unless the IT staff have invested one hell of a lot of effort in tracking and detection equipment.

      Such detection is possible, but awfully expensive to set up. Very few facilities bother.

    19. Re:Government Incompetence? by ultranova · · Score: 1

      The UK Skynet has been around since at least 1969.

      But it didn't become sentient until August 29, 1997. Luckily for all of us its operators, being part of the British government and thus barely sentient themselves, failed to notice anything unusual, so it was left to lead a peaceful existence, talk with any foreign computer it wished, and spawn children in the form of virus-infected data sets, such as the one described in the article.

      It would explain a lot of things, wouldn't it?

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  26. Stupid much? by Atrox666 · · Score: 1

    When I was in the army people who screwed up like this had accidents.
    It made the army and the species stronger.

  27. Why is it that by Arancaytar · · Score: 1

    All of the recent data catastrophes seem to be happening in Britain?

    And in the face of this, the UK government is upping the surveillance, too. "Don't worry, nobody except us is ever going to see your private data. You can trust us."

  28. I think /. needs to change its FAQ by MagdJTK · · Score: 1, Insightful

    "Slashdot is U.S.-centric. We readily admit this, and really don't see it as a problem. Slashdot is run by Americans, after all, and the vast majority of our readership is in the U.S. We're certainly not opposed to doing more international stories, but only if we're slagging off other countries. Positive stories about anywhere other than the US are frowned upon."

    1. Re:I think /. needs to change its FAQ by Detritus · · Score: 0

      Would you prefer a story about "Paddington Bear finds a jar of marmalade"?

      --
      Mea navis aericumbens anguillis abundat
  29. Mod Parent +1 Correct by ozphx · · Score: 2, Insightful

    The MOD must demand from its subcontractors a certain level of service, and be responsible for it. "Well it wasn't our fault, it was that guy" doesn't cut it when it comes to state secrets.

    Get better subcontractors next time or DIY, retards.

    --
    3laws: No freebies, no backsies, GTFO.
  30. Leaking is British (tm) by Teun · · Score: 1

    Those of us that remember the British cars and motor cycles of years gone by know the absence of leaks had to be due to a dry sump, a seized engine is waiting when no leak is discernible.

    With the automotive industry all but gone from the UK this national obsession with making things leak has been taken to a new industry.
    They know what they're doing.

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    1. Re:Leaking is British (tm) by Anonymous Coward · · Score: 0

      You are so right, but the funny aspect is that most of those motorcycles were supposed to have a dry sump. They had a scavenge pump which pumped the oil into the oil tank, which had the advantage of acting like an oil cooler, and also helped keep the engine low as it did not need a deep sump to hold the oil below the moving parts. Despite this, they managed to leak like crazy. Mine also leaked out of the primary chaincase and the gearbox, which were separate from the engine and each other. I suppose to be fair it was good engineering....for the 1930's.

  31. Reagan/Thatcher Bureaucratic Heaven by smchris · · Score: 0, Flamebait

    It strikes me that the wonderful thing about outsourcing government, from government administration's standpoint, is that nobody is ever really responsible. The contractors can say government didn't properly communicate with them, oversee the operation, or allocate adequate funding. Government can claim that they did and it's the contractor's fault. Perfect. Everybody's happy. Except for the people who are supposed to be served, of course.

     

  32. Contains everything you need for perfect ID theft by gilgongo · · Score: 3, Informative

    From TFA:

    "The portable drive contains the names, addresses, passport numbers, dates of birth and driving licence details of around 100,000 serving personnel across the Army, Royal Navy and RAF, plus their next-of-kin details."

    Wow. Just... wow.

    The person who finds this and wants to exploit it would become unimaginably rich on stolen identities for pretty much the rest of their lives. I suppose if the MoD have a record of exactly whose details were on the disk, they could re-issue things like national insurance numbers and driving licences to prevent that, but even then the possibilities for other avenues of exploitation using this information would be huge (next of kin, for pity's sake!!).

    Data like this needs to be treated as if it were nuclear waste or a volatile explosive mixture. It would be just about OK to have a list of 100,000 driving licence numbers if these were kept physically separate from, say, names and addresses (eg keying them on a one-time ID), but when certain classes of data are kept TOGETHER like this, it should be every right-thinking person's reaction to scream the house down in panic.

    We have to assume that at some point, all data will leak out somewhere. All we can do is to ensure that when it does, it's not actionable. Oh, and by the way - you can forget encryption. People don't understand it and in most cases those who steal data will steal or otherwise obtain the keys as well.

    --
    "And the meaning of words; when they cease to function; when will it start worrying you?"
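
The separation this comment describes (licence numbers kept apart from names and addresses, joined only through a one-time ID), as an added example that is not part of the original post. The field names, the sample records and the choice to hold the ID mapping in a separate link table are assumptions made for illustration.

```python
import secrets

# Constructed sample records; every value here is made up for the example.
RECORDS = [
    {"name": "Alex Example", "address": "1 Sample Road", "licence": "LIC-0001", "passport": "PP-1001"},
    {"name": "Blake Sample", "address": "2 Test Street", "licence": "LIC-0002", "passport": "PP-1002"},
    {"name": "Casey Dummy", "address": "3 Mock Lane", "licence": "LIC-0003", "passport": "PP-1003"},
    {"name": "Devon Filler", "address": "4 Demo Close", "licence": "LIC-0004", "passport": "PP-1004"},
]

IDENTITY_FIELDS = ("name", "address")        # who the person is
DOCUMENT_FIELDS = ("licence", "passport")    # which documents they hold


def split_records(records):
    """Split each record into two stores plus a link table.

    Each half gets its own random one-time ID, so the two stores share no
    column they can be joined on. Only the link table (meant to live on a
    third system) maps one ID to the other.
    """
    identity_store, document_store, link_table = {}, {}, {}
    for rec in records:
        identity_id = secrets.token_hex(16)
        document_id = secrets.token_hex(16)
        identity_store[identity_id] = {f: rec[f] for f in IDENTITY_FIELDS}
        document_store[document_id] = {f: rec[f] for f in DOCUMENT_FIELDS}
        link_table[identity_id] = document_id
    # Row order would otherwise give the pairing away (row 1 matches row 1).
    # Sorting by the random IDs puts each store in its own unrelated order.
    return (dict(sorted(identity_store.items())),
            dict(sorted(document_store.items())),
            dict(sorted(link_table.items())))


def exposed_fields(store):
    """Field names someone holding only this store would see."""
    return {field for row in store.values() for field in row}


def rejoin(identity_store, document_store, link_table):
    """Rebuild the full records; this needs all three pieces."""
    return [{**identity_store[i], **document_store[d]}
            for i, d in link_table.items()]


if __name__ == "__main__":
    ids, docs, links = split_records(RECORDS)
    print("identity store alone exposes:", sorted(exposed_fields(ids)))
    print("document store alone exposes:", sorted(exposed_fields(docs)))
    print("records rebuilt with link table:", len(rejoin(ids, docs, links)))
```

A drive holding only one of the two stores yields either names and addresses or document numbers, never the pairing; the collated record exists only where all three pieces are brought together.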
  33. Re:alsjkhaok jasdpaiosdj asdasiodjas by Tubal-Cain · · Score: 1

    Frank Shoemaker would call this noise.

  34. MOD PARENT UP by BenEnglishAtHome · · Score: 3, Insightful

    This:

    how can you put people who don't believe in public infrastructure in charge of public infrastructure?

    is one of the best questions I've ever seen posted on Slashdot. With an election looming, it's a question that every voter should ask themselves. Whoever modded it flamebait is a dufus.

  35. Encryption? by PishiGorbeh · · Score: 1

    Loss happens, especially portable devices. Question is; are the drives encrypted?

    1. Re:Encryption? by Anonymous Coward · · Score: 0

      That is exactly the point, they don't know. From the summary

      Apparently the MoD outsources this stuff to EDS, which is under fire for not being able to confirm that the data was or was not encrypted.

  36. EDS S.O.P.? by WED+Fan · · Score: 1

    EDS lost a hard-drive, belonging to the MoD.

    I'm beginning to wonder if this is deliberate on EDS's part. In the U.S. Navy NMCI contract, they have lost drives and created vast security stand-down efforts while trying to create one big happy Navy network, which, btw, has resulted in a net increase in Networks and domains rather than the intended reduction.

    I'm starting to believe this is part of something else.

    --
    Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
  37. Re:Contains everything you need for perfect ID the by mpe · · Score: 1

    "The portable drive contains the names, addresses, passport numbers, dates of birth and driving licence details of around 100,000 serving personnel across the Army, Royal Navy and RAF, plus their next-of-kin details."
    Data like this needs to be treated as if it were nuclear waste or a volatile explosive mixture. It would be just about OK to have a list of 100,000 driving licence numbers if these were kept physically separate from, say, names and addresses (eg keying them on a one-time ID), but when certain classes of data are kept TOGETHER like this, it should be every right-thinking person's reaction to scream the house down in panic.


    There is a more fundamental problem here in that just because it is possible to combine information together does not mean that doing so is sensible.
    e.g. the Army, Navy and Air Force are separate services. So it makes little sense to combine them into one? Do the driving licence and passport details even need to be there in the first place?

  38. Who Watches the Watchers? by Doc+Ruby · · Score: 1

    UK Government Says More Spying Needed Sat Oct 11, '08 01:32 AM
    from the need-to-make-up-for-the-losses dept

    --
    make install -not war

  39. Re:alsjkhaok jasdpaiosdj asdasiodjas by Bloke+down+the+pub · · Score: 2, Funny

    Larry Wall wouldn't.

    --
    It's true I tell you, feller at work's next door neighbour read it in the paper.
  40. EDS again by Anonymous Coward · · Score: 0

    This is one of many EDS screwups. Last year they printed Social Security numbers on a mass mailing to 147K State of Wisconsin taxpayers, 6 months later they did the same thing to 440K Wisconsin residents in violation of the HIPAA act. Yet no prosecution for either violation, must have been a lot of political grease applied.

  41. Because at last we admit it by Kupfernigk · · Score: 1
    There are some new IT people around with a clue, and they know that the leaks need to be exposed before anything will happen about it.

    BTW the Civil Service preference for large incompetent foreign IT companies with big entertainment budgets over small efficient local ones is well known. Exposing the uselessness of companies like EDS and Capita has a sub-agenda; let's get our IT back.

    --
    From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
  42. Re:No, no, no - That's not the key point. by Irritated+User · · Score: 1

    Fuck Labour.

    What? Do you really believe a politician made the decision on whom to outsource data management to?
    Are you familiar with the concept of a civil service at all? Do you know who runs the day-to-day operations for the MoD?

    Clue: Decisions like "Which subcontractor should we hire" are not made by the Secretary of State for Defence.

    .

    That's not the main point, I'd suggest the following are key:

    1. The data/security paradigm changes when data are moved from hard/paper copy to a machine-readable form. Most people still think of security and access in paper-based terms, not that of electronic data which is a very different animal. Had the records been stored on traditional paper-based record systems then there would have been no breach of security.

    2. Data in electronic form acquires a range of new and powerful properties when compared with that of the same records stored on hardcopy/paper. For example, stealing 600,000 plus paper-based records would be nigh on impossible, but this electronic 'loss' is not even theft as far as we know--just incompetence and mishandling. Those handling or using this data do not understand these differences between the electronic data and hard copy paradigms (especially a problem in government bureaucracies). Ipso facto, if they did then this data security breach would not have happened. Unfortunately, this lack of understanding is not unique; even those in the data processing/security game have a very poor understanding of the problem: for they usually concentrate on specific security issues and technicalities, not why or whether certain facts or information should or should not be committed to electronic storage, or what the implications are if the data falls into unwanted hands.

    3. It is questionable whether certain forms of sensitive data should actually be transferred into an electronic format, especially if bound into fully collated databases (as here). If electronic records are absolutely essential then the data can be held in multiple parts in distributed databases--one part alone being useless without others. (The fact that this data is not secured and managed in such a way that its loss would be trivial ought to be of great concern. Computer science just hasn't evolved sufficiently to always guarantee security and simultaneously make it easy and foolproof to implement: only electronically encode that which is essential.)

    4. Governments, control freaks and penny-pinching accountants etc.--those with a police state mentality--want all records conveniently to hand, often for very questionable reasons including very little practical justification or need. In this instance, not only have they collected and collated vast amounts of sensitive personal data and stored it in an easily 'losable' form but the very act of doing so is one of utter irresponsibility. That such data and on such a grand scale has the potential to be--and has been 'lost' [or stolen etc.] in this way ought to be treated as an act of malfeasance.

    4.1 Essentially, what has happened here is that an act of treason has been committed against the 'collective of citizens' [who constitute part of the state]--those who gave their personal data on the understanding that their government would keep it secure but who failed through negligence, inter alia.

    4.2 There's little doubt that this incident will be hushed up, and there will be a scapegoat or two or possibly not even that. Moreover, I'll bet it happens again sometime soon, remember this is not the first of such incidents. With Britain going to a universal ID card what would happen if Al-Qaeda or similar organization were to ever get such a file? Even a friendly power such as the USA would be only too happy to snap up such valuable data, no questions asked.

    5. Whether relevant or not, Governments, bureaucrats

  43. Re: British MoD Stunned By Massive Data Loss by Irritated+User · · Score: 1

    I'd suggest there are a number of key issues to keep in mind when considering the massive loss of data by British MoD. Here's a few to begin with:

    1. The data/security paradigm changes when data are moved from hard/paper copy to a machine-readable form. Most people still think of security and access in paper-based terms, not that of electronic data which is a very different animal. Had the records been stored on traditional paper-based record systems then there would have been no breach of security.

    2. Data in electronic form acquires a range of new and powerful properties when compared with that of the same records stored on hardcopy/paper. For example, stealing 600,000 plus paper-based records would be nigh on impossible, but this electronic 'loss' is not even theft as far as we know--just incompetence and mishandling. Those handling or using this data do not understand these differences between the electronic data and hard copy paradigms (especially a problem in government bureaucracies). Ipso facto, if they did then this data security breach would not have happened. Unfortunately, this lack of understanding is not unique; even those in the data processing/security game have a very poor understanding of the problem: for they usually concentrate on specific security issues and technicalities, not why or whether certain facts or information should or should not be committed to electronic storage, or what the implications are if the data falls into unwanted hands.

    3. It is questionable whether certain forms of sensitive data should actually be transferred into an electronic format, especially if bound into fully collated databases (as here). If electronic records are absolutely essential then the data can be held in multiple parts in distributed databases--one part alone being useless without others. (The fact that this data is not secured and managed in such a way that its loss would be trivial ought to be of great concern. Computer science just hasn't evolved sufficiently to always guarantee security and simultaneously make it easy and foolproof to implement: only electronically encode that which is essential.)

    4. Governments, control freaks and penny-pinching accountants etc.--those with a police state mentality--want all records conveniently to hand, often for very questionable reasons including very little practical justification or need. In this instance, not only have they collected and collated vast amounts of sensitive personal data and stored it in an easily 'losable' form but the very act of doing so is one of utter irresponsibility. That such data and on such a grand scale has the potential to be--and has been 'lost' [or stolen etc.] in this way ought to be treated as an act of malfeasance.

    4.1 Essentially, what has happened here is that an act of treason has been committed against the 'collective of citizens' [who constitute part of the state]--those who gave their personal data on the understanding that their government would keep it secure but who failed through negligence, inter alia.

    4.2 There's little doubt that this incident will be hushed up, and there will be a scapegoat or two or possibly not even that. Moreover, I'll bet it happens again sometime soon, remember this is not the first of such incidents. With Britain going to a universal ID card what would happen if Al-Qaeda or similar organization were to ever get such a file? Even a friendly power such as the USA would be only too happy to snap up such valuable data, no questions asked.

    5. Whether relevant or not, Governments, bureaucrats and security services have a Nazi-like obsession in collecting vast amounts of data on citizens and there are no obligations on those collecting it to even tell citizens that they are doing so let alone let the citizen see or review the data. Whether storing so much detail about citizens in vulnerable electronic format (such as in single but comprehensive databases) is warranted o