Slashdot Mirror


Reporters Find US Gov't Data In Ghana Market

narramissic writes "'Hundreds and hundreds of documents about government contracts,' were found on a hard drive purchased at a market in Ghana for the bargain basement price of $40, said Peter Klein, an associate professor with the University of British Columbia, who led an investigation into the global electronic waste business for the PBS show Frontline. The hard drive had belonged to US government contractor Northrop Grumman and in a made-for-TV ironic twist, 'some of the documents talked about how to recruit airport screeners and several of them even covered data security practices,' Klein said. 'Here were these contracts being awarded based on their ability to keep the data safe.'"


  1. What a news scoop....*yawn* by Ritz_Just_Ritz · · Score: 2, Funny

    Yet another example of some bonehead "disposing" of old equipment without wiping the data first. Time to start cranking out those Pulitzer prizes. ;)

  2. Contracts by hellfish006 · · Score: 3, Interesting

    They should lose their contracts for failing to wipe the data off the hard drives.

    1. Re:Contracts by Cheerio+Boy · · Score: 4, Informative

      They should lose their contracts for failing to wipe the data off the hard drives.

      They likely will as this is almost certainly a violation of ITAR regulations. Northrop Grumman does very little that is non-military.

      --

      "Bah!" - Dogbert
    2. Re:Contracts by plover · · Score: 5, Insightful

      They should lose their contracts for failing to wipe the data off the hard drives.

      They likely will as this is almost certainly a violation of ITAR regulations. Northrop Grumman does very little that is non-military.

      They most certainly will not lose their contracts over this. They'll find a way to blame the lost data on some tiny sub-subcontractor that the subcontractor responsible for disposing of used equipment hired to wipe the drives, and they'll get fired. Or maybe they'll fire the person who kept the data on their hard drive instead of the network drive, and trot out the click-through policy that says "we told you we could fire you for violating this policy."

      There's always a weasel-way for companies to get out of these situations by blaming someone for the failure.

      --
      John
    3. Re:Contracts by Cheerio+Boy · · Score: 4, Informative

      They should lose their contracts for failing to wipe the data off the hard drives.

      They likely will as this is almost certainly a violation of ITAR regulations. Northrop Grumman does very little that is non-military.

      They most certainly will not lose their contracts over this. They'll find a way to blame the lost data on some tiny sub-subcontractor that the subcontractor responsible for disposing of used equipment hired to wipe the drives, and they'll get fired. Or maybe they'll fire the person who kept the data on their hard drive instead of the network drive, and trot out the click-through policy that says "we told you we could fire you for violating this policy."

      There's always a weasel-way for companies to get out of these situations by blaming someone for the failure.

      ITAR is pretty strict but you're probably right in that they'll blame the recycling firm or some such nonsense. From my experience they can at least expect a fresh ITAR audit courtesy of the federal gooberment because there is now "reason to question" their security.

      Personally I don't let a hard drive out of the building unless it's been at least wiped (non-secure data) if not destroyed (secure data). Usually I destroy them just to make sure.

      --

      "Bah!" - Dogbert
    4. Re:Contracts by geobeck · · Score: 4, Interesting

      They should lose their contracts for failing to wipe the data off the hard drives.

      What's so ridiculous is how easy it is to destroy data without investing in ultra-super-duper-mil-spec data destruction software. When I destroyed hard drives for my old company, I'd pull out the drive, take it down to the shop floor, and watch as one of our fabricators put a 1/2-inch hole through the platters with a drill press. It's theoretically possible that an expert who really, really wanted our data could have read something from the partial platters, but I guarantee that none of our drives ever showed up in use anywhere else.

      And with the old IBM death stars, pretty much any possibility of data recovery was eliminated when those glass platters shattered inside the case as the drill went through.

      Of course, this technique requires you to have a drill press or a good, sturdy hand drill somewhere on your site, but I think Northrop Grumman could afford one of those.

      --
      Find environmentally and socially responsible products on http://buy-right.net
    5. Re:Contracts by rpillala · · Score: 2, Insightful

      Or maybe the whole thing is secret under the aegis of War On Terror or National Security or whatever the fuck. I don't think we'll hear much more about how this turns out, and therefore no accountability.

      --
      When the axe came to the forest, the trees said, "Look out - the handle was once one of us."
    6. Re:Contracts by networkconsultant · · Score: 2, Informative

      Government Sub-contractors are required to maintain liability insurance for instances like this.

      Sadly, this poor fellow will be sued into oblivion; the minimum in Canada is 2 million, in the U.S. I don't even know.

      Northrop is usually very good but the issue is that it's "Sensitive Information"; chances are the person using the system didn't follow the security protocols in place (i.e. not storing classified information in an Unclass environment).

      It's for this very reason all of my file systems are encrypted.

      As for Northrop they are responsible to meet all IT Security Policies in place by the Military, that's one of the reasons classified systems are so damn expensive, you buy it for 5K, service it for 100K and then decommission it for 10K, if the guy is just taking the 10K and recycling it then you have a problem. Ideally the Hard drives should be wiped, degaussed, smashed with large hammers (hydraulic or sledges work well) or shredded and then thrown into a furnace. That is a NATO standard for classified information. It's a lot of labor and hence the 10K.

    7. Re:Contracts by TheBig1 · · Score: 2, Informative

      I don't know if this is flamebait, or just ignorance. While it is true that given enough time any encryption can be broken, what is not mentioned is how much time. A proven symmetric cipher (e.g. AES 256 or similar) which is implemented correctly can withstand attacks from current equipment for far longer than you (or anyone else on earth) will be alive. Why not use it, and if you are paranoid *also* destroy the drive when finished with it? Multiple layers of security never hurt anyone.

      Cheers

    8. Re:Contracts by TheLink · · Score: 2, Funny

      I haven't tested this myself but I think something like an oxy-acetylene cutter can be pretty effective and fast.

      It will take a lot of effort to recover the data from the resulting molten puddles of metal ;).

      If you want to wipe very many hard drives at a go, there's always stuff like thermite, furnaces and bessemer converters.

  3. Comment removed by account_deleted · · Score: 3, Interesting

    Comment removed based on user account deletion

  4. When I dispose of an obsolete drive by Peter+Simpson · · Score: 3, Interesting

    I disassemble it, remove the platters, mount each one in a vise and bend it by striking it with a hammer.

    If they can get data off that platter, they're welcome to it.

    1. Re:When I dispose of an obsolete drive by rotide · · Score: 5, Informative
      Sounds time intensive. While a little pricey, get a hard drive destroyer. Pop it in, hit go and it folds 90 degrees!

      http://www.garner-products.com/PD-8400.htm

    2. Re:When I dispose of an obsolete drive by FudRucker · · Score: 3, Funny

      thermite, let's see them get data out of a pile of slag

      --
      Politics is Treachery, Religion is Brainwashing
    3. Re:When I dispose of an obsolete drive by cbiltcliffe · · Score: 2, Interesting

      Not to mention...you have some fun in the process. :)

      Although, I can't imagine running it through a DoD wipe with DBAN would be recoverable, and then the drive is reusable. We already have enough electronic junk going in landfills, so I find destroying drives rather than properly wiping them to be particularly distasteful.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    4. Re:When I dispose of an obsolete drive by Patrik_AKA_RedX · · Score: 4, Funny

      My method is much better. I install windows on it, have internet explorer start automatically and open Slashdot. By the time they're done, the data is way too old to be of any relevance.
      The rest of the drive I fill up with the combined works of David Hasselhoff. Cruel, but effective.

    5. Re:When I dispose of an obsolete drive by cenc · · Score: 2, Interesting

      I have a fast and simple solution. I take my trusty drill and run the bit through the platter at least once to several times depending on the importance of the drive. Yea, someone could in theory super reconstruct the data, but not without spending hundreds of thousands if not millions of dollars more than the data was worth. For that kind of money, I would just give them the data. It is a simple, cheap, quick solution that in all but the most sensitive situations would be sufficient to keep the data from being recovered in 99.9% of all cases.

      The thing people forget in all their bs about "just overwrite it with 0 and 1" is that hard drives are often being discarded because they have mechanical problems. The platter is likely still in good shape, just something else has failed that stops it from being mountable. My solution fixes both.

    6. Re:When I dispose of an obsolete drive by Rich0 · · Score: 2, Interesting

      I don't pretend to know all the regulations involved, but that website mentions that such a device is suitable for emergency destruction of top secret data.

      In an emergency this probably would be a good tradeoff between security and time - you can't take three weeks to do an "emergency" destruction if your security guards are holding off a regiment of troops looking to capture your data (which I think is the actual scenario envisioned - maybe some paratroops drop in on your roof or something or there are rioters outside looking to break in).

      However, I think that if a hard drive truly contained top secret data it would probably need to be almost completely incinerated to be secure - preferably to the point of melting the platters and destroying the memory chips. Top secret data potentially would be of interest to a very determined government - a merely bent hard drive could probably be read just fine with something like a tunnelling electron microscope. Sure, it would take quite a bit of determination, but if you're talking about the detailed designs and source code for an F22 or a nuclear bomb or something like that I'm sure somebody would be willing to go through the trouble. Reading the bits off of a bent hard drive has to be easier than building your own from scratch.

    7. Re:When I dispose of an obsolete drive by hairyfeet · · Score: 3, Insightful

      Same here, that is just stupid and wasteful, not to mention based on old wives' tales. I have yet to see ANYBODY recover a DoD wiped drive. You'd think that one of those data recovery firms would brag about it if they had actually been able to pull it off, yet nada. Give them a good DoD wipe and then they can be reused in computers for the poor.

      Even to this day I have no problem giving away a 400Mhz or better to somebody who doesn't actually have a PC. Just slap DSL-N and they have a nice clean desktop that is quite fast and a pleasure to surf with. I keep a 733MHz around to run Win9X for old games and to surf on when my main boxes are busy, and with 384Mb of PC100 and DSL-N it is a very pleasurable surfing experience. It is just stupid and wasteful to destroy those drives and make even more e-waste when they can be reused by those that don't have any. Single moms, homeless shelters, churches, there are tons of places that are quite happy to take a free working machine, and if everyone destroys the drive the cost of giving those machines away suddenly becomes too expensive.

      So don't fall for old wives' tales, DoD wipe and recycle. Good for the environment and your fellow man.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    8. Re:When I dispose of an obsolete drive by DavidTC · · Score: 3, Informative

      I have yet to see ANYBODY recover a DoD wiped drive. You'd think that one of those data recovery firms would brag about it if they had actually been able to pull it off, yet nada. Give them a good DoD wipe and then they can be reused in computers for the poor.

      Forget DoD wipes, it has never even been demonstrated it's possible to recover data from a single 00000000 wipe. No one has ever managed to read as much as a byte of data after it has been overwritten once with any value.

      The whole thing is sheer paranoid lunacy. It has its origin when hard drives encoded data in a different way, and were a lot looser in where they wrote on the drive, so in theory parts of the signal could be left behind. But that was only hypothetical even back then, there was no way to separate the signals out, and hard drives are a lot denser and encode the signal differently now.

      The only thing that makes a bit of sense is that hard drives can reassign clusters and leave data behind in bad ones, but you can get around that by using the right commands. It would be a hell of a lot more useful if the DoD would just invest in some external hard drive controller-type device to low-level format drives, and then when they're done turn on a huge magnet just to make sure.

      And stop wasting all that hardware.

      --
      If corporations are people, aren't stockholders guilty of slavery?
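Several comments above argue for overwriting drives and reusing them instead of destroying them. As an added example (not part of the original thread and not any poster's code), this is a read-back check that a zero-fill really covered every readable sector of a drive or image before it is released; the 512-byte sector size, the function names and the sample image are assumptions constructed for illustration.

```python
import os
import tempfile

SECTOR = 512  # assumed logical sector size; 4Kn drives would use 4096


def find_nonzero_runs(path, sector_size=SECTOR, chunk_sectors=2048):
    """Return (runs, total_sectors). Each run is (first, last) inclusive and
    covers consecutive sectors that still hold at least one non-zero byte."""
    zero = bytes(sector_size)
    runs, run_start, sector = [], None, 0
    with open(path, "rb") as dev:
        while True:
            chunk = dev.read(sector_size * chunk_sectors)
            if not chunk:
                break
            for off in range(0, len(chunk), sector_size):
                block = chunk[off:off + sector_size]
                # A short final block is compared against a zero prefix.
                dirty = block != zero[:len(block)]
                if dirty and run_start is None:
                    run_start = sector
                elif not dirty and run_start is not None:
                    runs.append((run_start, sector - 1))
                    run_start = None
                sector += 1
    if run_start is not None:
        runs.append((run_start, sector - 1))
    return runs, sector


def verify_zero_wipe(path, sector_size=SECTOR):
    """Summarise a read-back pass; 'clean' is True only if nothing was left."""
    runs, total = find_nonzero_runs(path, sector_size)
    dirty = sum(last - first + 1 for first, last in runs)
    return {"sectors": total, "dirty_sectors": dirty,
            "runs": runs, "clean": dirty == 0}


def build_sample_image(sectors=4096, residue=None):
    """Constructed test input: a zero-filled image with optional leftovers,
    given as {sector_number: bytes_written_at_that_sector}."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(bytes(sectors * SECTOR))
        for sector, data in (residue or {}).items():
            f.seek(sector * SECTOR)
            f.write(data)
    return path


if __name__ == "__main__":
    # Constructed sample: a wipe that missed 1400 bytes at sector 100
    # and a single byte at sector 4000.
    img = build_sample_image(residue={100: b"contract draft" * 100,
                                      4000: b"\x01"})
    try:
        report = verify_zero_wipe(img)
        print("sectors read: ", report["sectors"])
        print("dirty sectors:", report["dirty_sectors"])
        for first, last in report["runs"]:
            print("  residue in sectors %d-%d" % (first, last))
        print("PASS" if report["clean"] else "FAIL: do not release this drive")
    finally:
        os.remove(img)
```

A pass here covers only what the drive exposes through normal reads; sectors the drive has reassigned, which the comment above mentions, are not visible to it.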
  5. They found... by iamapizza · · Score: 4, Funny

    some of the documents talked about how to recruit airport screeners

    It contained a link to monster.com?

    --
    Always proofread carefully to see if you any words out.
    1. Re:They found... by pjt33 · · Score: 3, Funny

      Airport screeners know how to use monster.com?!

  6. Umm.. that's not how it works by QuantumG · · Score: 2, Interesting

    It's a long standing complaint that governments keep information about contracts secret for the benefit of the contractors. Now you're complaining that a contractor didn't keep information about their contracts adequately secured? Are you stupid or something? The US taxpayers have a right to know the details of these contracts.. but they are denied that by commercial confidentiality concerns. If you want to cry a river for someone, think about the shareholders, but don't go blathering on about "secret government contracts" because they simply shouldn't exist.

    --
    How we know is more important than what we know.
    1. Re:Umm.. that's not how it works by langelgjm · · Score: 3, Insightful

      I thought the same thing at first, but then I read the rest of the summary:

      some of the documents talked about how to recruit airport screeners and several of them even covered data security practices

      Typically we're interested in contracts during the bidding process (to make sure the public is not being ripped off), and later on, to see that the contractor actually delivers the goods. But "transparency" doesn't mean everyone needs to know the details of how Northrop Grumman builds its missiles or whatever.

      --
      "Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
    2. Re:Umm.. that's not how it works by Opportunist · · Score: 3, Funny

      I think it's asking a bit much of the US taxpayer that he should be required to go to a local market in Ghana to buy the info. It should be provided by the government.

      Besides, this is a company providing the info. I'm not really much into socializing everything, but dammit, there are some things that belong into government hands!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. Bargain basement??? by fuzzyfuzzyfungus · · Score: 4, Insightful

    $40 for a used hard drive of unknown provenance seems pretty high, unless you are talking about a considerably cooler than ordinary drive. Methinks that those journalists were haggling about as effectively as someone with an expense account for the story might be expected to.

    1. Re:Bargain basement??? by Opportunist · · Score: 2, Insightful

      Depends on how it was marketed. I mean, how much would you pay for a used HD from NorGrum?

      I'm fairly sure a HD once used in the development area of MS can fetch a nice price.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Bargain basement??? by adosch · · Score: 2, Insightful

      $40 seems steep, but the size of the hard drive wasn't even listed ITFA, and there was definite intent and motive to go find some secret government/contractor data on a piece of computer hardware, too, by the journalists themselves. So it's evident price or need of a hard drive wasn't an issue. With dumpster diving and shady data mining practices that have been at least publicly practiced over the last decade quite over announced, have people not learned to wipe the data on their storage devices? I pity the "outside" company who is supposed to be in charge of doing that (or so NG claims). At work, it's kind of a break from the pace to sit down with a bunch of servers, and let DOI standard wipe policy chug away. It's not like you have to constantly monitor it; should be one of the easiest things to do on the side.

    3. Re:Bargain basement??? by Culture20 · · Score: 2, Informative

      A used 300GB Ultra320? I'd pay $40 if it worked at sale.

  8. Re:Still? by Ritz_Just_Ritz · · Score: 4, Informative

    Did you even read the article? It doesn't appear that the employee was at fault. The computer was "disposed of" by some outside company. Allegedly, they are responsible for sanitizing the hardware prior to binning it or parting it out.

    I would expect, however, that this "outside firm" is wondering if they still have their contract with Northrop Grumman. I suspect not.

  9. Re:Still? by tibman · · Score: 2, Interesting

    NG said it went through an outside firm, that doesn't mean it did. Not only that but this could have been from a personal computer.

    Northrop Grumman is a business. Their employees don't take an oath to support (or defend) the constitution. It's all about the money.

    --
    http://soylentnews.org/~tibman
  10. Re:Yea by rhook · · Score: 5, Insightful

    Those "locks" do nothing to protect the data, and the drive still spins up when power is applied. You can even retrieve the password if you know what you're doing. Full drive encryption is a much better solution.

  11. Cheaper option: Rifle by Anonymous Coward · · Score: 2, Interesting

    They make nice targets. Even the NSA would be hard-pressed to get data off of platters with bullet holes in them. I have seen this done with a high-velocity 7mm bolt-action rifle. VERY effective. Auditor asks how we ensure that hard drives are erased when they are taken out of service. Of course we erase them before using our "special process". Showed them a few samples, bullet holes and all. No more questions about hard drive erasure.

  12. Linux CD by fenring · · Score: 2, Insightful

    Yes, it's called a linux bootable cd. It turns out it's quite cheap as well.

  13. Re:Erasure Device? by plover · · Score: 2, Insightful

    While destroying the HD physically is a solution, it prevents the drive being reused.

    Destroying the drive physically has a benefit beyond the obvious that the data is rendered unrecoverable. The more critical benefit is that if you have two crates of disk drives to destroy, you can look at them and know that the crate full of smashed drives is the "done" crate. That's especially important when you have an unskilled labor pool doing the work. You post a guy at the door with a clipboard ensuring only smashed drives are allowed to leave the building. It doesn't take a computer scientist to do that job correctly.

    Wiping the drive and selling it has much less benefit than you might think. The value of the used drive is tiny -- especially since you still have to pay someone to track it through the wiping process, and you have to pay someone to wipe it. When you finally sell it, you might make a dollar or two at most.

    Compared to the cost of the risk of losing data, it's a false economy to think that salvaging drives is a smart choice. Just the legal costs Northrop Grumman is about to go through over this one far exceeds the amount of money they have now or ever will make selling used drives.

    --
    John
  14. Since when was data totally secure? by Bob_Who · · Score: 2

    The only secure information is never written down or told to other people.

  15. me smell's B.S by Anonymous Coward · · Score: 2, Interesting

    Not that this doesn't happen, I just find the story unlikely, reporters go to a random market in a random country and find this disk. More likely they had the disk beforehand and just made up the market bit.

  16. Re:Erasure Device? by jps25 · · Score: 2, Informative
  17. Re:Name of outsourced company? by HikingStick · · Score: 2, Interesting

    It doesn't matter whether N-G handled it in-house or subcontracted the task. It was their responsibility to make sure the data was kept private or properly destroyed. If it was handled by a subcontractor, there should have been oversight provisions in place. While a subcontractor may have made the ultimate error, it does not clear N-G of its responsibility.

    --
    I use irony whenever I can, but my shirts are still wrinkled...
  18. Re:Position Sensitivity by tibman · · Score: 2, Interesting

    I'd say an Oath is a Moral "contract" and a Contract is a Legal "contract". God is not part of any oath I've ever taken. The US Constitution is the highest authority in the country.

    It's nice to talk to a contractor that has had good experiences working inside the government. I'm being very honest, it's good to hear a gov employee say they take their job very seriously.

    I have mostly dealt with KBR and NG which left a bad taste in my mouth. The worst cases being the $7,000 per month (rent) canvas tents my platoon lived in and a $100K generator that wouldn't run more than 10 hrs without someone babysitting it. The true reasons the Iraq war has cost us so much money.

    --
    http://soylentnews.org/~tibman
  19. V.I. Lenin said it best by Torodung · · Score: 2, Insightful

    "The Capitalists will sell us the rope with which we will hang them." -V.I. Lenin

    Let's prove him wrong, eh?

    --
    Toro

  20. The NSA should just buy all the drives on eBay! by whoever57 · · Score: 4, Funny

    Instead of using illegal wiretaps, the NSA should just buy every drive that is sold on eBay. Just think of the information they could mine out of them!

    --
    The real "Libtards" are the Libertarians!
  21. Re:Yea by Sir_Lewk · · Score: 2, Informative

    Nonsense, placing platters into other drive enclosures to aid in data recovery is one of the oldest tricks in the book. It may not be perfect but it'll certainly work well enough.

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)