UK Prisons Ministry Fined For Lack of Encryption At Prisons

Bruce66423 (1678196) writes The Guardian reports that the UK Information Commissioner has levied a fine of £180,000 on the Ministry of Justice for their failure to encrypt data held on external hard drives at prisons. The fine is nominal — one part of government fining another is rather pointless, but it does show that there's a little bit of accountability. Of course it's interesting to consider the dangers of this hopefully old way of storing backups; but the question of whether we do a lot better now is quite pointed. To make matters worse, one of the unencrypted backup hard drives walked away.

stealing identity

[WarJolt]

I can't imagine the identities of a bunch of ex-cons are that valuable.

Re:stealing identity

[crioca]

I can’t say I agree, but regardless there’s plenty of other uses for a database of 16000 criminals.

Re:stealing identity

He didn't say "important", you self-righteous assfag, he said "valuable".

Re:stealing identity

[Charliemopps]

I can't imagine the identities of a bunch of ex-cons are that valuable.

In the US that's 1% of the population.

Re:stealing identity

Importance vs. value? Seriously? When was the last time you paid for something that had no perceived value to you?

Re:stealing identity

You might want to check that number again. ex-con != currently in prison even with the US's horrible recidivism rates.

Re:stealing identity

One word: Pension

The US, UK, Canada and many other countries have an old age pension system that are all very easy to exploit if you have the number. Crooks amass multiple numbers and then collect the pensions. The system is very lax and doesn't check whether someone who claims to be 104 years old is really still alive and at least looks like he is 104 for example.

Whenever you hear of some Romanian peasant who reached the ripe old age of 120, it is simply because he adopted the identity of his parent, buried the parent without informing anyone and happily collected his parent's pension ever since (and eventually his own too).

Re:stealing identity

[JosKarith]

The identity of 3000 people who have been proven they are prepared to break the law? Or maybe the police reports on the true connection/affiliation of said people? Can't possibly see how that information could of be any use to organised crime...

Re:stealing identity

They just have not stolen the drives containing the details of the 9%+ you incarcerate yet.

Re:stealing identity

Whenever you hear of some Romanian peasant who reached the ripe old age of 120, it is simply because he adopted the identity of his parent, buried the parent without informing anyone and happily collected his parent's pension ever since (and eventually his own too).

THAT RACIST!

LOL. That AC made a claim equivalent to "when you see a nigger running, it is because he stole something" and get moderated up because EVERYONE hate gypsy. Even the anti-racism mainstream crowd...

Re:stealing identity

[Cardoor]

where do you think all the bond villains get their recruits? "Hello, Mister Job is it?.... Oh, it's Mister Oddjob? Sorry... I'm calling from Goldfinger Staffing Services. We happened to come upon your resume'..."

Re:stealing identity

>When was the last time you paid for something that had no perceived value to you?

I renewed my license plates recently, does that count? I suppose there's false value in that the government won't lock me up. In that case, the mafia provides some real value, too.

Re:stealing identity

I can't imagine the identities of a bunch of ex-cons are that valuable.

Revenge targets/ who fingered me/ now I know where your family live, you'll let this named prisoner know I can still get him even though he's in prison/ when you get out there will be a mob waiting etc etc...

Re:stealing identity

[OurDailyFred]

Importance vs. value? Seriously? When was the last time you paid for something that had no perceived value to you?

How about alimony?

Re:stealing identity

[mjwalshe]

I am sure any tabloid paper would love to get there hands on that data.

Re:stealing identity

[mjwalshe]

This actually happened at a company I worked at corrupt insiders allowed a hit man to track down the parents of a criminal who where then both killed - I believe the insiders got done for conspiracy and are serving a long prison sentence.

Re:stealing identity

[Qzukk]

Who's stealing the identity?

The drive walks away one evening, then the next morning it shows up and oh hey it looks like Doctor Death is coming up for release, he's served 999.9 years of his 1000 year sentence, it says so right in this excel spreadsheet, and excel never lies.

Don't worry, if they encrypt it...

then they can just hide all of the abuses they don't report.

Re:Don't worry, if they encrypt it...

[sillybilly]

There is no such thing as absolutely secure encryption. A good policy is to not have secrets. But secrets are a fact of life. Even then, security through obscurity is often better than off the shelf things.
I don't use encryption on my disks, because, first of all I could lose all my data on all my hard drives and be fine, second, if somebody finds it and sees everything on it, there are still privacy rules and laws that apply, but I don't really have that much to hide (everybody does have some), and third, encryption gets in the way of easy access and data recovery, and adds computing overhead. When I make a backup, my biggest issue is time, and speed of the backup. Also I'd like to be able to get to files from weird places like old linux distros, for which I try to store stuff on FAT32 (2TB max total, 2GB max per file) on smaller portable drives, which means dvd images have to be split into 2GB sizes. As I will forever will be stuck on Windows 2000 or the like (I'm reluctantly on XP, but it has way too much crap compared to basic Win2K) and oldschool linuxes for basic computer use, and maybe purchase appliance type newer computers to snatch new files from the Internet to move to those older computers, so I have been thinking on using ext2(32TB max total, 2TB max per file) as standard on portable disks, (and yes, ext2, not ext3) which can take DVD images and 32 TB disks which are not even on the market yet. The only issue is you can't take it to say a computer library and expect linux with ext2 support to be present, or windows with ext2 drivers, but for at home use and long term data storage once you're fully off the net, it should work great. Encryption only gets in the way, when the stuff you store is mostly public domain, or easy to just erase in case you get a government raid and says it's copyright violation, you can't have it pay for it or erase, dude i can erase everything and anything and be fine. I do not really need encryption for those reasons. The only situation is a business trade secret, where there are competitors and you invest a lot of effort and money into developing something workable, and in that case you can say because of the costs involved you have secrets to protect. But my everyday life is not like that, I don't have secrets that are a matter of life and death, or at least a sustenance, so I don't need encryption at all for my portable disk storage. I still like encryption on on line banking and shopping, and there is such a thing as identity theft, but there is like nothing you can do if they are really set to find out every detail about you, and then it's easy to do identity theft.

Re:Don't worry, if they encrypt it...

[Dutch+Gun]

There is no such thing as absolutely secure encryption. A good policy is to not have secrets. But secrets are a fact of life. Even then, security through obscurity is often better than off the shelf things.

High-strength industry standard encryption, properly implemented, is currently believed to be completely unbreakable. It's extremely unlikely any government agency can crack modern cryptography, as evidenced by the lengths they go to in order to try to regulate it (historically), or circumvent it at the source. You can't *prove* it's unbreakable, of course, but we've seen zero evidence to the contrary, with many, many people looking, so I won't be hypocritical and say "it's unbreakable", but "for all practical purposes, it's unbreakable".

I can't think of worse advice than "security through obscurity". You definitely want "off the shelf" solutions, because those solutions have been vetted by many experts - some friendly, some hostile - all trying very hard to break that security. The quickest way to create a security disaster is to roll your own security solution. Remember WEP?

Re:Don't worry, if they encrypt it...

Look, you misunderstood: sillybilly secures his data via the Bennett Haselton algorithm.

Step 1. Procedurally generate a wall of text that is incoherent but is syntactically valid, vaguely related to the general topic, and is filled with irrelevant personal opinion, bemused speculation, and random misconceptions.

Step 2: Embed data to be secured in the middle of said text.

Step 3: Back up the data to the cloud (aka "troll Slashdot with your post")

That's it! Both Bennett and sillybilly could post their SSNs, credit card numbers, etc in plain view on Slashdot and no one would be the wiser!

Re:Don't worry, if they encrypt it...

[Imrik]

It's only unbreakable through a computer science approach, it's still vulnerable to social engineering.

Re:Don't worry, if they encrypt it...

It's only unbreakable through a computer science approach, it's still vulnerable to social engineering.

Or like the all too familiar XKCD

Pointless accountability?

[cforciea]

The fine is nominal — one part of government fining another is rather pointless, but it does show that there's a little bit of accountability.

It seems like the two clauses of that sentence are contradicting each other. How does a "pointless" fine show any accountability at all?

Re:Pointless accountability?

[ShanghaiBill]

How does a "pointless" fine show any accountability at all?

It is not pointless. Bureaucrats care very much about their discretionary budgets and perquisites.

Re:Pointless accountability?

[apraetor]

They particularly don't like having to explain to their superiors that the budget is down £180k because they failed to follow compulsory data privacy protection regulations, and that the fines will continue to recur until they implement appropriate security.

Re:Pointless accountability?

[sociocapitalist]

The fine is nominal — one part of government fining another is rather pointless, but it does show that there's a little bit of accountability.

It seems like the two clauses of that sentence are contradicting each other. How does a "pointless" fine show any accountability at all?

Blame and hopefully a bit of shame perhaps, is better than nothing at all.

Re:Pointless accountability?

In Belgium some department asked for a budget increase to pay fines to healt and safety (other part of the government). They got it and the other budget was reduced by the same amount. Nice solution.

Re:Pointless accountability?

[denzacar]

Easy.

You just have to realize that whoever wrote that "rather pointless" line is committing a fallacy.
You know... by not grasping things like separation of branches of government or things like internal control or even the idea that THE LAWS STILL APPLY.

He probably thinks that prison terms for government officials, be they politicians, soldiers, police or bureaucrats working in some office somewhere are equally pointless.
After all, they are all government employees, just like the judges who would sentence them, and that would be government sentencing itself - and that will never happen.
Ergo, if you work for the government in any way, you are free to commit crimes. Kill, steal, pillage, jaywalk... they can't touch you for you are the government.

Based on personal prejudice of "all government branches and officials being the same thing", he commits an existential fallacy... and from there you can attach any conclusion and it would be equally retarded.

Tax spenders fined tax spenders??

What's the point of this? If the ministry is unable to operate due to lack of money, they'd just have to ask it back again, from the *earnings* of UK Information Commissioner.

Am I the only who found this ridiculous and idiotic?

Oh RRY?

From the article:
"But the ICO's investigation into the latest loss found that the prison service did not realise the encryption option on the new hard drives needed to be turned on to work correctly"

"To work correctly"?

stealing identity

Could you expand on how your identity is more important, your holiness?

The hard drive walked away

What an outrage

Re:The hard drive walked away

[ruir]

They have a tendency to walk away in Britain...being in a prison maybe someone hid it away in a dark place, who knows. Pity they havent invented yet backup servers...Who are providing the IT services? The felons?

Re:The hard drive walked away

They have a tendency to walk away in Britain...being in a prison maybe someone hid it away in a dark place, who knows. Pity they havent invented yet backup servers...Who are providing the IT services? The felons?

Might be. In Finland they provided the bugs drug police use. Ok, the drug police did provide the drugs, and well, the whole mess looks like the police are the criminals, and soon to be felons. It's all fun and games.

Re:The hard drive walked away

> .Who are providing the IT services? The felons?

Atos, probably, so yes.

Walked away?

[ArcadeMan]

To make matters worse, one of the unencrypted backup hard drives walked away.

Of course it walked away. Thanks to Hitachi, they can even dance.

Re:Walked away?

Holy shit, that video brings back memories! The day terabytes became a consumer fad.

Re:Walked away?

It's alright, they can buy it back on Ebay. It should still have all the data too.

Re:Walked away?

[SigmundFloyd]

Moral of the story: only buy legless hard drives.

So... outsource ALL OF IT

[NotQuiteReal]

Outsource all of the government functions - put it all out for bid.

Outsource the management too.

Have elections to select which management firms are eligible to be in the random drawing for the next 1,2,4, or 5 year cycle...

Re:So... outsource ALL OF IT

[ShanghaiBill]

Outsource all of the government functions - put it all out for bid.

Right. Just outsource IT to Oracle, SAP, or Microsoft. That is a wonderful solution.

Re:So... outsource ALL OF IT

oddly, as bad as those bloated companies are... they are better than entitled, can't be fired, civil servants doing the same work...

Re:So... outsource ALL OF IT

[ruir]

No matter how incompetent civil servants you have, they will save you a lot HELL more money than those money grabbing machines now as Oracle, SAP or Microsoft. By a couple of orders of magnitude.

Re:So... outsource ALL OF IT

[davester666]

The prisoner's will win with the low-bid...they'll watch themselves for the low-low fee of 10 pounds/hr [well, for 8 hrs a day, after that it's overtime, and then working on weekends and holidays].

Re:So... outsource ALL OF IT

[BeCre8iv]

It already has been. Thats the problem. The civil service service is run by pension farming bureaucrats who pushed a lifetime of paper to get to the middle. For example vanloads of paper docs are secure couriered around the country because nobody knows enough about encryption to ask ATOS to make it so.

Re:So... outsource ALL OF IT

Outsourcing is the main problem with modern British government, you stupid fuck. Profit motive means doing the MINIMUM work for the MAXIMUM personal gain - it is the very opposite of what you need in a prison system, where pretty much none of the humans are informed, rational, voluntary actors.

And changing providers every few years just to suit your stupid ideology eliminates the efficiency of experience.

There is almost no British government function that has been improved by outsourcing, and IT projects are the worst in this respect, reaching insane budgets and always under-delivering (in some cases this is good because the citizens would not benefit from the project, e.g. Universal Credit or shared health records). Please take your religion and find a sound-proofed church to preach it in.

Re:So... outsource ALL OF IT

[Imrik]

They just have to work shifts, taking turns being the guards.

Re:So... outsource ALL OF IT

[BVis]

I like how he/she automatically assumes private business doesn't have incompetent can't-be-fired-because-they're-the-boss'-son-in-law idiots working for them that make the average civil servant look like Albert Einstein..

Re:So... outsource ALL OF IT

[ruir]

Idiots far more expensive too, btw.

Re:So... outsource ALL OF IT

[ruir]

Answered too fast sadly. Besides the possibility of having idiots far more expensive outsourced from the private sector, the fact is that public sector often gets assigned second or third rate consultants because the best ones are assigned to private sector customers.

outsource IT makes stuff like this more likely

[Joe_Dragon]

outsource IT makes stuff like this more likely and can leave tech people in a place where they can't do stuff needed to make it work and or need to disable it to be able to get work done as some outside vendor picked something that does not work that well.

old way?

What's the new way of storing backups? On someone else's hard drive over the internet? How is that better?

Re:old way?

[hawkinspeter]

I think encryption is the key here. Doesn't matter so much where you store it as how encrypted it is. However, if you put it onto a device that can fit very easily into someone's pocket, then you'd better make damn sure that it's encrypted.

Papa's got a brand new bag

Jamie Archer: When did you start smoking?

Castor Troy: You'll be seeing a lot of changes around here.

[blows smoke rings at Jamie]

Castor Troy: Papa's got a brand new bag. OW!

As a former employee...

[BeCre8iv]

I can attest that the British MoJ is a Gilliamesque farce. It was as if an overzealous technocrat saw 'Brazil' and rebuilt the Civil Service in its image.

I was an temp admin-monkey for 6 months after things went to shit in 2008/9, in what we called the 'Ministry of Paperwork'. The HR offices for the MoJ. Holders of 60k+ complete records of everyone who ever applied to work in the UK courts. Right up to the top judges and bigwigs.

At this point we were using WinNT on boxes with XP CoAs and paying meeeelions for the privilege. All to run a bespoke Oracle client that topped out NTs user profile limits with excessive caching and borkt the windows session. All built and supported by one of the most predatory firms in the UK, affectionately known as Twatos.

The decision-makers were in another city and were clueless about the day to day running of a computerised office. Let alone data protection.

This sort of incompetence runs to the core of the Civil Service and they get fleeced at every turn. Including by the recruitment agency supplying staff to the HR department.

The idea of the government fining itself is preposterous. Terry Gilliam must be laughing in his grave.

--

Re:As a former employee...

[JosKarith]

AFAIK Brazil was actually written partially based on Gilliam's dealings with the Civil Service. And MoJ is STILL using XP - they paid M$ £5m for the privilage of getting to use it for another year...

Re:As a former employee...

[dkf]

All built and supported by one of the most predatory firms in the UK, affectionately known as Twatos.

Don't worry. They're just as bad in many other european countries too.

Terry Gilliam must be laughing in his grave.

Fortunately for him, Terry Gilliam appears to be still alive. Terribly selfish that, not dying on you just so that you could lazily use a cliché like that.

Re:As a former employee...

[BeCre8iv]

Gotta love it when life imitates satire.

Re:As a former employee...

[hawkinspeter]

Maybe he keeps an (empty) one in hes back garden just for times when he feels like laughing a lot. He's a strange chap.

Re:As a former employee...

[Cardoor]

does he hang out in his grave with his laptop/wifi and read /.? last i heard, we still could fog a mirror...

Re:As a former employee...

Terry Gilliam appears to be still alive.

That's gotta suck for Terry Billiam. Sorry about the mixup, ol' chap.

Yeah but..

[countach]

I can picture a scenario that if they were encrypted, the recovery key would be lost, or the person holding it would die or resign or quit and suddenly all the backups are unrecoverable. You can say ok, so the key should be kept somewhere secure, but where? When you answer that question, then why not put the actual backups there? It's not like you could have just one key forever either. That would be insecure to never change it. But to change it means having some filing system to keep the whole list of them from years and years back and storing them so people can find them. Then how are you going to encrypt THAT?

Re:Yeah but..

[Kijori]

There are plenty of solutions to this problem that only marginally reduce security. For example, keep copies of the encryption keys on index cards in a safe at the Ministry of Justice head office. An attacker would need both the backup hard drive and the key, and they are now in separate, secure locations.

As for why not move the backups off-site too - it sounds like that is the long-term plan, and this is just the stop-gap for prisons that haven't moved over to it yet.

Ironic...

...for a country where encryption is more or less illegal.

Re:Ironic...

[Gonoff]

No. It's not illegal, or even remotely so,
In many business situations, it's pretty close to mandatory. For the rest of us, encryption has caught on because of dodgy newspapers and Nigerian street markets.

In a lecture, a couple of years ago, I was asked what the best way of removing data from old drives. My answer was "a 10 year old with a lump hammer". Once that has been done with gusto, no spook or criminal News International employee will get much out of your stuff!

Re:Ironic...

I thought UK mentality was that anyone who uses encryption must be a terrorist, or a child molester/pornographer?

Re:Ironic...

If you mean the British courts' opinions, effectively yes. Failing (not necessarily 'refusing') to decrypt data on your hardware when ordered to by a court is an indictable offense (5 years).

Sir Humphrey Appleby would be proud.

[LWATCDR]

" The fine is nominal — one part of government fining another is rather pointless, but it does show that there's a little bit of accountability"
  in the voice of Sir Humphrey Appleby.
No minister it is not pointless at all. You get to show that their is some accountability at no cost to the government in monetary terms. The error will be shown to be a problem with a contractor that is following his original contract instead of the new updated rules so no one in the civil service will be held responsible and in the end nothing really will change and we can get on with the business of running the government.

Government doesn't understand IT

[AlecC]

This is just another example of the way the UK government and Civil Service, as institutions, do not understand IT. Down at the bitface, there may well be some very competent IT people - but their voices do not reach up to the levels that have control. The people who actually make the decisions, both politicians and civil servants, have no gut fel for IT. The assume that if you had over enough money to a plausible contractor, you will get something that works. The contractors, of course, are building something that meets the spec. The idea that "something that works" and "something that meets the spec" are not the same thing completely escapes them. On a large scale, the NHS IT fiasco.

  In this case, they bought drives specified as encrypted, and assumed the job done. Anybody who thought through the problem would have realised that there is a second, administrative phase: who sets they keys, who holds them, what happens if they are ill or leave, should we change the keys if people who know them leave... A side effect of this thinking would have been to decide when to turn on encryption, who to do it etc. But because they had bought a box with "encrypted" on the side, they assumed that the technology fairies would do the rest.

No buts!

Well, why do you have keys, as in physical ones? Because they're easier to lug around than the secured object. Even something as simple as a money box: You lug it around locked and perhaps have someone else carry the key. And in large institutions you (have to) have key management that keeps track of who has which keys. There are interesting parallels with gobs of data.

One of the first things you have to ask is whether it is more desirable to lose access to the data by losing unencrypted storage devices holding the data on the bus or by losing the keys and so ending up with encrypted devices that hold data you cannot do anything with... and neither can anyone else. The outcome here can easily be different to what's a desirable failure mode for losing the key to some inmate's cell door. The procedures and processes around it, though, are similar.

And with data encryption you have many more options of storing the data and managing the keys. You could, for example, encrypt the keys using public key crypto and send the results to a key management facility. That one person quits, you get their work key back at the cost of a bunch of paperwork. Something like that. It's not difficult, you just have to organize it within your organisation.

I don't believe fining it the correct punishment

[Stan92057]

I don't believe fining it the correct punishment. I mean go ahead fine me, its not my money anyways. I really think that was travesty of justice the person in charge should be suspended or fired. One government office fining another is a slap in the face of the taxpayer who pay the fine.

Re:I don't believe fining it the correct punishmen

[Stan92057]

sorry for the butchered title. I was like mannnnnnnnnnnnnnnnnnnnnnnn.lol

Yeah but..

There are systems where x of n keys (say 2 out of 3) can be used to decrypt for exactly this scenario.