Slashdot Mirror

← Back to Stories (view on slashdot.org)

UK Prisons Ministry Fined For Lack of Encryption At Prisons

Posted by Unknown on from the not-like-prisoners-are-people-anyway dept.

Bruce66423 (1678196) writes The Guardian reports that the UK Information Commissioner has levied a fine of £180,000 on the Ministry of Justice for their failure to encrypt data held on external hard drives at prisons. The fine is nominal — one part of government fining another is rather pointless, but it does show that there's a little bit of accountability. Of course it's interesting to consider the dangers of this hopefully old way of storing backups; but the question of whether we do a lot better now is quite pointed. To make matters worse, one of the unencrypted backup hard drives walked away.

44 of 74 comments (clear)

  1. stealing identity by WarJolt · · Score: 2, Funny

    I can't imagine the identities of a bunch of ex-cons are that valuable.

    1. Re:stealing identity by crioca · · Score: 1

      I can’t say I agree, but regardless there’s plenty of other uses for a database of 16000 criminals.

    2. Re:stealing identity by Charliemopps · · Score: 1

      I can't imagine the identities of a bunch of ex-cons are that valuable.

      In the US that's 1% of the population.

    3. Re:stealing identity by Anonymous Coward · · Score: 2, Interesting

      One word: Pension

      The US, UK, Canada and many other countries have an old age pension system that are all very easy to exploit if you have the number. Crooks amass multiple numbers and then collect the pensions. The system is very lax and doesn't check whether someone who claims to be 104 years old is really still alive and at least looks like he is 104 for example.

      Whenever you hear of some Romanian peasant who reached the ripe old age of 120, it is simply because he adopted the identity of his parent, buried the parent without informing anyone and happily collected his parent's pension ever since (and eventually his own too).

    4. Re:stealing identity by JosKarith · · Score: 2

      The identity of 3000 people who have been proven they are prepared to break the law? Or maybe the police reports on the true connection/affiliation of said people? Can't possibly see how that information could of be any use to organised crime...

      --
      'Don't worry' said the trees when they saw the axe coming, 'The handle is one of us.'
    5. Re:stealing identity by Cardoor · · Score: 1

      where do you think all the bond villains get their recruits? "Hello, Mister Job is it?.... Oh, it's Mister Oddjob? Sorry... I'm calling from Goldfinger Staffing Services. We happened to come upon your resume'..."

    6. Re:stealing identity by OurDailyFred · · Score: 1

      Importance vs. value? Seriously? When was the last time you paid for something that had no perceived value to you?

      How about alimony?

      --
      If your only tool is a hammer, you'll approach every problem as if it were a nail. - Abraham Maslow
    7. Re:stealing identity by mjwalshe · · Score: 1

      I am sure any tabloid paper would love to get there hands on that data.

    8. Re:stealing identity by mjwalshe · · Score: 1

      This actually happened at a company I worked at corrupt insiders allowed a hit man to track down the parents of a criminal who where then both killed - I believe the insiders got done for conspiracy and are serving a long prison sentence.

    9. Re:stealing identity by Qzukk · · Score: 1

      Who's stealing the identity?

      The drive walks away one evening, then the next morning it shows up and oh hey it looks like Doctor Death is coming up for release, he's served 999.9 years of his 1000 year sentence, it says so right in this excel spreadsheet, and excel never lies.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
  2. Pointless accountability? by cforciea · · Score: 1, Insightful

    The fine is nominal — one part of government fining another is rather pointless, but it does show that there's a little bit of accountability.

    It seems like the two clauses of that sentence are contradicting each other. How does a "pointless" fine show any accountability at all?

    1. Re:Pointless accountability? by ShanghaiBill · · Score: 2

      How does a "pointless" fine show any accountability at all?

      It is not pointless. Bureaucrats care very much about their discretionary budgets and perquisites.

    2. Re:Pointless accountability? by apraetor · · Score: 1

      They particularly don't like having to explain to their superiors that the budget is down £180k because they failed to follow compulsory data privacy protection regulations, and that the fines will continue to recur until they implement appropriate security.

    3. Re:Pointless accountability? by sociocapitalist · · Score: 1

      The fine is nominal — one part of government fining another is rather pointless, but it does show that there's a little bit of accountability.

      It seems like the two clauses of that sentence are contradicting each other. How does a "pointless" fine show any accountability at all?

      Blame and hopefully a bit of shame perhaps, is better than nothing at all.

      --
      blindly antisocialist = antisocial
    4. Re:Pointless accountability? by denzacar · · Score: 1

      Easy.

      You just have to realize that whoever wrote that "rather pointless" line is committing a fallacy.
      You know... by not grasping things like separation of branches of government or things like internal control or even the idea that THE LAWS STILL APPLY.

      He probably thinks that prison terms for government officials, be they politicians, soldiers, police or bureaucrats working in some office somewhere are equally pointless.
      After all, they are all government employees, just like the judges who would sentence them, and that would be government sentencing itself - and that will never happen.
      Ergo, if you work for the government in any way, you are free to commit crimes. Kill, steal, pillage, jaywalk... they can't touch you for you are the government.

      Based on personal prejudice of "all government branches and officials being the same thing", he commits an existential fallacy... and from there you can attach any conclusion and it would be equally retarded.

      --
      Mit der Dummheit kämpfen Götter selbst vergebens
  3. Walked away? by ArcadeMan · · Score: 1

    To make matters worse, one of the unencrypted backup hard drives walked away.

    Of course it walked away. Thanks to Hitachi, they can even dance.

    --
    Get free satoshi (Bitcoin) and Dogecoins
    1. Re:Walked away? by SigmundFloyd · · Score: 1

      Moral of the story: only buy legless hard drives.

      --
      Knowledge is power; knowledge shared is power lost.
  4. outsource IT makes stuff like this more likely by Joe_Dragon · · Score: 1

    outsource IT makes stuff like this more likely and can leave tech people in a place where they can't do stuff needed to make it work and or need to disable it to be able to get work done as some outside vendor picked something that does not work that well.

  5. Re:So... outsource ALL OF IT by ShanghaiBill · · Score: 1

    Outsource all of the government functions - put it all out for bid.

    Right. Just outsource IT to Oracle, SAP, or Microsoft. That is a wonderful solution.

  6. Re:The hard drive walked away by ruir · · Score: 1

    They have a tendency to walk away in Britain...being in a prison maybe someone hid it away in a dark place, who knows. Pity they havent invented yet backup servers...Who are providing the IT services? The felons?

  7. Re:So... outsource ALL OF IT by ruir · · Score: 3, Insightful

    No matter how incompetent civil servants you have, they will save you a lot HELL more money than those money grabbing machines now as Oracle, SAP or Microsoft. By a couple of orders of magnitude.

  8. Re:So... outsource ALL OF IT by davester666 · · Score: 1

    The prisoner's will win with the low-bid...they'll watch themselves for the low-low fee of 10 pounds/hr [well, for 8 hrs a day, after that it's overtime, and then working on weekends and holidays].

    --
    Sleep your way to a whiter smile...date a dentist!
  9. As a former employee... by BeCre8iv · · Score: 1

    I can attest that the British MoJ is a Gilliamesque farce. It was as if an overzealous technocrat saw 'Brazil' and rebuilt the Civil Service in its image.

    I was an temp admin-monkey for 6 months after things went to shit in 2008/9, in what we called the 'Ministry of Paperwork'. The HR offices for the MoJ. Holders of 60k+ complete records of everyone who ever applied to work in the UK courts. Right up to the top judges and bigwigs.

    At this point we were using WinNT on boxes with XP CoAs and paying meeeelions for the privilege. All to run a bespoke Oracle client that topped out NTs user profile limits with excessive caching and borkt the windows session. All built and supported by one of the most predatory firms in the UK, affectionately known as Twatos.

    The decision-makers were in another city and were clueless about the day to day running of a computerised office. Let alone data protection.

    This sort of incompetence runs to the core of the Civil Service and they get fleeced at every turn. Including by the recruitment agency supplying staff to the HR department.

    The idea of the government fining itself is preposterous. Terry Gilliam must be laughing in his grave.

    --

    --
    This perpetual motion machine Lisa made is a joke, it just keeps getting faster and faster. - Homer
    1. Re:As a former employee... by JosKarith · · Score: 1

      AFAIK Brazil was actually written partially based on Gilliam's dealings with the Civil Service. And MoJ is STILL using XP - they paid M$ £5m for the privilage of getting to use it for another year...

      --
      'Don't worry' said the trees when they saw the axe coming, 'The handle is one of us.'
    2. Re:As a former employee... by dkf · · Score: 1

      All built and supported by one of the most predatory firms in the UK, affectionately known as Twatos.

      Don't worry. They're just as bad in many other european countries too.

      Terry Gilliam must be laughing in his grave.

      Fortunately for him, Terry Gilliam appears to be still alive. Terribly selfish that, not dying on you just so that you could lazily use a cliché like that.

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    3. Re:As a former employee... by BeCre8iv · · Score: 1

      Gotta love it when life imitates satire.

      --
      This perpetual motion machine Lisa made is a joke, it just keeps getting faster and faster. - Homer
    4. Re:As a former employee... by hawkinspeter · · Score: 1

      Maybe he keeps an (empty) one in hes back garden just for times when he feels like laughing a lot. He's a strange chap.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    5. Re:As a former employee... by Cardoor · · Score: 1

      does he hang out in his grave with his laptop/wifi and read /.? last i heard, we still could fog a mirror...

  10. Re:Don't worry, if they encrypt it... by Dutch+Gun · · Score: 1

    There is no such thing as absolutely secure encryption. A good policy is to not have secrets. But secrets are a fact of life. Even then, security through obscurity is often better than off the shelf things.

    High-strength industry standard encryption, properly implemented, is currently believed to be completely unbreakable. It's extremely unlikely any government agency can crack modern cryptography, as evidenced by the lengths they go to in order to try to regulate it (historically), or circumvent it at the source. You can't *prove* it's unbreakable, of course, but we've seen zero evidence to the contrary, with many, many people looking, so I won't be hypocritical and say "it's unbreakable", but "for all practical purposes, it's unbreakable".

    I can't think of worse advice than "security through obscurity". You definitely want "off the shelf" solutions, because those solutions have been vetted by many experts - some friendly, some hostile - all trying very hard to break that security. The quickest way to create a security disaster is to roll your own security solution. Remember WEP?

    --
    Irony: Agile development has too much intertia to be abandoned now.
  11. Re:Don't worry, if they encrypt it... by Anonymous Coward · · Score: 1

    Look, you misunderstood: sillybilly secures his data via the Bennett Haselton algorithm.

    Step 1. Procedurally generate a wall of text that is incoherent but is syntactically valid, vaguely related to the general topic, and is filled with irrelevant personal opinion, bemused speculation, and random misconceptions.

    Step 2: Embed data to be secured in the middle of said text.

    Step 3: Back up the data to the cloud (aka "troll Slashdot with your post")

    That's it! Both Bennett and sillybilly could post their SSNs, credit card numbers, etc in plain view on Slashdot and no one would be the wiser!

  12. Re:So... outsource ALL OF IT by Anonymous Coward · · Score: 2, Interesting

    Outsourcing is the main problem with modern British government, you stupid fuck. Profit motive means doing the MINIMUM work for the MAXIMUM personal gain - it is the very opposite of what you need in a prison system, where pretty much none of the humans are informed, rational, voluntary actors.

    And changing providers every few years just to suit your stupid ideology eliminates the efficiency of experience.

    There is almost no British government function that has been improved by outsourcing, and IT projects are the worst in this respect, reaching insane budgets and always under-delivering (in some cases this is good because the citizens would not benefit from the project, e.g. Universal Credit or shared health records). Please take your religion and find a sound-proofed church to preach it in.

  13. Yeah but.. by countach · · Score: 2

    I can picture a scenario that if they were encrypted, the recovery key would be lost, or the person holding it would die or resign or quit and suddenly all the backups are unrecoverable. You can say ok, so the key should be kept somewhere secure, but where? When you answer that question, then why not put the actual backups there? It's not like you could have just one key forever either. That would be insecure to never change it. But to change it means having some filing system to keep the whole list of them from years and years back and storing them so people can find them. Then how are you going to encrypt THAT?

    1. Re:Yeah but.. by Kijori · · Score: 1

      There are plenty of solutions to this problem that only marginally reduce security. For example, keep copies of the encryption keys on index cards in a safe at the Ministry of Justice head office. An attacker would need both the backup hard drive and the key, and they are now in separate, secure locations.

      As for why not move the backups off-site too - it sounds like that is the long-term plan, and this is just the stop-gap for prisons that haven't moved over to it yet.

  14. Re:Don't worry, if they encrypt it... by Imrik · · Score: 1

    It's only unbreakable through a computer science approach, it's still vulnerable to social engineering.

  15. Re:So... outsource ALL OF IT by Imrik · · Score: 1

    They just have to work shifts, taking turns being the guards.

  16. Sir Humphrey Appleby would be proud. by LWATCDR · · Score: 3, Insightful

    " The fine is nominal — one part of government fining another is rather pointless, but it does show that there's a little bit of accountability"
      in the voice of Sir Humphrey Appleby.
    No minister it is not pointless at all. You get to show that their is some accountability at no cost to the government in monetary terms. The error will be shown to be a problem with a contractor that is following his original contract instead of the new updated rules so no one in the civil service will be held responsible and in the end nothing really will change and we can get on with the business of running the government.

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  17. Government doesn't understand IT by AlecC · · Score: 1

    This is just another example of the way the UK government and Civil Service, as institutions, do not understand IT. Down at the bitface, there may well be some very competent IT people - but their voices do not reach up to the levels that have control. The people who actually make the decisions, both politicians and civil servants, have no gut fel for IT. The assume that if you had over enough money to a plausible contractor, you will get something that works. The contractors, of course, are building something that meets the spec. The idea that "something that works" and "something that meets the spec" are not the same thing completely escapes them. On a large scale, the NHS IT fiasco.

      In this case, they bought drives specified as encrypted, and assumed the job done. Anybody who thought through the problem would have realised that there is a second, administrative phase: who sets they keys, who holds them, what happens if they are ill or leave, should we change the keys if people who know them leave... A side effect of this thinking would have been to decide when to turn on encryption, who to do it etc. But because they had bought a box with "encrypted" on the side, they assumed that the technology fairies would do the rest.

    --
    Consciousness is an illusion caused by an excess of self consciousness.
  18. Re:Ironic... by Gonoff · · Score: 1

    No. It's not illegal, or even remotely so,
    In many business situations, it's pretty close to mandatory. For the rest of us, encryption has caught on because of dodgy newspapers and Nigerian street markets.

    In a lecture, a couple of years ago, I was asked what the best way of removing data from old drives. My answer was "a 10 year old with a lump hammer". Once that has been done with gusto, no spook or criminal News International employee will get much out of your stuff!

    --
    I'll see your Constitution and raise you a Queen.
  19. Re:old way? by hawkinspeter · · Score: 1

    I think encryption is the key here. Doesn't matter so much where you store it as how encrypted it is. However, if you put it onto a device that can fit very easily into someone's pocket, then you'd better make damn sure that it's encrypted.

    --
    You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
  20. Re:So... outsource ALL OF IT by BVis · · Score: 1

    I like how he/she automatically assumes private business doesn't have incompetent can't-be-fired-because-they're-the-boss'-son-in-law idiots working for them that make the average civil servant look like Albert Einstein..

    --
    Never underestimate the power of stupid people in large groups.
  21. I don't believe fining it the correct punishment by Stan92057 · · Score: 1

    I don't believe fining it the correct punishment. I mean go ahead fine me, its not my money anyways. I really think that was travesty of justice the person in charge should be suspended or fired. One government office fining another is a slap in the face of the taxpayer who pay the fine.

    --
    Jack of all trades,master of none
  22. Re:I don't believe fining it the correct punishmen by Stan92057 · · Score: 1

    sorry for the butchered title. I was like mannnnnnnnnnnnnnnnnnnnnnnn.lol

    --
    Jack of all trades,master of none
  23. Re:So... outsource ALL OF IT by ruir · · Score: 1

    Idiots far more expensive too, btw.

  24. Re:So... outsource ALL OF IT by ruir · · Score: 2

    Answered too fast sadly. Besides the possibility of having idiots far more expensive outsourced from the private sector, the fact is that public sector often gets assigned second or third rate consultants because the best ones are assigned to private sector customers.