Slashdot Mirror


The Importance of Deleting Old Stuff

An anonymous reader writes: Bruce Schneier has codified another lesson from the Sony Pictures hack: companies should know what data they can safely delete. He says, "One of the social trends of the computerization of our business and social communications tools is the loss of the ephemeral. Things we used to say in person or on the phone we now say in e-mail, by text message, or on social networking platforms. ... Everything is now digital, and storage is cheap — why not save it all?

Sony illustrates the reason why not. The hackers published old e-mails from company executives that caused enormous public embarrassment to the company. They published old e-mails by employees that caused less-newsworthy personal embarrassment to those employees, and these messages are resulting in class-action lawsuits against the company. They published old documents. They published everything they got their hands on."

Schneier recommends organizations immediately prepare a retention/deletion policy so in the likely event their security is breached, they can at least reduce the amount of harm done. What kind of retention policy does your organization enforce? Do you have any personal limits on storing old data?

18 of 177 comments

  1. Dear Nazis by Anonymous Coward · · Score: 3, Insightful

    Official Nazi Memo

    Please do not keep documents about Concentration-Camp details more than 3 Months.
    If the gold in the inmates' teeth have been molten and the lamp-shades with their skin have been shipped all data about it can be shredded and burnt.
    Once the Jews, the intellectuals and the gipsies have all been cremated, the documents about it can be safely destroyed.
    We don't have to keep statistical data about the efficiency of the Zyklon B showers more than 1 month either, it's cheap enough.
    Immediately dismantle showers and crematorium after use, we wouldn't want the public getting a bad impression.

    PS. Do not make jokes about Leni Riefenstahl in your official communications.
    No jokes about Sonja Henie as well.
    Also, do not propose Jesse Owens as the next James Bond.

    PPS. Don't talk to Goebbels about Company secrets, he keeps a diary.

    PPPS. If anybody asks, Treblinka was a summer camp. //For the sarcasm-detector: this is a test

    1. Re:Dear Nazis by turbidostato · · Score: 4, Insightful

      "Please do not keep documents about Concentration-Camp details more than 3 Months."

      Wow! Godwin's law accomplished in the very first comment. That's a feat!

      But then, I think you have a point: It seems to me that Sony's problems don't come from retaining old emails but from these emails being embarrassing to start with.

      Schneier's position seems to be "don't worry about your poor ethics, just cover your tracks".

    2. Re:Dear Nazis by gstoddart · · Score: 4, Insightful

      Schneier's position seems to be "don't worry about your poor ethics, just cover your tracks".

      In fairness to him, that's pretty much the industry position on data retention, and what the lawyers will tell you.

      See, you are legally obligated to hold onto some things for a given period. Deleting it before then can get you into legal trouble if you suddenly find it needed.

      Similarly, if you are under litigation and things have been requested, you are legally obligated to hold onto it because you're not allowed to delete stuff which is relevant to an on-going court case.

      And, finally, once the base retention period has happened, and once your legal team confirms this stuff is legal to delete -- you want to get rid of it as soon as you possibly can, so that it's not lingering about to bite you in the ass.

      This has been true of the legal landscape for document/records retention for at least a decade, because older information which should have been deleted can be a liability to your company.

      The problem can be that employees hold onto stuff for their records, either as a CYA or a record of things they've worked on. And if that stuff pops up in discovery, even if the corporate version has been purged, it's legally admissible. But it's much harder to convince your employees they need to delete their copies of something, because their own personal interest means they care less about your corporate needs -- because who wants some ass of a manager coming back and blaming you for something you objected to?

      I think this is pretty much standard records keeping since SOX came into play.

      But don't think for a minute that it's just him saying essentially this same thing. This has been pretty standard stuff for quite some time, even if most people are clueless about it.

      --
      Lost at C:>. Found at C.
    3. Re:Dear Nazis by Anonymous Coward · · Score: 2, Insightful

      See, you are legally obligated to hold onto some things for a given period. Deleting it before then can get you into legal trouble if you suddenly find it needed.

      Similarly, if you are under litigation and things have been requested, you are legally obligated to hold onto it because you're not allowed to delete stuff which is relevant to an on-going court case.

      There's a difference in holding on to for legal (or whatever) reasons and keeping online. The former doesn't necessitate the latter.
      It's quite a bit easier to remotely hack an Exchange server than a bunch of offline tapes or drives stuffed in a safe ...

    4. Re:Dear Nazis by Anonymous Coward · · Score: 1, Insightful

      Fuck Godwin's law. That applied in the 1990's and 2000's when we lived in "end of history" times and Seinfeld nonchalance was a national attitude.

      It's 2015. We've got religious fanatics abroad, corporations looting at home, western democracies in practical paralysis, and some kind of identity-political, fascism 2.0 popping up like mold all over the web.

      The Nazis were a lesson from history. Time to brush off the textbooks.

    5. Re:Dear Nazis by Anonymous Coward · · Score: 0, Insightful

      Don't worry. The NSA has already captured all that data and is keeping it safe for future use, including blackmail...

    6. Re:Dear Nazis by DarkOx · · Score: 3, Insightful

      Schneier's position seems to be "don't worry about your poor ethics, just cover your tracks".

      I think you know we now live in a world where you can make a fairly benign statement and there exists a very real possibility someone with an axe to grind may strip it of its context and use it against you. I think you also know that behavior is normative. What is appropriate conversation with, say, all-male company over beers after work may not be appropriate while still in the office, might not be appropriate if a female colleague has joined you for those beers, etc. That stuff might still land on the corporate backup server etc., if someone decides to use their corporate smart phone to video some of your night out. While none of it was ever said while on the clock, or in any official communication, nevertheless through stupidity it's found its way onto company assets; suddenly it's discoverable etc.

      So now that innocent comment between two men who were meeting not as employees of Innertrode, but just two buddies having drinks, about how the waitress had a nice ass, can be used to demonstrate a pattern of hostile culture or whatever in some unrelated lawsuit. That is the world we live in. It could work the other way around too: your corporate stuff might get tied up in legal proceedings involving them personally that did not need to involve the company. This alone is why BYOD should be strangled in its cradle anytime someone brings it up. You don't want people's personal lives tied to corporate assets. You don't want your file/e-mail/backup/messaging server to be evidence in their divorce proceedings, drug trafficking trial, etc.

      Essentially my mother's advice is still the best: if you don't want someone to read it, don't write it down. Don't write it down, don't record it, don't photograph it. Do not keep it in your diary under lock and key, do not keep it on your file server protected with AES-256, just don't record it. Also it's not destruction of evidence; you can't be guilty of deleting something that never existed.

      So my advice is NO BYOD period, people putting personal assets on corporate networks should be escorted to HR to receive their pink slip and then out of the building; that should be the policy. As to data retention, yes a good data retention policy is important, but even more important is education on how corporate IT assets should be used, what type of language is never appropriate, not used for personal stuff, etc.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    7. Re:Dear Nazis by turbidostato · · Score: 3, Insightful

      "It would be a stretch (and a very disingenuous one) to make inferences about Schneier's ethics from his professional position in the matter (in the context of security) alone."

      I don't think so. The man is the slave of his words and the master of his silence. Schneier is completely free to give whatever advice he deems appropriate and of course everything somebody says (given it has not been put out of context) reveals his ethos, especially if, as is the case, it is full of behaviour indications:

      "[in regards to the attack against Sony Pictures] there's another equally important but much less discussed lesson here: companies should have an aggressive deletion policy.
      [...]
      Everything is now digital, and storage is cheap -why not save it all?
      [...]
      Saving data, especially e-mail and informal chats, is a liability.
      [...]
      If Sony had had an aggressive data deletion policy, much of what was leaked couldn't have been stolen and wouldn't have been published."

      Schneier could just as easily have said something like this instead:

      "[in regards to the attack against Sony Pictures] there's another equally important but much less discussed lesson here: companies should have an aggressive policy enforcing high ethical standards.
      [...]
      Everything is now digital, and storage is cheap -why not save it all?
      [...]
      Allowing psychopaths in your company is a liability.
      [...]
      If Sony had had an aggressive ethos policy, much of what was leaked wouldn't have been published or, if so, it would just have shown what a high-standards company it is."

      See? Still Schneier pointed to the former, not the latter.

  2. Air-gap. by ledow · · Score: 3, Insightful

    Retain everything.

    Just make sure that anything past your legal retention limit is only retained offline.

    How hard is that? Standard practice as far as I'm concerned - when you hit the limit on what you need to store, archive it to get your space back but keep the archives around just in case you need them later (e.g. lawsuits, etc.). There's nothing stopping you putting your old tapes, or old NAS disks, into storage because by the time the data is about to retire, so are the old units that stored it.

    Not saying keep them around forever, but just keep what you don't NEED to keep offline. Otherwise you're just chewing disk space for no good reason anyway.

    Then when you do come across your (encrypted) backup tapes in the archives in a few years' time, you know you can safely ditch anything there should you be short of space, and that you can probably restore anything that might be there if the lawyers send you in. And nobody can access it but you. Hell, you could store it live, but encrypted, and just archive the encryption key for each year that you don't need.

    Air gap and encryption, people. Seems like it should be pretty basic stuff to a company as HUGE as Sony.

    1. Re:Air-gap. by Drethon · · Score: 1, Insightful

      I work for a contracting company, our data retention limit is the end of time. Though knowing that all of our e-mails are kept stored for possible contract issues also means I try not to send highly embarrassing e-mails on work e-mail...

    2. Re:Air-gap. by jbmartin6 · · Score: 3, Insightful

      You aren't going to appear to hide data if it is part of your data retention practice. If you can say that you were deleting everything over five years old long before any issues came to light, that isn't going to be a problem. Now if you start deleting it the day before you get the subpoena, you've got a problem.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    3. Re:Air-gap. by kent_eh · · Score: 3, Insightful

      My old emails (especially) are kept in the "CYA" file hierarchy.
      It has served my interests a few times. "why didn't anyone warn us?"..."I did in this e-mail from 6 years ago (attached)".

      --
      "I can't complain, but sometimes still do..." Joe Walsh
  3. I have a simpler policy by 0123456 · · Score: 4, Insightful

    I don't do or email anything that would "cause enormous public embarrassment" to the company if it got out.

    1. Re:I have a simpler policy by bws111 · · Score: 3, Insightful

      So you never give an honest negative opinion about a product under development, for instance? You would never report any suspicion of wrong-doing? You would never give an opinion of a fellow employee if asked?

  4. Sony could have archived by Karmashock · · Score: 4, Insightful

    You don't need to keep everything on line. That was the thing that was so stupid. They had everything online with a common key to access everything.

    First, Sony knew they had a problem over a year ago. They're refusing to admit it but everyone knows.

    Second, the way Sony laid out their network was dumb. They should have compartmentalized and archived.

    Third, when you know you are getting hacked don't just sit there with your thumb up your ass. Do something about it.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  5. I have another idea... by Floyd-ATC · · Score: 5, Insightful

    If huge corporations started following some basic legal and ethical guidelines, they wouldn't have to worry so much about old documents getting leaked. If your business strategy is to f##k your customers and/or your partners, sooner or later you will pay for it, documents or no documents.

    --
    Time flies when you don't know what you're doing
  6. Risk management? by mark_reh · · Score: 3, Insightful

    I think a lot of company communication retention policies are based on risk management. They are afraid to delete anything in case they get sued. Depending on the industry they may be required to retain data by law.

    It seems this can work equally in their favor or against them.

    I have worked for a lot of big companies and realized from day one of email that there is literally zero privacy. Once you hit the send button you have no idea who is going to read what you wrote. I have always refrained from putting anything in a company email (or in a personal email accessed via company networks) that could come back and bite me in the ass. No jokes, no comments about coworkers, the boss, or management in general, no comments about the futility of the project I'm assigned to, etc. Keep it strictly business. Likewise for telephone conversations where one or both ends are in the company phone network. Likewise for web browsing and searches.

    Anyone who thinks any form of communication at their place of employment is private is an idiot. Always assume every word said, written, or typed will be heard/read by someone who was not intended to be part of the communication, either now or in the future.

  7. Document Retention Rules. by mschiller · · Score: 5, Insightful

    Rules:
    1) Don't delete other people's stuff. IT workers / Lawyers I'm looking at you. You should never delete something without a specific verbal or written OK from the document owner. When you automatically delete my stuff I find ways around your scripts.. It does no good, because I WILL retain my records indefinitely. So just stop wasting my time and leave my stuff alone.... The only justifiable reason to delete my files is: the Server harddrive is full. But it costs less to buy a freaking hard drive, than to decide what documents can be deleted...
    2) Document Retention Policy: Min: Legally required length of time Max: FOREVER. See Rule #1. You should NEVER touch my inbox, Network Drive, or any other place I store documents with an automated script, deletion of files should only occur by hand by the document owner...
    3) Don't do unethical things. You don't have to worry about what's in the document if you did the right thing in the first place... You should fire any employee who is unethical and as a corporation take responsibility if those unethical things embarrass the company. This is what reviews (code, business, technical etc) are for, you're supposed to check that your employees are following good practices... Then that circumspect code, business practice etc, would've never seen the light of day in the first place. When a corporation fails that they shouldn't hide it, they should admit it and take their licking...

    My email contains important technical information that I may need for years after I composed that email. When you delete it for me. You waste valuable company time as I recreate the exact same information I already "knew" which may have never made it into a formal document.

    JUST STOP IT. There is nothing illegal about keeping business documents forever. There is something highly unethical (and possibly illegal!) about a practice that stems from the idea of destroying evidence. So stop it. The ethical, right, and more reasonable thing to do is enforce from the IT perspective the minimum retention policy. After that (i.e. when you delete), it should be based on business need: 1) I really will never need this again and 2) The storage costs don't justify the (low) possible future return. Since storage is CHEAP, #2 should pretty much never come into play...