Slashdot Mirror


User: cheros

cheros's activity in the archive.

Stories: 0
Comments: 1,601

Comments · 1,601

  1. Mod parent up +10 sarcasm on How To Get Rid of the Cubicle? · Score: 1

    Class - that made me laugh :-)

  2. Re:Incorrect on UK Bank Laptop Stolen With 11M Customer Records · Score: 1

    Hmm,
     
      Such data as personal financial information, social security number and so on, does not have such sensitivity, that it shouldn't be transferred even by means of SSL. If you're using internet banking, you know it.
    There's a difference of scale here. If someone decrypts a recording of that session (not impossible but hard work) they will get ONE (1) account. I imagine phishing to be more successful. Grabbing the data off that laptop is much more useful as it can help with mass compromise, and the return on effort is thus MUCH higher.
     
      so they're probably using personal copies of the database. And the problem is not in using those copies, but in the wrong implementation of the concept, which allows stealing of all the company's customers' personal data.
    No, no, no. If you're the treasurer, do you walk around with all the bonds in your briefcase just in case you'd need them? There are so many ways in which confidential data can be contained and it starts with identifying the very need in the first place: is it really required to have real data? Maybe for someone working with customers, yes, but for software dev purposes live data should not even be used (depending on the data it can even be considered a breach of the UK Data Protection Act as 'testing' is generally not given as a reason to collect information). Secondly, if you DO need live data, do you (a) really need it outside the building and (b) do you need all of it or can you carry a subset that will allow you to work but not expose the lot. Thirdly, if you DO wander around with live customer data, how long do you need it for? You're not 100% outside, and if you do you need to protect that data.
     
      I think I don't even need to comment, that chances are low that a bank would use TrueCrypt, just because it's OS (open source) and free. And PGP doesn't work on 64-bit systems yet. And NTFS encryption is flawed. And taking into account that the whole work is going on on a notebook, any software encryption would make the work with so large a database ... unpleasant
     
    You're missing the point, or maybe I didn't make myself clear enough. The observation was that you require at least the basics of encryption, product names were merely examples. NTFS encryption is flawed, yes, but even that gives at least SOME protection from someone spinning up a boot CD and grabbing the data. Having said that, good corporate encryption could not be using Truecrypt unless they can back up the data in the clear as they would be at risk of breaking the Regulation of Investigatory Powers Act (RIPA) 2000. They will use a system that has a multiple-part master key so data can be recovered, but without the risk of a sole administrator doing that (hence the multiple parts). So, to summarise, this data should not have been in the clear, full stop. If the encryption overhead is too much that's a good incentive to keep the dataset small or stay in contained environments.
     
    Oh, and before I forget, that they didn't lose all the details is hardly reassuring, a bit of mosaic matching with other 'creatively discovered' information is all that is needed to complete the set.

  3. Strange answer on IBM Sues Amazon For Patent Infringement · Score: 1

    Judging by other comments from you, you seem to be capable of reasonably level-headed comments, so why this anomaly?

    Not quite having the right coffee-to-blood ratio yet?

  4. Try neurofeedback on Drugs Eradicate the Need For Sleep · Score: 2, Interesting

    The problem with Ritalin (i.e. speed) is that it's an 'always on' drug, and ADHD appears to involve either a lack of activity or overactivity of certain brain regions (both types of ADHD exist, which is why Ritalin doesn't always help). With neurofeedback you end up training those brain parts to perform as required (i.e. switch on and off as required) which is much more effective, and the results are permanent.

    The nice thing is that you'll know within one or two sessions if it works, no need to wait months before you know it works. I've seen plenty of kids being more or less 'rescued' from a life with Ritalin, that alone is worth a try..

  5. You obviously never learned to summarize :-) on What's the Problem With US High Schools? · Score: 1

    I'm partially kidding here, but your main points get lost because of the lack of structure.

    However, let me offer you an observation: it. does. not. really. matter. what. you. study. as long. as. you. get. a. degree.

    Employers look for 'advanced education' because it is generally assumed that you will have come through that because you have an at least partially functional brain. So, it seems to matter little WHAT you have studied as long as you've completed it.

    Although I do agree with apprenticeships, you must be aware that the model carries more risk as you're having the work done by less experienced people. Not all employers are willing to take that risk, also because the investment in time/effort can walk out of the door at any moment.. I call that flawed thinking, that's a character decision more than anything else - but that is a consideration..

  6. Yes, but that's the whole problem.. on Face-Recognition Software Fingers Suspects · Score: 1

    In your scenario, the matching tool is used correctly because it ASSISTS in the decision making process. But how often have you heard "it's on the computer so it must be right"?

    The whole problem starts with someone considering the computer to be authoritative instead of yet another fraud detection tool - usually followed by downskilling the frontline workers which makes the whole matter worse.

  7. Incorrect on UK Bank Laptop Stolen With 11M Customer Records · Score: 1

    As much as it pains me to defend MS, this has zero to do with the OS, and everything to do with process.

    (1) those files should have NEVER gotten out of the door. Full stop, no if, no but, no maybe. Should. Not. Have. Left. The. Building.

    (2) the oink that had them should have no need to work with real data. Real data should be processed in-house (see point 1) and/or transported with protection. Real data is NOT a development/test tool.

    Only after all of the above do you start thinking about the conditions under which this data may possibly travel and may be used for other purposes (which, incidentally, would be potentially another violation of the UK Data Protection Act 1998 as usage is defined at the point of collection - it cannot be changed later without explicit permission of the provider, i.e. you). Even with MS you can encrypt matters to a sensible degree (or install Truecrypt, but that seems to equate to 'hassle' until it goes wrong).

    There is no excuse for negligence.

  8. Yes, and stay neutral.. on Integrating Open Source In a Large Consulting Firm? · Score: 2, Interesting

    Be careful because you're heading into a conflict zone. FOSS does NOT have all the answers, and is not THE solution, ditto for anything proprietary. It is part of a solution set.

    A client solution is likely to use both proprietary and FOSS components to make it work for *them*. Zealotry on either side has to be dealt with because it benefits nobody..

  9. I guess the coverage will help.. on UK Bank Laptop Stolen With 11M Customer Records · Score: 1

    If the guy doesn't know by now he's not very world aware (story on BBC and probably in newspapers). I think his price just went up..

  10. You're wrong - AFAIK it's a criminal offence on UK Bank Laptop Stolen With 11M Customer Records · Score: 1

    Nationwide is a UK business and thus subject to the UK Data Protection Act 1998. In chapter 9.5 of the UK Data Protection Act 1998 it defines this specific data loss as unlawful, and AFAIK this is a criminal offence for which the Directors get hit unless they can prove some poor schlob didn't do his job properly.

    However, that doesn't quite get them off the hook if it can be demonstrated that the directors were negligent in enforcing the rules.

    So, it's not a la Microsoft, pay the fine and try again - a criminal offence creates a criminal record, and it is destined to land in a person's lap, not a 'corporation'.

    IANAL, though.

  11. Strange comment .. on Thai IT Minister Slams Open Source · Score: 2, Insightful

    .. coming from someone in a country where the average monthly salary wouldn't buy a legit copy of Windows without depriving the family of basic needs. I wonder if this is simply someone trying to get into bed with software vendors. And don't get me started on 'buggy'.

    AFAIK, Thailand's universities have quite a decent track record in Open Source, with various school projects targeting low-cost IT for schools (a bit like what happened later in Spain in the Extremadura region) and I think they have decent code for OpenOffice as well, with algorithms to support spell checking for a language where spaces between words appear more or less optional.

    In summary, I think some people shouldn't be allowed near the press for their own good..

  12. You could also get them to pay for some.. on Security From A To Z · Score: 1

    If you take the paid-for AdAware you can automate some of the stuff they now have to do manually. In my experience, any manual operation will be omitted within weeks of taking your hands off the system..

  13. Class - I like it on Warming a Tiny Piece of Mars For Terraforming · Score: 1

    That post should be modded sky high for the confusion it will cause. What's next, water in powder form?

    Priceless - you made my day..

  14. Here we go again - who will service the damn thing on Machine Gun Sentry Robot Unveiled · Score: 1

    Just imagine it runs Windows - best not give it too much ammo or you won't be able to get near it for service if it needs an update..

    "20 seconds to comply" is thus obviously no longer SF :-).

  15. Shows how old those damn satellites must be :-) on Google Earth In 4D · Score: 3, Insightful

    It's going to be interesting how the usual historical inaccuracies are dealt with, including moving river deltas and/or later removal of objects such as the British Echelon site, Menwith Hill :-)

  16. Re:Rediculous on Jailtime For Leeching Wireless? · Score: 1

    Well, this is fundamentally correct. You're using someone else's computing/technical resources without permission, hence you break the relevant laws. That's more or less an open and shut case.

    However, the next step is indeed the appropriateness of the punishment. If this ends up with more than a warning and maybe a small fine, what is a cracker going to get after causing deliberate damage? OK, you can probably go after him for the actual damage as well, but a fine should be adjusted to the nature of the crime - what's the point of ruining this kid's life with a criminal record?

    I have a feeling he'd rather rip the wireless circuitry out of his laptop than ever do this again - I come across enough people who aren't aware of this being a crime.

    I hope sanity prevails here. They may be harsh there, but they're most certainly not stupid. In fact, I've never come across a nation where people studied so hard (but then again, I haven't travelled that much so my sampling rate is a bit low ;-) - even the cleaners are working on their next PhD..

  17. Um, not quite.. on Worst Security Clean-Up You've Performed? · Score: 1

    With popunders you can generate quite a lot of fun content in the cache. Well worth remembering..

  18. If you only had a Windows key ;-) on Successful Alternatives To Password Authentication? · Score: 1

    It was my main gripe about Thinkpads, no Windows key. Normally all you need to do is Win+L and the screen locks in XP..

  19. Disagree - wrong use on Google Used To Diagnose Disease · Score: 1

    Your first error was assuming you would be able to correctly interpret the data you received.
    Data knowledge, that's what doctors study all those years for.

    Second error was not to talk to someone competent about your fears - worries grow if not confronted by reality. I could make jokes about tipping off customs the next time you fly on a plane (so you get it done for free on arrival), but cancer is a serious condition so I won't.

    It is a good idea to clue yourself about what you have, it's a bad idea to Google for diagnostics if you're not competent to (a) ensure you have ALL relevant data and (b) interpret the results.

    But I'm glad for you it wasn't cancer.

    BTW, as I've been withholding bad humor it needs another outlet, so here it is.

    Q: Why is a strong laxative the best anti-cough medicine?
    A: You wouldn't DARE cough..

    Aaaargh..

  20. It's actually useful for protection.. on Are IT Job Titles Getting Out of Control? · Score: 1

    It's interesting to see this mindset still prevail - I wholly agree with your lock down.

    Let me turn this round a bit: if you do not have access to a system it's going to be hard to prove that you were involved in a problem or criminal activity involving that facility/service/system.

    In other words, if someone screws up badly it'll be pretty easy for you to avoid "helping the police with their inquiries" because a decently managed setup would thus prove you to be not party to the events. Given the ever increasing creativity of the criminal fraternity there is an increased probability for brown stuff hitting uneven distribution methods (that's "shit hitting the fan" for the non-PC crowd :-). I would see this as a Good Thing rather than a Bad Thing.

    But hey, nobody can stop you finding another job..

    Oh, and for the original topic, I have two business cards. One without title, the other one with - it depends on the country/culture I'm in which one I use. As the company carries my name it's going to be a tad self-evident that it's mine anyway :-).

  21. Um, how .. on Are IT Job Titles Getting Out of Control? · Score: 1

    .. do you program a Rockstar?

    Just curious :-)

  22. Well, they're on the Web already :-) on Tarantula Venom and Chili Peppers Share Receptor · Score: 1

    It had to be said ...

  23. Plan your public response on How To Manage a Security Breach? · Score: 1

    (disclaimer - I've been doing this WAY too often :-)

    AFAIK you're facing a legal requirement for disclosure, but also a PR nightmare if you mishandle it. If your DR and BCP don't say anything about media handling you ought to give their author a bit of a heads up - the disclosure is going to be painful enough, mishandling how you tell the customers this (and the press) can cause serious harm to your customers.

    I won't address the legal issues - that's what lawyers are for. Tech stuff you will have covered by the time everyone has had their say as well, so let's pick a less obvious one: media and press.

    A couple of things:

    - don't lie. When (not if) you'll get caught out it'll destroy the last remnant of trust you're trying to salvage;

    - don't estimate anything unless you can back it up with numbers or a method by which you arrived at the estimate. The problem is not the estimate, it's what happens if you got it wrong (+ or -);

    - don't duck the truth. Something went wrong. This is IMHO the best route to keep trust: if you have found what happened and have addressed it that's good news. If you're still guessing that's not so good news;

    - think as your customer (I know it's 'duh' but you'd be surprised at how often this gets overlooked). If I had data out there I would like you to tell me (1) what the risk is (2) what YOU are doing about it for me and (3) what I can or even must do to protect myself further if so required.

    There's a whole set of things you need to do here (besides sorting out the root problem), and be aware that sorting out a crisis is an entirely different skill than running day-to-day ops, but I'm biased as I do this work myself ;-).

    Good luck, and don't forget to evaluate 3 months on how you did. The lessons you'll learn will then save you a lot of pain the next time...

  24. Re:Well done for the final destruction of revenue on Vista to Allow "One Significant" Hardware Upgrade · Score: 1

    - Alternatives are not virus-free because they're more secure, they're virus-free because they're not worthwhile targets. If they become worthwhile targets, people will find holes in them just as fast as they do windows.

    Invalid argument, for 2 key reasons (it's an old debate):
     
    1. Only now does Windows start to take the defensive posture that is the default in Linux: the day-to-day user does not have admin rights by default, only by deliberate rights escalation.
    2. Linux's roots are in Unix, which was from the ground up a multi-user system. Windows did not come from that background and in reality, multi-user really only meant management of access rights, not execution of segregated processes. It took until Windows XP before you had the ability to have multiple users concurrently logged in - only recently has the idea arrived that walking AND chewing gum at the same time was possible.
     
    In summary, that's the purest FUD out there that is rolled out ad infinitum, together with 'managed' virus presence statistics. I see the effort required to keep Windows malware free on an almost daily basis, and it sucks. As an aside, it's also worth noting that most of the smaller firewalls in routers and designated devices such as the Firebox are based on Linux. No new code, established, tried and tested, mature code.
     
    - for web browsing and email and menial word processing, sure, but how often are you gonna upgrade systems that only do that? Who this really hurts is gamers, and where's the alternative?
     
    There I can only agree. Linux totally sucks on the games front. I must admit that I have a slight tendency to ignore that because I mainly work with business systems (and most people I know use dedicated games consoles). So, I guess if you're into gaming you'll have to continue suffering the efforts required to keep a Windows box safe. And bear being falsely accused of license violations - I'm sure that after a number of 'accidental' court cases that will settle too. Or you will, as you need a fat wallet in the US to remain innocent (slight aside, but worth noting from a risk management perspective).

  25. Get "Beyond Fear" by Bruce Schneier. on A Security Guide For Non-Technical Users? · Score: 1

    Get the book, read it yourself first. And if you deal with a lot of people in need of education, keep 2 copies in your personal library.

    Having said that, my target audience differs (senior Board members and CEOs) because most of my family and friends have suffered enough from virus infections to stay with Linux (they have games consoles so that argument disappeared quite early on :-).

    I teach IT and business security to CEOs and Board members as part of my work and the issues are 100% identical because they're usually told a lot of BS by vendors and consultants pushing their wares, and by their own staff because of politics.

    I don't just wish you luck - I wish you lots of patience..

    You'll need it :-).