British MoD Stunned By Massive Data Loss 166
Master of Transhuman writes "Seems like nobody can keep their data under wraps these days. On the heels of the World Bank piece about massive penetrations of their servers, the British Ministry of Defense has lost a hard drive with the personal details of 100,000 serving personnel in the British armed forces, and perhaps another 600,000 applicants. This comes on the heels of the MoD losing 658 of its laptops over the past four years and 26 flash drives holding confidential information. Apparently the MoD outsources this stuff to EDS, which is under fire for not being able to confirm that the data was or was not encrypted."
Hardly 3 hours (Score:2, Insightful)
Hardly 3 hours since the last post on /. about
UK Govt wanting to spy.
Re:Hardly 3 hours (Score:5, Insightful)
They want to spy more so they can gather more information to lose.
Seriously, lately it seems not a week goes by without some ridiculous data leak in the UK. Whether it be thumbdrives that automatically log into private networks, laptops being stolen, documents being left on a train, confidential information being lost in the post etc...
They won't need the Data Protection Act much longer in the UK because there'll be no data left to protect as it'll all have been leaked.
Re:Hardly 3 hours (Score:5, Funny)
or they're just moving to a more distributed data system, they want to spy on you so they can see the data you now hold. Its like a bittorrent data-storage solution, all these 'lost' laptops and pendrives is a secret mechanism of distributing the data in the most widely and random way - thus adding to the security of the overall system, as no-one else knows where its ended up.
See, its simple really :-)
Re: (Score:2)
Probably because part of their job is to find leaking data from other parts of the world. It also helps that they are about the only part of the British Government who understand how to use encryption properly.
Wonder if GCHQ has anything to do with EDS, most likely if they do they keep a proper eye on them.
Re: (Score:2)
Although GCHQ does have this sort of thing (http://wikileaks.org/wiki/Katharine_Gun). They were basically revealed, by one of their own staff, to be involved in bugging the offices of six 'swing nations' of the UN, involved in the vote for the Iraq war.
Organizations with that kind of history and power can have publicity about their data losses quashed as 'national security', especially in a country as swayed by paperwork as England. Note that this does not necessarily apply to Ireland or Scotland, which hav
Re: (Score:2)
Ever hear of a sense of humour? You may want to look into getting one. They're fun!
Re:Hardly 3 hours (Score:4, Insightful)
"I'm just looking forward to when the data gets lost."
From the summary of that post. 3 hours ago.
...Holy Crap.
We know they're abusing their power. We know that they're incompetent!
And it never changes! It just happens again and again and again!
I don't know whether to laugh or cry or scream or kill or just give up anymore. I just don't know.
Re: (Score:3, Insightful)
We know they're abusing their power. We know that they're incompetent!
And it never changes! It just happens again and again and again!
Isn't that the definition of a government?
Government Incompetence? (Score:5, Informative)
Not really. Where I work [irs.gov], any laptop connected to the network is checked at every connection for the presence of active full disk encryption software. If it isn't found (which can happen when computers are being built and the encryption installation hasn't been completed) then an immediate alert is sent to the support staff nearest the machine. In response to that alert, the machine must be encrypted or seized immediately. We're talking same-day action, here, with the consequence of inaction being that someone gets fired.
The result is that when we lose (usually through theft but the method is unimportant in this context) a laptop, we can immediately report that said laptop was fully encrypted and no data was lost or is at risk.
If we need to let a contractor on our network, we set up one of our laptops to meet all security requirements and lend that hardware to the contractor. No contractor is allowed to put their machine on our network.
Finally, when data is written to removable media, it's encrypted. We run a software package (Guardian Edge) that forces all writes to removable media to be encrypted. It's a pain sometimes, but it's the least we can do to keep the publics private data safe.
Frankly, I'm shocked that the MOD would accept less stringent practices on the part of contractors. I know we don't.
Re: (Score:2, Funny)
Great job, way to piss on our parade of mocking government incompetence. I hope you're happy with yourself.
(Please don't audit me!)
Re: (Score:2)
My dad works for a company contracted to do some system for skynet (yes they seriously called their new satellite network skynet WTF) and all his files are stored remotely via a VPN* w/ keycard, even though his local hard drive is encrypted and all hes doing is writing the training manual for the system.
I seriously doubt the MOD would accept less stringent practices on the contractors, wether the contractors fucked up or not is another question.
which is good as his laptop can only connect to WEP wireless be
Re: (Score:2, Informative)
Re:Government Incompetence? (Score:5, Insightful)
there's no inherent reason for the government to be incompetent. but it's always those who want to cut down on public infrastructure and social welfare programs that are incompetent themselves. of course when you elect such people into government they make a complete mess of things and use their own incompetence as an excuse to hand these roles over to the private sector.
i mean, how can you put people who don't believe in public infrastructure in charge of public infrastructure? it's a self-fulfilling prophecy.
MOD PARENT UP (Score:4, Insightful)
This:
is one of the best questions I've ever seen posted on Slashdot. With an election looming, it's a question that every voter should ask themselves. Whoever modded it flamebait is a dufus.
Re: (Score:2)
Thanks for killing my joke, but since you answered seriously - what kind of tricky stuff are you doing to detect full-disk encryption on any machine that touches the network? And more importantly (assuming that this requires a boot-time password; I've never bothered with any serious encryption), do you have something that detects the sticky note on the bottom of the laptop with said password?
I guess I can sleep a little better knowing that the IRS is working hard to ensure that they only screw me over once
Re:Government Incompetence? (Score:5, Interesting)
I don't know. I'm on the receiving end of those alerts, so I know they happen. Exactly how, I'm not sure. Our logon scripts do all sorts of stuff, including automatically installing updates to vertical apps, so checking for full disk encryption wouldn't seem to be too hard a task. I know there are certain files on the machines that do not exist until encryption has been installed and fully enabled. I assume that looking for them would be trivial. But that's just a guess.
To show you how tight our scans are, we had a contractor who plugged a personally-owned USB key into his IRS-issued laptop. It contained some basic maintenance tools as well as some network monitoring tools. He wanted some simple utility, I forget which one, and instead of asking for it through channels he just plugged in his copy. Literally *5* minutes after he plugged in the key, his machine was deleted from the domain and his personal identifier was wiped from all systems, just like we do when someone is fired. 5 minutes after that, his boss got a call from our security office explaining that the employee was being reviewed for termination. The boss explained that he was a good guy, new to the organization, just made a mistake, and asked for some slack. Ultimately, the guy got a two-week suspension and then had to re-build everything (system access permissions, etc.) as if he were newly hired.
I really don't question the notion that our monitoring does a good job of catching any funny business.
This is one of the areas where we take a notably sensible approach. Our security rules that each person must sign and obey do NOT prohibit writing down passwords. It's officially discouraged but not prohibited. We take the attitude that as long as that list is protected, like people protect their ID card, door key card, and credit card, there's no problem.
Nobody puts a sticker on the bottom of their laptop or keyboard. We have constant security inspections, usually after hours, and doing crap like that gets you disciplined severely.
I wont go into excess detail (which, by itself, would be a violation of our security rules) but suffice it to say that if you wanted to steal and get data off an IRS laptop, you'd have to mug the user, get their password list, know their internal ID (which no one writes down because we use it constantly) then mug a different person with local machine administrator credentials, get logons and passwords from that person, then know exactly where to type all of them in without making more than three mistakes to lock up the machine.
The only people who could successfully get information off our laptops would be our admins. But we can get to that stuff internally, already, so that's not a realistic threat.
Realistically, the only thing a thief can do with a stolen IRS laptop is wipe it, install an OS, and use it.
Re: (Score:2, Insightful)
I wont go into excess detail (which, by itself, would be a violation of our security rules) but suffice it to say that if you wanted to steal and get data off an IRS laptop, you'd have to mug the user, get their password list, know their internal ID (which no one writes down because we use it constantly) then mug a different person with local machine administrator credentials, get logons and passwords from that person, then know exactly where to type all of them in without making more than three mistakes to lock up the machine.
What if I find a disenfranchised employee, and offer money?
Re: (Score:2)
That has happened. But if the employee uses their own credentials to get the data, the leak will be traced to them. If you compromise an admin, you'll get caught even quicker because we're so closely monitored.
But, I'll grant you, it can happen. I've known of three cases that happened geographically close to me over the last 25 years. In two cases, the employees were marched out in handcuffs. In the third, the employee was arrested at home.
Re: (Score:2)
Re: (Score:3, Informative)
We'd have to quell a revolt. Some of our people have repeated needs to move multi-gig data files from place to place. USB sticks have been a godsend. Given that some of our offices have such poor connectivity to the rest of the world, large file transfers used to require overnight or longer planning. Just moving a file from cube to manager's office for review could take hours. Now that they can sneakernet or mail a USB stick to move a
Re: (Score:2)
If you disable USB entirely, you disable touchpads, mice, and external CD drives necessary for laptops without DVD drives built in. Disabling the 'write' capability for those is awkward. And you'd better believe that I can attach a local networked memory device, such as a dumb web server, without detection unless the IT staff have invested one hell of a lot of effort in tracking and detection equipment.
Such detection is possible, but awfully expensive to set up. Very few facilities bother.
Re: (Score:3, Funny)
Seriously, the IRS, or HMRC here in the UK, would track down Osama bin laden if owed them a penny. Unfortunately, it seems he must file his tax returns on time...
Re: (Score:2)
That's funny stuff. I laughed, until I remembered that I used to be a field officer. During that time, part of my job was finding people who didn't want to be found. One time, nearly 20 years ago, I found a guy hiding in China. He owed very little money (less than $USD50K, given the size cases I had back then) but I just got a wild hair about finding him, worked all the angles, and eventually turned him up. Hint - If you can find someone's mother, you can find them.
BTW - What's HMRC? I thought the ta
Re: (Score:2)
Re: (Score:2)
I didn't say the organization was run well. That's completely debatable. But our laptops are secure against data loss in the event they're stolen.
As for how well the organization is run? I could write a book...
Who Watches the Watchers? (Score:2)
UK Government Says More Spying Needed [slashdot.org] Sat Oct 11, '08 01:32 AM
from the need-to-make-up-for-the-losses dept
No, no, no (Score:5, Informative)
No. EDS lost a hard-drive, belonging to the MoD. Had to get that in before the "Government is intrinsically incompetent" posse got here. EDS, a privately owned and run subsidiary of Hewlett-Packard, subcontracting to the MoD, were responsible for the security of this drive, and they, not anyone at the MoD did the losing here.
Re:No, no, no (Score:4, Insightful)
What exactly is the MoD doing sending out sensitive data to foreign private contractors? In fact, why are they giving anyone data at all?
Fuck Labour.
Re:No, no, no (Score:4, Informative)
What? Do you really believe a politician made the decision on whom to outsource data management too?
Are you familiar with the concept of a civil service at all? Do you know who runs the day-to-day operations for the MoD?
Clue: Decisions like "Which subcontractor should we hire" are not made by the Secretary of State for Defence.
Re:No, no, no (Score:5, Insightful)
But the overuse of external subcontractors is a political decision. Fuck New Labour and fuck the Tories who started it all.
MOD PARENT UP (Score:2)
That first sentence may be the most insightful thing I've read in a week.
Re: (Score:2)
"Secretary of State for Defence" doesn't really make sense anyway
Re: (Score:2)
Re:No, no, no (Score:5, Insightful)
Why are you so apologetic on behalf of the British government? The drive was the responsibility of MoD. This includes the choice of people and/or organisations who do the handling. Likewise, even if the EDS was not the minister's choice, he should have been sacked because he hasn't made the decisions of this magnitude his choice.
Re: (Score:2)
So you're telling me that the civil service made the decision to outsource sensitive data all by themselves? Even if they did, then either Labour knew about it and did nothing, meaning they were culpable, or didn't know about it, in which case they're incompetent.
Sorry but whichever way you look at it, your party and government are horrendously terrible.
Re:No, no, no (Score:4, Informative)
Fuck Labour.
Yeah, because they are the ones who are more likely to out source work to a private company, right? Last time I checked, parties like Labour generally prefer that the government did it themselves, even if it costs more, and it's the opposition who are the ones who like to out source and privatise things.
Re:No, no, no (Score:4, Informative)
Re: (Score:2)
mod parent up, labour are one step away from outsourcing governance to an Indian telephone exchange tbh.
Re: (Score:2)
Fuck Labour.
I have NEVER>/b> in my day seen a security breach that didn't rest on managements shoulders. Lax policies, no thought into process or control, apathy towards security, starve the security budget because you can't watch porn undetected, side with lazy cannot change types, but it all comes down to incompetence of management every time. Now you can't put that in a report to management, but it is the truth.
Reports to management need a fall guy, usually the person on the front line that does not have the
Re: (Score:2)
It doesnt really matter EDS have probably already lost the data so the UK are the only country without a copy
Re:No, no, no (Score:5, Informative)
In law under the Data Protection Act the MoD, not EDS, are the Data Controller and therefore responsible for losing it.
Re: (Score:2)
Oh, yes those encrypted disks that were lost. By whom were they lost? TNT, a privately owned courier company.
fixed
Re: (Score:2)
I think in America, when the whitehouse changes its there its all change, judges, military contractors and constitutional experts, to whoever suits the presidents friends best. And that not just Bush (although the huge cost+ contracts to the VPs company stink) but a bipartisan effort.
EDS S.O.P.? (Score:2)
I beginning to wonder if this is deliberate on EDS's part. In the U.S. Navy NMCI contract, they have lost drives and created vast security stand-down efforts while trying to create one big happy Navy network, which, btw, has resulted in a net increase in Networks and domains rather than the intended reduction.
I'm starting to believe this is part of something else.
Re: (Score:3, Interesting)
Maybe instead of paying 12 billion quid to spy on the British public it should instead be used to spy on EDS...
EDS, a privately owned and run subsidiary of Hewlett-Packard, subcontracting to the MoD, were responsible for the security of this drive, and they, not anyone at the MoD did the losing here.
WTF was the MoD doing letting this data near any foreign company? At the
Re: (Score:2)
It was outsourced to one of two British companies, Systems Designers or SciCon (who bought SD).
Then along came EDS and bought SciCon.
Re: (Score:3, Informative)
Are you reading impaired, or just an idiot?
No member of -- or person directly employed by -- the UK Government lost this data. EDS, a long-established, privately owned subsidiary of Hewlett Packard, lost this data.
Re:No, no, no (Score:4, Insightful)
How does the fact that this company loses the gov'ts data not imply that the gov't loses data? Please tell me if this logic is flawed...
And does it actually matter who loses the data? I mean, I don't live there, I can't be arsed, it's not my private information but the whole point of my post was that the UK gov't loses data. Who exactly magically makes the disks or flashdrives disappear is besides the point.
Re: (Score:2)
If you burn the office of the premier minister, it's not as if the premier minister has committed arson. If a privately owned company loses data, it's the company which loses the data, independent of the rightfull owner of it.
Re: (Score:2)
Re: (Score:2)
Still it's the cleaning staff who gets convicted for arson. And with an underage kid you are responsible for everything he does because he is underage. If they were someone else's kids driving your car, their parents have to pay you for the wreckage (even if you are responsible for the damage done by your car).
Yes, the government is responsible for due diligence, it is responsible to get its helper (may they be external companies or the own staff) to conform to data protection regulation. It is even respons
Re: (Score:3, Insightful)
And before you go blaming those dam' foreigners, EDS is in this business in the UK because they bought the large UK contractor Scicon back in the 1990's. So regardless of the ownership, the people responsible for the operational f-ups that caused loss of the drive are probably home-grown.
Re: (Score:2)
I'll try to make this simple, and I'll even use a car analogy.
You loan your car to a friend.
Your friend loses the keys.
Does this mean you are guilty of losing the keys? Absolutely not.
You may be guilty of loaning your car to an idiot, but you did not lose the keys.
Now, I understand you want to emphasize the incompetence of the British Ministry of Defense. However, it has already been established that *they* lost nothing. Get over it. Get off it.
Re: (Score:2, Insightful)
So the problem is actually that the MoD is stupid enough to entrust their data with a private company that's too incompetent to avoid losing data? That's just as bad, I'm not sure what you're defending here.
Re: (Score:2, Insightful)
Re:No, no, no (Score:4, Interesting)
EDS has been responsible for quite a number of screwed up Government IT projects in the UK. Somebody at the MoD was responsible for giving the data to that incompetent shower.
Re: (Score:2)
the contract has propably been around since before we knew EDS was incompetent, the gov contractors have a habit of signing long contracts with "and we still get all the money if you cancel early" clauses.
Re: (Score:2)
These are enforcable exactly how? A contract with anyone which said "we get all the money even if we break the contract" would not be enforcable against anyone. There is no way in which EDS could sue the MoD, if they even tried two words would stop them. Those words being "Crown Immunity". Governments i
Re: (Score:2)
Re: (Score:2)
Are you reading impaired, or just an idiot?
No member of -- or person directly employed by -- the UK Government lost this data. EDS, a long-established, privately owned subsidiary of Hewlett Packard, lost this data.
If were the case, how on earth do you imagine the government would have any public accountability for anything?
It's completely beyond dispute that the buck stops with government on this. This fact that EDS is private, long-established, lives on Mars or is owned by Chuck Norris is *absolutely* irrelevant. British contract law, ethics and common sense all say that by contracting EDS, the GOVERNMENT is responsible to the PEOPLE for what EDS do.
I'm genuinely shocked that you would think otherwise!
Re: (Score:3, Insightful)
If anything this is worst than someone employed by the British Government losing the data. Security was breached when they let a foreign owned company have access to it. That that company lost the media is just the icing on the cake.
This is like the driving theory test data, lost from somewhere it should never have been in the first plac
Re: (Score:2)
Incompetent is one possibility... so is espionage. Perhaps it's a Bond PR stunt.
Mod Parent +1 Correct (Score:3, Insightful)
The MOD must demand from it's subcontractors a certain level of service, and be responsible for it. "Well it wasn't our fault, it was that guy" doesn't cut it when it comes to state secrets.
Get better subcontractors next time or DIY, retards.
Re: (Score:2, Informative)
Re:No, no, no (Score:4, Interesting)
What utter fucktards.
(incidentally, posting this showed up an oddity of the URL parser - if the URL wraps so there's a space between 'href="' and 'http" then it breaks, big time.)
Re: (Score:2)
We have plenty of good techs,... Maybe the 26,400 jobs that HP cuts over the next 3 years will take care of some of that.
fixed
Encrypted or not? HAH! (Score:2)
As if that question makes an appreciable difference. Encrypted or not, data loss is data loss. It's bad security practice. Having the data encrypted will do just a tiny bit to save face, but it will hardly stop anyone who wants in.
Re: (Score:2)
Really? Let me know when you've finished breaking TrueCrypt then, or PGP, or BitLocker, or FileVault. I'll be the one waiting over here. For a very, very long time...
Cheers,
Ian
Re:Encrypted or not? HAH! (Score:4, Insightful)
His point was that if someone wants the data, eg they actively stole the hard drive, then they are likely to steal or obtain the mechanism to decrypt the data too.
Re: (Score:2)
they are going to break maths? cool
Re: (Score:2)
This is the truth, anyone arguing can talk about semantics but it's just a matter of time before the data can be decrypted. Encryption is great for network security, when someone has limited access to connections, systems and physical access. When someone has access to the hardware it's only a matter of longer wait times, depending on the skill and equipment that the cracker has.
In this sense, it is perfectly logical for individuals who need portable access to the data to be personally and professionally
Re: (Score:2)
Also assuming that the device was simply lost, rather than stolen by someone with the ability to also find out the key.
It also matters if the encryption is symetric or asymetric key. With symetric key encryption you have the whole problem of key management (and ensuring that the cyphertext and key are not together). A CD/DVD with the key used to decrypt it written on it (as could
Combine this with the immediately preceding story (Score:3, Insightful)
Comment removed (Score:4, Funny)
I can! (Score:5, Funny)
this is the reason why... (Score:4, Funny)
this is the reason why the brits have to spy more....'cuz it's about quantity.....if u have more data coming in.....than that is going out (aka losing)...then u'r golden.
(I don't think it's a coincidence that this was posted after the bit about the brits needing to spy more)
News from MOD (Score:5, Informative)
Are they really being lost? (Score:5, Interesting)
The only time I have ever lost a device is when I was mugged and my phones were taken from me and I'm just any other person.
It should be interesting to see what the ratio of laptops lost to all laptops provided is. Maybe this cynicism is because I live in India where corruption is rampant and entire flyovers can be 'lost', but I'm a bit suspicious about this whole thing.
Also, if they're losing laptops with information at such a high rate, at what rate are they losing paper files? Surely it's harder to keep track of the 20 binders with 100 sheets in them than it is to keep track of one hard drive?
I find it hard to believe that these people are really that incompetent. Hanlon's Razor doesn't always apply.
Re:Are they really being lost? (Score:4, Informative)
Business travellers in the US and Europe lose a staggering 15,648 laptops per week, according to a new study by Dell. [itpro.co.uk]
So one shouldn't be surprised that laptops go missing, if the study is anything like accurate.
Re:Are they really being lost? (Score:4, Interesting)
It was standard practice for our head of accounting to take our backup tapes home for a few years. This year I saw some of our tapes just lying out in plain view on the passenger seat of his car, so I politely showed him a couple of stories about data loss when tapes were stolen from cars, and have been taking the tapes home myself now..
Re: (Score:2)
Re: (Score:2)
How is it a questionable practice? Fires may not be very likely, and the servers are on the first floor (second in American terms) so we're not likely to have problems in a flood, but it's always better safe than sorry.
What would you do personally if you had ~250GB of data from various servers that needed to be regularly backed up? Would you still backup to tape but then just store them in a fireproof safe onsite? That should protect the tapes from most disasters, but you just never know, do you? We regular
Re: (Score:3, Funny)
How is it a questionable practice? Fires may not be very likely, and the servers are on the first floor (second in American terms) so we're not likely to have problems in a flood, but it's always better safe than sorry.
What would you do personally if you had ~250GB of data from various servers that needed to be regularly backed up? Would you still backup to tape but then just store them in a fireproof safe onsite? That should protect the tapes from most disasters, but you just never know, do you? We regularly have large cranes in the yard - if one of them were to topple or swing a heavy 20 foot container through the server room wall or something crazy like that, it could do some serious damage.
I think what the GP was saying was, I wouldn't want the liability associated with taking the tapes home myself. I mean, what if somebody did break into my car, or whatever? What if I got in an accident on my way home, and the tapes were destroyed? If there's any problem, I don't want to take them blame.
That's why I would pay somebody else to take care of it for me. Fortunately, it turns out that there's a company called EDS that offers just such a service! They do this kind of thing for plenty of other
Yet another example... (Score:5, Interesting)
...of why we shouldn't be outsourcing critical/sensitive data handling. Yes, Government departments can cock-up enough without external help, but so many of these data loss issues at the moment seem to be the fault of a private company they've outsourced to.
Also, I worry about the outsourcing of anything relating to our Country's security. When you give the job to the lowest bidder, what can you expect but a barely adequate service?
Re: (Score:2)
Especially if you then add to the problem by outsourcing it to foreigners.
Also, I worry about the outsourcing of anything relating to our Country's security.
It appears that these people don't understand "national security". IMHO this includes restricting certain things to people who are citizens of only the relevent country. Excluding duel citizens or people who could claim citizenship of another country (this includes the situatio
Privacy shmivacy (Score:2)
hehehe... (Score:2)
Rather unfortunate to place this directly above the article on the front page saying that the British Government needs more spies... :)
Knowledge begets knowledge..... (Score:2)
And specific knowledge begets its own.
Isn't it obvious?
Not to worry! (Score:2)
Those responsible will be reassigned to the domestic surveillance project!
Why is it that (Score:2)
All of the recent data catastrophes seem to be happening in Britain?
And in the face of this, the UK government is upping the surveillance, too. "Don't worry, nobody except us is ever going to see your private data. You can trust us."
I think /. needs to change its FAQ (Score:2, Insightful)
"Slashdot is U.S.-centric. We readily admit this, and really don't see it as a problem. Slashdot is run by Americans, after all, and the vast majority of our readership is in the U.S. We're certainly not opposed to doing more international stories, but only if we're slagging off other countries. Positive stories about anywhere other than the US are frowned upon."
Leaking is British (tm) (Score:2)
With the automotive industry all but gone from the UK this national obsession with making things leak has been taken to a new industry.
They know what they're doing.
Contains everything you need for perfect ID theft (Score:4, Informative)
From TFA:
"The portable drive contains the names, addresses, passport numbers, dates of birth and driving licence details of around 100,000 serving personnel across the Army, Royal Navy and RAF, plus their next-of-kin details. "
Wow. Just... wow.
The person who finds this and wants to exploit it would become unimaginably rich on stolen identities for pretty much the rest of their lives. I suppose if the MoD have a record of exactly who's details were on the disk, they could re-issue things like national insurance numbers and driving licences to prevent that, but even then the possibilities for other avenues of exploitation using this information would be huge (next of kin, for pity's sake!!).
Data like this needs to be treated as if it were nuclear waste or a volatile explosive mixture. It would be just about OK to have a list of 100,000 driving licence numbers if these were kept physically separate from, say, names and addresses (eg keying them on a one-time ID), but when certain classes of data are kept TOGETHER like this, it should be every right-thinking person's reaction to scream the house down in panic.
We have to assume that at some point, all data will leak out somewhere. All we can do is to to ensure than when it does, it's not actionable. Oh, and by the way - you can forget encryption. People don't understand it and in most cases those who steal data will steal or otherwise obtain the keys as well.
Re: (Score:2)
Data like this needs to be treated as if it were nuclear waste or a volatile explosive mixture. It would be just about OK to have a list of 100,000 driving licence numbers if these were kept physically separate from, say, names and addresses (eg keying them on a one-time ID), but when certain
Re: (Score:2)
yeah ... and since they bought the cheapest version of this hiden safty feature there will be only a tiny 'pling' after the counting finished (and not a big smoky explosion) ... and then the drive will continue to work as before...
Re: (Score:2)
...Oh, it was a older Maxtor was it?
Re: (Score:2)
Technically there are easy ways to do that (at least for individuals since the data protection act shouldn't let you see if data is being held on other people), but you'd have to be pretty gullible to believe that any company was using such a system properly. You also have to take into account backups being made of data, or possible malware on their systems [slashdot.org] that is taking a copy of data before they erase it themselves, and so on.
Re: (Score:2)
I know!!! I know!!! What is DRM?
I'm wrong of course... DRM is a technical solution to a social problem, which never works.
#1. You could build something into the device holding the data that ensures that it self destructs after a certain time
#2. You could program something into the device that ensured that all copies taken were known.
#3. You could use cryptography to ensure that all devices that connected to it via #2 were certified to comply with whatever specification ensured the deletion of the data
but, #
Re: (Score:2)
Re: (Score:3, Funny)