Encryption is not the real issue...
If the information wasn't on the laptop in the first place, encryption is not needed. First they should find out how & why the information got there.
Defence minister Des Browne has admitted that the Ministry of Defence (MoD) has lost not one, but three laptops containing unencrypted information since 2005. Last week, it emerged that the MoD had lost a laptop containing the personal details of 600,000 people who had expressed an interest in joining the armed services. The …
This is just another reason why the idea of a central UK ID database is a bad idea. People put vast wads of data, unencrypted, onto their laptops because they can. Technology makes it easy, and it makes their work easier to have the data to hand. It doesn't matter what regulations the organisation has in place, and people aren't being malicious or even lazy, they do it because they can.
Now consider how data storage is progressing. It is not inconceivable that in 10 years time somebody at UK_ID central is going to download the entire ID database onto their mobile phone. Because it's convenient for them, and because they can.
Now, if this is almost inevitable and easy for someone who is simply wanting to make their work easier, what's going to stop someone who actually has more devious plans in mind for the data (and by that I don't just mean criminals)?
Ok, I think it's time for El Reg to update its "scales of measure".
We've got weights and spaces, and so on, but we need a new measure of "leakage" I think. Is a Burrell more porous than an MoD? Is a DWP more leaky than a clean install of a Vista?
We need answers Reg, and we need them now!
(Hilton icon because I need things making really simple!)
"Lost" is nicer as it implies it might soon be found with minimum damage or inconvenience. "Stolen" should be used as it implies it's gone forever at the hands of criminal ne'er-do-wells with associated prejudicial consequences. (e.g. I've lost my socks, someone has stolen my Ferrari). If the data is valuable the effort to crack any encryption will be commensurate - wooops!
I anticipate some squaddies may well be wanting to tax their brother/sister soldiers on their deficiency in the security measures taken in this matter.
If it weren't so sad it might be laughable. What is the UK equivalent of a Siberian posting? There is an applicable quote from Oscar Wilde but I can't remember it 'cos I've longterm misplaced my marbles.
Yes, he should have the book thrown at him. It's not as if the fiasco about the missing CDs didn't make the news. He can hardly say he didn't know.
BUT the person who runs the systems should also be shot. It should not be possible to download the stuff onto a laptop in the first place.
I suspect that sometimes these are like "the man that never was" (a corpse made to look like a drowned naval courier, with planted false invasion plans, in WWII) -- a way of leaking misinformation to certain parties. They'd have to be well-packed with other information, to stop it being too obvious.
Presumably, if there *were* an all-singing, all-dancing central database, you wouldn't be able to get it onto a laptop. There are far better arguments against than that.
I'm more worried about the new spirit of openness from Government agencies here. Rather than coughing under duress to losing something last year, they're now issuing press releases pointing out that they lost important data yesterday (i.e. *before* it's had its hard disk wiped and been flogged down the pub) and giving away enough detail to ensure that whoever's got it knows they have.
Whoever's nicked it must really appreciate this.
Losing it is stupid. Telling the thief that his latest acquisition is stuffed with highly valuable data while this piece of information is still of great interest is sheer f***ing lunacy.
By the look of the laptop it was probably supplied before it was mandatory for laptop HDs to be encrypted (assuming it's even an MOD supplied laptop).
The encryption used for restricted info and above is robust so it's a fair comment re the military grade encryption statement (look at the likes of becrypt).
Whatever way, the technical rules here were fine - depending on how the material was classified, it should never have been on the machine at all (thin client) or it should have been encrypted. This isn't a fault of us techies, but the management!
But what will actually happen...
Why tell him, so he can tell them they've been naughty and not allow them to use their Playstation for a week?
Until Richard Thomas and his department hand out some meaningful fines vital data will continue to be posted on CDs, stored on laptops given to morons and dumped on roundabouts.
but Kilgetty was ported only to MT4 (no personal experience, but I gather it was a bit of a clunky b****rd to use)
Our MinDef wasn't quite accurate when he stated that MoD use something better than that available to us mere mortals. Currently the full-disk encryption for laptops processing up to RESTRICTED (pertinent level of Protective Marking in this instance) approved by CESG is AES@128-bit.
AES@256-bit is approved for downgrading SECRET to be treated as if it were RESTRICTED.
For higher levels of Protective Marking and for purposes other than full disk encryption CESG approved algorithms tend not to be public domain. In the lack of any evidence to the contrary, I will not provide any opinion about acceptability of security-by-obscurity.
Sack the junior officer for leaving the laptop in the car. No excuses. He wouldn't leave his wallet on the passenger seat would he?
And sack the IT staff responsible for allocating laptops if they failed to notify the user about leaving equipment in a car. Definitely sack them if they're allowing confidential data to be taken and moved onto a laptop in this slipshod manner.
"Vote them out" - and watch them be replaced with another set of corporate whores, hell bent on recreating 1984 with astonishing accuracy? Not likely.
"Insurrection. Revolt." - It's not really something one does by oneself. Plus, the nation is so blasé right now regarding personal privacy vs. (in)Security thanks to Terr'rism in High Definition that it would get no momentum.
This government and the corporations it protects so diligently are the hand pushing down on the head of the water-treading UK population. They'll either paddle until their legs give in and fall listlessly into slumber, or they'll grab that hand and drag them down with them.
Jeebus, I sound like a conspiracy nut. Maybe they had a point all along...
"People put vast wads of data, unencrypted, onto their laptops because they can."
I think they put vast wads of data irrelevant to their immediate purpose on laptops because it's easier than extracting just the data they need.
I wish I could just give Home Insulation Grants every detail of 1.3 million people instead of trying to pick out the ones who are over 70 and haven't got social landlords and still live here and aren't in care homes or prison or dead or duplicate records...
The large and difficult to remember passwords (of which you tend to require at least three different ones to log in) tend to be stuck on to the laptop itself as nobody can remember them.
Go into any MOD office and look under the mousemats to see how secure the IT network is...
If all organisations used a 'morning after' tool they wouldn't need to worry about encryption. Once a laptop is reported lost or stolen it can be located through the mobile phone network and the data deleted before the machine has even completed the boot sequence.
The thief has a blank laptop but so what, the owner has a report that states categorically that all the data was deleted, where and when. It can even triangulate and locate the laptop so if the police were interested they could pinpoint it on a map.
This could change the world
Simple solution here for the Govt in general. All data relating to, or from, the citizenry needs to be classified data. Stick a "Confidential" classification on it and it won't get lost. Don't bother with "Restricted" - that's controlled slightly less than illicit photocopies of the Times crossword.
Yes, this will drive costs up, but not as much as widespread identity theft? The only downside is that the news hacks will have to look a little further for stories about Govt incompetence (but not **that** far eh?)
Although I'm outraged at the lack of security these organisations seem to have, the real issue is not how easy it is for criminals to get hold of personal information, but how easily they can use it to obtain money, goods and services!
Banks, as the main gateway to your money, need to have better procedures to prevent misuse of personal data for financial fraud. After all, much of your "personal" data is public domain anyway; it gets handed to individuals and organisations all the time: hire a car and book a flight and you will be asked for your passport number, driving licence number and credit card details. We hand these details over on a regular basis.
Most 'personal' data is really just a User ID; it's the rest of the security mechanism (the password, certificate etc.) that needs to be protected.
Jeremy Clarkson's recent "experiment" highlighted this very problem.
"The Royal Navy ... is considering what action to take against the junior officer."
Well clearly they should court-martial him and give him a slap on the wrist, followed by a promotion and a transfer to Naval intelligence as liaison officer to the foreign agency that wanted the data. If it works out well, later on they could make him First Sea Lord.
Years ago, there was a break-in at one of my former employer's sites. We were told the next day, "[n] laptops were stolen. But don't worry, they were all new laptops, waiting to be issued to employees."
Cutting out the bulk of the story, there were five managers whose laptops were stolen. Only one of the five managers had any significant unencrypted data on his system. (Unfortunately, one of the unencrypted data items was a passwords list, which included passwords for a few encrypted files on a second manager's laptop.) The manager was not specifically penalized for his lack of data security.