another example of
war-on-terror gravy train.
Update The missing laptop has now been found – in the office from which it was apparently stolen. A spokesperson for Verified Identity Pass which operates the program said late yesterday the laptop was “not in an obvious location” according to local news station CBS 5. She added that the firm was investigating whether the …
Obviously not, clearly their muppet CEO Steven Brill should realise that very strong encryption is essential to control such sensitive data.
Get your bloody head out of the sand you half wit - pathetic excuses or lame explanations are no longer acceptable.
I always thought giving up your personal data for a fast track through airport security wasn't worth it...
(Sorry to be insensitive to those affected).
Also - if the laptop disappeared from a locked room, they surely can put a limit on the number of potential suspects? Interesting that that point wasn't addressed...
We're from the government and we're here to help you.
We'll take from you your most sensitive information. We will make it available to criminals. We will charge you $100/annum for this service.
You cannot touch us. We are the government and you are our servants. Complaints are handled in room 101 of the Ministry of Love.
The terrorists have won.
We turn up at the air port and are treated like criminals for no good reason (apart from the paranoid ideas of some idiots somewhere). But those people who are treating us like criminals are letting REAL criminals apparently wander round secure areas of airports and walk off with laptops...
I think I must be dreaming.
who the hell carries this sort of sensitive data around on a laptop to begin with, and for what purpose?
this stuff should be locked up in a central database, and NEVER allowed out of a secure network.
every day there is another instance of some retard carrying around data that should never have even been on a fricken laptop to begin with.
i'd really really like to know what data mining or other processing of names, addresses, SSNs, etc. is happening on a stupid laptop, where the data needs to be local. a fucking spreadsheet no doubt.
whoever 'lost' this data should be fired and sued. the TSA of all places loses this. i'm american, but christ my fellow countrymen are all complete retards...
Big p/blunder indeed. Very scary, too. Moreover, it sounds to me that this laptop was deliberately targeted for its information. If expedited airport security could also mean a lighter one, this kind of information could be very valuable to terrorists, I am afraid.
Why bother with identity theft? Let's see... Presumably there are a few whole families enrolled, with young children, right? Names and birth dates give you that... What else was inside the stolen data? Oh yeah, addresses! Hmm... What could a bunch of ruthless fanatics on a crusade against America and Americans do with that information, I wonder? Yeah, those terrorists who have no qualms about destroying buildings with thousands of people inside, or beheading, uh, hostages on video. What would not a father or mother do to save the lives of their children and/or spouses? For instance... use their expedited security clearance to get a bomb into an airplane, perhaps?
Now, there are 33,000 people on that list, all over America, I imagine. How many potential victims could there be? Would they settle with just one? Why not several? Of course, they'd like for each victim to deliver their payload, so to optimize their chances, what would a sensible person do? Exactly, do them all at the best time. And what's the best time? A sudden first blow... at the same time. Or maybe they want to be more discreet and be them who get the virgins in heaven after a blaze of horror, and use that as a diversion to slip something.
This might sound like the plot for a 24 season and perhaps I ought to become a screenwriter instead, but it all is plausible. I would keep a close eye on those people, if I were the authorities...
Now I hope I am not giving the terrorists any new ideas and become an unwilling and unwitting terrorist mastermind, while in actuality what I want is for people to realize what a serious blunder this was and that an scenario like this should be contemplated. I don't think the terrorist leaders are so stupid not to be able to come up with a plan like this. Maybe this is actually a very naive plan and the CIA has got their asses covered already.
Be afraid, very afraid.
SFO is one of a very few airports in the US at which the TSA function is handled by a private contractor. From the story, it appears that the laptop was the property, and therefore the responsibility of another contractor. I don't know, and it isn't clear from the story whether the contractor that owned the laptop was hired by the TSA directly or whether they had been hired by the TSA contractor at SFO. Since the quick pass programme for travelers extends beyond just SFO, it's easier to imagine that contractor linked directly to the TSA rather than the other contractor.
Apparently, then, not only can't the TSA manage it's own, it can't manage those they hire to help them out. Of course such muddled relationships do provide the TSA with some semblance of plausible deniability when things like this happen.
Why is the person who put that unencrypted data on the computer not in jail? Why is their manager not in jail? Why is the CEO of that company not in jail for allowing the company to have policies where this sort of thing is done?
Oh, right, because they have the right Washington connections, and privacy, along with anything else, is easily bought and sold in the USA. It'll get swept under the rug and quickly forgotten, with nobody getting even a minor slap on the wrist so that when the next one does it they can claim "there's no precedent".
Idiots.
OK, how hard is it to use offline files and the built-in encryption on Windows XP? If you absolutely have to take your work with you, and work offline from a company network, this is a good choice.
Granted I had to do some fiddling to make sure the Group Policy settings enabling EFS and offline files encryption stayed on, but they stayed on and lusers couldn't turn them off. They also couldn't store stuff anywhere else. Including USB keys.
With this, a stolen and later returned laptop in my care didn't compromise anything. Lots of dumb password attempts in the security log and the battery was drained, but that was it. The luser that lost it got a replacement and kept working until it came back.
I am surprised that this didn't happen sooner. Airports appears to be (at least most of them) to be criminal heaven. It is quite common that thieves steal out of checked in luggage. That same luggage is supposed to be secured to start with, but isn't.
How do I know that airports are thieve havens ? I got robed at Schiphol in Netherlands.
Airport security is a myth like Bigfoot and Jesus.
A lot of systems are designed with good security, procedures put in place then the business people get involved and all the rules go to hell in a hand-basket...
(cue swirly lines)
I'd like to take you on a journey if I may....you are about to enter a world of supposedly sensible people, with strong intelligence, but zero common sense...welcome to the BUSINESS ZONE!
Johnny Arse-Hat is a typical company director. One day Johnny goes to his favourite lackey and makes a request. "I want some data to run some reports, get the IT dept to throw come of that useful data onto my laptop.".
So lackey goes to IT bod, "Can I have XYZ data in Excel format?".
"No! Certainly not! We need security clearance and the security officer needs to be informed. nce we have the correct clearance we'll let it go."
"Well Mr Big, head -honcho, director type person wants it, are you going to say no?"
"Yes I will tell him no."
Lacky heads to his line manager and says IT dept are being difficult and won't give up some data for Johnny director.
Manger heads to Johnny and says need security clearance. Johnny has a quiet word with CTO and security officer, Johnny says he'll promise to be careful with it but if he doesn't get it then we could lose X millions in customers, so please make it happen before it gets to P45 time!
CTO orders IT dept to dump data into insecure format and try to do their best to secure it on laptop.
Laptop is destined for Johnny. Director although he may have an MBA has zero common sense and the IT dept usually have to set the passwords on laptops to something like "pas55word" or director's favourite niece's name.
Well you know the rest....do-do-do-de-do-do-do
The lapdog has just been taken into the care of US Customs Goons ^^^^^^H Officials as permitted by US Homeland Defence. All is well - the US standard for security personnel is the same as 'round 'ere so only people with a criminal record will take the job due to the pathetic pay. The lapdog will appear on eBay.
Your raving on terrorists using the list is completely and utterly stupid.
So they'd need a list of 33.000 names and addresses so they woul dknow whom to kill? Yeah, sure. It's so hard to find random people in the US, you have to like, look at a house and say "why not this one?". Very hard, so for sure, it's better to get a list, check out each address and choose from there...
Oh, and I heard someone stole a White Pages book from a telephone company! Just imagine, names and addresses of hundreds of thousands of people. Whoh, terrorrists could kill them all thanks to their addresses. Scary isn't it?
I just don't get why companies (including the one I work for) have been encrypting laptop hard drives for years to protect industrial data, and yet the governments don't encrypt drives holding the personal data of xxxx thousands of people.
I don't know what laws apply in the U.S. but I strongly believe that those responsible in cases like these should be held accountable under the data protection act. They have wilfully neglected to protect peoples personal data thus allowing it to be stolen and potentially used for a purpose other than the one it was collected for.
If they started introducing criminal proceedings in cases of e-security neglect then I am sure we'd start to see an improvement.
As someone else has said;
Cost of putting in a secure wi-fi (that's a contradiction in terms) in the airport covering that area, or having a secure private APN on a 3G data service in the USA - a few grand.
Cost of putting a large hard disk into a laptop and having an offline copy of the DB - a couple of hundred quid. Why don't they encrypt it? Because the laptops they use are so shite it slows the machine down to a crawl and therefore you get Mr and Mrs impatient from Esher in the queue complaining why does it take so long, thus the operatives complain. Plus they won't pay the measly couple of hundred quid for PGP, for example.
I know there's free versions of all these software, but you have to realise who you're dealing with here. Big corporate and FM companies are mainly wary of 'free' software and as such won't use it. They equate 'Free' with 'Back Door'. Which is a bit of a contradiction in terms.
Knowing that the bean counters run the country and the companies, not the Information Security people, and knowing that they pay nak all to their IT staff, are you surprised that this happens every day?
It's the lowest common denominator. Heck, when you look at the IT Facilities Management companies that manage data for the Government and the Bank, they pay crap wages because they've undercut everyone else to get the cheapest contract, and as is the old adage, you pay peanuts and you get monkeys.
Organisations leaving other people's personal details sitting around on an unencrypted laptop is akin to the bank leaving your cash on the counter for a while. It is negligent and it should be punishable by hanging or electrocution. Or perhaps a fate worse than a fate worse than death. By entering a given sphere of commercial activity, organisations have obligations which extend beyond 'profit'. It's time lawmakers punished these miscreants, rather than worrying about me using my satnav while driving (I mean, when else would I want to use it? I never walk if avoidable and it doesn't work on the tube)
"...it isn't clear from the story whether the contractor that owned the laptop was hired by the TSA directly or whether they had been hired by the TSA contractor at SFO..."
It doesn't matter a bean whether it was the TSA or their agent or their agent's agent. This just goes to show that the more this kind of info is collected, the more it will get pilfered.
And the deniability is only plausible if you accept that the Federal agency involved has not responisbility for what its agents get up to. Which has to be a crock, since otherwise all the feds have to do is outsource everything and then they don't have any accountability. Or is that the way the States is heading?
Stop the presses!
http://www.flyclear.com/news_pr/pr/pr_laptopfound.html
"Press Release
Verified Identity Pass Confirms It Has Found Laptop It Reported Missing; Preliminary Investigation Indicates No Information Compromised"
Still doesn't mitigate the fact that the data was stored unencrypted on an unsecured laptop that could (and did) go missing.
Muppets
Not that they're not grossly incompetent for having such sensitive information stored unencrypted or whether it simply has been returned after syphoning off the info etc, but apparently the laptop has turned up in their office:
http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2008/08/05/financial/f102608D05.DTL&tsp=1
Humans equal human error. It will always be the case so we should be able to react to disasters. Deleting the data of a lost device before somebody can get to the data must be the best way to go. Might have been tough in this case though because they don't even know if the laptop was lost.
>Technically, that's correct. Previously the data was contained, now it's loose.
Um, still No. The OP didn't say the data was "loose", they said somebody was "loosing sensitive data", as in somebody "loosed" (or maybe loost?) it. Complete nonsense.
I'd accept "letting loose sensitive data" or even the "data is on the loose". You could even possibly "loosen" the security around the data. But "the data is loose" -- even if that had been what the OP said, and it isn't -- implies either its numerically not very accurate, or it's rattling around the disc surface every time the laptop is moved. An interesting mental picture, but even then there is no way to contort "loosing the data" to mean "the data was made loose". At least, not in english.
Don't make me come down there.
@ "Just noticed that the WTC bomb date written like that is the yank emergency services number. Think 9/11, think panic? Despite the fact it should be 11/9 but Americans are doodie heads" - wtf? where have you been the last 10 years? surely everyone else guessed that the same day? lol
i say make companies accountable. if your ID gets lost by a company £1M fine. now, do this for every lost ID and that really fucks up the company.
i always think its amusing that directors get stupid bonuses because their people have done what was wanted. yet they never get penalised if anyone makes a fuckup. so its just win win being a director.
Couple of things:
1) Before Osama turned 'bad', before he was friends with the CIA, before all that, he was the son of a very well respected family (shake hands with the Bushes and all that good stuff) - who says that just because you aren't a threat today you won't be tomorrow?. Therefore the whole concept of a 'Clear' list is ridiculous
2) The quality of staff enforcing the 'rules' isn't exactly sky high. I don't know what it's like in the US at the moment, but whenever I fly from the UK I take one look at the spotty reject nosing through my hand luggage and think "If you're the last line of defense between me, and criminal minds so ingenious they can make a bomb out of 101ml of water then I am so DEAD!"
3) If you contract out work to the lowest bidder (or let's be honest your best mate), no matter how much legalese you get them to sign and whether or not you are legally liable its still YOUR FAULT when something goes wrong. You trusted someone who was not worthy of trust.
4) The laptop was 'found' - yeah right, translation: "We are getting shit loads more flak from this than we expected and since we still have copies of the data you can't prove anything". Whether it was found or not the best that can be said is that this sensitive information is revealed to be stored on an unencrypted portable device, which they do not keep good tabs on and have no idea where it is some of the time. Serious security that!
5) As for the statement from the company involved "Yes, it was sensitive privacy information, but not the stuff that was most sensitive", translation: "We store that on a CD...". Once you have got to the point where you have stolen 33,000 ($3.3million TSA dollars worth incidentally) records containing enough information to potentially clone supposedly 'safe' IDs, does it really matter if you didn't managed to get their sexual preferences?
Joke since thats all this post 9/11 nonsense is - one big sick joke
The problem is NOT a lack of laptop encryption. The system is fundamentally flawed, and no amount of security technology or process is every going to keep exploitable data from leaking.
Stop and think about how ludicrous it is that simple identifiers, such as names, addresses, and passport numbers, should ever be used as an authentication factor. Names and addresses are a matter of public record, and our quality of life continues to decline to the extent that we feel the need to protect the 'secrecy' of routine identifiers.
We're becoming a strange sort of postmodern magic-based culture in which we all feel the need to use pseudonyms, fearing that anyone who has our true name consequently has power over us. And justifiably so.
Our system is broken when just knowing some simple personal details is sufficient to take out credit in someone else's name, or apply for some other form of privilege using their identity.
Until somebody has the courage to fix this fundamental flaw, routine encryption of laptops and memory sticks is a good idea, but it is still a temporary expedient. It is a band-aid on a gaping wound.
Why aren't we placing the blame where an economic analysis would indicate it belongs? We need to hold credit givers, governments, and other institutions accountable when they use non-secret information as the basis for determining identity, and subsequently give credit or privileged access to the wrong person.
I think the people responsible (and I use that word in the loosest possible sense) should be punished, but I think the punishment should fit the crime.
I suggest the courts publish the same amount of *their* personal data online and in the paper press.
If they lost fullnames, passport numbers, date of birth, religion; their fullnames, passport numbers, date of birth and religion should be published.
I bet after a few managers had their details published security would go way up ;)
This whole gimmick has been fishy since day one. If the TSA/DHS/CIA/FBI can't make me secure Johnny CEO sure as hell can't. They really don't do anything but take all your personal info (lose it) then give you a silly little clear card that means you're not a terrorist. You are still molested by TSA, your bags are still searched, and your laptops HDD can still be copied/stolen - you just get the privilege of going through a shorter line before you are anally raped.
The whole idea is bad. Let the Govt lose my data, not some shitty company with no morals, and as is obvious from their press release, no common sense.
I hope it was stolen and returned. I'd be interested to see how many people with "terrorist" names were issued "Clear" cards. I bet there aren't any - maybe we'll find out soon.
is a reactionary "watchdog" Media prying and looking for the slightest negative angle to blow across the worldwide front page.
If it potentially makes America look stupid=launch it within minutes, no research or verification required
If it potentially makes a Democrat/Liberal look bad=sit on it and repress it while you do "research' to "verify" until it all blows over (Edwards, anyone?)
Given the TSA's legendary ineptitude, I'll lay plenty of 6 to 4 that 'hacking into' one of these passwords will be no more difficulth than booting the machine and repeatedly pressing F8.
Also, Shay Mclaclan has beaten me to my second point. I don't believe they 'found' it again for one second.
Two options:
1.) It's not been found - it's easier for them to lie to me
2.) It has been returned by the thief. How on earth can they tell it wasn't compromised!
I bet they're using a bog standard laptop with a 2.5'' HDD in it and not even stickers over the screws.
Simple job of unscrewing the laptop, pop the drive into another machine and image it - then put it back in.
Any system logs wouldn't even show a boot since it was stolen so it would look like it hadn't been touched.
Mr BadMan now has all your data and can do what he likes with it - do these people think we're all as dumb as they are..............
One kind of stupid - the idea that our present government and business community is either competent or moral enough to do the job of judging who can be trusted on a plane.
Another - the idea that becoming freer from random suspicion and harassment ought to cost money. This is more vile than stupid, like a protection racket, except with more suffering and less protection.
Third (well, about sixth, but I'm tired of politics), is the lack of planning demonstrated by the very EXISTENCE of a non-trackable (GPS, anyone?) laptop with TERRORIST-SENSITIVE data on it. (Yeah, I know I'm over-reacting, but they do all the time. Why NOT here?)
Fourth - assuming there WAS some secret, elaborate system that required this database to be on a portable device - an XP laptop? And an unsecured one? By "unsecured" I mean "if you can download or buy software to open it, it's not locked." It's just NOT THAT HARD to set up an OS - nearly ANY OS, including Win 3.1, for crying out loud - to secure your actual data. But you have to start.
Fifth - the relatively random collection of personal data as identifiers, especially of a class of people some of whom have only a hypothetical fixed address, and others who keep their personal information intensely private.
Sixth - the likely but not proven case that this was a local copy of a database, of which there are actually hundreds of copies running around, largely not in sync ;)
Seventh - the fact that, security and encryption aside, they f***ing LOST THE LAPTOP IN THE SAME ROOM FOR A WEEK!!!
Isn't there a pattern emerging here? Government and non-government agencies playing fast and 'loose' with all our data, c'mon, no-one is that stoopid. Media hype and coverage of these 'mistakes' only hasten the secret agenda - make everyone so scared that they demand another solution.
If data isn't safe because of 'human' fallibility then I wonder what we can do about that? If personal details are that easy to come by and for ID theft to be so successful, then what can we do about that?
The answer, and I mean it is the answer that government is looking for you sheeple to come up with, it's not the REAL answer of course, but it will be an embedded chip in everyone's brain - problem solved. All your data conveniently packaged in one place and you carry it around wherever you go.
And who's going to hack into your brainchip? Why the government of course. After all, they are concerned about your safety and security, aren't they?
It's a bit disappointing hearing such garbage from Steven Brill. I'm indifferent to many of his projects (including Clear, which doesn't significantly impair our half-assed air-travel "security", but doesn't entice me either). But _Brill's Content_ was a nice magazine for its short lifetime, doing its little bit to encourage critical thinking.
Ref: post by "Aitor"
Posted Wednesday 6th August 2008 07:58 GMT
It is NOT a choice between encryption and compression. That is an un-knowledgeable excuse.
You can do both quite easily and securely without significant storage overhead with any number of programs on multiple platforms. E.G. Check out TrueCrypt, a free open-source program that lets you transparently encrypt/decrypt at disk, partition, or file level.
I've no personal or financial interest in any company, product, etc. that may be described in this post.