School laptop auction devolves into extortion allegation

When a Texas school district sold some old laptops at auction last year, it probably didn't expect to end up in a public legal fight with a local computer repair shop – but a debate over what to do with district data found on the liquidated machines has led to precisely that. The San Benito Consolidated Independent School …

  1. chivo243 Silver badge
    Childcatcher

    Silly school

    I did this exact thing for many years. Wiping all student and faculty computers destined for the broker. Checked, and double checked by a second techie. All units wiped had all data migrated to the user's new laptop prior to wiping and putting a factory image for the broker.

    These un-wiped machines were most likely from School Administrators who couldn't be bothered to bring the unit in when required, and they fell through the cracks, hence the "Sensitive" data being left behind.

    It's all too familiar behavior from a school district.

    1. JimboSmith Silver badge

      Re: Silly school

      Will no one think of the children? Rather than just switching on the lawyers and getting them warmed up.

    2. Halfmad

      Re: Silly school

      We wouldn't let a drive out without it being wiped regardless of how late it came in when I worked in Education IT.

      Then again we didn't resell kit, it went to libraries for public use or was gifted to local charities.

      1. Anonymous Coward

        Re: Silly school

        We wouldn't even let machines go to charities with a used hard disk in, hard disks were removed and crushed. Our social services team however (operational not IT) bought a large number of early word processors with built in memory which later turned up at car boot sales complete with the last half dozen letters.

        When challenged they denied ever realising that the devices had any memory and claimed they were 'just typewriters'.

      2. chivo243 Silver badge

        Re: Silly school

        You'd be surprised how these un-wiped machines got back into the pool... school admin brings the computer in after hours, right to the tech director who's working late etc, assuring him he's wiped everything, tech director passes it off, or does the bit of admin himself telling his team the next day it's all good...

        1. blackcat Silver badge

          Re: Silly school

          I've never disposed of a device with the disc still in it. The disc comes out, gets beaten repeatedly with a hammer and mangled with various implements until it is a tangled mess of metal. Better still are the ones with glass platters. SMASH!!

          I had a tablet die and I could not factory reset it (still don't really trust that) so out came the pliers, screwdriver and hot air gun and the PCB was depopulated with zero care and the flash chips beaten with a hammer.

          My old work had a disposal company come to site to deal with a pile of old discs. They had a device about the size of a washing machine that made a very ominous humming/buzzing noise before using hydraulics to perforate the disc with a very satisfying crunch.

          Paranoid? Maybe just a bit.

          1. KittenHuffer Silver badge

            Re: Silly school

            Just because you're paranoid doesn't mean that they're not out to get you!

            If you think you're paranoid learn to ride a motorcycle ...... you will then learn what paranoia is really all about!

            1. blackcat Silver badge

              Re: Silly school

              Pass! Riding a pushbike is bad enough!

            2. Agamemnon

              Re: Silly school

              The Motorcycle => Extreme (though oddly Healthy) Paranoia path is swift and indelible, or one does not survive long.

          2. Someone Else Silver badge

            Re: Silly school

            Heck, you oughtta see the disk shredder that my local paper recycler has. That thing actually shreds a disk drive (or, likely, any similarly sized piece of technology); platters, boards, case and all. Noisy, but quite satisfying.

            1. Martin-73 Silver badge

              Re: Silly school

              I admit to binge watching those videos where the Chinese shred everything ...lol, including entire mopeds

          3. Martin-73 Silver badge

            Re: Silly school

            I always thought an excellent method would have been to use an old stick arc welder with coathanger wire, (for cheapness) to render the disc platters into molten slag. What the melting didn't do, the vast magnetic field would, and how satisfying would it be....

          4. Agamemnon

            Re: Silly school

            I bought a Sun Enterprise 6000 at an auction at Redstone Armory in Huntsville, AL. This particular machine calculated artillery ballistics (for many known and experimental shells, including a bunch of fluid dynamics) ... so I was told.

            As it happens, it came with an *Empty* A-1000 Disk Array* (Cranky Beast, that array was) and a document describing the fate of the drives:

            They were taken out to The Range**, packed in thermite, surrounded by other junks and some "iffy ordnance". Oh yes, those drives were unreadable.

            * Replacing those effing drives would have cost me more than the whole server.

            ** I worked out there and knew most of the Ordi guys around base.

            Boot Note: I turned the chassis into a Kegerator with two half-kegs and taps.

    3. Dimmer Bronze badge

      Re: Silly school

      Did you do the copiers too?

      Lots of juicy things on those hard drives.

      1. Anonymous Coward

        Re: Silly school

        An ex-colleague admitted one night in the pub after a good few drinks that she’d photocopied her genitalia at a previous employers. It was after a particularly alcoholic Christmas party and a lot of the girls had done it. It was a black and white copy only, because they couldn’t remember the code to allow colour copies to be made. She had the resultant A4 paper copy in a frame in her bedroom.

        When we told her the scan might have been stored on the hard drive she said the entire office was on there, “I’m not bothered”!

    4. Martin-73 Silver badge

      Re: Silly school

      Found a win95 machine outside a PC repair place in Ontario in late 2004 (it was their habit to put the non resellable bits kerbside for disposal or geeks to take). Very old SCSI hard drive, with a blown surface mount fuse, bridged it with a strand from a cord... and found medical records from a local doctor's office :O ... I did the decent thing and wiped it immediately, but yes, this kinda thing has been going on forever, and will continue forever. Because humans.

  2. Pascal Monett Silver badge

    Investigating RDA ?

    From this article, it seems to me that RDA is doing its job. Found unwiped sensitive data on auctioned machines that had also been sold to public buyers. It is largely too late to bring in an NDA and, if the goal is to sweep the whole affair under the rug, well a certain Mrs Streisand would certainly like to have a word with that school.

    1. blackcat Silver badge

      Re: Investigating RDA ?

      I think this is standard operating procedure for anything governmental in the US. Don't fix the problem, just sue the people who pointed it out.

      1. Anonymous Coward

        Re: Investigating RDA ?

        Only in some states!

        1. lglethal Silver badge
          Trollface

          Re: Investigating RDA ?

          "Only in some states!"

          Yep this is only standard in about 50 of them...

          1. John Brown (no body) Silver badge

            Re: Investigating RDA ?

            Not just the US either. Most countries will shoot the messenger if they bring bad news!

      2. Arthur the cat Silver badge

        Re: Investigating RDA ?

        "Don't fix the problem, just sue the people who pointed it out."

        Killing the messenger is a millennia old practice. Recently though it appears the cover up bites the guilty harder than the cock up.

        1. KittenHuffer Silver badge
          Facepalm

          Re: Investigating RDA ?

          I seem to remember that after Watergate one of those involved was quoted as saying something along the lines that nobody suggested that they wouldn't cover it up.

    2. Anonymous Coward

      Re: Investigating RDA ?

      However, right now, it's the company that's under investigation, not the school. And that "Streisand effect" might be invoked again and again, the fact is, do you even remember right now what happened with Barbra Streisand? I sure don't.

      So it might be the focus of news for a while, then the interest will wane, while the investigation will continue to put pressure on the company for months or years (again, not the school, which at this point doesn't seem at all interested in fixing their internal issue).

      Given a few more "COMPANY UNDER INVESTIGATION FOR EXTORTING SCHOOL" headlines, I'm not sure the public consciousness will bother with the more complicated technical details.

      1. JimboSmith Silver badge

        Re: Investigating RDA ?

        Yep I remember what Mrs Streisand made a big song and dance about. I remember because I looked at the picture of her house that she’d complained about and thought that it was a bit too close to the cliff edge for my liking.

        1. Skiver

          Re: Investigating RDA ?

          Imagine being a famous, respected artist who had a hugely successful career who is now mostly known for the Streisand Effect.

          1. blackcat Silver badge

            Re: Investigating RDA ?

            And being defeated by Robert Smith!

          2. TDog

            Re: Investigating RDA ?

            What, like Dr. Who?

      2. localzuk Silver badge

        Re: Investigating RDA ?

        Such headlines and investigations would certainly lead to lawsuits by the company against the papers and the state.

        "STATE BULLIES COMPANY WHO TRIED TO DO THE RIGHT THING" is also a good headline.

        1. Orv Silver badge

          Re: Investigating RDA ?

          It's Texas. That's what they elect people to do -- bully people who don't get with the program.

      3. Missing Semicolon Silver badge
        FAIL

        Re: Investigating RDA ?

        So, they in the future decide not to turn a nice profit by refurbing old Educational kit (a quite reasonable business). Instead, the machines will be untraceably sold, and the information published or used for extortion. Ain't Government great.

        1. Anonymous Coward

          Re: Investigating RDA ?

          That's not a government specialty, any private company would do just as well.

      4. Someone Else Silver badge

        Re: Investigating RDA ?

        It's the Tejas A.G. ferchrissakes! What else do you expect?

        1. Flocke Kroes Silver badge

          Re: What I expect from the Texas AG

          His name is Ken Paxton. Last year I would have expected him to be busy avoiding the consequences of being indicted for securities fraud. These days, he is on the run to escape being served a subpoena.

          1. Anonymous Coward

            Re: What I expect from the Texas AG

            And two years ago he claimed that at least 4000 people (or was it 10000) had committed election fraud. Last year there were *two* trials for election fraud in Texas. 2.

            He goes for the headlines. And runs from everything else.

          2. Someone Else Silver badge

            Re: What I expect from the Texas AG

            "His name is Ken Paxton. Last year I would have expected him to be busy avoiding the consequences of being indicted for securities fraud. These days, he is on the run to escape being served a subpoena."

            I thought he was to be referred to as "He who shall not be named". But I guess that is now "He who shall not be served".

          3. Orv Silver badge

            Re: What I expect from the Texas AG

            It turns out being indicted means nothing in Texas as long as you keep being re-elected.

      5. Richard Cranium

        Re: Investigating RDA ?

        Would you do business with a PC shop that openly admits it examines data on PCs that pass through their hands?

        The guys I use to get rid of my old technology routinely ask "any disks in this equipment" and if so part of their service is to definitively wipe or destroy (my choice) regardless of whether there's any data on the disks. Of course that does leave a matter of trust but in UK and probably most of Europe the act of looking at the data on any disks without permission would be an offence.

        It's also an offence not to destroy the data before disposal so the school hasn't covered itself in glory either but do some not necessarily IT literate admin people think about that when there's a stash of redundant kit going to auction, maybe like this one https://www.sbcisd.net/apps/news/article/828912 with a mixed bag that might include Playground equipment, Sewing machines, Computers/TV's/laptops

        OK so RDA are claiming to be acting in a public spirited manner because "he alleges some computers sold by the district went to foreign buyers" but wants the school to buy back the entire 514 machines (perhaps at a substantial mark-up?) AND he wants to rubbish the school's reputation and get his name in the headlines - well he succeeded in that.

        Maybe the auctioneers have some responsibility too, did the sale catalogue make any explicit reference to the status of the disks? In my opinion they should be aware of risks inherent in what they are auctioning. If they were selling hand grenades I would expect them to state whether they were inactivated, dummies or contained detonator and explosive charge.

        Bear in mind that the value of a completely wiped PC may be less than one that can be booted up into a valid operating system.

        Not just from a security perspective any individual relinquishing control of a PC (a student at the end of the school year?) should ensure there's no personal data remaining, so should anyone responsible for disposal of obsolete kit and IMHO ethically, morally and possibly legally, anyone finding they are in receipt of personal data to which they are not entitled, is not entitled to use that for personal or financial gain.

        1. Cliffwilliams44 Silver badge

          Re: Investigating RDA ?

          Sounded to me like the school proposed the buy back. This is just obfuscation by the school and trying to sic the lawyers on the buyer to cover their arse. They don't want to admit they potentially sold kit with data on it to foreign entities, in potential violation of federal law. This has little to do with the kit sold to RDA and everything to do with the kit sold to foreign entities that they have little chance of getting back or having the drives wiped. And they know that!

          The sale was just to buy the kit, to be repurposed as the buyer sees fit. It was not a data destruction agreement so RDA has no obligation to destroy the data nor return/sell back the kit. Plus the owner is right to inform the public of the school district liability in exposing the sensitive data!

          As was stated before, this is standard procedure in the US when government agencies have their cock ups exposed to the public. Shoot the messenger and hope that story is all that the media focus on and not their incompetence.

        2. flayman Bronze badge

          Re: Investigating RDA ?

          "Would you do business with a PC shop that openly admits it examines data on PCs that pass through their hands?"

          Ridiculous. Yes, of course I would. There's no ulterior motive there. He doesn't want the school to buy back the machines. The school district are proposing to buy them back so they can wipe them, but he has to sign an NDA first.

          "The district admitted to the exposure of the data as a result of the sale to RDA, but said Avila's company 'has not agreed to our proposed solution.'"

        3. doublelayer Silver badge

          Re: Investigating RDA ?

          "Would you do business with a PC shop that openly admits it examines data on PCs that pass through their hands?"

          No. On the other hand, would I do business with a shop that notices that a disk wasn't wiped without having to poke through all the files? Sure. There's a difference between "I noticed this disk has a filesystem, which means it wasn't wiped" and "I had a read through all the emails I could recover because why not". The first is acceptable and worth warning about if it indicates a risk of additional damage, as in this case. The second is unacceptable and likely criminal.

    3. BillG
      WTF?

      Investigating RDA? I'm Not Certain.

      We are not sure that the Texas AG is actually "investigating" anything.

      After the San Benito CISD told what appears to be a series of lies about RDA already detailed in this article, Superintendent Theresa Servellon issued a statement saying "The District is providing information to the Texas Attorney General to aid representatives from the Texas Attorney General's office in their future inspection of RDA Technologies."

      Note she doesn't actually claim there is presently an investigation, but an "inspection", and not an active one, but maybe sometime in the future. I'm willing to bet all the school district did was send the Texas AG an email. If the Texas AG bothered to respond in any meaningful way the ISD would claim they are "in communication" or "having a discussion". I'm pretty sure it's against the law to claim someone is being investigated when they are not, and I'm also pretty sure lying about anything a state's AG is up to is very stupid if you expect their future cooperation.

    4. Agamemnon

      Re: Investigating RDA ?

      He actually did the right thing.

      In the United States, that means you get sued for pointing out that someone else is a twot.

  3. Anonymous Coward

    Never should have been possible.

    All drives must be destroyed when done with service. All but one company I worked for had this policy - that was government. The gov facility had us wipe the drives with their tool then they auctioned the systems to employees as first dibs. One of the users bought their own system, scanned the drive and found only the boot sector was wiped and all data was on the drive - turned into a very big deal - All on the crap policy of wipe them. Every place else we destroy the drives. At the bank we pay and watch and get a cert of destruction - even printer drives. Another company we bought a drill press. Drives are cheap and should be destroyed when finished with. Your home computer should be treated the same - as it is your data.

    1. Flocke Kroes Silver badge

      Re: For home drives ...

      Get out your screwdriver and go for the magnets. They have been getting smaller over the years but they are still fun to play with as long as you keep them away from credit cards.

    2. An_Old_Dog Silver badge

      Re: Never should have been possible.

      "One of the users bought their own system, scanned the drive and found only the boot sector was wiped and all data was on the drive"

      This should be a no-brainer: use DBAN ("Derik's Boot and Nuke") on spinning rust drives. (Flash drives and SSDs need to be electrocuted or smashed.)

      1. Anonymous IV
        Mushroom

        Re: Never should have been possible.

        <pedant>Darik's Boot and Nuke</pedant>, actually...

        And do check that you're attempting to wipe the correct drive!

    3. doublelayer Silver badge

      Re: Never should have been possible.

      "All drives must be destroyed when done with service. All but one company I worked for had this policy"

      All companies I've worked for have had this policy. None of them did it reliably. The small ones were disorganized enough that you could walk off with a disk and nobody would know. The large ones were so large that people didn't understand the process for disposing of equipment. I somewhat recently had a discussion with a team where we determined that an old machine under a desk was not used by any of us, maybe from the last people to use the office but nobody knew who that was, we didn't know who to call about this*, we didn't have an identifier we could tell them even if we found out, the machine did still have a disk in it (we assumed it wasn't wiped but nobody wanted to check), and that every alternative course to leaving it under the desk seemed more risky**. If anyone hid a bug in it, they got to listen to us for a long time.

      * We were developers, so we knew enough to manage our own machines (and IT trusted us to do so) but we didn't know any of the IT people. I sent a message to our local IT helpdesk, and they didn't respond.

      ** We considered wiping or destroying the disk for the company because even if they cared about the data, there was no chance they'd find it, but we decided they could blame us for destroying corporate property. We considered turning it on and connecting it to the network in the hope that monitoring software would find it and someone would do something, but if it was unpatched that could be undesirable. We considered bringing it to the IT guy and leaving it there, but that room wasn't secured and our place was, the guy was frequently working remotely and we had no clue if he came in at all, and the data on the computer was potentially sensitive even to other employees. Then we decided that talking more about the machine would delay our work and moved it to the corner.

  4. yetanotheraoc Silver badge

    Does the TSA know what "online" means?

    "... a hacker spotted a 2019 copy of the no-fly list on an unsecured public-facing server last month. While it doesn't appear to have been published online ..."

    I guess the distinction between "unsecured public-facing server" and "online" is too subtle for me.

    1. doublelayer Silver badge

      Re: Does the TSA know what "online" means?

      I interpreted that to mean that nobody, after obtaining the list, turned around and put the entire thing elsewhere. That means that I can't go out to some open file site and obtain a copy of the list. The only person known to have seen it outside the airline was a researcher who won't be handing out copies, and if any more malicious people got copies before the server was secured, they aren't making them available. That means that the list hasn't been as compromised as if it was available to literally anyone with a connection.

  5. Marty McFly Silver badge
    Go

    I only wipe drives from a distance

    Generally at around 100 yards. They are just big enough to be sporting at that range. The holes vary from .223 to .308 in diameter.

  6. JulieM Silver badge

    Better idea

    If you find yourself in possession of some cheap kit with drives full of data, the best thing to do is just quietly wipe them and not tell anyone. Even alerting anyone to the fact that you've found it is liable to attract unwanted attention.

    Old personal data on a used drive is a lot less glamorous than it sounds. What can you actually do with a bunch of long-since expired credit card numbers, and names and addresses of strangers that -- if they even still live there -- could be looked up in the phone book? What can you do with it that you couldn't have done without it? (A credit card number is a 3, 4 or 5 followed by 14 more digits and a Luhn check digit. Names and addresses can be looked up in the phone book.) And how much trouble is likely to be coming your way if (when) your criminal enterprise goes wrong?

    Just give it one single overwrite (if data that had been overwritten even once was really recoverable, someone would certainly have made a device that used the phenomenon to increase storage capacity), install your favourite Linux distribution (so you can advertise it as "all genuine software, no pirate copies or demo versions") and never speak of it again. Needlessly destroying drives is depriving people in future of a valuable resource.

    1. flayman Bronze badge

      Re: Better idea

      That's not very helpful though, is it. It doesn't ensure that good practices are followed in the future and it doesn't provide accountability. It is a very me-first way of thinking. Someone who is interested in privacy will want to put pressure on governmental agencies to respect privacy and the law. A school district suing a responsible citizen using public funds. It beggars belief.

    2. Marty McFly Silver badge

      Re: Better idea

      It is not about me. Sure, I can wipe the drives and move on. I am trustworthy in that account - though that is not something easy to prove to a 3rd party.

      The problem is who else are they shipping drives to? And can they be trusted to do the right thing? Thus, reporting the transgression, and doing so publicly to alert those whose data may have been misplaced.

      But yeah.... These came from a school. OMG, Little Johnny got a B- grade, and [shock] here is his term paper!

      1. Michael Wojcik Silver badge

        Re: Better idea

        I don't think it's safe to assume a bunch of computers from a school don't have material that's considerably more sensitive. And in the US, school grades are covered by FERPA, so there's a legal requirement to protect that data, regardless of whether you find it interesting.

        RDA did the right thing, and San Benito is at fault, under FERPA. That's pretty clear. Paxton, as usual, doesn't give a rat's ass about the law – though of course FERPA is a Federal law and it's the US ADA who should be getting in on this.

    3. Orv Silver badge

      Re: Better idea

      It's like if you find potentially illegal content on a compromised system at work. Best thing to do is wipe it and not say anything. If you report it all your servers might get confiscated as evidence, and then you're out of business.

  7. flayman Bronze badge

    not extortion

    Insisting that a public body makes a public disclosure when it has failed to safeguard sensitive data is not extortion, and publicly suing an entity that wants you to make such a disclosure is self defeating and just really fucking stupid. Oh, Texas. Right.

  8. hayzoos

    Security Theatre

    Hard drives have had secure erase functions in firmware for a long time, some IDE/PATA drives had it just prior to SATA emergence, SCSI about the same time. Retrieving data after an overwrite of random bits is not inexpensive and would only be cost effective for highly valuable data. Peter Gutmann, the one whose 1996 35 pass overwrite method has been held as the golden standard, stated years ago that for modern (now old) drives that a single random overwrite pass should suffice.

    I never dealt with SCSI drive data destruction. For PATA/SATA/SAS I have used hdparm to issue the proper firmware command sequence to trigger the built-in overwrite. The overwrite pattern is selected by the manufacturer for the technology of the drive. It executes way faster than any method trying to overwrite through the drive bus bottleneck. If a drive does not support a secure erase in the firmware, then maybe I will execute a dd command using /dev/random to the appropriate /dev/{devicefile}. Otherwise then physical destruction is appropriate since it would be so old, of limited capacity, and of little use.

    My physical destruction method is to disassemble the drive and obtain the platters. Then use a MAPP gas torch on the platters. All platter materials will melt with MAPP gas in my experience. The data likely goes up in smoke by the magnetic coating combusting prior to the platters melting. I know, not as cool as thermite, or target practice, but just as or even more thorough. I have thought that putting in a requisition or reimbursement request for ammunition or explosive material might be amusing.
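Added example, not part of the original comments or of any tool named in them: a read-only Python check of whether a wipe such as the firmware erase or dd overwrite described above actually cleared the media, including the "only the boot sector was wiped" failure reported earlier in the thread. The signature table, entropy threshold, function names and sample images are assumptions constructed for illustration.

```python
import io
import math
import random
from collections import Counter

SECTOR = 512
RANDOM_MIN_BITS = 7.0  # assumed threshold; 512 random bytes measure about 7.6 bits/byte

# (offset in sector, magic, meaning). Long magics only: two-byte ones such as
# 0x55AA match by chance about once per 65536 sectors of random fill.
SIGNATURES = [
    (3, b"NTFS    ", "NTFS boot sector"),
    (82, b"FAT32   ", "FAT32 boot sector"),
    (0, b"EFI PART", "GPT header"),
    (0, b"FILE0", "NTFS MFT record"),
]
CLEAN = {"zero", "fill", "random"}


def entropy_bits(block):
    """Shannon entropy of the byte values in block, in bits per byte."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def classify(block):
    """Label one sector: zero, fill, random, residual, or a signature name."""
    for offset, magic, name in SIGNATURES:
        if block[offset:offset + len(magic)] == magic:
            return name
    if len(set(block)) == 1:
        return "zero" if block[0] == 0 else "fill"
    # A short trailing block cannot reach the threshold, so it gets reported.
    if len(block) == SECTOR and entropy_bits(block) >= RANDOM_MIN_BITS:
        return "random"
    return "residual"


def scan(stream, stride=1):
    """Classify every stride-th sector of a seekable binary stream; never writes.

    Limits: compressed or encrypted leftovers also look random, stride > 1 is
    sampling and can miss data, and blocks the drive has remapped are not
    visible to the host at all.
    """
    counts, findings, lba = Counter(), [], 0
    while True:
        stream.seek(lba * SECTOR)
        block = stream.read(SECTOR)
        if not block:
            break
        label = classify(block)
        counts[label] += 1
        if label not in CLEAN:
            findings.append((lba, label))
        lba += stride
    return {"wiped": not findings, "counts": counts, "findings": findings}


def sample_images():
    """Constructed 32-sector images: zero wipe, random wipe, boot-sector-only wipe."""
    rng = random.Random(0)
    boot = b"\xeb\x52\x90NTFS    ".ljust(SECTOR, b"\x00")
    record = b"CONSTRUCTED RECORD student_id=0000 grade=B-\n"
    data = (record * 64)[:4 * SECTOR]
    return {
        "zeroed": bytes(32 * SECTOR),
        "randomized": bytes(rng.getrandbits(8) for _ in range(32 * SECTOR)),
        # Sector 0 is blank, but the partition at LBA 8 and its data survive.
        "boot_only": bytes(8 * SECTOR) + boot + data + bytes(19 * SECTOR),
    }


if __name__ == "__main__":
    for name, image in sample_images().items():
        result = scan(io.BytesIO(image))
        verdict = "wiped" if result["wiped"] else "NOT wiped"
        print(name, verdict, dict(result["counts"]), result["findings"][:3])
```

For real media, pass an image file or device node opened with `open(path, "rb")` in place of the in-memory samples.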

    1. Agamemnon

      Re: Security Theatre

      If I got an Expense Report for Ammunition or High-Energy Molecules for the destruction of I.T. Kit, It would take me fifteen minutes to stop laughing long enough to sign-off on it.

      ... And I would.

  9. hayzoos

    Shooting the messenger

    I agree with those that said the computer shop is doing the right thing. The problem is the data has left the building. The school district has a responsibility to prevent such a data leak, they failed. Instead of owning up to the problem, they try to shoot the messenger. A better response would be enlisting the help of the messenger and offering recompense to assist in building a process to try and prevent a repeat. Community cooperation works well, good leaders facilitate such.

    1. Agamemnon

      Re: Shooting the messenger

      ^^^ *T-e-x-a-s*
