• Menu
  • Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar

Before Header

  • About Us
  • Lexicon
  • Contact Us
  • Our Store
  • ↑
  • ↓
  • ←
  • →

Balloon Juice

Come for the politics, stay for the snark.

Fuck these fucking interesting times.

We are aware of all internet traditions.

Russian mouthpiece, go fuck yourself.

Shallow, uninformed, and lacking identity

Proof that we need a blogger ethics panel.

A thin legal pretext to veneer over their personal religious and political desires

Something needs to be done about our bogus SCOTUS.

This has so much WTF written all over it that it is hard to comprehend.

You don’t get rid of your umbrella while it’s still raining.

Never entrust democracy to any process that requires republicans to act in good faith.

No offense, but this thread hasn’t been about you for quite a while.

Infrastructure week. at last.

“Can i answer the question? No you can not!”

People are complicated. Love is not.

I’d like to think you all would remain faithful to me if i ever tried to have some of you killed.

if you can’t see it, then you are useless in the fight to stop it.

A democracy can’t function when people can’t distinguish facts from lies.

So it was an October Surprise A Day, like an Advent calendar but for crime.

Authoritarian republicans are opposed to freedom for the rest of us.

And we’re all out of bubblegum.

Take your GOP plan out of the witness protection program.

Whoever he was, that guy was nuts.

Take hopelessness and turn it into resilience.

We still have time to mess this up!

Mobile Menu

  • Winnable House Races
  • Donate with Venmo, Zelle & PayPal
  • Site Feedback
  • War in Ukraine
  • Submit Photos to On the Road
  • Politics
  • On The Road
  • Open Threads
  • Topics
  • Balloon Juice 2023 Pet Calendar (coming soon)
  • COVID-19 Coronavirus
  • Authors
  • About Us
  • Contact Us
  • Lexicon
  • Our Store
  • Politics
  • Open Threads
  • War in Ukraine
  • Garden Chats
  • On The Road
  • 2021-22 Fundraising!
You are here: Home / Science & Technology / ‘Privacy’ Is for Suckers

‘Privacy’ Is for Suckers

by Anne Laurie|  December 11, 201210:58 am| 61 Comments

This post is in: Science & Technology, Our Awesome Meritocracy, Security Theatre

FacebookTweetEmail

You’ll tell us what we ask for, citizen, and we’ll tell you what we please. From the NYTimes:

In 2007, Robert M. Nelson, an astronomer, and 27 other scientists at the Jet Propulsion Laboratory sued NASA arguing that the space agency’s background checks of employees of government contractors were unnecessarily invasive and violated their privacy rights.

Privacy advocates chimed in as well, contending that the space agency would not be able to protect the confidential details it was collecting.

The scientists took their case all the way to the Supreme Court only to lose last year.

This month, Dr. Nelson opened a letter from NASA telling him of a significant data breach that could potentially expose him to identity theft.

The very thing he and advocates warned about had occurred. A laptop used by an employee at NASA’s headquarters in Washington had been stolen from a car parked on the street on Halloween, the space agency said.

Although the laptop itself was password protected, unencrypted files on the laptop contained personal information on about 10,000 NASA employees — including details like their names, birth dates, Social Security numbers and in some cases, details related to background checks into employees’ personal lives. …

FacebookTweetEmail
Previous Post: « Call me, call me anytime
Next Post: Noodling Through the Bismarck Option »

Reader Interactions

61Comments

  1. 1.

    japa21

    December 11, 2012 at 11:06 am

    Okay, I am not a computer geek, but I have to ask why that information would be on the laptop itself. It would seem to me that it would be in a main NASA computer somewhere and could be accessed by the laptop owner remotely, but not on the laptop specifically.

    If that is the case, then security measures could be put in place as soon as the theft is discovered to make sure whoever took the laptop is unable to access the main files.

    For the computer geeks out there, is that implausible?

  2. 2.

    Origuy

    December 11, 2012 at 11:08 am

    Why does anyone need employee confidential data on a laptop? It should be on a secured server behind locked doors. My work laptop, which has little or nothing that anyone would care about, has BIOS level encryption. Nobody gets past the initial password prompt and if they pull the hard drive, good luck cracking the encryption.

    Edit: japa21, not only plausible, but it should be mandatory in this case.

  3. 3.

    Zifnab25

    December 11, 2012 at 11:12 am

    @japa21:

    Okay, I am not a computer geek, but I have to ask why that information would be on the laptop itself. It would seem to me that it would be in a main NASA computer somewhere and could be accessed by the laptop owner remotely, but not on the laptop specifically.

    There’s plenty of ways for the data to land on an individual laptop. Firstly, working over a network – particularly a highly secure network – can get really laggy and annoying. So people will regularly pull a file over, work on the file, and then export it back again. Secondly, because people recognize latency is an issue, many programs will store a temporary copy of a file on a local machine while it is being view/edited/whatever. If you have ever opened a PDF in a web browser, an actual copy of the PDF was downloaded to your machine somewhere and read locally.

    Those are just two reasons that leap to the top of my head. But the short of it is that we haven’t reached a level of high speed internet connectivity to allow people to operate entirely off of thin clients connecting to remote systems.

  4. 4.

    Cermet

    December 11, 2012 at 11:18 am

    First off, not having background checks would have done zero for this case – the critical data stolen (or lost if the thief just wipes it so they can use the computer) was just normal data that everyone provides to an employer; second and most importantly, the policy of allowing anyone to take such data without encryption is the issue here. Now-a-days this is required for such information so someone screwed up and not getting personal data would not have change this fact.

    This critical information should never be on portable computers much less taken out of the building.

  5. 5.

    Mnemosyne

    December 11, 2012 at 11:18 am

    This is not just a government problem. One of the sales reps at G’s office had a laptop stolen, which had a bunch of patient information on it, including Social Security numbers and addresses.

    The Giant Evil Corporation I work for got sued because the encoding of our ID cards included our Social Secuirty numbers and could be scanned without our knowledge. The especially stupid part of that is that we were all issued personnel numbers to avoid having our SSNs be potentially available to anyone who got hold of our ID cards, but they never bothered to change the protocol for encoding the IDs until they got sued.

    Etc.

  6. 6.

    PeakVT

    December 11, 2012 at 11:20 am

    Do not put important or sensitive information on laptops. The End.

    I bet 99% of laptop thefts are for the equipment, not the information, but one can never know when the information is actually the target.

    Related: a new compute cluster can crack every 8-character Windoze password in less than 6 hours.

  7. 7.

    Butch

    December 11, 2012 at 11:20 am

    I’m just at the tail end of resolving a case of identity theft that it my case was fairly minor by comparative standards. It’s a nightmare.

  8. 8.

    The Moar You Know

    December 11, 2012 at 11:22 am

    For the computer geeks out there, is that implausible?

    @japa21: Sadly, the “remote wipe” thing for an actual laptop is pretty implausible. The information in question flat-out should not have been on a laptop, but as we have found over and over and over and over and over again for the last decade, banks, governmental agencies and health care providers routinely do this shit all the time no matter how dire or embarrassing the penalty.

    The “password protected” thing is a joke. Google “NT Passcracker” and by using that tool even the most inexperienced noob can have that stolen laptop open in ten minutes.

  9. 9.

    Jack the Second

    December 11, 2012 at 11:22 am

    My workplace uses four policies together to keep things pretty secure.

    1. You maintain control of your laptop at all times. Don’t lend it to a friend, don’t leave it on a table.

    2. No sensitive data on laptops. Even if you lose control of it, there shouldn’t be anything on it to steal. It’s just a dumb terminal for accessing the corporate network.

    3. Full disk encryption on every laptop. Some people will willfully or accidentally put some sensitive data on laptops.

    4. Remote wipes of laptops. If your laptop is lost or stolen and connected to a network, everything on it can be deleted remotely.

    None of these policies is particularly expensive or difficult to implement nowadays.

  10. 10.

    Todd

    December 11, 2012 at 11:22 am

    Conservatives have long told us that there is no right to privacy, Blackmun’s opinion in Roe notwithstanding. In fact, I remember a whole bunch of them, including the Glibertarians, laughing at the notion of the penumbra of privacy, and the Glibertarians happily signing on to the notion that Roe was a heinous assault on personal liberty, in that having an organ of government declare that there are aspects of private lives into which government cannot intrude is a huge assault on Freedom, and Americanism, and Liberty, and all that is good.

  11. 11.

    Hypatia's Momma

    December 11, 2012 at 11:22 am

    @japa21:
    It’s not simply a “computer geek” question; any information relating to Human Resources/Payroll should not be transported off-site by any employee.

  12. 12.

    Mnemosyne

    December 11, 2012 at 11:23 am

    @Cermet:

    First off, not having background checks would have done zero for this case – the critical data stolen (or lost if the thief just wipes it so they can use the computer) was just normal data that everyone provides to an employer; second and most importantly, the policy of allowing anyone to take such data without encryption is the issue here.

    Just repeating this for emphasis. No deep background check was done on me for my job at the GEC, but I would be just as screwed as those NASA employees if someone had my personnel information on a laptop that got stolen.

    It’s not like our employers having our SSN, birthdate and address is somehow unique to government work.

  13. 13.

    NorthLeft12

    December 11, 2012 at 11:24 am

    I hate to sound like a conspiracy obsessed nutjob, but this almost sounds too perfect to be true.

    It’s as if a big FU was sent to the scientists for daring to question the genius management of NASA.

    It would be interesting to know if NASA management personal information was on that laptop, or if it was just restricted to scientists and other lesser human beings…………….. that is if the laptop and data were ever really “stolen”.

  14. 14.

    slag

    December 11, 2012 at 11:24 am

    I was shocked the other night when, while participating in a Kickstarter campaign, I was sent to an Amazon checkout site that required my Social Security number. WTF?

  15. 15.

    Villago Delenda Est

    December 11, 2012 at 11:33 am

    @Origuy:

    Why does anyone need employee confidential data on a laptop? It should be on a secured server behind locked doors.

    This is one of those mysteries that has baffled mankind since Grace Hopper found a moth inside the innards of that vacuum tube firing tables calculating machine back in the 40’s.

    Why, indeed, is anything considered confidential on anything but a well secured mainframe guarded by giant two-headed attack dogs?

  16. 16.

    redshirt

    December 11, 2012 at 11:33 am

    Some hacker actually had the control codes for the ISS last year. Fun times!

  17. 17.

    Villago Delenda Est

    December 11, 2012 at 11:36 am

    @The Moar You Know:

    The “password protected” thing is a joke. Google “NT Passcracker” and by using that tool even the most inexperienced noob can have that stolen laptop open in ten minutes

    Scriptkiddies strike in the dark of the night!

  18. 18.

    Villago Delenda Est

    December 11, 2012 at 11:38 am

    @Todd:

    You’ve articulated the primary problem with glibertarianism: It’s totally fucked up as a “philosophy.” They’re distressed that actual philosophers start convulsing with laughter when the name “Ayn Rand” is mentioned as a philosopher.

  19. 19.

    Mnemosyne

    December 11, 2012 at 11:38 am

    @NorthLeft12:

    If that’s the case, it’s going to be a very expensive FU for NASA — the VA had to pay out $20 million in compensation to the veterans whose information was stolen from a VA laptop.

  20. 20.

    ? Martin

    December 11, 2012 at 11:38 am

    @Jack the Second:

    None of these policies is particularly expensive or difficult to implement nowadays.

    In theory. The problem with public sector budgeting is that it can be incredibly difficult to secure the limited funds needed to do something even this basic. And most public sector operations have bottom-up IT rather than top-down, which makes it harder yet.

    The fundamental problem I’ve found is that user-interaction roles get primary funding and everything behind the scenes is some combination of nonexistant of desperately underfunded. Think about our public education debate. We talk about funding per pupil and student-teacher ratios, classroom time, access to resources. But someone needs to maintain teacher HR records, student records, and so on. Any money that does go to education gets very publicly dumped as close to the student as possible as everyone desires. Spending that money on the back-end gets vicious criticism even from the left, so its politically impossible to actually build anything there. And when the budget cuts come through, guess where the cuts are the deepest?

    Does anyone think things are NASA are really that different from your local elementary school?

  21. 21.

    qwerty42

    December 11, 2012 at 11:39 am

    The only way these issues are ever resolved is by firing some managers. And not low-ranking ones either. It has to be a significantly visible consequence. And why this stuff is on a laptop? My guess is the data was on a spreadsheet or, if they are really up on things, an Access “db”. Possibly because it is “too hard” to read the data as stored in tables/views on DB2 or Oracle.
    geeze.

  22. 22.

    Amir Khalid

    December 11, 2012 at 11:40 am

    @Mnemosyne:
    This might amuse you. About decade go the Malaysian government made us all get the new Mark 2 national identity cards(ICs, as we call them). The Mark 1 IC, introduced by the British as a security measure during the Communist insurgency, had a serial number (your “IC number”) that you’d use to identify yourself in personal transactions, filling out forms etc. The Mark 2 IC number starts with your date of birth in DDMMYY format, followed by a two-digit code for your state of birth, and a serial number. So anytime a Malaysian fills in a form they’re giving away two items of personal information: date of birth and place of birth.

  23. 23.

    Brachiator

    December 11, 2012 at 11:42 am

    @PeakVT:

    Do not put important or sensitive information on laptops. The End.

    We are soooo beyond this. People put or access sensitive information by means of all kinds of devices, including smartphones, tablets, and maybe even game consoles. And let’s throw in various iterations of cloud storage and file sharing.

    And the background to many possible security breaches, as posters here have noted is an attitude that says, “it can’t happen to me” or “I’m in a hurry” or “I can’t be bothered with the security crap that is preventing me from getting my work done.”

    And on top of this is the attitude by many that privacy and security are so last century. Devices and software are engineered to maximize sharing and accessibility.

    And all of this is a side issue to the original JPL case, which I think makes a pretty good case that the government’s claim to excessively personal background information is unnecessary, intrusive, accomplishes nothing, and may be stupidly made accessible to ID thieves and other goons.

  24. 24.

    Amanda in the South Bay

    December 11, 2012 at 11:50 am

    @Brachiator: I feel the same way about security clearance background checks.

  25. 25.

    ? Martin

    December 11, 2012 at 11:58 am

    @qwerty42:

    And why this stuff is on a laptop? My guess is the data was on a spreadsheet or, if they are really up on things, an Access “db”. Possibly because it is “too hard” to read the data as stored in tables/views on DB2 or Oracle.

    1) We don’t buy desktops any longer. There is no performance benefit to them. There is barely a cost benefit to them. They are less flexible for employees that work in multiple locations. We’re centralizing our HR operations. Almost every one of our HR staff will be traveling to work sites in 18 months.
    2) I haul around vastly too much stuff in spreadsheets (also on my laptop as I have no server to store it on – but I keep everything in a highly encrypted virtual partition, which I can back up as an encrypted partition – it’s relatively secure). I could store the stuff in a database, but I can’t get funding for Oracle. I could store it in mysql, but I can’t get funding for a server, or server hosting even at my own employer because we have insufficient rack space. Being in .gov, we’re not allowed to put this data offsite, so we can’t rent RDS from Amazon.

    This is not the rightwing argument that government workers are too stupid and lazy to write SQL. It’s the argument that for all the false reasons noted here about how stupid government is, nobody will fund government efforts as a consequence. I just, yesterday, got $25K in funding to actually get some of this in databases. I’ll use that money on services and equipment and do the labor in my free time, because I’ll burn through it in days if I hire it out. Could I get even 20% of an FTE to build this? Nope. No continuity. We’re going to lurch from temporary funding to temporary funding, building short-term solutions for lack of long-term funding.

    It took me 6 years to get that $25K and I’m going to start today on the next $25K of funding to replace/upgrade this equipment because in 6 years it’ll be needed.

    All because SQL is “too hard”.

  26. 26.

    Jay in Oregon

    December 11, 2012 at 12:12 pm

    @Brachiator:
    There’s also the rise of “BYOD”, or Bring Your Own Device, in a lot of workplaces. Organizations that are strapped for money to upgrade IT resources are starting to allow employees to use their own laptops/smartphones/tablets for work purposes.

    I have work-related material on my laptop—I take after-hours calls from time to time—though nothing really sensitive. And even that is kept in Wuala, a Dropbox-style service that uses client-side strong encryption. (I also use it for receipts, tax info, the accumulated notes and emails from my recent mortgage refinance, etc.)

    http://www.wuala.com/referral/AJG5C7FF6PKFN63K3455

    FYI, that is a referral link; it gets you 6GB instead of 5GB of storage, but people don’t have to use it if they don’t want to.

  27. 27.

    Brachiator

    December 11, 2012 at 12:23 pm

    @Jay in Oregon:

    There’s also the rise of “BYOD”, or Bring Your Own Device, in a lot of workplaces. Organizations that are strapped for money to upgrade IT resources are starting to allow employees to use their own laptops/smartphones/tablets for work purposes.

    Good point. There is BYOD all over the place, even in organizations that are not strapped for cash (and I wonder whether some IT people are frazzled at having to support BYOD devices).

    Smartphones and tablets have also accelerated more offsite and in-the-field work. I know sales people and managers who work from home a couple of days a week. Sometimes they take laptops home with them, other times they do remote access. All of this convenience comes with some security concerns.

    ETA: I seriously loves me some Dropbox.

  28. 28.

    Meg

    December 11, 2012 at 12:29 pm

    I worked at JPL before. The new security check they introduced at that time was beyond the normal ones we already all went through when we first got hired. I don’t remember the details now. But it required everyone who already worked there to go through another intrusive check. The information they seek including your drug usage, any small encounter with the law enforcement, and the statements from your friends and neighbors (not relatives or family members) about your qualification to work at JPL. The letters need to be mailed from the writers themselves to JPL or NASA so you do not know what they say about you.

    For me, I don’t even know more than two neighbors that I trust and know well to ask for their statements. On top of it, why would any one of them be qualify to judge if I am qualify professionally or morally to work at JPL? If i am secretly evil or inept, i mostly likely wouldn’t broadcast it to my neighbors.Anyway, the mere mentioning of this thing makes me very upset.

  29. 29.

    Jay in Oregon

    December 11, 2012 at 12:30 pm

    @Brachiator:
    I love Dropbox, too; I use that for files I intend to share with others (friends and family) and use Wuala for the private stuff.

    Wuala isn’t quite as user-friendly, but that’s partly by necessity; the cached data is stored in an encrypted file (disk image?) and so you must launch the client app to gain access to it.

  30. 30.

    PurpleGirl

    December 11, 2012 at 12:38 pm

    At one point a member of the Board of Trustees of my former employer thought that we should have the field staff enter volunteer names into the database on their home computers after working in the field (i.e., at a school) during the day. This person thought we could save on data keyboarders. We (the central office admin staff) patiently explained why it would be a bad idea. What ultimately convinced the Board member was our mentioning that we could do that with the donor database too — and that she was the Board member who didn’t think the office staff should have access to donor information at all. Let’s not mention that not all the field people had computers at home, laptops or otherwise. Not everyone was computer fluent. Did they really want us to have some 50 copies of the volunteer database out there that had to be reconciled to the master db?

  31. 31.

    Brachiator

    December 11, 2012 at 12:39 pm

    @Jay in Oregon:

    Wuala isn’t quite as user-friendly, but that’s partly by necessity; the cached data is stored in an encrypted file (disk image?) and so you must launch the client app to gain access to it.

    I also meant to add, thanks for the tip about Wuala. I will definitely check it out. It might come in handy with work that I sometimes have to do.

    @Meg:

    I worked at JPL before. The new security check they introduced at that time was beyond the normal ones we already all went through when we first got hired.

    Yes. The additional irony is that some JPL employees had lived in countries with repressive authoritarian regimes and knew from first hand experience how stupidly intrusive this stuff could be, and how easily it could be misused.

    The other irony is that the “need” for these extra intrusive background checks impacted long time employees who had passed all number of clearances before and who did not do work on any sensitive projects.

    And some people tried, and still try, to defend these procedures not with any rational objective or security concern, but with lame BS like “well, you don’t have to work for the government if you object to their getting all up in your business.”

  32. 32.

    redshirt

    December 11, 2012 at 12:48 pm

    If only they’d used “The Cloud”!

  33. 33.

    Hypatia's Momma

    December 11, 2012 at 1:01 pm

    @Brachiator:

    Good point. There is BYOD all over the place, even in organizations that are not strapped for cash (and I wonder whether some IT people are frazzled at having to support BYOD devices).

    For human resources and accounting, though? That’s… stupid.

  34. 34.

    Meg

    December 11, 2012 at 1:06 pm

    @Brachiator: You are exactly right.
    And we are really grateful that these group of scientists fought back with a big investment of their own money and time so some of the most intrusive measures were stopped.
    But the thing I don’t understand the most is why the Obama administration feels they need to defend this Bush era draconian policies.

  35. 35.

    Roger Moore

    December 11, 2012 at 1:07 pm

    @japa21:
    I want to know why in hell they weren’t using whole disk encryption. I have it on all my personal computers, and it’s pretty transparent once you’ve unlocked the system. And if they aren’t using it because their operating system doesn’t support an acceptable version, then this is a sign that they need to either pressure their operating system vendor or switch OS to something that allows them to use reasonable security.

  36. 36.

    Roger Moore

    December 11, 2012 at 1:13 pm

    @Hypatia’s Momma:

    any information relating to Human Resources/Payroll should not be transported off-site by any employee.

    That’s not a workable solution. Any reasonably sized organization needs to have a backup plan that includes off-site backups to restore things in the event of a disaster. Maybe you need to include some kind of protection against data theft- that’s what encryption is for- but you can’t leave payroll and HR out of the plan.

  37. 37.

    burnspbesq

    December 11, 2012 at 1:32 pm

    @Jay in Oregon:

    The other benefit to using Wuala is that its servers are located in places that (1) aren’t likely to experience a severe earthquake or catastrophic weather event and (2) that are subject, in whole or in part, to EU data-protection laws.

  38. 38.

    Gindy51

    December 11, 2012 at 1:39 pm

    @Jack the Second: As far as remote deletion, doesn’t that work only if the computer is hooked to the internet or tries to gain access to your company’s network? What if the thief turns it on away from a live network and just prints out the sensitive info or transfers it to another machine?

  39. 39.

    Hypatia's Momma

    December 11, 2012 at 1:40 pm

    @Roger Moore:
    Which is not at all the same thing as any individual employee transporting the information off-site willy-nilly. I’m not sure how that easy-to-understand distinction is so readily lost on you but, hey.

  40. 40.

    BGK

    December 11, 2012 at 1:44 pm

    All of you tend to underestimate the pure hydraulic force of end user bitching and moaning.

    I work for a small company that deals with personally identifiable information. We give most people laptops now, as the cost differential is small over a desktop. They all have smart card readers. Our security badges have embedded smart chips. We got smart-card-reader keyboards as the cost difference was laughable. We licensed whole disk encryption as part of our endpoint security suite. We have a slick (as its engineer, I have a little pride in it) PKI that takes exactly no maintenance.

    We don’t have whole disk encryption.

    Why?

    Users forget their security badges all the f*cking time. Rather than deal with the tiny bit of grief of getting a temporary badge, they tap on the goddam glass entry doors and get let in. Then they borrow someone else’s badge when they need to go to the can, or out for a butt. We tried a smart card pilot, and the pissing and moaning over having to get temporary badges was deafening. As we’re mostly salespeople, they claimed with straight faces it was affecting revenue. Dumb president believes them, end of pilot.

    We can’t have nice things.

  41. 41.

    redshirt

    December 11, 2012 at 2:00 pm

    I worked briefly in a very high security facility and first, there were no laptops. Second, there were really no computers. Each machine was a VM and it was wiped and re-built nightly. Lastly, no non-approved devices were allowed, specifically USB drives.

    Not going to occur in most offices, but if you’ve got any kind of security concerns (hello NASA!), at least use a BIOS level encryption for any laptop. It’s an inconsequential cost/effort and provides great security.

    But don’t worry! Most users will simply tape their encryption password to the laptop regardless.

  42. 42.

    low-tech cyclist

    December 11, 2012 at 2:05 pm

    Although the laptop itself was password protected, unencrypted files on the laptop contained personal information on about 10,000 NASA employees — including details like their names, birth dates, Social Security numbers and in some cases, details related to background checks into employees’ personal lives. …

    Hey, that’s nothing. I don’t know why it hasn’t gotten bigger play, but in South Carolina, a stolen password led to the exposure of tax records of 4.5 million tax filers and another 1.9 million dependents, not to mention 3.3 million bank account numbers.

    Nikki Haley proceeded to blame the IRS – for not imposing Federal mandates on South Carolina requiring that certain encryption standards be used at the state level.

    States’ rights in action.

  43. 43.

    Schlemizel

    December 11, 2012 at 2:25 pm

    The the laptop drive itself was not encrypted and allowed to hold this data should be grounds for summary execution. There is no excuse for this sort of leak.

    Thats a separate issue from the collection of the data but anyone with half a brain would not permit sensitive data to rest anywhere unless it is encrypted.

    Death is too good for them.

  44. 44.

    LanceThruster

    December 11, 2012 at 2:25 pm

    People, please. National security is not rocket surgery. Just submit to the draconian privacy intrusions and all will be well. Only those with something to hide (as evidenced by taking offense at such minor intrusions) need be concerned.

  45. 45.

    Mike G

    December 11, 2012 at 3:00 pm

    Sensitive database information should not be stored on a laptop in any situation. I can’t see any valid reason why an entire copy of the database would be off the server (apart from well-defined server backup procedures).

    There are multiple good reasons, above and beyond security, why you don’t want different versions of a database floating around in different locations that have to be reconciled.

    Users should access the specific data they need on the secure server, using a Virtual Private Network (an encrypted network ‘tunnel’ connection) if they are out of the office using the public internet, and laptop disks should be encrypted. Multiple layers of security.

  46. 46.

    liberal

    December 11, 2012 at 3:17 pm

    @Schlemizel:
    But these things are bound to happen if appropriate controls are not in place.

    Having an encryption solution on a particular device is an “engineering control.” But you need administrative controls, too, such as “No laptop shall ever be issued without disk encryption first being installed.” If you don’t have good admin controls like that, and make carrying them out the responsibility of people other than end-users, failure is inevitable.

  47. 47.

    liberal

    December 11, 2012 at 3:18 pm

    @Mike G:

    There are multiple good reasons, above and beyond security, why you don’t want different versions of a database floating around in different locations that have to be reconciled.

    Agree 1000%, but try telling that to all the people I work with who refer to spreadsheets as “databases.”

  48. 48.

    liberal

    December 11, 2012 at 3:23 pm

    @BGK:

    Users forget their security badges all the f*cking time.

    We use them at my place, and frankly it is a giant pain-in-the-ass.

    Yeah, sure, it might be worth the effort, but I don’t see any evidence that the folks at the top here did any kind of meaningful threat analysis, as opposed to “let’s do this, this, and this to cover our ass.”

    Of course, in your case if you’re in charge of the PKI, you’re pretty close to the ground, probably know the threat landscape pretty well, and have different mileage on the badge issue.

  49. 49.

    liberal

    December 11, 2012 at 3:29 pm

    @redshirt:
    LOL.

  50. 50.

    Bokbokbok

    December 11, 2012 at 3:55 pm

    Having worked for NASA as a contractor, I can tell you this: the government is paying for identity theft protection for most government workers in perpetuity because of stuff like this.

    They offer three years of protection every time data is compromised like this, and it keeps happening, despite NASA’s best practices specifically prohibiting putting any of this stuff on a portable computer for any reason.

    My main beef with HSPD-12 (the background check that the JPL contractors found onerous) is that it asks questions about your background that are NONE of the government’s business for low-level, non-ITAR work. Every person who has been through HSPD-12 gets an FBI jacket, because that’s who does the investigation. And, like most of NASA’s contractors, I’m a citizen, have been all of my life, have vets in my family, and was under the same suspicion as foreign nationals working right alongside me.

    HSPD-12 was a make-work program for the FBI – a gift from George W. Bush that ensured everyone who has ever done anything for the government had a head start on government data collection on their life.

  51. 51.

    Bokbokbok

    December 11, 2012 at 3:57 pm

    “Agree 1000%, but try telling that to all the people I work with who refer to spreadsheets as “databases.””

    Um, a spreadsheet _is_ a database. A flat-file, non-relational database, but a database nonetheless.

  52. 52.

    kc

    December 11, 2012 at 4:18 pm

    That is inexcusable.

  53. 53.

    kc

    December 11, 2012 at 4:20 pm

    @low-tech cyclist:

    Hey, that’s nothing. I don’t know why it hasn’t gotten bigger play, but in South Carolina, a stolen password led to the exposure of tax records of 4.5 million tax filers and another 1.9 million dependents, not to mention 3.3 million bank account numbers.

    I think it didn’t get much play in part because Nikki Haley sat on the news for weeks after finding out about the breach and didn’t release it until a Friday afternoon.

  54. 54.

    Schlemizel

    December 11, 2012 at 7:22 pm

    @liberal:

    Ah, so you understand security also! Fantastic!

    Yes you need both the policy & the tool. The person who allowed this to happen should stand in front of the person who keep that data unencrypted & left in a car when they shoot so they don’t have to waste a second bullet on the morons

  55. 55.

    pluege

    December 11, 2012 at 7:24 pm

    privacy is for losers. Just ask any wingnut, especially the cretin 5 on SCOTUS.

  56. 56.

    lol

    December 11, 2012 at 9:05 pm

    I don’t know why I assumed GuardianEdge was standard for all federal laptops.

  57. 57.

    J R in WVa

    December 12, 2012 at 5:05 am

    Real RDBMS backups are useless to data thieves because you need substantially the same DB to load them, anmd even having loaded them, you then need DB security to access the data, and about a year of support to understand what you got.

    I had a senior manager once send an email to a federal employee with a live internet link to one of our pages in it. Said ignorant federal employee asked dumb senior manager if that was a security threat. Dumb senior manager forwarded question to me, without the original email containing link to public web page.

    I said “Send me a copy of the email and I’ll let you know.” because it was rude to tell senior manager that this was the dumbest thing I ever heard of. Time passes, days. Then I get an envelope with threats on the outside about the dire consequences of anyone but the addressee (me) opens it.

    Inside is a print-out of the email, where obviously I can evaluate the security threat of the ink?!?!

    NOT!!!

    The senior manager was gradually eased further and further from any real responsibilty and then went away, but sadly, she was not an isolated case.

    Wildly stupid, just like putting HR data on a laptop then removed from secure space. It happens every day. People are SO stupid about computers, they act like it’s magic and no one can take advantage of it, when a moment’s thought (the real problem, no one thinks they’re paid enough to think) would tell anyone how dumb it is to take secrets out where anyone can steal them.

    And no one wants to pay for anything but pretty shiny things!

  58. 58.

    liberal

    December 12, 2012 at 9:52 am

    @Bokbokbok:
    My preference is to use the word “database” for “relational database.”

    If you want to call it something, call it “data” or “spreadsheet”.

  59. 59.

    liberal

    December 12, 2012 at 9:55 am

    @Schlemizel:
    Actually, my concepts of tool and policy come from safety engineering. I don’t have any formal training at all, but you can see it in wood shops, I assume. Guards over blades are “engineering” controls, instructions what to do/not do are “administrative” controls/policies.

  60. 60.

    liberal

    December 12, 2012 at 10:06 am

    @J R in WVa:

    …you then need DB security to access the data

    Not quite sure that’s true. OK, literally if you read the data into the RDBMS, you won’t have permission to look at the data, if it was set up OK, but there’s got to be easy workarounds. Just like having a BIOS password on a machine without encrypting the hard disk isn’t really enough.

  61. 61.

    liberal

    December 12, 2012 at 10:07 am

    @J R in WVa:

    And no one wants to pay for anything but pretty shiny things!

    That’s the real problem here. An additional point related to “no one cares about this/is willing to really invest resources” is that it’s a thankless job. Just like being a “good” statistician is—your job is then to tell people that the lovely results they just got are not statistically significant.

Comments are closed.

Primary Sidebar

Fundraising 2023-24

Wis*Dems Supreme Court + SD-8

Recent Comments

  • JPL on On The Road – BigJimSlade – Hiking in the Alps, Chamonix and Grindelwald 2022, Odds & Sods (Mar 24, 2023 @ 8:06am)
  • Deputinize Eurasia from the Kuriles to St Petersburg on Thank the Trickster God It’s Friday Open Thread: Waiting for the Big Reveal (Mar 24, 2023 @ 8:05am)
  • Baud on Thank the Trickster God It’s Friday Open Thread: Waiting for the Big Reveal (Mar 24, 2023 @ 8:05am)
  • RedDirtGirl on On The Road – BigJimSlade – Hiking in the Alps, Chamonix and Grindelwald 2022, Odds & Sods (Mar 24, 2023 @ 8:02am)
  • Spanky on Thank the Trickster God It’s Friday Open Thread: Waiting for the Big Reveal (Mar 24, 2023 @ 7:57am)

🎈Keep Balloon Juice Ad Free

Become a Balloon Juice Patreon
Donate with Venmo, Zelle or PayPal

Balloon Juice Posts

View by Topic
View by Author
View by Month & Year
View by Past Author

Featuring

Medium Cool
Artists in Our Midst
Authors in Our Midst
We All Need A Little Kindness
Classified Documents: A Primer
State & Local Elections Discussion

Calling All Jackals

Site Feedback
Nominate a Rotating Tag
Submit Photos to On the Road
Balloon Juice Mailing List Signup
Balloon Juice Anniversary (All Links)
Balloon Juice Anniversary (All Posts)

Twitter / Spoutible

Balloon Juice (Spoutible)
WaterGirl (Spoutible)
TaMara (Spoutible)
John Cole
DougJ (aka NYT Pitchbot)
Betty Cracker
Tom Levenson
TaMara
David Anderson
Major Major Major Major
ActualCitizensUnited

Join the Fight!

Join the Fight Signup Form
All Join the Fight Posts

Balloon Juice Events

5/14  The Apocalypse
5/20  Home Away from Home
5/29  We’re Back, Baby
7/21  Merging!

Balloon Juice for Ukraine

Donate

Site Footer

Come for the politics, stay for the snark.

  • Facebook
  • RSS
  • Twitter
  • YouTube
  • Comment Policy
  • Our Authors
  • Blogroll
  • Our Artists
  • Privacy Policy

Copyright © 2023 Dev Balloon Juice · All Rights Reserved · Powered by BizBudding Inc

Share this ArticleLike this article? Email it to a friend!

Email sent!