
Handling Corporate Laptop Theft Gracefully

Zonk posted more than 8 years ago | from the it-hurts dept.

197

Billosaur writes "From NPR, we get a Marketplace story about the theft of corporate laptops and the sensitive data they may contain, specifically how to handle the repercussions. From the story: 'TriWest operates in about 21 states. It's based in Phoenix, Arizona. In December of 2002, somebody broke into the company's offices and stole two computer hard drives. And those hard drives contained the personal information of 550,000 of our customers from privates in the military all the way up to the chairman of the Joint Chiefs of Staff.' How they handled the situation earned them an award from the Public Relations Society of America."


Encrypt the disks. (4, Informative)

base3 (539820) | more than 8 years ago | (#15320202)

Then there's no data loss, and thus no ethical or legal obligation to tell anyone, and thus no need to handle getting caught with your pants down gracefully.

Re:Encrypt the disks. (1)

shawn(at)fsu (447153) | more than 8 years ago | (#15320223)

I didn't think any encryption was perfect. So what happens if they do encrypt the disk and the drive gets stolen. If they don't report it and the encryption is broken what recourse do those people with compromised information/identities have?

Re:Encrypt the disks. (3, Interesting)

winkydink (650484) | more than 8 years ago | (#15320388)

It's not perfect. Nothing is perfect. How close to perfect do you have to get to be good enough?

Re:Encrypt the disks. (1)

krakelohm (830589) | more than 8 years ago | (#15320942)

If it is someone else with my data... As close to perfect as possible.

Re:Encrypt the disks. (1)

hackstraw (262471) | more than 8 years ago | (#15321024)

It's not perfect. Nothing is perfect. How close to perfect do you have to get to be good enough?

Keeping all of the files on a networked filesystem via an encrypted channel that is backed up, redundant and secure.

Who in their right mind keeps important files on a laptop? Especially if those files are valuable to those outside of the organization that owns the laptop.

Insightful? Interesting? (0)

Anonymous Coward | more than 8 years ago | (#15321100)

In your rush to say something trite, I think you missed the grandparent's point.

Encrypting the disks may be 'good enough' to protect the company from liability for the lost data (assuming the company was not negligent in other regards). However, since encryption is not perfect, customers should still be informed of the loss, because the company will not be able to say with certainty that the data was not accessed.

Re:Encrypt the disks. (0)

Anonymous Coward | more than 8 years ago | (#15320514)

Good point. It doesn't even matter whether or not the encryption is perfect. The password is the weak point and typically the password is set by a user who tapes it to the bottom of his laptop or uses easily cracked passwords.

If the information is stolen, it should always be reported to customers. If the company wants to save face, they can simply say, "Because we take security seriously, the disk was encrypted, so it is unlikely your data was actually accessed." Customers know, company saves some face. Problem solved.

Re:Encrypt the disks. (1)

swillden (191260) | more than 8 years ago | (#15320629)

I didn't think any encryption was perfect.

Well, not unless the key is as long as the data. If it is, then you can prove that the encryption is perfect.

In practice, though, the imperfect crypto that we have is damned good, and if you do encrypt your disks with something decent you can quite safely assume that no one who grabs the disks can read the data, as long as they don't have the resources of a major world government available to them (and maybe even if they do). If you're worried about whether the NSA can read your data, you'd better not be leaving disks around where they can be stolen.
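
The claim in the comment above, that a key as long as the data gives provably perfect encryption, can be checked by brute force on a tiny message. This is an added example, not part of the original thread; the 2-byte messages, the sample ciphertext and the function names are constructed for the illustration.

```python
"""Brute-force check of perfect secrecy for a key as long as the data."""
from collections import Counter
from itertools import product


def ciphertext_distribution(plaintext: bytes, key_len: int) -> Counter:
    """Encrypt `plaintext` under every key of `key_len` bytes; count results.

    The key is repeated to cover the data, so key_len == len(plaintext)
    is a one-time pad and anything shorter is a reused (repeating) key.
    """
    if key_len < 1:
        raise ValueError("key_len must be at least 1")
    counts = Counter()
    for key in product(range(256), repeat=key_len):
        stream = (bytes(key) * len(plaintext))[: len(plaintext)]
        counts[bytes(p ^ s for p, s in zip(plaintext, stream))] += 1
    return counts


def leaks_nothing(p1: bytes, p2: bytes, key_len: int) -> bool:
    """True if both messages give the identical ciphertext distribution,
    i.e. a ciphertext is no evidence for one message over the other."""
    return ciphertext_distribution(p1, key_len) == ciphertext_distribution(p2, key_len)


def key_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """The full-length key under which `ciphertext` decrypts to `candidate`."""
    if len(ciphertext) != len(candidate):
        raise ValueError("candidate must be as long as the ciphertext")
    return bytes(c ^ m for c, m in zip(ciphertext, candidate))


if __name__ == "__main__":
    a, b = b"OK", b"NO"  # constructed 2-byte messages
    print("full-length key leaks nothing:", leaks_nothing(a, b, key_len=2))
    print("1-byte repeated key leaks nothing:", leaks_nothing(a, b, key_len=1))
    stolen = bytes([0x13, 0x37])  # constructed ciphertext
    for guess in (a, b):
        print(guess, "is explained by key", key_explaining(stolen, guess).hex())
```

With the 1-byte repeated key, the XOR of the two ciphertext bytes equals the XOR of the two plaintext bytes, so the ciphertext alone tells the two messages apart; the proof only holds for a random key that is as long as the data and never reused.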

Re:Encrypt the disks. (2, Interesting)

vertinox (846076) | more than 8 years ago | (#15320695)

If they don't report it and the encryption is broken what recourse do those people with compromised information/identities have?

A laptop thief isn't going to spend 3 months and 10,000 distributed computers to crack your laptop. Well... Maybe... If he thinks it was really critical, but chances are he might just format the drive and sell it at a pawn shop.

Re:Encrypt the disks. (1)

Kadin2048 (468275) | more than 8 years ago | (#15321321)

chances are he might just format the drive and sell it at a pawn shop.

In many cases true, but if you had sensitive (we're talking geopolitically sensitive, not credit-card and Social Security numbers sensitive) then such an assumption might be unwarranted and a very bad idea. Certainly it's not a chance that I want people taking if I was in a position of responsibility.

Re:Encrypt the disks. (1)

HUADPE (903765) | more than 8 years ago | (#15321353)

The laptop in question contained data on the US military, including senior officers (Joint Chiefs of Staff et al.). A random thief wouldn't bother cracking it. Iran would.

Re:Encrypt the disks. (1)

mopslik (688435) | more than 8 years ago | (#15320745)

I didn't think any encryption was perfect. So what happens if they do encrypt the disk and the drive gets stolen.

Let me get this straight. There are two scenarios: leaving the disk unencrypted, and encrypting it. Under scenario 1, if the laptop is stolen, the thieves have free access to all the info on the hard drive. Under scenario 2, the thieves have potential access to all of the info on the hard drive, but only if they break the encryption.

Are you arguing that scenario 2 is no better than scenario 1?

If they don't report it and the encryption is broken what recourse do those people with compromised information/identities have?

I'd say that has more to do with the company's actions (not reporting the theft) than the encryption itself. Under scenario 2, the company should still be liable, but they can come back and say "hey, at least we tried to put some basic security measures in place."

Re:Encrypt the disks. (4, Insightful)

shawn(at)fsu (447153) | more than 8 years ago | (#15320869)

I think you missed a 3rd scenario.

Do not store sensitive data on a laptop.

Re:Encrypt the disks. (2, Insightful)

sgent (874402) | more than 8 years ago | (#15321197)

Not an option.

I don't know what world you live in, but people need access to sensitive data on their laptops -- especially if they are in an area that doesn't have internet / communications availability.

You can take precautions such as encrypting the disk -- but many people can't do their jobs without access to that information.

Before computers, people often put files in their cars, or carried pen / pencil notebooks. The requirements to have that information available away from the office haven't changed.

Re:Encrypt the disks. OR don't use laptops (1)

cinnamoninja (958754) | more than 8 years ago | (#15320251)

Sure, encryption would help.

But, first I have to ask: why on earth is this data on a laptop?

I mean, really! This is health-care data for top military officials! Who needs to take that data on the road with them? Encrypt, stick it in a secure database, on a server in some closet in HQ. At least make it take effort to get at, no?

Re:Encrypt the disks. OR don't use laptops (1)

OnlineAlias (828288) | more than 8 years ago | (#15320562)

The drives in Tri-West's case were inside a locked building, not on a laptop.

Re:Encrypt the disks. (2, Interesting)

MandoSKippy (708601) | more than 8 years ago | (#15320256)

While California's SB1386 specifically mentioned encryption as a reason for not having to disclose to customers under that law, other laws do not. Specifically Wisconsin Act 138 does not mention encryption as a way to preclude disclosure. Basically Wisconsin's law states if someone unauthorized has a client's data, you must tell the client about it. Now, of course I am not a lawyer, nor do I play one on TV, but I know this is a new law (March 16th, 2006) and have any Jurisprudence clarifying this. On the flip side, encrypting the data sure makes the disclosure a lot less painful. I.e. Yes, we had laptops stolen, but all the data was encrypted per our policy and the likelihood of your data being improperly used is extremely low. I am currently researching a workstation encryption project, so if anyone (a lawyer perhaps?) has any insight into this stuff, I'd be happy to hear it from the expert.

Re:Encrypt the disks. (1)

Skjellifetti (561341) | more than 8 years ago | (#15320791)

Specifically Wisconsin Act 138 does not mention encryption as a way to preclude disclosure. Basically Wisconsin's law states if someone unauthorized has a client's data, you must tell the client about it.

If the data is on an encrypted disk, does the thief really have the data if they steal the encrypted disk?

Re:Encrypt the disks. (5, Insightful)

hazem (472289) | more than 8 years ago | (#15320842)

If the data is on an encrypted disk, does the thief really have the data if they steal the encrypted disk?

Yes. Because the thief may be able to decrypt the data because they also copied down the password/key that was on a post-it note hidden under the keyboard of the computer. Or they might exploit a flaw in the encryption. Or they manage to socially-engineer access to the key needed to decrypt the data. Or they might have installed a key-logger to get the key and then came back a week later to get the drives too.

Re:Encrypt the disks. (0)

Anonymous Coward | more than 8 years ago | (#15320258)

If you encrypt all your disks ... you must have extra CPU cycles to burn.

Re:Encrypt the disks. (1)

MandoSKippy (708601) | more than 8 years ago | (#15320303)

Research Whole Disk Encryption. It's actually not that bad on performance (I am running it right now)

Re:Encrypt the disks. (0)

Anonymous Coward | more than 8 years ago | (#15320754)

Done [google.com]

Re:Encrypt the disks. (1)

Dare nMc (468959) | more than 8 years ago | (#15321202)

> Research Whole Disk Encryption.
Doesn't seem like that would be a solution for the server drives stolen for this article.
You either have to key in a password on any power-up, or have some device authorizing on boot. Guess if you're running multiple distant site redundancy you could have it retrieve the password across the network somehow, so its authentication could be pulled if you lost just one server...

For valuable data, it seems like physical security of something that does the unlocking will need to occur no matter what. Be it multiple people, or multiple computers... because encrypting the data on the server is going to either have the unlock passwords hard coded somewhere, or have everyone who accesses the data having memorized passwords that essentially unlock the server's data.

Re:Encrypt the disks. (0)

Anonymous Coward | more than 8 years ago | (#15320400)

First of all, yes, people have extra CPU cycles to burn. Second, encryption would put the CPU cycles to good use. It's a worthy price to pay for securing the data. Third, dedicated encryption coprocessors could greatly increase the throughput and lower the power consumption necessary for on the fly encryption and decryption of harddisks. Demand needs to be made heard for the supply to grow.

OT: Moderation (1, Insightful)

mizhi (186984) | more than 8 years ago | (#15320315)

This post is currently moderated as "Flamebait"

WTH are /. moderators smoking?

Re:OT: Moderation (1)

MandoSKippy (708601) | more than 8 years ago | (#15320330)

Agreed. The post is not 100% correct but is not flamebait.

Re:OT: Moderation (0, Offtopic)

Threni (635302) | more than 8 years ago | (#15320498)

Perhaps you can't read the OP's sigfile?

Re:OT: Moderation (1)

mizhi (186984) | more than 8 years ago | (#15320588)

Or perhaps his sig is not relevant to the discussion, which is what moderators should be looking at?

At worst, his sig is tactless.

Re:Encrypt the disks. (0)

Anonymous Coward | more than 8 years ago | (#15320338)

Why is the parent comment flamebait? Properly encrypted data can be stolen or copied without causing harm because without the key the thief only gets useless garbage. Properly encrypted data can not be tampered with in a meaningful way. Encryption really is the solution to data leak and authenticity problems through laptop thefts and manipulations. Regardless of the legal obligations after a laptop theft, encrypting sensitive data is the right thing to do.

And it's a good idea for desktops and private citizens too: What if the harddisk with your personal data (you know, the pictures nobody but you and your spouse is supposed to see) fails catastrophically and you need to have it replaced? Are you going to send it to the manufacturer with all your data on the platters? If you had encrypted that data, there wouldn't be a problem with returning it for a refund or having it replaced.

Re:Encrypt the disks. (1)

nsciphysics (920974) | more than 8 years ago | (#15320923)

Recall the trick used in Neal Stephenson's Cryptonomicon: Wrap several coils of wire around the doors and windows, and during the evening run several amps through them. Anybody stealing a hard drive will be left with a paperweight. Just remember to turn it off during the daytime ;)

Handling Corporate Laptop Theft Gracefully (5, Funny)

suso (153703) | more than 8 years ago | (#15320206)


Tip 1: When you make your get away, float above the carpet like a feather caught in the wind.
Tip 2: If you encounter security or other obstacles, aim for the biscuits.
Tip 3: Make sure you check the laptop for any homing devices that will help them track you down.
Tip 4: The password is usually the username with 123 at the end or their children's ages.
Tip 5: Get the evidence out of your hands as quickly as possible to beat the feds.
Tip 6: Relax and enjoy reading the next day's headlines on Slashdot about stolen private information.

Re:Handling Corporate Laptop Theft Gracefully (1)

Not_Wiggins (686627) | more than 8 years ago | (#15321111)

and of course...

Tip 7: Profit!

Worst. Article. Ever. (-1, Offtopic)

Whiney Mac Fanboy (963289) | more than 8 years ago | (#15320209)

Please, never link to a transcript of (what I hope was a podcast, because it wasn't good enough for radio) again. I didn't (couldn't) read the linked article, so I'm just going to comment on the summary.

Data that sensitive in those sort of quantities should be encrypted. Triwest as a health care provider should know that.

It's unclear how the story & the headline relate (as the headline is laptops, and the story appears to be about hard drives), but laptops should not have sensitive data in the clear on them. Either access it through a secure VPN or (if net access is unavailable), keep it on truecrypt or similar.

Sure, data theft is still possible, but taking a few simple precautions will stop cheap hardware theft ballooning into a PR/security nightmare.

You should be thankful. (1)

khasim (1285) | more than 8 years ago | (#15320309)

I didn't (couldn't) read the linked article, so I'm just going to comment on the summary.
I was not so fortunate and read comments such as this:
"When the information theft occurred against my company, we discovered that existing state and federal laws protecting consumers from identity theft had been surpassed by the individuals perpetrating the crimes, so I made 'identity theft' my fight," said McIntyre.
Okay, I believe that "When the information theft occurred against my company" can be translated into "When the data was stolen".

I don't have any idea what "existing state and federal laws protecting consumers from identity theft had been surpassed by the individuals perpetrating the crimes" means.

But it seems that "so I made 'identity theft' my fight," means "I pushed for changes in the laws".

Sooooo..... "When the data was stolen ...something... I pushed for changes in the laws".

And the FA says nothing about changes to their policy of storing personal information in an un-encrypted format. But now we have some more laws. And laws will stop people from "stealing" identities. Yes. Right.

Re:You should be thankful. (1)

gEvil (beta) (945888) | more than 8 years ago | (#15320443)

Sooooo..... "When the data was stolen ...something... I pushed for changes in the laws"

'something' = 'and I learned state and federal identity theft laws were a joke'

Re:You should be thankful. (1)

operagost (62405) | more than 8 years ago | (#15320466)

Meanwhile, thousands of sysadmins use auditing procedures and technology to secure their data BEFORE it gets stolen, and they don't get any awards.

Aack! Just buy a Mac already! (0)

Anonymous Coward | more than 8 years ago | (#15320364)

Macs (including laptops) come with Filevault built in. If the laptop is stolen, all the data in that user's folder is useless without the password. It is dirt simple to turn on, seamless, highly secure and barely noticeable when it is working.

Re:Aack! Just buy a Mac already! (2, Informative)

wyip (914072) | more than 8 years ago | (#15320677)

Windows 2000 and XP Pro are able to encrypt files and folders out of the box. You could just encrypt your profile in 'Documents and Settings' for essentially the same effect as Filevault on Mac. Set up the Administrator account as a Data Recovery Agent for the same effect as the File Vault master password. This is what we're doing for the Windows users in our department who won't or can't switch to Mac. (We're actually using this as a temporary solution while we look at PGP)

Re:Worst. Article. Ever. (4, Informative)

ZombieRoboNinja (905329) | more than 8 years ago | (#15320421)

FYI, this story was a followup to a longer story about laptop and identity theft. The original story did indeed focus a lot on data encryption.

From the original article:
"This is Jonathan Zittrain, a co-founder of the Berkman Center for Internet and Society at Harvard Law School. He says he's not surprised that all of this information is walking around on portable computers. People want to be productive on the run, he says. But he says there are pretty sure-fire ways to protect sensitive information. Like, encrypting it, or leaving the data on the main server and remotely tunneling through the Internet to work with it."

Way to declare this the "worst article ever" in the same post you brazenly declare you didn't read it, by the way. A bold move, even by Slashdot standards.

Re:Worst. Article. Ever. (1)

coaxeus (911103) | more than 8 years ago | (#15320666)

Yeah, trying to read tfa (or whatever it is) was one of the more difficult things I've tried to do recently. I could have listened to the STREAMING AUDIO, but that shit is annoying.

Wrong, wrong, wrong... (0, Offtopic)

WebfishUK (249858) | more than 8 years ago | (#15320212)

I think we all know that the real question here is, in a straight, clean fight, who wins, Airwolf [imdb.com] or Bluethunder [imdb.com]? Now I know what you're thinking? What chance does straight to video star Jan-Michael Vincent have against HAL chess playing, shark killing, SeaQuest DSV commanding Roy Scheider? Well to you I say, don't forget that Airwolf co-pilot was none other than Poseidon surviving, Gattaca acting, SpongeBob SquarePants Mermaid Man (I shit you not [imdb.com] ) Ernest Borgnine. Yeah people. Not so easy now is it?

Re:Wrong, wrong, wrong... (1)

iogan (943605) | more than 8 years ago | (#15320275)

maybe a little OT, but Airwolf, hands down.

Re:Wrong, wrong, wrong... (0, Troll)

OctoberSky (888619) | more than 8 years ago | (#15320322)

I have read your reply 4 times and still have no idea what this has to do with the topic at hand.

Mr. Webfish, what you've just said is one of the most insanely idiotic things I have ever heard. At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having listened to it. I award you no points, and may God have mercy on your soul.

Re:Wrong, wrong, wrong... (0)

Anonymous Coward | more than 8 years ago | (#15320349)

AirWolf. Their copter looked cooler.

Re:Wrong, wrong, wrong... (1)

gaijincory (605955) | more than 8 years ago | (#15320387)

Bluethunder, if only for Malcolm McDowell. Feed the trolls.

Re:Wrong, wrong, wrong... (4, Funny)

zakezuke (229119) | more than 8 years ago | (#15320591)

I think we all know that the real question here is, in a straight, clean fight, who wins, Airwolf or Bluethunder?.

Remember kids

Red Dawn + Bluethunder = Purple Rain

Blame Teh Terrerists (0)

Anonymous Coward | more than 8 years ago | (#15320231)

Just claim that Osama himself came out of the sewer pipes and swiped your computer. Then demand that the government do something to protect the helpless citizens. That should earn you some brownie points from the government at least, and if they say you're right, anyone who argues might just find themselves taking a nice long vacation to Cuba.

Handling Secure Data Loss Gracefully (2, Interesting)

digitaldc (879047) | more than 8 years ago | (#15320267)

Resign with thank you cards, smiles all around and a wonderfully inspiring anecdote about how much you had accomplished in your career up until that day.

Re:Handling Secure Data Loss Gracefully (0)

Anonymous Coward | more than 8 years ago | (#15320528)

Handled Pretty Well (3, Interesting)

Wannabe Code Monkey (638617) | more than 8 years ago | (#15320279)

I actually listened to this story last night on the way home (or the day before, can't remember). Anyway, at first I was shocked when I heard the intro, they lost all this sensitive data, did some stuff and then won a PR award. If the actions they took were so great shouldn't they have won some sort of privacy award. Winning a public relations award makes it sound like you did a great job covering it up. But actually listening to the story I found that they really did handle it in a great way for their customers.

Whole Disk Encryption vs. File/Directory (2, Interesting)

MandoSKippy (708601) | more than 8 years ago | (#15320286)

So I am researching encryption for this very reason (laptop encryption) anyone have any links or insights into why anyone would choose file/directory encryption? I am heavily leaning towards whole disk, mainly because how can you be sure you get everything. (i.e. temp files, pagefiles, hibernation files) I have seen some items regarding "intelligent encryption" but I just can't see how any program can "know" what to encrypt and what not to without tons of administrative overhead. That's why I like whole disk. Just do it all. Any thoughts?

Don't know the windows side.. (1)

Junta (36770) | more than 8 years ago | (#15320457)

But for individual workstations/laptops with single users where there is no protection of the data from multiple users, whole disk works well (except for /boot with the kernel and an initrd with dm-crypt tools). I have / and swap encrypted and don't have to worry about theft much with respect to private data.

Individual directory/file encryption is important for multi-user workstations/servers, where you have to worry about other users getting the files when owner is not logged in. encfs and the like provide some additional protection against this, but not much meaningful. It can protect the contents of data on a fileserver from even the administrator though, as I have seen encfs used to translate data from an nfs server to a local workstation mountpoint... I believe the built in windows file encryption mechanism has similar benefit from shared fileservers.

Re:Whole Disk Encryption vs. File/Directory (3, Informative)

Foolicious (895952) | more than 8 years ago | (#15320538)

Generally, disk encryption is great if a machine is stolen; however, it doesn't offer you any benefits should the machine be compromised following login of the encryption product (generally at boot). Some products have timeout modes kind of like a screensaver where it forces a login to the encryption package following a period of inactivity, but basically disk encryption isn't a safe bet for complete safety. For instance, it can do nothing if someone remotes in to the machine or a "rogue" employee accesses the machine after login. This is where content encryption offers benefits. Disk encryption alone is just a hassle for the user (in terms of an extra password to remember) in order to placate suits who want the company's rear end covered, but don't want to spend the money and resources (which can be substantial) on a complete package that would handle both disk and content encryption. Just my 2 cents.

Re:Whole Disk Encryption vs. File/Directory (1)

dgatwood (11270) | more than 8 years ago | (#15321242)

My Mac OS X laptop is set to require a password to wake it from screen saver or sleep. I make it a point to never leave it without sliding the cursor to a hot corner to start the screen saver (or sleep it if it isn't doing anything in the background and I'm not coming right back). That coupled with disk encryption would be a pretty hard thing to defeat.

Short of that, storing important information on encrypted disk images goes a long way towards solving the problem, though.

Re:Whole Disk Encryption vs. File/Directory (1)

lukas84 (912874) | more than 8 years ago | (#15320828)

EFS [microsoft.com] is your Friend and can be configured by group policies.

Quite impressive... (3, Funny)

GillBates0 (664202) | more than 8 years ago | (#15320290)

How they handled the situation earned them an award from the Public Relations Society of America.

You mean they handled the situation (and the laptop) with a single three-fingered hand [publicradio.org] ? That is quite impressive.

Creepy though.

Marketplace != NPR (2, Informative)

Palshife (60519) | more than 8 years ago | (#15320359)

ARGH. This is the second time this has been done. NPR does not produce or distribute Marketplace. NPR has nothing to do with Marketplace. It's produced by American Public Media. Please get it right. You're even LINKING TO APM!

Re:Marketplace != NPR (0)

Anonymous Coward | more than 8 years ago | (#15320541)

Seriously though, what else does this mean than MPR is taking over largeish swaths of NPR programming every so often?

Re:Marketplace != NPR (1)

MonaLisa (190059) | more than 8 years ago | (#15320548)

I second this. NPR does not do EVERYTHING that happens on public radio.

Re:Marketplace != NPR (1)

Billosaur (927319) | more than 8 years ago | (#15320988)

NPR does not do EVERYTHING that happens on public radio.

Perhaps not the worst faux pas I have ever made, but certainly an honest mistake. I am fully aware that NPR does not produce Marketplace, but NPR does carry the show, and I should have indicated it that way, or mentioned American Public Media. Guess I have to turn in my Guy Noir trenchcoat now.

Re:Marketplace != NPR (1)

NutscrapeSucks (446616) | more than 8 years ago | (#15320691)

At least around here, the announcers tend to say things like "You are listening to National Public Radio [Callsign]. Up next is Marketplace." It is an understandable mistake.

Re:Marketplace != NPR (0)

Anonymous Coward | more than 8 years ago | (#15321301)

Typically NPR News Programming will be scheduled adjacent to Marketplace and the "You are listening to National Public Radio" is the end of a National Public Radio program -- the closing credit. The call sign and "Up next, Marketplace" are done by the local public radio station.
Being anal about this is reserved for when it is propagated by a news outlet of which Slashdot is one. It's similar enough to the Linux v/s GNU/Linux thing except that fewer people know or care to argue or point it out.

Re:Marketplace != NPR (1)

Moofie (22272) | more than 8 years ago | (#15320768)

You get upset when people say "LEGOs", don't you?

Re:Marketplace != NPR (1)

Palshife (60519) | more than 8 years ago | (#15320938)

I don't get it.

Re:Marketplace != NPR (1)

Moofie (22272) | more than 8 years ago | (#15321037)

Don't worry about it. Everybody else will.

Re:Marketplace != NPR (1)

Palshife (60519) | more than 8 years ago | (#15321179)

Okay...

Re:Marketplace != NPR (1)

shaka999 (335100) | more than 8 years ago | (#15321239)

Can you hand me a kleenex?

Re:Marketplace != NPR (1)

Moofie (22272) | more than 8 years ago | (#15321325)

They're on the xerox machine.

Explosives (4, Funny)

Infernal Device (865066) | more than 8 years ago | (#15320365)

All laptops with sensitive information should be equipped with a remote detonation device and 10 grams of C4.

Not to stop the criminals.

For the entertainment value ...

Re:Explosives (1)

MadTinfoilHatter (940931) | more than 8 years ago | (#15320490)

...more specifically the entertainment value of being tazered, when you get caught trying to board a flight with it. ;-)

Re:Explosives (1)

morgan_greywolf (835522) | more than 8 years ago | (#15320807)

...more specifically the entertainment value of being tazered, when you get caught trying to board a flight with it. ;-)

Actually, believe it or not, as scary as this sounds, it's more like if, not when.

Sure, the TSA has sensors that can check for certain high-order explosives (including RDX, aka cyclonite, the main explosive ingredient of Composition C4) but it's not whether or not the sensors detect it, it's whether or not the TSA employees bother to check.

My wife once worked as an undercover security employee -- her job was to smuggle anything through airport security, including drugs, weapons, explosives, etc. If she made it through, the screening employees got written up. And you know what? More often than not, she got the stuff through.

Re:Explosives (1)

duffstone (946343) | more than 8 years ago | (#15321056)

Haha, my first thought was what a kewl freak'n job to have. Then it occurred to me that they've shut down decent sized airports for toy guns and white dust let alone C4 or any other type of contraband. Imagine being an undercover agent testing the system and bringing DIA to a halt... That would suck hard core... haha... But I can see it happening easily enough. :-)

Re:Explosives (0)

Anonymous Coward | more than 8 years ago | (#15320636)


All laptops with sensitive information should be equipped with a remote detonation device and 10 grams of C4.

Not to stop the criminals.

For the entertainment value ...


You laugh. But since the cops won't do much, and the insurance won't pay for any losses beyond possibly replacing the laptop (big deal) you're not the only one to have thought of it.

After having some twits break into my car to steal a cheap stereo - it might be worth $10 on the street - I have thought of buying another one and packing it with Estes rocket engines on an electronic delay timers to go off about 60 seconds after being disconnected from the battery.

Re:Explosives (1)

jintxo (698154) | more than 8 years ago | (#15320737)

Yeah just make sure your battery never goes kaput, heh.

Maybe this kind of information (0, Redundant)

iminplaya (723125) | more than 8 years ago | (#15320367)

shouldn't be stored locally on a laptop. This would include passwords, etc. Put it on the company server and work it from there. Might be kind of slow, but it seems like good insurance.

BS (0, Troll)

jafiwam (310805) | more than 8 years ago | (#15320398)

Bah, some corporate whore-org commends some member cuz they managed to pull the wool over everyone's eyes. That's like satan giving george bush a cookie.

From the PRSA website;

Chartered in 1947, PRSA's primary objectives are to advance the standards of the public relations profession and to provide members with professional development opportunities through continuing education programs, information exchange forums and research projects conducted on the national and local levels.

"You sure managed to make a positive spin on screwing the public and armed forces, good show chaps!"

So... like the retired officers club gives an award to the army for "blowed that up good", or maybe the United Tattoo Artists Association giving awards to Jesse James for pointing out his tats on TV.

Re:BS (1)

hackstraw (262471) | more than 8 years ago | (#15321062)

That's like satan giving george bush a cookie.

Bush quit eating cookies, drinking alcohol, doing cocaine, AND taking things offered by Satan when he was "born again".

Give the guy a break!

Conscientious Capitalism (4, Insightful)

Doc Ruby (173196) | more than 8 years ago | (#15320413)

Capitalists know that PR is cheaper than security. Never trust them.

Re:Conscientious Capitalism (1, Funny)

Doc Ruby (173196) | more than 8 years ago | (#15320549)

Moderation -1
    100% Troll

I guess the PR of the Year Award comes with a free subscription to AsTrollTurf Inc.

Re:Conscientious Capitalism (1)

noidentity (188756) | more than 8 years ago | (#15321260)

"Capitalists know that PR is cheaper than security. Never trust them."

And it's the public who sets the stage by valuing PR more than security. Capitalism is like a computer: it does exactly what you tell it, and you often don't realize what you're really telling it to do.

Re:Conscientious Capitalism (1)

Doc Ruby (173196) | more than 8 years ago | (#15321354)

And that's why posting sensible observations on Slashdot can be as valuable as coding securely.

bad headline (2, Insightful)

Anonymous Coward | more than 8 years ago | (#15320436)

This isn't about laptop theft, it's about how the company handled potential identity theft and loss of sensitive data. The hardware is irrelevant.

article.. (0, Troll)

Feyr (449684) | more than 8 years ago | (#15320476)

/quote
If he gets his way, even possessing the kind of information that the thieves stole from his ca, and from his company, will be a crime someday /quote

so what he's saying is that if he gets his way, all the credit bureaus, banks, insurance companies, everyone doing credit checks and your own accountant will be criminals. even his company

i'm sure that will work out JUST RIGHT.

remember kids, when you make it a crime to possess credit information, only criminals will have that data

Encryption? Priceless. (5, Interesting)

mythosaz (572040) | more than 8 years ago | (#15320480)

I work as the senior engineer for the desktop engineering department of a large west-coast healthcare organization with over 20,000 PCs.

Not only do we encrypt EVERY laptop, regardless of if we think it contains PHI; theft of desktop equipment has prompted us to encrypt EVERY desktop, regardless of if we think it may contain PHI. We also encrypt and monitor every PDA (including phones with sync).

The software: Millions of dollars.
Support: Millions of dollars.
Not being sued in California for losing PHI: Priceless.

Interesting theft (2, Interesting)

Anonymous Coward | more than 8 years ago | (#15320552)

Breaking into an office and stealing two hard drives, which contain all that data, may point to a sophisticated, targeted hit, maybe using hired pros.

Re:Interesting theft (0)

Anonymous Coward | more than 8 years ago | (#15321185)

Since personal data of high ranking military members is involved, it may have been staged as simple theft by foreign intelligence services. The fact that there is no obvious sign that any of the half million people's data have been misused makes this theory even more likely. If a foreign secret service was targeting access to a specific high ranking military person, such theft would be quite a standard scenario.

What's amazing in this story is that the company where this could happen is receiving an award.
A lawsuit that puts them out of business and the CEO into jail would seem to be more appropriate treatment.

Re:Interesting theft (0)

Anonymous Coward | more than 8 years ago | (#15321308)

A professional would have just made a backup and left physical media. That way they would never know the data was compromised.

But speculation aside, there really isn't enough data on the robbery to jump to any conclusions. For all we know the entire IT's shop area could be gone: monitors, desktops, various other devices, but only 2 of the things stolen were worth including in the article.

Corporate policies needed (5, Funny)

MarkusQ (450076) | more than 8 years ago | (#15320578)


There's very little you can do after the fact (though the C4 idea above was cute). The key is to do what somewhere I once worked did: make sure that there are effective corporate policies in place long beforehand to make sure that laptop thieves don't profit when they get their hands on sensitive information.

For example:

  • Have policies that make corrupting corporate data easy, but correcting it tedious/impossible.
  • Give different departments "ownership" of different data and encourage them to distribute it to people who need it via e-mail (hand copied from the application), screen shots, or exported spreadsheets that do not correctly propagate column names.
  • Encourage employees to edit the e-mails to produce versions of the data that they think are more accurate, and distribute them with names like "New (revised) revision of Q4 draft data dump--updated, with corrections by MQR for some of the errors introduced by BC in Q3"
  • Have data retention policies that assure that every laptop has at least twenty such interpretations of any key data on it at any time.
  • Prevent the addition of new columns to databases, and instead encourage users to reuse existing columns (Title, Address_line_2, Retirement_date, ROI_projection, Collateral_damage, NSA_contact_name etc.) that are otherwise underutilized.
  • Make test data by permuting fields (and words/digits within fields) between rows of live data. Do not clearly distinguish live data from test data, to assure that some of these will end up on laptops as well.

With a few simple precautions like these, you can be sure that the bad guys may steal the laptop, and the data, but they won't have any more idea what to do with it than you do.

--MarkusQ

Crypto! (1)

redelm (54142) | more than 8 years ago | (#15320614)

Laptops get stolen. It's a reality of life. The worst thing is to compromise customers'/others' data. This can easily be prevented by using crypto for data directories. GPG has a Windows drop-in for the clueless.

Re:Crypto! (1)

Zemplar (764598) | more than 8 years ago | (#15320815)

True, PGP Co. has a product for the Windows "clueless." But doesn't better protection start by asking yourself if the "clueless" should actually be handling or otherwise be responsible for this type of data?

Re:Crypto! (1)

redelm (54142) | more than 8 years ago | (#15321102)

Specialization! As computers get used more and more, the lusers _must_ get less and less clueful. The available knowledge has to be bolted in.

why is computer-theft still an issue? (5, Interesting)

schweini (607711) | more than 8 years ago | (#15320638)

i fail to see why computer theft is still an issue - even i implemented a relatively simple, yet, as far as i can see, 'secure enough' system for these situations:
all 'interesting' files are inside AES256 encrypted container-files which are mounted via loop-devices.
if, for some reason, a server or machine reboots, it asks the next higher server for the password it needs to decrypt itself via an encrypted network connection. if a machine is reported as stolen, the server that has the task of sending the passwords gets advised of this, and simply won't send the corresponding password anymore. the peak of this pyramid of trusted machines is an off-site server far, far away. thus, if the hierarchy is broken (e.g. by computer theft) anywhere along the way, it's a matter of seconds to render all information contained on the stolen machine completely useless.
if i came up with this, surely the admins of REALLY important data can?
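
The key-release pyramid described in the comment above, modelled as an added example that is not part of the original thread or anyone's production code. The `Machine` class, the machine names and the HMAC challenge-response step are assumptions made for illustration; the comment itself only specifies "an encrypted network connection".

```python
import hashlib
import hmac
import secrets

class Machine:
    """One node in the key-release pyramid (hypothetical model, not real tooling)."""
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.auth_key = secrets.token_bytes(32)  # sits on the clear boot disk: a thief gets it
        self.escrow = {}      # child -> (auth_key, passphrase); kept INSIDE our own container
        self.revoked = set()  # children reported stolen
        self.pending = {}     # child -> outstanding one-time challenge
        self.passphrase = None          # in RAM only while the container is open
        self.unlocked = parent is None  # assumption: the off-site root is opened by hand
        if parent is not None:
            parent.escrow[name] = (self.auth_key, secrets.token_hex(16))

    def challenge(self, child):
        self.pending[child] = secrets.token_bytes(16)
        return self.pending[child]

    def release(self, child, tag):
        nonce = self.pending.pop(child, None)
        # A locked parent cannot read its escrow, so it cannot serve its children.
        entry = self.escrow.get(child) if self.unlocked else None
        if nonce is None or entry is None or child in self.revoked:
            return None
        expected = hmac.new(entry[0], nonce, hashlib.sha256).digest()
        return entry[1] if hmac.compare_digest(expected, tag) else None

    def boot(self):  # power-on: RAM is empty, so the passphrase must come from the parent
        self.passphrase, self.unlocked = None, False
        if self.parent is None:
            return False  # the root waits for an operator
        nonce = self.parent.challenge(self.name)
        tag = hmac.new(self.auth_key, nonce, hashlib.sha256).digest()
        self.passphrase = self.parent.release(self.name, tag)
        self.unlocked = self.passphrase is not None
        return self.unlocked

def demo():
    root = Machine("offsite-root")            # constructed machine names
    office = Machine("office-server", root)
    laptop = Machine("laptop-17", office)
    before = (office.boot(), laptop.boot())   # normal reboot: both unlock
    root.revoked.add("office-server")         # office server is reported stolen
    still_open = laptop.unlocked              # a running machine keeps its key in RAM
    after = (office.boot(), laptop.boot())    # after a power cycle the subtree stays locked
    return before, still_open, after
```

In this model revocation only bites at the next boot: a machine taken while powered on and unlocked still has its container open. Revoking a mid-level server also locks out everything beneath it once those machines restart.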

Re:why is computer-theft still an issue? (0)

Anonymous Coward | more than 8 years ago | (#15320868)

No they can't and the universe may not be infinite.

Not NPR (0)

Anonymous Coward | more than 8 years ago | (#15320963)

Marketplace is distributed by American Public Media and I think it's produced by Wisconsin Public Radio (maybe a different state), but it is not a National Public Radio joint.

Hmmm (0)

Anonymous Coward | more than 8 years ago | (#15321058)

  1. Have laptop containing sensitive data stolen
  2. Lobby for legislation which thieves will not read
  3. Win award for being incompetent
  4. ???
  5. Profit!

What about external HDs? (1)

$t0mp (974550) | more than 8 years ago | (#15321097)

I am curious whether anyone else out there does what my company does. The company I work for has always been paranoid about laptop theft. To address this concern they have taken the following approach:

- All laptop users are issued an external hard drive 80-160GB that is encrypted
- The built-in laptop hard drive is partitioned into 2 parts. One part stores the OS and all program files, the second part is used for swap space (virtual memory and temp files)
- Laptop users are instructed to store *ALL* data on the external drives as well as to always secure the drive (via removing it and locking in a drawer, or carrying it with them when leaving the laptop).

The general consensus is that the primary target is the laptop. If it is lost then there is no exposure because no data is stored on it. The existence of data in temporary files is minimized by using the single partition which is constantly re-writing to itself.

Given that these external hard-drives are a lot easier to pick up and walk away with, we still feel that we are more secure. We often find the laptops unattended, but rarely, due to training, do we find an unattended hard-drive.

$t0mp 0ut

Why store data on laptop at all? (1)

HumanCarbonUnit (802508) | more than 8 years ago | (#15321124)

How about this, instead of putting data on the laptop putting it at risk of theft don't store sensitive data on the laptop at all. Use a VPN or SSH tunnel and have the laptop access a remote server to get access to the information. You can even (and should) have the VPN / SSH server on a separate server from where the data is located.

To further secure it, you can set up a static route that says all remote login traffic can't access any other machine on the network except the database server. This way if the laptop is stolen, only the laptop is stolen and the data is safe. If the login server is broken into, there aren't a lot of other places on the internal network the attacker can go to, provided of course you can detect / eliminate the threat before the attacker also gains access to the database server.

Well, that's my 2 cents on the topic: BTW: this is only theory, actual implementation would be more complex and thought out.

Re:Why store data on laptop at all? (1)

sgent (874402) | more than 8 years ago | (#15321262)

You're assuming an internet connection -- try again.

Foreign Intelligence Operation? (4, Interesting)

CodeBuster (516420) | more than 8 years ago | (#15321127)

There is one other possibility that has not been considered and that is that the break-in was organized by a foreign intelligence agency in an apparently successful operation to capture records relating to United States military personnel. If this is true then it ups the ante significantly because foreign intelligence agencies have the resources and expertise to organize these types of raids despite the best private security and especially if the operatives are willing to kill for the information. They could have infiltrated across the Mexican border, where security is sorely lacking, and gone anywhere in the US without attracting much attention. Most corporations do not employ the types of security measures that the military does and so they would probably be caught off guard by a commando style raid in the middle of the night. The night watchman doesn't get paid enough to be killed over a couple of hard drives and all he saw were men in balaclavas before he was knocked over the head with the butt of an mp5 and tied up...you get the idea. This may have been a professional job.

Laptop theft? No problemo (1, Insightful)

Anonymous Coward | more than 8 years ago | (#15321146)

I handle the possibility of laptop theft by encrypting my /home partition with dm_crypt, and backing up the laptop nightly. If the laptop is stolen, the thieves won't know my passphrase and so they can't get any personal data.

Although the loss of the physical assets would be a nuisance, the laptop itself isn't worth much (under $500) and so I'd just replace it and maybe see if my insurance will pay for it.
