Slashdot: News for Nerds

"Clear" Laptop Found, In the Same Locked Office

kdawson posted more than 5 years ago | from the never-mind dept.

Privacy 264

jafo alerts us to an SFGate story reporting that the lost "Clear" Program laptop has turned up in the same office from which it was reported missing, but not in its previous location. "A preliminary investigation shows that the information was not compromised... The computer held names, addresses and birthdates for people applying to the program, as well as driver's license, passport and green card information. But, she said, the computer contained no Social Security numbers, credit card numbers, fingerprints, facial images or other biometric information... The information was encrypted on the server, but not on the laptop, although it should have been... However, it was protected by two levels of passwords." Reader jafo adds, "Pardon me if I have little confidence that an organization that loses a sensitive laptop for 9 days is able to tell if it was compromised."

264 comments

Sorry (4, Funny)

MyLongNickName (822545) | more than 5 years ago | (#24494363)

... I borrowed it for the weekend to play WoW.

Re:Sorry (4, Funny)

Loibisch (964797) | more than 5 years ago | (#24494371)

I'm amazed...how did you get through the two levels of passwords? You must be one hell of a master hacker!

Re:Sorry (3, Funny)

hansraj (458504) | more than 5 years ago | (#24494423)

Jeez man, didn't you learn anything from all those Hollywood documentaries? Out of the bazillion possibilities, the password is always set to be the one that happens to be your second guess (third if there is a bomb ticking and you need the password to diffuse the bomb).

Re:Sorry (1)

Anonymous Coward | more than 5 years ago | (#24494523)

I only remember a particular scene from Swordfish and man, being a hacker sure pays off! I wouldn't have given a shit about the password as long as "the action" had continued. :P

posting anonymously because...hi hon!

Re:Sorry (5, Informative)

$RANDOMLUSER (804576) | more than 5 years ago | (#24494555)

Trust me, if the bomb diffuses, things just got WAY worse.

Re:Sorry (1)

almitchell (1237520) | more than 5 years ago | (#24495385)

Yes, because then that means it's down to a fistfight between you and the Bad Guy.

Re:Sorry (4, Informative)

hansraj (458504) | more than 5 years ago | (#24495567)

Your (mysterious) reply prompted me to go to the far corners of the internet to learn that the proper word is "defuse". Words spoken like a true zen master - you don't get a clue unless you are already enlightened.

Thank you.

Re:Sorry (1)

Firehed (942385) | more than 5 years ago | (#24495471)

True, but I've yet to come across the hot chick that'll give me a blowjob while I attempt to crack the password :(

Re:Sorry (4, Funny)

MyLongNickName (822545) | more than 5 years ago | (#24494451)

Oh, that's easy. You see, we tape the passwords to the bottom of the PC. Those of us who work there know this, but no outside hacker would ever think to look there.

Plus the first password is 12345 and the second is ABCDEFG. Half the time, I don't even have to look at the sticky note.

Re:Sorry (3, Funny)

dascritch (808772) | more than 5 years ago | (#24494961)

Yep, first password was "AlQaeda", but no way to remember the exact orthography of these f**ing ba**ard hem.

The second was "bomb".

Re:Sorry (2, Funny)

Lumpy (12016) | more than 5 years ago | (#24494567)

simple...

he's a level 3 hacker.

Re:Sorry (1)

Loibisch (964797) | more than 5 years ago | (#24494661)

Level 3 hacker beats two level password...makes sense. :)

Re:Sorry (4, Funny)

JWSmythe (446288) | more than 5 years ago | (#24495213)

Only if you roll less than a 20 on 2d10.

God, I can't believe I remember crap like that from 20 years ago. :)

Re:Sorry (1)

El_Muerte_TDS (592157) | more than 5 years ago | (#24494663)

It was easy. The first password was the same as my luggage. And the second one was the same as the first.

Re:Sorry (1)

PopeRatzo (965947) | more than 5 years ago | (#24494773)

I'm amazed...how did you get through the two levels of passwords?

Easy. Both of them were "password".

Re:Sorry (1)

Dan541 (1032000) | more than 5 years ago | (#24495139)

Failing that, check the post-it note on the underside.

ob Eddie Izzard (2, Funny)

Drathos (1092) | more than 5 years ago | (#24495217)

Breaking into the Pentagon computer..

Double click on 'Yes.'

Oh. Password protected. Twenty billion possible chances..

Er..

Jeff.

Hey!

Re:Sorry (1)

zimtmaxl (667919) | more than 5 years ago | (#24495499)

there is a post-it attached to the screen, of course!

Sorry, No English.. (1)

PC and Sony Fanboy (1248258) | more than 5 years ago | (#24494405)

I cleaned and moved senior sm-eee-ths office aftah his lady friend has leff, she musta mov-ed the baby compuuutah.

On a more serious note, isn't this just another way of the company saying "Oh wait, haha, we didn't lose anything JUST a big mis-understanding, you can keep giving us more money..."

n00b (-1, Offtopic)

MyLongNickName (822545) | more than 5 years ago | (#24494407)

Next time yell "Fr!st Post".

damn n00bs.

Re:n00b (-1, Flamebait)

MyLongNickName (822545) | more than 5 years ago | (#24494695)

Yes! Got down modded for flaming myself ;)

Two Levels of Passwords? (5, Funny)

something_wicked_thi (918168) | more than 5 years ago | (#24494373)

Those are, like, needed to remove the hard drive, right?

Re:Two Levels of Passwords? (5, Funny)

amazeofdeath (1102843) | more than 5 years ago | (#24494399)

Yes, the screws on the bottom of the laptop will ask you the boot and Windows passwords before they'll open.

Re:Two Levels of Passwords? (0)

Anonymous Coward | more than 5 years ago | (#24494619)

Yes, the screws on the bottom of the laptop will ask you the boot and Windows passwords before they'll open.

Seriously though... "Data was not encrypted but two levels of passwords..."

I can't help but think that the first was password to their Vista Enterprise and second... Well... That hopefully was at least BitLocker, perhaps more.

Re:Two Levels of Passwords? (2, Funny)

Siener (139990) | more than 5 years ago | (#24494793)

I can't help but think that the first was password to their Vista Enterprise and second... Well... That hopefully was at least BitLocker, perhaps more.

Or maybe the first one was BIOS and the second Windows.

Re:Two Levels of Passwords? (1)

JPDeckers (559434) | more than 5 years ago | (#24494957)

And with a bit of luck, the BIOS password was the same as the hard disk password, making all these "Use Ubuntu" or "Remove HDD from laptop" replies null and void, as you can simply not access/read the HDD without the correct password.

Unless of course I understood the concept of HDD password wrong, but I just googled it and it seems to work like I thought: http://www.laptoptips.ca/security/hard-disk-password/ [laptoptips.ca]

Re:Two Levels of Passwords? (1)

oodaloop (1229816) | more than 5 years ago | (#24494843)

My guess both were

admin
admin

Would anyone be the slightest bit surprised given their superior skills at security demonstrated thus far?

Re:Two Levels of Passwords? (1)

Loibisch (964797) | more than 5 years ago | (#24494703)

Yup, it's pretty much like the scene at the Bridge of Death in Monty Python's Quest for the Holy Grail.

If you don't get all the answers right, you die!

Re:Two Levels of Passwords? (4, Informative)

Siener (139990) | more than 5 years ago | (#24494819)

You don't even have to remove the HD. If the data is not encrypted you can boot from a USB key or CD and just copy the files.
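The question behind the comment above is whether a volume is encrypted at rest at all. As an added example (not part of the original thread), this check classifies a volume by well-known on-disk signatures; the volume names and header bytes are constructed samples, and `audit` is a hypothetical policy helper.

```python
"""Added example: classify a volume as encrypted or plaintext from its header."""
import struct

HEADER_BYTES = 2048  # covers the ext2/3/4 superblock magic at offset 1080


def classify_volume(header: bytes) -> str:
    """Return 'encrypted: ...', 'plaintext: ...' or 'unknown'."""
    if len(header) < HEADER_BYTES:
        raise ValueError(f"need at least {HEADER_BYTES} bytes, got {len(header)}")
    # LUKS: 6-byte magic at offset 0, then a big-endian 16-bit version.
    if header[:6] == b"LUKS\xba\xbe":
        (version,) = struct.unpack(">H", header[6:8])
        return f"encrypted: LUKS{version}"
    oem_id = header[3:11]  # OEM ID field of a FAT/NTFS-style boot sector
    if oem_id == b"-FVE-FS-":
        return "encrypted: BitLocker"
    if oem_id == b"NTFS    ":
        return "plaintext: NTFS"
    if header[82:90] == b"FAT32   ":
        return "plaintext: FAT32"
    if header[1080:1082] == b"\x53\xef":  # ext magic 0xEF53, little-endian
        return "plaintext: ext2/3/4"
    # Headerless encryption and unfamiliar filesystems both land here.
    return "unknown"


def read_header(device_path: str) -> bytes:
    """Read the first bytes of a block device or image file (needs read access)."""
    with open(device_path, "rb") as dev:
        return dev.read(HEADER_BYTES)


def audit(volumes: dict) -> list:
    """Names of volumes not proven encrypted ('unknown' fails too)."""
    return sorted(name for name, hdr in volumes.items()
                  if not classify_volume(hdr).startswith("encrypted"))


def _constructed(signature: bytes, offset: int) -> bytes:
    """Build a zero-filled sample header carrying one signature."""
    buf = bytearray(HEADER_BYTES)
    buf[offset:offset + len(signature)] = signature
    return bytes(buf)


# Constructed sample headers, not captured from any real machine.
SAMPLES = {
    "laptop-ntfs": _constructed(b"NTFS    ", 3),
    "laptop-bitlocker": _constructed(b"-FVE-FS-", 3),
    "server-luks2": _constructed(b"LUKS\xba\xbe\x00\x02", 0),
    "usb-ext4": _constructed(b"\x53\xef", 1080),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:18} {classify_volume(hdr)}")
    print("fails policy:", audit(SAMPLES))
```

A plaintext result means login and BIOS passwords are the only barrier, which is exactly the case the commenters describe.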

Re:Two Levels of Passwords? (1)

PMuse (320639) | more than 5 years ago | (#24494863)

Never mind that any thief who had the keys/access to the office to return the laptop is also rather likely to have had the passwords.

Re:Two Levels of Passwords? (5, Interesting)

flappinbooger (574405) | more than 5 years ago | (#24495561)

Yes, Yes, Inside job it was, young skywalker. You are advancing in the force, you are!

Reminds me of one time where my boss was in the field at a customer's factory. He had his "notebook" in which he writes everything down. (a paper notebook, old school, not a laptop)

He left it on a table in the break room for a couple hours and forgot about it. Later, when he remembered, it was gone.

A few hours LATER, it was back, pretty much where he left it.

Luckily it didn't have any pricing or other such things in it, but it still wasn't a good thing.

But Karma is interesting, this same customer a few months later sent us an email which happened to have a high level very confidential spreadsheet attached, accidentally. It contained the company's strategic plan for the coming months - people's salaries, names, locations, PLANT CLOSURE PLANS, savings from plant closures, all that stuff. "ummm, yes, there was a spreadsheet that you ... shouldn't have got... can you please erase that? Right now? And not look at it? Thanks!"

My point is, and I have one, encryption is fine but it is no guarantee against mistakes and/or stupidity.

unencrypted protection? (1)

spud603 (832173) | more than 5 years ago | (#24494381)

Wait, if it was not encrypted on the drive, but the device was physically compromised, how was it protected by any passwords, let alone two levels of passwords?

It wasn't (5, Insightful)

Digital_Quartz (75366) | more than 5 years ago | (#24494419)

The truth is, they have no idea if it was compromised or not. All you'd need is an Ubuntu boot CD and you could read the data straight off the drive.

Next time they should use THREE levels of passwords. ;)

Re:It wasn't (1)

Loibisch (964797) | more than 5 years ago | (#24494641)

Yeah, the additional third one being the password to an encrypted container in which the data is stored.

It was the level 45 Paladin (0)

Anonymous Coward | more than 5 years ago | (#24495097)

Oh, so we should be looking for someone with a bootable Ubuntu CD! That narrows it down! Of course, someone could have just misplaced it (to play WoW), but then to crack the passwords you do need a sword that's +9 to Ogres. On a further note ... My captcha word is "testicle" .. sick, sick world

Re:It wasn't (1)

zomper514 (235646) | more than 5 years ago | (#24495327)

As absurd as 3 passwords would be, someone would just come out with 4 later on.
Don't believe me? Perhaps you've never heard of Mach3 and/or Quattro.

no excuses (5, Insightful)

iveygman (1303733) | more than 5 years ago | (#24494383)

Even though this laptop was not actually stolen, that does not excuse the gross lapse of judgement by the people responsible. Two levels of passwords is fine, but unencrypted data still leaves potential victims vulnerable. This still raises the question of why sensitive data was on something as portable as a laptop. Oh and nevermind the fact that they managed to lose it in their own office completely kills any confidence I had in them.

I lost all confidence in Clear yesterday (5, Interesting)

oodaloop (1229816) | more than 5 years ago | (#24494393)

and none of it came back today.

liars & touts & shills, oh my (-1, Troll)

Anonymous Coward | more than 5 years ago | (#24494415)

the difference between the 'laws' of man & the processes of the creators will become crystal clear to those whose conscience/spirit have not been damaged, or completely taken, by man-made illusions. fear is the primary weapon of unprecedented evile. that, along with deception & coercion, helps most of us remain (unwittingly?) dependent on its' greed/fear/ego based hired goons' agenda. Most of yOUR dwindling resources are being squandered on the 'war', & continuation of the billionerrors stock markup FraUD/pyramid scheme. nobody ever mentions the real long term costs of those debacles in both life & the notion of prosperity, not to mention the abuse of the consciences of those of us who still have one. see you on the other side of it. the lights are coming up all over now. conspiracy theorists are being vindicated. some might choose a tin umbrella to go with their hats. the fairytail is winding down now. let your conscience be yOUR guide. you can be more helpful than you might have imagined. there are still some choices. if they do not suit you, consider the likely results of continuing to follow the corepirate nazi hypenosys story LIEn, whereas anything of relevance is replaced almost instantly with pr ?firm? scriptdead mindphuking propaganda or 'celebrity' trivia 'foam'. meanwhile; don't forget to get a little more oxygen on yOUR brain, & look up in the sky from time to time, starting early in the day. there's lots going on up there.

http://news.google.com/?ncl=1216734813&hl=en&topic=n
http://www.nytimes.com/2007/12/31/opinion/31mon1.html?em&ex=1199336400&en=c4b5414371631707&ei=5087%0A
http://www.nytimes.com/2008/05/29/world/29amnesty.html?hp
http://www.cnn.com/2008/US/06/02/nasa.global.warming.ap/index.html
http://www.cnn.com/2008/US/weather/06/05/severe.weather.ap/index.html
http://www.cnn.com/2008/US/weather/06/02/honore.preparedness/index.html
http://www.nytimes.com/2008/06/01/opinion/01dowd.html?em&ex=1212638400&en=744b7cebc86723e5&ei=5087%0A
http://www.cnn.com/2008/POLITICS/06/05/senate.iraq/index.html
http://www.nytimes.com/2008/06/17/washington/17contractor.html?hp
http://www.nytimes.com/2008/07/03/world/middleeast/03kurdistan.html?_r=1&hp&oref=slogin
http://biz.yahoo.com/ap/080708/cheney_climate.html
http://news.yahoo.com/s/politico/20080805/pl_politico/12308;_ylt=A0wNcxTPdJhILAYAVQms0NUE

is it time to get real yet? A LOT of energy is being squandered in attempts to keep US in the dark. in the end (give or take a few 1000 years), the creators will prevail (world without end, etc...), as it has always been. the process of gaining yOUR release from the current hostage situation may not be what you might think it is. butt of course, most of US don't know, or care what a precarious/fatal situation we're in. for example; the insidious attempts by the felonious corepirate nazi execrable to block the suns' light, interfering with a requirement (sunlight) for us to stay healthy/alive. it's likely not good for yOUR health/memories 'else they'd be bragging about it? we're intending for the whoreabully deceptive (they'll do ANYTHING for a bit more monIE/power) felons to give up/fail even further, in attempting to control the 'weather', as well as a # of other things/events.

http://www.google.com/search?hl=en&q=weather+manipulation&btnG=Search
http://video.google.com/videosearch?hl=en&q=video+cloud+spraying

dictator style micro management has never worked (for very long). it's an illness. tie that with life0cidal aggression & softwar gangster style bullying, & what do we have? a greed/fear/ego based recipe for disaster. meanwhile, you can help to stop the bleeding (loss of life & limb);

http://www.cnn.com/2007/POLITICS/12/28/vermont.banning.bush.ap/index.html

the bleeding must be stopped before any healing can begin. jailing a couple of corepirate nazi hired goons would send a clear message to the rest of the world from US. any truthful look at the 'scorecard' would reveal that we are a society in decline/deep doo-doo, despite all of the scriptdead pr ?firm? generated drum beating & flag waving propaganda that we are constantly bombarded with. is it time to get real yet? please consider carefully ALL of yOUR other 'options'. the creators will prevail. as it has always been.

corepirate nazi execrable costs outweigh benefits
(Score:-)mynuts won, the king is a fink)
by ourselves on everyday 24/7

as there are no benefits, just more&more death/debt & disruption. fortunately there's an 'army' of light bringers, coming yOUR way. the little ones/innocents must/will be protected. after the big flash, ALL of yOUR imaginary 'borders' may blur a bit? for each of the creators' innocents harmed in any way, there is a debt that must/will be repaid by you/us, as the perpetrators/minions of unprecedented evile, will not be available. 'vote' with (what's left in) yOUR wallet, & by your behaviors. help bring an end to unprecedented evile's manifestation through yOUR owned felonious corepirate nazi glowbull warmongering execrable. some of US should consider ourselves somewhat fortunate to be among those scheduled to survive after the big flash/implementation of the creators' wwwildly popular planet/population rescue initiative/mandate. it's right in the manual, 'world without end', etc.... as we all ?know?, change is inevitable, & denying/ignoring gravity, logic, morality, etc..., is only possible, on a temporary basis. concern about the course of events that will occur should the life0cidal execrable fail to be intervened upon is in order. 'do not be dismayed' (also from the manual). however, it's ok/recommended, to not attempt to live under/accept, fauxking nazi felon greed/fear/ego based pr ?firm? scriptdead mindphuking hypenosys.

consult with/trust in yOUR creators. providing more than enough of everything for everyone (without any distracting/spiritdead personal gain motives), whilst badtolling unprecedented evile, using an unlimited supply of newclear power, since/until forever. see you there?

"If my people, which are called by my name, shall humble themselves, and pray, and seek my face, and turn from their wicked ways; then will I hear from heaven, and will forgive their sin, and will heal their land."

meanwhile, the life0cidal philistines continue on their path of death, debt, & disruption for most of US. gov. bush denies health care for the little ones;

http://www.cnn.com/2007/POLITICS/10/03/bush.veto/index.html

whilst demanding/extorting billions to paint more targets on the bigger kids;

http://www.cnn.com/2007/POLITICS/12/12/bush.war.funding/index.html

& pretending that it isn't happening here;

http://www.timesonline.co.uk/tol/news/world/us_and_americas/article3086937.ece
all is not lost/forgotten/forgiven

(yOUR elected) president al gore (deciding not to wait for the much anticipated 'lonesome al answers yOUR questions' interview here on /.) continues to attempt to shed some light on yOUR foibles. talk about reverse polarity;

http://www.timesonline.co.uk/tol/news/environment/article3046116.ece

Re:liars & touts & shills, oh my (1)

lilomar (1072448) | more than 5 years ago | (#24494647)

I can t hold them back any more, PROfessor.
the Twins want there results on time(18:32.0am).
~%%%%%

Two Passwords? (4, Insightful)

xanadu-xtroot.com (450073) | more than 5 years ago | (#24494425)

However, it was protected by two levels of passwords.

So... what does that actually mean? I know that TFA is a media fluffed version washed for the general masses, but they could've mentioned that part at least. If one was the NT login, were the admins smart enough to disable the LM Hash? Still, booting it with a *NIX CD and blanking the SAM password for administrator is trivial. What could the second be? A BIOS password? Open it and pull the battery. Big deal.

Is there something I'm missing about this? Is there a (whopping!) two password scheme that could actually make something more secure than just booting it with something else and pulling data off?

Re:Two Passwords? (4, Insightful)

gruntled (107194) | more than 5 years ago | (#24494585)

Hmm. Standard internal investigation procedure: Wait until suspected bad actor has gone home, go into his office, remove hard drive from computer, use Ghost to create reasonably accurate copy of existing drive on another drive, replace duplicate drive in computer. Take your original drive back to your forensics lab, use your forensics software to make a forensically sound image of the original drive, lock the original drive in your safe in case a judge ever wants to see it, drill down through your forensic image at your leisure.

If you weren't especially interested in creating chain of custody documents, you'd just make a forensic image of the original drive and replace the original drive in the box. Then, absent tool marks or other evidence that the box had been opened, even a qualified forensic technician could swear under oath that there was no evidence that anybody had accessed the data on the box. And it wouldn't matter how many passwords you had on the box if it weren't encrypted...

Re:Two Passwords? (1)

mpe (36238) | more than 5 years ago | (#24494777)

If one was the NT login, were the admins smart enough to disable the LM Hash? Still, booting it with a *NIX CD and blanking the SAM password for administrator is trivial.

Makes more sense to take a copy of the disk first. Which leaves the original unaltered.

Is there something I'm missing about this? Is there a (whopping!) two password scheme that could actually make something more secure than just booting it with something else and pulling data off?
A HDD password will make things more difficult...

Re:Two Passwords? (4, Informative)

jamesh (87723) | more than 5 years ago | (#24494801)

What could the second be? A BIOS password? Open it and pull the battery. Big deal.

It could be a big deal. We do warranty and service work for HP hardware and in the past laptops have come in with BIOS passwords and we were not able to remove them. The password is actually part of the ATA protocol and so the disk is unusable without it, even in another machine. I think the only operation you can do is an ERASE. If you remove the battery then the BIOS forgets not only the BIOS password, but the disk password too.

I'm sure there are backdoors for some drives, but the customer in question in this case certainly wasn't willing to pay for us to investigate it so the data was as good as lost.

TPM, if implemented correctly, provides fairly good protection too. As does Microsoft's BitLocker.

Physical access reduces security by a whole heap, but if things are done right then it doesn't reduce it to zero.

Of course as others have mentioned, an organisation that loses laptops like that probably isn't 'doing things right'...
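Whether a drive carries the ATA-level password described in the comment above can be read from the Security section that `hdparm -I` prints. As an added example (not part of the original thread), this parser reports that state; the sample text is constructed in that layout, and `assess` is a hypothetical helper.

```python
"""Added example: report ATA security state from `hdparm -I` style output."""

FLAGS = ("supported", "enabled", "locked", "frozen")

# Constructed sample laid out like the Security section of `hdparm -I`.
SAMPLE_LOCKED = (
    "Commands/features:\n"
    "\tEnabled\tSupported:\n"
    "\t   *\tSMART feature set\n"
    "Security: \n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\t\tenabled\n"
    "\t\tlocked\n"
    "\tnot\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t\tsupported: enhanced erase\n"
    "\tSecurity level high\n"
    "\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\n"
    "Checksum: correct\n"
)
# Same constructed drive with no ATA password set.
SAMPLE_NO_PASSWORD = (SAMPLE_LOCKED
                      .replace("\t\tenabled", "\tnot\tenabled")
                      .replace("\t\tlocked", "\tnot\tlocked"))


def parse_security(hdparm_output: str) -> dict:
    """Return {'supported': bool, 'enabled': bool, 'locked': bool, 'frozen': bool}."""
    state = {}
    in_section = False
    for line in hdparm_output.splitlines():
        if not in_section:
            in_section = line.startswith("Security:")
            continue
        if not line[:1].isspace():  # next unindented heading ends the section
            break
        words = line.split()
        if not words:
            continue
        negated = words[0] == "not"
        name = (words[1] if negated and len(words) > 1 else words[0]).rstrip(":")
        if name in FLAGS:
            # Keep the first occurrence; 'supported: enhanced erase' comes later.
            state.setdefault(name, not negated)
    if not in_section:
        raise ValueError("no Security section in input")
    return state


def assess(state: dict) -> str:
    """Turn the flags into a one-line finding for an asset audit."""
    if not state.get("supported"):
        return "ATA security not supported by this drive"
    if not state.get("enabled"):
        return "no ATA password set: drive is readable in another machine"
    if state.get("locked"):
        return "ATA password set, drive locked"
    return "ATA password set, drive currently unlocked"


if __name__ == "__main__":
    for label, text in (("locked", SAMPLE_LOCKED), ("none", SAMPLE_NO_PASSWORD)):
        print(label, "->", assess(parse_security(text)))
```

An ATA password is access control enforced by the drive firmware, so it complements rather than replaces encrypting the data itself.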

Re:Two Passwords? (1)

fabs64 (657132) | more than 5 years ago | (#24495147)

They specifically said the files were not encrypted, barring encryption, physical compromise is 100% compromise, no ifs or buts.

Re:Two Passwords? (0)

Anonymous Coward | more than 5 years ago | (#24495313)

A BIOS password? Open it and pull the battery. Big deal.

AFAIK there is no easy way to temporarily remove a BIOS password and then reset the old (unknown) password. So if they got the laptop back with the original BIOS password still on it, they could sensibly assume that the BIOS protection was not bypassed.

(This does not guarantee the disk wasn't copied in another way, of course, but it's a start.)

Found it again... (3, Insightful)

Loibisch (964797) | more than 5 years ago | (#24494443)

Yeah, we...uhm...found the laptop again...really did...yeah...because claiming so leaves us protected from any coming lawsuits that might or might not be caused by any identity theft cases that could be related to (but, of course, actually are nothing at all caused by) this incident...which certainly did never happen...

And of course no one tampered with the machine...after all if WE couldn't find it, who else could have?

Friends again?

Re:Found it again... (1)

Mr. Underbridge (666784) | more than 5 years ago | (#24494687)

I was thinking the same. Seems a little suspicious, no? This thing gets lost, they catch hell, then it mysteriously appears?

Hell, there's tons of possibilities:

1) Cover-up. They know if they didn't produce this laptop they could lose the contract.

2) Inside job. Employee "borrows" the laptop to steal the data (didn't that happen to TJ Maxx recently?), then surreptitiously returns it when no one notices and lets someone find it.

3) It really was lost. Which makes one wonder, how many laptops are floating around unaccounted for? And anyway, why would you encrypt the non-portable server and leave the highly portable laptop unencrypted? Both should be encrypted, but if you had to pick one - don't you pick the laptop?!?!

Of course, the two layers of passwords is gold. Who wants to bet they were both written on a post-it note attached to the laptop?

"Clear" Laptop Found, In the Same Locked Office (5, Funny)

Dan East (318230) | more than 5 years ago | (#24494445)

That is why I prefer opaque laptops.

Compromised?? (0)

Anonymous Coward | more than 5 years ago | (#24494453)

I would assume it had been compromised if it was missing for that long, even if nothing showed up in the logs. How hard is it to make a clean copy of the drive and then do what you want with the copy? Or if they have some type of hardware encryption (one of those IBM stuff) it's still easy to get to the data.

Never keep personal information on a laptop, encrypted or otherwise. Store it on a server, or if you really need to bring it with you keep it encrypted on a USB stick that you have on your keychain and you should notice if it goes missing. Maybe keep some semi-secure (password encrypted) key-file on the laptop. I.e., to get to the data they would need to get a hold of both the laptop and the USB stick, and the password would need to be brute-forced.

How Hard Did They Look? (4, Insightful)

whisper_jeff (680366) | more than 5 years ago | (#24494473)

Lost for nine days? Found in the same office in which it was reported lost? How hard did they look for it? Talk about failing to build confidence...

Re:How Hard Did They Look? (2, Funny)

nomadic (141991) | more than 5 years ago | (#24494769)

Honestly I can't criticize, that sounds like something I would do.

No way did it just turn up (1)

netbuzz (955038) | more than 5 years ago | (#24494487)

FTA: "Beer said the airport office is always locked, so if the laptop was removed, someone would have needed a key to return it." .... That ought to at least narrow the list of dumbasses who may have taken it home (hopefully) and put it back.

Re:No way did it just turn up (1)

nedlohs (1335013) | more than 5 years ago | (#24494693)

Because office door locks are infallible. No one has ever picked one of them, or got their hands on the key for 5 seconds to make an imprint and cut their own copy.

Re:No way did it just turn up (0, Redundant)

xanadu-xtroot.com (450073) | more than 5 years ago | (#24494699)

office is always locked

Ya know, that one got me too. I don't know about anyone else here, but the offices I've worked in all have drop ceilings. Ya know, the wall ends at the ceiling tiles? The ones, you can easily climb over...

Re:No way did it just turn up (2, Interesting)

JWSmythe (446288) | more than 5 years ago | (#24495329)

A lot of people don't know that. It's been helpful to know though. I've retrieved (or told someone to retrieve) things in "locked" rooms that weren't supposed to be locked.

Except for once... The CEO had this thing for keeping the tape backups in his safe, in his locked office. He was out of town, the door was locked, and we needed one of the tapes. With the COO's permission, one guy climbed over and opened the door from the inside for us. The safe was a lot easier, he left the door open.

Then again, I've been having more fun learning how to pick locks. It's a lot more impressive to sit at the door handle for 30 seconds, and pop the door open, without having to get dirty or climb on anything. :)

Re:No way did it just turn up (1)

juanfe (466699) | more than 5 years ago | (#24495203)

Because they don't have access card readers with smart chip cards to make sure that only vetted and authorized people can get through?

No surprise that TSA trusts these morons with national security... they trust themselves, don't they?

Correct response (5, Insightful)

91degrees (207121) | more than 5 years ago | (#24494489)

The laptop had either been stolen, and sold with the information wiped, stolen and the information sold, lost, destroyed, or left in an office.

Whichever it was, the only information they had was that it was unaccounted for. It was actually a good response to automatically assume the worst case scenario and deal with the situation as if that had happened. If the worst case scenario was the case then at least it was dealt with as best it could be. If not then the only harm done is to them and not their customers.

So while losing it was very inept, their response afterwards was actually fairly responsible of them.

Followed by an Incorrect response (1, Insightful)

Anonymous Coward | more than 5 years ago | (#24495487)

I'll give them points for raising the alert when they weren't sure what happened. I stop giving them points when they found the laptop, and decided to put out a press release that appears to say "No one did anything obvious to let us know the data was accessed. So we're going to tell you there was no data breach and wish really hard everyone will shut up about it."

A "fairly responsible" response would be "We've recovered the laptop. We are still investigating where it was and who had it during the unaccounted period. While we can tell the data was not accessed 'casually', it would be difficult to tell if someone with some computer skills had accessed the data. Therefore, out of an abundance of caution, we will proceed as if the data was compromised, including securing what we can of the possibly compromised data, and taking steps to ensure no such breach could happen in the future."

Clear is bullshit (5, Interesting)

Jah-Wren Ryel (80510) | more than 5 years ago | (#24494519)

This whole 'Clear' thing is bullshit. It's a bad solution to a problem that should not exist in the first place.

If you buy the story that all the airport security that results in thousands standing around waiting to get to their gates is both necessary and effective then you must question any program that claims to pre-screen anyone because that just opens a window of opportunity between the pre-screen and the actual boarding of the flight in which the pre-screened person can be compromised in any number of ways.

It all comes back to the problem that there is no such thing as "the evil bit" - and any system which tries to make up for that by using some other combination of 'bits' as a proxy for the non-existent 'evil bit' is just a house of cards built on a non-existent foundation.

Even if you take Bruce Schneier's view that Clear is a good thing - not for the pre-screen, but because of the open-market approach to airport security which lets people pay more in exchange for a guaranteed short processing time - it's still bullshit. That's because the rich and the powerful - the idiots who make the laws that created the TSA and their time/money wasting policies will be able to avoid having to suffer the consequences of their own actions. They can just pay a few hundred dollars more and never suffer the crap that they dumped on all the plebes.

Congress already exempts itself from too many of the laws it passes (no social security, they have their own program, no anti-discrimination in hiring laws on the hill, etc) they should not be able to get another free pass on suffering the effects of creating the TSA.

Re:Clear is bullshit (3, Interesting)

Lumpy (12016) | more than 5 years ago | (#24494679)

Welcome to the Windows Computing culture.

Data is secure in the SQL server in the system. Dumbass manager #2 uses his login and dumps it to excel or to access because he's handy with those.

I am sure the IT department has warned against this behavior but managers like to ignore what IT says when they have an "idea"

Kind of like how someone discovered the entire company's salary breakdown on a laser printer in the sales area.... A dipshit manager in Accounting printed a secure document on an unsecure printer (because hers was being serviced) and LEFT IT THERE for 4 hours.

Re:Clear is bullshit (2, Interesting)

MrMr (219533) | more than 5 years ago | (#24495155)

You are aware that keeping salaries a secret is not in the interest of the employees?
Perhaps your 'dipshit manager' is the only honest person in accounting...

Re:Clear is bullshit (3, Insightful)

JWSmythe (446288) | more than 5 years ago | (#24495413)

I'm glad someone said it.

No company that I've ever worked for that keeps salaries "secret" is being honest. There are tremendous variances in pay rates, which are based on arbitrary things, not on the position, ability, performance, or workload of the individual.

If you can have a 5 year employee making $35k/yr, and a starting employee making $75k/yr, and another making over $100k/yr, all doing the same job, with the same workload, then there's something seriously wrong with the pay scheme. If you believe a position is worth $75k/yr, then that's what the base salary is for the position, and there should be adjustments for time with the company (10%/yr), performance bonuses, incentives, etc.

I could rant for days, but I agree, the "dipshit" manager "accidentally" let a company secret out, which needed to be told.

Amen to that. (1)

BitterOldGUy (1330491) | more than 5 years ago | (#24494717)

That's because the rich and the powerful - the idiots who make the laws that created the TSA and their time/money wasting policies will be able to avoid having to suffer the consequences of their own actions.

I've given up. I bought a case of KJ and whenever Congress is in session, regardless of what party is in power, I pull out a tube and mumble, "Here we go again, sigh."

I'll vote against all the incumbents in November - for what good it may do

Re:Clear is bullshit (1)

maxume (22995) | more than 5 years ago | (#24494719)

The rich and powerful fly on private jets and don't bother with airport security at all.

Clear is for their functionaries.

You would think... (1)

MikeRT (947531) | more than 5 years ago | (#24494527)

That having the company's personal information crown jewels on a laptop, unprotected would be an automatic, stop, don't pass go firing offense at any self-respecting corporation today.

Re:You would think... (1)

stephanruby (542433) | more than 5 years ago | (#24495197)

That having the company's personal information crown jewels on a laptop, unprotected would be an automatic, stop, don't pass go firing offense at any self-respecting corporation today.

Yes, at least for a low-level employee, or maybe for an employee nobody liked.

However if it's an executive who was responsible for the laptop, or if it's an executive who borrowed the laptop, then most corporations wouldn't fire such a person. Firing someone in the abstract is really easy. Firing a friend/colleague in real life is actually much harder.

In any case, if you ask me, the laptop never had any work-related stuff on it, that's how they know it wasn't compromised. It was probably used as a gaming computer since its first day. Sometimes the primary reason laptops get purchased, or VCRs get purchased, is because of some end-of-year overflow budget (if you don't spend it, you lose it next year).

The real problem (0)

Anonymous Coward | more than 5 years ago | (#24494569)

is that this was likely an inside job. It is probable that the person HAD the password, grabbed the laptop, used the password to obtain info, and then put it back.
Another real possibility is that they grabbed the HD, copied it, and then put it back after the heat was high.

Trusting this company is like trusting W.; you KNOW that you are being lied to.

Re:The real problem (1)

JWSmythe (446288) | more than 5 years ago | (#24495441)

I'd lay odds on the idea that he put it "away" in the wrong place, forgot he put it there, and when he was trying to find it where he expected in the "normal" place, it wasn't there, so it was obviously stolen.

I've seen a lot of stuff show up like that. It's an emergency, a conspiracy, an evil deed. "Oh ya, I did put it there" comes later.

Quote of the Day (4, Funny)

SendBot (29932) | more than 5 years ago | (#24494581)

"[data was not encrypted] However, it was protected by two levels of passwords."

Baby, I'm sorry I cheated on you. But I was thinking of you while we did it.

Re:Quote of the Day (1)

gilbertopb (1286258) | more than 5 years ago | (#24494911)

They took 9 days to restore the machine because they spent 9 days laughing on the floor, so strongly afraid of the two-level passwords.

Re:Quote of the Day (1)

lju (944654) | more than 5 years ago | (#24494943)

More like: "Baby, I'm sorry I cheated on you, but I used two condoms so it's alright."

And on it they also found... (1)

Illbay (700081) | more than 5 years ago | (#24494593)

...electronic versions of the Rose Law Firm billing records [pbs.org].

Re:And on it they also found... (1)

value_added (719364) | more than 5 years ago | (#24495173)

OK, I laughed, but you should be embarrassed.

Making a Clinton-era joke is like wearing bell bottoms, a tie-dyed T-shirt AND an afro. No one can tell whether you're trying to be funny, or agree on what's really funny.

I get past the lines... (2)

ag3ntugly (636404) | more than 5 years ago | (#24494639)

...by acting the slightest bit suspicious. They move me swiftly to the front of the cavity search line, and then usually send me straight to the terminal when they're done.

Obviously (1)

alucard963 (542262) | more than 5 years ago | (#24494645)

Obviously, no one could have taken the information if it was still on the hard drive.

American Beer is Clear (0)

Frosty Piss (770223) | more than 5 years ago | (#24494659)

Allison Beer is a senior vice president for a company called "Clear". Has to be a joke here someplace.

More than enough (1)

BitterOldGUy (1330491) | more than 5 years ago | (#24494667)

The computer held names, addresses and birthdates for people applying to the program, as well as driver's license, passport and green card information. But, she said, the computer contained no Social Security numbers, credit card numbers, fingerprints, facial images or other biometric information. "Yes, it was sensitive privacy information, but not the stuff that was most sensitive," she said.

names, addresses and birthdates for people applying to the program, as well as driver's license, passport and green card information

That's more than enough to steal an identity. I've run across folks who had their identity stolen by folks who just used their names, address and DOB - the thief found a very careless creditor; which wasn't hard.

Frost 4ist (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#24494683)

About time you cleaned that office Bob (2)

portwojc (201398) | more than 5 years ago | (#24494697)

When they finally found the laptop did they stop cleaning the office or did they finish up?

Huh? (0)

Frosty Piss (770223) | more than 5 years ago | (#24494709)

FTA:

The information was encrypted on the server, but not on the laptop, although it should have been, Beer said. However, it was protected by two levels of passwords.

I'm confused. It was not encrypted on the laptop, but was protected by two passwords? What?

So let me get this straight... (1)

davidbrit2 (775091) | more than 5 years ago | (#24494735)

They lose a laptop with sensitive information, and it inexplicably (and allegedly) reappears in the same office as if by magic, but it's okay, because even though none of the data was encrypted, it was guarded by two levels of passwords (ooh, shiny), and they claim they have some way of knowing that the data hadn't been accessed in spite of their shaky grasp of basic security and data encryption.

Sorry guys, but you're going to need a bigger shovel to handle all that bullshit properly.

what about wifi? (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#24494743)

The entire wireless scene, specifically the 802.11x world, has subtly changed in unexpected ways--and now the process has come to a dead end and is going retrograde. At least people are finally getting a clue and securing their connections. Apparently, both the configuration programs and public education have made it so that you will, over time, find fewer and fewer open connections in the wild.

You'll notice this the next time you try to poach a signal from a neighbor. I live on the side of a hill and get signals from at least 20 Wi-Fi transceivers. All of them have security turned on except one, and that one comes up with a splash screen asking for money. If I had done this experiment two years ago, I would have found three or four open access points from my house. Now I've got nothing. I'm beginning to notice this around the country when I travel: The wide-open poachable signals are being buttoned up fast.

But where did all the good Samaritans go--the people who were going to leave their access points open for the good of all mankind?

There are other issues, too. Here are a few additional trends I've observed regarding Wi-Fi:

1. Less and less talk about faster speeds. Promises were made that we'd be coasting on Wi-Fi at speeds near 600 megabits per second by now. Where are they?

2. Continued 802.11n nomenclature issues. Has this standard actually been finalized? What happened?

3. Free municipal Wi-Fi initiatives scuttled left and right due to costs, maintenance, and misplaced idealism.

4. Incredible lack of universal service providers. It's nearly impossible to find one ISP to which you can subscribe and then travel the world using it through peering or other agreements with local providers. One or two come close, but there's always someplace they don't work--and that's the place you end up traveling to.

5. Fixed wireless is becoming more and more of a fiasco, though it seems as if something should work. It's not rocket science.

6. Overpriced service at airports, where Wi-Fi should be free.

7. More confusion as phone companies de-emphasize Wi-Fi in favor of costly cell-phone Internet connections.

It appears that Wi-Fi is now an established and mature technology and therefore unlikely to undergo any radical changes in the years ahead. In other words, things may not get any better.

The only new idea floating around seems to be 802.11y, which is slower, in fact, than current gear. It operates at 54 Mbps on the licensed 3.6-GHz band but allows users to pump out 20 watts. (I wouldn't want to be in the same room with the transmitter, personally.) Right now most 802.11 installations work at well under 1W, with 1W being the legal limit and actually hard to find.

802.11 is not the only wireless technology that seems to have pulled up short. UWB (ultra wideband), a short-range pulse radio technology, has been promising us cordless connectivity in the office for at least a decade--and has delivered nothing. Now we hear about the UWB USB 2.0 connection. Okay, send me one.

WiMAX is another technology howling at the moon with promises of fixed and mobile long-range connections to the net. I'm waiting. Sprint Broadband Direct once had a fixed wireless lash-up that it shuttered in anticipation of some sort of solution that doesn't require a line-of-sight connection. It's been a decade, and now Sprint looks no closer to a solution despite all the on-again, off-again noise about its Xohm WiMAX dream.

As a former Sprint Broadband Direct customer, I was offered an EV-DO card for my laptop. Great. Now I get to pay more money to go online. And, of course, this service will be capped in some way or another. Watch one YouTube video and you are done for the month. Plus I don't even want to get into Zigbee, Bluetooth, and all the other wireless initiatives that are interesting but have limited usefulness.

At least Wi-Fi is still a good solution for connecting machines around the house, and the Wii in the family room seems to be happily connected to the Belkin Wi-Fi router upstairs. Still, a lot more than this one convenience should have happened by now. It didn't.

Taking 'security by obscurity' to new heights (1)

kiehlster (844523) | more than 5 years ago | (#24494761)

Clearly leaving sensitive information on an unencrypted laptop with only two passwords will deter hackers from paying mind to it. In fact, they'll think they stole the wrong laptop and return it to the same place they took it once they realize there's no encrypted data.

Said it before, I'll say it again (1)

SoundGuyNoise (864550) | more than 5 years ago | (#24494803)

Ha ha!

We'll just put it back (4, Insightful)

PMuse (320639) | more than 5 years ago | (#24494809)

So, what we have here is starting to sound like: employee 'borrows' office computer for home use, manager raises alarm, news media panics, employee waits until dust settles a little to slip 'borrowed' property back into office.

Either that, or the identity thieves who masterminded the scheme to steal that data were really slow.

Re:We'll just put it back (3, Insightful)

Downside (662268) | more than 5 years ago | (#24495333)

3rd possibility: blustery pompous asshat puts laptop in desk drawer before going home. Next morning he comes in and can't see laptop on the desk where "I left it right there" and starts shouting about theft?

All data still compromised. (1, Insightful)

Anonymous Coward | more than 5 years ago | (#24494825)

I find these two articles disturbing. They disagree as to the level of customer information involved. The newer article also implies that although they have no idea where this laptop was for nine days - they consider the information to be uncompromised.

"We don't believe the security or privacy of these would-be members will be compromised in any way," said Verified Identity Pass chief executive Steven Brill.

I'm sorry, but if there are serious questions as to where the laptop was for nine days - the data has to be treated as compromised. If there is a question as to what sensitive information was being stored on the laptop - it points towards even more serious flaws in data handling processes.

Good idea to "find" the laptop again (1)

TooTechy (191509) | more than 5 years ago | (#24494851)

If I'd lost a laptop with all this sensitive data on it and I wanted to ensure that the Clear system continued to work, I would probably "find" the laptop again.

Wouldn't want confidence to drop now would we?

Browse the history (1)

gilbertopb (1286258) | more than 5 years ago | (#24494853)

I guess what are the loggings in the internet browser history during these 9 days. Uhm, well, probably some high double-password-secured visits for some popular xxx sites and some not so popular. No, I'm not talking about horses and penguins, this must be weird. But leaving the ironic side, I ask what USA border police may comment about such a thing. Would this machine be arrested at the frontier or do they prefer to take some teenagers' laptops?

oops (1)

halfEvilTech (1171369) | more than 5 years ago | (#24494897)

I had to move it after spilling some bawls on the table...

must have forgotten where I put it

Too convenient (2, Interesting)

JoeMerchant (803320) | more than 5 years ago | (#24494935)

After the big media blitz, I imagine the laptop was found "somewhere," and it was a lot easier to explain if "somewhere" became the same locked office it was supposed to be in. I seem to recall some removable hard drives in the Los Alamos fiasco that also eventually "were discovered" in secure areas like behind a copy machine or something.

/cynical

realistic (what's the difference, anyway?)

Laptops and removable hard drives are inherently portable - if you really care about preserving the confidentiality of anything, it should be treated in an "eyes only" manner while on the portable media - when you're done, either encrypt or wipe. If the portable device leaves your sight for 15 minutes, you can assume that it has been copied. If it's not encrypted, it doesn't matter how many passwords are required, it can be copied in a very short time with a screwdriver and a mini-notebook, or any other contraption with a compatible drive controller.

/realistic

Re:Too convenient (1)

Knuckles (8964) | more than 5 years ago | (#24495067)

/cynical

realistic (what's the difference, anyway?)

George Bernard Shaw to the rescue: "The power of accurate observation is commonly called cynicism by those who don't have it."

Ask Slashdot (4, Funny)

PMuse (320639) | more than 5 years ago | (#24494955)

Dear Slashdot,

I've borrowed a laptop from my office to download a little . . . well, never mind. But, the thing is that my manager went apeshit and the laptop turns out to have a lot of valuable data sitting on it. What should I do?

The FBI is searching the homes of all the employees, so I can't keep it. If I give it to a friend, someone will eventually tell and I'll get busted.

If I dump it or destroy it, they'll assume espionage and the investigation will go on for months and I'm sure to slip up eventually.

If I return it to quiet things down, I might provide them with forensic evidence they can link to me, not to mention maybe getting caught doing it.

Please help. If I lose my security clearance, I'll never get another job.

Re:Ask Slashdot (1)

n3tcat (664243) | more than 5 years ago | (#24495527)

1) Post your question as Anonymous Coward
2) If step 1 fails, flee to Canada
3) ???
4) Profit!

My guess... (4, Funny)

g0bshiTe (596213) | more than 5 years ago | (#24495237)

Reader jafo adds, "Pardon me if I have little confidence that an organization that loses a sensitive laptop for 9 days is able to tell if it was compromised."

It was never actually missing. They just couldn't find it in their own office.

Re:My guess... (1)

kannibal_klown (531544) | more than 5 years ago | (#24495473)

Reader jafo adds, "Pardon me if I have little confidence that an organization that loses a sensitive laptop for 9 days is able to tell if it was compromised."

It was never actually missing. They just couldn't find it in their own office.

I guess that's possible, I've done that with personal things.

IE, I thought I put my wallet on one end of the table and later can't find it (and thus go into panic mode, fearing that maybe I left it at work). And when in panic mode, you usually miss the obvious. Later I find it on the other end of the table partially covered by a newspaper.

Maybe when they didn't see it on the desk they went into panic mode and didn't do a thorough search of the whole office.

On the other hand it's equally feasible that someone put it back into the office.

To the person who cleared the data.. (0)

Anonymous Coward | more than 5 years ago | (#24495269)

Thank you.
Thanks for protecting our pri... wait I didn't order two tickets to Macau!?
Three cops dead, and they found my fingerprints?

Amazingly, not everyone uses Windows.... (0, Redundant)

Anonymous Coward | more than 5 years ago | (#24495353)

Put Knoppix, Puppy, or any of the other myriad live Linux distros in the CD drive, turn the power on, and presto. You can now clone the hard drive (via USB if you don't want to open the case) with ease. Passwords? Who needs passwords? If the disk wasn't encrypted, all your data belong to us.

I don't see how anyone would have "evidence" that this was/wasn't done.

Hey, guess what? There's a difference between "we can't prove the data was accessed" and "we can prove the data wasn't accessed". Only one of these would matter. Nope, not that one...

inform4tive cumCoUM (-1, Troll)

Anonymous Coward | more than 5 years ago | (#24495393)

[gay-sex-accees.com]? aapeared...saying Trying to dissect Raymond in his Java IRC client are almost it has to be fun developers