UK Intel Agency's Missing Laptops Might Contain Sensitive Data

timothy posted more than 4 years ago | from the their-ruse-their-clever-trick dept.

Government 51

superapecommando writes "GCHQ lost 35 laptops in one year, potentially containing highly sensitive data. The UK's electronic spy centre was today lambasted by MPs for having a 'cavalier' attitude to data security. The centre is responsible for tracking the electronic communications of terrorists. In a new report, the Commons Intelligence and Security Committee expressed concern that GCHQ appeared to be entirely unaware whether or not the computers, lost in 2008, contained top secret information on people posing an imminent security threat to the country."

51 comments

Newsflash: (0)

Anonymous Coward | more than 4 years ago | (#31463100)

US citizen doesn't care about what may or may not have existed and may or may not be lost.

Re:Newsflash: (1)

deepershade (994429) | more than 4 years ago | (#31463180)

This is about the UK. What's a US citizen got to do with it?

Re:Newsflash: (0)

Anonymous Coward | more than 4 years ago | (#31463200)

Considering how nations spy on each other to get around local laws, it's more likely the laptops held information about US citizens than Brits.

Re:Newsflash: (0)

Anonymous Coward | more than 4 years ago | (#31463182)

Just the same way most of Europe doesn't give a shit about the same sort of crap posted about the US. Don't be a dick.

Re:Newsflash: (0)

Anonymous Coward | more than 4 years ago | (#31464002)

This is what is lost on some people in the USA: the rest of us are forced to endure your news and entertainment, and the fact that there are no major non-US-based English-language Hollywoods means that we really don't have a choice.

I type from a country (NZ) which will use US news stories which most viewers won't have a clue about, when they have nothing to run. I really do not care that a disabled US Marine had to spend a lot of his time to get veteran's benefits. I do not care about some American Football score. No US station reports on NZ domestic cricket scores...

Re:Newsflash: (0)

Anonymous Coward | more than 4 years ago | (#31464690)

This is what is lost on some people in the USA: the rest of us are forced to endure your news and entertainment, and the fact that there are no major non-US-based English-language Hollywoods means that we really don't have a choice.

But the fact of the matter is that this is a failing of you and your nation, not the US.

YOU watch US-centric channels instead of boycotting them, and YOU are making it profitable.

Kiwis, of all things, should be the last to complain about anything since they hide behind the skirts of the major democracies of the world. I knew NZ had lost it when they ditched their air force, thus you are unable to assert sovereignty over your own airspace. Fucking pathetic.

Re:Newsflash: (1)

Tim C (15259) | more than 4 years ago | (#31464074)

Don't care? Don't read it. This site may be based in the US and heavily biased towards it, but it has an international readership.

Re:Newsflash: (1)

lorg (578246) | more than 4 years ago | (#31465636)

Why not? Perhaps you should. You think they only contain secrets relevant to the UK? How can you be sure?

If a spy agency, any, loses data/intel, it is probably a concern to more than the people in the country where the agency belongs since spying is a global business.

But in most industries... (1)

infolation (840436) | more than 4 years ago | (#31463128)

'lost laptop' translates as 'executive perk'.

Intel... igence? (1)

dolmen.fr (583400) | more than 4 years ago | (#31463198)

I did not understand the relation between Intel and UK MPs until I thought the word may have been abbreviated.

Lack of information (1)

EdZ (755139) | more than 4 years ago | (#31463206)

I've always wondered whether these 'lost laptops' are simply the personal laptops of employees, that should never have been anywhere near anything to do with GCHQ, and GCHQ is just being overly cautious (does not know what, if any, data accidentally ended up on a personal laptop, so assume the worst). Or it could just be garden variety incompetence. Except for the unlikely event of an intelligence service disclosing far more information than would be prudent, there's little to tell either way.

What do they mean by lost? (2, Interesting)

ThePangolino (1756190) | more than 4 years ago | (#31463208)

What do they mean by lost? Is it lost like "Lost in space", "Just lost The Game" or "Sorry, I *lost* my homework"?

Re:What do they mean by lost? (0)

Anonymous Coward | more than 4 years ago | (#31463256)

It means they left it on a train because they're too incompetent to pick it up on the way out.

Re:What do they mean by lost? (1)

mSparks43 (757109) | more than 4 years ago | (#31463336)

The world would be a much safer place if all these secret agencies *lost* their funding.

Re:What do they mean by lost? (1)

RockDoctor (15477) | more than 4 years ago | (#31503112)

The world would be a much safer place if all these secret agencies *lost* their funding.

Oh man, are you so dead. Dead, diced, buried in soft peat for 18 years and finally DNA tested to reveal that you were an Albanian illegal immigrant all along. Remember that family you used to have? Well don't worry about them, the remaining ones don't remember you.
As they say in Texas "Dead man walking!"

Re:What do they mean by lost? (1)

mSparks43 (757109) | more than 4 years ago | (#31547136)

Way to prove my point?

Re:What do they mean by lost? (0)

Anonymous Coward | more than 4 years ago | (#31463584)

Hopefully "Lost In Translation"

Re:What do they mean by lost? (1)

Xest (935314) | more than 4 years ago | (#31480218)

If it's anything like the rest of public sector from when I worked in it for a while some years ago, then "lost" means "I left my laptop perfectly visible in the back seat of my car which I left parked outside on the street overnight in a not exactly crime-free part of town".

So if they want to find them, eBay, or the house with the dodgy people in down the street are probably the best places to look.

Highly sensitive data? (4, Funny)

maxwell demon (590494) | more than 4 years ago | (#31463218)

Well, surely it has been appropriately encrypted with strong encryption and protected with a strong password. After all, those people are not completely incompetent, are they?

Re:Highly sensitive data? (1)

fluch (126140) | more than 4 years ago | (#31463292)

After all, those people are not completely incompetent, are they?

In the UK? You should reconsider your rhetorical question...

Re:Highly sensitive data? (1)

gmccloskey (111803) | more than 4 years ago | (#31463624)

This would be the UK that led the development of modern computing with the work of Alan Turing, led the development of the use of computers in industrial and military environments (Bletchley Park) and which dramatically shortened the second world war. This would be the UK that invented public key cryptography before the NSA. This would be the UK which developed working, scalable MIMD parallel processing (transputer) in the early 90s. Then there was the matter of Boole, who did some minor mathematical work. That UK.

Re:Highly sensitive data? (1)

jabithew (1340853) | more than 4 years ago | (#31466634)

Yes [bbc.co.uk] , that [bbc.co.uk] UK [bbc.co.uk] .

Re:Highly sensitive data? (1)

JohnBailey (1092697) | more than 4 years ago | (#31463324)

Well, surely it has been appropriately encrypted with strong encryption and protected with a strong password. After all, those people are not completely incompetent, are they?

Considering who you are talking about.. the answer can be summed up as.. BWHAAAA!!!

Re:Highly sensitive data? (1)

Fred_A (10934) | more than 4 years ago | (#31463414)

After all, those people are not completely incompetent, are they?

<deep>I find your faith disturbing...</deep>

Re:Highly sensitive data? (3, Informative)

Shimbo (100005) | more than 4 years ago | (#31463560)

Well, surely it has been appropriately encrypted with strong encryption and protected with a strong password. After all, those people are not completely incompetent, are they?

Well, GCHQ workers *invented* public key encryption, so they are obviously not all completely incompetent. Big organisations lose laptops. It's more that they don't have the paperwork to prove nothing secret hit these machines. It's sloppy but hardly unexpected.

Re:Highly sensitive data? (1)

johnw (3725) | more than 4 years ago | (#31463900)

Well, GCHQ workers *invented* public key encryption...

And the story told by one of the inventors is that he made the crucial breakthrough whilst mulling the problem over in his head at home. So strict was the security in those days that he wasn't even allowed to write down his idea on a piece of paper outside the office, and he worried dreadfully that he might forget the details before he got back into the office and was able to record it.

Clearly if they're now leaving laptops lying around, things aren't quite so strict.

Re:Highly sensitive data? (1)

TheLink (130905) | more than 4 years ago | (#31465470)

Yeah, nowadays the GCHQ bunch would probably post it on Twitter.

Should not be a problem... (1)

fluch (126140) | more than 4 years ago | (#31463290)

This should not be a problem IF the hard drives are full disk encrypted. Now the "if" in the previous sentence is the crucial point...

Re:Should not be a problem... (2, Insightful)

gmccloskey (111803) | more than 4 years ago | (#31463720)

All UK government devices storing information classified as RESTRICTED (no US equivalent) must have two factor authentication, and full disk encryption using a FIPS140 certified product from a CESG-approved list. Anything carrying CONFIDENTIAL or SECRET has the same, plus additional techniques and handling protocols to ensure CIA (confidentiality, integrity, assurance). TOP SECRET isn't discussed in open forums.

This is a non story if they are accidental losses. All organisations, including those within and around the intelligence communities, lose assets. The real questions should be (1) was it accidental, (2) if not, who made the effort and (3) are you confident the systems in place will protect the information for long enough until its value decreases below the effort required to recover it.

To be honest, the more pressing issue for ordinary citizens is not governments protecting or losing information about citizens, but private organisations.

Re:Should not be a problem... (1)

Tim C (15259) | more than 4 years ago | (#31464096)

This is correct; I also have reason to have some understanding of correct handling and storage procedures for materials covered by the GPMS [cabinetoffice.gov.uk] and those laptops should be encrypted. If not then someone will be facing a shitstorm for it.

Underground? (0)

Anonymous Coward | more than 4 years ago | (#31463296)

From the original article:
"In a hearing for the report, the spy centre said its work was at a level about one third below what was planned, because of difficulty attracting and retaining enough internet experts.

GCHQ is now advertising for more recruits on the London underground, the committee noted."

That kind of gives the impression that GCHQ are trying to recruit hackers from the counter culture by advertising in tube stations.

Re:Underground? (2, Funny)

BiggerIsBetter (682164) | more than 4 years ago | (#31463552)

That kind of gives the impression that GCHQ are trying to recruit hackers from the counter culture by advertising in tube stations.

And on Slashdot, apparently.

Re:Underground? (3, Insightful)

Anonymous Coward | more than 4 years ago | (#31463634)

That's a great idea. You know where London 2600 is held, right? Pretty sensible place to advertise, then - and if the Security Service and Secret Intelligence Service are advertising, why not GCHQ, the great-granddaddy of the father of modern computing and cryptology?

The big challenge is that all the people with the requisite expertise in that particular field either have ethical problems with working for a government that does things that run contrary to their personal beliefs (restrictions on free speech, mass surveillance and censorship, certain recent unpopular wars, and so on), or they don't really have anything left in the way of ethics at all (in which case, their trustworthiness is very limited, and they may already be working for organised crime or another government).

Many of the older ones have retired from doing that kind of thing and settled down, and the problem with that is that their skill set is unlikely to be current. There are of course timeless techniques, but the field also moves very quickly and rediscovers new things in different ways, so keeping current is important.

Of course, there are always new ones. Fresh talent does emerge and can probably be recruited in larval form, but not all hacking is self-taught, and the difference between a good hacker and a world-class hacker is things picked up from experience and teaching. Mentoring. But part of that is the counter-culture mindset, it's a required part of the critical thinking needed. Some people are needed to teach, and teach very very well. But the problem is that those people do not want to work for the UK government, even in a teaching capacity.

A similar problem emerges when trying to buy a covert remote intelligence tool (CRIT). What to do; license Zeus? Hardly. The Chinese did something similar, and as you no doubt heard it turned out worryingly successful with a simple black market Trojan and some very astute targeting. But you can scarcely expect that to work the same way twice. Something rather more advanced is needed, but those that have developed more advanced tools have essentially told the intelligence agencies to go screw themselves or are otherwise people it would be recommended to avoid dealing with (as above). So a tender was raised at a recent conference and there have been no decent bids (General Electric almost don't count).

Anyway. As for the story, the key word is "might". This audit is ahead of a new system proposed to modernise the key management by introducing ubiquitous security tokens, and full-disk encryption in software (TOP SECRET uses specialist hardware devices rather than hard disks right now). The problem here is a lack of yearly auditing, and unmarked, uncleared notebooks that should not have touched classified information, and probably did not if best practices from the CESG were followed, but conceivably could have done, which is unacceptable and something that needs to be addressed...

Re:Underground? (1)

jabithew (1340853) | more than 4 years ago | (#31466642)

Yeah. They are. Been on the Tube recently?

A job for Jack Bower? (1)

Galik (730522) | more than 4 years ago | (#31463340)

Where is Jack Bower when you need him?

Re:A job for Jack Bower? (2, Funny)

Anonymous Coward | more than 4 years ago | (#31463356)

He's probably being interrogated and tortured by Jack Bauer as to why the former is attempting to steal the latter's identity.

sekssever (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31463424)

http://sekssever.com

...and by extension, everyone else's communications (1)

D4C5CE (578304) | more than 4 years ago | (#31463596)

The centre is responsible for tracking the electronic communications of terrorists

...which is hardly feasible without having access to everyone's communications, since those deserving of surveillance don't tend to identify themselves by stating e.g. "This is a terrorist communication:" at the start of everything they say.

GCHQ appeared to be entirely unaware whether or not the computers [...] contained [...] information on people posing an imminent security threat [...]

Quite a few others should also/rather want to know whether the computers contained information on people under an imminent security threat; information compiled by none less than the officials on a mission to protect them.
This begs the question if an eavesdropping agency losing 35 laptops in a year can really be called "responsible" for anything, or rather just irresponsible.

Re:...and by extension,everyone else's communicati (1)

drinkypoo (153816) | more than 4 years ago | (#31463732)

The centre is responsible for tracking the electronic communications of terrorists

...which is hardly feasible without having access to everyone's communications

Try "known or suspected terrorists" in the sentence in place of simply "terrorists" and all will be made right. Or as right as it gets.

Quite a few others should also/rather want to know whether the computers contained information on people under an imminent security threat; information compiled by none less than the officials on a mission to protect them.

Well, that's not their mission, but I guess it's not impossible. Usually if it does contain such information, it's on employees of the division in question, though not always.

Re:...and by extension,everyone else's communicati (0)

Anonymous Coward | more than 4 years ago | (#31464196)

"Lost" in this context does not necessarily mean "left on train". It could simply mean "left in locked cupboard within secure building, but nobody knows which cupboard". There are plenty of uses for laptops that don't necessarily even ever get taken off site.

Likewise, there's no reason to assume these laptops contained intercepted communications or personal data on members of the public at all. They could just have been used for unclassified Powerpoints or whatever.

But let's not let rational thought get in the way of a good bit of government-bashing, eh?

Big Deal (1)

Czmyt (689032) | more than 4 years ago | (#31463676)

They look downright responsible compared to the US Department of Homeland Security who supposedly lost over 1,000 laptops in a single year (2008).

Re:Big Deal (1)

dbcad7 (771464) | more than 4 years ago | (#31465462)

Yeah, but were they "homeland security laptops" or passengers' laptops at the airport?.. and "lost" is more likely "stole".. If indeed it was government equipment, the number would not be that high.. because first the person it was assigned to would have to repay the government at the inflated price the government bought it for, and second they would be looking at jeopardizing their cushy gub'ment job.

See this as an opportunity (1)

houghi (78078) | more than 4 years ago | (#31463792)

Now they can make a law that will allow police to search your data without any court order in the interest of Queen and country. Because YOU could be the one that has that unknown data. As such you are also the potential criminal, so your DNS can be taken.

So all people owning a portable will be searched and their DNA will be taken. Also people who live together, are related to, work together with, know somebody who or have ever seen somebody who either owns a portable, a computer, a device connected to the Internet or heard about it, will be searched and added to the database.

No worries. Nobody can access that database or even hack it. It is placed on a portable so it moves around to avoid any physical attacks.

Watch out for bombs (0)

Anonymous Coward | more than 4 years ago | (#31464020)

If they recover any of their laptops they better check them for explosives first. Oh wait ... that was a plot on the BBC series Spooks (aka MI5 in US).

TrueCrypt (1)

rlp (11898) | more than 4 years ago | (#31464192)

Why didn't the UK mandate TrueCrypt (or equivalent) on laptops holding sensitive data?

Re:TrueCrypt (1)

gmccloskey (111803) | more than 4 years ago | (#31464826)

They have - by mandating that appropriate controls are implemented, including full disk encryption. See http://www.cabinetoffice.gov.uk/spf/sp4_isa.aspx [cabinetoffice.gov.uk] - specifically requirement #40.

Truecrypt is not a product tested and approved by http://www.cesg.gov.uk/ [cesg.gov.uk] so it can't be used for UK government business. If someone is willing to pony up the accreditation fees, and it passes, then it can be used.

These new UK gov regulations are interesting - they make specific nominated individuals in every government organisation personally responsible for data security - with penalties including fines and prison. Unsurprisingly, data security is now very heavily implemented and monitored.

Re:TrueCrypt (2, Insightful)

Anne Thwacks (531696) | more than 4 years ago | (#31466030)

If it is anything like the rest of the present government policies, the actual requirement is to put a tick in a box labeled "Data is secure", and then apply a signature resembling "D. Duck" at the bottom of the paper, which is then filed along with 2,000,103 other pieces of identical paper with no way of tracing which piece applies to which equipment. My guess is that Donald Duck had best be afraid ... very afraid. As should anybody in the UK who would prefer his personal data is not on sale at a market somewhere in India at this very moment.

It is quite safe to assume any statements above about the government's supposed competence are the work of paid shills. In the last 10 years, the government has not previously shown any signs of competence.

a) "It is illegal to import a potato knowing it to be Polish" "Honest, Sir, I did not know that potato was Polish. It does not even have a Polish accent!"

b) "What will the government say if it gets out in the press?" "We will plead corporate insanity"

Re:TrueCrypt (1)

VoiceOfDoom (875772) | more than 4 years ago | (#31466246)

If someone is willing to pony up the accreditation fees

....twenty thousand quid. Not surprisingly, the list of CAPS-approved [cesg.gov.uk] products is quite short and the suppliers that *are* accredited are a) making a mint and b) not inclined to improve their clunky, difficult-to-administer products in any way since all UK Govt clients are locked in to using them anyway.

Re:TrueCrypt (1)

rlp (11898) | more than 4 years ago | (#31467104)

Not surprisingly, the list of CAPS-approved products is quite short

PGP Whole Disk Encryption is on the 'CAPS-approved' list.

God save the queen (0)

Anonymous Coward | more than 4 years ago | (#31464936)

God save the queen
