Slashdot: News for Nerds

Ohio Plans To Encrypt After Data Breach

kdawson posted more than 6 years ago | from the shutting-the-barn-door-after-the-horses dept.

Security

Lucas123 writes "After a backup tape containing sensitive information on 130,000 Ohio residents, current and former employees, and businesses was stolen from the car of a government intern in June, the state government just announced it has purchased 60,000 licenses of encryption software — McAfee's SafeBoot — for state offices to use to protect data. It's estimated that the missing backup tape will cost Ohio $3 million. In September, the state docked a government official about a week of future vacation time for not ensuring that the data would be protected."


237 comments

hindsight is 20/20 (3, Insightful)

Endloser (1170279) | more than 6 years ago | (#21663641)

People just won't learn that security should be proactive. Society is a very slow learner.

Re:hindsight is 20/20 (2)

creimer (824291) | more than 6 years ago | (#21663803)

Especially when sensitive data is given to an intern. Doesn't anyone read Dilbert?

OpenBSD is the answer. (0)

Anonymous Coward | more than 6 years ago | (#21663941)

They just paid millions of dollars for something that systems like OpenBSD, Linux, and FreeBSD offer for free. OpenBSD's filesystem encryption [xs4all.nl] is particularly good. And when you combine it with their meticulous code reviews and near-100% insistence on using as many security good practices as possible, there's really no reason to not use OpenBSD if security is one of your main concerns.

Re:OpenBSD is the answer. (-1, Troll)

duffbeer703 (177751) | more than 6 years ago | (#21664153)

Oh please STFU. Like you're going to run OpenBSD on laptops. Get real.

Re:OpenBSD is the answer. (2, Interesting)

QuickFox (311231) | more than 6 years ago | (#21664257)

Why not?

Re:OpenBSD is the answer. (1)

FoolsGold (1139759) | more than 6 years ago | (#21664353)

Because we live in a Windows world, that's why. Interoperability with existing software is more realistic than some zealot's idea of switching operating systems just for a little extra security.

Re:OpenBSD is the answer. (2, Insightful)

pat mcguire (1134935) | more than 6 years ago | (#21664819)

The problem is that the government workers don't have the proper technical expertise. Security is only as strong as the weakest link, and even with Windows on the laptops the operating system is usually not the issue, the stupidity of people are. All OpenBSD would do is add another layer of security that the user would disable in order to save five seconds and the trouble of remembering a password. Secondly, OpenBSD's security is mostly directed at remote attacks, as the developers realize that there's no way to secure a computer in the hands of somebody else.

Wonder if McAfee paid them (-1, Flamebait)

orclevegam (940336) | more than 6 years ago | (#21663661)

Would not be surprised to find out that a McAfee representative paid them to use their software. Still, even if that's the case, it's good that they're doing something.

Re:Wonder if McAfee paid them (1)

geekoid (135745) | more than 6 years ago | (#21663691)

If that was true, somebody would find out, and that would get people fired.
Probably a quick purchase based on needing something now.

Re:Wonder if McAfee payed them (1)

doas777 (1138627) | more than 6 years ago | (#21663889)

Exactly! SafeBoot does a good job. I can't say I like McAfee, but the product comparison is most favorable.

Backups Won't Be Encrypted (4, Insightful)

nuxx (10153) | more than 6 years ago | (#21663663)

Er, while this software encrypts data on the disk, it doesn't encrypt the backups. These will still be cleanly read from the disks and written out to tape.

Re:Backups Won't Be Encrypted (1)

LiquidCoooled (634315) | more than 6 years ago | (#21663859)

I had this thought as well.
In the UK, lots of government agencies seem to enjoy posting random cds of data around and news is getting out they are being lost.

I have no technical problem with the data being unencrypted onsite as long as adequate access controls are in place, I am more worried about the backups.

And? (2, Insightful)

Colin Smith (2679) | more than 6 years ago | (#21663979)

Your problem is? They have been seen to have done something.

Re:Backups Won't Be Encrypted (1)

afidel (530433) | more than 6 years ago | (#21664747)

I would bet they are also going to use encryption in their backup procedure, either in the backup software (inexpensive licensing but expensive in CPU time and hitting backup windows) or by purchasing new tape libraries/drives with crypto modules (not so cheap, though a few vendors offer it at little extra cost once you've already bought the expensive library).
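nuxx's point above is the one worth carrying forward: full-disk encryption is transparent to any process that can read the mounted volume, so the backup agent sees plaintext and the tape gets plaintext unless the backup layer encrypts on its own. The Go program below is an added example, not code from any commenter, from SafeBoot or from any backup product; it stands in for the "encrypt the backup stream" option afidel describes. Each chunk of the stream is sealed with AES-256-GCM, with the chunk index and an end-of-stream flag bound as additional authenticated data, so a tape that has been altered, reordered or cut short fails to restore instead of silently yielding partial or corrupt data. The sample records are constructed, and the 32-byte key is assumed to come from the backup tool's key store.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed sample "backup": what a backup agent reads from a volume that
// full-disk encryption has already transparently decrypted for it.
var sampleBackup = []byte("SSN,name\n123-45-6789,A. Resident\n987-65-4321,B. Employee\n")

// Tiny chunk so the demo produces several records; a real agent uses megabytes.
const chunkSize = 16

// aad binds the record's position in the stream and whether it is the last
// one, so reordering, duplicating or truncating records breaks authentication.
func aad(idx uint64, final bool) []byte {
	b := make([]byte, 9)
	binary.BigEndian.PutUint64(b, idx)
	if final {
		b[8] = 1
	}
	return b
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("backup key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealChunk produces one record: 12-byte random nonce || ciphertext+tag.
func sealChunk(aead cipher.AEAD, idx uint64, final bool, plain []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plain, aad(idx, final))...), nil
}

// EncryptBackup splits the plaintext stream into chunks and seals each one.
func EncryptBackup(key, data []byte) ([][]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	var records [][]byte
	for i := 0; ; i++ {
		end := (i + 1) * chunkSize
		final := end >= len(data)
		if final {
			end = len(data)
		}
		rec, err := sealChunk(aead, uint64(i), final, data[i*chunkSize:end])
		if err != nil {
			return nil, err
		}
		records = append(records, rec)
		if final {
			return records, nil
		}
	}
}

// DecryptBackup verifies every record in order and reassembles the stream.
// A missing tail is caught because the last surviving record was sealed
// with final=false but is now checked with final=true.
func DecryptBackup(key []byte, records [][]byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer
	ns := aead.NonceSize()
	for i, rec := range records {
		if len(rec) < ns {
			return nil, fmt.Errorf("record %d too short", i)
		}
		final := i == len(records)-1
		plain, err := aead.Open(nil, rec[:ns], rec[ns:], aad(uint64(i), final))
		if err != nil {
			return nil, fmt.Errorf("record %d failed authentication: %w", i, err)
		}
		out.Write(plain)
	}
	return out.Bytes(), nil
}

func main() {
	key := make([]byte, 32) // assumed to come from the backup tool's key store
	rand.Read(key)
	recs, _ := EncryptBackup(key, sampleBackup)
	got, err := DecryptBackup(key, recs)
	fmt.Println("roundtrip ok:", err == nil && bytes.Equal(got, sampleBackup))
	_, err = DecryptBackup(key, recs[:len(recs)-1])
	fmt.Println("truncated tape rejected:", err != nil)
}
```

The design choice worth noting is the per-chunk authenticated data: plain AES-CBC on the stream, which is what some older backup products offered, would accept a shortened or reordered tape and hand back garbage or a silently incomplete restore.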

60,000 licenses? (3, Interesting)

Knara (9377) | more than 6 years ago | (#21663673)

Couldn't they have found an OSS solution that would have, y'know, saved the state an assload of money? I'm not an "OSS can do everything commercial software can, but better!" zealot, but that's a big bit of pocket change to be throwin' out for a solution, there.

Re:60,000 licenses? (1)

duffbeer703 (177751) | more than 6 years ago | (#21663813)

There are no Open Source FDE solutions, although some of the commercial products use OpenSSL.

Re:60,000 licenses? (0)

Anonymous Coward | more than 6 years ago | (#21664511)

Just have a data drive that's fully encrypted, and it always makes sense to have your OS on a separate drive.
Open source encryption can do that for free.

But then again it's only saving their money and encryption is encryption.
I can't believe I'm saying this but I hope that we (UK) learn from America on this one.

Re:60,000 licenses? (1)

JimDaGeek (983925) | more than 6 years ago | (#21663915)

Hmm, www.safeboot.com [safeboot.com] seems real secure. What's not to like? ;-)

Re:60,000 licenses? (1)

Beat The Odds (1109173) | more than 6 years ago | (#21664031)

Couldn't they have found an OSS solution that would have, y'know, saved the state an assload of money?

A pantload maybe.......

Re:60,000 licenses? (2, Insightful)

schneidafunk (795759) | more than 6 years ago | (#21664275)

I know this is a terrible excuse, but paying for a solution *may* make the ignorant masses feel better.

taxpayer: "hey you could have prevented this disaster without spending an assload of money? WTF!"

Re:60,000 licenses? (1)

Lord Ender (156273) | more than 6 years ago | (#21664371)

The only semi-mature opensource disk encryption product is TrueCrypt, and that completely lacks centralized management and the ability to encrypt boot partitions.

Also, as is obvious to anyone who has been watching the news in the past year, the state of Ohio does not exactly have a stellar, top-talent IT program. It would not be a good idea for them to forge a new path with unsupported software.

Re:60,000 licenses? (1)

CodeBuster (516420) | more than 6 years ago | (#21664691)

It seems to me that unless they need or want whole disk encryption of the boot partition, which still doesn't answer the unencrypted backup tape question, that TrueCrypt [truecrypt.org] would have been perfect for them.

Re:60,000 licenses? (0)

Anonymous Coward | more than 6 years ago | (#21664715)

You don't make it big in the business of government by NOT creating more and more agencies, programs, and laws, and unnecessary expenses -- and certainly not by declaring you already have enough tax dollars to feed your agenda.

You're not in the business of government, are you? ;)

Re:60,000 licenses? (2, Informative)

Chanc_Gorkon (94133) | more than 6 years ago | (#21665045)

Clueless state officials would say I need a nice cushy service contract. It's called indemnification. If they buy software, they THINK that they can absolve themselves of anything if they have that service contract. I keep telling my friends who work at the state that even though something is technically their fault, it's still their responsibility to keep the data safe. This encryption software will fix diddly if people:

Share passwords
Share logins
Print stuff off on paper, take it home and lose it.

and more.

Re:60,000 licenses? (0)

Anonymous Coward | more than 6 years ago | (#21665125)

"So and so lost our data" doesn't seem as bad as "So and so didn't follow 'procedure'". With procedure defined as following our encryption process. The latter can be used in the following: "So and so didn't follow our encryption process so we fired them." The former: "so and so had data stolen from them", well stuff happens, better luck next time.

They got it wrong. (1)

Poromenos1 (830658) | more than 6 years ago | (#21663679)

Someone tell them they were supposed to encrypt the data before the breach!

Re:They got it wrong. (0)

Anonymous Coward | more than 6 years ago | (#21664179)

Give them a break, they're Americans after all.

Re:They got it wrong. (0)

Anonymous Coward | more than 6 years ago | (#21665011)

Yeah because you guys across the pond sure know how to manage data. Elitist euro-fags.

Calling all Buckeyes! (4, Funny)

pegr (46683) | more than 6 years ago | (#21663705)

Help me close this barn door, would ya?

Re:Calling all Buckeyes! (1)

batquux (323697) | more than 6 years ago | (#21663793)

OH

Re:Calling all Buckeyes! (1)

sethstorm (512897) | more than 6 years ago | (#21664347)

IO

Re:Calling all Buckeyes! (1)

HiggsBison (678319) | more than 6 years ago | (#21664449)

Oh, way to go.

Gotta love government jobs... (5, Funny)

Stanislav_J (947290) | more than 6 years ago | (#21663709)

The state loses $3 million bucks, and the guy responsible gets the punishment of a whole week of lost vacation time? Wow....I want to find me a job where I can screw up so badly and get off so lightly. I mean....other than the Presidency.

Re:Gotta love government jobs... (1)

pixelpusher220 (529617) | more than 6 years ago | (#21663933)

Personally I'd let him keep his vacation time.... just rebook his flight to Guantanamo complete with drugs, bombs and lots of Arabic writings in his suitcase....

Re:Gotta love government jobs... (1)

batquux (323697) | more than 6 years ago | (#21664073)

But they only lost 130,000 bucks [ohiostatebuckeyes.com] ...

Re:Gotta love government jobs... (0)

Anonymous Coward | more than 6 years ago | (#21664077)

In America, it's typical (even for high-tech workers) to only get 5 to 7 vacation days each year. So losing out on a week is actually pretty significant.

Re:Gotta love government jobs... (0)

Anonymous Coward | more than 6 years ago | (#21664273)

Maybe it's different in different parts of America, or you're not of this country and speaking out of your arse, but...

Every place I've worked and everyone I know starts at 2 weeks of vacation per year. I've only seen small companies offer less and these are companies that don't have any on staff IT personnel so they are pretty small, less than 50 employees and usually less than $25 million in revenue per year.

At any medium sized and larger company it's 2 weeks for the first 5 years, 3 weeks for the 5-10 year stretch, 4 weeks for the 10-15 year stretch and 5 weeks after 15 years of service.

Re:Gotta love government jobs... (1)

dgatwood (11270) | more than 6 years ago | (#21664411)

Raise your hand if you've ever accrued less than one day per month vacation time. Anybody? Seriously? Heck, most retail employees get at least one day a month.... If you're getting less than that in high-tech, you should seriously find a better job... one that doesn't involve pushing buttons on a highly specialized computing device and asking people if they would like fries with that.... Five days a year is just one tier above "burger flipper".

According to Wikipedia, "According to a report by the Families and Work Institute, the average vacation time that Americans took each year averaged 14.6 days."

Re:Gotta love government jobs... (0)

Anonymous Coward | more than 6 years ago | (#21665111)

I mean....other than the Presidency.
Yeah, like Clinton getting sucked off by a fat Jew girl in the Oval Office?

$3 million? (1, Interesting)

warrior_s (881715) | more than 6 years ago | (#21663721)

Okay, I am having difficulty in understanding $3 million figure... So they bought 60,000 licenses. If we consider the complete $3 million towards licenses, it will be $500 per license, which I think is way too much. However I could not find the cost of the encryption software anywhere on the web (anyone with links????)

anyone care to explain approximately from where $3 million figure came?

Re:$3 million? (2, Informative)

Ohio Calvinist (895750) | more than 6 years ago | (#21663785)

Probably the cost of the investigation in lost hours, the price of notifying all those who were among the 130,000 and all that comes with it (lawsuits, credit checking, the cost of the corrective actions...) I went to a university of 11,000 at first that paid for 90 days of credit monitoring for all affected students after someone hacked into the student information system that stored SSNs. I'm sure the state had to deal with some more heat than a small university.

Re:$3 million? (0)

Anonymous Coward | more than 6 years ago | (#21663805)

It's estimated that the missing backup tape will cost Ohio $3 million.

No price given for software

Re:$3 million? (1)

MSDos-486 (779223) | more than 6 years ago | (#21663981)

That's not just the cost of new licenses. It is the cost of the fiasco as a whole, including paying everyone the overtime to fix the glitch.

Re:$3 million? (5, Informative)

asills (230118) | more than 6 years ago | (#21664011)

Last I checked $3,000,000 divided by 60,000 equals $50, not $500.

Math issues aside, if you RTFA (and follow TF link to the original article) you'll see the breakdown:

"The incident is expected to cost the state almost $3 million. Of that total, $2.3 million covers projected and existing enrollment in Debix Inc. credit protection services. Debix enrollment paid for by the state for affected individuals will remain open until Oct. 31. Debix protection will not be extended toward any businesses with information on the lost backup tape."

I highly doubt those licenses are figured into the $3 million estimate.

Re:$3 million? (1)

Penguinshit (591885) | more than 6 years ago | (#21664593)

$500 for a site-license, $2.5M for "educational services" and "support"...

This just in.... (0)

Anonymous Coward | more than 6 years ago | (#21663733)

...that same government official's boss has allotted him another week of vacation for not losing the REST of the data that all of Ohio stored.

Losing a week of vacation for a data breach that large is ridiculous; like a slap on the wrists. I bet he's going to get paid overtime for working that extra week.

What ya want to bet... (3, Funny)

lax-goalie (730970) | more than 6 years ago | (#21663763)

...that the next time they get a backup tape stolen, it'll have a post-it note stuck to the tape with the password on it?

What are these backup tapes, Kemo Sabe? (2, Insightful)

igb (28052) | more than 6 years ago | (#21664049)

You'll also be aware of the various rows here in England as the government displays its new networking technology: CDs and a courier. Most of us with medium-sized data farms (I herd about 50TB) are getting out of removable media as fast as we can. I've got 20TB of disk at the far end of 30 miles of GigE, which with compression (all hail ZFS!) provides me enough space to keep copies of all the critical data, plus a few weeks of daily snapshots. My RPO is ``that day's work'' and my RTO is essentially zero: I can serve the data up over NFS from the replicas as easily as from the live systems. Obviously, some of it's better than ``that day'': the Oracle archive logs go straight over, and the Cyrus mail server will replicate live as soon as I can find the time to get it working. But we're only using tape now for monthly audit copies, and those can therefore safely stay in the machine room: the data replicates offsite, and then comes back into the tape silo monthly. A machine room fire costs us the audit copies: if I feel keen I'll start cloning those and sending them offsite. If I can scare up the budget and offsite space for a MAID then I can get out of tape entirely.

A week's vacation? (4, Interesting)

Jester998 (156179) | more than 6 years ago | (#21663773)

the state docked a government official about a week of future vacation time for not ensuring that the data would be protected

I work as a DBA in a nonprofit healthcare organization. If our backup guys lost a tape, and I hadn't bothered to check off the box in our database backup software that says "Encrypt: 256-bit AES", I would lose my job.

This guy got dinged a whopping 1 week of vacation time. That's not even '1 week suspended without pay'. It's the equivalent of having to stay in detention after school.

I need to move over to the public sector or something.

Re:A week's vacation? (2, Insightful)

GodfatherofSoul (174979) | more than 6 years ago | (#21664019)

Oh please. We've seen mistakes FAR bigger than this in the private sector with less or no consequences. And, if every software outfit canned its employees after a single mistake of whatever scale, there'd be a heck of a lot more turnover in IT.

Re:A week's vacation? (1)

bladesjester (774793) | more than 6 years ago | (#21664239)

And, if every software outfit canned its employees after a single mistake of whatever scale, there'd be a heck of a lot more turnover in IT.

They frequently do. It's just that it usually isn't the person that's actually responsible because they found a scapegoat.

Re:A week's vacation? (0)

Anonymous Coward | more than 6 years ago | (#21664419)

Jester998, go back to the original /. thread if you're actually curious about this. Putting a few posts together made the much more reasonable explanation that this was a minor cover-up. Looks like a long-time employee trapped in Dilbertland was made to take the public fall to cover up ongoing management incompetence. If he didn't, they'd probably have made it rough for him to reach his approaching retirement. Instead he gets an insignificant financial ding & a reprimand that doesn't matter because he doesn't intend to seek another job in future, or much more promotion within Ohio's public sector.

The value of personal data (0)

Anonymous Coward | more than 6 years ago | (#21663795)

"In September the state docked a state government official about a week of future vacation time for not ensuring that the data would be protected."

So now we know how much Ohio state officials value the personal privacy of its citizens.
40hrs/130,000 - about 1.1 seconds of a government official's vacation time.

Makes me wonder why people stay in a state that values the personal privacy of its citizens so little.

Encrypted IDE connector? (1)

Midnight Thunder (17205) | more than 6 years ago | (#21663823)

Instead of using software, I wonder whether an IDE or SATA connector could be developed that encrypts and decrypts the data going to and from the drive. Basically your organisation would enter a key into the connector and the encryption would happen without the OS knowing. If you remove the drive then you wouldn't be able to use the drive without the connector.

Re:Encrypted IDE connector? (1)

tehniobium (1042240) | more than 6 years ago | (#21663879)

Wouldn't that slow down the drive quite a bit?

Especially for the solid state drives which apparently are the future?
Don't give Micro$oft a reason to encrypt data one more place in our computers :-(

Re:Encrypted IDE connector? (1)

LiquidCoooled (634315) | more than 6 years ago | (#21663891)

That's a good idea, but what if someone gets hold of a whole box?
How about if the hardware did the encryption, but was also linked to a localised physically protected network resource for its key data?

Re:Encrypted IDE connector? (1, Informative)

Anonymous Coward | more than 6 years ago | (#21664083)

Yes. There have been SCSI enclosures designed to do just that available for years. You can slap a standard tape drive in them, type a key in to the little display panel on the front, and boom -- encrypted tapes. They're not even terribly susceptible to theft of the entire hardware set, because the key (or at least part of it) is not hard-coded; it's stored in RAM and destroyed when the device is unplugged.

There are also in-line devices available if you want to connect to something you can't easily re-case. For example:
http://www.avax.com/paranoia2.html [avax.com]

What is my data doing outside anyway? (1, Insightful)

Anonymous Coward | more than 6 years ago | (#21663831)

Whether it's encrypted or not, why is sensitive data on employee laptops or in intern's cars?

How do you log and audit access to data to prevent abuses if you just hand out copies of databases?

WTF (2, Interesting)

zappepcs (820751) | more than 6 years ago | (#21663895)

I saw four horrifying words...

Intern, backup tape, car

encryption is probably low on the list of security concerns here... just WOW

I absolutely know that I don't want to hear the story of how those four words got used in the same sentence until happy hour is nearly over.

Those 4 words should never be needed in the same sentence. Process is just as important as encryption. That should have been 'backup tape', security company, armored transport, iron mountain in the sentence... oh wait, then there would be no story.

Re:WTF (4, Funny)

fireboy1919 (257783) | more than 6 years ago | (#21664137)

I absolutely know that I don't want to hear the story of how those four words got used in the same sentence until happy hour is nearly over.

Yeah? Well, I wouldn't mind. Not the sentence they added.

Perhaps this one:

"After I checked the backup tapes to ensure that 512-bit AES encryption was working, and that the tapes were still readable, I closed and deadbolted the tape room, and then went out to my car to go to lunch with the new (darn good looking) intern from the art department."

Re:WTF (0)

Anonymous Coward | more than 6 years ago | (#21664917)

I saw four horrifying words...Those 4 words should never be needed in the same sentence.

As I walked hand in hand with the hot new Swedish intern to my car on our way to grab some dinner and drinks, I remembered I forgot to put tonight's backup tape in the TapeMaster 2000. I thought to myself "fuck it, I'll blame it on a tape drive malfunction" and chuckled that low, soft chuckle only a BOFH can appreciate.

Re:WTF (1)

Mix+Master+Nixon (1018716) | more than 6 years ago | (#21665155)

I saw four horrifying words... Intern, backup tape, car

You forgot the word "Ohio". At least the word "election" wasn't around as well. We all know how that story ends.

How Long Before... (2, Insightful)

Anonymous Coward | more than 6 years ago | (#21663939)

...we see a story about 130,000 residence records locked and unavailable due to lost encryption passwords?

Brings me back to the question.... (4, Insightful)

ducomputergeek (595742) | more than 6 years ago | (#21663945)

WTF is this stuff doing on laptops in the first place?

It seems logical to me that this kind of information should be on centralized servers at a state office with managed firewalls and all the rest, with only hardwired terminals allowed access, with maybe a VPN set up for remote access if absolutely needed out in the field. I know wireless isn't 100% secure and no system is, but that just makes logical sense to me.

Re:Brings me back to the question.... (0)

Anonymous Coward | more than 6 years ago | (#21664215)

Except it was a backup tape stolen, not laptop.

Re:Brings me back to the question.... (0)

Anonymous Coward | more than 6 years ago | (#21664483)

"that just makes logical sense to me"

And this is why you fail.

Re:Brings me back to the question.... (2)

afidel (530433) | more than 6 years ago | (#21665043)

Yeah, a county agency (in Ohio) I had as a client was one of the most paranoid I've ever dealt with. They dealt with personally identifiable information of a very sensitive nature and they did things right. Everything was static IP with all LAN information captured to a secure auditing station with IP, MAC and port info recorded. The website their clients (service providers) connected to was behind a good firewall that had rules allowing only a single registered IP to connect from each provider and then used SSL with each agency having a password protected x.509 cert that allowed them access to only their own folder. The data from the website was moved daily via airgap to the LAN, so if somehow the server was compromised only one day's uploads would be exposed. It was kind of a pain supporting them because all work had to be done onsite, but I definitely appreciated their thorough approach to security.
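afidel's county agency setup reduces to three checks on every upload: the provider connects from the single IP registered to it, presents the x.509 client certificate registered to it, and touches only its own folder. The Go function below is an added example of those three checks layered together; it is not the agency's code, the registry entries, addresses and folder names are constructed, and the client certificate is assumed to have already been verified by the TLS handshake (the function consumes only its subject CN, as taken from `r.TLS.PeerCertificates[0]` in net/http).

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"path"
	"strings"
)

// Provider mirrors what the agency registered per service provider: the one
// IP it may connect from, the subject CN of its client cert, and its folder.
type Provider struct {
	Name   string
	IP     string
	CertCN string
	Folder string
}

// Constructed registry; the names and addresses are not real.
var registry = map[string]Provider{
	"clinic-a": {Name: "clinic-a", IP: "198.51.100.10", CertCN: "clinic-a.example", Folder: "/uploads/clinic-a"},
	"clinic-b": {Name: "clinic-b", IP: "198.51.100.20", CertCN: "clinic-b.example", Folder: "/uploads/clinic-b"},
}

// Request is the subset of an HTTPS request the checks need.
type Request struct {
	RemoteAddr string // "ip:port" as net/http reports it
	ClientCN   string // subject CN of the handshake-verified client certificate
	Path       string // requested URL path
}

// Authorize returns the provider a request may act as, or an error.
// All three conditions must hold: a registered certificate, the source IP
// registered for that certificate's owner, and a path that stays inside the
// owner's folder after normalisation (so "../" cannot cross into another's).
func Authorize(req Request) (Provider, error) {
	host, _, err := net.SplitHostPort(req.RemoteAddr)
	if err != nil {
		return Provider{}, fmt.Errorf("bad remote address: %w", err)
	}
	var owner *Provider
	for _, p := range registry {
		if p.CertCN == req.ClientCN {
			pp := p
			owner = &pp
			break
		}
	}
	if owner == nil {
		return Provider{}, errors.New("client certificate not registered")
	}
	if host != owner.IP {
		return Provider{}, fmt.Errorf("%s connected from %s, registered IP is %s", owner.Name, host, owner.IP)
	}
	clean := path.Clean("/" + req.Path)
	if clean != owner.Folder && !strings.HasPrefix(clean, owner.Folder+"/") {
		return Provider{}, fmt.Errorf("%s may not access %s", owner.Name, clean)
	}
	return *owner, nil
}

func main() {
	ok := Request{RemoteAddr: "198.51.100.10:52110", ClientCN: "clinic-a.example", Path: "/uploads/clinic-a/2007-12.csv"}
	p, err := Authorize(ok)
	fmt.Println("allowed as:", p.Name, err)
	// Same provider trying to reach another provider's folder via "..".
	bad := Request{RemoteAddr: "198.51.100.10:52110", ClientCN: "clinic-a.example", Path: "/uploads/clinic-a/../clinic-b/x.csv"}
	_, err = Authorize(bad)
	fmt.Println("rejected:", err)
}
```

The prefix test compares against `Folder + "/"` rather than `Folder` alone so that a provider whose folder is `/uploads/clinic-a` is not quietly granted `/uploads/clinic-ab`.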

Obligatory... (1)

cerskine (202611) | more than 6 years ago | (#21663951)

... nevermind.

A panic reaction (1)

tuomoks (246421) | more than 6 years ago | (#21663955)

Great, now they have a tool to encrypt! Let's hope they thought about key management before implementing it. It's great for vendors that some have no idea of security - more sales. Next we will read all the keys stolen by an employee (usually high in hierarchy, just my experience) and have to start all over again. Or am I too pessimistic / skeptical when it comes to security?

They led the horse to water... (4, Interesting)

Darth Muffin (781947) | more than 6 years ago | (#21664041)

... but can't make it drink. Encryption is only a partial solution. You still need to keep your backup tapes secure (they won't be encrypted by this software, but most higher end backup software will), and you need to keep people from copying files to USB sticks or burning to CD.

I Call Bullshit (2, Insightful)

pseudorand (603231) | more than 6 years ago | (#21664067)

Encryption is crap unless it's used by those trained to understand how it works and what it's limitations are, which I'm sure 60,000 employees will not be. What happens when an employee copies data to a USB disk or e-mails it to someone. If the software prevents this, it will be a major pain in the arse that will cost a lot more than $3 million in lost productivity. If it doesn't, then data will get stolen and everyone will say "no problem, it was encrypted", until massive identity theft cases force them to admit that not all copies were encrypted, but, because the guy in charge spent $3 Million, he'll argue that he did everything reasonable and no one will be held accountable. The real solution is to LIMIT ACCESS TO SENSITIVE DATA TO TRAINED EMPLOYEES WHO ACTUALLY NEED IT TO DO THEIR JOB. I can't imagine that there's 60,000 employees who actually need the personal information of 130,000 Ohio residents. I'm not saying it's obvious who needs what data, but $3 million would buy a lot of manpower to figure it out.

And what happened to Encrypted File System. You know, built-in to NTFS, complete with administrative recovery keys, doesn't cost $3 million? This sounds like just more government waste and McAfee marketing to me.
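tuomoks asked whether key management was thought through before the rollout, an AC asked how long before 130,000 records are locked behind lost passwords, and pseudorand points at EFS's administrative recovery keys. The mechanism all three are circling is key escrow: encrypt the data under a random data-encryption key (DEK), then wrap that DEK separately under the user's key and under an administrator-held recovery key, so either one unlocks the data and a forgotten passphrase costs a re-wrap rather than the data. The Go program below is an added example of that pattern, not EFS or SafeBoot code; the two key-encryption keys are assumed to be 32-byte values already derived from a passphrase or held in hardware (the derivation and the safekeeping of the recovery key are out of scope), and the payload is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Labels bound as additional data so one wrap cannot be passed off as another.
var labelUser, labelRecovery, labelData = []byte("user-wrap"), []byte("recovery-wrap"), []byte("data")

// EscrowedKey is stored beside the encrypted archive or volume.
type EscrowedKey struct {
	UserWrap     []byte // nonce || AES-GCM(DEK) under the user's KEK
	RecoveryWrap []byte // nonce || AES-GCM(DEK) under the admin recovery KEK
	DataCipher   []byte // nonce || AES-GCM(payload) under the DEK
}

func gcm(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("keys must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext+tag for plain under key, with label as AAD.
func seal(key, plain, label []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plain, label)...), nil
}

func open(key, rec, label []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(rec) < ns {
		return nil, errors.New("record too short")
	}
	return aead.Open(nil, rec[:ns], rec[ns:], label)
}

// Protect encrypts payload under a fresh DEK and escrows the DEK under both KEKs.
func Protect(userKEK, recoveryKEK, payload []byte) (*EscrowedKey, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	e := &EscrowedKey{}
	var err error
	if e.UserWrap, err = seal(userKEK, dek, labelUser); err != nil {
		return nil, err
	}
	if e.RecoveryWrap, err = seal(recoveryKEK, dek, labelRecovery); err != nil {
		return nil, err
	}
	if e.DataCipher, err = seal(dek, payload, labelData); err != nil {
		return nil, err
	}
	return e, nil
}

// Recover decrypts with whichever KEK is supplied: the user's or the admin's.
func Recover(e *EscrowedKey, kek []byte) ([]byte, error) {
	dek, err := open(kek, e.UserWrap, labelUser)
	if err != nil {
		if dek, err = open(kek, e.RecoveryWrap, labelRecovery); err != nil {
			return nil, errors.New("key is neither the user key nor the recovery key")
		}
	}
	return open(dek, e.DataCipher, labelData)
}

// RotateUserKey handles the forgotten-passphrase case: the admin unwraps the
// DEK with the recovery key and re-wraps it for a new user key. The data and
// the recovery wrap are untouched, so no re-encryption of the volume is needed.
func RotateUserKey(e *EscrowedKey, recoveryKEK, newUserKEK []byte) error {
	dek, err := open(recoveryKEK, e.RecoveryWrap, labelRecovery)
	if err != nil {
		return fmt.Errorf("recovery key rejected: %w", err)
	}
	wrap, err := seal(newUserKEK, dek, labelUser)
	if err != nil {
		return err
	}
	e.UserWrap = wrap
	return nil
}

func main() {
	user, admin, newUser := make([]byte, 32), make([]byte, 32), make([]byte, 32)
	rand.Read(user)
	rand.Read(admin)
	rand.Read(newUser)
	e, _ := Protect(user, admin, []byte("constructed payroll export"))
	_ = RotateUserKey(e, admin, newUser) // user forgot the passphrase; admin re-issues
	got, err := Recover(e, newUser)
	fmt.Printf("%q %v\n", got, err)
}
```

The recovery wrap is the part that turns "lost password" from a data-loss event into a help-desk ticket; it is also the part that needs the tightest handling, since whoever holds the recovery KEK can open every escrowed DEK, which is exactly the insider scenario tuomoks describes.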

Re:I Call Bullshit (2, Insightful)

Starteck81 (917280) | more than 6 years ago | (#21664723)

Have you ever tried to teach a lot of non-technical people to follow security procedures? I work for a CPA firm that takes security pretty seriously. All of our hard drives are encrypted. We have a secure web portal to transfer files instead of sending them via e-mail. We have encrypted USB thumb drives.

We have tried to train our employees to use these tools so as to be secure, but I still catch people sending things via e-mail and using unencrypted USB drives that they bought. It's not a huge percentage of people but it still happens, and all it takes is one person not following the rules.

The point I'm trying to drive home is that at best you can only hope to mitigate your exposure to data theft. Encrypting your disks is a step in the right direction. As for your assertions that they use unencrypted USB drives and unencrypted e-mail, well, please cite a source that tells us for sure that they are unencrypted. Otherwise you're just making assumptions and we all know what happens when you do that...

SafeBoot? The poor bastards. (5, Informative)

jrronimo (978486) | more than 6 years ago | (#21664109)

Part of my job involves working on laptops owned by an agency that uses SafeBoot to encrypt data on laptops. Gather children, let me tell you of SafeBoot...

1. SafeBoot is whole-disk encryption, but Windows-partitions-only. If you dual-boot or use Linux, there is no solution for you except "Please don't lose your laptop".
2. SafeBoot requires a login before you can boot Windows. If you get your password wrong, you must wait a certain amount of time before you can re-enter your passwords. At first, it's not that bad -- a few seconds. But each successive failure increases the time... eventually, you're waiting minutes.
3. SafeBoot encrypts the drive so that you can't access the drive from another machine -- which is what it's designed for, of course. Try being an IT guy in this scenario: You can't perform ANY troubleshooting that doesn't involve booting Windows. If Windows fails to boot, you have to have your hard-drive decrypted (which, for us happens off-site and is a MAJOR pain in the ass). I cannot boot off a Windows CD to use the recovery console to replace damaged registry files. I cannot do a 'repair' install. I could wipe the drive and re-install Windows...
4. The password policy in place requires users to change their password periodically and be of a certain complexity level. Most users have their SafeBoot password written on a piece of paper and taped to their machine, now...

There's a line between security and usability. When SafeBoot works, it appears great -- it doesn't impact system performance *that* much and it encrypts the contents of the entire drive, woo. But when something goes wrong, it becomes a big pain.

To be honest, though, I think the bigger problems for the work *I* run into with SafeBoot are the policies in place, rather than SafeBoot itself.

Re:SafeBoot? The poor bastards. (1)

dimeglio (456244) | more than 6 years ago | (#21664675)

4. The password policy in place requires users to change their password periodically and be of a certain complexity level. Most users have their SafeBoot password written on a piece of paper and taped to their machine, now...
This is why my co-workers and I always stick a label below the laptop and write my latest password on it.

Re:SafeBoot? The poor bastards. (1)

bockelboy (824282) | more than 6 years ago | (#21665077)

Interesting.

In the Unix world, you could just encrypt the $HOME directory of all the users and simply not give them the rights to write outside of that directory. Make sure you don't deploy applications which both keep sensitive data and run as root ... and success!

Unless Ohio is doing something top-secret with the OS their users are running, I guess I only see the need for encrypting the entire drive when there aren't sufficient security policies in the first place.

Then again, I can do plenty of development on Linux without root permissions. Being that most Windows software can't be installed without root permission... well, let's just say I believe I'm lucky to work in a Linux / Mac shop.

The $3 million (1)

SamMichaels (213605) | more than 6 years ago | (#21664157)

The way it's worded seems a little ambiguous to me. Did the theft alone cost the state $3 million or did the theft cause the state to spend $3 on licensing a product from McAfee? Both sound like reasonable figures when dealing with the public sector and taxpayer money.

Isn't going to help (3, Insightful)

belthize (990217) | more than 6 years ago | (#21664191)

If they have 60,000 computers with 'sensitive' data on it then they're borked already.

If they want to encrypt people's laptops/desktops then fine ... if they want to prevent personal civilian data from leaking out they're off by a few orders of magnitude on the extent of their distributed storage.

Belthize

Government (1)

rice_burners_suck (243660) | more than 6 years ago | (#21664197)

Why don't they just use GPG? It won't cost them three million dollars, and it'll be just as good. It's not going to cost Ohio's government three million dollars. It's going to cost the people who live in Ohio three million dollars in tax dollars. Every time someone says, "Let the government pay for that," they really mean, make us all pay for that, because where does the government get its money? From your hard work! And every time someone says, "Let corporations pay for that," they really mean, make us all pay for that, because where do corporations get their money? That's right! It comes out of your pocket whenever you buy any product or service. Somewhere along the line, it was mined, grown, processed, moved, removed, produced, packaged, housed, assembled, displayed, sold, etc., by a corporation. And when that corporation's expenses go up, it becomes included in the price structure of the product or service you buy.

Re:Government (1)

Shados (741919) | more than 6 years ago | (#21664231)

Hmm, while I'm sure the software costs a lot, the summary at least (I didn't read the article, bleh =P ) states that the missing tape is going to cause 3 million $ in loss. I'm guessing a lot of that money is from the damage the loss has caused and stuff... I'd be surprised if the software was even close to half of that.

It doesn't make your argument any less valid, mind you, but...

Re:Government (1)

faloi (738831) | more than 6 years ago | (#21664389)

Likely because they're faced with a couple of choices... Try to get their overburdened support staff up to a point where they're knowledgeable enough about GPG to get it installed, tested, out to the users and get them trained on it. They can hire a consulting company to come in and do all that for them. Or they can go to a vendor who likely sold them all the time and effort to get that going as part of the seat licenses. And all that assumes GPG can do full disk encryption on boot that integrates into a (likely) Windows Active Directory tree.

Re:Government (1)

BroadwayBlue (811404) | more than 6 years ago | (#21664415)

It's not about a particular tool being the solution. Nothing ever is. It's about culture and education.

Re:Government (1)

phantomcircuit (938963) | more than 6 years ago | (#21664793)

And every time someone says, "Let corporations pay for that," they really mean, make us all pay for that, because where do corporations get their money? That's right! It comes out of your pocket
Let's follow your logic here.

  1. Expenses increase
  2. Corporation has less money
  3. Corporation increases prices
  4. Consumers pay more

Seems like airtight logic right?

But what if the corporation is already making so much money that the loss doesn't actually produce a need to increase prices?

Your logic will only really follow when CEOs stop being paid billions of dollars.

TrueCrypt (2, Informative)

bruno.fatia (989391) | more than 6 years ago | (#21664367)

TrueCrypt is a very nice free solution and I've been using it for months, haven't had a single problem with it. I guess they were not aware of that software, maybe because they simply didn't look for ANY other products beside McMoney's..

Re:TrueCrypt (1)

Spy der Mann (805235) | more than 6 years ago | (#21664941)

I was going to post the same thing but I searched for your post first (hey, apparently I'm smarter than Ohio govt :P )

My guess is that after the breach, McAfee contacted the guys, who, obviously, haven't got a clue, and in a knee-jerk reaction said "yes, please!".

All those tax dollars... what a waste.

Seriously...Why? (1)

DDLKermit007 (911046) | more than 6 years ago | (#21664509)

The government has a software package they use for such things already. The McAfee stuff is weak in comparison.

LOL BArnDOrrrrrrz!!!!!! Teh Funnyz! (1)

Darth_brooks (180756) | more than 6 years ago | (#21664577)

You can joke about this being a case of closing the barn door long after the horses have gone scurrying into the country side but......someone got punished and a preventative measure is being taken. You can't hope for a whole lot more than that, especially from a government agency.

Another GET A CLUE! (1)

killmofasta (460565) | more than 6 years ago | (#21664617)

Jeez, put a finger in the dike!

Here is the SECRET on HOW NOT TO LOOSE DATA IN CARS!

Ready?
Really, Ready?
No, Are you Really, Really, Ready?

DON'T LEAVE YOUR LAPTOP IN YOUR CAR!

Go back and get it.

A friend of mine, decades ago, lost his portfolio on Syquest cartridges that he left in his car ( I would have written them off already, but I digress ). I learned the lesson from his mistake. NEVER EVER EVER leave your laptop in your car. Take it out before your lunch. If you really had to, you could replace your lunch.

Want to know another secret? (0)

Anonymous Coward | more than 6 years ago | (#21664761)

How to spell "lose" !

No Pretenders yet? (1)

stummies (868371) | more than 6 years ago | (#21664649)

I went back to Ohio
But my data was gone...

I don't see how Safeboot will stop backup tapes (1)

iamacat (583406) | more than 6 years ago | (#21664661)

What's the use to encrypt your hard drive just to make a nice decrypted backup later? Conversely, this particular problem can probably be solved cheaper, since I doubt that they have 60000 tape drives in the office. Any decent backup software should already support encryption anyway.

I am not saying workstation security is not important, but here it sounds like someone doesn't even understand the problem that they had.

Re:I don't see how Safeboot will stop backup tapes (1)

JimmyDeanRockOn (1201851) | more than 6 years ago | (#21664835)

Safeboot has policy-based file encryption, too, not just whole disk. It's part of the "Network Security Family" on their web site.

60,000 licenses for.. (1)

Sloppy (14984) | more than 6 years ago | (#21664867)

..one gpg command in between tar and the output device.

Why, oh why, didn't I become a government contractor?!?
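As an added example (not code from any post in this thread) of the tar-to-gpg pipeline iamacat and Sloppy describe: the tar stream is encrypted with gpg's symmetric AES-256 mode before it reaches the output file or tape device, restored the same way, and the round trip checked. It assumes GnuPG 2.x and tar are installed; the directory names, file contents and passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the Slashdot thread: encrypt a backup stream with one gpg
# command between tar and the output device, then restore and verify it.
set -eu

# encrypted_backup SRC_DIR PASSFILE OUT
# Streams a tar archive of SRC_DIR through gpg symmetric (AES-256) encryption.
# The passphrase is read from PASSFILE so it never appears on the command line.
# OUT may be a file or the tape device (e.g. /dev/nst0, a placeholder here).
encrypted_backup() {
    src=$1; passfile=$2; out=$3
    tar -C "$(dirname "$src")" -cf - "$(basename "$src")" \
      | gpg --batch --yes --quiet --pinentry-mode loopback \
            --passphrase-file "$passfile" \
            --symmetric --cipher-algo AES256 -o "$out"
}

# encrypted_restore IN PASSFILE DEST_DIR
# Decrypts IN with the same passphrase and unpacks the archive into DEST_DIR.
encrypted_restore() {
    in=$1; passfile=$2; dest=$3
    mkdir -p "$dest"
    gpg --batch --quiet --pinentry-mode loopback --passphrase-file "$passfile" \
        --decrypt "$in" | tar -C "$dest" -xf -
}

# demo_roundtrip: builds constructed sample data in a temp dir, backs it up,
# checks the plaintext marker is absent from the ciphertext, restores it and
# returns 0 only if the restored file matches the original byte for byte.
demo_roundtrip() {
    work=$(mktemp -d)
    umask 077
    export GNUPGHOME="$work/gnupg"; mkdir -m 700 "$GNUPGHOME"
    mkdir -p "$work/src"
    printf 'SSN 000-00-0000 (constructed sample)\n' > "$work/src/residents.csv"
    printf 'correct horse battery staple\n' > "$work/pass"   # constructed passphrase
    encrypted_backup "$work/src" "$work/pass" "$work/backup.tar.gpg"
    # the sensitive text must not be readable in the encrypted stream
    if grep -q 'constructed sample' "$work/backup.tar.gpg"; then return 1; fi
    encrypted_restore "$work/backup.tar.gpg" "$work/pass" "$work/restore"
    cmp -s "$work/src/residents.csv" "$work/restore/src/residents.csv"
}
```

Keep the passphrase file (mode 0600) off the same tape as the backup, or the encryption protects nothing.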

Encrypt Ohio (1)

InterestingX (930362) | more than 6 years ago | (#21664873)

The state will now be called kaV#29v@a

Re:Encrypt Ohio (1)

Dachannien (617929) | more than 6 years ago | (#21664933)

The state will now be called kaV#29v@a
New state slogan:

kaV#29v@a: the d41d8cd98f00b204e9800998ecf8427e of it all!

Horse gone - Elephant still in room (3, Insightful)

toby (759) | more than 6 years ago | (#21664909)

Hmm... I wonder if they give a damn that their state-wide reliance on Windows is another accident waiting to happen.

Care about trojans, keyloggers, viruses, and all the other uncountable ways to lose confidential data, not to mention productivity?

Get rid of Windows as well. You'll never regret it.

One dumb ass move deserves another (1)

dynomitejj (1113319) | more than 6 years ago | (#21664959)

McAfee ??? I can just see some state dude going down to Best Buy and asking the Geek Squad which software is best. Seriously, McAfee sucks. That software always gave me problems. Could they not find a better solution ? The ONLY reason McAfee is in there is because whoever made the purchasing decision did not know any better.

MY MONEY! (1)

thatskinnyguy (1129515) | more than 6 years ago | (#21665055)

Hmmm, my money is at stake, so what do they do? They pay for this solution with my money!