Ohio Plans To Encrypt After Data Breach

Lucas123 writes "After a backup tape containing sensitive information on 130,000 Ohio residents, current and former employees, and businesses was stolen from the car of a government intern in June, the state government just announced it has purchased 60,000 licenses of encryption software — McAfee's SafeBoot — for state offices to use to protect data. It's estimated that the missing backup tape will cost Ohio $3 million. In September, the state docked a government official about a week of future vacation time for not ensuring that the data would be protected."

hindsight is 20/20

[Endloser]

People just won't learn that security should be proactive. Society is a very slow learner.

Re:

[__aaclcg7560]

Especially when senesitive data is given to an intern. Doesn't anyone read Dilbert?

Technological revolution has been far faster...

[Futurepower(R)]

The technological revolution has happened far faster than the ability of humans to adjust.

TrueCrypt [truecrypt.org] is free encryption for both Windows and Linux. It works extremely well, in my experience.

Re:

[__aaclcg7560]

No kidding. I recently saw an article on "Web 3.0" last week. I'm not even finished with Web 1.0 yet.

Re:

[QuickFox]

Why not?

Re:

[pat mcguire]

The problem is that the government workers don't have the proper technical expertise. Security is only as strong as the weakest link, and even with Windows on the laptops the operating system is usually not the issue, the stupidity of people are. All OpenBSD would do is add another layer of security that the user would disable in order to save five seconds and the trouble of remembering a password. Secondly, OpenBSD's security is mostly directed at remote attacks, as the developers realize that there's n

Re:

[sp0rk173]

Hardware support is actually quite good for good laptops, it works great on my thinkpad X31, which I use as my traveling laptop to stay connected to things. Basically just need web and IM, which it'll do perfectly. Use something low-range like ION for the window manager and it becomes a nice little information hub with very very little bloat. Add the filesystem level encryption and you've got something that won't hand your identity to anyone who steals it, to boot.

Of course, if you want to play games,

Re:

[sp0rk173]

Hah. Actually, I do! And it works perfectly well. Suspend works, WiFi works, it gives me everything *I* need. Of course, that's a lot less than most people, but i like being a minimalist.

Backups Won't Be Encrypted

[nuxx]

Er, while this software encrypts data on the disk, it doesn't encrypt the backups. These will still be cleanly read from the disks and written out to tape.

And?

[Colin Smith]

Your problem is? They have been seen to have done something.
 

Re:

[barzok]

Sure, they did "something."

But they didn't address the problem that actually led to the breach. They're encrypting laptops, but it was backup tapes which were compromised. No mention of those getting encrypted.

Re:

[afidel]

I would bet they are also going to use encryption in their backup procedure, either in the backup software (inexpensive licensing but expensive in CPU time and hitting backup windows) or by purchasing new tape libraries/drives with crypto modules (not so cheap, though a few vendors offer it at little extra cost once you've already bought the expensive library).

Re:

[palegray.net]

You make the assertion that this software won't encrypt the backups. Please answer the following questions:

1. What are your sources for that assertion?

2. Have you personally used the software?

3. Have you seen this page [safeboot.com]?

Next time, please think before posting. If you're 100% sure your original statement is valid, I'll gladly stand corrected and eat a healthy slice of humble pie.

Looks right...

[SanityInAnarchy]

I just checked that page, and while I may be jumping the gun a bit, I see no mention of "backup" or "tape". Thus, I can only conclude that unless their backup software itself separately encrypts the backup, or unless the backups are full disk images (taken while the OS is shut down), the backups will not be encrypted.

Of course, those are a couple of assumptions, but they're pretty likely ones.

Disclaimer: I'm not the grandparent poster.

60,000 licenses?

[Knara]

Couldn't they have found an OSS solution that would have, y'know, saved the state an assload of money? I'm not an "OSS can do everything commercial software can, but better!" zealot, but that's a big bit of pocket change to be throwin' out for a solution, there.

Re:

[duffbeer703]

There are no Open Source FDE solutions, although some of the commercial products use OpenSSL.

FDE?

[SanityInAnarchy]

Explain what the requirement of FDE is.

I currently boot my laptop off a USB stick. While I have only configured it to use every single partition encrypted (Linux root, swap, and shared NTFS with Windows), it would be a small step to encrypt the whole disk. (Of course, then I couldn't boot Windows.) I don't currently have passphrases on the key files on that USB stick, but I don't use it for anything else, and, again, that would be a small step.

Obviously, the USB stick cannot itself be encrypted. Must there

Re:

[SanityInAnarchy]

Unless you are using FDE (full disk encryption), you just can't trust that Windows or some Windows application won't write your sensitive data in a place you won't think to encrypt.

It is actually possible to be pretty confident of that -- enough that I don't bother with trying to encrypt the whole thing (yet).

I say "yet" because I still intend to do my work with the Windows-specific stuff in a virtual machine, and everything else on Linux -- which means I can throw the VM image on an encrypted partition,

Re:

[JimDaGeek]

Hmm, www.safeboot.com [safeboot.com] seems real secure. What's not to like? ;-)

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Tetsujin]

I know this is a terrible excuse, but paying for a solution *may* make the ignorant masses feel better.

taxpayer: "hey you could have prevented this disaster without spending an assload of money? WTF!"

More to the point, if there's another incident after they buy the software, they can blame McAffee...

Free Software Fails: "Thrifty" fellow who decided to use it gets burned ("Why did you cut corners on important security stuff? Why didn't you shell out some money for a real solution?")
McAffee Software Fails: Buyer takes some heat ("why did you buy that crap?") but seller takes more heat (their product is demonstrated ineffective in a widely published story...)

The fact that there's a software company moti

Re:

[Prof.Phreak]

"Why did you cut corners on important security stuff? Why didn't you shell out some money for a real solution?" ...``Now you'll lose a whole week of future vacation time due to this multimillion dollar screwup!''

Re:

[Lord Ender]

The only semi-mature opensource disk encryption product is TrueCrypt, and that completely lacks centralized management and the ability to encrypt boot partitions.

Also, as is obvious to anyone who has been watching the news in the past year, the state of Ohio does not exactly have a stellar, top-talent IT program. It would not be a good idea for the to forge a new path with unsupported software.

Re:

[SanityInAnarchy]

What makes TrueCrypt less "mature" than, say, LUKS or good ol' Cryptoloop?

And no software can give you the ability to encrypt boot partitions. Where do you suppose the software itself is stored, then? Maybe the Magical Crypto Fairies will decrypt it from the hard disk first thing? (Of course, I can always throw my boot partition on another device -- I currently boot my laptop off a USB stick.)

Re:

[Aram Fingal]

Central management is the key. Where I work, we would really like to switch from PGP to GPG but we can't because of the lack of ADK (Additional Decryption Key) functionality. This is a sort of master key which is held by the institution in case someone forgets their password or gets hit by a bus or some such thing. ADK is absolutely necessary because we have to ensure availability of data as well as confidentiality.

On the Mac side, FileVault is good because it has central management but it has the one dr

Re:

[CodeBuster]

It seems to me that unless they need or want whole disk encryption of the boot partition, which still doesn't answer the unencrypted backup tape question, that TrueCrypt [truecrypt.org] would have been perfect for them.

Re:

[Chanc_Gorkon]

Clueless state officials would say I need a nic ecushy service contract. It's called indemnification. If they buy software, they THINK that they can absolve themselves of anything if they have that service contract. I keep telling my friends who work at the state that even though something is techically their fault, it's still the their responsibility to keep the data safe. This encryption software will fix diddly if people:

Share passwords
Share logins
Print stuff off on paper, take it home and lose it.

and

Re:60,000 licenses?

[H310iSe]

truecrypt [truecrypt.org].

sigh

Re:

[Minwee]

"So, in light of this embarassing breach, what have you done to ensure the security of Ohio residents' personal information?"

"Well, we spent three million dollars on the best encryption software that we could find. We haven't actually installed any of it, and it is causes some incompatibilities with our existing procedures so we probably never will take it out of the box, and if we do chances are that we will just do a half-assed installation which leaves most of the key features disabled, but gosh darn i

They got it wrong.

[Poromenos1]

Someone tell them they were supposed to encrypt the data before the breach!

Calling all Buckeyes!

[pegr]

Help me close this barn door, would ya?

Lots of Horses Still In that Barn

[billstewart]

Right now there's either zero, one, or a small number of scammers who've got a copy of that one data set and the skills to sell it to somebody who can abuse it. It's obviously not good, but there are millions of scammers out there and thousands who've got the skill sets to do something with it who don't have it yet, and many other sets of data that the state has which are even easier to abuse.

Of course, if you parse the Slashdot article title, you'd think that Ohio plans to do lots of remedial encryption *

Re:

[sethstorm]

IO

Gotta love government jobs...

[Stanislav_J]

The state loses $3 million bucks, and the guy responsible gets the punishment of a whole week of lost vacation time? Wow....I want to find me a job where I can screw up so badly and get off so lightly. I mean....other than the Presidency.

Re:

[syousef]

If it wasn't standard practice to encrypt the data, and if it was standard practice for this guy to be required to carry the tape in his car, I'd argue he was made a scapegoat even if it is just a week's vacation that he lost. Unless of course the guy is responsible for setting policy/procedure (but even then someone should be reviewing that and signing off).

Re:

[Prof.Phreak]

Not only that, but his job is already practically vacation!

Re:

[Minwee]

"If anything can go wrong, it will." - Murphy

Finagle [wikipedia.org], actually. Murphy's Law has a subtly different meaning.

Interestingly enough, referring to Finagle's Law as Murphy's is itself an example of Murphy's Law in action.

Re:

[dgatwood]

Raise your hand if you've ever accrued less than one day per month vacation time. Anybody? Seriously? Heck, most retail employees get at least one day a month.... If you're getting less than that in high-tech, you should seriously find a better job... one that doesn't involve pushing buttons on a highly specialized computing device and asking people if they would like fries with that.... Five days a year is just one tier above "burger flipper".

According to Wikipedia, "According to a report by the Fam

Re:

[Mean Variance]

8.34 hrs per semi-monthly pay period == 25 days PTO per year. At my 9th anniv. (just hitting 8), it's 30 days. PTO = sick = vacation = personal days. We're a venture funded company in its 11th year - still waiting to go public.

I have my complaints about my job and where I work, but the PTO is a gem and I think has helped retain many of the software engineers when jobs in Silicon Valley are semi abundant.

In tech I think 15 days is a quite common starting point.

Gov't employees usually get lots of vacation

[billstewart]

There are three main differences between how much vacation government employees and high-tech workers get

• High-tech workers usually change companies often, so they don't get very high up the vacation curve, while government workers usually stick around a long time. Working at startups is especially that way, because they often don't last more than two-three years, and many high-tech workers do contract work so they also don't usually accrue much vacation. There are exceptions, mostly old-line businesses

What ya want to bet...

[lax-goalie]

...that the next time they get a backup tape stolen, it'll have a post-it note stuck to the tape with the password on it?

What are these backup tapes, Kemo Sabe?

[igb]

You'll also be aware of the various rows here in England as the government displays its new networking technology: CDs and a courier. Most of us with medium-sized data farms (I herd about 50TB) are getting out of removable media as fast as we can. I've got 20TB of disk at the far end end of 30 miles of GigE, which with compression (all hail ZFS!) provides me enough space to keep copies of all the critical data, plus a few weeks of daily snapshots. My RPO is ``that day's work'' and my RTO is essentially z

Re:

[SendBot]

Wow, I wrangle a good bit of data for my personal use, but you're obviously in a league well above mine.

So how does MAID compare to RAID?

A week's vacation?

[Jester998]

the state docked a government official about a week of future vacation time for not ensuring that the data would be protected

I work as a DBA in a nonprofit healthcare organization. If our backup guys lost a tape, and I hadn't bothered to check off the box in our database backup software that says "Encrypt: 256-bit AES", I would lose my job.

This guy got dinged a whopping 1 week of vacation time. That's not even '1 week suspended without pay'. It's the equivalent of having to stay in detention after school.

I need to move over to the public sector or something.

Re:

[GodfatherofSoul]

Oh please. We've seen mistakes FAR bigger than this in the private sector with less or no consequences. And, if every software outfit canned its employees after a single mistake of whatever scale, there'd be a heck of a lot more turnover in IT.

Re:

[bladesjester]

And, if every software outfit canned its employees after a single mistake of whatever scale, there'd be a heck of a lot more turnover in IT.

They frequently do. It's just that it usually isn't the person that's actually responsible because they found a scapegoat.

Re:A week's vacation?

[syousef]

I work as a DBA in a nonprofit healthcare organization. If our backup guys lost a tape, and I hadn't bothered to check off the box in our database backup software that says "Encrypt: 256-bit AES", I would lose my job.

What you need to ask is what was the procedure and was the guy following it?

If it's standard procedure for this guy to carry unencrypted data around in his car, it's the guy setting policy/procedure that should be made responsible.

If it is standard procedure for you to encrypt your data, and you fail to follow that procedure you should be disciplined. Better still would be to find a way to make that little check box for encryption on by default. Even better would be to find a way to restrict export without encryption unless it's authorized by a second person. It shouldn't be easy for you to make a mistake that could cause you or your company massive damage.

Re:

[Jester998]

Very good points, actually. At my place of employment, we're a fairly small IT department -- I'm the sole DBA, so by default any policy relating to database operation/security/etc originate with me anyways (although formal policies get approved by the department's director). So, at least in my case, whether it's from lack of policy or breach of policy, it's all on my head anyways. :p

In larger shops, I definitely agree with you. There should be both policies *and* technology in place to prevent violations

Encrypted IDE connector?

[Midnight Thunder]

Instead of using software, I wonder whether an IDE or SATA connector could be developed that encrypts and decrypts the data going to and from the drive. Basically your organisation would enter a key into the connector and the encryption would happen without the OS knowing. If you remove the drive then you wouldn't be able to use the drive without the connector.

WTF

[zappepcs]

I saw four horrifying words...

Intern, backup tape, car

encryption is probably low on the list of security concerns here... just WOW

I absolutely know that I don't want to hear the story of how those four words got used in the same sentence until happy hour is nearly over.

Those 4 words should never be needed in the same sentence. Process is just as important as encryption. That should have been 'backup tape', security company, armored transport, iron mountain in the sentence... oh wait, then there would be no story.

Re:WTF

[fireboy1919]

I absolutely know that I don't want to hear the story of how those four words got used in the same sentence until happy hour is nearly over.

Yeah? Well, I wouldn't mind. Not the sentence they added.

Perhaps this one:

"After I checked the backup tapes to ensure that 512-bit AES encryption was working, and that the tapes were still readable, I closed and deadbolted the tape room, and then went out to my car to go to lunch with the new (darn good looking) intern from the art department."

Re:WTF... Decoy?

[davidsyes]

Maybe the Ohio department has such MI-5-like employees that they need interns as decoys?

How Long Before...

[Anonymous Coward]

...we see a story about 130,000 residence records locked and unavailable due to lost encryption passwords?

Brings me back to the question....

[ducomputergeek]

WTF is this stuff doing on laptops in the first place?

It seems logical to me that this kind of information should be on a centralized servers at a state office with managed firewalls and all the rest with only hardwired terminals allowed access with maybe a VPN set up for remote access if absolutely needed out in the field. I know wireless isn't 100% secure and no system is but that just makes logical sense to me.

Re:

[afidel]

Yeah a county agency (in Ohio) I had as a client was one of the most paranoid I've ever dealt with. The dealt with personally identifiable information of a very sensitive nature and they did things right. Everything was static IP with all LAN information captured to a secure auditing station with IP, MAC and port info recorded. The website their clients (service providers) connected to was behind a good firewall that had rules allowing only a single registered IP to connect from each provider and then used

Re:

[davidsyes]

O-Hai-Yo Arrrht... Etch-Uhhh-Sketch...

Maybe they think laptops are high-tech Etch-A-Sketches and cannot be networked?

I guess in the end, the department head will be "shaken", but not "stirred", happy hour or not.

A panic reaction

[tuomoks]

Great, now they have a tool to encrypt! Let's hope they thought about key management before implementing it. It's great for vendors that some have no idea of security - more sales. Next we will read all the keys stolen by an employee (usually high in hierarchy, just my experience) and have to start all over again. Or am I too pessimistic / skeptical when it comes to security?

They led the horse to water...

[Darth Muffin]

... but can't make it drink. Encryption is only a partial solution. You still need to keep your backup tapes secure (they won't be encrypted by this software, but most higher end backup software will), and you need to keep people from copying files to USB sticks or burning to CD.

I Call Bullshit

[pseudorand]

Encryption is crap unless it's used by those trained to understand how it works and what it's limitations are, which I'm sure 60,000 employees will not be. What happens when an employee copies data to a USB disk or e-mails it to someone. If the software prevents this, it will be a major pain in the arse that will cost a lot more than $3 million in lost productivity. If it doesn't, then data will get stolen and everyone will say "no problem, it was encrypted", until massive identity theft cases force them to

Re:

[Starteck81]

Have you ever tired to teach a lot of non-technical people to follow security procedures? I work for a CPA firm that takes security pretty seriously. All of our hard drives encrypted. We have a secure webportal to transfer files instead of sending them via e-mail. We have encrypted usb thumb drives.

We have tried to train our employee's to use these tools so as to be secure but I still catch people sending things via e-mail and using unencrypted USB drives that they bought. It's not a huge percentage of

SafeBoot? The poor bastards.

[jrronimo]

Part of my job involves working on laptops owned by an agency that uses SafeBoot to encrypt data on laptops. Gather children, let me tell you of SafeBoot...

1. SafeBoot is whole-disk encryption, but Windows-partitions-only. If you dual-boot or use Linux, there is no solution for you except "Please don't lose your laptop".
2. SafeBoot requires a login before you can boot Windows. If you get your password wrong, you must wait a certain amount of time before you can re-enter your passwords. At first, it's not that bad -- a few seconds. But each successive failure increases the time... eventually, you're waiting minutes.
3. SafeBoot encrypts the drive so that you can't access the drive from another machine -- which is what it's designed for, of course. Try being an IT guy in this scenario: You can't perform ANY troubleshooting that doesn't involve booting Windows. If Windows fails to boot, you have to have your hard-drive decrypted (which, for us happens off-site and is a MAJOR pain in the ass). I cannot boot off a Windows CD to use the recovery console to replace damaged registry files. I cannot do a 'repair' install. I could wipe the drive and re-install Windows...
4. The password policy in place requires users to change their password periodically and be of a certain complexity level. Most users have their SafeBoot password written on a piece of paper and taped to their machine, now...

There's a line between security and usability. When SafeBoot works, it appears great -- it doesn't impact system performance *that* much and it encrypts the contents of the entire drive, woo. But when something goes wrong, it becomes a big pain.

To be honest, though, I think the bigger problems for the work *I* run into with SafeBoot is the policies in place, rather than SafeBoot itself.

Re:

[bockelboy]

Interesting.

In the Unix world, you could just encrypt the $HOME directory of all the users and simply not give them the rights to write outside of that directory. Make sure you don't deploy applications which both keep sensitive data and run as root ... and success!

Unless Ohio is doing something top-secret with the OS their users are running, I guess I only see the need for encrypting the entire drive when there aren't sufficient security policies in the first place.

Then again, I can do plenty of developme

Re:

[Locklin]

you forgot /tmp and the swap partition. You might want /var as well if there is sensitive data in the logs. Realistically, you probably need to prevent mounting of disks or USB drives as R/W. Than again, theres probably a few other vulnerable spots on a Unix computer.

Unix great, but it's not as simple as you put to secure it from threats that have physical access to the machine.

Re:

[bockelboy]

Yeah, I assumed there were a couple of directories I was overlooking.

Point is that you ought to be able to easily separate "these are the directories users can touch" from the "these are the directories which users can't touch". In fact, RedHat did some work on this (look up Stateless Linux). I suspect you can come up with a list of N directories (where N 10 or so) which must be encrypted, and let the OS portions be un-encrypted.

Set up a rat's nest of soft-links to an encrypted partition, make sure the i

The $3 million

[SamMichaels]

The way it's worded seems a little ambiguous to me. Did the theft alone cost the state $3 million or did the theft cause the state to spend $3 on licensing a product from mcafee? Both sound like reasonable figures when dealing with the public sector and taxpayer money.

Isn't going to help

[belthize]

If they have 60,000 computers with 'sensitive' data on it then they're borked already.

      If they want to encrypt people's laptops/desktops then fine ... if they want to prevent
personal civilian data from leaking out they're off by a few orders of magnitude on the
extent of their distributed storage.

Belthize

TrueCrypt

[bruno.fatia]

TrueCrypt is a very nice free solution and I've been using it for months, haven't had a single problem with it. I guess they were not aware of that software, maybe because they simply didn't look for ANY other products beside McMoney's..

Re:

[Spy der Mann]

I was going to post the same thing but I searched for your post first (hey, apparently I'm smarter than Ohio govt :P )

My guess is that after the breach, McAffee contacted the guys, who, obviously, haven't got a clue, and in a knee-jerk reaction said "yes, please!".

All those tax dollars... what a waste.

Seriously...Why?

[DDLKermit007]

The government has a software package they use for such things already. The Macafe stuff it's weak in comparison.

LOL BArnDOrrrrrrz!!!!!! Teh Funnyz!

[Darth_brooks]

You can joke about this being a case of closing the barn door long after the horses have gone scurrying into the country side but......someone got punished and a preventative measure is being taken. You can't hope for a whole lot more than that, especially from a government agency.

The reason we're laughing:

[SanityInAnarchy]

We are the ones who are constantly telling people to implement things like encryption.

They either think we're paranoid, or... I don't know what the fuck they think. Probably just don't want to deal with it...

So now they've been bitten, and now they "get it".

Any time someone finally admits you've been right all along, especially when it's a bit too late to prevent the damage, is cause for both glee and frustration.

Now, I'm not saying that them adopting encryption now is a bad thing, though maybe the particul

I don't see how Safeboot will stop backup tapes

[iamacat]

What's the use to encrypt your hard drive just to make a nice decrypted backup later? Conversely, this particular problem can be probably solved cheaper, since I doubt that they have 60000 tape drives in the office. Any decent backup software should already support encryption anyway.

I am not saying workstation security is not important, but here it sounds like someone doesn't even understand the problem that they had.

60,000 licenses for..

[Sloppy]

..one gpg command in between tar and the output device.

Why, oh why, didn't I become a government contractor?!?

Re:

[Alpha830RulZ]

Why, oh why, didn't I become a government contractor?!?

Have you looked at what the government pays lately? There is a reason that this stuff happens. In Washington State, at least, government pay grades are about 1/2 to 2/3 of what you can make in the private sector for the same work. If you consult, you can easily make 3 times what the government pays.

You get what you pay for.

Re:

[SanityInAnarchy]

Look at the subject, though.

Apparently, they're willing to pay for 60,000 licenses, rather than one slightly more intelligent admin?

Horse gone - Elephant still in room

[toby]

Hmm... I wonder if they give a damn that their state-wide reliance on Windows is another accident waiting to happen.

Care about trojans, keyloggers, viruses, and all the other uncountable ways to lose confidential data, not to mention productivity?

Get rid of Windows as well. You'll never regret it.

Re:

[Locklin]

IBM, Novell and Sun are big American corporations aren't they? I think it has more to do with inept (read underpaid, or MS** cert.) IT.

MY MONEY!

[thatskinnyguy]

hmmm My money is at stake so what do they do? They pay for this solution with my money!

The security breach went farther than an intern

[scourfish]

It was due to general incompetence and cutting corners, and the lack of security on the entire OAKS project, which was virtually nonexistant. A shared drive was left open during project development, and it had been discovered many times that people who weren't involved in the project could log in download personal info. My cousin in law interviewed various employees and wrote a good article for the Cleveland Free times: http://www.freetimes.com/stories/15/28/system-failure [freetimes.com] .

Why encrypt the workstations?

[dave562]

The data shouldn't be stored on the local machines. It should be in a centralized database that supports encryption at least at the table level, if not the specific field level. That database should be accessed by a client workstation that doesn't cache the data locally. Then the backups should be password protected and encrypted. This isn't exactly rocket science here.

instead of data being stolen

[Phantom of the Opera]

We'll have data utterly lost. "We lost the piece of paper with the password." Whee!

Some clarifications

[RJurden]

First 2 factual clarifications on this story: The stolen "tape" was actually a "device" that has not been officially disclosed as to what type. Some speculate a laptop while others say it was a USB Flash Drive. Second, nearly 1 million people are estimated to be affected by the theft, not 130,000 as the story states.

Well....okay. I live in Ohio and therefore could be in the group of State of Ohio employees, state taxpayers, Ohio lottery winners, and others and since it regarded social security numbers bank account information and such, along with the fact that the theft happened in my hometown of Hilliard, I paid close attention to the story.

What ACTUALLY happened was an INTERN took the device home for whatever reason. Some speculate to have an off-site backup of the data. The intern left it in their car and their car was broken into and the device was stolen.

To clarify the cost: Ohio is providing, free of charge, 1 year of credit monitoring service to each Ohioan that was affected by the theft. That cost estimate is very high. Even at a bargain basement price of $2 per year per taxpayer, that would be about $2 million. The lowest price you can find online is $4.95 per MONTH and about $60 per year.

Further: The official that lost vacation time was not the intern that took the drive home. That official lost the time because they were responsible for ensuring the safety of the data to begin with. Although the intern is the person in possession of the data and should have verified its safety, they were following the procedure that official set up. The intern is not the only one responsible for the theft.

I didn't read the FA ...

[ScrewMaster]

but whoever was responsible for a breach of that magnitude should be also be encrypted, right after he's properly embalmed.

This is obviously an inside job.

[pclminion]

Here's what I think really happened, folks:

1. Government official gets idea to make a bit of money.
2. Official gives intern important tape, knowing it will be left in the car.
3. Official knows where intern lives, and goes and steals tape from car.
4. Official sells data on the black market for a dollar value far in excess of a week's vacation time.
5. Official gets to keep his job.

There is no "???" step here.

Really, what are the chances that this intern gets his car broken into on the VERY SAME DAY he happens

Re:

[geekoid]

If that was true, somebody would find out, and that would get people fired.
Probably a quick purchase based on needing something now.

Re:Wonder if McAfee payed them

[a_nonamiss]

As an IT professional in Ohio who works in a field very close in both location and function to what this company did, I just want to say that this whole thing has been blown so far out of proportion it's not even funny. Yes, there was some sloppiness going on. Yes, someone, maybe a few people, deserved to lose their jobs over this. However, the amount of time and money that has been spent on this is so far overboard it's ridiculous.

No actual loss has ever been reported as a result of this breach. The tape that was stolen was in a relatively obscure tape format. (I don't believe it's ever been reported, but I work with similar systems, and I would guess it's probably 5 1/4 inch format, likely not even in ASCII. Most of the data backups we get are EBCDIC.) It was unencrypted, but in order for someone to get anything off this, they would need the correct hardware, the correct software and they'd really need to know that they were looking for something. Add to that it wasn't reported until weeks after the loss, by which time the thug who broke into the car had log since ditched the useless cassette tape that he stole.

Meanwhile, Ohio taxpayers are spending millions of dollars doing credit checks on every person whose information was potentially on that tape.

I'm not advocating that we forgo due diligence. I take great care in making sure that all backups from my company are encrypted. I hound everyone in the office to make sure their passwords are secure. However, the fact that we're still speding money on this makes me irate. If there was any indication whatsoever that this data was compromised, I'd be OK, but there's a 99% chance that this tape is in a landfill in southern Columbus right now.

Re:Wonder if McAfee payed them

[WhatAmIDoingHere]

Doesn't matter if it's carved into a brick of lead weighing 4 tons and can only be read by a half blind midget who is kept locked in a dungeon under the guard of five dragons.

The brick being stolen is a security breach, and the information that was carved into it is now to be considered 'out in the open.'

Security through obscurity? Get real.

Re:

[a_nonamiss]

According to your definition, there is a whole hell of a lot of data "out in the open." In Windows 2000/XP, it's reasonably difficult to encrypt your system drive and your pagefile. Even if you diligently keep 100% of your data on an encrypted volume, can you guarantee that no social security numbers were written to your pagefile? That data can be scraped, you know. Plus, if your computer is stolen, can you tell with any degree of confidence which records were in that pagefile? No? Then you have to assume t

Re:

[Ohio Calvinist]

Probably the cost of the investigation in lost hours, the price of notifying all those whom where among the 130,000 and all that comes with it (lawsuits, credit checking, the cost of the corrective actions...) I went to a university of 11,000 at first that paid for 90 days of credit monitoring for all effected students after someone hacked into the student information system that stored SSNs. I'm sure the state had to deal with some more heat than a small university.

Re:$3 million?

[asills]

Last I checked $3,000,000 divided by 60,000 equals $50, not $500.

Math issues aside, if you RTFA (and follow TF link to the original article) you'll see the breakdown:

"The incident is expected to cost the state almost $3 million. Of that total, $2.3 million covers projected and existing enrollment in Debix Inc. credit protection services. Debix enrollment paid for by the state for affected individuals will remain open until Oct. 31. Debix protection will not be extended toward any businesses with information on the lost backup tape."

I highly doubt those licenses are figured into the $3 million estimate.

Re:

[Penguinshit]

$500 for a site-license, $2.5M for "educational services" and "support"...

Re:

[Shados]

Hmm, while im sure the softwares cost a lot, the summary at least (I didn't read the article, bleh =P ) states that the missing tape is going to cause 3 million $ in loss. I'm guessing a lot of that money is from the damage the loss has caused and stuff... I'd be surprised if the software was even close to half of that.

It doesn't make your argument any less valid, mind you, but...

Re:

[faloi]

Likely because they're faced with a couple of choices... Try to get their overburdened support staff up to a point where they're knowledgeable enough about GPG to get it installed, tested, out to the users and get them trained on it. They can hire a consulting company to come in and do all that for them. Or they can go to a vendor who likely sold them all the time and effort to get that going as part of the seat licenses. And all that assumes GPG can do full disk encryption on boot that integrates into

Re:

[phantomcircuit]

And every time someone says, "Let corporations pay for that," they really mean, make us all pay for that, because where do corporations get their money? That's right! It comes out of your pocket

Lets follow your logic here.

1. Expenses increase
2. Corporation has less money
3. Corporation increases prices
4. Consumers pay more

Seems like airtight logic right?

But what is the corporation is already making so much money that the loss doesn't actually produce need to increase prices?

Your logic will only really follow when CEO's stop being paid billions of dollars.

Re:

[triffid_98]

Since when do corporations fail to increase prices when they can get away with it? After all, they need to get those November sales figures up. I'll give a simple example. Gas prices rise when the price of oil rises. Think about this. The corporation that is raising prices now still has millions of gallons of oil they obtained on the cheap, which they will happily sell you for a huge markup. Think about the opposite scenario. Oil prices fall. Said corporation will lower prices if and only if their quasi-leg

Re:

[Dachannien]

The state will now be called kaV#29v@a

New state slogan:

kaV#29v@a: the d41d8cd98f00b204e9800998ecf8427e of it all!

Re:

[SanityInAnarchy]

And, if I had to, I would use a Mac and File Vault.

MAC stands for Media Access Control. Mac is short for Macintosh. As a fanboy, you should know that.

Of course, I'd much more likely use Linux and either GPG, LUKS, or TrueCrypt, or Windows and GPG, FreeOTFE, or TrueCrypt, depending on what needed to be secured and from whom. In fact, that's exactly what I do, and it doesn't cost me a dime. (Well, except the Windows license itself, which costs the company I work for quite a bit...)

My god...

[SanityInAnarchy]

First, there's open source [clamav.net], which is great if you can remember to scan your hard drive every now and then. (I keep waiting for someone to bundle this on a boot CD.)

Then, for more sophisticated protection, there's avast [avast.com] and AVG [grisoft.com]. Of course, these mostly focus on anti-virus.

I recommend Avast, and I use Clamwin, because the only place a virus scanner really helps someone with good online habits is when you've downloaded a file which you know is suspect, and you'd like to scan it prior to use.

On the anti-spyware

Re:

[SanityInAnarchy]

Sorry, forgot. ClamAV for Windows is here [clamwin.com]. The other link is to the main ClamAV package, which really is meant more to run on a Linux mailserver, scanning every message as it goes through.

To clarify, ClamWin is a Windows GUI for ClamAV. So if you're just looking for something to install on Windows, you only need to download ClamWin. (Or Avast, if you'd prefer that.)

Re:

[SanityInAnarchy]

My own setup: Postfix/Bincimap/Bogofilter/Maildrop. Plenty of documentation all around.

Of course, I also wrote some custom software that goes somewhere in that stack, so maybe I'm not the right person to say what documentation.

However, I did not put a virus scanner there, as I don't access my email from any mail clients other than Thunderbird and KMail, or any OSes other than Linux. I laugh at virus attempts -- and then train Bogofilter on them.

For my desktop I run windows because I need Adobe Flash.

Jus