Server with Top-Secret Data Stolen

An anonymous reader writes "Usually missing information stories are fairly low key; the loss of a few thousand student records is cause for concern for those involved, but hardly national security. This one is slightly different. The company Forensic Telecommunications Services has announced that a server containing 'thousands of top-secret mobile phone records and evidence from undercover terrorism and organized crime investigations' has been stolen. From the article: 'The company — whose clients include Scotland Yard and the Crown Prosecution Service — has assured the public that the server is security protected, and the breach will not compromise ongoing police operations. The information is made up of either old cases that have passed through the judicial process, or cases that are already in the judicial system and so subject to full disclosure to both defense and prosecution teams.'"

Just FYI...

[daveschroeder]

...Forensic Telecommunications Services [forensicts.co.uk] is a UK company, not a US company, so please keep that in mind when crafting your comments.

(And yes, this is fairly plainly obvious to anyone who takes a moment to look.)

Re:Just FYI...

[Control Group]

But the British government has been in bed with the US government for years, which means they pretty much do whatever the US tells them to, which means they're pretty much just a US colony, which means that this loss is obviously attributable to FBI negligence, which is clearly linked to the PATRIOT Act, which means that it's the sole responsibility of the current administration - and we all know how Karl Rove likes to publicize secret information; this loss is obviously why he's resigning - which means that George W. Bush wants criminals to go free, so he can further consolidate his power and declare himself interim president for life!!!

CAN'T YOU SEE, MAN? IT'S THE END OF FREEDOM!

Re:

[Dunbal]

Do you think it's a coincidence that this news breaks just after Rove's resignation? I don't think so!!!

New conspiracy in 5 minutes.

Re:

[bryan1945]

You missed FEMA, Hurricane Katrina, and the Red Sox winning the World Series. And maybe crab people, but they could just be communists.

Re:

[cHiphead]

And you missed the White Sox winning the World Series the very next year.

I've been telling you mofos the End is Near, but everyone just laughs it off!

Cheers.

Re:

[cHiphead]

Oh and ONE MORE! Van Halen just got back together. With David Lee Roth.

END!

Cheers.

Okay, here's what we've got

[spun]

The Rand Corporation, in conjunction with the saucer people, under the supervision of the reverse vampires, are forcing George W. Bush to go to bed early in a fiendish plot to eliminate the meal of dinner.

We're through the looking glass, people

Re:

[AHumbleOpinion]

the British government has been in bed with the US government for years, which means they pretty much do whatever the US tells them to

BS. It is a two way street, you are just being myopic in your historical context. We aided the British in the Falklands for example. No US interests were threatened since the British would have won with or without our help. All we did was further alienate ourselves from Central and South America. Then there were the European wars of the last century. Certainly it wouldn't

Re:

[Blakey Rat]

Whoooooooosh...

Re:

[AHumbleOpinion]

Whoooooooosh...

No. While the complete post was obviously a joke, it began with a reasonable point that many do actually believe. It was worthy of a fork that discussed that one point.

Re:

[Control Group]

Wow. I don't know which is scarier - the possibility that you missed the joke because it was over your head, or the possibility that such a load of drivel sounded reasonable enough to you for you to debate the issue.

Either way, I'm scared.

Re:

[conspirator57]

umm... it seems to me that >80% of Britons want out of Iraq. It also seems to me that Blair was replaced to accomplish that. For a little bit now we've been hearing the Brits are getting out of Iraq per popular demand. Then this week we hear the Brits are staying. Two days after a Bush - Brit pow-wow at Camp David... Seems a bit puppetish to me. Maybe this doesn't reflect the relationship as a whole, but then again...

Re:

[AHumbleOpinion]

... For a little bit now we've been hearing the Brits are getting out of Iraq per popular demand. Then this week we hear the Brits are staying. Two days after a Bush - Brit pow-wow at Camp David... Seems a bit puppetish to me ...

We have no idea what was discussed. There are other reasonable possibilities. If the "surge" is having positive results then perhaps the Brits are willing to participate in that. Perhaps the Sunni's turning on Al-Queda changed the "calculation" the Brits used to justify the pull

Re:

[rifter]

Wow. I don't know which is scarier - the possibility that you missed the joke because it was over your head, or the possibility that such a load of drivel sounded reasonable enough to you for you to debate the issue.

Either way, I'm scared.

David Bowie, dude... American... History... Geography..

Head Asplode! [homestarrunner.com] :D

The worst part for y'all is, someone set us up the bomb and we are not afraid of using it. Be afraid, be very very afraid :D.

Humor often used to introduce serious topics

[AHumbleOpinion]

Wow. I don't know which is scarier - the possibility that you missed the joke because it was over your head, or the possibility that such a load of drivel sounded reasonable enough to you for you to debate the issue. Either way, I'm scared.

You have no need to be scared. While the complete post was a joke, it began with a statement that many actually do believe. The point contained in that statement was worthy of being discussed, the fact that it was introduced as part of a joke does not detract from th

Re:

[VJ42]

That's why the good ol' NSA and GCHQ people set up ECHELON [wikipedia.org], and it's not just limited to the UK and USA, the other Countries countries that signed the UKUSA [wikipedia.org]Treaty are Canada, Australia and New Zealand.

I'm not usually one of the tin-foil hat brigade, but the radomes [wikipedia.org] at Menwith hill must be being used for something.

Does it matter?

[Opportunist]

Do you think that something like this cannot happen anywhere else?

Re:

[ArsenneLupin]

The Forensic Telecommunications Services [forensicts.co.uk] website is an ASP site. Please keep that in mind before browsing this site from work or in the presence of young children...

Isn't it obvious?

[thatskinnyguy]

I blame the intern! [techdirt.com]

Comment removed

[account_deleted]

Comment removed based on user account deletion

Top secret public records?

[mmarlett]

Which is it: Top secret phone records or information that has already been released in court cases? It doesn't seem like the two are the same.

Re:Top secret public records?

[yog]

I don't get it. What happened to locks, keys, and trusted employees? It seems like companies and government organizations are constantly leaving sensitive materials in cars or in unsecured locations where they can be stolen by opportunistic thieves. After thousands of years of civilization, and with all the fancy technology at our disposal today, have we learned nothing about how to keep important materials out of mischievous hands?

A server with sensitive information should not be on the public internet, and it should not be on the premises of a subcontractor! It should be safe behind locked doors with access only by a select few, and protected by strong encryption too. I just don't get it; it's kind of depressing.

Re:

[dmpyron]

I've handled TS and above at a number of contractors over the years. That said, "What happened to locks, keys, and trusted employees?". And how do you get a server out of the building? Stuff in down your pants? I've never worked anywhere where areas with classified information weren't surrounded by cameras. And access control. And lots of other means of tracking the comings and goings. There's more to this story than has been made public.

The lady doth protest too much, methinks. Something is rotten

Re:

[crabpeople]

Well you dont hear about the hundreds of millions of secured data protection events everyday because they wouldn't be newsworthy. If a corporation or org successfully repels a threat, why would it make the frontpage of slashdot?

The simple fact is that there is more and more data in the world so more and more breaches will happen. Its inevitable. Just try not to be the one asleep at the switch.

Re:

[Frosty Piss]

The information is made up of either old cases that have passed through the judicial process, or cases that are already in the judicial system and so subject to full disclosure to both defense and prosecution teams

Mybe they meant "proprietary" instead of "Top Secret". Clearly it isn't "Top Secret".

Re:

[sumdumass]

One of the biggest objections Bush had with taking every suspected terrorist to trial was that the information gains could tell the enemy how to defeat the ways they collected it as well as tip them off on who knows what.

It wouldn't surprise me if these servers contained more information then what was used in court. by doing that, they wouldn't be exposing the entire aspect of their investigation. So while the cases have or are in trial, I could be possible that not all the evidence went with them. Just eno

Re:

[RMH101]

In the UK, phone tap evidence is not admissible in a court of law. This is presumably because if it *was* admissible then it could become a matter of public record, and the spooks wouldn't want that to happen.
Hence, it follows in this case that they almost certainly contained way more info than was used in court...

I could sure trust them

[faloi]

Except that their physical security is apparently so poor that I can't imagine their data security is much better.

"All the data is protected, as long as the thieves don't look at the password sticker hidden inside the case."

Re:

[Sunrise2600]

I love how whenever there is a data breach they have to say, don't worry it wasn't important data anyway.

More likely.

[AltGrendel]

They simply forgot to activate the alarm system when they went home.

Never attribute to malice what can be explained by stupidity.

Re:

[Greyfox]

They probably mean "password-protected". We all know how easy THAT is to get around. These guys don't sound clueful enough to actually encrypt their data (Though if any of them are reading this and want to correct me, please go ahead...)

Re:

[Xiaran]

Im not one of those guys but I did used to work in the disk encryption industry in the UK. I wrote(well me and three other programmers) a product that encrypted windows disks and CE based PDAs. One thing to remember is that companies in the UK are subject to the data protection act. That means they are required by law to protect peoples information. That said it isnt that unusal to find companies that have quite caught up or gotten around to encrpyting their sensitive data... but all the companies Ive worke

Good thing I didn't have anything to hide,

[MrMr]

from the Russian mafia.

Wrong Terminology

[stewbacca]

"Top Secret" is a term reserved for government classification schemes (in the US) and is clearly outlined by US laws. Using "Top Secret" for a business is just sensationalism. This business lost sensitive data, not "Top Secret" data.

Re:

[daveschroeder]

Actually, that's incorrect.

Many nations have equivalent parallel classification schemes, including using the terminology "top secret". Long-standing agreements between various nations allow sharing of information in the same categories.

See here [archive.org] and here [wikipedia.org] for details.

If FTS is a contractor on terrorism investigations, it could very well be handling "top secret" data. The article refers to it as "top secret", but you're correct: it's not clear if "top secret" is merely being inappropriately applied here, or wh

Re:Wrong Terminology

[stewbacca]

I was a contractor that handled real Top Secret data and that term is reserved for government classified data only. Contractor's own stuff is neither Top Secret, nor protected under the provisions provided to government Top Secret data. My point is that there are too many stories from JoeBlow, Inc. that report "Top Secret" information being stolen just to sensationalize the story. To working professionals in the Intel field, the notion that Top Secret data was stolen is a national security crisis, only to read in the story that some stupid company lost some data with private information in it.

True, that many countries share classification terminology. England, Canada, U.S. and Australia, for example, have all worked to synchronize their terms and laws. But the common thread is that these are all covered by government classification guidelines, not the private sector.

I suppose the info in the story could be "Top Secret" in the true sense of the word, but if this company was a contractor handling real Top Secret (ie, government classified) data, it would be a much bigger story than something buried in slashdot ;-)

Re:

[jrumney]

it would be a much bigger story than something buried in slashdot ;-)

It was front page news in several UK papers over the weekend.

Re:

[stewbacca]

A week ago I would have known (I just moved back to the States from the UK) ;-) Stupid narrow world-view of the US!

Re:

[zippthorne]

The US is roughly the size of the EU (order of magnitude). Did you pay attention to every issue that is front page news in every member country of the EU when living in UK? or did you mostly focus on your snarky little island nation?

Re:

[Frosty Piss]

Contractor's own stuff is neither Top Secret, nor protected under the provisions provided to government Top Secret data.

In the USA at least, contractors handle actual honest-to-god the real deal "Top Secret" all the time. In fact, most of our government's "Top Secret" programs are run exclusivly by contractors.

Re:

[stewbacca]

True, all of what you said (except contractors are not the majority of classified handlers, especially in compartmentalized intel). I was a contractor and I handled classified all day long. My point is that companies are TOLD by government classification guidelines what is "Top Secret" and don't just make up their own classifications because they work with government classified data. Even if contractors CREATE the data, the company doesn't classify the content they created, the government does. I've sai

Re:

[Torvaun]

Great thing about R&D, sometimes you find things that are even better (more potent) than what you're looking for. People looking for pesticides have found nerve gas, why shouldn't people designing reactors find that some particular design just happens to output mostly weaponizable material?

Re:

[cyphercell]

So, you don't think the Crown Prosecution Service or Scotland Yard would have "Top Secret" data? Seriously, the information stolen was evidence and phone numbers, how likely do you think it is that the phone numbers coincided with the evidence? Sorry, but I think the use of "Top Secret" is completely applicable in this case.

Re:

[stewbacca]

I can only speak for UK law a little bit, having only worked there for a short while, but I do believe that the UK has clear government classification guidelines that are pretty tightly integrated with US classification law. A phone number is not worthy of "Top Secret" classification. Especially since a phone number alone does not reveal means or methods, nor does the compromise of a list of phone numbers cause "grave damage" to national security, which is the basic tenet of "Top Secret" classification un

Re:

[cyphercell]

I think it was "evidence", "phone numbers", "database lost", that caught my attention. :)

Re:

[daveschroeder]

I'm aware of how classified data works, and when and how the terms are used. You said that the term top secret "reserved for government classification schemes (in the US) and is clearly outlined by US laws". If you were simply speaking from a US-centric standpoint, and not to mean that the term wasn't used elsewhere, my apologies; my point was that the term "top secret" is used by several other nations, including the UK. Your statement about how this was codified in the US was confusing since the company in

Re:

[stewbacca]

But it's also wrong to say that data generated by a contractor cannot be top secret in the legal and statutory sense of the term.

I apologize for not being clear, but this is not what I meant. Contractors create Top Secret material all the time; it just isn't their call to say if it is Top Secret or not. They create data, then the US classification authority applies a classification. This goes for government employees as well. An individual working an intelligence mission as a government employee doesn

Re:

[mce]

At least in my country (which is not the US), the government has no monopoly on the terms "confidential", "secret", or "top secret". The government does have a clear definition of them for its own purposes, and it is special in that breaching the applicable regulations has immediate legal consequences, but that does not disallow companies from having their own classification schemes that uses those same terms. In fact, there are provisions in national and NATO regulations that explicitly allow for dealing w

Re:

[fotbr]

Are you sure of that? Companies like Lockheed Martin, Boeing, General Electric, General Dynamics, etc all handle government secrets (and top secrets) as part of their defense contracts -- usually as parts of products they're building, but more and more intelligence analysis is being contracted out as well. I'd be surprised if British defense contractors didn't do much the same.

Re:Wrong Terminology

[stewbacca]

Contractors working with US classified documents are bound to the same rules and regulation as government employees when handling classified data. My point is that companies can't just make up their own classification of something being "Top Secret". Boeing doesn't have the right to make something they created "Top Secret" just because Boeing thinks it is Top Secret. Only the government classification authority can designate a classification of: Unclassified, Confidential, Secret, or Top Secret. Anything else would be internal corporate policy, but any naming convention Boeing comes up with on their own is NOT provided the same protections under US Law that real government classifications are. (I may sound like a broken record, but I used to teach this stuff to government employees).

Re:

[IBBoard]

Maybe the UK works differently (or maybe it's because of transfer of classification based on content) but I work at a List X company [wikipedia.org] and people within the company get to determine whether documents are Restricted or whatever (we use UC, R, S and TS in the UK - there is Confidential, but it's generally replaced with S). They can also extracted parts of a report and release them at a lower classification (since I spend most of my day working on an Unclass machine).

I'm assuming there must be some controls some

Re:

[IBBoard]

Just a related thing I thought of as I posted: Government and Government Associates hate companies who insist on "Private and Confidential" in documents and are unwilling to change to "Private and in confidence". One of the many joys of having Confidential as an important security keyword and having email monitors that check for sensitive keywords to stop accidental release!

Re:

[stewbacca]

"Company name proprietary" is appropriate. What my gripe is, (in the US, at least) is that companies mark business data as "Top Secret", which is strictly reserved and regulated by US law, when the company just means "company proprietary" or "company sensitive" data. It is just an irritating sense of inflated self-importance that gets under my skin, is all.

Re:

[networkBoy]

Not entirely.
We have five levels of "classification":
[company name] top secret
[company name] restricted secret
[company name] secret
[company name] confidential
[company name] public

While I agree that this is not the same as US Gov Top Secret, it leverages people's basic understanding of what those words mean and their impressions as to equality to the government. Just as the US would not want Top Secret notes passed to Iran, we would not want [company name] Top Secret passed to our competitors though we may

Classification Designations

[Jtheletter]

Only the government classification authority can designate a classification of: Unclassified, Confidential, Secret, or Top Secret.

Someone really ought to tell that to Dick Cheney.

This post is Treat As Top Secret. ;)

Re:

[stewbacca]

Someone really ought to tell that to Dick Cheney.

Actually, I was thinking more like Sandy Berger, since he actually broke a law regarding handling of classified documents. I'm not sure what your Cheney comment is referring to, but it can't be more egregious than the Berger incident.

Re:

[Jtheletter]

I'm not sure what your Cheney comment is referring to, but it can't be more egregious than the Berger incident.

Sorry for the uber late reply, you'll probably never see it but just in case this is good info for people to be aware of I think. Basically Cheney has created a new level of cassification to justify not sharing any information from his office. You may have heard about the "man-sized safe" that he has in his office, well he fills it with pretty much every document he produces and labels them "Treat

Re:

[stewbacca]

Absolutely unfounded... There are entirely too many checks and balances in place for the VP (or any politician for that matter) to create his own classification scheme.

Re:

[Jtheletter]

Absolutely unfounded... There are entirely too many checks and balances in place for the VP (or any politician for that matter) to create his own classification scheme.

My friend, some might say there are too many checks and balances to prevent a lot of the things that have gone on with this administration in the last 6 years, yet the abuses occurred anyway. Your disbelief makes them no less true. The Washington Post broke this story and AFAIK there have been no retractions. Here are some links to the articl

Re:

[fotbr]

And that is exactly my point. It may be real TS stuff -- just because a private company lost it doesn't mean its not TS.

a different slant on Wrong Terminology....

[Anonymous Coward]

Other threads are quite correct to say that UK/US/Can etc have similar classifications, and that contractors routinely handle these (though note the lack of a US "Restricted")

When I started my career at a UK C+C Headquarters, we still had some old documents with the original UK top classification on, which was "MOST SECRET". They changed this during WW2 because the Yanks might read this as 'Almost Secret'.

All these classifications used to refer to Military Intelligence-type data. But come the end of the Col

Detailed Cell Phone Bill

[sjaguar]

Do this mean that I will finally be able to see a detailed listing of my wife's calls? :)

Re:

[Reece400]

I'd be more excited if I could get a detailed listing of MY calls, damned cell phone companies!

Re:

[Belacgod]

Should have signed up for the Iphone, then you'd get 52 pages! [slashdot.org]

Re:

[tehcyder]

Do this mean that I will finally be able to see a detailed listing of my wife's calls? :)

It's OK, I recorded them all from my end.

Private company?????

[Anonymous Coward]

Shouldn't someone explain wtf does top secret policial information in the hands of a corporation? Such information should be gathered, kept and custodied by police.

Re:

[pthor1231]

Just because information has a certain classification doesn't mean anyone other than "police" is going to have it. In the US, and I would imagine a fairly similar situation in the UK, quite often contractors will have access to various levels of classified information for their particular project. Chances are though this is not technically "Top Secret" classified information, and just some sensationalist media, as a few other posters have noted.

Re:

[Fallon]

Top Secret data is in the hands of lots of military contractors. If you handle TS data you have to comply with lots of REALLY overkill security measures. Secret classified data must be kept on SIPR net, which is a huge worldwide network massively encrypted and not connected to the Internet. TS is even more secure.

Re:

[LWATCDR]

Nothing like like a good old MkI air gap for security.

Re:

[Don_dumb]

The police outsource forensics. The MOD and most areas of government outsource loads of sensitive jobs (or jobs that handle sensitive data) thanks to the joys of privatisation.

This was a Physical Break in

[varmittang]

"FTS can confirm that the company was recently the victim of a break-in at one of our premises in Kent. As a result, some IT equipment including a server was stolen."

Very important info for all those who want to start a flame war about what OS it was running and why it was connected to the Internet.

Re:

[tehcyder]

Very important info for all those who want to start a flame war about what OS it was running and why it was connected to the Internet.

Spoilsport, now there's only going to be a handful of comments.

Re:

[p0tat03]

I suppose the better question now is... how do you sneak out of a secured building with a server? Stuff it down your pants? Or did they merely open the case and swipe the drive, in which case it's certainly do-able?

Spooks, Spooks, Spooks

[WED Fan]

Wasn't this an episode of "Spooks" [bbc.co.uk] ("MI:5" [bbcamerica.com] in America)

Spooks Brain? "Brain and Brain, what is Brain?"

Comment removed

[account_deleted]

Comment removed based on user account deletion

wow

[ArcadeX]

Somebody drops the ball when a backup tape goes missing. Laptop gets stolen isn't that much of a stretch, but a server? You would think something like this would blow away any confidence people have in this company... Company I work for wipes all computers / servers that get shipped, and the image is pushed over a secure network, hard drive encryption or not, and we don't even have much in the way of confidential information.

Re:

[Detritus]

How many companies have real physical security? By that I mean trained security officers with guns, on duty 24/7/365. Most companies are vulnerable to theft, even of large items like servers. once everyone leaves for the day or weekend.

Re:

[Anonymous Brave Guy]

How many companies have real physical security? By that I mean trained security officers with guns, on duty 24/7/365.

Well, I'm guessing the answer to that specific question in the UK is basically none, given that in general civilians having firearms is illegal and all...

However, I would imagine that businesses working in certain sensitive industries are used to working with the police, and employ a combination of defensive measures and some rapid call-out arrangement to protect themselves. Given that we don't see banks being robbed all the time, it appears that full-time, gun-carrying staff (are scary black outfits an

Protected how?

[hcdejong]

1. Cryptonomicon-style, with a big coil embedded in the door frame of the room where the server was stored (question is, would that even work, without using an MRI as the coil)
2. with a brick of thermite on a proximity detonator inserted into the case
3. boring ol' cryptography

Re:

[Fallon]

We actually have a case of thermite grenades sitting in our TCF (where all our communications gear & servers sit). Of course there's also the thousand odd soldiers with M16s around that you have to get through first. Sitting in downtown Kabul Afghanistan and needing all that physical security does make me a bit nervous at times though.

Re:

[Svartalf]

Nothing like the flash demil process on computer gear. And yeah, I'd be a bit uneasy about needing that level of security, but with where that comm gear (and you) is at, I wouldn't have it any other way really.

Re:

[bryan1945]

"1. Cryptonomicon-style"

I so just jumped to "Necronomicon-style" when I read that. Chin-sucking whirlpool books would probably be rather effective ("Army of Darkness" for you heathens that don't understand that).

Re:

[Cheesey]

1. Cryptonomicon-style, with a big coil embedded in the door frame of the room where the server was stored (question is, would that even work, without using an MRI as the coil)

I don't think that would work, even in 1999 when Neal Stephenson wrote the book. Some data would be recoverable: disks are very hard to completely destroy. Encrypted filesystems are the right way to do it, with the key only kept in memory.

I don't know why Stephenson's characters didn't think of that idea, since they worked for a PGP-s

Re:

[ubrgeek]

> 1. Cryptonomicon-style, with a big coil embedded in the door frame of the room where the server was stored (question is, would that even work, without using an MRI as the coil)

I have one of those in the doorway of my cube. As soon as I get up to tell someone something and walk through it, my memory is wiped... :)

Security Protected?

[Sperbels]

Security Protected? Meaning what? You have to login to Windows?

Well-protected?

[winchester]

If their physical security is this bad, one wonders how much value should be placed in the statement that the data on the server is "adequately protected".

Moreover, this should spark the debate whether it is okay that private companies work on this sort of data, and whether the government should or should not have its own data specialists.

Re:

[Belacgod]

I'd argue that government wouldn't be any better at it. Plus, you could never fire the people responsible--at least here the company's going to lose a lot of business.

Bizarre reporting

[mattr]

It seems most journalists are just mouthing the press releases over again. "Security Protected" is a talk-down-to-you phrase, "protected" means "secure" anyway, and it intentionally doesn't tell you anything about how it really is protected. The company with the break-in obviously wasn't using security sufficient to deter people targeting them - for a security analysis company not to use more expensive security commensurate with the value of their clients' info is not even mentioned. Something silly about outsourcing is mentioned in TFA but in not the press release of course because it was stolen from their premises. Impossible perhaps to deter a truly obsessed insider, but for TFA not even to talk about what that incredible "security protected" technology stuff is, is just dumb.

I think it would be in the company's best interest to say everything was encrypted with unbreakable algorithms, but perhaps they have rules about not disclosing anything and maybe they don't want to spread the idea that people should encrypt things, that would certainly put a damper on their business, wouldn't it. I'd understand if they don't want to say they have a cell phone tracker or phone home device in it, but as for trusting them when they say nothing is important on that server they stole sounds very strange. More likely someone knew what they were going for it sounds.

Laptops, always, desktops, yes, servers - ?

[caluml]

Well, I always use encrypted partitions for equipment that could be stolen - laptops, or my home PC - but I wouldn't consider it for servers.
This makes you think though.

Let me guess, you RMA your disks too

[DamnStupidElf]

Do you RMA unencrypted disks? How do you wipe sensitive data off the dead ones? There are plenty of reasons to encrypt server drives.

Re:

[BenEnglishAtHome]

Where I work [irs.gov], the servers are encrypted. The laptops are encrypted. The desktops are about to be encrypted.

No disk is ever RMA'd anywhere. If we have a failure, we get a new replacement disk and send back a sheet of paper saying we destroyed the old one.

We wipe sensitive data with 7 random overwrites on all disks in storage that may be used again. Working desktop and laptop disks passing out of the organization for donation to schools or charities get the same treatment.

Dead disk drives from lapt

Re:

[DamnStupidElf]

No disk is ever RMA'd anywhere. If we have a failure, we get a new replacement disk and send back a sheet of paper saying we destroyed the old one.

See, that's the thing that most companies would have trouble getting away with. I suppose once you're big enough to audit the taxes of the company RMAing your equipment, they don't really mind taking your word that you're destroying the drives and not selling them on the side.

We wipe sensitive data with 7 random overwrites on all disks in storage that may be

Home server encryption - Is there a good solution?

[BenEnglishAtHome]

What about your kiddie porn stash? Or your usual porn stash if you're married? Or your MP3s if you're a teenager?

I use Cryptobox. [cryptobox.org] Is that good enough?

I'm serious. I don't know if it's good enough. I chose it because it was easy to use but it could be horribly flawed and I'd never know.

live by the sword, die by the sword...

[3seas]

invasion of privacy is a very pervasive thing once you start it up....

contradiction...

[kajumix]

"top secret data ...subject to full disclosure"

Deliberate theft?

[orangesunglasses]

It is probably understandable how laptops and PC's get stolen, as maybe an opportunistic theft, but how the fuck can someone just wander off with a server? This presents two reasons why it was stolen
1. It was stolen for the hardware, so have a look on ebay soon
2. It was stolen for the data that the machine contained, which is probably more concerning.

Re:

[beakerMeep]

Just from reading the summary I kind of had the pessimistic thought that maybe it was stolen not for the data, but to keep the data out of the courts. or maybe it wasn't stolen at all but rather one of those cases where a company "accidentally loses" self incriminating evidence or evidence that hurts the police's cases.

And yes, I watch too much TV.

Top Secret!

[lymond01]

The information is made up of either old cases that have passed through the judicial process, or cases that are already in the judicial system and so subject to full disclosure to both defense and prosecution teams.

So...not top secret then.

Yes, actually. The cat does "got my tongue."

[Impy the Impiuos Imp]

> Usually missing information stories are fairly low key; the loss of a few thousand
> student records is cause for concern for those involved, but hardly national security.

Yeah! The problems of tiny organizations are not really worthy of national, much less international, attention.

> This one is slightly different...'The company -- whose clients include Scotland Yard
> and the Crown Prosecution Service '...

Wait, I thought you said this was slightly different. Sounds like the same class of pr

Stuff you learn about security

[JoeCommodore]

As I have read a lot on administering servers there is one axiom that stands out, "even if you do all the communication and data protection as well as keep out bad guys from getting in through your ports, if they get hold of the box it is just a matter of time, as they have total access."

Encrypted drive with a password to open access during boot would be the best (unless bad guys compromise the box while it is running).

But who knows there probably is a way around that too, as with DRM - someone somewhere se