Laptops, Blunders and War!
POSTED NOV 12, 2006 BY ANDY WENDT
After hearing an endless barrage of news over the last few days about the 1,000 or so missing laptops belonging to the Commerce Department, many of which contained census data, I was reminded of a Latin proverb that states "To blunder twice is not allowed in war".
What are the two blunders you ask? Could it be the fact that this is not the first time the government has lost a few laptops? Or the fact that five years into the war on terror things have apparently not improved? If you remember the 400 missing laptops in 2002 belonging to the Justice Department, or perhaps even the more sensitive laptops that went missing from U.S. Central Command that same year, you may think that's the second blunder I am referring to. But it is not.
The two blunders are quite simply: The laptops were lost. The laptops contained data.
Now if you hear this story enough you'll notice that we are to believe that no data on any of the laptops has been compromised. That the data was encrypted and kept safe by the myriad of technologies put in place as a result of an extensive list of rules and regulations for such things.
But wait: The laptops were lost and I am pretty sure that's against the rules. Speaking of pretty sure: I am pretty sure it's a bad idea for the smallest and most portable of computers the government owns, in this case laptops, to contain any sensitive data at all.
In regards to the data: Are we to believe that remote connectivity is not advanced or secure enough to force the data to reside exclusively on a server at the appropriate federal office? Should we believe that accessing sensitive data through remote services brings a greater security risk than letting it sit physically, and supposedly encrypted, on who knows how many laptops? Should we believe that those who are not responsible enough to keep from losing a government laptop are to be trusted with the encryption of the data on those same machines in the first place?
So to get to the point: What I hear missing from this story and what I worry about the most is why any sensitive data is allowed to reside on a laptop at all. Or to summarize and once again quote from our ancient past: "I am more afraid of our own mistakes than of our enemies' designs" - Pericles.
UPDATED POSTED AUG 15, 2007 BY ANDY WENDT
Looks like this time the blunder has hit close to home. At the moment I find myself browsing on the Ohio.gov site to see if my personal information was compromised when a state "storage device" was stolen out of the car of an intern.
My money is on "storage device" being code talk for laptop. Despite the state's claim to the contrary.
An interesting side on the whole storage device question is this ZDNet report that says the "state's IT director was able to decipher the data on a cloned laptop." I could be wrong but the phrase "cloned laptop" to me implies it was a laptop.
Other more important aspects of the story that are still vague include the actual numbers involved. Reports say there were anywhere from a quarter of a million up to a solid million individuals who are affected by this little mishap. Several of my co-workers have already received letters from the state selling some sort of identity theft protection.
But as always they tell us there is no need to worry as there is no evidence the data has been accessed. From memory they said it was encrypted. I feel better already. Not.
The best part about this story is that the data did not have to be on the laptop at all. It's not a case of "they should have been using remote access". In my opinion it's a case of "what the heck were you thinking".
That's right, the data was on this laptop, I mean "storage device", because they were using it as an offsite backup. Wow! Thanks Ohio for being so concerned about backups that you would use a "storage device" and then let an intern leave it in his car over the weekend.
Glad to see IT guys with those cozy government jobs being so worried about screwing up. For a while there I was beginning to believe the stereotype that government employees just didn't care.
Well anyway, thanks Ohio for the nice web site explaining what to do in case of identity theft. But somehow this reminds me of the old marketing adage: "Create a need and fill it."