More personal details lost

[Osem]

Quote:

Originally Posted by Raistlin

Unfortunately there is no patch for human stupidity.

MOD laptops are routinely encrypted, even where they are carrying low-level information, I can't understand why this one wouldn't have been.

Even if it was, why was it left in a car overnight?

---------- Post added at 21:45 ---------- Previous post was at 21:03 ----------

http://news.bbc.co.uk/1/hi/england/devon/7198043.stm

It'll all be ok though because Peter Hain has ordered an immediate enquiry

Enquiries into sleaze, corruption and incompetence seem to be about our only growth industry these days

Of course HMG and the companies involved take this sort of thing extremely seriously don't they - just makes you wonder why it keeps happening then!

[TheNorm]

Quote:

Originally Posted by Osem

Even if it was, why was it left in a car overnight?
...

Why was sensitive data allowed to leave a secure building? Hasn't anyone at the MoD heard about VPN?

[Raistlin]

Quote:

Originally Posted by Osem

Even if it was, why was it left in a car overnight?

Like I said, no patch for human stupidity

---------- Post added at 09:37 ---------- Previous post was at 09:36 ----------

Quote:

Originally Posted by TheNorm

Why was sensitive data allowed to leave a secure building? Hasn't anyone at the MoD heard about VPN?

TBH, provided data has been adequately enrypted it shouldn't be an issue where the data is being carried. To all intents and purposes, a properly secured/encrypted laptop should be nothing more than a dull grey paper-weight when turned off.

Besides, given how crap they are at keeping laptops secure would you really want them having VPN access across the Internet from their home computers to your data

[Osem]

Quote:

Originally Posted by Raistlin

To all intents and purposes, a properly secured/encrypted laptop should be nothing more than a dull grey paper-weight when turned off.

Yes but one which has been paid for by the tax payer and ought to be looked after.

[Raistlin]

Quote:

Originally Posted by Osem

Yes but one which has been paid for by the tax payer and ought to be looked after.

Agreed, my point went not to the appropriate security of a physical asset purchased from the public purse, but rather to the logical security of the data contained within it following a physical loss.

There's no excuse (or patch, as I've said previously) for the sheer stupidity of leaving that item on plain view in a car.

[Osem]

Quote:

Originally Posted by Raistlin

Agreed, my point went not to the appropriate security of a physical asset purchased from the public purse, but rather to the logical security of the data contained within it following a physical loss.

There's no excuse (or patch, as I've said previously) for the sheer stupidity of leaving that item on plain view in a car.

I think it's worse than stupidity - I think there's widespread institutionalised disregard for public assets (including information).

[Raistlin]

Quote:

Originally Posted by Osem

I think it's worse than stupidity - I think there's widespread institutionalised disregard for public assets (including information).

Certainly the number of incidents that are currently coming to light would seem to suggest that, I wouldn't be one to suggest that it's the norm though.

[Osem]

Quote:

Originally Posted by Raistlin

Certainly the number of incidents that are currently coming to light would seem to suggest that, I wouldn't be one to suggest that it's the norm though.

Sadly I really think it might be more the norm than you think. I reckon incidents of stupidity like this happen all the time and only a tiny few ever result in a loss - those are the ones we hear about.

[Raistlin]

Quote:

Originally Posted by Osem

Sadly I really think it might be more the norm than you think. I reckon incidents of stupidity like this happen all the time and only a tiny few ever result in a loss - those are the ones we hear about.

You're probably right, because the headline:

"MoD Loses Fully Encrypted, 6 Year-Old, Laptop. Personal Details Perfectly Safe."


Isn't going to sell many papers.

Personally, the loss of the laptop is almost inconsequential. Yes, it's a few hundred pounds out of the public purse, but you could recover that by fining some of the big businesses that run millions of pounds over budget on Government contracts - now that would make the headlines wouldn't it (although, as usual, probably in a negative sense):

"Thousands of Jobs at Risk as Government Penalises UK Industry."

Anyway, it's not the asset that's the issue here, it's the information that it contained.

[Osem]

Quote:

Originally Posted by Raistlin

You're probably right, because the headline:

"MoD Loses Fully Encrypted, 6 Year-Old, Laptop. Personal Details Perfectly Safe."


Isn't going to sell many papers.

Personally, the loss of the laptop is almost inconsequential. Yes, it's a few hundred pounds out of the public purse, but you could recover that by fining some of the big businesses that run millions of pounds over budget on Government contracts - now that would make the headlines wouldn't it:

"Thousands of Jobs at Risk as Government Penalises UK Industry.

Anyway, it's not the asset that's the issue here, it's the information that it contained.

That's true of course - but where an attitude of sloppiness is allowed to prevail it's only a matter of time before something goes badly wrong. MRSA and the like have been allowed to take hold of our hospitals due to sloppy cleaning and basic hygiene practices and at what cost?

[TheNorm]

Quote:

Originally Posted by Raistlin

...TBH, provided data has been adequately enrypted it shouldn't be an issue where the data is being carried. To all intents and purposes, a properly secured/encrypted laptop should be nothing more than a dull grey paper-weight when turned off.

Besides, given how crap they are at keeping laptops secure would you really want them having VPN access across the Internet from their home computers to your data

Sensitive data should not be carried on a laptop (or CDs or DVDs) without adequate security measures in place. What is the justification for doing so?

The VPN access should be restricted to an authorised piece of hardware.

[Raistlin]

Quote:

Originally Posted by TheNorm

Quote:

Sensitive data should not be carried on a laptop (or CDs or DVDs) without adequate security measures in place. What is the justification for doing so?

Did you read the bit where I said 'provided it's adequately encrypted'? If it is then that data isn't at risk. At that point, any justification only needs to be strong enough to outweigh the inherent risks invoved. If the laptop uses encryotion that fully protects the data then your risk is simply to the loss of the asset (if you ingnore the miniscule possibility that the encryption could be broken). Given the ever increasing need for people to work at locations other than their own, and the poor interconnections that I would imagine exist between disperate Government sites at a multitude of locations, the use of a laptop for mobile working actually becomes a sensible option as it enables important work (the defence of the nation for example) to continue unabated.

It's only idiots like this that lose, or have stolen from their car, their laptop that even cause this to become a public issue. By the way, we all seem to be working under the assumption that the details on that laptop are now in the hands of the 'bad guys', have the MoD said whether there was any encryption protecting the data yet?

Quote:

Originally Posted by TheNorm

The VPN access should be restricted to an authorised piece of hardware.

And what would that piece of hardware be?

[TheNorm]

Quote:

Originally Posted by Raistlin

Did you read the bit where I said 'provided it's adequately encrypted'? If it is then that data isn't at risk. ...

If they can't be trusted to keep an eye on a laptop, how can they be trusted to ensure that appropriate encryption was in place?

Quote:

...It's only idiots like this that lose, or have stolen from their car, their laptop that even cause this to become a public issue....

Exactly. Would you trust a monkey with a hand grenade, even though the pin was securely in place when you handed it to him?

Quote:

... By the way, we all seem to be working under the assumption that the details on that laptop are now in the hands of the 'bad guys', ...

I think we ought to assume that. Or is "don't worry, a chav stole it" meant to pacify the situation?

Quote:

...And what would that piece of hardware be?

Erm... a laptop?

Suppose this guy's job was to telephone potential recruits into the armed forces. He wouldn't need all 600,000 names on his laptop, would he? He could VPN to a secure server and get one telephone number at a time.

It isn't rocket science...

[Raistlin]

Quote:

Originally Posted by TheNorm

I think we ought to assume that. Or is "don't worry, a chav stole it" meant to pacify the situation?

But..... if the laptop is properly encrypted then the details that were on the laptop won't be in anybody's hands. That was my point, hence the specification that it was the 'details' that were in their hands (and not the laptop) and the question I asked about the encryption (which you cleverly chose to edit out of the quote you made).

Quote:

Erm... a laptop?

And that laptop would be secured how? What happens if someone breaks into his home? How do you know that you can trust someone to have an unmonitored lapto in their home for extended periods of time? What if someone in their family compromises it (unlimited access, unlimited time) and subverts the VPN?

Even if they're using VPN there is still some processing occuring on the device, what about that information? How would you protect that?

[TheNorm]

Quote:

Originally Posted by Raistlin

But..... (which you cleverly chose to edit out of the quote you made).

Sorry, didn't mean to misquote you. I accept that proper encryption means the data is secure, but I guess I don't trust these guys.

Quote:

... subverts the VPN?...

The scenarios you describe are possible, but less likely than having a laptop stolen. Also, the server could be programmed to release only a certain number of names and addresses on any given day, to stop unauthorised downloads of the entire database.

I'd like to know why anyone would need 600,000 names and addresses on a laptop in a car.