MI6 Terror Photos, Data Accidentally Sold On Ebay

Posted by timothy on Tue Sep 30, 2008 09:29 AM
from the that's-ar15-for-ordinary-citizens dept.
Barence writes "In what's turning out to be a bad week for security in the UK, confidential MI6 documents, fingerprints and photos relating to suspected Al-Qaeda terrorists have been found in the memory of the second-hand Nikon Coolpix camera, which was bought on eBay for only £17. The buyer immediately went to the police, who initially treated it as a joke; when they realised he was serious, they swooped on his home and seized his camera and PC. Remember, this is the same MI6 which plans to recruit new members via Facebook, a userbase not exactly famous for its dedication to privacy, security and discretion. The news comes on the back of yesterday's embarrassment over a local council whose VPN device ended up on eBay with confidential login details left on it."

Related Stories

IT: Council Sells Security Hole On Ebay (147 comments)
Barence writes "A security expert was stunned to discover a VPN device he'd bought on Ebay automatically connected to a local council's confidential servers. Bought for just 99p for use at work, when plugged in it automatically connected with the login details which had been carelessly left on the device. 'The whole selling point of the device was that it was extremely easy to configure. It's pretty horrific really,' says the intrusion-detection professional. The council says it is 'deeply concerned' by the news, but is confident that 'multiple layers of security have prevented access to systems and data.'"
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • Fuck the police (Score:5, Insightful)

    by Hatta (162192) on Tuesday September 30 2008, @09:31AM (#25204363) Journal

    The buyer immediately went to the police, who initially treated it as a joke; when they realised he was serious, they swooped on his home and seized his camera and PC.

    This is why you never talk to the police.

    • Re: (Score:3, Insightful)

      According to TFA, the police replaced the camera equipment they swiped. I didn't see any mention in the article of them taking his computer. Only replacing "$1000 worth of camera equipment".

      • Re:Fuck the police (Score:5, Informative)

        by slug359 (533109) on Tuesday September 30 2008, @09:36AM (#25204427) Homepage

        4th paragraph:

        "However, the police subsequently descended on the man's home, seizing his computer and camera equipment."

        • Re:Fuck the police (Score:5, Insightful)

          by ShieldW0lf (601553) on Tuesday September 30 2008, @09:43AM (#25204529) Journal
          Sounds like a good place to work. Clearly, they're full of incompetents, leaving lots of room to slack off and still shine brighter than everyone else. Course, after a few years of doing so, you train yourself to be as useless as the rest of em, but then you can just suck up a government cheque and pass the buck until it's time to retire.
        • Re:Fuck the police (Score:4, Insightful)

          by electrictroy (912290) on Tuesday September 30 2008, @10:57AM (#25205473)

          >>>they swooped on his home and seized his camera and PC.

          How nice. You try to be an honest citizen, and they steal your stuff. I wouldn't be surprised if they next decide to charge him for "trafficking" in Playboy photos, illegal music, and/or downloaded movies.

      • Re:Fuck the police (Score:5, Informative)

        by DeadManCoding (961283) on Tuesday September 30 2008, @09:38AM (#25204463)
        His computer was seized as he downloaded the files, The Register [theregister.co.uk] has more info.
      • Re:Fuck the police (Score:5, Insightful)

        by bestinshow (985111) on Tuesday September 30 2008, @09:40AM (#25204491)

        1) They took his computer.

        2) They replaced the equipment, at a cost of a grand. Whether or not this was a like-for-like replacement or better is unanswered.

        Whether or not he got his personal data back is another question, as anyone knows it is the time invested in generating your own data that is the real value in your PC. I hope he had a backup.

        Knowing the British police I expect he'll be arrested for some non-related data on the hard drive like some MP3s.

        • Whether or not he got his personal data back is another question, as anyone knows it is the time invested in generating your own data that is the real value in your PC. I hope he had a backup.

          It's OK, he can just buy them back when they turn up on ebay ...

          Rich.

        • Re:Fuck the police (Score:5, Insightful)

          by Not_Wiggins (686627) on Tuesday September 30 2008, @10:31AM (#25205145) Journal
          Whether or not he got his personal data back is another question, as anyone knows it is the time invested in generating your own data that is the real value in your PC. I hope he had a backup.

          Actually, in a case like this, having a backup isn't going to help. Likely, the police would want to grab that, too. 8/
          • Re: (Score:3, Insightful)

            If it didn't before, I'm sure it does now. I mean they do have to justify seizing the computer after all. The fact that the person reported it to the police before there were any suspicions clearly can't indicate honesty.

      • Re:Fuck the police (Score:5, Informative)

        by necro81 (917438) on Tuesday September 30 2008, @10:24AM (#25205055) Journal

        A clarification: the cost of replacement equipment was £1,000, not $1,000.

        • by dgatwood (11270) on Tuesday September 30 2008, @11:16AM (#25205749) Journal

          Yup. What did we learn, boys and girls? (Okay, I know I'm being optimistic on that last part.) If you find yourself with evidence related to a terrorism investigation because an inept government official sold it on eBay, don't go to the police. Send it to the media. Anonymously.

          • Damn straight. People should not be punished for being honest.

            Government agencies, however, should be publicly punished for being incompetent.

            I imagine that if the man had given the camera to the media, the police could have swooped down on the news outlet and confiscated their computers, but then they would be in a much bigger fight with the Fifth Estate rather than some poor schlub who can't fight back.

            Here's hoping the free press continues to stay free.

    • Re:Fuck the police (Score:5, Insightful)

      by JustKidding (591117) on Tuesday September 30 2008, @09:36AM (#25204433)
      I still have a hard time believing the people who decide such things are really that stupid. What message does that send to the next finder of classified information or material? "just post it on Flickr via anonymous proxy?" They could have just asked for the camera, and offered a replacement for it, and a new computer with a copy of their data.
            • Re:Fuck the police (Score:5, Insightful)

              by harrkev (623093) <kfmsdNO@SPAMharrelsonfamily.org> on Tuesday September 30 2008, @10:40AM (#25205241) Homepage

              You clearly know nothing about how the government deals with classified data. Classified data is considered kind of like a virus, not the computer kind, but the biological kind. If the classified data was in a memory card in the camera, the camera itself is contaminated. If the camera was plugged into a computer, then the computer itself is contaminated. Any electronic device that the computer touched is then considered to be contaminated. Even if you "KNOW" that it is not possible for your mouse to store encrypted data, your mouse is still assumed to be contaminated. This type of "blanket" policy that makes no exceptions is actually pretty smart, as it is the exceptions that will come back and bite you in the butt.

              This is the way that the US government does things in real life (and presumably the UK does the same thing). When developing systems that handle classified data, you have to maintain strict "red/black" separation, and the only interface allowed between red and black are things like *APPROVED* encryption units.

              Things are actually a little more complicated than this, but this is the general idea.

              • Re:Fuck the police (Score:5, Insightful)

                by ultranova (717540) on Tuesday September 30 2008, @11:04AM (#25205593)

                Any electronic device that the computer touched is then considered to be contaminated.

                Well, since the computer was likely connected to the Internet, we're having a pandemic by now.

              • Re:Fuck the police (Score:5, Insightful)

                by NotBornYesterday (1093817) * on Tuesday September 30 2008, @11:06AM (#25205609) Journal
                Excellent info. However, just to be a wiseass, let me just say how glad I am that there is no worldwide series of interconnected electronic devices that might indirectly connect his home computer to mine or yours.
              • Re:Fuck the police (Score:4, Insightful)

                by dgatwood (11270) on Tuesday September 30 2008, @11:25AM (#25205905) Journal

                This type of "blanket" policy that makes no exceptions is actually pretty smart, as it is the exceptions that will come back and bite you in the butt.

                No, a smart policy would prevent precisely what they are trying to prevent. A smart policy would say that any device that is capable of permanent retention of data, once contaminated, cannot be resold. That means hard drives, flash cards, and any camera that contains flash memory if such photos were ever stored in the built-in flash memory at any time.

                Preventing resale of devices that cannot retain data is idiotic. It only makes sense under the assumption that the people working for your IT department are too inept to know the difference.

                There will always be problems of people screwing up and selling things that they shouldn't, but at least by setting sane policies, you reduce the risk of such things being sold due to people desperate for a bigger department budget by reducing the list of things that can't be sold but don't really matter.

    • by sharperguy (1065162) on Tuesday September 30 2008, @09:43AM (#25204533)

      The buyer immediately went to the police, who initially treated it as a joke

      I'll just type it up on my invisible typewriter.

    • by KeepQuiet (992584) on Tuesday September 30 2008, @09:51AM (#25204627)
      He should leave negative feedback. That will teach them a lesson.
    • Re:Fuck the police (Score:5, Insightful)

      by Xiroth (917768) on Tuesday September 30 2008, @09:55AM (#25204681)
      Uh, if they needed to minimise the risk of a copy of the files being left behind, what exactly should the police have done? If I reported something like this to the police, the next thing I'd do is open the doors and put on a pot of tea for the special ops chaps who'd likely be calling by momentarily. Just because they came by and seized the relevant equipment doesn't mean they treated him like a criminal - they simply did the best they could in a bad situation, and were probably rather apologetic to him and his family. They could well have returned the computer within 48 hours - we really don't have enough information to be passing judgement about this.
      • Re:Fuck the police (Score:5, Interesting)

        by Hatta (162192) on Tuesday September 30 2008, @10:16AM (#25204909) Journal

        You're right, the police probably had little choice other than to confiscate his equipment. It was a completely predictable reaction, and that is why the person in question shouldn't have gone to the police.

        Even if they did return the equipment, I hope he's comfortable with some thug poring over his personal and private data. You know, searching through his email to see who he might have spoken with about these records. Looking at every single image file on the drive, etc.

    • Re:Fuck the police (Score:5, Interesting)

      by mpe (36238) on Tuesday September 30 2008, @10:08AM (#25204825)
      This is why you never talk to the police.

      Better off to do as the person who found the stuff on the train did. Go to the press ensure that any handover is as public as it can possibly be.
    • Re:Fuck the police (Score:5, Insightful)

      by Richard W.M. Jones (591125) <`gro.aixenna' `ta' `hcir'> on Tuesday September 30 2008, @10:18AM (#25204939) Homepage

      This is why you never talk to the police.

      Sadly you may be right, although for all the wrong reasons. In civilised parts of the world we recognise that society exists because of cooperation, and that includes cooperation with the police.

      Unfortunately in cases like these, the police are undermining that cooperation. As another example, it's rumoured that if you report child porn on the internet to the relevant authorities in the UK, you should expect a visit from the coppers and all your computer equipment to be taken away. Which is why I wouldn't report this, even though child abuse is a terrible thing and it should be reported.

      Now, if I found "terror photos" (whatever they are) on a second hand laptop or camera, I won't be reporting that either. Just scrubbing any info off the device and get on with my life.

      Rich.

  • by Rand Race (110288) on Tuesday September 30 2008, @09:31AM (#25204373) Homepage

    George Smiley would whip out a light-saber and... oh, wrong Alec Guinness film. Sorry.

  • by LWATCDR (28044) on Tuesday September 30 2008, @09:32AM (#25204383) Homepage Journal

    Just how many people buy hard drives just to mine them for data?
    1. Buy the drives on Ebay
    2. Scan drives for valuable data.
    3. Sell cleaned drives on Ebay and sell data to the highest bidder.
    4. Profit.

    • by JustKidding (591117) on Tuesday September 30 2008, @09:38AM (#25204459)
      With just 2 people doing this, there would be a whole lot of clean drives going back and forth between them. You need something like a TTL to prevent a complete DoS.
    • by kestasjk (933987) on Tuesday September 30 2008, @09:44AM (#25204547) Homepage
      Slashdot articles may give the impression that every piece of 2nd hand electronics contains nuclear silo passcodes or celebrity porno tapes but I don't think that's actually the case
        • by NotBornYesterday (1093817) * on Tuesday September 30 2008, @11:26AM (#25205915) Journal
          That depends on your definition of "important". If by "important" you mean, has the most value to the person who received it, then I'd personally have to go with sex vids/pics. Those I can use right away, as often as I want, and then trade to get more nudie pics.

          WTF am I going to use nuclear bomb codes for? I'm no longer in the nuclear blackmail business, and all my former henchmen are employed elsewhere. Mostly at Oracle and Microsoft. We still send each other xmas cards, and talk about getting together for a reunion, but it's hard to get all our schedules to line up, especially since most of us have young families now anyway. Back in the day when we were all single, it was easy to commit all our waking hours to work (building a massive underground fortress in a dormant volcano, etc.), but none of us really have the time anymore. Sigh. I guess you really can't go back to the glory days once they're gone.
            • by NotBornYesterday (1093817) * on Tuesday September 30 2008, @11:57AM (#25206321) Journal
              The money is there, but the competition got to be too much. In the mid-90's we were doing great. Our business plan was solid, and we were swimming in venture capital. We even considered an IPO at one point. Then in the late 90's, Microsoft got wind of what we were doing, and met with us to discuss a merger. The rest of the story is fairly predictable: sell to them at a discount, or they would simply "embrace and extend" our blackmail model and include it as a free feature in the next version of Windows.

              After we sat back, talked it over amongst ourselves and considered it, we agreed to sell to them. Looking back, I'm not so sure that was really the right thing to do, but at the time the ground was littered with companies who had crossed them and lost. Anyway, a few of us got buyout packages and moved on elsewhere, but most stayed with Microsoft for awhile at least. It's not a bad place to work. Nice campus and all, but it sure wasn't as cool as the supersecret lair was.

              Eventually, they managed to integrate some of our world-domination technology into the next build of their OS, but they never really understood it, and it was a disaster (remember ME?). At that point, I was pretty disgusted, so I left to join another start-up.
  • by eln (21727) on Tuesday September 30 2008, @09:35AM (#25204413) Homepage

    I think an intelligence service selling a camera with highly sensitive classified data on it is just a little more serious than some local council leaving the password to their VPN on a router.

    I would expect small local agencies to either not have or ignore proper data scrubbing policies prior to selling old equipment, but national intelligence agencies? That's a whole different kettle of fish.

    • by _Sprocket_ (42527) on Tuesday September 30 2008, @10:16AM (#25204901)

      I would expect small local agencies to either not have or ignore proper data scrubbing policies prior to selling old equipment, but national intelligence agencies? That's a whole different kettle of fish.

      It is curious. It would be a safe bet that proper procedures exist to handle equipment like this. Obviously they weren't followed.

      I would even hazard to guess that not only were safe disposal procedures not followed, but a whole slew of other procedures covering proper equipment were also ignored. It wouldn't surprise me that this was a personal device used on-the-job due to convenience or necessity despite regulations against such use.

      Of course, that's just a wild guess. It could also be as mundane as lost / stolen equipment. Or mis-managed inventory that ended up in some government surplus lot. The scenarios are endless.

      It also highlights a personal pet peeve of mine; policies are not protection. Too often they are given the air of risk mitigation when they are simply documents. Sure - they're good things to have around. You can't expect people to do things right if you can't tell them the right way of doing things. But so much infosec within the belly of such bureaucratic beasts seems to focus on merely generating and checking those policies. There is too little effort in actually implementing them - or improving the environment to limit actual risk.

      If this was, in fact, personal gear I would hazard to guess simply making it easier to get official government kit (with all the tracking and control such kit gets) would have eliminated this eventual leak.

  • Note to self... (Score:5, Insightful)

    by Anita Coney (648748) on Tuesday September 30 2008, @09:38AM (#25204469)

    The buyer immediately went to the police, who initially treated it as a joke; when they realised he was serious, they swooped on his home and seized his camera and PC.

    ... never do the police a favor in the UK.

    But then again, in the US they would have tasered him for no reason.

  • by SendBot (29932) on Tuesday September 30 2008, @09:39AM (#25204473) Homepage Journal

    I think the individual would have been better off (as in, not having his home raided and property taken) to have just given the data to wikileaks.

    In response to MI6's ineptitude, the authorities have attacked the innocent person attempting to help them.

    Remember kids, talking to police is not usually in your best interest. Be polite and complicit within your rights, but don't volunteer information.

    • Re: (Score:3, Insightful)

      Presumably MI6 would be able to track down the camera, and hence the buyer, from the photos (then again, they were inept enough to release the camera to begin with, but I digress).

      Acting purely in self-interest, if this happened to me, I'd chuckle to myself quietly about the idiocy of government, delete the files and forget about the whole thing. In fact, if this is what any reasonable person would do while acting in their own interests, one has to wonder how under-reported the problem is.

    • I think the individual would have been better off (as in, not having his home raided and property taken) to have just given the data to wikileaks.

      "Hey, our national security data turned up on Wikileaks! I wonder how it got there. Oh look, a serial number in the EXIF data. What'd we do with that camera anyway?"

      Basically, the poor guy was screwed. He reported the problem and suffered for it. If he didn't report it at all, an audit at MI6 might have turned up the problem and they would have confiscated everything he owned capable of storing the data, possibly including himself.

      If he'd followed your harebrained advice, he would probably be dead. Seriously, what part of "taunt the TLA" seems like a good idea to you?

      I feel badly for him. My sig is normally meant to be humorous.

  • No Good Deed... (Score:5, Insightful)

    by maz2331 (1104901) on Tuesday September 30 2008, @09:51AM (#25204635)

    ever goes unpunished.

    If someone comes to you, DO NOT attack them! Be nice, assist in getting any secret data purged, and sign a confidentiality agreement, and give the guy a nominal reward.

    Raiding the house of someone who does the right thing is a pretty strong incentive to never help out again, and a strong incentive for others to do so as well. It also feeds the radical opponents' propaganda machine with fresh fodder and lets them become the "persecuted good guys".

    So don't do it. Know who your friends are, and don't mess with them. Or they may stop being your friend.

    Western societies and governments have enough enemies already, and there is no need to create any more.

  • Incidents (Score:5, Interesting)

    by Anonymous Coward on Tuesday September 30 2008, @09:53AM (#25204653)

    17 September 2008 The Insolvency Service. Laptop containing personal details of 385 former directors of insolvent companies has been stolen. Greater Manchester Police are investigating the burglary, which happened on 28 August. The Insolvency Service said 385 ex-company directors had been affected and also about 150 people with a connection to the firms. Information on the company directors included name, address, date of birth and occupation. No bank account details were held. In relation to the creditors, complainants and employees, the data included name, address, and bank account details in a small number of cases.

    16 September 2008.
    NHS memory stick found in street. An NHS trust has apologised after a computer memory stick, containing the confidential files of 200 patients, was found in a street. It stored a summary of medical histories and patients' national insurance numbers and addresses.

    Monday, 15 September 2008 18:19 UK.
    Police admit to lost data blunder. A police force has undertaken an urgent hunt for a computer memory stick after admitting it has been lost by an officer on duty.

    Monday, 15 September 2008 18:12 UK. Trust loses 18,000 staff records. Discs containing personal information on almost 18,000 NHS staff have gone missing from a north London hospital.

    10 September 2008 11:34 UK
    Up to 15,000 patients' data taken
    Computer back-up tapes containing personal information on up to 15,396 patients at a surgery have been stolen. "There are 15,396 patients registered at the surgery and potentially information on all of them could be on the tapes.

    27 August 2008 12:38 UK,
    Health board lost patients' data
    A health board has tightened its security measures after the loss of two memory sticks containing patient data.

    27 August 2008 12:05 UK Taxpayers' details found on eBay. A Leicestershire council is investigating a report that a computer containing taxpayers' personal details was sold on auction website eBay. Bank account numbers and sort codes of people in the Charnwood Borough Council area were reportedly found after the equipment was sold for £6.99. Information including bank account numbers, telephone numbers, mothers' maiden names and signatures of customers of American Express, NatWest and the Royal Bank of Scotland (RBS) were reportedly found on the computer.

    Thursday, 21 August 2008 22:56 UK
    Company loses data on criminals

    A contractor working for the Home Office has lost a computer memory stick containing personal details about tens of thousands of criminals. The lost data includes details about 10,000 prolific offenders as well as information on all 84,000 prisoners in England and Wales.

    9 August 2008 13:06 UK
    BBC sorry after TV data is stolen
    The BBC has apologised after a memory stick containing the personal details of hundreds of children who had applied to take part in a TV show was stolen. Deverell also informed parents they could call a free helpline if they had concerns about the lost data - which included names, addresses, dates of birth and phone numbers.

    29 July 2008 09:42 UK
    Missing laptop data not 'at risk'
    A laptop computer from the Citizens Advice Bureau in Coleraine has gone missing. The details of about 7,000 people were on the computer of an outreach worker from the voluntary group which was mislaid in transit.

    Wednesday, 23 July 2008 14:17 UK
    Surgery patients' data is stolen
    Information on more than 3,500 patients at a surgery in Greater Manchester has been stolen, health bosses have said.

    22 July 2008 20:56 UK
    'Spying' requests exceed 500,000
    More than 500,000 official "spying" requests for private communications data such as telephone records were made last year, a report says. Police, security services and other p

  • Police = morons (Score:4, Insightful)

    by JustNiz (692889) on Tuesday September 30 2008, @09:54AM (#25204665)

    > The buyer immediately went to the police, who initially treated it as a joke; when they realised he was serious, they swooped on his home and seized his camera and PC.

    So basically he got punished for doing the right thing. I bet that will make other people want to tell the police too *NOT*.
    Police = morons.

  • the lesson (Score:3, Funny)

    by jipn4 (1367823) on Tuesday September 30 2008, @09:55AM (#25204687)

    Next time, send the data anonymously to Wikileaks.

  • kill the messenger (Score:4, Insightful)

    by Tom (822) on Tuesday September 30 2008, @10:03AM (#25204765) Homepage Journal

    That's how you make friends and teach people to trust you. A guy wants to help out and you punish him, instead of treating him like the friend of law enforcement that he wants to be.

  • Good deal (Score:5, Funny)

    by Lucas123 (935744) on Tuesday September 30 2008, @11:14AM (#25205719) Homepage
    He got a Nikon Coolpix camera for £17? Holy crap. What a great deal.
  • Profit!! (Score:5, Funny)

    by LingNoi (1066278) on Tuesday September 30 2008, @01:48PM (#25207783)

    1) Sell camera on ebay
    2) Wait for buyer to report MI6 photos
    3) Steal Camera back
    4) PROFIT!!!
    5) Go to 1

    • Re: (Score:3, Interesting)

      I used to work as a tech consultant for a mortgage company. They told me that, since they did government loans, the FTC required them to comply with certain privacy standards. Until I came along they were just deleting all the data on the HD's and then selling old computers. When I showed them how deleted does not necessarily mean gone, they were shocked. Then they started smashing them with hammers and throwing them away. The next time I came by I told them how they could use certain utilities to really th
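
The point made in the comment above, that deleting files does not remove their contents, shown as an added example that is not part of the original thread. It runs a pre-disposal residual-data check over a constructed in-memory media image; the toy directory layout and all function names are assumptions made for illustration.

```python
SECTOR = 512
JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker plus the lead byte of the next marker
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker


def build_image():
    """Constructed 64-sector 'memory card': sector 0 is a toy directory,
    one sample photo is stored starting at sector 8."""
    img = bytearray(SECTOR * 64)
    photo = JPEG_SOI + b"\xe0" + b"CONSTRUCTED-SAMPLE-PHOTO" * 40 + JPEG_EOI
    img[0:11] = b"DSCN0001JPG"                      # toy directory entry (name only)
    start = 8 * SECTOR
    img[start:start + len(photo)] = photo
    return img, len(photo)


def quick_delete(img):
    """What 'delete' usually does on FAT-style media: flag the directory
    entry as free (0xE5 in the first name byte) and leave the data alone."""
    img[0] = 0xE5


def overwrite(img):
    """Single-pass zero overwrite of every addressable sector."""
    img[:] = bytes(len(img))


def residual_report(img):
    """Return (non_blank_sector_count, lengths_of_carved_jpegs).

    A sector counts as blank when it is all 0x00 or all 0xFF.
    JPEGs are carved by signature alone, ignoring the directory,
    which is how leftover photos are recovered from 'emptied' media."""
    blank = (bytes(SECTOR), b"\xff" * SECTOR)
    non_blank = sum(
        1 for off in range(0, len(img), SECTOR)
        if bytes(img[off:off + SECTOR]) not in blank
    )
    carved = []
    pos = img.find(JPEG_SOI)
    while pos != -1:
        end = img.find(JPEG_EOI, pos + len(JPEG_SOI))
        if end == -1:
            break                                   # header without trailer: stop carving
        carved.append(end + len(JPEG_EOI) - pos)
        pos = img.find(JPEG_SOI, end + len(JPEG_EOI))
    return non_blank, carved


def cleared_for_disposal(img):
    """Pass only when no sector holds data and nothing can be carved."""
    non_blank, carved = residual_report(img)
    return non_blank == 0 and not carved


if __name__ == "__main__":
    image, size = build_image()
    print("photo bytes written:", size)
    quick_delete(image)
    print("after delete   :", residual_report(image), cleared_for_disposal(image))
    overwrite(image)
    print("after overwrite:", residual_report(image), cleared_for_disposal(image))
```

On real hardware the same report would run over a raw image of the device rather than a bytearray. Flash wear levelling can keep copies in blocks outside the addressable range, which a host-level check like this cannot see.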