Privacy Data Storage Security IT

Governmental Servers Wiped? Never!

Geoff writes with a story from Australia: "Eighteen AIX servers purchased from government via auction -- none of them had data removed from them. Ticket Vending and Validation source code, Payroll, Finance, Emails and Customer complaints. All there on every server; they were even nice enough to include some old backup tapes. At ~$14USD per server, it's amazing how cheap personal information has become."

  • Well (Score:1, Insightful)

    by Arghdee ( 813921 ) * on Sunday July 31, 2005 @04:42AM (#13206537)
    Who's going to be taken out the back and shot quietly for that one?
  • by PrivateDonut ( 802017 ) <chris5377@mai l c a n .com> on Sunday July 31, 2005 @04:54AM (#13206572)
    If this guy planned on doing anything with the data, he probably wouldn't have blogged about it. He would copy the data, wipe the disks and pretend that he had seen nothing.

    Then at a later date, he could do his evil work using that data.

    Therefore, this particular blunder is nothing to get worked up about, but the potential for future blunders is.
  • Re:Negligence? (Score:3, Insightful)

    by nmos ( 25822 ) on Sunday July 31, 2005 @05:18AM (#13206622)
    On eBay, I even found a quad Xeon 550 with 1 gig memory and 5 9.1 scsi Cheetah hard drives for less than half of the Dell Xeon. But I don't have any OS that will use 4 CPUs.

    What do I need?


    Any major Linux Distro will handle 4 CPUs just fine.
  • Blatant thievery. (Score:2, Insightful)

    by felonius maximus ( 601940 ) on Sunday July 31, 2005 @05:25AM (#13206638)
    some guy wearing a workman's uniform and holding a clipboard ... Carted off one of the servers from a machine room

    I have heard a similar story about two guys in blue overalls walking out of David Jones (or some other department store) carrying a big-screen TV, and no one stopped them either.

    Makes me proud to be an Aussie

    Y'know, it's interesting to note that all our greatest heroes are thieves [ironoutlaw.com] and brigands [nedkellysworld.com.au]. Go Aussie!

  • by baldvin ( 267689 ) on Sunday July 31, 2005 @05:26AM (#13206640)
    has thousands of dollars in equipment and training to recreate your deleted data (like the National Security Agency in conjunction with the CIA


    Wrong. See my previous post. You don't need the personnel, nor the equipment. The service is commercially and easily available.

    This is similar to how most people who have used only GUI mail clients think that the From: header cannot be faked. They think that you need to be CIA to do that. However, you only need a telnet and some knowledge of an RFC...

    You are right only in that they must be spying on you to do any steps, and this is definitely not something to consider as a small company. But I expect organizations like the IRS to really take care of my data. Or if they do not, I want to be able to decide what I tell them and what I don't...
  • Re:Negligence? (Score:2, Insightful)

    by ocelotbob ( 173602 ) <ocelot@@@ocelotbob...org> on Sunday July 31, 2005 @05:44AM (#13206672) Homepage
    Really, a database machine needs more RAM than CPU speed. The more RAM you have, the larger the dataset it can keep in cache, and the less it has to go to the hard drive to pick up information. You'd be fine with a single proc machine; save the money and get a good uniproc motherboard that can accept 4 1 gig sticks of RAM instead.
  • Cheaper ways... (Score:5, Insightful)

    by pimpimpim ( 811140 ) on Sunday July 31, 2005 @05:55AM (#13206695)
    There was a case in the Netherlands where a state prosecutor just put his personal PC in the trash when it didn't work anymore due to spyware:

    http://www.expatica.com/source/site_article.asp?subchannel_id=19&story_id=13469&name=The+Dutch+news+in+October+2004 [expatica.com]
    See October 7th 2004

    Some taxi-driver found it, discovered that it had very sensitive information about some current open cases on it, and a lot of personal stuff that could make the prosecutor vulnerable to blackmail etc. when in the wrong hands.

    These things just show that some state organisations (or the people working there) have really too little awareness of handling computer data the right way. Actually this year we had a case in the Netherlands where some secret state report ended up in an upload filesharing folder of the person working on it, and thereby just could spread all over. I think people working at such positions really should be instructed on safe computing, especially at home or using laptops, the risks are pretty high that data can get stolen.

  • Data Protection? (Score:3, Insightful)

    by HugePedlar ( 900427 ) on Sunday July 31, 2005 @06:14AM (#13206732) Homepage
    The UK's Data Protection Act, especially as it pertains to medical data, is remarkably strict.

    Nonetheless, it came as no surprise to me that, when I worked at a medical centre and they upgraded all their machines, the old ones were merely dumped in the attic before being carted off by the local Council's binmen.

    I asked about this (not in terms of security, but because I wanted the machines). Apparently UK companies have to PAY the Council to remove old computers, as part of some environmental legislation. I offered to take them away for free, naturally.

    The only reason I didn't get any "protected" data along with them was because I'd previously wiped it off. But even that was little more than a standard "empty recycle-bin" - it likely wouldn't stop anyone who knew what they were doing.


    It's all very well having data protection policies, but unless you tell officials HOW to erase data, it won't be done.
  • by Wakko Warner ( 324 ) * on Sunday July 31, 2005 @06:56AM (#13206815) Homepage Journal
    I guess this post is "funny" if you consider a bunch of Dells running Fedora a "UNIX environment".

    AIX is still huge once you get out of college.
  • by Wakko Warner ( 324 ) * on Sunday July 31, 2005 @07:02AM (#13206824) Homepage Journal
    It's kind of hard to get rid of your data on a hard drive.

    In AIX, you just insert the System Diagnostics CD and tell it to scrub the disk. This is actually apparently US DOD-compliant, so it should probably suffice. Overwriting the disk about a dozen times with various patterns of data is apparently enough to render old data inaccessible.
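
An added example, not part of any commenter's post: a model of the two cases raised in this thread, a "delete" that clears only the index entry (the recycle-bin case) versus a multi-pass pattern overwrite with read-back verification. The image layout, the function names and the pass patterns are constructed for illustration and are not the AIX diagnostics' actual sequence.

```python
import os
import tempfile

BLOCK = 4096
# Constructed pass patterns for illustration; not the AIX diagnostics' actual sequence.
PASSES = [b"\x00", b"\xff", b"\xaa", b"\x55"]

def overwrite(path, passes=PASSES):
    """Write each pattern over the whole image, syncing after every pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pat in passes:
            f.seek(0)
            for off in range(0, size, BLOCK):
                f.write(pat * min(BLOCK, size - off))
            f.flush()
            os.fsync(f.fileno())
    return passes[-1]

def residue_blocks(path, expected):
    """Return indices of blocks holding any byte other than `expected`."""
    bad = []
    with open(path, "rb") as f:
        for idx, blk in enumerate(iter(lambda: f.read(BLOCK), b"")):
            if blk.count(expected) != len(blk):
                bad.append(idx)
    return bad

def demo():
    """Constructed 8-block image: block 0 is a directory entry, block 3 the file data."""
    record = b"name,salary\nA.Example,50000\n"  # constructed sample record
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        data = bytearray(BLOCK * 8)
        data[0:7] = b"payroll"
        data[3 * BLOCK:3 * BLOCK + len(record)] = record
        with open(img, "wb") as f:
            f.write(data)
        # "Delete": clear only the directory entry; the data block is left untouched.
        with open(img, "r+b") as f:
            f.write(b"\x00" * BLOCK)
        after_delete = residue_blocks(img, b"\x00")  # block 3 still readable
        final = overwrite(img)
        after_scrub = residue_blocks(img, final)     # nothing but the last pattern
    return after_delete, after_scrub

if __name__ == "__main__":
    print(demo())
```
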
  • by brunes69 ( 86786 ) <`gro.daetsriek' `ta' `todhsals'> on Sunday July 31, 2005 @07:17AM (#13206858)
    ... is the more likely scenario - that, for every one of these incidents that are reported, there are 10 that are not.

  • by bluGill ( 862 ) on Sunday July 31, 2005 @07:37PM (#13210210)

    tens of terabytes are fairly cheap these days (as in less than the labor for the tech doing the scanning). How important is that data that you forgot to back up? With $20 million? If so, spending a couple hundred thousand to read it is a good idea. Not as good as just having enough backups of course, but that has been ruled out.
