Governmental Servers Wiped? Never! 284
Geoff writes with a story from Australia: "Eighteen AIX servers purchased from government via auction -- none of them had data removed from them. Ticket Vending and Validation source code, Payroll, Finance, Emails and Customer complaints. All there on every server; they were even nice enough to include some old backup tapes. At ~$14USD per server, it's amazing how cheap personal information has become."
14 bucks? you got ripped :) (Score:5, Interesting)
$14 USD? You got ripped off.
A few years back, some guy wearing a workmans uniform and holding a clipboard wandered into the (iirc) customs building here in Australia. Carted off one of the servers from a machine room, and no-one stopped them, or remembered what they looked like.
Slashdot remembers
Makes me proud to be an aussie sometimes
Not trivial though (Score:2, Interesting)
Your task is even harder if you have a hard drive that ceased operating. There exists companies like http://www.kurt.hu/ [www.kurt.hu] that have state of the art technology to retrieve data from damaged hard drives. If you need your data: good for you. If you'd like to get rid of it for sure: better take good care of it...
Government (Score:5, Interesting)
Or if the government really cares. Who's going to arrest them? There's no risk of punishment here.
Re:Understandable . . . (Score:5, Interesting)
The STA is responsible for the operations of the Sydney Buses network which I used to rely on for travel to & from school, work, and for social events -- until I got my car. It is the most unreliable system ever, on par with the NSW Cityrail system both which has been constantly riddled with problems [smh.com.au]. It's not surprising that a blunder such as this went by unnoticed.
I would like to do my bit for the environment and use public transport as much as possible but I never get where I need to on time. I've been to Russia and even there, the buses and subway system are more reliable.
Does he have a license to the source now? (Score:5, Interesting)
Reminds me of when I worked for US government... (Score:5, Interesting)
-AT
Re:14 bucks? you got ripped :) (Score:5, Interesting)
There was also the incident a couple of years back when large quantites of backup tapes for three government departments were stored in wheeled garbage bins - as anyone who read this can expect the tapes ended up being dumped and lost forever, and the contractor (Telstra, the half government owned telecomunications company) was not even rapped over the knuckles for it.
It's not just the government - I picked up an old Sun E250 for parts at an auction. To see if it worked I booted off an install CD, plugged in a serial terminal, edited a couple of files with ed (/etc/passwd and /etc/shadow I think, was a while back) to get root on reboot and was very surprised to find a lot of stuff apart from the OS still on the disks. I wasn't curious enough to find out whose it was and what was there - peril lies that way for no gain, so I just did what should have been done and repartitioned the thing.
The opposite extreme is the clueless accountant taking to a retired server with a hammer - saying something about traces being left in the RAM - but he probably hated the thing or just wanted to smash things. If it was me there was a perfectly good 200 ton hydraulic press that could have been used in the same place, a small heat treatment furnace to get all the data off that drive by going beyond the curie temperature, a large array of machine tools and an impact testing rig.
In my department... (Score:1, Interesting)
Anything that goes to auction is diskless, and we cannot return a drive under warranty as it's impossible to securely erase a faulty drive, or, for that matter, a good drive - think bad sector remapping.
We're Federal Government, not State, BTW.
Re:Not trivial though (Score:1, Interesting)
If there is a reasonable chance that someone might want your data bad enough to attempt reconstruction of overwritten data, then you should a) never store unencrypted data and b) still never sell the harddrive.
Otherwise overwriting with zeroes is sufficient.
Australian Law says you must now wipe.. (Score:1, Interesting)
The best you can do is to sent STA a stiff invoice for professional data sanitation. Fix ther wagon!
If you are outraged, tell the STA Union their members details were leaked because a slack security (any excuse to strike), tell the State Auditor, tell tax, and the privacy commissioner. Butts will be kicked.
The auction mob were slack, they are meant to wipe the data, and remove all identifying stickers. But the real blame lies higher up.
Conclusions. The STA are as reliable as their timetables, and going to windows will be more risky than ever, if their admins default everything.
Re:Government (Score:2, Interesting)
Re:Odd... (Score:2, Interesting)
With a low level format, then a blast furnace, and then holding on to the smelted chunk of crud for a while. [this may have been only for stuff that was "sensative" though]
Of course my brain sucks for holding normal info, but it kinda stood out because we do similar stuff at work, machine dies, we take it out back with a sledge hammer and a cutting torch, someone asks us to strip the machine for parts half an hour after we're tired.
Re:Blatant theivery. (Score:3, Interesting)
Please read DBAN FAQ (Score:2, Interesting)
A: No.
Most of the passes in the Gutmann wipe are designed to flip the bits in MFM/RLL encoded disks, which is an encoding that modern hard disks do not use.
In a followup to his paper, Gutmann said that it is unnecessary to run those passes because you cannot be reasonably certain about how a modern hard disk stores data on the platter. If the encoding is unknown, then writing random patterns is your best strategy.
In particular, Gutmann says that "in the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques. As a result, they advocate applying the voodoo to PRML and EPRML drives even though it will have no more effect than a simple scrubbing with random data... For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do".
In other words, DBAN doesn't work for modern hard drives. It's as good as random scrubbing. Which is not that effective anyway.
Re:I don't know what's worse... (Score:3, Interesting)
ebay is great for this... (Score:5, Interesting)
I picked up some "blank" used DLT tapes from ebay. These "blanks" contained a filesystem backup for the online store of a multibillion dollar corporation.
Why get so worried about personal data being stolen by l337 h4x0rz through the intarweb? All they need to do is buy a bunch of used media off ebay -- much easier.
In Canada... (Score:3, Interesting)
Re:Warranty policies (Score:3, Interesting)
Co-worker at a previous job had an acquaintance who was working for a defense contractor (RLM, i think it was), on some crazy uber-classified Over-the Horizon Radar project. They used an absolute stackload of data in Compaq (ex DEC) SANs, I'm told.
Due to the fact that all this data was classified at some level, and they were a good customer, Compaq gave them an unconditional replacement guarantee on the disks in their RAID arrays. If one failed, Compaq didn't want it back.
So, this friend of a friend started sending in bogus RMA requests and taking the disks home. When this came to light, Compaq, obviously, were rather aggrieved. Since they couldn't do him for theft (the contract being rather ambiguous, and they HAD issued him with the RMAs,) they had the Australian Fed. Police arrest him for Treason.
He got 5 to 10 years.