
"Clear" Laptop Found, In the Same Locked Office

jafo alerts us to an SFGate story reporting that the lost "Clear" Program laptop has turned up in the same office from which it was reported missing, but not in its previous location. "A preliminary investigation shows that the information was not compromised... The computer held names, addresses and birthdates for people applying to the program, as well as driver's license, passport and green card information. But, she said, the computer contained no Social Security numbers, credit card numbers, fingerprints, facial images or other biometric information... The information was encrypted on the server, but not on the laptop, although it should have been... However, it was protected by two levels of passwords." Reader jafo adds, "Pardon me if I have little confidence that an organization that loses a sensitive laptop for 9 days is able to tell if it was compromised."
  • by oodaloop ( 1229816 ) on Wednesday August 06, 2008 @08:12AM (#24494393)
    and none of it came back today.
  • Clear is bullshit (Score:5, Interesting)

    by Jah-Wren Ryel ( 80510 ) on Wednesday August 06, 2008 @08:23AM (#24494519)

    This whole 'Clear' thing is bullshit. It's a bad solution to a problem that should not exist in the first place.

    If you buy the story that all the airport security that results in thousands standing around waiting to get to their gates is both necessary and effective then you must question any program that claims to pre-screen anyone because that just opens a window of opportunity between the pre-screen and the actual boarding of the flight in which the pre-screened person can be compromised in any number of ways.

    It all comes back to the problem that there is no such thing as "the evil bit" - and any system which tries to make up for that by using some other combination of 'bits' as a proxy for the non-existent 'evil bit' is just a house of cards built on a non-existent foundation.

    Even if you take Bruce Schneier's view that Clear is a good thing - not for the pre-screen, but because of the open-market approach to airport security which lets people pay more in exchange for a guaranteed short processing time - it's still bullshit. That's because the rich and the powerful - the idiots who make the laws that created the TSA and their time/money wasting policies - will be able to avoid having to suffer the consequences of their own actions. They can just pay a few hundred dollars more and never suffer the crap that they dumped on all the plebes.

    Congress already exempts itself from too many of the laws it passes (no social security, they have their own program, no anti-discrimination in hiring laws on the hill, etc) they should not be able to get another free pass on suffering the effects of creating the TSA.

  • Re:Clear is bullshit (Score:4, Interesting)

    by Lumpy ( 12016 ) on Wednesday August 06, 2008 @08:37AM (#24494679) Homepage

    Welcome to the Windows Computing culture.

    Data is secure in the SQL server in the system. Dumbass manager #2 uses his login and dumps it to Excel or to Access because he's handy with those.

    I am sure the IT department has warned against this behavior but managers like to ignore what IT says when they have an "idea".

    Kind of like how someone discovered the entire company's salary breakdown on a laser printer in the sales area.... A dipshit manager in Accounting printed a secure document on an unsecure printer (because hers was being serviced) and LEFT IT THERE for 4 hours.

  • Too convenient (Score:3, Interesting)

    by JoeMerchant ( 803320 ) on Wednesday August 06, 2008 @09:00AM (#24494935)

    After the big media blitz, I imagine the laptop was found "somewhere," and it was a lot easier to explain if "somewhere" became the same locked office it was supposed to be in. I seem to recall some removable hard drives in the Los Alamos fiasco that also eventually "were discovered" in secure areas like behind a copy machine or something.

    /cynical

    realistic (what's the difference, anyway?)

    Laptops and removable hard drives are inherently portable - if you really care about preserving the confidentiality of anything, it should be treated in an "eyes only" manner while on the portable media - when you're done, either encrypt or wipe. If the portable device leaves your sight for 15 minutes, you can assume that it has been copied. If it's not encrypted, it doesn't matter how many passwords are required, it can be copied in a very short time with a screwdriver and a mini-notebook, or any other contraption with a compatible drive controller.

    /realistic

  • Re:Clear is bullshit (Score:3, Interesting)

    by MrMr ( 219533 ) on Wednesday August 06, 2008 @09:18AM (#24495155)
    You are aware that keeping salaries a secret is not in the interest of the employees?
    Perhaps your 'dipshit manager' is the only honest person in accounting...
  • by JWSmythe ( 446288 ) * <jwsmythe@nospam.jwsmythe.com> on Wednesday August 06, 2008 @09:29AM (#24495329) Homepage Journal

        A lot of people don't know that. It's been helpful to know though. I've retrieved (or told someone to retrieve) things in "locked" rooms that weren't supposed to be locked.

        Except for once... The CEO had this thing for keeping the tape backups in his safe, in his locked office. He was out of town, the door was locked, and we needed one of the tapes. With the COO's permission, one guy climbed over and opened the door from the inside for us. The safe was a lot easier, he left the door open.

        Then again, I've been having more fun learning how to pick locks. It's a lot more impressive to sit at the door handle for 30 seconds, and pop the door open, without having to get dirty or climb on anything. :)

  • by flappinbooger ( 574405 ) on Wednesday August 06, 2008 @09:45AM (#24495561) Homepage
    Yes, Yes, Inside job it was, young skywalker. You are advancing in the force, you are!

    Reminds me of one time where my boss was in the field at a customer's factory. He had his "notebook" in which he writes everything down. (a paper notebook, old school, not a laptop)

    He left it on a table in the break room for a couple hours and forgot about it. Later, when he remembered, it was gone.

    A few hours LATER, it was back, pretty much where he left it.

    Luckily it didn't have any pricing or other such things in it, but it still wasn't a good thing.

    But Karma is interesting, this same customer a few months later sent us an email which happened to have a high level very confidential spreadsheet attached, accidentally. It contained the company's strategic plan for the coming months - people's salaries, names, locations, PLANT CLOSURE PLANS, savings from plant closures, all that stuff. "ummm, yes, there was a spreadsheet that you ... shouldn't have got... can you please erase that? Right now? And not look at it? Thanks!"

    My point is, and I have one, encryption is fine but it is no guarantee against mistakes and/or stupidity.
  • by wardk ( 3037 ) on Wednesday August 06, 2008 @10:30AM (#24496361) Journal

    They no longer have to tell you they are searching, and can do it quietly/legally while you are away.

    Maybe the feds came in, took it, got a good clean copy, and returned it?

  • Re:Clear is bullshit (Score:3, Interesting)

    by sumdumass ( 711423 ) on Wednesday August 06, 2008 @11:13AM (#24497067) Journal

    Ehh. We actually caught a guy double dipping on proposals once that way.

    He was working for a competitor at the same time and printed two proposals with different letterheads and left them on a printer outside his office because the last tech set that as the default printer when the printer in his office was removed and replaced.

    Some drone kept asking who was printing Competitor X's documents and no one answered. So we looked at sales reports for anyone who dropped in sales and then emails for the last week or so and found a pattern where he was pushing whichever deal got him the highest commissions. And this had been going on for over 2 years from what we could tell from the emails.

  • by BlackSnake112 ( 912158 ) on Wednesday August 06, 2008 @11:55AM (#24497887)

    I remember getting a security audit. These people came in to 'hack' (just get root access) to the systems. Once they had that they stopped. They really just ran password guessing programs on the machines. I had a DB server that was not part of the domain; it only used DB accounts, no domain accounts were used. So the domain accounts and passwords didn't work. At the end of the week they never got into that machine. The rest of the Windows, Sun, VAX, I forget about the mainframe, were cracked. My boss was wondering why that one Windows box was not cracked, and so did the company. I never told the company; I just said they failed to get into my DB machine. They left and my boss and a few VPs wanted to know how I did it.

    The password was: ThisIsThePasswordForMachineDelta

    They never went past 15 characters in their password program. I was surprised that it wasn't guessed since it was all letters but it worked. And a new 30+ password system was set in place. I did get a few threatening emails after the new password policy was put in place though. This was also 1997 too, so it most likely would not work today.
