
MI6 Terror Photos, Data Accidentally Sold On Ebay

Barence writes "In what's turning out to be a bad week for security in the UK, confidential MI6 documents, fingerprints and photos relating to suspected Al-Qaeda terrorists have been found in the memory of the second-hand Nikon Coolpix camera, which was bought on eBay for only £17. The buyer immediately went to the police, who initially treated it as a joke; when they realised he was serious, they swooped on his home and seized his camera and PC. Remember, this is the same MI6 which plans to recruit new members via Facebook, a userbase not exactly famous for its dedication to privacy, security and discretion. The news comes on the back of yesterday's embarrassment over a local council whose VPN device ended up on eBay with confidential login details left on it."
  • Fuck the police (Score:5, Insightful)

    by Hatta ( 162192 ) on Tuesday September 30, 2008 @10:31AM (#25204363) Journal

    The buyer immediately went to the police, who initially treated it as a joke; when they realised he was serious, they swooped on his home and seized his camera and PC.

    This is why you never talk to the police.

  • Re:Fuck the police (Score:3, Insightful)

    by AKAImBatman ( 238306 ) * <akaimbatman@gmaYEATSil.com minus poet> on Tuesday September 30, 2008 @10:34AM (#25204403) Homepage Journal

    According to TFA, the police replaced the camera equipment they swiped. I didn't see any mention in the article of them taking his computer. Only replacing "$1000 worth of camera equipment".

  • by eln ( 21727 ) on Tuesday September 30, 2008 @10:35AM (#25204413)

    I think an intelligence service selling a camera with highly sensitive classified data on it is just a little more serious than some local council leaving the password to their VPN on a router.

    I would expect small local agencies to either not have or ignore proper data scrubbing policies prior to selling old equipment, but national intelligence agencies? That's a whole different kettle of fish.

  • Re:Fuck the police (Score:5, Insightful)

    by JustKidding ( 591117 ) on Tuesday September 30, 2008 @10:36AM (#25204433)
    I still have a hard time believing the people who decide such things are really that stupid. What message does that send to the next finder of classified information or material? "just post it on Flickr via anonymous proxy?" They could have just asked for the camera, and offered a replacement for it, and a new computer with a copy of their data.
  • Note to self... (Score:5, Insightful)

    by Anita Coney ( 648748 ) on Tuesday September 30, 2008 @10:38AM (#25204469) Homepage

    The buyer immediately went to the police, who initially treated it as a joke; when they realised he was serious, they swooped on his home and seized his camera and PC.

    ... never do the police a favor in the UK.

    But then again, in the US they would have tasered him for no reason.

  • by SendBot ( 29932 ) on Tuesday September 30, 2008 @10:39AM (#25204473) Homepage Journal

    I think the individual would have been better off (as in, not having his home raided and property taken) to have just given the data to wikileaks.

    In response to MI6's ineptitude, the authorities have attacked the innocent person attempting to help them.

    Remember kids, talking to police is not usually in your best interest. Be polite and complicit within your rights, but don't volunteer information.

  • Re:Fuck the police (Score:5, Insightful)

    by bestinshow ( 985111 ) on Tuesday September 30, 2008 @10:40AM (#25204491)

    1) They took his computer.

    2) They replaced the equipment, at a cost of a grand. Whether or not this was a like-for-like replacement or better is unanswered.

    Whether or not he got his personal data back is another question, as anyone knows it is the time invested in generating your own data that is the real value in your PC. I hope he had a backup.

    Knowing the British police I expect he'll be arrested for some non-related data on the hard drive like some MP3s.

  • Re:Fuck the police (Score:2, Insightful)

    by Anonymous Coward on Tuesday September 30, 2008 @10:43AM (#25204527)

    If I find myself in possession of classified information in this way, I _want_ the agency to confiscate and replace and as publicly as possible, thanks. I don't want anyone thinking I still have this information.

  • Re:Fuck the police (Score:5, Insightful)

    by ShieldW0lf ( 601553 ) on Tuesday September 30, 2008 @10:43AM (#25204529) Journal
    Sounds like a good place to work. Clearly, they're full of incompetents, leaving lots of room to slack off and still shine brighter than everyone else. Course, after a few years of doing so, you train yourself to be as useless as the rest of em, but then you can just suck up a government cheque and pass the buck until it's time to retire.
  • Re:Fuck the police (Score:1, Insightful)

    by Anonymous Coward on Tuesday September 30, 2008 @10:43AM (#25204537)

    Also, why in the *heck* would they do it that way if they EVER wanted people to "do the right thing" and turn things like this over to them???

    It's stupid. Honest and innocent people shouldn't be afraid to talk to the police, but incidents like this will cause such people to avoid helping law enforcement in the future.

  • by kestasjk ( 933987 ) on Tuesday September 30, 2008 @10:44AM (#25204547) Homepage
    Slashdot articles may give the impression that every piece of 2nd hand electronics contains nuclear silo passcodes or celebrity porno tapes but I don't think that's actually the case
  • by srjh ( 1316705 ) on Tuesday September 30, 2008 @10:46AM (#25204573)

    Presumably MI6 would be able to track down the camera, and hence the buyer, from the photos (then again, they were inept enough to release the camera to begin with, but I digress).

    Acting purely in self-interest, if this happened to me, I'd chuckle to myself quietly about the idiocy of government, delete the files and forget about the whole thing. In fact, if this is what any reasonable person would do while acting in their own interests, one has to wonder how under-reported the problem is.

  • No Good Deed... (Score:5, Insightful)

    by maz2331 ( 1104901 ) on Tuesday September 30, 2008 @10:51AM (#25204635)

    ever goes unpunished.

    If someone comes to you, DO NOT attack them! Be nice, assist in getting any secret data purged, and sign a confidentiality agreement, and give the guy a nominal reward.

    Raiding the house of someone who does the right thing is a pretty strong incentive to never help out again, and a strong incentive for others to do so as well. It also feeds the radical opponents' propaganda machine with fresh fodder and lets them become the "persecuted good guys".

    So don't do it. Know who your friends are, and don't mess with them. Or they may stop being your friend.

    Western societies and governments have enough enemies already, and there is no need to create any more.

  • I think the individual would have been better off (as in, not having his home raided and property taken) to have just given the data to wikileaks.

    "Hey, our national security data turned up on Wikileaks! I wonder how it got there. Oh look, a serial number in the EXIF data. What'd we do with that camera anyway?"

    Basically, the poor guy was screwed. He reported the problem and suffered for it. If he didn't report it at all, an audit at MI6 might have turned up the problem and they would have confiscated everything he owned capable of storing the data, possibly including himself.

    If he'd followed your harebrained advice, he would probably be dead. Seriously, what part of "taunt the TLA" seems like a good idea to you?

    I feel badly for him. My sig is normally meant to be humorous.

  • Police = morons (Score:4, Insightful)

    by JustNiz ( 692889 ) on Tuesday September 30, 2008 @10:54AM (#25204665)

    > The buyer immediately went to the police, who initially treated it as a joke; when they realised he was serious, they swooped on his home and seized his camera and PC.

    So basically he got punished for doing the right thing. I bet that will make other people want to tell the police too *NOT*.
    Police = morons.

  • Facebook? (Score:1, Insightful)

    by jDeepbeep ( 913892 ) on Tuesday September 30, 2008 @10:54AM (#25204667)
    After my initial bafflement at the very notion MI6 was choosing Facebook to run recruitment ads, I see in the 2nd FA they also run recruit ads via radio and newspaper. I suppose I shouldn't be shocked, considering that even if they are more open than they have been historically along these lines, doesn't mean that the process of hiring is less stringent, or that they take undue risks during the hiring procedures. We know MI6 is there, so why not cast a wider net and get more potential hires?
  • Re:Fuck the police (Score:5, Insightful)

    by Xiroth ( 917768 ) on Tuesday September 30, 2008 @10:55AM (#25204681)
    Uh, if they needed to minimise the risk of a copy of the files being left behind, what exactly should the police have done? If I reported something like this to the police, the next thing I'd do is open the doors and put on a pot of tea for the special ops chaps who'd likely be calling by momentarily. Just because they came by and seized the relevant equipment doesn't mean they treated him like a criminal - they simply did the best they could in a bad situation, and were probably rather apologetic to him and his family. They could well have returned the computer within 48 hours - we really don't have enough information to be passing judgement about this.
  • by PhasmatisApparatus ( 1086395 ) on Tuesday September 30, 2008 @10:58AM (#25204719)

    The police not only failed to have him shipped off to Guantanamo Bay, they actually replaced his £1,000 computer that they had seized as evidence?

  • kill the messenger (Score:4, Insightful)

    by Tom ( 822 ) on Tuesday September 30, 2008 @11:03AM (#25204765) Homepage Journal

    That's how you make friends and teach people to trust you. A guy wants to help out and you punish him, instead of treating him like the friend of law enforcement that he wants to be.

  • Re:Fuck the police (Score:3, Insightful)

    by Mister Whirly ( 964219 ) on Tuesday September 30, 2008 @11:05AM (#25204789) Homepage
    That's what over-the-network backup and offsite storage are for.
  • Re:Fuck the police (Score:3, Insightful)

    by hedwards ( 940851 ) on Tuesday September 30, 2008 @11:11AM (#25204849)

    If it didn't before, I'm sure it does now. I mean they do have to justify seizing the computer after all. The fact that the person reported it to the police before there were any suspicions clearly can't indicate honesty.

  • Re:Note to self... (Score:3, Insightful)

    by Bender0x7D1 ( 536254 ) on Tuesday September 30, 2008 @11:15AM (#25204891)

    The sad thing is - I think this is insightful instead of funny.

  • by _Sprocket_ ( 42527 ) on Tuesday September 30, 2008 @11:16AM (#25204901)

    I would expect small local agencies to either not have or ignore proper data scrubbing policies prior to selling old equipment, but national intelligence agencies? That's a whole different kettle of fish.

    It is curious. It would be a safe bet that proper procedures exist to handle equipment like this. Obviously they weren't followed.

    I would even hazard to guess that not only were safe disposal procedures not followed, but a whole slew of other procedures covering proper equipment were also ignored. It wouldn't surprise me that this was a personal device used on-the-job due to convenience or necessity despite regulations against such use.

    Of course, that's just a wild guess. It could also be as mundane as lost / stolen equipment. Or mis-managed inventory that ended up in some government surplus lot. The scenarios are endless.

    It also highlights a personal pet peeve of mine; policies are not protection. Too often they are given the air of risk mitigation when they are simply documents. Sure - they're good things to have around. You can't expect people to do things right if you can't tell them the right way of doing things. But so much infosec within the belly of such bureaucratic beasts seems to focus on merely generating and checking those policies. There is too little effort in actually implementing them - or improving the environment to limit actual risk.

    If this was, in fact, personal gear I would hazard to guess simply making it easier to get official government kit (with all the tracking and control such kit gets) would have eliminated this eventual leak.

  • Re:Fuck the police (Score:5, Insightful)

    by Richard W.M. Jones ( 591125 ) <{rich} {at} {annexia.org}> on Tuesday September 30, 2008 @11:18AM (#25204939) Homepage

    This is why you never talk to the police.

    Sadly you may be right, although for all the wrong reasons. In civilised parts of the world we recognise that society exists because of cooperation, and that includes cooperation with the police.

    Unfortunately in cases like these, the police are undermining that cooperation. As another example, it's rumoured that if you report child porn on the internet to the relevant authorities in the UK, you should expect a visit from the coppers and all your computer equipment to be taken away. Which is why I wouldn't report this, even though child abuse is a terrible thing and it should be reported.

    Now, if I found "terror photos" (whatever they are) on a second hand laptop or camera, I won't be reporting that either. Just scrub any info off the device and get on with my life.

    Rich.

  • Re:Fuck the police (Score:2, Insightful)

    by ubercam ( 1025540 ) on Tuesday September 30, 2008 @11:25AM (#25205061)

    Yeah, and what happens if one of these named terrorists has a buddy who works for the BBC, or better yet, works there himself?

    One would think that a terrorist cell coming across detailed intel on their daily movements and stuff would be like gold to them. They would then know exactly what the gov't knows about them, and what they don't know. At the same time, they know how the gov't tracks them and all kinds of other details that might help them evade surveillance efforts on their group.

    Think of how many people at the BBC actually get to look at that stuff, make copies, sell it to other news outlets, etc? I'm sure it would go around the office a few times.

  • Re:Fuck the police (Score:5, Insightful)

    by Not_Wiggins ( 686627 ) on Tuesday September 30, 2008 @11:31AM (#25205145) Journal
    Whether or not he got his personal data back is another question, as anyone knows it is the time invested in generating your own data that is the real value in your PC. I hope he had a backup.

    Actually, in a case like this, having a backup isn't going to help. Likely, the police would want to grab that, too. 8/
  • Re:Fuck the police (Score:5, Insightful)

    by harrkev ( 623093 ) <kevin@harrelson.gmail@com> on Tuesday September 30, 2008 @11:40AM (#25205241) Homepage

    You clearly know nothing about how the government deals with classified data. Classified data is considered kind of like a virus, not the computer kind, but the biological kind. If the classified data was in a memory card in the camera, the camera itself is contaminated. If the camera was plugged into a computer, then the computer itself is contaminated. Any electronic device that the computer touched is then considered to be contaminated. Even if you "KNOW" that it is not possible for your mouse to store encrypted data, your mouse is still assumed to be contaminated. This type of "blanket" policy that makes no exceptions is actually pretty smart, as it is the exceptions that will come back and bite you in the butt.

    This is the way that the US government does things in real life (and presumably the UK does the same thing). When developing systems that handle classified data, you have to maintain strict "red/black" separation, and the only interface allowed between red and black are things like *APPROVED* encryption units.

    Things are actually a little more complicated than this, but this is the general idea.

  • by IndustrialComplex ( 975015 ) on Tuesday September 30, 2008 @11:40AM (#25205249)

    It really sucks for all involved.

    These agencies do NOT want to accidentally leak information. This guy did NOT want to find this information on his camera. There is no need to 'punish' these organizations for the leaks. Trust me, they don't like it as much as you do, and they will investigate and correct why that happened. Publishing the data is perhaps the worst thing that anyone could possibly choose to do. It compromises the intelligence gathering, and puts people at risk. It is unfortunate that they had to confiscate his computer, but at least they did work to replace it, and hopefully the data on it can be scrubbed and sent back to him.

    Just imagine this situation:

    Photos are published on Wikileaks.
    Suspect A: Hey, that guy on wiki leaks looks like you.
    Suspect B: Holy crap, that is me. But, the only person with me at the time was Bob...
    Three weeks later, Bob's head is found along the side of some rural highway, and suspect A, and B have vanished.

    Publishing that information would be a VERY bad idea.

    Like I said, the situation sucks, but so does having a tree limb fall on your car. Sure, you have insurance, but you would rather not have to use it.

  • by rnelsonee ( 98732 ) on Tuesday September 30, 2008 @11:45AM (#25205315)

    I would have just given the data to MI6. Maybe it's because I'm overly supportive of the intelligence community as a whole due to the nature of my work, but I would think that intelligence officials should be the ones handling this data and would not feel weird about just calling them. This doesn't fall under police duties, and unless the police have classifications, they shouldn't be handling the data. Obviously, it's 'out there' and the eBay buyer shouldn't be looking at it, but he obviously couldn't help it, and at this point you want to contain the information as much as possible.

    Contacting MI6 directly will get the data contained faster, with much better "customer service" than the police. MI6 screwed up, they will want to contain their mistake, and they should certainly recognize that by reporting this leak, you are helpful, not some criminal.

  • Re:Fuck the police (Score:1, Insightful)

    by Anonymous Coward on Tuesday September 30, 2008 @11:46AM (#25205325)
    The problem with Government jobs is that it's hard to fire people. So if they have some dipshit they can't fire, they promote him out of that department. Presto! Problem solved.
  • Re:Fuck the police (Score:4, Insightful)

    by electrictroy ( 912290 ) on Tuesday September 30, 2008 @11:57AM (#25205473)

    >>>they swooped on his home and seized his camera and PC.

    How nice. You try to be an honest citizen, and they steal your stuff. I wouldn't be surprised if they next decide to charge him for "trafficking" in playboy photos, illegal music, and/or downloaded movies.

  • by Anonymous Coward on Tuesday September 30, 2008 @12:03PM (#25205579)
    I don't know if I'd necessarily point to this as ineptitude. As someone who deals with sensitive information, I can tell you that agencies like this rely on trust to some degree. In many (not all) situations (depending on the level of classification), if a person wanted to get data to the outside world, it's trivially easy.

    And as much as it sucks personally, if you care about the security of your country, reporting the situation is the best plan. It's important to know how the data got out. If it was a malicious leak and you keep quiet, then the leak will likely continue. Your photos and personal data will remain in your possession, but if you think that leaks can't ultimately result in people getting killed, then you need to think again.
  • Re:Fuck the police (Score:5, Insightful)

    by ultranova ( 717540 ) on Tuesday September 30, 2008 @12:04PM (#25205593)

    Any electronic device that the computer touched is then considered to be contaminated.

    Well, since the computer was likely connected to the Internet, we're having a pandemic by now.

  • Re:Fuck the police (Score:5, Insightful)

    by NotBornYesterday ( 1093817 ) * on Tuesday September 30, 2008 @12:06PM (#25205609) Journal
    Excellent info. However, just to be a wiseass, let me just say how glad I am that there is no worldwide series of interconnected electronic devices that might indirectly connect his home computer to mine or yours.
  • by dgatwood ( 11270 ) on Tuesday September 30, 2008 @12:16PM (#25205749) Homepage Journal

    Yup. What did we learn, boys and girls? (Okay, I know I'm being optimistic on that last part.) If you find yourself with evidence related to a terrorism investigation because an inept government official sold it on eBay, don't go to the police. Send it to the media. Anonymously.

  • Re:Fuck the police (Score:4, Insightful)

    by dgatwood ( 11270 ) on Tuesday September 30, 2008 @12:25PM (#25205905) Homepage Journal

    This type of "blanket" policy that makes no exceptions is actually pretty smart, as it is the exceptions that will come back and bite you in the butt.

    No, a smart policy would prevent precisely what they are trying to prevent. A smart policy would say that any device that is capable of permanent retention of data, once contaminated, cannot be resold. That means hard drives, flash cards, and any camera that contains flash memory if such photos were ever stored in the built-in flash memory at any time.

    Preventing resale of devices that cannot retain data is idiotic. It only makes sense under the assumption that the people working for your IT department are too inept to know the difference.

    There will always be problems of people screwing up and selling things that they shouldn't, but at least by setting sane policies, you reduce the risk of such things being sold due to people desperate for a bigger department budget by reducing the list of things that can't be sold but don't really matter.

  • by ramirez ( 51663 ) on Tuesday September 30, 2008 @12:52PM (#25206255)

    I think that having the computer confiscated, and also having it publicly known that it was confiscated is in the best interests of the guy who received the camera. If it became known that the camera was seized, but it was possible that the computer wasn't, then it would make sense for any intelligence agency who wants to know what was in that camera to break into the guy's house and take it. I don't know about you, but I definitely don't want spies from foreign countries breaking into my house, and potentially endangering me and my family, because my computer might have information valuable to them.

  • Re:Fuck the police (Score:3, Insightful)

    by mmalove ( 919245 ) on Tuesday September 30, 2008 @01:00PM (#25206375)

    My guess is that if you look deep down into the policy the US government has around classified information, you probably aren't legally allowed to sell media that at some point came into contact with classified information.

    Trouble is, much like gun control, not everyone listens. Much like death, information sharing is irreversible, with exception to the latter often closes the former. Three can keep a secret if two of them are dead, and all that.

    I think in a lot of ways the saying is true - information wants to be free. If the government has a particular piece of knowledge they don't want shared, maybe it's time to start reconsidering what information we develop and gather in the first place. The best way to prevent rogue countries from developing a nuclear bomb would have been to never invent it. The best way to keep them from stealing one would be to not own one. Yet, we still spend billions each year, learning about newer more effective ways to kill people, ultimately dooming ourselves to one day facing enemies with the same deadly and devastating arsenal.

  • Damn straight. People should not be punished for being honest.

    Government agencies, however, should be publicly punished for being incompetent.

    I imagine that if the man had given the camera to the media, the police could have swooped down on the news outlet and confiscated their computers, but then they would be in a much bigger fight with the Fifth Estate rather than some poor schlub who can't fight back.

    Here's hoping the free press continues to stay free.

  • Re:Fuck the police (Score:3, Insightful)

    by sjames ( 1099 ) on Tuesday September 30, 2008 @02:03PM (#25207237) Homepage Journal

    Uh, if they needed to minimise the risk of a copy of the files being left behind, what exactly should the police have done?

    A very polite MI6 operative should have shown up with a damned nice computer (MUCH better than the existing one) and personally transferred the citizen's legitimate data and apps to the new machine. Then leave with the old one. He should have had an immunity document with him clearly outlining that nothing he might see in the data transfer would ever be used as evidence nor would he ever tell anyone about any of it. Just to be thorough, they should have talked to his employer to get him the day off (with full pay) so he could watch all of this take place and verify that nothing was missing.

    That may seem excessive, but the alternative is the current situation. Anyone who has read about any of this and then finds themselves in a similar situation will be sorely tempted to just erase the memory card (perhaps) and keep quiet about it (almost certainly).

    In comparison, the scenario I laid out is dirt cheap to implement and could only improve the government's relationship with the people.

    It's very simple really. Do they want a Citizen finding such data to say to himself "JACKPOT! I'll just turn this in to the authorities!" or "delete delete delete. Now shut up!" or worse, "I'd better give this to a reporter anonymously and let him turn it in"

  • Re:Fuck the police (Score:3, Insightful)

    by earlymon ( 1116185 ) on Tuesday September 30, 2008 @02:10PM (#25207349) Homepage Journal

    If only it were that easy. Remember - in the land of blind men, a one-eyed man is king; in the land of idiots and fools, a wise man is put to death.

    So it is at government agencies - I know.

  • Re:Fuck the police (Score:3, Insightful)

    by floydian ( 195841 ) on Tuesday September 30, 2008 @02:39PM (#25207703)

    Exactly. Few people realize that the basic problem with government is that you can't fire the coasters. OK, it's not impossible, but it's such an uphill challenge that pretty soon you get tired and decide to move on to a job where what you do actually accomplishes something.

    Talented and hardworking folks don't usually last long in gov gigs, they become increasingly frustrated at the generalized apathy and incompetence. Even though the pay might be good and the work easy, if you give at least a bit of a shit, you'll soon decide to move on to a place that's intellectually challenging before the pervasive rust starts to creep in.

    Granted, you can't generalize, and I'm sure not all gov agencies are like that. But after working in government for some years, I would feel safe betting on the fact that most government agencies (in any part of the world) attract and harbour the kind of people who just want to get through their day without exerting undue pressure on themselves and having the near-certainty of a never-ending paycheck.

    Sad, really.

  • Re:Fuck the police (Score:3, Insightful)

    by ukyoCE ( 106879 ) on Tuesday September 30, 2008 @03:39PM (#25208505) Journal

    C'mon, the guy came to the police voluntarily to give them back their camera and confidential pictures. They should have sent an IT guy to his house to sit *with* the guy at his computer, delete all of the pictures (if they weren't already), verify they're deleted, check any media nearby (that would be confiscated in an overreaction), and run a wiping utility to fully wipe the pictures from the hard drive.

    Would have taken an hour and not scared citizens away from cooperating with the police to avoid losing all their own personal computers and data to be stored forever at police HQ and rifled through by complete strangers.

    This guy went to the police voluntarily, any common sense dictates that he would also cooperate with an on-site technician to verify the files are deleted and wiped. If the guy is hiding a copy somewhere, it's still hidden whether or not they confiscate all of his stuff and go through his private data.

  • Re:Fuck the police (Score:3, Insightful)

    by zobier ( 585066 ) <zobier@NosPam.zobier.net> on Tuesday September 30, 2008 @10:19PM (#25213267)

    That's a good argument for off-site backups, or if you want to get creative, something like encrypted Usenet posts.
