narramissic writes "'Hundreds and hundreds of documents about government contracts,' were found on a hard drive purchased at a market in Ghana for the bargain basement price of $40, said Peter Klein, an associate professor with the University of British Columbia, who led an investigation into the global electronic waste business for the PBS show Frontline. The hard drive had belonged to US government contractor Northrop Grumman and in a made-for-TV ironic twist, 'some of the documents talked about how to recruit airport screeners and several of them even covered data security practices,' Klein said. 'Here were these contracts being awarded based on their ability to keep the data safe.'"
Instead of using illegal wiretaps, the NSA should just buy every drive that is sold on eBay. Just think of the information they could mine out of them!
They should lose their contracts for failing to wipe the data off the hard drives.
They likely will as this is almost certainly a violation of ITAR regulations.
Northrop Grumman does very little that is non-military.
They most certainly will not lose their contracts over this. They'll find a way to blame the lost data on some tiny sub-subcontractor that the subcontractor responsible for disposing of used equipment hired to wipe the drives, and they'll get fired. Or maybe they'll fire the person who kept the data on their hard drive instead of the network drive, and trot out the click-through policy that says "we told you we could fire you for violating this policy."
There's always a weasel-way for companies to get out of these situations by blaming someone for the failure.
Then, the next time a contract goes out for tender, they will lose it. And, by 'lose' I mean 'win because they can demonstrate more experience than their competitors in this area'.
I don't know if this is flamebait, or just ignorance. While it is true that given enough time any encryption can be broken, what is not mentioned is how much time. A proven symmetric cipher (e.g. AES 256 or similar) which is implemented correctly can withstand attacks from current equipment for far longer than you (or anyone else on earth) will be alive. Why not use it, and if you are paranoid *also* destroy the drive when finished with it? Multiple layers of security never hurt anyone.
This doesn't surprise me at all. However, I'm surprised those idiots don't use a damn password-protected lock on the hard drive firmware... my Lenovo has this and we are required to use it, so even if it gets stolen the person can't get the disk to spin up.
Those "locks" do nothing to protect the data, and the drive still spins up when power is applied. You can even retrieve the password if you know what you're doing. Full drive encryption is a much better solution.
My method is much better. I install Windows on it, have Internet Explorer start automatically and open Slashdot. By the time they're done, the data is way too old to be of any relevance.
The rest of the drive I fill up with the combined works of David Hasselhoff. Cruel, but effective.
$40 for a used hard drive of unknown provenance seems pretty high, unless you are talking about a considerably cooler than ordinary drive. Methinks that those journalists were haggling about as effectively as someone with an expense account for the story might be expected to.
$40 seems steep, but the size of the hard drive wasn't even listed ITFA, and there was definite intent and motive to go find some secret government/contractor data on a piece of computer hardware, too, by the journalists themselves. So it's evident price or need of a hard drive wasn't an issue. With dumpster diving and shady data mining practices that have been at least publicly practiced over the last decade quite over announced, have people not learned to wipe the data on their storage devices? I pity t
It's reasonable to assume that electronics may be more expensive in Ghana, so a used HDD may be worth more.
But, yes, foreigners haggling probably can't get a good price anyway.
Does anyone know if there are any stand alone devices designed to erase the data on a hard drive? I am thinking something you plug in and it then goes about erasing all the data (I am thinking simpler and cheaper than a PC). I doubt a magnet would be a reliable solution. While destroying the HD physically is a solution, it prevents the drive being reused.
I suspect that there are dedicated devices; but I'd be shocked if they are any cheaper or much simpler than a basic x86 with some easily accessible drive bays and a copy of DBAN.
It doesn't matter whether N-G handled it in-house or subcontracted the task. It was their responsibility to make sure the data was kept private or properly destroyed. If it was handled by a subcontractor, there should have been oversight provisions in place. While a subcontractor may have made the ultimate error, it does not clear N-G of its responsibility.
What a news scoop....*yawn* (Score:3, Funny)
Yet another example of some bonehead "disposing" of old equipment without wiping the data first. Time to start cranking out those Pulitzer prizes. ;)
The NSA should just buy all the drives on eBay! (Score:5, Funny)
Contracts (Score:3, Interesting)
Re:Contracts (Score:5, Informative)
They should lose their contracts for failing to wipe the data off the hard drives.
They likely will as this is almost certainly a violation of ITAR regulations. Northrop Grumman does very little that is non-military.
Re:Contracts (Score:5, Insightful)
They should lose their contracts for failing to wipe the data off the hard drives.
They likely will as this is almost certainly a violation of ITAR regulations. Northrop Grumman does very little that is non-military.
They most certainly will not lose their contracts over this. They'll find a way to blame the lost data on some tiny sub-subcontractor that the subcontractor responsible for disposing of used equipment hired to wipe the drives, and they'll get fired. Or maybe they'll fire the person who kept the data on their hard drive instead of the network drive, and trot out the click-through policy that says "we told you we could fire you for violating this policy."
There's always a weasel-way for companies to get out of these situations by blaming someone for the failure.
Re: (Score:2)
Re:Contracts (Score:5, Informative)
They should lose their contracts for failing to wipe the data off the hard drives.
They likely will as this is almost certainly a violation of ITAR regulations. Northrop Grumman does very little that is non-military.
They most certainly will not lose their contracts over this. They'll find a way to blame the lost data on some tiny sub-subcontractor that the subcontractor responsible for disposing of used equipment hired to wipe the drives, and they'll get fired. Or maybe they'll fire the person who kept the data on their hard drive instead of the network drive, and trot out the click-through policy that says "we told you we could fire you for violating this policy."
There's always a weasel-way for companies to get out of these situations by blaming someone for the failure.
ITAR is pretty strict but you're probably right in that they'll blame the recycling firm or some such nonsense. From my experience they can at least expect a fresh ITAR audit courtesy of the federal gooberment because there is now "reason to question" their security.
Personally I don't let a hard drive out of the building unless it's been at least wiped (non-secure data) if not destroyed (secure data). Usually I destroy them just to make sure.
Re: (Score:3, Informative)
Cheers
Re: (Score:3, Funny)
It will take a lot of effort to recover the data from the resulting molten puddles of metal
If you want to wipe very many hard drives at a go, there's always stuff like thermite, furnaces and bessemer converters.
Re: (Score:3, Insightful)
Or maybe the whole thing is secret under the aegis of War On Terror or National Security or whatever the fuck. I don't think we'll hear much more about how this turns out, and therefore no accountability.
Re:Contracts (Score:5, Interesting)
What's so ridiculous is how easy it is to destroy data without investing in ultra-super-duper-mil-spec data destruction software. When I destroyed hard drives for my old company, I'd pull out the drive, take it down to the shop floor, and watch as one of our fabricators put a 1/2-inch hole through the platters with a drill press. It's theoretically possible that an expert who really, really wanted our data could have read something from the partial platters, but I guarantee that none of our drives ever showed up in use anywhere else.
And with the old IBM death stars, pretty much any possibility of data recovery was eliminated when those glass platters shattered inside the case as the drill went through.
Of course, this technique requires you to have a drill press or a good, sturdy hand drill somewhere on your site, but I think Northrop Grumman could afford one of those.
Yea (Score:4, Interesting)
Re:Yea (Score:5, Insightful)
Re: (Score:2)
Those "locks" do nothing to protect the data, and the drive still spins up when power is applied. You can even retrieve the password if you know what you're doing.
This might be possible if you know the drive very well; the vendor might have a tool which can handle it. But you need to know the manufacturer's comment to print the HDD lock code, since there is [obviously] no standard ATA or ATAPI code to do so. If there were, hacking Xboxes would be a hell of a lot easier.
Re: (Score:3, Informative)
Nonsense, placing platters into other drive enclosures to aid in data recovery is one of the oldest tricks in the book. It may not be perfect but it'll certainly work well enough.
When I dispose of an obsolete drive (Score:3, Interesting)
I disassemble it, remove the platters, mount each one in a vise and bend it by striking it with a hammer.
If they can get data off that platter, they're welcome to it.
Re:When I dispose of an obsolete drive (Score:5, Informative)
http://www.garner-products.com/PD-8400.htm [garner-products.com]
Cheaper option: Rifle (Score:2, Interesting)
They make nice targets. Even the NSA would be hard-pressed to get data off of platters with bullet holes in them. I have seen this done with a high-velocity 7mm bolt-action rifle. VERY effective. Auditor asks how we ensure that hard drives are erased when they are taken out of service. Of course we erase them before using our "special process". Showed them a few samples, bullet holes and all. No more questions about hard drive erasure.
Re: (Score:3, Interesting)
I don't pretend to know all the regulations involved, but that website mentions that such a device is suitable for emergency destruction of top secret data.
In an emergency this probably would be a good tradeoff between security and time - you can't take three weeks to do an "emergency" destruction if your security guards are holding off a regiment of troops looking to capture your data (which I think is the actual scenario envisioned - maybe some paratroops drop in on your roof or something or there are rio
Re:When I dispose of an obsolete drive (Score:4, Funny)
Re: (Score:3, Interesting)
Not to mention...you have some fun in the process. :)
Although, I can't imagine running it through a DoD wipe with DBAN would be recoverable, and then the drive is reusable. We already have enough electronic junk going in landfills, so I find destroying drives rather than properly wiping them to be particularly distasteful.
Re:When I dispose of an obsolete drive (Score:4, Insightful)
Same here, that is just stupid and wasteful, not to mention based on old wives' tales. I have yet to see ANYBODY recover a DoD wiped drive. You'd think that one of those data recovery firms would brag about it if they had actually been able to pull it off, yet nada. Give them a good DoD wipe and then they can be reused in computers for the poor.
Even to this day I have no problem giving away a 400MHz or better to somebody who doesn't actually have a PC. Just slap DSL-N and they have a nice clean desktop that is quite fast and a pleasure to surf with. I keep a 733MHz around to run Win9X for old games and to surf on when my main boxes are busy, and with 384Mb of PC100 and DSL-N it is a very pleasurable surfing experience. It is just stupid and wasteful to destroy those drives and make even more e-waste when they can be reused by those that don't have any. Single moms, homeless shelters, churches, there are tons of places that are quite happy to take a free working machine, and if everyone destroys the drive the cost of giving those machines away suddenly becomes too expensive.
So don't fall for old wives' tales, DoD wipe and recycle. Good for the environment and your fellow man.
Re: (Score:3, Informative)
I have yet to see ANYBODY recover a DoD wiped drive. You'd think that one of those data recovery firms would brag about it if they had actually been able to pull it off, yet nada. Give them a good DoD wipe and then they can be reused in computers for the poor.
Forget DoD wipes, it has never even been demonstrated it's possible to recover data from a single 00000000 wipe. No one has ever managed to read as much as a byte of data after it has been overwritten once with any value.
The whole thing is sheer pa
Re:When I dispose of an obsolete drive (Score:5, Funny)
The rest of the drive I fill up with the combined works of David Hasselhoff. Cruel, but effective.
Re: (Score:3, Interesting)
I have a fast and simple solution. I take my trusty drill and run the bit through the platter at least once to several times depending on the importance of the drive. Yea, someone could in theory super reconstruct the data, but not without spending hundreds of thousands if not millions of dollars more than the data was worth. For that kind of money, I would just give them the data. It is a simple, cheap, quick solution that in all but the most sensitive situations would be sufficient to keep the data from
Brilliant! (Score:2)
'Here were these contracts being awarded based on their ability to keep the data safe.'"
Diversion wrapped in a diversion cloaked in a diversion. I bet the spies who read the contracts went out of their ways to break the procedures outlined in them, wasting precious time and resources instead of just getting em on the cheap in Africa. Where is your Isser Dzerzhinsky now?
They found... (Score:4, Funny)
some of the documents talked about how to recruit airport screeners
It contained a link to monster.com?
Re:They found... (Score:4, Funny)
Airport screeners know how to use monster.com?!
Umm.. that's not how it works (Score:3, Interesting)
It's a long standing complaint that governments keep information about contracts secret for the benefit of the contractors. Now you're complaining that a contractor didn't keep information about their contracts adequately secured? Are you stupid or something? The US taxpayers have a right to know the details of these contracts.. but they are denied that by commercial confidentiality concerns. If you want to cry a river for someone, think about the shareholders, but don't go blathering on about "secret government contracts" because they simply shouldn't exist.
Re:Umm.. that's not how it works (Score:4, Insightful)
I thought the same thing at first, but then I read the rest of the summary:
some of the documents talked about how to recruit airport screeners and several of them even covered data security practices
Typically we're interested in contracts during the bidding process (to make sure the public is not being ripped off), and later on, to see that the contractor actually delivers the goods. But "transparency" doesn't mean everyone needs to know the details of how Northrop Grumman builds its missiles or whatever.
Re:Umm.. that's not how it works (Score:4, Funny)
I think it's asking a bit much of the US taxpayer that he should be required to go to a local market in Ghana to buy the info. It should be provided by the government.
Besides, this is a company providing the info. I'm not really much into socializing everything, but dammit, there are some things that belong into government hands!
Still? (Score:2)
From the article:
The drive had belonged to a Fairfax, Virginia, employee who still works for the company...
But for how much longer?
Re:Still? (Score:5, Informative)
Did you even read the article? It doesn't appear that the employee was at fault. The computer was "disposed of" by some outside company. Allegedly, they are responsible for sanitizing the hardware prior to binning it or parting it out.
I would expect, however, that this "outside firm" is wondering if they still have their contract with Northrop Grumman. I suspect not.
Re: (Score:3, Interesting)
NG said it went through an outside firm, that doesn't mean it did. Not only that but this could have been from a personal computer.
Northrop Grumman is a business. Their employees don't take an oath to support (or defend) the constitution. It's all about the money.
Re: (Score:3, Interesting)
I'd say an Oath is a Moral "contract" and a Contract is a Legal "contract". God is not part of any oath I've ever taken. The US Constitution is the highest authority in the country.
It's nice to talk to a contractor that has had good experiences working inside the government. I'm being very honest, it's good to hear a gov employee say they take their job very seriously.
I have mostly dealt with KBR and NG which left a bad taste in my mouth. The worst cases being the $7,000 per month (rent) canvas tents my
Bargain basement??? (Score:5, Insightful)
Re: (Score:3, Insightful)
Depends on how it was marketed. I mean, how much would you pay for a used HD from NorGrum?
I'm fairly sure a HD once used in the development area of MS can fetch a nice price.
Re: (Score:2, Insightful)
Re: (Score:2)
Re: (Score:3, Informative)
Erasure Device? (Score:2)
Does anyone know if there are any stand alone devices designed to erase the data on a hard drive? I am thinking something you plug in and it then goes about erasing all the data (I am thinking simpler and cheaper than a PC). I doubt a magnet would be a reliable solution. While destroying the HD physically is a solution, it prevents the drive being reused.
Linux CD (Score:2, Insightful)
Re: (Score:2)
Re: (Score:3, Insightful)
While destroying the HD physically is a solution, it prevents the drive being reused.
Destroying the drive physically has a benefit beyond the obvious that the data is rendered unrecoverable. The more critical benefit is that if you have two crates of disk drives to destroy, you can look at them and know that the crate full of smashed drives is the "done" crate. That's especially important when you have an unskilled labor pool doing the work. You post a guy at the door with a clipboard ensuring only smashed drives are allowed to leave the building. It doesn't take a computer scientist t
Re: (Score:2)
I'd think anything that specialized would be so low volume as to be as expensive as a PC, even though it's much simpler.
My suggestion:
Next time you or a friend upgrades their computer, or you find one on the side of the road (maybe with data on it..), or whatever, grab it.
Pull all the nonessential parts - HD, vid card if it's got onboard or you have a low power junker sitting around - so it uses less power. Cut a hole in the side of the case, and run a PATA and SATA cable, and appropriate power cables out
Re: (Score:3, Informative)
DBAN http://dban.sourceforge.net/ [sourceforge.net]
Geez. No excuse. EABOD. (Score:2)
How tough is it to DBAN (Darik's Boot And Nuke) a PC before sending it to the disposal company?
This employee should be forced to EABOD (Erase A Bunch Of Disks).
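Added example, not part of any comment in this thread: a read-back check that a drive image really is all zeros after a single-pass overwrite, which is the evidence a disposal log needs before a wiped (rather than destroyed) drive leaves the building. The function names and the constructed sample image are assumptions made for illustration; the code works on an ordinary file and would need root and a device path to act on a real disk.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB per read/write; an arbitrary choice for this example


def target_size(path):
    """Size in bytes of a regular file or block device (seek to the end)."""
    with open(path, "rb") as f:
        return f.seek(0, os.SEEK_END)


def overwrite_with_zeros(path, chunk=CHUNK):
    """Single pass of zeros over the whole target, in place. Returns bytes written."""
    size = target_size(path)
    zeros = bytes(chunk)
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:
            n = min(chunk, remaining)
            f.write(zeros[:n])
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # make sure the zeros reached the medium, not just the cache
    return size


def verify_zeroed(path, chunk=CHUNK, max_report=5):
    """Read back every byte and report any chunk that still holds non-zero data."""
    checked = 0
    dirty_chunks = 0
    first_offsets = []  # absolute offset of the first non-zero byte in each dirty chunk
    with open(path, "rb") as f:
        while True:
            buf = f.read(chunk)
            if not buf:
                break
            if buf.count(0) != len(buf):
                dirty_chunks += 1
                if len(first_offsets) < max_report:
                    first = len(buf) - len(buf.lstrip(b"\x00"))
                    first_offsets.append(checked + first)
            checked += len(buf)
    return {
        "bytes_checked": checked,
        "dirty_chunks": dirty_chunks,
        "first_offsets": first_offsets,
    }


def make_sample_image(size=3 * CHUNK):
    """Constructed sample: a 3 MiB zero-filled image with two leftover text fragments."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.truncate(size)
        for off in (1_500_000, 2 * CHUNK + 17):
            f.seek(off)
            f.write(b"CONSTRUCTED SAMPLE: contract draft")
    return path


if __name__ == "__main__":
    image = make_sample_image()
    try:
        print("before wipe:", verify_zeroed(image))
        print("bytes overwritten:", overwrite_with_zeros(image))
        print("after wipe: ", verify_zeroed(image))
    finally:
        os.remove(image)
```

An overwrite issued through the operating system only reaches sectors the drive still exposes; sectors the firmware has remapped, and spare areas on SSDs, are outside what this check can see.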
Since when was data totally secure? (Score:2)
V.I. Lenin said it best (Score:3, Insightful)
"The Capitalists will sell us the rope with which we will hang them." -V.I. Lenin
Let's prove him wrong, eh?
--
Toro
Re: (Score:3, Interesting)