Reporters Find US Gov't Data In Ghana Market
narramissic writes "'Hundreds and hundreds of documents about government contracts,' were found on a hard drive purchased at a market in Ghana for the bargain basement price of $40, said Peter Klein, an associate professor with the University of British Columbia, who led an investigation into the global electronic waste business for the PBS show Frontline. The hard drive had belonged to US government contractor Northrop Grumman and in a made-for-TV ironic twist, 'some of the documents talked about how to recruit airport screeners and several of them even covered data security practices,' Klein said. 'Here were these contracts being awarded based on their ability to keep the data safe.'"
What a news scoop....*yawn* (Score:3, Funny)
Yet another example of some bonehead "disposing" of old equipment without wiping the data first. Time to start cranking out those Pulitzer prizes. ;)
The NSA should just buy all the drives on eBay! (Score:5, Funny)
Re: (Score:2)
Contracts (Score:3, Interesting)
Re:Contracts (Score:5, Informative)
They should lose their contracts for failing to wipe the data off the hard drives.
They likely will as this is almost certainly a violation of ITAR regulations. Northrop Grumman does very little that is non-military.
Re:Contracts (Score:5, Insightful)
They should lose their contracts for failing to wipe the data off the hard drives.
They likely will as this is almost certainly a violation of ITAR regulations. Northrop Grumman does very little that is non-military.
They most certainly will not lose their contracts over this. They'll find a way to blame the lost data on some tiny sub-subcontractor that the subcontractor responsible for disposing of used equipment hired to wipe the drives, and they'll get fired. Or maybe they'll fire the person who kept the data on their hard drive instead of the network drive, and trot out the click-through policy that says "we told you we could fire you for violating this policy."
There's always a weasel-way for companies to get out of these situations by blaming someone for the failure.
Re: (Score:2)
Re:Contracts (Score:5, Informative)
They should lose their contracts for failing to wipe the data off the hard drives.
They likely will as this is almost certainly a violation of ITAR regulations. Northrop Grumman does very little that is non-military.
They most certainly will not lose their contracts over this. They'll find a way to blame the lost data on some tiny sub-subcontractor that the subcontractor responsible for disposing of used equipment hired to wipe the drives, and they'll get fired. Or maybe they'll fire the person who kept the data on their hard drive instead of the network drive, and trot out the click-through policy that says "we told you we could fire you for violating this policy."
There's always a weasel-way for companies to get out of these situations by blaming someone for the failure.
ITAR is pretty strict but you're probably right in that they'll blame the recycling firm or some such nonsense. From my experience they can at least expect a fresh ITAR audit courtesy of the federal gooberment because there is now "reason to question" their security.
Personally I don't let a hard drive out of the building unless it's been at least wiped (non-secure data) if not destroyed (secure data). Usually I destroy them just to make sure.
Re: (Score:2)
Re: (Score:3, Funny)
It will take a lot of effort to recover the data from the resulting molten puddles of metal
If you want to wipe very many hard drives at a go, there's always stuff like thermite, furnaces and bessemer converters.
Re: (Score:2)
I wonder how effective are the machines designed to bulk wipe hard drives (by bulk, I mean one whole drive at a time)?
Wiping by writing data has problems -- remapped sectors might be recoverable to someone with the right equipment and know-how and these sectors won't be overwritten using normal disk-wiping methods.
Re: (Score:3, Informative)
Cheers
Re: (Score:3, Insightful)
Or maybe the whole thing is secret under the aegis of War On Terror or National Security or whatever the fuck. I don't think we'll hear much more about how this turns out, and therefore no accountability.
Re: (Score:2, Informative)
Sadly, this poor fellow will be sued into oblivion; the minimum in Canada is 2 million, in the U.S. I don't even know.
Northrop is usually very good, but the issue is that it's "Sensitive Information"; chances are the person using the system didn't follow the security protocols in place (i.e. not storing classified information in an Unclass environment).
It's for this very reason all of my file systems are e
Re:Contracts (Score:5, Interesting)
What's so ridiculous is how easy it is to destroy data without investing in ultra-super-duper-mil-spec data destruction software. When I destroyed hard drives for my old company, I'd pull out the drive, take it down to the shop floor, and watch as one of our fabricators put a 1/2-inch hole through the platters with a drill press. It's theoretically possible that an expert who really, really wanted our data could have read something from the partial platters, but I guarantee that none of our drives ever showed up in use anywhere else.
And with the old IBM death stars, pretty much any possibility of data recovery was eliminated when those glass platters shattered inside the case as the drill went through.
Of course, this technique requires you to have a drill press or a good, sturdy hand drill somewhere on your site, but I think Northrop Grumman could afford one of those.
Re: (Score:2)
Re: (Score:2)
On the DOE side of things, hard drives don't get wiped, they get shredded [youtube.com]. Have purchased a surplus computer that had been DOE owned and it had hard drive, optical drive, ram and video card pulled.
Comment removed (Score:4, Interesting)
Re:Yea (Score:5, Insightful)
Re: (Score:2)
Those "locks" do nothing to protect the data, and the drive still spins up when power is applied. You can even retrieve the password if you know what you're doing.
This might be possible if you know the drive very well; the vendor might have a tool which can handle it. But you need to know the manufacturer's comment to print the HDD lock code, since there is [obviously] no standard ATA or ATAPI code to do so. If there were, hacking Xboxes would be a hell of a lot easier.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Informative)
Nonsense, placing platters into other drive enclosures to aid in data recovery is one of the oldest tricks in the book. It may not be perfect but it'll certainly work well enough.
When I dispose of an obsolete drive (Score:3, Interesting)
I disassemble it, remove the platters, mount each one in a vise and bend it by striking it with a hammer.
If they can get data off that platter, they're welcome to it.
Re:When I dispose of an obsolete drive (Score:5, Informative)
http://www.garner-products.com/PD-8400.htm [garner-products.com]
Cheaper option: Rifle (Score:2, Interesting)
They make nice targets. Even the NSA would be hard-pressed to get data off of platters with bullet holes in them. I have seen this done with a high-velocity 7mm bolt-action rifle. VERY effective. Auditor asks how we ensure that hard drives are erased when they are taken out of service. Of course we erase them before using our "special process". Showed them a few samples, bullet holes and all. No more questions about hard drive erasure.
Re: (Score:2)
Do you shoot the rifles inside the secure office area? No? Do you carry the drives outside of the building and shoot them in a less secure area of your campus? No? Do you take them off site and shoot them at a range somewhere? Yes?
You're not as secure as you think.
Re: (Score:2)
Re: (Score:3, Interesting)
I don't pretend to know all the regulations involved, but that website mentions that such a device is suitable for emergency destruction of top secret data.
In an emergency this probably would be a good tradeoff between security and time - you can't take three weeks to do an "emergency" destruction if your security guards are holding off a regiment of troops looking to capture your data (which I think is the actual scenario envisioned - maybe some paratroops drop in on your roof or something or there are rio
Re: (Score:2)
At some places, not just government offices, but private companies, they use thermite packages to destroy hard disks. The hard disks go in the enclosure, thermite packs are laid atop the drives, cover is closed, and the stuff is ignited. The result is metal slag that goes to a scrapyard for recycling.
Even if any data remained on an unmelted part of the drive, the hard disk would have been heated far beyond the Curie point so any data on it would be long gone.
Other Benefits of Disassembly (Score:2)
Sure, disassembling hard drives is time-intensive. But the real reward is that you can salvage a bunch of really powerful magnets for mad-science experiments.
Re: (Score:2)
I keep wondering why people always bring up "drive destroying" methods when disposing of a hard drive. What about that Linux (I think) command that overwrites the entire hard drive with 0's? Wasn't there some website offering a pile of money to any data-recovery place that can get anything off of a drive that's had that done? And hasn't pretty much every data-recovery place either failed, or refused to even try once they heard that this command was used?
So... why not just use that command? At least the d
Re: (Score:2)
Re: (Score:2)
Jeez, talk about overkill. For most purposes, wiping the disk [thefreecountry.com] is perfectly adequate. If your hat is made of tinfoil, use software that implements DoD 5220.22M. But really, if you're up against somebody who can recover data after even a basic destructive overwrite (someone like the NSA), they already know all your secrets — assuming they even care that you exist.
Re: (Score:2)
If they want to be able to tell their clients/customers that their data will literally be destroyed when the server is decommissioned, so be it.
Re: (Score:2)
What do you mean by "literally destroyed?" Taking the disk apart and smashing the platters with a hammer? Somebody with the right resources could still reassemble the disks and recover the data. Perhaps you need to dissolve them in acid? Expensive, and there are environment issues.
Show me any evidence that somebody has been able to recover data on disks wiped by DOD-grade software, and I'll concede that you have a point. Going beyond that just so you can claim it's "literally destroyed" is pure security the
Re:When I dispose of an obsolete drive (Score:4, Funny)
Re: (Score:3, Interesting)
Not to mention...you have some fun in the process. :)
Although, I can't imagine running it through a DoD wipe with DBAN would be recoverable, and then the drive is reusable. We already have enough electronic junk going in landfills, so I find destroying drives rather than properly wiping them to be particularly distasteful.
Comment removed (Score:4, Insightful)
Re: (Score:3, Informative)
I have yet to see ANYBODY recover a DoD wiped drive. You'd think that one of those data recovery firms would brag about it if they had actually been able to pull it off, yet nada. Give them a good DoD wipe and then they can be reused in computers for the poor.
Forget DoD wipes, it has never even been demonstrated it's possible to recover data from a single 00000000 wipe. No one has ever managed to read as much as a byte of data after it has been overwritten once with any value.
The whole thing is sheer pa
Re: (Score:2)
Erasing the whole drive with a giant magnet (i.e. not JUST the data area, but also the tracking information encoded by the manufacturer) is every bit as bad as physically destroying the drive. You certainly won't be using it ever again, unless the manufacturer is specifically involved in refurbishing it (which is probably too expensive to be worthwhile).
Re: (Score:2)
turn on a huge magnet just to make sure. And stop wasting all that hardware.
FYI the magnet doesn't help with destroying data, or saving the drive. I attached the biggest magnet I could find to an unused hard drive, and booted the computer; it booted but started making a horrible scratching noise. I shut down and took off the magnet; a couple of tries over a couple of days, and the drive was dead (same horrible noise). Let it sit for 2 weeks, and whatever bent/magnetized metal in the drive recovered enough that all of the data was then readable, drive still works (poorly) with 99.9% of the d
Re: (Score:2)
Yeah, but there are thousands and thousands of old machines 400MHz and up, and most of those are willingly discarded or recycled by those with no sensitive data on them at all, or by those who don't know to wipe their own data off the drive first.
All of those drives are more than enough to supply the single moms, homeless shelters, and churches of the world. Meanwhile, other drives - those that actually have critical information where the consequences of release are high - can be destroyed.
If it makes you
Re: (Score:2)
Re:When I dispose of an obsolete drive (Score:5, Funny)
The rest of the drive I fill up with the combined works of David Hasselhoff. Cruel, but effective.
Re: Hoff! (Score:2)
The Hoff was right this time though. He TOLD us that the data is "Looking For Freedom."
Re: (Score:2)
Re: (Score:3, Interesting)
I have a fast and simple solution. I take my trusty drill and run the bit through the platter at least once to several times depending on the importance of the drive. Yea, someone could in theory super reconstruct the data, but not without spending hundreds of thousands if not millions of dollars more than the data was worth. For that kind of money, I would just give them the data. It is a simple, cheap, quick solution that in all but the most sensitive situations would be sufficient to keep the data from
Re: (Score:2)
Find a local building work and give him £20 to put it on top of the next thing he attacks with a kango.
JD.
Brilliant! (Score:2)
'Here were these contracts being awarded based on their ability to keep the data safe.'"
Diversion wrapped in a diversion cloaked in a diversion. I bet the spies who read the contracts went out of their ways to break the procedures outlined in them, wasting precious time and resources instead of just getting em on the cheap in Africa. Where is your Isser Dzerzhinsky now?
They found... (Score:4, Funny)
some of the documents talked about how to recruit airport screeners
It contained a link to monster.com?
Re:They found... (Score:4, Funny)
Airport screeners know how to use monster.com?!
Re: (Score:2)
Where else would you find a girl to love these monsters?
Umm.. that's not how it works (Score:3, Interesting)
It's a long standing complaint that governments keep information about contracts secret for the benefit of the contractors. Now you're complaining that a contractor didn't keep information about their contracts adequately secured? Are you stupid or something? The US taxpayers have a right to know the details of these contracts.. but they are denied that by commercial confidentiality concerns. If you want to cry a river for someone, think about the shareholders, but don't go blathering on about "secret government contracts" because they simply shouldn't exist.
Re:Umm.. that's not how it works (Score:4, Insightful)
I thought the same thing at first, but then I read the rest of the summary:
some of the documents talked about how to recruit airport screeners and several of them even covered data security practices
Typically we're interested in contracts during the bidding process (to make sure the public is not being ripped off), and later on, to see that the contractor actually delivers the goods. But "transparency" doesn't mean everyone needs to know the details of how Northrop Grumman builds its missiles or whatever.
Re: (Score:2)
some of the documents talked about how to recruit airport screeners and several of them even covered data security practices
Typically we're interested in contracts during the bidding process (to make sure the public is not being ripped off), and later on, to see that the contractor actually delivers the goods. But "transparency" doesn't mean everyone needs to know the details of how Northrop Grumman builds its missiles or whatever.
The whole TSA/airport security thing is theater, it would still be trivial to get a bomb onto a plane, or to get a squad of terrorists onto same with some crappy weapons. It is not possible that any meaningful details of airport security were leaked because:
Re:Umm.. that's not how it works (Score:4, Funny)
I think it's asking a bit much of the US taxpayer that he should be required to go to a local market in Ghana to buy the info. It should be provided by the government.
Besides, this is a company providing the info. I'm not really much into socializing everything, but dammit, there are some things that belong into government hands!
Still? (Score:2)
From the article:
The drive had belonged to a Fairfax, Virginia, employee who still works for the company...
But for how much longer?
Re:Still? (Score:5, Informative)
Did you even read the article? It doesn't appear that the employee was at fault. The computer was "disposed of" by some outside company. Allegedly, they are responsible for sanitizing the hardware prior to binning it or parting it out.
I would expect, however, that this "outside firm" is wondering if they still have their contract with Northrop Grumman. I suspect not.
Re: (Score:3, Interesting)
NG said it went through an outside firm, that doesn't mean it did. Not only that but this could have been from a personal computer.
Northrop Grumman is a business. Their employees don't take an oath to support (or defend) the constitution. It's all about the money.
Re: (Score:3, Interesting)
I'd say an Oath is a Moral "contract" and a Contract is a Legal "contract". God is not part of any oath I've ever taken. The US Constitution is the highest authority in the country.
It's nice to talk to a contractor that has had good experiences working inside the government. I'm being very honest, it's good to hear a gov employee say they take their job very seriously.
I have mostly dealt with KBR and NG which left a bad taste in my mouth. The worst cases being the $7,000 per month (rent) canvas tents my
Re: (Score:2)
I'll call you to come repair my HMMWV the next time it breaks down in the middle of a mortared hellhole fob.
We need soldier mechanics, soldier IT admins, soldier construction workers, and soldier doctors.
You can't eliminate those military jobs and make them civilian, even during peace time. Those soldiers need those jobs to practice and prepare for the day they are deployed. I do believe that civilian counterparts (as equals) in those positions for peace time continuity and knowledge bases is an excelle
Re: (Score:2)
Gotta love modern business.
If some part of the business is expensive (usually because it requires following regulations or requires the company to be safe) it gets outsourced. The main qualification for the outsourcer is that they are dirt cheap and that they sign off that they do everything by the book. Then when it turns out that they don't do things by the book they get fired (after making profits for 10 years), and then the contract is put out for bid again and the cheapest supplier is again hired.
Mea
Bargain basement??? (Score:5, Insightful)
Re: (Score:3, Insightful)
Depends on how it was marketed. I mean, how much would you pay for a used HD from NorGrum?
I'm fairly sure a HD once used in the development area of MS can fetch a nice price.
Re: (Score:2)
marketed as 'working'
See? That's already a lot more than what can be said about other NorGrum hardware!
Re: (Score:2, Insightful)
Re: (Score:2)
Re: (Score:2)
I think the "bargain basement" reference was to the value of the information contained on the hard drive, not the hardware itself.
Re: (Score:3, Informative)
Re: (Score:2)
$40 for a used hard drive of unknown provenance seems pretty high, unless you are talking about a considerably cooler than ordinary drive.
I paid $125 for my external hard drive, and that is STILL a good price (this was a year ago, on deep discount at Costco).
$40 might be a fantastic price, especially in Ghana.
Erasure Device? (Score:2)
Does anyone know if there are any stand alone devices designed to erase the data on a hard drive? I am thinking something you plug in and it then goes about erasing all the data (I am thinking simpler and cheaper than a PC). I doubt a magnet would be a reliable solution. While destroying the HD physically is a solution, it prevents the drive being reused.
Linux CD (Score:2, Insightful)
Re: (Score:2)
Re: (Score:3, Insightful)
While destroying the HD physically is a solution, it prevents the drive being reused.
Destroying the drive physically has a benefit beyond the obvious that the data is rendered unrecoverable. The more critical benefit is that if you have two crates of disk drives to destroy, you can look at them and know that the crate full of smashed drives is the "done" crate. That's especially important when you have an unskilled labor pool doing the work. You post a guy at the door with a clipboard ensuring only smashed drives are allowed to leave the building. It doesn't take a computer scientist t
Re: (Score:2)
And it has a cost: you have turned a useful piece of hardware into electronic waste. All the waffle talked about using electronic microscopes, etc., to read a wiped drive is irrelevant. This drive was not wiped. It was just unplugged and sold as-is.
I don't believe anyone has demonstrated being able to read data in any useful quantity (not just a few bytes here and there) from a wiped drive, even one simply overwritten with zeros in the most simple-min
Re: (Score:2)
Data recovery firms can recover data from formatting
For clarity, this is often since formatting simply writes the bare minimum for the disk to be useable. To be really sure you need a low-level format that writes random 1s and 0s to the whole disk.
Re: (Score:2)
Destroying the drive physically has a benefit ...
And it has cost: you have turned a useful piece of hardware into electronic waste.
That's the problem. You seem to be saying that "waste" and "cost" have some magically significant difference. But everything boils down to cost: smashing the drive into aluminum and glass and fiberglass shards costs you time, labor, disposal fees, and the lost opportunity to resell or reuse the device. Wiping the drive has a different cost: labor, tracking, and the risk that the drive will not be properly wiped before resale. My point is that risk has a higher cost than anything else above, by a very
Re: (Score:2)
Not for everyone. Creating toxic waste by destroying a useful article may financially be the optimal choice, but it's objectionable on other grounds; morality, social responsibility. But apparently you don't think these matter.
And if a company can't work out how to be sure they erase a disk before they dispose of it, I submit they can't be trusted to do much at all. Obviously they also thought "everything boils down to cost" and chose the lowest cost option, some contra
Re: (Score:2)
But everything boils down to cost:
Not for everyone. Creating toxic waste by destroying a useful article may financially be the optimal choice, but it's objectionable on other grounds; morality, social responsibility. But apparently you don't think these matter.
My opinion matters some, in that I have a say in how my corporation disposes of some of our used equipment. But my post is not just our experience, it's an observation of how most big corporations do business, and how engineers and managers are taught to evaluate decisions like these. Corporations make most decisions based on money, because it's the only universal score card they know. Some corporations certainly try to "do good" or "be green", (or at least take credit for it when it's easy to do so) bu
Re: (Score:2)
Yeah. And again, this is caused by simply trying to do it at the lowest possible cost. I could, in 5 minutes, work out a simple cheap, effective way to do this. (Old PC with removable drive bays: erase, image with FreeDOS, DSL or whatever and show a boot screen. Stamp drive with "CLEANED" label.) If it's an important problem -- and it is, as the "cost effective" method dem
Re: (Score:2)
I'd think anything that specialized would be so low volume as to be as expensive as a PC, even though it's much simpler.
My suggestion:
Next time you or a friend upgrades their computer, or you find one on the side of the road (maybe with data on it..), or whatever, grab it.
Pull all the nonessential parts - HD, vid card if it's got onboard or you have a low power junker sitting around - so it uses less power. Cut a hole in the side of the case, and run a PATA and SATA cable, and appropriate power cables out
Re: (Score:3, Informative)
DBAN http://dban.sourceforge.net/ [sourceforge.net]
Re: (Score:2)
At my last job, I used DBAN in combination with HDDErase when reassigning machines from one department to another.
HDDErase tells the drive to do a secure erase on the controller level, erasing even remapped tracks. Then, I run DBAN, and it saves a confirmation that the drive was erased to a floppy, and that is kept as an audit log.
In reality, either method will do the job. However, HDDErase gets parts of the drive that DBAN doesn't, and DBAN generates a good audit file. Should something come up abo
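The read-back check and audit record discussed in this thread, as an added example that is not part of the original comments or of any tool named in them: after a zero-fill pass, it counts the non-zero bytes left on a device or image and appends a PASS/FAIL line to a log. The function names, the log format and the constructed image files are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read-back check after a zero-fill wipe,
# with one audit line per drive. Log format and file names are assumptions.
# Limitation: a read-back only sees addressable sectors; remapped sectors are
# reached only by a controller-level erase, as the comment above points out.

# Print the number of non-zero bytes in a device or image file.
count_nonzero() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# audit_wipe TARGET LOGFILE
# Appends a PASS/FAIL record to LOGFILE. Returns 0 on PASS, 1 on FAIL,
# 2 if TARGET cannot be read.
audit_wipe() {
    target=$1
    log=$2
    [ -r "$target" ] || return 2
    total=$(wc -c < "$target" | tr -d ' ')
    nonzero=$(count_nonzero "$target")
    # An empty target is treated as FAIL: nothing was actually verified.
    if [ "$total" -gt 0 ] && [ "$nonzero" -eq 0 ]; then
        result=PASS
    else
        result=FAIL
    fi
    printf '%s target=%s bytes=%s nonzero=%s result=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$target" "$total" "$nonzero" "$result" >> "$log"
    [ "$result" = PASS ]
}

# Constructed demo: two small image files stand in for drives.
demo() {
    dir=$(mktemp -d) || return 2
    dd if=/dev/zero of="$dir/wiped.img" bs=1024 count=64 2>/dev/null
    dd if=/dev/zero of="$dir/partial.img" bs=1024 count=64 2>/dev/null
    # Simulate a wipe that stopped early: 16 bytes of old data left at 32 KiB.
    printf 'CONTRACT-DRAFT-1' |
        dd of="$dir/partial.img" bs=1 seek=32768 conv=notrunc 2>/dev/null

    for img in "$dir/wiped.img" "$dir/partial.img"; do
        if audit_wipe "$img" "$dir/audit.log"; then
            echo "$img: safe to release"
        else
            echo "$img: hold back, wipe again or destroy"
        fi
    done
    cat "$dir/audit.log"
    rm -rf "$dir"
}

demo
```

On a real drive the target would be the block device itself, read with sufficient privileges; the check is slow on large disks because every byte is read once.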
Re: (Score:2)
This [ics-iq.com] company sells a thing called the "Wipemasster" for mass wiping of up to 9 hard drives at a time.
Simpler than a PC, definitely. Cheaper? Not really at $2500...
Re: (Score:2)
Just took a look. It isn't cheaper, but given the number of drives it can do at once, it is probably more convenient. I am sure their security budget would cover that easily.
Re: (Score:2)
I doubt a magnet would be a reliable solution.
I tested the magnet approach with an old laptop drive; it is not an effective method.
I.e., I got two of the best magnets I could find, 100# vertical hold, stacked them on top of the drive, and booted the laptop. It booted, then started making scratching noises (apparently either the write head or the disks were deflected by the force enough to rub). The drive did quickly become unusable. 2 days later, still unusable. 2 weeks later, the drive was 100% fine, whatever was magnetized/bent from the exposure re
Right in your garage (was:Erasure Device?) (Score:2)
It's called a power drill. Just fit it with a metal cutting drill bit and you're ready.
Geez. No excuse. EABOD. (Score:2)
How tough is it to DBAN (Darik's Boot And Nuke) a PC before sending it to the disposal company?
This employee should be forced to EABOD (Erase A Bunch Of Disks).
Since when was data totally secure? (Score:2)
me smell's B.S (Score:2, Interesting)
Not that this doesn't happen, I just find the story unlikely: reporters go to a random market in a random country and find this disk. More likely they had the disk beforehand and just made up the market bit.
Re: (Score:2)
... likely they had the disk beforehand ...'
As though getting hold of this disk beforehand isn't also a security failure? Where and how they got it isn't the real story.
Re: (Score:2)
I guess, that this is the openness of gov, that .. (Score:2)
They should implement... (Score:2)
They should implement a stronger punishment and reward scheme for this. Award a major amount of money for drives that are not wiped clean... this will lead you to the person who did the damage. So you pay to find out who, then that person in turn owes you back for the money you spent... so 1 or 2 cases like these will be enough to send a clear picture to the rest of them... it's easy enough to use a data wiping software... turning all bits into zeros. Seriously... get educated if you handle getting rid of hardware
V.I. Lenin said it best (Score:3, Insightful)
"The Capitalists will sell us the rope with which we will hang them." -V.I. Lenin
Let's prove him wrong, eh?
--
Toro
Terrorism prevention is always going to be.... (Score:2)
It does bring up the point that you shouldn't count on contractors like Lockheed, Northrop, etc to keep us safe, they'll only do w
ACTA... (Score:2)
http://www.eff.org/press/archiveso/2009/05/06 [eff.org]
Yes, the military-industrial complex owns the government.
Drive disposal (Score:2)
The best way to dispose of a hard drive is to open it up to get the platters, blast them with a blowtorch until they become brittle, smash them to tiny bits/powder with a hammer then scatter the tiny bits into the ocean.
Re: (Score:3, Interesting)