Schneier on Security
A blog covering security and security technology.
« Huge Online Bank Heist |
| NSA Hiring Data Miners »
January 24, 2007
Kansas City Loses IRS Tapes
Second in our series of stupid comments to the press, here's Kansas City's assistant city manager commenting on the fact that they lost 26 computer tapes containing personal information:
"It's not a situation that if you had a laptop you could access," Noll said. "You would need some specialized equipment and some specialized knowledge in order to read these tapes."
While you may be concerned the missing tapes contain your personal information, Cindy Richey, a financial planner, said don't be too alarmed.
"I think people might be surprised at how much of that is already floating around out there," Richey said.
Got that? Don't worry because 1) someone would need a tape drive to read those tapes, and 2) your personal information is all over the net anyway.
Posted on January 24, 2007 at 1:04 PM
• 25 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
So, no criminal has a tape drive?
Or perhaps the tapes were in a proprietary format?
The technology has existed for *YEARS* that allows for backup tapes to be encrypted. Will encryption only be used by the NSA, in SSL, and by a few paranoid hackers using GPG?
After all, the payoff from the fraud you can commit with the financial info of thousands of people isn't enough to cover the cost of a second-hand DLT drive to read it.
I think if the data was rot13'd they'd say it was unreadable. More likely it's just a tarball on a something-inch tape.
Can we get these people taught a lesson somehow??
I think using a big stick and not letting some jackass who's not used to running PR handling the press is a good start for preventing panic.
Of course, that's not likely to happen.
I work in Kansas City, MO. In fact, I'm in KC as I'm writing this.
Rather than contrition, we get this kind of "don't worry" PR. . .
As far as proprietary, and the IRS, they probably just converted from punch cards last week.
Great, now they'll probably have to raise the 1% earnings tax to pay for all of the security we taxpayers will demand. Damn.
Hi folks, public disclosure is the only way to ensure that Kansas City understands exactly how important this is. Digg has a news item I suggest we all go and "digg":
It might be encrypted using the EBCDIC character set.
Well, not a good PR move, but doesn't she kind of have a point? Doesn't Bruce say that the real problem isn't that people can find out your SSN and birthday, it's that banks (& credit card issuers, etc. etc.) are too willing to believe that anyone who knows your name, SSN and birthday is really you.
Not that I'm saying personal information should be given away at any opportunity (I'd support much much stronger data privacy laws in the US), but if your security depends upon nobody knowing your SSN and bank account #, then you're already screwed.
While it's a crap form of auth, I'm not convinced she should dismiss the danger or potential problem this dataloss presents for citizens. It's not like people have a choice in how their data is being handled.
Stupid, but at least he's honest! It in fact DOES require specialized tape readers, and in fact your information IS all over the net anyway! Loss of tapes that require specialized tape readers is, of course, one of the root causes as to why your information is all over the net... :-(
"""I think if the data was rot13'd they'd say it was unreadable."""
Well, it _would_ be illegal to reverse-engineer the encryption ...
I think the manager was trying not to say that there are a lot of tapes out there with data that no one knows what's in them.
Not that your data is in the web anyways why bother.
I think some readers on this site are pathetic, they want to hang everyone for "mistakes" ALL the time.
Bruce some of this is your doing, you are picking "useless" stories and hyping them to the dotts. You are becoming more of a loss-of-privacy-fear-creatorr-in-chief.
OK smart guy, put your data where your mouth is.
I want you to post the following here in the comments section, it's probably representative of the more interesting information on those tapes:
<>List of your dependents
<>Primary home address
<>Home phone number
<>Place of employment
<>Gross annual income
<>Name of your bank
<>Number of your primary bank acct
<>Photo of a pigeon or squirrel in your backyard
In regards to the original article, the IRS should have to pay a fine to every person affected by the breach. That would help mitigate the negative externalities involved in these kinds of situations.
I'm not worried. Since I am illegal, all of the information about me on the tapes belongs to somebody else...
You would also need the proprietary COBOL language to decode the data.
She should be fired for such a stupid statement. I hope HER info is on those tapes.
It's possible the tape requires something like an IBM 3490 or 3590 tape drive and a mainframe environment to match. The cost of obtaining the appropriate enterprise hardware (and the personnel to run it) could be quite prohibitive.
@Anonymous - Procuring a 3x90 tape drive with a SCSI attach is pretty straightforward and not really that expensive if you look on the used market. Once you have the drive it's a simple matter to dump the tape contents into a file on your server/workstation.
For that matter, you don't even need the hardware; just send the tapes to a service bureau for conversion to LTO.
Of course if she had said that the trade off between securing data that is out there already and just doing nothing when this happens we would still be pissed at her but this is essentially what she said. I think we should be pissed at Congress/Supreme Court/President/Governors/State Assemblies for allowing this situation to happen in the first place, not at a mindless drone too low in the totem pole to really do much.
I have a couple of questions, How many people are included in twenty five tapes?
are either kcmo and the the fed irs actually in trouble? Both should be.
kcmo for losing information and the irs giving information that should be classified. Did the city really need the bank account numbers along with names and social security numbers?
Also, is the irs going to give replacement tapes?
The news stations in kcmo don't even mention this any more. and as far as I know channel four mentioned it but I didn't hear anything about it on 41.
Worse yet: every bank and credit union in the usa must send "bank match" information to an office in Maryland each quarter.
This info includes your name, ssn, account numbers and account balances.
It is usually sent US mail and cannot be encoded. Just plain ascii text on disk or tape readable by any Apple IIe :)
I don't know if it is scarrier that the info is so insecure or that big brother has all your assets in one location under one number. This is (they say) for the purpose of catching deadbeat dads.
I used to work at the IRS. And one of the main causes I fell for this and other "stupid" actions arise from a HUGELY stupid action. The IRS and other governmental agencies have a tendency to out-source their IT department. The IRS calls it their MITS department. People dealing with information that is that sensitive should IMHO NEVER //NEVER// be out-sourced. This is one of the primary reasons why I left the IRS. Such blatantly unintelligent actions by people in power, and their adamant refusal to listen to reason from anyone lower. No matter how many years they worked there.
"You would also need the proprietary COBOL language to decode the data."
Ah, no. Even recent versions of COBOL don't do encryption natively. If COBOL wrote the data then most likely you are looking at fixed length records. Then only encoding is that the tape might be recorded using EBCDIC rather than ASCII. Such things are dealt with at the hardware or driver level these days.
I'm in Kansas City too. This goenrment needs to be held up to ridicule EVERY time they do something stupid like this. It's a great city with and oversized government.
Ok .... Every year I produce information for the IRS (1099-misc) and, guess what??? I don't use a tape to send the data .... Get internet access and log onto F.I.R.E. and dump the data to the IRS. OK ... The IRS *DOES NOT* use encryption. Any old tape transport (of the correct format of course) will read the plain-text records. No "specialized" equipment is needed (unless you consider the tape transport as specialized). And, ... you can download the format from the IRS (tech bulletin issued each year), so you don't even need to figure out what information is in what location.
Someone in IT should be shot for not changing to a different method of delivery of this information to the IRS. It is very hard to lose an electronic transmission :)
Loosing someones personal information is a real bad thing. There should be some level of security in order to ensure the safety of personal data. It should be stored with tight encoding scripts and kept with appropriate security.
Kansas Treatment Centers
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.