Schneier on Security

You shouldn't assume that the people who repair your computers don't do this. They can, so some of them will. Not just third-party techs, but in-house techs in your company too (and sysadmins, by the way). Not just porn, music and photos, but personal information and confidential company information (your e-mail in-box, for a start). We have to put a lot of trust in those people; inevitably a few don't live up to it. Be very careful.

I find it comical that people leave incriminating or sensitive data on a machine when they leave it in the care of someone they should not trust

Should also consider the risk that they'll put something on the HDD and then call the cops...

You mean the same people, that were accused of pirating sysinternals tools ?
No ... really ?
(http://www.foxnews.com/story/0,2933,191593,00.html)

Which is why my electronic book collection and Quicken records now reside on TrueCrypt-encrypted virtual drives, with password protection as strong as I can make it.

Your hard drive has just failed. For whatever reason, the backup isn't current. You need data that's on that hard drive.

Who ya gonna trust?

Are we all supposed to become computer savvy enough to get the data off a failed hard drive? My guess is that 80% of users out there barely know how to make a backup, let alone what's required in this sort of situation.

@Dweezil

"I find it comical that people leave incriminating or sensitive data on a machine when they leave it in the care of someone they should not trust"

Even if the PC still boots and the owner thinks to delete/remove any sensitive material prior to handing over the PC, what are the chances that the user will know how to prevent the deleted files from being recovered?

We can hardly expect the average user to understand computer forensics and files systems.

I think the word "comical" is inappropriate.

This should surprise absolutely noone with half a brain. I worked for CompUSA years ago, and it was fairly routine to do this. Sometimes the files were found totally by accident while looking through temp, etc...

I can remember a guy who came in for a printer install, and I opened a "New Text Document.txt" on his desktop (as a test print), and it was a letter he was typing to Penthouse. We found another 20 more.

Our reaction was usually, "Who's dumb enough to leave this stuff out there when they check their machine in?" It's like leaving a stash of porn in the glove box (or even the passenger seat) when you drop your car off for service.

If someone complains of getting Viruses and Spyware on their computers, it is generally a good idea to check their internet history to see where it might have come from. Often, virus files are in your internet temp... Too many users don't realize just how easy it is for a tech to stumble across this stuff without even looking for it.

I don't advocate snooping, but you don't ask a guy to install a spare tire when you've got a pound of weed in the trunk. There are plenty of times I've stumbled across things I wish I hadn't. It also makes good techs worry about trying to be too helpful lest they uncover your dark secrets.

Surely this is 'unauthorised access' under the UK Computer Misuse act ?

I'd like to see a test case, which would ensure the technicians keep their eyes on what they should, and away from what they shouldn't.

Though I'm sure PCWorld etc, would draw up some cunning legaleese to cover themselves, and their staff.

The consumerist link the article is referring to can be found here: http://tinyurl.com/2f6469

Here is another article about this story.

http://www.channelregister.co.uk/2007/07/09/geek_squad_sting/

Some of the comments are quite interesting.

I'm glad to see this has made the news. Perhaps it will persuade a few more people to learn how to use strong encryption for their personal files.

Rest assured, we're all safe:

>The company has rigorous privacy and security measures in place, including
>checking workers' bags before and after work.

Until somebody invents a device that can hold gigabytes of data that can be discretely slipped into ones pocket, we're perfectly protected by such measures!

Oh, never mind how little the make -- after the CircuitCity debacle this year, they know if they make too much money they'll just get fired for being an employee too long anyways.

Nothing pays off better than having your home partition encrypted in such cases.

I've done some work on a woman's PC. I maintain her website for her, but she asks me to come to her place all the time because she's computer illiterate to the point of not understanding how CDs work, etc. And yet she has a laptop, which I sometimes end up fixing up a bit.

Of course this woman isn't good enough with comps to actually have anything interesting on hers; she barely knows how to open up a browser.

The point I'm trying to make here is that there are A LOT of people who are illiterate enough about technology that they wouldn't know what the word 'encrypt' means, let alone how to do it and what to do it to.

The solution to this would be to not trust the underpaid and under-intelligent "Geek Squad", but instead hire trustworthy people, probably for a higher fee. Of course this approach fails too, if the employer can't tell a trustworthy person from a lowly thief.

I don't understand why any OS's ship without encryption of the user's home directory areas turned on by default. Making an encrypted partition and moving my home directory there is the very first thing I do with any new computer.

@Larry: "I don't understand why any OS's ship without encryption of the user's home directory areas turned on by default. Making an encrypted partition and moving my home directory there is the very first thing I do with any new computer. "

Because as has been mentioned above, 95% of computer users don't understand encryption or could care less. Most would end up forgetting the password and lose everything they were trying to protect - for good.

Even then, most users are going to give the techs whatever passwords they have so they can log in to fix the computer anyway!

Techs get exposed to parts of people's minds they wouldnt tell their doctors about. Just like tailors (when they existed) knew how much you were packing, its an invasion of privacy and a familiarity that can't be avoided.

The same rules about confidentiality should apply. Blur the faces before you sell your harvested ameteur pr0n on, that's all. :)

Temptation is nothing new...remember taking your film of that wild weekend to the FotoMat both in the grocery store parking lot in the mid 70's? You can bet the 'interesting' photos got printed once or twice extra and saved/distributed/shared among employees and employees' friends. Now the duplication is just a simpler task ... no high-cost photo paper and developer chemicals to try to cover up.

I guess the trick is instilling a sense of responsibility and ethical behavior in your entry-level employees ... or an adequate Fear of God and reprisal.

I wonder if the pictures were of Grandma Jo's birthday party if the story would have made the news....

I find it quite ironic that even www.boingboing.net described this as "stealing". It's not stealing, it's unauthorized copying and access. If it's porn and MP3s, it's almost a given that the customer themselves breached copyright law to get them in the first place, so to complain about someone else copying them in turn strikes me as a bit hypocritical.

RE: "Just how much are these people paid? And how much money can you make with a few good identity thefts?"

Bruce, I assume you know this, but the incentive driving these young male technicians to peruse people's private files is not money or identity theft. It's smut and boredom. Simple as that.

Getting Geek Squad to fix your computer is like hiring the 3 Stooges to fix your plumbing.

Photo caption: But some Geek Squad troubleshooters have acted less than police-like with some customers' computer files.

Or maybe they're acting entirely /too/ police-like?

'In June, he and a writer at the Consumerist installed software on a desktop computer that tracks every mouse click made by the user. Then they loaded onto the computer photos of attractive young women -- including some wearing bikinis.'

Anyone besides me wondering what the 'Geek Squad' guys are good for if they didn't catch that while they were "looking for malware"? ;-)

'In June, he and a writer at the Consumerist installed software on a desktop computer that tracks every mouse click made by the user.' ...

Anyone besides me wondering what these 'Geek Squad' guys are good for if they didn't catch _that_ while they were "looking for malware"? ;-)

I used to work for one of the big computer retailers. At minimum wage, with no training, I was frequently called upon to 'repair' computers.

That meant running the Trend Micro free online virus scan, and then using a pirated copy of Norton if something turned up. If Norton couldn't clear it, you were meant to call the customer and tell them that you needed to wipe the drive and start over.

All this happened with no training or supervision. You could have done literally anything with the machine, from installing keystroke loggers to copying the whole disk and posting it online.

When a shop relies upon untrained minumum wage employees to keep their prices down, you have no reason to believe that someone competent or trustworthy is working on your machine.

@HamNRye et al: You've got a really good point there.. I've done many service jobs in the past, where I was made to look at stuff I wish I hadn't ever seen. Animal or even child porn as desktop images, deep private insights as file names in the recently-used list (thanks, MS Office, for automatically suggesting the first line of text as filename..), office or audio files in AutoStart with much revealing content, illegal imagery trading sites in browser history. A few times I already considered asking customers for hush-up money.. but rather expressed it as compensation for making me throw up. All paid, not all expressed any shame.

This is the usual consequence of the geek God-complex: I am smarter than you, therefore I can do anything I want to you.

Probably caused by being picked on when younger, creating a "they pick on me because they can, and they can because they are stronger, therefore it is fair play if I pick on someone because I am smarter".

You'd be surprised at how many spend their adult lives getting back at the rest of the world.

@tcliu

I disagree. The type of people who get into computer repair and tech support jobs aren't really "geeks", and even when they are, not the genuinely smart ones (apart from some unlucky cases).

The motivation is more likely due to the usual job dissatisfaction.

Personally I keep three gigabytes of Goatse and Tubgirl JPEGs on my computer in anticipation of just this sort of unprofessional behaviour.

I have stumbled across stuff in temporary and working storage areas while working on other people's PCs. Some of it cant be avoided. However, if a tech goes SEARCHING for photos or spreadsheets; thats fraud. Why not simply have a digital camera recording all they do, archive it for a year, then delete the record if no court case comes up (I know, the temptation to keep stuff forever will prevail).

This happends all the time, it is a fairly standard bad practice, if you have sensitive stuff is quite obvious that you should either learn how to fix your computer or encrypt your data.

"I don't understand why any OS's ship without encryption of the user's home directory areas turned on by default. Making an encrypted partition and moving my home directory there is the very first thing I do with any new computer. "

Buy a mac, OS X has the ability to encrypt your home folder since october 2003 (OS X 10.3). All it takes is about 3 clicks of the mouse to set it.

@Ash, "If it's porn and MP3s, it's almost a given that the customer themselves breached copyright law to get them in the first place, so to complain about someone else copying them in turn strikes me as a bit hypocritical."

Not true.

Amateur porn or garage band MP3s aren't uncommon and require no breach in copyright for the origination. They would however be protected so the Peek Squad would be violating the law as well as the owner.

@Bob, "Why not simply have a digital camera recording all they do, archive it for a year, then delete the record if no court case comes up"

point is not having fodder for the legal system, it's purging the miscreants. If the snoopers know the bench is on camera they'll just boot the box on the floor, or the loading dock, to do their porn sweep.

Better idea is to use the mystery shopper approach, send in random tests with the consumerist approach. Fire the guys who snoop, promote the ones that find the click logger!

@Woo:
I'm not sure I read your post correctly. Are you saying you extorted your customers?

No surprises here. A couple years ago, I took my old laptop in to a local independent computer store for repairs, and when I went to pick it up, the tech started chatting with me about the personal photos of me that he'd looked at, asking me about the activities they portrayed me doing (nothing naughty, just sports stuff). I was so shocked I just answered his questions briefly and left as fast as I could. Wrote a letter of complaint to the shop manager, who called me very promptly to resolve the situation; I got my money back, it came out of the tech's paycheck, and he got a stern talking to (I was asked if I wanted him fired, I said no). I doubt he was the only one engaging in this behavior; he was just the only one who thought it'd be a good idea to tell the customer about his snooping around.

My current laptop is a warranty replaced laptop from Best Buy. I think they are an excellent place to purchase laptops from since if you are having unrepairable or costly to repair problems they will replace it out of the store stock. Now onto the issue at hand, about one year ago now I needed to have my laptop sent in to have it checked out. They wanted my password, etc... I insisted on removing the hard drive before handing it over, however, they did not want to do this. Instead they said I could *pay* for them to do a backup, and they showed me a privacy policy document saying they'd be liable for any wrong doing, etc. Ridiculous I said, shove a bootable cd in there and be done with it. Having put up a stink about the situation, I eventually walked out with my hdd in hand, and the Geek Squad tech took a blank one out of store inventory and put it in there. Good thing since I *never* got the laptop back. But when I did pick out my new replacement, which was much nicer, it had an extra hdd bay, bonus. The main point is you only have to be a little bit smarter, a little more insistent and not give your data over in those given situations and I don't care if it is in an encrypted volume given the ease of someone installing a rootkit when you give them admin access to your machine.

Obviously, none of us in the technical arena are surprised by this. The scary thing though, is that the common populace that *is* surprised by this, isn't going to react by thinking "hrm, I need to encrypt this". No, instead they are going to backlash against all the computery types they don't know very well but interact with, and assume we are all like this. Big crappy problem for everyone in this case.

As for what Bruce said, all of you are thinking about the pr0n and music, etc, because I would assume most folks here wouldn't actually take 'identity' information. But think like a criminal for just a moment. You don't make very much money, you see people's computers and information constantly. What's to stop you from selling that identity information that is readily available to you?

If you thought the Geek Squad might abuse your data, imagine what would happen if your private data were outsourced to another country, like Mexico for example:
http://www.ocregister.com/news/court-company-information-1788465-courts-data

This is hardly new. Back in the early 90's as a minimum wage slave I worked for a small company that built PC's (back when you could do that for a profit).

What's the first thing we'd do when a PC came in for repair? Looks for games and porn! Some customers would have us load up their new PC's with games and such when they bought them. First thing was to copy the disks for yourself, then go install the software on the customers PC.

Frankly I'd be shocked to hear this *wasn't* going on.

That said, there was an unwritten rule that you didn't tell anyone whose PC you found that donkey porn on, just simply came in on a customer PC.

old stuff.....

FBI asks computer shops to help fight cybercrime

By Peter Boylan

Agents with the Federal Bureau of Investigation's Cyber Crime Squad have been approaching O'ahu computer-repair specialists, network consultants and software developers and asking them to report any overtly criminal activity they find in customers' computers.

Owners of computer repair shops reported that FBI agents have come calling for at least a year.

Some business owners and network security consultants favor the approach, which enlists old-school police beat work to combat high-tech crime.

Others — like the executive director of the American Civil Liberties Union in Hawai'i and some local computer users — are wary of the tactic, saying it comes dangerously close to violating a person's privacy rights.
Special Agent Arnold Laanui said the FBI is taking a proactive approach to fighting computer crimes, which are ranked third on the agency's list of priorities, behind protecting the country against a terrorist attack and deflecting espionage.

"The computer arena is so broad and such a part of everyday life," Laanui said. "A good chunk of crimes out there have some sort of computer-based nexus to them."

The FBI primarily is looking for purveyors of child pornography, software used in the piracy of movies and music, and threats to national security.

Laanui said that computers are the "preferred way of trying to cover up sophisticated crime" and the FBI is reacting to that.
Each member of the computer crime squad is given a list of local businesses, Laanui said, with the idea of establishing a working relationship with all of them.

"We're going from gumshoes to gigabytes," he said. "We're not about sitting behind a desk and fighting computer crimes from behind computers."

Agents "are getting out in the public and seeing what's going on, and that is the only way it (computer crimes) can be fought."

..........

Highly skilled unit

Without revealing specifics, Laanui said the computer crime squad is a sizeable group of highly trained agents who are up to date on the latest viruses, of which there are more than 70,000.

The agents are highly skilled in a multitude of high-tech disciplines, like how to hack into a system covertly. They often go undercover online, attempting to lure child predators. Laanui said some agents are skilled in the precise practice of extracting information from Palm Pilots.

In addition to their daily duties, the agents spend time in the classroom to stay on technology's ever-evolving edge.

"We're trying to build a rapport with companies, a lot of computer guys don't necessarily know we exist," Laanui said. "Virtually anyone in the high-tech arena is up for a visit with the FBI."

Although Laanui declined to disclose specific numbers of arrests and prosecutions involving cooperation by computer-repair technicians, the squad has made some high-profile collars unrelated to the repair technicians.

.................

"This is hardly new. Back in the early 90's as a minimum wage slave I worked for a small company that built PC's (back when you could do that for a profit)."

Goes back a *long* ways. Remember "War Games"? That was 1983. Since then generations of "hackers" have grown up thinking it was fun to break into systems to explore and find interesting files...

Really, it's nothing new, it's been going on for decades.

When one encrypts home partition it's good to remember about swap and temporary files scattered on hard drive. They become far more interesting for an attacker.

And a possiblity of installing a keylogger or some other funny things on unencrypted parts of the disk.

I'm mentioning this just in case that someone less "literate" reads this post and comments.

@pj: "Temptation is nothing new...remember taking your film of that wild weekend to the FotoMat both in the grocery store parking lot in the mid 70's? You can bet the 'interesting' photos got printed once or twice extra and saved/distributed/shared among employees and employees' friends. Now the duplication is just a simpler task ... no high-cost photo paper and developer chemicals to try to cover up."

As someone who worked at a photo processing lab (they went back to the future) in the mid '80s I can verify that extra copies were printed. The film was inspected for physical flaws and massive overexposure. To check for overexposure we wound the film to a separate spool in front of a back-light. We quickly learned negative skin tones & could stop scanning when a lot of that showed up. You would be surprised at the pro/semi-pro photographers who used Meijer to develop their bikini & nude model shoots.

If wanted, those rolls were pulled, the copy count was upped, and they were appended to test runs, which the QC guy had to do frequently to make sure the equipment & chemicals were within tolerances. The extra copies were removed before the cutter/checker people ever saw them. I think there was enough inherent loss/waste of paper that the occasional extra paper usage was never noticed.

BTW nude photos were fine. Policy was "anything but penetration."

Even id you were to delete all files peronal information and files, a free program by the name of "Restoration" is available for recovering deleted files. Unless you have a program to actually overwrite the drive space the files remain. when you click "empty recylce bin" the files go nowhere. The computer symply marks the spage of the drive as "unused" and will later over write it.