Schneier on Security

A blog covering security and security technology.


May 6, 2008

State Department Loses Hundreds of Laptops

Oops:

As many as 400 of the unaccounted for laptops belong to the department’s Anti-Terrorism Assistance Program, according to officials familiar with the findings.

Bet you anything those laptops weren't encrypted.

Posted on May 6, 2008 at 12:21 PM | 35 Comments

Comments

"Oops" really sums up this topic.

Anyway, this seems to happen a lot recently, or is it just me?

Posted by: Henrik at May 6, 2008 12:49 PM


Not to worry. If there was any personal information lost, they'll offer us a spiffy one year of free credit monitoring! Whee (/sarcasm)

Posted by: Jeremy Duffy at May 6, 2008 12:55 PM


"Oops!" was brought to you by erasers. Don't make a mistake without one!

Posted by: Keithius at May 6, 2008 1:00 PM


Before everyone goes all nuts over an organization losing 400 laptops, I am just going to say this - a workforce losing mobile devices such as laptops and PDAs happens (either through theft, incompetence, lost luggage, etc). It's expected behavior. Every organization should have an action plan to track, protect, and provide incentives for it not to happen again. The unfortunate deal is that most organizations have no clue.

Posted by: tim at May 6, 2008 1:00 PM


Heh.

Maybe the State Department should stop buying laptops and make the users get their own. People keep a much closer eye on something if they have to replace it when it's gone.

Not that this solves the data security problem in the slightest, but at least it will cut down on equipment costs.

Posted by: Pat Cahalan at May 6, 2008 1:44 PM


At least 500 computers vanished from German authorities during the last few years, so it is definitely not only the UK and the US alone:
http://www.heise.de/newsticker/...
(sorry, German only ...)

Posted by: Anderer Gregor at May 6, 2008 2:11 PM


This "scandal" strikes me as bearing more than a casual resemblance to the "missing hard drives" Los Alamos "scandal", which started out as a kerfuffle over an allegedly misplaced hoard of secret information that shut down the lab and damaged many careers, and then resolved itself into a feces-throwing fight between accountants who were pouty about record-keeping but who acknowledged that the drives had probably never existed in the first place.

Please re-read that article for numbers. There are no "lost" laptops, just laptops for which there exists no book-keeping. This is an accounting/procurement dispute, not a security scandal. The security angle is getting bolted onto the side by politically-interested parties --- members of Congress with axes to grind, OMB in mid-power-play, security-posturing but substantially gossipy media sheets. Yes, State's accounting procedures suck, but no, it's unlikely any secrets have been violated here. Some bureaucrats are sniping at some other bureaucrats, that's all.

Posted by: Carlo Graziani at May 6, 2008 2:18 PM


The problem is real. Some of those laptops are "lost" in the realistic sense of being conveniently stolen or arranged to be lost/stolen. Lost is easier to explain when bad book-keeping is in vogue, which becomes stolen when accountability comes home to roost.

Posted by: Kashmarek at May 6, 2008 2:32 PM


I can almost bet that these were not "lost" but conveniently misplaced into their sons'/daughters' backpacks.

These sons and daughters of our valiant crime-fighting criminals are blogging their hearts out to change the corrupt Washington.

Posted by: sooth_sayer at May 6, 2008 2:40 PM


Irony. It's what's for dinner.

Posted by: Christopher S. Penn at May 6, 2008 2:49 PM


I'm almost sure the thieves are not interested in the data on these devices, but rather that they have a good resale value.

Posted by: anton at May 6, 2008 5:05 PM


And this is the same government that wants to know everything about us, hold our email keys, and give us REAL ID...thinking we can trust them to protect our data and personal info? What a bunch of monkeys the feds have become. I've never seen such a group of goons and incapable misfits. How about 400 of these feds cough up the estimated $480,000.00 (estimated $1200 each laptop) to pay back us taxpayers or be fired.

Posted by: Roo at May 6, 2008 5:06 PM


"..to collect and register employee laptops .."

Perhaps register them before you hand 'em out?

Posted by: Matthew Carrick at May 6, 2008 5:35 PM



Crypto is very hard to do today, thanks to a long, protracted effort by the government...
Just a great thing that we lost critical technology, etc., all thanks to our loving, enlightened government!
Your tax dollars at work...

Posted by: Anonymous at May 6, 2008 6:28 PM


(wired news) Bruce, what's your problem with TrueCrypt? I know your old buddy from PGP Inc... PGP-open or PGP_ckt is old and dead. All other PGPs are not for our "homes".

"Home" security is not a business, it's a boon of a programmer and his open gift. Like TrueCrypt (-traveler), like GPG/Enigmail, like KeePass 1.x-portable and like Twofish. Thank you for our contribution. Don't thank you for viral *marketing*.

Another product similar to PGP is Free Compusec. Not open source, but free for "home". With a few German banks as reference http://www.ce-infosys.com/index.html
Not better o_O and not poorer than PGP Whole Disk.

PGP-Zip is for sure very good. Can YOU hack encrypted WinRAR 3.7x archives or, better, multiplatform-available encrypted *7-zip* archives?
This is not your business blog. Right?

Greetings from Germany. The nation with (way back) government-sponsored GnuPG, CCC, a few people who speak very bad English ;-) and... the spirit of Tron.

Posted by: OSS at May 6, 2008 7:24 PM


2 Roo:
"How about 400 of these feds cough up the estimated $480,000.00 (estimated $1200 each laptop) to pay back us taxpayers or be fired"

$1200? No way. Look in the article: "Auditors found that the department had lost track of $30 million worth of equipment, according to one official, 'the vast majority of which ... perhaps as much as 99 per cent,' was laptops". So ($30M*0.99)/400 = $74250 a pop. Must be one hell of a laptop! ;-)

Even if monetarily the laptops were not 99% but just a mere 10% of overall losses, that would still make them a hefty $7500 a piece. Gotta love efficient government spending!

Posted by: Lev at May 6, 2008 11:10 PM


Pat Cahalan wrote:

"Maybe the State Department should stop buying laptops and make the users get their own. People keep a much closer eye on something if they have to replace it when it's gone.

Not that this solves the data security problem in the slightest, but at least it will cut down on equipment costs."

Excuse me! I won't be having any laptops with administrator access not configured by the IT Section connected to my network. Knowing the average user, their kids will have been using them after installing god knows how many trojans and peer-to-peer software.

Personally I don't give a crap about the financial value of the laptops. What I care about is the information on the laptops. People could get killed if that information leaks. If the State Department did issue laptops that were not encrypted the responsible individual should be sacked. This is 2008. It is old news.

There is no excuse for not installing encryption software. TrueCrypt in its latest version is free and a lot more admin-friendly, and will fully encrypt Windows partitions. Linux has dm-crypt, which can be added during the installation. With the Ubuntu alternative installer it is easy.

http://sathyasays.com/2007/10/13/...

openSUSE and Slackware both have good docs for doing this. FreeBSD and OpenBSD also have the capability. OS X has the encrypted /Home, but I do not think this is good enough for government work or financial-sector work.

OpenSolaris is left out here. They do have a couple of projects underway to meet the encryption requirement which will be included soon.

There are plenty of free and proprietary alternatives out there.

In any organisation with thousands of employees laptops are going to be lost or stolen or "even sold to the insurance company" by dishonest employees.

Information Security professionals must take this into account.

All of the above applies to removable media.

Posted by: Felix Dzerzhinsky at May 6, 2008 11:41 PM


So the dead man walking blog post explained the story much better than the article.

The real issue here seems to be accountability for the losses. The Dead Man Walking blog indicates that the Bureau of Diplomatic Security, the internal security arm of the Department of State, is not accountable to the GAO or the normal internal review process of State. These losses were simply being cited as an example of why more oversight was needed.

The real issue, according to DMW blog, is that State Department Foreign Service officers are losing their Security Clearances for seeking mental health treatment for PTSD related illness incurred while on post in a dangerous area. Just the opposite of the policies that the Armed Services just enacted. The blog argues that the Diplomatic Security division should be held to the same standards as the military and held accountable (by someone).

Posted by: Anonymous at May 7, 2008 12:30 AM


@OSS
1. OT
2. I don't see any problem Bruce could have with TrueCrypt. If you searched his blog you would see he has mentioned it many times.
3. Speak for yourself and not for all Germans.

Posted by: Dirk at May 7, 2008 4:55 AM


The program must now be re-named:

The Terrorism Assistance Program

Posted by: Todd Petersson at May 7, 2008 5:04 AM


On the plus side - all department laptops are required to have whole disk encryption on them now.

Posted by: John at May 7, 2008 5:54 AM


Not an issue. To "lose" that many has only one plausible explanation: theft by employees that know nothing will happen to them. The data is ergo still in the same hands as before. Will not say "good hands" though.

Posted by: Gweihir at May 7, 2008 6:01 AM


Not an issue. To "lose" that many has only one plausible explanation: theft by employees that know nothing will happen to them. The data is ergo still in the same hands as before. Will not say "good hands" though.

Posted by: Gweihir at May 7, 2008 6:01 AM


Sorry for the double post. I checked before trying again, but it seems the original posting was just delayed, not lost as the error message I got seemed to imply.

Posted by: Gweihir at May 7, 2008 6:17 AM


Fortunately for us, the State Department doesn't actually do anything, so nothing of value beyond the hardware was lost.

Posted by: bob at May 7, 2008 6:42 AM


"Maybe the State Department should stop buying laptops and make the users get their own."

Haha, that's funny. A government agency that would let citizens decide something for themselves? That's a riot. Apparently we can't even get our own health care without being forced to use the government's solution. (coming soon!)

As far as security and trojans are concerned from an above comment, if the users were told to use and get an operating system not so susceptible to such things, it wouldn't be a problem.

Posted by: Andir at May 7, 2008 7:39 AM


Lemme guess...there were e-mails backed up on the laptops??

http://www.washingtonpost.com/wp-dyn/content/...

Posted by: Kerr Mudgen at May 7, 2008 9:51 AM


With luck, some brave citizen will recover one of these, perhaps with something interesting like the No Fly List on it, and publicize it for us all. I can think of nothing better to do to cause some beneficial change to happen. But I hope it doesn't have to be me. Don't think I'd enjoy gitmo.

Posted by: Doug Coulter at May 7, 2008 1:57 PM


They were reported recovered yesterday.

Posted by: Anonymous at May 7, 2008 4:57 PM


@Dirk
1. False. Link to Wired News in blog entry.
2. Yes and no. German: Jein.
3. Of course. And? Without the Tron name, I am speaking for me. Can you read worse than I write? o_O Ok, you have not the "spirit" of Tron. Sorry for this. But I wonder about your /interesting/ IP... Have you any spirit? ;-)

Posted by: OSS at May 7, 2008 5:29 PM


> Bet you anything those laptops weren't
> encrypted.

Bet you anything the content of the disk drives on these laptops was totally worthless bureaucratic drivel, which had cost taxpayers an arm and a leg.

I guess the "losses" are a part of a very secret operation to drive terrorists crazy by having them to sift through mounds of bureaucratese verbiage only to find out that the most relevant memo was about procurement of TP for the Anti-Terrorist Feline Sandbox Defense Task Force.

Posted by: averros at May 8, 2008 5:32 AM


Doesn't surprise me one bit that Jack Bauer and associates lost 400 laptops.

Posted by: derf at May 8, 2008 9:58 AM


FreeBSD has disk encryption; I haven't used it. However, OpenBSD does not, and will not for a while, and thank god for that! Implement your own bromide in some ways and you will be better off, although YMMV.
FDE is like walking in a minefield with a bunch of geese; you know things are going to get hectic.
Crypto is soooo uncool with all the issues today, part of the reason it has ~died out.

Gov even had a program to implement FDE; many issues with it were reported. Search Google, or BS probably knows.

NSA has repeatedly stated they do not care about software crypto; modern OS/software is that BAD! Rot13 crypto, just about; almost all of it is for those who really need it.

Posted by: Anonymous at May 10, 2008 10:09 PM


As someone reported above, they were reported recovered.
http://www.cqpolitics.com/wmspage.cfm?...

"The official who chaired the meeting, Christopher Flaggs, the department’s deputy chief financial officer, also asked the more than two dozen officials present about the security of laptops in the possession of private contractors. None of the officials knew whether the State Department required them to be encrypted to protect classified information, according to a person who attended the meeting."

Posted by: AlanS at May 11, 2008 7:09 PM




Powered by Movable Type. Photo at top by Steve Woit.

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.
