Schneier on Security
A blog covering security and security technology.
« The Doghouse: Onboard Threat Detection System |
| Friday Squid Blogging: Deep-Sea Squid Use Light in Attack »
February 16, 2007
The FBI: Now Losing Fewer Laptops
According to a new report, the FBI has lost 160 laptops, including at least ten with classified information, in the past four years.
But it's not all bad news:
The results are an improvement on findings in a similar audit in 2002, which reported that 354 weapons and 317 laptops were lost or stolen at the FBI over about two years. They follow the high-profile losses last year of laptops containing personal information from the Veterans Administration and the Internal Revenue Service.
In a statement yesterday, FBI Assistant Director John Miller emphasized that the report showed "significant progress in decreasing the rate of loss for weapons and laptops" at the FBI. The average number of laptops or guns that went missing dropped from about 12 per month to four per month for each category, according to the report.
The FBI: Now losing fewer laptops!
Posted on February 16, 2007 at 12:14 PM
• 24 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Hey, at least it's a step in the right direction.
They refer to "lost", not "stolen"... I wonder how often stuff gets stolen from FBI agents. I imagine that would make for some interesting "dumb crook" stories.
One would expect they are encrypted. (haven't read TFA)
A lost "encrypted" laptop - meh. A lost unencrypted laptop - Yowza!
Most (99%) of government systems, even classified, don't encrypt data at rest.
'Losing' 160 laptops on 30, 762 employees. Hmm. Is there any data known from the commercial sector? How many laptops get lost/stolen there?
I had a bunch of data on that, but somebody stole my laptop.
That's a rate of 1 laptop per year per 192 employees. That sounds pretty horrible to me. Anecdotally, I don't recall anyone *ever* losing a laptop at any of the companies I've worked for in the last 15 years. Granted, most of these have been fairly small companies, maybe 100 employees, but I worked for about 2 years at a bank with about 1500 employees, many of whom had laptops (and traveled worldwide with them), and there was never a problem with lost hardware.
The closest I've seen is one person who accidentally exchanged laptops (same model) with another traveller at a TSA checkpoint. Fortunately, he didn't have anything confidential on it, and we were able to ferret out the owner of the one he got, track him down, and exchange back.
This still seems like a horrible track record.
Reminds me of (many) governments' take on debt - they don't get rid of the existing debt, and they don't even manage to balance their budgets so they don't have to borrow even more money, but they will still tell you that they're at least accumulating new debt at a *slower* rate than before now and spin that as good news.
Laptops get lost or stolen all the time. Its a simple fact of mobile devices that have a relatively high degree of value and can be flipped quickly (e-bay anyone?). This is not news.
The issue is that most companies don't keep metrics of lost or stolen devices and just issue new ones!
1 laptop per 192 per year is nearly identical statistic of my last employer (>10,000 employees).
We had an incident reported on our local listserv (Capitol Hill) reporting that a couple FBI cars had their trunks broken into and lost uniforms, body armor, radios, and automatic weapons. They were parked in open lots between the Capitol and Union Station over a weekend.
Brilliant way to arm the criminals!
Coupla FBI buddies commented on this:
a) all the laptops are encrypted (although I'm sure stickynote exploits are rampant)
b) many of the weapons are probably personal weapons that have been approved, so the pool of missing weapons is much bigger than you would think
c) it's apparently extremely common for this stuff to show up later, and it's unknown if this article reflects that
Funny thing is, these poor guys are constantly groping themselves to make sure they have their badges and weapons. Kind of sad to see a G-man reduced to that...
At my University (of Texas at Austin, a big school), the daily police reports list about 1-3 laptops stolen per weekday. Of course, you don't expect college students to be as secure -- but remember that we're not that rich; and have to replace the laptop out of our pocket. (Sure some rich bastards do have parents who make laptop loss an externality).
I would be interested to know how the FBI figures compare to the theft of personal laptops out of homes and coffee shops.
I found it more interesting just how many weapons they are losing.
"I put my gun down while getting a donut and forgot it on the counter."
The Common Law best practices for laptops is getting pretty tight (at least in Alberta, Canada). See page 8 of http://www.oipc.ab.ca/ims/client/upload/... (starting on page 4) for a decision by the Alberta Information and Privacy Commissioner (September 26, 2006) to see what "a properly protected laptop looks like."
... too bad the gap is so large between actual and best practice
"Most (99%) of government systems, even classified, don't encrypt data at rest."
That's scary.. if true, it means that 99% of the people handling our most critical information, are incredibly ignorant - or more likely (since everything needs approval), security-application deprived.
Fortune 500 companies misplace laptops. They also recover them.
True story: DEA agent is wrestling with criminal in the passenger terminal of an airport. Criminal is hooked up. DEA agent checks holster, finds gun missing!
Terminal is dumped. Fervent search using all available personnel. No luck, no joy. Reopen the next day and cross fingers.
Two weeks later, a woman is stopped at another airport's security checkpoint with a gun in her purse. The DEA agent's gun. Flew out of his holster, landed neatly in her purse, and she didn't notice before flying back home.
I'd really rather that FBI misplace a thousand MP-5s than a single laptop, given a choice. Automatic weapons can be recovered and aren't that useful to thugs anyway. Laptops can compromise the security of nations and empires.
"Laptops can compromise the security of nations and empires."
Giveme a break. Secrets that important arn't on laptops. Most that are stolen are to be sold on ebay and nobody cares about the data on them, except perhaps to add "windows pre installed" ..... Or perhaps you just really like show 24?
"Laptops can compromise the security of nations and empires."
Is that supposed to be bad? I'd think compromising security of an empire is something any decent person would want to do.
Anyway, as the old Soviet joke goes: "There are only two Military Secrets: the first is how screwed up the things are, and the secod is that there are no other secrets".
Every joke is partly joke, heh.
Remember, that every time you worry about information security of the government, you basically worry about the ability of the governemt bureaucrats to keep things secret from yourself.
How much would keeping the data files on a USB flash-drive and making sure it always travels in your pocket rather than the computer case add to the security of the data? The drive could also be encrypted. The question is, would Windows leave unencrypted temporary copies of working files lying around the hard drive (I'm no expert, but I think yes), and how much expertise is needed to find those files?
I do this, not for security, but because I use multiple computers in my work, not all on the same network. The biggest risk = forgetting to pull the drive and take it with me.
Police departments, the FBI, and security agencies shouldn't lose ANY guns, equipment, or laptops (stolen or otherwise). If dismissal were the result, it would stop happening.
I think many of the "stolen" or "lost" laptops end up in that status due to prior arrangement.
I am glad they are losing less laptops (and guns), but I couldn't help but think of an old commercial for Preparation H where they hold their hands up and say:
If is your problem, then
is no answer. ;)
@Bruce: "The FBI: Now losing fewer laptops!" - now, that's the FBI's latest and greatest slogan! ;-)
The FBI idiots for sure have jobs. Lost, Stolen excuses, excuses. If that happend to me at my job, i would probably get fired right after saying the word 'lost'.
And yet we have to depend on the idiots such as them for protection or whatever? Please..
As mentioned in our press release:
We now have an open source solution for secure laptops - 100% encrypted hard drives with loop-AES (AES 256, multikey) encrypted laptops.
Laptops boot from USB stick with key set protected by 10 word (128 bit) diceware passphrase.
We have linked to this blog on our site (Bruce, you rock). Windows users can continue to use it inside a Virtual Machine.
A Mac based notebook with Virtual Machines that makes Linux, Windows and Mac OS available simultaneously will be announced soon.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.