February 28, 2014 7:00 PM
Posted by: Sharon Fisher
disaster recovery
Oh, no! The file/data/disk is gone!
How many times have you found yourself saying that? It’s a comfort to feel you’re not alone, which is why so many people like to seize on statistics like these from the Boston Computing Network, including some subset of the following statements:
- 6% of all PCs will suffer an episode of data loss in any given year. (The Cost Of Lost Data, David M. Smith)
- 30% of all businesses that have a major fire go out of business within a year. 70% fail within five years. (Home Office Computing Magazine)
- 31% of PC users have lost all of their files due to events beyond their control.
- 34% of companies fail to test their tape backups, and of those that do, 77% have found tape back-up failures.
- 60% of companies that lose their data will shut down within 6 months of the disaster.
- 93% of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster. 50% of businesses that found themselves without data management for this same time period filed for bankruptcy immediately. (National Archives & Records Administration in Washington)
- Companies that aren’t able to resume operations within ten days (of a disaster hit) are not likely to survive. (Strategic Research Institute)
- Every week 140,000 hard drives crash in the United States. (Mozy Online Backup)
- Simple drive recovery can cost upwards of $7,500 and success is not guaranteed.
One of the best known, though, is the one that states, “80% of businesses affected by a major incident close within 18 months.” There are dozens of variations of this on the Internet. It must be true.
Except it’s not. Not really.
“I have read many explanations of where this 80 percent myth originates from, but have never managed to find the original source,” wrote Mel Gosling for Continuity Central in what appears to be 2007. “It has, though, been repeated again and again over the years to frighten executives into developing business continuity plans, and just when I thought that the business continuity profession had decided to stop dragging out such a dubious statistic it has reappeared in all its glory.”
Not that frightening executives into developing business continuity plans is a bad thing, of course. Hey, whatever works.
In discussing the potential source of the quotation, it was tracked down at least as far as Amdahl in 1983. Others said they had heard it 30 years ago (from 2007, which tracks it back to 1977).
In 2009, Gosling went on to follow up on 29 of these and similar statistics, looking for their sources, and determined that in the vast majority of cases, they either couldn’t be sourced or were wildly out of date.
And yet the same data loss statistics still get quoted. Less than a year ago, business backup company Code 42 trotted them out again, attributing “60% of companies that lose their data will go out of business within 6 months of the disaster” to Computer Troubleshooters the previous year. If you go to Computer Troubleshooters, it in turn lists a whole series of statistics, attributed to VaultLogix – but with no source and no date. Moreover, the 60% VaultLogix statistic is quoted by other sites as well.
But while the provenance of the statistic is in doubt, it has what people call “truthiness” (which, incidentally, was the Merriam-Webster Word of the Year in 2006). It feels right. “Truthiness” was defined by the American Dialect Society as “the quality of preferring concepts or facts one wishes to be true, rather than concepts or facts known to be true.” As with urban legends, we’d all like to believe there’s a little boy whose dying wish is to get a lot of postcards or that Bill Gates will give money to people who share a link on Facebook. It fits our preconceived notions, so we jump on it without looking too carefully at where the data might have come from.
Now, does this mean that all such studies and quoted facts are suspect? No, not at all. A 2013 blog post from Backupify presented another list of data loss statistics. While it does include the lovely tautology “Data Loss is the #2 reason for data loss (up from #5 in 2010)” (one wonders what the #1 reason for data loss is, if not Data Loss), on the whole, the statistics it lists have more validity.
What makes these numbers more reliable? First, there’s the fact that they actually have dates attached to them, which gives them some context. Second, it’s possible to track down the actual sources of the statistics. It’s not a single out-of-context fact — or, worse, a whole list of them — passed down through the generations as gospel truth.
You really want to calculate some lost business? Figure out just how many person-hours have been wasted trying to find the source of this mythical statistic.
February 22, 2014 5:28 PM
Posted by: Sharon Fisher
Ethical issues aside — after revelations this week of a cache of as many as 28,000 documents obtained through an investigation into illegal use of Milwaukee County, Wis., staff for campaign purposes by now-Governor Scott Walker – one thing is clear: These people don’t know much about IT.
Here’s the tl;dr background: When Walker was County Executive, staff members worked on his gubernatorial election campaign, which is illegal under the laws of Wisconsin (and most other governmental organizations, including the federal government). They did this through a secret wireless router in the county office with staffers using their personal laptops and email accounts. The scheme was discovered through a raid on county and campaign offices, as well as staffers’ homes, on November 1, 2010 – the day before Election Day — and an investigation, which ended last year after six staff members were charged. The documents were released this week after a request by Wisconsin press agencies.
We’re not going to get into the actual contents of the messages, which journalists are having great fun ferreting out. Our interest is the IT angle, and the two really elementary mistakes that Walker and his staff made.
1. Just because you have a Seekrit Router and personal laptops and email doesn’t mean that investigators can’t still find this stuff. Anything that has governmental (or corporate) records on it can be seized in electronic discovery, even if it’s personal.
2. It isn’t clear from the investigation whether staff made any attempt to delete the messages, though it’s interesting to note that the investigation made a point of seizing the computers the day *before* Election Day — no doubt inspired by incidents such as Govs. Mike Huckabee and Mitt Romney wiping government-owned hard disk drives to stymie future investigations. If they did, staff either did a lousy job or didn’t realize that even deleted email could still be read from hard disks. Or maybe they really thought that by using their own laptops and a secret email router, nobody would find out?
(It’s apparent that staffers weren’t necessarily the sharpest tools in the shed about IT themselves. Regarding the original investigation, for example, the Milwaukee Journal-Sentinel wrote, “In one 2009 chat with Timothy Russell, a longtime friend and fellow Walker aide, [constituent services manager Darlene] Wink asked how she could clear a document from her chat session. Russell told her it would disappear when she logged out. ‘I just am afraid of going to jail – ha! ha!’ Wink wrote in August 2009. Russell replied, ‘You wouldn’t, not for that.’”)
This is just another example of Government Behaving Badly by using alternative email systems in an attempt to hide what it’s doing. Unfortunately, we’ve seen too many similar incidents in the past few years.
Walker, who has not been charged, has denied knowledge of the secret email system.
February 17, 2014 6:30 PM
Posted by: Sharon Fisher
If you needed any more persuasion that it was a good time to move away from physical storage of records, here it is: Nine first responders were killed and 12 others injured when an Iron Mountain document storage facility in Buenos Aires, the capital of Argentina, burned earlier this month. How many documents were destroyed wasn’t clear, but it took ten squads of firefighters to put out the fire.
Boston-based Iron Mountain Inc. reportedly manages, stores and protects information for more than 156,000 companies and organizations in 36 countries, according to the Washington Post. (The company has a fascinating history; it started as a mushroom farm. Really.) The 19th-century building stored largely paper records and was supposed to have been protected by multiple systems that were intended to preserve records, including halon.
This isn’t the first time Iron Mountain facilities have been struck by fire. In 2006, the company suffered two fires in a single month, including one that destroyed a London building and one, reportedly caused by roofing repairs, that damaged 3 percent of the files in an Ottawa building. Three other suspicious fires occurred in a single Iron Mountain facility in South Brunswick, N.J. in March, 1997. Both the London and New Jersey fires were later determined to be arson, the Post noted. A 2011 fire in Italy was thought to be electrical in origin. Lawsuits associated with the London fire amounted to some $33 million, according to the Iron Mountain 2007 annual report — which also mentioned that the sprinkler system in the London building had been “disabled” in two places, but it wasn’t clear whether the “disabling” was in connection with the fire.
Adding an additional layer of intrigue to this incident is the fact that the facility stored the records for the Argentine banking industry — just days after the Argentine Central Bank’s foreign exchange had come under criticism by JP Morgan, and just a month after the U.S. Supreme Court agreed to decide whether a holdout creditor for Argentina should be allowed to seek bank records about the country’s international assets, a case stemming from Argentina’s historic 2001 default, wrote the Wall Street Journal.
This has led some to speculate that there was a connection and that the Argentine fire was also arson. While Iron Mountain has not yet revealed the cause of the Buenos Aires fire, there are indications of arson, both because the fire started in at least three or four separate locations and that it appeared that the sprinkler system was sabotaged. Who might have set it and for what motivation are unknown.
Even before the 2006 fire was determined to be arson, it was prompting IT managers to look at electronic backup options such as mirrored replication. Eight years later, it’s a surprise that there are still companies relying on single copies of paper records.
Admittedly, if your goal is to be able to destroy incriminating records should they become inconvenient, electronic records and multiple backups aren’t the best plan, but we’ll assume that’s not the case for the majority of companies. Certainly not the companies that just happened to store their records in the same facility.
February 8, 2014 8:40 PM
Posted by: Sharon Fisher
We already know that companies tend to be behind on e-discovery. Wearable technology such as Google Glass has the potential to make them behinder.
The whole point behind e-discovery is to put all the corporate records in one place, so that they can be managed, deleted when they reach a certain age, and protected if they could be needed in a litigation situation. IT and legal staff have a hard enough time preventing corporate and government employees from deleting things they’re supposed to keep, or making sure they aren’t using personal email and cloud storage accounts for data. So now they have to deal with people running around with little computers on their wrists and on their faces and God knows where else.
And it’s likely to be a big deal. According to a market report published last April by Transparency Market Research, Wearable Technology Market – Global Scenario, Trends, Industry Analysis, Size, Share and Forecast, 2012-2018, “the global wearable technology market stood at USD 750.0 million in 2012 and is expected to reach USD 5.8 billion in 2018, at a CAGR of 40.8% from 2012 to 2018.” Credit Suisse was even more optimistic, predicting last May that “The wearables market is a lot bigger than investors realize, at perhaps $3 billion to $5 billion today, rising to perhaps $30 billion to $50 billion over the next three to five years,” writes Tiernan Ray in Barron’s.
So what next?
“While these products are only now moving from the public periphery, it is only a matter of time before they begin to cause headaches in litigation,” writes Frank Gorman in the eDiscovery Service Blog. “All of the aforementioned devices have a not-insignificant amount of local storage, meaning that the discovery net will have to widen to ensure data is collected from any wearable smart devices that could provide relevant ESI [electronically stored information]. The Galaxy Gear and Google Glass both have the ability to take pictures, share, post, and create documents more seamlessly than ever, all of which could easily affect litigation.”
“There is no doubt that courts will deem non-privileged, relevant electronically stored information (ESI) on these devices as a discoverable type of e-data,” agrees Michele Lange, an attorney, writer, marketer and e-discovery thought leader at Kroll Ontrack, in JD Supra Business Advisor. “The basic application of this inevitable ruling is pretty clear—videos and pictures stored or shared from the device will be discoverable.”
Moreover, Gorman adds, there’s the devices’ tracking potential. “If you have an employee suing for wrongful termination, it would certainly be pertinent to know that, on days they called in sick, their smart watch tracked them at a Cubs game or dancing to “Twist and Shout” in the middle of a parade,” he continues.
“If there were a case regarding a dispute over an individual’s location at a certain point in time, activity on the individual’s wearable device might be used as evidence,” writes Greg Cancilla, director of forensics for RVM. “The smart device might have automatically detected this metadata unbeknownst to the user, and could be used during the discovery process.”
Not to mention the wealth of data preserved by a FitBit.
Okay, but all this data is synced up to the cloud anyway, so what’s the problem? Plenty, Gorman writes. “A smart phone set to sync automatically with a wearable device that has discrepancies between the files found on each could indicate spoliation, whether intended or inadvertent,” he writes. “Google Glass, for example, syncs with Google Drive, so any case involving relevant ESI collected from the glasses will also certainly require access to a custodian’s Google Drive account, meaning that litigating lawyers must have the technical know-how to appreciate the connections between the two functionalities.”
Unfortunately, while attorneys with expertise in this area all agree that it’s really important and companies should start planning for it, they don’t say much about what companies should actually do. “Litigators need to be prepared for ways in which wearable technology will push eDiscovery even further,” Gorman writes. “If a critical mass of society actually adopts this technology, the revolution will come when the judiciary (and all of us) are forced to cope with a tsunami of duties to preserve this ESI, along with the ever-present threat of back-end spoliation sanctions that will follow,” chimes in Lange.
I am not an attorney. That stipulated, it would seem to make sense that the safest thing to do, if employees are starting to use wearable technology in your company — whether it’s for work or not — is to ensure that they are at least aware of the situation and make sure they preserve any data the devices collect, much as they would do in a BYOD smartphone situation. Cancilla appears to agree. “It is likely that the same policies that apply for the typical mobile devices would apply to these wearable gadgets,” though he goes on, with the same handwaving as the others, “Only time will tell how new policies or amendments to the policies will arise throughout the advancement of wearable technology. It is certain that as these technological changes progress, lawyers will be expected to be well-versed on the new guidelines relating these devices to litigation as well as the mechanics behind them from a strategic perspective.”
Keep in mind that, should you be called before a judge, “The dog ate my data” or any other technological equivalent isn’t going to help you. Judges don’t have much of a sense of humor about such things these days, and have slapped companies with hefty fines for not producing the information, aside from the value of the litigation itself.
January 31, 2014 11:17 PM
Posted by: Sharon Fisher
It’s shaping up to be an interesting couple of months in the cloud storage space. After multiple claims last year that Box was going to go public this year, and that perhaps Dropbox would as well, several sources are reporting that Box has filed for an initial public offering (IPO) using a relatively new procedure that lets the company keep it a secret.
Both companies provide cloud storage to individuals and corporations, though Box has tended to have more of a reputation for attracting the corporate market (such as its moves last year to make itself more appealing in the health market), while Dropbox has focused more on individuals and consumers. Both have also each had several rounds of fundraising that have had them competing for large valuations.
Box, for example, just raised $100 million last December, giving the company a total valuation of $2 billion. “Box has raised $409 million in venture capital, including $100 million in its Series F round in December from Telefonica Digital, DFJ Growth, Telstra, Mitsui & Co, and others,” writes Ken Yeung in The Next Web. “It’s believed that Box is valued at $1.2 billion based on 2012 venture rounds. It’s unclear about whether it’s a profitable company.”
Dropbox, for its part, has reportedly raised as much as $450 million, which would give the company a total valuation of nearly $10 billion, according to Silicon Valley Business Journal. Reuters also cited unnamed sources that the company intended to go public soon.
The downside with getting a big funding round is that eventually investors want to see some return on their investment — and typically that means either an IPO or an acquisition. Box CEO Aaron Levie told Bloomberg last year that since he didn’t want to sell the company, it would have to go public, and that he planned to do that this year. Each has been expected to go public at some point, though IDC predicted in late 2012 that Dropbox would be acquired in 2013, after spurning an $800 million acquisition offer from Apple early on. Dropbox has also had more negative press around the security and privacy of files on its system.
“Dropbox built up an impressive user base of about 200 million but most of those are consumers and small business owners. It only recently began trying to get a foothold in the medium and large enterprise markets where Box excels,” writes Silicon Valley Business Journal. “Levie concentrated early on the business market, and Box claims about 20 million users at about 180,000 businesses. That covers around 97 percent of the companies on the Fortune 500.”
Now, Quartz and the Wall Street Journal have each reported that Box has filed for an IPO. The 2012 Jumpstart Our Business Startups Act bill included a provision that allows companies deemed to be “emerging growth” — that is to say, with sales of less than $1 billion — to keep their IPO filing secret until 21 days before they go public. That enables a company to wait for an opportune time before going public — and doesn’t make the company look bad for just sitting around and never actually going public, writes the Journal. The move was also intended to make it more attractive for companies to go public rather than sell out. Financial analysts say that Twitter used the same method when it went public.
It isn’t clear when Box is actually going to go public, nor for how much, and in fact the company isn’t even confirming that it is — secret, remember? Certainly there will be a great deal of interest in its eventual valuation — currently estimated to be about $500 million — and all eyes will be on Dropbox to see if it follows suit — or, for that matter, whether it too has also already filed for a secret IPO and we just haven’t found out yet.
January 29, 2014 6:37 PM
Posted by: Sharon Fisher
You might expect that a company that uses 27,134 of a thing might be a pretty fair judge of what makes those things good or bad. That’s what makes a recent series of blog posts by BackBlaze so interesting. Basically, adding to its side business of storage design, it now has a side business of storage hardware reviews.
As you may recall, the company’s MO, instead of using real real big storage, uses a whole whole lot of commodity storage devices hooked together into “pods,” with as much of the extraneous stuff stripped off as possible. This reduces costs and is more scalable than large storage systems that require forklift upgrades to be expandable. Companies such as Netflix are using it as well, and several vendors have started selling storage systems based on the Backblaze designs. While the company occasionally has trouble finding commodity disk drives, in general the system works pretty well.
While the reviews – three of them thus far, on expected drive lifetimes, drive reliability, and “Which hard drive should I buy?” – do have a weensy bit of a BackBlaze sales pitch in them, they’re also crammed full of good information, including charts and graphs.
“Why do we have the drives we have?” writes distinguished engineer Brian Beach. “Basically, we buy the least expensive drives that will work. When a new drive comes on the market that looks like it would work, and the price is good, we test a pod full and see how they perform. The new drives go through initial setup tests, a stress test, and then a couple weeks in production. (A couple of weeks is enough to fill the pod with data.) If things still look good, that drive goes on the buy list. When the price is right, we buy it.”
All in all, the review features 15 common models of hard drives, from vendors such as Hitachi, Western Digital, and Seagate. It doesn’t claim to be the be-all and end-all of storage hardware product reviews – simply ‘Of the ones we used, these were our results.’
And BackBlaze seems to do a pretty good job of tracking those results. “We have detailed day-by-day data about the drives in the Backblaze Storage Pods since mid-April of 2013,” writes Beach in his drive reliability blog post. “With 25,000 drives ranging in age from brand-new to over 4 years old, that’s enough data to slice the data in different ways and still get accurate failure rates. We have data that tracks every drive by serial number, which days it was running, and if/when it was replaced because it failed. We have logged 14719 drive-years on the consumer-grade drives in our Storage Pods, [and] 613 drives that failed and were replaced.”
In addition to the reviews themselves, BackBlaze allows people to comment on them, so there’s all sorts of hard-core storage wankery to read, if you’re into that sort of thing. (If you’re really into that kind of thing, check out the Slashdot writeup and those comments.)
Needless to say, some of the computer magazines and websites whose bread-and-butter is product reviews aren’t quite sure what to make of this. Naturally, the BackBlaze data – whether you agree with it or not – is way cool to any reviews nerd, but somebody who has 27,000 disk drives in their shop and full statistics on them can have a little more credibility than someone who’s testing a single device.
“We chronicle Backblaze’s failed attempt to provide credible HDD reliability data,” writes Paul Alcorn in TweakTown, who goes on to criticize the event as a publicity stunt and to pick at its methodology. “Read on to find out why you should pay no attention at all.”
“I wasn’t impressed last week when I saw Brian Beach’s blog on what disk drive to buy,” concurs Henry Newman in enterprisestorageforum.com, who criticized the blog post because it didn’t account for the different levels of I/O the drives might be experiencing. “I wasn’t impressed due to the lack of intellectual rigor in the analysis of the data he presented. In my opinion, clearly Beach has something else going on or lacks understanding of how disk drives and the disk drive market work.”
Others defended the BackBlaze blog post. “I understand a test engineer’s desire for controlled environments and workloads for testing,” counters Robin Harris in ZDNet, criticizing the TweakTown critique. “But that isn’t the real world: some drives are busier; some have higher ambient temps; some come from a bad run; or get banged around in shipment.” He goes on to say, “So yes, as a consumer, I would look at Backblaze’s results. If I were upgrading my arrays tomorrow, I’d make an extra effort to buy Hitachi per the Backblaze experience. What they found squares with what I’ve heard from insiders over the last 10 years.”
Information like this, from mega users, could certainly revamp the entire testing industry. (Similarly, the company took it upon itself to declare in November that the Thailand-flood-caused drive shortage was over, based on what it saw for its purchasing.) Consumer Reports, with its emphasis on real-world testing, has to be paying attention too. And as content marketing, it couldn’t be beat.
Now, what would be interesting is if some of the other companies that work by using huge quantities of commodity devices – such as Google or Facebook – followed suit with their information. Facebook is already revealing what it’s learned about server and storage design; it wouldn’t be much of a stretch for it to do reviews of them like BackBlaze is doing.
(It turns out that this is a point Harris also made. “But rather than bash Backblaze for giving consumers the benefit of their experience, TweakTown should be asking, as I do, for other major drive users to come clean,” he writes. “I’m looking at you, Google, Amazon and Microsoft.”)
Of course, so could the NSA, but they aren’t talking.
Disclaimer: I am a BackBlaze customer.
January 27, 2014 5:39 PM
Posted by: Sharon Fisher
federal government, homeland security
In the TV show The West Wing, there’s an episode in the first season called “Take Out the Trash Day,” where Josh explains to Donna that in White House parlance, “take out the trash day” refers to the practice of releasing potentially embarrassing news stories at a time when people aren’t likely to see them.
On December 31, the Federal Judicial Court took out an epic piece of trash.
As you may recall, the Department of Homeland Security (DHS) announced in August, 2009, a policy regarding searches of computers at the border. As you may also recall, U.S. Customs and Border Protection has jurisdiction to enforce laws within 100 miles of the border. And while 100 miles of the border doesn’t sound like much, you may also recall that, according to the American Civil Liberties Union (ACLU), as of 2006, more than two-thirds of the U.S. population lived within 100 miles of the border. All together, it meant that anyone in that area with a laptop could have that laptop seized without a warrant, at any time, taken to a lab anywhere in the U.S., have its data copied, and searched for as long as Customs deemed necessary.
All caught up now?
In 2010, the National Association of Criminal Defense Lawyers (NACDL), the American Civil Liberties Union (ACLU), the National Press Photographers Association (NPPA), and the New York Civil Liberties Union (NYCLU) filed a lawsuit against this policy, saying it amounted to unreasonable search and seizure, particularly in the case of attorneys who might have information under attorney-client privilege or journalists who might have off-the-record information.
On December 31, Judge Edward R. Korman of the Federal District Court for the Eastern District of New York dismissed the lawsuit, saying, essentially, that it just doesn’t happen all that much (“10 in a million,” according to him, 6,500 between 2008 and 2010 according to the ACLU), the government needs to be able to search laptops to protect the country, and what are people doing taking such secure information out of the country anyway?
“While it is true that laptops may make overseas work more convenient,” Korman wrote in the decision, “the precautions plaintiffs may choose to take to ‘mitigate’ the alleged harm associated with the remote possibility of a border search are simply among the many inconveniences associated with international travel.” He also noted, “[I]t would be foolish, if not irresponsible, for plaintiffs to store truly private or confidential information on electronic devices that are carried and used overseas.”
As it happens, in March, the Ninth Circuit Court reached a somewhat different verdict on a similar case, United States vs. Cotterman, finding that government agents must have reasonable suspicion before engaging in a forensic search, which is a more detailed kind of electronic search — but which, as the Electronic Frontier Foundation pointed out, isn’t defined in the decision. In addition, that decision applies only to the Ninth Circuit.
Korman’s dismissal of the case means that in areas other than the Ninth Circuit, and for cases anywhere that are just a cursory search rather than a forensic search (for which probable cause is required), border agents are still authorized to conduct warrantless searches of electronic devices that store data. That’s not just laptops, but also other devices such as smartphones and electronic cameras. (States covered by the Ninth Circuit include California, Washington, Oregon, Idaho, Montana, Nevada, Arizona, Alaska and Hawaii, according to the New York Times.)
In June, in response to a Freedom of Information Act request filed by the ACLU, the DHS released its December 2011 Civil Rights/Civil Liberties Impact Assessment, which is what explained why the agency felt it needed the right to search people’s electronic devices without a warrant. According to that report, revealing the suspicion could be a matter of national security. In addition, the report continued, it would mean that agents couldn’t act on “hunches,” an opinion that the ACLU criticized. “As the Supreme Court explained in Terry v. Ohio, if law enforcement agents are allowed to intrude upon people’s rights ‘based on nothing more substantial than inarticulate hunches,’ then ‘the protections of the Fourth Amendment would evaporate, and the people would be “secure in their persons, houses, papers and effects,” only in the discretion of the [government],’” the ACLU wrote.
Politifact, in examining the case, pointed out that border searches have been legal for hundreds of years, and that the only difference now is that we’re talking about electronic devices that could have a great deal of data on them.
The ACLU and NPPA are considering whether to appeal Judge Korman’s decision — which could go as far as the Supreme Court.
While one can say, okay, fine, I’ll just encrypt my laptop, keep in mind that case law regarding encryption and whether a person can be compelled to produce the password is far from clear, with a total of half a dozen or so cases that are split pretty evenly. That decision, too, is expected to eventually reach the Supreme Court.
January 24, 2014 6:35 PM
Posted by: Sharon Fisher
Earlier this month, a couple of guys released a free app for the iPhone that they billed as “Snapchat for business.” The app, Confide, is intended to send messages secretly, doesn’t allow people to read over your shoulder or let you take a screenshot, and deletes the messages after they’re read. Moreover, the company uses end-to-end encryption, meaning it can’t read the messages, either, and the messages are never stored on the company’s servers. (Here’s a very detailed description of how it works and looks.)
So what’s wrong with that?
Plenty, and it’s not just the “Eek, people could use it for infidelity!” that the Huffington Post and the Daily Mail were handwringing about.
One use case, writes Business Insider, is the recent incident with Gov. Chris Christie in N.J., who’s accused of having his staff shut down part of a bridge as political payback, and where the staff had email messages incriminating them in this. “Now, if Christie’s aide had used Confide, this wouldn’t be happening,” Jay Yarow writes brightly.
And he thinks this is a good thing?
We’ve certainly seen many examples of government officials erasing messages, using personal email addresses, and otherwise trying to evade proper oversight by the people. If government officials could send email without fear that the messages could be retrieved later, what do we think could happen?
It’s not just in government that this app should scare us. It’s with corporations as well. Numerous legal cases, such as Apple-Samsung, have hinged on incriminating email messages. Moreover, there are all sorts of regulatory, audit, and accountability issues that could be evaded with this app, writes Bloomberg Business Week.
“Companies face heavy regulatory pressure to preserve—not destroy—business e-mails, financial records, and other documents,” writes Sarah Frier, noting that Barclays was recently fined $3.75 million for failing to retain electronic documents. “If employees are discussing critical information or creating financial records, those probably need to be retained, says Scott Whitney, vice president of product management at social media compliance consultancy Actiance,” she adds.
What do the Confide developers say about the notion of it being used for nefarious purposes? “As for the possibility that professionals could use Confide to skirt legal duties (such as by-laws that require them to preserve corporate communications),” developer Jon Brod handwaved to GigaOm, “the app is simply a platform and that it would be up to individuals to comply with their obligations.”
January 1, 2014 1:01 AM
Posted by: Sharon Fisher
Okay, here’s a new way to use memory sticks to spread malware — though to be fair, at least this method doesn’t rely on people being stupid enough to pick up strange thumb drives and stick them in their computers.
In a story that has “Law and Order — ripped from the headlines!” all over it, according to the BBC some bad guys in Germany figured out how to cut holes in an ATM, reach in with a thumb drive carrying a program, plug it into the ATM’s USB port, upload the program, remove the thumb drive, plug the hole back up, and then use the uploaded program, with a 12-digit PIN, to tell the ATM to empty its cash drawer. To show the care with which the bad guys wrote the program, it let them pick the biggest bills first, and it required a code from one of the other bad guys, to ensure that none of the bad guys went rogue and started going freelance. When the machine was empty, it would go back to its usual interface, reported the International Business Times.
Presumably the bad guys show up at night, when there aren’t employees around to hear the sound of dozens of bills going whfft-whfft-whfft out the ATM at once.
Because of the knowledge required to cut into the ATM at the right place, write the program, and plug in the thumb drive (ATMs have USB ports? Who knew? What for?), it’s thought to be an inside job, because they displayed “profound knowledge of the target ATMs.” You think?
Presumably the little program shuts down the ATM’s camera as well, because these bad guys haven’t been caught yet. In fact, we’re not really sure this is exactly how the thing works; the unnamed European bank where this is happening asked for help when ATMs’ cash drawers kept turning up empty, and this is conjecture from investigators. They did discover the little program is called hack.bat, which apparently was a Clue. The program has been found on four ATMs thus far.
Researchers — who asked to remain anonymous — revealed the system in a talk at the Chaos Computing Conference in Hamburg, Germany. (They may be anonymous, but they’re readily visible in the recording, and one of them is female, so it shouldn’t be that hard to figure out who they are.)
We’ve written before about the importance of securing USB ports to keep people from, deliberately or not, using them to download data or infect systems with malware, but using them to zombiefy an ATM is a new one. One presumes that ATM manufacturers will quickly be coming up with ways to secure the USB port. If nothing else, they could spend 75 cents and plug something into them so they’re less accessible. Setting up security cameras that aren’t controlled by the ATM is probably on the list as well.
Interestingly, the ATMs in question run Windows XP — yes, the same one that’s supposed to stop being supported as of April 8. It’s previously been said that the unsupported Windows XP could end up harboring all sorts of viruses after that date, which some people chalked up to Fear, Uncertainty and Doubt sowed by Microsoft to get people to migrate. But the notion of viruses targeting ATMs and teaching them to spew out money is an interesting one.
Naturally, the story is charming hackers of all stripes who are busily exchanging war stories about the insecurity of ATMs — models of which are readily available on eBay for convenient home research.
This raises the question of what other things these days have USB ports in them, or run Windows XP, that could be exploited. Video poker machines? Candy and cigarette machines? Medical equipment?
Incidentally, security researcher Barnaby Jack, scheduled to give a talk earlier this year on hacking implanted medical equipment — who mysteriously died of unrevealed causes days before his presentation, though Reuters said law enforcement had ruled out foul play — presented at Black Hat in 2010 on exactly how to break into an ATM, including how he used social engineering to gain valuable information about the ATM.