Ethical issues aside — after revelations this week of a cache of as many as 28,000 documents obtained through an investigation into illegal use of Milwaukee County, Wis., staff for campaign purposes by now-Governor Scott Walker — one thing is clear: These people don’t know much about IT.
Here’s the tl;dr background: When Walker was County Executive, staff members worked on his gubernatorial election campaign, which is illegal under the laws of Wisconsin (and most other governmental organizations, including the federal government). They did this through a secret wireless router in the county office with staffers using their personal laptops and email accounts. The scheme was discovered through a raid on county and campaign offices, as well as staffers’ homes, on November 1, 2010 — the day before Election Day — and an investigation, which ended last year after six staff members were charged. The documents were released this week after a request by Wisconsin press agencies.
We’re not going to get into the actual contents of the messages, which journalists are having great fun ferreting out. Our interest is the IT angle, and the two really elementary mistakes that Walker and his staff made.
1. Just because you have a Seekrit Router and personal laptops and email doesn’t mean that investigators can’t still find this stuff. Anything that has governmental (or corporate) records on it can be seized in electronic discovery, even if it’s personal.
2. It isn’t clear from the investigation whether staff made any attempt to delete the messages, though it’s interesting to note that the investigation made a point of seizing the computers the day *before* Election Day — no doubt inspired by incidents such as Govs. Mike Huckabee and Mitt Romney wiping government-owned hard disk drives to stymie future investigations. If they did, staff either did a lousy job or didn’t realize that even deleted email could still be read from hard disks. Or maybe they really thought that by using their own laptops and a secret email router that nobody would find out?
(It’s apparent that staffers weren’t necessarily the sharpest tools in the shed about IT themselves. Regarding the original investigation, for example, the Milwaukee Journal-Sentinel wrote, “In one 2009 chat with Timothy Russell, a longtime friend and fellow Walker aide, [constituent services manager Darlene] Wink asked how she could clear a document from her chat session. Russell told her it would disappear when she logged out. ‘I just am afraid of going to jail – ha! ha!’ Wink wrote in August 2009. Russell replied, ‘You wouldn’t, not for that.'”)
This is just another example of Government Behaving Badly by using alternative email systems in an attempt to hide what it’s doing. Unfortunately, we’ve seen too many similar incidents in the past few years.
If you needed any more persuasion that it was a good time to move away from physical storage of records, here it is: Nine first responders were killed and 12 others injured when an Iron Mountain document storage facility in Buenos Aires, the capital of Argentina, burned earlier this month. How many documents were destroyed wasn’t clear, but it took ten squads of firefighters to put out the fire.
Boston-based Iron Mountain Inc. reportedly manages, stores and protects information for more than 156,000 companies and organizations in 36 countries, according to the Washington Post. (The company has a fascinating history; it started as a mushroom farm. Really.) The 19th-century building stored largely paper records and was supposed to have been protected by multiple systems that were intended to preserve records, including halon.
This isn’t the first time Iron Mountain facilities have been struck by fire. In 2006, the company suffered two fires in a single month, including one that destroyed a London building and one, reportedly caused by roofing repairs, that damaged 3 percent of the files in an Ottawa building. Three other suspicious fires occurred in a single Iron Mountain facility in South Brunswick, N.J. in March, 1997. Both the London and New Jersey fires were later determined to be arson, the Post noted. A 2011 fire in Italy was thought to be electrical in origin. Lawsuits associated with the London fire amounted to some $33 million, according to the Iron Mountain 2007 annual report — which also mentioned that the sprinkler system in the London building had been “disabled” in two places, but it wasn’t clear whether the “disabling” was in connection with the fire.
Adding an additional layer of intrigue to this incident is the fact that the facility stored the records for the Argentine banking industry — just days after the Argentine Central Bank’s foreign exchange had come under criticism by JP Morgan, and just a month after the U.S. Supreme Court agreed to decide whether a holdout creditor for Argentina should be allowed to seek bank records about the country’s international assets, a case stemming from Argentina’s historic 2001 default, wrote the Wall Street Journal.
This has led some to speculate that there was a connection and that the Argentine fire was also arson. While Iron Mountain has not yet revealed the cause of the Buenos Aires fire, there are indications of arson, both because the fire started in at least three or four separate locations and that it appeared that the sprinkler system was sabotaged. Who might have set it and for what motivation are unknown.
Even before the 2006 fire was determined to be arson, it was prompting IT managers to look at electronic backup options such as mirrored replication. Eight years later, it’s a surprise that there’s still companies relying on single copies of paper records.
Admittedly, if your goal is to be able to destroy incriminating records should they become inconvenient, electronic records and multiple backups aren’t the best plan, but we’ll assume that’s not the case for the majority of companies. Certainly not the companies that just happened to store their records in the same facility.
We already know that companies tend to be behind on e-discovery. Wearable technology such as Google Glass has the potential to make them behinder.
The whole point behind e-discovery is to put all the corporate records in one place, so that they can be managed, deleted when they reach a certain age, and protected if they could be needed in a litigation situation. IT and legal staff have a hard enough time preventing corporate and government employees from deleting things they’re supposed to keep, or making sure they aren’t using personal email and cloud storage accounts for data. So now they have to deal with people running around with little computers on their wrists and on their faces and God knows where else.
And it’s likely to be a big deal. According to a market report published last April by Transparency Market Research Wearable Technology Market – Global Scenario, Trends, Industry Analysis, Size, Share and Forecast, 2012- 2018, “the global wearable technology market stood at USD 750.0 million in 2012 and is expected to reach USD 5.8 billion in 2018, at a CAGR of 40.8% from 2012 to 2018.” Credit Suisse was even more optimistic, predicting last May that “The wearables market is a lot bigger than investors realize, at perhaps $3 billion to $5 billion today, rising to perhaps $30 billion to $50 billion over the next three to five years,” writes Tiernan Ray in Barron’s.
So what next?
“While these products are only now moving from the public periphery, it is only a matter of time before they begin to cause headaches in litigation,” writes Frank Gorman in the eDiscovery Service Blog. “All of the aforementioned devices have a not-insignificant amount of local storage, meaning that the discovery net will have to widen to ensure data is collected from any wearable smart devices that could provide relevant ESI [electronically stored information]. The Galaxy Gear and Google Glass both have the ability to take pictures, share, post, and create documents more seamlessly than ever, all of which could easily affect litigation.”
“There is no doubt that courts will deem non-privileged, relevant electronically stored information (ESI) on these devices as a discoverable type of e-data,” agrees Michele Lange, an attorney, writer, marketer and e-discovery thought leader at Kroll Ontrack, in JD Supra Business Advisor. “The basic application of this inevitable ruling is pretty clear—videos and pictures stored or shared from the device will be discoverable.”
Moreover, Gorman adds, there’s the devices’ tracking potential. “If you have an employee suing for wrongful termination, it would certainly be pertinent to know that, on days they called in sick, their smart watch tracked them at a Cubs game or dancing to “Twist and Shout” in the middle of a parade,” he continues.
“If there were a case regarding a dispute over an individual’s location at a certain point in time, activity on the individual’s wearable device might be used as evidence,” writes Greg Cancilla, director of forensics for RVM. “The smart device might have automatically detected this metadata unbeknownst to the user, and could be used during the discovery process.”
Not to mention the wealth of data preserved by a FitBit.
Okay, but all this data is synced up to the cloud anyway, so what’s the problem? Plenty, Gorman writes. “A smart phone set to sync automatically with a wearable device that has discrepancies between the files found on each could indicate spoliation, whether intended or inadvertent,” he writes. “Google Glass, for example, syncs with Google Drive, so any case involving relevant ESI collected from the glasses will also certainly require access to a custodian’s Google Drive account, meaning that litigating lawyers must have the technical know-how to appreciate the connections between the two functionalities.”
Unfortunately, while attorneys with expertise in this area all agree that it’s really important and companies should start planning for it, they don’t say much about what companies should actually do. “Litigators need to be prepared for ways in which wearable technology will push eDiscovery even further,” Gorman writes. “If a critical mass of society actually adopts this technology, the revolution will come when the judiciary (and all of us) are forced to cope with a tsunami of duties to preserve this ESI, along with the ever-present threat of back-end spoliation sanctions that will follow,” chimes in Lange.
I am not an attorney. That stipulated, it would seem to make sense that the safest thing to do, if employees are starting to use wearable technology in your company — whether it’s for work or not — is to ensure that they are at least aware of the situation and make sure they preserve any data the devices collect, much as they would do in a BYOD smartphone situation. Cancilla appears to agree. “It is likely that the same policies that apply for the typical mobile devices would apply to these wearable gadgets,” though he goes on, with the same handwaving as the others, “Only time will tell how new policies or amendments to the policies will arise throughout the advancement of wearable technology. It is certain that as these technological changes progress, lawyers will be expected to be well-versed on the new guidelines relating these devices to litigation as well as the mechanics behind them from a strategic perspective.”
Keep in mind that, should you be called before a judge, “The dog ate my data” or any other technological equivalent isn’t going to help you. Judges don’t have much of a sense of humor about such things these days, and have slapped companies with hefty fines for not producing the information, aside from the value of the litigation itself.
It’s shaping up to be an interesting couple of months in the cloud storage space. After multiple claims last year that Box was going to go public this year, and that perhaps Dropbox would as well, several sources are reporting that Box has filed for an initial public offering (IPO) using a relatively new procedure that lets the company keep it a secret.
Both companies provide cloud storage to individuals and corporations, though Box has tended to have more of a reputation for attracting the corporate market (such as its moves last year to make itself more appealing in the health market), while Dropbox has focused more on individuals and consumers. Both have also each had several rounds of fundraising that have had them competing for large valuations.
Box, for example, just raised $100 million last December, giving the company a total valuation of $2 billion. “Box has raised $409 million in venture capital, including $100 million in its Series F round in December from Telefonica Digital, DFJ Growth, Telstra, Mitsui & Co, and others,” writes Ken Yeung in The Next Web. “It’s believed that Box is valued at $1.2 billion based on 2012 venture rounds. It’s unclear about whether it’s a profitable company.”
Dropbox, for its part, has reportedly raised as much as $450 million, which would give the company a total valuation of nearly $10 billion, according to Silicon Valley Business Journal. Reuters also cited unnamed sources that the company intended to go public soon.
The downside with getting a big funding round is that eventually investors want to see some return on their investment — and typically that means either an IPO or an acquisition. Box CEO Aaron Levie told Bloomberg last year that since he didn’t want to sell the company, it would have to go public, and that he planned to do that this year. Each has been expected to go public at some point, though IDC predicted in late 2012 that Dropbox would be acquired in 2013, after spurning an $800 million acquisition offer from Apple early on. Dropbox has also had more negative press around the security and privacy of files on its system.
“Dropbox built up an impressive user base of about 200 million but most of those are consumers and small business owners. It only recently began trying to get a foothold in the medium and large enterprise markets where Box excels,” writes Silicon Valley Business Journal. “Levie concentrated early on the business market, and Box claims about 20 million users at about 180,000 businesses. That covers around 97 percent of the companies on the Fortune 500.”
Now, Quartz and the Wall Street Journal have each reported that Box has filed for an IPO. The 2012 Jumpstart Our Business Startups Act bill included a provision that allows companies deemed to be “emerging growth” — that is to say, with sales of less than $1 billion — to keep their IPO filing secret until 21 days before they go public. That enables a company to wait for an opportune time before going public — and doesn’t make the company look bad for just sitting around and never actually going public, writes the Journal. The move was also intended to make it more attractive for companies to go public rather than sell out. Financial analysts say that Twitter used the same method when it went public.
It isn’t clear when Box is actually going to go public, nor for how much, and in fact the company isn’t even confirming that it is — secret, remember? Certainly there will be a great deal of interest in its eventual valuation — currently estimated to be about $500 million — and all eyes will be on Dropbox to see if it follows suit — or, for that matter, whether it too has also already filed for a secret IPO and we just haven’t found out yet.
You might expect that a company that uses 27,134 of a thing might be a pretty fair judge of what makes those things good or bad. That’s what makes a recent series of blog posts by BackBlaze so interesting. Basically, adding to its side business of storage design, it now has a side business of storage hardware reviews.
As you may recall, the company’s MO, instead of using real real big storage, uses a whole whole lot of commodity storage devices hooked together into “pods,” with as much of the extraneous stuff stripped off as possible. This reduces costs and is more scalable than large storage systems that require forklift upgrades to be expandable. Companies such as Netflix, are using it as well, and several vendors have started selling storage systems based on the Backblaze designs. While the company occasionally has trouble finding commodity disk drives, in general the system it works pretty well.
While the reviews – three of them thus far, on expected drive lifetimes, drive reliability, and “Which hard drive should I buy?” – do have a weensy bit of a BackBlaze sales pitch in them, they’re also crammed full of good information, including charts and graphs.
“Why do we have the drives we have?” writes distinguished engineer Brian Beach. “Basically, we buy the least expensive drives that will work. When a new drive comes on the market that looks like it would work, and the price is good, we test a pod full and see how they perform. The new drives go through initial setup tests, a stress test, and then a couple weeks in production. (A couple of weeks is enough to fill the pod with data.) If things still look good, that drive goes on the buy list. When the price is right, we buy it.”
All in all, the review features 15 common models of hard drives, from vendors such as Hitachi, Western Digital, and Seagate. It doesn’t claim to be the be-all and end-all of storage hardware product reviews – simply ‘Of the ones we used, these were our results.’
And BackBlaze seems to do a pretty good job of tracking those results. “We have detailed day-by-day data about the drives in the Backblaze Storage Pods since mid-April of 2013,” writes Beach in his drive reliability blog post. “With 25,000 drives ranging in age from brand-new to over 4 years old, that’s enough data to slice the data in different ways and still get accurate failure rates. We have data that tracks every drive by serial number, which days it was running, and if/when it was replaced because it failed. We have logged 14719 drive-years on the consumer-grade drives in our Storage Pods, [and]
613 drives that failed and were replaced.”
In addition to the reviews themselves, BackBlaze allows people to comment on them, so there’s all sorts of hard-core storage wankery to read, if you’re into that sort of thing. (If you’re really into that kind of thing, check out the Slashdot writeup and those comments.)
Needless to say, some of the computer magazines and websites whose bread-and-butter is product reviews aren’t quite sure what to make of this. Naturally, the BackBlaze data – whether you agree with it or not – is way cool to any reviews nerd, but somebody who has 27,000 disk drives in their shop and full statistics on them can have a little more credibility than someone who’s testing a single device.
“We chronicle Backblaze’s failed attempt to provide credible HDD reliability data,” writes Paul Alcorn in TweakTown, who goes on to criticize the event as a publicity stunt and to pick at its methodology. “Read on to find out why you should pay no attention at all.”
“I wasn’t impressed last week when I saw Brian Beach’s blog on what disk drive to buy,” concurs Henry Newman in enterprisestorageforum.com, who criticized the blog post because it didn’t account for the different levels of I/O the drives might be experiencing. “I wasn’t impressed due to the lack of intellectual rigor in the analysis of the data he presented. In my opinion, clearly Beach has something else going on or lacks understanding of how disk drives and the disk drive market work.”
Others defended the BackBlaze blog post. “I understand a test engineer’s desire for controlled environments and workloads for testing,” counters Robin Harris in ZDNet, criticizing the TweakTown critique. “But that isn’t the real world: some drives are busier; some have higher ambient temps; some come from a bad run; or get banged around in shipment.” He goes on to say, “So yes, as a consumer, I would look at Backblaze’s results. If I were upgrading my arrays tomorrow, I’d make an extra effort to buy Hitachi per the Backblaze experience. What they found squares with what I’ve heard from insiders over the last 10 years.”
Information like this, from mega users, could certainly revamp the entire testing industry. (Similarly, the company took it upon itself to declare in November that the Thailand-flood-caused drive shortage was over, based on what it saw for its purchasing.) Consumer Reports, with its emphasis on real-world testing, has to be paying attention too. And as content marketing, it couldn’t be beat.
Now, what would be interesting is if some of the other companies that work by using huge quantities of commodity devices – such as Google or Facebook – followed suit with their information. Facebook is already revealing what it’s learned about server and storage design; it wouldn’t be much of a stretch for it to do reviews of them like BackBlaze is doing.
(It turns out that this is a point Harris also made. “But rather than bash Backblaze for giving consumers the benefit of their experience, TweakTown should be asking, as I do, for other major drive users to come clean,” he writes. “I’m looking at you, Google, Amazon and Microsoft.”)
Of course, so could the NSA, but they aren’t talking.
Disclaimer: I am a BackBlaze customer.
In the tv show the West Wing, there’s an episode in the first season called “Take Out the Trash Day,” where Josh explains to Donna that in White House parlance, “take out the trash day” refers to the practice of releasing potentially embarrassing news stories at a time when people aren’t likely to see them.
On December 31, the Federal Judicial Court took out an epic piece of trash.
As you may recall, the Department of Homeland Security (DHS) announced in August, 2009, a policy regarding searches of computers at the border. As you may also recall, U.S. Customs and Border Protection has jurisdiction to enforce laws within 100 miles of the border. And while 100 miles of the border doesn’t sound like much, you may also recall that, according to the American Civil Liberties Union (ACLU), as of 2006, more than two-thirds of the U.S. population lived within 100 miles of the border. All together, it meant that anyone in that area with a laptop could have that laptop seized without a warrant, at any time, taken to a lab anywhere in the U.S., have its data copied, and searched for as long as Customs deemed necessary.
All caught up now?
In 2010, the National Association of Criminal Defense Lawyers (NACDL), the American Civil Liberties Union (ACLU), the National Press Photographers Association (NPPA), and the New York Civil Liberties Union (NYCLU) filed a lawsuit against this policy, saying it amounted to unreasonable search and seizure, particularly in the case of attorneys who might have information under attorney-client privilege or journalists who might have off-the-record information.
On December 31, Judge Edward R. Korman of the Federal District Court for the Eastern District of New York dismissed the lawsuit, saying, essentially, that it just doesn’t happen all that much (“10 in a million,” according to him, 6,500 between 2008 and 2010 according to the ACLU), the government needs to be able to search laptops to protect the country, and what are people doing taking such secure information out of the country anyway?
“While it is true that laptops may make overseas work more convenient,” Korman wrote in the decision, “the precautions plaintiffs may choose to take to ‘mitigate’ the alleged harm associated with the remote possibility of a border search are simply among the many inconveniences associated with international travel.” He also noted, “[I]t would be foolish, if not irresponsible, for plaintiffs to store truly private or confidential information on electronic devices that are carried and used overseas.”
As it happens, in March, the Ninth Circuit Court reached a somewhat different verdict on a similar case, United States vs. Cotterman, finding that government agents must have reasonable suspicion before engaging in a forensic search, which is a more detailed kind of electronic search — but which, as the Electronic Frontier Foundation pointed out, isn’t defined in the decision. In addition, that decision applies only to the Ninth Circuit.
Korman’s dismissal of the case means that in areas other than the Ninth Circuit, and for cases anywhere that are just a cursory search rather than a forensic search (for which probable cause is required), border agents are still authorized to conduct warrantless searches of electronic devices that store data. That’s not just laptops, but also other devices such as smartphones and electronic cameras. (States covered by the Ninth Circuit include California, Washington, Oregon, Idaho, Montana, Nevada, Arizona, Alaska and Hawaii, according to the New York Times.)
In June, in response to a Freedom of Information Act request filed by the ACLU, the DHS released its December 2011 Civil Rights/Civil Liberties Impact Assessment, which is what explained why the agency felt it needed the right to search people’s electronic devices without a warrant. According to that report, revealing the suspicion could be a matter of national security. In addition, the report continued, it would mean that agents couldn’t act on “hunches,” an opinion that the ACLU criticized. “As the Supreme Court explained in Terry v. Ohio, if law enforcement agents are allowed to intrude upon people’s rights ‘based on nothing more substantial than inarticulate hunches,’ then ‘the protections of the Fourth Amendment would evaporate, and the people would be “secure in their persons, houses, papers and effects,” only in the discretion of the [government],'” the ACLU wrote.
Politifact, in examining the case, pointed out that border searches have been legal for hundreds of years, and that the only difference now is that we’re talking about electronic devices that could have a great deal of data on them.
The ACLU and NPPA are considering whether to appeal Judge Korman’s decision — which could go as far as the Supreme Court.
While one can say, okay, fine, I’ll just encrypt my laptop, keep in mind that case law regarding encryption and whether a person can be compelled to produce the password is far from clear, with a total of half a dozen or so cases that are split pretty evenly. That decision, too, is expected to eventually reach the Supreme Court.
Earlier this month, a couple of guys released a free app for the iPhone that they billed as “Snapchat for business.” The app, Confide, is intended to send messages secretly, doesn’t allow people to read over your shoulder or let you take a screenshot, and deletes the messages after they’re read. Moreover, the company uses end-to-end encryption, meaning it can’t read the messages, either, and the messages are never stored on the company’s servers. (Here’s a very detailed description of how it works and looks.)
So what’s wrong with that?
One use case, writes Business Insider, is the recent incident with Gov. Chris Christie in N.J., who’s accused of having his staff shut down part of a bridge as political payback, and where the staff had email messages incriminating them in this. “Now, if Christie’s aide had used Confide, this wouldn’t be happening,” Jay Yarow writes brightly.
And he thinks this is a good thing?
We’ve certainly seen many examples of government officials erasing messages, using personal email addresses, and otherwise trying to evade proper oversight by the people. If government officials could send email without fear that the messages could be retrieved later, what do we think could happen?
It’s not just in government that this app should scare us. It’s with corporations as well. Numerous legal cases, such as Apple-Samsung, have hinged on incriminating email messages. Moreover, there’s all sorts of regulatory, audit, and accountability issues that could be evaded with this app, writes Bloomberg Business Week.
“Companies face heavy regulatory pressure to preserve—not destroy—business e-mails, financial records, and other documents,” writes Sarah Frier, noting that Barclays was recently fined $3.75 million for failing to retain electronic documents. “If employees are discussing critical information or creating financial records, those probably need to be retained, says Scott Whitney, vice president of product management at social media compliance consultancy Actiance,” she adds.
What do the Confide developers say about the notion of it being used for nefarious purposes? “As for the possibility that professionals could use Confide to skirt legal duties (such as by-laws that require them to preserve corporate communications),” developer Jon Brod handwaved to GigaOm, “the app is simply a platform and that it would be up to individuals to comply with their obligations.”
Okay, here’s a new way to use memory sticks to spread malware — though to be fair, at least this method doesn’t rely on people being stupid enough to pick up strange thumb drives and stick them in their computers.
In a story that has “Law and Order — ripped from the headlines!” all over it, according to the BBC some bad guys in Germany figured out how to cut holes in an ATM, reach in with a thumb drive running a program, and plug it into the ATM’s USB port, upload the program, remove the thumb drive, plug the hole back up, and then use the program uploaded from the thumb drive, with a 12-digit PIN, to tell the ATM to empty its cash drawer. To show the care with which the bad guys wrote the program, it let them pick the biggest bills first, and it required a code from one of the other bad guys, to ensure that none of the bad guys went rogue and started going freelance. When the machine was empty, it would go back to its usual interface, reported the International Business Times.
Presumably the bad guys show up at night, when there aren’t employees around to hear the sound of dozens of bills going whfft-whfft-whfft out the ATM at once.
Because of the knowledge required to cut into the ATM at the right place, write the program, and plug in the thumb drive (ATMs have USB ports? Who knew? What for?), it’s thought to be an inside job, because they displayed “profound knowledge of the target ATMs.” You think?
Presumably the little program shuts down the ATM’s camera as well, because these bad guys haven’t been caught yet. In fact, we’re not really sure this is exactly how the thing works; the unnamed European bank where this is happening asked for help when ATMs’ cash drawers kept turning up empty, and this is conjecture from investigators. They did discover the little program is called hack.bat, which apparently was a Clue. The program has been found on four ATMs thus far.
Researchers — who asked to remain anonymous — revealed the system in a talk at the Chaos Computing Conference in Hamburg, Germany. (They may be anonymous, but they’re readily visible in the recording, and one of them is female, so it shouldn’t be that hard to figure out who they are.)
We’ve written before about the importance of securing USB ports to keep people from, deliberately or not, using them to download data or infect systems with malware, but using them to zombiefy an ATM is a new one. One presumes that ATM manufacturers will quickly be coming up with ways to secure the USB port. If nothing else, they could spend 75 cents and plug something into them so they’re less accessible. Setting up security cameras that aren’t controlled by the ATM is probably on the list as well.
Interestingly, the ATMs in question run Windows XP — yes, the same one that’s supposed to stop being supported as of April 8. It’s previously been said that the unsupported Windows XP could end up harboring all sorts of viruses after that date, which some people chalked up to Fear, Uncertainty and Doubt sowed by Microsoft to get people to migrate. But the notion of viruses targeting ATMs and teaching them to spew out money is an interesting one.
Naturally, the story is charming hackers of all stripes who are busily exchanging war stories about the insecurity of ATMs — models of which are readily available on eBay for convenient home research.
This raises the question of what other things these days have USB ports in in them, or run Windows XP, that could be exploited. Video poker machines? Candy and cigarette machines? Medical equipment?
Incidentally, security researcher Barnaby Jack, scheduled to give a talk earlier this year on hacking implanted medical equipment — who mysteriously died of unrevealed causes days before his presentation, though Reuters said law enforcement had ruled out foul play — presented at Black Hat in 2010 on exactly how to break into an ATM, including how he used social engineering to gain valuable information about the ATM.
Typically this blog focuses on the intricacies of preserving data, including backups and disaster recovery. However, this time we’re going to talk about destroying it — or, in other words, blowing *&(*&(& up.
The topic has been alluded to before, most recently in the context of the guy who threw a disk drive away and then was trying to figure out a way to find it in the landfill so he could retrieve the up to $7.5 million in Bitcoin from it. It was noted at the time that he could have had a problem with simply throwing away a disk drive in the first place, as the data was still accessible and could have been used for nefarious purposes had it been found, regardless of how much Bitcoin might be on it, and that people getting rid of PCs in the near future might want to be particularly careful because people might be cruising dumps for similar largesse.
This also being the end of the year, typically the end of the budget year when companies buy new equipment, and people get new electronic gadgets for Christmas — particularly for organizations with BYOD policies — means it’s a good time to discuss the proper method of disposing of the old stuff.
A survey last year from Fiberlink, conducted by Harris Interactive, showed the extent of the problem in connection with replaced BYOD devices. “Only 16% had the data professionally wiped from the old device and only 5% had the device securely destroyed,” the report noted. “The majority of respondents, 58%, said they kept the old device, although it remained inactive; 13% turned it over to their service provider; 11% said they donated the device, simply gave it away or threw it in the trash; and 9% did something else with their previous device.”
While there are a number of entertaining ways to destroy disk drives — melting them in acid, setting them on fire with thermite, taking them out to the desert and shooting them (popular here in Idaho) — a number of these methods are apparently not only dangerous but won’t necessarily destroy data on the drives. (Note, for example, that though Adam Lanza reportedly destroyed the hard drives on his computer before his Newton, Conn., shooting rampage, the final report includes information from his computer.)
So how do you get rid of the darn thing?
- Cornell University recommends that disks that will be reused be rewritten three times, following DoD standards, and that disks that are too decrepit to follow this procedure should be physically destroyed by methods such as drilling, hammering, or crushing. “Destroying the logic section of the drive without damaging the platters is insufficient and not recommended,” it cautions.
- In a very thorough 2010 article, Andrew Kelleher, president of Security Engineered Machinery (SEM), a direct supplier of high-security information destruction equipment, recommends a “belt and suspenders” system using at least two methods, such as degaussing the drive with a strong magnet and then shredding it. He also has a lot of contempt for some of the more fanciful methods of disk destruction. “Many so-called methods of destruction border on the insane and unsafe, not to mention the unreliable,” he writes. “Yes, some might be feasible if you have one or two hard drives to dispose of, but even those could pose huge liability risks when done for an employer. If you have time to waste, gloves on your hands, and safety goggles on your eyes, some of these methods might even work. But businesses that have to deal with liability, workplace safety, and the disposal of multiple hard drives should have a problem with these methods, not to mention they are just crazy dangerous! Besides, even if carried out as recommended, most of these measures are far less than 100% effective.”
- Remember to destroy SD cards, SIM cards, and other accoutrements, notes Dark Reading’s Kelly Jackson Higgins.
- Specifically for old ZIP disks, take them apart and run them through the shredder.
Fun as it might be, though, this really isn’t a situation for testing out the new Christmas Glock 9mm. Sorry. Christmas thermite, on the other hand…
Thoughts and prayers with the people of Washington, DC today as they deal with 2-3 inches of snow. Just know that you are in our hearts.
— pourmecoffee (@pourmecoffee) December 10, 2013
Joking aside — yes, admittedly places like Washington, D.C. don’t tend to have snowplows, salt, or people who grew up driving in snow — it’s not a bad idea to have snow on your disaster preparation list just like you would any other sort of emergency, even if you live in an area that doesn’t typically get snow.
In fact, it’s probably even more important to have a snow plan ready if you live in an area that doesn’t typically get snow. If you typically get snow, then the municipality and employees know how to deal with it and drivers have had a bag of kitty litter in the trunk since October.
The federal government has actually been leading the way on offering employees a telework option on snow days, ever since it was shut down for five days in 2010 due to snow. In some ways, it’s actually kind of a bummer for the employee because instead of having the snow day off, they have to work, because they can now work at home. But for the organization or agency, it’s an improvement.
“The federal government, in fact, was one of the early pioneers of telework, with the first push coming during the bird flu pandemic scare in the early 2000s, and the biggest push after the massive 2009-2010 snow storms, dubbed Snowmageddon, that shuttered the federal government for days and led to the Telework Enhancement Act of 2010,” writes the Washington Post earlier this month, the day after the entire federal government shut down due to snow. According to the Office of Personnel Management, the new program now saves the government up to $30 million per day, the Post reports.
The OPM announces early in the morning whether the federal government will be shut down or open later due to bad weather, and gives a time that teleworking employees must be either working or taking time off.
Though the telework program was originally set up for bad weather, employees are now taking advantage of it all the time in some agencies. Up to one-third of the U.S. Department of Agriculture teleworks at any one time, the Post writes.
What do you need to do for your employees to be able to telework during snow days or other inclement weather? Employees will need a computer at home — do they need to provide it, or will the company provide it? They’re also need an Internet connection — again, decide ahead of time who’ll pay for this perk — and whatever sort of security you deem appropriate for a remote worker, such as a virtual private network.
The most important thing is to test the setup ahead of time. 7:45 am on a snowy morning isn’t the time to find out whether the telework setup works — if only because the IT people might be stuck at home, too.