Yottabytes: Storage and Disaster Recovery

May 14, 2019  9:20 AM

The Strange Case of Seattle University’s ‘Lost’ Laptop

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
privacy, Security

There’s been another case of Companies Behaving Badly with customer data: In this particular case, Seattle University’s “lost” laptop.

“On March 28, 2019, Seattle University was informed by an employee that an unencrypted university-issued laptop was lost while the employee was commuting on a bus on March 26, 2019,” noted the university in its report, entitled Data Security Incident.

There’s several things to unpack in that sentence.

How do you “lose” a laptop on a bus? I can understand “I *left* a laptop on a bus” or “My laptop was stolen on a bus” but how do you lose one?

(In general, that whole sentence is a lovely example of the passive voice being used to remove agency from someone. What’s wrong with “An employee told Seattle University that they had left a laptop on a bus”?)

If the employee “lost” the laptop on March 26, why did it take until March 28 before the employee reported it? It’s not like it was over a weekend; we’re talking a Tuesday and a Thursday.

Let’s move on.

“After learning of the situation, the university immediately began an investigation led by Information Technology Services and has been able to confirm there were files on the laptop that contained the names and Social Security numbers of 2,102 current and former faculty, staff, and their dependents. Although no files with sensitive data were saved directly to the local hard drive, an offline email cache file on the laptop contained attachments with personal information.  The main file of concern was the result of an isolated incident in which an outside vendor emailed the file in error.”

How do they know this? How can they tell what’s on the laptop?

What is an “offline email cache file” and how do they know what’s in it?

Why is an outside vendor emailing unencrypted personally identifiable information (PII) to an employee in the first place, accidentally or not?

How does a vendor accidentally email a file with more than 2000 records of PII?

What was special about these more than 2000 people that they were on a list?

Is Seattle University still using that vendor?

How long ago did the vendor email that file? In other words, how long has this unencrypted PII been sitting in the employee’s laptop?

And more.

“The university recently hired a Director of Cybersecurity and Risk who has been actively involved in leading the efforts to investigate this incident.  In addition, we are redoubling our efforts to encrypt data on all university-managed laptops.”

To what degree was that hiring in response to this incident? Or was this incident simply a great example of why that person needed to be hired? What else has happened that led to that person being hired?

What efforts had the university already made to encrypt data on all university-managed laptops? What was keeping those efforts from working? What does “redoubling” consist of in this case?

Both the Seattle Times and the Associated Press have done articles on the incident, but the articles are simply rewrites of the security notice and don’t provide any additional information.

This isn’t the first time such incidents have happened with Washington universities; the Seattle Times noted that both Washington State University and the University of Washington have had similar incidents.

April 30, 2019  10:56 PM

Mass Media Discovers Google Location Database

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Database, privacy, Security

Privacy advocates are getting up in arms about law enforcement asking Google for location data, and something might actually get done about it – but perhaps not the best thing.

Basically, law enforcement people investigating a crime ask Google for location data of cellphones near the crime, and Google provides them anonymized data. If some of the data looks particularly interesting, such as matching up very closely with the crime, law enforcement then gets a warrant and Google provides the identity of the phone in question.

If this sounds familiar, it’s because people have actually been talking about it for awhile. The difference? Now the New York Times is reporting on it.

That’s getting people’s attention.

“The leaders of the House Energy and Commerce Committee sent Google a list of questions Tuesday concerning a database maintained by the internet giant that tracks hundreds of millions of users’ locations and that is reportedly shared often with local, state and federal law enforcement agencies,” writes Benjamin Freed in StateScoop.  ““The potential ramifications for consumer privacy are far reaching and concerning when examining the purposes for the Sensorvault database and how precise location information could be shared with third parties,” reads the letter to Google CEO Sundar Pichai,” he writes.

Wait. Congress is blaming Google for this?

One could say, sure, of course it’s Google’s fault, because if the data weren’t there, law enforcement wouldn’t ask for it.

On the other hand, having that data can be handy for all sorts of legitimate reasons. It can be useful to see where one has gone over time. There are mileage trackers for expense reports and fitness, for example, that take advantage of location data.

Oddly, Congress doesn’t seem to be doing anything about, say, restricting law enforcement’s ability to gain access to this data. Maybe I’m weird, but it seems to me that that’s the path they should be going down.

Cellphone location data has been a big deal lately, with cases such as Carpenter limiting the sort of data that law enforcement can get from cell towers, which store location information from phones on a regular basis even if the phone isn’t being used (and even, apparently, if you turn location data off). The courts haven’t quite caught up to this particular issue yet, and to the extent that this has been litigated, thus far courts have ruled that “location dumps” are acceptable.

Consequently, Congress actually has the right – indeed, the duty – to write legislation to control the use of such data, once it’s collected.

But that doesn’t seem to be where Congress is going with this. It’s as if Congress discovered that people carrying large amounts of money could get robbed, but instead of making robbery the crime, they make carrying large amounts of money the crime.

And, of course, there are advantages to this line of thinking, if you can get people to go along with it. If you’re worried about people having too much control over their own destiny, limiting the amount of money they can carry — so they can’t easily leave the country without detection, for example — is an easy way to do it. All you have to do is convince the general public that only bad people — like crooks or drug dealers — would carry that much money, and people who don’t see reasons to carry that much money themselves will go along with it.

Tried to deposit or withdraw more than $10,000 in cash lately?

Similarly, people who don’t see why such location data has a legitimate purpose may easily be convinced that there’s something nefarious about the very collection and possession of that data. And if, for example, such data could be declared a public record when it’s about a public official, and if public officials don’t want such data about themselves made public. an easy way to prevent that is to stop the collection of that data in the first place.

If Congress is actually concerned about the nefarious use of such data, then let’s see them fix that problem instead. Update computer privacy laws that date from the 1980s. Ensure that people know that location data is being collected, and give them better tools to stop collecting it, check it, encrypt it, and delete it. Limit the ability of third parties — including law enforcement — to gain access to that data without the person’s permission. But don’t blame the data for the use that people are making of it.


April 26, 2019  8:36 AM

Remember the USB That Sets Computers on Fire? Somebody Used One. 66 Times.

Sharon Fisher Sharon Fisher Profile: Sharon Fisher

Longtime readers may remember a piece from 2015 about a USB drive that could hypothetically set a computer, or whatever else it was plugged into, on fire. At the very least, it could zap it dead. It turns out that there’s now a guy who just did that to 66 devices at his alma mater, which was not someplace in Silicon Valley but an Albany-based former Catholic school for girls.

The alleged culprit is said to be Vishwanath Akuthota, who graduated from the school in 2017 with a master’s in business administration, as well as a certificate in Computer Information Systems.

What’s kind of funny about the whole situation is that the guy was known. The College of St. Rose, where the incident allegedly occurred – on Valentine’s Day – still has an interview with the guy on its Facebook page, dating from 2016, when he was a graduate assistant in the music department.

Needless to say, the comments are interesting.

Akuthota also participated in GitHub starting in September, 2017, and that activity – culminating in 34 commits in January and 16 commits in February – abruptly stopped after that, which isn’t terribly surprising, as he was arrested on February 22.

Akuthota ‘s LinkedIn profile, however, has been taken down, though, as has his Facebook page.

His future goal, Akuthota said on Facebook at the time, was to be an entrepreneur, and one can imagine he’s rather kicked that plan into a cocked hat. But he did have a listing on AngelList, which is sort of a Monster.com for startups, where he said he was an application developer for the New York State Office of Information Technology Services, working on IBM’s Watson artificial intelligence system. “I want to contribute for the 4th industrial revolution with artificial intelligence. let’s make it great,” read his bio. As his achievements, he lists “I’ve lunched world’s first talking interface for the chatbot. I’ve lunched New York states first chatbot with in 4 days.”

Okay. So let’s hear how he lunched 66 devices.

“Akuthota admitted that on February 14, 2019, he inserted a ‘USB Killer’ device into 66 computers, as well as numerous computer monitors and computer-enhanced podiums, owned by the college in Albany,” reports the U.S. Attorney’s Office from the Northern District of New York. “The ‘USB Killer’ device, when inserted into a computer’s USB port, sends a command causing the computer’s on-board capacitors to rapidly charge and then discharge repeatedly, thereby overloading and physically destroying the computer’s USB port and electrical system.

“Akuthota admitted that he intentionally destroyed the computers, and recorded himself doing so using his iPhone, including making statements such as ‘I’m going to kill this guy’ before inserting the USB Killer into a computer’s USB port.  Akuthota also admitted that his actions caused $58,471 in damage, and has agreed to pay restitution in that amount to the College.”

How Akuthota’s going to earn that money isn’t clear. One might imagine that a computer career is not in the cards.

Akuthota pled guilty on a single count of causing damage to computers, and is scheduled to be sentenced on August 12, where he faces up to 10 years in prison, a fine of up to $250,000, and a term of post-imprisonment supervised release of up to 3 years.

There are still a number of remaining questions. The office noted that Akuthota is a citizen of India, residing in the United States on a student visa.  He has been in custody since he was arrested in North Carolina on February 22. Will he be deported? If so, before or after he serves his time and pays restitution? If he graduated in 2017, why was he still in the U.S. on a student visa in the first place? How did he come to be in North Carolina? What led him to do it?

Most notably, how could he do it? “The defendant did not have, and knew he did not have, permission from the College to insert the ‘USB Killer’ device into any of the College’s computer hardware or otherwise ‘kill’ the College’s computer hardware,” notes the plea agreement, just in case that was in question.

Does St. Rose typically let people who haven’t been in the school for two years come in and mess around with the computers unsupervised?

Hopefully they don’t now.








April 22, 2019  9:00 AM

Virginia Court Throws Out License Plate Readers Data Collection

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
government, privacy, Security

As you may recall, police departments and other organizations have been loading up on automated license plate readers that help them track automobile locations, and even selling the data. Now, at least one judge, in Fairfax County, Virginia, has told them they can’t do that.

“The ruling by Fairfax Circuit Court Judge Robert J. Smith is a victory for privacy rights advocates who argued that the police could track a person’s movements by compiling the times and exact locations of a car anytime its plate was captured by a license plate reader,” writes Tom Jackman in the Washington Post. “Police say they can, and have, used license plate location data to find dangerous criminals and missing persons. Privacy advocates don’t oppose the use of the technology during an active investigation, but they say that maintaining a database of license plate locations for months or years provides too much opportunity for abuse by the police.”

This has actually been an ongoing legal case. Originally, Smith had thrown the case out of court, saying that the data didn’t meet the statutory definition of “personal information” under Virginia’s “Data Act.” However, that ruling was overturned last year by the Virginia Supreme Court, which then sent the case back to him because it wasn’t sure whether the database met the statutory definition of “information system” under that same data act. Smith’s ruling is that it does.

Consequently, though the ruling technically applies only to Fairfax County, it’s likely that other Virginia counties also using license plate readers could also be stopped. The Fairfax County police chief has said he will appeal the ruling, and state legislators – who tried to pass a law limiting the collection of such data, which was vetoed by the governor – said bring it on. “Va. Sen. Chap Petersen (D-Fairfax), one of the founders of the privacy caucus and a sponsor of the failed legislation, told Jackman he was “very glad to see this ruling. I hope that Fairfax County appeals it to the Supreme Court so it can become a statewide ruling.”

Fairfax County Police, which had been storing data for up to a year, will be required daily to purge its database of license-plate reader data that isn’t linked to a criminal investigation and stop using license plate readers to passively collect data on people who aren’t suspected of criminal activity, writes the Electronic Frontier Foundation, which with the Brennan Center for Justice wrote an amicus brief to support the case, which was brought by the American Civil Liberties Union of Virginia.

“Often mounted on police vehicles or attached to fixed structures like street lights and bridges, ALPR systems comprise high-speed cameras connected to computers that photograph every license plate that passes,” the EFF writes. “The systems then log, associate, and store the time, date, and location a particular car was encountered. This allows police to identify and record the locations of vehicles in real-time and correlate where those vehicles have been in the past. Using this information, police are able to establish driving patterns for individual cars. Some ALPR systems are capable of scanning up to 1,600 plates per minute, capturing the plate numbers of millions of innocent, law-abiding drivers who aren’t under any kind of investigation and just living their daily lives.”

In fact, the Fairfax County system could scan up to 3,600 plates per minute, according to the Fairfax County Times.

The result was a gigantic database of people’s locations, including information that could be used for political purposes. “The state of Virginia knows the plate number of every vehicle that crossed a Potomac River bridge from Virginia into the District of Columbia on the day of the first Obama inauguration,” writes Clifford Atiyeh in Car and Driver, which isn’t where one often expects to find privacy information. “It also has the plate of every vehicle that showed up at the site of a Sarah Palin rally in a D.C. suburb. In fact, as of 2013, it had eight million license plates scanned and saved in a database. At our last count, there were three billion license-plate data points across the country, in states with little or no data privacy protections for drivers who’ve done no crime but drive.”

Similarly, the ACLU has disclosed that the federal Immigration and Customs Enforcement agency was tapping into a national database of police and private license plate readers, Jackman adds.

While 16 states have some sort of regulation on license plate reader data, the remaining 34 do not, Atiyeh writes.

Fox 5 DC pointed out a variety of cases where license plate readers had helped catch criminals, but that’s not exactly the point. There’s any number of techniques that can be used to help catch criminals, if you don’t care about protecting people’s privacy.

April 16, 2019  9:09 AM

Dear Secret Service: Don’t Poke USB Sticks in Things

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
government, Security

The Secret Service is scrambling to prove that its agents are, too, competent and know better than to poke USB sticks in things.

As you probably know, a Chinese woman was caught at President Donald Trump’s Mar-a-Lago resort with four cellphones, nine thumb drives, a laptop and an external hard drive, as well as multiple passports and so on. In the initial reportage of this, there was a throwaway line about the Secret Service discovering that the USB stick had malware –not just malware, but “malicious malware,” because that’s worse — by putting it in one of their computers and then yanking it out again.

Because that always works.

“Secret Service agent Samuel Ivanovich, who interviewed Zhang on the day of her arrest, testified at the hearing,” wrote the Miami Herald. “He stated that when another agent put Zhang’s thumb drive into his computer, it immediately began to install files, a ‘very out-of-the-ordinary’ event that he had never seen happen before during this kind of analysis. The agent had to immediately stop the analysis to halt any further corruption of his computer, Ivanovich testified.”

Predictably, the Internet had kittens about how insecure that was and didn’t the Secret Service know better than to poke strange USB sticks in things?

At this point, the Secret Service started protesting. No, no, no, the Secret Service guy didn’t put the USB stick in his own laptop! He knows better than that! He meant to do that! It was a separate laptop with nothing in it and not hooked up to the Internet!

“A law enforcement source tells me that investigation was conducted according to protocol: A Secret Service agent loaded the drive onto a stand-alone computer that was segregated from government networks and watched as it did what malware is supposed to do — infect files and try to steal information,” writes Joseph Marks in the Washington Post.

Okay, says the security community. If that’s the case, and he did it on purpose, then why did he yank it out again, as if in a panic? Why didn’t he leave it in to finish seeing what the malware would do?

“In a lab, you want that malicious behavior to happen to its full level of badness so you can study how it operates,” Jake Williams, founder of the cybersecurity company Rendition Infosec, told Marks. “If he yanked the USB drive out to prevent further contamination, that’s highly indicative this wasn’t in a lab.”

There hasn’t been an answer to that one. “The Secret Service declined to comment about the disconnect between the agent’s actions and what cybersecurity experts described as standard procedure when investigating malware, citing the ongoing investigation,” Marks writes.

Incidentally, the head of the Secret Service, Randolph Alles, has lost his job, but we’re told that that was happening anyway and wasn’t related to this. “Alles was asked to plan his departure prior to Zhang’s arrest, two people familiar with the matter said,” writes Fortune. Oh, good. That’s reassuring.

It should really go without saying at this point: Don’t poke strange USB sticks in things.

March 31, 2019  10:48 AM

Could This be the End of World Backup Day?

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Backup, Storage

Could it be? Is World Backup Day actually dead?

I had speculated on this last year, noting that the site’s Facebook and Twitter pages hadn’t been updated in a year, and the text on the site’s web page had no specific dates on it. This year, not only are the Facebook and Twitter pages still not updated, but I got a timeout connection on the page.

Though, at least, it wasn’t a 404, “this site is for sale,” or a porn site using the same address. Thank goodness for small favors.

But on today of all days!

As you may recall, World Backup Day started in 2011 as a way to encourage people to back up their data, with the thought that they would be protected from any sort of problem based on April Fool’s Day. Each year, it was a fairly reliable source of tips and tricks, sales on storage equipment, and somewhat dubious statistics. Not to mention World Backup Day t-shirts. And to think that we’ll never again hear the Backing Up song. Sigh.

What a switch from the heady days of 2017, when the New York Times actually covered the event. This year, at least we have Fox News in St. Louis to help out.

It’s not terribly surprising. In 2012, 4500 people pledged to do backups. By 2013, it was down to 1800 people, though it did spring up to more than 2800 in 2015. But not long after that, it seemed that World Backup Day wasn’t even saying anymore how many people had taken the World Backup Day pledge.

Fortunately, several vendors are filling in the breach, as it were. And they offer a variety of advice, ranging from “Use flash!” to “Use cloud!” to “Use hybrid!”

The operative part is, use *something*. Dubious as the statistics may be, in this day and age of big data, losing data tends to be bad, and expensive, and keeping data tends to be good. And while of course their goal is to encourage you to use *their* products, the basic recommendations they offer are valid for any backup solution.

Backup up data regularly, and making sure that your backups work and can actually be used for recovery, is also important. Backing up your data once a year on World Backup Day probably doesn’t help much. To be particularly safe, have an offsite backup as well.

If you haven’t developed a backup strategy by now, this is a good time to do it, because a number of vendors in the market are having sales, whether it’s on backup services, hard disk drives, or SD cards.

And you can always remember the World Backup Day pledge: “I solemnly swear to backup my important documents and precious memories on March 31st. I will also tell my friends and family about World Backup Day – friends don’t let friends go without a backup.”

Maybe that explains what happened to the site: It got hacked and they didn’t do backups.

March 28, 2019  9:59 AM

Autonomy Civil Lawsuit Against CEO Mike Lynch Starts

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Autonomy, ediscovery

In what is sure to be the most exciting incident involving international accounting you’ll hear about all year, HP is suing Autonomy founder and CEO Mike Lynch for what it says is the way he deceived the U.S. company about the U.K. company’s profitability before its 2011 purchase.

As you may recall, the Autonomy-HP merger – officially the sixth-worst merger and acquisition of all time – HP chairman and CEO Leo Apotheker (who was fired later that year) paid $11.1 billion to acquire Autonomy, a European e-discovery company. By the following year, HP claimed that Autonomy had cooked its books to overvalue itself, wrote down the purchase a a $9 billion loss, and sold off the company’s remaining assets in 2016.

The companies have seemingly been in court ever since. They started with a shareholder lawsuit, which HP settled in 2015 for $100 million. Former Autonomy CFO, Sushovan Hussain, was found guilty in May on 16 counts of wire and securities fraud. HP also had a $5 billion civil suit scheduled to go to trial in London in 2019, a countersuit by former Autonomy CFO for $160 million, and an appeal by Hussain. Most recently, in November, actual criminal fraud charges were filed against Lynch, and were added to last week.

It’s the $5 billion civil suit that’s going on now. Basically, the arguments are the same as they ever were: HP says Autonomy pumped up its value, and Autonomy says that HP doesn’t understand British accounting and is trying to overcome its own incompetence at not successfully integrating the company.

But oh, the details.

“Robert Miles QC, representing Lynch, told the court that the US firm HP had taken an ‘aggressive approach designed to protect Meg Whitman [who took over as CEO after Apotheker] and others in HP.’ The case is an attempt to find someone to blame for HP’s business struggles,” writes Jasper Jolly in the Guardian.

That included contact with then prime minister, David Cameron, and letters to multiple coalition government cabinet members of the time, including chancellor George Osborne, business secretary Vince Cable and defense minister Philip Hammond, Jolly writes.

For its part, HP’s attorney Laurence Rabinowitz said that “Autonomy had engaged in “revenue-pumping” by encouraging customers to buy its products in exchange for buying goods from them that it did not need, restructuring deals to produce upfront license fees, and covertly selling pure hardware not even programmed with its software at a loss,” write Georgina Prodhan and Paul Sandle for Reuters.

Lynch’s lawyer countered that Lynch wouldn’t have done that because he had an executive position within HP. “The case that we’re now hearing being advanced entails that Dr Lynch must have been monumentally dim and, as you’ll see, there’s no chance that he is,” Prodhan and Sandle quote Miles as saying.

Professional soccer is even involved, because Autonomy sponsored the Tottenham Spurs and allegedly involved it in fraud. “Autonomy who sold software to Spurs for internal usage allegedly included a clause allowing the club to assign or share licence rights in the purchase order even though the firm knew that Spurs were not going to become a software licensor,” writes a website that follows the team. “The claimants further allege that Autonomy backdated a £3.9m-plus-VAT fee for providing Tottenham with software licences to June 2010, and that Spurs had ‘had no comprehension as to what they had purchased,’ with an agenda for a meeting in July 2010 between Autonomy and the club including ‘a look at/understanding of what we have purchased.’”

Other customers allegedly used in that way included the UK Ministry of Defense and the UK Serious Fraud Office – presumably the reason for the letters to UK government officials — Bank of America, and the BBC, according to the Irish Times.

And his emails. “On the first day of a civil trial in London, HP cited an email from Lynch to his senior management team about a contract with the U.S. Department of Veteran Affairs. He said: ‘If there is any problem I WANT TO KNOW ABOUT IT IN A F—ING MILLISECOND from all of you,’” writes Jonathan Browning in Bloomberg.

“Rabinowitz also referred to another email sent by Lynch to a sales representative in August 2010, which read: ‘You ever send me an email like this again AFTER the event and you are f****** toast, I swear if I could squeeze down a telephone line to California you would get to know directly how the f*** I feel about this,’” writes Stefan Boscia for the Daily Mail.

In another email, when Hussain was attempting to take leave, Lynch wrote to his finance chief: ‘Thank you for your threat to take five weeks off between now and the [year end]. Please do that and you will see the consequences … Sushovan I am sick of dealing with this shit from people … do what the fuck you like,’” writes Simon Goodley in the Guardian, which is brave enough to spell out the f-word.

Expect a lot more of this. The case is expected to last until the end of the year, and Lynch himself isn’t expected to testify until July, Prodhan and Sandle write. Not only that, but court hearings may last until 8 pm to accommodate the testimony of people in the U.S., such as former Autonomy CFO Sushovan Hussain, who was convicted of fraud associated with the case.

March 24, 2019  5:07 PM

Fun Hacking Salvaged Data Storage

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
privacy, Security, Storage

Every few years, someone hits the papers—or, in this day and age, the Internet – by going out to eBay or Craigslist, buying a bunch of old computers, and checking out what data is still available on them.

This year, it was Josh Frantz, a senior security consultant for Rapid7, a security firm, and who writes a blog post every couple of months for them.

Instead of hitting up eBay and Craigslist, Frantz did it by simply going around to all the refurbished computer dealers in his Wisconsin town – 31 of them, he reports – and buying up whatever equipment they had that included storage. That consisted of 41 computers, 27 removable storage media, 11 hard disks, and 6 cell phones, for a total of $600.

Then Frantz developed or obtained software that systematically went through each one – helpfully providing the links so other people wishing to duplicate his feat could do the same.

“Whenever I brought a computer back, I booted it up to see whether it was bootable and whether it required a password to log in,” Frantz writes. ”I wrote a script in PowerShell that would run through and index all the images, documents, saved emails, and conversation histories through instant messengers. It would then zip it up nice and organized on the desktop, and I would pull it off with a USB drive (I know, you were expecting something much fancier).”

(Frantz is a funny guy. According to his LinkedIn profile, he just recently was promoted to senior security consultant, from security consultant. “I do the same thing as before, but this title makes me feel older,” his profile notes.)

Finally, Frantz wrote up the results. Altogether, the process took him six months.

Frantz’  operative point was to demonstrate that such companies, despite their promises, don’t always wipe storage the way that some of them claim. In fact, of the 85 devices, only two of them were properly wiped, and only three were encrypted, he writes. He did end up having to spring for $50 in chargers from eBay to charge the old cell phones, he notes.

(Interestingly, his blog post was apparently originally called “Exfiltrating Remaining Private Information from Donated Devices,” but as published, it was called “Buy One Device, Get Data Free: Private Information Remains on Donated Tech.”)

For the flash drives and other memory cards, Frantz plugged them in. It would have been ironic if one of them had been infested with malware, which could turn this into another treatise on “Don’t Poke USB Sticks in Things,” but if that happened, he didn’t say so.

Having downloaded the data, Frantz then wrote other programs to look for useful kinds of data. “I used pyocr to try to identify Social Security numbers, dates of birth, credit card numbers, and phone numbers on images and PDFs,” he writes. “I then used PowerShell to go through all documents, emails, and text files for the same information. You can find the regular expressions I used to identify the personal information here. Despite the fact that OCR is not 100% accurate and there could have been data I couldn’t extract from images by themselves or within PDFs, I can verify that the regular expressions used for Social Security numbers, credit cards, dates of birth, and driver’s license numbers were fairly comprehensive.”

Altogether, Frantz found more than 200,000 images, 3,000 documents, and almost 150,000 email messages on the storage devices. That included 611 email addresses, 50 dates of birth, 41 Social Security numbers, 19 credit card numbers, 6 driver’s license numbers, and 2 passport numbers, he writes.

Frantz didn’t report on whether he found any bitcoin or other cryptocurrency on the storage devices, so the guy who accidentally threw out $7.5 million on bitcoin on his hard drive is apparently still safe.

This isn’t just a U.S. problem. Last year, researchers in the U.K. performed similar tests, writes Anna Tobin in Forbes. “Two-thirds of second-hand memory cards left in mobile phones and tablets sold on the second-hand market in the UK still retained personal data from their former owners,” she writes. “Over a four-month period, the research team purchased one hundred used SD and micro SD memory cards from eBay, traditional auctions, second-hand shops and other sources. Most of the cards were found in resold smartphones and tablets and some came from second-hand cameras, SatNav devices and drones.”

Using freely available software, researchers were able to recover scans of passports, intimate photos, pornography, contacts lists and identification numbers, Tobin writes.

“Of the 100 cards assessed it was found that 36 percent had not been wiped at all,” Tobin writes. “29 percent had been formatted in an attempt to erase, but the data could still be recovered with the right know-how; 2 percent had had their data deleted, but it was found to be recoverable; 25 percent had been properly wiped using a data erasing tool that overwrote the entire storage area so that nothing could be recovered; 4 percent could not be accessed as they were damaged; and, 4 percent had no data present, but the reason for this could not be ascertained.”

The good news, sort of, is that for most criminal hackers, the expense and work that Frantz went through wouldn’t be worth it for most of them. “Researching further, I realized just how cheap it is to buy people’s information on the Darknet,” he writes. “Social Security numbers only fetch around $1 apiece, while full documents (dox) fetch around $3 each. Data leakage/extraction is so common that it has driven down the cost of the data itself. I saw several dumps of Social Security numbers on the Darknet for even less than $1 each. No matter how we calculate the value of the data gathered, we would never recoup our initial investment of around $600.”

Frantz went on to list a number of ways to fairly reliably destroy hard disk drives, ranging from hammers to thermite. And lest you think he was kidding about the thermite, he included a video of it as well.

March 17, 2019  9:55 PM

‘Lunar Library’ is the Ultimate Backup

Sharon Fisher Sharon Fisher Profile: Sharon Fisher

No doubt you’ve heard the advice to keep at least one of your backups off-site. One company is taking that advice really seriously: It’s planning to store one on the moon.

The Israeli spacecraft Beresheet took off recently, and its cargo includes a 30-million page archive of human knowledge, etched onto a nickel disc the size of a DVD, writes Corey Powell for NBC News. The lunar lander – its name is Hebrew for “in a beginning” or “genesis” – is also the first-ever non-government-owned moon lander. If it is successful, Israel will become just the fourth country to land something on the moon.

“The Lunar Library, as the archive is known, constitutes a ‘civilization backup’ to help ensure that our distant descendants never lose humanity’s collective wisdom,” Powell writes. The project was spawned by the Arch Mission Foundation, a Los Angeles-based nonprofit. “The foundation is building a space-based archive designed to survive for 6 billion years or more — a million times longer than the oldest written records in existence today.”

Previous efforts included the Isaac Asimov Foundation trilogy in the glove compartment of an Elon Musk Tesla in solar orbit, and a digital copy of the English Wikipedia in earth orbit, both last year. And, not to put too fine a point on it, Arch is pronounced “Ark.” Get it?

So what sort of knowledge did the foundation think was worth preserving? “Included in the Lunar Library’s more than 200 gigabytes of data are the entire English-language version of Wikipedia; tens of thousands of fiction and nonfiction books; a collection of textbooks; and a guide to 5,000 languages along with 1.5 billion sample translations between them,” Powell writes.

Oddly, they didn’t specify which books, other than the ones included in Project Gutenberg and the Internet Archive at the time. “The matter of who exactly gets to be humanity’s representative to the stars has become a hot matter of debate in recent years, as advanced communication technologies have made it possible to beam all sorts of information including electronic dance music and Doritos commercials, into space,” writes Peter Hess in Inverse, adding that “while the Library is ostensibly a comprehensive accounting of human history and knowledge, it admittedly comes from a particular perspective,” noting that it includes the culture and history of Israel, songs, and drawings by children. “SpaceIL also included a photo of Ilan Ramon, an Israeli fighter pilot and the first and only Israeli astronaut, who died in the 2003 Space Shuttle Columbia disaster,” added Sebastian Kettley in the Express.

History used to be written by the victors. Now it’s written by the people who send up spacecraft.

That said, how does the technology work? It was created by a company called Nanoarchival. “All of that information is etched onto 25 stacked nickel disks, each just 40 microns (about 1/600th of an inch) thick,” Powell writes. The top part of the Lunar Library’s disc, which can be read with a 100-power microscope, is engraved with tiny images of books and other documents explaining human linguistics, along with instructions about how to build a player to read the library beneath, he explains. The remaining documents require a 1000-power microscope.

Admittedly, this has some limitations, noted Arch Mission Foundation co-founder Nova Spivack in an interview in Scientific American. ”It must be a lifeform that’s at least as intelligent as we are and that has eyes and can see in the visible spectrum,” he said. “If it’s a microbial civilization that’s so small that these things look like planets to them, that’s obviously not going to work.”

A library on the moon is just the start, Powell writes. “The goal is to flood the solar system with other versions of the Lunar Library: in caves and mountains on Earth, on other locations on the moon, on Mars and in deep space,” he writes. Just in case we lose the backup on the moon, or it doesn’t make it there safely; there were some early glitches. It’s scheduled to land April 11.



February 28, 2019  11:55 PM

Ready for the 1TB SD Card?

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
SD card, Storage

It wasn’t that long ago that I first heard about being able to get a terabyte on a laptop – which, of course, made me immediately want one – and it was even less time ago that I actually got one: 2013, to be exact. Not long after, in 2014, SanDisk announced an SD card that could hold half a terabyte.

You can probably see where this is going.

Yes, it’s true. Now, suddenly everyone is announcing one-terabyte SD cards.

At the risk of dating myself, I remember when getting a 10 MB hard disk drive cost as much and was the same size as the PC itself.

Shipping dates vary, with Lexar’s orderable – though not shippable until March 9 – for $399. Lexar was also the first to announce, in January.

Other companies that have announced them include SanDisk – now owned by Western Digital – and Micron – now run by the founder of SanDisk, and who helped arrange SanDisk’s merger with Western Digital. SanDisk’s will be released in April for $449.99, and Micron’s will be “priced competitively” and released during the second quarter.

Incidentally, someone has already gone to the trouble of calculating the bandwidth of a pigeon carrying these SD cards. As you may recall, there is a time-honored tradition of using carrier pigeons to carry data from one place to another, dating all the way back to teeny-weeny microfilm cameras during World War II. And whenever a major new storage medium comes out, people like to figure out what the new bandwidth number would be, whether the device is being carried in a station wagon or by a pigeon.

What it boils down to is that in the time it takes for a terabyte to be transferred over a 1GB Internet connection, a pigeon could fly almost 36,000 kilometers – further if you had a racing pigeon. “Because the distance is more than half of Earths circumference, sending 150 TB of bulk data between any two points is now faster than a gigabit connection,” writes the person who did the calculation.”If you use the competitive 160 Km/h speed, you can go around the globe once before the gigabit completes.”

This is, of course, making certain assumptions, such as:

  • Ignoring the time it takes to write/read SD cards
  • Instantaneous pigeon swap
  • Each pigeon operates at peak performance from start to end
  • No packet drop (actually literally in this case)
  • The 1GBit/s connection we compare this against is perfect (no delay, no packet drop, full speed)

As the poster himself admits, “I’ve got way too much time and not enough pigeons.”

Before you get too excited and start popping 1TB SD cards  into every SD slot you have, make sure the device you’re using knows how to handle them. A few years ago, I got a new state-of-the-art gigundo SD card—probably 64 GB or so by then – and while my camera pretended to play nicely with it, it lost all the pictures I took on it. A terabyte of pictures would be an awful lot to lose

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: