Yottabytes: Storage and Disaster Recovery


November 13, 2018  10:09 AM

The HP-Autonomy Merger Officially Sucks

Sharon Fisher
Autonomy, HP

Well, it’s official. The 2011 acquisition of Autonomy by Hewlett-Packard was the sixth-worst corporate merger and acquisition of all time.

That’s according to CB Insights, which recently generated a list it called Fools Rush In: 37 Of The Worst Corporate M&A Flops. “Mergers and acquisitions are one of the most important ways a big corporation can stay competitive — when they work out,” the company writes, inspired by the recent Sears-Kmart debacle. “Unfortunately many of these marriages don’t always make it. Below, we look at some of the worst mergers and acquisitions undertaken by large corporations, and how the good times went bad.”

(Why 37? It didn’t say. They’re fans of prime numbers, maybe?)

“Chairman and CEO Leo Apotheker, during his brief time in charge at HP, backed the company’s $11.1B acquisition of Autonomy, a European data analytics company,” writes the company. “Aside from baffling industry experts as to how the new company would fit into HP’s strategy, it came out in 2012 that Autonomy had cooked its books and had been massively overvalued during the acquisition. With Apotheker fired in 2011 for a slew of missteps that had contributed to the company’s massive losses, nothing ever came of the acquisition. Instead, Autonomy’s purchase was written down as a $9B loss and in 2016 HP sold off their Autonomy assets.”

It all started in August 2011, when HP took part in an industry-wide effort to acquire e-discovery vendors, using the Gartner Magic Quadrant “Leaders” quadrant as a shopping list. Symantec had acquired Clearwell, Autonomy itself had acquired Iron Mountain, and several other acquisitions took place over the next couple of years.

But Autonomy was considered the big fish, and the price tag proved it. Opinion at the time was that HP was aiming to follow IBM’s trajectory of moving from hardware to software and services, and while the Wall Street Journal noted that that wasn’t easy, the general consensus was that HP had made a wise purchase, though some did express unease at the high price tag.

However, it didn’t take long for the bloom to come off the HP-Autonomy rose. Little more than a year later, in November 2012, HP was forced to write off $8 billion of the acquisition due to what it said were accounting irregularities. By then, Apotheker himself was gone, and new CEO Meg Whitman was doing her best to pick up the pieces. And despite the praise of the acquisition a year before, suddenly there were all sorts of analysts coming out of the woodwork talking about how they’d said all along that HP had paid too much and hadn’t done its due diligence.

While HP considered selling the beleaguered company, that didn’t happen. Instead, HP itself ended up splitting up.

Then the lawsuits began.

They started with a shareholder lawsuit, which HP settled in 2015 for $100 million.

Most recently, the former Autonomy CFO, Sushovan Hussain, was found guilty in May on 16 counts of wire and securities fraud. And there’s more. HP also has a $5 billion civil suit scheduled to go to trial in London in 2019, a countersuit by the former Autonomy CFO for $160 million, and an appeal by Hussain.

All in all, it looks like the only people who ended up making money on the HP-Autonomy deal were the lawyers. And maybe the accountants, since so much of this seems to hinge on accounting, especially the differing accounting methods used in the United States and the United Kingdom.

HP-Autonomy wasn’t the only technology merger to make the list. In fact, many of the mergers on the list involved technology companies, including Microsoft-Nokia, Google-Nest, Yahoo!-Tumblr, Zynga-OMGPOP, and Google-Motorola.

October 31, 2018  7:18 PM

An Incredibly Gnarly Legal Encryption Discussion

Sharon Fisher
government, privacy, Security

New news in the world of whether you can be forced to decrypt your phone by law enforcement.

As I wrote in May 2017:

“As you may recall, the whole issue boils down to how a device is encrypted. Traditionally, courts have ruled that you can be compelled to give up something you have, such as your fingerprint, which is used to encrypt your phone, but you cannot be compelled to give up something you know, such as a password. That’s because simply admitting you have the correct password on a particular encrypted phone or other storage device could be considered self-incrimination.”

There’s been discussion and some case law recently about the self-incrimination part that looks like it will change. Because encryption is so common, the reasoning goes, it should be okay for law enforcement to force someone to decrypt their storage, if it is obvious that it belongs to the person. But law enforcement can’t use the mere fact that someone knows the password as evidence of guilt, that theory goes. (By the way, if you start researching this issue, there’s a commonly cited case, Fisher v. United States. It ain’t me.)

In a recent case, Judge Charles Breyer in the Northern California District Court ruled that a defendant, Ryan Spencer, did have to provide the encryption key for several devices in his home that law enforcement alleged contained child pornography, because it was a “foregone conclusion” that they were his, since they were in his home and he said they were.

In other cases, the “foregone conclusion” that had to be met was that the files law enforcement was looking for were on the encrypted devices, which was a much higher bar. However, the judge wrote, law enforcement wasn’t looking for a particular file; it was looking to decrypt the entire device.

“Turning over the decrypted devices would not be tantamount to an admission that specific files, or any files for that matter, are stored on the devices, because the government has not asked for any specific files,” Breyer writes. “Accordingly, the government need only show it is a foregone conclusion that Spencer has the ability to decrypt the devices. That the government may have access to more materials where it seeks a hard drive through a search warrant than it would have had if it sought specific files through subpoena is simply a matter of the legal tool the government uses to seek access. To the extent Spencer contends that the government has not adequately identified the files it seeks, that is an issue properly raised under the Fourth Amendment, not the Fifth.”

Does it seem unlikely to you that someone could know the password and yet not know what files are on the device? People could have files saved to their devices by other people in the household, other people who have remote access to it, or even by hackers. “I happen to know the passcode to my sister’s smart phone,” writes Orin Kerr in a forthcoming paper in the Texas Law Review on the subject. “I learned it at a family event when I wanted to use her phone to google something. I asked her for the passcode, and she told me. If the government obtained a court order requiring me to enter in the password, I could comply with the order because I know the password. But critically, I have no idea what files are stored in my sister’s phone. The only thing I know about my sister’s phone is its password. Unlocking the phone would admit I know the passcode, but it wouldn’t admit that I know what is on the phone. Because I don’t.”

The upshot of it all is that law enforcement may be able to force people to decrypt their drives, but not use the fact that they were able to do so as evidence of their guilt, Breyer writes. “Once Spencer decrypts the devices, however, the government may not make direct use of the evidence that he has done so,” he writes. “If it really is a foregone conclusion that he has the ability to do so, such that his decryption of the device is not testimonial, then the government of course should have no use for evidence of the act of production itself.”

Well, that’s something. In other words, they can’t have it both ways – if they’re going to say it’s a “foregone conclusion” that they’re his drives, they then can’t turn around and say it’s a surprise to them that he has the password.

And this stuff gets incredibly picky. In an amicus brief Kerr recently wrote, he lays out the distinction between a person giving law enforcement a password, vs. entering the password without law enforcement seeing it.

The reason this is all being discussed is that it’s a change. In 2013, for example, the Electronic Frontier Foundation and the American Civil Liberties Union submitted an amicus indicating that this kind of compelled decryption was a violation of someone’s Fifth Amendment rights. Basically, encryption is now common enough that simply knowing the password can’t be seen as incriminatory.

That’s not to say that the Fifth Amendment is never a protection against giving out passwords, Kerr notes. “Imagine the government obtains a search warrant to search a home for computer-stored images of child pornography,” he writes. “The home has three residents. The search yields one computer, and that computer has an encrypted hard drive that requires a password to use. Further assume that investigators have no evidence about which resident owns or uses the computer. In an effort to bypass the encryption, investigators obtain court orders requiring each of the three residents to enter the password. In such a case, each resident would have a valid Fifth Amendment privilege against complying with the order.”

In addition, hidden files, hidden volumes, and files that are themselves encrypted on the disk could also be protected under the Fifth, Kerr writes.


October 26, 2018  9:03 AM

Who Owns Your Car’s Data? Hint: It Isn’t You

Sharon Fisher
Automobile, car, privacy, Security, Storage

We’ve talked before about data storage on cars – why it’s important to delete it and how it’s going to be stored. But there is a more fundamental question to be discussed: Who owns it?

The Auto Care Association, an industry trade group, recently conducted a survey finding that 86 percent of consumers said vehicle owners should have access to driver and vehicle data, also known as telematics. Additionally, the survey found 88 percent of consumers believe a vehicle’s owner should decide who has access to this data.

However, that isn’t always the case, the association warned.

“Each year, vehicles get ‘smarter’ and infused with telematic technologies, which enable real-time, wireless transmission of information related to driving behavior, such as steering, acceleration and braking; and vehicle health, including fuel use, emissions and engine hours,” the organization writes. “However, as this technology has advanced, vehicle manufacturers are gaining exclusive access to vehicle data at the expense of consumers.”

As an example, the organization notes, remote diagnosis of vehicle problems is one of the primary selling points of telematics. “However, as of today, only vehicle manufacturers can take advantage of this information,” the organization writes. “As a result, vehicle owners have little to no choice when it comes to servicing their vehicle.”

The survey found 71 percent of respondents incorrectly assumed that the vehicle owner has access to driver and vehicle data, which was greater than the percentage of respondents who assumed the vehicle manufacturer and the dealership have access to this data (59 percent and 44 percent, respectively). And nearly half of respondents (45 percent) incorrectly believed that vehicle owners own their car’s data.

This is increasingly going to become an issue as cars become more automated, particularly as they become autonomous. Do you want your car reporting to your health insurance company how often it takes you to McDonald’s? Should auto manufacturers be able to sell your travel data to advertisers who can market businesses along your route? Will law enforcement use the concept of third-party doctrine to say it doesn’t need probable cause to get access to all your car’s data?

“By monitoring his everyday movements, an automaker can vacuum up a massive amount of personal information,” writes Peter Holley in the Washington Post. This includes “everything from how fast he drives and how hard he brakes to how much fuel his car uses and the entertainment he prefers. The company can determine where he shops, the weather on his street, how often he wears his seat belt, what he was doing moments before a wreck — even where he likes to eat and how much he weighs.” In particular, he notes, health data collected by a non-health provider isn’t covered by the federal privacy rule known as HIPAA.

And automotive data has the potential to be a big market. “A 2016 white paper from industry research and consulting firm McKinsey projects a $450 billion to $750 billion industry for automotive data by 2030,” writes Jeff Plungis in Consumer Reports.

This is all part of a campaign by the Auto Care Association called Your Car, Your Data, Your Choice, intended to raise awareness of this issue. And to be sure, they have their own ax to grind. The organization represents 533,000 businesses in the auto care industry, including independent manufacturers, distributors, repair shops, marketers, and retailers – all of whom are afraid that they’re going to be locked out of this data by auto manufacturers in the future, and threatening their livelihood.

“By 2020, more than 90 percent of new cars will transmit real-time information about the owner’s driving behavior and the vehicle’s condition,” the organization writes. “More than 80 percent of car owners think that they should have control over their data. 93 percent of auto industry employees think car owners should control their own data.” And, to get to the crux of the issue, “90 percent of car owners think they could save more money by visiting an independent repair shop.”

According to the organization, it is trying to negotiate a settlement with automakers, who have reportedly proved recalcitrant. “Absent an agreement, the only apparent solution for ensuring consumer control and access to data is legislation, which we are actively working on via our government affairs department, our coalition partners and more,” the organization writes.

How well that’s going to work, in an administration that has thus far been more interested in protecting large companies than small ones, is going to be an interesting question.


October 23, 2018  9:12 AM

How Did You Celebrate ‘Electronic Records Day’?

Sharon Fisher

So apparently Electronic Records Day is a thing. Who knew? In fact, it’s been going on for seven years. I knew about Ask an Archivist Day (which, this year, was celebrated October 3). Actually, they’re both part of American Archives Month, which is observed the entire month of October, though Electronic Records Day – this year observed on October 10 — is inexplicably missing from the American Archives Month calendar, which seems like an odd mistake for archivists to make. And just how many celebratory days and months do archivists need?

Anyway.

Unlike Ask an Archivist Day, which appears to be the first Wednesday of October, Electronic Records Day is always observed on October 10. Or 10-10. Like, bits and bytes. Get it?

Archivists are a funny bunch.

The purpose of Electronic Records Day is to share information about managing state digital resources and to enlist help in preserving electronic records. But just because it’s intended for state records doesn’t mean you can’t use it for your personal and corporate digital resources as well. And although Electronic Records Day is already gone and past, the information that was generated and promoted about it is still around, and it actually contains some pretty useful storage tips. A number of them were posted to Twitter using the hashtag #ERecsDay.

In addition, the Council of State Archivists (CoSA) held webinars in 2017 and 2016 about Electronic Records Day, and though they didn’t hold one in 2018, the older webinars are still available online. Because, you know, archivists.

This year, the Council of State Archivists generated a number of files – both in Word and in .pdf format, so that you could edit them if you wished – about electronic records topics, ranging from Electronic Government Records Overview to 10 Reasons for E-Records to Electronic Records Emergency Planning and Response to Why You Need More Than Backups to Preserve Records and so on. (Though I have to say, Word and .pdf? Don’t archivists frown on vendor-specific file storage formats?)

Electronic records awareness is important because increasingly government is moving to electronic records from paper ones. “Between 2006 to 2016, there was a 1,693 percent increase in state and territorial electronic records, according to a report published by CoSA,” writes Jared Beinart in StateScoop. “This increase has led to a 445 percent growth of electronic over paper records.” There are, in fact, 1,371 terabytes of state and federal electronic records.

And as we all know about the “digital dark ages,” electronic records have … issues … compared with paper ones, especially in the context of preservation. But anyone who’s tried to get data off a ZIP drive lately knows the problem of incompatible formats, whereas we can still read things originally written on goat skins.

Actually, to look at the “10 reasons why we need to preserve electronic records” list, we might forget the actual advantages of electronic records. It’s easy to send electronic records around, and be able to read the information in them, they can store a lot of data in a small space, and they don’t get vermin. State archivists are still trying to encourage states to convert their paper documents to digital.

That also includes destroying them on a regular basis through a standardized retention schedule.

Sadly, Electronic Records Day doesn’t seem to generate the sort of sales and things that World Backup Day (observed on March 31) does, other than a single-day sale of 20 percent off on three digital records books. Perhaps next year. And in the meantime, we can Ask an Archivist (which, next year, should be October 2, though there’s no announcement about it yet) why Electronic Records Day isn’t listed on their calendar.


October 9, 2018  9:01 AM

New Zealand border phone searches cause outcry

Sharon Fisher
government, privacy, Security, smartphone

We’ve had this in the U.S. for a while, but now it’s happening elsewhere: Enter New Zealand, and either be willing to hand over your smartphone and password, or pay a $3200 fine.

“New laws that came into effect in New Zealand on October 1 give border agents ‘…the power to make a full search of a stored value instrument (including power to require a user of the instrument to provide access information and other information or assistance that is reasonable and necessary to allow a person to access the instrument),’” writes Katina Michael for The Conversation. “Those who don’t comply could face prosecution and NZ$5,000 in fines. Border agents have similar powers in Australia and elsewhere.”

A “stored value instrument” includes a smartphone, tablet, or laptop. No word on whether cameras are included.

“As in many countries, customs officers in New Zealand were already able to seize mobile phones and other digital devices for forensic examination they believed contained evidence of criminality,” writes Bernard Lagin in the Sydney Times. “But the law did not previously compel travellers to open their devices for inspection, either by entering a password or using biometric data such as thumbprints or facial scans.” He also believed that New Zealand was the first country to implement a fine for noncompliance.

The new policy immediately caused an outcry.

“The practice of searching electronic devices at borders could be compared to police having the right to intercept private communications,” Michael writes. “But in such cases in Australia, police require a warrant to conduct the intercept. That means there is oversight, and a mechanism in place to guard against abuse. And the suspected crime must be proportionate to the action taken by law enforcement.”

Customs officials quoted by Lagin said that they needed a reasonable cause for suspicion, and that phones were examined in airplane mode, so they didn’t look at data in the cloud. The new policy was implemented in an attempt to fight organized crime, he writes. New Zealand Customs said the number of electronic devices examined is “very low,” 537 out of 14 million travelers in 2017.

The U.S. has had a policy for some time that border agents can demand access to a smartphone within 100 miles of the border – which covers much more U.S. territory than you’d think. According to the American Civil Liberties Union (ACLU), as of 2006, more than two-thirds of the U.S. population lived within 100 miles of the border. Altogether, it meant that anyone in that area with a laptop could have that laptop seized without a warrant, at any time, taken to a lab anywhere in the U.S., have its data copied, and searched for as long as Customs deemed necessary. And despite their objections, the policy has largely been upheld.

New Zealand doesn’t have an American Civil Liberties Union, obviously, but it does have a New Zealand one. “We note that the requirements and procedures in this new law are very lightweight, have no oversight, and compare badly to the procedures that must be followed by our Police and intelligence services,” the organization writes. “Customs originally demanded to be able to perform these searches without restrictions. The law now says they have to have reasonable cause, but they do not have to prove this before confiscating your device, nor is there a way to meaningfully protest or appeal at the time of confiscation.” The policy will also affect people traveling with devices or files from other people that they can’t unlock, the organization adds. (And yes, New Zealand has a Bill of Rights, too.)

To add insult to injury, “Microsoft, Apple and Google all indicate that handing over a password to one of their apps or devices is in breach of their services agreement, privacy management, and safety practices,” Michael writes. “That doesn’t mean it’s wise to refuse to comply with border force officials, but it does raise questions about the position governments are putting travellers in when they ask for this kind of information.”

In the meantime, if you’re going to New Zealand (which is a lovely place, incidentally), be willing to hand over the password, or get a burner phone.


September 30, 2018  8:24 PM

Yes, You Can Use the Wayback Machine in Court

Sharon Fisher
Court

In this we-have-always-been-at-war-with-Eurasia era, when websites, audio recordings, photographs, and video can be changed or created, it’s good to know that courts have ruled that stored images of websites from the Wayback Machine, part of the Internet Archive, can now be introduced as evidence.

It’s not that people haven’t tried using Wayback Machine images before. What’s new is that now they’re succeeding.

The distinction? In the case where it succeeded, prosecutors actually called staff at the Internet Archive to testify on how the Wayback Machine worked, and authenticated the images by demonstrating how the pictures submitted into evidence were the same as what the Wayback Machine was showing at that time.

This was all part of the case U.S. vs. Gasperini. The district court of Eastern N.Y. ruled in 2017 on the case, where prosecutors attempted to prove that Fabio Gasperini created and controlled an army of 150,000 computers around the world to run an auto-click scheme that defrauded online advertisers, according to a description written by his attorney, Simone Bertollini.

“The District Court sentenced Gasperini to 12 months in prison, a $100,000 fine, and 12 months of supervised release,” Bertollini wrote. “Experts confirmed that no one before had been given such an extreme sentence on a misdemeanor computer intrusion charge. Bertollini defined the sentence as ‘unconscionable,’ and indicated that an appeal to the Second Circuit has already been filed.”

Gasperini appealed the original decision partly due to the inclusion of the Wayback Machine images. His attorney pointed out that previous attempts to use Wayback Machine images had been turned down. “In support of his argument, the defendant relied on a 2009 case where the Second Circuit ruled only that the district court did not abuse its discretion by excluding screenshots for lack of authentication,” writes attorney Richard Newman in the blog Pacedm. “Interestingly, the Third Circuit considered the admissibility of Internet Archive records on a similar record in United States v. Bansal (3d Cir. 2011).”

But the Second Circuit Court, in its opinion affirming the original decision, noted the use of the authentication, which is what made the use of the images acceptable.

This decision is important because increasingly businesses need to rely on information posted on a website, writes Stephen Kramarsky in the New York Law Journal. “To get a more accurate picture requires a time machine capable of re-creating the web as it was on a given date,” he writes. “ Luckily, at least for many web sites, such a machine exists. A recent U.S. Court of Appeals for the Second Circuit decision describes how to use it, and how to properly introduce records from it so that they can be accepted as evidence in court. Attempting simply to introduce screenshots from a third-party archive may not meet with approval. Instead, that evidence should be supplemented with witness testimony describing the archive, how it works, and how the records to be introduced into evidence were produced and stored in the ordinary course of the archive’s business. This should address hearsay and authenticity issues, and go a long way towards ensuring that the evidence will be admitted.”

The appeal also referenced two other issues that have come up here at one time or another.

First, Gasperini allegedly sent someone to his office to remove or destroy his hard disk drives. Apparently whoever it was did a good job, because there hasn’t been any indication that the hard disk drives were found or that any data on them had been recovered. “After his arrest in the Netherlands, Gasperini deleted the contents of his Google account, deactivated his Facebook account, and instructed someone to discard the hard drives in his home and erase others,” notes the decision.

Second, one of the grounds by which Gasperini appealed his case was the original Microsoft decision. “A large part of the evidence introduced at trial consisted of emails sent and received by Gasperini,” Bertollini wrote. “Before trial, Bertollini had sought to suppress the emails, arguing that they were seized through an extraterritorial application of the Storage Communication Act. Last year, the U.S. Court of Appeals for the Second Circuit decided—in the famous Microsoft case—that the SCA does not apply outside the United States.”

But as with the Wayback Machine attempt, Gasperini’s attempt to use the Microsoft decision didn’t work, either. “Even assuming, arguendo, that the legal analysis in Microsoft was still correct, and that some of the data collected through the SCA warrants was located abroad, the Court nevertheless rejected Gasperini’s argument that such evidence should have been suppressed,” write Jason Vitullo and Harry Sandick in Lexology. “Rather, the Court explained, Gasperini’s challenges were statutory in nature, not constitutional, and the SCA explicitly limits the relief available for any statutory violation to various civil action remedies such as damages and associated legal costs. Accordingly, even if foreign data was collected in violation of the SCA, such a violation did not warrant suppressing it in Gasperini’s criminal trial. The Court explained in a footnote that five other Circuit courts have ruled likewise with respect to the unavailability of suppression as a remedy for a nonconstitutional violation of the SCA.”


September 24, 2018  8:29 AM

Get Ready for the Microsoft Windows 10 Storage Fail

Sharon Fisher
Microsoft, Storage, Windows 10

Oh, this should be fun. Microsoft is warning users that the next Windows 10 update might kill their systems.

Pass the popcorn.

This all came out in a warning issued earlier this month from Microsoft. “On Microsoft Windows 10 systems that have limited storage space (such as thin clients or embedded systems), when you run Windows Update, the update initialization may fail.”

Of course, Microsoft doesn’t define “limited” or say how much storage space the update initialization actually takes, exactly how the update initialization may fail, what the repercussions of that are, or how to recover from it. If you can.

“How much storage space do you need? Microsoft isn’t saying,” writes Kevin Murnane in Forbes, adding that last spring’s update needed 16GB of empty space for 32-bit systems and 20GB for 64-bit.

The company is, however, very clear on what causes it: “Windows Update does not check systems for adequate space requirements before it initializes.”

The note then launches into its Resolution section with seven separate steps detailing how users can delete files from their systems to increase the amount of empty storage space.

How about this Resolution: “We will hold off on this update until we instate the system space check, and in the meantime find out which bonehead authorized a system update without one.”

Murnane savages Microsoft for this move. “Microsoft’s decision to push out a major upgrade without warning the user if they don’t have enough free space to safely install it is unconscionable and outrageous,” he writes. “You would think the company had learned its lesson about arrogant disregard for the needs and desires of its customers after the epic fail of the Xbox One launch. Apparently not. Microsoft’s left you hanging in the wind so check to see how much storage space you have available and make space if you need it.”
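The pre-update space check that the Microsoft note says Windows Update lacks, as an added PowerShell example that is not from the post, from Murnane, or from Microsoft. The 16 GB / 32-bit and 20 GB / 64-bit thresholds are the figures Murnane quoted for last spring’s update, used here as assumed defaults; the cmdlets are standard Windows CIM queries.

```powershell
# Added example: compare free space on the system drive with the free-space
# figures the post quotes for the spring update, before letting Windows Update run.
# Assumed defaults: 16 GB for 32-bit Windows, 20 GB for 64-bit (from Murnane's article).
function Test-UpdateFreeSpace {
    param(
        [double]$Required32GB = 16,
        [double]$Required64GB = 20
    )

    # Win32_OperatingSystem reports the architecture ("32-bit"/"64-bit") and the system drive ("C:")
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$($os.SystemDrive)'"

    $is64       = $os.OSArchitecture -like '64*'
    $requiredGB = if ($is64) { $Required64GB } else { $Required32GB }
    $freeGB     = [math]::Round($disk.FreeSpace / 1GB, 1)

    [pscustomobject]@{
        SystemDrive  = $os.SystemDrive
        Architecture = $os.OSArchitecture
        FreeGB       = $freeGB
        RequiredGB   = $requiredGB
        ShortfallGB  = [math]::Max(0, [math]::Round($requiredGB - $freeGB, 1))
        Ready        = ($freeGB -ge $requiredGB)
    }
}

$result = Test-UpdateFreeSpace
$result | Format-List

# Warn (non-zero exit) so a scheduled task or login script can block the update run.
if (-not $result.Ready) {
    Write-Warning ("Only {0} GB free on {1}; free up at least {2} GB more before running Windows Update." -f
        $result.FreeGB, $result.SystemDrive, $result.ShortfallGB)
    exit 1
}
```

Run it as a local user on the machine in question; it reads only CIM data and changes nothing, so it is safe to run on thin clients and embedded systems where the shortfall is most likely.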

The other interesting aspect is that Microsoft is replacing its venerable Disk Check utility with something called Storage Sense, which is a more automated version that puts some of your files into the cloud using Microsoft’s OneDrive. And while that’s a useful function (assuming people know this, can find their files later, and security is taken care of), it’s going to be sad not using Disk Check anymore.

Admittedly, I’ve been using Crap Cleaner for years and usually only use Disk Check afterwards, just in case. But it was something I was used to. Of course, I’m old enough that I still remember running the defrag utility and being mesmerized by the little animation that showed exactly which block was being defragged and watching all the little squares change colors. I miss that, too, even though it would probably take hours to run with the hard disk drive sizes we have these days.

Meanwhile, it seems clear that a number of users won’t find out about the problem in time, won’t take sufficient steps to deal with it, and will end up crashing their systems – at which point, we’ll at least find out what that actually means.

Better get more popcorn.


September 17, 2018  8:59 AM

Schneider USB Malware Scare

Sharon Fisher
malware, USB

We’ve talked before about security issues involved with USB drives, but here’s a new one: A vendor alerting us to malware on a USB drive that it’s shipping with its product.

Schneider Electric recently notified users of its Conext Combox and Conext Battery Monitor that USB removable media shipped with the products may have been exposed to malware during manufacturing at a third-party supplier’s facility.

Oops.

The Conext Combox and the Conext Battery Monitor are both used to monitor the harvest and yield of solar power systems, according to the company, which is based in France. This is somewhat concerning in the context of the security of the power grid.

It also isn’t known where the third-party supplier’s facility is, to help determine whether this is a state-sponsored activity. China? South Korea? Japan?

“Schneider Electric has determined that some USB removable media shipped with the Conext Combox and Conext Battery Monitor products were contaminated with malware during manufacturing by one of our suppliers,” the company said in its alert. “Schneider Electric has confirmed that the malware should be detected and blocked by all major anti-malware programs. Out of caution, Schneider Electric recommends that these USB removable media are not used. These USB removable media contain user documentation and non-essential software utilities. They do not contain any operational software and are not required for the installation, commissioning, or operation of the products mentioned above. This issue has no impact on the operation or security of the Conext Combox or Conext Battery Monitor products.”

Instead of using the documentation on the USB drives, Schneider recommends that people download the documentation from the company website.

This isn’t the first time something like this has happened. A year ago, IBM reportedly shipped some USB flash drives, containing the initialization tool for its Storwize storage system, on which one file had been infected with malicious code. IBM was similarly tight-lipped about how the malware came to be there.

In fact, there’s a security website (called “Rationally Paranoid”) that tracks such incidents, and it goes as far back as 2000. It doesn’t yet include the Schneider incident, nor any other incident from 2018.

With the Schneider incident, there are still a number of outstanding questions:

  • What kind of malware is it?
  • Who is the third-party manufacturer and where are they located?
  • What was the USB drives’ intended use? Did they get plugged into the solar device itself, or into a PC?
  • Were these particular USB drives belonging to Schneider Electric targeted, or was it just run-of-the-mill malware? In other words, was someone trying to hack into the power grid this way?
  • Who else uses USB drives from that manufacturer? Are those USB drives infected too?

Companies are understandably reticent about such incidents, because they don’t want to give people ideas, nor set themselves up for liability. On the other hand, if we’re going to protect ourselves from such incidents in the future, it’s important to know all we can about them. “Security through obscurity” never works.
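The questions above are the ones a recipient of such media cannot answer, but there is a check a practitioner can run before anything on a vendor-supplied drive is opened: inventory the files, hash them, flag anything that is not plain documentation, and compare the inventory against a manifest of expected contents. The script below is an added example, not Schneider Electric’s or IBM’s tooling; the vendor-published manifest of relative paths and SHA-256 values is an assumption, and the “media” it examines is a constructed temporary directory so the script runs offline.

```python
import hashlib
import os
import shutil
import tempfile

# File types that have no business on a media set that is supposed to hold
# only user documentation and non-essential utilities.
RISKY_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk"}
RISKY_NAMES = {"autorun.inf"}


def sha256_file(path):
    """SHA-256 of a file, read in 64 KiB chunks so large utilities don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_media(root, manifest):
    """Walk the mounted media at `root` and return a sorted list of findings.

    manifest: {relative_path: sha256_hex} as a vendor might publish it (assumed).
    Finding kinds: risky-type, not-in-manifest, hash-mismatch, missing.
    """
    findings = []
    seen = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            digest = sha256_file(full)
            ext = os.path.splitext(name)[1].lower()
            if name.lower() in RISKY_NAMES or ext in RISKY_EXTENSIONS:
                findings.append(("risky-type", rel, digest))
            if rel not in manifest:
                findings.append(("not-in-manifest", rel, digest))
            elif manifest[rel] != digest:
                findings.append(("hash-mismatch", rel, digest))
    # Anything the vendor lists but the media lacks is also worth a question.
    for rel, digest in manifest.items():
        if rel not in seen:
            findings.append(("missing", rel, digest))
    return sorted(findings)


def demo():
    """Build a constructed media image in a temp dir and triage it; returns (kind, path) pairs."""
    root = tempfile.mkdtemp()
    files = {  # constructed sample contents
        "docs/manual.pdf": b"%PDF-1.4 constructed manual",
        "docs/readme.txt": b"constructed readme v2",
        "utils/setup.exe": b"MZ constructed utility",
        "autorun.inf": b"[autorun]\n",
    }
    try:
        for rel, data in files.items():
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
        manifest = {  # assumed vendor manifest
            "docs/manual.pdf": hashlib.sha256(files["docs/manual.pdf"]).hexdigest(),
            "docs/readme.txt": hashlib.sha256(b"constructed readme v1").hexdigest(),  # differs
            "utils/setup.exe": hashlib.sha256(files["utils/setup.exe"]).hexdigest(),
            "docs/quickstart.pdf": "0" * 64,  # listed by vendor, absent from media
        }
        return [(kind, rel) for kind, rel, _ in triage_media(root, manifest)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:16} {rel}")
```

A hash mismatch or an unlisted file is not proof of malware, and a clean run is not proof of its absence; the value of the inventory is that it gives the anti-malware scan and the vendor a concrete list of what was actually on the media, which is exactly the information the Schneider alert leaves out.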


September 12, 2018  7:13 AM

Tape is Not Dead, Tape Manufacturers Say

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Tape, Tape backup

Every few years, tape manufacturers get together to remind us that tape is not dead.

And it’s not. You still get the most bandwidth for your buck using a station wagon full of tapes hurtling down a highway. Tape is the Internet’s attic, or basement – a pain in the ass to get to, but it’s nice to not have to trip over the Christmas decorations the rest of the year.

The result is that tape drive manufacturers shipped 108,457 petabytes (PB) of total tape capacity (compressed) in 2017, an increase of 12.9 percent over the previous year. Admittedly, since they’re counting compressed capacity, that certainly reflects improvements in compression technology as much as anything, but it’s still a lotta tape. Even the vendors had to admit, though, that it came with fewer unit shipments.

While hard disk drive manufacturers are having to resort to increasingly convoluted measures to continue adding capacity to their drives, tape drive manufacturers keep diligently releasing new versions of the Linear Tape Open (LTO) specification every few years, which typically double the capacity. They’re now up to version LTO-8, and have a roadmap for versions up to 12, which if they keep to their schedule should be announced around 2029.

“A modern tape cartridge can hold 15 terabytes,” writes Mark Lantz in IEEE Spectrum. “And a single robotic tape library can contain up to 278 petabytes of data. Storing that much data on compact discs would require more than 397 million of them, which if stacked would form a tower more than 476 kilometers high.”

Of course, part of the reason that tape still has room to expand its density is because people weren’t using it as much once hard disk drives came along, Lantz admits. “Early on, the areal densities of tapes and hard drives were similar,” he writes. “But the much greater market size and revenue from the sale of hard drives provided funding for a much larger R&D effort, which enabled their makers to scale up more aggressively. As a result, the current areal density of high-capacity hard drives is about 100 times that of the most recent tape drives.”

That also means that every few years, everyone still using tape needs to upgrade all their equipment and write all their data to the new format, because each new LTO version can read back only two generations. You can call that “planned obsolescence” or you can call it helping to ensure that the data survives. Either way, it helps keep the industry going.

(PS, tape organizations: If you want to convince people there’s a future for tape, you might want to redesign your websites and logos so they look like they came from this century.)

Tape manufacturers point out, rightly, that their products can be more secure against intrusion than hard disk drives because they can be “air gapped,” or not on the Internet unless they’re actually in use. “If a cartridge isn’t mounted in a drive, the data cannot be accessed or modified,” Lantz writes. “This ‘air gap’ is particularly attractive in light of the growing rate of data theft through cyberattacks.”

And, using a more recent consideration, they also don’t use energy when not in use, making them more “green.” “Tape is the greenest storage technology available for large amounts of inactive data,” writes the Information Storage Industry Consortium in its report, 2015-2025 International Magnetic Tape Storage Roadmap. “Its removable media consumes no power while not in use. Automated digital libraries consume very little power yet provide access to vast amounts of data. Tape’s footprint is also reduced, minimizing the square footage required.”

Those benefits do come with a cost, though. Yes, a tape not in use isn’t as vulnerable and isn’t using energy. But if you do need something on that tape, the tape needs to be located, inserted into a reader (perhaps with a robot, as in the Rogue One Star Wars movie – and we saw how that turned out — but still), and then spun until the data shows up. That takes time. That’s why tape is dandy as a long-term cold storage medium, but not necessarily for data that you’re using right now.

Nobody, not even tape drive manufacturers, is trying to say that tape should be used for all storage solutions. But it can be handy to have. Just remember that when you’re getting the Christmas lights from the attic.


September 4, 2018  10:34 AM

Google’s hard disk drive-destroying robots

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Disk drive, Google, Hard disk, Robotics

Earlier this summer, we talked about machines that are intended specifically to destroy hard disk drives. But Google does it one better.

It has robots.

That’s according to Joe Kava, Google’s vice president of data centers. “Google first detailed its process for this back in 2011,” writes Yevgeniy Sverdlik. “A company-produced video showed wiped drives get punctured with a steel piston and then thrown into an industrial shredder. The tiny pieces of plastic and metal then got boxed and recycled. What happens to each drive being replaced in the company’s data centers today is still the same. What’s different is who’s doing it. It’s now done by robots in what Google calls a ‘fully-automated disk-erase environment,’ Kava said.”

(Sadly, videos showing this robotic process don’t seem to be available, though a photograph is.)

The advantage of having a robot do the destruction is it reduces the number of people who have to handle a hard disk drive, Sverdlik writes, therefore also reducing the amount of tracking that has to be done for each hard disk drive.

The hard disk drive destruction robots come in particularly handy when Google is doing a forklift upgrade of its hard disk drives, Kava said. This would seem to indicate that other companies with very large quantities of hard disk drives, such as Facebook or Backblaze, might use hard disk drive destruction robots, too.

That said, apparently humans still need to perform the actual disconnection of the hard disk drive from the system, Kava added.

Videos of Google’s data center seem to crop up every couple of years, and destroying the obsolete hard disk drives is always a major part of it.

Actually, an interesting nuance about Kava’s video was his explaining that the only hard disk drives that are destroyed are the ones that can’t be verified as 100 percent wiped. He didn’t explain how Google verifies this, or what would keep a particular hard disk drive from being able to be wiped. Reportedly, the hard disk drives that can be verified are sold to other companies, Sverdlik writes.
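Google doesn’t say how it verifies a wipe, but the basic check is not mysterious: after the overwrite, read every byte of the device back and confirm it matches the pattern that was written, reporting the first offset that doesn’t. The script below is an added example, not Google’s process; it works on an ordinary image file standing in for a drive (a block device path would work the same way on Linux, where seeking to the end gives the device size) and deliberately plants one untouched byte to show what a failed verification looks like.

```python
import os
import tempfile

CHUNK = 1 << 16  # 64 KiB read/write granularity


def device_size(f):
    """Size in bytes of an open file or block device (getsize() is 0 for devices)."""
    pos = f.tell()
    size = f.seek(0, os.SEEK_END)
    f.seek(pos)
    return size


def overwrite_with_pattern(path, byte_value=0x00):
    """Overwrite every byte at `path` with `byte_value` and flush to the medium."""
    block = bytes([byte_value]) * CHUNK
    with open(path, "r+b") as f:
        remaining = device_size(f)
        f.seek(0)
        while remaining:
            n = min(CHUNK, remaining)
            f.write(block[:n])
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # don't trust a wipe that is only in the page cache


def verify_wiped(path, byte_value=0x00):
    """Read the whole medium back. Returns (True, None) or (False, first_bad_offset)."""
    expected = bytes([byte_value]) * CHUNK
    with open(path, "rb") as f:
        offset = 0
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True, None
            if chunk != expected[: len(chunk)]:
                for i, b in enumerate(chunk):
                    if b != byte_value:
                        return False, offset + i
            offset += len(chunk)


def demo():
    """Constructed drive image: wipe it, verify, then plant one bad byte and verify again."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))  # "old data" of an odd, non-chunk-aligned size
    try:
        overwrite_with_pattern(path)
        clean = verify_wiped(path)
        with open(path, "r+b") as f:  # simulate a sector the overwrite never reached
            f.seek(CHUNK + 7)
            f.write(b"\xff")
        dirty = verify_wiped(path)
    finally:
        os.remove(path)
    return clean, dirty


if __name__ == "__main__":
    print(demo())
```

The verification reads what the drive returns to the host, so a sector the firmware has remapped and stopped exposing is not covered by it; that is one reason a drive can be unwipeable from the host’s point of view and end up in the shredder regardless.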

Developing a 100 percent reliable way of wiping and verifying hard disk drives would also make it easier to recycle the material from which hard disk drives are made, writes Tom Coughlin in Forbes. There is, in fact, an entire organization — the Value Recovery From Used Electronics Project, organized by iNEMI (the International Electronics Manufacturing Initiative) — that is intended to help develop a more circular economy for hard disk drives, he writes.

“There are three major reasons why HDDs are a good candidate for a circular economy: (1) the demand for data storage is increasing rapidly; (2) data storage demand is increasing significantly faster than increases in HDD storage density, and (3) industry output of HDDs (manufacturing capacity) is not expected to increase significantly, according to industry projections,” Coughlin writes. “This leads to a potential gap between estimated data storage needs and the estimated ability of HDD and SSD manufacturers to keep up with demand. There are a number of ways to fill this gap: continued investment in fabs and technologies to increase HDD and SSD storage, increase HDD reliability, and increase the reuse of used HDDs so that they are available to meet some of our global data storage needs.”

But practices such as Google’s make that difficult, Coughlin writes (though he notes that Google is participating in the project). “Some existing practices severely impede the overall value recovered from the products across the reverse chain of commerce,” he writes. “Data destruction demands by the last user, which are not always essential to meet justified data security needs, lead to wholesale HDD shredding, which precludes reuse and reduces material recovery options.” And while shredding does allow for recycling of the raw material, it “precludes reuse and can reduce recovery of trace, but highly valuable, materials (e.g. rare earth metals),” he adds.

In the meantime, shredding robots it is.

