BreachExchange mailing list archives
Re: [follow-up] Boeing fires employee whose laptop was stolen (fwd)
From: "ziplock" <ziplock () pogowasright org>
Date: Fri, 15 Dec 2006 21:03:46 -0500 (EST)
I'd like to see someone publicly volunteer, in a highly visible manner, to demonstrate that s/he can access data on an unknown, standard-issue laptop, without leaving traces. No actual cracking would be necessary; once the data is copied a statement could be made that it can now be attacked and explored at leisure. Perhaps if a known expert made this general challenge, technically aware activists could follow up with letters to the editor when these ridiculous claims are made by those CYA companies. The activists could directly challenge the company, via the press (for what good would it do, if not in the public eye?), to put up or shut up by providing a laptop for the demo. If the successful experiment itself gets any publicity, it could be used as proof of concept against all future similar reports. These companies and these reporters will stick to the script until they're publicly challenged and proven wrong. /z
It's about as much assurance, as we get from a laptop being recovered, encrypted or not. Mirror the disk, hand the laptop back, fears subside, while you have all the time in the world to work on the data. In a year or so, random names in the data start having identity theft problems. The recovery of lost or stolen data should never be the end of the case. Period!

That is one aspect of the typical corporate response to data theft that irked me when I was writing about this topic for the latest issue of Baseline. No company can ever really know that data wasn't accessed or that thieves weren't after data, etc. -- a point on which I quoted a forensics expert from Kroll. It *is* such a smokescreen.

-- Kim Nash

Link to the article: http://www.baselinemag.com/article2/0,1540,2069952,00.asp

-----Original Message-----
From: dataloss-bounces () attrition org on behalf of B.K. DeLong
Sent: Fri 12/15/2006 8:17 AM
To: Roy M. Silvernail
Cc: dataloss () attrition org
Subject: Re: [Dataloss] [follow-up] Boeing fires employee whose laptop was stolen (fwd)

If you look through a lot of the dataloss articles, you'll see many media spokespersons claiming similarly that password protection is enough. Might be an interesting stat to track in the database.

On 12/15/06, Roy M. Silvernail <roy () rant-central com> wrote:

Gotta love this. security curmudgeon forwarded:

Even though the employee data was not encrypted, the laptop was turned off. That means the person who stole the computer would not be able to access the employee data without a password to open the computer once it was turned on.

Wrong. As I pointed out on my blog (http://www.rant-central.com/article.php?story=20060914170634681), that's purely a CYA statement with no basis in fact. How long will these outfits be able to get away with this smokescreen?

--
Roy M. Silvernail is roy () rant-central com, and you're not
"It's just this little chromium switch, here." - TFT
CRM114->procmail->/dev/null->bliss
http://www.rant-central.com

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 143 million compromised records in 507 incidents over 6 years.

--
B.K. DeLong (K3GRN)
bkdelong () pobox com
+1.617.797.8471
http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.
PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org
