[Dataloss] [follow-up] Boeing fires employee whose laptop was stolen (fwd)

ziplock ziplock at pogowasright.org
Fri Dec 15 21:03:46 EST 2006


I'd like to see someone publicly volunteer, in a highly visible manner, to
demonstrate that s/he can access data on an unknown, standard-issue
laptop, without leaving traces.  No actual cracking would be necessary;
once the data is copied a statement could be made that it can now be
attacked and explored at leisure.  Perhaps if a known expert made this
general challenge, technically aware activists could follow up with
letters to the editor when these ridiculous claims are made by those CYA
companies.  The activists could directly challenge the company, via the
press (for what good would it do, if not in the public eye?), to put up or
shut up by providing a laptop for the demo.  If the successful experiment
itself gets any publicity, it could be used as proof of concept against
all future similar reports.

These companies and these reporters will stick to the script until they're
publicly challenged and proven wrong.

/z


> It's about as much assurance as we get from a laptop being recovered,
> encrypted or not. Mirror the disk, hand the laptop back, fears
> subside, while you have all the time in the world to work on the
> data. In a year or so, random names in the data start having identity
> theft problems. The recovery of lost or stolen data should never be
> the end of the case. Period!
>
>
>
>>That is one aspect of the typical corporate response to data theft
>>that irked me when I was writing about this topic for the latest
>>issue of Baseline. No company can ever really know that data wasn't
>>accessed or that thieves weren't after data, etc. -- a point on
>>which I quoted a forensics expert from Kroll.
>>
>>It *is* such a smokescreen.
>>
>>-- Kim Nash
>>
>>Link to the article:
>>http://www.baselinemag.com/article2/0,1540,2069952,00.asp
>>
>>
>>
>>
>>-----Original Message-----
>>From:   dataloss-bounces at attrition.org on behalf of B.K. DeLong
>>Sent:   Fri 12/15/2006 8:17 AM
>>To:     Roy M. Silvernail
>>Cc:     dataloss at attrition.org
>>Subject:        Re: [Dataloss] [follow-up] Boeing fires employee whose laptop was stolen (fwd)
>>
>>If you look through a lot of the dataloss articles, you'll see many
>>media spokespersons claiming similarly that password protection is
>>enough. Might be an interesting stat to track in the database.
>>
>>On 12/15/06, Roy M. Silvernail <roy at rant-central.com> wrote:
>> > Gotta love this.  security curmudgeon forwarded:
>> >
>> > > Even though the employee data was not encrypted, the laptop was turned
>> > > off. That means the person who stole the computer would not be able to
>> > > access the employee data without a password to open the computer once it
>> > > was turned on.
>> >
>> > Wrong.  As I pointed out on my blog
>> > (http://www.rant-central.com/article.php?story=20060914170634681),
>> > that's purely a CYA statement with no basis in fact.
>> >
>> > How long will these outfits be able to get away with this smokescreen?
>> > --
>> > Roy M. Silvernail is roy at rant-central.com, and you're not
>> > "It's just this little chromium switch, here." - TFT
>> > CRM114->procmail->/dev/null->bliss
>> > http://www.rant-central.com
>> > _______________________________________________
>> > Dataloss Mailing List (dataloss at attrition.org)
>> > http://attrition.org/dataloss
>> > Tracking more than 143 million compromised records in 507 incidents over 6 years.
>> >
>> >
>> >
>>
>>
>>--
>>B.K. DeLong (K3GRN)
>>bkdelong at pobox.com
>>+1.617.797.8471
>>
>>http://www.wkdelong.org                    Son.
>>http://www.ianetsec.com                    Work.
>>http://www.bostonredcross.org              Volunteer.
>>http://www.carolingia.eastkingdom.org      Service.
>>http://bkdelong.livejournal.com            Play.
>>
>>
>>PGP Fingerprint:
>>38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE
>>
>>FOAF:
>>http://foaf.brain-stream.org



