[Dataloss] [follow-up] Boeing fires employee whose laptop was stolen (fwd)

Adam Shostack adam at homeport.org
Fri Dec 15 21:46:35 EST 2006


Maybe a fun demo to do at Defcon this summer?  You could set it up as
a challenge--someone brings in three standard laptops, each with a
secret file.  You open one, hand them all back, they have to determine
which of the three were opened?


On Fri, Dec 15, 2006 at 09:03:46PM -0500, ziplock wrote:
| I'd like to see someone publicly volunteer, in a highly visible manner, to
| demonstrate that s/he can access data on an unknown, standard-issue
| laptop, without leaving traces.  No actual cracking would be necessary;
| once the data is copied a statement could be made that it can now be
| attacked and explored at leisure.  Perhaps if a known expert made this
| general challenge, technically aware activists could follow up with
| letters to the editor when these ridiculous claims are made by those CYA
| companies.  The activists could directly challenge the company, via the
| press (for what good would it do, if not in the public eye?), to put up or
| shut up by providing a laptop for the demo.  If the successful experiment
| itself gets any publicity, it could be used as proof of concept against
| all future similar reports.
| 
| These companies and these reporters will stick to the script until they're
| publicly challenged and proven wrong.
| 
| /z
| 
| 
| > It's about as much assurance as we get from a laptop being recovered,
| > encrypted or not. Mirror the disk, hand the laptop back, fears
| > subside, while you have all the time in the world to work on the
| > data. In a year or so, random names in the data start having identity
| > theft problems. The recovery of lost or stolen data should never be
| > the end of the case. Period!
| >
| >
| >
| >>That is one aspect of the typical corporate response to data theft
| >>that irked me when I was writing about this topic for the latest
| >>issue of Baseline. No company can ever really know that data wasn't
| >>accessed or that thieves weren't after data, etc. -- a point on
| >>which I quoted a forensics expert from Kroll.
| >>
| >>It *is* such a smokescreen.
| >>
| >>-- Kim Nash
| >>
| >>Link to the article:
| >>http://www.baselinemag.com/article2/0,1540,2069952,00.asp
| >>
| >>
| >>
| >>
| >>-----Original Message-----
| >>From:   dataloss-bounces at attrition.org on behalf of B.K. DeLong
| >>Sent:   Fri 12/15/2006 8:17 AM
| >>To:     Roy M. Silvernail
| >>Cc:     dataloss at attrition.org
| >>Subject:        Re: [Dataloss] [follow-up] Boeing fires employee whose laptop was stolen (fwd)
| >>
| >>If you look through a lot of the dataloss articles, you'll see many
| >>media spokespersons claiming similarly that password protection is
| >>enough. Might be an interesting stat to track in the database.
| >>
| >>On 12/15/06, Roy M. Silvernail <roy at rant-central.com> wrote:
| >> > Gotta love this.  security curmudgeon forwarded:
| >> >
| >> > > Even though the employee data was not encrypted, the laptop was turned
| >> > > off. That means the person who stole the computer would not be able to
| >> > > access the employee data without a password to open the computer once it
| >> > > was turned on.
| >> >
| >> > Wrong.  As I pointed out on my blog
| >> > (http://www.rant-central.com/article.php?story=20060914170634681),
| >> > that's purely a CYA statement with no basis in fact.
| >> >
| >> > How long will these outfits be able to get away with this smokescreen?
| >> > --
| >> > Roy M. Silvernail is roy at rant-central.com, and you're not
| >> > "It's just this little chromium switch, here." - TFT
| >> > CRM114->procmail->/dev/null->bliss
| >> > http://www.rant-central.com
| >> > _______________________________________________
| >> > Dataloss Mailing List (dataloss at attrition.org)
| >> > http://attrition.org/dataloss
| >> > Tracking more than 143 million compromised records in 507 incidents over 6 years.
| >> >
| >> >
| >> >
| >>
| >>
| >>--
| >>B.K. DeLong (K3GRN)
| >>bkdelong at pobox.com
| >>+1.617.797.8471
| >>
| >>http://www.wkdelong.org                    Son.
| >>http://www.ianetsec.com                    Work.
| >>http://www.bostonredcross.org              Volunteer.
| >>http://www.carolingia.eastkingdom.org      Service.
| >>http://bkdelong.livejournal.com            Play.
| >>
| >>
| >>PGP Fingerprint:
| >>38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE
| >>
| >>FOAF:
| >>http://foaf.brain-stream.org
| >>
| >>
| >>
| >>
| >>
| >
| >
| >
| 
| 
| 

