I will forgo my 6 figure consulting fee this time but if I have to keep redoing my original work I might start charging
The government sent the security industry into gales of laughter today when it insisted that sensitive documents on Hazel Blears’ missing PC are quite safe, as the machine is “password protected”. The gov’s soothing words came amid speculation on what formal action, if any, communities and local government secretary Blears …
Well it is a step up from a bunch of easy to read papers in a folder on the back seat, as is normally the case
Not much of a step up however.
They really don't understand what they are talking about do they... and how easy a password is to crack.
Knowing the IQ of MPs the password was probably "password" or "holiday", or the dog's name.
Thanks for that, I need a new screen now, after spraying coffee all over it.
I know our government is monumentally crap at IT, even if it's just by the vast amount of my money they waste paying their corporate f***-buddies to screw up every NHS/Police/Tax/etc IT scheme going, but after the recent string of privacy breach idiocy and failed security, this just takes the biscuit.
Sadly, Paris, because we now have proof that she's significantly more intelligent and useful than my government
She really is neither use nor ornament. Fingers crossed for the message of 'unequivocal support' from No. 10.
Anyone else spot in the other article how her spokesdroid said she had both 'constituency' and 'departmental' data on the machine, but nobody should worry because there was no personal information contained in the departmental data? I can't see her keeping her job if she's exposed her own constituents to blackmail and identity theft.
I now feel thoroughly reassured about our government's understanding of digital security.
Can I suggest some possible passwords they can use for protecting machines holding sensitive material in future that would reflect this?
Or how about 'fuckw1ts' ?
"In the meantime, the government might do worse than despatch a crack MI5 team down to Waterloo Station to scour the trains post rush hour, as this seems to be the main clearing house for sensitive government information these days. "
One wonders why sensitive information is shared with them... these days.
Hazel's family members' bday
Tony Blur's bday
days Gordo has left in office
year Noo Laboor got into office
betcha it's something obvious! this is Noo Laboor, IT f*cktards one and all.
(where's the *I hate Labour because they are cr4p and ruining my income* icon?)
"In the meantime, the government might do worse than despatch a crack MI5 team down to Waterloo Station to scour the trains post rush hour, as this seems to be the main clearing house for sensitive government information these days."
Yes, but the Americans won't let Brown do that - we know that from Borg Ultimatum, don't we? The CIA keeps that playground to itself.
Civil servant breaks procedure by removing sensitive docs, leaves them on a train and gets suspended subsequent to probable sacking or demotion.
Minister breaks procedure by downloading sensitive docs, PC is pinched and the No. 10 spin machine whirs into action declaring that the free world is safe as the machine was password protected.
Now where's that Linux live CD that edits the Windoze SAM file...
Assuming it is a Windows machine with the encrypted file option available (Windows 2000 SP4 certainly has it) then it should be very difficult to get the contents of the file. But how many people know that option exists? Furthermore, how many people use it? Doh!
That being the case, you don't even need to crack a password. Remove the hard disk, stick it in an external USB case and mount on another machine. Da daahhh!!!
[Just passing it to Blears]
I'd love to know which password they are talking about, BIOS, Windows or MS Office. The first two aren't just trivial to crack, you don't even need to crack them to get to the files on the disk unless it's encrypted. I'd offer to demo how long it takes to crack their files but I don't invoice by the minute.
Ok first a lesson.
CD with SAM database password reset program. I now have local admin access to the machine and all data on the machine.
Now that's over with I highly doubt some local tea leaf will try and out any info on this machine as it's probably already been formatted and rebuilt with XP. That's not to say anyone with half a brain cell could interrogate the drive and get the docs back but you'd open yourself up to a charge of receiving stolen goods and maybe a nice spell in chokey while they wait to allow you access to Habeas Corpus.....
Really - Gov docs are mind numbingly boring to the average person so why nick a computer for that rather than the sum of its parts.
So the potentially sensitive documents are safe because the machine has a password, well that's just fine then.....
What kind of *!$%ing idiots are running this country? And they want to bring in national ID cards, they haven't a clue. If brains were dynamite they couldn't even blow their hats off.
Has to be Paris, she might not be the sharpest knife in the box, but she could show these prize muppets a thing or two.
".. cracking a password, as opposed to cracking an encrypted PC, is considered a trivial task."
Quicker to lift out the hard drive and install as D:\ on your own computer.
And if "the computer was password protected" is spokespersonese for "the documents were password protected" try opening a protected MS Word document with a text editor!
Put it in perspective - it's not like Hazel Blears will have access to any interesting information
"The Government was in turmoil today as it was revealed that the Secretary of State for Communities and Local Government lost her PC which was said to have secret plans for better provision of park benches and putting a microchip in your bin"
The only thing you'd get if you read the content of her secret files is really really really bored.
More data stored on a PC that shouldn't have any information on it. As for the government's belief that everyone in the UK will buy the "password protected" bull then they are delusional.
What is even worse is that it isn't a laptop but a PC... Time people began thinking about protecting OUR personal information. If this information is sitting on a PC or laptop we have a right to know that it is secure. At the moment no one can give us this 100% certainty. There are products out there like BackStopp from Virtuity (www.backstopp.com) that protect data from these types of theft, even protecting a desktop PC utilising RFID technology. If the machine leaves, the data is securely deleted. Now why aren't they using something like this to come out and say "A machine was stolen, but we know the data was securely removed an hour ago without being accessed"?
Since that shower of incompetents have proven time and time again they can't be trusted with anything more technical than a digital watch - take all the PCs from them and give them Thin Clients. The ones which *don't* have USB or any other way to get data off of them.
I'll happily do their Citrix rollout for ooohh - 250 million??
It might as well be encrypted, but with a password to log-on on the encrypted disk.. ?
Seriously, do you expect politicians to be able to explain to 'the masses' what they do with their computer or how it is protected ?
I can only imagine that it is as toe curling as a senior manager or a CEO doing an IT security pep talk.
On the other hand.. they seem to have proven that it is impossible to underestimate their tech savviness or protection measures.
And I suppose that her password is/was ****** [because she couldn't remember 'password'].
Still nothing will happen to her. She's a Government minister and they don't have to follow the rules like the little (and poorer) people do.
And HOW ON EARTH did someone walk away with a DESKTOP machine? Without anyone noticing! Though I wouldn't mind betting that some clever sod held a door open for the guy taking "his" PC out to his car.
After years of attempts by HMG to secure quality information governance they really have only two lines open to them;
1. Formally discipline the person who breached security policy (in this case sack the minister not only from her post but from the government, she should also resign as a constituent MP. She can of course re-stand for her constituency, but let her constituents hear ALL the facts before allowing a by-election. Let the people decide about data security). Ensure that this hard line is taken against ALL members of HMG and departments of HMG, and give the IT departments technical tools to enforce Information Governance policy.
2. Give up the pathetic pretext of information governance altogether. "sorry everybody we can barely keep secret data secret, your personal records don't stand a chance".
As it stands the minister will probably survive, and some highly paid member of the civil service will issue another letter saying “this kind of behaviour will not be accepted, in future…..”
HMG have exposed themselves more often than Paris has (shame or shame ?)
Will Hazel Blears be prosecuted for leaking?
"(1) Where a Crown servant or government contractor, by virtue of his position as such, has in his possession or under his control any document or other article which it would be an offence under any of the foregoing provisions of this Act for him to disclose without lawful authority he is guilty of an offence if—
(a) being a Crown servant, he retains the document or article contrary to his official duty; or
(b) being a government contractor, he fails to comply with an official direction for the return or disposal of the document or article,
or if he fails to take such care to prevent the unauthorised disclosure of the document or article as a person in his position may reasonably be expected to take."
Incidentally, I have experience of securing systems on which Home Office data relating to criminal prosecutions is stored. And the rules clearly state that the device has to be physically secure (ie bolted to something big).
My carere as a hax0r is over!!!
Unless I is very smartz and trys:
Her child's name? Noes...
Her hubby name? Noes...
Her dog's name?
SUXXESS!!! I IS HAX0R SUPREME!!!
and it probably is... the entire concept of a complex password to try and at least put SOME sort of speed-bump in the way would be far too difficult. Paris would encrypt....
We received a letter this morning from St Georges Healthcare NHS Trust informing us that details about our son (who recently underwent minor surgery) were among those on laptops recently stolen from St Georges Hospital in South London:
In the light of yet another government data security fiasco, I thought I'd share the following paragraph in the letter with El Reg readers:
"It is our policy to store such data on secure central network drives which saves data away from the hardware of a computer. However, due to a problem with the network drive this data was being stored temporarily on the laptops until the problem was resolved. We have now fixed this issue and we are reinforcing all security measures across the Trust to protect our patients' confidentiality.
As all computers were password protected, only authorised staff who had the correct password could access the data. Therefore, there is only a very small chance that any patient details have been passed on"
It would be interesting to know how long that period of "temporary" storage lasted, wouldn't it?
You had a good run son. You almost made it to 3 years of age before your medical records escaped onto London's trash-strewn streets like so much, errr, trash.
I work for a company that is cleared to handle and store documents up to and including Top Secret, these documents are usually to do with national security / intelligence etc.
Because we are a private company not a government department the amount of work we have to do to secure the information we have is amazing. The rules and regulations on what can and can't be done, who can and who can't see things, audit trails, physical as well as software security, air-gaps on machines, no cables crossing due to Tempest, the list goes on..
When I read a story like this it makes me wonder why we bother going to such lengths, the government don't seem to bother!
it is now an everyday event that sensitive information is stolen, mislaid, blah blah
and this is only the tip of the iceberg that we find out about......
We can have no confidence in any government that allows ministers to stay in place when such events occur.
As Gordon Brown would find out IF he bothered to ask security experts, password protection is all but worthless and very very simple to crack; probably the password was written on a post-it note on the monitor.
It would appear that all government departments need to run an intensive security course and dismiss people who do not comply.
Only the thought of loss of lucrative employment combined with threat of legal action will change people's attitudes. I hate to think what information they carry about on their phones.
There is shortly going to be a point reached where we all have had our personal information given out by the government. Is it a plan to stop us moaning about the ID database, where they can quite rightly say "it's only information that is in the public domain anyway" because we have put it there?
Imagine this hypothetical situation:
You work for a private company and have access to the HR database (including payroll). You've been given training on the procedures for protecting this sensitive data. You knowingly and willingly disregard this and take a copy home with you (but keep it in a hidden folder). It gets stolen.
How long before you get shown the door?
If ministers can do this, why are we all spending loads of taxpayers' money on encryption software?
I would be sacked if I had GPMS documents on an unencrypted laptop that was stolen. Or even if I had them unencrypted on my PCs at home.
This really is something that warrants a minister resigning, especially after all the fuss they have been making about civil servants and contractors doing it.
the only solution, they cannot pass the computer test, then they cannot use it.
We do it for cars, and in some ways there is less of a risk. They make blunders like this and they have points added to their license, in this instance it should be an automatic ban for at least 6 months, and a resit of the test.
If she needs to use a computer for her job, then she should either pay for a person out of her own pocket to use the computer for her, or she takes public computering - damn the analogy broke down just at the end.
Personally I'd just give them a thin-client on the laptop (or desktop) and store everything centrally in a hoofin' great server behind several feet of concrete, steel and armed guards. Then GIVE them strong passwords they CANNOT change and make it a "revocation of computer privileges" offence to write it down or give it to anyone else. You can't do much more than that.
My work laptop IS password protected.
On Dell Latitude laptops, there is an option in the BIOS to set a password which protects the computer from booting. Works great!
Oh, and the whole drive is encrypted with TrueCrypt's System Partition encryption facility. Which is free. As in "Don't have to pay for it."
Go look it up.
Which means Windows log on.
In separate news, "hackers" are requested to avoid all Linux Live CDs not because they allow the bypassing of most windows security, but because there's... err... a virus.
You've gotta wonder who'd nick a desktop from an alarmed office. More amazing still is that with all the CCTV going about no-one noticed anyone who looked suspiciously pregnant or overweight- just in a very cuboid way...
Anyone with a rucksack or with anything shoved up their jumper should be tracked down using the top-notch (you'd hope, given that it's being inflicted on the rest of us) security there and kept in cells for questioning. For up to 42 days on the grounds that "the PC they improperly secured contained information potentially of use to Terrorists". See how they like it...
I think time has come for Politricians to be given a competency test ?
How about general knowledge or even IT based testing Politicians versus 12 year old kids ?
( I know who to bet on here, the 12 year old would definitely have a few more brain cells than the whole of NU LABOUR cabinet.)
Or even better still how about Computers for Dummies to be sent to all law makers who try to create new laws in an environment they know nothing about ?
Well she would if she were a bloke.
It seems Portsmouth North MP, Sarah McCarthy-Fry had her Hotmail account 'hacked'.
The enterprising miscreant sent an e-mail to everyone in her address book claiming she was stuck in Nigeria (bit of a give-away, that) and needed £1000's to get home.
BBC News Story:
Paris, 'cos there isn't a dopey-looking MPess icon.
Frederick Karno wrote above:
"It would appear that all government departments need to run an intensive security course and dismiss people who do not comply."
I agree. We live in an information economy & society for gawd's sake. Our politicians and public servants should be obliged to obtain and *demonstrate* a working knowledge of data security technology and practices, together with performance appraisal to ensure that they can not only talk the talk, but are also walking the walk. As we know, security is as much about behaviour as technology.
Despite the fact that we live within an information society and are dependent upon a data-driven economy, we are still being governed by a generation of people many of whom barely understand the difference between hardware and software. Time for a forest fire. If you don't understand encryption and other security-related technologies, if you don't observe best security behavioural practices, away for re-training with you! If you fail the courses, thanks for your efforts, but this is an information society we're living in here. Here's your (analogue) carriage clock. Next generation please!
It's always fun to bash New Labour, but if I park the actual contents of the machine to one side I'm a bit mystified why the woman (from the little data I have seen) gets bashed for having a DESKTOP PC stolen from an ALARMED room.
It's not like she walked out of the building with the machine and forgot it on the train or, in a break with tradition, left it in a cab.
I'd first give building security a real roasting, and then use the opportunity as proof that the INSIDE of Whitehall et al needs fully saturated CCTV coverage :-).
I think you are all cruel. Password protection on Windows is in fact OVERKILL. I suggest that you just use a piece of sellotape to hold the lid down. That will fool anyone who goes to the trouble of breaking into a locked and alarmed room to steal a computer. They probably don't even have the right type of electricity.
Imagine the hilarity if every El Reg burned a CD filled with random data, labelled it with things like 'For Hazel B - URGENT!' and left them on trains and buses across the nation.
Okay I admit they'd be hard to find amongst copies of the Metro and all the legitimate government CDs that have been left behind, but it'd be amusing to see the PM standing in the Commons trying to work out if the disk called 'Iran Battle Plan' found on the 08:25 to Grimsby was genuine or not.
The only way to come up with a memorable secure password is to think of a life-changing event and then take the first letter of each word, include numbers and non-alphabetic characters, and vary the case of the letters.
In Hazel Blears case, a good password would be:
The life-changing moment: "I truly fucked up on 17/06/08 when I down-loaded files from 10 Downing Street and thought a password would keep the contents safe!"
Use that password to access the files encrypted by TrueCrypt as others have already suggested. Job almost done. "Almost" - because it's still not perfect, but it's a lot better than trusting in Redmond.
And a thousand times better than trusting in gov.uk.
Quoting AC above:
"...but do I have to see a picture of that ginger dwarf on the El Reg main page?"
Sorry AC but I'm beginning to think we should see more of her <shudder>. She should be on cctv full time, the same for all our politicians and senior civil servants, recording their every word and move - for their own protection, of course.
Nothing to hide, nothing to fear!
I'm helpless with laughter at that statement, password protected only from those under the age of three years.
I suppose it's just one very small rung up the security ladder than tossing 26 million records into the post & hoping they turn up at the right destination, but wait, they are going to shove every bit of data about us onto an ID card very soon, ram it down our throats & charge us £80 or so for the privilege, no doubt that data store will be 'password protected' as well.
could do better
Yes Labour are muppets, but most of the lapses so far are concerning the Civil Service not the actual politicians, apart from this loss.
Same problem would exist if The Cons were governing as well.
All these politicking to$$ers are as clueless as each other, regardless of party. Cameron and his sidekicks are similarly inexperienced as Labour in the real world. Can you imagine Cameron really understanding what is going on rather than blabbering any old bull cr@p about things? They are mostly all the same, with only a few precious exceptions.
As for the Civil Service, well what a bunch of time wasting lay abouts.
So, all these idiots need an IT department that can effectively manage their stupid liabilities.
They also need me in charge of the country to tell them what is what.
It never ceases to amaze me, but the Govt keeps how you voted in a "confidential" database, and refer to it for "canvassing purposes" around election time.
Imagine that falling into the hands of extremists? Left, Right or religious nutters - no matter.
AC - cos at least here I *can*
.....but since the person who stated that it was password protected is not employed in a technical role, maybe the machine was decently encrypted and he just didn't know the difference because from his perspective 'you have to put a password in'....
even if i'm right, she should still get fired for storing classified stuff on an unauthorised machine.
Looks like ministers don't understand leet. H4x0r5 will have a birthday. Thing is in the c1v1l_53rv1c3 is they expect those who are c0mpu73r_l173r47e to help the ones who aren't.
Those who suggest trucrypt.com should set themselves up as consultants (cutting me in of course) to gain lots of t4xp43r5_d05h.
Assuming it's a windows XP or earlier pc, take the following steps to get around windows password protection
1 - take out the hard drive
2 - insert hd into usb caddy
3 - connect caddy to another computer
4 - fire up computer, login, and browse mounted hard drive to your heart's content.
I thought the upper echelons of our civilisation were supposed to be smarter than us and hence why they rule over us. Where did Darwin go wrong and why didn't Guy Fawkes succeed?
Some people are incapable of learning from their mistakes.
You are suffering a serious lack of comprehension about our current government. In the same way they genuinely do not understand how they have pissed off the electorate in the run up to the local elections, they do not see this (and all the other data losses) as their mistakes. *Someone*'s mistakes but not *theirs*. In their eyes they really are the squeaky clean saviours they dream of being, instead of the dogshit Brown incompetents they really are.
That's the Dell boot password that protects the hard drive in a separate machine is it?
Truecrypt is another matter but it won't be implemented by the government as it's "open source and therefore not secure"
Digital security is easy for any intelligent person but totally beyond the wit of this shower.
Anonymouse cos I have to work for the clowns
We in government realise that the modern security challenge is defined by new and unprecedented threats: terrorism; global organised crime; organised drug trafficking and laptop trafficking. This is the new world in which government must work out how it best discharges its duty to protect people.
New technology is giving us modern means by which we can discharge these duties. But, as I have suggested recently, just as we need to employ these modern means to protect people from new threats, we must at the same time do more to guarantee our liberties. Among those liberties are the right to a government post for any New Labour member able to find a constituency amenable to his or her continual reelection.
Furthermore, we are assured by a consensus of experts that password-protected computers are worthless as anything other than paperweights, boat anchors, and souvenirs to any but their rightful owners. We are therefore pleased to reassure the British populace that all is well.
Here you go Mr Brown:
The 'buy it now' price is $4.00
I know the economy is in the toilet but surely you can stretch to that?
"would the Tories or the LibDems actually be any more computer savvy?"
Perhaps not, but neither of these parties is actively seeking to increase the amount of data the government holds. A sensible policy line after all these leaks would be something along the lines of:
"We know you value your privacy and you don't want your data to find its way into criminal hands, so we will now launch a review into all the government computer systems. On a case by case basis decide whether they are required or if the data each system holds can be reduced."
No government will ever do that though, it'd be sensible.
That this is just sheer incompetence, but damn it's as if this is part of some plan. I almost believe that some higher power is in control and it's their plan to leak all of this stuff. Just keeping on putting Muppets in charge and they will keep on losing data. The muppets are not even aware that they are part of this plan.
As I am 99.999% sure this was a windows machine, here is how to get the information back easily.
1: Download Knoppix
2: Mount the drive
3: Get the files
Oh wait, maybe they meant a boot password? Then all you need to do is rip the HD out and put it in another machine first. But I doubt they went this far.
Or maybe (even less likely) the HD was locked using the ATA standard lock. Then I guess they just have to get the platter out and analyse that. Shouldn't be hard for someone who could break into such an office. But then again, chances are the only protection was the login password on Windows ...
Paris, cause she was brilliant enough to listen to him when someone who knew security told her how not to get her stuff stolen anymore.
It is just incompetence and someone should be hauled up on the government IT side but you'll probably find there's no one specifically responsible (in that department) and to be honest most ordinary people (including MPs) have no idea about encryption or passwords or the difference between the two. Some years ago I worked in a Government owned organisation and my boss got PGP encryption (it was quite a while ago) installed on all the departmental laptops - we had huge grief from the users as they couldn't remember their passwords and weren't too happy to be told that we couldn't decrypt the drives (even though they'd been told that on numerous occasions losing the passwords would mean data loss).
There's also some interesting thinking going on in this thread i.e. thin client yes centralised government DBs/Servers no? You'd probably find that thin client would be way more secure as you could enforce passwords/password complexity/access policies.....etc. What you're seeing now is the general disorganisation in government (always been there but not as obvious) and the breakup into agencies....etc won't have helped either. Whoever gets in next time won't change it as they'll be too busy with 'getting' pointless 'things done' - probably by setting up some more agencies rather than sorting out the mess that's there ad infinitum.
If we all had ID cards, we needn't have worried about what went missing from HB's desktop.
All our data would already be in the public domain, and we'd have nothing left to protect. Ergo, we need not worry about privacy / ID theft / etc.
ID cards solve all your problems.
Mine's the heavy one loaded with aromatic herbs in all the pockets.
The fact that the miscreant who made off with the machine got into the building by breaking a window makes me think that it's highly unlikely that said miscreant is any kind of l33t h@xx0r. More likely said miscreant had offloaded the PC at a car boot sale within 24 hours, and the buyer is e'en now stalking the streets of Mankchester with a baseball bat ready to be applied to the head of said miscreant. On the very reasonable grounds that when the buyer plugged it in and switched it on, it asked him for a password. Which he didn't know and, being ignorant of the machine's provenance, was unlikely to guess in a hurry.
Yes, ZaNuLabour and its mongrel hordes are seriously lacking in Clue when it comes to IT security, but how about, just for once, a sense of proportion?
Well, you're right there... It doesn't protect the hard disk when inserted into a computer which doesn't support this password protection feature.
Thank god, too! If it did, we'd NEVER be able to restore the data from these numpty idiots who forget their passwords, or hose the laptop by spilling coffee / wine / paint thinner on it.
As for TrueCrypt not being secure, I hope to GOD that you're being sarcastic. The ability to peer review open source code is simply THE most secure way a program can be released.
Legalised hacking would sharpen them up, after all it's just the same as now except the law abiding cannot join in!
Really it's time that Government data loss meant that the responsible person went to jail for a long time. Perhaps the simple word responsibility just doesn't register?
People love laptops, they are cool. Desktops are so last century, no one wants a big box with a separate screen and loads of messy wires that takes up a desk and therefore a room.
Imagine carrying that lot out of the building. I expect someone helpfully held the door open and maybe carried the printer.
On the other hand, if they only took the base unit, that would indicate that they wanted the DATA. If they wanted the data then they would spend the time and crack the password. Like I said, if it was a laptop then that's because they wanted a laptop, no one steals a desktop, duh.
If you want data then look in coat pockets for USB sticks and PDAs.
By the time this government has finished, there won't be a single shred of information about UK citizens that isn't in the public domain. That will include all biometric details (courtesy of the lovely ID database).
How then, will commercial organisations like banks actually verify anything?
Reports seem to indicate that the documents in question were emailed to the minister. If the email system was Outlook and using an OST, then the data is inaccessible without the correct user authentication details (as anyone who has tried to recover data from an OST knows). An Outlook PST is not secure - nor is any other email local store.
The real problem is that there is no complete bottom up approach to security. For a secure system, documents (of any type) must be stored in a management system that enforces classification, and any access must conform to that appropriate classification. Media transfers must also conform (to disk or printer), and so must any other process such as email.
Of course, there is actually no such system that integrates classification for applications, user devices and server solutions, and there will not be while the Govt insists on buying COTS solutions. And the only way such a solution could be integrated would be via the Open Source community, where the ability to see and modify everything at the source code level for a customised solution beats the non-free world where you would have to get several hundred vendors to co-operate.
And that does not stop someone walking out of Whitehall with a printed copy of a secret document and leaving it on the train - when will printer paper with embedded RFID tags be available so they can be stopped at the door?