How Cornell Plans To Purge Campus Computers of Personal Data 164
and so forth writes "Cornell lost a laptop last year with SSNs. Now, they've mandated scanning every computer at the University for the following items: social security numbers; credit card numbers; driver's license numbers; bank account numbers; and protected health information, as defined by HIPAA. The main tools are Identityfinder (commercial software for Windows and Mac), spider (Cornell software for Windows from 2008) and Find_SSN (python script from Virginia Tech). The effort raises both technical questions (false positives, anyone?) and practical issues (should I trust closed source software to do this?). Have other Universities succeeded at removing confidential data? Success, here, should probably be gauged in terms of diminished legal liability after the attempted clean up has been completed." Note: this program affects the computers of university employees and offices, rather than students' personal machines.
Good Idea (Score:1)
Re: (Score:3, Informative)
It only seems like a good idea. Its likely to miss things, and have false positives.
A better idea is...mandate full disk encryption. I have done it on my linux based laptop for years, 3 years before my company mandated it. Now, its mandatory. They rolled out a canned solution for departments that want it and don't know any better, and to the rest of us just say "its your ass if its not encrypted" and they make everyone certify, every six months, that if they use a laptop for work, its disk is encrypted.
Prob
Re: (Score:2)
However, if this scanning were implemented, then your own personal data would cause false positives.
Also, while thats a great long term goal, it means that any work that currently involves storing this data on the local machine needs to be changed. That could be a problem in one place, for one reason, or it could be in many places for many reasons. In short, thats going to take time to sort out and migrate over to the new model.
In the mean time, you can mandate disk encryption and solve the most common case
This is easy (Score:4, Interesting)
After logging off, revert to the last backup. If there's no data on the computer, there's no personal data on the computer. Anything you need saved goes on removable storage.
Re: (Score:2)
Well, there are two possibilities in this scenario:
1. The process takes entirely too long and if the person doesn't wait and walks away or just turns it off, the thief could still get the data. They used rdist when I was in college for campus kiosk computers. It was fucking miserable to wait for one of these bastards to boot or shutdown in the case of there being a problem which required a reboot (at the time a frequent necessity).
2. The computer isn't permitted to store any data and thus becomes pretty use
Actually, storing no data can be a good thing (Score:3, Interesting)
In an age of always-connected, treating computers as "smart terminals" with no long-term local storage save an encrypted self-destructing-on-wrong-password cache can be very useful.
Re: (Score:3, Interesting)
That is, until you, as a professor, go to the slopes of Mt. Kilimanjaro for a month to do research. At that point, the assumption of 'always connected' is incorrect, and you must carry data with you. Frequently, you must also carry some forms of student information, too, in order to respond to emails that you get from students when you are in town at the internet cafe once per week.
Re: (Score:2)
Something tells me that the configuration used for desktops (which pretty much anyone can use in most cases and can be taken as always connected) and laptops (which typically are used by a single person and not always connected) will differ.
Re: (Score:1)
And then the staff store the data on the removable storage and it makes it even easier to walk away with. Now instead of a desktop security breach, someone drops their usb drive on the train...
Re: (Score:3, Informative)
"1. The process takes entirely too long and if the person doesn't wait and walks away or just turns it off, the thief could still get the data. They used rdist when I was in college for campus kiosk computers. It was fucking miserable to wait for one of these bastards to boot or shutdown in the case of there being a problem which required a reboot (at the time a frequent necessity)."
Eww, yea that's not the best way to do it at all (Having to wait on anything that is.)
For Windows XP I use a program called Wi [wikipedia.org]
Re: (Score:2)
Deleting the FAT entries doesn't delete the data. A regex scan through the disk blocks could still pick up candidate SSNs or whatever for closer examination.
Hit submit a bit too fast... (Score:2)
Of course, if it's a encrypted partition with a freshly generated key each time you boot that's most of the way there - it requires a very competent attacker to extract the key from powered down RAM.
Easy Internet Cafes in UK (was: Re:This is easy) (Score:2)
It's actually something I quite liked as an idea - taking a look at Stelios' Easy Internet Cafes in the UK - when the user logs off, the PC becomes unavailable for about 6-7 mins, while it completely restores the harddrive, from a multicast broadcast on the local network.
The storage on the machine is strongly limited - but you're sure that unless someone were to infect the master (difficult) that noone could leave anything on the machine that you don't like.
Combine that with user network storage, and the PC
Re: (Score:2)
After logging off, revert to the last backup. If there's no data on the computer, there's no personal data on the computer. Anything you need saved goes on removable storage.
The article pertains to staff computers.
Are you saying a prof can't use his university supplied staff computer to work up a lesson plan, unless he puts that plan on some other storage?
You pretty much remove a major portion of the utility of the PC when you start insisting the be reverted on every reboot.
Re: (Score:2)
Yes, everyone is moving this direction now. They don't use local storage for their lesson plans, they use a NAS. Now instead of the data being stuck on your desktop when you forget it, it's on an everywhere accessible network location.
Re: (Score:2)
That's pretty dumb. Removable storage just means some bad guy can walk away with the data on the external drive.
What Identityfinder does (our university mandated putting it on all faculty and staff computers at the beginning of the year) is force you to decide to either remove the data from the machine, or *encrypt it*.
Re: (Score:2)
Re: (Score:2)
Surely you mean anything you need saved goes to the university cloud storage, so they can keep it physically secured. Your usb flash drive is a bit easy to snatch.
Re: (Score:2)
Your solution is entirely inadequate. I am a professor at a Big10 university. I have 41GB of files and data in my Docs directory. The point is, how do I know which of these files are protected? Your quip of "Anything you need saved goes on removable storage" is ridiculous. How do you protect the removable medium? What happens if you lose it? It was the loss of a removable disk 4 years ago that caused our state (and ergo our university) to attempt this same exercise. All of the tools are pretty useless. Its
What does "computers of university employees" mean (Score:4, Insightful)
Does this include professors?
I know a lot of scientists who would be quite annoyed if the people from the IT department (who are clueless policy-obsessed wankers at my institution) came in and wanted to search through a bunch of simulation results and LaTeX files looking for SSN's.
Re:What does "computers of university employees" m (Score:5, Insightful)
a) too fucking bad.
b) Sign this waver that says you are legally responsible if your repository of data were to contain information such as SSN/Credit Card etc.
I don't get the premise of the article. Scanning for credit card data and SSN is quite easy and simple. It's no more intrusive than a virus scan. Being opened, or closed source doesn't make any bloody difference either.
Intrusion detection systems should also be running and scanning for data that conforms with SSN or creditcard formats.
Re: (Score:3, Interesting)
b) Sign this waver that says you are legally responsible if your repository of data were to contain information such as SSN/Credit Card etc.
Unless he then shoves the waiver up the manager of the IT department's nose, that waiver won't do anything, the IT department will refer him to a secretary who will refer him to some policy and the comittee for something or other who will meet once a year and won't discuss it with him. Universities are usually more bureaucratic and inflexible than your local DMV.
Which is why Cornell will try to scan every computer on campus, not just those ones which are likely to have student or employee information on th
Re: (Score:2)
Well, a closed source solution could intermittently save a convenient credit card, and send it over the network to the author.
I think not (Score:2)
The only difficulty with this attitude is that it's only going to work for the Russian and Dance Departments. If you try it in Physics or Chemistry or Engineering, where a generic professor can be responsible for $1 to $2 million a year in no strings attached research overhead that goes straight into the university's hungry coffers, you will be quickly educated in the different levels of deference applied to cost centers (like IT) and profit centers (like research departments).
I might add that it's possibl
Re: (Score:2)
When you are the legal entity responsible for the data you get to draw up the rules.
And, while these types of people like to think they are above and beyond rules and regulations the equipment they use is not their personal property. Property purchased, supplied, or on the premises of such an organization is subject to the rules and regulations.
This stuff isn't a game. It's not about building pyramids, pleasing egos, or otherwise.
By the way, being responsible for a couple million dollars / year is jack-squa
Re: (Score:2)
Why does a bunch of techies unrelated to any of the actual revenue-generating activity at a university (i.e. teaching classes and doing research) get to be legally responsible for the data?
Let people whose data it is be responsible for protecting it.
Re: (Score:2)
Because, point of fact, they do not know how to be responsible with it.
A professors priority is his/her research.
If the professor was held solely responsible for the data in the eyes of the law then there probably would not be an issue. Instead the organization that actually owns the facilities is responsible for it.
Professors are employees. I know they don't like to consider themselves as such, but they keep accepting paycheques and using the facilities.
Re: (Score:2)
"Scanning for credit card data and SSN is quite easy and simple"
Sure, if you don't mind a false positive rate of 99%, which is what a colleague of mine got when he ran an automated tool on his machine that contained hundreds of GBs of particle physics data. Shocking, but its not hard to find 9 digit numbers (SSNs) or 15-18 digit numbers (CC) when you look at large repositories of quantitative data.
So the problem is, if you are mandated to run such software, and you get 1 million possible #s, what do you do
Re: (Score:3, Insightful)
And a) is the reason my department does not trust IT cowboys with any of our data. This is data that cost actual money to generate, not some shit we downloaded off BitTorrent for fun. I hope you get fired.
Well are you an arrogant and self-important little bugger. The fact is that improperly retaining and losing privacy act data costs money and reputation too (just ask the Veterans Administration). Potentially a lot more than some professors grading data where he stupidly tracks students by their full soc number. Or the sociology researcher keeping a huge database of personal info on their test subjects. The mandate for this action did not originate with the IT folks, but they were tasked to implement the
Re: (Score:2)
As someone who works rather intimately with the department-level IT guys at a university, this would be a disaster. They don't have time to install automatic encryption software on everyone's disk, and *we* don't have time to wait on the computer to run crypto on it. Yes, disk encryption software is pretty fast -- but it's slower than the RAID we're pulling the data from, and the CPU is busy doing other things.
If you can't trust your professors to follow *reasonable* instructions about the protection of per
Re: (Score:2)
Well, I can tell you that at Ohio State University, this is exactly what has happened. Effectively, every single machine that _may_ have ever had 'sensitive' (FERPA or HIPAA or Grant-defined) data on it must be encrypted. If it is lost & not encrypted, then it is the owner's burden of proof to prove that no sensitive data was on the machine; which is only possible if you have a complete & recent backup.
So, it can be done, but it is very expensive (though much cheaper now--BitLocker is really nice on
Re: (Score:2)
Why exactly is it the job of IT cowboys (I'll reuse the term from earlier as it is apt) to make sure nobody anywhere on campus does something stupid with a computer?
It's not the job of the lab safety mavens to stop people from eating plutonium.
Re: (Score:2)
Potentially a lot more than some professors grading data where he stupidly tracks students by their full soc number.
How would a professor get the students' SSNs in the first place? The university should have no need for SSNs assigned to anyone except employees.
Re: (Score:2)
Potentially a lot more than some professors grading data where he stupidly tracks students by their full soc number.
How would a professor get the students' SSNs in the first place? The university should have no need for SSNs assigned to anyone except employees.
Obviously you are younger. It was very common practice for schools, universities, public libraries, health professionals, and even some small businesses to request and use your soc number as your ID. A good deal of this cleanup is to find that old data that probably isn't even being actively used anymore.
Also keep in mind that in some cases the University does need your soc number for doing tax forms and dealing with some govt grants. Obviously the profs don't need it and it shouldn't be your uni library
Re: (Score:2)
Re: (Score:2)
It depends on the field of research. Medical researchers will often have 'sensitive' (HIPAA in the US) data on their test subjects. My university, like many others, until recently, indexed all students with SSNs, and if I downloaded a roster for use in Excel, I got the SSNs with no option to delete them. That's what really angered me; I didn't want or need the data, but they (the Uni) shoved it down my throat & then threw a fit years later and pushed the cost of fixing the problem down to the department
Re: (Score:2)
Re: (Score:2)
I have 20 years of IT experience, including bringing a companies into PCI compliance after a breach.
Scanning data, identifying what it contains and locking it down are not difficult tasks. 99% of the data scanned is unlikely to trip false positives and is a complete non-issue. The remaining data can be quickly categorized as likely, or unlikely to be relevant with an appropriate perusal. The remaining data, actual non-compliant data, will consume the most time in dealing with properly.
The first step is to i
Re: (Score:2)
Re: (Score:3, Informative)
so what you are saying is that i need to be storing socials as integers rather than strings, so they don't look like socials?
No it means you need to be storing the data in an encrypted file/folder. Believe it or not, doing it right is sometimes easier than trying to hide what is arguably illegal activity.
Re: (Score:2)
Why does anyone ever need to store the SSN's of students, anyway?
Re: (Score:2, Insightful)
Because not so long ago, it was common practice to use a student's SSN as their student ID number. In ~2001 and ~2004, I attended schools which changed their policies on this matter in those years, respectively. For each school, I started with a student ID that was the same digits as my SSN, and when I was graduated, I had a new student ID that was an unrelated string of digits.
Using the SSN as an ID is very convenient. For every incoming person, you have a unique number that they probably already have
Re: (Score:2)
Seems like you need to stop using SSN's as ID numbers, then, or tell students that they have the option of choosing another student ID number (and that if they use their SSN and Bad Stuff happens then it's their issue).
Re: (Score:2)
Does this include professors?
I know a lot of scientists who would be quite annoyed if the people from the IT department (who are clueless policy-obsessed wankers at my institution) came in and wanted to search through a bunch of simulation results and LaTeX files looking for SSN's.
As someone who has worked in an academic research group, I can attest to that. If such a program were instituted at my university, myself and others in our group would probably be less than forthcoming about the number and location of computers in our group. We certainly wouldn't relish the idea of giving folks from the IT department root access to all our Unix/Linux boxes which they would probably need to perform the kind of scan they're trying to perform.
I'm guessing, however, that this measure applies
Re: (Score:1, Informative)
I work at a university, I generally agree with your assessment. The vast majority of academic types get uncomfortable with any kind of monitoring. They do seem to accept that IT has admin rights on most things. What's great is that they refuse to accept any kind of content filtering on the campus network connection. I've also heard of professors having their connections shutdown for excessive bandwidth use who raised hell because it interfered with their academic freedom. I remember one story about a profes
Re: (Score:2)
Luckily the physics department I work for has our own IT guy, who knows the students and faculty and can cut through the bullshit.
Re: (Score:2)
Yes it does include professors. As a Ph.D. doing medically related research at a university, I've got some PHI data I need to include in some studies. It's encrypted and stored on secured servers. That's the way it's supposed to be. All the scanning software does is make sure you have it encrypted and not just lying around. THAT'S A GOOD THING.
Other reasons professors who aren't working with medical research need to do it.. Some of our departments used to use student SSNs for a lot of things. Data te
Re: (Score:2)
Then the correct policy is "Don't haphazardly store personal data on machines without considering what you are doing". There is no reason to barge into Dr. Smith's office, who's madly creating his slides for the conference next week while trying to babysit a supercomputer at Berkeley while fending off emails from his students, and insist in a very bureaucratic tone that you have to scan his workstation, the RAID, his other computer, his student's computer, and the two computers used to monitor various instr
Re:What does "computers of university employees" m (Score:5, Interesting)
Then the correct policy is "Don't haphazardly store personal data on machines without considering what you are doing". There is no reason to barge into Dr. Smith's office, who's madly creating his slides for the conference next week while trying to babysit a supercomputer at Berkeley while fending off emails from his students, and insist in a very bureaucratic tone that you have to scan his workstation, the RAID, his other computer, his student's computer, and the two computers used to monitor various instruments (which the other students are taking data on) for SSN's.
Unfortunately, Dr Smith is taking his laptop to the conference. He's much too busy to go on travel without taking all of his data with him on the laptop, such as his students grading info (SSNs) or info on the other proprietary projects he's working on. He he's too important to worry about such trivialities such as data protection policies issued by those idiots on the Board of Directors. After all drive encryption slows things down too much he hears, but in truth he doesn't know how to set it up. Of course his laptop gets stolen and now the University has to report that data was compromised. Suddenly Dr Smith is no longer an asset to the university but rather a liability.
Sorry, but anyone who has worked in IT or even law enforcement knows damn well that users will ignore written policies unless there is some level of monitoring and enforcement. Just scroll up a bit and you'll see examples of those guys posting stuff like "just store the ssn as an integer so they scripts don't find it".
Re: (Score:2)
If the grading info requires SSNs, you have bigger problems.
Re: (Score:2)
No one barged into anyone's office at a moment's notice. They notified us months before that this would be coming down, and gave a few more months to install the scanning software. Why is everyone on the other side of the conversation so out of touch with reality?
Re: (Score:2)
Re:What does "computers of university employees" m (Score:2)
Are they employees? Do they conduct "university business"?
All employees must acknowledge their custodial responsibility for the university information on the computer(s) and associated storage they use in the conduct of university business, whether university property or personally owned. This includes:
I have, in the past, used my desktop system to order things from suppliers. That is clearly "doing university business". Sometimes I save mail messages on my file servers. I sometimes plug a USB stick into one of them. I have about two dozen USB sticks.
Re:What does "computers of university employees" m (Score:4, Interesting)
http://www.newsobserver.com/2010/10/14/739551/unc-cancer-scientist-appeals-her.html [newsobserver.com].
What researchers need to understand (Score:2)
Is that while they can have sensitive data, they need to protect it. That does often mean working with the "meal 'ole IT department." I highly doubt Cornell will say "Nobody can have any private data, at all, ever." Not only would it is dumb to preclude them from getting some grants, it wouldn't work since their student records, payroll, etc will have said info. What they are probably doing is making sure that if you do have it, you secure it.
This is a real problem with some researchers. They just wanna do
Re: (Score:2)
No not so much. I'm not an IT administrator, just an IT support guy, and I work for a very nice, very accommodating boss. I also work with a lot of idiotic researchers. Well ok not a lot, but a few. Most of the researchers are pretty reasonable people, but some aren't. They just want to do their own thing and not be bothered, and then wail and howl when something gets infected and we have the gall not to make it the #1 highest priority to fix (by departmental policy, research systems are 5th priority).
The p
Re: (Score:2)
"Why the $#%$ is the 834,734,123,233rd digit of pi wrong in my code?"
Then 6 weeks of debugging by a grad student...
Re: (Score:2)
It absolutely includes profs.
It's the people who believe they are above these rules that usually end up spilling personal data.
I've taught at a university. I can tell you right now I would definitely audit profs machines.
And to be honest to bad if they are annoyed. Suck it up as they say.
Re: (Score:2)
It absolutely includes profs.
It's the people who believe they are above these rules that usually end up spilling personal data.
I've taught at a university. I can tell you right now I would definitely audit profs machines.
And to be honest to bad if they are annoyed. Suck it up as they say.
Or another alternative is simply to lock the laptop in a desk drawer and when the IT guy asks if you have a computer in your office, say no.
Seriously though, why would you expect a professor to have credit card numbers or SSNs on a research computer? Would you mind if your home computer were searched to make sure that it isn't storing expunged criminal records from juveniles in Botswana?
Re: (Score:2)
You make the point for me.
"Seriously though, why would you expect a professor to have credit card numbers or SSNs on a research computer? "
This is exactly the reason for the scan.
My home computer is not a institutional computer. It does not carry a burden of trust. Thus is not under the dual responsibility of institutional governance and private. It's the institutional scan that is being discussed. They, the institution has a responsibility to scan it's equipment.
I of course also carry a moral responsib
Re: (Score:2)
My home computer is not a institutional computer. It does not carry a burden of trust.
If you mean by "institutional" that the computers are the property of the university, then I suppose they are but do they carry a "burden of trust"? I hardly think so.
I think it's relevant to ask what is the probability that these computers will be storing credit card numbers and personal data. I don't see why a physics professor's research computer would. Should the university also examine the contents of the professors pencil sharpener and coffee pot for state secrets? They are after all "institutiona
Re: (Score:2)
A physics professor is not exclusively involved in physics research. At some point almost every professor will also be and educator. As an educator they will come into contact with personal information that is put into there trust.
There are no exceptions. As coming into contact with personal information is likely for most institutional workers.
-- Note this article was about personal information. Not state secrets. That is a completely different matter when it comes to information handling. Thus the to
Re: (Score:2)
We're going to be doing this where I work. I believe it does, if the computer is University owned/administered. IIRC the software is not going to autoclean anything, just generate a list, which can then be followed up on by humans. The whole software installation and execution is centrally automated for desktops. Servers will probably need special attention, and as such, if a server cannot be reasonably expected to interact with personally identifiable information, it likely won't be scanned. However l
Re: (Score:2)
re: PeopleSoft:
I'm at University of Arizona. We switched to PeopleSoft this summer, at the cost of $60 million or so (which we can't afford at all -- maybe you have read about our crazy governor?).
Semester starts, grad students don't get paid (sometimes) for a month, grad students get bills for tuition we're not supposed to and get charged late fees, secretaries can't do their jobs helping students ... TOTAL NIGHTMARE, and everyone blames it on this PeopleSoft thing.
We'll get right on that. (Score:3, Funny)
We'll get on that, just as soon as our Y2K-bug vulnerability scan is done running.
Government, Corporate, and Institutional scanning. (Score:1, Troll)
I'm 100% for this. Personal computers account for very little in data losses. It's these "work" machines that account for the majority of the major information losses around the world.
As long as people are dumb / lazy enough to keep documents in the clear on their machines there will be losses.
I would also go as far as to make certain quantities of types information on a machine illegal as well. For example: 1,000 SSN's, stored on a portable data device un-encrypted is a fine of $10,000. 100,000 SSN's
Re: (Score:2)
Above got marked a troll?
It was not. It was an honest opinion.
The other half... (Score:2)
It sounds like they are looking to catch accidental leaks.
I would like to know if they have examined their policies to reduce over-collection of unnecessary data.
If they never collect it in the first place, then they never have to worry about losing control of it later on.
Re: (Score:2)
It sounds like they are looking to catch accidental leaks.
I would like to know if they have examined their policies to reduce over-collection of unnecessary data.
If they never collect it in the first place, then they never have to worry about losing control of it later on.
Most leaks aren't accidental. It's laptops which never should have had the data saved locally getting stolen, or systems getting hacked into. First step is understanding where the data is, the second step is removing it from where it shouldn't be, and third providing adequate protection for the areas it must remain (ie encryption).
You have an excellent point about it being overcollected in the first place. Technically the way most institutions use SSNs isn't legal anyway. In the US its only legal to use
Cautionary Tale: Rat Penis Data (Score:4, Funny)
http://www.langston.com/Fun_People/1994/1994AXP.html [langston.com]
Excerpt:
DBAN (Score:1, Offtopic)
Have they tried DBAN [dban.org]?
Re: (Score:1, Funny)
That being said DBAN is the right tool for the job all the time. I need to remove a folder.. I'll just dban the whole disk. The folder is now gone... Problem solved.
Re: (Score:2)
So the guy who makes the joke gets modded Offtopic, then the AC who explains it gets modded Funny.
I hear fdisk works well (Score:1)
DD is open source though, and it's hard to beat erasure-by-thermite for entertainment value.
Re: (Score:2)
Please FWD: (Score:2)
To Rice U.: http://www.media.rice.edu/media/NewsBot.asp?MODE=VIEW&ID=14734 [rice.edu]
Seriously. Has no one ever heard of encryption? Or just not allowing people to copy personal data onto computers/media not behind at least 1 locked door?
Re: (Score:2)
Disk encryption has some serious usability and productivity issues. Specifically: to have even 128 bits of encryption, you must have a twenty-character completely random password. And performance will be hurt with it--ALL data must travel through the CPU. There's no DMA with encryption.
Re: (Score:2)
We should also keep reminding ourselves that encrypted data is inherently full of false-positives, for any sort of data test you feed it to. Yes, the sane thing to do would be to note that a file is encrypted and thus not amenable to string-comparison testing. But experience shows that this is not the way it'll be done.
I've seen any number of false positives that resulted from scans of binary executables by programs that didn't verify that their data was even vaguely formatted like the expected data. The
Re: (Score:2)
Encryption servers is a waste of time. Anyone who has the data has the crypto keys, too. Only laptop encryption makes sense--and only when you never write your password down.
Encrypt active machines, secure wipe disposals. (Score:2)
Constantly scanning every machine for sensitive data is too difficult to be effective.
Simply encrypt active machines, and use secure erase/destruction policies for retired hard drives.
Re: (Score:1)
Re: (Score:2)
Seriosuly. There are a couple of full-volume encryption options available right now, Windows (Vista and up) even has a built-in one. Lacking that, encrypt individual files (all versions of Windows since 2000) or use an encrypted folder or volume image created using any number of third-party options.
At some businesses, especially ones handling sensitive data, having unsecured sensitive data (present in clear text on a removable device, including a laptop) is grounds for termination. I don't think a universit
Ohio State University (Score:5, Informative)
Not that bad (Score:1, Informative)
We did this where I work recently, small-ish private university, lots of science, a hospital, etc. All the faculty and staff had to run IDF. The tech guys came in and installed it and showed everyone how to run it but weren't allowed to see it being run. The person was required to run it and sort through the results themselves. All of my department ran it fine, no problems, no complaints, other than spending time sorting results. It really wasn't that big a deal.
So... (Score:3, Informative)
TrueCrypt is your friend! (Score:3, Informative)
The best solution is to use whole disk encryption with the free opensource TrueCrypt software.
Although it is a shame that TrueCrypt does not support whole disk encryption on the Mac yet. At least there are some less trust-worthy closed options like PGP Whole Disk Encryption, which would be better than nothing.
Re: (Score:2)
One place where PGP has a genuine advantage is manageability. With Truecrypt, the best you can do to recover from someone forgetting their passphrase is to keep a copy of a rescue CD (which is generated at encryption time) and hope they never get curious enough to decrypt and re-encrypt their drive - a function which can't be locked down. If they do, new keys will be generated and the CD will be useless.
Oh yes, and you need to store that CD somewhere safely. One CD for every computer. In a university wh
Trusting closed-source software (Score:3, Insightful)
Re: (Score:3, Insightful)
nor is a given piece of software magically better by virtue of being open-source, nor are open-source developers somehow better than those who develop closed-source software.
No, but it's easier to analyze source code than binaries.
Should you trust closed source software? (Score:4, Insightful)
Should you trust the bank managing your transactions?
Should you trust closed source software in medical equipment?
Should you trust SAP to manage your financial transactions?
Should you trust a Windows computer for anything more important than your gmail password?
Should you trust Google Chrome when logging into your netbanking?
You know what? I think on the grand scheme of things trusting a piece of closed source software specifically designed to search for information made by a company which would literally be sued into oblivion if they did what the article was hinting at, ranks pretty damn low on the list of things I worry about.
open source is less secure (Score:1)
Laptops, desktops, thin clients (Score:2)
a) Nowadays there is no reason that information (especially in something like a university network) is stored locally.
b) since windows, osx and linux have out-of-the box encryption there is no need to subscribe to any software beyond the normal distribution with support.
c) the most tasks which require ssn or any other information are so standardized that a thin client will do the job. A thin client can also be a laptop with 3g, no
infromation to be stored locally.
d) Use VPNs to avoid the rest of the trouble
Re: (Score:2)
Point b is only true upto a point; from memory most of the 'os native' encryption only provides for upto baseline encryption standard - which isn't sufficient to, for instance, downgrade restricted to not protectively marked (least in the security classification scheme HMG uses); enhanced grade products are needed which is likely to mean they've been through a certification scheme and only maintain the certification when deployed in accordance with the criteria used to certify the product in the first place
needle in a haystack (Score:2)
Alum/ex-employee here: (Score:2)
I worked in IT for Cornell both as a student and for a short time after graduating (8 years ago). This honestly isn't news.
Hardly any employee computers have this kind of stuff on them to begin with. Most of it is stored on servers and not in a format you can say 'dump to Excel on my laptop.' I did some work with the admissions database as a student and I had to promise in writing in triplicate that I would be very careful with that data Or Else and even so, I never needed to download any of it. If I'd sudd
Re: (Score:1)
Re: (Score:2)
What the heck did you major in? Do you have a good job now?
Re: (Score:1, Insightful)
As a member of IT at a health care based company I can tell you that the machine sitting in the cube really isn't the problem. The problem is the laptops that get stolen off site, the CDs/DVDs of data that don't get disposed of correctly and the e-mails that flow with data that should never been seen outside of the company. This is to say nothing for those who try to take the data out on purpose.
While whole disk encryption, disabled USB ports and
Re: (Score:2)
The biggest problem is that there are formats (.ppt for example) that contain lots of long numeric strings. If they are scanned it is very easy to find "interesting" patterns in plenty in them,
So such scanning might discourage people from using PowerPoint? Would Edward Tufte consider this a problem?
Re: (Score:2)