United Kingdom Encryption

UK Prisons Ministry Fined For Lack of Encryption At Prisons

Posted by Unknown Lamer
from the not-like-prisoners-are-people-anyway dept.
Bruce66423 (1678196) writes The Guardian reports that the UK Information Commissioner has levied a fine of £180,000 on the Ministry of Justice for their failure to encrypt data held on external hard drives at prisons. The fine is nominal — one part of government fining another is rather pointless, but it does show that there's a little bit of accountability. Of course it's interesting to consider the dangers of this hopefully old way of storing backups; but the question of whether we do a lot better now is quite pointed. To make matters worse, one of the unencrypted backup hard drives walked away.

  • by WarJolt (990309) on Wednesday August 27, 2014 @12:15AM (#47762645)

    I can't imagine the identities of a bunch of ex-cons are that valuable.

    • by crioca (1394491)
      I can’t say I agree, but regardless there’s plenty of other uses for a database of 16000 criminals.
    • I can't imagine the identities of a bunch of ex-cons are that valuable.

      In the US that's 1% of the population.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      One word: Pension

      The US, UK, Canada and many other countries have old age pension systems that are all very easy to exploit if you have the number. Crooks amass multiple numbers and then collect the pensions. The system is very lax and doesn't check whether someone who claims to be 104 years old is really still alive and at least looks like he is 104, for example.

      Whenever you hear of some Romanian peasant who reached the ripe old age of 120, it is simply because he adopted the identity of his parent, bur

    • by Cardoor (3488091)
      where do you think all the bond villains get their recruits? "Hello, Mister Job is it?.... Oh, it's Mister Oddjob? Sorry... I'm calling from Goldfinger Staffing Services. We happened to come upon your resume'..."
    • by mjwalshe (1680392)
      I am sure any tabloid paper would love to get their hands on that data.
    • by Qzukk (229616)

      Who's stealing the identity?

      The drive walks away one evening, then the next morning it shows up and oh hey it looks like Doctor Death is coming up for release, he's served 999.9 years of his 1000 year sentence, it says so right in this excel spreadsheet, and excel never lies.

  • The fine is nominal — one part of government fining another is rather pointless, but it does show that there's a little bit of accountability.

    It seems like the two clauses of that sentence are contradicting each other. How does a "pointless" fine show any accountability at all?

    • How does a "pointless" fine show any accountability at all?

      It is not pointless. Bureaucrats care very much about their discretionary budgets and perquisites.

      • by apraetor (248989)
        They particularly don't like having to explain to their superiors that the budget is down £180k because they failed to follow compulsory data privacy protection regulations, and that the fines will continue to recur until they implement appropriate security.
      • Outsource all of the government functions - put it all out for bid.

        Outsource the management too.

        Have elections to select which management firms are eligible to be in the random drawing for the next 1,2,4, or 5 year cycle...
        • Outsourcing IT makes stuff like this more likely and can leave tech people in a place where they can't do stuff needed to make it work and/or need to disable it to be able to get work done, as some outside vendor picked something that does not work that well.

        • Outsource all of the government functions - put it all out for bid.

          Right. Just outsource IT to Oracle, SAP, or Microsoft. That is a wonderful solution.

        • The prisoners will win with the low-bid...they'll watch themselves for the low-low fee of 10 pounds/hr [well, for 8 hrs a day, after that it's overtime, and then working on weekends and holidays].

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          Outsourcing is the main problem with modern British government, you stupid fuck. Profit motive means doing the MINIMUM work for the MAXIMUM personal gain - it is the very opposite of what you need in a prison system, where pretty much none of the humans are informed, rational, voluntary actors.

          And changing providers every few years just to suit your stupid ideology eliminates the efficiency of experience.

          There is almost no British government function that has been improved by outsourcing, and IT projects ar

    • The fine is nominal — one part of government fining another is rather pointless, but it does show that there's a little bit of accountability.

      It seems like the two clauses of that sentence are contradicting each other. How does a "pointless" fine show any accountability at all?

      Blame and hopefully a bit of shame perhaps, is better than nothing at all.

    • by denzacar (181829)

      Easy.

      You just have to realize that whoever wrote that "rather pointless" line is committing a fallacy.
      You know... by not grasping things like separation of branches of government or things like internal control or even the idea that THE LAWS STILL APPLY.

      He probably thinks that prison terms for government officials, be they politicians, soldiers, police or bureaucrats working in some office somewhere are equally pointless.
      After all, they are all government employees, just like the judges who would sentence t

  • To make matters worse, one of the unencrypted backup hard drives walked away.

    Of course it walked away. Thanks to Hitachi [youtube.com], they can even dance.

  • I can attest that the British MoJ is a Gilliamesque farce. It was as if an overzealous technocrat saw 'Brazil' and rebuilt the Civil Service in its image.

    I was a temp admin-monkey for 6 months after things went to shit in 2008/9, in what we called the 'Ministry of Paperwork'. The HR offices for the MoJ. Holders of 60k+ complete records of everyone who ever applied to work in the UK courts. Right up to the top judges and bigwigs.

    At this point we were using WinNT on boxes with XP CoAs and paying meeeelions
    • by JosKarith (757063)
      AFAIK Brazil was actually written partially based on Gilliam's dealings with the Civil Service. And MoJ is STILL using XP - they paid M$ £5m for the privilege of getting to use it for another year...
    • by dkf (304284)

      All built and supported by one of the most predatory firms in the UK, affectionately known as Twatos.

      Don't worry. They're just as bad in many other European countries too.

      Terry Gilliam must be laughing in his grave.

      Fortunately for him, Terry Gilliam appears to be still alive. Terribly selfish that, not dying on you just so that you could lazily use a cliché like that.

      • Maybe he keeps an (empty) one in his back garden just for times when he feels like laughing a lot. He's a strange chap.
    • by Cardoor (3488091)
      does he hang out in his grave with his laptop/wifi and read /.? last i heard, we still could fog a mirror...
  • by countach (534280) on Wednesday August 27, 2014 @05:17AM (#47763407)

    I can picture a scenario that if they were encrypted, the recovery key would be lost, or the person holding it would die or resign or quit and suddenly all the backups are unrecoverable. You can say ok, so the key should be kept somewhere secure, but where? When you answer that question, then why not put the actual backups there? It's not like you could have just one key forever either. That would be insecure to never change it. But to change it means having some filing system to keep the whole list of them from years and years back and storing them so people can find them. Then how are you going to encrypt THAT?

    • by Kijori (897770)

      There are plenty of solutions to this problem that only marginally reduce security. For example, keep copies of the encryption keys on index cards in a safe at the Ministry of Justice head office. An attacker would need both the backup hard drive and the key, and they are now in separate, secure locations.

      As for why not move the backups off-site too - it sounds like that is the long-term plan, and this is just the stop-gap for prisons that haven't moved over to it yet.

  • by LWATCDR (28044) on Wednesday August 27, 2014 @07:58AM (#47763865) Homepage Journal

    " The fine is nominal — one part of government fining another is rather pointless, but it does show that there's a little bit of accountability"
      in the voice of Sir Humphrey Appleby.
    No, minister, it is not pointless at all. You get to show that there is some accountability at no cost to the government in monetary terms. The error will be shown to be a problem with a contractor that is following his original contract instead of the new updated rules, so no one in the civil service will be held responsible, and in the end nothing really will change and we can get on with the business of running the government.

  • This is just another example of the way the UK government and Civil Service, as institutions, do not understand IT. Down at the bitface, there may well be some very competent IT people - but their voices do not reach up to the levels that have control. The people who actually make the decisions, both politicians and civil servants, have no gut feel for IT. They assume that if you hand over enough money to a plausible contractor, you will get something that works. The contractors, of course, are building someth

  • I don't believe fining is the correct punishment. I mean, go ahead, fine me, it's not my money anyways. I really think that was a travesty of justice; the person in charge should be suspended or fired. One government office fining another is a slap in the face of the taxpayers who pay the fine.
