Ohio governor and his IT manager
A data storage device with the Social Security numbers and other personal information on all 64,000 Ohio state employees was stolen from a state intern’s car last weekend, Gov. Ted Strickland said.
The governor’s office said the storage device also may have held information about participants in the state’s pharmacy benefits management program and the names and Social Security numbers of their dependents.
Strickland said it takes special equipment to access the information on the device, so he doesn’t believe the workers’ privacy is in jeopardy.
Deeper into the article, it says the special “device” was valued at $15. It probably was a thumb drive.
Under protocol in place since 2002, a first backup storage device is kept at a temporary work site for a state office along with the computer system that holds all the employee information, and a second backup device is given to employees on a rotating basis to take home for safekeeping!
What?
There are souvenir t-shirt kiosks at my local mall that have a better understanding of IT security than the Great State of Ohio. And the fracking governor.
A $15 device? Sounds like a thumb drive. And [to get the data] someone would really have to know what he was doing. You mean a high school kid with a computer and a USB port? Good grief!!
Thus we’re not going to worry one bit about the FBI’s new 6 billion record database.
[Aside to Eideard — better be careful with those pix of Mickey, Disney’s watching and you’ll end up on that database. 😉 ]
I’ve been in that database since 1959.
I know why it’s hard to access…
http://www.dvorak.org/blog/?p=11490
There is no backup!
>Ohio governor and his IT manager
Which is the governor and which the IT manager?
That explains why the people of Ohio voted for Bush.
Incidents like this remind me ordinary people aren’t accustomed to the nature of digital information. It’s not that they’re terribly stupid, but we’re in a mid-generation where many still, and a good bit of the next generation, won’t understand the importance of security that should be brought with the sensitivity. What makes even more sense is data like this will need to be less important through different ID authentication methods, aka voice and heuristic information of a certain person, instead of just a number that can be used to turn their life into a living hell.
#5 – Actually they didn’t… until the Repuglicants fixed the election.
#5 and #7 – Ted Strickland is a Democrat who won in the last election. He replaces the laughable Taft.
Bob Taft’s folks most likely set up this protocol. Heck, it could go back to Jim Rhodes. So…. maybe the backups were on punch cards or 9 track 😉
Security thru unavailable hardware!
Strickland (who seems like a pretty good guy so far) has only been in office for a few months and I doubt he even knew about this procedure.
Thank you #9 for pointing out that Ted the guv is only recently elected and only responsible for it to the extent that it happened “on his watch”. I am so tired of the scapegoating in politics. The fault lies with the intern that left the backup in his car, parked in an apartment complex well known to the residents to have had many auto break-ins in the previous months. His immediate supervisor (who thought the intern responsible enough to be trusted) should also hang.
While I think Strickland is a dip shit (for reasons going back several years and personal, a family thing), this isn’t his fault. He probably won’t get a second term, however, as he is well to the left of his state, only winning because of the complete stupidity of Ohio Republicans.
Anyone who believes the typical government agency understands security hasn’t been paying any attention to the media in the last ten years. From the Pentagon to the NSA, there have been so many well documented incidents of breach that a prudent person accepts if the government has it, so will a hacker. Your first clue the FBI, CIA, et al are not too swift is the ridiculously high number of cases involving totally wide open data where zero bits were encrypted.
As for USB drives – surely you jest? Their vaunted “biometrics” is a fingerprint which can be fooled by nothing more sophisticated than a Xerox copy. And most passwords are so lame they can be cracked with digital technology little more advanced than an Atari. USB encryption can be made sufficiently strong to deter all but the most determined, but you won’t be purchasing that level of strength off-the-shelf at Best Buy or Wal-Mart. In the interim, carry your USB where the sun don’t shine as that’s your best bet most won’t want to open it. That also lends a new meaning to “Brownie, you’re doing a heck of a job!”
Like most government pronouncements, its effluent level is very high. To set their hubris aside, consider that the government and corporate definition of adequate deterrence can be summed in four digits: a PIN. The very same PIN the banking industry adores. A PIN will break in under 30 seconds — even on a vintage 286 home computer. Remember boys and girls, 4 digits – that’s it – a variation on 0-9 with a very finite number of permutations. W’s is his birthday so most days he can remember it… unless he confuses the day month or year, and then he has to ask Laura or look at the Post It note stuck to his ATM card.
My apologies re the post filled with typos. I plead too many beers on a Saturday night and laughing so hard my eyes teared at the thought of the words ‘government’ and ‘security’ in the same sentence.
The only absurdity greater is Wal-Mart protecting your medical records on their web site. That’s both hysterically funny and insanely naive simultaneously.
Why does a lowly intern have this information?
#11, Thanks for the info on Strickland. I am impressed to the same degree as your predicting the 2006 Federal elections and McCain’s chances of becoming the Republican Presidential candidate. Maybe that should be one more reason I should like the guy.
13—I too blew beer thru my nose as I read your post. Must be a virus going around.
Very strong USB Encryption is super easy – just use TrueCrypt… it’s free, and works great!
Cheerio!
TrueCrypt truly is quite effective. Pray tell, where did you buy it off the shelf at Wal-Mart or Best Buy? And then there is TrueCrypt’s slight challenge re the user having administrator rights… or the user even knowing what administrator rights are (not to be confused with the Decider’s abilities).
The really sad chapter in all this is easy-to-use yet strong security is available. My associates and I offer a software product that employs triple encryption in such a manner that the user doesn’t even have to remember a password. (www.safekey.net). This is a factual statement and NOT to be confused with a plug for our product. Rather my comments are to toss some light on the fact that 99.9% of government and corporate employees (let alone the typical Wal-Mart shopper) would not know quality security if it danced in front of them in a red, white and blue outfit singing Yankee Doodle Dandy.
“$15.00 security device”… yeah, that’s the ticket to protect your identity or the personal information of all 64,000 Ohio state employees. Anyone who buys that “$15.00 security device”, will shortly be introduced to some folks with a hell of a deal on a bridge in Brooklyn.
#15…..you should love Strickland, he’s just like you…a far left liberal who spouts the daily liberal line even in his sleep. He never met a government giveaway he didn’t like or a tax he couldn’t double, a baby he couldn’t abort, or a leftist dictator’s ass he wouldn’t kiss.
It’s June Fusion….I still expect a McCain win for the Republicans. I don’t think Giuliani can make it, but Thompson very well could.
I now am convinced your party will self destruct and it will be Hillary.
Looks like I might be voting Libertarian next year.
Hopefully someone will read this late post — Ironkey is freeware and way cool for sending encrypted files. Its weakness, just like a one time pad — getting the key to the recipient. A phone call could do it.
http://www.kryptel.com/products/ikey/index.php
One of my hats is IT for a small company, and I’ve been backing up to a flash drive for quite some time. It’s a poor man’s off site backup, just in case the office burns down over night. I suspect some of the wiring may not be exactly code.
OmarTheAlien
Do an offsite backup via a secured VPN…
1. first encrypt the database,
2. use Public Key to assure sender and receiver,
3. and encrypt the tunnel.
4. automate the process so it happens every night without fail.
Nothing wrong with a USB device for backup, of course, but they are easy to lose and they are rarely adequately protected unless you purchase software to assure it can’t be accessed by anyone else.
Should you need something like this… http://www.safekey.net. I’ll be happy to provide substantial discounts to anyone from this blog so no one thinks we’re trying to profit from their needs. Once again, a disclaimer, there are other software programs that may offer similar protection.
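The four steps listed in the comment above, sketched with stock `openssl` as an added example that is not part of the original thread or any product named in it. File names, the backup host and the cron path are hypothetical, and SSH stands in for the VPN tunnel.

```shell
#!/bin/sh
# Added example (not from the original thread). All file names are hypothetical.
set -eu
umask 077

# encrypt_backup <dump> <receiver_pub.pem> <sender_priv.pem> <outdir>
encrypt_backup() {
    src=$1 rpub=$2 spriv=$3 out=$4
    key=$(mktemp)
    # Fresh random passphrase per backup; it never leaves this host in the clear.
    openssl rand -hex 32 > "$key"
    # Step 1: encrypt the dump itself (AES-256, PBKDF2-derived key).
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$key" \
        -in "$src" -out "$out/backup.enc"
    # Step 2a: wrap the passphrase to the receiver's public key (RSA-OAEP).
    openssl pkeyutl -encrypt -pubin -inkey "$rpub" \
        -pkeyopt rsa_padding_mode:oaep -in "$key" -out "$out/backup.key"
    rm -f "$key"
    # Step 2b: sign wrapped key + ciphertext so the receiver can check the sender.
    cat "$out/backup.key" "$out/backup.enc" |
        openssl dgst -sha256 -sign "$spriv" -out "$out/backup.sig"
}

# restore_backup <dir> <receiver_priv.pem> <sender_pub.pem> <dest>
# Refuses to decrypt anything whose signature does not verify.
restore_backup() {
    dir=$1 rpriv=$2 spub=$3 dest=$4
    cat "$dir/backup.key" "$dir/backup.enc" |
        openssl dgst -sha256 -verify "$spub" -signature "$dir/backup.sig" \
        >/dev/null 2>&1 || return 1
    key=$(mktemp)
    openssl pkeyutl -decrypt -inkey "$rpriv" -pkeyopt rsa_padding_mode:oaep \
        -in "$dir/backup.key" -out "$key" || { rm -f "$key"; return 1; }
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$key" \
        -in "$dir/backup.enc" -out "$dest"
    rc=$?
    rm -f "$key"
    return $rc
}

# Steps 3 and 4 (shown, not run): ship over SSH from cron every night.
# Host and script path are hypothetical.
#   rsync -a -e ssh /var/backups/out/ backup@offsite.example:/srv/backups/
#   crontab line:  30 2 * * *  /usr/local/sbin/nightly-backup.sh
```

Only the receiver's private key can unwrap the passphrase, so a copy of the three output files on a lost drive is unreadable without it.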