Discussion:
VA firing
redjacket
2006-06-01 13:57:54 UTC
http://govexec.com/story_page.cfm?articleid=34212&dcn=todaysnews

VA official quits in aftermath of data theft
A high-ranking official in the Veterans Affairs Department has submitted
his resignation in the wake of the theft of personal data on millions of
veterans from an employee's home.

According to an Associated Press report, Michael H. McLendon, VA's deputy
assistant secretary for policy, said Tuesday he would leave his post on
Friday.

"Words are inadequate to describe how I feel about these recent events and
the impact on the band of brothers and sisters of service members and
veterans that we are supposed to serve," McLendon wrote in a letter obtained
by the AP.

"Given that this very serious and tragic event occurred on my watch and in
my organization, I feel it necessary that I tender my resignation," stated
the letter, which was submitted to the VA late Friday. "I would be modeling
the wrong behavior to my staff and others in VA if I took no action to be
responsible."

The theft of the data, which includes the names and birth dates of up to
26.5 million veterans, including about 100 spouses, occurred May 3 when the
home of a VA data analyst was burglarized in what authorities believe was a
routine break-in. Social Security numbers for some 19.6 million of those
veterans were on the stolen property, as was information relating to
employee disability compensation.

McLendon was appointed to his VA post in December 2003. According to a
biography of him issued by the 2005 White House Conference on Aging (on
whose advisory committee McLendon sat), he is the founder of McLendon &
Associates, a management consulting and public policy firm with clients at
all levels of government. Prior to joining VA, he worked on projects for the
Defense Department, U.S. Agency for International Development, World Bank,
Asian Development Bank, National Academy of Public Administration and other
organizations.

Last week, VA Secretary James Nicholson accepted responsibility for the
security breach and said the department is reviewing all positions requiring
access to sensitive data. Once this is complete, employees granted access
will undergo new security and background investigations.
La N
2006-06-01 14:04:10 UTC
Why anybody would take highly sensitive confidential work-related
information home on a laptop is beyond my ken. That is just *so* wrong,
particularly when it relates to the personal data of millions of people.

- nil
j***@earthlink.net
2006-06-01 14:53:27 UTC
Post by La N
Why anybody would take highly sensitive confidential work-related
information home on a laptop is beyond my ken. That is just *so* wrong,
particularly when it relates to the personal data of millions of people.
- nil
Did I ever tell you about the deputy ops chief who was selling his home
and to make the room he used as such look more like an office his wife
spread some of the papers from his briefcase on the desk? Someone
looking at the house recognized several exotic classifications on the
papers and called XIA security. The guy resigned within a week.
Rita Hansard
2006-06-01 15:55:19 UTC
Post by La N
Why anybody would take highly sensitive confidential work-related
information home on a laptop is beyond my ken.
To finish up some work at home.

That is just *so* wrong,
Post by La N
particularly when it relates to the personal data of millions of people.
That's where the VA has been so negligent. Training as to the sensitivity of
the material and employees knowing that if they remove the property they are
going to face some very stiff penalties would be a very large step in
prevention. Sit 'em down, explain things to them, and then make 'em sign off
on it. Do it every 3 to 6 months until they understand the severity of the
issue. Just that little bit of added security would have most likely
prevented this disaster. And when I use the word "disaster" here, it is due
to the fact that now the feds are going to most likely make it mandatory
that the agencies which are not high-risk terrorist targets be upgraded to
the level of security of which some of the rest of us already have to
abide -- and it is going to cost SO MUCH MONEY. -- Everyone is going to
suffer. The taxpayer. Those who participate in the VA. The current
administration. The people who sell state-of-the-art security systems will
probably make out like bandits, but this moves it to the level as is with
everything else. It's probably going to work the same as what weapon is
issued for military personnel, and we all know that it ain't necessarily the
best one.

Rita
Post by La N
- nil
Zoltan
2006-06-01 18:49:12 UTC
Post by Rita Hansard
To finish up some work at home.
That is just *so* wrong,
Post by La N
particularly when it relates to the personal data of millions of people.
It's going to happen.

The entire war plan for the Gulf War was on a laptop that was stolen in
London 30 days before the bombing was to start. See Colin Powell's "My
American Journey".

What's inexcusable is that the stuff wasn't encrypted.

There's a lot of OTFE (On The Fly Encryption) software readily
available.

This software creates an encrypted 'container' on any storage medium
that is completely illegible without the passphrase.

Once the passphrase is entered, a new virtual 'drive' appears on the
computer.

All sensitive data can be copied to this drive; you can even install
software on it.

Once the encrypted drive is turned off (or the computer is rebooted)
the data is hidden in a completely uncrackable file. When it's needed,
the passphrase will recreate that virtual drive.

I create 4.37GB containers on my hard drives; that way they're easy to
back up to a DVD. The DVD is secure, and can also be mounted using the
passphrase.

A lost drive/laptop will not compromise any of the information stored
on that virtual drive.

I use it for personal and financial information, but certainly any
government agency that has sensitive information on external drives,
memory sticks, or laptops should be using this.

Some commercial vendors are Bestcrypt, PGP Disk, and Steganos Safe.

Free (and open-source) software includes FreeOTFE and TrueCrypt.

My personal choice is TrueCrypt.

http://www.truecrypt.org/
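
An added illustration of the container mechanism described in the post above (not part of the original post, and not code from TrueCrypt or any other product named there): the passphrase is stretched with PBKDF2 to unlock a random master key kept in the container header, and sectors are encrypted and decrypted one at a time as they are accessed. The function and class names are hypothetical, the sample record is constructed, and an HMAC-SHA256 keystream stands in for the AES sector modes real tools use so that the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import os
import struct
import tempfile

SECTOR = 512          # bytes per sector; the header occupies one sector
ITERATIONS = 100_000  # PBKDF2 work factor (value assumed for this example)

def _derive(passphrase: str, salt: bytes) -> bytes:
    """Stretch the passphrase into 64 bytes: 32 wrap the master key, 32 MAC the header."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=64)

def _keystream(key: bytes, sector_no: int, length: int) -> bytes:
    """HMAC-SHA256 in counter mode per sector: a stand-in for the AES sector modes
    real OTFE tools use. Illustration only, do not protect real data with it."""
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QI", sector_no, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def create_container(path: str, passphrase: str, sectors: int) -> None:
    """Write header (salt | wrapped master key | MAC | random pad), then encrypted zero sectors."""
    salt, master = os.urandom(16), os.urandom(32)
    kek = _derive(passphrase, salt)
    wrapped = _xor(master, _keystream(kek[:32], 0, 32))
    tag = hmac.new(kek[32:], salt + wrapped, hashlib.sha256).digest()
    header = salt + wrapped + tag
    with open(path, "wb") as f:
        f.write(header + os.urandom(SECTOR - len(header)))
        for n in range(sectors):
            f.write(_keystream(master, n, SECTOR))  # encryption of an all-zero sector

class MountedVolume:
    """The 'virtual drive': sectors are decrypted and encrypted only as they are accessed."""

    def __init__(self, path: str, passphrase: str):
        self._f = open(path, "r+b")
        header = self._f.read(SECTOR)
        salt, wrapped, tag = header[:16], header[16:48], header[48:80]
        kek = _derive(passphrase, salt)
        expected = hmac.new(kek[32:], salt + wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self._f.close()
            raise ValueError("wrong passphrase or damaged header")
        self._master = _xor(wrapped, _keystream(kek[:32], 0, 32))
        self.sectors = (os.path.getsize(path) - SECTOR) // SECTOR

    def _seek(self, n: int) -> None:
        if not 0 <= n < self.sectors:
            raise IndexError("sector out of range")
        self._f.seek(SECTOR * (n + 1))  # sector 0 of the data area follows the header

    def read_sector(self, n: int) -> bytes:
        self._seek(n)
        return _xor(self._f.read(SECTOR), _keystream(self._master, n, SECTOR))

    def write_sector(self, n: int, plaintext: bytes) -> None:
        if len(plaintext) != SECTOR:
            raise ValueError("write exactly one sector")
        self._seek(n)
        self._f.write(_xor(plaintext, _keystream(self._master, n, SECTOR)))
        self._f.flush()

    def dismount(self) -> None:
        self._master = None  # the master key is held in memory only while mounted
        self._f.close()

def demo() -> tuple:
    """Returns (plaintext visible in raw file, wrong passphrase accepted, data recovered)."""
    path = os.path.join(tempfile.mkdtemp(), "container.bin")
    passphrase = "correct horse battery staple"                        # constructed sample
    record = b"name=Jane Sample;id=000-00-0000".ljust(SECTOR, b"\0")   # constructed sample
    create_container(path, passphrase, sectors=8)
    vol = MountedVolume(path, passphrase)
    vol.write_sector(3, record)
    vol.dismount()
    with open(path, "rb") as f:
        visible = b"Jane Sample" in f.read()  # what the holder of a stolen file can see
    try:
        MountedVolume(path, "password123").dismount()
        accepted = True
    except ValueError:
        accepted = False
    vol = MountedVolume(path, passphrase)
    recovered = vol.read_sector(3) == record
    vol.dismount()
    return visible, accepted, recovered
```

The protection holds only while the container is dismounted and is only as strong as the passphrase: whoever holds a copy of the file can test guessed passphrases against the header offline, which is what the PBKDF2 work factor slows down.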
Rita Hansard
2006-06-01 20:27:44 UTC
Post by Zoltan
Post by Rita Hansard
To finish up some work at home.
That is just *so* wrong,
Post by La N
particularly when it relates to the personal data of millions of people.
It's going to happen.
They could and should have made training mandatory which would have
prevented it from being likely to happen. I disagree that it's "going to
happen," unless you have a bunch of idiots running the show. Yeah,
encryption should be mandatory, too, but not even making your employees
understand that they are going to face a heavy price for removal of
government property is outright stupidity, and the VA didn't take the time
to train their employees, in fact they made training mandatory after the
major cluster occurred.

If this had occurred where I work, I'd be facing termination, fines, and a
possible prison sentence.

Rita
La N
2006-06-01 20:49:33 UTC
Post by Rita Hansard
Post by Zoltan
Post by Rita Hansard
To finish up some work at home.
That is just *so* wrong,
Post by La N
particularly when it relates to the personal data of millions of people.
It's going to happen.
They could and should have made training mandatory which would have
prevented it from being likely to happen. I disagree that it's "going to
happen," unless you have a bunch of idiots running the show. Yeah,
encryption should be mandatory, too, but not even making your employees
understand that they are going to face a heavy price for removal of
government property is outright stupidity, and the VA didn't take the time
to train their employees, in fact they made training mandatory after the
major cluster occurred.
If this had occurred where I work, I'd be facing termination, fines, and a
possible prison sentence.
Ditto here. Add to that: sued, ostracized, blacklisted, shamed, kicked to
the curb, rendered friendless, exiled to the eastern Mongolian Steppes ...

- nilita
Yaketyak
2006-06-01 22:53:34 UTC
You can't train common sense.
Rita Hansard
2006-06-01 23:33:22 UTC
Post by Yaketyak
You can't train common sense.
Oh, yes you can. Give it a few minutes to think about prosecution due to
removal of federal property, and you can train the senses real fast.

Rita
Baldur
2006-06-02 00:30:22 UTC
Post by Yaketyak
You can't train common sense.
VA management thought they could.
That's why this happened.
-=-
This message was sent via two or more anonymous remailing services.
Rita Hansard
2006-06-02 00:47:27 UTC
Post by Baldur
Post by Yaketyak
You can't train common sense.
VA management thought they could.
That's why this happened.
No, apparently they didn't. They announced that security training would be
mandatory only after the breach.

Rita
Baldur
2006-06-02 01:50:53 UTC
Post by Rita Hansard
Post by Baldur
Post by Yaketyak
You can't train common sense.
VA management thought they could.
That's why this happened.
No, apparently they didn't. They announced that security training would be
mandatory only after the breach.
They had such training before the breach.

All government employees get it every year.


-=-
This message was sent via two or more anonymous remailing services.
Rita Hansard
2006-06-02 02:34:53 UTC
Post by Rita Hansard
Post by Rita Hansard
Post by Baldur
Post by Yaketyak
You can't train common sense.
VA management thought they could.
That's why this happened.
No, apparently they didn't. They announced that security training would be
mandatory only after the breach.
They had such training before the breach.
All government employees get it every year.
And you know this how? Be specific. Do you work for all government agencies
or oversee all of their security measures? Just telling people they can't
remove property is not "security training."

Rita
Yaketyak
2006-06-02 23:49:05 UTC
But it does constitute a rule to be complied with regardless of
training if it occurred.

Rita Hansard
2006-06-03 08:03:57 UTC
Post by Yaketyak
But it does constitute a rule to be complied with regardless of
training if it occurred.
I never stated otherwise. I've said that proper training would have likely
kept the stupidity from happening. I'm more concerned with prevention than
punishment. Once the material is out, it's out, and the VA should have taken
steps to teach their employees to protect the information with urgency,
which does a lot of good.

Rita

Yaketyak
2006-06-03 10:42:59 UTC
Permalink
we agree. I would just like to see punishment because it will be a
definite attention getter for those who continue to work with others'
private data. I haven't followed it much since in the media.. kinda
disappeared but this disk you mention.. was it a cd, dvd or the laptop
HD ?
Rita Hansard
2006-06-03 22:20:37 UTC
Permalink
Post by Yaketyak
we agree. I would just like to see punishment because it will be a
definite attention getter for those who continue to work with others'
private data. I haven't followed it much since in the media.. kinda
disappeared but this disk you mention.. was it a cd, dvd or the laptop
HD ?
I don't have a problem with punishment. I just don't know what and how much
the law defines he can be punished, and I'm wary of civil suits against the
VA because it's going to hurt most those who use the facilities. It's really
all about money. Except for the lack of training. Whatever they "did" was
not effective training. A good guess as to what happened would be:

Okay, everybody, a meeting at 10 a.m. We're going to discuss how sensitive
information should be handled.

Meeting:

You people should not take sensitive material out of the office. Does
everyone understand?

Chorus:

Yes.

Training Crew:

We'll meet again in one year and discuss the situation. In the meantime, you
all can walk in and out the door with laptops and disks and God knows what
else cuz we've had our mandatory meeting.

Break time. Donuts for all. Take 'em to your desk and drop some of that
gooey dough on that letter the VA patient painstakingly wrote out by hand
explaining that his medicine had been changed and he should no longer be
charged for the old one.

Cripes.

Rita
Yaketyak
2006-06-04 00:47:32 UTC
Permalink
hindsight is always 20/20 I guess.. I just can't imagine the impact
this could have if all that information got into the wrong hands...
GL Fowler
2006-06-03 14:56:59 UTC
Permalink
On Sat, 3 Jun 2006 04:03:57 -0400, "Rita Hansard"
Post by Rita Hansard
Post by Yaketyak
but it does constitute a rule to be complied with regardless of
training if it occurred.
I never stated otherwise. I've said that proper training would have likely
kept the stupidity from happening. I'm more concerned with prevention than
punishment. Once the material is out, it's out, and the VA should have taken
steps to teach their employees to protect the information with urgency,
which does a lot of good.
Rita
In a society that infers it must warn the end user not to put their
hands under a running lawn mower. You have waaaay more faith in the
general population than I!!

Jerry
A jury is 12 individuals who decides who has the best lawyer.
- Mark Twain
Rita Hansard
2006-06-03 21:55:30 UTC
Permalink
Post by Yaketyak
On Sat, 3 Jun 2006 04:03:57 -0400, "Rita Hansard"
Post by Rita Hansard
Post by Yaketyak
but it does constitute a rule to be complied with regardless of
training if it occurred.
I never stated otherwise. I've said that proper training would have likely
kept the stupidity from happening. I'm more concerned with prevention than
punishment. Once the material is out, it's out, and the VA should have taken
steps to teach their employees to protect the information with urgency,
which does a lot of good.
Rita
In a society that infers it must warn the end user not to put their
hands under a running lawn mower. You have waaaay more faith in the
general population than I!!
In an information age which is increasingly becoming more and more
"insecure" because facilities are not meeting standards to protect the
general population, anyone who does meet the excellent standards which can
be attained does not do it on faith.

Rita
GL Fowler
2006-06-04 00:08:03 UTC
Permalink
On Sat, 3 Jun 2006 17:55:30 -0400, "Rita Hansard"
Post by Rita Hansard
Post by Yaketyak
On Sat, 3 Jun 2006 04:03:57 -0400, "Rita Hansard"
Post by Rita Hansard
Post by Yaketyak
but it does constitute a rule to be complied with regardless of
training if it occurred.
I never stated otherwise. I've said that proper training would have likely
kept the stupidity from happening. I'm more concerned with prevention than
punishment. Once the material is out, it's out, and the VA should have taken
steps to teach their employees to protect the information with urgency,
which does a lot of good.
Rita
In a society that infers it must warn the end user not to put their
hands under a running lawn mower. You have waaaay more faith in the
general population than I!!
In an information age which is increasingly becoming more and more
"insecure" because facilities are not meeting standards to protect the
general population, anyone who does meet the excellent standards which can
be attained does not do it on faith.
Rita
Well as you say, but you can't put the enterprise end-user in a brace
and read his pedigree for a half hour to get their attention. The
spectre of fine and or ... as the phrase oft read was a deterrent to
inadvertent disclosure. In this culture of finding someone else to
blame and no personal responsibility for your actions becomes the norm
rather than exception we have more and more of the same for the
future. There will be no more signs on desks as in Truman's time.

You now may return to your regularly scheduled programming...

Jerry
Rita Hansard
2006-06-04 00:43:55 UTC
Permalink
Post by GL Fowler
On Sat, 3 Jun 2006 17:55:30 -0400, "Rita Hansard"
Post by Rita Hansard
Post by Yaketyak
On Sat, 3 Jun 2006 04:03:57 -0400, "Rita Hansard"
Post by Rita Hansard
Post by Yaketyak
but it does constitute a rule to be complied with regardless of
training if it occurred.
I never stated otherwise. I've said that proper training would have likely
kept the stupidity from happening. I'm more concerned with prevention than
punishment. Once the material is out, it's out, and the VA should have taken
steps to teach their employees to protect the information with urgency,
which does a lot of good.
Rita
In a society that infers it must warn the end user not to put their
hands under a running lawn mower. You have waaaay more faith in the
general population than I!!
In an information age which is increasingly becoming more and more
"insecure" because facilities are not meeting standards to protect the
general population, anyone who does meet the excellent standards which can
be attained does not do it on faith.
Rita
Well as you say, but you can't put the enterprise end-user in a brace
and read his pedigree for a half hour to get their attention. The
spectre of fine and or ... as the phrase oft read was a deterrent to
inadvertent disclosure. In this culture of finding someone else to
blame and no personal responsibility for your actions becomes the norm
rather than exception we have more and more of the same for the
future. There will be no more signs on desks as in Truman's time.
You now may return to your regularly scheduled programming...
Jerry
Rita Hansard
2006-06-04 01:17:08 UTC
Permalink
Post by GL Fowler
On Sat, 3 Jun 2006 17:55:30 -0400, "Rita Hansard"
Post by Rita Hansard
Post by Yaketyak
On Sat, 3 Jun 2006 04:03:57 -0400, "Rita Hansard"
Post by Rita Hansard
Post by Yaketyak
but it does constitute a rule to be complied with regardless of
training if it occurred.
I never stated otherwise. I've said that proper training would have likely
kept the stupidity from happening. I'm more concerned with prevention than
punishment. Once the material is out, it's out, and the VA should have taken
steps to teach their employees to protect the information with urgency,
which does a lot of good.
Rita
In a society that infers it must warn the end user not to put their
hands under a running lawn mower. You have waaaay more faith in the
general population than I!!
In an information age which is increasingly becoming more and more
"insecure" because facilities are not meeting standards to protect the
general population, anyone who does meet the excellent standards which can
be attained does not do it on faith.
Rita
Well as you say, but you can't put the enterprise end-user in a brace
and read his pedigree for a half hour to get their attention. The
spectre of fine and or ... as the phrase oft read was a deterrent to
inadvertent disclosure. In this culture of finding someone else to
blame and no personal responsibility for your actions becomes the norm
rather than exception we have more and more of the same for the
future. There will be no more signs on desks as in Truman's time.
Sorry, meant to answer the first time and hit the reply button too soon. I
have no defense for the person who took the information home. I also have no
defense for the VA which was supposed to train their employees to first and
foremost protect the vulnerable. As far as where the buck stops, I'm
certainly not giving either party any slack. If one adopts the attitude that
"training don't work," they're setting themself up for failure in that area.
If one adopts the attitude that training will work, they are strengthening
and empowering not only the employee, but the entire protective process. It
can be depended on, but not entirely to save the day all by itself. Done
right, it's a strengthening process working with other areas where an "it
can work" attitude adds to the overall success of the security. What's the
saying about a chain only being as strong as its weakest link?

Rita
GL Fowler
2006-06-04 14:23:06 UTC
Permalink
On Sat, 3 Jun 2006 21:17:08 -0400, "Rita Hansard"
Post by Rita Hansard
Post by GL Fowler
On Sat, 3 Jun 2006 17:55:30 -0400, "Rita Hansard"
Post by Rita Hansard
Post by Yaketyak
On Sat, 3 Jun 2006 04:03:57 -0400, "Rita Hansard"
Post by Rita Hansard
Post by Yaketyak
but it does constitute a rule to be complied with regardless of
training if it occurred.
I never stated otherwise. I've said that proper training would have likely
kept the stupidity from happening. I'm more concerned with prevention than
punishment. Once the material is out, it's out, and the VA should have taken
steps to teach their employees to protect the information with urgency,
which does a lot of good.
Rita
In a society that infers it must warn the end user not to put their
hands under a running lawn mower. You have waaaay more faith in the
general population than I!!
In an information age which is increasingly becoming more and more
"insecure" because facilities are not meeting standards to protect the
general population, anyone who does meet the excellent standards which can
be attained does not do it on faith.
Rita
Well as you say, but you can't put the enterprise end-user in a brace
and read his pedigree for a half hour to get their attention. The
spectre of fine and or ... as the phrase oft read was a deterrent to
inadvertent disclosure. In this culture of finding someone else to
blame and no personal responsibility for your actions becomes the norm
rather than exception we have more and more of the same for the
future. There will be no more signs on desks as in Truman's time.
Sorry, meant to answer the first time and hit the reply button too soon. I
have no defense for the person who took the information home. I also have no
defense for the VA which was supposed to train their employees to first and
foremost protect the vulnerable. As far as where the buck stops, I'm
certainly not giving either party any slack. If one adopts the attitude that
"training don't work," they're setting themself up for failure in that area.
If one adopts the attitude that training will work, they are strengthening
and empowering not only the employee, but the entire protective process. It
can be depended on, but not entirely to save the day all by itself. Done
right, it's a strengthening process working with other areas where an "it
can work" attitude adds to the overall success of the security. What's the
saying about a chain only being as strong as its weakest link?
Rita
Not a problem, had a moment tho when I thought the tri's had failed me
:-)
For all the 'opposed view' my posts may have generated, I'm really
more on your side of the aisle than not. I agree that training will
impart information and likely increase compliance, human nature being
what it is... Yes, VA management is where the ultimate blame lies,
fie on them for the 'head in the sand' mentality!!

Jerry
Rita Hansard
2006-06-05 00:39:50 UTC
Permalink
Post by GL Fowler
On Sat, 3 Jun 2006 21:17:08 -0400, "Rita Hansard"
Not a problem, had a moment tho when I thought the tri's had failed me
:-)
For all the 'opposed view' my posts may have generated, I'm really
more on your side of the aisle than not. I agree that training will
impart information and likely increase compliance, human nature being
what it is... Yes, VA management is where the ultimate blame lies,
fie on them for the 'head in the sand' mentality!!
We're dealing with a huge challenge in that it's not just a problem with the
VA. The mindset of near about the entire country is 10-years outdated.
Private enterprise does a little bit better than the federal government
because of the expense. The highest-rated encryption software company in the
US is used by exactly 8 "customers" in the United States. Most employee
training is outdated by at least 10 years. (I know. I've had the "old"
standard of training and the new, and I don't even want to tell you of that
which consisted of the old "ethics" training, among other jokes which
constituted so-called "training" in other areas.) Mandated security
measures overall fall in the same category. That's why the mindset of "won't
work" often applies to the security-training concept. No, it won't work
unless it's brought up to meet the ever-rising bar of technology and the
crime which goes with it. The VA just got caught. But thank you, and yes,
most people will see and get on my side of the aisle once it's understood
how my side of the aisle operates. It just takes a little time and good
communication. Unfortunately, I don't know how to help with the issue of
expense in other areas which are just as vital to security as that of a
well-trained employee.

Rita
l***@nospam.net
2006-06-05 04:00:02 UTC
Permalink
Post by Rita Hansard
Post by GL Fowler
On Sat, 3 Jun 2006 21:17:08 -0400, "Rita Hansard"
Not a problem, had a moment tho when I thought the tri's had failed me
:-)
For all the 'opposed view' my posts may have generated, I'm really
more on your side of the aisle than not. I agree that training will
impart information and likely increase compliance, human nature being
what it is... Yes, VA management is where the ultimate blame lies,
fie on them for the 'head in the sand' mentality!!
We're dealing with a huge challenge in that it's not just a problem with
the VA. The mindset of near about the entire country is 10-years
outdated. Private enterprise does a little bit better than the federal
government because of the expense. The highest-rated encryption software
company in the US is used by exactly 8 "customers" in the United States.
Most employee training is outdated by at least 10 years. (I know. I've
had the "old" standard of training and the new, and I don't even want to
tell you of that which consisted of the old "ethics" training, among
other jokes which constituted so-called "training" in other areas.)
Mandated security measures overall fall in the same category. That's why
the mindset of "won't work" often applies to the security-training
concept. No, it won't work unless it's brought up to meet the
ever-rising bar of technology and the crime which goes with it. The VA
just got caught. But thank you, and yes, most people will see and get on
my side of the aisle once it's understood how my side of the aisle
operates. It just takes a little time and good communication.
Unfortunately, I don't know how to help with the issue of expense in
other areas which are just as vital to security as that of a
well-trained employee.
When are you people so sure it was a training problem? You people don't
have the facts of what happened.

And ...You all seem to think the guy was going home to play. How do you
know he wasn't one dedicated and over-worked person trying to keep up the
workload after all the bush VA cuts?
Whitey Bulger
2006-06-05 04:36:50 UTC
Permalink
Post by l***@nospam.net
know he wasn't one dedicated and over-worked person trying to keep up the
workload after all the bush VA cuts?
So you're trying to defend someone who not only took sensitive and
confidential personal files out of his federal office to his home,
clearly against policy, and then managed to have the laptop and the
disks stolen?

Who will you defend next, Osama?
l***@nospam.net
2006-06-05 10:26:30 UTC
Permalink
Post by Whitey Bulger
Post by l***@nospam.net
know he wasn't one dedicated and over-worked person trying to keep up the
workload after all the bush VA cuts?
So you're trying to defend someone who not only took sensitive and
confidential personal files out of his federal office to his home,
clearly against policy, and then managed to have the laptop and the disks
stolen?
I figured you right wingers wouldn't get it, or work on getting the facts!


PS: I didn't know he "managed" to have it stolen. Aren't there "laws"
about managing to have things stolen, unless you're a fat-cat with a
government contract in Iraqnam? Thanks for the tip. Where did you get
this "managed" fact anyway?
Post by Whitey Bulger
Who will you defend next, Osama?
Of course not, even though I'm smart enough to know that when you tell 1.4
billion people you're going to stomp out their religion -- like bush has
-- you're gonna have a bigger problem than you figured on.
Whitey Bulger
2006-06-05 16:16:59 UTC
Permalink
Post by l***@nospam.net
Of course not, even though I'm smart enough to know that when you tell 1.4
billion people you're going to stomp out their religion -- like bush has
-- you're gonna have a bigger problem than you figured on.
I've heard some stupid crap come out of Bush, but I have yet to hear
him say anything of the sort. He has consistently differentiated
between the extremists/terrorists and the huge part of the Muslim
population that are not involved with them.

If you can quote him saying that with a date and place, let me know.
l***@nospam.net
2006-06-06 00:13:39 UTC
Permalink
Post by l***@nospam.net
Of course not, even though I'm smart enough to know that when you tell 1.4
billion people you're going to stomp out their religion -- like bush has
-- you're gonna have a bigger problem than you figured on.
I've heard some stupid crap come out of Bush, but I have yet to hear him
say anything of the sort. He has consistently differentiated between the
extremists/terrorists and the huge part of the Muslim population that are
not involved with them.
Actually bush has told them God wants us to defeat them. You sure don't
know much about people and cultures, do you now.
If you can quote him saying that with a date and place, let me know.
Whitey Bulger
2006-06-06 20:21:19 UTC
Permalink
Post by l***@nospam.net
Post by l***@nospam.net
Of course not, even though I'm smart enough to know that when you tell 1.4
billion people you're going to stomp out their religion -- like bush has
-- you're gonna have a bigger problem than you figured on.
I've heard some stupid crap come out of Bush, but I have yet to hear him
say anything of the sort. He has consistently differentiated between the
extremists/terrorists and the huge part of the Muslim population that are
not involved with them.
Actually bush has told them God wants us to defeat them.
"Them" who, precisely? All Muslims, or the al-Qaeda-type terrorists?
Yaketyak
2006-06-05 22:00:05 UTC
Permalink
wouldn't be the first time.

On Mon, 05 Jun 2006 00:36:50 -0400, Whitey Bulger
Post by Whitey Bulger
Post by l***@nospam.net
know he wasn't one dedicated and over-worked person trying to keep up the
workload after all the bush VA cuts?
So you're trying to defend someone who not only took sensitive and
confidential personal files out of his federal office to his home,
clearly against policy, and then managed to have the laptop and the
disks stolen?
Who will you defend next, Osama?
Fafnir
2006-06-02 03:09:05 UTC
Permalink
Post by Rita Hansard
Post by Zoltan
Post by Rita Hansard
To finish up some work at home.
Post by La N
That is just *so* wrong, particularly when it relates to the personal
data of millions of people.
It's going to happen.
They could and should have made training mandatory which would have
prevented it from being likely to happen.
They did.
Every government agency has such training.
Even the Pentagon.
Post by Rita Hansard
I disagree that it's "going to happen,"
It did happen.

Many times.

This one just hit the newspapers.
Post by Rita Hansard
unless you have a bunch of idiots running the show. Yeah, encryption
should be mandatory, too, but not even making your employees understand
that they are going to face a heavy price for removal of government
property is outright stupidity, and the VA didn't take the time to train
their employees, in fact they made training mandatory after the major
cluster occurred.
No, they made REtraining mandatory.
Post by Rita Hansard
If this had occurred where I work, I'd be facing termination, fines, and a
possible prison sentence.
The employee who did that faces the same.

And it's going to happen again.
Post by Rita Hansard
Rita
Post by Zoltan
The entire war plan for the Gulf war was on a laptop that was stolen in
London 30 days before the bombing was to start. See Colin Powell's "My
American Journey".
What's inexcusable is that the stuff wasn't encrypted.
There's a lot of OTFE (On The Fly Encryption) software readily available.
This software creates an encrypted 'container' on any storage medium
that is completely illegible without the passphrase.
Once the passphrase is entered, a new virtual 'drive' appears on the
computer.
All sensitive data can be copied to this drive; you can even install
software on it.
Once the encrypted drive is turned off (or the computer is rebooted)
the data is hidden in a completely uncrackable file. When it's needed,
the passphrase will recreate that virtual drive.
I create 4.37GB containers on my hard drives; that way they're easy to
back up to a DVD. The DVD is secure, and can also be mounted using the
passphrase.
A lost drive/laptop will not compromise any of the information stored
on that virtual drive.
I use it for personal and financial information, but certainly any
government agency that has sensitive information on external drives,
memory sticks, or laptops should be using this.
Some commercial vendors are Bestcrypt, PGP Disk, and Steganos Safe.
Free (and opensource) software includes FreeOTFE and TrueCrypt.
My personal choice is Truecrypt.
http://www.truecrypt.org/
Rita Hansard
2006-06-02 03:37:52 UTC
Permalink
Post by redjacket
Post by Rita Hansard
Post by Zoltan
Post by Rita Hansard
To finish up some work at home.
Post by La N
That is just *so* wrong, particularly when it relates to the personal
data of millions of people.
It's going to happen.
They could and should have made training mandatory which would have
prevented it from being likely to happen.
They did.
Every government agency has such training.
Even the Pentagon.
I'm aware of certain areas of government having the highest level of
security training. I'm employed by one of them. One area of security
enforcement is in the area of compliance. The VA has publicly stated that
they did not make training mandatory until after the breach. If you are
correct in that "all" agencies have such training, you now have the VA
putting itself in the position of criminal negligence. I've seen nothing by
way of professional opinion that the VA has engaged in criminal
noncompliance. The statement that "It's going to happen," is not necessarily
so when a facility is upgraded to top-level security, and apparently there
is no such law that all facilities be in that state of compliance.

There's been research into the government agencies and the overall grading
of most federal facilities falls into a D+ range and rated as being 10 years
behind in security measures.

I would appreciate your showing me by way of proof that all government
employees are given top-notch training and in what areas.

Rita
Post by redjacket
Post by Rita Hansard
I disagree that it's "going to happen,"
It did happen.
Many times.
This one just hit the newspapers.
Post by Rita Hansard
unless you have a bunch of idiots running the show. Yeah, encryption
should be mandatory, too, but not even making your employees understand
that they are going to face a heavy price for removal of government
property is outright stupidity, and the VA didn't take the time to train
their employees, in fact they made training mandatory after the major
cluster occurred.
No, they made REtraining mandatory.
Post by Rita Hansard
If this had occurred where I work, I'd be facing termination, fines, and a
possible prison sentence.
The employee who did that faces the same.
And it's going to happen again.
Post by Rita Hansard
Rita
Post by Zoltan
The entire war plan for the Gulf war was on a laptop that was stolen in
London 30 days before the bombing was to start. See Colin Powell's "My
American Journey".
What's inexcusable is that the stuff wasn't encrypted.
There's a lot of OTFE (On The Fly Encryption) software readily available.
This software creates an encrypted 'container' on any storage medium
that is completely illegible without the passphrase.
Once the passphrase is entered, a new virtual 'drive' appears on the
computer.
All sensitive data can be copied to this drive; you can even install
software on it.
Once the encrypted drive is turned off (or the computer is rebooted)
the data is hidden in a completely uncrackable file. When it's needed,
the passphrase will recreate that virtual drive.
I create 4.37GB containers on my hard drives; that way they're easy to
back up to a DVD. The DVD is secure, and can also be mounted using the
passphrase.
A lost drive/laptop will not compromise any of the
information stored
Post by Rita Hansard
Post by Zoltan
on that virtual drive.
I use it for personal and financial information, but
certainly any
Post by Rita Hansard
Post by Zoltan
government agency that has sensitive information on external
drives,
Post by Rita Hansard
Post by Zoltan
memory sticks, or laptops should be using this.
Some commercial vendors are Bestcrypt, PGP Disk, and
Steganos Safe.
Post by Rita Hansard
Post by Zoltan
Free (and opensource) software includes FreeOTFE and
TrueCrypt.
Post by Rita Hansard
Post by Zoltan
My personal choice is Truecrypt.
http://www.truecrypt.org/
Fafnir
2006-06-02 12:50:28 UTC
Permalink
Post by Rita Hansard
Post by Fafnir
Post by Rita Hansard
They could and should have made training mandatory which
would
Post by Rita Hansard
Post by Fafnir
have
Post by Rita Hansard
prevented it from being likely to happen.
They did.
Every government agency has such training.
Even the Pentagon.
The statement that "It's going to happen," is not necessarily
so when a facility is upgraded to top-level security,
I can't think of any agency more security conscious than the
Pentagon, nor any secret more closely guarded than a war plan
that was to be executed in thirty days' time.

Yet the Pentagon managed to lose a laptop containing just that.
Post by Rita Hansard
There's been research into the government agencies and the
overall grading
Post by Rita Hansard
of most federal facilities falls into a D+ range and rated as
being 10 years
Post by Rita Hansard
behind in security measures.
True.
According to the GAO report, the Pentagon got an F.
Fifteen years after the incident described above occurred.

That's why I am so flabbergasted that they haven't taken the
simple steps I suggested.

If they had, possession of that external hard drive with the VA
data on it wouldn't do the thief any good.

You say that you are involved in banking; don't banks encrypt
their transaction data before they transfer it?
I assume that banks are more security conscious than even the
government; a failure to secure their data would drive them out
of business.
Post by Rita Hansard
I would appreciate your showing me by way of proof that all
government
Post by Rita Hansard
employees
Read the post again.
Post by Rita Hansard
are given top-notch training
Read the post again.
Post by Rita Hansard
and in what areas.
Rita
j***@earthlink.net
2006-06-02 13:05:45 UTC
Permalink
Post by Fafnir
Post by Rita Hansard
Post by Fafnir
Post by Rita Hansard
They could and should have made training mandatory which
would
Post by Rita Hansard
Post by Fafnir
have
Post by Rita Hansard
prevented it from being likely to happen.
They did.
Every government agency has such training.
Even the Pentagon.
The statement that "It's going to happen," is not necessarily
so when a facility is upgraded to top-level security,
I can't think of any agency more security conscious than the
Pentagon, nor any secret more closely guarded than a war plan
that was to be executed in thirty days' time.
Yet the Pentagon managed to lose a laptop containing just that.
Post by Rita Hansard
There's been research into the government agencies and the
overall grading
Post by Rita Hansard
of most federal facilities falls into a D+ range and rated as
being 10 years
Post by Rita Hansard
behind in security measures.
True.
According to the GAO report, the Pentagon got an F.
Fifteen years after the incident described above occurred.
That's why I am so flabbergasted that they haven't taken the
simple steps I suggested.
If they had, possession of that external hard drive with the VA
data on it wouldn't do the thief any good.
You say that you are involved in banking; don't banks encrypt
their transaction data before they transfer it?
I assume that banks are more security conscious than even the
government; a failure to secure their data would drive them out
of business.
Post by Rita Hansard
I would appreciate your showing me by way of proof that all
government
Post by Rita Hansard
employees
Read the post again.
Post by Rita Hansard
are given top-notch training
Read the post again.
Post by Rita Hansard
and in what areas.
Rita
The Pentagon probably, especially in this administration, has more
outside people, people who have been writing for think tanks and
preaching their doctrine, that they miss the point that they are now
the Government. People who can tell "the little people" or "worker
bees" that they are above all these petty rules and would you--- mr.
PhD, ex Navy Captain, sometime war planner---roll up those top secret
five code word charts for me to take home so my teen-age son can see
how important I am?
Rita Hansard
2006-06-02 15:58:35 UTC
Permalink
Post by Fafnir
Post by Rita Hansard
Post by Fafnir
Post by Rita Hansard
They could and should have made training mandatory which
would
Post by Rita Hansard
Post by Fafnir
have
Post by Rita Hansard
prevented it from being likely to happen.
They did.
Every government agency has such training.
Even the Pentagon.
The statement that "It's going to happen," is not necessarily
so when a facility is upgraded to top-level security,
I can't think of any agency more security conscious than the
Pentagon, nor any secret more closely guarded than a war plan
that was to be executed in thirty days' time.
Well, there must not be the highest level of security, or there wasn't,
because laptops are not allowed in the area in which I work, and they damn
sure wouldn't be allowed out of the building if they were.
Post by Fafnir
Yet the Pentagon managed to lose a laptop containing just that.
Post by Rita Hansard
There's been research into the government agencies and the
overall grading
Post by Rita Hansard
of most federal facilities falls into a D+ range and rated as
being 10 years
Post by Rita Hansard
behind in security measures.
True.
According to the GAO report, the Pentagon got an F.
In that case, the Pentagon is not as secure as where I am. We got an A.
Post by Fafnir
Fifteen years after the incident described above occurred.
That's why I am so flabbergasted that they haven't taken the
simple steps I suggested.
It is a mess.
Post by Fafnir
If they had, possession of that external hard drive with the VA
data on it wouldn't do the thief any good.
Well, that's pretty much a given, however, we cannot assume that the disks
are going to get out. Every effort in the world can and has been made to
prevent that in "some" facilities and the upgrades are effective.
Post by Fafnir
You say that you are involved in banking; don't banks encrypt
their transaction data before they transfer it?
Yes.
Post by Fafnir
I assume that banks are more security conscious than even the
government; a failure to secure their data would drive them out
of business.
There are two areas of banking. One side is commercial and the other side is
federal. I work for the feds, and it was the government which made
compliance with certain conditions mandatory, or they would bar the door and
not allow us to do business. In other words, security in the extreme is
mandatory by law where I am. Security on the commercial end is also
mandatory by law, but it is not as stringent on a personal level as the
federal side. There's differences between us and the commercial end of
banking. One of these differences includes credit checks every five years
along with a background investigation, and credit criteria conditions are
stringent. I wouldn't even have to get close to bankruptcy in order to lose
my job, and we are not just given training. We are watched on the level of a
Vegas casino to see that we comply. What I don't know is how it is paid for,
but I believe it comes from the private sector, and it is beyond expensive.
Post by Fafnir
Post by Rita Hansard
I would appreciate your showing me by way of proof that all
government
Post by Rita Hansard
employees
Read the post again.
I see no proof other than your word that "such" training is mandatory in all
government facilities. The VA has publicly stated that training was made
mandatory only after the breach. "If" top-level training were mandatory in
the first place, they right then admitted negligence. Apparently the extreme
security levels and training are not required in every government facility.
There may be "some" training that is mandatory, but I guarantee you, it is
not anywhere near the level of "such" the government has imposed on me and
what is necessary to prevent stupidity such as that.
Post by Fafnir
Post by Rita Hansard
are given top-notch training
Read the post again.
They are not. I'm sorry to tell you, but they are not, and especially in the
areas of information classifications.

For the sake of conversation, allow me to ask you a question, please. If you
are participating or doing business with a company you know and trust, and
for some reason they asked you to fax your SS number to them on a form where
other service-related criteria was also needed in a hurry, would you do it
and why or why not?

Rita
Fafnir
2006-06-03 04:04:30 UTC
Permalink
Post by Baldur
Post by Fafnir
Post by Rita Hansard
Post by Fafnir
Post by Rita Hansard
They could and should have made training mandatory which
would
Post by Rita Hansard
Post by Fafnir
have
Post by Rita Hansard
prevented it from being likely to happen.
They did.
Every government agency has such training.
Even the Pentagon.
See PL 100-235
Post by Baldur
Post by Fafnir
I can't think of any agency more security conscious than the
Pentagon, nor any secret more closely guarded than a war plan
that was to be executed in thirty days' time.
Well, there must not be the highest level of security, or
there wasn't,
Post by Baldur
because laptops are not allowed in the area in which I work,
and they damn
Post by Baldur
sure wouldn't be allowed out of the building if they were.
Many agencies _issue_ laptops; lots of work is done in the
field, not in an office.
The one with the war plan was stolen from a taxi in London.
Post by Baldur
Post by Fafnir
True.
According to the GAO report, the Pentagon got an F.
In that case, the Pentagon is not as secure as where I am. We
got an A.

I figured that banks would be more secure than the Pentagon.
Remember that the Pentagon has millions of workers, and it only
takes one screwup.

There's also the fact that the data lost by the VA wasn't
classified 'Confidential' or 'Secret' or 'Top Secret'; it was
probably 'FOUO' (For Official Use Only) and the analyst may not
have understood just how sensitive it was.

The Federal (and even more so, State and Local) government often
don't take individual privacy all that seriously.
There are NO penalties prescribed for violations of the Privacy
Act. None.

Bear in mind that if the analyst hadn't voluntarily 'fessed up',
it's very likely that no one would ever have known about this.
And he wouldn't have lost his job.
I bet that's happened more than once.
Post by Baldur
Post by Fafnir
Fifteen years after the incident described above occurred.
That's why I am so flabbergasted that they haven't taken the
simple steps I suggested.
It is a mess.
Post by Fafnir
If they had, possession of that external hard drive with the
VA
Post by Baldur
Post by Fafnir
data on it wouldn't do the thief any good.
Well, that's pretty much a given, however, we cannot assume
that the disks
Post by Baldur
are going to get out. Every effort in the world can and has
been made to
Post by Baldur
prevent that in "some" facilities and the upgrades are
effective.

And yet laptops are lost or stolen and flash drives containing
classified information are sold in the Baghdad bazaar.
It IS going to happen, and the biggest mistake a manager can
make is to say "I order you to maintain data security!" and to
assume that that will happen.
Post by Baldur
Post by Fafnir
You say that you are involved in banking; don't banks encrypt
their transaction data before they transfer it?
Yes.
Post by Fafnir
I assume that banks are more security conscious than even the
government; a failure to secure their data would drive them
out
Post by Baldur
Post by Fafnir
of business.
There are two areas of banking. One side is commercial and the
other side is
Post by Baldur
federal. I work for the feds, and it was the government which
made
Post by Baldur
compliance with certain conditions mandatory, or they would
bar the door and
Post by Baldur
not allow us to do business. In other words, security in the
extreme is
Post by Baldur
mandatory by law where I am. Security on the commercial end is
also
Post by Baldur
mandatory by law, but it is not as stringent on a personal
level as the
Post by Baldur
federal side. There's differences between us and the
commercial end of
Post by Baldur
banking. One of these differences includes credit checks every
five years
Post by Baldur
along with a background investigation, and credit criteria
conditions are
Post by Baldur
stringent. I wouldn't even have to get close to bankruptcy in
order to lose
Post by Baldur
my job, and we are not just given training. We are watched on
the level of a
Post by Baldur
Vegas casino to see that we comply. What I don't know is how
it is paid for,
Post by Baldur
but I believe it comes from the private sector, and it is
beyond expensive.

It's pretty obvious that the government can't watch millions of
employees all over the world that closely.

But they COULD provide OTFE software on all computers.
Easily and cheaply.
TrueCrypt is free.
Even for commercial use.

It's not a panacea, but it would have taken care of the problem
in the three cases I've mentioned.
Post by Baldur
Post by Fafnir
Post by Rita Hansard
I would appreciate your showing me by way of proof that all
government
Post by Rita Hansard
employees
Read the post again.
I didn't say "all government employees", but 'all government
agencies'.
Truck drivers don't get the mandatory annual security training.
Post by Baldur
I see no proof other than your word that "such" training is
mandatory in all
Post by Baldur
government facilities.
If you work for a federal agency, you're responsible for knowing
about Public Law 100-235 which says, in pertinent part:

SEC. 5. FEDERAL COMPUTER SYSTEM SECURITY TRAINING.
(a) In General.--Each Federal agency shall provide for the
mandatory periodic training in computer security awareness and
accepted computer security practice of all employees who are
involved
with the management, use, or operation of each Federal computer
system within or under the supervision of that agency. Such
training
shall be--

Your agency will presumably have an order implementing such
training which refers to that law.
Post by Baldur
The VA has publicly stated that training was made
mandatory only after the breach. "If" top-level training were
mandatory in
Post by Baldur
the first place, they right then admitted negligence.
Which is why I doubt that they said any such thing.
They say on their website that the data analyst was not
authorized to take this data home, is being dismissed, and that
one of his managers resigned as a result of this fiasco, so
maybe they did...

But again, with millions of employees and millions of
laptops/flashdrives, security managers need to assume that
something like this will happen, and need to take steps to
mitigate the damage.

Secure areas of the Pentagon don't permit flashdrives (or IPods)
for just this reason, and search employees upon leaving the
building.

But they don't search the National Security Advisor, who got
caught taking a laptop full of classified information home.
Post by Baldur
Post by Fafnir
Post by Rita Hansard
are given top-notch training
Read the post again.
They are not. I'm sorry to tell you, but they are not, and
especially in the
Post by Baldur
areas of information classifications.
I never said that they are given 'top-notch training'.
Those are your words.
Post by Baldur
For the sake of conversation, allow me to ask you a question,
please. If you
Post by Baldur
are participating or doing business with a company you know
and trust, and
Post by Baldur
for some reason they asked you to fax your SS number to them
on a form where
Post by Baldur
other service-related criteria was also needed in a hurry,
would you do it
Post by Baldur
and why or why not?
A fax is far more secure than unencrypted TCP, but I'd still
resist.
On the other hand, private businesses are not constrained by the
Privacy Act; only government agencies are required to give you a
disclosure notice.

If you're trying to close on a house and the broker demands your
SSAN (by phone or fax), s/he can prevent your closing without
violating any law.

But I'd make sure I initiated the call to a number I knew.

On my laptop (in fact, on all of my personal computers), all my
sensitive information is encrypted with OTFE.
Unfortunately, computer security rules prohibit me from
installing OTFE (or any programs) on my government laptop.

Besides, the VA has compromised my SSAN now, anyway.
Rita Hansard
2006-06-03 07:50:19 UTC
Permalink
(Top Post)
Several points here, and I've got to make it quick. First, the information
taken from the VA was taken out on a disk, as far as I know. This was from
an office, not out in the field, where the Pentagon may or may not be
allowed to use them in certain ways. Encryption would have to be considered
as the uppermost security in the event of the Pentagon situation. From a
facility which should and can be controlled, but isn't, it should never have
gotten out of the door in the first place.

The VA made the statement that they were to start making training mandatory.

http://www.thespectrum.com/apps/pbcs.dll/article?AID=/20060528/OPINION01/605280327/1014

"But what can be done so the United States government doesn't fall asleep
again? VA Secretary Jim Nicholson has promised to take necessary measures to
ensure a like occurrence does not happen again, including mandatory security
training for all employees with access to private information. That's a good
first step, but we'd like to know what the VA intends to do as a long-term
solution. The volatile information is always going to be at someone's
disposal."

If this employee already had "top-notch" training, his primary goal would be
to protect the client's information from the get-go. That is the first step
in good security training. First and foremost, it is the client or customer
AND the agency which must be protected. If that sort of training is
provided, there is very little chance an employee is going to take a disk
home, regardless of whether or not if it is labelled or how. The end all is
not just encryption. An employee can look at information and write what he
or she likes down on a piece of paper, take it out, and do what he or she
likes "if" what goes into and out of these buildings is not controlled. So,
it is "not" necessarily going to happen "if" steps are taken to secure a
facility and employees are trained with "urgency" to protect private
information. If this type training does not occur, there has been no
"top-notch" training received.

I wrote:
"They could and should have made training mandatory which would have
prevented it from being likely to happen."

You wrote:
"They did."

No, they did not.

If someone asks you to fax in your SS number, you are taking a chance of the
information not being taken immediately from the fax machine and possibly
lying around in a basket for a good while. You don't necessarily know who
is in that office and can walk by and see it. It is not a good idea to fax
sensitive information such as a SS number anywhere. It may be legal in
certain areas, but it is not a "top-notch" protective measure. People who
are properly trained in information protection will not ask for this
information to be faxed in.

"Banks," if you understand "size," can have workers which reach in the
hundreds of thousands. Each and every employee can be trained to protect
personal information, although I do not know that "all" banks use the tool
of intense training. Where I am it is done by compliance to law, but the
same intense training should have been done already at the VA and every
government facility in the nation. War related material may have to be
viewed differently if sensitive material can get out of contained areas for
reasonable purposes, but if you get employees alert and aware at all times
of the urgency of information protection, it is a step which does not leave
everything dependent on software encryption.

Your Pentagon situation and thoughts do have merit, but we really can't
compare what happened at the VA with that. No disk with sensitive
information should have been taken out of the door if security were handled
properly. No database with sensitive information should be left unencrypted,
either, but this does not let off the employee who knew just from basic
rules that it should not have gone out. Given adequate training, it would
have been highly "unlikely" that this information would be taken from the
building.

Rita
Post by Fafnir
200606.rodent.frell.theremailer.net> wrote in
Post by Baldur
message
news:d9526
Post by Baldur
Post by Fafnir
Post by Rita Hansard
Post by Fafnir
Post by Rita Hansard
They could and should have made training mandatory which
would
Post by Rita Hansard
Post by Fafnir
have
Post by Rita Hansard
prevented it from being likely to happen.
They did.
Every government agency has such training.
Even the Pentagon.
See PL 100-235
Post by Baldur
Post by Fafnir
I can't think of any agency more security conscious than the
Pentagon, nor any secret more closely guarded than a war plan
that was to be executed in thirty days' time.
Well, there must not be the highest level of security, or
there wasn't,
Post by Baldur
because laptops are not allowed in the area in which I work,
and they damn
Post by Baldur
sure wouldn't be allowed out of the building if they were.
Many agencies _issue_ laptops; lots of work is done in the
field, not in an office.
The one with the war plan was stolen from a taxi in London.
Post by Baldur
Post by Fafnir
True.
According to the GAO report, the Pentagon got an F.
In that case, the Pentagon is not as secure as where I am. We
got an A.
I figured that banks would be more secure than the Pentagon.
Remember that the Pentagon has millions of workers, and it only
takes one screwup.
There's also the fact that the data lost by the VA wasn't
classified 'Confidential' or 'Secret' or 'Top Secret'; it was
probably 'FOUO' (For Official Use Only) and the analyst may not
have understood just how sensitive it was.
The Federal (and even more so, State and Local) government often
don't take individual privacy all that seriously.
There are NO penalties prescribed for violations of the Privacy
Act. None.
Bear in mind that if the analyst hadn't voluntarily 'fessed up',
it's very likely that no one would ever have known about this.
And he wouldn't have lost his job.
I bet that's happened more than once.
Post by Baldur
Post by Fafnir
Fifteen years after the incident described above occurred.
That's why I am so flabbergasted that they haven't taken the
simple steps I suggested.
It is a mess.
Post by Fafnir
If they had, possession of that external hard drive with the
VA
Post by Baldur
Post by Fafnir
data on it wouldn't do the thief any good.
Well, that's pretty much a given, however, we cannot assume
that the disks
Post by Baldur
are going to get out. Every effort in the world can and has
been made to
Post by Baldur
prevent that in "some" facilities and the upgrades are
effective.
And yet laptops are lost or stolen and flash drives containing
classified information are sold in the Baghdad bazaar.
It IS going to happen, and the biggest mistake a manager can
make is to say "I order you to maintain data security!" and to
assume that that will happen.
Post by Baldur
Post by Fafnir
You say that you are involved in banking; don't banks encrypt
their transaction data before they transfer it?
Yes.
Post by Fafnir
I assume that banks are more security conscious than even the
government; a failure to secure their data would drive them out
of business.
There are two areas of banking. One side is commercial and the
other side is federal. I work for the feds, and it was the
government which made compliance with certain conditions mandatory,
or they would bar the door and not allow us to do business. In other
words, security in the extreme is mandatory by law where I am.
Security on the commercial end is also mandatory by law, but it is
not as stringent on a personal level as the federal side. There's
differences between us and the commercial end of banking. One of
these differences includes credit checks every five years along with
a background investigation, and credit criteria conditions are
stringent. I wouldn't even have to get close to bankruptcy in order
to lose my job, and we are not just given training. We are watched on
the level of a Vegas casino to see that we comply. What I don't know
is how it is paid for, but I believe it comes from the private
sector, and it is beyond expensive.
It's pretty obvious that the government can't watch millions of
employees all over the world that closely.
But they COULD provide OTFE software on all computers.
Easily and cheaply.
TrueCrypt is free.
Even for commercial use.
It's not a panacea, but it would have taken care of the problem
in the three cases I've mentioned.
Post by Baldur
Post by Fafnir
Post by Rita Hansard
I would appreciate your showing me by way of proof that all
government employees
Read the post again.
I didn't say "all government employees", but 'all government
agencies'.
Truck drivers don't get the mandatory annual security training.
Post by Baldur
I see no proof other than your word that "such" training is
mandatory in all government facilities.
If you work for a federal agency, you're responsible for knowing
SEC. 5. FEDERAL COMPUTER SYSTEM SECURITY TRAINING.
(a) In General.--Each Federal agency shall provide for the
mandatory periodic training in computer security awareness and
accepted computer security practice of all employees who are
involved with the management, use, or operation of each Federal
computer system within or under the supervision of that agency.
Such training shall be--
Your agency will presumably have an order implementing such
training which refers to that law.
Post by Baldur
The VA has publicly stated that training was made mandatory only
after the breach. "If" top-level training were mandatory in the
first place, they right then admitted negligence.
Which is why I doubt that they said any such thing.
They say on their website that the data analyst was not
authorized to take this data home, is being dismissed, and that
one of his managers resigned as a result of this fiasco, so
maybe they did...
But again, with millions of employees and millions of
laptops/flashdrives, security managers need to assume that
something like this will happen, and need to take steps to
mitigate the damage.
Secure areas of the Pentagon don't permit flashdrives (or IPods)
for just this reason, and search employees upon leaving the
building.
But they don't search the National Security Advisor, who got
caught taking a laptop full of classified information home.
Post by Baldur
Post by Fafnir
Post by Rita Hansard
are given top-notch training
Read the post again.
They are not. I'm sorry to tell you, but they are not, and
especially in the areas of information classifications.
I never said that they are given 'top-notch training'.
Those are your words.
Post by Baldur
For the sake of conversation, allow me to ask you a question,
please. If you are participating or doing business with a company
you know and trust, and for some reason they asked you to fax your
SS number to them on a form where other service-related criteria
was also needed in a hurry, would you do it and why or why not?
A fax is far more secure than unencrypted TCP, but I'd still
resist.
On the other hand, private businesses are not constrained by the
Privacy Act; only government agencies are required to give you a
disclosure notice.
If you're trying to close on a house and the broker demands your
SSAN (by phone or fax), s/he can prevent your closing without
violating any law.
But I'd make sure I initiated the call to a number I knew.
On my laptop (in fact, on all of my personal computers), all my
sensitive information is encrypted with OTFE.
Unfortunately, computer security rules prohibit me from
installing OTFE (or any programs) on my government laptop.
Besides, the VA has compromised my SSAN now, anyway.
Fafnir
2006-06-03 19:18:10 UTC
Post by Rita Hansard
(Top Post)
200606.rodent.frell.theremailer.net> wrote in message news:114a1
Several points here, and I've got to make it quick. First, the
information taken from the VA was taken out on a disk, as far as I
know.
A disk AND a laptop.

http://www.upi.com/SecurityTerrorism/view.php?StoryID=20060601-021724-5701r
Post by Rita Hansard
This was from an office, not out in the field, where the Pentagon
may or may not be allowed to use them in certain ways. Encryption
would have to be considered as the uppermost security in the event
of the Pentagon situation. From a facility which should and can be
controlled, but isn't, it should never have gotten out of the door
in the first place.
So?
It DID.
Post by Rita Hansard
The VA made the statement that they were start making training
mandatory.
http://www.thespectrum.com/apps/pbcs.dll/article?AID=/20060528/OPINION01/605280327/1014

I've already told you that Federal law requires such training,
and has required such training for many years.
The article you quote does not say 'start'; the word 'start'
doesn't appear anywhere in the article.
I'm telling you that depending on ever-stricter laws and
training didn't work, and hasn't worked on many occasions in the
past.

It's time to stop redoubling your efforts and try something
different.
Post by Rita Hansard
training should have been done already at the VA and every
government facility in the nation.
As I've repeatedly pointed out to you, such training is mandated
by law.
I would find it hard to believe that the VA didn't have such
training.

IT DIDN'T WORK!

It's time to stop redoubling your efforts and try something
different.
Post by Rita Hansard
War related material may have to be viewed differently if
sensitive material can get out of contained areas for reasonable
purposes, but if you get employees alert and aware at all times of
the urgency of information protection, it is a step which does not
leave everything dependent on software encryption.
While the quality of the VA training may be questionable, I'm
quite confident that it was done.

On the other hand, I've been a battalion S-2, and I KNOW that
DOD training is intense and taken very seriously.

As we've seen in the war plans incident, IT DIDN'T WORK!

It's time to stop redoubling your efforts and try something
different.
Post by Rita Hansard
Your Pentagon situation and thoughts do have merit, but we really
can't compare what happened at the VA with that.
Of course we can.
The situations are IDENTICAL.
Except that the Pentagon material was TOP SECRET, while the VA
material was FOUO.
And the Pentagon training was as good as you're going to get,
while the VA training was probably a power-point presentation
that said 'be careful out there!'

THEY DIDN'T WORK!
Post by Rita Hansard
No disk with sensitive information should have been taken out of
the door if security were handled properly.
We all agree on that. And that was VA policy at the time.
Saying so doesn't make it happen, though.
I'm sure that the head of the VA thought that by providing the
briefing required by law he was covered.

As we've all seen, he wasn't.

It's time to stop redoubling your efforts and try something
different.
Post by Rita Hansard
No database with sensitive information should be left
unencrypted,

That's my point, and it's also mentioned as the subject of a
Congressional investigation in the UPI article.

Especially since it's trivially easy to do, and cheap, to boot.
Post by Rita Hansard
either, but this does not let off the employee who knew just from
basic rules that it should not have gone out. Given adequate
training, it would have been highly "unlikely" that this
information would be taken from the building.
Unlikely obviously isn't good enough.

You can't get better training than the Pentagon has.

IT DIDN'T WORK!

It's time to stop redoubling your efforts and try something
different.

Hanging low-level employees from the yardarm may make you feel
better, but it doesn't do anything to secure your data.
Rita Hansard
2006-06-03 21:49:39 UTC
Post by Fafnir
As I've repeatedly pointed out to you, such training is mandated
by law.
I would find it hard to believe that the VA didn't have such
training.
IT DIDN'T WORK!
As I have repeatedly pointed out to _you_, whatever "such" training you
refer to didn't WORK because the employee WAS NOT trained. A TRAINED
seeing-eye dog does not lead a blind person into traffic. If it does, it is
not trained. An employee TRAINED to protect private information does not
take said information home with him. If security is at all set up right, an
employee does not get in and out of areas which should be controlled with a
laptop or a disk or pink panty hose if they are not supposed to. Guards go
through it. Cameras are "trained" on any and everybody from the time they
walk in the door to the time they leave, and unencrypted databases only
leave the building on a disk or a laptop or pink pantyhose if the place is
run by idiots.

(Snip-a-dee-do-dah.)
Post by Fafnir
While the quality of the VA training may be questionable, I'm
quite confident that it was done.
It was not done. The employee left with it. He was not trained. Whatever
they did which may have met mandated regulations was not "training."

(Snip.)
Post by Fafnir
Post by Rita Hansard
Your Pentagon situation and thoughts do have merit, but we really
can't compare what happened at the VA with that.
Of course we can.
The situations are IDENTICAL.
I do not think the VA is identical with the Pentagon. In fact, the VA
probably got an F rating while the Pentagon got a D+.
Post by Fafnir
Except that the Pentagon material was TOP SECRET, while the VA
material was FOUO.
And the Pentagon training was as good as you're going to get,
The Pentagon got a D+ rating. The facility run by the feds where I work
received an A. You have no idea what is as good as it's going to get. Or
how. Or who is trained. Or even how to protect your own self. Now go fax your
SS number to someone because you "trust them," and stop telling me what is
secure and taken seriously and who is trained. You don't even know how to
take care of yourself, much less judge the security of any facility, federal
or otherwise.

Oh, and "plonk." You cannot be trained. You're fired.

Rita
Emmanuel Goldstein
2006-06-04 00:44:16 UTC
Post by Rita Hansard
Post by Fafnir
As I've repeatedly pointed out to you, such training is mandated
by law.
I would find it hard to believe that the VA didn't have such
training.
IT DIDN'T WORK!
As I have repeatedly pointed out to _you_, whatever "such" training you
refer to didn't WORK because the employee WAS NOT trained. A TRAINED
seeing-eye dog does not lead a blind person into traffic. If it does, it is
not trained. An employee TRAINED to protect private information does not
take said information home with him. If security is at all set up right, an
employee does not get in and out of areas which should be controlled with a
laptop or a disk or pink panty hose if they are not supposed to. Guards go
through it. Cameras are "trained" on any and everybody from the time they
walk in the door to the time they leave, and unencrypted databases only
leave the building on a disk or a laptop or pink pantyhose if the place is
run by idiots.
(Snip-a-dee-do-dah.)
Post by Fafnir
While the quality of the VA training may be questionable, I'm
quite confident that it was done.
It was not done. The employee left with it. He was not trained. Whatever
they did which may have met mandated regulations was not "training."
(Snip.)
Post by Fafnir
Post by Rita Hansard
Your Pentagon situation and thoughts do have merit, but we really
can't compare what happened at the VA with that.
Of course we can.
The situations are IDENTICAL.
I do not think the VA is identical with the Pentagon. In fact, the VA
probably got an F rating while the Pentagon got a D+.
Post by Fafnir
Except that the Pentagon material was TOP SECRET, while the VA
material was FOUO.
And the Pentagon training was as good as you're going to get,
The Pentagon got a D+ rating. The facility run by the feds where I work
received an A. You have no idea what is as good as it's going to get. Or
how. Or who is trained. Or even how to protect your own self. Now go fax your
SS number to someone because you "trust them," and stop telling me what is
secure and taken seriously and who is trained. You don't even know how to
take care of yourself, much less judge the security of any facility, federal
or otherwise.
Oh, and "plonk." You cannot be trained. You're fired.
Rita
Doing the same thing, over and over and over again, and expecting a
different result...

That seems to be the pattern of our current government, doesn't it?
Whitey Bulger
2006-06-03 23:11:43 UTC
On Sat, 03 Jun 2006 21:18:10 +0200, Fafnir
Post by Fafnir
Post by Rita Hansard
(Top Post)
200606.rodent.frell.theremailer.net> wrote in message news:114a1
Several points here, and I've got to make it quick. First, the
information taken from the VA was taken out on a disk, as far as I
know.
A disk AND a laptop.
How much disk space do you think these millions of records occupied?

I could easily see them on a hard drive, but on one (assuming) optical
disk? A CD or DVD?
Yaketyak
2006-06-04 00:54:01 UTC
This sounds comparable.. got it here:
http://library.wustl.edu/~listmgr/imagelib/Aug1997/0014.html

1 scanned page (8 1/2 by 11 inches) (CCITT G4 compressed) = 50 KiloBytes (KByte) (on average)

1 file cabinet (4 drawer) (10,000 pages on average) = 500 MegaBytes (MByte) = 1 CD ROM

2 file cabinets = 1,000 MBytes = 1 GigaByte (GByte); 10 file cabinets = 1 DVD (see below)

2,000 file cabinets = 1,000 GBytes = 1 TeraByte (TByte); 2,000 file cabinets = 200 DVDs

1 banker's box (2,500 pages) = 1 file drawer = 2 linear feet of files = 125 MBytes

8 banker's boxes = 16 linear feet = 1 GByte; 8,000 boxes = 16,000 linear feet = 1 TByte

1 roll of 16 mm microfilm (100 ft) = 2,500 letter size images = 1 banker's box = 125 MBytes

1 roll of 35 mm microfilm (100 ft) = 5,000 letter size images (or letter size image equivalents) = 250 MBytes

1 microfiche (average) = 100 letter size images; 200 fiche = 20,000 images = 1 GByte

On Sat, 03 Jun 2006 19:11:43 -0400, Whitey Bulger
Post by Whitey Bulger
On Sat, 03 Jun 2006 21:18:10 +0200, Fafnir
Post by Fafnir
Post by Rita Hansard
(Top Post)
200606.rodent.frell.theremailer.net> wrote in message news:114a1
Several points here, and I've got to make it quick. First, the
information taken from the VA was taken out on a disk, as far as I
know.
A disk AND a laptop.
How much disk space do you think these millions of records occupied?
I could easily see them on a hard drive, but on one (assuming) optical
disk? A CD or DVD?
Don T
2006-06-04 03:25:42 UTC
Well. A text only, unformatted, full length, King James translation of the
Bible only needs 5 Megabytes. You can purchase a "Fully Illustrated" version
of the KJ Version on a CD ROM ~ 650 Mb. Those records can easily be stored
on a laptop hard drive or a DVD RW. With room to spare. IIRC the NTFS
allocates 4Kb per record and each of those entries can be made on 4Kb pretty
easily so, depending on format, they would also fit well on a CD ROM or CD
RW disc.
--
Don Thompson

There is nothing more frightening than active ignorance.
~Goethe

It is a worthy thing to fight for one's freedom;
it is another sight finer to fight for another man's.
~Mark Twain
Post by Yaketyak
http://library.wustl.edu/~listmgr/imagelib/Aug1997/0014.html
1 scanned page (8 1/2 by 11 inches) (CCITT G4 compressed) = 50 KiloBytes (KByte) (on average)
1 file cabinet (4 drawer) (10,000 pages on average) = 500 MegaBytes (MByte) = 1 CD ROM
2 file cabinets = 1,000 MBytes = 1 GigaByte (GByte); 10 file cabinets = 1 DVD (see below)
2,000 file cabinets = 1,000 GBytes = 1 TeraByte (TByte); 2,000 file cabinets = 200 DVDs
1 banker's box (2,500 pages) = 1 file drawer = 2 linear feet of files = 125 MBytes
8 banker's boxes = 16 linear feet = 1 GByte; 8,000 boxes = 16,000 linear feet = 1 TByte
1 roll of 16 mm microfilm (100 ft) = 2,500 letter size images = 1 banker's box = 125 MBytes
1 roll of 35 mm microfilm (100 ft) = 5,000 letter size images (or letter size image equivalents) = 250 MBytes
1 microfiche (average) = 100 letter size images; 200 fiche = 20,000 images = 1 GByte
On Sat, 03 Jun 2006 19:11:43 -0400, Whitey Bulger
Post by Whitey Bulger
On Sat, 03 Jun 2006 21:18:10 +0200, Fafnir
Post by Fafnir
Post by Rita Hansard
(Top Post)
200606.rodent.frell.theremailer.net> wrote in message news:114a1
Several points here, and I've got to make it quick. First, the
information taken from the VA was taken out on a disk, as far as I
know.
A disk AND a laptop.
How much disk space do you think these millions of records occupied?
I could easily see them on a hard drive, but on one (assuming) optical
disk? A CD or DVD?
Yaketyak
2006-06-04 12:08:06 UTC
just guessing but he probably had a "local" copy of a remote folder on
his HD because using a network shared folder in a large net can be a
real pain in the ass with latency and permission changes IT depts make
regularly.. not that he should have but it fits from my experience..
I tried to get spot inspection of people carrying briefcases and
folders home but the higher-ups didn't want to offend anyone.. their
concept is if we can't trust them after their checks we shouldn't have
hired them.. that mentality may also be part of the cause.
Post by Don T
Well. A text only, unformatted, full length, King James translation of the
Bible only needs 5 Megabytes. You can purchase a "Fully Illustrated" version
of the KJ Version on a CD ROM ~ 650 Mb. Those records can easily be stored
on a laptop hard drive or a DVD RW. With room to spare. IIRC the NTFS
allocates 4Kb per record and each of those entries can be made on 4Kb pretty
easily so, depending on format, they would also fit well on a CD ROM or CD
RW disc.
Yaketyak
2006-06-01 22:52:14 UTC
because of its scope it is way beyond negligence.. criminal negligence
at the least...
they need to arrest and prosecute anyone involved directly or
indirectly if they even had an inkling this was taking place... and
they can tell exactly who, when, where and how.

On Thu, 1 Jun 2006 11:55:19 -0400, "Rita Hansard"
Post by Rita Hansard
Post by La N
Post by redjacket
http://govexec.com/story_page.cfm?articleid=34212&dcn=todaysnews
VA official quits in aftermath of data theft
A high-ranking official in the Veterans Affairs Department has submitted
his resignation in the wake of the theft of personal data on millions of
veterans from an employee's home.
According to an Associated Press report, Michael H. McLendon, VA's
deputy assistant secretary for policy, said Tuesday he would leave his
post on Friday.
"Words are inadequate to describe how I feel about these recent events
and the impact on the band of brothers and sisters of service members and
veterans that we are supposed to serve," McLendon wrote in a letter
obtained by the AP.
"Given that this very serious and tragic event occurred on my watch and
in my organization, I feel it necessary that I tender my resignation,"
stated the letter, which was submitted to the VA late Friday. "I would be
modeling the wrong behavior to my staff and others in VA if I took no
action to be responsible."
The theft of the data, which includes the names and birth dates of up to
26.5 million veterans, including about 100 spouses, occurred May 3 when
the home of a VA data analyst was burglarized in what authorities believe
was a routine break-in. Social Security numbers for some 19.6 million of
those veterans were on the stolen property, as was information relating
to employee disability compensation.
McLendon was appointed to his VA post in December 2003. According to a
biography of him issued by the 2005 White House Conference on Aging (on
whose advisory committee McLendon sat), he is the founder of McLendon &
Associates, a management consulting and public policy firm with clients
at all levels of government. Prior to joining VA, he worked on projects
for the Defense Department, U.S. Agency for International Development,
World Bank, Asian Development Bank, National Academy of Public
Administration and other organizations.
Last week, VA Secretary James Nicholson accepted responsibility for the
security breach and said the department is reviewing all positions
requiring access to sensitive data. Once this is complete, employees
granted access will undergo new security and background investigations.
Why anybody would take highly sensitive confidential work-related
information home on a laptop is beyond my ken.
To finish up some work at home.
That is just *so* wrong,
Post by La N
particularly when it relates to the personal data of millions of people.
That's where the VA has been so negligent. Training as to the sensitivity of
the material and employees knowing that if they remove the property they are
going to face some very stiff penalties would be a very large step in
prevention. Sit 'em down, explain things to them, and then make 'em sign off
on it. Do it every 3 to 6 months until they understand the severity of the
issue. Just that little bit of added security would have most likely
prevented this disaster. And when I use the word "disaster" here, it is due
to the fact that now the feds are going to most likely make it mandatory
that the agencies which are not high-risk terrorist targets be upgraded to
the level of security of which some of the rest of us already have to
abide -- and it is going to cost SO MUCH MONEY. -- Everyone is going to
suffer. The taxpayer. Those who participate in the VA. The current
administration. The people who sell state-of-the-art security systems will
probably make out like bandits, but this moves it to the level as is with
everything else. It's probably going to work the same as what weapon is
issued for military personnel, and we all know that it ain't necessarily the
best one.
Rita
Post by La N
- nil
Rita Hansard
2006-06-01 23:45:50 UTC
Post by Yaketyak
because of its scope it is way beyond negligence.. criminal negligence
at the least...
I don't think so, at least not yet. We'll see how it unfolds. If the VA is
responsible for criminal negligence, well, so is every other federal agency
where it is not mandatory for security to keep up with technology, and
there's a whole lot of agencies which are not there. As an example, you may
take HUD, of which I don't know for sure is not adequately secured, but my
guess is that it is not.

Not to get into what should or should not be done, but I don't believe you
can make law retroactive. What I do see which *may* be criminal is the
removal of the property itself. The employee knew it shouldn't have been
removed. Perhaps Nigel can help us with current prosecution laws in that
area.

Rita
Post by Yaketyak
they need to arrest and prosecute anyone involved directly or
indirectly if they even had an inkling this was taking place... and
they can tell exactly who, when, where and how.
On Thu, 1 Jun 2006 11:55:19 -0400, "Rita Hansard"
Post by Rita Hansard
Post by La N
Post by redjacket
http://govexec.com/story_page.cfm?articleid=34212&dcn=todaysnews
VA official quits in aftermath of data theft
A high-ranking official in the Veterans Affairs Department has submitted
his resignation in the wake of the theft of personal data on millions of
veterans from an employee's home.
According to an Associated Press report, Michael H. McLendon, VA's
deputy assistant secretary for policy, said Tuesday he would leave his
post on Friday.
"Words are inadequate to describe how I feel about these recent events
and the impact on the band of brothers and sisters of service members and
veterans that we are supposed to serve," McLendon wrote in a letter
obtained by the AP.
"Given that this very serious and tragic event occurred on my watch and
in my organization, I feel it necessary that I tender my resignation,"
stated the letter, which was submitted to the VA late Friday. "I would be
modeling the wrong behavior to my staff and others in VA if I took no
action to be responsible."
The theft of the data, which includes the names and birth dates of up to
26.5 million veterans, including about 100 spouses, occurred May 3 when
the home of a VA data analyst was burglarized in what authorities believe
was a routine break-in. Social Security numbers for some 19.6 million of
those veterans were on the stolen property, as was information relating
to employee disability compensation.
McLendon was appointed to his VA post in December 2003. According to a
biography of him issued by the 2005 White House Conference on Aging (on
whose advisory committee McLendon sat), he is the founder of McLendon &
Associates, a management consulting and public policy firm with clients
at all levels of government. Prior to joining VA, he worked on projects
for the Defense Department, U.S. Agency for International Development,
World Bank, Asian Development Bank, National Academy of Public
Administration and other organizations.
Last week, VA Secretary James Nicholson accepted responsibility for the
security breach and said the department is reviewing all positions
requiring access to sensitive data. Once this is complete, employees
granted access will undergo new security and background investigations.
Why anybody would take highly sensitive confidential work-related
information home on a laptop is beyond my ken.
To finish up some work at home.
That is just *so* wrong,
Post by La N
particularly when it relates to the personal data of millions of people.
That's where the VA has been so negligent. Training as to the sensitivity of
the material and employees knowing that if they remove the property they are
going to face some very stiff penalties would be a very large step in
prevention. Sit 'em down, explain things to them, and then make 'em sign off
on it. Do it every 3 to 6 months until they understand the severity of the
issue. Just that little bit of added security would have most likely
prevented this disaster. And when I use the word "disaster" here, it is due
to the fact that now the feds are going to most likely make it mandatory
that the agencies which are not high-risk terrorist targets be upgraded to
the level of security of which some of the rest of us already have to
abide -- and it is going to cost SO MUCH MONEY. -- Everyone is going to
suffer. The taxpayer. Those who participate in the VA. The current
administration. The people who sell state-of-the-art security systems will
probably make out like bandits, but this moves it to the level as is with
everything else. It's probably going to work the same as what weapon is
issued for military personnel, and we all know that it ain't necessarily the
best one.
Rita
Post by La N
- nil
Mac
2006-06-02 01:01:52 UTC
On Thu, 1 Jun 2006 19:45:50 -0400, "Rita Hansard"
Post by Rita Hansard
Post by Yaketyak
because of its scope it is way beyond negligence.. criminal negligence
at the least...
I don't think so, at least not yet. We'll see how it unfolds. If the VA is
responsible for criminal negligence, well, so is every other federal agency
where it is not mandatory for security to keep up with technology, and
there's a whole lot of agencies which are not there. As an example, you may
take HUD, of which I don't know for sure is not adequately secured, but my
guess is that it is not.
Not to get into what should or should not be done, but I don't believe you
can make law retroactive. What I do see which *may* be criminal is the
removal of the property itself. The employee knew it shouldn't have been
removed. Perhaps Nigel can help us with current prosecution laws in that
area.
Rita
*******************************
Is there NOT in place restrictions upon removing from the premises
"sensitive" information ---especially pertaining to "clients",
"patients"??
Was this person authorized to remove those floppies, that information
to take home?
If he, as the story goes, was trying to do work at home, why not
simply go out to dinner at 1700-1800hrs AND THEN return to his office
and continue working for a couple of hours rather than remove so much
personal information??
---Mac
Baldur
2006-06-02 03:04:52 UTC
Post by Mac
On Thu, 1 Jun 2006 19:45:50 -0400, "Rita Hansard"
Is there NOT in place restrictions upon removing from the premises
"sensitive" information ---especially pertaining to "clients",
"patients"??
Yes.
Post by Mac
Was this person authorized to remove those floppies, that
information to take home?
No.
Post by Mac
If he, as the story goes, was trying to do work at home, why not
simply go out to dinner at 1700-1800hrs AND THEN return to his
office and continue working for a couple of hours rather than
remove so much personal information??
I'll bet he wishes he'd done that.


-=-
This message was sent via two or more anonymous remailing services.
Rita Hansard
2006-06-02 03:12:51 UTC
Post by Mac
On Thu, 1 Jun 2006 19:45:50 -0400, "Rita Hansard"
Post by Rita Hansard
Post by Yaketyak
because of its scope it is way beyond negligence.. criminal negligence
at the least...
I don't think so, at least not yet. We'll see how it unfolds. If the VA is
responsible for criminal negligence, well, so is every other federal agency
where it is not mandatory for security to keep up with technology, and
there's a whole lot of agencies which are not there. As an example, you may
take HUD, of which I don't know for sure is not adequately secured, but my
guess is that it is not.
Not to get into what should or should not be done, but I don't believe you
can make law retroactive. What I do see which *may* be criminal is the
removal of the property itself. The employee knew it shouldn't have been
removed. Perhaps Nigel can help us with current prosecution laws in that
area.
Rita
*******************************
Is there NOT in place restrictions upon removing from the premises
"sensitive" information ---especially pertaining to "clients",
"patients"??
Yes, but, you have to remember that I am involved in the area of banking
where restrictions and compliance are defined by law. There are several
degrees of punishments depending on why the action occurred and who all was
involved in the process. By way of example, The Bank Secrecy Act defines
acts of noncompliance and areas of misdoings by listing the activities
mostly by intent. I don't remember them all exactly as written, but there's
one which covers mistakes, another which covers a willful "looking of the
other way" when something is seen but not reported. There's one which covers
an "intent" by an employee to engage in criminal activity, and there's yet
another one which covers the agency or facility and their "intent" to engage
in criminal activity.

If the employee took the material home with the "intent" of engaging in
criminal activity, there are, I believe, laws in every area of government and
private enterprise which allow for prosecution. If the employee took it
home for harmless intent, there may still be allowance for prosecution, but
I don't know for sure or to what extent. I'm hoping Nigel will show up and
help out on this one. Before we upgraded to the highest level of security, I
know it was up to the facility to discipline an employee when an act of
wrongdoing occurred. If one took something home on purpose, there would have
been immediate termination and/or prosecution depending on criminal
activity. If one took something home by mistake, and it can easily be done
if one is allowed briefcases in the areas, the severity of discipline was
reduced to an employee getting no more than a slap on the hand if no harm
occurred. It's different now. There is no way a disk can be hidden anywhere
because we cannot take boxes, bags, briefcases, et cetera, inside the
contained areas. If a disk were to get out, it would be no doubt by
intention, and it would take only a short amount of time to find out who did
it.

In both areas, really secure, and fly-by-night secure, the act of taking the
material home is known to be forbidden, however, prosecution was not
necessarily indicated until full compliance was undertaken by the facility.
That's why I said, sit 'em down every 2 or three months; drill it into them
what the rules are and what the punishments will be. Test them. Make 'em
sign off to the effect that they understand. You might think that employees
are aware of potential harm, but it is not always the case. As little as
three years ago, all the trees were cut down outside the building where I
work and a rock wall was built around the perimeter. Most of us were just
looking around and wondering aloud when they were going to issue us all
Humvees. The everyday common employee was not made aware and did not see the
vast problem of identity theft that was coming. We were trained and trained
and trained until we all got it. That's the difference in employee
"attitude" and compliance where I am and what's going on with the VA at the
moment.

Rita
Post by Mac
Was this person authorized to remove those floppies, that information
to take home?
If he, as the story goes, was trying to do work at home, why not
simply go out to dinner at 1700-1800hrs AND THEN return to his office
and continue working for a couple of hours rather than remove so much
personal information??
---Mac
Yaketyak
2006-06-02 23:47:56 UTC
Permalink
Somehow I think I see a class action suit brewing against the VA..
lookout bureaucrats.
Post by Mac
On Thu, 1 Jun 2006 19:45:50 -0400, "Rita Hansard"
Post by Rita Hansard
Post by Yaketyak
because of its scope it is way beyond negligence.. criminal negligence
at the least...
I don't think so, at least not yet. We'll see how it unfolds. If the VA is
responsible for criminal negligence, well, so is every other federal agency
where it is not mandatory for security to keep up with technology, and
there's a whole lot of agencies which are not there. As an example, you may
take HUD, of which I don't know for sure is not adequately secured, but my
guess is that it is not.
Not to get into what should or should not be done, but I don't believe you
can make law retroactive. What I do see which *may* be criminal is the
removal of the property itself. The employee knew it shouldn't have been
removed. Perhaps Nigel can help us with current prosecution laws in that
area.
Rita
*******************************
Is there NOT in place restrictions upon removing from the premises
"sensitive" information ---especially pertaining to "clients",
"patients"??
Was this person authorized to remove those floppies, that information
to take home?
If he, as the story goes, was trying to do work at home, why not
simply go out to dinner at 1700-1800hrs AND THEN return to his office
and continue working for a couple of hours rather than remove so much
personal information??
---Mac
Fafnir
2006-06-03 01:17:25 UTC
Permalink
Post by Yaketyak
Somehow I think I see a class action suit brewing against the VA..
lookout bureaucrats.
The Federal Government, as well as State Governments, have
sovereign immunity against lawsuits.

You can't sue them unless they consent.
Post by Yaketyak
Post by Mac
On Thu, 1 Jun 2006 19:45:50 -0400, "Rita Hansard"
Post by Rita Hansard
Post by Yaketyak
because of its scope it is way beyond negligence.. criminal negligence
at the least...
I don't think so, at least not yet. We'll see how it unfolds. If the VA is
responsible for criminal negligence, well, so is every other federal agency
where it is not mandatory for security to keep up with technology, and
there's a whole lot of agencies which are not there. As an example, you may
take HUD, of which I don't know for sure is not adequately secured, but my
guess is that it is not.
Not to get into what should or should not be done, but I don't believe you
can make law retroactive. What I do see which *may* be criminal is the
removal of the property itself. The employee knew it shouldn't have been
removed. Perhaps Nigel can help us with current prosecution laws in that
area.
Rita
*******************************
s***@hotmail.co.uk
2006-06-03 23:26:53 UTC
Permalink
Post by redjacket
http://govexec.com/story_page.cfm?articleid=34212&dcn=todaysnews
VA official quits in aftermath of data theft
A high-ranking official in the Veterans Affairs Department has submitted
his resignation in the wake of the theft of personal data on millions of
veterans from an employee's home.
I just found the following item posted over on the Khe Sanh Vets
website:

Quote:

Just in from Don Thorne.
----------------------------------
Retirees,

Subject: Fall out from Veterans Administration lost data has probably started

The information recently passed on to us all concerning possible use of
information from the stolen disk containing many retirees, has come to
actuality. Today I had a new Bank of America Credit Card posted to my
Credit Report, with no account number. However, the card already has a
balance due of $3752. Upon notifying Bank America, they cannot locate the
account by my name, passwords, or security protocols. I requested and
received a Dispute Claim and what may come of it is uncertain at this time.

I would highly recommend everyone retired that may be on the disk(s) stolen
from a "very smart" government employee, to constantly check their credit
reports, and take prompt action on any disparities. This is real and could
cause many of us personal and financial hardships if not handled promptly.

R/S,

Don Thorne
MSgt (Ret) USMC

Open BCC to Approximately 1,000
(200+ potential employers and 800+ Marines and other
current or prior Service men and women)

Respectful Regards and Semper Fi'd I remain,
Max Wix

Unquote

STW (tm)