Originally published at: https://boingboing.net/2018/04/18/stolen-department-of-revenue-h.html
I could see this happening quite innocently. There are plenty of offices where awkward-sized or hazmat trash will be left on a table to be disposed of properly, and the cleaning staff know to look for that stuff. So somebody absentmindedly leaves a stack of backup drives there and our guy here says, “Sweet! Wonder if any of these still work enough to store my random unimportant crap on?” etc.
I certainly wouldn’t want to be the janitor here; but I’d agree with your assessment and also note that someone further up the food chain screwed up. It’s not exactly the “these are the mad skillz they pay me for” highlight of the job; but ceremoniously maintaining physical custody of sensitive storage media at least to the point of delivery to a suitably blessed-and-trusted-by-HQ vendor, often standing by to observe the shredding yourself, is an established IT honor guard thing you deal with when the locked junk drawer gets too full.
I don’t doubt that salvaging things out of the trash heap is against enough policies (and potentially laws) that you don’t want it to be you when the situation requires a fall guy; but the root mistake here is losing track of the sensitive media; which is just one of those things you don’t do.
I have visions of a palace honor guard with great pomp and circumstance transferring a case of hard-drives…
…and then marking them off in the special spreadsheet.
Thank god they were being put to good use, at least.
It’s not exactly a ceremony designed for television; or to stir the hearts of onlookers with the swelling warmth of knowing that this brave hardware’s struggle against bitrot was not in vain; but with operations that care enough there can be a sort of ceremony to it.
In more casual cases there’s just ‘the hard drive box’ living in whatever storage room seems most secure within reasonable range (not infrequently a switch closet or similar locked and unpeopled IT outpost), in which people collect drives pulled from decommissioned hardware. Since the drives are a lot smaller than the hardware, the box can serve for multiple upgrade cycles, long enough for people to leave, memories to fade, and inventory to get fuzzy. It’s assumed that anyone decommissioning something will put its drive in the box; and then eventually it becomes someone’s job to ensure that the entire box gets the “Yup, destroyed for real” treatment.
In less casual cases, you could probably die in a great many jurisdictions with less attention paid, though probably with more solemnity. That drive had a globally unique ID burned into it when we IT Lifecycle Managed its host computer into the organization; and the dead shall not rest quiet nor earthly debts be paid until its serial number is scanned and enshrined on a Certificate of Destruction duly signed by the agent of the destroyer and the duly authorized representative of the owner and onetime operator upon their personal witness of the passage into the shredder.
May the departmental inventory account in all balance and our adherence to procedure stay the fell hand of legal exposure.
I worked for a similar institution and, yeah, that was exactly the way old HDDs were stored: in a box on a desk, waiting for the hydraulic axe to bend them at right angles. They were in a semi-secure location, but not one so secure that someone didn’t make off with some CAT5 spools once.
The security of the ‘meh, box’ strategy is pretty tepid; but (aside from the vast virtue of simplicity and low overhead) that is somewhat mitigated by the fact that used HDDs are a pretty lousy thing to steal purely opportunistically (unreliability means low price for ‘working pulls’, scrap value lower than copper; value/saleability of data highly variable but institutional displeasure at having a potentially reportable data breach incident very unpleasant); and while a box with an only approximately known number of HDDs is absurdly vulnerable to an insider threat, who can trivially sneak the one he really wants out, the insider threat is almost as unhindered by the hardass inventory approach (can’t actually steal the drive; but unless you are inventorying SMART spinups or the like, can clone it before disposal with nobody the wiser, or do any of the numerous other bad things that an insider threat in IT would do if he wanted to cause trouble or obtain data).
It’s certainly not a bad thing to try to keep an eye out; but with the disk encryption options now available I have to wonder at the priorities of anyone trying to track down a population of practically disposable FRUs, which are often lost by users along with the computers they are in, rather than IT, unless they’ve already implemented a solid plan for encryption and still have caution left to spare; rather than the other way around.
Poor guy’s going to lose all his game save points, tho. 