>>surely even a junior clerk would know that you don't send 25 million people-details to another department, without the right authorities?

But a senior official wouldn't? This is the British version of Dilbert, right?

"Password-protected" could mean a lot of things not necessarily entailing encryption, or at least not meaningful encryption. It could be a password-protected Excel file, which is trivially-broken, at least until more recent versions. Some Office password protection schemes are only breakable through brute force and a long and complex enough key could make that hard. Or it could be a ZIP file with the default password protection, which takes about 5 microseconds to break.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Drsolly
Sent: Wednesday, November 21, 2007 2:38 PM
To: Nick FitzGerald
Cc: [email protected]
Subject: Re: [funsec] Oops

I read in the newspaper that it wasn't encrypted. I don't really understand what "password protected" means if it isn't encrypted.

And apparently, according to the Opposition, this was all sanctioned at a pretty senior level. Which sounds plausible to me - surely even a junior clerk would know that you don't send 25 million people-details to another department, without the right authorities?

On Thu, 22 Nov 2007, Nick FitzGerald wrote:

> Drsolly wrote:
>
> > The Inland revenue have lost CDs containing the names, addresses,
> > National Insurance Number and bank details, for about half the
> > population of the country.
> >
> > http://news.bbc.co.uk/1/hi/uk_politics/7104840.stm
>
> But note -- "password-protected" CDs.
>
> OK, so some junior-ish clerks broke protocol and didn't use receipt-
> required courier tracking (and maybe didn't use a suitably secure
> courier service?), BUT the big issue is how strong is the "password
> protected" bit of this?
>
> Unlike so many other recent data loss incidents, it seems that at
> least the data is encrypted which means (if this bit was done properly
> _AND_ the proper procedure was well-designed) that there is actually
> no _data_ loss. "Noise loss" maybe, but no meaningful data loss.
>
> The authorities though don't seem to be stressing this so maybe the
> "password protection" bit of this is known to be not very effective?
>
>
> Regards,
>
> Nick FitzGerald
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
>

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
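
Added example, not part of any poster's message: which kind of "password protection" a ZIP archive carries can be read from its central directory without the password, because the format records an encryption flag and, for WinZip AES, a distinct method number. The function names and the sample archive (an unencrypted archive whose header fields are patched to mimic each case) are constructed for this example.

```python
import io
import struct
import zipfile

AES_METHOD = 99      # compression-method value WinZip uses to mark AES (AE-x) entries
FLAG_ENCRYPTED = 0x1  # general-purpose bit 0: entry is encrypted
FLAG_STRONG = 0x40    # general-purpose bit 6: PKWARE "strong encryption"


def classify_zip(data: bytes) -> dict:
    """Map each member name to 'none', 'zipcrypto', 'pkware-strong' or 'aes'."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # infolist() only reads central-directory metadata; nothing is decrypted.
        for info in zf.infolist():
            if not info.flag_bits & FLAG_ENCRYPTED:
                kind = "none"
            elif info.compress_type == AES_METHOD:
                kind = "aes"
            elif info.flag_bits & FLAG_STRONG:
                kind = "pkware-strong"
            else:
                kind = "zipcrypto"  # the legacy default scheme
            result[info.filename] = kind
    return result


def build_sample() -> bytes:
    """Constructed sample: three stored files with patched central-directory fields."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in ("plain.csv", "legacy.csv", "aes.csv"):
            zf.writestr(name, "constructed,sample\n")
    raw = bytearray(buf.getvalue())
    # The end-of-central-directory record holds the central directory offset at +16.
    eocd = raw.rfind(b"PK\x05\x06")
    (pos,) = struct.unpack_from("<I", raw, eocd + 16)
    for flag, method in ((0, 0), (FLAG_ENCRYPTED, 0), (FLAG_ENCRYPTED, AES_METHOD)):
        (flags,) = struct.unpack_from("<H", raw, pos + 8)
        struct.pack_into("<HH", raw, pos + 8, flags | flag, method)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", raw, pos + 28)
        pos += 46 + name_len + extra_len + comment_len  # next central header
    return bytes(raw)


if __name__ == "__main__":
    for member, kind in classify_zip(build_sample()).items():
        print(f"{member}: {kind}")
```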
