On 7 Jun 2005 04:57:29 -0700, in bit.listserv.ibm-main you wrote:

>> It is nothing less than "grossly irresponsible" to ship this type of data
>> in an unencrypted format.
>
>According to your metric, probably 99.9% of companies worldwide are
>"grossly irresponsible". I'm not defending them, I'm just saying that in
>2005 almost no one encrypts tapes.
>
>Bob Shannon

While encryption might solve the problem of lost tapes, it has its own problems. The ability to decrypt the tape has to be somewhere separate from the tape and stored for the life of the tape.

Actually I suspect that making certain that the tape is readable both physically and logically over the life of the tape is a greater problem. If this is a tape to be kept 7 years, then a drive capable of reading it will have to be available over that period. The program that reads the tape must maintain backward compatibility over that period. Then the individual files / database unloads / etc. must be logically accessible. That means the record layouts / data descriptions, etc. must be accessible and usable. Of course if you take the attitude that you just need the tape but nothing legally compels you to be able to read it, these considerations are meaningless.

While I understand that having tapes that can be read by a utility is an exposure since a Hercules equipped PC with MVS 3.8 can be used to at least hex print them, getting the tape hardware and then the time to decipher them isn't completely trivial. However there are probably easier ways for people to get interesting information. The current issue (vol. 22 issue 1) of 2600, The Hackers Quarterly has several interesting cases of exposure including a couple of job application PCs at a major retail chain.

I also note that many of the practices of major companies resemble those of phishers. For example, I think that the ZDnet (Ziff Davis) html newsletter has web bugs. The other day I received a promotion e-mail that I believe is from American Express (I have one of their cards) but I haven't checked it closely enough. For a while one of the major bank's home page had a link to x.112.2o7.net, a usage tracking company.

The vulnerability of the public face of most organizations and the questionable practices of many in terms of numbing us to dangerous exposures are of far greater concern to me than the lack of encryption on tapes. If I were a crook I would rather steal PCs from an organization's office because the data is more easily readable. There have been Canadian instances of just that as well as instances of misdirected confidential faxes from banks.

