On 6 February 2015 at 15:47, Jousma, David <[email protected]> wrote:
> I'll be honest. I do not understand the need for encryption at the disk
> hardware control unit level. I get it for tape, if tape is being
> transported, or handled by humans. Seems like that would *only* protect data
> if the DASD box was being transported somewhere, or you threw the old disks
> away with data still on them. Any of those situations are clearly
> remediated by good procedures.

True enough. But those procedures may not be in place as they should be.

I bought a couple of SATA SSDs from a recycler on eBay. Previous generation, just a few GB, but the price was right. When I looked at them on a PC, they each contained a bootable Windows XP system, with drivers and application software for controlling what I believe is some high end A/V gear - maybe for film/TV editing or the like. Among other data were credentials for accessing both other systems that had probably been networked locally, and the vendor's web site. Maybe there was more stuff; I formatted them both, but then I'm a "good guy".

Presumably when the systems were decommissioned the hard drives were dealt with properly, but no one thought about little SSDs inside the box until the recycler stripped them out and sold them. Lots of things can go wrong when disposing of drives. And as with the NSA's "it's only metadata" protests, there may be great value in leftover data that describes other data.

> The data stolen is much more damaging than bank accounts. Bank accounts can
> be closed/changed, etc. This will haunt me, and family for life.

I'm very sorry to hear this. The reports suggest that detailed data on medical diagnoses and treatments were not taken, but who knows. And of course it's not clear who would be going after this kind of data (beyond the associated financial info). Blackmailers? Other insurance companies? Spooks? Nonetheless the feeling of violation must be terrible.

Ross Anderson at Cambridge, who has long been involved in medical records management research among his other security interests, has recently mentioned a report that he contributed to on "The collection, linking and use of data in biomedical research and health care: ethical issues".

https://www.lightbluetouchpaper.org/2015/02/03/nuffield-bioethics-report/

It's a long paper, but it makes good reading for those interested in security, and perhaps for victims of records malpractice.

Tony H.
