Security leak or professional incompetence?
cdn-programmer writes: "Yesterday I purchased a DLT7000 drive in a Pawn Shop. A piece of media was in the drive. They have a 48 hour return if it doesn't work policy... so I immediately hooked it to my Linux desktop and tried to read the tape that came with it to see if (a) there is something on it that indicates who it came from in case it was stolen (the drive was really cheap — cheaper than the media) and (b) to see if the drive actually works.
Well — it does work. The 1st file was an HTML file — basically the backup of a website. I have now called the police to see if the organisation behind the website is missing a tape drive and I have calls into the organisation as well.
But something seemed funny. There seemed to be other stuff that said organisation would not have. So I ran strings on the file — huge — and there are many files on the tape and now I see a pattern.
This appears to be a backup tape from an accountant and the tape is full of her clients' tax returns and other private data. It looks like her son was affiliated with the organisation and that the lady in question did the tax returns for the organisation. I now know who the person is. I have her phone number. Thing is I called her asking for her son because I thought I should get a hold of the organisation in charge of the website. Now I find she lives about 3-4 blocks from here and this tape drive must have been hers. What a dork she was on the phone! I don't enjoy rudeness and being hung up on when I'm trying to be honest and a nice guy and maybe do someone a favor.
What should I do? Erase the tape and forget it or call the local accountants' regulatory body and advise them that one of their accountant members has so little concern for her clients' private tax data that she totes her backup system containing all their tax data down to a pawn shop and sells it?
What do slashdot people advise? Blow the whistle or forget it?
Oh — strings furnished me a list of many of her clients complete with names, addresses, telephone numbers and their Social Security numbers too. I guess I could call them and ask them what they think about their accountant publishing their tax data via a pawn shop. How do I know how many pieces of media she had?
Note: this is NOT the first time confidential data has found its way into my hands. Several years ago I was hired to recover a backup tape. After finding the proper version of the backup program and after reading the tape I found the tape was full of a company's source code. So I called the company. They were shocked.
The tape was part of the disclosures for a discovery for a Court of Queen's Bench trial. It had been disclosed under seal. They and their lawyers definitely wanted to meet with me and by then I had fired the tape off to my lawyer's offices. I found out the opposing counsel handed the tape to his client and the client sent it down to one of the developer's competitors and the competitor handed it to one of their employees who chucked it into her backpack and pedaled it across town and handed it to me to read.
So much for a legal undertaking of non-disclosure of confidential source code! That code put ME in a conflict of interest situation. In the end I was thanked by the developers. The opposing counsel didn't get the tape back. I never got paid for the work I did because I couldn't give the tape back to the people who hired me. Of course I was out of pocket for having purchased about 3 versions of some backup software that I had no use for other than to read the tape I was handed.
How to read the DLT7000 tape?
mt -f /dev/st1 setblk 0                          # variable block size; /dev/st1 and /dev/nst1 are the rewinding and non-rewinding nodes of the same drive
dd if=/dev/nst1 of=file1 bs=1024k count=         # count= is the number of 1 MiB blocks to copy from the first tape file
strings file1 | less                             # list printable runs in the dump
I don't think this contravenes any DMCA legislation and besides I bought the tape and I own it so it is perfectly legal for me to look on a tape I own. How is this any different than buying an unlabeled CD and playing it to see if it contains some music you like? Besides which I have not actually looked at these people's tax returns and strings won't show me anything more confidential than their names, addresses and social security and phone numbers. To actually recover the data I'd have to install the backup software and read it on my NT machine.
BTW — there is a bug in dd and when you do a setblk 0 dd then tries to allocate a buffer of zero (0) bytes and barfs. It's too bad we can't improve the code base... I have reported this before."
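The post's point is that a raw dump of discarded media reveals Social Security numbers to a plain `strings` pass. The check below is an added example (not the submitter's code) that an owner would run on the `dd` output file before backup media leaves their custody: it extracts printable runs the way `strings` does, looks for SSN-shaped tokens, discards values the SSA never issues, and reports only masked counts so the audit itself does not reproduce the data. The tape image here is a constructed byte string; the issuance rules (area 000, 666 or 9xx, group 00 and serial 0000 are never assigned) are the SSA's published ones.

```python
import re
from collections import Counter

# Runs of printable ASCII at least 4 bytes long, the GNU strings default.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# SSN-shaped token (3-2-4 digits) that is not part of a longer digit run.
SSN_SHAPED = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

# Constructed stand-in for the dd output file: binary noise around client records.
SAMPLE_IMAGE = (
    b"\x00\x01\xff" b"Client: J. Doe SSN 123-45-6789 Tel 555-0100\n"
    b"\x00\x00" b"Client: R. Roe SSN 987-65-4320\n"      # 9xx area is never issued
    b"\x7f\x00" b"SSN 123-45-6789 (dup)\n"              # same number again
    b"ref 321-54-9876\n"
    b"666-12-3456\n"                                    # 666 area is never issued
    b"serial 9123-45-67890\n"                           # part of a longer digit run
)

def printable_strings(blob: bytes):
    """Yield printable ASCII runs, i.e. what `strings` would print."""
    for m in PRINTABLE_RUN.finditer(blob):
        yield m.group().decode("ascii")

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject area/group/serial values the SSA never assigns."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def mask(serial: str) -> str:
    """Keep only the last four digits, as on a redacted tax form."""
    return f"***-**-{serial}"

def audit(blob: bytes) -> dict:
    """Count plausible SSNs in a raw image, keyed by masked value."""
    hits = Counter()
    for s in printable_strings(blob):
        for area, group, serial in SSN_SHAPED.findall(s):
            if plausible_ssn(area, group, serial):
                hits[mask(serial)] += 1
    return {"unique": len(hits), "total": sum(hits.values()), "masked": dict(hits)}

if __name__ == "__main__":
    report = audit(SAMPLE_IMAGE)
    print(f"{report['unique']} distinct SSN-like values, {report['total']} occurrences")
    for masked, n in sorted(report["masked"].items()):
        print(f"  {masked}: {n}")
```

Any non-zero count means the medium must be overwritten or destroyed rather than resold; run it against the real dump with `audit(open("file1", "rb").read())`.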