I Can Never Return to that Pawnshop Again …

I Can Never Return to that Pawnshop Again …

Administrators: Force Secure Passwords Because Users are Lazy. This is the story of how a stolen laptop and a careless employee got me banned from my favorite pawn shop.

The Punchline

The punchline to this story is hidden in my phone call to a complete stranger:

Stranger: How do you know Bob?

Me: All I know about Bob is what I found on his laptop.

And later in the call:

Stranger (to someone in the office with him): This guy on the phone is standing outside a pawn shop in Houston and …

Loud voice in the background: OMG, he found our laptop?!

Author Note: Pawn shops are often a great place to find older camera equipment (I’m hunting for old 35mm Canon lenses for my XSI with adapter ring for artistic shots). I have the expectation that nothing for sale is stolen. This article is not about pawn shops, it’s about security. So no flames please. 🙂

While walking through the electronics section of a pawn shop, I noticed a Dell laptop in the WinXP screen-saver mode. Interested to see if it was worth the $200 price tag, I tapped the space bar for a closer look.

That’s when I met Bob.

There was no login password, dismissing the screen-saver took me right to Bob’s desktop. 2 seconds later, it was obvious something wasn’t quite right. If someone was going to sell their old laptop for a few bucks, chances are they would delete personal and company information; Bob didn’t give up this laptop voluntarily.

Sifting Through Data

Knowing that Bob would probably like to have his laptop back, I spent several minutes sifting through files looking for contact information. There was directory after directory of company financial data, historical pricing information, bid sheets (won and lost) and client contact information. Finally, in a online purchase receipt next to his credit card number, I found Bob’s company phone number.
I found enough information to contact Bob by rifling through the company’s sensitive financial information that was on public display in a resale shop

Calling Bob’s Boss

Bob didn’t answer the phone, but his boss did and was happy to get my call. He notified the police investigator working the recent office robbery and a few hours later, the pawn shop manager received a visit from two officers. After lifting some fingerprints, the nicked laptop was returned to its owners while the manager of my favorite pawn shop was out $200 bucks.

Apparently, the office robbery was perpetrated by someone looking to nab some computer equipment. But had Bob’s laptop been stolen by evil-doers from a rival company, the damage would be immeasurable. For the ripe sum of $200, anyone could have bought this company’s laundry and Bob’s credit card receipts.

Users Hate Security

When it comes to IT security policies, I’ve worked in polar extremes. At one design shop, every C:\ drive was an open share. On the other hand, when working IT litigation support for Enron, VPN was restricted to using company-provided software and our home PCs were required to have extreme password policies enabled. Logging in from home was a 5 minute, multi-step process that IT felt was warranted.

Secure systems are inconvenient for users. For the sake of efficiency, they may choose convenient passwords (or disable security entirely). Users may also prefer the same password for every system, even for their CBS Survivor fan site.

Statistics suggest as many as 600,000 to 1 million laptops are lost or stolen each year

Number of USB Keys lost or stolen yearly is impossible to calculate

Reduce Risk, Fix Bob, Bob is Lazy, Long Live Bob

System and site administrators have to design security with the expectation that users are lazy and have no concept of security. The majority of your users may be well-informed and aware of their responsibility to security. But it only takes one Bob to lose a laptop with a lousy password (if any) to put a business at severe risk.

Enact password and drive encryption policies in your organization to prevent an over-night robbery from turning into a company destroying event. This is not the job of IT managers, CEOs, CFOs or building security. It is the responsibility of system admins and developers. Your company’s data is in your hands, is it worth a $200 laptop resale?

Be a Company Hero

When a member of the sales team forgets his laptop in a taxi and his director storms in your office wanting to know the risks, you can confidently say there is no exposure. The hard drive was encrypted and the login password is impossible — the device is useless without reformatting first. Someone in the world gets a free laptop, but the company is not at risk.

As a side note, the pawnshop owner saw me standing by the laptop for several minutes. So now I can never show my face in that place again. Maybe that’s not a bad thing.

NOTE: I originally wrote this article while working for Dzone.com, August 23, 2008

Distilling the Scott Kelby anti-Drobo Comments

Distilling the Scott Kelby anti-Drobo Comments

Genesis

Yesterday I posted about Scott Kelby’s blog post, I’m Done with drobo. Although I am one of the folks who hasn’t suffered the Drobo-bricking, its easy to see why he would want to migrate to a different backup system.

His post churned up a nice bit of valuable comments.

Unfortunately, the comments are awash in a sea of “stuff”, such as folks making snarky replies to each other. There was even an brief argument of film vs. digital. But once the comment count reached 320, I did some data-mining. And yes, I read them all.

There’s some funny stuff here …

Several people suggested using old or discarded PCs to create RAID controllers. Using old hardware for mission critical work seems a bit risky. The film vs. digital, cloud vs. local, and various media type comments were interesting too.

Not everyone hates Drobo

So far after 4 years of Drobo ownership, I don’t hate it. It has issues (mentioned in my last post), but it does the job expected (so far).

There were plenty of “Me Too” Drobo-disaster stories among the comments. And one commenter insisted he read 70% of the replies, and there were no positive comments about Drobo. Granted, people usually don’t join a gripe fest with a heavy-hitter like Scott Kelby just to be contrary, but I read a few:

Excerpts from “I don’t hate drobo” people:

Commenter Comment
Michael Gowin I’ve been using a drobo for a couple years without any issues …
donnpr Based on your recommendations, I have been running a Drobo 1, 24/7 for about 4 years, no problem.
Marcus I have an early 3 bay FW800 Drobo (circa 2007 I think) which is still going just fine.
Terry White Luckily my 4 Drobo units have been running trouble free 24/7. … the key is to NEVER have your data in just one place.

And there were those who didn’t buy the drama:

Commenter Comment
Alan Hess Alan explained how to pull the drives out of one of the other 2 Drobos to recover the files.
follomobshawn I’ve got to ask, why not just pay the $300 (or just $100 now) and repair the [out of warrentee] Drobo?
Ron Feiner After a period of time all drives, or their interfaces, can fail.
Michael Kummer … always sign-up for extended warranty.
David 1. Let Drobo ‘repair’ your system, regardless of the cost. 2. After they fix your system, then work with them to improve their system as it will help all of us.
Mike Gee, I don’t know this is a tough one! Particularly if you are a PRIMA DONA …
And my fav is from coldFuSion This is ultra hilarious! you have 3 of these, and they sound like they are backups of each other. how are the pix lost?

Exactly what I said yesterday.

Side note: Behyer pointed out, (and I didn’t know this), that some Green drives, such as the WD Caviar Green, that spin down to save energy are known to cause problems in Drobos. That’s a pretty nice tip right there.

Ok, enough fun, where’s the real gems?

The comments were full of great suggestions for alternatives to a Drobo system. Some of them were pretty expensive, some were specifically cloud, software or hardware based. And the ones that were well-constructed offered a multi-tactic solution (hardware / cloud / offsite / etc).

Below is a list of the products and services mentioned in the post, aggregated into groups, and ordered by the number of times the product was “mentioned” in the first 320 comments.

Lots of Cloud Options

Cloud is big, and cloud storage had a fairly strong showing among Kelby’s fans.

Service Mentions Link
CrashPlan 29 link
Amazon-S3 20
Backblaze 19 link
LiveDrive 6 link
Smugmug Vault 6 link
Dropbox 5 link
Carbonite 4 link
Google Drive 3
Synform 2 link
pogo plug 1 link

The Hardware Options

Since it was a hardware discussion, there were plenty of hardware suggestions. Synology by far received the most mentions.

Service Mentions Link
Synology NAS 84 link
QNAP 37 link
LaCie 24 link
Promise 23 link
G-Tech 22 link
WD 14 link
BuffaloTech 13 link
Netgear NAS 11 link
Other World Computing 9 link
Seagate 8 link
HP 6 link
Sans Digital Tower RAID enclosures 6 link
Drobo (With Extended Warrenty) 3 link
NETAPP 3 link
WeibeTech 3 link
BRU 2 link
LTO-5 Tape Drive 2
Newertech 2 link
Proavio’s solutions 2 link
Savvis cloud 2 link
Thecus NAS 2 link
Unraid 2 link
ARCTICROC 4T 1 link
CineRAID CR-H458 1 link
DattoBackup 1 link
ioSafe 1 link
LSI MegaRAID SAS 1 link
MacGurus 1 link
NexStar Dock 1 link
Penguin Computing 1 link
Polywell Computers MiniStor 1 link
Voyager dock 1 link

Platform and Software Options

RAID was mentioned quite often, as well as the following OS Platform and Software options:

Service Mentions Link
ZFS 15 link
Freenas 8 link
HDFS (and a server cluster) 4 link
Iron Mountain 1 link
Acronis True Image 1 link
AllwaySync 1 link
ShadowProtect by StorageCraft 1 link
SpinRite 1 link
Superduper 1 link
Syncrhonize X Plus 1 link

Alternative Media Options

Who woulda thought anything other than HHD was an option?

Service Mentions Link
Floppy Disks 3
Gold DVD 1
Millenniata 1 link

Lots of Links

Hope you find this distilled list of backup options valuable. In the end, any backup system you use should include more than one copy, and more than one methodology.

Forcing Drupal into Perpetual Cron Jobs

Forcing Drupal into Perpetual Cron Jobs

Something went screwy. That’s the shortest explanation I can provide. To fix it, I had to run the Drupal Cron job hundreds of times until the queue drained.

Unfortunately, I wasn’t interested in sitting at my computer for hours clicking the Run Cron button. So I inserted this little hack into my page. Its an absolute total hack, and very temporary, but gets the job done.

try
{
	var i = document.getElementById('system-cron-settings');
	if (i!=undefined) i.submit();
}
catch(e){}

Pretty simple stuff. It looks for the cron form, and if it finds it, the cron is submitted. So each time the page refreshes, it automatically resubmits.