Just got a call from the IBTS to clarify the situation for me. Here are the highlights:
1. Yes, the IBTS knew that employees of the NYBC would be transporting confidential data around on their laptops and bringing it home because they would have to be working late hours on this project, so the IBTS gave them permission to do this.
2. Regarding the statement in the letter that the data was "encrypted with a 256-bit encryption. Those records were transferred to a laptop and re-encrypted with a 256-bit encryption", the person I spoke to said that he didn't really know what that actually meant, maybe the data was unencrypted at some stage and maybe it wasn't, but was happy to confirm that, yes, the laptop mentioned here was the laptop that was stolen.
3. I queried the statement "To our knowledge there has never been a report of a successful attack against a 256-bit encryption key."; he said that this was what he had been told by the NYBC and they took care of all of the encryption stuff.
Friday, February 29, 2008
IBTS and the Missing Laptop - Part I
Yippee, it's like winning the lottery! I just got a letter today from the Irish Blood Transfusion Service (IBTS) telling me some great news: my donor records were among the 171,324 records that were on a laptop that was stolen in New York on 7th February.
I have been dreading this since the news broke on the Irish news over a week ago. In summary, the IBTS 'loaned' this data to the New York Blood Centre (NYBC) because they need a new data extraction tool that it seems no one in Ireland is capable of developing. An employee of the NYBC had a copy of the data on his laptop and lost the laptop when he was mugged outside of his home. I find it very disturbing that anyone was allowed to bring this type of data outside of a secure centre.
According to the letter I received, the data was "encrypted with a 256-bit encryption. Those records were transferred to a laptop and re-encrypted with a 256-bit encryption". What does this mean? Why did it have to be re-encrypted? Does this mean at some point the data was unencrypted? If it was, and this is the same laptop that was stolen, that is bad news.
But it's OK because according to the CEO of the IBTS, Andrew Kelly, the chances of decrypting this information are "extremely remote", and, "To our knowledge there has never been a report of a successful attack against a 256-bit encryption key." He should read the 2005 paper "Cache Attacks and Countermeasures: the Case of AES" by Dag Arne Osvik, Adi Shamir and Eran Tromer, who in one attack managed to obtain an entire 256-bit AES key after 65 milliseconds.
The Data Protection Commissioner undertook an investigation of the entire event and according to their conclusions the IBTS seems to have done everything correctly, well that's alright so.
Tuesday, February 5, 2008
The Dangers of Teaching
I have just finished teaching a module on the D.I.T.'s MSc in Applied eLearning, which I really enjoyed doing. I always approach the idea of teaching other teachers or lecturers with a bit of trepidation since I never know what sort of interaction I’m going to get. It is one of the problems of being a lecturer or teacher that in your job you become used to coming into a room and everyone becoming silent and taking notes on everything you say. This can sometimes lead teachers to conclude that even in non-work situations they always have something significant or important to say. The Round Table journal, comparing Eamon de Valera to a teacher, said “He can lecture but cannot negotiate, and his enthusiasm for abstract propositions prevents him from facing realities”. I definitely feel there are times when this sort of characterization applies to all of us, so it’s always a bit of a worry teaching teachers: will they ruin the flow of the lecture by always trying to score points, or will they be open to the process?
I think one of the few things keeping teachers from going totally over-the-top is the students; invariably there will be students who keep you modest either from their knowledge of the subject, or their genuine curiosity, or their remarkable humanity. This brings me back to what I started this posting about, which was teaching the D.I.T. lecturers. I was blessed with a group of colleagues who came to learn and share; there was no one-upmanship or showing off. So to them and to all students who are willing to participate in the process I offer you my sincerest thanks, in the words of Albert Schweitzer:
“Sometimes our light goes out but is blown again into flame by an encounter with another human being. Each of us owes the deepest thanks to those who have rekindled this inner light.”