'Progress' was a bad idea.
How many people do you know who don’t understand the difference between IE and the actual Internet? Who refer to Explorer’s ‘filmstrip’ view as ‘Powerpoint’? Who send emails with Word attachments that are just plain text with red underlines under all the British spellings? Who call you over every time they get sent a gzip, or transfer data between applications via a pencil and paper? I’ve known at least one person do all of those things, mostly people I worked with.
And that’s not their fault, generally. Please don’t think I’m mocking the ignorant here. My point is that people in charge should fix it. It’s a massive drain on resources. If you can spend a week training someone to use their computer efficiently, you’ll get that week back with interest within a year or two. I don’t understand why companies spend so much money on computers and software, then give them out to all employees without even explaining how to operate them, and then spend even more time and money trying to build a network so secure that their random clicking can’t do any damage. Why not just teach them how to correctly use the software and then let them get on with it? If you’re ignorant, you get training to fix it before you do any damage. You don’t get wrapped in cotton wool. That does nobody any good.
Today at work the IT department sent round information on how to encrypt sensitive data. They recommend TrueCrypt and AxCrypt, both of which are free. When something might affect the University’s reputation, like a leak of personal data, the IT department (who mostly actually do know what they’re doing) insist on doing things properly, and that means open-source.
Also today, the Pentagon shut down their website because someone at Wikileaks noticed a series of secret reports left in an unprotected directory on one of their public servers, in the form of doc files encrypted with Word’s built-in password feature, and cracked them. The password was ‘progress’. That’s moronic. That’s the only way to describe it. The files should have been encrypted properly, with different, longer passwords with numbers and capitals and punctuation in. They should have been on a secure server where Joe Cracker couldn’t get them. Had they done that then the job of cracking them would have been intractable. As it is, it was inevitable.
I know a bit about this stuff, so to me, this is shocking. There is literally no excuse for doing something like that. Nobody that computer-illiterate should ever have been allowed near the server. If you don’t know about online security then you might not realise how bad this is, so let’s be clear: this is much, much dumber than leaving an unencrypted USB stick on a train. I can see how that happens. I can see how you might leave encrypted files on a public server. They’re encrypted; it shouldn’t matter if people get hold of them. I cannot see how you accidentally choose a rubbish password and Word’s in-built encryption for official documents about a war. Ironically, the document is about what information is public and what information is secret. This story – that the Pentagon is crap at security on a monumental scale – should be huge. Demonstrably it is not. I discovered it via a blog.