by ume 1457 days ago
I’ve undertaken information security training in a number of Japanese companies. They all had what I thought was a disproportionate weighting on the “blind drunk salaryman falls asleep on a train and leaves behind a laptop, mobile phone, USB stick etc.” scenario.

I stand corrected.

Edited for clarity

4 comments

https://gizmodo.com/how-apple-lost-the-iphone-4-5520438

It can happen to Americans as well, as evidenced by an Apple engineer leaving an iPhone prototype at a bar after his birthday.

> "I underestimated how good German beer is," he typed into the next-generation iPhone 4

So I actually can believe it happens to Americans as much as anyone, but that story is a bit different -- the Apple employees were testing the devices "in the field", bringing them along with you in your daily activities including the bar was intentional and part of the assignment.

I don't know why you bring a USB stick with half a million people's data with you to the bar. Why is that even leaving the office?

I bring this up not to talk about differences between Americans and Japanese (boring, I think they are probably exaggerated), but because these are different "threat models". You handle the "USB stick with company data" on it "threat" by training people... not to just stick sensitive data in their pocket as they go about their business? It should be on a USB stick for as little time as possible and that USB stick should be treated like it's worth a fortune (because it is). There's no reason you should be carrying that thing with you to the bar in the first place.

The iPhone case... eh, if you ask people to carry a device along with them in their daily lives, it's inevitable that someone will forget one someplace at some point. Maybe some kind of proximity alarm that beeps if you walk away from it?

I'm with you on asking why that data was even on a removable drive. What possible use case is there for that? And if there is one, like transferring between airgapped networks, it seems you'd encrypt it at least.
The USB key was used to transfer the data from a government office to a service firm reviewing Covid19-related benefit claims and fund distribution. The employee's mistake was to not delete the data from the USB key after transferring to the firm's system.
The data was planted on the USB by an Evil Maid[1], so the salaryman could gain face [2] as an everyman.

[1] https://en.wikipedia.org/wiki/Evil_maid_attack

[2] https://en.wikipedia.org/wiki/Face_(sociological_concept)

Also, it is suspected that Apple actually orchestrates those "leaks" for free publicity.
We live in a conspiracist society, any secret plan you can imagine has "been suspected", and generally people require no particular evidence other than "it would make sense to me" (as if there aren't plenty of things that would make sense to me that haven't happened!)

But if Apple actually wanted media outlets to cover it, having law enforcement seize and search the property of the editor that broke the story, and then banning the media outlet that broke it from WWDC... doesn't seem like the way to encourage anyone to cover it next time there's a leak, if you're actually hoping for coverage of secretly orchestrated leaks. https://www.pcmag.com/archive/gizmodo-banned-from-wwdc-25149...

Does Apple do controlled leaks? Of course, any company which is able to keep secrets in the first place does.

For the iPhone 4? Absolutely not, the only other model which changed iPhone as much as the 4 was the X, Steve was still alive for the 4 and there is absolutely no way he would have approved just leaving it in a bar for hype.

Steve Jobs wanted to be the person who showed that to the world. Remember the first MacBook Air? Steve lived for that moment.

[by whom?]
I suspect it, tbh
It seems for the UK Ministry of Defense the going rate was 30 lost per year...

"...More than 120 USB memory sticks, some containing secret information, have been lost or stolen from the Ministry of Defence since 2004, it was reported earlier this year....Some 26 of those disappeared this year -- including three which contained information classified as “secret”, and 19 which were “restricted”...."

"UK Ministry of Defense Loses Memory Stick with Military Secrets" (2008): https://www.schneier.com/blog/archives/2008/09/uk_ministry_o...

USB media is now prohibited on any classified system. They've even gone as far as disabling the USB storage drivers. Even having a USB memory stick in a closed area is a big no no.
And so the floppy lives on.
Big if true. I mean, I don't put anything beyond UK authorities these days, but even just buying readers would be a struggle.
I always assumed most of those sticks are simply stolen by employees, like pens.
I always thought they did that "by accident" on purpose kind of thing. Like macrumors was always some kind of marketing ploy.
Unlikely seeing as they blacklisted Gizmodo for life and (afaik) practically busted down the door of one of their reporters.
I must be thinking of when this happened like at least two other times then [1]

[1] https://www.cnet.com/tech/tech-industry/apple-loses-another-...

That was the usual loss vector when I was in the defence sector as well.
Interesting ... I came here to highlight the quote from the affected city:

> The company explained that the employee had drinks after work and later fell asleep on the street, but when he woke up he realized that he had lost the bag containing the USB.

My premise was going to be that perhaps this isn't the company you'd trust with the residents' subsidies but clearly I misunderstand the cultural aspect to this story. The other thing I didn't get is that the employee who "lost" the bag filed a police report for theft. If you're passed-out-drunk, how would you even know it was a theft?

There is something like a 90% return rate on lost wallets in Japan. Failure to attempt to return a lost item of value is an actual crime... so if the bag was not sitting on the street next to him when he woke up and not returned by a kind soul it was by Japanese definition stolen

Edit: An eye opening video on how well this works https://www3.nhk.or.jp/nhkworld/en/ondemand/video/9999897/

> If you're passed-out-drunk, how would you even know it was a theft?

Fall asleep thinking you are carrying bag. Wake up when slightly less drunk. No find bag. Freak out. Rush to report bag as stolen.

Later go back to all the bars in town (forgot where you went), and find the one where you left your bag behind.

Yes. They cover this exact situation. If you have work data in your bag, don't go drinking, don't put your bag in the coin locker, go directly back to the office.