
Stolen laptop contains cancer research data - lotusleaf1987
http://news.cnet.com/8301-17938_105-20028475-1.html?part=rss&tag=feed&subj=Crave
======
edw519
Sorry guys, but most of the comments in this thread remind me of why we IT
people have so much bad PR to overcome.

We're blaming the user for our mistake. That's like blaming the cow for
leaving the pasture because one of us forgot to lock the gate.

The simple fact is that this user should have never been able to be in a
position for this to happen.

Where were the IT security policies and procedures? Why was mission critical
data on someone's c: drive? When (if ever) was the last audit?

We curse enterprise IT departments because they are so slow at getting things
done, but they are really, really good at putting in place the things that
would _never allow this to happen_. I have customers with strict policies
regarding the protection of mission critical data, and I bet that none of it
is as important as what was routinely put onto this laptop and paraded around
town.

Public companies are responsible to their shareholders and the SEC. Private
companies are responsible to their investors and creditors. Why weren't the
same protections put in place to the trustees and taxpayers in this case?

Every nanosecond this researcher has to worry about performing routine IT
overhead is a nanosecond not spent on critical research. The technological
solutions to problems like this have been around for years. Why weren't they
in place?

It's about time for IT to stop blaming the user and fix the problem.

~~~
sophacles
I'm sick of this attitude of "Always be super nice and make sure you over
mother your users" crap. You know what: If my car engine seizes because I
haven't changed the oil, no one tells the car makers or the mechanics they
didn't do thier job right. If I leave the oven on all night and get CO
poisoning, no one blames the oven maker for it. If someone doesn't buy
renter's insurance we don't blame the apartment owner for them losing their
net-worth.

PCs have been almost ubiquitous for 20 years now. For my entire freaking life
I have been hearing about how "you need to back up your data". We have
consistently made better and better backup tools, like mozy, or backblaze. Yet
somehow it is our fault some idiot decided "It won't happen to me!". At some
point, we just have to have the users be a tiny little baby step of a bit
responsible for their stuff too. Just like accounting makes people responsible
for their inventory and expense reports. Just like HR makes people responsible
for their own insurance stuff. Sure they help, but crap - people need to be a
little grown up in their lives and actions.

Just because this person did not bother to find out about backups from her IT
does not make it ITs problem. Hell, you don't even know if there was or wasn't
the ability for backups in place. Most university IT shops have lots and lots
of capacity and backup options in place -- and they are documented, they just
don't force users to do it. You know why? Sanctimonious asshats come from the
other direction then, complaining not about how IT must mother the employees,
but instead must back off the draconian rules to make users feel more welcome.

tl; dr -- Users should be held to some standard of responsibility and IT is
damned when they do and when they don't.

~~~
edw519
_Just because this person did not bother to find out about backups from her IT
does not make it ITs problem._

It was IT's problem before this person ever came along. That's the whole
point.

A few quick questions:

1\. Are you capable of implementing an IT infrastructure where it is
impossible for a user to lose mission critical data? If not, then you're
incompetent. Move along, please.

2\. Are you willing to implement an IT infrastructure where it is impossible
for a user to lose mission critical data? If not, then you're insubordinate.
Move along, please.

3\. Is it possible for a user to lose mission critical using an IT
infrastructure that you have implemented and administer? If so, then you have
a problem. Fix it.

Again, in an institutional environment, it is _not_ the user's responsibility
to safeguard mission critical data. By definition, this is one of the primary
responsibilities of IT.

(Here's a hint: Mission critical data ever on a c: drive = IT failure)

 _I'm sick of this attitude of ..._

And your customers are sick of your attitude. Thanks for demonstrating my
point far more effectively that I could ever verbalize it.

~~~
sophacles
Bullshit. The vehicle fleet manager doesn't make it impossible to run out of
gas. The accounting department doesn't make it impossible to max the corporate
credit card you have. They provide infrastructure, you have responsibilities
in it too.

Further, and I'm really really suggesting you read this slow, and look up
words you don't understand in the dictionary, universities just don't work
this way. There is no central authority that can force this sort of behavior
in them. The researchers themselves push for it, and the people who pay IT
then demand it be set up that way. No matter how nice it would be to force
backups -- IT can't override the fucking dean. Researchers are to be given
autonomy is the usual directive. This leaves IT to provide easy access
infrastructure, but not go that last step, as they are forbidden.

Are you sure your customers love your "DO AS I SAY IT IS THE ONLY WAY DAMMIT"
attitude? Having dealt with sanctimonious asshats like you many times, and
further talked to the mormons and jehovia's witnesses at my door, I realize my
words won't sink in, but I will make a futile attempt anyway: Give up the
judgemental bullshit. Your way is not the one true way. Your smug little smirk
makes lots of people fucking hate you, and you know what, you don't even
realize they smile and agree with you just to get you to shut up and go away.

tl; dr- go jerk off to your authority some more, the rest of us have real
worlds to live in.

~~~
edw519
It would be nice if you could channel that energy into something more
constructive than personally insulting me. Others far more influential have
tried and failed to do much with that.

I do care, however, how your behavior affects this community. Others smarter
than either one of us have worked hard to keep it what it is. Please remember
the guidelines:

<http://ycombinator.com/newsguidelines.html>

Peace.

~~~
sophacles
1\. This is how I talk. I call BS when I see it.

2\. Follow the guidelines yourself, the condescending crap doesn't fly too
well, and is no more or less insulting than anything I said. Further look at
the insults you directed towards me. Do you really think your insults don't
count but mine do? That act you are committing there, it's called hypocrisy.

3\. It is sad you must fall back on pointing out the guidelines instead of
addressing the parts about how authority doesn't work according to your
claims. It is either an admission of ignorance of how things really work, or a
diversionary tactic to avoid having to admit wrong. (PS -- continuing hte
diversion about guidelines doesn't change this set of conclusions, no matter
how you justify it, the deduction doesn't change).

4\. I've been here about as long as you have. Feel free to peruse my comment
history. I gladly contribute nicely to non-moralizing discussions, and I call
people out when they act disingenuous or jerky. Your attempt to change your
moralizing into some sort of "look at me I'm a pillar of the community" is at
best an attempt to pull some dirty politics style trick. This loses you even
more of the moral high ground you pretend to argue from.

------
lkrubner
The reward is only $1,000. While their research may have offered some
interesting insights into cancer, they clearly didn't have an absolute cure
(for prostate cancer, which is mentioned in the article). If they had a real
cure, then around this moment Merk would step in and offer a $10,000,000
reward for the return of the laptop, in exchange for the right to
commercialize the technology.

I've several friends who have pursued biology in universities. They could
claim that their laptops have data offering possible cures for diabetes, high
blood pressure and AIDS. This is the kind of thing they will talk about when
we meet for lunch. I realize, of course, that they are not on the verge of a
genuine cure. But occasionally their research offers an important new insight.
I sense that these researchers, in the story, had info at that level.

Otherwise, the reward would be more than $1,000.

I do think the university should do more to help researchers manage their
data.

~~~
stevoski
The idea that a "cure" for any type of cancer would only be on one laptop is
absurd. It may work in a movie plot, but in real life, no way.

At best it would have info on how to possibly, vaguely minimise the suffering
in some situations. Cancer is not something that one brilliant researcher can
"cure" alone.

~~~
kylec
Besides, a researcher smart enough to cure cancer is smart enough to back up
their computer.

~~~
stevenbedrick
How much time have you spent around cancer researchers? I can assure you that
many of the most brilliant scientists I know are all almost entirely computer-
illiterate.

If I had a dollar for every lab computer I've seen whose desktop is full of a
few dozen Excel files ("data1.xls", "data2.xls", "new data.xls", "jim new
data.xls"...), I would never need to apply for another grant as long as I
live.

------
apl
That's grossly negligent behavior on her behalf.

Family pictures, unpublished novel and a gigabyte of emails? Fine. But
research data that only exists on _one_ consumer-level machine? Work that was
financed by her employer and various other organizations? Holy shit.

~~~
dabeeeenster
Surely it's grossly negligent behaviour on her employer's behalf?

~~~
Xurinos
I voted you up, but I wanted to note that I (we?) have no idea how her
department is run, and the negligence could rest as well in her hands as it
could in her employer's hands. Another post here said "Blame the IT department
for not establishing rigid policies." These sentiments are good, but...

What if the IT department clearly outlined policies for how to store and
secure the data? What if the researcher is one of those "This is how I have
always done it, and I am ignoring you" types? Given the kinds of data claimed
to be on the laptop, it sounds like a personal laptop, not a locked-down IT-
given laptop. What if that was the researcher's choice, the intentional
ignoring of IT policies in the name of convenience or whatever?

Either way, the article's message is good: back up your important data.
Whoever is to blame, the core message obviously bears repeating.

~~~
redacted
I work in the physics department of a top university. The majority of work
people in the department do involves a computer at some stage, from
computational physics (likely involving supercomputers and months of compute
time) at one end of the spectrum to using Excel as a data store at the other.

We do not have an IT department (we have one or two post-doctoral researchers
who keep a couple of servers running for undergraduates).

We do not have IT policies, outside of university-wide intellectual property
rules.

There are only personal laptops (in the sense that even though my machine was
bought for me, I have full control of it and there is no oversight of how the
machine is used).

To the best of my knowledge, this is true of the rest of the university
(possibly even worse in other departments).

~~~
Xurinos
To add to the anecdotal evidence, I have contacts in the strong IT department
of a top university near me. So it could indeed go either way.

------
radioactive21
I work for a University and I laugh so hard every time I hear this.

For the people that say this should be an IT policy issue let me explain to
you how academic people work.

Professors and researchers are KINGS and QUEENS. You CANNOT tell them what to
do, nor can you force ANYTHING on them.

The only exception are the engineering professors for obvious reasons they
have their shit together. Other faculty are just plain morons and think they
can do everything on their own.

Professors and researchers get to buy and chose their own laptops, and they
can do whatever they want. Unless they fall under the administration side, IT
cannot tell them what to put on or do with the laptop.

Just to get off my chess I'll tell you one of many stories. A faculty member
brought in his school paid laptop, and he obviously used it for personal
reasons. This is his main work laptop with all his data (again we can't force
them to follow our policy since they are not administration), so he has no
backups or any antivirus scans.

His laptop had over 5000 viruses when I ran a virus scan. This is no joke, I
have the screen shot somewhere. I refuse to clean and told him I will rebuild
it. Which I did and put all this files back. I explain to him exactly what I
did in an email, what he would lose (software etc) and he was okay with it,
remember I have this in email. Only when he agreed did I go ahead with the
rebuild.

He comes back and writes an email to the department chair that I had broke his
laptop and had to rebuild it. Then I lost his software which he paid for and
wants the school to pay for it back.

I almost kicked him in he face even if it got me fired. Luckily my boss
stepped in and took care of it.

~~~
nkassis
Just wanted to point out, in those situation keeping written records of
communications like you did can save your ass.

------
jacquesm
(1) whatever happened to backups?

(2) the hardware could have failed just as easy as the laptop got stolen who
would get the blame then?

(3) I don't buy the premise that there is 'cancer cure data' on this laptop to
begin with until after it has been recovered they come out with a cure for
cancer within measurable time.

(4) If the data is on the laptop it got _on_ to the laptop somehow, either by
doing experiments and recording the data or by copying it from some other
medium, data does not exist in a vacuum as it's 'only copy'.

(5) $1,000 reward? really? that must be some crappy cure.

(6) What if the researcher 'lost' their laptop on purpose? That's a stretch,
but with a claim this big I'd really like them to get to work on re-creating
their miraculous results rather than cry over spilled milk, after all,
recreating the results can't be nearly as much work as it was to do it all the
first time. Assuming the experiments were real there should be a whole pile of
knowledge that only needs to be verified rather than created from scratch so
this is just a matter of time.

(7) I had a laptop with the design for a small and safe nuclear fusion
reactor, unfortunately it got stolen...

What sickens me most about this whole thing is that the 'cure for cancer' gets
trotted out again giving a whole pile of people hope that there is such a
thing.

------
oscardelben
People need to learn the basics of _working with a computer_. I can't imagine
working for years on an important project without any backup system
whatsoever. Getting your computer stolen is only one of the tens of the
possible scenarios of things that could happen.

~~~
lylejohnson
> I can't imagine working for years on an important project without any backup
> system whatsoever.

I've "worked with computers" since I was a teenager, but for a long time I
didn't make backups even though I knew it was something I should have been
doing. It wasn't until I actually had a hard drive crash on me that I got
backup religion.

~~~
Splines
I'm in the same boat (still am). I hardly ever back up my data.

My employer though, uses source control rigorously and makes deployment and
usage of those tools dead easy. We also have folder redirection possible if
you wanted to make your "My Documents" folder available (and backed up
automatically) on the network. There's SharePoint too, but sometimes it's a
PITA.

My hypothesis is this: Given OU Medicine's student computer requirements [1],
I'm betting that these researchers just didn't have the patience or knowledge
in integrating a Mac into their Windows-centric network.

[1] <http://www.oumedicine.com/body.cfm?id=954>

~~~
nfg
> I'm in the same boat (still am). I hardly ever back up my data.

How much data are we talking about here? <10 Gigabytes? Solutions like Dropbox
are just so simple for data in that range that you'd be crazy not to use them.

~~~
Splines
The only irreplaceable data I have is photos/videos of the family. It's
getting to be about 10 GB - I've got two hard drives in my PC that I'm
planning to mirror the data across. At the very least it'll save me from hard
drive failure. Theft/acts of god are something I haven't planned for. I have
thought about burning a bunch of DVDs (of just the photos) and storing them
somewhere else (work/relatives/bank).

I use dropbox to sync passwords and some docs from work/home. I'd like to use
dropbox (or something like carbonite) to back up the rest, but frankly I'm too
cheap/lazy to go through with it.

~~~
jokermatt999
10 GB is also small and cheap enough to buy a USB drive for and back it up on.
It's what, $10 for a 16 gig thumbdrive or so? Afaik, they also have less
concern about bit-rot than DVDs or CDs, not to mention the ease of use.

------
ggordan
I would have thought the value of a possible cure for prostate cancer would be
far more than $1000.

~~~
lylejohnson
Was thinking the same thing. Maybe they're hoping the thief doesn't read
Hacker News (or CNET) and learn that little tidbit.

------
michael_dorfman
The more interesting question, to me at least, is whether or not the U of
Oklahoma will be taking some kind of disciplinary action against her.

~~~
maukdaddy
That would be absurd.

~~~
michael_dorfman
Why? They are, after all, her employers-- and they've got quite a bit of time
and money invested in her research. I have to assume that they have some kind
of standards for the care of data, and I certainly hope that keeping exactly
one copy of the dataset, without backups, on a laptop which frequently travels
out of the lab, is in serious contravention of a number of their policies.

~~~
maukdaddy
You're making way too many assumptions. You can't fire someone because a
laptop is stolen or lost. The University should have provided a means of
centralized backup for data.

~~~
michael_dorfman
I am making assumptions. So are you, of course.

I am assuming that the University _did_ provide a means of centralized backup,
and she failed to avail herself of it. This is based on the assumption that it
is more likely that one researcher screwed up, than that the entire University
is woefully incompetent.

Also, note that you assumed that I meant "firing" when I said "disciplinary
action." I was thinking more along the lines of a note in her file, and a
stern talking-to.

------
gilesc
I'm a student at OUHSC, and her husband, Dr. Janknecht, is one of my
professors. Although failing to make a backup is obviously stupid, he is an
extremely competent researcher (I don't know her). Clearly, calling the data
"a cure" is a bit of hype, but that exaggeration might help in convincing the
thief to bring the laptop back.

About computer knowledge in biological research, though -- the state of things
is generally abysmal. The average biology Ph.D. can use Excel to find means,
SDs, and do t-tests, and that's about it. Even my boss, who specializes in
bioinformatics, still uses VB6+MSAccess _shudder_. Most probably don't know
that hard drives CAN fail.

Yet, researchers are fiercely independent and would definitely resist any
heavy-handed mandates from campus IT forcing specific OSes or regular backups.

------
tmcw
So _this_ is why cancer hasn't been cured yet. Gotcha.

------
njharman
Not really, but kind of... the person doing Cancer Research (or other work
that is socially/culturally critical to the world) who did not back up their
data should be held criminally responsible.

Not so interested in the punishment as the (possibly non-existant) deterrent
effect such laws/prosecution would have. It's fucking ridiculous that in 2011
people are still not backing up their data.

~~~
nopassrecover
No idea why the parent got downvoted twice (i upvoted to counter one of them).
If (and I sincerely doubt it to be the actual case, but the story suggests it
is) the researcher is doing paid research and not backing it up at all, those
involved in process design (or the researcher themself if there was adequate
and clear process guidelines) should be held responsible for some kind of
recklessness bordering on fraud. After all, they cannot prove that they have
actually done any research right now and someone could similarly take millions
and just "lose a laptop". It is comparable to not keeping proper financial
records which is typically criminal.

------
siglesias
Time Machine. It works.

~~~
_stephan
Spideroak.com works too. It automatically backups your data to the cloud
(securely encrypted!). It synchronizes your data across multiple machines (and
multiple OS) and you can access all past versions of your files. It's free if
you don't need more than one or two GB. It's the ideal backup tool for
researchers that don't generate tons of data and want a simple backup
solution.

~~~
rarrrrrr
..and, by the way, there's an automatic 50% discount for anyone with a .edu
(or similar) email address. :)

------
dholowiski
This kind of thing makes me wonder... how long until backups are mandatory. I
mean, in Windows 10 or OS 11 (aka: IOS 5), will it just come with 10 or 20gb
of online storage that's automatically backed up, without the user's input
(and is difficult to disable)?

We already have crazy easy backup solutions like mozy, carbonite, backblaze
etc but the majority of people don't use them. What happens when the OS makers
force you to back up?

And yes... it is totally the IT people's fault for not forcing backups on
their users. Sorry but as an IT guy (I am one) it's your responsibility to
make sure your users don't get into this kind of a situation!

------
ajays
I wouldn't be surprised if the owner _deliberately_ didn't create backups.

I used to work in academia. Some of the academics I knew were extremely
paranoid about anybody (including SysAdmins) accessing their research. They
would go to great lengths to to keep their work away from the "prying eyes of
the university" (a phrase someone used once). This meant not allowing any
access to their personal desktops, laptops, etc. Admins worked around the
personal desktop issue by refusing to help them with the inevitable problems
unless they got access. But laptops were a different story.

------
tpinto
so years of work to find the cure for cancer is on a white macbook and the guy
didn't backup it? yeah right.

~~~
arethuza
If you've ever worked in an academic environment you wouldn't find this story
hard to believe.

------
mikerhoads
This is actually the plot of Johnny Mnemonic. I can't believe anything about
that movie's plot turned out to be realistic.

------
moondowner
It should be: "Stolen laptop may contain cancer cure data"

------
harrybr
If you buy a car, it comes with seat belts. Safety is not optional - it's
built in.

If you buy a computer, safety of your data is seen as a luxury add-on, like
leather seats.

It's crazy when you think about it.

~~~
redacted
It was a Mac, which most likely came with Time Machine - all she had to do was
connect a USB drive (as far as I remember, OS X even asks if you want to use
the drive for backups) and she would have had automatic versioned backups.

To be honest, I think most people need backing data up scared into them (e.g.,
I nearly lost a college project due a HD failure, and now I have multiple
redundant backups).

------
frank06
Did they set up DynDNS by any chance?
<http://www.youtube.com/watch?v=U4oB28ksiIo>

------
calebgilbert
Doh! Now where did that cure for cancer I had lying around here go...

------
sliverstorm
Step 1: Dropbox.

------
adammichaelc
Mozy, anyone?

------
ditojim
sounds like ouhsc.edu needs to go google!

------
lotusleaf1987
I find it hard to believe that someone with the possible cure to cancer
wouldn't bother backing it up. If this is legitimate, I think it's beyond
irresponsible. Also, why such a minimal reward?

~~~
stevenbedrick
Probably because it was coming out of her own pocket, and researchers
generally don't make that much (especially if she was a post-doc). I'm pretty
sure that the NIH won't let you charge "stolen laptop reward" to your grant,
and your university sure as heck isn't going to shell out for something like
that.

