German Ministry of Education Throws Away PCs For 190,000 € Due To Infection (slashdot.org)
35 points by ditados 1664 days ago | 21 comments

Contrary to what the title might suggest, this happened at the (second highest) administrative level, the federal state of Mecklenburg-Vorpommern (Landesministerium), not at the Bundesministerium. Also, reportedly some of the machines were brand new, so there was no need for "radical" upgrade methods for all of them.

The only good thing about this is that federal auditing by the Landesrechnungshof seems to work, since they complained about it in their yearly report in the first place, and it only got picked up by the press after that.

http://www.lrh-mv.de/land-mv/LRH_prod/LRH/Veroeffentlichunge... (German PDF, page 152)

IT departments generally run on extremely tight human resources and tend toward spending money on equipment rather than people, so I can kind of see this happening.

They did clean their servers. The slashdot title/summary are a bit misleading. Perhaps they wanted new PCs already and simply estimated that it might be a good time to upgrade rather than clean them?

Still wish they would've donated the PCs instead of throwing them away.

It's too expensive to make sure there's no recoverable data, that's why they generally don't. It's even too expensive to take them apart and parts are harder to donate as well (more work on the other end).

(On the other hand, if you're in IT there - very cheap computers! They usually trust their own personnel to be responsible and wipe everything properly/not look for anything before use.)

While it's sad I can understand where they're coming from.

It's even more sad since it's not that expensive at all to just run `dd if=/dev/urandom of=/dev/sda1` on 170 computers; that's what, a day's worth of work for one skilled sysadmin?

If one PC is missed and some sensitive data is sold to a recycling company, and somehow somebody finds it and reports it, there is hell to pay in the press and potential liability. Why take the risk? There is no incentive to re-use these computers. Plus, let's face it, nobody wants old PCs anyway. I tried putting up a bunch of them for free on our local equivalent of Craigslist last year and nobody wanted them; I ended up paying a recycling company to come pick them up. (~3-4 year old machines, admittedly with 21" CRT monitors)

I just got rid of 50 old PCs for one company I worked for; within seconds of placing an ad on marktplaats we had a taker, and a couple of guys from Amsterdam came to pick them up an hour later.

I oversaw the hard drive removal. If you can't be trusted to be sure that you have removed the drives from those PCs before sending them to the recycler, how can you be sure that you've done a proper job before sending them in to be scrapped? It's the exact same problem after all.

OK, well, fair enough, but this is another thing I don't understand. Maybe it's because I live in central Europe, but why the heck would you pay someone to recycle something? I gathered all my old hardware (~10 desktops) and sold it for scrap; there's actually lots of rare earth metals in there. All you have to do is take them apart and drive to your local metal recycling point; they give great prices by the kilo. You won't get rich, but at least you know it's not gonna pollute some dumpyard somewhere.

It's just weird for me because if you pay someone to recycle computers they do exactly that, which means they get money from you and the scrap people for essentially just taking things apart (which is kinda fun, right?).

The issue was mostly the CRTs - they're like 20 or 25 kg each. I would've had to lug all of them down 3 flights of stairs, plus I would've had to hire a van to bring them away or drive 5 times or so with my car. Plus there are hardly any metals in the monitors, so I wouldn't have gotten paid for them anyway. We were moving offices at the time; I had other things on my mind. I made a deal where everything, including the CRTs and a bunch of really old stuff like old ink-jet printers etc., was taken away. Maybe I would've gotten paid a bit had I sold just the PCs - even then it would've been so little that it wouldn't have been worth my time, plus I would've had to pay more for the rest.

Regardless of whether it's possible to get some pocket change for old PCs, the point is: it's not cost effective, when you count the hourly salary of a professional, to do anything more than the absolute minimum to dispose of old computers. Especially for a government organization - bureaucracies are not designed for cost-effectiveness, but for predictability and accountability. That is not a value judgement, just an observation, but one that immediately dispels 50% of the whining about 'governments wasting money'.

Well, there are many reasons. For one, it might not be legal for companies to take apart and dispose of their own computers without a permit (for safety and pollution concerns). Those permits and regulations might also raise the costs of the recycling company, which may need special equipment or training for its employees. Then there are labor costs, which in Germany are well above the EU-27 average.

I'm no expert on these things, but my understanding is that simply doing `dd if=/dev/urandom of=/dev/sda1` is not enough to guarantee that the data isn't recoverable. In fact there seems to be some debate if any amount or combination of writes is enough to guarantee that the data is unrecoverable.

With modern drives, the problem isn't that you can recover data from "under" an overwrite. The problem is that hard drives have reserved sectors that are only visible to the drive controller itself, used as spare space in case of a bad sector elsewhere on the disk. (SSDs are even worse since they spread data across the "extra" space all the time, to extend the life of the drive.)

The only way to tell the drive to erase everything is to send the ATA Secure Erase command. This tells the controller to wipe the drive in a secure way. It is the only NIST-approved way to securely erase a drive. Lots of info from this discussion http://security.stackexchange.com/questions/5749/how-can-i-r...

Some combination has to be enough. Because otherwise you could use that property (plus error resistance coding) to store arbitrary amounts of data on your hard drive.

If you are able to get at the entire physical media then a certain combination of high and low bit writing is necessary or one can read some previous bits with specialized hardware. There is a DoD standard for writing enough combinations.

But with modern drives you are not getting at the physical layout. The drive may detect an error and remap surrounding data for you. Consequently, some data surrounding some badblock(s) in the past will potentially never be overwritten by your process. Someone with separate hardware or an alternate firmware could always retrieve it.
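A check that belongs in front of the ATA Secure Erase step the two comments above describe, as an added example that is not code from the thread: it classifies the Security block of `hdparm -I` output so the erase is only issued when the drive supports it, is not frozen and has no password already set. The sample outputs are constructed in the layout hdparm uses, and the function name is mine.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the "Security:" block of
# `hdparm -I` output and say whether an ATA Secure Erase can be issued now.
# Live use:  hdparm -I /dev/sdX | secure_erase_state
# Exit status 0 = erase can be issued; the printed word says which variant.
secure_erase_state() {
    # Isolate the Security section: it runs to the next top-level heading.
    sec=$(sed -n '/^Security:/,/^[A-Z]/p')
    # No ATA security feature set (common behind USB bridges): the drive
    # cannot wipe its own spare/remapped sectors, so only a whole-device
    # overwrite (of /dev/sdX, not a single partition) is available.
    printf '%s\n' "$sec" | grep -q '^[[:space:]]*supported[[:space:]]*$' \
        || { echo unsupported; return 1; }
    # BIOS froze the security state at boot; the command is rejected until
    # the drive is power-cycled (a suspend/resume cycle usually unfreezes).
    printf '%s\n' "$sec" | grep -q '^[[:space:]]*frozen[[:space:]]*$' \
        && { echo frozen; return 2; }
    # A user password is already set; the erase must use that password.
    printf '%s\n' "$sec" | grep -q '^[[:space:]]*enabled[[:space:]]*$' \
        && { echo enabled; return 3; }
    # Enhanced erase is specified to cover reallocated sectors too: prefer it.
    if printf '%s\n' "$sec" | grep -q 'supported: enhanced erase'; then
        echo ready-enhanced
    else
        echo ready
    fi
}

# Constructed samples in the layout hdparm -I uses (leading tabs matter).
SEC_BLOCK='Security:\n\tMaster password revision code = 65534\n\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n%b\n\tnot\texpired: security count\n\t\tsupported: enhanced erase\n\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\nChecksum: correct\n'
SAMPLE_READY=$(printf "$SEC_BLOCK" '\tnot\tfrozen')
SAMPLE_FROZEN=$(printf "$SEC_BLOCK" '\t\tfrozen')
SAMPLE_NO_SECURITY=$(printf 'ATA device, with non-removable media\nChecksum: correct\n')

# Demo: classify each constructed sample.
for s in "$SAMPLE_READY" "$SAMPLE_FROZEN" "$SAMPLE_NO_SECURITY"; do
    printf '%s\n' "$s" | secure_erase_state || true
done
```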

Yes, the badblocks argument is a good one.

I guess the right solution would be to store your data only in encrypted form on your drive. Then you will only have to worry about safely deleting the key.

The size of the error resistance coding you'll need will quickly dominate the size of your data. Also the argument is a probabilistic one. It's not that certain data will be recoverable, only that there may be a non-zero probability that some data may be recoverable.

Yeah, they simply decided to do an early upgrade instead of spending time cleaning them and then doing an upgrade sometime later. I guess their only lack of foresight was not donating these PCs.

Depends who you're donating them to. In my experience it's generally a really bad idea to donate them to staff members or even individuals outside the company. People tend to assume you won't mind helping out with software installation etc. (even if you explicitly state that they are unsupported).

Sometimes the best thing to do is just give them to IT staff for training; if you can afford to pay someone to do it, put them on eBay, or failing that, throw them out.

Apparently they estimated 130.000€ for cleaning vs 187.300€ for upgrading. They decided to only clean the servers and upgrade the workstations. The actual problem was the lack of an "IT security concept".

German source: http://www.heise.de/newsticker/meldung/Schwerin-Virus-verseu...

The official report says this was more of an excuse to get rid of old hardware.

Talk about some inefficient spending in Germany! Thousands of dollars wasted, and to think in the States we waste billions.
