Talk:Loss of United Kingdom child benefit data (2007)

Not News
There is no reason for this on the front page and it is not important to the world. —Preceding unsigned comment added by Rukaribe (talk • contribs) 13:04, 21 November 2007 (UTC)
 * I disagree. Such examples of massive security failures should be valuable to anyone, worldwide, who cares about the privacy and confidentiality of their own personal information. National ID agendas are being pushed by governments worldwide, and the continual barrage of such reckless and massive information security failures should underscore why even our governments are wholly incapable of sufficiently securing sensitive data, and hence why such agendas should be permanently shelved. At least shelved until simple information security practices, such as prolific usage of effective data encryption, effective application of SoD principles, and sufficient continual logging and subsequent auditing of information access, become commonplace. Erth64net (talk) 19:30, 21 November 2007 (UTC)

There is a reason for it, as it affects millions of people in Britain and people around the world might want to look at what's going on. P.S. there is other stuff that appears on the front page that is of little concern to anyone else somewhere in the world. User:Pathfinder2006 —Preceding comment was added at 13:30, 21 November 2007 (UTC)

I would have thought that data security was of interest to any one and any nation using IT systems. —Preceding unsigned comment added by 217.205.224.155 (talk) 14:08, 21 November 2007 (UTC)

Image
Can someone supply an image of the HMRC building at Washington, as that was the location of the original foul up, not Nottingham? Yorkshiresky (talk) 23:25, 20 November 2007 (UTC)
 * Have a browse through the Geograph entries for the area, see if you get lucky. Those images are all under a cc-by-sa-2.0 licence, so feel free to upload an image to Commons if you can find one. GeeJo (t)⁄(c) • 17:56, 21 November 2007 (UTC)

Without going into original research, what could this potentially mean?
Even if there are not references for this at the moment - what is the potential scale of this? What could the effects be? I'd like to get an idea of the magnitude of this from someone who knows more about this kind of thing than I do, whilst equally observing WP:NOT, so that it could be added to the article later if proven true.--h i s  s p a c e   r e s e a r c h 06:01, 21 November 2007 (UTC)

same shit happened in the U.S. not too long ago. —Preceding unsigned comment added by 68.161.204.86 (talk) 07:52, 21 November 2007 (UTC)

I'm not entirely sure that it's worth having the opposition quoted so extensively when compared to the size of the article. Could we not just have links to comments that have been made regarding what the implications are? MLA (talk) 09:37, 21 November 2007 (UTC)
 * That would be just linking to news articles in the external links, which isn't the best MoS. Because the event was so recent it is difficult to select what is important and what is not. General practice seems to be to include a lot, and when time passes and that which is significant presents itself in the real world, then we can be selective in what we include in the article. Better too much than too little at this stage, I feel. SGGH speak! 10:00, 21 November 2007 (UTC)
 * I would caution against putting MoS concerns above neutrality though - I happen to disagree with a lot of MoS as much of the decision making there is for the editor rather than the reader but I do understand the value of direct quotes so long as a particular political spin is not the main thrust of the article. MLA (talk) 10:12, 21 November 2007 (UTC)

Stupid, incompetent and disgraceful...
While the politics do not interest me, the sheer stupidity and incompetence of the personnel and system revealed by this incident do - another example of Occidental "dumbing down"! And lest anyone take umbrage, consider this: how long has the UK been in the business of administrating? Is it conceivable that an SOP (Standard Operating Procedure) by any name does NOT exist for such data transfers? So unless this was an outright theft with inside help/information, this incident is disgraceful. Shir-El too (talk) 13:52, 21 November 2007 (UTC)


 * an sop exists and it was broken, hence the resignation. but i agree with you. when managers talk about mission statements and visions and forget to manage people then things mess up. i blame the trend in management schools that began in the 70s Mongreilf (talk) 15:54, 21 November 2007 (UTC)


 * Another benefit of the Global Village: Global education for mediocrity and slogan writing! I'm just afraid the resignee may actually have had nothing to do with the incident; and in any case I was taught the only way to atone for a mess was to stay on and clean it up. Shir-El too (talk) 23:36, 21 November 2007 (UTC)


 * What's remarkable isn't that the "junior official" broke the rules and did what he did, but that he could break the rules! AJKGORDON  «»  07:45, 22 November 2007 (UTC)


 * That would depend on what kind of work ethos/culture was in use. Where the emphasis is on results no matter the method, then rules are annoying, impractical details meant to be ignored... until someone is caught doing it. Shir-El too (talk) 17:13, 22 November 2007 (UTC)

All that data on 2 CDs?
Hang on a sec. One CD-ROM holds 700MB. So that's 1400MB for both disks. Divided by 25 million. That's 56 bytes per entry. How can you get full names, addresses and bank details into 56 bytes? AJKGORDON «»  11:08, 21 November 2007 (UTC)


 * The reference (#1) used to support the CDs claim does not say explicitly that CDs were used. So I've changed it to 'computer discs' which is the word that's been used in official communications. Pre1mjr (talk) 11:44, 21 November 2007 (UTC)


 * The 25 million figure quoted includes parents and children. (As one of those affected) I know that they would not have the bank account details of the children, just the parents. The addresses of the parents and children would be the same (otherwise the parent couldn't claim the benefit) and you're not allocated a National Insurance number in the UK until your 16th birthday, so the children on the disks wouldn't have NI numbers. So it's not as much data as you might think. Kelpin (talk) 19:12, 21 November 2007 (UTC)
 * They are disks, probably DVDs:

http://cgi.ebay.co.uk/The-Missing-Disks_W0QQitemZ150185957181QQihZ005QQcategoryZ16164QQssPageNameZWDVWQQrdZ1QQcmdZViewItem —Preceding unsigned comment added by 84.69.128.23 (talk) 13:40, 21 November 2007 (UTC)
 * (This spoof listing has now been removed from eBay) —Preceding unsigned comment added by Dsergeant (talk • contribs) 07:05, 23 November 2007 (UTC)


 * And it could even be hard drives. The information currently released gives so little to go on. At the moment you just have to take the word of Darling blown up by media spin. Not the sort of thing WP can report as hard facts... Dsergeant (talk) 11:55, 21 November 2007 (UTC)


 * Could have been a DVD, with 4.7GB or 8.54GB per disk. I would think 9.4GB would be enough for a database this size Kennedygr (talk) 09:42, 22 November 2007 (UTC)


 * "Discs" with a "c" rather than "disks" have been used consistently so CD/DVD is likely. Halsteadk (talk) 11:15, 22 November 2007 (UTC)


 * Data compression perhaps? Personally, I'm wondering what "password protected" really means. If the data was, say, AES encrypted and a passphrase is required, then the data is likely to be safe no matter what. If the data was in, say, an older version WinZip file with a password, it's fifteen minutes' work to crack. Toby Douglass (talk) 12:03, 21 November 2007 (UTC)


 * It would be very interesting to know the exact format of the data. Obviously, it should have been compressed and encrypted (ie with an industry-strength 128-bit key), but I wonder if these lowly officials were up to such a thing. I fear they might simply have dropped a rather large Excel file onto the DVD burner...--Oscar Bravo (talk) 15:07, 21 November 2007 (UTC)


 * According to the Indy, though the discs are believed to be password-protected, the information was not encrypted in any way. At all. Skittle (talk) 16:57, 21 November 2007 (UTC)


 * That is contradictory; how can data be password protected if it is *not* encrypted, with the password as the key? If the data is en clair, it can be read directly without supplying a password. Toby Douglass (talk) 08:07, 22 November 2007 (UTC)


 * I think it is reasonable to assume security is not as good as it could be - "password protected" in the words of these people who have just lost your data may just mean an average user would need to enter a password to use some sort of user interface on the disc, but the data itself isn't encrypted so if you know what you're doing you can get to it (or bits of it) in some sort of form? Just speculation of course, but I don't think being "password protected" and "unencrypted" are necessarily contradictory. Halsteadk (talk) 11:15, 22 November 2007 (UTC)


 * Without knowing what format the actual data was stored in, any answer is shooting a bit in the dark, though to take a stab... Their claim of "password protection" could mean any combination of the following:
 * 1) Usage of a weak secret. Was the data "password" or "passphrase" protected? In either case, was a strong secret used? Or did the secret just consist of an easily brute-forced string similar to "123456789"? If they used a weak secret, then even if the data was encrypted, there should be little confidence that the data is actually secured, or protected.
 * 2) Password protected through programming tricks only. Many common office productivity tools such as Excel, Word, and Access, provide a means of "protecting" documents from being opened, or modified, until a valid password is supplied. Such implementations of application-level "protection" often lack the use of encryption. As a result, many readily available ~£10 tools can easily bypass the password, and fully-disclose the data.
 * 3) Weak encryption was used, instead of strong crypto. For example, ZIP files have historically been vulnerable to known-plaintext attacks, making it almost trivial for someone skilled in the art to gain full access to the data.


 * On the other hand, if they were using strong cryptography, a sufficiently complex passphrase, and tools which implement the process properly, then this effectively implies they knew how to properly secure the data. Any reasonable person could then conclude that they'd want the public to know their data was sufficiently protected as a result of their due diligence - largely to minimize an outcry or large upset. Given the severity of the issues, and the fact they've avoided making such a claim, it's only reasonable to conclude that they failed to follow basic security practices, and that the data is insufficiently protected. Erth64net (talk) 18:31, 22 November 2007 (UTC)
 * Agreed, if it was properly encrypted then they would presumably have just come out and said so to calm a displeased population of voters. Halsteadk (talk) 17:38, 24 November 2007 (UTC)

What really matters...
...is whether the data in the disks was strongly encrypted or not. If it was, with the relevant keys being sent later or using public-key crypto, then there is actually nothing to worry about, and I think it even shows proper procedure on their part: Sending the data itself in an inexpensive way, while still guaranteeing total security.

On the other hand, if they use weak crypto (which is the standard in many office applications) or no crypto at all, then I still think that most of the public indignation is being misdirected: Data theft might have occurred not only now, but many times before, with thieves easily intercepting the disks in the mail (or even the government staff responsible for mailing), copying them, and sending them along unscathed to their intended recipients, raising no suspicions. If they send the disks in regular mail packages without any special precautions, as they apparently do, then this might not be too difficult. It just so happens that this time the thieves themselves might have goofed up and failed to restore the chain after intercepting the data. —Preceding unsigned comment added by 83.132.232.124 (talk) 17:13, 21 November 2007 (UTC)
 * The information on the discs was, apparently, not encrypted at all - only password-protected. Needless to say, that's very bad news. Terraxos (talk) 00:41, 22 November 2007 (UTC)

Orwellian title?
"Misplacement" is classic PR-speak, almost like it's deliberately worded to make it sound less bad. Wikipedia is not the UK's PR wing. The title should be data loss and on the main page, it should say it loses the data instead of misplaces it. —Preceding unsigned comment added by MrVoluntarist (talk • contribs) 20:27, 21 November 2007 (UTC)

Yes, I was just about to comment on the title. It isn't brilliant, is it? Any better suggestions anyone? 137.222.229.74 (talk) 23:08, 21 November 2007 (UTC)


 * The term "child benefit" probably means nothing to people outside of the UK, and "misplacement" is just silly. I propose "2007 UK Government data loss". No objections in 30 mins and I'll change it. Abc30 (talk) 01:09, 22 November 2007 (UTC)


 * I agree that a different term from misplacement should be used and that the article should probably be renamed, but a problem with the proposed title is that it suggests the news article is about all UK Government Data loss in 2007. So I say rename it to Data loss, but keep 'Child Benefit' in the title. Man from the Ministry (talk) 01:56, 22 November 2007 (UTC)


 * I disagree. Loss implies the data has gone completely.  Misplacement does sound a little PR-ey, but it's accurate. Thedarxide (talk) 10:18, 22 November 2007 (UTC)


 * How about "2007 Child Benefit Data Security Breach"? Or is that too wordy? AJKGORDON  «»  10:21, 22 November 2007 (UTC)


 * How about Data Protection rather than data security. That's the crux of the matter. Thedarxide (talk) 10:47, 22 November 2007 (UTC)


 * Hmmm... "2007 UK Child Benefit Data Protection Breach". Doesn't exactly roll off the tongue, does it? :) But that's probably what it is. AJKGORDON  «»  11:00, 22 November 2007 (UTC)


 * When you lose something, it is a "loss". After you find it, you can refer back to the event (and subsequent search) as a "misplacement". The term can also refer to the expectation of finding the object during the search. Breach suggests an act of malfeasance on the part of some other third party. If someone comes into my home by breaking down the front door, its physical security has been "breached". However, if I just leave the door open, this is plain incompetence. As with almost all mainstream references, spin is the order of the day. I urge Wikipedia to avoid white-wash, and stick with plain English. Even if the BBC refuses! mdf (talk) 11:33, 22 November 2007 (UTC)


 * It's not that simple. They've still got the data. They lost a copy of the data but just using the word "lost" implies that they no longer have the data full stop. However, I'm inclined to agree with you. Lost is still lost, copy or not, and other words like "misplacement" smack of spin. And you're right about "breach" - that is the wrong word. My preference would now be for "failure". "2007 UK Child Benefit Data Protection Failure" Still wordy but... AJKGORDON  «»  11:41, 22 November 2007 (UTC)


 * I'm happy with that. Thedarxide (talk) 12:26, 22 November 2007 (UTC)


 * Despite the somewhat hysterical connotations - I'd go with 2007 UK child benefit data scandal. Failure doesn't seem to hit the mark to me and the current title sounds like a weasel word. MLA (talk) 14:52, 22 November 2007 (UTC)


 * When I originally was going to start the article (having not found an existing one by that time) I was going for 2007 UK Child Benefits data loss or perhaps data leak but MLA's suggestion makes the best sense to me. SGGH speak! 17:37, 22 November 2007 (UTC)
 * Seconded. Or is it thirded? AJKGORDON  «»  18:44, 22 November 2007 (UTC)
 * Actually, that is a bit better. Either one of these suggestions is good for me.  It's been 12 hours soon, someone change it! Thedarxide (talk) 19:51, 22 November 2007 (UTC)
 * Done. I hope I did it right. There was a note about checking for double re-directs but I'm not sure how :| AJKGORDON  «»  20:01, 22 November 2007 (UTC)


 * The new name is much better. You can check  list of double-redirects;  apparently none in this case.  The only after-shock I can spot is that we need a High Priest to bestow a sacrament upon the reference here in the ITN section of the main-page.  mdf (talk) 23:29, 22 November 2007 (UTC)

The People
Is it worth mentioning that a significant number of the British public seem pretty furious about this? There's vast numbers of comments and letters being sent to news websites and papers condemning the Government over this. —Preceding unsigned comment added by Froggity-Frog (talk • contribs) 10:53, 22 November 2007 (UTC)
 * Not sure, it affects a huge number of people but if only 1% are writing letters then that's still a lot of people but not very significant as 99% might not be worried. And remember we're all more likely to put pen to paper to complain. Am sure there will be a way of proving that a significant number of people are very upset and worried, but this isn't proof of that. Halsteadk (talk) 11:19, 22 November 2007 (UTC)

Ok so 1% are writing letters, what's that in a figure? It's a lot when you think of it that way. Kennedygr (talk) 13:54, 22 November 2007 (UTC)


 * For every person who actually gets around to writing a letter/e-mail/blog or whatever, there are probably another 50 who strongly agree with him. Those who actually make a recordable protest are an extreme tip of the iceberg among those who are angry about the affair. It's like saying that since only 1 million people went on the Stop the War march, that's all that oppose it and the other 59 million are indifferent. --Oscar Bravo (talk) 13:13, 23 November 2007 (UTC)

What's the truth (without the media hype)?
Excuse my ignorance but what can a fraudster do with the information?

You can get DOB, child's name and address through public records (birth certificates and electoral register).

From what I've read the only risk to your bank account is if your banking security details are your child's name? 172.207.192.97 (talk) 15:28, 22 November 2007 (UTC)


 * Unfortunately the professional con artist can think of any number of ways to use such information. I can think of one: A caller contacts a family, uses the data to 'prove' their bona fides as an official Government representative, then asks them to 'confirm' their additional data: guardian's name, birthday, banking information, social security number (or equivalent), etc.,etc. It's called "Identity theft" and is quite common today. With the additional data the con artist usually makes umpteen telephone purchases, taking delivery and making sure the payment method cannot be proved as bogus for some hours. A number of variations are in use around the world. Shir-El too (talk) 17:07, 22 November 2007 (UTC)


 * ID theft, primarily. It's not just name, address and DOB. It's bank details and NI number as well. ID theft happens regularly enough with less initial information than that. But sure, there's no more risk to your bank account than with a villain just reading the details on one of your cheques. AJKGORDON «» 17:13, 22 November 2007 (UTC)

So when I pay by cheque, they know my name, address, bank account number and can find my DOB. The only thing extra this data has is NI number. 172.207.192.97 (talk) 17:53, 22 November 2007 (UTC)


 * The information IS useful to a fraudster but I'm not going to elaborate on here in case the person who has the disks is reading. Kelpin (talk) 18:05, 22 November 2007 (UTC)


 * You think it's that likely that a comment on a Wikipedia talk page would be useful to a criminal involved in something of this magnitude? I'd like to hear more of your expertise on the subject.--h i s  s p a c e   r e s e a r c h 19:19, 22 November 2007 (UTC)


 * I'm a Chartered Accountant with 13 years post qualification experience. I have conducted 4 fraud investigations, and have also been the victim of identity theft myself.  Whoever has the disks (a criminal or someone who got the disks by accident who's wondering what to do with them) I have no intention of turning Wikipedia into a manual for would be fraudsters.  Kelpin (talk) 13:34, 23 November 2007 (UTC)
 * Given the sheer size and scope of WP, nothing is more likely! I'd also like to learn more, but only if it's in the Public Domain. Shir-El too (talk) 23:50, 22 November 2007 (UTC)


 * So when I pay by cheque, they know my name, address, bank account number and can find my DOB.


 * When you pay by cheque, you disclose your name and bank account number only. Your address is not on the cheque (and you should refuse to write it on the back if the teller asks you to). Your DoB is certainly not on a cheque.--Oscar Bravo (talk) 13:12, 23 November 2007 (UTC)


 * birth certificates and electoral register 172.207.192.97 (talk) 15:00, 23 November 2007 (UTC)


 * That might work if you happen to be called Fredisjar Zimpop-Wirtwistle. However, if all you have is a cheque from "John Smith", you'll have a hard time pinning him down :-) --Oscar Bravo (talk) 19:05, 28 November 2007 (UTC)

TNT disclaims responsibility for loss
The article currently says "TNT stated that, as the delivery was not recorded, it would not be possible to even ascertain if it had actually been sent, let alone where it went. They also stated that they would not accept any responsibility for the loss of the discs.", and proceeds to cite a BBC source. Can anyone find a TNT disclaimer at that source? I'm asking because I removed that reference yesterday for a citation request, and now see the reference has been added back. mdf (talk) 03:40, 23 November 2007 (UTC)
 * It's in a cached version of a BBC article on the subject. The current article on the BBC site has been changed since then. 86.21.74.40 (talk) 04:16, 23 November 2007 (UTC)


 * Not again (see last paragraph). More and more I think (a) current events are not encyclopedic and/or (b) all media sources are fundamentally unreliable re: constructing an encyclopedia.  Ah well!  mdf (talk) 05:34, 23 November 2007 (UTC)

Updates
How do we incorporate the latest on this: that apparently the loss is not due to a low-level functionary acting outside his authority or contrary to procedure, but that senior management was consulted and acquiesced in the decision to send 2 discs by regular post? http://news.bbc.co.uk/1/hi/uk_politics/7109103.stm

WikiReaderer (talk) 16:42, 23 November 2007 (UTC)


 * I added something similar at the end of "The loss", but maybe it should be moved down to a new section/para near the end of the article. - Fayenatic (talk) 18:41, 23 November 2007 (UTC)

6 more discs lost
http://news.bbc.co.uk/1/hi/uk_politics/7111056.stm 86.21.74.40 (talk) 19:18, 24 November 2007 (UTC)

Title - POV?
Sorry to be a spoilsport but I am a bit concerned that the title of this article is POV; in particular the use of the word "scandal". I am not saying that it is not a scandal - I am a UK resident and it is clearly a really, really bad screw up that someone has made - but for Wikipedia should we not try to be a bit more neutral? The full impact of it has yet to be felt, so I am not sure how we could know whether or not it is scandalous yet. I would suggest a move to 2007 UK child benefit data loss or something. Any thoughts? Batmanand | Talk 10:25, 25 November 2007 (UTC)
 * While I do think it is a scandal, we should be guided by consensus of sources. A quick google search for scandal in this context does suggest it's a reasonable descriptor. MLA (talk) 10:47, 25 November 2007 (UTC)
 * The original proposer of the word scandal did comment on its possible shrillness but actually it is what it is. It's not POV - it is a scandal and I think it is perfectly neutral to title it as such. Loss, misplacement and other words discussed didn't seem to cut it because it is more than the physical loss of the discs. AJKGORDON  «»  19:01, 25 November 2007 (UTC)

Data transfer - why disks in the post?
Two CDs' worth of data takes about an hour or so to transfer over the Internet. Why not encrypt and FTP? It seems strange to me in the first place that physical disks were sent in the post! Toby Douglass (talk) 13:18, 26 November 2007 (UTC)


 * The rate of a download/upload can vary, depending on connection speeds. For example, I can transfer a CD's worth of data in roughly 10 minutes with my (very common) connection at home, my office's connection is even faster. Since a CD contains ~650MB of data, which translates into ~5.2Gbits, an OC-48 connection can transfer this much data in a little over 2 seconds. Even if using a connection limited by a THAMER, which can only transfer at ~2.048 Mbits/s, it would have taken roughly 45 minutes to transfer the data between sites. This is of course assuming that the data was stored just on a CD, not other larger capacity disks. Erth64net (talk) 18:19, 26 November 2007 (UTC)


 * I don't suppose you've had much contact with the Government. Also despite what actually happened, your method is insufficiently secure for official business. MLA (talk) 13:21, 26 November 2007 (UTC)


 * I seriously doubt that security of the data was even a mild concern of theirs. To begin with, their internal procedures permitted a junior official complete and unrestricted access, who is to say this person couldn't have made 10 copies of the data - and walked away, undetected? Furthermore, sending unencrypted data, untracked, through the public postal system, and seeing their attitudes/behavior (emails) when the data was lost the first time around, is a pretty clear indicator that even the mildest forms of security were of absolutely no interest of theirs. Do you have any references which support the claim that online data transfers are insufficiently secure for official business? Erth64net (talk) 15:42, 26 November 2007 (UTC)


 * The majority of government departments prohibit the sending of protectively marked material over the public internet, these instructions are also repeated in user syops even through the GSI/IGS network. The underlying framework for the transmission and storage of this material is covered by e-Government Strategy Framework Policy and Guidelines (see page 17, Level 3) and Infosec Memo 13 -  Protecting Government Connections to the Internet (published by CESG). It may be worth pointing out that in this particular case, the definition of 'disc' has not yet been determined, and also TNT is a private courier firm (also used by the MoD amongst others). The normal method of sending large volumes of data such as this would be by courier or via a dedicated link encrypted with a BRENT or THAMER or other encryption device. 84.65.85.58 (talk) 16:40, 26 November 2007 (UTC)


 * User 84.65.85.58, your "e-Government Strategy Framework Policy and Guidelines" link is not valid, could you provide a working link? Erth64net (talk) 18:19, 26 November 2007 (UTC)
 * The link works fine for me. Joeking16 (talk) 11:03, 28 November 2007 (UTC)
 * Wow, what an unstable website then... As it consistently didn't work for a few days, despite attempting from five different internet connections. Though I can confirm it's working alright now. What's the Wikipedia policy on mirroring such content, especially if the source is so unreliable? Erth64net (talk) 15:14, 28 November 2007 (UTC)
 * It isn't unreliable, it is a government website. Joeking16 (talk) 17:01, 28 November 2007 (UTC)


 * Any data transfer method is secure if the data is encrypted with, say, AES. Toby Douglass (talk) 23:55, 26 November 2007 (UTC)


 * Toby Douglass, you are correct - at least for protecting assets within the US government; when using AES, the design and strength of 192 or 256 key lengths, are sufficient to protect classified information up to the TOP SECRET level. As long as the implementation of AES in products has been certified by the NSA prior to their acquisition or use. What about the UK though? A source would be an interesting piece of information to possibly add to the article, at the very least when further details are revealed regarding how the data was, or was not, protected in transit... Erth64net (talk) 04:07, 27 November 2007 (UTC)


 * There is an old joke that goes round MI5 that "Secret" means anyone can read it and that "Top Secret" means better pop it in a drawer when you go home. --Oscar Bravo (talk) 10:39, 18 December 2007 (UTC)
 * You worked at MI5??? 88.105.125.238 (talk) 21:18, 30 January 2008 (UTC)

Encryption
According to a post in the latest RISKS digest, they were password encrypted using Winzip version eight, which is known to be very weak, subject to a range of attacks. WinZip version *nine* introduced AES, and would have been safe. Toby Douglass (talk) 09:29, 31 December 2007 (UTC)
 * *Suspicious*
 * How does that guy -who posted that info on the webpage- exactly know about the way the discs are encrypted and which software was used................?
 * 88.105.125.238 (talk) 21:17, 30 January 2008 (UTC)
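
As an added example (not part of the discussion above and not WinZip's own code): the legacy ZIP password scheme and the AES scheme mentioned in this thread can be told apart from an archive's central directory, so a sender can check which one a tool actually applied before media is dispatched. The sample archive is constructed inline with placeholder payloads and hypothetical file names; ZIP64 and multi-disk archives are assumed absent.

```python
import struct

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record
CDH_SIG = b"PK\x01\x02"    # central-directory file header
LFH_SIG = b"PK\x03\x04"    # local file header
AES_METHOD = 99            # compression-method value that marks a WinZip AES entry
AES_EXTRA_ID = 0x9901      # extra-field ID carrying the AES parameters
AES_STRENGTH = {1: 128, 2: 192, 3: 256}


def _aes_strength(extra: bytes):
    """Walk the extra-field records and return the AES key size, if declared."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        if header_id == AES_EXTRA_ID and size >= 7 and pos + 4 + size <= len(extra):
            # layout: version(2) vendor "AE"(2) strength(1) real method(2)
            return AES_STRENGTH.get(extra[pos + 8])
        pos += 4 + size
    return None


def classify_entries(data: bytes):
    """Return [(entry name, protection)] read from the central directory.

    Entry names stay readable in every case below; only file contents
    are covered by either password scheme.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record found")
    total, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    results = []
    for _ in range(total):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("corrupt central directory")
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        nlen, elen, clen = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        extra = data[pos + 46 + nlen:pos + 46 + nlen + elen]
        if not flags & 0x0001:                       # bit 0: entry is encrypted
            verdict = "unencrypted"
        elif method == AES_METHOD and (bits := _aes_strength(extra)):
            verdict = f"AES-{bits}"
        elif flags & 0x0040:                         # bit 6: PKWARE strong encryption
            verdict = "PKWARE strong encryption"
        else:
            verdict = "legacy ZipCrypto"
        results.append((name, verdict))
        pos += 46 + nlen + elen + clen
    return results


def _build_zip(entries):
    """Assemble a minimal archive from (name, flags, method, extra, payload)."""
    body, central = b"", b""
    for name, flags, method, extra, payload in entries:
        n, offset = name.encode(), len(body)
        body += struct.pack("<4sHHHHHIIIHH", LFH_SIG, 20, flags, method, 0, 0,
                            0, len(payload), len(payload), len(n), len(extra))
        body += n + extra + payload
        central += struct.pack("<4sHHHHHHIIIHHHHHII", CDH_SIG, 20, 20, flags,
                               method, 0, 0, 0, len(payload), len(payload),
                               len(n), len(extra), 0, 0, 0, 0, offset)
        central += n + extra
    eocd = struct.pack("<4sHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return body + central + eocd


# Constructed sample: payload bytes are placeholders, only the headers matter.
AES_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
SAMPLE = _build_zip([
    ("plain.csv", 0x0000, 0, b"", b"name,address\n"),
    ("legacy.csv", 0x0001, 8, b"", b"\x00" * 24),
    ("aes.csv", 0x0001, AES_METHOD, AES_EXTRA, b"\x00" * 40),
])

if __name__ == "__main__":
    for entry, protection in classify_entries(SAMPLE):
        print(f"{entry:12} {protection}")
```
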

Methods of Encryption

What kind of "Key-scheduling" or hashing method is used to derive the encryption key on both, old & new, versions of Winzip? And what are the modes of encryption? ECB? CBC? or LRW? 88.105.125.238 (talk) 21:40, 30 January 2008 (UTC)

Is this article biased?

The tone in the section of the article on the encryption feels biased, like reading a Reddit post on Edward Snowden instead of being purely factual and unbiased as Wikipedia aims to be. For instance, the use of quotes around password protection and 'anyone competent with a computer'. 81.155.42.240 (talk) 09:19, 2 April 2015 (UTC)

eg. Instead of saying "Anyone competent in computing would be able to break this protection by downloading readily-available tools.", an unbiased article should say "There are multiple tools online such as  capable of breaking this encryption so the data could easily be decoded." 81.155.42.240 (talk) 09:19, 2 April 2015 (UTC)

Response and Resignation
Didn't a very senior civil servant tender his resignation since he had overall responsibility for the department? AleXd (talk) 16:59, 27 March 2008 (UTC)

Update?
Did the disks ever turn up? --Richardrj talkemail 12:07, 22 May 2008 (UTC)

Nope. --Magus213 (talk) 16:13, 21 October 2008 (UTC)

Delivery people lost the CD's and nothing happened, what a partisan twaddle. 23:26, 11 March 2010 (UTC)