Secure IT Disposal



  • Big organisations, especially ones that deal specifically in IT and electronics, produce a lot of electronic waste which has to be properly disposed of for environmental reasons.

    A lot of this is old computers which as I'm sure you all understand have to be treated carefully because they may contain information, you don't just chuck old research kit in the trash and wait for your nuclear submarine designs to show up on eBay. :)

     

    There are companies that exist to do exactly this kind of thing, you chuck anything electrical in a locked room, tell them to come and pick it up, they shred the hard disks for you and dispose of, re-use or recycle the electronics properly. You get an inventory and a certificate to say that you properly disposed of it. They also charge you for the privilege, which is taking the piss when you consider that re-use means "Stick a new hard disk in it and sell it on".

     

    At my last employer we had one approved supplier for such services but it seems the boss didn't entirely trust them, to be honest neither did I or anyone else who had ever met them.

     

    Our desktop life cycle went something like this, we had computer labs ranging from 'Shit hot' to 'Only really keeping desktops around to interface with some bit of kit', we'd buy new kit for the 'Shit hot' lab and cycle the machines through lower priority areas until eventually they became desktops for admin staff or suchlike. When they finally became five or six years old we disposed of them.

    Everything would come with a three year warranty so I didn't have to do much if anything went wrong, by the fourth year obviously there are going to be a few disk failures, fans that need changing, power supplies that die. My solution was to nick bits out of the end-of-line kit awaiting disposal rather than buy in new parts for a PC which would likely be retired next year anyway.

     

    The WTF was what happened to kit when it did eventually reach the end of the line, the procedure went something like this:

    I'd erase the disk, even though they were supposed to do that for us, sometimes we just had to know that the information was erased before it left the building, as I say we didn't entirely trust the disposal firm.

    I'd have to make an inventory of everything in the store and check it against their inventory to make sure nothing had gone missing, because we didn't entirely trust the disposal firm.

    The boss then asked me to stop taking parts out of old scrap kit because the disposal firm was actually complaining that some of the computers were incomplete and couldn't be sold on, instead we ended up buying new parts to repair old machines.

     

    I did try pointing out that if I'm basically going to do their job for them because we don't trust them, why don't we just dis-assemble the machines ourselves? The data would be erased, we'd get a stash of spare parts for free, we could sell the cases as scrap metal and just chuck anything electrical we didn't want in a bin and have it taken away as electrical waste.

    That apparently wasn't an option because we had to get this particular certificate from this particular approved supplier.

     

    Eventually the boss started complaining about how much they were charging, we worked out that it was because of their pricing structure. They had set amounts for a desktop, a server, a CRT and so on... the problem was little things like faulty parts, a hard disk here or an old tape drive there would class as another individual item and up the cost.

    Now there was even more to do as it was realised that we could cram four dead hard disks into a non functioning desktop and only get charged for disposing of one desktop.

     

     

     



  • You actually thought a good idea that makes your job easier and saves the company money would just be accepted and gone ahead with? Yeah right, you couldn't possibly be working in a corporation for more than 6 months and assume logic and common sense would be used?



    Since we're on the topic of disposal, I once happened to be enjoying a snack in the break area when the cleaning crew arrived to empty the bins. They casually took all the different recycling bins one by one and poured all the contents into one big bag.

    Needless to say, I haven't been paying much attention to what I throw away in which bin since...



  •  Thanks for your story. Was fun to read. Especially:

    @EncoreSpod said:

    The boss then asked me to stop taking parts out of old scrap kit because the disposal firm was actually complaining that some of the computers were incomplete and couldn't be sold on, instead we ended up buying new parts to repair old machines.



  • @EncoreSpod said:

    I'd erase the disk, even though they were supposed to do that for us, sometimes we just had to know that the information was erased before it left the building, as I say we didn't entirely trust the disposal firm.

    Anecdotes I've heard (about untrustworthy firms):

    • a "security conslutant" that bought some disks at random off ebay, then trawled them for useful information (cookies, etc) and used that identifiable information to contact the previous owner. In many cases, they were company disks that weren't wiped properly, and the company then launched legal action against the disposal firm.
    • an individual that periodically buys HDs of specific make, model and size off eBay and compares the serial numbers in their inventory to see if any disks weren't properly disposed of
    •  someone that blanked disks then left a file on containing contact information with a reward. As soon as someone made contact, they used it as evidence that the disposal firm weren't properly wiping the disks but just selling them on.

    In one of these cases, it was down to "a temporary summer employee" that swiped a few disks out of stock and thought he'd make money on the side selling them to eBay. The story didn't quite wash since it implied the disposal firm were leaving unblanked disks in an unsecured location that allowed an employee to easily steal a few - but it's always a junior employee, summer intern, ain't it?

    @EncoreSpod said:

    The boss then asked me to stop taking parts out of old scrap kit because the disposal firm was actually complaining that some of the computers were incomplete and couldn't be sold on, instead we ended up buying new parts to repair old machines.

    Sorry, I thought this was a disposal firm...? You're paying them money to dispose of it, and they're complaining they can't make MORE money out of the "disposal"?

    ObSnopes: spray a black or bright green alien head on the side of the cabinet and leave it on a park bench. It'll be gone once you return.



  • @Cassidy said:

    @EncoreSpod said:
    The boss then asked me to stop taking parts out of old scrap kit because the disposal firm was actually complaining that some of the computers were incomplete and couldn't be sold on, instead we ended up buying new parts to repair old machines.

    Sorry, I thought this was a disposal firm...? You're paying them money to dispose of it, and they're complaining they can't make MORE money out of the "disposal"?

     

     

    Yup. :) It was such a WTF deal from the start, they took our stuff away, charged us to take it away then wherever possible sold it on and were completely up front about it. They even had the nerve to bullshit the boss with "That's why our service is so cheap, because we can pay for some of the disposal using the profits from refurbishing old machines."

    But the man had to have his certificate, from an 'approved' supplier, of which there was only one. I wouldn't be very surprised if the disposal firm was the head of procurement's cousin or something. They had management by the balls and could bill us thousands of pounds for a piece of paper that says "Yeh we taked away dat toxic shit and didn't sell it down the pub or dump it in the river or nuffin".

    But then this was the man who used to VOLUNTEER to go to Microsoft conferences all over Europe where they would stick him in a hot lecture feature with no air con and talk bollocks until he got sleepy, then, catch him with the suggestive messages whilst in a trance like state.

    Every year he'd come back saying "must... purchase.... <insert product>... license. must... turn... PDF's... into DOCX" I swear one year he is gonna come back just going "Bwwaaiiinnnsss.. BWWAIINNSNSSSS!". Fortunately I don't work there anymore so my brains are safe, for now.

     

     



  • @EncoreSpod said:

    There are companies that exist to do exactly this kind of thing, you chuck anything electrical in a locked room, tell them to come and pick it up, they shred the hard disks for you and dispose of, re-use or recycle the electronics properly.
    I know of at least one major bank which has half the basement of their London office full of kit waiting for secure disposal. For obvious reasons it has to be disposed of properly, but for non-obvious reasons they've decided that it can't leave their building until it has been securely destroyed. Since no-one with appropriate certification is willing to come and do the work in the basement/boiler-room/rubbish store/underground car-park, there it sits - several years' worth at a minimum.

    The space the kit sits in could be rented out for maybe a quarter of a million quid a year, but that's only the start. Every machine there gets the usual PAT checks, inventorying, and so-on. Since the bank still owns them, they get included on support contracts. They paid to move them all from one building to another a couple of years ago. Oh, and they've only recently agreed that monitors cannot contain proprietary information once unplugged, regardless of how confidential the information they were displaying was, so up until recently they were keeping old monitors too.

    The best bit? That despite all that, the security is so loose that I nicked various gubbins from the store, including hard disks - and I'm far from alone. Yes, this is one of the banks which received a particularly large bail-out...



  • @EncoreSpod said:

    It was such a WTF deal from the start, they took our stuff away, charged us to take it away then wherever possible sold it on and were completely up front about it. They even had the nerve to bullshit the boss with "That's why our service is so cheap, because we can pay for some of the disposal using the profits from refurbishing old machines."
    I like that business model. Recently there have been a lot of empty property management companies springing up with a very similar model: you pay us to look after your empty property, and then we'll rent it out at market rates. Again, the only thing they provide is a guarantee.



  • @EncoreSpod said:

    But the man had to have his certificate, from an 'approved' supplier, of which there was only one.

    Then I'd refrain from scrubbing/touching any of the HW, on the grounds that this is the "approved" supplier's responsibility.

    And if any precious data is found to have been lost out in the wild, then you've got a certificate identifying the person responsible...



  • @EncoreSpod said:

    they shred the hard disks for you and dispose of
    ...
    The boss then asked me to stop taking parts out of old scrap kit because the disposal firm was actually complaining that some of the computers were incomplete and couldn't be sold on, instead we ended up buying new parts to repair old machines.
    Am I the only one who heard the warning bells when reading this? You'd take a hard disk out of a dead machine (where it was supposed to be shredded anyway), and they'd complain because the machine couldn't be resold without one?



  • Yup - which is why I queried their organisation name of "disposal" versus "reseller". They're not actually disposing of the kit, they're just a "collection for repurposing" bunch.

    Ender: what's with your tags? I see some detritus all over your post.


  • Trolleybus Mechanic

    @fterfi secure said:

    Oh, and they've only recently agreed that monitors cannot contain proprietary information once unplugged, regardless of how confidential the information they were displaying was, so up until recently they were keeping old monitors too.
     

    There's TRWTF. Have they never heard of Screen Burn-In (http://en.wikipedia.org/wiki/Screen_burn-in)?  Those CRTs are a treasure trove of information just waiting to be stolen. After all, it's the information that's on the screen for the longest period of time that gets burned in, and it's the largest clients who are on screen the most. Someone is going to steal all the big clients-- you know, the ones that matter and that can sue!

    Put this in a power point, add a few bar graphs, and you can convince the suits to permanently store CRT monitors. They can add a nice, huge number on the books that say "Income: Prevented privacy lawsuits". They won't notice the actual, real huge number on the other side of the books that say "OMFG paying for storage!". You just might drive them out of business.

    For bonus points, you can sell them the method to securely destroy information that may have been burned onto the screen, which is, of course, displaying an ultra-bright white image until the entire screen is burnt in. Can you imagine it? The entire dodgy basement alight in a sea of humming, flickering white light from below. And they must be left running 24/7 until every bit of secure data is gone-- all running off the bank's electricity, of course. It might be too much of a drain on the grid. Get them to build their own nucular power station just to support it. No pixel left unscorched.

    Depending on the spectrum those CRTs put out, you might be able to rent out the basement as a light-therapy room. Or a tanning salon. Or both.

    If they complain about the heat, start a "greening initiative" company. Sell them on heat reuse to save the environment. After your large consulting fee, and "green premium" service, go in and spend 10 quid to run a vent into the air intake system. Instant heating in the winter! Fold the company by summer.



  • @irreal said:

    Since we're on the topic of disposal, I once happened to be enjoying a snack in the break area when the cleaning crew arrived to empty the bins. They casually took all the different recycling bins one by one and poured all the contents into one big bag.
    Needless to say, I haven't been paying much attention to what I throw away in which bin since...
    I saw the same thing happen at our break room.  Cleaning lady dumped the trash into a big bin, and then moved on to the recycling bin and dumped it into the same big bin.  I was laughing so hard on the inside, because less than a week earlier I threw a cardboard container for my lunch into the trash and a coworker reached into the trash and pulled it out and dropped it into the recycling.  He then gave me the look like I had just killed a puppy.

    Back on topic... I fully understand wiping hard drives before passing them on for destruction.  We had one server room that contained sensitive personally identifiable information on it and the client had specific requirements with proper usage and storage of said data, so we had to wipe all the hard drives before they could even leave the server room and go to destruction.  As for that other stuff if that company just changed their job description from disposal to repurposing/selling I would be ok with it, but they are obviously misadvertising their type of work which aggravates me, and if they are selling the stuff then they should be paying you for the stuff.

    I was told a funny story once from a guy who had Secret clearance, about one of his idiot coworkers who decided to plug his iPod into a Secret level work station so he could charge it.  Needless to say the guy seized his coworker's iPod and slapped a Secret label on it and had it flagged for disposal.  The coworker was pissed and whiny about losing his iPod, but when the boss pointed out everything he could do to him, the idiot became much more cooperative.


  • ♿ (Parody)

    @Anketam said:

    I was told a funny story once from a guy who had Secret clearance, about one of his idiot coworkers who decided to plug his iPod into a Secret level work station so he could charge it.  Needless to say the guy seized his coworker's iPod and slapped a Secret label on it and had it flagged for disposal.  The coworker was pissed and whiny about losing his iPod, but when the boss pointed out everything he could do to him, the idiot became much more cooperative.

    Sounds reasonable. I'll bet the document disposal guys got a kick out of burning the iPod. For more fun, convince more gullible cow-orkers that the stuff in the hole punch and the crap in the vacuum cleaner must be disposed of as classified waste.



  • @Anketam said:

    ..secret ipod...

    For the queen !!



  • @Lorne Kates said:

    There's TRWTF. Have they never heard of Screen Burn-In? 
    There are two WTFs there, actually. The first is that as far as I know that's where they got the idea in the first place. The second is that these were first-gen TFTs, not CRTs.



  • @irreal said:

    Since we're on the topic of disposal, I once happened to be enjoying a snack in the break area when the cleaning crew arrived to empty the bins. They casually took all the different recycling bins one by one and poured all the contents into one big bag.

    Our recycling company does that, they have a mechanical sorter which (apparently) smooshes everything into tiny bits, then can sort out the different materials from the pile of bits. Our local government actually got rid of the 3 recycle container system and just replaced it with one.

    Not necessarily a WTF, in other words.



  • @blakeyrat said:

    Not necessarily a WTF, in other words.

    Okay, I'll accept that, but then what's the point of having separate bins? Get a single large one, or leave the three that we now have but drop the labels and instructions that demand you put the right trash in the right bin.


    BTW, I'm not really complaining about this hard, just thought it was interesting and remotely relevant to the topic.

    Compared to my last job, this place is a heaven and surprisingly lacks any major WTFs so far. The biggest WTF yet is calling TrueUp Report Data TURD. That's pretty low on the WTF scale, especially seeing as it's a Fortune 100 company. Then again, chances are I just haven't been around long enough to discover horrifying stories.



  • @irreal said:

    Since we're on the topic of disposal, I once happened to be enjoying a snack in the break area when the cleaning crew arrived to empty the bins. They casually took all the different recycling bins one by one and poured all the contents into one big bag.

    Needless to say, I haven't been paying much attention to what I throw away in which bin since...

    I always get a chuckle watching everyone meticulously separate their garbage into several different recycling bins in the break room. Every once in a while I point out to someone that we only have a cardboard bin in the back, so the janitors are just picking out the aluminum cans for themselves and dumping everything else in the trash.



  • @fterfi secure said:

    @EncoreSpod said:
    There are companies that exist to do exactly this kind of thing, you chuck anything electrical in a locked room, tell them to come and pick it up, they shred the hard disks for you and dispose of, re-use or recycle the electronics properly.
    I know of at least one major bank which has half the basement of their London office full of kit waiting for secure disposal. For obvious reasons it has to be disposed of properly, but for non-obvious reasons they've decided that it can't leave their building until it has been securely destroyed. Since no-one with appropriate certification is willing to come and do the work in the basement/boiler-room/rubbish store/underground car-park, there it sits - several years' worth at a minimum.

    The space the kit sits in could be rented out for maybe a quarter of a million quid a year, but that's only the start. Every machine there gets the usual PAT checks, inventorying, and so-on. Since the bank still owns them, they get included on support contracts. They paid to move them all from one building to another a couple of years ago. Oh, and they've only recently agreed that monitors cannot contain proprietary information once unplugged, regardless of how confidential the information they were displaying was, so up until recently they were keeping old monitors too.

    The best bit? That despite all that, the security is so loose that I nicked various gubbins from the store, including hard disks - and I'm far from alone. Yes, this is one of the banks which received a particularly large bail-out...

    Perhaps they could save some money by simply burning the building down?



  • All confidential information is always encrypted. So I don't care who gets the drives when I'm done with them.



  • @morbiuswilters said:

    All my confidential information is always encrypted. So I don't care who gets the drives when I'm done with them.

    FTFY



  • @Anketam said:

    the boss pointed out everything he could do to him

    What would that be?



  • @toon said:

    @Anketam said:

    the boss pointed out everything he could do to him

    What would that be?

    Fire him and/or have his clearance revoked.  It would be impossible for him to ever get any kind of clearance again.  Getting another job would also likely be difficult, depending on how long he was there (the longer the gap, the harder it is to explain away in an interview).



  • @toon said:

    @morbiuswilters said:
    All my confidential information is always encrypted. So I don't care who gets the drives when I'm done with them.

    FTFY

    Wow, did you just learn how to read or something? Thanks for pointing out the obvious.



  • @morbiuswilters said:

    All confidential information is always encrypted. So I don't care who gets the drives when I'm done with them.
    Wait, so you're telling me "Recycle Bin" on my "Desktop" isn't a secure means of information disposal?  Shit, I gotta make a few calls...



  • @C-Octothorpe said:

    @toon said:

    @Anketam said:

    the boss pointed out everything he could do to him

    What would that be?

    Fire him and/or have his clearance revoked.  It would be impossible for him to ever get any kind of clearance again.  Getting another job would also likely be difficult, depending on how long he was there (the longer the gap, the harder it is to explain away in an interview).

    Ah, I didn't gather that from the original comment. To me it sounded like a guy with security clearance slapped the sticker on a clueless coworker with no clearance at all... Makes much more sense. :)


  • @morbiuswilters said:

    @toon said:
    @morbiuswilters said:
    All my confidential information is always encrypted. So I don't care who gets the drives when I'm done with them.

    FTFY

    Wow, did you just learn how to read or something? Thanks for pointing out the obvious.

    No sir. I was quoting someone who was trying to point out that information that's secure should always be encrypted or it's their own fault. The thought that it might be a typo hadn't occurred to me. (not being sarcastic; it honestly hadn't.)



  • @toon said:

    @morbiuswilters said:
    @toon said:
    @morbiuswilters said:
    All my confidential information is always encrypted. So I don't care who gets the drives when I'm done with them.

    FTFY

    Wow, did you just learn how to read or something? Thanks for pointing out the obvious.

    No sir. I was quoting someone who was trying to point out that information that's secure should always be encrypted or it's their own fault. The thought that it might be a typo hadn't occurred to me. (not being sarcastic; it honestly hadn't.)

    It wasn't really a typo, the "my" was implied.



  • If you want a recycling WTF, check out what happens to recycled glass. A large proportion of it gets ground up into sand so we can say it's been recycled, even though that takes much more energy than chucking the glass in a hole in the ground and digging out some more sand.



  • @Lorne Kates said:

    There's TRWTF. Have they never heard of Screen Burn-In?  Those CRTs are a treasure trove of information just waiting to be stolen. After all, it's the information that's on the screen for the longest period of time that gets burned in, and it's the largest clients who are on screen the most. Someone is going to steal all the big clients-- you know, the ones that matter and that can sue!

    Put this in a power point, add a few bar graphs, and you can convince the suits to permanently store CRT monitors. They can add a nice, huge number on the books that say "Income: Prevented privacy lawsuits". They won't notice the actual, real huge number on the other side of the books that say "OMFG paying for storage!". You just might drive them out of business.

    For bonus points, you can sell them the method to securely destroy information that may have been burned onto the screen, which is, of course, displaying an ultra-bright white image until the entire screen is burnt in. Can you imagine it? The entire dodgy basement alight in a sea of humming, flickering white light from below. And they must be left running 24/7 until every bit of secure data is gone-- all running off the bank's electricity, of course. It might be too much of a drain on the grid. Get them to build their own nucular power station just to support it. No pixel left unscorched.

    Depending on the spectrum those CRTs put out, you might be able to rent out the basement as a light-therapy room. Or a tanning salon. Or both.

    If they complain about the heat, start a "greening initiative" company. Sell them on heat reuse to save the environment. After your large consulting fee, and "green premium" service, go in and spend 10 quid to run a vent into the air intake system. Instant heating in the winter! Fold the company by summer.


    Does anyone know whether Simon Travaglia reads TDWTF?



  • @pjt33 said:

    Does anyone know whether Simon Travaglia reads TDWTF?
     

    Since his best stories are from the olden days (1990s) he pre-dates TDWTF! Here's your 4MB home space!



  • @Zemm said:

    Since his best stories are from the olden days (1990s) he pre-dates TDWTF!


    Indeed, but El Reg are still publishing his new material, and this is better than a lot of it. Maybe Lorne could moonlight as his ghostwriter.



  • @fterfi secure said:

    The second is that these were first-gen TFTs, not CRTs.
    My old TFT (Hansol H530) had a nice burn-in of the minimize/maximize/close buttons in the top-left corner, though that did go away after a few months when I repurposed it for my (text-only) Linux server.



  • @blakeyrat said:

    @irreal said:
    Since we're on the topic of disposal, I once happened to be enjoying a snack in the break area when the cleaning crew arrived to empty the bins. They casually took all the different recycling bins one by one and poured all the contents into one big bag.

    Our recycling company does that, they have a mechanical sorter which (apparently) smooshes everything into tiny bits, then can sort out the different materials from the pile of bits. Our local government actually got rid of the 3 recycle container system and just replaced it with one.

    Not necessarily a WTF, in other words.

     

    Right, the recycling bins here, you can put anything recyclable in, and don't have to worry about differentiating. (Except glass, not because they can't sort it from the other stuff, but because broken glass is a health and safety risk.) Seems like a better option than making people split, to me.

     



  • OP:  So, the real WTF is that your bosses are adamant on spending money on a private firm specializing in secure computer disposal, of which you and your bosses are openly distrustful of, which does the same things your internal IT does, to the point that they give you orders to condition junked PCs for the firm so they don't complain, just so you can get a certificate from them, a company you openly distrust?

    I swear, if I ever run a huge company, and I hear about anything like this ridiculous crap costing us even one penny, people are getting fired.



  •  yeah :D



  • Here is what you should do. After you erased the disk, install an image with some autorun program that will phone home by sending an HTTP request to your server, or like that.



  • @Lorne Kates said:

    @fterfi secure said:

    Oh, and they've only recently agreed that monitors cannot contain proprietary information once unplugged, regardless of how confidential the information they were displaying was, so up until recently they were keeping old monitors too.
     

    There's TRWTF. Have they never heard of Screen Burn-In?  Those CRTs are a treasure trove of information just waiting to be stolen. After all, it's the information that's on the screen for the longest period of time that gets burned in, and it's the largest clients who are on screen the most. Someone is going to steal all the big clients-- you know, the ones that matter and that can sue!

    Put this in a power point, add a few bar graphs, and you can convince the suits to permanently store CRT monitors. They can add a nice, huge number on the books that say "Income: Prevented privacy lawsuits". They won't notice the actual, real huge number on the other side of the books that say "OMFG paying for storage!". You just might drive them out of business.

    For bonus points, you can sell them the method to securely destroy information that may have been burned onto the screen, which is, of course, displaying an ultra-bright white image until the entire screen is burnt in. Can you imagine it? The entire dodgy basement alight in a sea of humming, flickering white light from below. And they must be left running 24/7 until every bit of secure data is gone-- all running off the bank's electricity, of course. It might be too much of a drain on the grid. Get them to build their own nucular power station just to support it. No pixel left unscorched.

    Depending on the spectrum those CRTs put out, you might be able to rent out the basement as a light-therapy room. Or a tanning salon. Or both.

    If they complain about the heat, start a "greening initiative" company. Sell them on heat reuse to save the environment. After your large consulting fee, and "green premium" service, go in and spend 10 quid to run a vent into the air intake system. Instant heating in the winter! Fold the company by summer.

    You should go work for the US Department of Defense. Instead of "income" you can just call your central figure "deficit reduction."

    The DOD has plenty of money to spend on that kind of crap. They stole it from my children.



  • @bridget99 said:

    You should go work for the US Department of Defense. Instead of "income" you can just call your central figure "deficit reduction." The DOD has plenty of money to spend on that kind of crap. They stole my children.

    MICFY

