How taxing is it to read a tape?
In “Athenian Economy and Society: a banking perspective,” Edward Cohen uses the fascinating technique of trusting in offhand comments. He uses the technique to analyze court records to reconstruct banking. You might not be able to trust the main testimony in a trial, but no one will offhandedly say something shocking and strange, because it will undermine their credibility. (For example, “it’s snowing in Jamaica” makes no sense as a parenthetical, and would undermine my credibility if I said it.)
So I found an offhand comment reported by Beth Pariseau in “IRS sent tax database on unencrypted tapes” [link to http://searchstorage.techtarget.com/originalContent/0,289142,sid5_gci1293698,00.html no longer works] to be fascinating:
The IRS confirmed to SearchStorage.com that copies of its tax database were distributed to state agencies on unencrypted tapes before Sept. 30, 2007. A source at one state agency said the tapes were also sent using common carriers, such as FedEx.
The source, whose agency received the database information on a regular basis, said the IRS had formal guidelines for agencies to place the tapes behind three layers of physical security — inside a locked box, for example — and restrict access to “need-to-know” personnel. He added a fourth layer of physical security, but that still didn’t make him feel comfortable. “These were standard IBM mainframe tapes,” he said. “It didn’t take anything special to read them.”
I found this really interesting because our anonymous source tosses off the idea that reading a tape is easy. This is in stark contrast to everyone who reports breaches, who goes on and on about how hard it would be to read their DLTs.
This expert didn’t give that nonsense a second thought. Journalists should be more skeptical, and so should you.
Interestingly, there’s a second tie to Cohen’s book. In it, he lays out how the Athenians, worried about the taxman, created private banking. The taxman has rarely worried about the welfare of the taxed.
[Update: An anonymous correspondent points to “Who Must File Magnetically,” which points to IRS publication 1220. Encryption is specifically forbidden (“Do not send encrypted data.”), and the tape format is clearly documented. See part C.05 on page 35 of the PDF, or printed page #29.]
Photo: IBM 3410 tape system. Image courtesy of IBM. Story via PogoWasRight [link to http://www.pogowasright.org/article.php?story=20080114101326115 no longer works].
Hi Adam
It depends on how old the tape is–the older it is, the less chance you have of being able to read it. Truth be told, I found a DLT in my building lobby and did not successfully identify the owner of the tape, even though we tried to read it–after a dozen man-hours, we had reached the point of diminishing returns.
Just because you have a mysterious tape doesn’t mean you have either the right version of equipment (DLT-IV v/s DAT) nor the right version/kind (NetBackup v/s Backup.exe) of backup software nor the right application (MS Word v/s binary backup of Oracle data) to read it.
I think the key is that it’s hard for the average person to read tapes if they found/stole them, but for a moderately-large organization/attacker, it’s possible.