So You Followed Proper IT Security Procedures and Still Got Burned? (Part 2 of 2)

Continued from Part 1 of So You Followed Proper IT Security Procedures and Still Got Burned?

My innocent laptop computer was stuck in a dreamless sleep because my password no longer worked – even though I had followed the manufacturer’s own procedures when setting up and updating security on the machine. According to the tech wizards at the manufacturer, the only thing that could awaken the computer from the dead was a $1,300 motherboard.

I didn’t believe them.  I went online and instantly found a company that specialized in just this kind of problem: Datronics Custom Computers. They said they could fix it, and for a lot less than the manufacturer was asking for a new motherboard. They had hundreds of glowing testimonials from people all over the world.

It looked legit… but how could this be? The manufacturer insisted the only thing they could do for me was provide a new motherboard. But if Datronics had enough clients to justify a full-time business, that meant two things: the password protection was next to useless (since it can be removed by a third party at no significant cost), and the manufacturer was not offering this effective and much cheaper solution to the hundreds and potentially thousands of customers affected by this bug.

I gave Datronics a call. They confirmed everything on their website. I was still a little leery because of what the original manufacturer was saying, but for $75 Datronics quoted to fix the problem, I’d give it a try.

I shipped them the computer. In about a week, I had it back – working just fine. My password with the unusual characters that the patched BIOS had rejected was erased from the motherboard. Now I could set up my computer’s password again.***

But I’m left feeling unsettled. The password on this laptop (and possibly on many other brands) will only protect my information from being accessed by my kids, or someone in my office who might want to snoop on my work.  It does not stop a tech-savvy thief from stealing my laptop and sending it off to a legitimate company to remove the password.

Three morals to my true story:

1. Improving IT security is still a reasonable goal for all organizations and claims by vendors that their technology solution will improve security may still be trusted (after undertaking due diligence). But be wary of any business claims of having an “unbreakable” security solution. According to Datronics’ Ali Dabiri, they could read and replace my supposedly unbreakable password in minutes using their own technology solution.

2. Password security is just one part of an overall security strategy to ensure your data is protected. See my tips on laptop security and the value of website security.

3. Your IT security technology and procedures may not work the way you think it should. This is the sad truth that most IT experts won’t want you to hear.

But as my loyal readers know, I am concerned with the current state of the IT industry, which allows some vendors to get away with products that don’t work the way they should.