I can only agree with Young: With others taking out that information, concealing it himself for any longer would have only put others at risk. He clearly took necessary precautions to hide that information, and only released it once it was known that the names were being used by others. Blaming him for this mistake is as pointless as blaming the person who noticed those Los Alamos laptops were missing (rather than the people who lost them or allowed security to slip). He could only be at fault if he had been irresponsible with his knowledge--and yet he didn't let anyone but the Times know about what had happened until the mistake had become public knowledge through others.

The fault here rests entirely with the Times, which handled sensitive information in a crude, even stupid manner. The only true way to conceal that information is to delete it, not to cover it; if the original document's information remained intact enough that such information could be retrieved only by someone with extreme skill, then it's still at risk. It must be removed entirely or else someone, someday, can read it. One can't help but wonder how many people with such skills and a stake in reading those names used more complex techniques to try to retrieve the information before Young's method came to light.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/51/2288#2288