We're blaming the user for our mistake. That's like blaming the cow for leaving the pasture because one of us forgot to lock the gate.

The simple fact is that this user should have never been able to be in a position for this to happen.

Where were the IT security policies and procedures? Why was mission critical data on someone's c: drive? When (if ever) was the last audit?

We curse enterprise IT departments because they are so slow at getting things done, but they are really, really good at putting in place the things that would never allow this to happen. I have customers with strict policies regarding the protection of mission critical data, and I bet that none of it is as important as what was routinely put onto this laptop and paraded around town.

Public companies are responsible to their shareholders and the SEC. Private companies are responsible to their investors and creditors. Why weren't the same protections put in place to the trustees and taxpayers in this case?

Every nanosecond this researcher has to worry about performing routine IT overhead is a nanosecond not spent on critical research. The technological solutions to problems like this have been around for years. Why weren't they in place?

It's about time for IT to stop blaming the user and fix the problem.

PCs have been almost ubiquitous for 20 years now. For my entire freaking life I have been hearing about how "you need to back up your data". We have consistently made better and better backup tools, like mozy, or backblaze. Yet somehow it is our fault some idiot decided "It won't happen to me!". At some point, we just have to have the users be a tiny little baby step of a bit responsible for their stuff too. Just like accounting makes people responsible for their inventory and expense reports. Just like HR makes people responsible for their own insurance stuff. Sure they help, but crap - people need to be a little grown up in their lives and actions.

Just because this person did not bother to find out about backups from her IT does not make it ITs problem. Hell, you don't even know if there was or wasn't the ability for backups in place. Most university IT shops have lots and lots of capacity and backup options in place -- and they are documented, they just don't force users to do it. You know why? Sanctimonious asshats come from the other direction then, complaining not about how IT must mother the employees, but instead must back off the draconian rules to make users feel more welcome.

tl; dr -- Users should be held to some standard of responsibility and IT is damned when they do and when they don't.

It was IT's problem before this person ever came along. That's the whole point.

A few quick questions:

1. Are you capable of implementing an IT infrastructure where it is impossible for a user to lose mission critical data? If not, then you're incompetent. Move along, please.

2. Are you willing to implement an IT infrastructure where it is impossible for a user to lose mission critical data? If not, then you're insubordinate. Move along, please.

3. Is it possible for a user to lose mission critical using an IT infrastructure that you have implemented and administer? If so, then you have a problem. Fix it.

Again, in an institutional environment, it is not the user's responsibility to safeguard mission critical data. By definition, this is one of the primary responsibilities of IT.

(Here's a hint: Mission critical data ever on a c: drive = IT failure)

I'm sick of this attitude of ...

And your customers are sick of your attitude. Thanks for demonstrating my point far more effectively that I could ever verbalize it.

Further, and I'm really really suggesting you read this slow, and look up words you don't understand in the dictionary, universities just don't work this way. There is no central authority that can force this sort of behavior in them. The researchers themselves push for it, and the people who pay IT then demand it be set up that way. No matter how nice it would be to force backups -- IT can't override the fucking dean. Researchers are to be given autonomy is the usual directive. This leaves IT to provide easy access infrastructure, but not go that last step, as they are forbidden.

Are you sure your customers love your "DO AS I SAY IT IS THE ONLY WAY DAMMIT" attitude? Having dealt with sanctimonious asshats like you many times, and further talked to the mormons and jehovia's witnesses at my door, I realize my words won't sink in, but I will make a futile attempt anyway: Give up the judgemental bullshit. Your way is not the one true way. Your smug little smirk makes lots of people fucking hate you, and you know what, you don't even realize they smile and agree with you just to get you to shut up and go away.

tl; dr- go jerk off to your authority some more, the rest of us have real worlds to live in.

I do care, however, how your behavior affects this community. Others smarter than either one of us have worked hard to keep it what it is. Please remember the guidelines:

http://ycombinator.com/newsguidelines.html

Peace.

2. Follow the guidelines yourself, the condescending crap doesn't fly too well, and is no more or less insulting than anything I said. Further look at the insults you directed towards me. Do you really think your insults don't count but mine do? That act you are committing there, it's called hypocrisy.

3. It is sad you must fall back on pointing out the guidelines instead of addressing the parts about how authority doesn't work according to your claims. It is either an admission of ignorance of how things really work, or a diversionary tactic to avoid having to admit wrong. (PS -- continuing hte diversion about guidelines doesn't change this set of conclusions, no matter how you justify it, the deduction doesn't change).

4. I've been here about as long as you have. Feel free to peruse my comment history. I gladly contribute nicely to non-moralizing discussions, and I call people out when they act disingenuous or jerky. Your attempt to change your moralizing into some sort of "look at me I'm a pillar of the community" is at best an attempt to pull some dirty politics style trick. This loses you even more of the moral high ground you pretend to argue from.

Laptops are powertools, use them well and they'll do you good, abuse them and they'll eat your research data.

Odds are the researcher messed up and uses the 'theft' as an excuse for something or other, otherwise that reward would have been a bit higher, $1,000, $500 of which is probably the second hand value of the laptop, that can't have been much data.

I agree with your basic premise that we collectively should help to make stuff like this impossible (dropbox is a nice step in the right direction making it easy to have multiple versions of your stuff) I just don't believe this particular case is a good example of what happens when 'we' fail. This user carries the blame and responsibility, not the IT staff there, nor the manufacturer of the gear.

Smart enough to use a laptop? -> Smart enough to burn a DVD once a week or so. Maximum loss is one week of data, and that's assuming you place those DVDs in a different physical location from the laptop.

Of course that's too much of an investment for such valuable data.

Bosses don't always let you stick truecrypt on everything, especially if they say, have macs.

Most companies aren't run by the IT guy, and no universities are. You don't get that authority most places.

Impossible? Why is perfection the standard? At a minimum she could have bought a $50 external drive at Best Buy, used the back-up software included in the OS, and the probability of this outcome occurring drops substantially.

This is basic stuff that anyone doing cancer research should understand. The fact that she admits to feeling guilty is an indication that she knows better.

Blaming the IT department, in this instance, would be like not brushing your teeth and blaming your dentist when they start falling out.

We're talking about mission critical data. Data, without which the mission cannot succeed. It was not even backed up. That's not the users fault, it's a systemic failure of the organization, a failure it was/is ITs responsibility to fix.

Oil can't be regenerated. When gas burns, it emits CO. Catastrophes that might hit an apartment are usually out of the architect's control. There are protection schemes, but they're only protection, and they're often expensive.

In contrast, software authors are working in a world where they define the laws of the equivalent of physics. It's hard to define them so that nothing bad can happen, and they may be expensive in terms of memory or time, but there's still a big difference between problems in software and problems in the real world.

I create a new computer company, and put automatic backing up to my servers In said OS. It's part of the price when you purchase. It is fully encrypted, and strictly there to alleviate these problems -- you can always restore backups from our servers. You know what happens? It isn't heralded as a bright and sunny day where the evil programmers and computer wizard finally did something right. Instead it is the "Worst Thing Ever"(tm) and we are invading the privacy of millions. We must be trying to rape children and torture puppies. We will be branded as evil and Fox News will call for our assassinations.

Just because we make the rules of the software does not mean we make the rules of the society and people who use them.

{edit}

Some of your users might well be incompetent computer users and wont pass the "test".

I have often thought about why people dont do backups even when the new tools are easy for most to handle. I think the reason is psychological in nature.

Backup implies that you are at least cognizant of the impending disaster scenario. many people avoid even thinking about this, why think of bad news?. Engineers are accustomed to this way of thinking, its a different mental makeup, we shouldn't assume the general public shares this point of view, especially since most of the time they are led through their computing experiences by "wizards" and "guides" might as well be priests.

I own a car, pay insurance on it, but never in my life had a driver license. My wife drives it, working on my insurance bonus. But since it's my vehicle, am still responsible for all the stuff around maintenance, meeting requirements for road worthiness, etc.

Sorry, this doesn't pass the absurdity test.

Whether the current IT plans have survived contact with the end-users.

If IT assumptions and approaches and plans aren't working and if errors are repeating, then IT is left to continue to spend on and work on More Of The Same and on Just Try Harder solutions, or IT can look at different approaches and different solutions. At performing some Root Cause Analysis, or whatever that might be called, and at shifting strategies and tactics.

Computer hardware and software vendors have the same issues, too. Sooner or later, the "blaming the users" for a repeating failure modes isn't going to be a viable product strategy, and somebody (else) then ends up owning the problems and the costs, or your product ends up cast aside.

Look to ways the most serious of these repeating problems can be eliminated.

Backups? IT has to expect some users won't do backups. Something akin to Apple Time Capsule with Mac OS X Time Machine is an absolute killer feature for home users. Your data ends up archived with minimal end-user involvement.

Passwords? How long will we repeat the IT password mantras? IT has to expect some users will continue to pick passwords. So what to do about that?

With a large enough breach or a large enough data loss, IT can be forced start deploying its own CA chains and certificates, and moving to tokens or analogous. Or backups. Or whatever. Why not start ahead of that breach?

As for alternatives and depending on your local user requirements, look to add and to migrate to embedded and tablet devices and automatic backups; trump the problems where you can. At certificate chains and VPNs. At automated backups.

Look for, but don't repeat mistakes.

...Don't expect existing mistakes to fix themselves.

...Don't assume that longstanding approaches and solutions are still the best available solutions.

...And don't plan that end-users will grok IT. They know and think about cancer research, or whatever their job is. Not about IT.

Academics react extremely badly to being told to follow procedures as part of their daily workflow, especially ones they don't understand the importance of. In fact, a big part of the reason that they're in academia in the first place is that they're not able to handle the mundane requirements that are usually in place in the "real world."

For example, someone I work with complains incessantly about the fact that department IT forced him to upgrade from pine — pine, in 2010 — because it is no longer supported. If the IT folks tried to institute rigorous procedures, they would be instantly vilified (and ignored). Unlike in a company where there's a hierarchy, professors don't have anyone above giving them orders, and aren't used to the concept.

Of course, scientific protocols themselves often require lots of procedures, but this is very different because it comes from within and is well-motivated from the point of view of the scientist.

Let me clarify: I do think it is very important that what happened here doesn't happen again, but ensuring that is much harder than someone not familiar with the system might assume. It probably needs to be a mixture of carrots and sticks; I'd say a lot more carrots than sticks.

I got some fire and ire, restricting users software choices and tools, as it was a zoo before. It is too bad, I dont want to restrict anybody, but to maintain the integrity of the organization information, offer reliability and keep cost low, choices and policy have to be enforced.

Every desktop folder and user folder is synced to a server, restrictions on personal data stores are monitored, and enforced. critical data is copied to an onsite and offsite datastore. I am met with some dissatisfaction by more advanced users at times, but when their desktop/laptop gets fucked (3 year avg for laptop harddrive it seems) login on to a spare and having your desktop just the way you left it, is a huge relief for users.

and we are just a museum, we are not solving the worlds most dire problems.

I've several friends who have pursued biology in universities. They could claim that their laptops have data offering possible cures for diabetes, high blood pressure and AIDS. This is the kind of thing they will talk about when we meet for lunch. I realize, of course, that they are not on the verge of a genuine cure. But occasionally their research offers an important new insight. I sense that these researchers, in the story, had info at that level.

Otherwise, the reward would be more than $1,000.

I do think the university should do more to help researchers manage their data.

At best it would have info on how to possibly, vaguely minimise the suffering in some situations. Cancer is not something that one brilliant researcher can "cure" alone.

If I had a dollar for every lab computer I've seen whose desktop is full of a few dozen Excel files ("data1.xls", "data2.xls", "new data.xls", "jim new data.xls"...), I would never need to apply for another grant as long as I live.

(I'm not saying research is worthless. I'm saying that, on the whole, plink a random study and all the research behind done for it and the world won't be very different on the whole. The whole matters more than the parts.)

Still worth $1000 to get it back, for both the data and the career.

Family pictures, unpublished novel and a gigabyte of emails? Fine. But research data that only exists on one consumer-level machine? Work that was financed by her employer and various other organizations? Holy shit.

What if the IT department clearly outlined policies for how to store and secure the data? What if the researcher is one of those "This is how I have always done it, and I am ignoring you" types? Given the kinds of data claimed to be on the laptop, it sounds like a personal laptop, not a locked-down IT-given laptop. What if that was the researcher's choice, the intentional ignoring of IT policies in the name of convenience or whatever?

Either way, the article's message is good: back up your important data. Whoever is to blame, the core message obviously bears repeating.

We do not have an IT department (we have one or two post-doctoral researchers who keep a couple of servers running for undergraduates).

We do not have IT policies, outside of university-wide intellectual property rules.

There are only personal laptops (in the sense that even though my machine was bought for me, I have full control of it and there is no oversight of how the machine is used).

To the best of my knowledge, this is true of the rest of the university (possibly even worse in other departments).

For the people that say this should be an IT policy issue let me explain to you how academic people work.

Professors and researchers are KINGS and QUEENS. You CANNOT tell them what to do, nor can you force ANYTHING on them.

The only exception are the engineering professors for obvious reasons they have their shit together. Other faculty are just plain morons and think they can do everything on their own.

Professors and researchers get to buy and chose their own laptops, and they can do whatever they want. Unless they fall under the administration side, IT cannot tell them what to put on or do with the laptop.

Just to get off my chess I'll tell you one of many stories. A faculty member brought in his school paid laptop, and he obviously used it for personal reasons. This is his main work laptop with all his data (again we can't force them to follow our policy since they are not administration), so he has no backups or any antivirus scans.

His laptop had over 5000 viruses when I ran a virus scan. This is no joke, I have the screen shot somewhere. I refuse to clean and told him I will rebuild it. Which I did and put all this files back. I explain to him exactly what I did in an email, what he would lose (software etc) and he was okay with it, remember I have this in email. Only when he agreed did I go ahead with the rebuild.

He comes back and writes an email to the department chair that I had broke his laptop and had to rebuild it. Then I lost his software which he paid for and wants the school to pay for it back.

I almost kicked him in he face even if it got me fired. Luckily my boss stepped in and took care of it.

(2) the hardware could have failed just as easy as the laptop got stolen who would get the blame then?

(3) I don't buy the premise that there is 'cancer cure data' on this laptop to begin with until after it has been recovered they come out with a cure for cancer within measurable time.

(4) If the data is on the laptop it got on to the laptop somehow, either by doing experiments and recording the data or by copying it from some other medium, data does not exist in a vacuum as it's 'only copy'.

(5) $1,000 reward? really? that must be some crappy cure.

(6) What if the researcher 'lost' their laptop on purpose? That's a stretch, but with a claim this big I'd really like them to get to work on re-creating their miraculous results rather than cry over spilled milk, after all, recreating the results can't be nearly as much work as it was to do it all the first time. Assuming the experiments were real there should be a whole pile of knowledge that only needs to be verified rather than created from scratch so this is just a matter of time.

(7) I had a laptop with the design for a small and safe nuclear fusion reactor, unfortunately it got stolen...

What sickens me most about this whole thing is that the 'cure for cancer' gets trotted out again giving a whole pile of people hope that there is such a thing.

I've "worked with computers" since I was a teenager, but for a long time I didn't make backups even though I knew it was something I should have been doing. It wasn't until I actually had a hard drive crash on me that I got backup religion.

My employer though, uses source control rigorously and makes deployment and usage of those tools dead easy. We also have folder redirection possible if you wanted to make your "My Documents" folder available (and backed up automatically) on the network. There's SharePoint too, but sometimes it's a PITA.

My hypothesis is this: Given OU Medicine's student computer requirements [1], I'm betting that these researchers just didn't have the patience or knowledge in integrating a Mac into their Windows-centric network.

[1] http://www.oumedicine.com/body.cfm?id=954

How much data are we talking about here? <10 Gigabytes? Solutions like Dropbox are just so simple for data in that range that you'd be crazy not to use them.

I use dropbox to sync passwords and some docs from work/home. I'd like to use dropbox (or something like carbonite) to back up the rest, but frankly I'm too cheap/lazy to go through with it.

Of course, she knew about backing up, but who has the time to do it? After all, who wants to figure it out, install stuff, port stuff or even choose a service! Who has the time...

Such things really aren't a result of ignorance, but laziness. Yet again are we any different?

I am assuming that the University did provide a means of centralized backup, and she failed to avail herself of it. This is based on the assumption that it is more likely that one researcher screwed up, than that the entire University is woefully incompetent.

Also, note that you assumed that I meant "firing" when I said "disciplinary action." I was thinking more along the lines of a note in her file, and a stern talking-to.

About computer knowledge in biological research, though -- the state of things is generally abysmal. The average biology Ph.D. can use Excel to find means, SDs, and do t-tests, and that's about it. Even my boss, who specializes in bioinformatics, still uses VB6+MSAccess shudder. Most probably don't know that hard drives CAN fail.

Yet, researchers are fiercely independent and would definitely resist any heavy-handed mandates from campus IT forcing specific OSes or regular backups.

Not so interested in the punishment as the (possibly non-existant) deterrent effect such laws/prosecution would have. It's fucking ridiculous that in 2011 people are still not backing up their data.

We already have crazy easy backup solutions like mozy, carbonite, backblaze etc but the majority of people don't use them. What happens when the OS makers force you to back up?

And yes... it is totally the IT people's fault for not forcing backups on their users. Sorry but as an IT guy (I am one) it's your responsibility to make sure your users don't get into this kind of a situation!

I used to work in academia. Some of the academics I knew were extremely paranoid about anybody (including SysAdmins) accessing their research. They would go to great lengths to to keep their work away from the "prying eyes of the university" (a phrase someone used once). This meant not allowing any access to their personal desktops, laptops, etc. Admins worked around the personal desktop issue by refusing to help them with the inevitable problems unless they got access. But laptops were a different story.

If you buy a computer, safety of your data is seen as a luxury add-on, like leather seats.

It's crazy when you think about it.

To be honest, I think most people need backing data up scared into them (e.g., I nearly lost a college project due a HD failure, and now I have multiple redundant backups).