Comment by jacquesm
8 years ago
This is a really nice bit from TFA:
"FBI special agent Justin Garrick told a federal court that Winner – a cross-fit fan who graduated high school in 2011 and was in the US Air Force apparently as a linguist – confessed to reading and printing out the document, despite having no permission to do so."
So, she joined the company 3 months prior, and it was 'permission' rather than enforced access rights that they relied on for new trainees not to color outside of the lines.
It's not about 'permission', it is all about 'capabilities'.
It's the same with the NSA's excuse.. "Yes we gather Americans' communications, but there are rules against agents listening to that!".
Or Facebook apps, "Yes apps can see your name, dob, email and your friends list, but they are not allowed to abuse this information"... Thanks, I feel secure now.
You feeling secure now, that must be Security as a Service, I guess?
People could break your door and rob but don't. Punishment and deterrence work in real life.
They work sometimes, sometimes people do rob you. That's still a thing that happens. So I lock my door to deter thieves, and buy insurance so that if I do get robbed I'm not doomed.
The NSA's statements aren't "we've lowered risk to an acceptable level, and put in safeguards for when leaks inevitably occur". They're "we're the only ones using this data, so there's no problem". That's provably false several times over.
To continue the metaphor, they didn't buy insurance because they trusted their home security so highly, and lately it's starting to look like they also forgot to lock the door.
Physical security metaphors are irrelevant to the Internet because there is no physical equivalent to issuing one command that will simultaneously try to break into every door in the United States and report back to you the ones it succeeds with. That is just one example of a relevant difference that prevents physical metaphors from working. I could come up with half-a-dozen more without hardly trying, but one is adequate.
Well, you did start with the assumption the door would be locked. If you left it open that would be the rough equivalent of what happened here.
You find that level of permission quite common across many different employers. Until employers (government or otherwise) treat security properly there will always be means to circumvent security in name only.
Great point and a dose of reality for admins out there.