March 21, 2008
How Does Your Brain Work?
I ran across two stories today. It's rather odd how the world works at times. As if it was meant...
From Bruce Schneier we go
Inside the Twisted Mind of the Security Professional
Security requires a particular mindset. Security professionals -- at least the good ones -- see the world differently. They can't walk into a store without noticing how they might shoplift. They can't use a computer without wondering about the security vulnerabilities. They can't vote without trying to figure out how to vote twice. They just can't help it.
While my brain is not quite as devious as Mr. Schneier's, I can switch back and forth in my view of the world. I am able to walk into stores without checking out the various glaring security lapses... but if you ask me to think about it, I can most certainly jump directly into that mindset. I may not pick up quite as many vulnerabilities as he does (I am willing to concede I am not anywhere near him in terms of brilliance) but I bet I could find a goodly number.
As it is, I have gotten sighs of "geez, lighten up, you're worried about nothing" far too often in my life. I've always (even as a child) tried to have plans and backup plans and even double backup plans in case something fails.
It is definitely a mindset. It's one I find most people do not possess and they don't understand.
Which leads me to the big breaking news of today.
Contractors Fired Over Candidate Passport Breach Worked for Va. Firm
Hillary Clinton and John McCain were informed that their files were improperly accessed not long after Secretary of State Condoleezza Rice apologized to Obama for a similar incident. The two contractors were fired, and a third was disciplined, after his records were inappropriately accessed on three separate dates this year.
This is a failure of security in multiple areas. Of course we don't want anyone and everyone snooping around in our records. I can also see many people saying "well what's the big deal... so someone looks at passport records... so what?"
While I'm not in a huge panic (they aren't my records after all - how's that for cynicism) that the passport records of "the big three" have been compromised, I am concerned. The glaringly obvious point is that we have a security problem tied into the passport records of everyone, not just those running for President. I highly doubt, if someone snoops my records, I'm going to get a call of apology from Condi Rice.
Think about how you secure this. It's not as easy as you might think. All of the people caught were cleared to work with passport records. It's not like someone broke in from the outside. They had the ability to look at any record - the tacit assumption was "they will only look at the records they are supposed to look at".
McCormack said the Clinton breach occurred in summer 2007 during a training exercise in which employees were asked to search the electronic file by entering a name. While the employees were encouraged to enter family names, one employee entered Clinton’s name.
This was bound to happen. You have training going on and instead of using a training database, or ordering them to use specific names, they "saved money" by using the real database and counted on the people they were training to conduct themselves in a certain way. Why would they do that?
Because, in the same circumstances, the people doing the training would follow instructions and enter a family member's name. For any one of a number of reasons, it would never occur to them to enter the name of a celebrity or government official. Like most people in the world, they believe everyone thinks the same way they do and everyone will act the way they do. To a security person, this is a glaring affront to any type of logic or reason, yet it happens all the time.
The real questions we should be asking are the following: What about the passport information of people who are not high-profile enough to warrant a flag? What if one of these employees has an ax to grind with a relative or other acquaintance? All they have to do is find them in the database and voila! They can get all their information in one fell swoop. What if they have an unknown affiliation with "bad guys"? How easy is it for the "bad guys" to get them to tap into certain records and pick up or even change information?
Perhaps it would be a good idea to go over the types of data classifications.
- unclassified
- sensitive but unclassified
- confidential
- secret
- top secret
Once again - what are the checks in place to keep this from happening to regular everyday citizens? I'm going to take a wild guess and say that there are none. I might be wrong about that - but this one little sentence tells me there is no protection for any American who is not considered important:
McCormack said the Obama violations were detected by internal State Department computer checks, which flag certain records of high-profile people when someone tries to access the records improperly.
You will note the term high-profile. I'm not even sure what they mean by that.
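To make the gap concrete, here is an added example (not code from the post or from the State Department) that runs two audit policies over a few constructed access-log events: the "flag high-profile records only" check the article describes, and a need-to-know check that requires every lookup, on anyone's record, to cite an open case assigned to that user. All user names, record names and case ids are constructed for the example.

```python
"""Contrast two audit policies over a constructed passport-lookup log.

Added example, not part of the original post. Every name, record and
case id below is made up for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AccessEvent:
    user: str                  # employee who performed the lookup
    record: str                # passport holder whose record was opened
    case_id: Optional[str]     # work item cited for the lookup, None if absent


# Constructed sample data -------------------------------------------------
# Records that the flag-only policy watches.
HIGH_PROFILE = {"candidate-a", "candidate-b"}

# Open cases: case id -> (assigned user, record that case authorizes).
OPEN_CASES: Dict[str, Tuple[str, str]] = {
    "C-100": ("alice", "citizen-1"),
    "C-101": ("bob", "citizen-2"),
}

# A few constructed log events, including the training-style browsing the
# article describes and an ordinary citizen being looked up with no case.
EVENTS: List[AccessEvent] = [
    AccessEvent("alice", "citizen-1", "C-100"),   # legitimate, matches case
    AccessEvent("bob", "candidate-a", None),      # snooping on a flagged record
    AccessEvent("alice", "citizen-3", None),      # snooping on an ordinary record
    AccessEvent("bob", "citizen-1", "C-100"),     # cites a case assigned to alice
]


def flag_high_profile_only(events: List[AccessEvent]) -> List[AccessEvent]:
    """Policy from the article: alert only when a high-profile record is
    opened without a justifying case. Ordinary citizens are never covered."""
    return [e for e in events if e.record in HIGH_PROFILE and e.case_id is None]


def flag_need_to_know(events: List[AccessEvent],
                      open_cases: Dict[str, Tuple[str, str]] = OPEN_CASES
                      ) -> List[AccessEvent]:
    """Need-to-know policy: every lookup must cite an open case that is
    assigned to this user AND authorizes this exact record. Anything else
    is flagged, regardless of whose record it is."""
    flagged = []
    for e in events:
        authorized = open_cases.get(e.case_id) if e.case_id else None
        if authorized != (e.user, e.record):
            flagged.append(e)
    return flagged


def audit_summary(events: List[AccessEvent]) -> Dict[str, int]:
    """Count what each policy would have surfaced for the same log."""
    return {
        "high_profile_only": len(flag_high_profile_only(events)),
        "need_to_know": len(flag_need_to_know(events)),
    }


if __name__ == "__main__":
    for name, fn in (("high-profile-only", flag_high_profile_only),
                     ("need-to-know", flag_need_to_know)):
        print(f"{name}:")
        for e in fn(EVENTS):
            print(f"  {e.user} opened {e.record} (case={e.case_id})")
```

On the constructed log the high-profile-only check surfaces one event (the candidate lookup) and stays silent on the ordinary citizen and on the employee reusing a colleague's case number; the need-to-know check surfaces all three. The design point is that the alert condition is keyed on the user's assigned work, not on who the record belongs to, so it costs nothing extra to cover every record once the case assignment is logged alongside the lookup.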
Of course there is a security report card on government computer security... it comes out every year. Every year the "grades" are terrible. Every year nothing happens. We shouldn't be surprised about any security breach. We should be surprised it's not seen more often!
I fully expect there will be hearings with indignant Senators hogging microphones and getting inches of newsprint (not to mention television air time). I also fully expect NOTHING will change. Because there is no change in mindset.
This is a flash-in-the-pan outrage - tailor-made for television, blogs, and guaranteed to get sympathy for Presidential candidates. That's all it will ever be. And next year this will all be forgotten. Your records will remain just as safe as they are now.
Doesn't that give you a nice warm squishy feeling?
Posted by: Teresa in WebTech at 08:13 PM | Comments (6)
1
I totally have the mindset you have.
Posted by: dogette at March 22, 2008 06:50 AM (q/UVc)
Posted by: Cappy at March 22, 2008 07:40 PM (ePH5d)
3
Have a Happy Easter!
Posted by: Americaneocon at March 22, 2008 08:58 PM (QZUiU)
Posted by: Teresa at March 23, 2008 01:39 PM (rVIv9)
5
"You will note the term high-profile. I'm not even sure what they mean by that."
High-profile == "Politicians, bureaucrats, and celebrities, all far more important than you, peon! Now shut up and pay your taxes." ;-)
Posted by: Old Grouch at March 24, 2008 09:57 AM (ILBHh)
6
Old Grouch... ROFLMAO - of course! Why didn't I think of that... writing my check now.
Posted by: Teresa at March 24, 2008 10:16 AM (rVIv9)
Powered by Minx 1.1.4-pink.