Employees Are The Biggest Security Threat
blankmange writes "BBC News is reporting that the employees of a company pose the biggest threat to security. "Digital cameras, MP3 players and handheld computers could be the tools that disgruntled UK employees use to sabotage computer systems or steal vital data, warn security experts. The removable memory cards inside the devices could be used to bring in software that looks for vulnerabilities on a company's internal network. The innocent-looking devices could also be used to smuggle out confidential or sensitive information." Unfortunately, this is not news, but it is amazing how slowly the general public, corporations included, comes around on issues like these. "
What's next on slashdot? Stores must be vigilant because it has just been proved that a big proportion of theft is committed by employees?
You could just bring a floppy/cd with you - if the company's security is already so tight that you forbid those, the fact that you can use stuff like digital cameras, mp3 players or usb keyrings to bring in data shouldn't come as a surprise.
Resistance is not futile - www.gnu.org
If ".. this is not news, but it is amazing how slowly the general public, corporations included, comes around on issues like these", then why was it posted?
Thanks in advance.
420 Lewis !
I've had 10 times more computer problems with users trying to install their own software than any virus.
Plus when someone is about to be fired they try to e-mail 500 megs of files to their 10 meg home account. E-mail Bounce of Death anyone?
You say things that offend me and I can deal with it. Can you?
oh NO. better take my PEN and PAPER so i don't smuggle out sensitive information!! oh no! pens
if we outlaw paper, only outlaws will have paper
what stupid fud.
p.s.:FIRST POST!!
Yes, sounds stupid, but I would find it to be a better idea than to implement some kind of 1984/Fahrenheit 451 security "utopia". It should also help the company's success in the future. Happy people work better and don't try to screw you over (in the bad sense that is).
Ultimately it is employers who set the tone for a company. Employees' actions are (in part) a reflection of how they are treated by employers.
call the BSA hotline.
Like I said in one of my previous posts on the subject (that I cannot find now for the life of me!), the company that I work for is already very wary of its data and the "toys" people bring into the office. And now thanks to those keychain-sized USB drives, every guest has his keychain checked before he enters, and has to empty his pockets. Of course, you could still sneak one in, anything is possible as we aren't going to be implementing strip searches anytime soon. ;)
In the meantime, we keep all the sensitive data as locked down as possible, and hope for the best. I suppose in the end it is just part of human nature; even the most honest, trustworthy of people will steal from you if given the right motivation. Caring managers and a good working environment go a long way to prevent theft (and general unhappiness/turnover!), perhaps even more so than good security personnel.
Sig: What Happened To The Censorware Project (censorware.org)
Unfortunately, this is not news, but it is amazing how slowly the general public, corporations included, comes around on issues like these.
Employees could bring in matches and burn the building down too. You need to have employees you can trust. Sometimes you will get it wrong and one of them will betray you.
People who have access to your premises or systems could misuse that access.
Nothing new here, so what issues are people slowly coming around on?
I just thought of something, if a person wanted to KILL a whole bunch of people...they probably could. DUH!!
This is some serious social breakdown we're seeing here. I remember the days when you would get hired by a company, and then not only would your employer actually give a fuck about you...they would assume that you were on their side by default. Maybe this should tell us something about the mindset of modern management. They hate us...they naturally assume that we hate them. Gattaca here we come.
It's much easier to bring in a floppy or LS-120 disk, we even have several CD burners around here... no one can install any new hardware on any of the PCs...
--fetch daddy's blue fright wig, i must be handsome when i release my rage
Every PC in this office has a CD-RW in it. If I wanted to grab the source code for a particular product and take it home there would be no problem doing so.
They used to have a network drive that had several application on it so the sys admins could just mount the drive and install from there. If somebody wanted to copy those apps to a CD and take them home, that would have been easy too.
Why bother transferring your l33t r00tk1t James Bond style on an MP3 player, when you could just FTP an encrypted package from the Internet? Or is it really the case that someone clever enough to use their MP3 player to do this would be stupid enough to leave a non-anonymous FTP download of r00tk1t.tgz in the logs?
Ne mæg werig mod wyrde wiðstondan, ne se hreo hyge helpe gefremman.
Reading the article I went "duh." But why are these "non-conventional" things getting blamed? How is this more dangerous than bringing in a floppy disk or a "music" cd with a data track on it?
This bit of lucidity brought to you by..something!
As Hemos said, this really isn't news.
The government (especially the military) has been worried about this for some time. Pretty much since the first portable computer with a serial port came out.
It's amazing how slow the corporations are when it comes to realizing the security issues of portable computers (PDAs, laptops). It's like they expect all the people they hire to toe the line and not do anything dastardly after the company fscks them.
If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
Oh yes, we should definitely come around on issues where the 'biggest threat' is from the people with the 'inside track'. There's no better way to raise a generation of folks free from the confines of ethics and responsibility .. where anything that they can do technically and physically must be AOK, or else it would be impossible to do it.
You really have to be kidding me here. If your employees are truly taking their time to use their mp3 players to screw your business, you have more pressing concerns than the 'vulnerability' of the systems from the people who built them.
I suppose since most premeditated murders happen between people who know each other, we'd better wake up and start hiring personal bodyguards to protect us from our loved ones too!
"Old man yells at systemd"
Isn't this a reason for corporations to be using Linux?
Microsoft has loaded up their system with so many features that it's almost impossible to stop someone finding a backdoor way in. While you can pretty much tie up a M$ system, it's not easy to do and you will probably be patching it till the cows come home. Surely better to have *nix systems which can really lock down the user to the required tasks? Particularly with regard to things like file accesses and so on? I still think that there is a huge potential here for *nix OSes - anything to do with security generally leaves M$ smelling less than rosy.
My 2c worth,
Michael
There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
If you're really worried about corporate security, that kind of stuff is a real risk. It's not even the employees who are doing it, it's just the fact that there is a channel that data is flowing on in and out of the company that isn't protected and not subject to it. Once that exists, it's just a matter of someone hijacking it to use it for their own plans.
Another cause is common stupidity / ignorance. My wife works in a bank. Last year this bank interrogated two employees regarding theft of quite a large sum of money. It turned out to be one of their colleagues, who used their terminals to make a few transactions. Those two wrongfully accused employees had a habit of not logging out or locking their terminal when leaving the desk. Cases like this make you wonder how often this happens in other companies.
I have been, for the last 7 years, in a position of trust. I have earned that trust. I have never "screwed" any of my former employers even though I am generally so rooted into their systems that removing any and all access can be nearly impossible. BUT I wouldn't ever screw anyone over and they know it. I am the biggest potential hazard to any company I work for. I once had a company take out a 250,000 insurance policy on me for the company; it was matched by a personal policy of the same amount. They figured that was about what they would lose in 1-3 months following an early demise on my part.
My (ex-wife's) Uncle was a VP of a F-250 in HR. He had been out of work almost a year when he got the job and was only there 2 years. He quit; we all thought him quite mad. He was going to start a company specifically for consulting on HR risk management, with an IT slant: all the major companies putting these 200 million dollar implementations of ERPs in place made for a lot of problems if a $6 an hour lackey ordered 10000 of something by accident and didn't catch it, and the real-time nature of the transactions throughout the company from purchasing to production to HR makes for a lot of fear on the corporate side. Fear SELLS, simply put. He is now about 40 and worth well over 5 million; 7 years ago he couldn't pay his mortgage. All money made on the fears, and (solutions) to fear based on employee liability.
The company is made by employees, it can be broken by the employees, very simple........
Sig went tro...aahemmm.....fishing........
"I don't think its a coincidence that most employee sabotage is done by employees." - Scott Adams
-- Probability does not dismiss possibility --
It would be very simple to burn CDs and Fedex them out. A lot of companies have Fedex boxes on-site.
Companies will have a tough time protecting themselves from disgruntled employees, especially now in 'paper-less' environments where information is more so in digital formats.
It's the employees themselves. It really doesn't matter if you use copy.com or cp to steal corporate data, does it?
The innocent-looking devices could also be used to smuggle out confidential or sensitive information
Do the sexy new Powerbooks qualify as innocent-looking devices ? :)
I've been working at my current place of employment for 3 years. It wasn't until we just switched over to a new collections/order entry system (which btw, runs on Linux) that anyone became concerned about preventing unwanted access. Of course, the older system was based on DOS (eech!) and so security is/was not a consideration.
Of course, and I highly suspect it, I may be talking out of my ass. -oqti
The basic principle here is ; trust.
You also trust your employees not to burn down the office, but you are still allowing them to use matches. How is that different?
Simply put, it's very hard to keep something secure when a person's well-being is threatened. If someone held me up at an ATM, building entrance, anything with password access, you'd bet I'd most likely give up the information to survive.
It's interesting to note that the article mostly focuses on malicious intent on the part of employee. That's not surprising, but far more surprising are the holes left by the everyday user. Take a look around the non-development areas of your company. How many have passwords on post-its? How much good will a secure network do if the front door to the building isn't locked down just as tight?
For this reason most companies have a BOFH. But he could be dangerous too!? Oh hell, why not replace all humans by unintelligent computers ... uh-uh
Life sucks.
These companies should ask the RIAA for advice. They're very talented at stopping people from moving/copying data without permission.
...before giving-up your badge, just grab the hard-drive and run as fast as you can !
I think companies (the one I work for included) spend more time & money trying to weed out certain computer abuses by purchasing hardware and software to "police" employees than it would be to just fire them. No matter what sites and protocols we try to block to save our bandwidth the lowlifes will always find something new to avoid doing their job. Policing employees has become a full time job. The worst offenders are the tools like AIM and Real Player, that crap can bring the network to its knees.
If your security is as lax as my company's, the article is easy to believe. I work on PCs in my department while the company itself handles thousands of consumer electronic components listed above per day. Sure, you go through a metal detector and the guard wands you, but I swear I could sneak out with a full desktop stashed in my pants and still get away with it. It's for show. Then when they actually find something missing, security gets intense for about a month with people removing everything from their pockets, jackets, etc. After a month, it goes back to being business as usual. If these other companies are as irresponsible as mine, I could easily see the trend. Hmf. Must be desperate for when this post makes for slashdot news but the cool planetary alignment doesn't? Mod me down, bay-bay!
And for cryin' out loud, You with anal ascii pic, grow up. How many sites do you visit with that pic anyway? "hehe! Hehe! *snort* It's the highlight of my day! *snort* hehe!" Get a life.
You need a FREE iPod Nano
That's why you have to authorize yourself before accessing files and network. And you must sign an NDA before getting any sensitive information.
I looked at that, and had to laugh. I'm just waiting for someone to complain about the data carrying capability of my CD/MP3 player when I am expected to take my laptop with a 30 Gig hard drive home each night.
Are they going to ban CDs too?
I know that employees are the biggest security risks, but there has to be some sort of diminishing return in this. Besides, locking down your network on both the internal and external side is work that can't be avoided or established through policy.
I thought that is why we have e-mail, "hum, I want to work with that at home, I'll just e-mail it to myself."
or worse... what happens when someone realizes that instead of a 500 dollar mp3 player... they can use a 5 cent floppy disk! Lord no! we must eliminate such things.
Help Brendan pay off his student loans
That was ontopic and funny. Or is there some automatic mod down of any goatse link?
Idiots
The removable memory cards inside the devices could be used to bring in software that looks for vulnerabilities on a company's internal network. The innocent-looking devices could also be used to smuggle out confidential or sensitive information.
... and we're soon expecting the FBI to realize too that even floppy disks can be used for similar purposes.
Even innocent looking floppy disks (i.e. the kind that doesn't have "Warning, contains Virus and/or other malicious code!" printed on it) may soon be considered a threat to the company security.
1 Earth is warming, 2 It's us, 3 it's royally bad, 4 we need to take action NOW
When CD-R disks are so much more abundant/convenient?
--
Repeal me, NOW!!!
Thank you.
If people consider PDAs, MP3 players, and digital cameras a security threat as a channel for bringing data in and/or out of a company, just wait for the next generation cell phones/PDAs. When you have a 3G/GPRS/GPS/Bluetooth/802.11/IrDA/Ethernet/USB/Firewire/etc. capable personal phone, would employers let you bring it into work? Even if you had no hostile intentions yourself, your phone might be compromised by a trojan or virus that might attempt to spread from your phone into the corporate network over whatever communications medium is available.
With the wireless connectivity becoming so common, network security is losing its "air gap".
It might be noted that the IP Rights protection software might end up being a problem for Open Source software acceptance in the market and work place. Not necessarily due to (most) corporations really concerning themselves about people copying music, but with employees copying confidential files to unsecured devices.
An operating system/networking system that provided built-in guards for transferring confidential/private data from secured/official devices to unsecured/private devices might have a lot more appeal to a corporation than one that has no protections against random file copying.
(Given that we are reaching the point where we have more memory and CPU power in computers than we know what to do with, I would be highly interested in seeing more OS development that allows for (security) meta-data to be associated with areas of memory as far as the permissions/state of that memory goes. It would be really nice to see a system where, say, image data loaded from a website might be marked in the OS as "image (jpeg) from foo.bar.com -- unauthenticated, non-executable", so that if some thing else tried to trigger the CPU to jump to that area of memory and execute it, the OS would reject the attempt. This is going to be more important with Bluetooth/ad-hoc connectivity, 'media' which are almost programs in themselves (Flash, Java, JavaScript, etc.) -- simply turning off all support for 'dangerous' media may not be practical if their use becomes wide-spread. This sort of internal OS meta-data system would have a high overhead, of course. And yes, the side effect is that it makes IPR-type enforcement much more possible, but the security issues may start pushing systems development in that direction. Free software folks should think about this one -- it would be highly ironic if by implementing IPR management software in Windows, Microsoft then stepped up and managed to make an OS with a superior internal security model based on extending the IPR system to manage internal data/executable security. Better start looking for quad Athlon servers...)
for instance, where i work, they've decided to block any web-based email (through a fairly thick piece of software, which just blocks any site with sendmail includes). This makes some sense, because you really can't trust people, no matter how many times you tell them, not to open attachments... they can't filter through each of these sites which bypass the main email systems..
however... here's the absurd part... they still seem to allow rampant use of peer-to-peer connections. People use AIM all the time... as if this were secure! And security argues that it serves a "business need." ahem.
I can't believe it's not lard!
So that's the problem! That's it, I'm getting rid of all my employees!! In today's day and age, how can any company risk having autonomous entities of unknown motivation and capability wandering around?!? touching the company's stuff?!!? accessing the company's data?!!!? looking at things?!!!!? Ahhckg!!! Fire them all!!!!!
"I don't know half of you half as well as I should like, and I like less than half of you half as well as you deserve."
I visited a large Asian electronics manufacturer last year. When entering the facility, they inspected every piece of electronics I entered with. Cameras (both film and digital) had to be left at the desk. Laptops had their memory slots and peripheral slots covered with company-issued security tape to be sure I didn't add or remove anything. CDs, tapes, and other recording media were not permitted in the building. When leaving, my bags were X-rayed to be sure I wasn't taking anything forbidden out.
Yeah.. well even before we had things like palm pilots or digital cameras or *gasp* the macintosh piratier (er I mean MP3 player).. there was e-mail. All you really need is e-mail at work.. and e-mail at home.. and a cable modem (or dial-up if you're patient). But for those really big documents there's always FTP.. FTP up and then FTP down.
Many companies leave their "usual" security too simple anyway. Take the financial trading company I work for as an example (name and url left out intentionally). Sometimes a 50k jpg or mpg attached to an e-mail coming into the intranet through our firewall is moved into a "safe zone" where the employee gets notified he/she must call the help desk to request it. Other times the jpg's and mpg's of any size come through fine while only exe's and vbs's (VB Scripts) are blocked. However, all outgoing attachments are allowed, with the understanding that they're monitored. But since I know they're using Outlook and Lotus Notes on Windows to monitor, I can rename a zip file of data to .mpg, comment on the funny joke I pretend is inside, and send corporate info into or out of our intranet.
Another brilliant common hole (at least in financial companies): block ports 21 and most others through the firewall so employees won't ftp files to or from their workstations over the intranet. Of course no employee is smart enough to configure their ftp client to use port 80.
Companies are getting scared of the latest techie gadgets, but so often don't even take care of what should be obvious to any educated IT security employee.
Developers: We can use your help.
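The post above describes a filter that trusts the attachment's extension, so a zip renamed to .mpg passes. The following is an added example (not code from the poster or their company) that sniffs the leading bytes instead and holds unrecognised content the way the post's "safe zone" does; the signature table, extension map and sample files are constructed for the demo.

```python
import io
import zipfile

# Constructed signature table: a few well-known magic numbers, not exhaustive.
SIGNATURES = [
    (b"PK\x03\x04", "zip"),
    (b"MZ", "exe"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x00\x00\x01\xba", "mpeg"),
    (b"\x00\x00\x01\xb3", "mpeg"),
    (b"%PDF-", "pdf"),
]

# Which sniffed content type each claimed extension is allowed to carry.
EXT_TO_TYPE = {
    "zip": "zip", "exe": "exe", "jpg": "jpeg", "jpeg": "jpeg",
    "mpg": "mpeg", "mpeg": "mpeg", "pdf": "pdf",
}

# Content never allowed through regardless of the file name (the post's exe/vbs rule).
BLOCKED_TYPES = {"exe"}
BLOCKED_INNER_EXTS = {"exe", "vbs"}


def sniff(data: bytes) -> str:
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def zip_members(data: bytes) -> list:
    """Member names inside a zip; empty list if the archive cannot be read."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def check_attachment(filename: str, data: bytes) -> dict:
    """Decide on one attachment from its name and its bytes.

    Returns {'verdict': 'allow'|'block'|'quarantine', 'sniffed': str, 'reason': str}.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    sniffed = sniff(data)
    # 1. Executable content is blocked whatever the name claims.
    if sniffed in BLOCKED_TYPES:
        return {"verdict": "block", "sniffed": sniffed,
                "reason": f"content is {sniffed}, which is never allowed"}
    # 2. A known extension whose bytes say something else is the renamed-zip trick.
    expected = EXT_TO_TYPE.get(ext)
    if expected is not None and sniffed not in (expected, "unknown"):
        return {"verdict": "block", "sniffed": sniffed,
                "reason": f"extension .{ext} claims {expected} but content is {sniffed}"}
    # 3. Genuine archives are opened and their member names checked too.
    if sniffed == "zip":
        bad = [n for n in zip_members(data)
               if n.lower().rsplit(".", 1)[-1] in BLOCKED_INNER_EXTS]
        if bad:
            return {"verdict": "block", "sniffed": sniffed,
                    "reason": f"archive contains {bad}"}
    # 4. Anything the table does not recognise is held for the help desk.
    if sniffed == "unknown":
        return {"verdict": "quarantine", "sniffed": sniffed,
                "reason": "unrecognised content; hold in safe zone for review"}
    return {"verdict": "allow", "sniffed": sniffed, "reason": "name and content agree"}


def make_sample_zip(names) -> bytes:
    """Constructed sample archive used by the demo below (and by tests)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed sample data")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("funny_joke.mpg", make_sample_zip(["q3_forecast.xls"])),  # zip renamed to .mpg
        ("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),         # genuine JPEG header
        ("setup.doc", b"MZ\x90\x00" + b"\x00" * 16),                 # exe with a .doc name
        ("tools.zip", make_sample_zip(["readme.txt", "run.exe"])),   # archive hiding an exe
    ]
    for name, blob in samples:
        print(name, check_attachment(name, blob))
```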
Little chance of this being modded up, I know, but I have to post as AC 'cos wires have ears...
And my favourite horror-story... the alpha-geek (before I arrived) at a VERY large, household name, SECURITY SOFTWARE VENDOR (and if anywhere should be clueful, you'd think it would be security software vendors, right?) -- I was ranting to him that I'd worked at a web development house with 35 employees that had better security than $major_vendor{$site}; dear lord, we didn't even use ssh - we used NetBIOS shares and ftp, EVERYWHERE! including machines used to post software updates to the web... his response? "We don't need ssh. We're on an internal LAN."
True story, I swear it. And I bet a number of you reading this are running this vendor's software.
There are much easier ways to bring information and programs in and out than using flash cards and MP3 players.. This article is just nonsense..
-- -- Warning. Do not stare directly at the sun.
Big Corporate Manager: "Goodness, it says here that our biggest security threat is our employees! Well, I suggest that in order to keep them under control, we should institute a set of draconian rules on their behavior and treat them with the utmost resentment possible! Also, take this down, we should constantly address them like they are a liability instead of an asset."
Big Corporate Lackey: "We already do that, sir!"
Big Corporate Manager: "Damn, that was a close one! I thought for a moment there we had a security breach on our hands. Good work. Let's go play some golf."
Big Corporate Lackey: "I'll get the clubs, sir!"
I've been receiving spam at work and found all employees' internal email addresses are on web pages at our site. I notified management and after some poo-pooing about tempest in a teapot, nothing has been done. Another ludicrous spam arrived this morning and I'm just counting the days until we have a worm attached and working its way through our server (yeah, they went with that company's 'solution', moo.)
A feeling of having made the same mistake before: Deja Foobar
I usually find management and owners are the biggest threat to security, not employees. At least not the tech ones.
There's some things money can't buy, for the rest; raid the retirement fund.
Duh.
And here I thought the biggest security threat to companies was running Windows.
We had a SW Architect who was really anything but. He WAS a great salesman and was able to BS his way out of trouble for ~2 years before they tossed his butt out. When he left, I had been there for ~6 months. In that time, he had burned roughly 150 CDs, he said for backup of our project (our TOTAL source was less than 2 floppies). He also password protected all of his PCs (forcing us to remove the BIOS battery).
Further, on the server, about 7GB of a 13GB HDD was of a format not recognized by the Mandrake installer. The only thing I could think of was that it was encrypted. Who knows what data was taken or what was on that partition. We reported what we saw and re-formatted...
Add another 4 months. They fired this guy but didn't revoke his user/pass. So he manages to find a server with telnet exposed to the internet and "hack in" (using his still working user/pass). He then proceeds to go to every server he can find and rm -rf on every directory where he has access. They ended up rebuilding 3 Sun boxes.
No charges in either case.
Computer Science is Applied Philosophy
This is the same debate that rages on over MP3's, video games, guns, etc. Is the video game to blame for violence, or is the player's lack of self control to blame when he/she goes postal? Is it the software that allows CD's to be converted to MP3's to blame, or the person who posted them to the internet illegally? IMHO, it is always the person who should be held responsible, not the hardware/software or its designers. Alfred Nobel created dynamite to help miners, not to hurt people, and when his invention was used for harm rather than good, people blamed him. Just my $0.02
today is spelling optional day.
The "biggest threat to security" is almost always the folks working in the Security Department. This has been the case for more than 50 years.
There could be a good research paper here. Is it because these folks have too much idle time on their hands? Is it because the line of work keeps them focusing on negative activities? Is it because they are exposed to the company's weaknesses and become tempted by them? Is it because this line of work attracts thieves? Is it because companies use the 'it takes a thief to catch a thief' philosophy? Do 'Heads of Security' purposely hire thieves to keep levels of theft up, so as to justify bigger budgets? Outsourcing 'Security' does not solve the problem, it just makes it into someone else's profit center.
My father tells the story of a guy working at an auto assembly plant who took home an entire car -- piece by piece!
This 'article' is not News. Look at its source. It's a marketing piece. Slashdot fell for someone's FUD marketing. I know it's Monday morning, but still...
paa gaa bug chinese plane doo....
The way an employee acts, in many cases, is a direct reflection of how you're treated by your employer.
In my last (regrettable) job, everyone was treated as an enemy (unless you were related to the boss, but let's not go there). The way people were scrutinized and monitored was ridiculous. Even those of us who'd been there for a while, and had proven ourselves 'loyal' were given this scrutiny. It ended up creating an environment where resentment and suspicion made one feel they were under siege. That atmosphere fostered more employee dishonesty than anywhere I've worked before or since. I still remember the
Of course, the places I worked before and after treated people with a 'we'll trust you until you do something to destroy that trust' mentality, which I'm finding is rarer and rarer these days. But you know what? The crew at the place I'm at now is completely loyal, the turnover is practically nil, and the job satisfaction surveys are at about 90%. Compare that to my last job...
In summary, do unto others yadda yadda... if you treat your employees like criminals from day one, they won't disappoint you.
Moral indignation is jealousy with a halo - H. G. Wells
The Security team and the IT department are a bunch of bungling boobs.
If you have your NT boxes (assuming you are a Windows shop, you have NT or one of the NT variants.. 2000 and XP are NT no matter what Microsoft says.. if you have 98 then please slap a giant L on your forehead)
and you don't have them locked down so that only members of the administrator group can add hardware (USB smartmedia/cf/memorystick/whatever reader) then you deserve having your employees trash your systems and network. Mp3's and digital cameras are not a threat at my facility except for taking photos of sensitive materials.. of which they don't have access to even see. The bigger threat is a CD with the offending software on it (yes, I have the CD drives locked down, and no floppy drives are installed), or just emailing themselves the hackerware.
So what do you do? Well, everyone has a simple Linux box running a network intrusion detection system, right? A simple Linux box with multiple network cards and Demarc PureSecure.
Heck, it even catches viruses coming in through the router from corporate..
If your IS/IT personnel have no skills in security.. it's time to train them or hire a security person. Any company that runs without a full-time IT/IS person..... I shudder to think about the quality of the system, let alone how secure it is.
Do not look at laser with remaining good eye.
Take away their incentive to cheat and steal and they won't.
Sounds simple but somehow everyone misses the obvious. Sure you could ban all forms of toys and otherwise fun. Sure you could declare martial law. Sure you can make it a living hell to work there.
Or you can just be fair to your employees, be honest and above all treat them like people not assets.
I mean if I were making $20/h at a job where I was doing something useful and was comfortable I wouldn't go out and start stealing. Why ruin a good thing?
Sure you're always gonna have those few who are never happy but the problems they discuss wouldn't be so widespread if management stopped lying to their employees [cough cough Nortel Networks...]
Tom
Someday, I'll have a real sig.
What's interesting about this is how different it is from the world of physical security. Consider a bank, for example. In that case, it's nearly impossible for employees to do any damage, and very easy to cover what limited exposure there is.
I saw a good talk by Dr. Richard Walton, the director of the Communications Electronics Security Group.
To paraphrase, he said, "Currently we know that about 80% of threats come from inside. But no one ever asks what the desirable value for this number should be. I propose that it should be 100%." He said we should trust insiders rather than outsiders, and trust people rather than machines. Or again paraphrasing, he said that we can trust machines to correctly do whatever they are told, unfortunately machines can't distinguish whether a set of instructions are "good" or "bad", whereas most of the time, most of the people inside your organization will do the right thing.
I suppose this is just another attempt by clueless Pointy Haired Bosses (PHB) to undermine the advance of the (more?) technically literate upstarts and protect the PHB's base of power.
" Screw the cause, blame that thingie-ma-jiggy. "
I figured out early on that not only can you get pictures out of digital cameras, you can put them in as well. I grabbed his memory stick, put it in my memory stick reader, and downloaded some juicy pr0n and mixed it in with the photos.
He had a very hard time explaining where the photos came from.
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
I've advised many people that if they want to improve computer security they should put a good grievance procedure in place.
Then they immediately ask me for penetration testing.
MP3 players and handheld computers could be the tools that disgruntled UK employees use to sabotage computer systems or steal vital data, warn security experts.
;-P
mp3 players? are they afraid employees will steal this vital data?
(i was clued into this awful reality by this story.)
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Here is a link to the original report on which the article is based. I'd like to point out that the report actually states that the percentage of "worst incidents" caused by insider attacks has gone down, starting on page 11 of the document.
Looks like this is it: http://mywebpages.comcast.net/jeffreyschwartz/The%20Consultant.htm
Just how exactly does it improve the security of your systems to punish employees for exposing flaws? This guarantees that the only people scanning for vulnerabilities are outsiders and insiders with evil intent. Give scanning tools to employees and offer to pay them a bonus for reporting problems!
There is so much wrongheaded thinking out there, it is no wonder to me that security problems remain so numerous.
Companies and government agencies have found that people with sufficient I.Q. are a threat to security. People with significant intelligence can often circumvent security measures installed by large agencies and are therefore circumvention devices and considered illegal through the DMCA.
Preliminary testing will be started in the second half of this year with disposal of the offending intellects beginning early next year.
Yes, that's the one - he also posts to misc.survivalism
-- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
Studies also indicate that most computer-related difficulties are caused by people actually using the machines. If the boxes sat alone in an isolated room, disconnected from the network, and just ran quietly the way God intended, virtually all crashes, data theft, and viral infections could be averted.
But no, companies insist on not only having employees, but letting them come in and paw at the computers every day. No wonder there are problems!
[sarcasm off]
What was that BSA hotline number again?
;)
Recently, scientists discovered that an astonishing number of the dead had lived at some time before their demise.
Prof. Harald Dumpfbacke Radab claims that by removing all living people from society, death could be reduced by up to 99.8%!
We suffer more in our imagination than in reality. - Seneca
Ever heard of information wants to be free?
I work for a fairly large company. (Aren't going to specify because I'd like to not get fired.)
;)
Anyways, they've got a proxy where they supposedly monitor and also prevent certain sites.
However, the proxy only works on ports 21, 80, and the standard proxy port (8080?), but you get unfiltered access to all other ports (no inbound connections however, so only passive-mode FTP).
Anyways, so what I ended up doing was:
telnetted into my box at home, installed a proxy, set it up to use an odd port, and voilà. Along with that I installed Cygwin, ssh into my machine, and use my machine as if I were there.
A lot of people seem to be posting comments that amount to "well, duh!" in response to this, but I think there are some interesting tidbits. Specifically the observation that "48% of large companies blame their worst security incident on employees" but "75% of those questioned named external hackers and criminals as the biggest threat to security." The BBC article doesn't seem to want to extrapolate on the reason for this, but I'm willing...
Companies like labelling the nefarious and elusive "black hat" as the primary risk because it makes it incredibly easy for them to say "There's nothing we can do!" or, perhaps in more cases, "We're doing everything we can!" This is roughly equivalent to a heroin addict telling someone that they've done everything in their power to avoid being gunned down in cold blood by their dealer. Never mind the fact that more junkies die from overdoses than from being gunned down by their dealer. Admitting the greater risk would entail acknowledging that employees aren't happy and might want to cause the company harm. This in turn indicates some flaw in the way the company conducts business, and opens them up for criticism. It's not surprising in the least that companies fear black hats more than they fear their own, because to fear their own would be to admit fault.
I'm just curious, of the 48% that report insiders as the cause of their greatest breaches, what percentage of those could be chalked up to insane or psychotic renegade employees as opposed to employees that may have had a semi-legitimate complaint and were driven to malice by a company's own policies and practices?
And all this USB key chain/MP3 player crap, I mean come on. If an insider wants to move data out of a company, it's easy. In this arena these new devices are about as original as the floppy disk. Virtually anyone could e-mail attachments of reasonable size off site. I've never worked for a company with a proxy that blocked HTTP uploads (although I'm sure they exist), and what about the Xerox machine? Should we get rid of that too?
This too shall pass.
I originally thought the same thing - the employers are making the crappy workplace. That may or may not be the case. Over the last 8 years, I have seen so many slackers, dead-wood employees that have been kept on for no good reason. I started to wonder why. Then I heard about the pending lawsuits from former employees. Nowadays, you can't even fire someone without getting sued. It is stupid. People get stuck in a hole, and the company doesn't want to give them anything worth doing. Since they can't fire them for being un-driven losers, they give them crap jobs. Instead of working harder to actually reverse the situation, the employee just gets more bitter and lazy. I have seen people steal many many things from a company, because they feel the company "owes them". In one case, a guy claimed 20 hours of OT every week for about 8 months. His manager signed off on it because he was too spineless to challenge him. I know he didn't work it, because *I* was working it and he was nowhere to be found. In true corporate fashion, when it was discovered (by me), nothing was done. Nobody wanted to confront the situation. The guy eventually got PROMOTED! I figure he made out with about $30k.
I guess my argument is that no matter what your environment is like, people are going to try to screw the company. Granted, the worse the environment, the more it probably happens, but there are always going to be those disgruntled nut-jobs who feel the world owes them something. And I have seen companies do pretty crappy things too, like during the company meeting, announcing layoffs and those who weren't at the meeting were being escorted out of the building by police. This was to "preserve their dignity". Uh-huh.
Believe me, I know what it is like to be unhappy at a job. But you know what I did? I left. Employers have to cover their asses even more nowadays, when someone with the knowledge could easily F up their network, steal code/secrets, etc. Saying "don't piss off your employees" is no solution. Of course companies should have a good work environment, that is a no-brainer. But there will always be someone who wants more. You let people wear jeans, someone wants to wear shorts. Let them wear shorts, someone walks in with their bag hanging out. Let them wear sandals, someone walks around barefoot. No matter where I have worked, there has always been someone who was unhappy.
My beliefs do not require that you agree with them.
Then they immediately ask me for penetration testing.
;)
Can you sue them for sexual harassment?
[ wink wink nudge nudge ]
deus does not exist but if he does
The only employee who should be 'scanning for vulnerabilities' here is me. Anybody we catch scanning without express written permission (generally from the CTO) is assumed to have 'evil intent'.
You can't just go off on your personal quest for vulnerable systems randomly on your employer's network, unless you actually want to end up like Randal Schwartz
Speaking of 'wrongheaded thinking'. Consider the risks of encouraging random scans by non-security employees. There are numerous reasons not to encourage random employees to scan your network:
- Some badly-written scanners will DoS even well-written OSes and applications.
- Some legacy systems still running in corporate networks react badly to being scanned. This isn't good, but it is a reality.
- Who needs 1,000 identical 'Tool X' scan reports of the same network?
- Scanning generates extra network traffic and 'hits' on IDS systems. See previous item.
- Allowing random 'good' employees to run scans will make it harder to detect the 'evil' employees.
- How do you detect when a worm (Nimda?) or a trojan included in some shareware package starts scanning your network without the user's knowledge?
- What happens when 'Tool X' is distributed with a trojan, or simply hacked to silently CC the report summary to scanreport2002@hotmail.com?
- When 'Joe minimum wage' finds an easily exploited hole in the payroll server, you expect him to report it before trying it out for himself?
- Scanning random remote IP ranges can 'bring up' backup ISDN and other toll circuits, incurring a real expense.
- Do you encourage your average employee to check for unlocked doors and cabinets outside of their own work area, or do you have dedicated security personnel?
I agree that somebody should be scanning the internal network, just as somebody should be checking for unlocked doors. But that somebody should not be just any random employee who takes it upon themselves to test security....
I do not deploy Linux. Ever.
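One way to act on the post's point that only sanctioned scanners should be sweeping the internal network is to detect scan-like behaviour in flow or firewall logs and compare the source against an allowlist of authorized scanners, so that anything else (an enthusiastic employee, a worm, a trojaned 'Tool X') surfaces as an alert. This is an added example, not code from the thread; the log format, addresses, window and threshold are all constructed for illustration.

```python
"""Flag internal hosts that behave like port scanners and separate the
sanctioned security-team scanner from everything else.

Added example; the record format ("timestamp src dst dport"), the hosts and
the thresholds are constructed, not taken from any real environment.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed allowlist: the only host that is supposed to be scanning.
AUTHORIZED_SCANNERS = {"10.0.5.20"}


def build_sample_log() -> str:
    """Return constructed flow records (not real traffic) as text lines."""
    base = datetime(2002, 4, 15, 9, 0, 0)
    lines = []
    # Sanctioned scanner sweeps ports 20-39 on one server within 10 seconds.
    for i in range(20):
        ts = base + timedelta(seconds=i // 2)
        lines.append(f"{ts.isoformat()} 10.0.5.20 10.0.1.10 {20 + i}")
    # A workstation probes port 445 on 12 neighbours within 24 seconds
    # (the pattern a worm or an unsanctioned scan leaves behind).
    for i in range(12):
        ts = base + timedelta(minutes=5, seconds=2 * i)
        lines.append(f"{ts.isoformat()} 10.0.7.44 10.0.1.{i + 1} 445")
    # An ordinary workstation talks to three servers over an hour.
    normal = [("10.0.1.10", 80), ("10.0.1.11", 25), ("10.0.1.12", 443)]
    for i, (dst, port) in enumerate(normal):
        ts = base + timedelta(minutes=20 * i)
        lines.append(f"{ts.isoformat()} 10.0.7.45 {dst} {port}")
    return "\n".join(lines)


def parse_log(text: str):
    """Parse 'timestamp src dst dport' lines into (ts, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def find_scanners(records, window=timedelta(seconds=60), min_targets=10):
    """Return {src: peak distinct (dst, port) pairs} for every source that
    touched at least min_targets distinct pairs inside any sliding window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in records:
        by_src[src].append((ts, (dst, dport)))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()   # distinct targets currently inside the window
        left = 0
        peak = 0
        for ts, target in events:
            in_window[target] += 1
            # Drop events that fell out of the window ending at ts.
            while events[left][0] < ts - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


def classify(scanners, authorized=AUTHORIZED_SCANNERS):
    """Label each scanning source as 'authorized' or 'unsanctioned'."""
    return {src: ("authorized" if src in authorized else "unsanctioned")
            for src in scanners}


def report(log_text=None):
    """Run the whole pipeline over a log (the constructed sample by default)."""
    text = build_sample_log() if log_text is None else log_text
    return classify(find_scanners(parse_log(text)))


if __name__ == "__main__":
    for src, verdict in sorted(report().items()):
        print(f"{src}: {verdict}")
```

The sanctioned scanner is reported but not alerted on, while the 445 sweep from the workstation is flagged even though each individual connection looks ordinary.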
Employees might "betray" their employer when they leave because the employer is a total git. Often there's nothing wrong with the employer per se, but a certain employee doesn't fit in, has a conflict or difference of opinion with other employees or whatever, and leaves. Even in such cases the employee may leave with bitter feelings towards his employer and be tempted to take some juicy info with him. Other employees have personal problems or debts, and might be tempted by the money. In fact, these are things closely investigated when people apply for a security clearance. That has nothing to do with lousy employers.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
An obvious approach would be to copy the file to a diskette or CD and place it in one's bag. Most email is archived, so you could get caught after the fact.
Woe be unto them, all who rise against poor people shall perish in the end. Buju Banton
The "biggest threat to security" is almost always the folks working in the Security Department. This has been the case for more than 50 years.
Sed quis custodiet ipsos custodes? (Loosely, "But who will guard the guards themselves?")
Obviously it's been a problem for a lot longer than 50 years.
deus does not exist but if he does
And yes, some employers are enforcing security measures that would do Dilbert's boss proud. And yes, employers should work on a basis of trust with their employees.
But to ignore the security issue is very, very wrong for a number of reasons.
- In some cases, the employer's clients may demand certain measures be taken to protect their data.
- In some cases, not having proper measures against theft of confidential data can make one liable for *huge* lawsuits if the data is stolen. (Think medical records.)
- Most importantly: in any group of employees, there'll be a couple of rotten apples in the bunch, no matter how nice and cuddly the employer. Those same employees are the ones that might steal wallets or other stuff from their co-workers' desks. It's sad, but it happens everywhere, and to not be on your guard against it is plain silly.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
Network security should be different. I know plenty of 'reformed hackers' who are now in the "Information Security" business, and none of them collect and keep customer data that they should not have.
A big part of the reason physical security is a cause of internal theft is that most of the guards have time on their hands and get paid not much more than minimum wage. Neither should be true for information security :-)
Anybody have a link to the old joke about the guy who worked in a government factory during the war and wanted his own jeep? So each day he would steal a different part, and after two years, he put it all together in his basement and had himself a beautiful new anti-aircraft gun.
I do not deploy Linux. Ever.
Is your father Johnny Cash?
A classic song. Find the lyrics here.
The cure for cancer is coming: Reovirus
With ext3 filesystem?
http://acl.bestbits.at/
With xfs filesystem?
http://oss.sgi.com/projects/xfs/
Just add samba 2.2.3a that has acl support and stir. What did I need that NT server for again?
It's funny. The best jobs I've had (and the worst) have nothing to do with how much money I made or the number of benefits... and everything to do with how I was treated as a human being. If I was allowed the tools and resources to do my job, if I was recognized for my accomplishments, and let known that I was a valuable part of the organization, I would typically not be unhappy at the company.
Then there are the places where I hated the environment. Management carried unrealistic expectations, and refused to give us the tools (responsibility) needed to reach the goals they set. I've never stolen from or willfully damaged company property, but I knew others who did, and understood why they did that.
It seems that naming your employees as your primary security risk, and taking severe actions against them, is throwing oil on the fire. An attitude of 'We don't trust you, and we are going to assume you've done something wrong' is going to do nothing but make the borderline employees even more pissed off and likely to do something damaging.
I don't think anyone starts a new job with the expectation of being bitter, lazy, or vindictive. It takes months to years of abuse by a company before they get that way.
The Internet is generally stupid
...and it didn't cost me a dime.
My father tells the story of a guy working at an auto assembly plant who took home an entire car -- piece by piece!
Your father is probably a Johnny Cash fan ("One Piece at a Time"; it's on The Essential Johnny Cash, but I don't know what album it came from originally).
-- Point? None! Cob.
And how do I stop employees from bringing in these things? Metal detector and searches at the door? How long do you think my employees will stay?
Further, if it was my intent to hack a network I would use something like Soekris' net4501 set up to bridge across the net ports and put it inline with my PC at the office. Let it sit and collect information all day then unplug it and take it home at night to see what it found.
I think a lot of peeps here have made the accurate point that if you treat your employees better than slaves, then (typically) your employees will be more concerned about the well-being of the company and won't do things to damage it. Exceptions do exist, but how much money and time should you expend to oppress the innocent just to prevent the guilty from harming you? (For those looking for greater meaning, yes, this argument can be extended to our current problems with terrorism in America.)
Gee Ma, this game looks really fun!
"I think we should tax people who stand in water! " - Mr. Gumby
This is quoted from The CSI/FBI Computer Crime and Security Survey:
"Over its seven-year life span, the survey has told a compelling story. It has underscored some of the verities of the information security profession, for example that technology alone cannot thwart cyber attacks and that there is a need for greater cooperation between the private sector and the government. It has also challenged some of the profession's 'conventional wisdom,' for example that the 'threat from inside the organization is far greater than the threat from outside the organization' and that 'most hack attacks are perpetrated by juveniles on joy-rides in cyberspace.' Over the seven-year life span of the survey, a sense of the 'facts on the ground' has emerged. There is much more illegal and unauthorized activity going on in cyberspace than corporations admit to their clients, stockholders and business partners or report to law enforcement. Incidents are widespread, costly and commonplace. Post-9/11, there seems to be a greater appreciation for how much information security means not only to each individual enterprise but also to the economy itself and to society as a whole. Hopefully, this greater appreciation will translate into increased staffing levels, more investment in training and enhanced organizational clout for those responsible for information security."
In other words, please give up on this nonsense about how there's more risk from the inside. It's kind of obvious, really: how many more people are there on the internet than there are inside a typical organization? I personally have dealt with tens if not hundreds of external break-ins. I've only dealt with one internal break-in, and that one started from on-campus, looped through an off-campus host, and only then came back on-campus.
Well, that's a start, but my point wasn't that the Microsoft permissions were so spectacular, but that Linux wasn't any better and in many cases was worse. Having to resort to patches and add-ons to extend the flawed and simplistic *nix permission system so that it is almost kinda sorta equivalent to the microsoft offering is absurd. Any *nix should be better than Microsoft on any aspect of security right out of the box, no exceptions, no excuses.
The existing *nix file permission structure has simply outlived its usefulness, and needs to be discarded entirely rather than kept hobbling along with stopgap code. I find it irrational that with all of the advances and alternative file systems being developed for Linux - and with all of the emphasis put on security - there is not a new file system available or in development with built-in support for a permission structure at least equal, if not in every way superior, to what is available elsewhere. Is everyone just hoping the NSA will do it for you? Open Source software allows developers to draw on the strengths of decades of good work in *nix development. It shouldn't, however, be forced to keep old weaknesses, too.
You're just jealous 'cuz the voices talk to *me*
Maybe he should cross-post with rec.kitchen-implements.tinfoil.hats
The removable memory cards inside the devices could be used to bring in software that looks for vulnerabilities on a company's internal network. The innocent-looking devices could also be used to smuggle out confidential or sensitive information.
Which is why such personally owned recording devices of any kind are verboten on the LAN at many .gov sites.
It's an RPITA sometimes, and sometime in the future I expect there will have to be some relenting as the price and ubiquity of personal recording (and communicating) devices continues to plunge.
"Provided by the management for your protection."
"Hi, this is Pete with Help Desk. We need to migrate your account to a new system this weekend, and will need your password . . ." and while you're at it, why don't you give me your SSN and any credit card numbers you have.
I would guess that a small percentage of employees who pose security risks are actually disgruntled. They're not actually stupid, either - just unaware of the danger, or feel that the danger doesn't affect them.
Smoking causes cancer, yet I puff down a pack a day. Yeah, I should probably quit.
We don't support Outlook, and ask people not to use it - but that's what they like, so they still use it - and then their whole network is infected with viruses. They're not disgruntled.
They run Morpheus on their desktops so they can listen to music while they work - and bring in a bunch of viruses. Not disgruntled.
I have only once in my career had 'problems' with a disgruntled employee. We let him go, locked him out of the system, and removed any software that he had installed that wasn't being used (and checked what was being used). Saw a couple of failed logins, but that was it.
I've seen many more security problems with the well-intentioned (gruntled?) employee.
"The large print giveth, and the small print taketh away" -- "Step Right Up", Tom Waits
Well, I don't know where the ACL code came from for the ext3 patches. But the ACL code for XFS came out of the whole XFS/IRIX structure. They have simply merged their code together so that they can talk to each other.
That the ACL code may not be in the production kernel is a matter of bad timing (end of 2.4, beginning of 2.5) rather than anything patchwork or stopgap about it.
Recently, scientists have discovered the existence of what they're calling "eyeballs" inside the heads of employees. Upon following the nervous pathways, they further discovered expanses of memory - they've labelled this "the brain". It is highly advised that employers insist on lobotomies and blinding for all employees in order to protect sensitive data.
This actually isn't just FUD.
I've worked in both a very secure environment and as a developer developing security software. The number one concern is absolutely always internal theft.
Take a look at high security environments like the FBI, CIA, or NSA. Is there an outer security threat to these places? Not really. These places are smart enough to have their internal networks physically separated from the internet.
The threat to these types of organizations is internal. That is why they spend an awful lot of energy on ethics training and on internal policing. All it takes is for one bad employee to do a lot of damage.
It's definitely not FUD, although by the same token, it isn't anything new.
int func(int a);
func((b += 3, b));
Could it be there are more arrogant programmers out there because of the crazy hiring habits of internet gold rush, or are there more unstable managers today than before?
was to prevent employee theft.
This is not a new concept.
There are really three kinds of internal vulnerabilities from employees.
First, the headline grabbing disgruntled hacker. Very dangerous, but they comprise only a very small part of many companies. I mean really, how many people in Big Co. really know what a DNS server is?
Second, and sometimes noted in the press, are the hordes of ingenues that Point 'n Click their way past security policies in ways that would make your blood curdle. There are lots of such people in any organization, running Outlook, clicking on attachments, downloading something cool, etc.
Third, there are CIOs without Clues. They're making big decisions about deployments based on heat they get from upper management, who, frankly, are more likely to belong to the second class of vulnerabilities than to the first class of vulnerabilities. If their decisions are a little bit misguided (let's run IIS as a web server on our externally exposed machine!), then it can cause a fair amount of grief.
Unfortunately, all you're likely to hear about on the news is the first group.
"Provided by the management for your protection."
I used to work in the security department of a large retail organization for 4 years. I'd regularly point out why the modem on the CEO's desk that went into our corp network was a risk, and I'd be told to just overlook that one. Etc, etc.. After seeing every executive and his secretary overstep security policy, it made me believe that corporations don't believe in security as a whole.
Beauty is truth, truth beauty. That is all ye need to know on Earth, besides TCP/IP.
I'm soon going to purchase an iPod, which easily transfers data from your standard corporate Dell PC.
Especially since it's a USB device and I work in a Windows NT-based development shop. [/sarcasm]
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
> Believe me, I know what it is like to be unhappy at a job. But you know what I did? I left.
It must be nice to have the luxury to leave a job you don't like. I am working two jobs I hate right now because there are NO JOBS. I've been applying like mad for the last 6 months to EVERYTHING that comes up (even things that have nothing to do with my field), and the only job I've found pays $5.40/hour part time.
*sigh*, so much time wasted on my degree...
this article could be a piece of shit
I can say from personal experience from having worked at a defense lab for admin IT that the things we worried about the most were:
1. The guys in the information warfare/security group
2. Security staff
Guess which group had abused their privileges more than once? Hint: they are not group #1.
Some of the security staff I wouldn't trust to watch my lunch.
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
I agree. We need to make sure the employees are happily gruntled. As long as they are treated well, and have fun, interesting jobs, they'll keep gruntling away.
In the latest issue of Duh! magazine:
Health: Cigarettes cause cancer!
Politics: Research shows politicians like money.
Business: Profit helps businesses grow.
Computer security: Your employees' root access is a security threat!
... "Give me a woman who loves beer and I will conquer the w
We all know insiders are your greatest risk. The point is in their irrelevant drivel about digital storage devices. It's just another hysterical "BAN SOMETHING!" article, like parents at a school board meeting when 2 or more kids have something in common (besides equipment for team sports)...
skateboards, pagers, rollerblades, cellphones, PDAs, "heelies"... In junior high, there were three or four girls who liked flavor straws, so they banned them. It's the mindset that if anybody uses something you don't see a good use for, all you can think of is bad uses.
"They're all doing it! We have to stop them!"
People can copy things using these devices! oh no! Now they won't give themselves away by running a loud floppy drive. What the heck does portable storage have to do with this at all?
heh. knowledge is never wasted though.
XYZ news reports that citizens are seen as subversive to their governments.
Seemingly innocent items such as paper, automobiles, computers, and currency can all be used to undermine government authority, homeland security experts warn.
The dangers disgruntled citizens posed were highlighted by a survey showing that almost half of the anti-government incidents recorded last year were instigated by a government's own citizens.
By contrast, 75% of all government officials questioned in 2001 named "the axis of evil" as the biggest threat to security.
Many governments are now installing software that watches for citizens doing things on a domestic territory that they should not be doing.
Citizens can be a security hazard in other ways too.
Citizens unfamiliar with their government or who blithely repeat statements made by outsiders could kick off propaganda outbreaks or inadvertently aid terrorist "sleeper cells" trying to get access to a government's internal infrastructure.
"Activist Mahatma Gandhi has gone on record to say that he rarely used firearms," said senator Chris Dick of the USSA. "Instead, he used social engineering to spread the information he wanted."
Senator Dick said the Homeland Security office had been created to advise governments on the best way to educate staff about citizens.
Properly educated staff would choose legalese that was hard to understand, know to be suspicious of unsolicited e-mails bearing criticism, and refuse to divulge confidential information, he said.
Why do they get angry at the company they work for? Because the company that they work for treats them like an expendable, replaceable resource. And especially like an expendable, replaceable resource whose output is directly proportional to the pressure applied to get work out of it.
Sure sounds like the problem here. (Is your washroom breeding Bolsheviks?)
You have to wonder how much longer the company might have lasted had they treated their workers like people and not hemorrhaged inventory out the dumpster in back.
And now, because someone has to draw the parallel... almost the same principle can be used to explain any increase in the use of P2P software, music sharing, CD burning, etc. -- some people might be interested in spreading the tunes, but a few, sick of being treated like criminals by the music and video industry anyway, decide they have nothing to lose and want some way to lash out.
In the above post, certainly that $500 stereo didn't do anything to hurt anybody. And yet...
You cannot truly appreciate Dilbert until you read it in the original Klingon.
In my company they just take the whole machine, but since we don't have secret stuff (we are a Public News Broadcasting Company) it doesn't matter too much and insurance will pay up eventually. If they don't take the machine, the employees will take the memory or the hard disks; damn, they even take the UTP cables, or else they hook up their own modems to download pr0n files from phone-only sites.
Ex-employees of the IT department get lost and take their laptops with them, and you never find their address again.
I just take the old PC hardware that isn't going to be used anymore to build Linux boxes =)
Quazion.
Wanna hack at work? Stuck with a useless Windows box? Uhmmm, IT department allows you to boot from CD with no BIOS protection? One word, my friend: Trinux. Make a nifty wallet-size bootable Trinux disk and rock the house. Turn any box into a hacking arsenal instantly with no mods to the original installation. Have fun.
In some organizations, it's just not worth trying to clean house. Firing someone is like prosecuting OJ Simpson. Gather all the evidence you want, expend lots of time and money, but it may not do any good. Sometimes, the best you can do is sweep the dirt into a corner and declare victory.
In the back of every manager's mind is "workforce reduction". When it's your turn to toss something into the bonfire, it actually helps if you have some dead wood lying around, so as to protect the people who are trained, motivated, and expensive to replace.
There is a concept that I will call "containment mode". Let's say you have a person who is incompetent or unmotivated, but not to the point where you can build a good case to get rid of them. I'm not saying it's good or bad, but it works like this: The manager looks for harmless, boring, dead-end tasks to be assigned to the "containee". As assignments are divided among the staff, the containee gets the low-profile, not-fun, tedious, junk work. Take all of the things they teach managers to motivate people and make the process run in reverse. The people in "containment mode" are generally whiners in the first place, so a few more complaints from them is not going to accomplish anything. Played properly, everyone thinks that giving the containee the junk work is absolutely correct, based on their whining, attitude, and skill level. After all, why alienate the good workers when you can demotivate someone who is already a problem? Essentially, the manager is saying, "I don't like you, I don't like the work you do, but I won't expend the effort to fire you. You can stay here as long as you want, but you won't enjoy it and your career will go nowhere. When you figure this out and become someone else's problem, I will not shed any tears."
It starts with communication. Employees don't need unrealistic benefits. They simply need to know they are being treated fairly. Thus, companies need to open the books a bit and let employees know how the company and its higher-ups are doing. Many small companies find this very difficult, but a successful company needs to do this.
Another issue is that many companies regard everything of value no matter how trivial it is. I have seen companies that regarded absolutely everything to be a "trade secret". These companies often think employees have stolen important assets simply because they have taken a job with a competitor. Most of these companies are only fooling themselves; and this costs them dearly because they usually miss whatever it is that they actually do well.
With this in mind, I think a lot of companies would do well by Open Sourcing many of their minor utility programs. Doing this will keep employees from "stealing" things which aren't of that much value in the first place; and make the employees happy at the same time.
---------
Executive Director - LinuxFund (www.LinuxFund.org)
You can email things from work but it's far from untraceable. Yes of course it's encrypted, but when did you last check your work machine for key-loggers (software _or_ hardware, they only cost $50 now)? (hint: you need a different and temporary PGP key to use at work)
And to think that emails to your home account are unmonitored... surely those attract the most suspicion. And no, steganography doesn't work, as you'll find out the first time you try to explain emailing a 200Mb wave file.
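The point above, that mail to a home account is exactly the traffic that gets looked at, is what a mail admin's review filter does in practice. The following is an added example written for this page, not code from the thread or from any poster: it runs over a few constructed log lines in an assumed simplified format (timestamp, from, to, size) and picks out large messages leaving the company domain, plus the per-sender outbound volume. The domain names, the 20 MiB cut-off and the log format are all assumptions.

```python
"""Added example (not from the Slashdot thread): a small outbound-mail
review filter of the kind a mail admin might run over log lines, to show
why large mails to a personal account draw attention."""
import re
from collections import defaultdict

# Constructed sample lines in a simplified, assumed log format:
# "<timestamp> from=<sender> to=<recipient> size=<bytes>"
SAMPLE_LOG = """\
2002-05-06T09:12:01 from=alice@corp.example to=bob@corp.example size=4210
2002-05-06T17:40:22 from=alice@corp.example to=alice.home@mail.example size=209715200
2002-05-06T17:41:05 from=carol@corp.example to=partner@vendor.example size=120000
2002-05-06T17:55:17 from=alice@corp.example to=alice.home@mail.example size=52428800
2002-05-06T18:02:44 from=dave@corp.example to=dave@corp.example size=900
"""

INTERNAL_DOMAIN = "corp.example"        # assumed company mail domain
SIZE_THRESHOLD = 20 * 1024 * 1024       # 20 MiB, an arbitrary review cut-off
LINE_RE = re.compile(r"^(\S+) from=(\S+) to=(\S+) size=(\d+)$")


def parse_log(text):
    """Yield (timestamp, sender, recipient, size) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, sender, rcpt, size = m.groups()
            yield ts, sender, rcpt, int(size)


def is_external(address):
    """True when the recipient's domain is not the company's own domain."""
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def flag_large_external(text, threshold=SIZE_THRESHOLD):
    """Return log entries addressed outside the company whose size exceeds threshold."""
    return [e for e in parse_log(text) if is_external(e[2]) and e[3] > threshold]


def external_volume_by_sender(text):
    """Total bytes each internal sender mailed to external recipients."""
    totals = defaultdict(int)
    for _ts, sender, rcpt, size in parse_log(text):
        if is_external(rcpt):
            totals[sender] += size
    return dict(totals)


if __name__ == "__main__":
    for entry in flag_large_external(SAMPLE_LOG):
        print("large external mail:", entry)
    print("outbound volume by sender:", external_volume_by_sender(SAMPLE_LOG))
```

A size cut-off alone is a coarse rule; the per-sender total is there because the same user splitting one 200 MB file into ten mails is just as visible once volume is summed.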
Honestly, why worry about physical devices? I've got a nice net connection...
scp -r /path/to/critical/files me@mydomain.com:ripoff/
or for Windows users
pscp -r g:\path\to\critical\files me@mydomain.com:ripoff/
Monday is a horrible way to spend 1/7 of your life.
My father tells the story of a guy working at an auto assembly plant who took home an entire car -- piece by piece!
That's a Johnny Cash song. It's called "One Piece at a Time"
Lyrics to "One Piece at a Time"
I think the problem with your specific situation could have been the very existence of the union. Unions are a prime example of how a good idea without proper vigilance turns into an even worse tyranny than what it claims to fight. It is therefore no wonder that socialism, the great experiment as seen by union fanatics, can only be achieved as a table made of the broken backs of labor and the working man, all the while keeping everyone under constant suspicion.
in the computer security journal "Duh"
Several years ago I scored a free Palm from a friend who was working for the government at the time. The site he worked on had high security so all PIMs were barred. His new toy ended up being a bit of a waste of cash. Oh well, I got a nice toy out of it.
Robert Philip Hanssen in the FBI.
Aldrich Ames in the CIA.
Enough said.
Man, I read this article before it was on slashdot and I decided against submitting it.
And it ended up here anyway... doh!
NT4 is a very secure operating system. In fact it is rated to the DOD's Orange Book standard for data confidentiality. This is something that Linux has yet to achieve.
However, this goes all to hell the minute you plug that box into a network, or install other apps on it.
NT4 IS more secure than Linux, just not in a usable fashion
I am a telecom/computer tech...
As such I get a job every six months or so where the customer has just been screwed. I get to go in and try to find/hack the passwords to everything and rescue whatever information/evidence I can. After this I have to rebuild their office and set up some security for them. All because of an angry IT manager...
Now even if the employer sucked, those actions are wrong. There is no single scapegoat for this. Some employers are bad, and they tend to set things up so that people act out badly. Other times, employees, who are all held at a certain level of trust (they wouldn't have a job otherwise), go bad and do some very nasty things. I believe that the article was meant to reprise a warning that current technology is getting to the point that it is even easier to abuse than just a couple of years ago.
Remember, the general public needs LOTS of repetition before they understand simple concepts...
At least someone is helping with that.
Thanks Slashdot!
stirge
Digital cameras, MP3 players and handheld computers
Interesting that these are the same things that can also make the employee more productive.
I'm the head of a major software company and this article has helped me decide to disallow employees bringing in any digital or analog device, and has also prompted me to disallow the use of computers that are connected to the internet or can be connected to the internet.
PS: does anyone know a good antique shop where I can buy a few thousand Lisas?
Companies should fire everybody.
1. Use software with real users and permissions.
2. The company is root, the employee is a user.
3. The company's safeguarded information is kept on a carefully controlled set of locked up computers that serve encrypted data. The rest is free.
While this might sound draconian, it's just the opposite. Easing the company's fears is good for employees. The employee won't have to be subject to humiliating email monitoring, personal searches and all that bad news. The employee can bring as many toys and as much personal information to share with others as they wish. Made right, you can even give your employees compilers, encrypted email and other dignity protecting software. Good control prevents abuses. Bad control makes them needed.
Compare this with some systems where third parties can install listeners, aka "upgraders", and other spyware without the user's or company's knowledge. How broken. The future of portable memory devices is here and growing. Companies must learn to live with it. Those that don't will end up x-raying their employees' teeth every day before it's over. Why can't your employees bring in USB keychains? It's because you can't tell your sensitive data from Britney Spears, much less control it.
user@reason:~$ mount /dev/usb0 /tmp
mount: only root can do that
user@reason:$
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
This is just an attempt to stir up paranoia about ordinary devices, probably brought up by the RIAA or something. If I want to steal sensitive company data I just email the stuff to an anonymous hotmail account (we all know how secure THAT is!). Or burn a CD of it... yep, got a CD burner at my very own desk, and if I didn't I bet I could find one. Or hell, just "borrow" a company laptop for an evening. Cloak and dagger stuff with MP3 players and digital cameras is entirely unnecessary. Even when I was working in a high-security place where recordable storage media wasn't allowed, I could have easily taken any data I wanted; the rules against recordable media were IMO more to protect against casual mistakes than malfeasance. It's like DRM; you've got to let your employees see your sensitive data, and if they can see it they can copy it. Take away all recordable devices, disconnect from the net and lock down the machines so hardware can't be added, and you can slow it down. But even then you can't stop it.
Is capitalism any less of an experiment than socialism? Yes, it's great in theory. But what about the worker? Well, in theory, a happy worker is more productive, so an employer will take care of the workers. Also, an employer with a reputation for treating workers fairly and with respect will have a larger pool to hire from. Unfortunately, things don't work like that. Unions aren't perfect, but they do give the common worker the means to improve their working conditions. It seems that our current system, blending parts of capitalism and socialism, is about as good as we can do. Maybe eventually someone will come up with a way to protect workers' rights and protect capitalist ideals, but until then, I think we need unions.
Of course employees are the biggest security threat, and it's not just because of technology! Do they really think that there are sensitive things that can't just be printed out or copied onto a piece of paper and shoved into a pocket?
Working for the government, are we?
Were that I say, pancakes?
Anonymous coward says:
It is so kewl when people lose it over grammar...
Its even better when dey looze it over zpeling
No sig for the moment.