Slashdot Mirror


Punishing Security Breaches

Schneier has a story on his blog this morning about punishing security breaches. This one is in response to the tale of Gray Powell, the Apple engineer who left an important bit of technology in a bar recently. You might have heard of it. You also might have been on either the breacher or the corporate side. I'd hate to be in either position myself.

4 of 151 comments

  1. Re:Too Bad We Don't Know Apple's Policies by Monkeedude1212 · Score: 3, Interesting

    Yeah, I would place him as a mail-room clerk until he proves he can handle sensitive information without releasing it to the public.

    You know, we get the occasional user who manages to get a trojan or a worm on their computer at work. When we get the request ticket in, the first thing we do is remotely check their browser history and cache. Generally it boils down to a Russian or Korean website that was visited. In some cases, it gets referred to by a rollover ad on a legitimate web page, so we don't punish them, but there are other times when you see them visiting some Chinese news blogs about a hundred times a week. In this event, we walk over, unplug everything, and take the tower away, telling them we need to clean it ASAP and we don't want to risk spreading the infection. You or I would know this is highly unlikely; I've never encountered malware that has spread to a network drive, but I wouldn't put it past black hats to do such a thing if they wanted. Then we spend the next day or two cleaning the machine. Yeah, it usually only takes a few hours: slave it on our AV machine. But the idea is to teach them a lesson about visiting those websites. After they've been without their computer for a couple of days, we tell them where they got the virus from, and warn them not to visit those sites.

    It appears to be working.

    The only other security situation we've really come across was some guy in another department who clearly knew a bit about computers. He managed to tunnel into his own VPN to get past our firewall to run BitTorrent and download movies, which he burned onto disc and was apparently selling. When the IT manager (my boss) found out, he went into quite a fit, launched a full IT investigation of the whole building, and in the end so many people in that department were found to be visiting sites they shouldn't be that half the department was canned.

    I think it was a little overboard, but I guess the message was very clearly sent and received; that building has had no problems ever since.

  2. Re:Fired and sued by timeOday · Score: 3, Interesting

    Next you sue them for major damages. Make an example out of them.

    In this case, what are the damages exactly?

  3. Re:Gizmodo May Face Felony Charges by carvalhao · Score: 4, Interesting

    Well, since that model of iPhone hasn't been released yet, how can you prove that it's over $950?

  4. Re:Gizmodo May Face Felony Charges by Sandbags · Score: 4, Interesting

    They paid $5K for the STORY, as registered journalists, and only after discussing this with lawyers, and after both Giz and the device's finder BOTH contacted Apple and Apple DENIED the prototype being lost. Gizmodo acquired the device under the promise to return it to its rightful owner should one come forward, and the person who gave them the device could not be blamed for handing it over to an organization with known internal ties at the company.

    Gizmodo never bought the phone, only the story. This has been upheld NUMEROUS times in local and federal courts. Thanks for playing...

    --
    There is no contest in life for which the unprepared have the advantage.