Schneier Explains How To Protect Yourself From Sony-Style Attacks (You Can't)
phantomfive writes: Bruce Schneier has an opinion piece discussing the Sony attack. He says, "Your reaction to the massive hacking of such a prominent company will depend on whether you're fluent in information-technology security. If you're not, you're probably wondering how in the world this could happen. If you are, you're aware that this could happen to any company." He continues, "The worst invasion of privacy from the Sony hack didn’t happen to the executives or the stars; it happened to the blameless random employees who were just using their company’s email system. Because of that, they’ve had their most personal conversations—gossip, medical conditions, love lives—exposed. The press may not have divulged this information, but their friends and relatives peeked at it. Hundreds of personal tragedies must be unfolding right now. This could be any of us."
Related: the FBI has officially concluded that the North Korean government is behind the attack.
But you can mitigate the hell out of it, I suggest air gapping.
Om, nomnomnom...
Well that makes it easy
We are talking a proportional response right?
Or maybe we can just send a few bloviating politicians over and throw in some mass drops of MP3 players loaded with Sony tunes on the country.
Nobody mentioned "The Interview" or North Korea until days after the attack, then it simply appeared from nowhere and asserted itself as the truth. The emails from the hackers are in the stash, and reputable sources who have time to read such things have reported that not a single email from GOP prior to the release mentioned The Interview, only demands for money.
"blameless random employees who were just using their company’s email system. Because of that, they’ve had their most personal conversations—gossip, medical conditions, love lives—exposed."
If you had personal conversations—gossip, medical conditions, love lives in your work email, then it was not private anyway.
Something not much discussed: if outsiders were able to liberate "terabytes" of data from Sony Pictures, just how good was the corporation's computer security? There's been a lot of outrage over the data theft, but did it happen despite Sony's protective measures, or because of them?
Security is not easy, but it can be done. But most companies like security theater; it's cheaper, until something like this happens.
Ding! Problem solved!
Because of that, they’ve had their most personal conversations—gossip, medical conditions, love lives—exposed. The press may not have divulged this information, but their friends and relatives peeked at it. Hundreds of personal tragedies must be unfolding right now. This could be any of us.
If they have nothing to hide, they shouldn't worry. Who cares about their boring lives?
Sony's reaction is exactly the same as a college pulling a speaker because of protests.
If you think Sony should still release The Interview, I sure hope you don't support and aren't involved in shouting down and heckling speakers you disagree with.
Nope, it couldn't be any of us. Some of us "tin foil hat wearers" AKA paranoids anticipate this kind of thing and act accordingly. Everyone who's quick to dish out the word "nutter" or "conspiracy theorist", keep enjoying being a dumb bitch!
Likewise, how long does it take to download 100TB of data? I'm guessing that this was probably something that took a bit of time to pull off, and they probably should have found something while all this data was flying out of their system.
XDInd
it happened to the blameless random employees who were just using their company's email system. Because of that, they've had their most personal conversations -- gossip, medical conditions, love lives -- exposed
If you were using your company's Exchange server for gossiping and thought it was safe (i.e. the IT department would never have access to this, oh no) then you're stupid and deserve whatever fate you get.
I can sympathize with the people whose SS numbers were stolen out of no fault of their own. But Amy Pascal making Obama black jokes on company email was just stupid as hell and she deserves whatever scorn people will heap on her.
I ask the same question again, why put this stuff online at all? Why are critical systems for infrastructure online? Why is anything of any importance for our government and nation available to the general Internet?
The only answers I've come up with are either cost related or they want them to be targets.
"If any question why we died, Tell them because our fathers lied."
Why is the FBI spending their time helping a Japanese company?
The answer is don't be an idiot. Only have sensitive conversations in person, and don't connect to the internet with sensitive data on your computer. Keep all important files on a storage computer that has no internet connection, and if you need any files from that computer transfer them via flash drive. That way most of your important data is protected.
No
While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following:
* Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
* The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
* Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.
"First they came for the slanderers and i said nothing."
For all we know, Sony did invite this attack and opened its doors wide for anybody wanting in. At the very least you can make this hard for the attacker and add a high risk of early detection. Saying "you can't protect yourself" is sending entirely the wrong message.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Complete nonsense.
I keep reading about this attack, like it was magical...
Then there's an article on Slashdot today about programming being a superpower?
I'm starting to think this entire thing was designed to have this very effect.
So what's next? The government protects us? We need more electronic surveillance?
Hacks based on zero-day exploits are hard to protect against. But they are smash and grabs, and once you see the data leaving, you shut things down until you can patch. But this Sony thing? They had basically complete control over their entire infrastructure. No hack would ever result in that kind of control unless Sony basically had no protection or planning at all. Which is what I think this was... Sony being completely irresponsible. The fault here is with Sony. Yea, the hackers are bad guys too... but there's absolutely no reason they should have gotten what they did. In particular, the executive that had the entire company's salary in an XLS document on their hard drive should be fired immediately.
They had/have their own ISP and email service, so employees were probably using that even when home. I had that ISP before they yanked it from public use and made it only available to sony employees.
Anyone who uses email for anything other than business-related missives at work is asking for trouble. I don't even discuss my private life over my personal email account, and I use encryption. Email is akin to a postcard. Talk in private, face-to-face for the juicy stuff. I'm sorry these people were targeted, but Sony knew their security was not up to par.
Security is a process, not a product. Good IT security pros do what the guys at OpenBSD do -- they continually audit themselves and their processes and devices for things that are not quite right. This was wholly preventable, to be honest. No such thing as 100% safe, but honestly, as a guy with years of IT security under my belt, I can safely say no servers I have been responsible for have been breached. That's not bragging. I really do care about security and the processes that make it work well.
- Disallow USB ports that work on business machines. There is no need for them.
- Encrypt all email end-to-end. We do. It's not that difficult.
- Audit all servers, machines, processes monthly and make improvements as you go. Document everything.
- Reduce the number of people who can access the network from outside the network. People think they need access; unless you're a road warrior, you don't. Disallow people working from home. If you cannot do it in 8-10 hours at work, leave it until tomorrow. I refuse, personally, to ever take work home. I'm not being paid to work at home and neither are most people.
- Use Radius, Kerberos, SSH for everything possible. We do. It works. We force a key-pair change yearly since we use keys to authenticate, not passwords.
- Audit, audit, audit your network and processes. Every week, every month, with software and physically.
- Disallow the connecting of personal devices to work networks. Full stop. This is non-negotiable. I see this all the time and it's a nightmare for security. People's devices are hideously maintained and frequently harbour malware. Not on my network. Get pissed off, it's a work network. Use your own data plan -- you pay for it.
easy peasy: Don't put the family jewels on a public network.
For all the talk that's popped up about Sony being a "coward" or kowtowing to threats for not releasing The Interview, it's one of their more business-savvy moves. It's a movie that was already going to tank; add in the FUD of an active terrorist attack on theaters showing it (which never would have been followed through on, but enough to stop a decent chunk of people from going to see it) and the fact that Sony IS an international conglomerate, with its headquarters in Japan, which has a history of tensions towards Korea altogether - what they're doing is building buzz for the movie by not releasing it, ensuring that it isn't just forgotten about as "that one weird movie where Seth Rogen and James Franco have to kill Kim Jong-un," and it ends up having very robust DVD sales and becoming something of a historical marker of this very weird chain of events.
It's a smart move on their part, there's little reason for them to actually release the movie right now besides "Show them turrist that American can't be threat! Wo ho! No no terrism!"
Did Schneier really use a false dichotomy ? : >> will depend on whether you're fluent in information-technology security. If you're not, .... If you are ...
Seriously ?
I'd say the IT department are mostly to blame. I work for a multi-billion euro company which still uses WinXP on around half the internet-connected machines, still uses IE as the default browser, still uses various versions of Adobe Acrobat from 8 upwards and has even the most simple-minded employee running as admin.
You cannot stop retarded employee number 764 from double clicking "not_a_virus_honest_guvnor.pdf.exe" but you can make sure that only whitelisted EXEs run, that appalling messes like IE aren't used, that said employee runs as unprivileged and that operating systems and commonly used applications are kept up to date.
I'm frankly flabbergasted that the above isn't considered the norm in any commercial environment when there is a constant stream of attempted or actual industrial espionage from all corners of the world.
The other advantage of the air-gapped network is that you no longer "need" to update the computers within the network with most of the security updates that come across Windows Update. Build them from DVDs & SPs with known hash values, never having connected them. Who cares if those PCs are still stuck on Win7-SP1 or Win8.1 RTM. Their primary attack vector (e.g. the big bad Internet) is unavailable. Even if these machines are built with malware, the worst that could happen is that they get erased, but the data still doesn't go out.
But what about e-mail? IM? Interwebs? Facebooking? Really??? Buy a 2nd, low end PC, wirelessly connect it to the corporate network, and voila! Hell, you could even use a KVM for this purpose, if you'd rather not spring for the expensive $400 laptops. Don't take the easy approach of connecting the networks in a way that only allows for RDP sessions--a determined hacker with unlimited funds (e.g. state sponsors) would figure that one out.
But what about Adobe Cloud or whatever program needs to connect to the Internet? Most such programs have alternative options for air-gapped networks (e.g. a license server), and a company like Adobe could be brow-beat by a company like Sony into disabling phone home. For high-risk applications where you can't talk your vendor out of phone-home, it's time to look for a new vendor...
Windows 3.1x calc: 3.11 - 3.10 = 0.00
Because of that, they’ve had their most personal conversations—gossip, medical conditions, love lives—exposed.
Why are people gossiping about this stuff in company emails? Aside from probably violating company acceptable-use policies (except maybe discussing medical stuff with HR), don't people realize that company emails are discoverable during lawsuits? Hackers be damned, don't put anything in corporate email you don't want to be read aloud in court.
... email, and anything else you do on the internet or with your cell is not private.
Never put anything in email, or text messages, or twitter or random internet forums that could potentially embarrass you or anyone you care about.
Sad that this needs to be pointed out, but clearly it does.
XML is a known as a key material required to create SMD: Software of Mass Destruction
The KGB? The KGB hasn't existed since the USSR existed. Let's call that 25 years.
Let's just say for argument's sake that the OSS has blamed North Korea. Make sense?
Here's a dumb question: Why can't a company simply block a country's IP address range? I have plenty of servers, and I block every country's ip address range that we don't do business with. It has MASSIVELY cut down on spam, attacks, or any other nefarious things that we could potentially endure.
Also, what about fail2ban? That program has been a godsend to my company.
Finally, what about a physical gap between the internet and all this information?? We have information that's critical, but it's not available to anyone outside of the internal company. Sure, I get some people who complain about convenience, but I point them to things like what happened to Sony, and simply say "Do you want every conversation you've ever had available on the internet?"
http://i.imgur.com/B9y8q9L.jpg
From TFA: "Against a sufficiently skilled, funded and motivated attacker, all networks are vulnerable."
Sounds like a good followup to Schneier's Law
This could be any of us. We have no choice but to entrust companies with our intimate conversations: on email, on Facebook, by text and so on. We have no choice but to entrust the retailers that we use with our financial details. And we have little choice but to use cloud services such as iCloud and Google Docs.
Bullshit. There's always a choice. It's often less convenient, but that's a far cry from not having one.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
you've fallen for the FBI's psyop again american, congrats
How else would we have found out about the MPAA's secret plan (https://www.eff.org/deeplinks/2014/12/hollywood-funds-sopa-revival-through-state-officials-google-and-internet-respond) to bribe state Attorneys General to censor the internet starting with Google search results?
One way to increase that "expected gain" is to take a slightly wider view of what security is. Security is more than just locks and passwords - it includes defense against denial of service attacks, for example. A useful definition of system security is:
A secure system is one that continues to work properly, even in the face of attack.
An example is one of the most common security issues, SQL injection. My work place had a typical example:
INSERT INTO users SET fname='$fname', lname='$lname';
From a traditional security perspective, we worry about an attacker entering a "name" that includes quote marks and such. However, the same issue also meant that things broke nicely when Tom O'Reilly tried to register, using his real name.
Fixing that issue meant that attackers couldn't mess up the system - and the "random" errors in the system stopped.
As another example, we provide a service called Clonebox. With Clonebox, if a customer's web server is hacked or otherwise damaged, we can switch it over to a ~read-only mirror. Sure that protects against hackers, and some customers have been hacked and used the protection. More often, customers simply screw up and delete important files or databases. Either way, they are protected - our customers' web sites keep working, even when they screw up, even when hardware fails, and even when they are hacked.
So the pitch, and the cost/benefit calculation is this:
How much is it worth to have systems that just keep working, that don't screw up, that handle any input gracefully?
It can be good to ask that question right around the time some executives are cursing the current system.
SQL injection. My work place had a typical example:
INSERT INTO users SET fname='$fname', lname='$lname';
Apart from the fact that you're mixing UPDATE syntax with INSERT syntax, substitution is perfectly valid so long as each string has been sanitized in the correct manner for a particular database connection (that is, not addslashes()). For the MySQLi client library, it looks like this:
Don't get me wrong; it's bad practice to escape manually unless you're using operator IN on a database client library that supports neither array parameters nor named placeholders (such as MySQLi). But code that correctly uses $db->escape_string() (or the equivalent for other languages or database drivers) should be safe from SQL injection, just as code that correctly uses htmlspecialchars() should be safe from script injection.
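The two posts above make the same point from opposite ends: string-building the INSERT both lets an attacker change the query's shape and breaks on a legitimate name like O'Reilly, while binding the values (parameters, or correctly escaping for the specific connection) fixes both at once. The following is an added illustration, not code from either poster; it uses Python's sqlite3 (so standard INSERT ... VALUES syntax rather than MySQL's INSERT ... SET) with constructed sample inputs.

```python
import sqlite3


def setup_db():
    """Fresh in-memory database with the 'users' table from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (fname TEXT, lname TEXT)")
    return conn


def insert_unsafe(conn, fname, lname):
    """The pattern from the thread: values interpolated straight into SQL.

    A quote inside the input terminates the string literal, so the input
    becomes part of the query text instead of data.
    """
    sql = f"INSERT INTO users (fname, lname) VALUES ('{fname}', '{lname}');"
    conn.execute(sql)


def insert_safe(conn, fname, lname):
    """The hardened form: the driver binds the values as parameters.

    The query structure is fixed before any input is seen, so quotes in
    the input are stored literally and cannot alter the statement.
    """
    conn.execute(
        "INSERT INTO users (fname, lname) VALUES (?, ?)", (fname, lname)
    )


def try_insert(fn, conn, fname, lname):
    """Run an insert and report 'ok' or the database error it raised."""
    try:
        fn(conn, fname, lname)
        return "ok"
    except sqlite3.Error as exc:
        return f"error: {exc}"


def stored_names(conn):
    """Rows currently in the table, in insertion order."""
    rows = conn.execute("SELECT fname, lname FROM users ORDER BY rowid")
    return [tuple(r) for r in rows]


def demo():
    """Compare both versions on a legitimate name and on a constructed
    input that, when interpolated, appends a second row to the INSERT."""
    legit = ("Tom", "O'Reilly")               # real name, breaks the unsafe version
    crafted = ("Eve", "x'), ('bogus', 'row")  # constructed: closes the literal early

    results = {}
    for label, fn in (("unsafe", insert_unsafe), ("safe", insert_safe)):
        conn = setup_db()
        results[label] = {
            "legit": try_insert(fn, conn, *legit),
            "crafted": try_insert(fn, conn, *crafted),
            "rows": stored_names(conn),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

With the unsafe version, O'Reilly is rejected with a syntax error while the crafted input succeeds and leaves two rows behind; with the bound version, both inputs are stored exactly as typed, one row each.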
With Clonebox, if a customer's web server is hacked or otherwise damaged, we can switch it over to a ~read-only mirror. Sure that protects against hackers, and some customers have been hacked and used the protection. More often, customers simply screw up and delete important files or databases.
But how long do you keep these mirrors around, in case there's a screw-up that goes undiscovered for a while?
... anything.
TFA is a waste of time.
There's no best practice revelations or stuff.
It's just a repeat of what every news site and pundit has said already.
It little behooves the best of us to comment on the rest of us.
> Apart from the fact that you're mixing UPDATE syntax with INSERT syntax
Works in MySQL and MS SQL, YMMV for any other RDBMS.
In regards to both escape_string() and htmlspecialchars(), two words: character sets.
They are not fundamentally any better than addslashes(). They just have a bit more duct tape.
the FBI has officially concluded that the North Korean government is behind the attack.
Due to the sensitive nature of the investigation, you'll have to trust us on this, just like with that other big thing 13 years ago.
“He’s not deformed, he’s just drunk!”
One way to avoid being hacked like this is to not paint a gigantic bulls-eye on your back and beg for attacks.
Am I the only person that thinks it's *not* OK to threaten to kill a head of state? Even if it's a pariah? If a prominent Japanese company made a comedy film about killing a US president, imagine the criminal investigation and outcry there would and should be to punish that company. I thought what Borat did to Kazakhstan was in really bad taste, but this is just ridiculous and way beyond being in really bad taste.
I'm not defending the hackers and I'm certainly not anti-free speech let alone pro-North Korean. I just don't think what Sony did is OK. Hate speech is not protected under the US constitution.
Advice to Sony - change the ending of the movie so everyone can save face - and even come out ahead.
Advice to North Korea - show the world you can take a joke and use this for positive PR.
Advice to hackers - quit being anti-social criminals and get a job.
"The worst invasion of privacy from the Sony hack didn't happen to the executives or the stars; it happened to the blameless random employees who were just using their company's email system. Because of that, they've had their most personal conversations (gossip, medical conditions, love lives) exposed."
What kind of retarded fuckwad uses their COMPANY email to gossip and discuss personal situations?
Fuck them, and they deserve what they get.
You can't air gap that crap and keep it useable, however you could pgp/gpg it. Sure they'd still be able to take it, maybe even grab some keys and decrypted mail, but they'd have to hit a lot more PCs than just the servers.
Might be funny if American hackers (our any hacker that wanted to see 'The Interview') started a game of it. What group can steal the movie and copy it to the most North Korean government PCs.
I for one am waiting to hear what Bennett Haselton has to say.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Like you, I want the facts. I have seen no facts that implicate the DPRK over the people who claimed responsibility initially (GOP). Wired had an article on it two days ago when the first stories started to attempt to pin the hack on the DPRK which has been ignored by all US and UK media. Not only have all US media outlets jumped on the "it was those dirty North Koreans" bandwagon, but the BBC has become complicit in this as well.
In fairness, I was able to do some digging to find more information on the BBC that I could not in US media. Let me go through the evidence and comment on each after that.
Before doing so, let me explain something critical. In order to teach hacking, a person has to have access to the internet. This is a huge dilemma for the DPRK, who has to risk any Internet access with the knowledge that the person with access _WILL_ see information damaging to their loyalty to the DPRK. There are no computer cafes in North Korea where guys can go learn to hack to make a couple extra bucks; in fact, unless you have explicit Government approval you can not have a computer. Even if you are a "tourist" you must have permission and you will not be able to take your laptop wherever you wish.
This means that the only hacking that could come from the DPRK is Government sponsored, and the amount of hackers they have would be tiny. They don't have the money for "new" or unique equipment either, so any computer hardware they have is going to be 2nd hand junk that China no longer wants. What the Military has for hacking tools would be 2nd hand script kiddie tools or, provided by China.
Not only does an extraordinary claim require extraordinary proof, but in this case US Politicians have lied so often I don't trust a damn thing I'm told any longer. Our "media" follows the scripts they are handed just like the politicians, and I don't trust them either. So here is the claim summary.
First, the FBI says its analysis spotted distinct similarities between the type of malware used in the Sony Pictures hack and code used in an attack on South Korea last year.
So we turn to another, better clue: IP addresses - known to be part of "North Korean infrastructure" - formed part of the malware too. This suggests the attack may have been controlled by people who have acted for North Korea in the past.
That's it folks, that is all we have. The "Hacks" last year (actually since 2009) which were never tracked to the DPRK are the first reason they believe this hack was. Wow, that's quite a leap in logic. DarkSeoul is still anonymous and there is no evidence that links them to North Korea. Lots of claims that China is training and letting the DPRK use their resources, but no evidence that the group is even operating out of China. Finally we have IP addresses, which any Script kiddie knows to spoof with someone's IP address you hate! I'm positive that the FBI can not be that goddamn dumb, they have to realize IPs can be spoofed too!
Ok, time to get off my soap box...
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Release the movie as a free download with no strings attached. That should shut up KimNoBalls.
To employees: Don't do personal stuff on the company web.
To companies: Don't overwork employee where they need a company phone, allow home access, VPN, etc...
Rule No. 1 of corporate life:
if you don't want everybody to know about it, don't put it in writing, ever. Yes, SMS/chat/whatever is writing. Even talking on a mobile phone could be "writing".
Work email is for work. I wouldn't want a hacker in my personal business but likewise I wouldn't want the email admin or a person in a position to influence him to be in my personal business either. Keep the two separate. If you are unable to use a web email service or a smartphone (or SSH or a remote desktop type service), that becomes difficult, of course but in that case, be aware of what you're doing and who might have access to it.
Of course, there is the next level, monitoring web access, screen scraping etc. I'm not too worried about that (though it's not like I think it couldn't possibly happen, I just feel the risk is low *enough*) but email is stored and so is vulnerable after the fact.
And too, the places I do use for personal email are potentially vulnerable also but the risks are quite different. Someone cracks my company email server like Sony's was, other people would know my emails were out there to be found. If hotmail (I don't use them) is compromised, it's less likely anyone is going to go looking for my stuff there.
And because people are aholes, I think I'm going to AC this lest I wake up tomorrow to find my life laid out for all to see.
Except it's not going to go out on DVD or any other form whatsoever.
It's very easy these days to have all the accounting software on a separate machine to the one that downloads infected emails - consider remote desktop, citrix, VNC and X windows. If you had "understanding of modern IT" you would have considered them wouldn't you?
The ones where there is only a URL and no payload astonish me - somehow just clicking on the link and letting IE loose on it is enough for the user to infect their machine with a virus. No "do you really want to run this thing as admin" box or anything - immediate infection with no other user interaction. Microsoft have been dealing with the internet for nearly two decades and such a thing can still happen with their software.
north korea? give me a break.
this is the biggest deflection ever.
of course it wasn't their internal security people who were all laid off. no way, I mean the malware had hard coded paths, user IDs and server names, obviously the kind of stuff someone living in NK would be privy to.
but this is the typical inside job == some dude in a cave.
^ Goddamn is this post full of fucking bad advice. All PHP developers please commit ritual suicide immediately, or at the very least STFU about your personal "Worst Practices".
Partially, yes, for three reasons:
So yes, I wholeheartedly dispute your blanket analogy on the grounds that is a flawed analogy, and that we don't know enough about our planet to make any intelligent predictions or models at this time. Indeed, every model we have, when fed historical temperature data, says we should be at much higher temperatures than we are now. Most assume some kind of blanket model, but since none match our measured results, we can conclude that a simple blanket model does not match the complex reality of the systems on Earth.
Beware of bugs in the above code; I have only proved it correct, not tried it.
"Galactica is a reminder of a time when we were so frightened by our enemies that we literally looked backward for protection..."
... and, of course ...
"... But I will not allow a networked, computerized system to be placed on this ship while I am in command."
We live in a world of Cylons.
MediaWiki is written in PHP. Would you really prefer a world without Wikipedia?
Posted as AC, rather than have the info I post end up being used where I used to work; by leaving out my alias that should take care of it...
I worked at a Credit Union with around 10 branches in the USA. I started off as a part time tech, doing lower end stuff. We only had about 2 IT techs and one manager that had very outdated tech experience. Within the first few days I was given Enterprise Admin on the domain. I very quickly noticed a lot of security problems and most all of them they were very aware of but had not addressed. Every single computer (not servers) had Domain Users added to the Administrators group. Not only did this give them Admin on their PC, it gave them Administrative share access to every single normal PC, from the CEO, to my PC, to payroll. I brought this to the attention of the Network Administrator; he knew about it but had never addressed it (or didn't know how). I then noticed the user drives mapped to, say, drive X: where we told people to put their stuff they cared about (so it would be backed up) was a free for all; everyone had at least read access to everyone else's folder. They knew about that too. There was only one network, no VLANs. The tellers were on the same network as the office employee playing on Facebook and installing trojans, along with the core server. The anti-virus solution was like 8 years out of date; while it still got definition updates, they had not made a product by that name in so long it was actually hard to find information on it. The IT Manager's skills honestly were mainly from Novell days, but he had some Server 2000 experience that rolled over to 2003 for the most part.
A few months in I was Network Administrator. First week as Network Admin I took away the local admin from everyone, with only one or two people being affected due to file permissions, which was fixed in a matter of minutes. No one even knew they lost it. I fixed the user share folders so users could only traverse to their directory and fixed the permissions of all of them (a batch file did all the work), never affected a single user. Started fixing a lot of other stuff (some machines missing 100+ updates, all sorts of stuff). Made new domain policies (but the IT Manager kept breaking them and bitching at me; after I told him he had to use Remote Server Administration Tools since the servers were Server 2003 and the policies I was making were aimed at Windows 7, I gave up and resorted to more of a login script that did regedits in place of the policies for the most part). More and more the IT manager didn't understand what was going on.
He decided I had to start doing Request for Change forms.... I was a little annoyed but okay. I filled out one, submitted it... then a few more.. maybe 5 total.. He ignored them for a month.. I didn't know that was an option. I went to the CEO at some point, she had no idea what the hell she was talking about, I left the office figuring I just made a mistake.. She ended up talking to another lady there that knows IT pretty well; a few days later this lady calls me in, we talk and I explain a lot of this.. She is horrified.. Next thing I know they say to write up my own job description and implied he was going to be fired Monday...
Monday came, the CEO backed down they kept him, he is still there to this day and so is a good majority of those security holes, not to mention a ton of bad practices.
My new job while not perfect, they actually understand security, have qualified people, follow PCI Compliance, etc...
How about paying a substantial fraction of what the CEOs get. Won't stop hacking, but while prevention is half the game, motivation would go quite a bit, I think. Personally, I am pretty sure a lot of these 'hacks' are just former employees that got screwed and were offered a whole bunch of money for very little knowledge by someone else. An NDA isn't Captain America's shield when the employee was pretty much broke anyways.
Never play chicken with a passive aggressive.
Or at least your company can. Any network is vulnerable in the sense of someone wandering around campus and finding an unlocked PC, but what you can do from there varies tremendously. Ideally, the company itself doesn't have employees' SSNs or banking information anywhere on its network. Rather, this is handled by a payroll vendor that specializes in handling just that task securely and nothing else. Now you have a much smaller and constantly audited target to hit. Likewise, highly sensitive projects can be siloed in a way that most employees or the intranet can not access them any easier than a random outsider.
Mr. Gingrich obviously never read Schneier's informative and professional response. Doing things like that would only slow Mr. Gingrich down.
No. Mr. Gingrich has made up his mind already and frames as war what is basically a combination of poor security (both protection and response were found to be sub-par), unprofessional conduct (mean-spirited, abusive, and racist comments), user stupidity (entrusting highly personal information to a company email system), and bad luck (being targeted by a persistent and capable attacker).
The only way Mr. Gingrich can achieve his national cyberspace defense "Defending America against foreign enemies is the duty of the United States government." is to monitor all traffic entering and leaving the US plus all internal traffic, and being able to selectively cut any of it off on the basis of suspicion alone. To use Mr. Gingrich's words: "No one should kid themselves.". This is the only possible outcome if his ideas are adopted.
It's like the NSA's dream come true. Not only will they be allowed to tap into everything, Mr. Gingrich's ideas (if adopted) mean that they will now actually be tasked to do that. Plus they get to design and implement some fine-grained kill-switch. Oh, can encrypted communications by private individuals be tolerated? Risky, that. Any non-government or non-whitelisted corporate entity that uses encryption could be a hostile nation in disguise, eh? Best to put a stop to that right now. Or err, risk "losing the cyber war".
How to protect yourself from Sony-style attacks:
Step 1. Don't be Sony.
> Because of that, they’ve had their most personal conversations—gossip,
> medical conditions, love lives—exposed. The press may not have divulged
> this information, but their friends and relatives peeked at it. Hundreds of personal
> tragedies must be unfolding right now. This could be any of us."
No, it could not be any of us. It could be just the ones of us who use the company's email system for gossip, medical conditions, love lives etc. - which is just plainly stupid. Maybe just do not use your company email system for anything other than work related stuff? Maybe if you are sane just don't use the Internet to send your medical data? How hard is that to understand? Just keep your private life separated from work and you shall avoid such trouble.
encouragement of corruption
Or encourages corrupt behaviour.
People resorting to criminal acts to get around new restrictions that were probably not worth implementing in the first place.