Slashdot Mirror


Schneier Explains How To Protect Yourself From Sony-Style Attacks (You Can't)

phantomfive writes: Bruce Schneier has an opinion piece discussing the Sony attack. He says, "Your reaction to the massive hacking of such a prominent company will depend on whether you're fluent in information-technology security. If you're not, you're probably wondering how in the world this could happen. If you are, you're aware that this could happen to any company." He continues, "The worst invasion of privacy from the Sony hack didn’t happen to the executives or the stars; it happened to the blameless random employees who were just using their company’s email system. Because of that, they’ve had their most personal conversations—gossip, medical conditions, love lives—exposed. The press may not have divulged this information, but their friends and relatives peeked at it. Hundreds of personal tragedies must be unfolding right now. This could be any of us." Related: the FBI has officially concluded that the North Korean government is behind the attack.

12 of 343 comments

  1. Official Conclusion by Anonymous Coward · · Score: 5, Insightful

    Nobody mentioned "The Interview" or North Korea until days after the attack, then it simply appeared from nowhere and asserted itself as the truth. The emails from the hackers are in the stash, and reputable sources who have time to read such things have reported that not a single email from GOP prior to the release mentioned The Interview, only demands for money.

    1. Re:Official Conclusion by xaotikdesigns · · Score: 4, Insightful

      Step one: Extort a hell of a lot of money.
      Step two: Wait for the press to guess who is behind it all.
      Step three: Take their wild guesses and run with them. Cause as much chaos as you can.
      Step four: While everybody is looking at the wrong people, gather up all the money/info you can sell, and disappear.

      --
      XDInd
  2. Blameless employees? by Spy+Handler · · Score: 4, Insightful

    it happened to the blameless random employees who were just using their company's email system. Because of that, they've had their most personal conversations -- gossip, medical conditions, love lives -- exposed

    If you were using your company's Exchange server for gossiping and thought it was safe (i.e. the IT department would never have access to this, oh no) then you're stupid and deserve whatever fate you get.

    I can sympathize with the people whose SS numbers were stolen out of no fault of their own. But Amy Pascal making Obama black jokes on company email was just stupid as hell and she deserves whatever scorn people will heap on her.

  3. Re:You can stop those type of attacks by phantomfive · · Score: 5, Insightful

    Security is not easy, but it can be done

    Probably not. Do you think your Linux box has no vulnerabilities? (hint: it does). Even if you run OpenBSD (which still has vulnerabilities), are the employees at your company going to use a browser? That will have vulnerabilities, too.

    Which brings us to the biggest security vulnerability, employees. Remember that the most valuable information a company has isn't the root password, it's the documents and emails the employees are working on and have access to.

    So not only do you need to have a perfectly secure operating system (which doesn't exist), you're also going to need secure employees. Good luck at that.

    --
    "First they came for the slanderers and I said nothing."
  4. Re:Sure... by EndlessNameless · · Score: 5, Insightful

    If you air gap email and financial systems, you're stepping right back into the mid-1900s. Back when it took an entire office of secretaries to process correspondence, and another office full of accountants to handle billing and ledgers. Because if those systems are disconnected, someone will have to transfer reams of data in and out of them. That is no longer feasible.

    Your suggestion is so completely impractical, I wonder why you joined slashdog in the first place. You clearly have no understanding of modern IT.

    --
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  5. Re:Sure... by the_B0fh · · Score: 4, Insightful

    Seriously? Keeping your personnel files on paper and not the computer? And you think getting checks is slow now? BWAHAHAHAHA

  6. Re:Sure... by mythosaz · · Score: 5, Insightful

    No, foo. It's called basic common sense -- keeping confidential medical records, SSNs, and personnel files in paper format only, and not allowing them to be scanned or placed in a system connected to the general business intranet, or "the cloud".

    Oh man, you had me going there for a second. I almost thought you were serious.

    Let's all go back to using a typewriter to file our taxes, and when my small-town radiologist wants a consulting opinion on my X-ray, let's have a courier drive it into metropolis for him. He can use a quill to write down his diagnosis and seal the letter with wax and a stamp from his ring.

  7. Re:Sure... by Nutria · · Score: 5, Insightful

    Keeping your personnel files on paper and not the computer?

    Of course, there's always keep your personal shit off the company servers!!! And keep what you do write in company documents at a professional tone.

    That would sure have mitigated a whole lot of personal pain by these supposedly blameless Sony employees.

    --
    "I don't know, therefore Aliens" Wafflebox1
  8. Re:Sure... by DougOtto · · Score: 5, Insightful

    Unfortunately, security is a cost center, not a profit center. That doesn't sit well with the MBA types. Security does not support the success of a business in any obvious way - so we have to use metrics to show value.

    --
    Solving Unix problems since 1989...
  9. Re:Sure... by ColdWetDog · · Score: 4, Insightful

    Every. Fucking. Hospital. Everywhere.

    The only thing that keeps this from being a problem is that the gory details of most people's lives are really not interesting to anybody and they are hard to monetize. I would imagine that hospitals and clinics around Hollywood have been hit multiple times. If you are a 'high value target', i.e., nobody here on Slashdot, I'd be worried.

    Very worried.

    --
    Faster! Faster! Faster would be better!
  10. Re:Sure... by ColdWetDog · · Score: 4, Insightful

    Really. This. How hard is it NOT to flame people on a COMPANY EMAIL system? Even if some hacker doesn't get to you, your boss or some HR flunky might. Leave the immature conversations to places like Slashdot. It's what we do ....

    --
    Faster! Faster! Faster would be better!
  11. Re:Sure... by ZeroPly · · Score: 4, Insightful

    No. Security is NOT a profit center. If you think it is, then you are not understanding what the term "profit center" means. A profit center for a decentralized business generates revenues as well as incurs expenses. Most IT departments are not profit centers BY DEFINITION.

    --
    Support microSD: in a post 9/11 world, it is unwise to carry your data on media that you cannot comfortably swallow.