The Macrosite for News, Analysis and Opinion about the Future of the Internet

Web 2.0's Security Infotainment

Written by Paul Doyle
7/21/2008 7 comments

Does the name Terry Childs mean anything to you? What about Roger Duronio? Chris Harn or Jerome Kerviel? How about Marie Lupe Cooley?

They are all examples of trusted insiders alleged to have gone bad -- to have abused their positions for personal gain, financial benefit, or, in some instances, simple gratification or revenge. And they're all making big headlines.

These fascinating cases are a new entertainment form brought to you courtesy of Web 2.0.

Childs holds the virtual keys to the city. Though he has pleaded not guilty to all sorts of malfeasance, he is still being paid his $127,735 annual salary as a network administrator in the City of San Francisco's technology department.

Childs is alleged to have manipulated the system to give him singular control of the city's new FiberWAN network -- the backbone of the city's applications and data management systems -- controlling an estimated 60 percent of all its data, including public safety, law enforcement, payroll, and email. This story is a great big jelly doughnut -- take even a small bite and some of the filling invariably squirts out in all directions. Messy but good! In the meantime, everybody else is locked out of the city's system and networks.

Here's San Francisco Mayor Gavin Newsom's spin: "There's nothing to be alarmed about, save the inability to get into the system and tweak the system. Nothing dramatic has changed in terms of our ability to govern the city."

Really? So why the $5 million bail for Childs? Why all the stories in the media? Why the press conference by the District Attorney's office?

The mayor has said that the city has brought in experts from Cisco to help them solve the problem. They are hoping to break into the network. How beautifully ironic... only the bad guy can get in.

According to San Francisco's mayor, if the experts cannot get in, the entire network may have to be rebuilt, which will take at least eight weeks, at significant expense. Wow! One guy seems to have caused quite a problem. Or has he? Blogger Paul Venezia is not convinced it's that big a deal. If his assumptions are close to being right, he suggests that he could fix the problem in less than a day, saying it can't be as hard as it sounds. However, it also can't be all that easy, because the problem persists.

One quick conclusion: Security is a media event that can quickly become a feeding frenzy. Dozens and dozens of stories have run in major tech news venues. Just Google "Terry Childs" and see for yourself. As a security professional, be sure to keep this in mind: Today's breach is tomorrow's headline.

These kinds of stories expose the many new realities of IT, info-security, and today's networked world. They include trusted insiders; public figureheads; mainstream media; the blogosphere; network architecture and design; business continuity and disaster recovery; risk analysis; the legal process, and probably at least a dozen more.

Here is another conclusion: The notion of a completely trustworthy insider has been assaulted. And the price will be paid by every legitimate and trustworthy insider out there. So as a trusted insider, the question now becomes, how would you prove your own good conduct?

There are several other takeaways here. First, it shows how vulnerable systems and networks really are. Second, it erodes the inherent trust that insiders receive -- but maybe this is a good thing after all. The kneejerk response to this supposition from the security community is likely to be "What, are you crazy?" Should everyone, even IT insiders, be continually under suspicion, or do we really need to be able to trust someone? Email me here and let me know. I'll report back after compiling the results and give you my perspective as well.

— Paul Doyle, independent consultant and co-founder of the Information Assurance Consortium

This blog is part of Internet Evolution’s Security Clan, which looks at the present and future threats to Internet security and the methods being used to defend and protect users and organizations. Register here to join the Security Clan, and you might become eligible to win one of our limited edition T-shirts. Or maybe a padlock. Use it to conceal that Post-It with all your passwords on it.

Paul Doyle (Thinkernetter), Monday July 28, 2008 1:46:17 AM

This is an iceberg of an issue. The part that people seem to focus on is the minority: that which is in plain sight, easy to see and identify. There is SO much more below the surface, and if we don't actively look for it, we run the risk of being sunk by that which is just beyond our immediate vision or cursory effort. From a probability perspective, it is a "prove the negative" problem for trusted insiders... how do you prove you did not do something when you possess the knowledge, skill, and access, and someone else believes you have the motive... especially for the most competent IT and infosec professionals?


Terry Childs is undergoing two trials right now, considering we all sit in the court of public opinion. Is Terry being treated fairly, or is he being set up? We don't have enough of the facts. What if it were you? What if somehow things started going very "wrong" at work and all the indications pointed to you? By coincidence, today there was a headline of an injustice done 60 years ago to Samuel Snow (link: http://seattlepi.nwsource.com/local/372448_snow28.html). While, yes, this might be an extreme example, ask yourself what you would do if the 'powers-that-be' wanted you to be seen as nefarious and judged the 'guilty party'? What if someone truly nefarious selected you as their scapegoat? Bad people tend not to care about hurting the innocent.

Speak up!  Give this some thought and then give us your answers.

Paul Doyle (Thinkernetter), Monday July 28, 2008 1:10:01 AM

Trust is a funny thing. It is a word that gets used a LOT in security, but my sense is that few have thought deeply about it... and the implications of trust or trusting. Trust involves giving away control... and taking risk. In the Terry Childs case, my question is "Why?" What was behind the act of trusting Terry... and who ultimately deserves responsibility for the failure?
Michael Singer (IQ Crew), Tuesday July 22, 2008 3:16:33 PM

Paul,

In the Terry Childs case you certainly have a big fat warning sign.

From the article: "His supervisors' concerns grew when they discovered he had given himself exclusive access to the system and had developed a way to spy on his bosses' e-mails related to his conduct."

More subtle are the new tools that IT department staffers are using on each other, like PhishMe.

A great quote comes to mind here:

"Anyone who goes through life trusting people without making sure they are worthy of trust is a fool. Yet there are people who may be trusted, men as well as women. There are as many differences in their natures as there are flowers in these meadows."

-- Elizabeth Aston, The Exploits & Adventures of Miss Alethea Darcy, 2005

Mr. Roques (Researcher), Tuesday July 22, 2008 9:58:26 AM

It's true, there needs to be a trusting employer/employee relationship, but no one can be that naive.
hounhosp (Researcher), Monday July 21, 2008 6:35:00 PM

Even if security threats can come from inside the company, that is no reason for the company to become a place where employees are subject to constant suspicion. The success of an enterprise depends on the trust relationship between all the employees and the staff. The only thing that can be done is to enforce the security policies and help everyone abide by those policies through frequent controls and audits.

In the case of Jerome Kerviel, whom you mentioned, it was proved that his intention was not to make a personal profit, but rather to recover from losses that he had accumulated over the years, which his supervisors should have discovered if they had been more vigilant.

Mr. Roques (Researcher), Monday July 21, 2008 4:19:20 PM

Just last week, the former VP of HP who was accused of releasing confidential information from his former employer, IBM, pleaded guilty.

Corporate spying is getting more and more difficult to detect as the technology to prevent it is always at least one step behind.

Mary Jander (Thinkernetter), Monday July 21, 2008 3:12:53 PM

I'm left wondering how I'd prove my safety as a trusted user, and I'm stumped. I mean, even signing a contract doesn't ensure that a network admin won't go berserk or hold an organization hostage.

Just HOW would one prove their trustworthiness?
