The Macrosite for News, Analysis and Opinion about the Future of the Internet

Web 2.0's Security Infotainment

Written by Paul Doyle
7/21/2008 7 comments

Does the name Terry Childs mean anything to you? What about Roger Duronio? Chris Harn or Jerome Kerviel? How about Marie Lupe Cooley?

They are all examples of trusted insiders alleged to have gone bad -- to have abused their positions for personal gain, financial benefit, or, in some instances, simple gratification or revenge. And they're all making big headlines.

These fascinating cases are a new entertainment form brought to you courtesy of Web 2.0.

Childs holds the virtual keys to the city. Though he has pleaded not guilty to the charges against him, he is still drawing his $127,735 annual salary as a network administrator in the City of San Francisco's technology department.

Childs is alleged to have manipulated the system to give himself sole control of the city's new FiberWAN network, the backbone of the city's applications and data management systems, which carries an estimated 60 percent of all its data, including public safety, law enforcement, payroll, and email. In the meantime, everybody else is locked out of the city's systems and networks. This story is a great big jelly doughnut: take even a small bite and some of the filling invariably squirts out in all directions. Messy but good!

Here's San Francisco Mayor Gavin Newsom's spin: "There's nothing to be alarmed about, save the inability to get into the system and tweak the system. Nothing dramatic has changed in terms of our ability to govern the city."

Really? So why the $5 million bail for Childs? Why all the stories in the media? Why the press conference by the District Attorney's office?

The mayor has said that the city has brought in experts from Cisco to help solve the problem; they are hoping to break into the network. How beautifully ironic: only the accused can get in.

According to the mayor, if the experts cannot get in, the entire network may have to be rebuilt, which would take at least eight weeks and cost a significant amount. Wow! One guy seems to have caused quite a problem. Or has he? Blogger Paul Venezia is not convinced it is that big a deal. If his assumptions are close to right, he suggests, the problem could be fixed in less than a day; it can't be as hard as it sounds. Then again, it can't be all that easy, because the problem persists.

One quick conclusion: security is a media event that can quickly become a feeding frenzy. Dozens of stories have run in the major tech news venues; just Google "Terry Childs" and see for yourself. As a security professional, keep this in mind: today's breach is tomorrow's headline.

Stories like these expose the many new realities of IT, information security, and today's networked world: trusted insiders, public figureheads, mainstream media, the blogosphere, network architecture and design, business continuity and disaster recovery, risk analysis, the legal process, and probably at least a dozen more.

Here is another conclusion: the notion of the completely trustworthy insider has taken a beating, and the price will be paid by every legitimate, trustworthy insider out there. So as a trusted insider, the question becomes: how would you prove your own good conduct?

There are several other takeaways. First, the case shows how vulnerable systems and networks really are, and not because of a software flaw: the weakness here is administrative control concentrated in one person, with no second set of hands able to get in. Second, it erodes the inherent trust that insiders receive, though maybe that is a good thing after all. The kneejerk response from the security community is likely to be "What, are you crazy?" Should everyone, even IT insiders, be continually under suspicion, or do we really need to be able to trust someone? Email me here and let me know. I'll report back after compiling the results and give you my perspective as well.
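The condition the Childs story describes, one account able to configure a device with nobody else able to get in, is something an organization can check for on its own inventory before it becomes a headline. The script below is an added example written for this article; it is not code from the original post or from the City of San Francisco. It audits a constructed device inventory for devices with a single configuring admin, for missing or stale configuration backups, for backups that only the sole admin can reach, and for the share of devices any one account solely controls. The inventory format, the device and account names, the dates and the seven-day backup window are all assumptions made for the illustration.

```python
"""Added example (not code from the original post): audit an inventory of
network devices for concentration of administrative control.

Assumptions (not from the article): the inventory format below, the device
and account names, the dates and the backup-age threshold are invented.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    name: str
    config_admins: FrozenSet[str]          # accounts that can change the running config
    last_config_backup: Optional[date]     # when a config copy was last taken off-box
    backup_custodians: FrozenSet[str] = frozenset()  # accounts that can reach that copy


Finding = Tuple[str, str, str]  # (device, finding code, detail)


def audit_inventory(devices: List[Device], today: date,
                    backup_max_age_days: int = 7) -> List[Finding]:
    """Return findings that indicate a single point of administrative control."""
    findings: List[Finding] = []
    for d in devices:
        if not d.config_admins:
            findings.append((d.name, "no-admin", "no account can configure this device"))
        elif len(d.config_admins) == 1:
            only = next(iter(d.config_admins))
            findings.append((d.name, "single-admin", f"only {only} can configure this device"))

        if d.last_config_backup is None:
            findings.append((d.name, "no-backup", "no off-box copy of the configuration"))
        else:
            age = (today - d.last_config_backup).days
            if age > backup_max_age_days:
                findings.append((d.name, "stale-backup", f"last backup is {age} days old"))
            # A backup only reduces the concentration if someone other than
            # the sole admin can actually reach it.
            if (len(d.config_admins) == 1 and d.backup_custodians
                    and d.backup_custodians <= d.config_admins):
                findings.append((d.name, "backup-same-custodian",
                                 "only the sole admin can reach the backup"))
    return findings


def sole_control_share(devices: List[Device]) -> Dict[str, float]:
    """Fraction of the inventory each account solely controls."""
    counts: Dict[str, int] = {}
    for d in devices:
        if len(d.config_admins) == 1:
            only = next(iter(d.config_admins))
            counts[only] = counts.get(only, 0) + 1
    total = len(devices)
    return {acct: n / total for acct, n in counts.items()} if total else {}


# Constructed inventory for illustration; names and dates are invented.
SAMPLE_INVENTORY = [
    Device("core-fiberwan-1", frozenset({"netadmin1"}), None),
    Device("core-fiberwan-2", frozenset({"netadmin1"}), date(2008, 5, 1),
           backup_custodians=frozenset({"netadmin1"})),
    Device("dist-sw-1", frozenset({"netadmin1", "netadmin2"}), date(2008, 7, 18)),
    Device("edge-rtr-9", frozenset({"netadmin2", "netadmin3"}), date(2008, 7, 20)),
]
AUDIT_DATE = date(2008, 7, 21)


if __name__ == "__main__":
    for device, code, detail in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE):
        print(f"{device:18} {code:22} {detail}")
    for acct, share in sole_control_share(SAMPLE_INVENTORY).items():
        print(f"{acct} solely controls {share:.0%} of the inventory")
```

On the constructed inventory the two core devices are the ones that would lock everybody else out: both have a single configuring account, one has no off-box configuration at all, and the other's only backup copy is held by that same account and is months old. The point of the custodian check is that a backup someone else cannot reach is no escape hatch when that someone is the person being investigated.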

— Paul Doyle, independent consultant and co-founder of the Information Assurance Consortium

This blog is part of Internet Evolution’s Security Clan, which looks at the present and future threats to Internet security and the methods being used to defend and protect users and organizations. Register here to join the Security Clan, and you might become eligible to win one of our limited edition T-shirts. Or maybe a padlock. Use it to conceal that Post-It with all your passwords on it.

Paul Doyle
Thinkernetter
Monday July 28, 2008 1:46:17 AM

This is an iceberg of an issue.  The part that people seem to focus on is the minority.  That which is in plain sight, easy to see and identify.  There is SO much more below the surface and if we don't actively look for it, we run the risk of being sunk by that which is just beyond our immediate vision or cursory effort.  From a probability perspective, it is a "prove the negative" problem for trusted insiders....how do you prove you did not do something when you possess the knowledge, skill, access and someone else believes you have the motive...especially for the most competent IT and infosec professionals? 


Terry Childs is undergoing two trials right now, considering we all sit in the court of public opinion.  Is Terry being treated fairly or is he being set up?  We don't have enough of the facts.  What if it were you?  What if somehow things started going very "wrong" at work and all the indications pointed to you?  By coincidence, today there was a headline of injustice done 60 years ago to Samuel Snow (link: http://seattlepi.nwsource.com/local/372448_snow28.html).  While, yes, this might be an extreme example, ask yourself what you would do if the 'powers-that-be' wanted you to be seen as nefarious and judged the 'guilty party'?  What if someone truly nefarious selected you as their scapegoat?  Bad people tend not to care about hurting the innocent.

Speak up!  Give this some thought and then give us your answers.

Paul Doyle
Thinkernetter
Monday July 28, 2008 1:10:01 AM
Trust is a funny thing.  It is a word that gets used a LOT in security, but my sense is that few have thought deeply about it....and the implications of trust or trusting.  Trust involves giving away control....and taking risk.  In the Terry Childs case, my question is "Why?".  What was behind the act of trusting Terry...and who ultimately deserves responsibility for the failure?
Michael Singer
IQ Crew
Tuesday July 22, 2008 3:16:33 PM

Paul,

In the Terry Childs case you certainly have a big fat warning sign.

From the article: "His supervisors' concerns grew when they discovered he had given himself exclusive access to the system and had developed a way to spy on his bosses' e-mails related to his conduct."

More subtle are the new tools that IT department staffers are using on each other, like PhishMe.

A great quote comes to mind here:

"Anyone who goes through life trusting people without making sure they are worthy of trust is a fool. Yet there are people who may be trusted, men as well as women. There are as many differences in their natures as there are flowers in these meadows."

-- Elizabeth Aston, The Exploits & Adventures of Miss Alethea Darcy, 2005

Mr. Roques
Researcher
Tuesday July 22, 2008 9:58:26 AM
It's true, there needs to be a trusting employer/employee relationship but no one can be that naive.
hounhosp
Researcher
Monday July 21, 2008 6:35:00 PM

Even if security threats could come from inside the company, it is not for that reason that the company should be a place where employees are subject to constant suspicion. The success of an enterprise depends on the trust relationship between all the employees and the staff. The only thing that could be done is to enforce the security policies and help everyone abide by those policies by doing frequent controls and audits.

In the case of Jerome Kerviel you mentioned, it was proved that his intentions were not to make personal profits, but rather that he was trying to recover from losses he had accumulated over the years, which his supervisors should have discovered had they been more vigilant.

Mr. Roques
Researcher
Monday July 21, 2008 4:19:20 PM

Just last week, the former VP of HP who was accused of releasing confidential information from his former employer, IBM, pleaded guilty.

Corporate spying is getting more and more difficult to detect as the technology to prevent it is always at least one step behind.

Mary Jander
Thinkernetter
Monday July 21, 2008 3:12:53 PM

I'm left wondering how I'd prove my safety as a trusted user, and I'm stumped. I mean, even signing a contract doesn't ensure that a network admin won't go berserk or hold an organization hostage.

Just HOW would one prove their trustworthiness?

The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.