funsec mailing list archives

Re: Clinton's Office Says Her Passport Files Also Breached


From: Rich Kulawiec <rsk () gsp org>
Date: Wed, 26 Mar 2008 10:21:53 -0400

Was it really necessary to full-quote nearly 300 lines AND top-post?
Sheesh!  I realize that my words of deathless prose deserve to be
inscribed in stone and thereby preserved for future generations,
but this is really too much. ;-)


"haven't even bothered to notice your name", or what I've been saying
either, wherein lies the entire absurdity of this thread.

No, it's a reflection that I don't know who you are and don't care.  You
could live down the street or work at one of my clients for all I know.
What I do care about is the cavalier attitude toward security and privacy
demonstrated by someone, anyone, who should know much, much better.

That's why I un-attributed this response: it's not about you.  It's not
about me.  It's about our responsibility to not just gloss over things
like this and write them off as "business as usual", but to demand --
of ourselves and of others -- that we and they do better.

One, the absurdity of political candidates falling all over themselves
trying to get to a microphone to get on TV.

Irrelevant to this story.  Candidates are afforded innumerable opportunities
to do so during a presidential campaign (including some they'd no doubt
rather *not* have) and have no need to artificially generate more.

Two, that this is not a *newsworthy* story.

Irrelevant.  The gravity (or lack thereof) is not determined by a story's
newsworthiness, but by its intrinsic merits.  For example, there has been
very little coverage of the RBN in the mainstream media, yet it is arguably
one of the most significant threats to the entire Internet.  On the other
hand, if [celebrity] [foolish action] with [another celebrity] then it
will be on every cable news channel for the next 24-72 hours.

s/celebrity/Paris Hilton/
s/foolish action/belly shots/
s/another celebrity/Gadi Evron/

In the time it took you to type this, [...]

Irrelevant.  Yes, the world keeps marching on, and yes, there are other
problems...but we're not talking about them.

The information in a passport file is really low on the list of systems that
need to be hardened inside the federal government.

You're not in a position to make that call.  That information doesn't
belong to you: it belongs to the people.  And as one of those people,
I consider my personal information (passport or otherwise) to be at the
*top* of the list.

That's true whether the information is held by a government, or a
corporation, or a non-profit, or anyone else.  It is insufficient for
those entities to use a standard of care determined by *their* needs:
it is mandatory that they use a standard of care unilaterally dictated
by the owners of the information.  Failure (massive, repeated failure)
on the part of those entities to grasp this rudimentary point and to
subsequently allocate sufficient resources to implement it is why
incidents like this, or TJX, or any of the others that show up on
"dataloss" or "Pogo was Right" every day continue to happen.

But it's especially important in the case of a government: a government
which cannot master the elementary task of safeguarding the private data
of its own citizens is severely dysfunctional.  It can't govern, at least
not competently.

Even a step further, this shit has taken place in every political campaign
for high office since the dawn of elections... why are we getting bent out
of shape now?

For the same reason(s) we got bent out of shape every other time.

So you misattributed my original post to something I did not intend, made
one character attack about my professionalism [...]

But I really don't care who you are, it's not worth my trouble to find out
or remember.  I care that some random person who claims to have various
security-related certifications has said some appalling things
about a security/privacy issue.  If you were indulging in music criticism
or a discussion of topiary, I probably wouldn't even have noticed or
cared in this context.  (If it was topiary, I probably wouldn't even be
able to tell.)  I expect much, much better of people in this profession.

Unlike the many companies out there who follow up the latest egregious
breach with a press release that says "We take this matter seriously..."
I really *do* take it seriously.  I've fired people for things like this
(and not just those at the bottom of the food chain) because I felt that
it was my responsibility to do so.  Moreover: I regard the fact that it
was *necessary* to fire those people as a prima facie indicator that there
were serious problems that hadn't been addressed: if things were working
the way they should have been, then it would have never been necessary.
This probably means that *I* screwed up.  So it's insufficient to just
discipline those responsible and then go back to work: it's necessary to
understand how things got that way and to do whatever-it-takes to fix it.
And even *that* isn't enough: it's necessary to try, as best as humanly
possible, to anticipate problems like this and design them out.

Those of us who work in the security area should be the most adamant about
protecting private data.  We should be in the front lines fighting for it
at every opportunity.  We should never give anyone (including ourselves)
a free pass.  We should never accept feeble excuses.  It's our social
responsibility, as the people who either have this expertise or claim to
have it or both, to be the vigilant watchdogs -- with a bark and a bite.

---Rsk
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.