funsec mailing list archives
Re: Clinton's Office Says Her Passport Files Also Breached
From: Rich Kulawiec <rsk () gsp org>
Date: Wed, 26 Mar 2008 10:21:53 -0400
Was it really necessary to full-quote nearly 300 lines AND top-post? Sheesh! I realize that my words of deathless prose deserve to be inscribed in stone and thereby preserved for future generations, but this is really too much. ;-)
> "haven't even bothered to notice your name", or what I've been saying either, wherein lies the entire absurdity of this thread.
No, it's a reflection that I don't know who you are and don't care. You could live down the street or work at one of my clients for all I know. What I do care about is the cavalier attitude toward security and privacy demonstrated by someone, anyone, who should know much, much better. That's why I un-attributed this response: it's not about you. It's not about me. It's about our responsibility to not just gloss over things like this and write them off as "business as usual", but to demand -- of ourselves and of others -- that we and they do better.
> One, the absurdity of political candidates falling all over themselves trying to get to a microphone to get on TV.
Irrelevant to this story. Candidates are afforded innumerable opportunities to do so during a presidential campaign (including some they'd no doubt rather *not* have) and have no need to artificially generate more.
> Two, that this is not a *newsworthy* story.
Irrelevant. The gravity (or lack thereof) is not determined by a story's newsworthiness, but by its intrinsic merits. For example, there has been very little coverage of the RBN in the mainstream media, yet it is arguably one of the most significant threats to the entire Internet. On the other hand, if [celebrity] [foolish action] with [another celebrity] then it will be on every cable news channel for the next 24-72 hours. s/celebrity/Paris Hilton/ s/foolish action/belly shots/ s/another celebrity/Gadi Evron/
> In the time it took you to type this, [...]
Irrelevant. Yes, the world keeps marching on, and yes, there are other problems...but we're not talking about them.
> The information in a passport file is really low on the list of systems that need to be hardened inside the federal government.
You're not in a position to make that call. That information doesn't belong to you: it belongs to the people. And as one of those people, I consider my personal information (passport or otherwise) to be at the *top* of the list. That's true whether the information is held by a government, or a corporation, or a non-profit, or anyone else. It is insufficient for those entities to use a standard of care determined by *their* needs: it is mandatory that they use a standard of care unilaterally dictated by the owners of the information. Failure (massive, repeated failure) on the part of those entities to grasp this rudimentary point and to subsequently allocate sufficient resources to implement it is why incidents like this, or TJX, or any of the others that show up on "dataloss" or "Pogo was Right" every day continue to happen. But it's especially important in the case of a government: a government which cannot master the elementary task of safeguarding the private data of its own citizens is severely dysfunctional. It can't govern, at least not competently.
> Even a step further, this shit has taken place in every political campaign for high office since the dawn of elections... why are we getting bent out of shape now?
For the same reason(s) we got bent out of shape every other time.
> So you misattributed my original post to something I did not intend, made one character attack about my professionalism [...]
But I really don't care who you are, it's not worth my trouble to find out or remember. I care that some random person who claims to have various security-related certifications has said some appalling things about a security/privacy issue. If you were indulging in music criticism or a discussion of topiary, I probably wouldn't even have noticed or cared in this context. (If it was topiary, I probably wouldn't even be able to tell.)

I expect much, much better of people in this profession. Unlike the many companies out there who follow up the latest egregious breach with a press release that says "We take this matter seriously..." I really *do* take it seriously. I've fired people for things like this (and not just those at the bottom of the food chain) because I felt that it was my responsibility to do so. Moreover: I regard the fact that it was *necessary* to fire those people as a prima facie indicator that there were serious problems that hadn't been addressed: if things were working the way they should have been, then it would have never been necessary. This probably means that *I* screwed up. So it's insufficient to just discipline those responsible and then go back to work: it's necessary to understand how things got that way and to do whatever-it-takes to fix it. And even *that* isn't enough: it's necessary to try, as best as humanly possible, to anticipate problems like this and design them out.

Those of us who work in the security area should be the most adamant about protecting private data. We should be in the front lines fighting for it at every opportunity. We should never give anyone (including ourselves) a free pass. We should never accept feeble excuses. It's our social responsibility, as the people who either have this expertise or claim to have it or both, to be the vigilant watchdogs -- with a bark and a bite.

---Rsk

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- Clinton's Office Says Her Passport Files Also Breached Paul Ferguson (Mar 21)
- Re: Clinton's Office Says Her Passport Files Also Breached John C. A. Bambenek, GCIH, CISSP (Mar 21)
- <Possible follow-ups>
- Re: Clinton's Office Says Her Passport Files Also Breached Paul Ferguson (Mar 21)
- Re: Clinton's Office Says Her Passport Files Also Breached John C. A. Bambenek, GCIH, CISSP (Mar 21)
- Re: Clinton's Office Says Her Passport Files Also Breached Rich Kulawiec (Mar 21)
- Re: Clinton's Office Says Her Passport Files Also Breached John C. A. Bambenek, GCIH, CISSP (Mar 21)
- Re: Clinton's Office Says Her Passport Files Also Breached Rich Kulawiec (Mar 22)
- Re: Clinton's Office Says Her Passport Files Also Breached John C. A. Bambenek, GCIH, CISSP (Mar 22)
- Re: Clinton's Office Says Her Passport Files Also Breached Dennis Henderson (Mar 22)
- Re: Clinton's Office Says Her Passport Files Also Breached Rich Kulawiec (Mar 26)