Punishing Security Breaches 151
Schneier has a story on his blog this morning about
punishing security breaches. This one is in response to the tale of Gray Powell, the Apple engineer who left an important bit of technology in a bar recently. You might have heard of it. You also might have been on either the breacher or the corporate side. I'd hate to be in either position myself.
Could this be some kind of cleaver marketing ploy? (Score:2, Interesting)
Re:Too Bad We Don't Know Apple's Policies (Score:4, Interesting)
Yeah, I would place him as a mail-room clerk until he proves he can handle sensative information without releasing it to the public.
You know, we get the occaisonal user who manages to get a trojan or a worm on their computer at work. When we get the request ticket in, first thing we do is remotely check their Browser history and cache. Generally it boils down to a Russian or Korean website that was visitted. In some cases, it gets referred to by a rollover ad on a legitamit web page, so we don't punish them, but there are other times when you see them visitting some chinese news blogs about a hundred times a week. In this even, we walk over, unplug everything, and take the tower away, telling them we need to clean it ASAP and we don't want to risk spreading the infection. You or I would know this is highly unlikely, I've never encountered malware that has spread to a network drive, but I wouldn't put it past black hats to do such a thing if they wanted. Then we spend the next day or two cleaning the machine. Yeah, it usually only takes a few hours, slave it on our AV machine. But the idea is to teach them a lesson about visitting those websites. After they've been without their computer for a couple days, we tell them where they got the virus from, and warn them not to visit those sites.
It appears to be working.
The only other situation of security we've really come across was some guy in another department who clearly knew a bit about computers. He managed to tunnel into his own VPN to get past our firewall to run bittorrent and download movies, which he burned onto disc and was selling them apparently. When the IT manager, (My Boss) found out he went into quite a fit, launched a full IT investigation of the whole building, and in the end, so many people in that department were found to be visitting sites they shouldn't be, that half the department was canned.
I think it was a little overboard, but I guess the message was very clearly sent and recieved, that building has had no problems ever since.
hmm (Score:3, Interesting)
Re:Fired and sued (Score:4, Interesting)
In this case, what are the damages exactly?
Re:Gizmodo May Face Felony Charges (Score:5, Interesting)
Re:Gizmodo May Face Felony Charges (Score:4, Interesting)
They paid $5K for the STORY, as registered journalists, and only after discussing this with lawyers, and after both Giz and the device's finder BOTH contacted apple and apple DENIED the prototype being lost. Gizmodo acquired the device under the promise to return it to it's rightful owner should one come forward, and the person who gave them the device could not be blamed for handing it over to an organization with known internal ties at the company.
Gizmodo never bought the phone, only the story. This has been upheld NUMEROUS times in local and federal courts. Thanks for playing...
Re:Gizmodo May Face Felony Charges (Score:3, Interesting)
Meh.. in most cases I would agree with you, but Gizmodo made it known that they had the property (after the finder himself tried to contact Apple), and returned it to the rightful owner when asked. Purchasing the property may have been an offense within the letter of the law, but it's a very weak chain of events for claiming damages when the property was promptly returned.
The only real damage here was the loss of confidentiality. But if Apple didn't want the information in public, they (or Mr. Powell acting as their agent) shouldn't have brought the phone out in public. If they didn't give him permission, then he's really the one to blame. But if they did, which is probably the case, then it was a risk they deemed acceptable. Even if they didn't consider the possibility outright, that would be negligence; i.e. not an excuse.
Something's wierd about this (Score:3, Interesting)
I know Apple is famous for "accidentally" leaking hints of upcoming technologies out to generate buzz, but this is strange. If I were in a highly-competitive market and wanted to not give the Chinese knockoff makers a head start on my design, the last thing I'd do is let it out of the building.
I could see Apple anonmyously leaving photos or spec sheets around. Maybe they might even take a -mock-up- out in the wild like car companies do when they are track-testing a new model. (iPhone in a Samsung case? :-) ) But there's no real reason for them to "field-test" a device like that. Apple has a large corporate campus, and I guarantee they have the strongest ATT signal in the entire country. Plus, if you're testing stuff like GPS, you don't have to go across town, you just have to go across the building. Nah, this guy just had to show his buddies, and he lost it. That really sucks for him, because no matter what actually happened, he's never going to be trusted to work on secret products again. Even if Steve Jobs himself said, "Go take this phone for a spin." and he can prove it, there's always going to be the doubt that he has the self-control to keep quiet about what he's doing.
I know people who work in high-security environments, where they design products in a race to be the first to the Patent Office. Most are absolutely forbidden from even talking about what they're working on. I highly doubt that Pfizer or Bristol-Myers allows their researchers to take their lab notebooks anywhere outside their labs. People desiging the next netbook or mobile phone are in a similar situation -- 10 seconds after a prototype gets out, it will be glommed up, reverse-engineered, and a cheaper faster version will be out a week before yours.
Given all the draconian stuff I've heard about Apple being a wierd place to work, I'm sure they have an incredibly strict policy about secrecy...that is, they control the message, not the employee working on it.
Re:Too Bad We Don't Know Apple's Policies (Score:3, Interesting)
> Regardless of how lax their security measures are you might
> misplace a phone while drinking so don't bring it drinking!
> If you want to or accidentally take it drinking, you're
> accepting the risks.
Unless one of the reasons you have the thing is to test it under "realistic conditions".
If that's the reason Apple let him off their campus with the iPhone prototype (and, given how they camouflaged it as a 3G, I's say it was meant to be used where random non-Apple people would see it) then I'd say he did exactly what he was supposed to do... tested the remote disabling function by getting shitfaced and losing "his" phone.