
Punishing Security Breaches

Posted by CmdrTaco
from the it-has-to-happen dept.
Schneier has a story on his blog this morning about punishing security breaches. This one is in response to the tale of Gray Powell, the Apple engineer who left an important bit of technology in a bar recently. You might have heard of it. You also might have been on either the breacher or the corporate side. I'd hate to be in either position myself.

  • by willabr (684561) on Monday April 26, 2010 @11:18AM (#31984720)
    I wonder if this was a way to let people know another one is on the way. The way the "Blogosphere" is intentionally manipulated by corporations is obvious to me. This whole scenario seems unlikely to me.
  • by Monkeedude1212 (1560403) on Monday April 26, 2010 @11:30AM (#31984860) Journal

    Yeah, I would place him as a mail-room clerk until he proves he can handle sensitive information without releasing it to the public.

    You know, we get the occasional user who manages to get a trojan or a worm on their computer at work. When we get the request ticket in, the first thing we do is remotely check their browser history and cache. Generally it boils down to a Russian or Korean website that was visited. In some cases, it gets referred to by a rollover ad on a legitimate web page, so we don't punish them, but there are other times when you see them visiting some Chinese news blogs about a hundred times a week. In this event, we walk over, unplug everything, and take the tower away, telling them we need to clean it ASAP and we don't want to risk spreading the infection. You or I would know this is highly unlikely; I've never encountered malware that has spread to a network drive, but I wouldn't put it past black hats to do such a thing if they wanted. Then we spend the next day or two cleaning the machine. Yeah, it usually only takes a few hours, slave it on our AV machine. But the idea is to teach them a lesson about visiting those websites. After they've been without their computer for a couple of days, we tell them where they got the virus from, and warn them not to visit those sites.

    It appears to be working.

    The only other security situation we've really come across was some guy in another department who clearly knew a bit about computers. He managed to tunnel into his own VPN to get past our firewall to run BitTorrent and download movies, which he burned onto disc and was apparently selling. When the IT manager (my boss) found out, he went into quite a fit, launched a full IT investigation of the whole building, and in the end so many people in that department were found to be visiting sites they shouldn't be that half the department was canned.

    I think it was a little overboard, but I guess the message was very clearly sent and received; that building has had no problems ever since.

  • hmm (Score:3, Interesting)

    by nomadic (141991) <nomadicworld@gma ... inus threevowels> on Monday April 26, 2010 @11:35AM (#31984916) Homepage
    As much as everyone had been beating up on gizmodo for leaking this guy's name, I would not be surprised if the only reason he kept his job was because of the publicity.
  • Re:Fired and sued (Score:4, Interesting)

    by timeOday (582209) on Monday April 26, 2010 @11:39AM (#31984956)

    Next you sue them for major damages. Make an example out of them.

    In this case, what are the damages exactly?

  • by carvalhao (774969) on Monday April 26, 2010 @11:41AM (#31985004) Journal
    Well, since that model of iPhone hasn't been released yet, how can you prove that it's over $950?
  • by Sandbags (964742) on Monday April 26, 2010 @11:44AM (#31985060) Journal

    They paid $5K for the STORY, as registered journalists, and only after discussing this with lawyers, and after both Giz and the device's finder BOTH contacted Apple and Apple DENIED the prototype being lost. Gizmodo acquired the device under the promise to return it to its rightful owner should one come forward, and the person who gave them the device could not be blamed for handing it over to an organization with known internal ties at the company.

    Gizmodo never bought the phone, only the story. This has been upheld NUMEROUS times in local and federal courts. Thanks for playing...

  • by StikyPad (445176) on Monday April 26, 2010 @12:08PM (#31985374) Homepage

    Meh.. in most cases I would agree with you, but Gizmodo made it known that they had the property (after the finder himself tried to contact Apple), and returned it to the rightful owner when asked. Purchasing the property may have been an offense within the letter of the law, but it's a very weak chain of events for claiming damages when the property was promptly returned.

    The only real damage here was the loss of confidentiality. But if Apple didn't want the information in public, they (or Mr. Powell acting as their agent) shouldn't have brought the phone out in public. If they didn't give him permission, then he's really the one to blame. But if they did, which is probably the case, then it was a risk they deemed acceptable. Even if they didn't consider the possibility outright, that would be negligence; i.e. not an excuse.

  • by ErichTheRed (39327) on Monday April 26, 2010 @12:38PM (#31985686)

    I know Apple is famous for "accidentally" leaking hints of upcoming technologies out to generate buzz, but this is strange. If I were in a highly-competitive market and wanted to not give the Chinese knockoff makers a head start on my design, the last thing I'd do is let it out of the building.

    I could see Apple anonymously leaving photos or spec sheets around. Maybe they might even take a -mock-up- out in the wild like car companies do when they are track-testing a new model. (iPhone in a Samsung case? :-) ) But there's no real reason for them to "field-test" a device like that. Apple has a large corporate campus, and I guarantee they have the strongest AT&T signal in the entire country. Plus, if you're testing stuff like GPS, you don't have to go across town, you just have to go across the building. Nah, this guy just had to show his buddies, and he lost it. That really sucks for him, because no matter what actually happened, he's never going to be trusted to work on secret products again. Even if Steve Jobs himself said, "Go take this phone for a spin," and he can prove it, there's always going to be the doubt that he has the self-control to keep quiet about what he's doing.

    I know people who work in high-security environments, where they design products in a race to be the first to the Patent Office. Most are absolutely forbidden from even talking about what they're working on. I highly doubt that Pfizer or Bristol-Myers allows their researchers to take their lab notebooks anywhere outside their labs. People designing the next netbook or mobile phone are in a similar situation -- 10 seconds after a prototype gets out, it will be glommed up, reverse-engineered, and a cheaper, faster version will be out a week before yours.

    Given all the draconian stuff I've heard about Apple being a weird place to work, I'm sure they have an incredibly strict policy about secrecy... that is, they control the message, not the employee working on it.

  • by c (8461) <beauregardcp@gmail.com> on Monday April 26, 2010 @12:39PM (#31985698)

    > Regardless of how lax their security measures are you might
    > misplace a phone while drinking so don't bring it drinking!
    > If you want to or accidentally take it drinking, you're
    > accepting the risks.

    Unless one of the reasons you have the thing is to test it under "realistic conditions".

    If that's the reason Apple let him off their campus with the iPhone prototype (and, given how they camouflaged it as a 3G, I'd say it was meant to be used where random non-Apple people would see it), then I'd say he did exactly what he was supposed to do... tested the remote disabling function by getting shitfaced and losing "his" phone.
