Punishing Security Breaches

Schneier has a story on his blog this morning about punishing security breaches. This one is in response to the tale of Gray Powell, the Apple engineer who left an important bit of technology in a bar recently. You might have heard of it. You also might have been on either the breacher or the corporate side. I'd hate to be in either position myself.

Too Bad We Don't Know Apple's Policies

[eldavojohn]

If someone wants to take something classified out of a top secret military compound, he might have to secrete it on his person and deliberately sneak it past a guard who searches briefcases and purses. He might be committing a crime by doing so ...

Are you joking? Try losing their security clearance, being court marshaled and a probable investigation into 1) what motive you had removing classified material 2) where it was going and 3) how many other violations you knowingly committed.

... the corporate rules might have required him to pay attention to it at all times ...

I've gotten a corporate laptop with semi-sensitive material on it about the company I work for. I was given it when I traveled to various states. The guidelines were very clear. From locking it in the safe when I left the hotel room to not leaving it in my car. While it's less likely that someone would show up at a bar with a laptop, this is outright out of the question. Regardless of how lax their security measures are you might misplace a phone while drinking so don't bring it drinking! If you want to or accidentally take it drinking, you're accepting the risks.

It'd be hard for me to imagine that Apple -- the pseudosecretive company that it is -- wouldn't have stringent policies in place. Still, firing Powell would look less than heartless. I'd be shocked if any company as big as Apple didn't have such policies explicitly spelled out.

How can they?

[Alexvthooft]

A PR agent finally does what he is supposed to (for once in his life with great succes) and they punish him for it. Apple's 1997 slogan goes to waste here Think different? Yeah right!

Fired and sued

[BadAnalogyGuy]

There's only one way to take care of someone who leaks mission critical information.

First you fire them. No sense in keeping them around if they are going to fuck up like that.
Next you sue them for major damages. Make an example out of them.

Since a corporation has no way to punish someone with actual jail time, the next best thing is to make sure people think twice before making big mistakes again.

Re:Gizmodo May Face Felony Charges

[Rogerborg]

Beat me to it.

[Gizmondo] "didn't know this was stolen when we bought it."

Riiiight. The difference between "found" and "stolen" is entirely in the mind of the... "finder". Heck, you can "find" a bike in the street... if you jump on it quick enough. Hang around gas stations, and you may "find" a car with the keys still in the ignition.

Go into Gizmondo's office late at night - "find" an open window - and wow, look at all the gear just ripe for "finding". After all if it's not grasped tightly in someone's hand at that very moment, it doesn't belong to anyone, right?

They paid $5000 for something that they knew - by their own admission - did not belong to the seller. If that's not dealing in stolen goods, then I don't know what is. You don't even have to know the law to be sure - a child could tell you that it's unethical and wrong.

STOP ADVERTISING FOR APPLE

[Anonymous Coward]

Please stop these stupid articles about someone fucking up or planting a phone.

Stop it.

Stop advertising for them.

Re:Gizmodo May Face Felony Charges

[Pharmboy]

The question is: will they simply pay a fine, or will someone actually get to face a criminal charge? All too often (in the US) people get off free because the offense is blamed on the Corporation® and not the individual acting on behalf of the corporation. If this is knowingly purchasing stolen goods, then it should be treated like any other case of the same.

Re:Fired and sued

[IndustrialComplex]

There's only one way to take care of someone who leaks mission critical information.

First you fire them. No sense in keeping them around if they are going to fuck up like that.
Next you sue them for major damages. Make an example out of them.

Since a corporation has no way to punish someone with actual jail time, the next best thing is to make sure people think twice before making big mistakes again.

Then you wonder where all the job applicants went.

Ummm WTF?

[hellfire]

Firing, I can understand, but suing? No one was publicly humiliated or libeled. No one was physically harmed or killed. No one else suddenly lost their job. No one was discriminated against or denied rights or equal protection under the law. No one cheated or stole anything. No one was placed in potential harms way.

IANAL so I won't comment on if someone could be legally sued for this right now in the US. But I will say that I don't think anyone should be sued for this nor do I think the law should allow it. The guy goofed by leaving a phone in a bar, this isn't like falling asleep while monitoring a nuclear power plant. Being fired is enough punishment.

Re:Gizmodo May Face Felony Charges

[zero_out]

You don't even have to know the law to be sure - a child could tell you that it's unethical and wrong.

Call me cynical, but law doesn't often follow ethics. There are so many instances where something is "wrong," but not illegal, for me to even begin citing them. Okay, I'll give you one. Adultery. Sure, there are some places where it is outlawed, but what percentage of instances does it fall into the realm of the illegal? At any time, if I were to have improper relations with a neighbor, I would not be breaking a law. It would be about as unethical as any civilized society could imagine, but not illegal.

Back on the topic at hand, yes, it was unethical for Gizmodo to do this. Did they know it was illegal? Possibly, but not necessarily. Even if they did know, I'm sure they did a cost/benefit analysis, and determined that the benefit outweighed the punitive damages. What a wicked world we live in, where someone weighs the cost of doing something unethical, against the gains for doing it.

For Now

[FreeUser]

Apple's got no trouble attracting applicants.

They might do, if they continue to grow a reputation for Stasi style tactics and policies that make Orwell look like an optimist. Which firing and suing this guy would certainly do.

How far Apple is from the tipping point of going from "a cool place to work" to "last chance saloon for those desperate enough and unable to get work elsewhere" is an open question, particularly in today's economy. But one thing is certain...they are closer to that point now than they were two years ago, and will be a whole lot closer still if they act in a vindictive manner toward a guy who simply made a mistake any of us could have made.

After all, who hasn't lost a cell phone at least once in their life? (A good reason to never volunteer to test prototypes, especially if your lifestyle includes the occasional pub visit)

Shittiest example

[jim_v2000]

of a security breach ever. A viral marketing campaign where someone "loses" a prototype phone at a bar does not count as a "security breach".

Re:Gizmodo May Face Felony Charges

[QuantumRiff]

The device is not worth $950. The price is the value of the item stolen, not what some idiot is willing to pay for it. If someone pays $10,000 for a stolen car that has a bluebook value of $3,000, it is recorded as a $3000 theft.

However, gizmodo said at the beginning that they had no intention of keeping the phone. In fact, the person that found it, and Gizmodo both tried to return it, many times. The finder cause it was the right thing to do, and Gizmodo, because then Apple would be acknowledging that it was, in fact, and Apple device and not a cheap chineese knockoff.

If someone steals your car, and I buy it from the, but give it back to you, am I a criminal?

Re:Fired and sued

[baKanale]

Since a corporation has no way to punish someone with actual jail time

Because a world where that happens is a world I'm sure we'd all fucking love to live in.

Re:Gizmodo May Face Felony Charges

[Hatta]

There are so many instances where something is "wrong," but not illegal, for me to even begin citing them.

There are also many instances where something is illegal, but not wrong.

Re:Too Bad We Don't Know Apple's Policies

[Bing Tsher E]

Yeah, I would place him as a mail-room clerk until he proves he can handle sensative (sp.) information without releasing it to the public.

That's sort of ironic, given that the job responsibility of a mail-room clerk is to handle sensitive information while releasing it to the public.

Lessons unlearned...

[BrokenHalo]

We could pursue the DRM issue forever, but there's a completely unrelated lesson Apple could learn from this debacle if they cared to. If the offending phone was indeed left on a barstool, a question arises (in my mind at least): If Apple are so damned clever, why can't they make their phones small enough to fit in a pocket of your jeans?

Then nobody would have to leave the device out in plain view for anyone to pinch.

Re:Gizmodo May Face Felony Charges

[nanoakron]

Uncorrupt?

The amount of leeway a DA has in laying charges, and the fact that they are elected to office, are precisely the reasons why the US legal system appears more corrupt than our own here in the UK. Placing all that power and discretion in the hands of one individual is like playing with fire - if you commit a crime that belongs on their 'pet hate' list, they may level tougher charges than might otherwise seem appropriate.

Moreover, plea bargaining is a despicable idea in a supposedly free society, particularly when it amounts to nothing more than bullying and intimidation to extract a 'confession' (the plea) - and we all know confessions obtained under duress are entirely untainted don't we...This is why plea bargaining is rare in almost every other civilised nation.