It seems every week there's some big company letting a laptop or some other database-containing item walk out the door. Any bets on who will be this week's example?
Just about any federal government agency I can think of. US government is pretty inept when it comes to, well, just about anything.
I think the answer is probably "everyone", but a more pertinent question would be to ask who will own up to having done so, and how quickly.
It's only the responsible or publicly caught that you see in the headlines.
Customers warned of data grab
UNK Computers Hacked
Laptop Losses Total 12,000 Per Week at US Airports
Nearly 70% are never recovered; many go unreported
I mean those who stole the property and those within the "victim" companies that try to gloss over the loss.
Imagine if that airport statistic included all the laptops with open shares coaxed into joining ad-hoc networks.
Boy, do you get looked at strange when not under the info security dept at work and you ask "do we mitigate the threat of the flaw allowing Windows to be connected to an ad-hoc Wi-Fi network without user intervention?"
(we'll see how the latest question, receiving uname/passwd sent through plain text email, goes over.)
I hear fishing for cellphone activations is popular at airports still. If you can't get 'em by notebook waiting for the flight in the lounge, get 'em turning on the leash when they pass that "cell phones must be turned off" sign on the way back out.
(Damn me and my ethics. I'd be rich by now if I didn't have those.)
I was reading a posting by some guy who got fired as a security risk because he was pointing out terrible security problems (like, none at all) to his employers (a hospital system, I believe).
Talk about funny looks.
The security through obscurity model is so entrenched that anyone who knows something about security, but is not a member of some official security department, is viewed as suspicious, or a threat to security (or somebody's job).
I had considered that outcome in my own doings, but I figured I'd either get noticed by info security or get a warning first. The worst case I considered was being called into a "stop pointing these things out to us" meeting or having my HR profile marked as "if dismissed, escort out by security and a desktop tech".
I get strange looks for my choices of casual reading, which I don't feel the need to hide (2600 quarterly, inch-thick textbooks on technology, ..). My current casual reading, "Security Power Tools", has been a great book reviewing what I know and adding in lots of things I've not had reason to learn yet; I got a strange look in the elevator from my VP over that one.
I've also seen a friend driven from more than one IT job by the "old guard" mentality. He's not the most diplomatic of people but he knows his tech. At this point, he's a job offer away from leaving the industry altogether because of the mentality in big business. (Only MS can provide, Security is an expense we need to minimize, You're just a desktop tech; what could you possibly know about anything at 'our level', ..)
Your story does not surprise me. I can see it happening in many businesses.
The story to which I referred seemed like a study in really bad organizations. The hospital system, I recall, was somewhere in Europe.
Possibly read it at http://thedailywtf.com/