The FBI illegally obtained thousands of Americans' telephone records during the Bush administration. The individuals involved apparently used a variety of methods, often with the cooperation of phone company employees.
NPR recently published the story at http://www.npr.org/templates/story/story.php?storyId=122774614
"They [phone company employees] worked in the FBI building, and agents would do what they called "sneak peeks" — basically, looking over a phone company employee's shoulder to get information from the computer screen without going through any formal channels."
The questions around this report go far and wide. What I wonder is: did everyone know what was going on? I doubt it. I suspect there were some phone co execs who were aware and felt it was the right thing to do, but there were others who would not have been ok with it. Phone companies are big and complicated, and it would be hard for anyone to know what everyone else was up to. Let's just say the guys who were sure it was the right thing to do probably gravitated to a position where they could enable that information sharing.
What really struck me about the report was the realization that we (Oculis) could have stopped these leaks. This "social hack" of letting FBI read the data over the shoulders was used because it was an easy way of subverting the security and audit controls without notice. The info security industry has good solutions for securing data in electronic form, but when it gets to the computer display it's simply broadcast out there for anyone to see.
Oculis is all about solving this problem. We're protecting that last 2 feet in the chain - from the screen to you. With PrivateEye running on those machines it would not have been possible for FBI to simply shoulder-surf the information. There would have been an audit trail, there would have been physical evidence that someone else was looking at company confidential material.
PrivateEye would have stopped the shoulder surfing. The rule-breakers would have had to find another way around, and they probably could, but each additional step increases the chance of detection. At a certain point the rule-breakers would have weighed the risks and decided it would be better to just follow the rules.
If you build a security system for the purpose of protecting information then do it right - don't stop 2 feet short of the goal.
Bill
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment