Vapix
This is best interpreted as a lesson in why serious IT security is so rare.

It's hard for amateurs (e.g. 99% of IT managers) to understand what they need to do; security specialists (like network specialists) are exceptionally hard to understand, even by the standards of IT tech staff; and it's relatively expensive to set up and maintain good security.

Until people start caring about IT security (instead of just pretending) this kind of thing will remain the norm.
Chris Binkowski
Drew1365 wrote:
galad2003 wrote:
Bentel should be fired if he still works there.


These people don't get fired. They are invited to "retire to spend more time with family" and given a huge severance package and pension.


Our true fate always awaits until afterwards.
 
non sequitur
Sarxis wrote:
Drew1365 wrote:
galad2003 wrote:
Bentel should be fired if he still works there.


These people don't get fired. They are invited to "retire to spend more time with family" and given a huge severance package and pension.


Our true fate always awaits until afterwards.


"God works in mysterious ways" is not a sufficient answer to the question of evil.
Steve K
galad2003 wrote:
A good read.

http://www.thedailybeast.com/articles/2016/07/24/the-missing...

More insight into the corruption of Clinton and the State Department in general. It's a shame he was given immunity; as an IT professional, he should have damn well known better what the laws were, or if he didn't, he had no business being hired on like that. He should have had top certifications in security and should have had a security clearance and been briefed on what he can and can't do IT-wise. I'm floored that no one at the State Department knew what he did.

Also good:

Quote:
Clinton’s political opponents aren’t the only ones to have questioned how State Department emails were preserved. Two technology employees told the inspector general that in late 2010 they “discussed their concerns about Secretary Clinton’s use of a personal email account” with John Bentel, who was then the director of Information Resource Management in the office of the Executive Secretariat, where Pagliano worked.

“In one meeting, one staff member raised concerns that information sent and received on Secretary Clinton’s account could contain Federal records that needed to be preserved in order to satisfy Federal recordkeeping requirements,” the IG found. “According to the staff member, the Director [Bentel] stated that the Secretary’s personal system had been reviewed and approved by Department legal staff and that the matter was not to be discussed any further.”


Bentel should be fired if he still works there.


Who ran the State Department?
Born To Lose, Live To Win
Drew1365 wrote:
These people don't get fired. They are invited to "retire to spend more time with family" and given a huge severance package and pension.
Maybe he got invited to work on her campaign alongside DWS.
 
Chengkai Yang
Vapix wrote:
This is best interpreted as a lesson in why serious IT security is so rare.

It's hard for amateurs (e.g. 99% of IT managers) to understand what they need to do; security specialists (like network specialists) are exceptionally hard to understand, even by the standards of IT tech staff; and it's relatively expensive to set up and maintain good security.

Until people start caring about IT security (instead of just pretending) this kind of thing will remain the norm.


Eh, I find it's usually one of 2 things. Either you're getting audited regularly and you're in a CYA mindset, or you're one of those groups that gives no shits because you have little oversight and just cut corners. This sounds like their shop was the latter, and their security guy was prob just snoozing away as they were likely their own accreditor.
 
Vapix
draxx01 wrote:
Vapix wrote:
This is best interpreted as a lesson in why serious IT security is so rare.

It's hard for amateurs (e.g. 99% of IT managers) to understand what they need to do; security specialists (like network specialists) are exceptionally hard to understand, even by the standards of IT tech staff; and it's relatively expensive to set up and maintain good security.

Until people start caring about IT security (instead of just pretending) this kind of thing will remain the norm.


Eh, I find it's usually one of 2 things. Either you're getting audited regularly and you're in a CYA mindset, or you're one of those groups that gives no shits because you have little oversight and just cut corners. This sounds like their shop was the latter, and their security guy was prob just snoozing away as they were likely their own accreditor.

Some things that caught my eye in the (very few) articles and posts I read on this topic:

The US State Department appears to have major problems with security policy in general:
* There were numerous mentions of information that was originally ok to send in an email, and was then reclassified to a higher level later. Similarly there were differences in classification level between different US Government organizations, with State normally the one that was least cautious
* At least one of Clinton's predecessors (Colin Powell?) used a private email server - so either there wasn't a policy against it, or policy enforcement even at that simple level wasn't serious

Neither of these is necessarily an implementation failure as such - they are indications of "security theater".

The first means that incoming emails can become problematic - this effectively delegates security to the receiver rather than a serious process/system - of course it will fail sometimes. The second suggests that there might be rules, but they're not applied to everybody.

After I read those I stopped paying attention to the details /lol.

It was obvious there would be a few stored emails that weren't correctly secure. Percentage-wise it actually wasn't many, which suggests Clinton herself is quite careful. But that's the thing with serious security - if it's not 100% effective it fails, so depending on individuals to always act correctly is impractical.
It was equally obvious they'd never be able to prove their network security and authorization were at least as good as the organization's standard email servers.
 
Steven Woodcock
Kinda surprised he hasn't had a "tragic accident" yet.....
 
Xuzu Horror
Vapix wrote:
draxx01 wrote:
Vapix wrote:
This is best interpreted as a lesson in why serious IT security is so rare.

It's hard for amateurs (e.g. 99% of IT managers) to understand what they need to do; security specialists (like network specialists) are exceptionally hard to understand, even by the standards of IT tech staff; and it's relatively expensive to set up and maintain good security.

Until people start caring about IT security (instead of just pretending) this kind of thing will remain the norm.


Eh, I find it's usually one of 2 things. Either you're getting audited regularly and you're in a CYA mindset, or you're one of those groups that gives no shits because you have little oversight and just cut corners. This sounds like their shop was the latter, and their security guy was prob just snoozing away as they were likely their own accreditor.

Some things that caught my eye in the (very few) articles and posts I read on this topic:

The US State Department appears to have major problems with security policy in general:
* There were numerous mentions of information that was originally ok to send in an email, and was then reclassified to a higher level later. Similarly there were differences in classification level between different US Government organizations, with State normally the one that was least cautious
* At least one of Clinton's predecessors (Colin Powell?) used a private email server - so either there wasn't a policy against it, or policy enforcement even at that simple level wasn't serious

Neither of these is necessarily an implementation failure as such - they are indications of "security theater".

The first means that incoming emails can become problematic - this effectively delegates security to the receiver rather than a serious process/system - of course it will fail sometimes. The second suggests that there might be rules, but they're not applied to everybody.

After I read those I stopped paying attention to the details /lol.

It was obvious there would be a few stored emails that weren't correctly secure. Percentage-wise it actually wasn't many, which suggests Clinton herself is quite careful. But that's the thing with serious security - if it's not 100% effective it fails, so depending on individuals to always act correctly is impractical.
It was equally obvious they'd never be able to prove their network security and authorization were at least as good as the organization's standard email servers.


That's exactly what I thought as well.

Hopefully these things are now uniform policy across all departments (i.e., they all use the same systems; with strict divisions of course, but the same system) - maybe sometimes with some added security and such.

It just seems like something that should have very strict policies involved. I have not read to see further though.

But the fact is that I hear more about the minutiae of Clinton's case, and have not heard as many details on whether this situation is being prevented in the future. Of course, they probably aren't going to go into details about how they do secure their e-mail, but it'd be interesting to know if they hodgepodge it or have standardized.