Baseball Toaster Fairpole
Unauthorized Access, Please Enjoy
2008-03-21 10:33
by Ken Arneson

Simple question I haven't seen anyone asking:  if the software is capable of detecting unauthorized access to the passport files of Obama, Clinton, and McCain, why doesn't it just block access?

Blocking access should be simpler to program (just throw an error--one line of code) than sending a notification in the background while allowing access to continue.  Right?

2008-03-21 10:46:15
1.   dianagramr
Even money says that will be a plot device in the upcoming season of "24" ... :-O
2008-03-21 11:13:18
2.   Linkmeister
1 And evener money says Rove will appear in the credits for that episode.
2008-03-21 11:22:28
3.   rbj
You do realize this is the federal government we're talking about.
2008-03-21 12:06:55
4.   capdodger
These people probably had need-to-know based access to this class of data (passport info), but no bussiness reason to access this data. Browsing data, even data that you have work-related access to, for non-work related purposes can get a Fed or a contractor in hot water. The water is even hotter if you illegally pass on said data for a non-work-related purpose. It's all audited though, (or is supposed to be), so their browsing was probably just caught that way(yay FIPS).

Now, if you'll excuse me, I need to get back to my Title 13 and 26 training.

2008-03-21 12:26:34
5.   capdodger
The better question is why it took so long for it to work it's way up the chain. I can understand a week or a month depending on when you grep the logs, but two months is a bit excessive, even for the US Gov't. To me, it indicates a bit of CYAism or they were possible be that they were being very thorough. After all, these guys were contractors, and easy to dump or replace.
2008-03-21 13:36:40
6.   JL25and3
0 "No... that's just what they'll be expecting us to do!"
2008-03-21 13:56:45
7.   capdodger
So now I'm seeing that the way the system works at state is that a supervisor is notified whenever someone hits a flagged record. (

This says to me that it was just unauthorized browsing and a super dropped the ball by incorrectly allowing access. Furthermore, the error was compounded by not promptly up the chain once it was determined that browsing was going on.

2008-03-21 14:17:55
8.   Ken Arneson
7 Yeah, but why not just block access to the flagged record by default, and make the supervisor have to override the default? That would be the textbook way to program a system that you would hope is somewhat secure.
2008-03-21 14:28:34
9.   scareduck
8 - I see you're new here.
2008-03-21 16:36:34
10.   capdodger
8 - It comes down to the nature of the data. In this case (and ones I work with) every single record has PII in it, and all users have been sworn to uphold applicable regs, policy, and US Code. Supervisors would probably tell you they have better things to do than allow access to records to people who've already taken an oath to only access said records in the course of their work. See, as an employer, the Federal Gov't has one extra tool to enforce it's HR or business policies. Violate your oath and you could end up not just losing your job, but paying a big fine and severing time in Federal PMITA prison. That, plus the knowledge that most everything is audited, keeps people in line. These guys were just idiots, but that's what you get for the lowest bid.
2008-03-21 16:56:34
11.   capdodger
The other think to consider is the amount of requests and where they're coming from. From what I've read, this is a pretty active DB with requests coming in from numerous Fed, State, Local agencies, so there's chain-of-command issues as well. Better to hold everone to a high standard and lock them up when they fail.
2008-03-21 17:55:59
12.   Ken Arneson
Stealing from my car is illegal too, but that doesn't mean I shouldn't share the blame if I leave $1000 just lying in clear view on the front seat, and then walk away without locking the door.

Yes, you can depend on the kindness of strangers. Or, you can hide the cash and lock the door. Like I said, it's not rocket science. It's basic security.

2008-03-21 19:36:32
13.   capdodger
12 - This isn't a "kindness of strangers" situation though. It's more like someone you let into your car to count your money stealing from you while you watch them.

Like I said: Stupid. The problem isn't that they looked up Obama, Clinton, or McCain, it's that they looked up anyone without a business reason. The record they browsed just happened to have a tripwire. It's a pretty good honeypot to catch browsers if you ask me.

2008-03-21 21:05:19
14.   capdodger
Strictly speaking, there wasn't even any "unauthorized access", as the people in question were authorized to access the data. It's may just be lazy reporting, but I guess "unauthorized database browsing" doesn't make quite as good a headline.

Comment status: comments have been closed. Baseball Toaster is now out of business.