We had remote access to their networks at times. My very first day I was amazed how much access I had at will.
One day it was announced that a customer had come to us and demanded everyone had to meet X requirements to be able to work on their networks.
Not long after another financial institution made a similar request.
Some folks inside the company were a bit riled up by the requirements (background checks, some other things). They felt the requirements were absurd.
Considering the access we had I thought they weren't strict enough. As just a lowly support dude hired during the dot com boom because the company needed warm bodies (who could do some independent thinking / troubleshooting) ... I had a lot of access.
I don't know if they were thinking about spying like this, but I'm always amazed how much access people have to data and etc just from a technical support perspective (forget developers...).
Later the company outsourced support to other countries... I'm not even sure you need spies in the US / would know anyone was spying under those circumstances.
Support teams are probably a hell of a lot cheaper / easier to infiltrate / they get little / poor management / oversight. I saw tons of strange choices by our outsourced technical support staff, every single time I raised concerns it was discarded by something to the effect of "yeah they suck".
And that doesn't account for all the financial institutions who outsourced their own direct ops teams to other countries ... I'd call them and if they ever were capable of following instructions 9x out of 10 they'd open up the wrong network / modems / etc.
My side is that I worked for a bank on the brokerage side for ten years in different positions. What always struck me was that my access was very carefully controlled, I was a background checked employee and had to meet with compliance once a year, etc etc.
However when a law firm asked for anything or consultants said they needed more data they just sent massive data dumps to the network admin guy, no questions further asked. At least not at my pay grade.
As I've consulted I ask for only what I need to keep my own risk down but it is always a surprise to my clients I don't want PII I don't need and only the data that my model will help enhance.
Some of our customers did have pretty strong processes in some places... but then zero when a process changes or something like that.
Lots of: "Oh no we can't do that because <security>".
Ok makes sense. It's a hassle but it is a good policy.
"But you can..."
All sense out the window, everything is undone.
That doesn't protect you from accessing and leaking data.
Senior managers don't need to control the servants' access because they won't take your job, they're lesser beings in the caste system. The control is there for those who might take your job or customers because they are caste equivalents.
At no stage are customers' concerns so much as considered. Control is not of the data, it's the vital control of peers and rivals. If you're not a rival, who cares?
Data security is a myth.
The knowledge level of those staffs is often near 0, they operate with wonky budgets (here is a gazillion dollars for iPads... no money to maintain them or the rest of the systems), and are just making do the best they can.
The IT staff at one complained to me the librarian at one elementary school kept changing things on them. In reality she had a clue and they couldn't even operate rudimentary role based access type system to stop her.
I expect FAANGS to do the same.
My other comment was sent to oblivion because it is politically incorrect, but the reality is that a lot of students have loyalties to the old country. Also when you add the family back there and corruption being a normal way of getting things done, these things are bound to happen. I don't suggest to freeze them out, just don't be surprised.
Note that there are many different types of background checks, varying from things like "working with children" checks, to financial status checks, to security checks of different kinds.
You are correct - it's very hard for a foreign person to pass some types of these. In some cases that means it's very difficult for them to get one of these jobs.
Let’s say an IC designer offshores some work; that company has other clients as well and the offshore company has access to a lot of the R&D of the client company. Lots of things can happen in that situation and do happen.
Another branch where you might expect security awareness is anti virus companies. I'm a pentester and in smallish companies everyone knows everyone, but nobody knows me, yet most days I can tailgate into the office without question. This morning a lady asked suspiciously "are you looking for someone?" and I just replied that I know where to go, thanks. I walked on and she didn't pursue. Free rein.
I don't have to mention any specific company, this happens everywhere. Helpful, trusting that everything will be alright, clicking links... Vulnerabilities help but they are optional.
I wish I could tell people that having that much access raises legal issues for me.
It's not enough to have them sign a contract limiting liability because as a business they have far more lawyers than I do.
When I work on a contract I want to be able to say in court that I couldn't possibly be in any way related to the event of a bug, security breach or data loss because I simply do not have access.
It is genuinely worrying on my part to carry around credentials with that much data. What if my laptop is hacked or stolen? I do not want to be sued (again it doesn't matter if they have a valid case or not, I don't want to deal with legal fees or anything.)
This is what I wish.
Obviously things are far from that.
BMO and another org in 2018. BMO's security was atrocious, for a while they had you use your 4-digit pin to log into online banking. One of the reasons I ended up switching to Tangerine...
It’s not to verify identity. It’s more like imprimatur (anointed by Twitter as whatever). And that is stupid because it’s basically up to the whims of the company and becomes open to abuse internally and externally.
Unfortunately, there's a strong correlation between "useful to verify" and "important", so pretty quickly it became a status symbol, especially for marginally notable people. And some people really like status! It's very similar to the problem Wikipedia has, where they daily have to delete a lot of BS biographies from the would-be famous.
This means that the program has been a headache for Twitter for a long time. I know when I worked there in 2017 they announced that they were suspending the program pending a major revamp of how it works. As far as I know nothing came of that; I think they quietly started giving out blue checkmarks again a while back.
Personally, what I'd like to happen is that they make it much broader and roll it up in a "Premium Twitter" feature. I pay them $50/year, they verify that I'm who I say I am, get rid of ads, and throw in a few other features. But I doubt that will happen, as IMHO Twitter is incredibly bad at getting anything done.
There are some groups that take it as a warning sign for craziness. Funnily, it often seems they are onto something.
I think that is precisely the purpose. If you’re looking for Donald Trump’s Twitter profile the idea is the blue tick helps you find the right one rather than a parody.
For example both Sanders and Trump have a blue tick. They obviously can’t simultaneously be representative of a majority of Twitter’s staff’s views, can they? And I’d estimate Trump isn’t representative of a substantial number of these west-coast tech workers at all. So that doesn’t seem to hold up.
https://qz.com/519388/this-saudi-prince-now-owns-more-of-twi...
"Prince Alwaleed Bin Talal Bin Abdulaziz Alsaud, who in 2011 invested $300 million in the social network, now owns 34.9 million shares of Twitter’s common stock, according to a new regulatory filing (pdf)."
That is from 2015, but as far as I know he still owns a huge stake in the company. It would seem relevant when discussing SA's influence on Twitter, but I don't see it mentioned in the article for some reason.
https://www.nytimes.com/2017/11/04/world/middleeast/saudi-ar...
He does not seem to be part of the "Saudi intelligence community".
It would seem to be a concern they would have to follow up on. You can put in all the procedures you want and declare compliance to auditors but it only serves to make paper pushers happy.
API leak is one hypothesis, another one is that they got a mole there too.
The same goes for Facebook. A number of FB users got detained in China with no better explanation than MSS getting access to FB's internal information like phone ID and IMSI data in the user database.
The most probable explanation people have crafted is the following:
1. Using internal or external tips, MSS gets user account info of a person of interest
2. Their mole accesses the user database for info on cookies, IMSI, advertising ID and such
3. MSS then cross-references the data with data on the open market, like IMSI databases sold by mobile advertising companies
4. One way ticket to Heilongjiang is issued the next day, once the identity of the person is confirmed using logs of phone companies or ISPs.
Then the company can do the liability minimization dance when the FBI comes and points out that they are running a cheap data service for foreign spies. "We, uh, had no idea..."
But what should large tech companies do? Avoid hiring people from certain countries/heritages? Obviously that's not fair and not a good look. Same for putting extra monitoring on them. This is independent of Twitter apparently trying to downplay this and cover it up, which of course is wrong. It just seems like preventing this is really tough unless you state "we won't hire anyone who's lived in, was born in, or whose parents are from China, Iran, Saudi Arabia, or Russia", which is untenable.
"If these contractors can't breach a target, intelligence officers assigned to specific cases come into action. They operate on the ground, near targets, by recruiting company insiders, or even coercing Chinese employees to aid their hacking efforts using blackmail or threats against families living at home." [1]
[1] https://www.zdnet.com/article/fbi-is-investigating-more-than...
I don't think this is correct. The legislation as drafted didn't seem to claim extra-territoriality and courts will basically never interpret legislation as being extra-territorial without an explicit clause.
There's also the point that if you are overseas and refuse to comply with a request by ASIO or whathaveyou, they can't legally arrest you outside of Australia. In theory they'd need to ask for your extradition, but that requires equivalent laws to be in operation in the country you're extraditing from. But you'd be at risk of arrest upon returning to Australia.
That doesn't stop it from being a terrible law. And it also doesn't stop me from not being a lawyer who isn't giving legal advice.
I eagerly anticipate their downfall. Just like I did MySpace. And hopefully someday, Facebook. Fuck these parasites.
Ok, how could you possibly know that? That's a pretty good guess, but writing it like it was the start of a novel… feels like read bait, really. Especially given the following:
> Alzabarah, Abouammo, and al-Asaker did not respond to requests for comment.
Slightly off-topic: I feel that gives a good idea of how much information can be extracted from very simple metadata (here timestamp and number called) in that kind of context.
The process does not include firing the employee first thing in the morning. It includes calling the equivalent of the FBI for your country.
The way Twitter failed to handle this case is staggering.
I'd be interested in seeing perspectives on how you avoid this scenario. While you could isolate data access by team in many models, you're still going to have engineers who have access to valuable data. Random access audits? But what about the scenario where your database lives on someone else's hardware?
I guess you could always decide you want to use your cloud providers FedRAMP-compliant offerings.
Money is not an issue for a nation state and then they can fix things for family back home etc etc so they are bound to find people that say yes.