If they took a decent picture, then they could identify something that looks like the license plate and then use OCR to compute the number and store that.
They have a joint venture with DEA to have fairly comprehensive coverage of interstates. Also, private companies offer LPR services and sharing, not sure if this company did or if that database was breached.
anyone ? Why is a 3rd party given the ability to store such a large database to conduct such business ?
They should at most store the last 3 months border documents, nothing older than this.
> On May 31, 2019, CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network
> CBP ... is closely monitoring all CBP work by the subcontractor
What. In the private sector, they'd have been fired and probably legal action levelled against them. The CBP's punishment for this is 'monitoring'? Please tell me I'm reading this wrong...
Sounds like pretty standard PR legalese to me. I guarantee that the same is going to happen to the subcontractor (after a lengthy investigation, to be sure), but it's bad practice to go throwing around public legal threats, especially for the government which likely has a multi-hundred page contract with these people, and especially at such an early point in any investigations going on.
This is unless the corruption includes those who are managing the subcontractor identified. In which case, the subcontractor is blacklisted and the people responsible move onto another company (ie, Initrode vs. Initech).
Yea, that's one of the more disturbing modern trends - especially at the C-level, once someone is in that cloud they tend to just rotate jobs consequence free... and maybe occasionally run for president after doing their best to bankrupt HP.
I agree that an individual unfairly blamed by a company for their failure should be able to move on with their life but... we've seen plenty of clearly guilty people get out with a golden parachute and turn to serving on the board of directors of companies for the ridiculous sum that tends to net you.
Playing devil's advocate (and this is likely to be downvoted by the "we hate all management" crowd on HN), but the reality is that there isn't exactly a very large pool of people who have experience running/directing multi-billion dollar companies. If you start blacklisting every single C-level that was ever involved in a controversy, the only choices you're going to have for your board of directors are going to be people that have very limited experience making executive decisions.
IME, this is especially the case for security positions like CISOs, where the pool of people with such experience is excruciatingly limited to begin with (and no, a high level engineer/developer does not have the same skillset as a security professional).
There's also something to be said for allowing people to learn from their mistakes. It's obviously higher stakes for an executive, but it's along the same vein as how we don't blacklist-for-life the developers who write vulnerable code.
This has come up a number of times and I semi-agree with you. It's definitely true that C-level positions do take a special kind of problem solving to navigate with a high emphasis on time management skills that other people (even upper management) can usually delegate up... That said, the only thing restricting new entrants into that market is the resistance of that market. The skills it takes to be a CEO of a multi-billion dollar company are certainly beyond me currently, but it's a skill I could train up to if I tried - especially if I had chosen to do so earlier in life. And these positions do come with a high amount of responsibility, buuut... they don't produce value for the company at all in line with their salaries and they're certainly not irreplaceable.
I don't hate management, I've worked for some great middle managers that have made my life easy - and for some terrible ones that constantly over-promised and pushed the weight down on us in the trenches. For upper management I've worked for three main veins of persons, the ones that micromanage and attempt to constantly invest themselves in every problem - leading to an inability to make good high level decisions... the sort that are removed from business by such an extent that they are unable to reason about direction decisions and fail to support a company's natural growth.. and those that are approachable but limited, who will voluntarily back out of any low level decision discussion but coordinate what decisions are being discussed and what those decisions mean for other portions of the company.
So mainly I'm rejecting your assumption that the pool is limited to begin with - people do come from famous families and waltz into the field with no prior experience, and those who try to work their way up tend to be stifled due to their lack of experience.
I'm not sure I agree with your first paragraph. I mean no disrespect to you or your abilities, but being a C-level executive, especially in a large corporation, isn't something that someone can just "train up to". These types of positions really do require a specific personality, specific desires, often a specific ethic (work ethic and otherwise), specific connections, and more. These are the things, along with the fact that due to organizational hierarchy, there are naturally less CEOs in the world than there are entry level workers, that limit the pool.
I'm certainly not saying that all C-levels possess these necessary traits in a positive way, and there are definitely some C-levels that only got where they are because of nepotism or luck, but I also disagree that there is a significant 'stifling' of newcomers. Nearly every company I have worked at has had a specific "track" for its employees to pursue management (including C level) positions, but my experience is that most people just aren't cut out for it (either because they self-selected that they didn't want/enjoy it, or because they didn't have the necessary personality for it). More specific to the tech industry, I've often seen/heard of Silicon Valley companies having separate "Individual Contributor" versus "Management" tracks. Many engineers self-select the IC track because they don't enjoy management aspects.
And that's not necessarily a bad thing, either. Not everyone is destined to be a CEO, nor should that be everyone's goal, and there's definitely nothing wrong with not being a possessor of the negative-in-many-aspects cutthroat ethics that being a CEO often requires. It's not all too dissimilar to how not everyone is destined to be a programmer, and you can't take just anyone off the street, hand them a programming textbook, and turn them into Linus Torvalds, nor should you.
> I mean no disrespect to you or your abilities, but being a C-level executive, especially in a large corporation, isn't something that someone can just "train up to".
My hunch is that this is no more true of C-levels than it is of any other profession where some natural aptitude (eg. above average intelligence) is required. In other words, I think the "pool" of C-levels is small almost solely because of organisational hierarchy; for every C-level there are many more people with the required natural aptitude who are not C-levels. Of course, for a sufficiently narrow domain, the intersection of people with the required natural aptitude and people with the required years of domain experience may become very small.
In that sense, I think being a C-level is something that many people can just "train up to," if given the right opportunities. I'm not sure if there is any empirical evidence that could tell us who's right.
I've seen enough "emergency temporary promotions" succeed in their job that I tend to agree with you and not with the self-serving "I am special" arguments you hear from people in these circles.
I feel that your thesis is broken by definition: if there is such a small pool of people with this level of experience - so small that they are worth the money and are super difficult to replace - shouldn’t they have already made all their mistakes? Isn’t the board, by definition, paying for people who have a very high chance of making good decisions?
> shouldn’t they have already made all their mistakes?
Is there some finite limit of mistakes that humans make over their lifetimes? In fact, it would be the opposite - those who are making more decisions are by definition likely to make more wrong decisions, as compared to someone who doesn't make as many decisions.
> Isn’t the board, by definition, paying for people who have a very high chance of making good decisions?
Yes, which is why the salaries for such positions are often so high.
> Yes, which is why the salaries for such positions are often so high.
The demonstrable lack of financial repercussions for failure, which you are arguing is justified in some cases, belie this causal relationship. I'd echo Taleb and sat that if an elite class is to be healthy, incompetence must swiftly and summarily result in expulsion.
> If you start blacklisting every single C-level that was ever involved in a controversy, the only choices you're going to have for your board of directors are going to be people that have very limited experience making executive decisions, and the usual explanations proffered by the "we hate management" crowd - of nepotism, insiderism, back-scratcher-ism - are more likely valid.
If we revert from "involved in a controversy" back to "has demonstrated extreme incompetence", your argument carries less weight. We can at least say that the inexperienced new guys haven't been tested and found wanting. The
Only politically connected companies, if you and I ran a business like that the outcome would have been different. The state has no problem going after small businesses.
“In the private sector” covers a lot of ground and I have extreme skepticism about your faith in the process unfolding that way: ask yourself how many breaches you’ve been part of and whether anything more than a press release happened along with waiting for the news to die down. How many customers did Experian lose?
(In the enterprise software world, I can tell you how epic failure to perform on an 8+ figure contract unfolds: the sales guy takes a VP out to the next game so they can discuss it over drinks in the corporate box and nothing will change)
I don't have _much_ experience with this but when I worked for a UK based e-commerce SaaS provider (which was focused on image, so, ymmv) we completely buried a contractor for using sub-contractors which didn't follow our data security standards (which the contractor knew about).
a breach wasn't found, but that contracting company eventually became bankrupt under the weight of our negative press and litigation. I know that this is essentially bullying but it was used as an example to other contractors who might try something like that.
Incidentally the SaaS provider no longer exists, gobbled up by netsuite (which was, itself, acquired by Oracle).
There's pretty strong selection bias in information about data security standards. The companies that have strong ones will go out of their way to publicize that fact, but companies with weak or nonexistent ones will never admit that fact to the general public or news media, and the only thing you may hear about it is when disenchanted employees make anonymous posts on web forums.
If a company with weak data-protection standards wins out over a company with strong ones, it's never because of their lack of data-protection standards. Rather, it'll be because all the other features, pricing, marketing, etc. they can do that's the opportunity cost of decent security. So as far as the information available to laypeople is concerned, most companies do a decent job with security and it's just a few bad apples that happen to be gigantic like Equifax, Facebook, Target, Yahoo, Anthem, and the U.S. government that are screwing things up.
(FWIW, at Google we took security very seriously and implemented some truly heroic measures to keep your data safe.)
Experian didn't lose any customer data, though. They only lost data on their products. Their actual customers had no reason to stop paying for their services.
It think it's telling that, in this instance, it really doesn't matter. It could have been Experian, with the wave of a butterfly's wings in Himalayas, it was Experian and nothing changes in that alternative universe.
Don't you remember how Equifax was hacked into and their stock price briefly dropped? Then they were burdened with all those email addresses people entered to check their credit... And they had to pay the ultimate price by spamming those addresses constantly with advertisements, and that's not cheap!
And as a free service, I can now have them email me whenever my credit score changes, so I can log in and see that I fluctuate up and down 2 points routinely for "algorithm changes". Take that, Experian!
The issue in question isn't so much the breach, but the misuse of data by the subcontractor. I've personally witnessed people be fired for this, and know of lawsuits that exist for this specifically, and that's just at the company I work for...
They probably are doing some sort of critical service that can't be immediately stopped. That doesn't mean they will get contracts in the future or won't get legal action taken, but it takes time to review all that with the DOJ and decide how to proceed.
Ha. In the private sector, we discovered a vendor was using an actually health database with real users in it for testing their app. It was all covered up, with no monitoring, because we recently bought that vendor.
I'd expect at least huge fine and re-evaluation of the whole contract (it could be they are unique provider that can not be replaced, but more likely there are other options). Looks like causing private data of hundred thousands of people to be stolen is regarded as a minor thing not worthy of real punishments.
The sad truth is Congress is the biggest offender of poor network security practices. Every time they bring in Equifax, DHS, etc to explain why they didn't practice basic IT security due diligence or due care I am reminded of the time smart people were hired to implement basic network security for Congress. Once they realized Joe in IT (who was hired to keep hackers out) can see Congressman Bob has a foot fetish, fish fetish, whatever, Congress told IT to turn everything off.
There were more serious allegations against the individual, but the gov't dropped those claims. All that was left was the fact this individual had extensive access to Congressional servers.
If only someone could have seen this coming, you know, outside of the thousands of people that saw this coming. This is just one of many reasons why mass surveillance is a terrible.
Why is it terrible. Sure this has the potential to have negative consequences for the people who's data it was but as far as the government cares it's working fine.
Well, I guess I believe the whole government for the people by the people bit so something that is bad for the people should be bad for the government.
That would imply that security is irrelevant. Maybe you should re-work your rule the say that it will attempt to be hacked. Therefore you should always worry about security.
I kind of think you've misunderstood something. This person said "You will be hacked". A guaranteed absolute. If that were the case then why bother protecting anything?
His wording was misleading. Not his intentions. Nobody is in disagreement that security is very important.
I disagree, his wording was pretty spot on. Don't collect personal data - it will be hacked. At many of the businesses I've worked at I've made an effort to lower our PII data blob purely to reduce liability for when it was compromised. If you can see some information, a hacker eventually will.
Granted, lowering liability is apparently something I shouldn't worry about since no one is ever held to account for breaches these days.
It doesn't imply that security is irrelevant - it's just that you shouldn't really expect to succeed in preventing all attacks (since noone does), just reducing their number.
This implies that in addition to reducing the likelihood of breaches, you should also focus on all the other aspects of security, especially detection and mitigation; and for databases one of the main ways of reducing the impact of breaches is to avoid storing sensitive information as much as possible. In this particular example, was it really necessary to store pictures of license plates beyond a very limited period of time? A breach can't leak what you don't store, and you will get some breaches.
Security is not irrelevant, but that doesn't mean that everyone won't be hacked. There is a saying in the security world: "there are two types of companies: those that have been hacked, and those that just don't realize yet that they've been hacked".
Of course we shouldn't just 'give up' and stop trying to improve our security, but the unfortunate truth is that breaches are practically inevitable. In addition to constantly striving to improve our security, our society also needs to start investigating ways to make it so that breaches are less impactful (for example, stop using SSNs as any type of secret identifier, so that if an SSN database is breached, it doesn't matter).
That's absurd. This statement is exactly why we use algorithms like bcrypt to store passwords. If we could be confident that our database wouldn't be hacked, we could just store passwords in plain text and save a whole lot of CPU cycles.
Sorry I was unclear and linked to the wrong article, I meant that wapo journo poking around led to DHS & CBP responding on the record. It was one in the line of recent articles about facial recognition that travelers can opt-out of but nobody is sure how exactly you are supposed to do so. The wapo article I linked did attribute The Register info linking Perceptics. Both wapo articles are linked in this tweet: https://twitter.com/geoffreyfowler/status/113817627922244403...
> And on Monday, after I published this column online, Department of Homeland Security officials called me to disclose that photos of travelers were recently taken in a data breach, accessed through the network of one of its subcontractors.
Seems reasonable for the federal government to pay states to send new license plates to affect the compromised ones? I'm not under the impression license plates aren't recorded in public anyway, but still.
Fair compensation to those whose biometric information has been compromised should, at the very minimum, include free plastic surgery - in similar situations where social security numbers have been offered the government has provided new replacement social security numbers, so there is precedent. Seriously though, this highlights the danger of databases of biometric information, there's no way of remedying the damage because there's no credible way of altering one's personal biometric markers.
If CBP is not directly forthcoming with facts relating to the breach (specifically, whose information was unlawfully taken from the CBP production network) how does one seek redress for the harms created by the actions of the contractor?
This is yet another reminder that managing the security of your company's third party contractors is just as important as managing your own company's security. Security is a game of weakest links, and it wouldn't have mattered if CBP's internal security was the best in the world if they were allowing access to a third party that doesn't have good security.
It is naturally very difficult to enforce security mandates on a company that isn't your own, but I feel that this is one of the best ways we can improve security overall in our society: companies need to start requiring that everyone they do business with have a strong, independently certified security program, or else no contract will be signed. This is already done for things like data center contracting, but it should be much more widespread and encompass every type of b2b deal.
According to the report, CBP is passing the buck on this one.
They created policies that could be ignored. That’s on them. They shouldn’t be able to use their position to avoid accountability or to scapegoat their contractors (that they likely hired without due diligence).
Government agencies should never be seen as victims. They hold power and authority that nobody else can hope to enjoy. There is no higher power to hold them to account because the electorate had already been subverted to maintain their position. So they should not be protected from fucking up. In this context, God or the Lord is not a higher power, it is also a scapegoat.
With great power comes everybody else’s responsibility... said only by people in this century.
Edit: to follow this up, CBP is also the agency that sucks up all the data on your phone and laptop. They have treasure troves of license plates, passport photos, and titty and dick pics.
They cannot absolve themselves of liability when they are invading everybody’s privacy. If they say they don’t use the data, and they are acting out of ignorance, then that’s a solid case for not collecting it in the first place.
Given that the contractor violated the data handling rules in their contract, the only possible remedy is revocation of their facility security clearance, followed immediately by revocation of the personnel security clearances of everyone who claimed that these systems were operating in accordance with their SSPs.
I'd like to believe that this will happen, but I've seen plenty of cause for FSCs to be revoked and almost no FSC revocations.
Nah, Americans can be subject to their own laws, they were voted for. I'd go for remunerations for non-US citizens who had no choice in the matter (e.g. by being sent to the US for work.) Maybe see us as a bit more equal.
> made the choice to subcontract w/o proper controls
seems to have worked out very well for the army, and their contractors.
So well in fact, that a senator is on a campaign to pass legislation to specifically address the military case (leaving cases like the CBP which should be as obvious as from the get go, to be dealt individually too). The system is so broken in its lack of accountability that even well intentioned people are driven to insanity as the norm.
Government agencies should never be seen as victims.
That's a weird absolute, and that's before the side dish of theology and... Spiderman? You can be powerful or negligent or whatnot and still be a victim.
You can bear responsibility for something and still be a victim. It's really bizarre to suggest this is somehow not the case and to try to support that point with deities, comics and a call for GDPR legislation (for US federal agencies?). This kind of comment is the Markov chain with which threads are anchored to the bottom of the Abyss of Meaninglessness.
There’s a lot going on here, and I’m no fan of CBP but this is pretty much a low-grade by the book contractor failure here. They receive training on all of these things, and have gone through a lengthy award and due diligence process and then all it takes is one person thinking “hey I think I’ll take a sample dataset back to my Dev laptop to test things.” Could be a newbie or a senior - who knows, but it’s happened before.
Go after CBP for constitutionality of collection, for working outside of borders where they are legally not allowed to work, etc, but in this case I’d say let’s not blow things too out of proportion.
Remember when OMB lost hundreds of thousands of detailed compromising personal background check reports with all the identifying information including biometrics? This sounds like some port of entry data you could get with a camera in public.
Further: they are not absolving themselves. They are probably working their asses off right now to make sure this never happens again but somebody is going to pay for credit protection and insurance, and it should be the contractor that ignored their contract and all sensible security policy. So, there is is in the press release.
Lastly: I don’t think GDPR fixes this. Government (especially intel community and law enforcement) keeps the data as long as their record schedules allow.
Thankfully, laws about breaches required them to reveal this to us within a certain time. Privacy Officers have really hard jobs. To do them well is hard and thankless. Glad this one stuck to the law.
> There’s a lot going on here, and I’m no fan of CBP but this is pretty much a low-grade by the book contractor failure here.
Maybe government agencies shouldn't be allowed to contract out. And if they are, then they should be held ultimately responsible for their choice of contractors.
Non-military, executive branch headcount has remained relatively consistent in absolute numbers since the 1950s, believe it or not, at ~2 million, even though the budget has expanded enormously. Sources:
A concurrence in my assessment: https://www.nationalreview.com/2017/02/federal-government-gr... ("So, since 1960, federal spending, adjusted for inflation, has quintupled and federal undertakings have multiplied like dandelions, but the federal civilian workforce has expanded only negligibly, to approximately what it was when Dwight Eisenhower was elected in 1952." Note I'm not necessarily agreeing with the sentiments expressed elsewhere in that article.)
AFAIU for over half a century there's been something of a gentlemen's agreement in Congress among Democrats and Republicans that keeps the official headcount fixed while expanding government through contractors--the closest thing to a wide-spread "conspiracy" (tongue-in-cheek) I've ever seen. Of course, lobbyists and the contracting industry play a huge part in maintaining the system, but IMO that overlays the long-term political equilibrium reached in Congress.
One reason I finger Congress, and not lobbyists, as the principal supporters of the system is that Democrats would much rather have full-time federal employees, so they're clearly compromising. It's hard to say what Republicans want, but to many Republicans hiring contractors 1) squares limited government with electoral pressures to "do stuff" at the federal level, and 2) superficially provides better price signaling through competitive bidding (though if we're honest that's... complicated). Note how the numbers remain conspicuously stable across major domestic and international political shifts. It's fascinating.
State and local government workforces have ballooned, and a lot of federal expenditures are administered via state-based programs. But that doesn't conflict with the "conspiracy" noted above, it's arguably just a way for the Democrats and Republicans to jockey around it.
I’m shocked that there aren’t a bunch of public resignations. I’m also shocked that there aren’t more details - for example - let us know the scope of all the data that company had access to, so we can get an idea of the maximum exposure the public faces.
> “Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract,” the statement read.
Could this lead to criminal charges? Perhaps charging the contractor under CFAA for unauthorized access?
Only if the contractor was not meant to have access to this data. I would put money on them being contracted to "securely manage" the data CBP accrued without consent.
This is, of course, a serious breach and there will and should of course be consequences for the negligent parties
but
I am struggling to see the threat model being faced here.
biometric data is just a username. I flash my face around all day, and am careless as to where I leave my thumbprint.
The loss of so many photos and names is unlikely to have national level consequences (Compare this to say the Office Of Personnel management breach from some years back - that has horrible implications for US National security for decades) and the personal level consequences are ... hard to see
What this does underline is that we are outrageously careless as an industry with our data (comparable to early industrial "pollution" as Schneier points out). And it is not going to get better without a) career and business ending consequences b) new ways to store / secure data c) a new way of thinking about who owns and what is personal data
Personally I think we need a new form of intellectual property (just as we are trying to work out what kind of company FAANG are (not telcos, not newspapers, what is a platform?) we need to ask what is personal data
This comment is presumed under law to be my property, my copyright. I might license that property away (dunno never read HN T&Cs) but it is mine. But google and apple and others will track that I sat down at a certain time and place to write it, my ISP will see when I sent to which servers.
All of that data is also created by my conscious actions - should that data not also be my property. And if need be licensed - and compensated for its use?
And when (if) my data is held - then we should presume that it can be accessed by my agents for my benefit (from spending patterns to heart data). I would argue that Sometimes surveillance can be good for us - but only in ways similar to doctors knowing more about me can be good for me - the entire industry of medicine has individual interests at its heart and took a long time to get there.
We are heading in that direction (perhaps) but till we get there, carelessness will be the cheapest option, surveillance always bent agansit is (by state or other actors). We should rail against this stupid dumb breach, but punishing the "bad guys" is not even the first step on the road.
If I can make a bad analogy - It's not one incident that people got sick from one chef badly cooking chicken - it's we need to look at factory farming and meat consumption and healthy eating and marketing bias as a whole.
>I am struggling to see the threat model being faced here.
We don't really know the full details of the breach, but if the facial recognition database contained names in a column associated with pictures, that data can absolutely be leveraged and cross-referenced against other "fullz" for fraud that even passes a lot of online verification procedures.
I agree that we don't know what was lost, and it could easily be waaay worse than I imagine
But this kind of comes back to my point - why do we have online verification systems that rely on things like knowing my address in the last three years - Equifax breach should have meant we gave up on using a credit risk scoring system as an identity provider.
But we don't.
We need to rethink what is identity (start with web of trust) and who owns data that links to that identity.
I mean this could be the start of a positive identity provider - grab that downloaded database and provide a system that says this is a picture of Paul Brian's face, and his passport, and on the 20th August last year a official of the US government compared them
in real life and verified they matched (there may even be a hash of the digital images made at the time but I should not get my hopes up)
Now make that globally available. Is that useful and valuable - I think so. I would prefer if I had been able to upload my public key to that at the same time (I can always visit NYC again) but you get the idea. This leads to question like why does my passport not generate a key pair for me to use? Can I use facial recognition to match my gravatar / facebook / twitter ? Why is knowing a non-secret (mother's maiden name, passport or drivers license number, three digits on back of credit card) seen as security?
Why is it we use what we have to hand and not what is needed? Why don't american banks use chip and pin?
It's not bad that my online identity is clear and visible - as long as the legal and practical frameworks exist to support it - which they basically don't right now but we could make it happen
206 comments
[ 3.1 ms ] story [ 223 ms ] threadNothing else in the article.
They have a joint venture with DEA to have fairly comprehensive coverage of interstates. Also, private companies offer LPR services and sharing, not sure if this company did or if that database was breached.
[1]: https://goo.gl/maps/Nfk1XjUFGsNh5QD29
> CBP ... is closely monitoring all CBP work by the subcontractor
What. In the private sector, they'd have been fired and probably legal action levelled against them. The CBP's punishment for this is 'monitoring'? Please tell me I'm reading this wrong...
I agree that an individual unfairly blamed by a company for their failure should be able to move on with their life but... we've seen plenty of clearly guilty people get out with a golden parachute and turn to serving on the board of directors of companies for the ridiculous sum that tends to net you.
IME, this is especially the case for security positions like CISOs, where the pool of people with such experience is excruciatingly limited to begin with (and no, a high level engineer/developer does not have the same skillset as a security professional).
There's also something to be said for allowing people to learn from their mistakes. It's obviously higher stakes for an executive, but it's along the same vein as how we don't blacklist-for-life the developers who write vulnerable code.
I don't hate management, I've worked for some great middle managers that have made my life easy - and for some terrible ones that constantly over-promised and pushed the weight down on us in the trenches. For upper management I've worked for three main veins of persons, the ones that micromanage and attempt to constantly invest themselves in every problem - leading to an inability to make good high level decisions... the sort that are removed from business by such an extent that they are unable to reason about direction decisions and fail to support a company's natural growth.. and those that are approachable but limited, who will voluntarily back out of any low level decision discussion but coordinate what decisions are being discussed and what those decisions mean for other portions of the company.
So mainly I'm rejecting your assumption that the pool is limited to begin with - people do come from famous families and waltz into the field with no prior experience, and those who try to work their way up tend to be stifled due to their lack of experience.
I'm certainly not saying that all C-levels possess these necessary traits in a positive way, and there are definitely some C-levels that only got where they are because of nepotism or luck, but I also disagree that there is a significant 'stifling' of newcomers. Nearly every company I have worked at has had a specific "track" for its employees to pursue management (including C level) positions, but my experience is that most people just aren't cut out for it (either because they self-selected that they didn't want/enjoy it, or because they didn't have the necessary personality for it). More specific to the tech industry, I've often seen/heard of Silicon Valley companies having separate "Individual Contributor" versus "Management" tracks. Many engineers self-select the IC track because they don't enjoy management aspects.
And that's not necessarily a bad thing, either. Not everyone is destined to be a CEO, nor should that be everyone's goal, and there's definitely nothing wrong with not being a possessor of the negative-in-many-aspects cutthroat ethics that being a CEO often requires. It's not all too dissimilar to how not everyone is destined to be a programmer, and you can't take just anyone off the street, hand them a programming textbook, and turn them into Linus Torvalds, nor should you.
My hunch is that this is no more true of C-levels than it is of any other profession where some natural aptitude (eg. above average intelligence) is required. In other words, I think the "pool" of C-levels is small almost solely because of organisational hierarchy; for every C-level there are many more people with the required natural aptitude who are not C-levels. Of course, for a sufficiently narrow domain, the intersection of people with the required natural aptitude and people with the required years of domain experience may become very small.
In that sense, I think being a C-level is something that many people can just "train up to," if given the right opportunities. I'm not sure if there is any empirical evidence that could tell us who's right.
I've seen enough "emergency temporary promotions" succeed in their job that I tend to agree with you and not with the self-serving "I am special" arguments you hear from people in these circles.
Is there some finite limit of mistakes that humans make over their lifetimes? In fact, it would be the opposite - those who are making more decisions are by definition likely to make more wrong decisions, as compared to someone who doesn't make as many decisions.
> Isn’t the board, by definition, paying for people who have a very high chance of making good decisions?
Yes, which is why the salaries for such positions are often so high.
The demonstrable lack of financial repercussions for failure, which you are arguing is justified in some cases, belie this causal relationship. I'd echo Taleb and sat that if an elite class is to be healthy, incompetence must swiftly and summarily result in expulsion.
If we revert from "involved in a controversy" back to "has demonstrated extreme incompetence", your argument carries less weight. We can at least say that the inexperienced new guys haven't been tested and found wanting. The
(In the enterprise software world, I can tell you how epic failure to perform on an 8+ figure contract unfolds: the sales guy takes a VP out to the next game so they can discuss it over drinks in the corporate box and nothing will change)
a breach wasn't found, but that contracting company eventually became bankrupt under the weight of our negative press and litigation. I know that this is essentially bullying but it was used as an example to other contractors who might try something like that.
Incidentally the SaaS provider no longer exists, gobbled up by netsuite (which was, itself, acquired by Oracle).
If a company with weak data-protection standards wins out over a company with strong ones, it's never because of their lack of data-protection standards. Rather, it'll be because all the other features, pricing, marketing, etc. they can do that's the opportunity cost of decent security. So as far as the information available to laypeople is concerned, most companies do a decent job with security and it's just a few bad apples that happen to be gigantic like Equifax, Facebook, Target, Yahoo, Anthem, and the U.S. government that are screwing things up.
(FWIW, at Google we took security very seriously and implemented some truly heroic measures to keep your data safe.)
Experian didn't lose any customer data, though. They only lost data on their products. Their actual customers had no reason to stop paying for their services.
Tell me again one meaningful action against a data leak in the private sector. I'll wait.
Requires, but how do they enforce it?
[1] https://en.m.wikipedia.org/wiki/Imran_Awan
> [1] https://en.m.wikipedia.org/wiki/Imran_Awan
I don't see how that link supports your conclusion? From my reading of it, no data was stolen by Imran Awan?
It's just a pile on at this point.
His wording was misleading. Not his intentions. Nobody is in disagreement that security is very important.
Granted, lowering liability is apparently something I shouldn't worry about since no one is ever held to account for breaches these days.
This implies that in addition to reducing the likelihood of breaches, you should also focus on all the other aspects of security, especially detection and mitigation; and for databases one of the main ways of reducing the impact of breaches is to avoid storing sensitive information as much as possible. In this particular example, was it really necessary to store pictures of license plates beyond a very limited period of time? A breach can't leak what you don't store, and you will get some breaches.
Of course we shouldn't just 'give up' and stop trying to improve our security, but the unfortunate truth is that breaches are practically inevitable. In addition to constantly striving to improve our security, our society also needs to start investigating ways to make it so that breaches are less impactful (for example, stop using SSNs as any type of secret identifier, so that if an SSN database is breached, it doesn't matter).
> And on Monday, after I published this column online, Department of Homeland Security officials called me to disclose that photos of travelers were recently taken in a data breach, accessed through the network of one of its subcontractors.
how many individuals and vehicles has been impacted?
anyway we can hold the agency and its contractors accountable for this issue?
https://www.washingtonpost.com/technology/2019/06/10/your-fa...
It is naturally very difficult to enforce security mandates on a company that isn't your own, but I feel that this is one of the best ways we can improve security overall in our society: companies need to start requiring that everyone they do business with have a strong, independently certified security program, or else no contract will be signed. This is already done for things like data center contracting, but it should be much more widespread and encompass every type of b2b deal.
No, actually your system was compromised by allowing the subcontractor to copy the data to another, more insecure network.
As a start how about requiring ISO 2700x security certification?
They created policies that could be ignored. That’s on them. They shouldn’t be able to use their position to avoid accountability or to scapegoat their contractors (that they likely hired without due diligence).
Government agencies should never be seen as victims. They hold power and authority that nobody else can hope to enjoy. There is no higher power to hold them to account because the electorate had already been subverted to maintain their position. So they should not be protected from fucking up. In this context, God or the Lord is not a higher power, it is also a scapegoat.
With great power comes everybody else’s responsibility... said only by people in this century.
Edit: to follow this up, CBP is also the agency that sucks up all the data on your phone and laptop. They have treasure troves of license plates, passport photos, and titty and dick pics.
They cannot absolve themselves of liability when they are invading everybody’s privacy. If they say they don’t use the data, and they are acting out of ignorance, then that’s a solid case for not collecting it in the first place.
As it stands, the US needs a GDPR.
I'd like to believe that this will happen, but I've seen plenty of cause for FSCs to be revoked and almost no FSC revocations.
seems to have worked out very well for the army, and their contractors.
So well in fact, that a senator is on a campaign to pass legislation to specifically address the military case (leaving cases like the CBP which should be as obvious as from the get go, to be dealt individually too). The system is so broken in its lack of accountability that even well intentioned people are driven to insanity as the norm.
That's a weird absolute, and that's before the side dish of theology and... Spiderman? You can be powerful or negligent or whatnot and still be a victim.
It's not _the people_ who made the decision to collect this data.
This is incorrect. They can absolve themselves of liability an act with impunity.
You and I might not like that, but it is fact.
I think that giving the benefit of objectiveness makes it easier for them to continue down this path.
Go after CBP for constitutionality of collection, for working outside of borders where they are legally not allowed to work, etc, but in this case I’d say let’s not blow things too out of proportion.
Remember when OMB lost hundreds of thousands of detailed compromising personal background check reports with all the identifying information including biometrics? This sounds like some port of entry data you could get with a camera in public.
Further: they are not absolving themselves. They are probably working their asses off right now to make sure this never happens again but somebody is going to pay for credit protection and insurance, and it should be the contractor that ignored their contract and all sensible security policy. So, there is is in the press release.
Lastly: I don’t think GDPR fixes this. Government (especially intel community and law enforcement) keeps the data as long as their record schedules allow.
Thankfully, laws about breaches required them to reveal this to us within a certain time. Privacy Officers have really hard jobs. To do them well is hard and thankless. Glad this one stuck to the law.
Maybe government agencies shouldn't be allowed to contract out. And if they are, then they should be held ultimately responsible for their choice of contractors.
Historical table: https://www.opm.gov/policy-data-oversight/data-analysis-docu...
A concurrence in my assessment: https://www.nationalreview.com/2017/02/federal-government-gr... ("So, since 1960, federal spending, adjusted for inflation, has quintupled and federal undertakings have multiplied like dandelions, but the federal civilian workforce has expanded only negligibly, to approximately what it was when Dwight Eisenhower was elected in 1952." Note I'm not necessarily agreeing with the sentiments expressed elsewhere in that article.)
AFAIU for over half a century there's been something of a gentlemen's agreement in Congress among Democrats and Republicans that keeps the official headcount fixed while expanding government through contractors--the closest thing to a wide-spread "conspiracy" (tongue-in-cheek) I've ever seen. Of course, lobbyists and the contracting industry play a huge part in maintaining the system, but IMO that overlays the long-term political equilibrium reached in Congress.
One reason I finger Congress, and not lobbyists, as the principal supporters of the system is that Democrats would much rather have full-time federal employees, so they're clearly compromising. It's hard to say what Republicans want, but to many Republicans hiring contractors 1) squares limited government with electoral pressures to "do stuff" at the federal level, and 2) superficially provides better price signaling through competitive bidding (though if we're honest that's... complicated). Note how the numbers remain conspicuously stable across major domestic and international political shifts. It's fascinating.
State and local government workforces have ballooned, and a lot of federal expenditures are administered via state-based programs. But that doesn't conflict with the "conspiracy" noted above, it's arguably just a way for the Democrats and Republicans to jockey around it.
Could this lead to criminal charges? Perhaps charging the contractor under CFAA for unauthorized access?
This is, of course, a serious breach and there will and should of course be consequences for the negligent parties
but
I am struggling to see the threat model being faced here.
biometric data is just a username. I flash my face around all day, and am careless as to where I leave my thumbprint.
The loss of so many photos and names is unlikely to have national level consequences (Compare this to say the Office Of Personnel management breach from some years back - that has horrible implications for US National security for decades) and the personal level consequences are ... hard to see
What this does underline is that we are outrageously careless as an industry with our data (comparable to early industrial "pollution" as Schneier points out). And it is not going to get better without a) career and business ending consequences b) new ways to store / secure data c) a new way of thinking about who owns and what is personal data
Personally I think we need a new form of intellectual property (just as we are trying to work out what kind of company FAANG are (not telcos, not newspapers, what is a platform?) we need to ask what is personal data
This comment is presumed under law to be my property, my copyright. I might license that property away (dunno never read HN T&Cs) but it is mine. But google and apple and others will track that I sat down at a certain time and place to write it, my ISP will see when I sent to which servers.
All of that data is also created by my conscious actions - should that data not also be my property. And if need be licensed - and compensated for its use?
And when (if) my data is held - then we should presume that it can be accessed by my agents for my benefit (from spending patterns to heart data). I would argue that Sometimes surveillance can be good for us - but only in ways similar to doctors knowing more about me can be good for me - the entire industry of medicine has individual interests at its heart and took a long time to get there.
We are heading in that direction (perhaps) but till we get there, carelessness will be the cheapest option, surveillance always bent agansit is (by state or other actors). We should rail against this stupid dumb breach, but punishing the "bad guys" is not even the first step on the road.
If I can make a bad analogy - It's not one incident that people got sick from one chef badly cooking chicken - it's we need to look at factory farming and meat consumption and healthy eating and marketing bias as a whole.
We don't really know the full details of the breach, but if the facial recognition database contained names in a column associated with pictures, that data can absolutely be leveraged and cross-referenced against other "fullz" for fraud that even passes a lot of online verification procedures.
But this kind of comes back to my point - why do we have online verification systems that rely on things like knowing my address in the last three years - Equifax breach should have meant we gave up on using a credit risk scoring system as an identity provider.
But we don't.
We need to rethink what is identity (start with web of trust) and who owns data that links to that identity.
I mean this could be the start of a positive identity provider - grab that downloaded database and provide a system that says this is a picture of Paul Brian's face, and his passport, and on the 20th August last year a official of the US government compared them in real life and verified they matched (there may even be a hash of the digital images made at the time but I should not get my hopes up)
Now make that globally available. Is that useful and valuable - I think so. I would prefer if I had been able to upload my public key to that at the same time (I can always visit NYC again) but you get the idea. This leads to question like why does my passport not generate a key pair for me to use? Can I use facial recognition to match my gravatar / facebook / twitter ? Why is knowing a non-secret (mother's maiden name, passport or drivers license number, three digits on back of credit card) seen as security?
Why is it we use what we have to hand and not what is needed? Why don't american banks use chip and pin?
It's not bad that my online identity is clear and visible - as long as the legal and practical frameworks exist to support it - which they basically don't right now but we could make it happen
That's one way of looking at it.