Friday, February 19, 2016

The cost of incompetent IT and lack of planning on a Nation and your business.


By Lawrence and Melissa Ross
Normally I am NOT one to comment on things that are happening that may have a political consequence because frankly I'm a businessman, not a politician; however, I am a huge privacy advocate and my customers appreciate that.

I do want to clear up some things that I've seen in the media that are polarizing and politicizing what happened tragically in San Bernardino, so let me give you a little rundown of what we know as of 19th February 2016:

  • The locked iPhone in question IS the property of San Bernardino County.  

What does that mean? That means that they could have called Apple and said, "We have a terminated employee and we've not been given the unlock code, can you help me? Maybe tell me what the most recent backup is?" Apple Enterprise Support will verify that the person on the other end of the phone is in fact the registered owner and THEN HELP THEM.

  • San Bernardino County apparently doesn't have an exit interview policy/lost device policy.

Now here's where the “incompetent IT” I mentioned comes in. And yeah, I'm going to get kind of hot about a few of them. There are simple steps to ensure that you have policies and procedures in place so that when you let an employee go and/or you no longer have access to their equipment, you, as the rightful owner, can still access that device or at least the data.

  • The San Bernardino County IT Department were unaware corporate assets hadn’t been backed up in a month and a half.

BUT this should not be an issue. You, whether State or Private, should have steps in place to know when someone’s corporate assets haven’t backed up in a month and a half, such as was the case in California.

  • Apple’s representatives probably assumed that since you’re the IT Representative, you know what you are doing.

Here's the thing: Apple and Google understand you might have inadvertently hired an incompetent who didn’t develop a data safety policy or understand how to manage the devices in their care. So when a call comes in and you say "I'm changing the password," maybe the person on the other end of the phone says, "You're in a trusted Wi-Fi location, right?" Without that, the phone won’t sync beforehand so you can pull the data off of it. Or they might not, presuming that since you're in the IT department you know what you're doing. Unlike the person who changed that passcode and never put that phone somewhere where it would synchronize beforehand, or put in place a device policy that would have alerted IT about the backup issue.

So I have a couple of questions and comments.

  • Why isn’t that IT person in jail for obstruction of justice?

Because that's what that person did. Except being bad at your job isn't a crime. And no, I don't care if it was with or without the County's permission. In fact that just tells me that they don't have any oversight or competence.

  • So what’s the big deal with helping out the FBI?

Here's the thing: the FBI can’t ask for the iCloud data and have Apple be glad to give it to them, because the passcode was changed, the un-backed-up data on the phone is encrypted, and after 10 unsuccessful tries to unlock the phone, the data will delete itself.

So they are asking Apple to create a version of the iOS system (that's on your iPad, on your iPhone, on your Apple TV, on everything that runs with the iOS) that would bypass every security protocol and safety built in. You want that in the wild? I damn sure don't. The precedent that this sets for our last bastions of privacy that this nation was founded on is truly devastating.

I mean this in a slightly tongue-in-cheek manner, but only slightly: the NSA probably already has a back door. Edward Snowden is a treasonous twat but through WikiLeaks we learned that the National Security Agency has been able to look at HTTPS traffic and SSL traffic for years. No warrants, no requirements, just that technical ability. Once people knew it existed, it got built again. I now have the ability to do that, bad guys have the ability to do that. If we don't have to develop a technology that circumvents something, let's not. Okay?

Now for the slightly less crappy news than the Courts ordering Apple to give the specialized code to the FBI, Apple can retain custody of the software at all times:

A federal magistrate on Tuesday ordered Apple to provide the FBI with highly specialized software that could be loaded onto the work-issued iPhone 5C used by Farook. Although the judge instructed Apple to create the software for the FBI, she said it could be loaded onto the phone at an Apple facility. Further, the Justice Department made explicit Friday that Apple could retain custody of the software at all times. The specialized software would bypass a security time delay and self-destruct feature that erases all data after 10 consecutive, unsuccessful attempts to guess the unlocking passcode. Friday, prosecutors explained that investigators would be willing to work remotely to test passcodes, while Apple retained both possession of the phone and the technology itself.

What is your takeaway from this, as a business owner?

  • Make sure that synchronization is happening. If it’s not, make sure the device locks if it can't talk to the “mothership.” Mine do both. Many of my clients do this as well.
  • Here's what I want you to ask the IT department at your office.
    • Do our mobile devices back up automatically?
    • Can we prevent an employee from locking us out of company assets and information?
    • Are they using cloud storage we can't access?
    • Do all our phones have lock screens?


I need everybody to hear that there were ways to prevent this courtroom drama, this additional chink in our security; there are simple ways to have had the information right now.
And none of them involve busting down privacy bastions and the courts. It involves having a good, educated IT team and leadership.

(As an aside, I don’t think there is anything on the phone. The other two phones found were smashed to destruction and those probably were the “burner phones”, so what little options to privacy we have are being given away for a fishing expedition.)



Saturday, February 7, 2015

The fallibility of memory

Brian Williams Faces ‘Fact-Checking’ Inquiry at NBC

Once again, a story in the news spotlights an aspect of social psychology whose findings have been consistently replicated over decades of research: the unreliability of memory.

I love Brian Williams. He is a trusted journalist who has reported the news to us since the 1980s. Unfortunately, he's the latest to publicly mis-remember something and is now being accused of purposefully lying or falsifying information. There are already tons of memes and other forms of internet shenanigans making fun of him. He is such a class act that even now, he's temporarily stepping down from his position. He is a man with a sense of humor, as we've seen with his response to Jimmy Fallon's rap mash-ups featuring clips of Brian Williams in NBC's Nightly News.

A Personal Note from Brian Williams
In the midst of a career spent covering and consuming news, it has become painfully apparent to me that I am presently too much a part of the news, due to my actions.
As Managing Editor of NBC Nightly News, I have decided to take myself off of my daily broadcast for the next several days, and Lester Holt has kindly agreed to sit in for me to allow us to adequately deal with this issue. Upon my return, I will continue my career-long effort to be worthy of the trust of those who place their trust in us.

Scientists explain how Brian Williams' memory may have failed him
"Memory is susceptible to contamination and distortion and supplementation. It happens to virtually all of us," Loftus said. "This could easily be the development of a false memory." 


Monday, January 19, 2015

Crowd Control

This amazing series on National Geographic shows an enormous variety of social psychological concepts and behavioral research and how it can be applied in many real world situations.

The following are links to some of the best episodes.

Crowd Control: Top Takeaways

Behavior expert Daniel Pink takes a look back at some of the show’s most successful and memorable experiments. CROWD CONTROL airs Mondays on National Geographic Channel.


Crowd Control: Time Flies

Using the technique of priming, Daniel Pink tells a few innocuous white lies to a group of elderly people in an attempt to make them act how they actually feel, years younger. CROWD CONTROL airs Mondays on National Geographic Channel.


Crowd Control: Food for Thought

Daniel will try to make a restaurant cellphone-use-free by creating friendly competition with a bubbly prize as incentive. CROWD CONTROL airs Mondays on National Geographic Channel.

Sunday, January 18, 2015

I wonder what it means that I look at this and the first thing that pops into my head is "OMG, Great example of a Negative Correlation!"


Hmmm, fantastic example of a negative correlation! I wonder if I will get in trouble if I showed this to my social psych classes? Of course, I wonder what it means that I look at this and the first thing that pops into my head is "OMG, Great example of a Negative Correlation!" (Also, I have no idea what the words say. I'm assuming it's French, but I don't really know for sure.)

Wednesday, December 10, 2014

The Misdirection of the Media aka Non-News that Warps our Perceptions



http://www.ted.com/talks/alisa_miller_shares_the_news_about_the_news?language=en

That's POWER!

This is one of the reasons I love Scifi and Fantasy. These observations of human nature and social psychology are the norm rather than the exception.


~ Jim Butcher, Skin Game

Monday, November 10, 2014

It's all a matter of perspective!

A student shared this with me in one of their journal entries and I thought it was great and had to share it with y'all!