Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Pennsylvania CISO Fired Over Talk At RSA Conference

timothy posted more than 4 years ago | from the perfecting-the-art-of-the-ham-fist dept.

Censorship 147

An anonymous reader writes "Pennsylvania's chief information security officer Robert Maley has been fired for publicly talking about a security incident involving the Commonwealth's online driving exam scheduling system. He apparently did not get the required approval for talking about the incident from appropriate authorities."

Sorry! There are no comments related to the filter you selected.

DANG TPS Reports.. (2, Funny)

Mekkah (1651935) | more than 4 years ago | (#31444332)

Must have not got the memo..

Re:DANG TPS Reports.. (1)

rednip (186217) | more than 4 years ago | (#31444614)

Don't worry, I'll send it over right now.

Re:DANG TPS Reports.. (1)

conspirator57 (1123519) | more than 4 years ago | (#31444906)

did you use the new cover sheet?

Re:DANG TPS Reports.. (1)

Sulphur (1548251) | more than 4 years ago | (#31445838)

For the last time, we will not read upside downy faxes.

Motormouth failed his talking test? (3, Insightful)

AliasMarlowe (1042386) | more than 4 years ago | (#31444352)

What's the story here? He blabbed on a security issue without approval, and got his ass roasted.

Re:Motormouth failed his talking test? (5, Insightful)

DoofusOfDeath (636671) | more than 4 years ago | (#31444416)

What's the story here? He blabbed on a security issue without approval, and got his ass roasted.

The same reason I don't want nuclear regulators getting fired for admitting when there was a heavy water leak into an aquifer.

Re:Motormouth failed his talking test? (4, Insightful)

HungryHobo (1314109) | more than 4 years ago | (#31444486)

If this were a private company I'd be of the opinion that their internal security is their concern but this is a government office and the people who pay the bills have a right to know what's going on.

Maybe sometimes, but not always (5, Interesting)

Mathinker (909784) | more than 4 years ago | (#31445078)

If this were a private company I'd be of the opinion that their internal security is their concern but this is a government office and the people who pay the bills have a right to know what's going on.

If the internal security failure lead to your private information being leaked and the possibility of financial loss to you, I think that you might be of the opinion that there should be legislation which deals with disclosure. Actually, there is such legislation in many jurisdictions. And you also have Sarbanes–Oxley stuff which is supposed to encourage whistleblowing.

Some "internal" things are more internal than others....

Re:Maybe sometimes, but not always (0)

Anonymous Coward | more than 4 years ago | (#31446376)

I think the guy who got fired would agree that more that internal they sound like anal.

Re:Motormouth failed his talking test? (1)

gamecrusader (1684024) | more than 4 years ago | (#31447416)

maybe he should now tell the world how the system works after all he got fired whats the worst that can happen, he could claim the right to free speach to cover his already flamebroiled ass on a burnt bun.

Re:Motormouth failed his talking test? (1)

OverlordQ (264228) | more than 4 years ago | (#31444542)

The same reason I don't want nuclear regulators getting fired for admitting when there was a heavy water leak into an aquifer.

Apples and oranges, one is a health risk, one isn't.

Re:Motormouth failed his talking test? (3, Insightful)

DoofusOfDeath (636671) | more than 4 years ago | (#31444582)

Apples and oranges, one is a health risk, one isn't.

Apples and near-apples from my perspective. Both types of problems can have negative consequences if allowed to continue due to lack of public scrutiny. And in neither problem type is there a compelling public interest in secrecy.

Re:Motormouth failed his talking test? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31444994)

Secret while it's a security issue until it's fixed. Public after that.

Re:Motormouth failed his talking test? (4, Insightful)

meerling (1487879) | more than 4 years ago | (#31445116)

Government (and bureaucracies) tendency to not fix anything like that until they have to.
Public outcry over the situation is one way to increase the 'have to' value.
Also, keeping problems secret has always been a major dodge for not having to deal with an issue.

Re:Motormouth failed his talking test? (1)

Anonymous Coward | more than 4 years ago | (#31446396)

Government (and bureaucracies) tendency to not fix anything like that until they have to.
Public outcry over the situation is one way to increase the 'have to' value.
Also, keeping problems secret has always been a major dodge for not having to deal with an issue.

Most large companies don't either if they can help it. That's why we have class action lawsuits: a bunch of little guys banding together can be as powerful as the corporate behemoths, who could otherwise pick off individuals one by one. Look at the stonewalling Toyota did. It finally came back to bite them in the ass.

You'll also note that there was a flurry of other recalls in recent weeks in addition to Toyota's. The various car companies probably figured that there's safety in numbers instead of being the lone duck announcing one.

Re:Motormouth failed his talking test? (5, Insightful)

plover (150551) | more than 4 years ago | (#31445414)

There is a distinction between "acknowledgment" of an already known problem and the "announcement" of a brand new one. Hackers know about the problem already, and apparently it was widely known how to game the system, so this was only an acknowledgment. The CISO didn't reveal anything new, although it was apparently new to this particular audience.

By making future CISOs afraid for their job, the governor has poisoned the CISO's ability to actually perform their duties.

Re:Motormouth failed his talking test? (5, Funny)

Hatta (162192) | more than 4 years ago | (#31445028)

Apples and oranges, one is a health risk, one isn't.

Which one is it?! Who knew picking from the fruit basket would be like playing russian roulette?

Re:Motormouth failed his talking test? (3, Funny)

geekoid (135745) | more than 4 years ago | (#31445662)

Simple, take the banana and shoot the guy holding the basket.

Re:Motormouth failed his talking test? (3, Funny)

Hatta (162192) | more than 4 years ago | (#31445784)

But what if he has a pointed stick?

Re:Motormouth failed his talking test? (4, Funny)

spun (1352) | more than 4 years ago | (#31446322)

Ooh, ooh, ooh; want to learn how to defend yourself against pointed sticks, do we? Getting all high and mighty, eh? Fresh fruit not good enough for you, eh? Well let me tell you something lad! When you're walking home tonight and some great homicidal maniac comes after YOU with a bunch of loganberries, don't come cryin' to me!

Re:Motormouth failed his talking test? (0)

Anonymous Coward | more than 4 years ago | (#31446362)

Apples taste good, oranges taste good.

Apples can be made into juice; oranges can be made into juice.

Your move, bub.

Re:Motormouth failed his talking test? (1)

geekoid (135745) | more than 4 years ago | (#31445740)

You also do not want a nuclear regulator spilling his guts about an ongoing investigation.

Re:Motormouth failed his talking test? (1)

gamecrusader (1684024) | more than 4 years ago | (#31447472)

actually with a nuclear ongoing investigagtion the world has to know about that one.
unless the CIA has some involvevment then everyone has to know.

Re:Motormouth failed his talking test? (1)

blair1q (305137) | more than 4 years ago | (#31445820)

He wasn't blowing a whistle, he was making conversation.

As an employee, he's required to follow the organization's policies, one of which is that releases of information go through information-release channels, at least for approval.

If he'd asked for approval, and been denied, but decided it was an ethical problem that could only be resolved by releasing the info anyway, he might be protected by whistleblower laws. If merely applying for approval might have compromised his safety or rights, he might be protected by whistleblower laws.

Neither was the case here. He just yapped without checking.

Which is just sloppy corporate citizenry.

Rule 1: if you don't want to follow rule 2, stop reading the job application now.

Re:Motormouth failed his talking test? (2, Insightful)

crymeph0 (682581) | more than 4 years ago | (#31446034)

...He just yapped without checking.

Which is just sloppy corporate citizenry.

Except his employer isn't "corporate", they're a U.S. state, funded by taxpayers. As a taxpayer, I demand to know if there are security (or "configuration") holes that have been actively exploited at the institutions my taxes fund, unless the dissemination of such knowledge would hurt an ongoing police investigation. There is no mention in the story of such a request from the police, just a general indication that the police are investigating.

Re:Motormouth failed his talking test? (1)

dieth (951868) | more than 4 years ago | (#31446762)

He was the "Chief Information Security Officer" who was he going to get approval from? Sounds like it's already his job to make the decision regarding the release of information, and this is just a pissy Governor who doesn't know fuck all about what's going on.

Re:Motormouth failed his talking test? (1)

Qzukk (229616) | more than 4 years ago | (#31446882)

He was the "Chief Information Security Officer"

It's a government. His title puts him in line behind the 5000 other Czars and Rulers and Gods and Donors and Nephews and...

Re:Motormouth failed his talking test? (0)

Anonymous Coward | more than 4 years ago | (#31447036)

Of course the only reason that a heavy water leak would be problem, assuming no PCBs, dioxin, or dangerous contamination, is due to the waste of heavy water. As you're no doubt aware, heavy water is almost completely innocuous, unless you're drinking almost nothing but heavy water. It seems a heavy water leak would be more of an issue for the accountants than the nuclear regulators.

Re:Motormouth failed his talking test? (1, Insightful)

djupedal (584558) | more than 4 years ago | (#31444470)

The 'story' here is actually more of a question.

If the CISO treats one rule casually, what is the dolt liable to ignore next?

I'm guessing a list of at least primary concerns wouldn't include abuse of parking privileges...

Re:Motormouth failed his talking test? (4, Insightful)

Fjandr (66656) | more than 4 years ago | (#31445094)

If the CISO treats one rule casually, what is the dolt liable to ignore next?

This is probably one of the most specious arguments anyone ever trots out about someone breaking (or overlooking) a rule, especially in organizations known for coming up with rules for every single thought or action one engages in (e.g. a bureaucracy). Unless the incident was actually ongoing, or had the potential to risk the security or integrity of the systems it was his job to oversee, talking about a past incident germane to the topic of the conference is what people do at conferences. That's the entire point. Yes, he violated a minor rule. "Oh lordy lordy, who will he kill next?" is not really the best response to the situation.

Re:Motormouth failed his talking test? (1)

bzipitidoo (647217) | more than 4 years ago | (#31445678)

I wonder what more there is to this story. Was this his third strike or something, or just they just up and abruptly fire him without so much as a warning? Or was that the pretext to cover up some sort of personal issue someone had with him? Perhaps a vendetta? Or an attempt to cover up something? The article makes it sound like PA was completely unreasonable about it. Certainly possible, but I'm skeptical. It's like being executed for littering. Every time the media has reported on something I knew about personally, I was always shocked at the number and magnitude of factual errors they made, the twisting of focus away from the main issue.

Re:Motormouth failed his talking test? (2, Interesting)

Fjandr (66656) | more than 4 years ago | (#31446840)

Every time the media has reported on something I knew about personally, I was always shocked at the number and magnitude of factual errors they made, the twisting of focus away from the main issue.

I agree 110%. The stories I've seen broadcast about events I had personal knowledge of made it so I trust the media story about as much as I'd trust a junkie with the safekeeping of a kilo of heroin.

I was mostly responding to the theory that if someone screws up once in a (seemingly) minor way they are untrustworthy to do anything ever again. Hell, even if they screw up in a major way (assuming something short of gross negligence). If that was the case, there would be almost nobody employed anywhere. The story was taken at face value simply for the sake of argument. It's unlikely that a single person here actually knows the real story to any major degree, so discussion is pretty meaningless without taking it at face value. It all ends up being theory and conjecture anyway.

Re:Motormouth failed his talking test? (1)

precariousgray (1663153) | more than 4 years ago | (#31445572)

Except this "rule" has no useful purpose. See other relevant comments.

They followed policy. It'll be okay. They followed policy. Lord Policy is Absolute. He shall keep us safe.

Re:Motormouth failed his talking test? (0)

Anonymous Coward | more than 4 years ago | (#31446936)

Parking privileges are one thing, but this guy took my stapler - he deserved all he got and more.

Re:Motormouth failed his talking test? (1)

Threni (635302) | more than 4 years ago | (#31444528)

It's not that I'm surprised he got fired. I can understand the cause-and-effect that went on at the company. It's that the policy is stupid, and brings the stuff the spoke about to the attention of a far wider group of people than would have heard about it had he not been fired. The policy fails to do its job spectacularly. This failure is amusing to some people, including myself; hence its appearance on Slashdot. Got it now?

Re:Motormouth failed his talking test? (2, Informative)

ircmaxell (1117387) | more than 4 years ago | (#31444560)

You do realize that he didn't work for a company, don't you? He worked for the state government...

Re:Motormouth failed his talking test? (1, Informative)

Anonymous Coward | more than 4 years ago | (#31444556)

You really don't see the story? This is a security breach involving a public computer system. That is, a system paid for by taxpayers and affecting said taxpayers.

THERE SHOULD BE NO SECRETS WHEN TAXPAYERS' MONEY IS INVOLVED.

Any and all information about a breach like this needs to be public immediately.

SO THERE SHOULD HAVE BEEN NO NEED TO GET "AUTHORIZATION" BEFORE DISCLOSING IT.

Is that clear enough for you? Sheesh, it's no wonder America's in such a sad state these days.

Re:Motormouth failed his talking test? (2, Funny)

Locke2005 (849178) | more than 4 years ago | (#31444666)

"You want the truth? You can't handle the truth!"

Re:Motormouth failed his talking test? (1)

OzPeter (195038) | more than 4 years ago | (#31444812)

You really don't see the story? This is a security breach involving a public computer system THERE SHOULD BE NO SECRETS WHEN TAXPAYERS' MONEY IS INVOLVED.

Do you really want the taxpayers having the root password?

Re:Motormouth failed his talking test? (5, Insightful)

plover (150551) | more than 4 years ago | (#31445468)

Do you really want the taxpayers having the root password?

I'll give them to you. There are actually two root passwords to the Constitution: "terrorism" and "child pornography". By using either password, you can bypass any of the security protections or protocols built into the document, and you can invalidate its signatures.

Re:Motormouth failed his talking test? (2, Funny)

Chris Burke (6130) | more than 4 years ago | (#31446444)

Just a practical note from personal experience. Screaming "child pornography" at the top of my lungs did not let me undo the Constitutionally granted power of the Executive Branch to create law enforcement agencies to enforce federal laws while agents of said agencies were hauling me away. Quite the opposite in fact.

Re:Motormouth failed his talking test? (2, Informative)

Anonymous Coward | more than 4 years ago | (#31446550)

Do you really want the taxpayers having the root password?

I'll give them to you. There are actually two root passwords to the Constitution: "terrorism" and "child pornography". By using either password, you can bypass any of the security protections or protocols built into the document, and you can invalidate its signatures.

Four actually:

http://en.wikipedia.org/wiki/Four_Horsemen_of_the_Infocalypse

Re:Motormouth failed his talking test? (5, Insightful)

firewrought (36952) | more than 4 years ago | (#31444844)

What's the story here? He blabbed on a security issue without approval...

The firing seems heavy-handed. Don't you want your Chief Information Security Officer participating in industry security conferences, selectively sharing the experiences of your organization with security professionals so as to help find long term solutions? Who knows... maybe he shared some sort of special classified/secret/private data that he really ought not to have, but it sounds like good old bureaucracy + control freaks at the top who think it's all about militaristic need-to-know.

Re:Motormouth failed his talking test? (2, Interesting)

OzPeter (195038) | more than 4 years ago | (#31445052)

What's the story here? He blabbed on a security issue without approval...

The firing seems heavy-handed. Don't you want your Chief Information Security Officer participating in industry security conferences, selectively sharing the experiences of your organization with security professionals so as to help find long term solutions?

Do you want this happening while there is apparently an on going investigation? There are reasons why there are approval rules and they aren't about old bureaucracy and control freaks

Re:Motormouth failed his talking test? (1)

dimeglio (456244) | more than 4 years ago | (#31446064)

I consider him a martyr. How are we to learn anything is no one talks about how they dealt with security issues.

Re:Motormouth failed his talking test? (1, Interesting)

Anonymous Coward | more than 4 years ago | (#31446964)

I work for a state agency in IT. Not a bench tech but up the chain a bit. We have all signed forms saying that we will not divulge anything about our environment - what we run, any breaches, etc. Talking to the media is out of the question. Talking to a group is allowed IF the content is very general. One of our guys talked to the media once (and slammed the state in the process) and got slapped so hard he ended up leaving.

I have to wonder if the person who fired him was a real IT person who would learn from him sharing his story or someone who was appointed after years of doing something else and thought that his talk revealed a hack. I used to work for an IT person who was a social worker and climbed the ranks.

The story is that blabbing is a good thing (0)

Anonymous Coward | more than 4 years ago | (#31447356)

The story is that it is extremely undesirable for that to be the policy. It is in the public interest that government employees blab a lot, especially about things that have gone wrong.

BTW, it's the same where I live, in New Mexico. Only the Ministry of Truth (actually, I think the title is something else, "Public Relations") is allowed to say anything publicly. Any grunt who happens to know about massive, overwhelming inefficiencies or incompetence, isn't allowed to talk to the press. That's a firing offense and I can't imagine how many millions of dollars per year it is costing the taxpayers; I just know how much I hear off-the-record you-can't-quote-me-or-I'll-be-fired from just one person alone (my girlfriend, a state employee). Really hurts because I work for the press. Every few weeks she tells me mindblowing stuff that the public never finds out about, and would be insanely furious if they did.

The amount of money being wasted is just amazing. Seriously, if only you knew. And they claim to have budget problems!!

The government is made of cockroaches and badly in need of light.

Good job... (5, Insightful)

kurokame (1764228) | more than 4 years ago | (#31444388)

Firing the guy will absolutely convince the public that you've fixed your security problems.

Re:Good job... (0)

Anonymous Coward | more than 4 years ago | (#31446992)

It will in Pennsylvania, a state deep in the Dumb Belt.

His story is NOTHING to my story (5, Funny)

Anonymous Coward | more than 4 years ago | (#31444412)

(had to make sure I hit the "Post Anonymously" button...)
I'm one of many server administrators for LUTX, the (US) Federal Government IT "swat team" that was put in place during the Clinton Administration. One day I was working on a code-blue 456 system using the X-K-Red-27 technique and suddenly a bunch of drunken Canadian's broke in and try to SSH the HTTPS server. Well, as you can imagine, all hell broke loose and we had to double-slot the uranium deuteride fast on the flip-flop before the Russkies could notice.
I hope I don't get fired for sharing this amazing story with Slashdot

Re:His story is NOTHING to my story (0)

Anonymous Coward | more than 4 years ago | (#31444654)

pfft... that happens all the time.

Re:His story is NOTHING to my story (3, Funny)

OzPeter (195038) | more than 4 years ago | (#31444772)

(had to make sure I hit the "Post Anonymously" button...) I'm one of many server administrators for LUTX, the (US) Federal Government IT "swat team" that was put in place during the Clinton Administration. One day I was working on a code-blue 456 system using the X-K-Red-27 technique and suddenly a bunch of drunken Canadian's broke in and try to SSH the HTTPS server. Well, as you can imagine, all hell broke loose and we had to double-slot the uranium deuteride fast on the flip-flop before the Russkies could notice. I hope I don't get fired for sharing this amazing story with Slashdot

Its times like this that I really want to apply a Post Humously moderation

Re:His story is NOTHING to my story (1)

thomasdz (178114) | more than 4 years ago | (#31445222)

did you catch my Fish Called Wanda reference?

Re:His story is NOTHING to my story (0)

Anonymous Coward | more than 4 years ago | (#31445612)

I see you Thomasdz! So much for that "post anon" checkbox you were so careful about before in the parent post!

I'll be at your cubicle in five minutes. Time to do a little KY-Red-27 technique, maybe that will teach you and the rest of our administrators not to talk about the anadiancay's and the usskiesray's on lashdotsay!

huh-huh-huh (1)

conspirator57 (1123519) | more than 4 years ago | (#31445006)

Many Shuvs and Zuuls knew what it was to be roasted in the depths of the Slor that day, I can tell you!

Re:His story is NOTHING to my story (0)

Anonymous Coward | more than 4 years ago | (#31446146)

Jeff, is that you?

He is hitting "legacy" PR control (1)

yuhong (1378501) | more than 4 years ago | (#31444434)

Yep, he is hitting what I call "legacy" PR, which is based on controlling the message.

reasonable? (5, Insightful)

DaveGod (703167) | more than 4 years ago | (#31444438)

Seeing as careless talk can lead to image problems and/or lawsuits (or harming your case if prosecuting them). If you're in a senior position and you talk publicly in a work-related context, you talk on behalf of the organisation whether you intend to or not. OTOH if you are "blowing the whistle" on wrongdoing, there is a specific procedure for that which offers protection.

Re:reasonable? (0)

Anonymous Coward | more than 4 years ago | (#31444920)

as a "C-level" executive, shouldn't he be the one giving permission to discuss incidents relating to his department?

Re:reasonable? (1)

zero0ne (1309517) | more than 4 years ago | (#31445442)

Agreed

Re:reasonable? (1)

DaveGod (703167) | more than 4 years ago | (#31446652)

People giving authority are usually doing so within boundaries. You don't get given authority to say what you please, you get given authority to apply policy. Everyone has their boss.

Kill the Messenger (1)

rockclimber (660746) | more than 4 years ago | (#31444452)

has always worked

except on windows xp...

Re:Kill the Messenger (0)

Anonymous Coward | more than 4 years ago | (#31444750)

It's never worked.

But damn it feels good.

Re:Kill the Messenger (0)

Anonymous Coward | more than 4 years ago | (#31445310)

Worked fine using the GRC tool.

www.grc.com

Check it out

hmm (1)

snmpkid (93151) | more than 4 years ago | (#31444464)

Are they hiring now?

C Level Sec Exec is Fired? (3, Interesting)

introspekt.i (1233118) | more than 4 years ago | (#31444610)

Who fired him? Sounds like he made the wrong people look bad. Rules are rules, I suppose, but if the problem has been fixed, isn't talking about security and attack vectors generally a good thing?

Re:C Level Sec Exec is Fired? (1)

slashdottedjoe (1448757) | more than 4 years ago | (#31444984)

Obviously, holding security conferences and having everybody tight-lipped makes no sense. This is only about making the state look bad.

He may have been paid good, too. So, they may have just been looking for an excuse to bring in a recent college grad for chump change

Re:C Level Sec Exec is Fired? (1)

hrimhari (1241292) | more than 4 years ago | (#31445110)

Obviously, his manager doesn't read /.

He was fired by Brenda Orth, CIO in the OA (4, Informative)

tlambert (566799) | more than 4 years ago | (#31445254)

Who fired him?

According to public records having to do with reporting structure, he would have been fired by Brenda Orth, CIO (Chief Information Officer) in the OA (Office of Administration, Commonwealth of Pennsylvania). The reporting chain is easily verifiable using either the Google cached copy of their page, or the Internet Way Back Machine.

She basically reports to the state Governors staff, so there's no telling how far up hill you'd have to go to find the source of the firing, but as his immediate supervisor, whe would have been the one to pull the trigger.

-- Terry

Re:He was fired by Brenda Orth, CIO in the OA (1)

xenocide2 (231786) | more than 4 years ago | (#31446812)

I guess the next question is, isn't disclosure the sort of thing the CISO signs off on?

Good move dumbasses! (4, Insightful)

haruchai (17472) | more than 4 years ago | (#31444616)

Now all your remaining security issues will fix themselves. But, don't worry, I'm sure Robert Maley will be happy to help you out - at 5 times what you were paying him.

The key paragraph (5, Informative)

Wintermute__ (22920) | more than 4 years ago | (#31444716)

The important paragraph in TFA:

"Maley's dismissal comes amid ongoing budget and staff cuts at Pennsylvania's IT security organization, the source said. Over the past 18 months to two years, the administration has cut information security budgets by close to 38%, and staff by 40%. They also put a "lockdown" on talking about cybersecurity, the source claimed."

Now there's a good plan: If you don't talk about it, no one will know you have a problem, and you can save all that money you were spending on those annoying security types.

Re:The key paragraph (5, Insightful)

timothy (36799) | more than 4 years ago | (#31446198)

Howard County, Maryland (back when I was living there -- might be many other places like this, too) decided to make the local parks "trash free." By removing the trash cans. I leave the results as an exercise for the reader ;)

timothy

Easy fix? (3, Insightful)

Shadyman (939863) | more than 4 years ago | (#31444720)

From TFA: Over the past 18 months to two years, the administration has cut information security budgets by close to 38%, and staff by 40%. They also put a "lockdown" on talking about cybersecurity, the source claimed.

So instead of paying people to fix our security holes, we're just not allowed to talk about them?

Re:Easy fix? (1)

plover (150551) | more than 4 years ago | (#31445594)

So instead of paying people to fix our security holes, we're just not allowed to talk about them?

It's a hell of a lot cheaper that way. (Except for the parts where the bad guys break-in and steal your stuff; yeah, those are kind of expensive, but fixing them doesn't come out of the CIO's paycheck.)

Therefore this is all your fault for complaining about your taxes. You said to your lawmakers "we want less state services and lower quality workers" and there you go! You got exactly what you voted for.

Re:Easy fix? (1)

syntaxeater (1070272) | more than 4 years ago | (#31445878)

It's hard to feign innocence and blame a chinese hacker if people are "talking."

Spill the rest of the beans (4, Interesting)

Archangel Michael (180766) | more than 4 years ago | (#31444738)

If I were him, I'd start spilling all the info I ever had on security for the state. No amount of money or threats would stop me.

I mean any and every item. I'd expose every stupid supervisory move that compromised security and my ability to protect the network. EVERYTHING would be exposed.

Nothing worse than people getting their panties all in a wad over a "talk" about a well publicized incident, of which all the bad guys already knew about.

There is only one thing these people understand, and that is how to look good. Ruin it for them.

Re:Spill the rest of the beans (3, Insightful)

plover (150551) | more than 4 years ago | (#31445660)

Compromising your own ethics for revenge is a net loss. A vengeful, spiteful CISO would have about 0.00% chance of a new job that paid anything above "volunteer" wages.

Remember, CIO already jokingly stands for "Career Is Over." I don't think he needs to pile on "Career Is So Over" limiting moves by acting like a 13-year-old dumped by his first girlfriend.

Re:Spill the rest of the beans (1)

ScrewMaster (602015) | more than 4 years ago | (#31446086)

Compromising your own ethics for revenge is a net loss. A vengeful, spiteful CISO would have about 0.00% chance of a new job that paid anything above "volunteer" wages.

Remember, CIO already jokingly stands for "Career Is Over." I don't think he needs to pile on "Career Is So Over" limiting moves by acting like a 13-year-old dumped by his first girlfriend.

True enough, but then again ... he could just post anonymously.

Compromising your own ethics for revenge (1)

jeko (179919) | more than 4 years ago | (#31446108)

And exactly how do you think most whistleblowers get their start?

Every whistleblower ever gets painted first as a "disgruntled employee crying for attention." When that doesn't stick, they move on to "violating security by disclosing classified information."

The problem is, we never find out about bad behavior covered by secrecy from people who are happy and secure within the organization. Criminal enterprises both in and out of government usually get uncovered when they try to screw over one of the lower guys who still knows enough about where the bodies are buried.

Re:Compromising your own ethics for revenge (3, Insightful)

plover (150551) | more than 4 years ago | (#31447162)

A whistleblower reveals secret information to right a wrong. Perhaps there's a safety issue that is going uncorrected, or an unfair pay gap, or workplace racism, or where the bodies are buried. Those are kept secret to keep costs down at the expense of human health, or to protect the criminally negligent or guilty.

The GP said:

If I were him, I'd start spilling all the info I ever had on security for the state. No amount of money or threats would stop me. I mean any and every item.

There are plenty of legitimate secrets a CISO is expected to keep. Plans for upgrades that reveal current deficiencies but can't be implemented yet due to budget constraints. Ongoing operational security tasks. Or command and control structures: a list of the three key people without whom an emergency response would fail would provide a juicy target list for a serious attack. The identities of sting or honeypot operations. Those are all perfectly legitimate security items that should be kept secret.

A whistleblower is trying to correct an inequity. A traitor provides secret information only to damage an organization. See the difference?

Re:Spill the rest of the beans (1)

geekoid (135745) | more than 4 years ago | (#31445692)

"No amount of money or threats would stop me."

You hold onto that thought when no one will hire you.

Re:Spill the rest of the beans (2, Insightful)

Kittenman (971447) | more than 4 years ago | (#31446768)

If I were him, I'd start spilling all the info I ever had on security for the state. No amount of money or threats would stop me.

Tut. Not sure how it is in your part of the world but some of us sign confidentiality agreements. I've worked for the British home office, some 30 years ago. I'm still bound by the "Official Secrets Act" that I signed then.

I'm not saying that some stories shouldn't be blabbed, but we're professionals. We do what we're paid to. If we're not happy, move on. But don't air dirty laundry. Especially not someone else's.

Re:Spill the rest of the beans (0)

Anonymous Coward | more than 4 years ago | (#31447362)

Guaranteed he's lining up the public disclosure requests for all email having to do with this termination for maybe months prior. They wanted him out and this was a handy mechanism.

BTW, he IS the authority to authorize discussion of the event. I was at that panel discussion, and it was one of the best talks I attended at the conference. No FUD, no vendor bullshit.

And while I'm at it, RSA - we're done for the next few years at least. Vendors controlling the conversation and being enabled by an incompetent federal government ("we just need solutions from the private sector") has become comedic... or it would be if it wasn't so ultimately dangerous.

Re:Spill the rest of the beans (1)

Securityemo (1407943) | more than 4 years ago | (#31447510)

I agree partially, but as a state employee you should only do so if you believe that your actions would benefit the overall organization/the people. The (perceived) narcissism of the managers above you does not factor into it; if they are so destructive, you have a civic duty to do something about it before getting fired. Just dumping "any and every item" is, well, treason if it's not just childish and useless shit-flinging. And I can't believe someone competent would willingly work in public sector security outside three-letter-agencies and not have this mindset.

sounds like an invitation (2, Informative)

oh-dark-thirty (1648133) | more than 4 years ago | (#31444828)

Another telling fact from the article is that the security staff and budget have both been cut by upwards of 40%...no wonder they don't want anybody talking...

Cluetrain... (2, Insightful)

jacks0n (112153) | more than 4 years ago | (#31444896)

Cluetrain Manifesto.... Dead. Slashdot Confirms.

I'm personally not interested in what comes out of any organization's public orifice because it always looks and smells like BS.

When they shut down their non-public orifices they become more and more useless. They lose value. real, actual dollars value.

In a way I'm more worried about this from a public organization because they have a monopoly on governance

and when they're doing it wrong they can keep doing it wrong a lot longer than a private company.

Re:Cluetrain... (1)

plover (150551) | more than 4 years ago | (#31445686)

They may not get the government they need, but they'll always get the government they deserve. The citizens always have the option to "t'row da bums out!"

Not that the bums on the other side of the fence are somehow better bums, but at least they're not the same bums.

Re:Cluetrain... (1)

geekoid (135745) | more than 4 years ago | (#31445726)

"and when they're doing it wrong they can keep doing it wrong a lot longer than a private company."
No, private companies do the same thing. It happens in any bureaucracy.

With a public organization, at least you individual has power.

Re:Cluetrain... (1)

/dev/trash (182850) | more than 4 years ago | (#31446976)

People are still buying into that crap?

"Lockdown" is the problem with Security (3, Insightful)

Anonymous Coward | more than 4 years ago | (#31444926)

I'm simply rehashing the same thing I wrote over at SC Magazine's site:

We do not know all the facts behind the termination, but if was based primarly on his RSA appearance, that's a shame. There are so many variants of qualitative and quantitative risk assessment, that regular meetings with your peers seems to be just as critical with regards to understanding the important controls which need to be put in place. The days of leading with FUD appears to be in our rear view mirror, and building up a positive outlook in security by learning from the past and attempting to stay ahead of the curve is imperative to our support of the business or the public entity. What was the common theme with all the CISO's at RSA? Information sharing is critical and we're way behind. We don't share information, we put ourselves on "lockdown" and don't get invited to the table anymore as security professionals. We're seen as roadblocks, as negative drags on the bottom line. Something has to change or else we're going to lose ground as a country. In fact we already have.

Sharing information with other professionals is now critical to any InfoSec career. We do need to account for privacy, so a balance must be achived. Maley may have violated a confidentiality component of his employment, but that doesn't make the spirit of what he did wrong in any way. If anything, some clear guidance on what types of information is shared behind closed doors at peer review and group meetings at RSA should be discussed. You can't vette everyone who attends the meetings, but openness is a good thing, not a bad thing. More transparency is needed across the public and private sectors. More openness is needed among security professionals. The state of PA has it wrong. Lockdown is not a way to progress forward out of this losing battle with regards to properly securing the infrastructure while allowing the inevitable growth of technology and information.

Re:"Lockdown" is the problem with Security (3, Interesting)

chill (34294) | more than 4 years ago | (#31445644)

Except this is an ongoing police investigation. There is a difference. And a panel discussion isn't necessarily the best way to network with peers on issues like this. He made a mistake and paid for it. It was a bit harsh, but not totally out of line.

Re:"Lockdown" is the problem with Security (0, Offtopic)

ldconfig (1339877) | more than 4 years ago | (#31446300)

Maybe if we rehired back American coders at a fair wage and enough of them to do the job right instead of paying HB-1 visa imports at poverty wages and work them to near death would help with these issues and our economy.

Re:"Lockdown" is the problem with Security (1)

Securityemo (1407943) | more than 4 years ago | (#31447224)

But to understand that realistic risk assessment requires organizations to huddle together, you need to understand the technical reasons and dynamics of the situation. "Lockdown" seems like a reasonable thing to do, if you have no idea or realistic capacity to learn what you're doing in that dimension, and no money to hire someone for advice.

lucky not to be in jail as other who have (1)

Joe The Dragon (967727) | more than 4 years ago | (#31445164)

lucky not to be in jail as other who have came out with info on security incidentes / holes have been locked up.

Broke the Golden Rule of Conferences (3, Funny)

BlueBoxSW.com (745855) | more than 4 years ago | (#31445444)

Didn't he know that you're only supposed to talk at conferences when A) you have something to sell, or B) you're being paid in a round-about way to promote a product while appearing to have no conflicting interest?

No one does a post-mortem of ACTUAL issues that matter to ACTUAL people, anymore.

hack or not to hack (2, Interesting)

Anonymous Coward | more than 4 years ago | (#31445916)

However, she contested several media reports that have described the incident as a hacking attack, and said that as far as the the department was aware, there had been no hack or breach of the system.

Don't you hate it when people imply that their system was not "hacked" simply because they didn't provide the proper precautions to stop the leaking of internal data or changing database information in a way it was not intended?

According to our current definitions... IT WAS A HACK. Whether something is a hack is not determined by the ease in which they are preformed or the impact size of the damage no matter how minimal.

She is describing "hack" in terms of ramifications.

This is concept is almost as silly as attempting to make breaking DRM code illegal without considering the quality of code or logic/math behind it. For example, I could take code an increment each character. ie: a => b, b => c, ... z => a. and then call this "DRM". Now if any pre-teen tries to run this through their decoder ring to "break it"... they get a free pass to jail.

First rule (4, Funny)

93 Escort Wagon (326346) | more than 4 years ago | (#31446058)

The first rule of Commonwealth's online driving exam scheduling system is: You don't talk about Commonwealth's online driving exam scheduling system.

Anyone think (1)

dbrower (114953) | more than 4 years ago | (#31447314)

The incident may have been a pretense to jettison someone whose departure was desirable for other reasons. That the budget is being cut might be reason enough to try to offload the (probably) most expensive guy on the payroll. Maybe he was a squeaky wheel and wanted more security than was determined to be affordable, and just wouldn't shut up about it. Invent your own possible ulterior motives...

-dB

plu5 2, Troll) (-1, Redundant)

Anonymous Coward | more than 4 years ago | (#31447400)

continues to lose this very moment, that ssuports
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?