March 19, 2004

Sloppy SysOp led to Senate MemoGate: Calpundit

Sloppy work by an inexperienced system administrator exposed every sensitive Senate Judiciary Committee file created since August 2001, according to Calpundit's analysis of the Pickle Report. Authors of comments to his post disagree on whether or not the exploitation that resulted was criminal; most agree it was predictable given the lack of basic security precautions. Calpundit: Memogate

One might ask what has changed since the revelations, and how many other governmental networks are run with a similar level of security.

Thanks to Ernie the Attorney "Oops! - my computer system accidentally gave the enemy a look at my information"

See also:

  • "Senate Judiciary Computergate: Criminal?" (Unintended Consequences 1/28/04)
  • "Pickle Report Names Staff in Judiciary Files Scandal" (Unintended Consequences 3/6/04)
  • "Bipartisan Call For Special Counsel in Judiciary Committee Files Scandal" (Unintended Consequences 3/13/04)

    DougSimpson.com/blog

    Posted by dougsimpson at March 19, 2004 05:36 AM | TrackBack
  • Comments

    I walk down the street and a store is having a 'sidewalk sale'. There they are: nice new products sitting on a table with no clerks standing watch. There is no security so they must be free! Right? NO!

    Common sense applies here too. These people took something that did not belong to them. End of story.

    Why is it that rules that apply to behavior everywhere else are suddenly suspended if your hands are touching a keyboard?

    Madness!

    Posted by: Brian Kennemer at March 19, 2004 02:09 PM

    Brian, your position is like that of most opinions I've seen, that the misuse of easy access to the files was wrong. Whether or not it violates a criminal law is another question on which there is a greater difference of opinion.

    In the example of the goods on the sidewalk table, wrongful taking of the item deprives the rightful owner of its possession and use. Thanks to centuries of experience, criminal laws are usually clear on those facts.

    They are less clear about wrongful access to information goods. Merely reading information goods does not deprive the rightful owner of their possession and use, as does a theft of physical goods. This makes it harder to apply a simple analysis based on the traditional concepts of theft. The whole realm of the law of intellectual property (copyright, trademark, fair use, free speech) addresses the latter cases, often with some controversy.

    The Calpundit analysis sets aside the issue of legality and ethics of the misappropriator and addresses the competence of the custodian: Should the management at the Judiciary Committee have exercised greater care in the methods of protecting the files of its members?

    Going back to your sidewalk analogy, say the items on the unguarded tables were real diamond jewelry, not just the inexpensive items we usually see at sidewalk sales. Who would be shocked to find some missing at the end of the day? What insurance company would continue to cover that business against theft? What manager would continue to employ the clerk who put such valuable material in an unguarded place?

    I think Calpundit's message is aimed more at the leaders at the Judiciary Committee, for allowing this event to be as easy as it apparently was. If we can agree that the choice of security was inadequate, doesn't the incident make clear that security practices need to improve at the Judiciary Committee? And where else?

    Doug

    Posted by: Doug Simpson at March 20, 2004 05:08 PM

    I agree with Doug. Regardless of how the documents came to be, it still shows criminal intent by politicians loyal to money and special interest groups. These same gripers would use it to full effect should they have gotten hold of similar info under the same circumstances.

    Posted by: Daniel Strahan at April 4, 2004 01:30 AM

    These and other issues will be the subject of a short interactive seminar program I'm moderating on June 7 as one of the breakout sessions at the Connecticut Bar Association's annual meeting. We'll have a state and federal prosecuting attorney, an IT Security head for a large insurance company, a senior Intellectual Property attorney and a staff attorney from the ACLU.

    More details soon, after the CBA publishes them at http://www.ctbar.org

    Doug Simpson

    Posted by: Doug Simpson at April 4, 2004 06:30 AM