This image is an excerpt from Microsoft senior security strategist Steve Riley's "It's 11:00 PM—Do You Know Where Your Data Is?" presentation at TechEd New Zealand. If you haven't seen Steve present before, this should give you a good idea of his presentation style.

I work for you. You’re paranoid.
You want me to update a document, but you’re terrified I will “steal” the information in that document somehow.
You secured your data against someone copying the contents. You don’t want it printed, so you’ve taken away my printer.
You’ve disabled the CD-Writer and the Floppy Disk drive.
You block USB pen-drives from being installed.
I’ve just taken a photograph of my screen, with your secret document open on the desktop.
Your move.
Unfortunately Steve doesn’t have a solution to this problem, yet.

29 Comments
Koogle
hahah nice post.. paranoid people = stupid
Zack
Once again, I’m slightly perplexed. Can someone explain it to me? Sorry for being such a n00b :$
Zack
Does it mean that no matter how much you secure your system – TPM, EFS, BitLocker, and all these security tools… you can still take a photograph of the document on someone’s screen? *-)
Marco
Of course – but isn't that obvious?
Long Zheng
@Zack: You’re thinking too much into it. This can mean several things. People will always try to get around security. There will always be flaws. Complex security systems can be compromised by primitive technology.
Simon
> Unfortunately Steve doesn’t have a solution to this problem, yet.
You misspelled "Fortunately".
Seriously: does not the fact that no authoritarian government, company, or organization has yet found a way to selectively prevent any and all ability to exchange information contribute to why 1984 *wasn't* like 1984 (Steve Jobs' jab at IBM notwithstanding)? Would you really like to live in a world where governments have the ability to close the analogue hole?
Zim
If you say to a kid "don't touch that", you can be sure he'll try to touch it. It's the same thing with security!
BenN
I believe that some of the more “paranoid” (or companies that really need to keep data secret) prevent cameras being taken into buildings as well. Of course, searching every employee for a camera isn’t a viable option for most companies, and the rise of mobile phones with cameras has made the whole task more difficult anyway.
Marco
@Long
thanks for this funny news
[off topic begins]
Is it possible for you to write a news post about the performance of Windows Server 2008 and the implications of its kernel for Vista? I'd love to read about that. I really wonder if that can improve Vista's performance.
I've tried the Windows Server 2008 June build and I was amazed at how responsive and quick it is. Definitely running better (in my personal opinion) than Vista.
Any chance?
[off topic ends]
Ajeet Khurana
Wasn't it Andy Grove of Intel who wrote a book titled "Only the Paranoid Survive"? Though I agree with the cat-and-mouse game that this screenshot (literally) implies, that is no reason to stop working on security.
Ceesar
Reminds me of when I was working in ASIC design, and we were evaluating a new processor to use in our chip.
The technical sales rep of the company (that I shall call company X) turned up in our office with a Sun workstation with the USB ports blocked off, no serial port, no parallel port, DVD and floppy drive removed, etc., and the case padlocked shut with a steel cable … at which point he proudly proclaimed "we've got to protect our intellectual property, let's see you get information off that machine", with a big smile on his face.
One of my team then piped up – “that’s fine, we’ll just take a digital photo of the source code being displayed on the nice monitor you provided, then run it through optical character recognition”.
The sales rep smile faded. Fast.
Lesson of the day – never EVER throw down a gauntlet like that to an office full of engineers.
Zack
@Long – makes sense now
Thanks!
Leopard
Does anyone here realize that taking a snap of the screen with a camera overrides all security technologies? This includes TPM, BitLocker, EFS, IRS, “Vista Ultimate Security”, etc.
Oops, I nearly forgot that human memory overrides these too.
Jono
Indeed – in fact here in Australia people who work in any government department that require any kind of security clearance (more than you’d think do) have to leave their camera phones at the front desk.
Tomer Chachamu
Very few places have that security and /don’t/ check for cameras.
PL
The technologies mentioned are digital protections in the digital world; they are for protecting documents from being copied and read by those that are not authorized.
Taking a picture does not void these technologies; taking a picture requires you to be physically on location in front of someone's open desktop that is displaying the supposedly protected document.
If someone can gain access that way then you have a whole other problem, and you really need to get some locks for your office, or just put a password on your screensaver and maybe even a security guard for your building.
Although, if they can gain access that way they can just steal your hard drive or the whole computer instead.
JoH
Foo. The issue is trust. And trust is a social issue. Social issues cannot be solved through technology. And as such, interpersonal trust cannot be replaced by technology.
Sure, you can have your employees surveil each other and foster a climate of ultimate distrust, but at what price? And who watches the watchers?
Quintessence: if I do not trust my employee enough to keep NDA information confidential, then I should not trust them with such tasks. Tough call; welcome to real life.
Jon
Email, anyone?
Brice
Just because you're paranoid doesn't mean that someone isn't out to get you! lol
Anoynmous
The human memory issue is the kicker here. Even if you searched people for cameras, or even made sure they didn’t copy information down with a pen and paper, you’re still going to wind up with some guy with a photographic memory.
But even that isn’t the real point. The kind of “secret data” that companies might get into this kind of paranoid tizzy over is usually CREATED by the very people they’re worried about stealing it. It’s not unusual for an NDA or some other terms of employment to require people to waive the rights to IP they create for someone else– but if they are doing the physical/mental work to produce the data, you certainly can’t force them to purge their own memories of their work.
If they make something, they’re probably going to be familiar with it, and there’s nothing anybody can do about that, until memory-erasing rays come on the market. Most projects don’t have the kind of schedule that would require complex development within a single work day, so all a potentially dishonest employee would have to do to “steal” his own work would be to memorize the parameters of the task he was asked to perform, then do duplicate work on it at night and on weekends, on his own machine– where nobody from work can get at it (hopefully).
But the point all the security alarmists miss is that even if somebody does make off with IP and use it for their own purposes…well, that’s what contracts and NDAs are for. The COURTS are there to protect and redress this stuff.
Some guy designs a million-dollar patent that he actually signed away the rights to already because he was making the damn thing for you? Well, fine. Sue him, get the million dollars (plus legal fees) and thank him for saving you the production costs you would have spent making the thing yourself.
Looking at it that way, provided you have kick-ass lawyers, it’d be nothing short of a WINDFALL every time someone steals something.
MedievalNoMore
Quote: “Unfortunately Steve doesn’t have a solution to this problem, yet”….
Come on, we already have built-in cameras on our laptops, therefore we can record every move within their perimeter. And of course, we do this only at times when we are opening highly confidential data, when you want every activity to be recorded/logged…
You will never know the importance of security until somebody screws up your valuable data.
Endgame
If you want to keep secrets, be prepared to go all the way. After the Pharaoh’s engineers finished the pyramids, he had them killed so grave robbers wouldn’t know where to find treasures. Today when the engineer completes the code for a fighter radar or key satellite system, he has a stroke or car wreck or is bludgeoned to death by a junkie wielding a can of spam. Security is easy if you are ruthless enough. If you think that governments and corporations don’t dabble in murder when the situation warrants, think again.
Bob Sherunkle
You work for me, you’re irresponsible.
I want you to update a document, but I want to be sure that you don't mess up and lose your laptop/USB key/floppy like you always do.
I would prefer to know that, even when you somehow manage to mess up looking after sensitive information, it will not find its way into the wrong hands of someone competent. If you printed it out you would probably lose it in the same way you misplace every report I ask for.
I've disabled the CD-Writer, USB pens and the floppy disk drive because it would be stupid to try and protect something from your own stupidity by letting you put it on your iPod or some other small, losable, unencrypted device.
You’ve just taken a photograph of your screen, with our secret document open on the desktop. And posted it on the net. Nice going!
I’ve just taken a box and had all your personal effects left at reception with your Pink Slip.
Move on.
James
That’s just like my school’s computers (Mt. Roskill Grammar School, Auckland, New Zealand)
Harry Barracuda
Hell, with the technology available today, who needs a photo of the screen? Unless its emissions are controlled, they can be read and reproduced from the office car park…..
Ajeet
This only proves that security can be bypassed. That goes against the spirit of respecting security.
Justin
Uh, you guys are looking into this from the normal end user perspective.
Yeah, there are reasons that the IT department locks down the company's computers. One of the biggest reasons is because the general end user is a total moron who uses the company machine for their own personal use. When this happens, they go to websites that infect their machines with crap like WinAntivirusPro; they install software that loads more software and don't have the common sense to uncheck "install Yahoo bar", "install Google bar", install this and that.
The reason that machines are locked down is because the general user lacks any and all common sense to actually protect their data. I could give two cacas about users taking pictures of their screens, big deal. They cannot be trusted with their machines. Plain and simple.
Fredro
Justin you’re not seeing the point. It is the fact that no matter what you do to protect a confidential document from being copied or stored, a simple picture will bypass all of those security measures for copying.
Hivemind
The point is here that ONCE you give access to a document or some information to someone then they can, if they wish, completely copy it.
However, this voids no existing security measures, which prevent UNTRUSTED people getting access to the information in the first place. As soon as you share trusted info with an untrusted party you have a security breach, this is obvious.
Paranoia 101 « The Enigm@ Chronicles
[...] 30th, 2007 at 3:58 pm (Humour) Picked up from IStartedSomething – great blog on Microsoft from Down Under [...]
Das Leben und Ich - Datensicherheit - Paranoia
[...] Just found this. [...]