The article leaves out whether or not the FBI asked Apple to decrypt the perp's iPhone.
I'm guessing yes.
A rogue IT manager has been sentenced to 30 months in prison after he changed jobs and decided to take revenge on his former employer. From 2007 to March 2012, Nikhil Nilesh Shah, 33, worked at mobile apps developer Smart Online in North Carolina, US. After moving on to another job, Shah accessed his old company's servers …
It's interesting your 'cloud' data are not protected by the very same companies who resist unlocking a phone. Apple too handed over iCloud backups and no one complained. Why should backups not be protected as much as the phone itself? And it's an implicit admission cloud data are accessible by the cloud company. So the iPhone battle is just a marketing stunt to try to sell more. And maybe Apple already breaks in them routinely - secretly - to sell them in places like China.
Never put your rights in the hands of someone moved only by money interests.
Apple handed over the iCloud data to a company owned phone - so the data was not legally Farook's and Apple had no issue about handing over Govt Agency data from a Govt Agency Phone, to another Govt Agency - because that mechanism already exists (Apple says your iCloud data is safe as long as it's legal - it's in their T&Cs)
Farook's iPhone could have had an app installed that would have given the phone's legal owners the ability to prevent him putting in his own passcode to lock the phone as it is now. But they bought the software, but never got round to installing it. This is their fault, not Apple's.
The crack that the FBI require to the 5C does not exist, Apple will have to engineer it - it will still only give the FBI the ability to initiate a brute-force attack on the passcode - they may still not actually ever (in a sensible time) find the passcode and therefore unlock the phone's secure partition.
As has been said many thousands of times - it's not really about the data on the 5C any more - it's about setting a legal precedent so that Apple (and no doubt other manufacturers eventually) can be compelled to do this repeatedly until it becomes necessary to simply install a backdoor into the device.
You should probably read more of the background to the story before making stupid comments - is this why you posted as AC?
I don't know anyone who would remote in after leaving to do it. Do it whilst you are there, set it to go off well after you've left etc.
Employers are typically very bad at handling staff leaving, personally now I work in IT security I'd like admin rights stripped from any staff the moment they hand their resignation in.
> I'd like admin rights stripped from any staff the moment they hand their resignation in.
How would this help? If this is a known policy, then surely a nefarious individual would do all the naughty stuff before handing in their resignation?
(As you said in your first paragraph...)
And most people who leave or resign as opposed to being fired or made redundant are not nasty little shits out for revenge and are likely to remain productive while working out their notice period. After all, they may want references in the future or even to come back at some stage.
I have never worked or met a fellow IT person that would do this utterly stupid stuff, maybe because we all know we would not do well in prison.
Yes, I'd be very popular in prison, which is why I really don't want to go there!
No matter what kind of bad joke company I may be working for, there's nothing they can do to me that I'm going to feel is worth being made to shower with a bunch of men that haven't seen a woman in years or decades, and who've been busy hitting the gym while I've been hitting the burger bar.
Three dumbs and... not quite out: at least he had the sense to plea bargain a relatively short engagement at Club Fed, followed by a decade or more of abject poverty, which he'll be able to savour while walking aimlessly about, or--if he's lucky--from job interview to job interview. Don't do the crime...
Yep, disable is, in my experience, best. Cos then you pretty quickly find which critical services they'd set to run as their own user account. Which can then be fixed properly.
Then someone has the lovely task of sorting all switches, service providers, routers and other kit/services not using centralized authentication.
But I know a lot of places that wouldn't even have a list of what needs changing.
Wait, what? I was always under the impression telcos only ever stored info about the cell you were connected to and that they only triangulate on request? There's a big difference between you being within a certain radius of a cell tower and actually triangulating you to within a few meters...
Your mobile phone always (well, almost - when possible) will maintain connection with many available nearby MBS, because it needs these to take over your active connection when you move (e.g. travel). Hence it is entirely possible to triangulate your position from MBS logs.
It's part of the protocol for GSM et al. To fit the transmissions from the phone into the timeslot properly, the delay (== distance) to the base station must be known. So as long as the phone sees more than one base station, triangulation is essentially always done. However, the telco may not actually store the data, or keep it around for very long.
Also it's worth pointing out that in the inner city cells are often so small that just knowing which one is the closest is enough to put you within a couple of blocks at most. (And that some telcos leak this info to the whole world over the SS7 network. Wonderful times we live in...)
1) disable AD account, (no permitted logins) <evict active sessions>
2) disable (Lock password, expire account) all unix accounts <kill active sessions>
3) change permissions on .ssh/authorized_keys to 744 < handy trick that most security folks DO NOT have in their processes> where the file exists.
Go back through the loop and modify the username details to include appropriate tagging that indicates the account is owned by someone no longer with the company.
and if your VPN isn't attached to AD or a unix account somewhere, *remove* the token generator from the system, and then lock the serial number out.
Oddly I've seen stupid s&&t like this done. Not once, but twice. Both times in our case was HR leaking details to the wrong bodies prior to the action. Both times, offsite tape backups to the rescue.
This just goes to show that Cloud is as light and fluffy as the name.
As for the commentary about the fibbies and the iPhone.
METADATA!!!! They have the cloud backups and they have the metadata. This is a legal move to set a legal precedent, and if Apple wins, it becomes even worse.
You forgot to go through all of your switches, routers, VPN appliances etc. and remove any logins, and/or change the admin password. Oh, and don't forget your physical security, change keys that they've had access to (they could have duplicated them), and change any security codes they may have had.
(and I'm sure I've forgotten some other possible problems as well)
^This just shows it's not as simple as people think to simply lock an ex admin out of systems after they leave.
Unless you have a solid system for managing access, and I'm yet to find one that's perfect, or even close, then you'll most likely never think of everything they could access. Domain accounts, local accounts, could be created by the admin that don't appear related. I can even remember a couple of obscure passwords from service accounts that were randomly generated. They could have easily left this stuff lingering and it'd be tricky to spot.
You have to do something but no guarantee it'd ever be enough.
The amount of places I've worked I could still access is untrue. Luckily for them I'm not as bitter, or stupid as this chap.....
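An added example, not part of the thread or any commenter's own tooling: a Python audit of the Unix side of the offboarding steps above. It checks that each leaver's account is both password-locked and expired, and looks for the lingering access the replies describe by matching a leaver's public key in other accounts' `authorized_keys`. The function names, account names and data are constructed for illustration.

```python
from datetime import date

# Constructed sample data, not taken from any real system.
SHADOW = """\
root:$6$x$h:19000:0:99999:7:::
alice:!$6$x$h:19000:0:99999:7::1:
bob:$6$x$h:19000:0:99999:7:::
svc_backup:*:19000:0:99999:7:::
"""
AUTHORIZED_KEYS = {  # account -> contents of its ~/.ssh/authorized_keys
    "alice": "ssh-ed25519 AAAAC3alicekey alice@laptop\n",
    "bob": "# old laptop\nssh-ed25519 AAAAC3bobkey bob@laptop\n",
    "svc_backup": 'command="/usr/bin/rsync" ssh-ed25519 AAAAC3bobkey backup\n',
    "root": "ssh-ed25519 AAAAC3opskey ops@bastion\n",
}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def key_blobs(text):
    """Base64 key blobs in an authorized_keys file, skipping comments and options."""
    blobs = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields[:-1]):
            if field.startswith(KEY_TYPES):  # blob is the token after the key type
                blobs.add(fields[i + 1])
                break
    return blobs


def audit(shadow, keys, leavers, today):
    """Sorted (account, finding) pairs; a password lock alone may leave key logins open."""
    days = (today - date(1970, 1, 1)).days
    leaver_blobs = set().union(*[key_blobs(keys.get(u, "")) for u in leavers])
    findings = []
    for line in shadow.splitlines():
        name, pw, *rest = line.split(":")
        expire = rest[5] if len(rest) > 5 else ""  # days since epoch, or empty
        if name in leavers:
            if not pw.startswith(("!", "*")):
                findings.append((name, "password not locked"))
            if not (expire.isdigit() and int(expire) <= days):
                findings.append((name, "account not expired"))
        elif key_blobs(keys.get(name, "")) & leaver_blobs:
            findings.append((name, "holds a leaver's public key"))
    return sorted(findings)

print(audit(SHADOW, AUTHORIZED_KEYS, {"alice", "bob"}, date(2024, 1, 1)))
```

On a real host the two inputs would come from `/etc/shadow` and each account's `~/.ssh/authorized_keys`; network kit and services outside central authentication still need their own inventory.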
If this is like most federal prison sentences, he'll be out in about half the sentence time after being given credit for time served during the trial, time reduced for good behavior and time reduced because the prison system needs more space.
The compensation won't happen because, as is obvious, he's got no career ahead of him. Without a big score in Lotto winnings, it's a debt that will never be paid.
So it looks like the sentencing is largely posturing for the justice system. They want the next fool to know what he's in for.
".....but bankers and assorted wall street financiers still haven't paid for what they did in 2008....." LOL! If they had done something illegal then you can bet your pension that Obambi and chums would have rushed to court. They loved blaming the crash on "The Bankers" because it absolved them of all blame for buying votes with their broken sub-prime mortgage policies, starting with the Community Reinvestment Act (https://en.wikipedia.org/wiki/United_States_housing_bubble). But there was nothing illegal in trading in securities, including mortgage debt, and still nothing illegal in doing so even today. So there was plenty of bluster about "criminals on Wall Street" but no desire amongst Obambi's chums to actually take any of them to court and have their policies examined.