LinuxQuestions.org
Old 02-13-2015, 10:20 AM   #1
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3941
"It WAS an Inside Job!" (It's only a short matter of time, folks ...)


Today, one key but very negative part of our industry is emerging front-and-center: data breaches. We should be thinking ahead now as to how this thing, I think "inevitably," will soon play out. The repercussions could easily impact a great many of our comfy jobs.

Right now, we're trying to persuade folks that all of these intrusions are happening because people "from far, far, away, of course" are somehow penetrating all of our corporate defenses to systematically reach deep into multiple protected layers of security, to steal things without being detected. (And, strangely, they seem to know their way around the place ...) We say this, not so much to protect our digital practices, but our employment practices and our management practices.

It is not escaping anyone's attention today that there is a far more plausible and logical explanation: "It Was An Inside Job.™"

Think about it. You probably do know the production database password, and probably do have access to it, even if you're "not supposed to." You know it because you write applications that have to know it. Your employer puts up a good face but it's for show. (Yeah, maybe your company is the exception. Goody for you.)

Likewise: we're eagerly crowing about "The Cloud.™" (Which translates to: "you don't have to care where in the world your data is, as long as electrical power, and staff, is cheap over there.") Think that's gonna keep flying?

Likewise: "any employee from a far-away land where labor's cheaper is just as good as the more-expensive citizens we just laid off." Really? Today it's harder to become a construction worker than it is to be a computer programmer. You have to have a license to install an air conditioning system, or even the wiring and plumbing that connects to it, but you must have nothing to get your hands on terabytes of profoundly sensitive data ... and walk right out the door with it on a thumb drive. And, not only do you have the "means" to commit the crime, you also have the "motive" and the "opportunity."

We created a vision of a perfect worldwide digital Utopia which was Utopian because it didn't have real people in it. We promised everyone that we could secure this Utopia with technology alone. We encouraged them to blab every conceivable personal detail about themselves ... and some of us became quite rich in the process. But the times they are a'changin'. The realization of "the down-side of the Internet," and of predatory employment practices, and of the lack of professional licensure and legally enforceable standards ... is coming home to roost.

We'd better all be ready for that.

Last edited by sundialsvcs; 02-13-2015 at 10:22 AM.
 
Old 02-13-2015, 10:47 AM   #2
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Well said. +1
 
Old 02-13-2015, 12:31 PM   #3
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,225

Rep: Reputation: 5320
I'm getting really tired of seeing this post every month or two.

Last edited by dugan; 02-13-2015 at 01:11 PM.
 
Old 02-13-2015, 02:44 PM   #4
Hungry ghost
Senior Member
 
Registered: Dec 2004
Posts: 1,222

Rep: Reputation: 667
Quote:
Originally Posted by sundialsvcs
"any employee from a far-away land where labor's cheaper is just as good as the more-expensive citizens we just laid off." Really? Today it's harder to become a construction worker than it is to be a computer programmer. You have to have a license to install an air conditioning system, or even the wiring and plumbing that connects to it, but you must have nothing to get your hands on terabytes of profoundly sensitive data ... and walk right out the door with it on a thumb drive. And, not only do you have the "means" to commit the crime, you also have the "motive" and the "opportunity."
Although I don't work in the programming field, I guess that being from a South American country and having worked for a couple of companies located in Europe I qualify as "an employee from a far-away land." In any case, I can assure you I don't have any "motive", even if I had the "opportunity" and "means" (and in both companies I have worked with confidential information). So, I'm not sure what exactly you mean.

Anyway, what makes you think "employees from far-away lands" (as you call them) have motives to commit any crime regarding sensitive data? Or rephrasing my question, what makes you think they are more likely to steal sensitive information than employees from your own country?

Last edited by Hungry ghost; 02-13-2015 at 02:47 PM.
 
Old 02-13-2015, 02:48 PM   #5
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,225

Rep: Reputation: 5320
Quote:
Originally Posted by odiseo77
Although I don't work in the programming field, I guess that being from a South American country and having worked for a couple of companies located in Europe I qualify as "an employee from a far-away land." In any case, I can assure you I don't have any "motive", even if I had the "opportunity" and "means" (and in both companies I have worked with confidential information). So, I'm not sure what exactly you mean.

Anyway, what makes you think "employees from far-away lands" (as you call them) have motives to commit any crime regarding sensitive data? Or rephrasing my question, what makes you think they are more likely to steal sensitive information than employees from your own country?
In earlier posts, he's said explicitly that he views competition from "foreign" workers as a threat to his personal livelihood, and that that is his real motive for scaremongering and demanding protectionist measures such as licensure.

This is one of the posts I was thinking of. There were probably others:

http://www.linuxquestions.org/questi...9/#post5242317

Sundialsvcs, stop posting barely-coded racist screeds about people from India and Bangladesh (both of which are countries that you've again, explicitly named in previous posts) being inherently-dishonest job stealers. That is what every "licensure is coming" post you've ever made here was really about. It's really disappointing to see this crap from someone with such a progressive posting history.

Last edited by dugan; 02-13-2015 at 09:43 PM.
 
Old 02-13-2015, 02:51 PM   #6
Hungry ghost
Senior Member
 
Registered: Dec 2004
Posts: 1,222

Rep: Reputation: 667
Quote:
Originally Posted by dugan
In earlier posts, he's said explicitly that he views competition from "foreign" workers as a threat to his personal livelihood, and that that is his real motive for scaremongering and demanding protectionist measures such as licensure.
I see. I guess that answers my question.
 
Old 02-14-2015, 02:00 PM   #7
LinuxUser42
Member
 
Registered: Nov 2010
Distribution: Lubuntu, Raspbian, Openelec, messing with others.
Posts: 143

Rep: Reputation: 19
Quote:
Originally Posted by dugan
In earlier posts, he's said explicitly that he views competition from "foreign" workers as a threat to his personal livelihood, and that that is his real motive for scaremongering and demanding protectionist measures such as licensure.

This is one of the posts I was thinking of. There were probably others:

http://www.linuxquestions.org/questi...9/#post5242317

Sundialsvcs, stop posting barely-coded racist screeds about people from India and Bangladesh (both of which are countries that you've again, explicitly named in previous posts) being inherently-dishonest job stealers. That is what every "licensure is coming" post you've ever made here was really about. It's really disappointing to see this crap from someone with such a progressive posting history.
So, you're mad he is racist and yet you choose to keep reading his posts, rather than just adding him to your ignore list?
 
Old 02-14-2015, 02:27 PM   #8
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,225

Rep: Reputation: 5320
Quote:
Originally Posted by LinuxUser42
So, you're mad he is racist and yet you choose to keep reading his posts, rather than just adding him to your ignore list?
You have a point.

Last edited by dugan; 02-15-2015 at 10:48 AM.
 
Old 02-15-2015, 03:50 PM   #9
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659

Original Poster
Blog Entries: 4

Rep: Reputation: 3941
"Mad racist?" Uhhh, no.

I am a software consultant ... in the literal sense ... who regularly has to deal with the question of business risk. And I can definitely assure you that this question is coming up a lot.

Some companies are in "regulated industries" (under US Law), where existing regulations such as Sarb-Ox and/or HIPAA are imposing strictures upon data-processing practices and expectations. Others are not ... yet. But I think that everyone sees it coming, now. It's no longer credible to dismiss the growing phenomenon of data insecurity, nor the growing concern of what else might be done with a mass of even "marketing" data (if it has your name on it ...), nor to accept that purely technical strictures (firewalls, VPNs, etc.) are really doing the job.

This data is disappearing, right out from under people's noses, from what are thought to be very securely locked places. The frequency by which this is happening clearly demonstrates that current human practices are insufficient, and that present assessments of business risk (and risk factors) are nonsensical.

Furthermore, it is always possible for "any one honest-man" (in South America or anywhere else "honest people" may be found, which BTW is everywhere ...) to poke his hand up and say, quite truthfully, "but I'm honest!" And thus to dismiss a statement such as mine ... either as "racist" or as "some old-phart who can't keep up and who's worried about losing his job." In any case, to dismiss a statement such as mine.

That, I think, would be a grave mistake. It doesn't really matter whether any particular person is or isn't honest; does or doesn't have self-proclaimed integrity.

In a world of 100,000 "honest men," it only takes one. One weak link, and you can't inspect all the links. That's why security and integrity are business process issues, not just technical ones. It means bluntly assessing the risks, and all potential sources of risk, and then making sure that processes are in place which assuage those risks to a business-acceptable and legal-acceptable degree. Right now, we are busily talking about "crypto," and of how long it might take to break through a cipher system, and, well ... we're still coming up with the self-assessments that "there's really no problem at all," "look at us, we're all honest guys here," and yet, Sony Pictures' equivalent of a Rembrandt painting is gone from just-the-right locked storeroom and none of the alarms went off. Companies are being penetrated every week. Lots of them. It's growing. Fast.

My point is simply that we'd better be looking at this problem in the same way that others now do, and that we must anticipate (and seek to positively influence) what the legislative responses are going to be. This is the headlights of a very rapidly approaching train.
  • We've been living and working in a world-wide, virtually un-regulated industry for a very long time. Now, we're starting to see legislation which talks about "electro-mechanical practices."
  • Every other industry of similar social impact has many regulations concerning the people who are allowed to practice. Very soon, we're going to see regulations that apply directly to us.
  • It is entirely reasonable to presume that practices and strictures which long ago were imposed upon everything from architecture to plumbing will very soon apply to us ... as people. Regulation customarily seeks to re-use known ideas and tested legal principles instead of coining new ones from scratch.
  • Data-processing has managed to call itself "exceptional" for far too long. But we now employ tens of millions of people world-wide and touch every aspect of society, far more so than any other profession. Any other profession!
Right now, people trust us. If we say and if we demonstrate that we can do the exacting technical work, anyone's allowed to do it and, usually, to have (far more than ...) the access needed to do it. We've suggested to the world that "anywhere in the world will be fine," both for our computer-center locations and for our staff, without (for example) considering what set of laws apply. (European? South American?)

If a South American firm were engaged to build a skyscraper in London, or a train that will travel 200 miles per hour and carry hundreds of commuters, then there would be no such questions in that mature engineering discipline, as there are now in our "cavalier-ly immature one."

Honestly, I am trying to start a discussion here ... n-o-t to be "racist," and by-the-by also n-o-t for lack of business (of which I have a'plenty). Perhaps we're not used to having our ways, our professional practices, our strategies and project management questioned, let alone regulated turned end-for-end. But, we'd better be anticipating this. It's not far away.

Last edited by sundialsvcs; 02-15-2015 at 04:00 PM.
 
Old 02-15-2015, 05:27 PM   #10
Randicus Draco Albus
Senior Member
 
Registered: May 2011
Location: Hiding somewhere on planet Earth.
Distribution: No distribution. OpenBSD operating system
Posts: 1,711
Blog Entries: 8

Rep: Reputation: 635
Quote:
Originally Posted by sundialsvcs
Likewise: "any employee from a far-away land where labor's cheaper is just as good as the more-expensive citizens we just laid off." Really? Today it's harder to become a construction worker than it is to be a computer programmer. You have to have a license to install an air conditioning system, or even the wiring and plumbing that connects to it, but you must have nothing to get your hands on terabytes of profoundly sensitive data ... and walk right out the door with it on a thumb drive. And, not only do you have the "means" to commit the crime, you also have the "motive" and the "opportunity."
This paragraph is addressing two separate issues.

1 - Whether or not programmers are licensed has no relevance to who has access to sensitive information. (Although your concern about access control is understood.)

2 - Any employee from a far-away land where labour's cheaper is just as good as the more expensive citizens we just laid off?
Why not? Production costs, including labour, are determined by cost of living. Australians are paid about double what Canadians make. So Australians are richer and better educated than Canadians? Or does it mean taxes are higher in Australia? In places like India and China, taxes are MUCH lower than in Europe and North America. One of the results is much lower wages. Personally, I do see why an Indian is any less capable of working in a call centre than an American or Briton. The low-paid American employee is just as likely to use sensitive information as a low-paid Indian employee (cost of living makes wages relative). The problem, as you have pointed out in several threads, is lack of adequate access control to the data. That situation exists everywhere.

Last edited by Randicus Draco Albus; 02-15-2015 at 05:32 PM.
 
Old 02-15-2015, 07:24 PM   #11
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,225

Rep: Reputation: 5320
I just tried writing a response, but, naah, I had nothing to add for now. (Especially since I'm not going to waste time repeating points here that he's ignored in previous threads).

Last edited by dugan; 02-15-2015 at 08:00 PM.
 
Old 02-15-2015, 08:17 PM   #12
Randicus Draco Albus
Senior Member
 
Registered: May 2011
Location: Hiding somewhere on planet Earth.
Distribution: No distribution. OpenBSD operating system
Posts: 1,711
Blog Entries: 8

Rep: Reputation: 635
His posts may be repetitious, but his concern for the impact unsecured access to personal information will have on society is valid. This thread is a slight departure from his regular theme, but those horrifying predictions are real. It truly is only a matter of time.
 
Old 02-16-2015, 12:23 PM   #13
rtmistler
Moderator
 
Registered: Mar 2011
Location: USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu, Debian
Posts: 9,882
Blog Entries: 13

Rep: Reputation: 4930
I think the main points of discussion are "issues". I do wonder about the level of prospective damage.

Think of the "information" grid as the power grid.

You can have a very large disruption to the power grid, but the grid as a whole can survive it. The memory of the power grid are physical things.

OK the information grid is much, much less physical. But "we" are physical, and further physical are things like "historical data", "distributed data", "simple realities of life".

To make me "disappear" you'd have to systematically search a wide variety of not just databases, but also actual documents. You'd have to attack the IRS, the State of Massachusetts, my banks, my house, and so forth. Not saying that you can't cause some major disruption to the financial system which would cause me great harm, one certainly could. But ultimately, I'd still be physically here. And these presumptions also are about broad scoped damage, not identifiable damage just to one.

Well, that would be something people would notice. We're not talking about stealing the 1/2 cent from everyone's paycheck so that no one would notice. Richard Pryor already did that in a 'B' movie. Instead we're talking that suddenly millions of persons' banking or payroll information was made to be corrupt.

Well, there is some semblance of historical data. I got paid last week, the week before, and for many, many weeks before and therefore given that I say still have my job, even though my company can't suddenly pay me through ADT, the reality is that they normally would. Further, if the company's assets were attacked, a similar thing is that to some large degree, their information could be reconstructed from backed-up information, documents, etc.

I'm just thinking that it's good to have defense in depth, and also what one or more solutions are given these dire problems you speak of. And I came to think of communications, power, and physical services disruption and recovery in disaster areas. The power grid, communications, water, sewer, gas, etc, many of these public utilities have backup plans and alternate routes so that if they lose a main, they may lose an area of service which they have to repair, but they can minimize the damage.

Just thinking that as long as "information" is a key asset, and this seems to be true; it will be attacked. So ... what can you do to fix it?

True, if there's some highly focused attack on one individual by a very powerful entity, government or private billionaire with the intentions to erase a person entirely, then that's bad and a made for TV movie. I don't think that was the focus here, but instead a global concern that all of a sudden, things go poof because of the concept that everything is ephemeral. Well, it is and isn't ephemeral, and there are also backups, many backups, and probably should be more, and done in a more organized fashion.
 
Old 02-16-2015, 05:26 PM   #14
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659

Original Poster
Blog Entries: 4

Rep: Reputation: 3941
Dugan, I do respect you. And, I respect your opinions. I sincerely hope that nothing that I would say here would be dismissed ... by you or by anyone, either as "racist" or as "a rant." I am not attempting to usurp this august forum merely "to vent my spleen." I am not writing here to waste bandwidth, or to earn my place on someone's "ignore list." I am, in fact, "perfectly calm, and extremely concerned."

For example: "Albus, your reply begins: 'why not?'" And my reply to this is: "this is precisely my point." Thus far, we have calmly suggested to the world that "production costs are lower <<there>>," and "all the good folks that I've ever encountered <<there>> are good folks." (And let me be very quick to say that my personal experiences have been the same!) But this is not the full extent of the question. The world upon which we have overlaid this magical computer network is a world of ... humans.

But, even if we set-aside "the international issue" <<pick any two nations ...>>, we still are left with "a crisis of confidence." No matter how many technological buttresses we throw into "the ever-growing and ever-more-obvious 'hole in the dike,'" we just can't keep explaining-away the human element. We just can't keep expecting that the governments of our respective nations ... or the corporations who do business there ... will continue to accept technological answers to what is (plainly ...) (also ...) a very human problem. We're crazy to expect that the laws of our nations will not very soon be regulating us.

If they regulate air-conditioning contractors and low-voltage wiring, you can absolutely expect us to soon be regulating us, and imposing high-dollar financial exposures against which we will be legally required to post bond.
 
Old 02-16-2015, 05:53 PM   #15
Randicus Draco Albus
Senior Member
 
Registered: May 2011
Location: Hiding somewhere on planet Earth.
Distribution: No distribution. OpenBSD operating system
Posts: 1,711
Blog Entries: 8

Rep: Reputation: 635
It is not a question of: should there be regulation?; but, how much regulation should there be? The problem is governments are rarely content to implement reasonable levels of control. The spectre of oppressive control is too great for them to resist.

Should there be common sense regulations regarding access to information? Yes. The difficulty will be preventing (or more accurately, trying to prevent) over-regulation.
Quote:
we just can't keep explaining-away the human element. We just can't keep expecting that the governments of our respective nations ... or the corporations who do business there ... will continue to accept technological answers to what is (plainly ...) (also ...) a very human problem.
Unfortunately, that human element is the root of the problem. Why do employees at many companies have access to information they should not have access to? The fault lies with the people in those companies who should be controlling access. If security is weak, people will take advantage of it. When that happens, the blame is on the people who do not know how to do their jobs (controlling access to their companies' information), not on the low-paid employees. Is ensuring those people are properly trained (certified) part of the answer?

Last edited by Randicus Draco Albus; 02-16-2015 at 05:54 PM.
 
  

