

An Ambassador Who Worked from a Nairobi Bathroom to Avoid State Dept. IT - AndrewKemendo
http://arstechnica.com/information-technology/2015/03/the-ambassador-who-worked-from-nairobi-bathroom-to-avoid-state-dept-it/

======
vezycash
The real lesson missed by the author is much simpler.

Security software and networks should be easy to use. If not, normal human
beings would not use them. They'll rather use an "insecure" but easy to use
software.

This is the reason pgp and it's equivalent have languished in obscurity.

~~~
kh_hk
If you see a diplomat as a passive subject then I do agree. It's in human
behavior to bypass complex procedures just to get the task done.

But if you can't expect an US diplomat to follow his country regulations and
security requirements, maybe he is not qualified for the task.

~~~
CHY872
I don't think that holds much water. Users obviously have some concern for
security, but you can't expect them to care as much as the security people.
Furthermore, that goodwill only gets you so far - they have their own jobs,
which are unconnected to security.

He's obviously far beyond what's acceptable, but if he finds doing his job
difficult because of poor IT, it's exactly what you'd expect.

If requirements are far too onerous, you expect people to work around them.

~~~
kh_hk
I do agree in most of what's been said. Poor knowledge, an understaffed IT
department and no support from Washington sounds like a recipe for disaster,
even more if the guy just wanted to get his job done.

Do note however that being a diplomat is hardly unconnected to security. I
would root for anyone that goes against procedures because they know better.

------
na85
It's telling that the US embassies and State dept. are using Microsoft
products. Aged ones.

Shows that they must not really handle any particularly sensitive information.

~~~
CHY872
Microsoft's desktop software only gained a reputation for insecurity because
until relatively recently (early 2000s), the rational move for them was to not
secure it. Their software designed for governments etc - that doesn't have the
same motivations. Also, you'd expect the classified stuff to run on an
airgapped network (or equivalent), so that there's no real attack vector
anyway.

~~~
na85
Well, stuxnet showed us that the vector is real and does exist.

