

SEC Employees Bring Laptops w/ "Blueprints of Wall Street" to Black Hat Con. - rpm4321
http://abcnews.go.com/Business/sec-shut-wall-street/story?id=17730628

======
incision
The linked article is so overly dramatic that it was hard to read.

It's an opinion piece written by a guy who's in the business of scaring people
about identity / data theft and such [1].

He's writing about a Reuters story [2] which itself is based on impressions of
a yet-to-be-released SEC report.

Sure, the large point about data security is valid, but don't bother reading
this piece, just jump straight to the Reuters stories [2] or the Huffington
Post summary [3].

1: "Adam Levin is chairman and cofounder of Credit.com and Identity Theft
911."

2: http://www.reuters.com/article/2012/11/09/net-us-sec-cyber-idUSBRE8A804P20121109

http://www.reuters.com/article/2012/11/16/sec-cyber-nyse-idUSL1E8MG95K20121116

http://www.reuters.com/article/2012/11/09/sec-cyber-report-idUSL1E8M9CMI20121109

3: http://www.huffingtonpost.com/2012/11/08/sec-cyber-attacks_n_2096640.html

------
tptacek
I'm one of several people on HN that have experience with this particular area
of technology --- we assess trading exchanges --- and I find this story highly
implausible.

* Modern trading exchanges cannot be broken into simply by knowing "how their computers are linked together".

* Every exchange I know of spends millions every year on software security and has an operations team dedicated to the proposition that they are continuously under attack.

* The interface to a typical trading exchange is a trivial message protocol like FIX which doesn't do much other than allow order entry and management, is authenticated, and is usually wired directly to a dedicated line.

* Exchanges _are_ under attack --- by their own customers, who are actively looking for ways to screw with their endpoints to get the jump on their competitors.

* Modern trading exchanges are just big message-oriented enterprise systems anyways; they aren't nuclear reactors.

* Knowing one exchange is going to tell you virtually nothing about any other exchange. What, the SEC has "the blueprints" for every trading exchange? That's a whole shitload of Visio diagrams if my experience with just a subset of them is an indication.

* Finally, the SEC isn't some kind of trading cyber secret police; they're a slow-moving bureaucratic regulatory agency. I'm sure there is some kind of national emergency management plan for shutting down the markets (like we have during disasters). So what?

I think I basically just call bullshit on this whole story.

------
Robin_Message
But the security should not depend on the plans being kept secret. I mean, in
practical terms, there is some security through obscurity, and possibly such
laptops might contain passwords and things (but then what if they got lost on
a flight or in a cafe?) which would make an attacker's job easier; but the
best security would be if they could hand all the plans over to Black Hat Con
and not take a single hit in their security.

------
Breakthrough
I'm having a tough time understanding what compelled SEC employees to bring a
laptop to such a convention.

"We dodged a bullet this time."

More like the SEC employees tried to fire at us, but missed.

This isn't about policy. This is about common sense. Why wasn't the data
encrypted? Why were the employees allowed to leave the company buildings with
the information? Why didn't they have the common sense to leave them at home
before attending said conference?

And, that being said... You would assume that those attending a hacking
convention would normally be smart enough to know the risks (and _especially_
not to bring an official work laptop). Alas, it's funny and worrisome to see
that Wall Street is being run by people incompetent with technology.

~~~
DanBC
Indeed, common advice to people attending Black Hat conventions is to take a
semi-disposable computer. You install an OS before you go. You reformat when
you get back.

That's perhaps paranoid, but a bit of paranoia isn't harmful in such a
situation.

~~~
raverbashing
And maybe create a honeypot in a VM, just in case.

Have some important-looking documents in an open SMB share, for example (or
put a password on them, for those past Security 101).

Have a 'free' WiFi AP (or maybe one with a simple password), see who tries to
use it, log connections, maybe even try to MITM some popular sites (this may
be illegal).
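Added example, not code from the thread or from any commenter: a minimal bait listener in the spirit of the honeypot VM suggested above. It accepts connections on a port that looks like an SMB share, never serves a file, records one JSON line per attempt (source address, what the client sent first, and whether that looked like an SMB negotiate request), and a second function summarizes the log. Port 445, the log file name and the sample attempts below are assumptions for illustration; run the listener only inside the disposable VM, never on the host, and note that binding port 445 needs root and a guest where nothing real listens there.

```python
# Added example (not from the thread): a bait TCP listener plus a log summarizer.
import json
import socket
import time
from collections import Counter


def record_attempt(src_ip, src_port, dst_port, first_bytes, when=None):
    """Build one JSON log line for a connection attempt.

    Kept free of file I/O so the formatting can be tested in isolation.
    SMB1 negotiate requests carry b"\xffSMB" and SMB2 b"\xfeSMB" right after
    the 4-byte NetBIOS session header, so a real SMB client shows "SMB" inside
    its first eight bytes; an HTTP scanner or a plain port probe does not.
    """
    entry = {
        "ts": when if when is not None else time.time(),
        "src_ip": src_ip,
        "src_port": src_port,
        "dst_port": dst_port,
        "first_bytes": first_bytes.hex(),
        "looks_like_smb": b"SMB" in first_bytes[:8],
    }
    return json.dumps(entry, sort_keys=True)


def summarize(log_lines):
    """Count attempts per source IP and list the sources that actually spoke SMB."""
    per_ip = Counter()
    smb_ips = set()
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        per_ip[entry["src_ip"]] += 1
        if entry["looks_like_smb"]:
            smb_ips.add(entry["src_ip"])
    return {"per_ip": dict(per_ip), "spoke_smb": sorted(smb_ips)}


def serve(bind_addr="0.0.0.0", port=445, log_path="bait.log", max_attempts=None):
    """Accept connections, log each one, and close it without serving anything.

    Assumption: this runs in the throwaway VM with no real SMB service bound.
    max_attempts=None means run until killed; a number makes it stop after
    that many connections, which is handy for a quick local check.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(16)
    seen = 0
    with open(log_path, "a") as log:
        while max_attempts is None or seen < max_attempts:
            conn, (ip, sport) = srv.accept()
            seen += 1
            conn.settimeout(2.0)
            try:
                data = conn.recv(256)  # just enough to classify the client
            except (socket.timeout, OSError):
                data = b""
            finally:
                conn.close()
            log.write(record_attempt(ip, sport, port, data) + "\n")
            log.flush()
    srv.close()


if __name__ == "__main__":
    # Constructed sample attempts (not real captures): two SMB clients from one
    # host and an HTTP scanner from another, summarized without opening a socket.
    sample = [
        record_attempt("10.0.0.5", 51000, 445, b"\x00\x00\x00\x45\xffSMBr", when=1.0),
        record_attempt("10.0.0.5", 51001, 445, b"\x00\x00\x00\x45\xfeSMB@", when=2.0),
        record_attempt("10.0.0.9", 40000, 445, b"GET / HTTP/1.0\r\n", when=3.0),
    ]
    print(summarize(sample))
    # To actually listen: serve(port=445, log_path="bait.log", max_attempts=5)
```

The listener deliberately never completes an SMB negotiation, so nothing on the VM is exposed beyond a TCP accept; the value is in the log, which tells you who on the conference network is probing and whether they are running a real SMB client or a generic scanner.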

------
Zenst
The classic "let's bring secure information to an insecure location/environment"
issue always crops up. Usually funny, usually lamentably stupid.

This fits into the whole group of people who are not hackers attending a
hackers' conference. All trades have their initiation practices; in the
building trade, noobies are asked to go to the store for a long wait/weight,
etc. etc.

Why did the SEC have employees at the event who were not properly trained?
Would you send the head of HR to a financial meeting? No.

Security is an illusion after all at a point in time, and whilst a system is
secure today, tomorrow it may not be, due to some exploit, and with that it was
not exactly secure the day you thought it was secure. With that, the best
security is when you don't need to secure something at all.

The need for laptops with such data in such areas is silly.

Sadly, until somebody invents proximity-based data encryption which only allows
you to access that data at certain locations, whilst not foolproof, it would
help. Take the data outside areas it should not be in, then you can't read it.

Still, people just don't think. Imagine if they had an iPhone or other mobile
with lots of office pictures; that is harmless to many but useful to others,
and with that is data that gets overlooked much more.

------
wildranter
It's an opinion piece based on this article [1] where the author advocates for
making legislation to regulate computer systems security. Very sensationalist,
classic link bait.

However, that worries me anyway. Piracy fighting initiated with pieces like
this, and now we have legislation that threatens our freedom of speech.

[1] http://www.huffingtonpost.com/2012/11/08/sec-cyber-attacks_n_2096640.html

