
Use of Yammer by VA staff was a major security risk, investigation says - jeo1234
http://www.theguardian.com/us-news/2015/aug/22/veterans-affairs-chat-network-major-security-risk
======
fapjacks
There is another article on the internet describing recent findings at the Los
Angeles VA regional office where "erroneous shredding" of veteran benefit
applications was ubiquitous.

As a veteran using VA services, I beg Americans to raise their own awareness
of the criminal negligence occurring at the VA. Law currently provides that
the VA may not fire or reprimand VA employees based on past performance.
That's right: VA employees cannot be fired for shitty performance (or
"erroneous shredding").

The phrase we use to describe the VA is "delay or deny until they die" and
it's absolutely the truth. A very good friend of mine was murdered by VA
doctors who prescribed him drugs with deadly interaction. His family can't do
anything about it, and those doctors are still working at the VA, prescribing
medications to veterans.

If any government organization needs a complete overhaul, an across-the-board
firing of all employees (and a permaban of all of those employees from ever
working for the government ever again), it's the Department of Veteran
Affairs.

~~~
Asbostos
Can't you use normal healthcare? Soldiers aren't given insurance like other
employees?

~~~
athenot
It wouldn't be free.

Loved or hated, the VA is a large HMO set up as a benefit for veterans to help
them because many of them have had to sacrifice their personal health to
fulfill orders they were given.

Any healthcare system is riddled with anecdotes of failures, but if you look at
it from a population health perspective, as a whole the VA has been able to
care for its patients with a pretty good quality if you consider the cost
constraints they are working with. I'm not aware of any private health system
that's as efficient as the VA.

Also, the VA has had a fair amount of innovation that then trickles down to
the rest of the healthcare systems. One example is BlueButton, a method to
obtain a dump of all your healthcare records as a patient. Eventually CMS
(Medicare) enhanced it and started promoting it for everyone else, under the
spec "BlueButton Plus".

~~~
fapjacks
On what are you basing your opinion about the VA being able to take care of
its patients with "pretty good quality"? Are you a veteran? Have you actually
used VA services? As a former NCO and one of the first in my unit to get out
of the service, I have led about thirty or forty guys through getting
healthcare at various VAs around the country. One of those guys is now _dead_
because of the VA, and the VA is explicitly forbidden from being sued for
murdering patients, or from firing people for making those kinds of deadly
mistakes. My guys wait _months_ for appointments, and people die while waiting
_years_ to see specialists at the VA. Whatever you have read about the VA is
plainly wrong, if it leaves you with the impression that their care is of
"pretty good quality".

~~~
athenot
I am sorry to hear about that wrongful death. Nobody deserves that.

On that topic, the US as a whole ranks 24th in the world in terms of
preventable deaths[1], and we spend twice per capita as the highest-performing
country on the list. Our healthcare has A LONG WAYS TO GO to improve.

Back to the original topic, I'm not speaking from the POV of someone having
experienced the VA care system. I'm speaking from having worked in population
health. Quality is defined by specific measures that compare _in aggregate_
the outcomes of patients given particular co-morbidities. That doesn't make it
perfect, it just means that as a whole, the VA treats people as good or better
than the private system.

As for wait times to see providers, keep in mind that many people on the
private system may be able to see specialists but just can't afford it, so
they never get treated... until it's too late. Part of the quality-based
initiatives is to nudge providers (via reimbursements/penalties) to treat
things while it's early enough, both for the health of patients and cost
reduction—instead of waiting for complications.

[1]
[http://www.oecd.org/officialdocuments/publicdisplaydocumentp...](http://www.oecd.org/officialdocuments/publicdisplaydocumentpdf/?cote=DELSA/HEA/WD/HWP\(2011\)1&docLanguage=En)

~~~
fapjacks
I am genuinely curious: Do you have links to more information about this
aggregated health information? I would like to understand your perspective,
but my prejudice against the VA system is telling me there may be an end-run
around on a technicality, for example does the VA population count _all
veterans_ in their population, even if they have never sought healthcare at
the VA? Does it exclude certain patients that otherwise would negatively
affect the data? I am having a hard time accepting that the VA produces a
population about as healthy (in aggregate or not) as the regular American
population, especially given the conditions largely affecting only combat
veterans (Agent Orange, Gulf War Syndrome, depleted uranium, Project SHAD,
TBI, PTSD, etc), and the number of veterans with these conditions.

~~~
athenot
Unfortunately I don't have the reports handy but one of the things is that they
achieve outcomes similar to private health systems given much less money _per
capita_.

Outcomes do take into account the starting conditions ("comorbidities") so
this doesn't necessarily mean that the actual health of that population is
better than the average population. Because as you pointed out, service people
get a pretty raw deal when it comes to occupational hazards. ;(

Additional info:

RAND analysis about VA and non-VA care --
[http://www.rand.org/blog/2012/08/socialized-or-not-we-can-le...](http://www.rand.org/blog/2012/08/socialized-or-not-we-can-learn-from-the-va.html)

Meta-study commissioned by the VA looking at existing studies comparing
quality of care in VA and out of VA --
[http://www.hsrd.research.va.gov/publications/esp/quality.pdf](http://www.hsrd.research.va.gov/publications/esp/quality.pdf)

~~~
fapjacks
Thank you, these links are very interesting.

------
lokedhs
We were looking at using these kinds of tools, but having your internal
corporate communication hosted on an external site which you have little
control over wasn't really something we wanted to do.

We ended up developing our own system which ended up a bit similar to Slack.
Of interest to the crowd here, the server side is implemented in Common Lisp.
We'll release it as open source as soon as we've cleaned it up a bit.

I have an externally available demo system, but I don't want to reveal the URL
to it publicly right now since it runs on the smallest possible Google Cloud
instance. If anyone is interested in testing it, send a private message to me,
or wait until we release it.

~~~
tedsuo
Just pointing out that none of the security issues written about in the
article appeared to be related to it being an external service. Their problems
seemed to be:

a) no one actively admining the service, in particular removing accounts when
people left.

b) users themselves were communicating things they were not supposed to, like
instructions for circumventing other security procedures.

You can just as easily have these problems with an internal service.

Telling is that the illegal advice VA staff were giving each other had to do
with circumventing other security procedures that were interfering with their
ability to work effectively (like needing to be available via email but not
having access to email on an available device). These are issues all big
organizations face, regardless of whether they are purchasing IT services or
implementing themselves.

~~~
solipsism
_You can just as easily have these problems with an internal service._

Not for the typical definition of " _internal_ ". Typically to reach an
_internal_ service you have to be on the internal network. Removal of an ex-
user's intranet credentials is usually something IT handles well.

------
lo_fye
They didn't set up an admin account and disable ex-employees' access. How is
this Microsoft's fault?

~~~
makomk
The reason they didn't do that is because this wasn't an official VA system
and their employees weren't meant to be using it:
[http://www.militarytimes.com/story/veterans/2015/08/21/conce...](http://www.militarytimes.com/story/veterans/2015/08/21/concerns-va-yammer/32106117/)

Basically, it seems Microsoft designed Yammer so that any employee of any
organisation can start/join a Yammer network for their employer just by using
their work e-mail address. If the employer then wants to actually administer
the internal social network that they've unexpectedly wound up with - for
example, to remove ex-employees - Microsoft charge them a substantial monthly
per-user fee.

~~~
narrowrail
That is how Yammer worked before MS bought it. They didn't change anything
about it (rightly or wrongly).

------
douche
I've also never really figured out what value Yammer, and other similar
products, like Chatter from SalesForce, or IBM's Lotus Connections, was
supposed to provide. As best I can tell, the rationale must have been
something like:

1.) Well, our employees spend a lot of time screwing around on Facebook, so
let's build something that looks almost identical, but that is supposed to be
used for posting status messages about work, instead of BuzzFeed listicles,
baby pictures, and venting!

2.) ?????

3.) PROFIT!!!!

~~~
itaysk
Social network tools were found to be very productive (since people are
familiar with them from home). This caused employees to form work groups on
commercial products like Facebook, WhatsApp, etc... companies want to give
employees those same tools but under the control of the company and with
enhanced governance.

~~~
douche
Having seen a lot of the content that goes through these products, from the
compliance side, I'm not sure that they are particularly "productive." Where
they have any uptake at all (surprisingly rare, for such expensive products,
that require so much work to implement and roll out), it's pretty... meh.

It seems like "social" is a buzzword that is finally starting to lose its
luster, but it was pretty ridiculous for a while - IBM changing the name of
Lotusphere to IBM Connections, all of these business Facebook-clones,
Microsoft spending a boat-load of money on Yammer, then letting it languish,
while building more or less parallel features into SharePoint and Office365.

So much hype about "transforming the way people work" and some truly
disturbing rhetoric about enabling the blurring of personal and work life.
Good riddance.

~~~
a3n
People know how to work. Work gets done despite the lack of these "enabling"
social tools, or even despite their presence.

People like to play around with how to arrange metawork. Managers especially
like this. A lot of it is yak shaving.

~~~
devonkim
The level of productivity in so many megacorporations is so low it's just
plain alarming. I've commented before at work that if this is all I was able
to do in the time I've had at most smaller companies we'd either have gone
bankrupt or I'd have been fired. When something as simple and necessary to do
your job as "I need access to a git repo to fix a defect, here's the patch"
takes weeks or months, you may get some work done but the rate of actual
accomplishments would become basically negative.

Enabling users to get something done while adhering to corporate policies
effectively is a problem I don't believe anyone has solved for the Fortune 500
as a whole. If they did, I assure you that several billion of a market cap
would be a small fraction of their likely valuation. Slack isn't allowed in
most places in the F500 as shadow IT goes, for example, but they hit the
billion dollar club within months practically because they approached chat in
a small manner that Salesforce did. Even a small, tiny win is a billion
dollars across these kinds of companies.

~~~
a3n
> Enabling users to get something done while adhering to corporate policies
> effectively is a problem I don't believe anyone has solved for the Fortune
> 500 as a whole.

Well, they must have figured out how to get _something_ done, to have survived
long enough to get into the Fortune 500. :)

~~~
devonkim
Most big companies primarily grow through acquisitions and just gluing
together innovative efforts and hoping that results in sufficient value after
the attrition common after companies are acquired. If big companies could grow
like start-ups often, we'd have a very different business climate.

It's why big companies are more concerned about losing revenue than growing it
- this is the opposite with start-ups. It's what seems obvious when you're
near your market cap.

------
freshyill
Meanwhile I've had two companies attempt to get employees to try to use this.
If I can/want to deal with coworkers in person, I will. If I can't/don't want
to, I've got real-time tools to do it. Where does this fit in? It's one more
layer of crap to get in between me and getting my work done.

------
cs702
As Randall Munroe has cleverly illustrated, a system is only as secure as its
weakest point: [https://xkcd.com/1200/](https://xkcd.com/1200/)

IT administrators can secure everything under their control really well, but
if a third-party web application used by employees is successfully penetrated,
poof! IT infrastructure is now exposed to threats from the inside. Meanwhile,
the only people who can evaluate and improve the security of that web
application are the people selling the application.

------
astazangasta
My IT department is a menace. In the name of security we have all been forced
into a shitty Juniper VPN with no Linux support, ssh and http access is
curtailed campus wide and we must install some tracking software so IT can
"monitor our patch status".

Whether this improves anything in terms of data breaches I don't know. But as
far as I can see "security" is the literal opposite of freedom and openness.

------
douche
The compliance tools for Yammer are pretty rudimentary. I've actually worked
on a product for automating the Yammer data export, converting the raw data
that it dumps to you (what looks suspiciously like a straight table dump,
converted into an archive of CSV files), and pushing that into various
compliance management systems.

------
mercurial
> When quizzed about how exactly the network was supposed to stay secure
> without oversight, an official whose name is redacted from the document told
> the investigators: “It’s kind of like a self-policing, everybody’s job is to
> be responsible.”

So their security policy was to not have a security policy, essentially.

