Comments

ThaumaTechnicianAugust 24, 2017 7:20 AM

Too often, the wrong people are in charge...

A few days ago, I had to talk to middle manager type who was supposed to 'help' me logging on to a badly-designed website. (Imagine being asked, so as to select the size of no-volume-control video it'll send, to select between a 100Kb/s or 300Kb/s connection.)

MM: OK, so what's your logon password?

Me: Ready? it's 'c6U9WaGZrX19XY'.

MM: What kind of password is that?!

Me: Uh, it's a random, computer-generated, cryptographically secure password.

MM: Hmmph.

Me: (to myself) Uh, did company policy mandate that the only password allowed was 'monkey'?

Jan HAugust 24, 2017 7:23 AM

The headline is slightly misleading though; the systems were not migrated to IBM, they remained in the same datacenter as before. IBM staff, though, or rather sub-contractors to IBM, were however tasked with system, network and database administration with full access rights. And the agency's top-level management not only allowed it to happen, they pushed the transition against the advice of their own information security staff as well as the Swedish security agency.

A SwedeAugust 24, 2017 7:39 AM

In a similar vein the Swedish Fortifikationsverket an agency responsible for all Swedish military facilities has ended up giving thousands of building blueprints to the Chinese. Here's 2 Swedish news articles:

Main story
Confirmation that schematics ended up in China

Summary of the story is that Forifikationsverket wanted to digitalize old blueprints and following the law and having the lowest bidder perform the job they ended up with a small company with a Chinese subcontractor doing all the actual work. From this it appears they didn't place any appropriate demands on subcontractos and who would have access to the blueprints during digitalization, allowing for Chinese subcontractors to have full access to thousands of building blueprints.

Forifikationsverket claims to have taken some minimal countermeasures by scrubbing the the location and purpose of the buildings from the blueprints, but I expect it isn't that hard to piece much of that together from areal maps and the layout of the buildings. Another is that this is only the open and not the secret collection of facilities being affected (öppet & slutet bestånd).

Even if the buildings are in the non-secret (öppet bestånd) most of them are still classified as protected locations (skyddsobject), where it among other things is usually forbidden to take any photos of the location, due to the risk of revealing too much information.

So currently it seems the Swedish government is pretty bad at making sure secret/protected information isn't unduly revealed to foreign parties.

WinterAugust 24, 2017 7:46 AM

The article makes a point of painting the director as the "criminal". However, the underlying defect in the system is that "a" director could supervise and manage such a hoard of sensitive data on her own, without oversight.

But I must admit that on a scale of cluelessness, this must rank very high. Especially the part with sending out secret addresses to marketing people and then point out to them which are the sensitive addresses.

Next question, what did happen elsewhere that we did not hear about?

CaridonAugust 24, 2017 8:40 AM

@Winter.
The Director Is a criminal. She signed documents approving "avsteg från gällande lagstiftning" (roughly "Exemption from current legislation") something she had no right to do. (A director can not magically select to not obey the law )

The interesting bit is that she got of with a administrative fine given out by the prosecutor. This is something that should only be done for routine transgressions where the law has been used a long time. This was the FIRST time this law was applied.

As this fine cannot be overturned if accepted the public will now not see the police documentation in this case.

65535August 24, 2017 8:57 AM

The data was move to the “Cloud” … a vapor type notion in and of itself.

I would guess moving data to large data centers offshore or in some type of “Mirror – RAID” configuration where the owner of the data is not the owner of the hardware is not a smart.

Someone once said actual ownership of items [or possessions] is Nine Tenths of the Law and the other ten percent “we don’t care about” ...which applies to data.

If one doesn’t own or have control of the hardware where said data is stored then so called ownership of the actual data is dubious at best.

If the Danes don’t care about buying the necessary backup hard drives plus facilities and keep control over them I have huge doubts if said data will ever remain secure. Take note all you data backup Techs.

The so-called “Cloud” is not safe at this time. It is only good for storing useless pictures, videos, games and the like.

The Danes should have known better than to trust the “Cloud” for mission critical data [if the story is correct].

This same ownership of back-up hard drives plus facilities and ownership should probably apply to any country or government entity that wants to truly secure their data.

This principal should also apply to individuals and small business who expect to keep their mission critical data secure.

I would assume in the future there will be some extremely “high-tech” encrypted data warehouses with nuclear or bullet proof data centers distributed across the mystical ocean which will actually do that type of secure data storage… a high cost… but not in this current data theft climate.

Store your "critical data" in the "cloud" at your own risk.

keinerAugust 24, 2017 9:47 AM

..if you read "IBM" and "cloud", what could possibly go wrong?

:-D

Just kidding! IBM kicked out the personal to service and maintain the "local server" business, everything should be "cloud". So the one to blame here is IBM. Swedes were naive and "progressive", as usual (proud of "most modern country in the world", what ever that means, e.g. for the health care system or police, where you end up in telephone cue for 20 minutes and then have a police station some 100 km away to "help" you...).

Clive RobinsonAugust 24, 2017 10:21 AM

@ 65535,

The data was move to the “Cloud” … a vapor type notion in and of itself.

Back when SaaS (both storage and software) was first touted, I warned that security was realy at threat, and further prophesied "Security Disasters" would cost mote than any savings...

So far things are inline with my expectations....

The thing is that there are a number of things senior managment see in prefrence to realistic security, as I mentioned a little over a year ago,

https://www.schneier.com/blog/archives/2015/06/should_companie.html#c6698191

There used to be an industry joke of "Whatever the question is... The answer is not MicroSoft". Just substitute "cloud" for "microsoft" to bring it upto date (you could add it after MicroSoft, but then I might be accused of bias ;-)

What a bunch of Swedes!August 24, 2017 11:18 AM

Sweden’s Transport Agency moved all of its data to “the cloud”, apparently unaware that there is no cloud, only somebody else’s computer. In doing so, it exposed and leaked every conceivable top secret database: fighter pilots, SEAL team operators, police suspects, people under witness relocation. Names, photos, and home addresses: the list is just getting started.

Incompetence rather than malice? I don't think so. These people are professionals. They know what they are doing. To even collect this information in the first place and store it in any kind of government database: this is white national socialism, risen again from the ashes of defeat of WWII.

The Fourth Reich.

Det Fjärde Riket.

WaelAugust 24, 2017 11:33 AM

@keiner,

nationwide face recognition. UN-BE-LIEVABLE.

The technology has been used in the U.K. (and other places) for quite some time! They call it AFR.

Expect everyday to be Halloween after country-wide deployment. I reccomend you buy some stocks in one of the mask-making companies.

keinerAugust 24, 2017 11:38 AM

@What a bunch...

Swedes try to erase cash, so you can track and trace everybody even without a mobile phone, by tracking parking, using train/bus etc. using toll roads (bridges and ferries anyway the only way to enter the "island", i.e. 100% surveillance).

All tax data for each and everyone available in the public domain. And: use of streets in Stockholm/Gothenburg is a TAX, so publicly available when you drive into the city.

Really a nightmare for everybody with some brain capacity used for privacy (and not for shopping, buying next boat/car/house...).

JeanAugust 24, 2017 11:50 AM

If this is the same breach, this resulted when IBM moved the data and the management of the servers to another European country. The director may have been fined half a month's paycheck, two ministers already resign for that: Article on CNN.

Chairman MaoAugust 24, 2017 12:05 PM

@65535

The so-called “Cloud” is not safe at this time. It is only good for storing useless pictures, videos, games and the like.

The Danes should have known better than to trust the “Cloud” for mission critical data [if the story is correct].

This same ownership of back-up hard drives plus facilities and ownership should probably apply to any country or government entity that wants to truly secure their data.

If you recall, I spelled out the actions of Obama and his shoplifter-CIO who farmed all USGovt data to Google, Amazon, and Salesforce. And, how that same shoplifter-CIO is now an officer of OUTCOME.COM -- a distributor of healthcare and insurance claims data valued at $5.5billion for an IPO.

LOL

HenningAugust 24, 2017 12:32 PM

As a Swedish Citizen I have been following this incident for some time and first of all, the incident is very serious.
However, the article is misleading and we do not have the full picture (nor will have for quite some time as a lot is classified).

We currently do not know what information was leaked, nor if any was. Most of the alleged leaked in the article are speculations based on what the organisation might have access to and some of it is already debunked (for example we have multiple registers for military vehicles and only some are part of the civilian, which is the one affected).

The problem is that operators (with yet published access-levels or position) without a security clearance got to work with information that needs a security clearance.
We currently do not know what registers or database that the operators in question had access to, if any, or if it was direct or indirect.

Exact which operators or what they had access to is not public. All we know is that the military and security services (SÄPO) was involved from early 2017 (before it went public) and took precautions. The official statement is that it is serious but it has not caused any considerate effect on the military capabilities:
http://www.forsvarsmakten.se/sv/aktuellt/2017/07/ob-ingen-pataglig-paverkan-pa-var-samlade-operativa-formaga/ (Swedish source)

We do not know if these operators that was hired (by IBM or a subcontractor) has leaked or misused anything. We do not know if there are logs of it or what kind of access they had.

Two ministers and one general director have been sacked due to this. The main reason for the ministers to leave was that they had not properly informed the prime minister. The general director was

A full inquiry is currently being performed by the Committee on the Constitution to look how the government have handled the issue, which is currently the main issue in Sweden.
I am not aware of any public reports of what actually happened, but I expect that the Committee of Constitution will put forward a bit more details than what is currently known, once they have investigated.


Also, as a side-note, the incident referenced by "A Swede" above is a non-issue. It was non-classified, public data that was handled and a few newspapers wanted to make a deal of it.

MikeAAugust 24, 2017 12:35 PM

@65535
--
Someone once said actual ownership of items [or possessions] is Nine Tenths of the Law and the other ten percent “we don’t care about” ...which applies to data.
--
I believe the original was "Possession is nine _points_ of the law" (out of an unspecified total number of points), although I agree that it has been quoted as nine _tenths_ since at least the 1950s.
Also, I agree with the gist of:
--
If one doesn’t own or have control of the hardware where said data is stored then so called ownership of the actual data is dubious at best.
--

But I am typing this on a laptop which, if I updated it to the latest, or even oldest supported, O.S. version, I would technically "own" but would not "control".

I'm still wondering how many more years before only computers with hardware/firmware backdoors will be "modern" enough to access the "more secure" (for who?) web.

Before the "Use only Open Source" crowd gets started: Been there, done that. Rant's too long already, but unless you have personally audited every line of whatever distro you are running (and do so with every update), "Many eyes make all bugs shallow" is a statement of faith, not fact.

WaelAugust 24, 2017 12:55 PM

@MikeA, @65535,

I would technically "own" but would not "control".

You would be given the perception that you control it. Still, your control of the device is necessary, but not sufficient. Your control must be complete and execlusive! It doesn't help if there is another entity that "shares" control of your device, especially if their control overrides yours, which is the case on many devices today.

I'm still wondering how many more years before only computers with hardware/firmware backdoors will be "modern" enough to access the "more secure" (for who?) web.

That'll be an interesting discussion. There are several perspectives to this,

Been there, done that. Rant's too long already

Right on!

JorgeAugust 24, 2017 5:01 PM

Breathtaking... between things like this and the refugees Sweden is done, stick a fork in it.

Sancho_PAugust 24, 2017 6:34 PM

@65535 re data in the cloud

Ownership of items [or possessions] says it all: This is thinking in the tangible world.
But “data” is intangible, as are thoughts, both are not in our possession even if we own the hardware (the drive or brain mass).
We may own and secure our back up hard drives, but not the data.
This is a principle we have hard problems with, because we live in the tangible world.

To cite @Clive Robinson: "Paper, paper, never data" - But the issue remains ;-)

65535August 24, 2017 9:50 PM

@ Clive

I hear you.

“…the immediate financial cost and reputational cost get pushed out in time via dull legal claims and court cases that will take years to resolve by which time any sensible senior manager will have pulled the rip cord on their golden parachute and landed in a new company, by being able to claim success even though it will turn out to be a fail in a year or two…”

How true.

I don’t like “Software as a Service.” I would prefer to own both the hardware and the software that my “data” is on. The multiple permeations of data theft: key logging, screen captures and the like are huge, including various combinations of such. The “cloud” as a secure place is not going to happen soon.

The idea of encrypting and storing data on someone’s different server seems too risky to me. Call me old fashioned but sending your sensitive data to some other company’s data center reeks of insecurity – the increasing chances of theft, the increasing cost of storage and so on. I would rather store my encrypted data on a Two Terabyte hard drive then on Google or Microsoft’s servers [Hard drives are no that expensive]. That is my preference. The same goes for SaaS – it got too many holes of phoning home with your data or other points of failure.

@ Chairman Mao

“I spelled out the actions of Obama and his shoplifter-CIO who farmed all USGovt data to Google, Amazon, and Salesforce. And, how that same shoplifter-CIO is now an officer of OUTCOME.COM -- a distributor of healthcare and insurance claims data valued at $5.5billion… LOL”

That sounds like Obama’s CIO wanted to data mine US Government data for his own ends. That is not a good thing for people in that data collection.

@ MikeA

“I'm still wondering how many more years before only computers with hardware/firmware backdoors will be "modern" enough to access the "more secure" (for who?) web.”

From the Danes point of view – not long at all. I would guess the Danes are in a semi-state of shock.

@ Wael

“You would be given the perception that you control it. Still, your control of the device is necessary, but not sufficient. Your control must be complete and execlusive! It doesn't help if there is another entity that "shares" control of your device, especially if their control overrides yours, which is the case on many devices today.”

That is a very important observation. If you have a digital device that you really don’t control you are up the creek without a paddle – so to speak.

@ Sancho_P

I don’t really disagree with thrust of what you are saying. If you are saying we don’t own our own digital work by sending it out to the so called “Cloud” I think you are probably correct. If you have another point then give an exact example.

What a bunch of Swedes!August 24, 2017 10:05 PM

@keiner

... All tax data for each and everyone available in the public domain. And: use of streets in Stockholm/Gothenburg is a TAX, so publicly available when you drive into the city. ...

Yep. They've been told time and time again, and ignorance is no excuse on their part. We are left with malice, and that is all happening in the United States, too.

They talk about the "big-city triangles" or "triads" in Sweden and Finland: Malmö/Göteborg*/Stockholm and Turku/Tampere/Helsinki, respectively.

* "Göteborg" is the correct spelling. "Gothenburg" sounds like you're talking with your mouth full of sushi. Even Helsinki is called "Helsingfors" in Swedish. The southernmost district or county ("län") of Sweden, Skåne, which includes the city of Malmö, is variously called "Scandia" or "Scania" in officially commissioned English translations of Sweden's tourist literature. That's as bad as the Russians with their phonetic transliterations into the Roman alphabet.

What a bunch of Swedes!August 24, 2017 10:19 PM

@2^16-1

I don’t like "Software as a Service."

Well, it's been served to you on a silver platter with a shiny dome over it, the tablecloth spread, real silverware, cloth napkins, candles lit, and would you like a glass of our house wine while you wait for your meal, sir.

WaelAugust 24, 2017 10:20 PM

@65535,

That sounds like Obama’s CIO wanted to data mine US Government data for his own ends.

I hear he's preparing for his next conjob interview! You know that Hawaiian shirt you wear on Fridays? Well, he's looking for it, and now that he has your address, you had better watch your back. It's your worst nightmare: a shoplifter with your address and a list of your clothes collection. You'd better believe it.

Chairman MaoAugust 25, 2017 1:10 AM

@65535

That sounds like Obama’s CIO wanted to data mine US Government data for his own ends. That is not a good thing for people in that data collection.

Don't forget that:

1) Kundra is/was a psych-major (not CS)
2) FBI said he accepts bribes
3) FBI said he accepts kickbacks
4) FBI said he approves fake billings
5) FBI said his accomplices included a birth certificate forger (Acar)
6) FBI also said that his other accomplice had the last name "Awan"

Sad but true.

65535August 25, 2017 3:56 AM

@ What a bunch of Swedes!

“And: use of streets in Stockholm/Gothenburg is a TAX, so publicly available when you drive into the city...”

That’s wonderful. All that information is exposed. Great.

“it's been served to you on a silver platter with a shiny dome over it”

I see it all the time. I see it from spreadsheets to tax software. I wonder who exactly benefits from the Software as a Service. The user or some clever data miner… I stay away from it as much as possible because of the chance it is being MitM’d. I don’t use office 365 or the like. I don’t think I will be using Windows 10 any time soon. I would guess there will be a huge data leak from it in the future which may get people’s attention.

@ Wael

“I hear he's preparing for his next conjob interview!”

What a total Dink. He should be collecting trash for some big city.

@ Chairman Mao

‘Don't forget that:
1) Kundra is/was a psych-major (not CS)
2) FBI said he accepts bribes
3) FBI said he accepts kickbacks
4) FBI said he approves fake billings
5) FBI said his accomplices included a birth certificate forger (Acar)
6) FBI also said that his other accomplice had the last name "Awan"”

The guy should not be in IT at all. He should be a guest of the Federal clanger.

keinerAugust 25, 2017 4:43 AM

@65535

"I would guess there will be a huge data leak from it in the future which may get people’s attention."

No, they will never learn. People get f*cked right between the eyes and make the same mistake the very next moment. Use sh*tty software, vote idi*ts for government, all around the world, 1000 years ago, last year, next year, for every. There is no such thing as progress or things like that. If you take away the jobs, people what n*zis to lead them to doomsday.

keinerAugust 25, 2017 4:50 AM

...need an example:

"Dass der hessische Verfassungsschutz seinen Abschlussbericht zum NSU-Komplex für die Rekordzeit von 120 Jahren gesperrt hat, wertet Ayse Gülec als „Schuldbekenntnis“."

The German secret service blocks publication on the NSU murder for 120 years. 120 years. No joke.

http://www.fr.de/rhein-main/nsu-untersuchungsausschuss-temmes-aussagen-fuer-kassler-initiativen-nicht-nachvollziehbar-a-1338183

And people buy it. Don't ask any questions. Scary, as in the USSR. Or Putin Russia. Or... name it...

vas pupAugust 25, 2017 8:00 AM

@Bruce:"a good example of the dangers of blindly trusting the cloud."

http://www.bbc.com/news/technology-41034618

"The search giant has partnered with the US National Alliance on Mental Illness (NAMI) to roll out the project which is currently only for US users.
Users searching for depression will be prompted to “check if you’re clinically depressed”.
“While this tool can help, it’s important to note that PHQ-9 is not meant to act as a singular tool for diagnosis,” NAMI said.

Google product manager Vidushi Tekriwal said users who fill out the test will not have their answers logged by the company, nor would advertising be targeted to them as a result."

Could trust the statement above? I doubt.

CallMeLateForSupperAugust 25, 2017 12:30 PM

"[...] moved all of its data to “the cloud”, apparently unaware that there is no cloud, only somebody else’s computer."

I've harped on this point ever since "cloud" became a thing, but I worded it a little differently: "Cloud" is just a warm-and-fuzzy metaphor for "somebody else's hard drives".

When I was conversing with friends, I went further: "My two hard drives are really big; for a small fee I would safely store all your backups for you." Never got a taker. Strange.

What a bunch of Swedes!August 25, 2017 12:51 PM

I don’t use office 365 or the like. I don’t think I will be using Windows 10 any time soon.

That's what I do anymore. Dump that shovelware for Fedora when I buy a new computer. Or Ubuntu or one of the BSDs. LaTeX if I'm feeling technically inclined for document preparation, otherwise LibreOffice for a basic office suite.

I don't even bother with Microsoft Access or clones, either. I just go straight to MySQL or better yet, PostgreSQL if I need a database for something. Just about any free webhost will give you access to a basic database if you really want it "in the cloud," and you can almost certainly install phpMyAdmin if they don't have it already.

Point being, there are choices and alternatives when you make that effort to free yourself from vendor lock-in and bondage to the Egyptians.

What a bunch of Swedes!August 25, 2017 12:56 PM

@Wael
You know that Hawaiian shirt you wear on Fridays?

Oh, you mean that "loud" print cotton shirt?

EvilKiruAugust 25, 2017 3:40 PM

@CallMeLateForSupper: "Never got a taker. Strange."

Not strange to me. Most people never do backups. Your offer to be their backup destination just adds another complication to an effort they've either already decided to do without or already have a solution and no desire to make any changes to it.

WaelAugust 25, 2017 4:09 PM

@What a bunch of Swedes!,

Oh, you mean that "loud" print cotton shirt?

That's right! The type of shirt suitable for a scumbag's interview ;)

What a bunch of Swedes!August 25, 2017 4:29 PM

When I say that they've been told time and time again, I mean that, and clearly, even on this forum, they've been told time and time again. Bruce Schneier may aver, "Seems to be incompetence rather than malice," but there is no excuse for such ignorance or incompetence. They have heard, they have seen, they have listened, they have read and learned what we have told them and demonstrated for them, and written out in great detail for them. We are witnesses to their denialism and refusal to acknowledge fundamental truths of computer security, and we only seek such a great standard of proof because it is only at the peril of our own lives that we are able to speak the truth and issue such condemnations over these matters, even from behind a mask of anonymity online.

Is there any praise or thanks due to the CamelCase "BroGrammers?"

No. They never build anything they can't break themselves.

Sancho_PAugust 25, 2017 5:06 PM

@65535

”I don’t really disagree with thrust of what you are saying. If you are saying we don’t own our own digital work by sending it out to the so called “Cloud” I think you are probably correct. If you have another point then give an exact example.”

My point is not focussed on digital work, the cloud or any location, it is very basic.
Intangible means items that are neither here nor there nor anywhere.
You can’t grab them, so in my opinion our traditional thinking regarding possession of objects isn’t adequate.
We can’t own what is not there: We may own the media (physical impressions, ...) but not the meaning behind the “dots” [1].
Law and justice evolve with time + experience, so what we have today only represents the tangible world, and “our” data still is in limbo: Loss of data isn’t punishable or a crime, at best it’s a “sorry”.
Did you never have an e.g. email account simply closed because of “suspicious activity”, no further explanation from their “security team”, no access, not even a chance to regain “your” data? [2]).

”I would rather store my encrypted data on a Two Terabyte hard drive then on Google or Microsoft’s servers [Hard drives are no that expensive]. That is my preference.”

Well, that’s a possibility, but doesn’t (can’t) solve the basic problem.
Examples often do not reflect all aspects, but let me try:
Some days ago I was going back in my Apple’s Time Machine (data on a external USB drive) to check a file version from February. I already saw the file, but then it disappeared, together with the fancy Finder-display, suddenly I was told “can’t access the drive”.
I disconnected the drive, tried again - TM can’t access the drive. Same in Win and Linux, only my Mac’s disk utility can connect, but there is no file system, no data on the drive.
Now I could send it to a professional data recovery service - but the drive was encrypted, so chances would be very low to regain any valuable data (don’t need it, have a second drive).
So what do / can I own, a drive or the data?

[1] This relates to our thoughts: We (may) own the brain, but we do not own our thoughts - We don’t know where they come from, why, where they are or where they go. For sure you already had a great idea when sleeping or at the bathroom. But where did it come from, was it yours?
I don’t believe in any religion, but this keeps me thinking about what we are.

[2] Think of online banking, “No Sir, you don’t have an account with us.”.
Hard time to prove you have (happened to me with a travel insurance).
Good luck to the Swedes when everything is online!

What a bunch of Swedes!August 25, 2017 7:44 PM

Think of online banking, “No Sir, you don’t have an account with us.”

Translation: "Well, if you got your hair cut, you might have an account with us." In other words, it's time to sic the Greeks on these F-ing Swedes.

Loss of data isn’t punishable or a crime, at best it’s a “sorry”... Did you never have an e.g. email account simply closed because of “suspicious activity”, no further explanation from their “security team”, no access, not even a chance to regain “your” data?

Happens not just to data but to tangible and even real property: my car disappeared when the States implemented Torrens registration for ownership of automobiles rather than a legal ownership based on a title and bill of sale. Actually the cops simply confiscated it, parted it out, and fenced the parts, because they thought it wasn't reliable, and it was an eyesore because I might not have driven through the carwash recently, and they just didn't want me driving it on the road, not that I committed a motor vehicle traffic infraction of any sort or anything like that. I mean, dude, this is Michigan. Your car just isn't roadworthy if you don't spend >$20,000 on it, and for chrissake buy a new car, we just can't have those old clunkers rolling on the road.

65535August 25, 2017 9:17 PM

You have a high level of thought here. It is understandable.

“We (may) own the brain, but we do not own our thoughts - We don’t know where they come from, why, where they are or where they go….”

Some phenomena are not understood or well explained to the average Joe/Jane. The list is long and the reasons complex.

https://en.wikipedia.org/wiki/List_of_natural_phenomena

But, in the end there is an explanation. I don’t know if that is what you are trying to express.

Your problem with an encrypted backup on Apple’s Time machines is an example. But, those incremental and proprietary backups by Apple’s time machine have been discussed widely. You many not know the exact reason but there probably is a reason. The backup process is a complex subject.

https://www.macobserver.com/tmo/article/why-apples-time-machine-utterly-fails-user-needs

and

https://en.wikipedia.org/wiki/Time_Machine_(macOS)

“[2] Think of online banking, “No Sir, you don’t have an account with us.”.
Hard time to prove you have (happened to me with a travel insurance).
Good luck to the Swedes when everything is online!”

The above could be anything from a confidence game, a digital error, to a customer’s error. There are some things that are difficult or impossible to explain. And, I somewhat understand your point.

But, working with confidential data on the Cloud is not the most secure way of doing things. The Cloud is a clever confidence game coupled with a semi-secure data center(s). I don’t think the so called "Cloud" was actually designed to be a secure method of storing data – and should be clearly labeled as such.

DroneAugust 26, 2017 9:11 PM

"Massive Government Data Leak in Sweden. Seems to be incompetence rather than malice, but a good example of the dangers of blindly trusting the cloud."

A good example of the dangers of blindly trusting BIG GOVERNMENT.

ATNAugust 29, 2017 5:07 AM

I am not sure the problem is even the exposure of information to anyone who try, the main problem may be the modification (write access) of such information - and it seems to be the first level (trusted) database.
It would mean (for instance) european mafias would be able to register as Sweden-national any and every refugee from non-EU country (for a sizeable amount of cash), full passport, friendly-face recognition, everything.
Obviously everyone working for mafias would get their judiciary records cleaned as part of first "employment contract", or first "yearly bonus".
It would probably mean you can get someone killed by registering some details against that person, so that some security agency would take care of the (unverified/certified by Swede) problem...
Only solution being to roll back database to a stored backup before moving to the cloud and redo every update after verification...

Gunter KönigsmannAugust 30, 2017 1:28 PM

What I wonder is: people without security clearance might have had r/w access to data. People with security clearance had access to the same data, too...

... might show that bad things might have happened without anybody noticing. Which is really bad. Also it shows that the process that ensures security isn't followed which is bad, too.

But would people with security clearance really have been more secure than the ones without?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.