There is no ‘I know what I am doing’ trump card in security

Ever since Edward Snowden revealed details of the NSA’s PRISM program, I had been wanting to write something about it.

While most people in the security community are rather unhappy, if not outraged, about PRISM, a lot of the focus has been on the fact that the NSA is apparently evil.

While this may be true, I don’t think it is relevant. Of course, no one wants to be spied upon by an organisation they consider evil. But what I think is relevant here is that even if the people at the NSA are good and well-meaning, mass surveillance is still very wrong. (As Robert Graham put it: “NSA is wrong, not evil”.)

So, inspired by the Black Hat keynote given by the NSA’s director, Gen. Keith Alexander, I wrote a blog post about it:

We have all been there. To make progress on the product you’re working on, you need some extra permission: a port needs to be opened, or perhaps some files need to be uploaded onto a protected system. You ask the IT department for this permission and, much to your frustration, they won’t give it to you until you’ve explained in full detail why you need it, and even then they will have to check with their management.

“But I know what I’m doing. And my manager says it is fine.”

