His name is Steven Barnes, and he’s going to jail.
Techworld reported on Election Day that Barnes, a former IT manager for a California Internet media company, had been sentenced to a year and a day in prison, to be followed by three years' probation – not to mention over $50,000 in restitution. On Jan. 8, Barnes will report to prison … where he will begin the rest of his life. That life will be forever divided in his mind and the minds of his peers as before and after his life-altering crime.
What did Barnes do to throw away his career and his future prospects? According to the Techworld report, several months after the company fired him, he tried his old login and was astounded to discover it was still valid. He then damaged the company’s e-mail system, deleting some files and otherwise rendering it inoperable. The real damage, however, he did by configuring the company’s e-mail system as an open relay.
According to Whatis.com, an open relay (also called a third-party relay or an insecure relay) is an e-mail server that, in allowing a third party to relay mail through it, “makes it possible for an unscrupulous sender to route large volumes of spam” by “processing mail that is neither for nor from a local user.” In other words, Barnes threw open the virtual doors of his former employer’s e-mail server, allowing spammers elsewhere on the Web to funnel their advertisements for penis-enlargement pills and stock scams and whatever else through that server. The company was subsequently “blacklisted” by at least one anti-spam watchdog group, because for all intents and purposes, it had become a spammer. It is not uncommon for hackers to break into e-mail servers for this purpose, victimizing the organizations penetrated. In this case, however, Barnes invited the security breach – the Internet equivalent of dropping the drawbridge leading inside a fortress surrounded by barbarian hordes.
While Steven Barnes blamed everyone for his crimes but himself – it was to his “complete disbelief” that his old password had not been changed – his claim that he was suffering from various substance addictions when he perpetrated his crime did not save him from a prison sentence. His sad tale of self-destruction, however, highlights a fundamental issue of technology and security that actually has nothing to do with the hardware involved.
Basic IT security policy concerning former employees should dictate, of course, that a Steven Barnes who has been let go for cause should not be allowed access to the network from the moment he has been told he is fired. I’ve personally worked in a high-tech environment where I gave two weeks’ notice to take another job – and was graciously shown the door immediately, while being told I would be paid for those two weeks, thank you very much. The reason for my sudden egress was simple: an employee who had announced his intention to leave the company was deemed a security risk, and therefore was not to have access to the company network. I’m quite certain that any passwords, keycards and other means of access I had to that building and its computers were changed that same day, and for good reason. This is entirely expected and simply good IT policy (though at the time I do remember standing in my parking lot with my freshly written final paycheck and my box of personal effects, wondering exactly what had happened).
Barnes was quoted by Techworld as saying he was surprised to find “no firewall” in place when he used his old password. How such a firewall would have stopped him from opening the company’s e-mail server is unclear, as he could simply have disabled such protection once inside the formerly secured network. The security issue here, then, is not the software or hardware run by the company to protect itself. It is not that the passwords used simply weren’t “strong” enough. It is not that something crashed, or ran inefficiently, or did not operate as it was configured to operate. It was not even that the company was vulnerable to a motivated, knowledgeable hacker who broke in using extralegal and hostile means. No, the company simply trusted too much. In failing to consider the possibility of deliberate hostile action by a former employee, the California-based firm in question missed the most obvious IT security exploit of all: a single human being.
Technology is not magic. It cannot think for you, no matter how advanced it is. It cannot make you smarter. Technology is a tool, a means to good or to ill based only on the intentions of the user. There is no panacea, no global solution, to make technology safer or to secure the average network. By this I am saying that there is no technological means to remove the human element from the equation. Human beings will always be the measure and the method whereby any network, any piece of IT infrastructure and any technological endeavor succeeds or fails. Just as we regularly virus-scan a home computer, just as we do not operate on the Internet without some sort of firewall to protect the network being used, and just as we use strong passwords to guard our accounts, we must regularly and routinely be suspicious of any human being who has access to any point within or connected to our network. Each and every one of those human beings is a point of failure, a moving part that, at least potentially, may introduce catastrophic loss of function to the technological whole.
We can never be machines, and we will never be perfect. This must, therefore, be taken into consideration whenever we consider network security and IT infrastructure. The watchwords are no longer “Trust, but verify.” They are now, “Trust no one, and remain vigilant.” Human nature is an IT security exploit. It can never be otherwise.