Don’t Lay Out the Money on the Front Stoop of the Bank
Documents themselves are a source of risk
With Miroslaw Manicki
How is it that a 21-year-old had access to such a treasure-trove of sensitive information? Certainly, young people can move up the ranks fast with qualifications, but why should they have access to wide-ranging information in the first place? Why should anyone?
This is an echo of the Snowden disaster. Few discuss the real question — how is it that such valuable information is left as if it were “on the front stoop of the bank” rather than securely placed in the vault?
This is reflected in a major systems error brought on by a long series of missteps, greed-induced purloining of long-established standards of security and responsibility, and overt moves to convert information systems into means of surveilling and fleecing the masses.
Why would you design a system the provided a young system administrator with the opportunity to ever see the “crown jewels” of the organization, let alone take them? How is it that this could happen? Why does such information exist at all in such a form that it could simply be accessed in any way except under the narrow and explicit conditions and contexts for which it is intended?
To understand how this might happen, let’s go back to the beginnings of the personal computing revolution, where the problem germinated in the first place. In my educational process and early in my career, I witnessed many such early developments. After the first couple of decades of institutional computing, in the 1970s, computing functionality was limited to very large, understandably powerful mainframe computers. They were housed in large, windowed, limited-access rooms. Interaction to them was limited to passing cards and magnetic tapes on reels in and out of the rooms via holes in the wall and such. The workers in the rooms often wore white coats, enhancing a whole ‘sanctity’ effect of the process. A view of the complex process can be seen below, sans the ominous windows between most of the people and the computers.
There was always something of a ‘winner-take-all’ aspect to technology leadership. First was IBM, the king of the road, whose hegemony was softened by Burroughs, Amdahl, and a few other mainframe manufacturers. Then there was Digital Equipment Corporation (DEC) and their minicomputers, working out of the Mill in Maynard, Massachusetts, which I used to run past on my daily regimen one summer. One development from the prolipheration of DEC equipment was that users began to have direct keyboard access to the system, even from outside of the main computer rooms. This would give you immediate feedback, something that could not be obtained with cards or magnetic tape.
Faced with such limitations, people sought a new level of freedom and creativity. They wanted access to computing resources on their own. In the mid-70s, there were some prospects for limited systems in popular electronics and trade magazines. This was enhanced by the work of the Homebrew group in the Bay Area, who were working to break through the traditional barriers, which they did to the point of personal computers that functioned, but were outside of the accepted circle of computing tools until IBM entered the fray. I first learned of spreadsheets in Boston in 1980, newly-available on the little Apple II machine. In the next year or so, I first layed out financial forecasts using a rented machine from a guy in Laguna Beach, California.
IBM tried to participate, but they couldn’t in any meaningful way. I was working on a project with them in Atlanta in 1985 and accidentally used the word “exclusive” in one of our planning documents. That brought a horde of attorneys into the room, each pointing out that they had just extracted themselves from a very testy anti-trust lawsuit with the federal government that disallowed such talk.
IBM had the name and the mandate. Not being able to use it, they signed up with Microsoft to move forward, nonetheless. Bill Gates & Co. was able to eventually extract the mandate from IBM. Coolness, however, emerged in the form of Apple and its graphical Macintosh. I know. I got one of the early ones. As seen below, the personal computer revolution brought a lot of things to light. As can be noted, neither ‘increased context’ nor ‘security’ can be seen among them.
Therein lies the rub. The coolness factor came from the mouse, the graphical images on the screen (which could be printed out nicely) and the famous desktop metaphor. This worked because it converted arcane computer functions to the kinds of things that people would find on their desks. Key among these was the simulated manila folder. You could put your documents in there. You could play with this — putting folders within folders, naming them, and copying them for transmission from machine to machine and ultimately via online means.
In March of 1984, Apple Computer put a full-page advertisement in the Wall Street Journal offering to let anyone take a Macintosh home overnight by simply leaving a credit card with them. The machine in question can be seen below.
I took them up on it; I worked throughout the night on the machine, creating reports with charts and graphs that were not possible before. I bought the machine the next day and never looked back. I was not alone in this.
How was it that this worked? According to Steve Jobs, who had somewhat effortlessly extracted the model from Xerox’s PARC Laboratories in Palo Alto, the graphical interface and the desktop metaphor made personal computing ‘fun’ (Waldrop, 441). It all could be dressed up in color and eventually movement, leading to today’s multimedia extravaganza on devices of all kinds.
At what cost?
With all of the folderol of ubiquitous graphical interfaces, internet connectivity, and complex middleware and database technologies, we are still left with the desktop metaphor. There are documents and there are folders and apart from tepid means of limiting access to them, they are typically available to any snot-nosed system administration with root or administrative access and a desire to rummage through the ‘sandbox’ to see what he or she can find.
Without resolving that problem — and it is clear that many organizations have not — it doesn’t matter so much what efforts are taken to infuse integrity into the people or punish them for their crimes if they do not successfully get away.
There needs to be a more detailed and nuanced way to make use of information in systems. As seen below, there are many factors that must be considered before access to data is provided. Much more care is needed to match outcomes to such detailed factors.
The contemporary document-centered model — a direct result of the desktop metaphor from the personal computer revolution — results in a very murky relationship between access and context and resulting information-gathering. It should be, as seen below, that much greater care should be taken to match specific conditions and personnel with disclosures.
Detail is important; context is critical. If the requirements are not met, no way should any of the crown jewels be made available, as seen below.
The fundamental question exists in this light. Contemporary systems are very messy. In part, this can be attributed to prevalent social media systems, which are designed with the specific purpose of taking and using user data. This function of user surveillance is a form of original sin. Greed is a big factor. How do you sequester and control data when data itself is the fuel for system implementation and justification?
There may be those that say that controlling such functions is not practical, nor even possible. That may be true. Using the tools they use, under the assumptions they work under, this may not be possible.
Perhaps such an effort is not ‘fun’ in the traditional information processing way. I have another story on that front. I once asked a system administrator friend about this. He said there was no such thing as a secure system. I asked him, what if a system was designed with one port — a secure browser access with multimedia capability — with one secure login based on multiple biometric validations, strong encryption, and no other means of access or intrusion. Would that be secure?
He responded, “Yes, but what would be the fun in that?”
Enough said.
References
Waldrop, M. M. 2001. J. C. R. Licklider and the revolution that made computing personal. New York: Penguin Books.