Carry On Leaking: When Corporate Security Goes Really, Really Wrong
I had a nice time being interviewed by The Guardian regarding my disclosure of a password leaked from the Nuclear Regulatory Commission. While the NRC insists that this is a non-issue (and for this particular protected system it was), it exposes a deeper and more fundamental problem regarding how systems are secured in the first place. First, the fact that this one file, and nothing else in that directory, was visible indicates discretionary access controls rather than role-based or mandatory ones: each file carried its own permissions, so a single misconfigured file could be exposed while its neighbours stayed hidden. Furthermore, it shows that this type of problem can lie unsolved for years and affect more systems than people realize.
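The observation above, that one file in an otherwise hidden directory was readable, is the signature of per-file discretionary permissions. The following is an added example (not code from the original post or from the NRC) of a defender-side check that flags files whose world-readable bit disagrees with the rest of their directory. The directory layout and file names in `demo()` are constructed for illustration.

```python
import stat
import tempfile
from collections import Counter
from pathlib import Path


def world_readable(path: Path) -> bool:
    """True if the 'other' read bit is set on the file's mode."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def find_permission_outliers(directory) -> list:
    """Return names of regular files whose world-readable bit differs from the
    majority of files in the same directory.

    Under discretionary access control every file carries its own mode, so a
    single file readable by everyone while its siblings are private is exactly
    the inconsistency that lets one file leak from an otherwise closed directory.
    """
    files = [p for p in Path(directory).iterdir() if p.is_file()]
    if not files:
        return []
    readable = {p.name: world_readable(p) for p in files}
    majority = Counter(readable.values()).most_common(1)[0][0]
    return sorted(name for name, r in readable.items() if r != majority)


def demo() -> list:
    """Build a constructed sample directory (four private files, one left
    world-readable) in a temp location and return the outliers found."""
    d = Path(tempfile.mkdtemp())
    for name in ("a.conf", "b.conf", "c.conf", "d.conf"):
        p = d / name
        p.write_text("private")          # constructed sample content
        p.chmod(0o600)                   # owner read/write only
    leaked = d / "passwords.txt"         # hypothetical file name
    leaked.write_text("constructed sample, not real data")
    leaked.chmod(0o644)                  # world-readable: the odd one out
    return find_permission_outliers(d)


if __name__ == "__main__":
    print("Permission outliers:", demo())
```

Run the check over a web root or configuration directory as a periodic audit; a non-empty result is worth investigating, since a role-based or mandatory policy would normally apply the same rule to every file in the set.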