Who will buy, our wonderful snake-oil?

February 8, 2014

“I am patient with stupidity but not with those who are proud of it.” — Edith Sitwell

In my previous job, which was online moderation, I did some technical support for a while. I didn’t last long because their naivety and lack of understanding of their basic profession simply astonished me. One of the things we had a huge difference of opinion about was trust. In my mind and experience, if you are going to trust somebody to log in to a client’s accounts with the power of a moderator then you have to have some basic trust in them in the first place. In the three years that I worked for the company this went from being the default position to being a completely foreign concept. By the time I left, the utter contempt that the moderators were held in (and bear in mind that 80% of my job was moderation) actually shocked me.

When they took the conscious decision to stop trusting their moderators and started implementing procedures to deal with this, they also started assuming that this now made them secure. What’s more, they then took this completely naive and false view and used it to implement even more procedures in a similar vein. To cap it all, they then started selling themselves as experts in this field.

“Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.” — Martin Luther King, Jr.

As a former social psychologist I think that Groupthink is one of the things that still fascinates me most about all forms of the security industry (and I include warfare in this too). It’s almost like a purpose-built Petri dish for watching terrible concepts grow to such a size that nobody can see they are based on nonsensical premises, and anybody who dares to question them is immediately mocked.

“Доверяй, но проверяй.” (“Trust, but verify.”) — Ronald Reagan.

Part of the problem I have seen over many years is an obsession with not trusting your own people. I think there is a British/American divide here to a degree, since I remember the big kerfuffle when the Americans discovered that the nuclear missiles on the British submarines were only secured by cheap bicycle locks. The experienced security people I know understand that the initial vetting and ongoing good treatment of staff is much more important than any amount of internal security. If Edward Snowden had really wanted to leak those documents then it’s unlikely that increased security measures would have stopped him. Security may be effective for stopping short-term whimsical abuses but is no substitute at all for trust and respect in stopping long-term ones. The more oppressive and divided you make a work environment and the more obstacles you put in the way, the more you lose the respect of the workforce. In fact, the more inviting you make yourself to exactly the abuses you are attempting to stop.

I saw another moderation company advertise that every keypress their moderators made was monitored in real time by supervisors – I suppose this may be something approaching a solution, but who would want to work for a company that did that? Do they expect to employ happy, competent and experienced professionals?

“To forget one’s purpose is the commonest form of stupidity.” — Friedrich Nietzsche

Back to my original topic – my former employers, who out of politeness I will leave nameless. I will take one example of which they seem to be particularly proud: their secure login system. When I started at the company, they had a system that would allow the moderators to log in to the various clients they worked on with a single icon press. It was nice and convenient and people sometimes used it. It wasn’t compulsory, it wasn’t made for high security, and when it was broken for some reason, the moderators would just ask somebody for the direct login passwords and they would use them instead.

Then they got a new technical/security manager, with no technical background at all and no experience at all in either security or moderation. He had a lot of bright ideas and talked the talk well enough though, it would seem.

They replaced the former login system because the old one was closing down. This wasn’t a bad idea and I still was with them so far. It was a nice convenience to have! But then they made the mistake of assuming this was a secure answer to all their prayers, and this is where their problems started.

For a start, the system they used (Onelogin) was only ever as secure as the people using and managing it, and the person managing it didn’t have a clue what he was doing. Although it is possible to set up secure conduits and exchange passwords securely, this was never considered, to the point where it took about 10 seconds to get a password out of the system. In fact, one of my supervisors asked me to write them a guide to “hacking” Onelogin so they could get the passwords out to give to their team. A copy is available here if you are interested in just how simple it is.

“Stupidity is a talent for misconception.” — Edgar Allan Poe

But that’s just the start of it. As in all good Groupthink scenarios, the problem gets worse and builds on the original misconception. Access to client sites was done via a company proxy, and the Onelogin system was secured so it could only be logged into via this proxy and via the “secure browser” which all the staff now had to use. This could have been well and good, except that the proxy setup was apparently the most unreliable thing in the entire universe. It wasn’t the proxy itself, which had a moderately good uptime; it was the fact that the authentication system was next to useless. When it crashed (which it did, often), the technical manager had to be woken up to restart it. Obviously he didn’t trust anybody else to have access to it. This meant that often enough the proxy was inaccessible for hours and hours at a time. The company was a 24/7 moderation company with some high-profile clients, and still had some project managers who actually cared about them, so what would then happen is that they told the moderators to use another browser without the proxy enabled and gave them the passwords needed to moderate. They were then told not to tell any technical people, because that obviously wasn’t allowed.

So now you have a company that has put a lot of time and effort into creating a system that they are convinced is secure, and a staff base who, being unable to actually do the jobs for which they are paid and relied upon, are finding ways to circumvent all of this simply so that they can work. They aren’t doing this maliciously; they are doing this because the security in place is actually hampering them doing their jobs.

“Only two things are infinite, the universe and human stupidity, and I’m not sure about the former.” — Albert Einstein

One of the best things about all of this is that, now the company has done all of this, being social-media gurus as they are, they are telling the world all about it. They have not only done collaborative videos with Onelogin; they have also now set up a company to tell other people how to spread the misconceptions even further.

So folks – if you ever want to set up a 24/7 moderation company with some very high-profile clients whose sites are constantly under attack by bad folks who thankfully haven’t yet discovered the three completely separate and incredibly easy-to-attack single points of failure which would bring the entire company down with no means at all of switching to any alternatives; if you ever want to completely alienate your workforce so they have no respect or loyalty to you at all any more; and if you ever want anybody with any technical background at all to look at you as though you are a naked emperor on acid, then I know just the advisors for you!