Yup, I'm still keen on wielding the good-old carefully-selected cc when necessary. People don't grump at you if you don't default to the scattershot approach.
As long as someone in your management chain or the organisation's Security group is included, you're covered. Especially in these days of email journalling and retention, which often means you don't need to keep it physically sitting in your inbox forever. (Although hanging onto that "problem" correspondence is never a bad idea.)
A friend of mine works for Australian Customs, and by far their greatest information source for wrong-doing is disgruntled ex-partners or ex business associates.
So I wonder how many axe-grinders in the guise of whistleblowers will be running off to Cameron Whaleoil now that he has been appointed editor of "Truth".
I'm pretty much nodding along to everything you're saying here. Some of it may be about my not discovering my kinky side until my late 30s, so I may find it a more "defining" thing in future. Being queer - which I've known about for 26 years now - is definitely part of my identity.
I'm selective about who I'm out to in a professional context in the varying ways. I mean, I look like a butch dyke, but if you don't say anything, there seems to be this "plausible deniability" clause that kicks in. Which I use the heck out of in situations (i.e. working in foreign countries, even those as "close" culturally as Oz, or around religious people) where I don't feel very secure.
One job, I was out about the poly thing, but not officially queer. This job, they know about me and my partner, but not about the poly thing. Kink, I don't discuss at all outside of my safe communities - i.e. the queer one (and not all queers - old skool lez-fems are not going to hear about my kink life, and there are untold lesbians who have real disdain for the poly thing) and the kinky one (everything goes there). Certainly not my family, and in fact, quite a number of my older friends haven't heard the kink news.
For kink, I think of it as like discussing my sex life in a specific kind of way- with most people, it's not a topic. I don't think I'd ever talk about the cute bottom I have my monthly play date with (not quite like bridge club). With being queer and polyamorous, some of that can come into general conversation when talking about partners. If I need to be in a position of trusting someone in an intimate way, then the full disclosure has to happen. I am not sure yet if I would require a kinky component in any sexual relationship I have (this is really evolving right now), but partners would have to know about it and accept it, because I go to play parties.And won't be stopping for the foreseeable.
Regarding any remedial works, well, who knows if they'd go the full range of reimaging anything that could have been touched by that account.
Definitely a full password reset regime for any admin/service accounts, and end-users asap. Full server scans for any malware/viruses, full file audit of any file store accessible from the problem account(s) with particular focus on anything potentially executable.
That doesn't solve any backdoors, VM image SAM hacks or other exploits that may have found their way onto the boxes. How much money will they spend? Nuke from orbit, or do the basic remedial actions and cross fingers no nasty surprises will raise their heads later (high-9s likelihood this will be sufficient. Is that enough?)
I can't see how it would be anything to do with the kiosk image. I mean, sure, the fact the USB was unlocked is a concern from a workstation security point of view (viruses, anyone?), but may have been a requirement for other reasons.
The hole will be related to what account is used to run the kiosk, whether that was baked in at installation time or (mis)configured later.
ETA: if they used a domain admin-type account or something over-elevated to join the computer to the domain or similar, which wasn't subsequently changed, that's where the kiosk installation could be relevant. Still an account issue.
Since "successful file access" auditing isn't enabled by default on Windows boxes, I'd say it's extremely likely there is no record of what accounts have accessed which files.
I'm still appalled that these kiosks weren't set up as "kiosk-style" machines, of which there are copious examples around the place, with accounts that are basically "guest" accounts (assuming they need to be in the Windows security domain for other reasons). To compound that with editable file permissions is unbelievable, since a user with access to a share has "read" access by default. Of course, users can be members of groups with greater access, but they have to be put into those groups.
So either someone didn't configure the account(s) properly (which frankly, is the "easy" solution), and they or the person who developed the faulty process should be fired, or a whole bunch of people up the chain signed off on this security breach. And yes, as a lowly techie, I would have kept the arse-covering material that said "do it like this" with authorisations.
As for the ease of how to do this, and to continue the car analogy, the relative skill would be like someone who's comfortable with doing an oil change and oil filter replacement. Basically, not very difficult for someone with slightly extended knowledge of computers on enterprise networks. Possibly even less, because someone could inadvertently bring up that dialogue in Word and start clicking around from curiosity.
I also disagree with the point that someone would have to know what they were looking for to get any use out of this. Copying all those sensitive files to a USB and uploading to Wikileaks or a similar organisation would have been trivial. Or poking around and making edits to files just for "fun".
I buy scented candles AND craft beers. OMG. I would probably make the Moa marketing execs brains implode.
Oh, well, they haven't seen my money since last year, so at least I won't be another customer fuzzying up the issue of lady parts + liking to drink decent beer.
That's exactly it, Morgan.
And thank you, Emma. Ok, they are riding on the 50 Shades of Shite bandwagon, but yeah, keep it in the porn/erotica world, not the mainstream, where it's just - to resurrect a fun phrase - reinforcing the norms of the patriarchy. No, it's not witty and subversive here.
I don't know about the linked blog as a whole, but it quotes the an article by Meurant about his change of heart about some areas of his life, including police culture and actions. http://www.police-corruption.com/nz-warned-regarding-anti-terror-legislation/
In short, people can reflect, and change their views.