• United States




Security and small thermal exhaust ports

Mar 28, 20164 mins
Cloud SecurityCybercrimeData Breach

I have always marvelled at the inability of the Empire and later the First Order to build a evil death machine without a simple exposure causing them issue. You would have thought that they would have reviewed the data after the first time the Death Star was blown up. Surely they had offsite backups they could look at, no? But, when we see the (spoiler alert…but really, if you have not seen if by now) First Order roll out their weapon called the Starkiller Base.

Now, let’s be clear about this one. By the time the First Order goose stepped their way on to the big screen they had been through two, count them, two Death Star explosions. Both times a small vulnerability was discovered and taken advantage of. Now, surely this would not be the case again in the third iteration of the gratuitously oversized weapons category.

This time, they didn’t have a thermal exhaust port. Nope. Checked that box on the compliance checklist. This time they had a thermal oscillator. Totally different.

While I’m having fun with this I cannot help but, to see the parallels in our everyday lives. Time and again we read about a data breach that could have been prevented. So what can be done to repair these issues? What is the best way forward?

Welp, let me tell you what the legislators in Florida thought was a good idea. They decided that they would vote into effect SB 624 (.pdf), or as I call it, “Nyah nyah nyah I can’t hear you” law which was passed allowing the government to hide security audits and breaches from their management…the voters.

You heard me.

From Statescoop:

Gov. Rick Scott signed S.B. 624 Friday, following months of negotiation. The legislation, which was sponsored by state Sen. Alan Hays, creates a new exemption in the state’s public records law to let agencies withhold information about network breaches and security audits.

Florida’s Agency for State Technology worked with Hays to craft the bill and introduce it in October, and it passed the Legislature earlier this month.

This is just asinine. I thumbed though my thesaurus this morning and I just could not find a word that is more succinct than that. Florida actually signed into law a measure that will keep cyber security breaches, a secret.

From S.B. 624:

Information held by a state agency relating to the detection, investigation, or response to any suspected or confirmed security incidents, including suspected or confirmed breaches, which, if disclosed, could facilitate the unauthorized access to or the unauthorized modification, disclosure, or destruction of data or information technology resources is confidential and exempt from s. 119.07(1) and s. 24(a), Art. I of the State Constitution

The part of this that they may be having a problem is that the government answers to their voters. Not sure that I would want to have my information breached and being traded in underground forums only to have the government say, “Sorry, that’s secret.”

The part that Florida legislators missed in passing this law is that they get all of the free penetration tests they want. Problem is that when they attackers gain access you can imagine that they will not be worrying about that law. They’ll post data all over the tubes of the Internet.

While the Empire and the First Order failed to learn the lessons of thermal exhaust ports one would hope that here in the desert of the real world that people might apply a little common sense. Address the problems and don’t wrap them in a veil of secrecy. Thermal exhaust ports have a way of showing up at the most inopportune times. 


Dave Lewis has over two decades of industry experience. He has extensive experience in IT security operations and management. Currently, Dave is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and co-host of the Liquidmatrix podcast.

The opinions expressed in this blog are those of Dave Lewis and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author