At SEC: Porn Surfing Down, Waste Up, Stunning Disregard For Basic Computer Security

from the 'password'-is-not-a-good-password dept

An internal investigative report of the SEC's Trading and Markets division has recently been reviewed by Reuters. After reading its rundown of the misdeeds and abuses uncovered, I'm left with the urge to laugh maniacally in the manner of someone having just cleared the tipping point and now sliding irretrievably into insanity. The sheer irresponsibility on display here springs from the sort of irredeemable carelessness that comes with spending other people's money (taxes) and operating without any credible oversight or accountability (a large percentage of government entities).

Bess Levin at Dealbreaker points out that while the SEC's internal investigation may have turned up several misdeeds, ranging from the merely stupid to the positively horrendous, it is quite a step up from the insatiable pornhounds that used to populate the Commission:
If you had asked us two years or two months or two days ago if we thought that there would be a time in the near future when Securities and Exchange employees would not be regularly reprimanded for watching porn on their work-issued computers for 98 percent of the workday, we would have said absolutely not. No judgment, but in our professional opinion, people do not go from, among other things:

* Receiving “over 16,000 access denials for Internet websites classified by the Commission’s Internet filter as either “Sex” or “Pornography” in a one-month period”

* Accessing “Internet pornography and downloading pornographic images to his SEC computer during work hours so frequently that, on some days, he spent eight hours accessing Internet pornography…downloading so much pornography to his government computer that he exhausted the available space on the computer hard drive and downloaded pornography to CDs or DVDs that he accumulated in boxes in his office.”

…to living a porn-free existence at l’office.
Truly a mind-boggling set of employees. One regional staff accountant ran into the "no-porn" wall 1,800 times in a two-week period, yet remained undeterred. Those caught accessing porn with ridiculous frequency cited the "stress" of their jobs as the underlying reason for the nearly uninterrupted pornathons.

But this porn-heavy chapter in the SEC's history is now behind them, according to an internal investigative report viewed by Reuters. Moving boldly forward, the SEC has apparently ushered in a new wave of semi-competence, the sort befitting an agency that is entrusted with keeping our financial systems free of corruption. So, how is the New, Improved SEC doing?
Several Securities and Exchange Commission staffers responsible for monitoring the markets and exchanges broadly misused computer equipment to download music and failed to properly safeguard sensitive information, a report has found.
Well, that's one strike for infringement and one strike for not securing sensitive information. "Securing information" seems to be something the SEC's Trading and Markets division is particularly bad at. To say this is ironic would be a colossal understatement, considering the government's current obsession with all things "cyber."
The report also found that the staffers failed to protect their computers and devices from hackers, even as they were urging exchanges and clearing agencies to do just that.

Although no breaches occurred, the staffers left sensitive stock exchange data exposed to potential cyber attacks because they failed to encrypt the devices or even install basic virus protection programs.
The report says the staff may have brought the unprotected laptops to a Black Hat convention where hacking experts discuss the latest trends. They also used them to tap into public wireless networks and brought the devices along with them during exchange inspections.
Considering the amount of sensitive information the SEC has access to, it's stunning that the barest minimum of precautionary measures were never taken. This protection-free era of SEC computing occurred during the same period the SEC was issuing guidelines for public companies to follow when reporting security breaches to investors.

In addition to this complete disregard for basic security, the SEC Trading and Markets Division was handed a blank check to purchase equipment, leading to some unsurprising abuse.
[T]he full report... details an even broader array of problems, from misleading the SEC about the office's need to buy Apple Inc products, to cases in which staffers took iPads and laptops home and used them primarily for pursuits such as personal banking, surfing the Web and downloading music and movies.

Rymer found that the office did not have any planning or oversight into its purchases of computer equipment. From 2006 through 2010, the office got permission to spend $1.8 million on technology devices.
As Levin points out, it's an upgrade from the staff's former pornaholic ways, but this report gives off the impression that staffers have simply found new ways to screw up. Would that this report contained anything truly surprising, but it's more of the same. It's not that all government entities are shot through with bumbling fools and opportunists looking for some power to abuse. Individually, there are plenty of good, hardworking public servants. But as an aggregate, nearly every derogatory cliché of government work (and government employees) can be proven true.

At the very least, I suppose we (the people and the taxpayers) can be grateful that someone is looking into this and, better yet, ushering it out of the darkened hallways of regrettable governance and into the harsh sunlight of public appraisal. But with progress so incremental it barely fits the definition, there's still a long, hard road ahead that will demand the full attention of those tasked with shepherding the (mostly) unwilling herd.


Reader Comments

  1.  
    That Anonymous Coward (profile), Nov 16th, 2012 @ 3:45am

    But but but they are the "Good Guys" (tm) so we need to just smile and nod, knowing they have our best interests at heart.

  2.  
    The eejit (profile), Nov 16th, 2012 @ 4:53am

    New slogan for Apple?

    "Safer than the SEC!"

  3.  
    Anonymous Coward, Nov 16th, 2012 @ 5:06am

    I don't understand why they don't just let them have the porn... A session takes, what, 20 minutes? Then you're done, get back to work. No need for 8-hour marathons trying to defeat their blocking.

    Also, a couple of people spending their whole day being totally unproductive at work is likely waaaaaaay cheaper than data being compromised. This isn't a step up, it's a step down.

  4.  
    Anonymous Coward, Nov 16th, 2012 @ 5:12am

    I note you said there is someone looking at the problem, however is there someone responsible for fixing the problem? ;-P

  5.  
    Lord Binky, Nov 16th, 2012 @ 6:01am

    At least when they were looking up the porn they weren't buying it with SEC funds.

  6.  
    Anonymous Coward, Nov 16th, 2012 @ 7:30am

    No one will ever figure out my password is drowssap

  7.  
    nasch (profile), Nov 16th, 2012 @ 8:29am

    Government

    It's not that all government entities are shot through with bumbling fools and opportunists looking for some power to abuse.

    [citation needed]

  8.  
    iambinarymind (profile), Nov 16th, 2012 @ 8:38am

    Of Course...

    The SEC is an organization that is funded via coercion/theft ("taxation"), so they are paid whether they do a good job or not; meaning they are not exposed to market forces.

    There is no market incentive to keep the data secure and do a good job.

    This is just another of the myriad of examples of why laws against theft should be applied universally, no matter what organization you are a part of/what color clothes you wear/or what euphemism you use to rename theft ("taxation").

    I prefer consensual relationships. Try Voluntaryism instead.

  9.  
    artp (profile), Nov 16th, 2012 @ 8:50am

    I could do that job!

    And I'm disabled. They would have to let me waste half my day reading TechDirt and Groklaw instead of the whole day surfing porn, but I think that I could fill the functional requirements of the job just fine!

    I could even work from home. They obviously don't check on their employees, so that won't be a burden to them.

  10.  
    btr1701 (profile), Nov 16th, 2012 @ 9:34am

    IT

    > Although no breaches occurred, the
    > staffers left sensitive stock exchange
    > data exposed to potential cyber attacks
    > because they failed to encrypt the
    > devices or even install basic virus
    > protection programs.

    Seems to me the problem isn't that these staffers failed to do these things, it's that the SEC apparently has no competent IT department. In my agency, the average employee is not responsible for encryption protocols or installing virus checkers. It's the IT people who do that, and a good thing, too, because some people are so cyber-ignorant that for them just booting up their machine in the morning is a Herculean task.

    If the SEC is relying on its secretaries, file clerks, and admin personnel to implement the agency's IT security, they're even more fundamentally screwed than the article portrays.

  11.  
    RD, Nov 16th, 2012 @ 9:37am

    So where is...

    So where is OutOfTheAverageJoeBob to raise the rallying cry for the heads of the "thieves" of music? Oh that's right, they only jump in and post within the first 5 comments if it's an average person accused. For Govt/BigMedia/Corp/RightsHolders, it's silence or a constant barrage of excuses and hand-waving passes, with plenty of "there must be more to the story" and "this is not the same" and "let's wait to see how it plays out in court" (HA! good one! It only takes the barest *accusation* against a normal person file sharing for them to call for them to be immediately cut off from the net, fined and imprisoned, but when it's their Corporate Masters, it's "benefit of the doubt.")

    When it's not a regular person, they can't bend over fast enough to take the Big Media Shaft and spit out all kinds of tolerance and understanding.

  12.  
    John Fenderson (profile), Nov 16th, 2012 @ 9:46am

    Incompetence

    Those caught accessing porn with ridiculous frequency cited the "stress" of their jobs as the underlying reason for the nearly uninterrupted pornathons.


    Yes, 8 hour pornathons can be incredibly stressful. Pro tip: you don't actually have to masturbate to every picture you see.

    But the porn stats and the security problems are connected. These people were triggering their web filter thousands of times, but none of them thought to google for "web proxy" to circumvent the filter? They just kept running into the wall over and over?

    People with that little amount of problem-solving ability cannot be expected to adhere to even the simplest of security protocols. If I were their managers, I would be reconsidering their employment on the grounds that they just don't appear smart enough for the job.

  13.  
    PT (profile), Nov 16th, 2012 @ 12:26pm

    "One regional staff accountant ran into the "no-porn" wall 1,800 times in a two week period, yet remained still employed."

    There, restated the problem in two words. I doubt if an individual in private industry would get much further than a tenth of that block total before he was asked to step into the boss's office. The problem with government jobs is they're all carrot, no stick.

  14.  
    cosmicrat (profile), Nov 16th, 2012 @ 12:42pm

    Very concerning...

    First of all I have to wonder about how definitions are applied. When the article says "used their work computers to access unauthorized music" I am reminded of a place I used to work at. A lot of us liked to listen to Pandora while we worked, but then the bosses banned that, so then we were listening to "unauthorized" music. (and some people will purposefully obfuscate the meanings of "download" and "obfuscate"). I also wonder how their "porn" filters are actually set up.

    But my main reaction is OMG! This is obviously a bureau with some problems. Now, granted, we need to hire highly intelligent specialists for a job like this, not mindless worker drones, and make no mistakes their job is genuinely stressful, but still WTF!

    Also, to those of you suggesting we should gut the agency because of their inefficiency, that would be a huge mistake. In fact we really need to increase their funding (along with the banking arms of the consumer protection agency, if such a thing exists). You see Reagan and his successors already gutted this agency, and we got unregulated derivatives trading, the financial crisis and the bailout as a result.

    We need more people in the SEC, and we need them to do their jobs.

  15.  
    cosmicrat, Nov 16th, 2012 @ 2:32pm

    Re: Very concerning...

    Oops I meant "some people will purposefully obfuscate (and conflate) the meanings of "download" and "access"".

  16.  
    Loki, Nov 16th, 2012 @ 3:59pm

    Although no breaches occurred, the staffers left sensitive stock exchange data exposed to potential cyber attacks because they failed to encrypt the devices or even install basic virus protection programs.

    "We have no clue about even the most rudimentary security, but we can assure you nobody much more knowledgeable than us hasn't waltzed right in and helped themselves to our data."

    I feel so comforted.

  17.  
    Filters Suck, Nov 17th, 2012 @ 11:58am

    The filtering systems used by government & corporations very often misclassify non-porn sites as porn sites. I've seen one of them, OptiNet, classify the Miami Herald newspaper as a porn site, along with many other well-known daily newspaper websites and large numbers of other obviously non-porn sites. To take the word of a filtering program that what it alleges to be a porn site actually IS a porn site is just ludicrous.

  18.  
    Lianne2012 (profile), Nov 19th, 2012 @ 9:51am

    I guess they need more than just filtering it. It's right that some of the non-porn sites are being filtered, which is very frustrating.

    Better to have 01-SSC-6087 for security purposes.

  19.  
    MHab, Nov 26th, 2012 @ 8:35am

    ah ha!

    this explains the whole fiasco of 2008... SEC employees were too busy watching people getting screwed to see PEOPLE getting screwed