[893helios]

This is a total nightmare scenario for a lot of organizations, and is quiet doable for a lot of systems. Specifically on the router side (thanks Cisco) I haven't seen a lot of controls that would stop this. Network Engineers need full access to get things done in a timely fashion, and the limitations of control in TACACS. Recover from insider attacks of this nature are all based on how much to drill to recover from this style of attack.

[brianwawok]

Someone has to have root at some level right?

So why is the router attack any worse than a "Delete exchange server + all backups" command, or the "use ansible to remote format entire server farm in 1 click" command?

You have to trust employees at some level. If people know that doing things like this will equal jailtime, I would assume that would stop most people.

Now think if this employee lived in Russia and did this remote. What would the recourse be?

[jon-wood]

At the scale of companies like this one it should be physically impossible to bring down a critical server and all its backups. That's what offsite backups, preferably on write only media are for.

[zeveb]

> Someone has to have root at some level right?

In Unix, yes, but there have been systems without a single ultimately-privileged user.

One could imagine a system in which ultimate authority belongs to a 51% share of stockholders, whose keys delegate authority to the board of directors, who delegate authority to the CEO or CTO, who delegates authority on down the line. Each certifying party could revoke (or allow to expire) authority prior to firing a delegee.

> If people know that doing things like this will equal jailtime, I would assume that would stop most people.

What I want to know is how people grow to physical adulthood without realising that this is wrong. One simply doesn't destroy others' property.

[kbenson]

For the same reason that people still do things knowing they result in jail time, people will still do things knowing they are wrong. There's probably a few root causes for actions like that (rage, hopelessness, greed, etc), with different levels of how much each one plays in the decision.

In the end, society only functions because the vast majority of people think they are better off following the norms set by that society. When they no longer think this because of emotional tunnel vision or a real lack of hope, whether it be real or imagined, or pervasive or lasting just long enough, their actions are no longer predictable as a rational member of society. Unfortunately, that means in some cases, it doesn't matter what the consequences are, there will still be the occasional incident.

[brianwawok]

Okay so a deploy to prod should be able to require a stockholder voter? This sounds like a Utopian paradise not the realities of IT in 2016.

[zeveb]

> Okay so a deploy to prod should be able to require a stockholder voter?

Well, every deploy to production in any company is the result of a shareholder vote — it's just made obvious.

By using delegation and certificates, an employee who is delegated authority to deploy to production can do so without requiring a majority of shareholders to actually vote on that particular deploy.

That's pretty awesome.

> This sounds like a Utopian paradise not the realities of IT in 2016.

We've had the ability to do this for almost twenty years: it was made possible by RFCs 2692 & 2693 in 1999. The necessary processing could be performed in a split second.

[zzzcpan]

The system able to do that will have to be designed by someone and maintained by someone, because it cannot just appear out of thin air, work perfectly and never have bugs. So, ultimately there will be someones with enough power to change the way every single thing in the system operates and therefore enough power to destroy the system.

[brianwawok]

Agreed, it sounds like he shifted the blow up the world key from Engineers to a Board president.

Which is fine, but seems like a roundabout way to do it.

[PeterisP]

"Someone has to have root" is not entirely true - you can easily have root accounts on key systems accessible only by requiring two separate authentication tokens, and have them be held by separate people. Sure, it's inconvenient, makes changes slower and requires more people and thus is more expensive, but that does prevent any single person from doing too much damage.