by dannysu
3118 days ago
Hi Bron, thank you for this response. Much clearer and I think this is what everyone wanted to see. Can I just clarify some things for peace of mind?
1) When you say regular support staff cannot alter security-sensitive details, how is that done? Do they only perform changes through a limited set of UI?
2) When you say if 2FA is enabled it goes to senior security team, is that an automated process such that support staff don't see that ticket at all? The support ticket interface doesn't seem to have anything that helps to automatically route password reset requests.
3) Was the security incident involving ghouse through support tickets?
4) Do the senior security team have direct data access? i.e. do they also change things through a UI or do they have capability to directly change data?
Thanks
1) The UI given to support staff doesn't have the ability to update security credentials for users because they no longer have the "can update security credentials" role like they did in 2016. I don't even have it any more.
2) Front line support still see all the tickets first, and they route them as appropriate. Sure, this takes longer; we don't have 24 hour coverage of senior security staff (not entirely true, we have 24 hour coverage for emergencies. Somebody forgetting their password is not an emergency in this context).
3) The security incident involving ghouse was entirely via support tickets. His description was accurate: front line support sent the pro-forma "we need a bunch of these details", got back some pretty half-arsed details that didn't meet the bar of what was supposed to be provided, and helpfully made the change despite our policy. The helpfulness of humans is a major bug with any security system, and this particular human tried to be too helpful.
4) The senior security team also use a UI. Operationally, they all have the ability to write code that directly changes things under the hood, but that code also has an audit trail and goes through review. It's always quicker and easier to use the UI, so that's what they do.
The UI is not just available to those three people, it's also available to anybody who has a multi-user account and needs to administer their own users. It's still a standard part of our system, just restricted in who can use it at an "any arbitrary Fastmail customer" level.