by geofft 2853 days ago
A little bit of a tangent, but,

> Earlier this month, after five years of organizing, security officers for companies including Facebook, Google, and Genentech, many of whom were making between $12 and $14 an hour, ratified their first union contract. They won wage increases of up to $1.20 per hour, better health care, and, for the first time, paid holidays.

How is this rational? Do Facebook and Google believe they are facing no advanced persistent threats capable of bribing someone who lives in the Bay Area on $12/hour?

5 comments

The sad thing is that while I sort of understand from a business perspective why Google et al don't want to end up with a massive low-skill workforce that isn't directly relevant to their business, the number of security guards you need is directly proportional to your office footprint (i.e. you aren't going to wake up one day and find you've suddenly got more of them than you have tech workers). And I'll say the same for maintenance / custodial staff and food workers. Honestly, just pay all these people a decent wage - the impact on the company's bottom line will be a rounding error.
Those folks do physical security. Aside from access to buildings and stuff they have access to little else, plus they have supervisors and people at the company who supervise them, plus doing weird things will trigger alerts and stuff, so I don't think they can do a lot besides ignoring alarms for an intruder who would not have access to digital assets. Plus, NDAs are pretty powerful tools.

I mean, if a guard lets you in, what are you gonna do, steal a laptop which is encrypted and requires 2FA? The only places which might have richer targets are research and prototyping facilities which I imagine have additional safeguards.

Physical access is always the single most important aspect of your security stance. There is almost no technical safeguard that will stop someone with physical access and time.
I don't think big companies allow employees to have the crown jewels on their co issued devices. They would have to remote into something even they don't have physical security access into.
> They would have to remote into something even they don't have physical security access into.

Which they do from their... "co issued devices". And in the days of keys over passwords being standard practice (but 2FA not yet), pwning a worker's device can be very useful even if all the real targets are on remote servers.

I'd be surprised if any of the big tech cos have not deployed U2F.
You'd be surprised by the number of those USB keys permanently attached to laptops/desktops or left on desks in the offices of the big tech cos. :)
What are 'the crown jewels', in your opinion? Surely (some) source code counts?
Silicon Valley may have figured out 2FA, but only a handful of companies elsewhere got on board.

And unless you're in some government building or a Wall St bank, hard drive encryption is rare.

Get me past the security guard anywhere else on the east coast? And I'll get you anything you need past that.

Bribe a guard, install a hardware keylogger on random workstation, steal corporate login password, and go from there.
And grab any U2F security keys in sight.
A missing U2F key might trigger an audit which could lead to discovery of the keylogger. Better bet would be to get the passwords, and then come back and register a second U2F key to the victim's account.
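A defender-side check for the two paths discussed above (a key going missing, and a second key quietly enrolled on an account that already has one), added here as an example and not something posted in the thread; the event format and the `review_key_changes` function are assumptions, and the audit events are constructed:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events in a hypothetical (ts, user, action) format.
# "key_enroll" = a security key was registered; "key_lost" = user reported a key missing.
SAMPLE_EVENTS = [
    ("2018-05-01T09:00:00", "alice", "key_enroll"),
    ("2018-05-01T09:05:00", "bob",   "key_enroll"),
    ("2018-05-01T09:10:00", "carol", "key_enroll"),
    ("2018-05-01T09:15:00", "dave",  "key_enroll"),
    ("2018-05-03T18:40:00", "alice", "key_enroll"),   # second key, no loss report
    ("2018-05-04T08:15:00", "carol", "key_lost"),
    ("2018-05-04T08:20:00", "carol", "key_enroll"),   # replacement after a reported loss
    ("2018-05-06T22:10:00", "bob",   "key_enroll"),   # second key, no loss report
]

def parse_event(row):
    ts, user, action = row
    return datetime.fromisoformat(ts), user, action

def review_key_changes(events, replacement_window=timedelta(hours=24)):
    """Return {user: reason} for accounts that deserve a human look.

    Flags every loss report (the 'grab the key' path) and any extra key
    enrolled on an account that already holds one (the 'register a second
    key' path), unless a loss was reported within replacement_window
    beforehand, which is what a legitimate replacement looks like.
    """
    enrolled = defaultdict(int)   # keys currently registered per user
    last_loss = {}                # most recent loss report per user
    findings = {}
    for ts, user, action in sorted(parse_event(e) for e in events):
        if action == "key_lost":
            last_loss[user] = ts
            findings.setdefault(user, "key reported missing; check for unexpected enrolments")
        elif action == "key_enroll":
            if enrolled[user] >= 1:
                lost_at = last_loss.get(user)
                if lost_at is None or ts - lost_at > replacement_window:
                    findings[user] = "additional key enrolled without a loss report"
            enrolled[user] += 1
    return findings
```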
What about getting into a data center and causing a service disruption by physically destroying equipment?
Datacenters, from my understanding, are different. They may have hired guards but also have a smaller contingent of actual employees --guarding, doing maintenance, monitoring, upgrading, etc., etc. In addition to rings of security.
The datacentre security is different. They tell you when you sign up for GCP.
Can confirm. Even most Googlers can only go there on pre-approved guided tours, most of the time. And even that isn't common.
Leave a web-connected microphone near Project Zero's desks.
If they can’t do basic physical security correctly, it kind of calls into question their broader approach? For example, I imagine it’s much easier to socially engineer yourself into other access once you're inside the campus than from without.
Even if the security guard is paid $200/hour, it doesn't matter. If someone puts a gun to your head, you're going to comply - nothing is worth your life. This is a large part of the reason why militaries spend much more time on psychological molding of their soldiers, because it's much, much easier to convince somebody to put themselves in the line of fire for Reasons than it is for a paycheck. The kind of security folk who actually are willing to put themselves in the line of fire for a paycheck (mercenaries) simply do not exist in the numbers needed for manning private sector security across the economy, so again, the pay is largely irrelevant.

The real purpose of security guards is to raise the cost of an attack, in terms of the number of people needed to carry out an attack. A larger attack party translates into the jackpot being divided into more payouts, and therefore the jackpot needs to be larger in order to justify the attack, not to mention the increased risks involved with coordinating a larger-scale attack (keeping opsec etc.). One security guard is easily subdued by a lone wolf attacker, or avoided. Multiple teams of roving security guards need much more coordination to subdue or avoid, without raising an alarm.

Even if you are interested in bribing a security guard, again, a single security guard doesn't provide much protection, but the more security guards on each shift, besides the amount of money needed to bribe all of them, each additional guard raises the risk of the bribe being reported and the attack failing.

Precisely because many security guards are needed for effective security, and because new ones are easy to train and easy to hire, security guard wages are relatively low.

Why would they care? Companies never seem to be held accountable for being hacked.
What’s rational is that people are accepting positions at those pay rates. If you don’t want $12 per hour, go somewhere willing to pay more — even fast food pays more than that in the Bay Area. Entry level at Target pays over $15. They don’t need a union, they just need to quit and go work somewhere else. No shortage of jobs in the Bay Area — essentially everyone is hiring right now.

Why should the company be blamed when people keep lining up to work for the wages on offer?

Does anyone buying bananas at Safeway just randomly decide to pay more than the asking price? Of course not. It’s the same with companies.

> They don’t need a union, they just need to quit and go work somewhere else.

Not easy if you live paycheck-to-paycheck, which most such people do. Can't afford the time it takes to find a better-paying job, or more likely, retrain before searching for such a job.

Safeway is a business. Not a human being.

Just because a vulnerable person allows you to take advantage of them, doesn't make it ok.

If you can see that your employees are struggling to survive (and on $15/hr in Silicon Valley, you can about guarantee that they are) it would be in your best interest to give them a raise. But most of all, it's the human thing to do.

We don't have to live in a world where everyone is angling to squeeze every last drop from everyone else.

I take it you have never worked in retail because the difference would be immediately obvious.

Why work at large Bay Area tech:
- Free catered breakfast, lunch and dinner
- Free gourmet coffee
- Free snacks
- Free drinks
- Free company merch: t-shirts, backpacks, jackets, tickets to events, etc.
- Nice offices
- Nice bathrooms

Added value per day = $75+

Why work at Target:
- $3 more per hour

Added value per day = $24 (assuming 8 hour shift)

My question was specifically about the rationality of offering these wages, not about accepting them. Whether or not companies deserve blame for the employees taking jobs with low pay, that wasn't my question at all. My question is whether it makes sense to entrust security to people with low pay.

By your argument, it doesn't; a single well-placed argument from you can have all the security guards from Google tomorrow and someone helpful in every aisle at Target.

And I can't tell you much about bananas but in my first tech job out of college my management sat me in a room one day and said, "We think you're doing a good job so we're going to pay you more." Apparently this is called a "raise" and is not uncommon? There must be some rationality behind it, even though I've never given a so-called "raise" to a banana.

Considering your comments on this point, you seem really annoyed that the bananas formed a union.
Wages set by the free market can be below what is necessary to survive, and it is our job as citizens to ensure public policy exists (and yes, unions) to ensure wage floors that allow people to live with dignity and without chronic stress from the fear of destitution. You don’t have to agree with this sentiment of course, that’s what votes, elections, and the ability to organize are for.
> Wages set by the free market can be below what is necessary to survive

... and this conveys the fact that the work to be done isn't considered valuable enough to support a human life.

Making these kinds of jobs illegal just puts them out of reach of youths and speeds up the perennially vilified yet inevitable process of automation.