by mc32 2853 days ago
Those folks do physical security. Aside from access to buildings and stuff, they have access to little else, plus they have supervisors and people at the company who supervise them, plus doing weird things will trigger alerts and stuff, so I don't think they can do a lot besides ignore alarms for an intruder who would not have access to digital assets. Plus, NDAs are pretty powerful tools.

I mean, if a guard lets you in, what are you gonna do, steal a laptop which is encrypted and requires 2FA? The only places which might have richer targets are research and prototyping facilities which I imagine have additional safeguards.

6 comments

Physical access is always the single most important aspect of your security stance. There is almost no technical safeguard that will stop someone with physical access and time.
I don't think big companies allow employees to have the crown jewels on their co issued devices. They would have to remote into something even they don't have physical security access into.
> They would have to remote into something even they don't have physical security access into.

Which they do from their... "co issued devices". And in the days of keys over passwords being standard practice (but 2FA not yet), pwning a worker's device can be very useful even if all the real targets are on remote servers.

I'd be surprised if any of the big tech cos have not deployed U2F.
You'd be surprised by the number of those USB keys permanently attached to laptops/desktops or left on desks in the offices of the big tech cos. :)
What are 'the crown jewels', in your opinion? Surely (some) source code counts?
Silicon Valley may have figured out 2FA, but only a handful of companies elsewhere got on board.

And unless you're in some government building or a Wall St bank, hard drive encryption is rare.

Get me past the security guard anywhere else on the east coast? And I'll get you anything you need past that.

Bribe a guard, install a hardware keylogger on a random workstation, steal a corporate login password, and go from there.
And grab any U2F security keys in sight.
A missing U2F key might trigger an audit which could lead to discovery of the keylogger. A better bet would be to get the passwords, and then come back and register a second U2F key to the victim's account.
What about getting into a data center and causing a service disruption by physically destroying equipment?
Datacenters, from my understanding, are different. They may have hired guards but also have a smaller contingent of actual employees guarding, doing maintenance, monitoring, upgrading, etc., etc., in addition to rings of security.
The datacentre security is different. They tell you when you sign up for GCP.
Can confirm. Even most Googlers can only go there on pre-approved guided tours, most of the time. And even that isn't common.
Leave a web-connected microphone near Project Zero's desks.
If they can't do basic physical security correctly, it kind of calls into question their broader approach? For example, I imagine it's much easier to socially engineer yourself into other access once you're inside the campus than from without.