[kkwak]

Programming generally provides people with a lot of power. Either in access to data or obviously code. In that, there is a lot of trust requested and given. I know lots of enterprises add a lot of "scans" and "checks" and limit things to much complaints to remove the "we trust you" from the equation, but still you can't scan for everything.

The open question is how much trust do you want to give? Of course, 2nd, 3rd, 4th chances are awesome and all - but in reality; as a company with lots to lose. 1. reputationally 2. financially

[livueta]

I feel like if any one person can seriously subvert something, you've already lost. Maybe that's just my perspective from working at international enormous tech corp X, but we've already basically got that problem in the form of employees hailing from repressive states (yeah, Australia, that's you now too) where everything needs cross-signing anyway.

All in all, I'd probably be more concerned about foreign nationals open to various forms of coercion than I would felons - in the general case, anyway. Of course, there are certain environments where more assurance is needed and not employing from either category is reasonable, and the type of criminal background also matters. For instance, someone from a bad neighborhood who got swept up in gang activity like the guy in the article is probably a lot less likely to try to fuck you over than a serious convicted blackhat/fraudster.

It's also possible to, as in the article, explicitly limit their roles to those that don't touch customer data or sensitive product code, where it'd be significantly more sufficient to parlay access into a quick payout. One ironic thing is that's frequently the exact opposite of how it works in practice: think of all the crooked telco CS reps who've been doing SIM swaps recently. Those roles aren't exactly exclusive positions, and I'd argue they're a good example of why paying people crap combined with poor vetting and lots of access is a bad idea.

[joenot443]

I definitely agree with you in spirit, but I feel like in most organizations, there's still lots of easy potential for one person to seriously subvert things.

I think a baseline level of trust is an absolute requirement, regardless of how well implemented your organizational access security is.

I would say that any company source code, by definition, is a company secret, and there will always exist an easy means for an employee to leak or compromise that secret.

[Accujack]

>I feel like if any one person can seriously subvert something, you've already lost.

This is technically correct, but most companies (at least in the US) take the easy way out, just like they do for hiring. No college degree means no job offer.

A well functioning IT organization will not be vulnerable to a single malicious person, but having been in the industry for almost 30 years at this point, the number of corporations functioning to that level in IT is small.

The fact that most organizations are more concerned about lowering costs and increasing profits instead of quality means that managers take the easy way out... it's cheaper to just not hire anyone they deem a risk and not worry about improving IT's functioning because they don't see any downside to that in the time frame that concerns them.

[A4ET8a8uTh0]

I agree. Proper controls are half the battle. Naturally, those tend to be ignored when things get difficult..

[jacquesm]

Based on my sample of well over a hundred companies proper controls are very rare.

[traderjane]

Intelligence organizations and other institutions handling very sensitive data likely have way better information discipline than almost any org, but even there singular individuals leak and cause outsized embarrassment.

Trust is bigger than big.

[johntiger1]

Interesting point about foreign nationals! Indeed, this seems like a major point often overlooked, despite the recent growing evidence of state-sponsored and state-directed hacking

[mabbo]

But this is precisely why Tech is the perfect place for people like this: we already don't trust anyone!

Consider Netflix's ChaosMonkey (or whatever their new simian name they have now). It messes with your IT infrastructure automatically to ensure that your software/system can handle these regular problems. Developers have to consider that hey, these things are going to happen all the time (rather than relying on luck that it doesn't happen) and they build super resilient systems. You ever even heard of a Netflix outage?

Now ask yourself this: How would you build your security infrastructure/system given the knowledge that literal convicted criminals would have access to some parts of the system? You'd become very inventive, creative, and build the world's best system. AAA (authentication, authorization, accounting) security? You'd find some new A's to add just to be sure.

If your system can't handle convicted criminals access it, how will it handle the ones who didn't get caught but now work for you?