by livueta 2386 days ago
I feel like if any one person can seriously subvert something, you've already lost. Maybe that's just my perspective from working at international enormous tech corp X, but we've already basically got that problem in the form of employees hailing from repressive states (yeah, Australia, that's you now too) where everything needs cross-signing anyway.

All in all, I'd probably be more concerned about foreign nationals open to various forms of coercion than I would felons - in the general case, anyway. Of course, there are certain environments where more assurance is needed and not employing from either category is reasonable, and the type of criminal background also matters. For instance, someone from a bad neighborhood who got swept up in gang activity like the guy in the article is probably a lot less likely to try to fuck you over than a serious convicted blackhat/fraudster.

It's also possible to, as in the article, explicitly limit their roles to those that don't touch customer data or sensitive product code, where it'd be significantly more sufficient to parlay access into a quick payout. One ironic thing is that's frequently the exact opposite of how it works in practice: think of all the crooked telco CS reps who've been doing SIM swaps recently. Those roles aren't exactly exclusive positions, and I'd argue they're a good example of why paying people crap combined with poor vetting and lots of access is a bad idea.

5 comments

I definitely agree with you in spirit, but I feel like in most organizations, there's still lots of easy potential for one person to seriously subvert things.

I think a baseline level of trust is an absolute requirement, regardless of how well implemented your organizational access security is.

I would say that any company source code, by definition, is a company secret, and there will always exist an easy means for an employee to leak or compromise that secret.

>I feel like if any one person can seriously subvert something, you've already lost.

This is technically correct, but most companies (at least in the US) take the easy way out, just like they do for hiring. No college degree means no job offer.

A well functioning IT organization will not be vulnerable to a single malicious person, but having been in the industry for almost 30 years at this point, the number of corporations functioning to that level in IT is small.

The fact that most organizations are more concerned about lowering costs and increasing profits instead of quality means that managers take the easy way out... it's cheaper to just not hire anyone they deem a risk and not worry about improving IT's functioning because they don't see any downside to that in the time frame that concerns them.

I agree. Proper controls are half the battle. Naturally, those tend to be ignored when things get difficult.
Based on my sample of well over a hundred companies, proper controls are very rare.
Intelligence organizations and other institutions handling very sensitive data likely have way better information discipline than almost any org, but even there singular individuals leak and cause outsized embarrassment.

Trust is bigger than big.

Interesting point about foreign nationals! Indeed, this seems like a major point often overlooked, despite the recent growing evidence of state-sponsored and state-directed hacking.