Securing Everything

The Authorized User Problem

Welp, I guess I'm starting a blog today. I want to talk about how we secure systems today, but I don't want to talk about computers, I want to talk about organizations as systems. One of the things that I think haunts infosec is our insistence that technical solutions, computers, and similar automation are the solution to security. I think this is because they're easy to measure, and there's a belief that they're reliable. But today I want to talk about what I see as the core gap in that way of thinking.

I think there's a related blog post about the fundamental flaw in blockchains and Flatpak-style package managers that sits next to this one, but not today. That's later. I gotta get my CPEs somehow.

Yesterday, as we all know, this happened. First, I want to laugh at the Trump Admin texting out its war plans. Let's all have a good chuckle. Now, let's take a moment of silence for the people bombed. Ok? Good, thank you.

Because of that event I've been seeing a lot of hot takes about how the Trump admin is fucking stupid. Which I appreciate. Alongside those, I've seen some hot takes about how Signal is deficient because it allows group members to add non-members to the group. This is fucking wild, and I want to talk about this idea. I want to think a lot about authorization.

A user is authorized to do something if they are allowed to do it. But what does it mean to be authorized? On their phones, members of the Trump Administration are authorized to use Signal. Signal is authorized to send messages. And they are authorized to communicate with journalists. Great, we can all agree with that. So we can assume they should be authorized to add journalists to group chats, and that they should be allowed to add them to group chats containing other members of the administration.

But there's something else here. Something about where each authorization lives. The authorization to use Signal is an organizational one, potentially enforced by mobile device management. The authorization for Signal to send messages is a network/MDM setting. The authorization to communicate with journalists is also an organizational authorization, not a technical one. But the authorization inside Signal to add someone to a group is purely technical: the app checks whether you're a member who can add people, and nothing else. We also need to agree that this list of authorizations is good. If you don't agree, I think you're coming out against whistleblowing as a concept, and I have a fundamental disagreement with you. If you have a different reason, hit me up on The Fediverse.

BUT! We have to admit that something else is wrong. The Trump Admin shouldn't have been discussing its war plans on Signal! Messages in Signal aren't captured by the records systems that answer Freedom of Information Act requests! It's not a proper communication channel. It's a third-party supplier and not audited by internal processes. It's not covered by data loss prevention or other tools that keep information away from people who aren't privy to those plans! That's because Signal isn't a tool for communicating war plans! I would also argue that the members of the admin were not authorized to use it for this (because of the FOIA issue), and likely are not by internal policy (I don't know their internal policies), and their internal systems likely did have controls for preventing external users from using the approved tools. The problem here is not that Signal is hard to use. The problem is that users were using it inappropriately to (probably) avoid FOIA and other scrutiny! These users were authorized to use Signal (technically) but they were not authorized to use it to avoid scrutiny and accountability (organizationally).

This is where we get to the actual problem. The Authorized User Problem. Users who are completely authorized to do something some of the time, but not at other times. Most of the time these are admins, but this case is a great example of the same gap. Generally we use detective controls to manage this. We log their use, we check for the tool, and we alert when these things happen. But it would feel weird in this case to have too much oversight of Signal (see whistleblowing). This is a case where you would start with user training and then a discipline tier, because this is someone abusing a special authorization, like a rogue admin on your network.

Authorized users are trusted users. Trusted users are users who have access to do things that are against policy, and that is often necessary because multiple policies pull in different directions. We can't automate everything. Sometimes we need to allow people to do things that are incorrect, and then support them in not doing it, and then, when they decide to discuss their war plans over Signal, we give them a warning and retraining, and probably eventually a censure, because people are trusted. People must be able to do wrong things sometimes, and we need to treat them like fucking adults when they do. And if they show they aren't able to handle that responsibility, we can't simply remove their ability to use the tool.
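Here is what that split looks like in code, as an added example that is not from the post. The technical layer (MDM allows the app or it doesn't) is preventive; the organizational layer never blocks, it only records a finding and walks the named users up the warning, retraining, censure tiers. It assumes some event feed that names the app and the participants of a conversation, which is constructed here and will not match what any real MDM can see into Signal; the apps, roles, user names and events are all made up for the example.

```python
"""Detective control for the Authorized User Problem (added example).

Technical authorization and organizational authorization are evaluated
separately. The technical layer can block; the organizational layer only
logs, attributes a finding and escalates per user. Everything here
(apps, roles, users, events) is constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Technical layer (assumed MDM allow-list): Signal is allowed for everyone.
MDM_ALLOWED_APPS = {"signal", "teams", "mail"}
# Organizational layer (assumed records policy): channels approved for
# official business. Signal is deliberately absent.
OFFICIAL_CHANNELS = {"teams", "mail"}
# Roles whose internal deliberations must land in the records system.
COVERED_ROLES = {"principal", "deputy"}
# Discipline tier from the post: trust first, then escalate.
ESCALATION = ["warning", "retraining", "censure"]


@dataclass
class Event:
    app: str
    participants: list  # (user, role); outsiders carry role "external"


@dataclass
class Decision:
    technically_allowed: bool
    finding: Optional[str] = None
    action: Optional[str] = None


class DetectiveControl:
    def __init__(self):
        self.hits = Counter()   # findings per covered user
        self.audit_log = []     # every event, allowed or not

    @staticmethod
    def technical_authz(event):
        # Preventive: either the device may run the app or it may not.
        return event.app in MDM_ALLOWED_APPS

    @staticmethod
    def organizational_check(event):
        # Detective: returns a finding text, never a block.
        if event.app in OFFICIAL_CHANNELS:
            return None
        covered = [u for u, r in event.participants if r in COVERED_ROLES]
        if len(covered) < 2:
            # One covered person talking to an outsider on Signal is the
            # whistleblower/press path the post defends: no finding.
            return None
        return (f"{len(covered)} covered users deliberating on "
                f"{event.app}, outside the records system")

    def process(self, event):
        allowed = self.technical_authz(event)
        names = [u for u, _ in event.participants]
        self.audit_log.append(
            f"app={event.app} allowed={allowed} participants={names}")
        finding = self.organizational_check(event) if allowed else None
        decisions = {}
        for user, role in event.participants:
            d = Decision(allowed)
            if finding and role in COVERED_ROLES:
                self.hits[user] += 1
                d.finding = finding
                # Tier advances with each finding and caps at censure.
                d.action = ESCALATION[min(self.hits[user], len(ESCALATION)) - 1]
            decisions[user] = d
        return decisions


def run_sample():
    """Run a constructed sequence of events; returns (control, decisions)."""
    control = DetectiveControl()
    events = [
        Event("signal", [("alice", "principal"), ("reporter", "external")]),
        Event("teams", [("alice", "principal"), ("bob", "deputy")]),
        Event("signal", [("alice", "principal"), ("bob", "deputy")]),
        Event("signal", [("alice", "principal"), ("bob", "deputy"),
                         ("reporter", "external")]),
        Event("signal", [("alice", "principal"), ("bob", "deputy")]),
        Event("signal", [("alice", "principal"), ("bob", "deputy")]),
        Event("tiktok", [("alice", "principal"), ("bob", "deputy")]),
    ]
    return control, [control.process(e) for e in events]


if __name__ == "__main__":
    control, results = run_sample()
    for line, decisions in zip(control.audit_log, results):
        actions = {u: d.action for u, d in decisions.items() if d.action}
        print(line, "->", actions or "no finding")
```

The first event (one principal, one journalist, on Signal) produces no finding at all: that is the press/whistleblower path and the control stays out of it. The third event (two covered users deliberating on Signal) is the Authorized User Problem: the app was allowed, nothing is blocked, but each covered user picks up a warning, then retraining, then censure on repeat. The last event shows the other layer doing its job: an app MDM never permitted is simply refused, and no organizational escalation is needed.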

Basically - we need to authorize users technically and then put organizational fucking controls in place. Stop treating user authorization as a bug.

Post Dated: 2025-03-25 10:07
