Security cannot be improved by waving flags

Via Schneier comes a story about the US Navy and a disgruntled contractor who just pleaded guilty:

He confessed to programming malicious software codes into computers that track Navy submarines in May 2006 while in Naples. He told Navy investigators that he was upset that his company’s bid on a project was passed over. Sylvestre had fled Italy after he entered the codes.

The guilty party, one Richard Sylvestre, was a sys-admin at a US Navy system based in Naples, Italy, and he had a top-secret security clearance. So, without being too crass about it, the sales pitch about security as a property of who works on the software is once again shown to be simply ridiculous – see my old note on the subject. Security is a reliability issue that needs to be addressed in design and administration procedure. The network that was hacked was too trusting of its operators, and the people who were responsible for administering the sys-admins were not doing their jobs.