The FBI, due to an error in the configuration of its systems, allowed a user to access them illegally and use them to send unauthorized messages. In the purest spirit of the times, everything was settled with a terse press release (https://www.fbi.gov/news/pressrel/press-releases/fbi-statement-on-incident-involving-fake-emails), but the technical reconstruction of the event once again raises the theme of our inability to manage the levels of complexity of the infosphere and of its consequent intrinsic vulnerability. In summary: we have built a colossus which, unlike the one at Rhodes, has more than just its feet made of clay.
It is of little importance, in this specific case, that the vulnerability of the FBI systems was exploited to send SPAM and not (according to public statements) to steal information by impersonating some official or to commit more serious acts. Just as it is unimportant that the unauthorized access was made possible by a serious design mistake in the client-server interaction during the registration phase on the attacked portal, on the basis of which, as the apparent anonymous author of the deed declares: “Basically, when you requested the confirmation code [it] was generated client-side, then sent to you via a POST Request … This post request includes the parameters for the email subject and body content. Needless to say, this is a horrible thing to be seeing on any website … I’ve seen it a few times before, but never on a government website, let alone one managed by the FBI.”
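The design flaw quoted above, as an added illustration that is not code from the article or from the portal in question: a minimal Python handler that accepts the confirmation code, email subject and body from the client, next to a hardened version that generates the code server-side, sends a fixed message and verifies against a stored hash. The request is a plain dict standing in for parsed POST parameters, and the outbox list is a constructed stand-in for the mail relay; both are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the portal's outbound mail relay: it records what would be sent.
OUTBOX = []

def send_email(to, subject, body):
    message = {"to": to, "subject": subject, "body": body}
    OUTBOX.append(message)
    return message

def vulnerable_register(post):
    """The design quoted above: the client supplies the confirmation code AND the
    subject and body of the confirmation email. The server generates nothing and
    checks nothing, so it is effectively an open relay for whoever can POST."""
    return send_email(post["email"], post["subject"], post["body"])

# email -> sha256(code); constructed in-memory store standing in for a database.
PENDING = {}

def hardened_register(post):
    """Only the address is taken from the request. The code is generated server-side
    from a CSPRNG, the message text is fixed, and only a hash of the code is stored."""
    email = post["email"]
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[email] = hashlib.sha256(code.encode()).hexdigest()
    return send_email(email, "Your confirmation code",
                      f"Your confirmation code is {code}.")

def verify(email, submitted):
    """Constant-time comparison against the stored hash; a code is single-use."""
    expected = PENDING.get(email)
    if expected is None:
        return False
    if hmac.compare_digest(expected, hashlib.sha256(submitted.encode()).hexdigest()):
        del PENDING[email]
        return True
    return False

if __name__ == "__main__":
    untrusted_post = {"email": "user@example.test", "code": "123456",
                      "subject": "Anything", "body": "Anything at all"}
    print(vulnerable_register(untrusted_post))  # the relay sends exactly what was posted
    print(hardened_register(untrusted_post))    # subject and body from the request are ignored
```

The practical check is the second call: whatever subject and body the request carries, the hardened handler sends only its own fixed text, and the code it mailed is the only one `verify` will accept, exactly once.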
Errors of this kind happen all the time and are among the main causes of “accidents” that only occasionally make the headlines. But, too often, these events are not caused by “mistakes” and cannot be called “accidents” in the sense of being the fault of a cynical, cheating fate. They are the result of negligence born of a widespread malpractice in software design and platform management, as well as of the cultural bias of politicians and administrators according to which “computers are the stuff of technicians”.
So, as Alan Cooper wrote, The Inmates Are Running the Asylum — the mad are running the sanatorium — or, as the Alan Parsons Project sang, We let the blind man lead the way too long.
When a defect in a program is not a defect but a feature, when a network is designed “because this is better”, or when a platform is put into production without anyone bothering to check whether it works or whether it is secure, this has nothing to do with “oversights” or “low blows of fate”. Yet this is the narrative that characterizes commentary on such cases. The by now Pavlovian reaction to these events is, in fact, “to apologize”, “to announce the adoption of new measures” and, in the Italian variant, “to report to the postal police” and “to report to the Guarantor (for personal data)”. And then to carry on more or less as before, hoping that the “bad luck” will rage on someone else and that no inspection will arrive.
If, however, a private company can afford this (pragmatic but risky) approach, can we accept that public institutions do the same?
Italy has a less than brilliant tradition when it comes to the security of public platforms. It has reacted, in particular by applying the Regulation on the protection of personal data, by bureaucratizing obligations in the name of “paper security” and by creating “committees”, “working tables” and “collaboration protocols” of which nothing has been heard since the launch press release. The national response is systematically to curl up like a hedgehog and wait for the storm to pass (does anyone have any updates on the Lazio Region case?).
There is, therefore, a substantial difference from the approach of the USA, which, whatever perplexities the case may raise, takes the gloves off when necessary and does not let itself be hamstrung by quibbles.
However, the point is, as the facts show, that criminals have also taken off their gloves — the common ones and those unofficially “sponsored” by hostile countries. As a result, and the FBI case clearly demonstrates this, the outlook changes altogether. From “cops and robbers”, where actions were confined to well-defined areas, we have moved to a conflict that is as asymmetrical as you like, but still a conflict, in which the perpetrators of illegal acts react or even strike pre-emptively. And in every conflict only one thing counts: to win, at any cost, by any means.
This change of perspective brings with it a blurring of the boundaries between the hunt for criminals (which has its own legal rules) and the elimination of the opponent (which requires only the result). Both approaches make sense in their respective contexts, courtrooms or theaters of war, but if the roles are mixed up or the parts are swapped, the consequences can be devastating.