Use of Yammer by VA staff was a major security risk, investigation says

There is another article on the internet describing recent findings at the Los Angeles VA regional office where &quot;erroneous shredding&quot; of veteran benefit applications was ubiquitous.<p>As a veteran using VA services, I beg Americans to raise their own awareness of the criminal negligence occurring at the VA. Law currently provides that the VA may not fire or reprimand VA employees based on past performance. That&#x27;s right: VA employees cannot be fired for shitty performance (or &quot;erroneous shredding&quot;).<p>The phrase we use to describe the VA is &quot;delay or deny until they die&quot; and it&#x27;s absolutely the truth. A very good friend of mine was murdered by VA doctors who prescribed him drugs with deadly interaction. His family can&#x27;t do anything about it, and those doctors are still working at the VA, prescribing medications to veterans.<p>If any government organization needs a complete overhaul, an across-the-board firing of all employees (and a permaban of all of those employees from ever working for the government ever again), it&#x27;s the Department of Veteran Affairs.

We were looking at using these kids of tools, but having your internal corporate communication hosted on an external site which you have little control over wasn&#x27;t really something we wanted to do.<p>We ended up developing our own system which ended up a bit similar to Slack. Of interest to the crowd here, the server side is implemented in Common Lisp. We&#x27;ll release it as open source as soon as we&#x27;ve cleaned it up a bit.<p>I have an externally available demo system, but I don&#x27;t want to reveal the URL to it publicly right now since it runs on the smallest possible Google Cloud instance. If anyone is interested in testing it, send a private message to me, or wait until we release it.

They didn&#x27;t setup an admin account and disable ex-employees&#x27; access. How is this Mucrosoft&#x27;s fault?

I&#x27;ve also never really figured out what value Yammer, and other similar products, like Chatter from SalesForce, or IBM&#x27;s Lotus Connections, was supposed to provide. As best I can tell, the rationale must have been something like:<p>1.) Well, our employees spend a lot of time screwing around on Facebook, so let&#x27;s build something that looks almost identical, but that is supposed to be used for posting status messages about work, instead of BuzzFeed listicles, baby pictures, and venting!<p>2.) ?????<p>3.) PROFIT!!!!

Meanwhile I&#x27;ve had two companies attempt to get employees to try to use this. If I can&#x2F;want to deal with coworkers in person, I will. If I can&#x27;t&#x2F;don&#x27;t want to, I&#x27;ve got real-time tools to do it. Where does this fit in? It&#x27;s one more layer of crap to get in between me and getting my work done.

As Randall Munroe has cleverly illustrated, a system is only as secure as its weakest point: <a href="https:&#x2F;&#x2F;xkcd.com&#x2F;1200&#x2F;" rel="nofollow">https:&#x2F;&#x2F;xkcd.com&#x2F;1200&#x2F;</a><p>IT administrators can secure everything under their control really well, but if a third-party web application used by employees is successfully penetrated, poof! IT infrastructure is now exposed to threats from the inside. Meanwhile, the only people who can evaluate and improve the security of that web application are the people selling the application.

My IT department is a menace. In the name of security we have all been forced into a shitty Juniper VPN with no Linux support, ssh and http access is curtailed campus wide and we must install some tracking software so IT can &quot;monitor our patch status&quot;.<p>Whether this improves anything in terms of data breaches I don&#x27;t know. But as far as I can see &quot;security&quot; is the literal opposite of freedom and openness.

The compliance tools for Yammer are pretty rudimentary. I&#x27;ve actually worked on a product for automating the Yammer data export, converting the raw data that that dumps to you (what looks suspiciously like a straight table dump, converted into an archive of CSV files), and pushing that into various compliance management systems.

&gt; When quizzed about how exactly the network was supposed to stay secure without oversight, an official whose name is redacted from the document told the investigators: “It’s kind of like a self-policing, everybody’s job is to be responsible.”<p>So their security policy was to not have a security policy, essentially.