eugen at leitl.org
Thu Dec 9 15:21:45 UTC 2010
On Thu, Dec 09, 2010 at 02:44:40PM +0000, BillK wrote:
> The problem is that in the internet age security is actually a very
> hard problem.
The Internet has nothing to do with it.
> All large organisations are struggling to solve this problem.
> And organisations don't come much larger than the US government.
> Manning accessed SIPRNet.
Which is not top-secret (never mind higher classification),
so really nothing to see here, move along.
Still enough egg on collective faces to have the plug pulled on it.
The network is down, but the practices continue.
> A 1993 GAO report estimated more than 3 million US military and
> civilian personnel had clearance, and access is also available to a
> "...small pool of trusted allies, including Australia, Canada, the
> United Kingdom and New Zealand...".
> So, try and secure that! Not only US computers, but allies computers as well.
Typically you compartmentalize on a need-to-know basis. You can use
smart tokens for authentication and serve information keyed to said
token, and use secure terminals in secure locations. It is also
easy to log access, lock out on recognized access patterns, introduce
watermarks to each analyst account. Just because it has not been
done in this case it doesn't mean it can't be done.
> The big problem with role-based security is that staff roles change
> all the time. And it is difficult to decide what level the 'need to
If you don't revoke access when the role changes then you know what
you're doing wrong (or right) already.
> know' stops at. So most organisations give people more clearance than
> they need, 'just in case'.
Spooks are not most organisations.
> Staff regard security as an obstacle to doing their job and quickly
> find ways to bypass security measures that get in their way.
You know what to do with such staff.
> Everything from holding the security door open, to passwords stuck on
> the screen, to 'Can I borrow your signon for this job?'
In some places, that's a firing offense. Of the court-martial firing-squad
> If you want a hopeful spin on all this, it is that perhaps the US
> government will adopt the 'Don't be evil' motto. If you don't behave
You're really funny.
> badly then you don't have to worry if your security fails. And, of
> course, if you don't behave in ways that make people despise or hate
> you, this is an additional security measure because then your staff
> won't be motivated to harm or expose your misdeeds.
The world doesn't work that way.
Eugen* Leitl leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
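The controls named in the reply above (need-to-know compartments, token-keyed authentication, access logging, lockout on a recognized access pattern, and a per-analyst watermark on everything served) fit together in a small document server. The following is an added illustration, not code from the thread or from any real system; the document ids, token ids, analyst names, compartment labels, the watermark key and the bulk-access threshold are all constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed sample data (hypothetical, not from the original thread).
# Each document carries the set of compartments a reader must hold.
DOCUMENTS = {
    "cable-001": {"compartments": {"EUR"}, "text": "Routine cable about trade talks."},
    "cable-002": {"compartments": {"EUR", "SIGINT"}, "text": "Intercept summary."},
    "cable-003": {"compartments": {"MIDEAST"}, "text": "Regional assessment."},
}

# A smart token is modelled as an opaque token id mapped to the analyst it
# authenticates and the compartments that analyst holds (hypothetical values).
TOKENS = {
    "tok-a1": {"analyst": "analyst-a", "compartments": {"EUR"}},
    "tok-b7": {"analyst": "analyst-b", "compartments": {"EUR", "SIGINT", "MIDEAST"}},
}

WATERMARK_KEY = b"constructed-secret-for-demo"  # placeholder, not a real key
BULK_LIMIT = 2      # distinct documents per window before the account is locked
WINDOW = 60         # seconds


class AccessDenied(Exception):
    pass


class DocumentServer:
    def __init__(self):
        self.log = []                       # audit trail of every decision
        self.recent = defaultdict(deque)    # analyst -> deque of (ts, doc_id)
        self.locked = set()

    def _record(self, ts, analyst, doc_id, outcome):
        self.log.append({"ts": ts, "analyst": analyst, "doc": doc_id, "outcome": outcome})

    def _watermark(self, analyst, doc_id):
        # Per-analyst, per-document tag: a leaked copy points back at one account.
        msg = f"{analyst}:{doc_id}".encode()
        return hmac.new(WATERMARK_KEY, msg, hashlib.sha256).hexdigest()[:16]

    def fetch(self, token_id, doc_id, ts):
        ident = TOKENS.get(token_id)
        if ident is None:
            self._record(ts, None, doc_id, "bad-token")
            raise AccessDenied("unknown token")
        analyst = ident["analyst"]
        if analyst in self.locked:
            self._record(ts, analyst, doc_id, "locked")
            raise AccessDenied("account locked")
        doc = DOCUMENTS.get(doc_id)
        if doc is None:
            self._record(ts, analyst, doc_id, "no-such-doc")
            raise AccessDenied("no such document")
        # Need-to-know: the reader must hold every compartment on the document.
        if not doc["compartments"] <= ident["compartments"]:
            self._record(ts, analyst, doc_id, "need-to-know")
            raise AccessDenied("not cleared for compartment")
        # Recognised pattern: too many distinct documents in a short window.
        window = self.recent[analyst]
        while window and ts - window[0][0] > WINDOW:
            window.popleft()
        window.append((ts, doc_id))
        if len({d for _, d in window}) > BULK_LIMIT:
            self.locked.add(analyst)
            self._record(ts, analyst, doc_id, "lockout")
            raise AccessDenied("bulk access pattern, account locked")
        self._record(ts, analyst, doc_id, "served")
        return f"{doc['text']} [wm:{self._watermark(analyst, doc_id)}]"

    def trace_watermark(self, tag):
        # Given a tag recovered from a leaked copy, find the account it was served to.
        for entry in self.log:
            if entry["outcome"] == "served" and self._watermark(entry["analyst"], entry["doc"]) == tag:
                return entry["analyst"], entry["doc"]
        return None


def demo():
    srv = DocumentServer()
    out = {}
    out["a_ok"] = srv.fetch("tok-a1", "cable-001", ts=0)
    try:
        srv.fetch("tok-a1", "cable-002", ts=1)      # lacks SIGINT compartment
    except AccessDenied as e:
        out["a_denied"] = str(e)
    srv.fetch("tok-b7", "cable-001", ts=10)
    srv.fetch("tok-b7", "cable-002", ts=11)
    try:
        srv.fetch("tok-b7", "cable-003", ts=12)     # third distinct doc in 60 s
    except AccessDenied as e:
        out["b_locked"] = str(e)
    tag = out["a_ok"].rsplit("[wm:", 1)[1].rstrip("]")
    out["trace"] = srv.trace_watermark(tag)
    out["outcomes"] = [e["outcome"] for e in srv.log]
    return srv, out


if __name__ == "__main__":
    _, result = demo()
    for k, v in result.items():
        print(k, "->", v)
```

The lockout threshold and window are deliberately tiny so the pattern trips inside the demo; a real deployment would tune them per role and feed the audit log to a separate system rather than keeping it in memory. The watermark is a keyed hash rather than a random id so that tracing needs only the log entry and the key, not a stored table of tags.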