double shot of snake oil, good conclusion

Ed Gerck egerck at nma.com
Thu Mar 6 12:38:25 EST 2003



Tal Garfinkel wrote:

> The value of these types of controls is that they help users you basically
> trust who might be careless, stupid, lazy or confused to do the right
> thing (however the right thing is defined, according to your company
> security policy).

It beats me that "users you basically trust" might also be "careless, stupid,
lazy or confused" ;-)

Your point might be better expressed as "the company security policy would
be followed even if you do NOT trust the users to do the right thing." But,
as we know, this only works if the users are not malicious, if social engineering
cannot be used, if there are no disgruntled employees, and other equally
improbable factors.

BTW, one of the arguments that Microsoft uses to motivate people to
be careful with unlawful copies of Microsoft products is that disgruntled
employees provide the bulk of all their investigations on piracy, and everyone
has disgruntled employees. We also know that insider threats are responsible
for 71% of computer fraud.

Thus, the lack of value of these types of controls is to harass the legitimate users
and give a false sense of security. It reminds me of a cartoon I saw recently,
where the general tells a secretary to shred the document, but make a copy
first for the files.

Cheers,
Ed Gerck


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com