Wednesday, December 31, 2008

More doom?

a) 1974 http://web.mit.edu/Saltzer/www/publications/protection/

and

b) SecurityMetrics mailing list going round in circles.....

including

c) "It'll be just as insecure as it possibly can, while still continuing to function."
http://www.ranum.com/security/computer_security/editorials/point-counterpoint/homeusers.htm

One does worry.

Until we can elicit a value to shared and dedicated nodes/messages + the organisational superorganism as a whole, risk and the quantification thereof is a joke.... unfortunately shared infrastructure and services such as routing/DNS/SNMP/NTP/logging *are* business critical e.g. data and control planes including management control planes. http://twitter.com/irldexter/status/1087480944

Here's to 2009! And some standardisaiton of code development and testing including liability etc as per David Rice's arguments in Geekonomics. http://my.safaribooksonline.com/9780321477897

Peace.

1 comment:

Anonymous said...

Your tutorial on security protection reminded me of two incidents involving the use of office networks.

The first was around 1980 when the the central computer was a DEC PDP11 minicomputer and a rake of dumb terminals. I had an account with read and write access. One day I decided to go walk-about on the system and see how far I could get. I found that while write access was limited to my own account, I had read access to the whole system. For read, read copy. So I could copy data and programmes from any other account and run them in my own account. I reported this to an incredulous systems operator and the hole was eventually plugged.

The second, in more recent times, was around 2001. I had access to a certain block of financial information directly related to my work. This was normally accessed through a menu system. When I resorted to the Windows Explorer I found I also had access to other blocks of information which should not have been accessable. I reported this and it was corrected.

Also, in the 1980s, I set up a system, under Novell networking software, for dealing with sets of confidential material which were to be made available to different lists of readers, and the updating of which would be confined to the originating work units. This was quite simple. I put the indvidual blocks of information in separate subdirectories and gave read access to the authorised readers and additional write access to the appropriate originating work sections. The systems operator had delegated me administrative rights over the account and its subdirectories. This worked fine until each time a Novell upgrade was implemented and when I checked the rights distributions they were all over the place and had to be reconstructed from scratch.

You will gather from the above, that I enjoyed reading this tutorial immensely and only wished my various sysops over the years had taken such matters sufficiently seriously at the outset.