Gil Gelep's post is open to detailed criticism, but he does make an
important distinction.

There are insiders and there are outsiders. Insiders do sometimes know
things---passwords, slip paths, and the like---that make it possible for
them to do damage within their own shops but not in others. In my
experience the damage they do is almost always inadvertent, stupid rather
than malicious; but they do sometimes do such damage; and security
mechanisms do not help much to prevent it.

Another, different problem is harder to talk about because I cannot give
concrete examples. Those of us who build systems often include trap doors
in them that facilitate our own testing (and subsequent maintenance)
operations, and in an OCO era we often leave them in these systems. Worse,
some of us---let me call them locksmiths---even know a lot, security people
think too much, about trap doors in systems we did not develop. This is
important because, while one can choose to use one locksmith instead of
another, there are circumstances in which one must use a locksmith.

External penetration is the major threat we confront, and it should be the
major preoccupation of security groups. Moles, to the extent that they pose
real problems in business (as opposed to the NSA), cannot be dealt with using
passwords. Moles know them, just as an NSA mole, if there were one, would
have a security clearance.

John Gilmore
Ashland, MA 01721
U.S.A.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html