Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: Notesfiles $Revision: 1.6.2.17 $; site uokvax.UUCP
Path: utzoo!watmath!clyde!cbosgd!ihnp4!inuxc!pur-ee!uiucdcs!uokvax!emks
From: emks@uokvax.UUCP
Newsgroups: net.unix-wizards
Subject: Re: Security, hackers, computer crime
Message-ID: <6200037@uokvax.UUCP>
Date: Thu, 20-Dec-84 01:52:00 EST
Article-I.D.: uokvax.6200037
Posted: Thu Dec 20 01:52:00 1984
Date-Received: Fri, 28-Dec-84 03:55:23 EST
References: <1@decwrl.UUCP>
Lines: 63
Nf-ID: #R:decwrl:-100:uokvax:6200037:37777777600:3184
Nf-From: uokvax!emks Dec 20 00:52:00 1984

/***** uokvax:net.unix-wizar / decwrl!kaiser / 7:50 pm Dec 17, 1984 */
Study after study done by the nation's law-enforcement agencies shows that the greatest money losses from crime come from white-collar crime committed by trusted insiders. ... People abuse their privileges ... [guilt trip] ... and misuse their resources in criminal ways. Some persons profit from this, deliberately. They are criminals. Most are never detected, much less caught, tried, or convicted of their crimes.

If we absolutely stopped all irresponsible hacking ... and completely plugged every conceivable technical hole in computer security, the amount of security gained, the amount of crime halted, would be a trivial part of the true total of computer crime and breaches of security and privacy.

So we shouldn't ... be seduced into thinking that [hackers] and technical holes in computer security are the biggest part of the problem. They aren't; they're just the most dramatic and visible parts.

When we get serious about security ..., we'll attack them at the roots ... but unfortunately, that will be much more difficult than anything we've done so far....

---Pete
/* ---------- */

Boy, can I ever echo what Pete just said!

I think that the computer center's site management team (probably in an effort chiefed by the data security manager) should look at the risk potential based on things like the type of data handled, what sort of access is granted to which people, and so forth.

Cheap ideas like the DoD's "two-man" rule in areas regarded "no-lone" would probably deter much of the irresponsible actions on the part of those with access to the system console and accounts with special privileges. But one must also weigh the potential risk against the hassle (the old "bennies versus loss" argument). I don't think that our site administrators here at the University of Oklahoma would be thrilled pink if they had to be accompanied into the machine room by another knowledgeable person (and the same procedure for each "su"). Now, our site administrators are human and, just like that Northrop guy arrested by the FBI, probably pretty conscientious--under most circumstances. I think it would be a really good idea for centers to adopt rules like "two-man," but prepare for revolt!

One of the weakest areas in the area of management selection is that of an individual's background. DoD is one of the few agencies that actually has a decent background investigation--and for good reason. But most companies are unwilling to do much of anything to determine the trustworthiness of employees who, in a real sense, are sometimes given the most sensitive of corporate or personnel information. [Examples abound: E-Mail might contain inside info. about stock deals, engineering data about a proprietary project, information about which the computer manager might not have any need, etc., ad nauseam]

What can be done about this?? Sigh. I think that the only way companies will change is to have losses, to wit: "take it in the shorts."

   /\
  /  \    Have a safe holiday season...
 /    \   We wouldn't want you to miss NEWS!!!
 ------
   ||
                                kurt