[782] in cryptography@c2.net mail archive
Re: key recovery vs data backup
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Fri May 9 16:28:42 1997
To: cryptography@c2.net
In-reply-to: Your message of "Fri, 09 May 1997 15:35:37 BST."
<199705091936.PAA18161@codex.cis.upenn.edu>
Reply-To: perry@piermont.com
Date: Fri, 09 May 1997 16:17:01 -0400
From: "Perry E. Metzger" <perry@piermont.com>

"Angelos D. Keromytis" writes:
> In message <v03007802af98f8598838@[207.94.249.67]>, Bill Frantz writes:
> >IMHO the problem companies worry about is not employees using email to
> >steal company secrets. Employees have too many other ways to get the
> >secrets out. What companies worry about is Trojan horses stealing company
> >secrets.
>
> I'll disagree. If you followed alt.security about a month ago, someone
> from Solomon Brothers posted about their security policies and
> (mal-)practices. In those messages (quite a few, large ones), it was
> explicitly stated that all traffic (esp. email) through the firewall
> was monitored by the administrators to spot leaking of company secrets
> (quite successfully too, from what he says).

Whether Solly does that or not doesn't really matter -- many companies
have silly policies. The real question is "does this buy you
anything". As has been pointed out, it is pretty damn trivial to walk
out of the building with loads of valuable documents, either on paper
or disk, or even with valuable data in one's head.

I worked some time ago at a hedge fund, where one day some
administrators asked me about filtering the outgoing mail to detect
anyone trying to mail the firm's position sheet out. I noted that most
people on the desk got the sheet, conveniently xeroxed, every day, and
that they could drop it in their briefcase and take it out any time
they liked.

It is useless to worry about an employee using cryptography to sneak
some valuable firm secrets out the door when no one is searched for
floppies carrying the same.

Security has to be considered as part of an overall system. It is
worthless to place a two foot thick molly-steel vault door in a wall
made of rice paper.

Significance? This principle has to be remembered when designing
cryptographic systems, too, or when using them as part of a larger
security system.

Perry