Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!purdue!bu-cs!buengc!bph
From: bph@buengc.BU.EDU (Blair P. Houghton)
Newsgroups: comp.unix.questions
Subject: Re: A way to monitor your files
Message-ID: <4113@buengc.BU.EDU>
Date: 10 Sep 89 23:04:40 GMT
References: <547@chem.ucsd.EDU> <1140@virtech.UUCP> <29114@news.Think.COM> <1142@virtech.UUCP> <11022@smoke.BRL.MIL>
Reply-To: bph@buengc.bu.edu (Blair P. Houghton)
Followup-To: comp.unix.questions
Organization: Boston Univ. Col. of Eng.
Lines: 43

In article <11022@smoke.BRL.MIL> gwyn@brl.arpa (Doug Gwyn) writes:
>In article <1142@virtech.UUCP> cpcahil@virtech.UUCP (Conor P. Cahill) writes:
>>Yes. I did not intend to say that C2 is the solution to the problem with
>>the superuser, but further levels of security (possibly B1, but more
>>probably B2) will begin to dispense with the idea of an omnipotent being.
>
>And then the sysadm will merely shut down the system, boot up his
>browser, and examine files on the supposedly secure disk.
>
>Nothing short of an excellent encryption scheme will foil the
>determined snooper in a situation like the one we were discussing.

Then, he said, change the situation.

The error is in trusting "computer security" at all. Real document control is what's needed. All secure data is to remain on removable media and stored in a locked box. The person with the key to the box is not the person with the key to the drive.

The other thing to remember is that almost every security situation has a single person who has the opportunity to "browse" the documents, if only while walking them from the window to the cabinet, and is probably authorized to do so in order to check for missing pages, etc. As long as the superuser is a sufficiently cleared individual, then the proper security is being maintained no matter what software he can use to get into the files. As in a traditional paper system, one has to place trust in the handlers of the data.

I thought the real problem was in plugging up holes that allow external communication and unauthorized access, and partitioning the access among the various groups that need to share the storage systems. That's what I read this "C2/B1" stuff to mean.

I can't remember which group had that discussion originally. Was it here or in comp.misc? Will uunet have it in an archive, so I don't have to make much more of a fool of myself by covering old ground?

--Blair
"I hold forth, but I came in with a fifth..."