[4395] in cryptography@c2.net mail archive
RE: references to password sniffer incident
daemon@ATHENA.MIT.EDU (Brown, R Ken)
Fri Mar 26 14:29:05 1999
From: "Brown, R Ken" <brownrk1@texaco.com>
To: "'Phil Karn'" <karn@qualcomm.com>, warlord@mit.edu
Cc: wsimpson@greendragon.com, ggr@qualcomm.com, cryptography@c2.net
Date: Fri, 26 Mar 1999 05:08:37 -0600
Phil Karn wrote (amongst other things)
> The people who run today's MIS/IT departments are the direct
> descendants of those who ran big computer centers in the old days.
No, we're not their descendants - we are the same guys. Those "old days"
aren't that long ago & we haven't been put out to grass yet.
> They've watched as most of their reason for being has been eroded out
> from under them by the personal computer. The network is the only
> thing they have left.
Hmmmm.... I don't think my "reason for being" has much to do with computers
or work of any sort. But our employer's reasons for paying us to come in to
the office haven't been eroded. If anything the more complex systems we
have now generate more work, not less. The more stuff the users get up to
the more there is for us to do. And on the whole we tend to be fans of
de-centralised management. And, of course, we love playing with new toys.
> They justify their tight central control of it
> with strident appeals to security fears, just as governments have for
> centuries whipped up fears about crime to justify the creation of
> police states.
>
> Deploy good security mechanisms in host systems so they no longer
> depend on (largely illusionary) security mechanisms in the network,
> and you've taken away the very last reason these people have to go on
> living. Expect a big fight.
It's, honestly, very often exactly the other way round. Management (mainly
accountants in the UK or lawyers in the US) are often paranoid about what
they see as legal problems. They use "security" as a mantra to oppose any
change. They *love* doing big deals with suppliers they have heard of, they
*hate* their IT departments, and they are often willing to take advice from
any cowboy who turns up in the right kind of smart suit.
There are companies that won't use SSL even, or *anything* that involves
certification or encryption because the management & the legal people want
to have a "corporate strategy" first & won't let those IT departments
implement anything until it is all complete. Trying to talk to these people
about IPSEC would be like chatting up a brick wall. We IT department types
spend a lot of our time *telling* them that the security they need really
has to be implemented end-to-end, in the hosts. And they spend a lot of
their time ignoring it.
There are others who simply don't trust electronic media of any kind. They
want everything on paper, they somehow don't think it is "real" unless it is
written down. There are managers who demand that all email they receive gets
printed automatically & employ staff to file it - what does that do to
encryption?
Discussions go like this:
Faceless Corporate Bureaucrat: "My application is really important & no-one
must read my files or messages"
Me: "It's only safe if you encrypt it."
FCB: "We are encrypting it, we use MS Exchange & NT".
Me: "Well, that's not all that safe, we really ought to be thinking about
<insert widely available strong encryption method of your choice>"
FCB: "But isn't that illegal?"
Me: "No, not really.... <insert brief explanation of crypto export saga>"
But the FCB's eyes have glazed over & they have made their excuses and left.
Thrusting Corporate Lawyer: "we really need to communicate fast with these
law firms"
Me: "That's easy, you just send them some Internet mail."
TCL: "Oh no, I've heard that the Internet is crawling with hackers and
criminals! We have to use x.400!"
Me: "Yeah, you can do that, although it makes the address book harder to
manage, and it's usually slower, and it isn't really that much more secure -
if you want to keep it secret you need to encrypt it."
<Insert discussion about encryption as above>
TCL: "That sounds hard. I think I'll stick to fax".
Greed-is-Good Corporate Trader Type: "We have to get these contracts out
yesterday! And your bloody email to telex system isn't working!"
Me: "That's because us lazy, old-fashioned, non-business-orientated,
mainframe-mindset, crypto-fascist-from-hell system-administrators were all
down the pub plotting to Rule the World through Network Management; and we
couldn't be bothered to pull our fingers out to fix the server. But why are
you still using telex anyway? Why don't you just send your customers email?
Everybody is on the Internet these days; it is much faster, 2,000 times
cheaper, and you won't have to use all those naff upper-case letters."
GICCTT: "But... <insert fruitless discussions on encryption, security,
reliability> ...and anyway, Telexes are Legal Documents and email is Not a
Legal Document."
Me: "I'm going back to the pub. Call me if you ever actually make a profit."
But it could be worse - I have seen people who insisted on having remote
users (at over 200 locations) use a PC and modem to dial up a server, with
no dial-back, and log on to Unix; all sharing one userid and password
(because it made the admin easier), that userid having rwx access to the
entire directory tree that contained the application and all its data, with
the userid and password hard-coded in clear in a logon script called from
autoexec.bat on Windows 3.1 PCs (no problem they said - apparently the users
of this system were all to be low-paid employees who wouldn't know anything
about computers and were too stupid to learn). And this for an accounting
application that tracked millions of pounds worth of business a year. And
when some imperialistic IT department types tried to tell them that they
were taking a risk, they just told them to piss off, that they didn't
understand business, and that they were too busy to listen.
But then some of the same guys were printing reports from one application
and faxing them to colleagues who typed them into a spreadsheet.
Ken Brown (usual disclaimer - very much NOT his employers this time - we
wouldn't be anything like that stupid, would we?)
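The set-up described near the end of the post (one userid and password for every remote site, hard-coded in clear in a logon script called from autoexec.bat) is something that can be found mechanically once the scripts are collected. The following is an added example, not code from the post or from anyone on this thread: it scans a handful of constructed DOS-era logon scripts for credentials passed in clear, and then reports any userid that more than one site logs in with, which is the shared-account pattern the post describes. The script formats, the regexes for SET variables, emulator switches and waitfor/send answer scripts, and every hostname, userid and password are assumed or constructed for the example.

```python
"""Added example (not from Ken Brown's post): spot the two failures the post
describes, credentials passed in clear from a logon script, and one userid
shared by every remote site, by scanning the scripts themselves.
The scripts, hostnames, userids and passwords below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    site: str
    line: int
    kind: str    # "password" or "userid:<name>"
    text: str


# Assumed patterns for how a DOS-era logon script carried credentials:
# SET variables, emulator command-line switches, and waitfor/send answer scripts.
SET_PASSWORD = re.compile(r"^\s*set\s+\w*(?:pass|pwd)\w*\s*=\s*(\S+)", re.I)
SWITCH_PASSWORD = re.compile(r"(?:^|\s)[/-](?:password|pass|pwd)[:=](\S+)", re.I)
SWITCH_USER = re.compile(r"(?:^|\s)[/-](?:user|login)[:=](\w+)", re.I)
WAITFOR = re.compile(r'^\s*waitfor\s+"([^"]*)"', re.I)
SEND = re.compile(r'^\s*send\s+"([^"\\]*)', re.I)


def scan_script(site: str, text: str) -> list[Finding]:
    """Return every line of one site's logon script that exposes a userid or
    a password in clear, in line order."""
    findings: list[Finding] = []
    last_prompt = ""  # text the emulator was last told to wait for
    for n, line in enumerate(text.splitlines(), 1):
        if SET_PASSWORD.search(line) or SWITCH_PASSWORD.search(line):
            findings.append(Finding(site, n, "password", line.strip()))
        user = SWITCH_USER.search(line)
        if user:
            findings.append(Finding(site, n, "userid:" + user.group(1), line.strip()))
        prompt = WAITFOR.match(line)
        if prompt:
            last_prompt = prompt.group(1).lower()
            continue
        answer = SEND.match(line)
        if answer:
            # The send that follows a password prompt is the password itself;
            # the one that follows a login prompt is the userid.
            if "assword" in last_prompt:
                findings.append(Finding(site, n, "password", line.strip()))
            elif "login" in last_prompt or "user" in last_prompt:
                findings.append(Finding(site, n, "userid:" + answer.group(1), line.strip()))
            last_prompt = ""
    return findings


def shared_userids(scripts: dict[str, str]) -> dict[str, list[str]]:
    """Map each userid to the sites logging in with it, keeping only userids
    used from more than one site: the shared-account pattern from the post."""
    sites_by_user: dict[str, list[str]] = {}
    for site, text in scripts.items():
        for f in scan_script(site, text):
            if f.kind.startswith("userid:"):
                sites = sites_by_user.setdefault(f.kind.split(":", 1)[1], [])
                if site not in sites:
                    sites.append(site)
    return {u: s for u, s in sites_by_user.items() if len(s) > 1}


# Constructed scripts: three sites with the same account baked in, one with its own.
SAMPLE_SCRIPTS = {
    "site01": "@echo off\nset PASSWORD=letmein\nterm.exe /host:acct01 /user:acct /pass:%PASSWORD%\n",
    "site02": "@echo off\nterm.exe /host:acct01 /user:acct /pass:letmein\n",
    "site03": 'waitfor "login:"\nsend "acct\\r"\nwaitfor "assword:"\nsend "letmein\\r"\n',
    "site04": "@echo off\nterm.exe /host:acct01 /user:jsmith\n",
}


if __name__ == "__main__":
    for site, text in SAMPLE_SCRIPTS.items():
        for f in scan_script(site, text):
            print(f"{f.site}:{f.line} {f.kind}: {f.text}")
    print("shared accounts:", shared_userids(SAMPLE_SCRIPTS))
```

The scanner is deliberately line-oriented and stateful only across a waitfor/send pair, because that is how the answer scripts of the period were written; on real scripts you would point it at the collected autoexec.bat and emulator script files rather than the constructed strings above. The second function is the useful half: a password in a script at one site is bad, but the same userid appearing at every site means one compromised PC gives the whole tree to anyone, which is exactly the "all sharing one userid and password" situation the post complains about.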