Security, hackers, computer crime

emks at uokvax.UUCP emks at uokvax.UUCP
Thu Dec 20 16:52:00 AEST 1984


/***** uokvax:net.unix-wizar / decwrl!kaiser /  7:50 pm  Dec 17, 1984 */
Study after study done by the nation's law-enforcement agencies shows that the
greatest money losses from crime come from white-collar crime committed by
trusted insiders. ... People abuse their privileges ... [guilt trip] ... and
misuse their resources in criminal ways. Some persons profit from this,
deliberately.  They are criminals.  Most are never detected, much less caught,
tried, or convicted of their crimes.

If we absolutely stopped all irresponsible hacking ... and completely plugged
every conceivable technical hole in computer security, the amount of security
gained, the amount of crime halted, would be a trivial part of the true total
of computer crime and breaches of security and privacy.

So we shouldn't ... be seduced into thinking that [hackers] and technical
holes in computer security are the biggest part of the problem.  They aren't;
they're just the most dramatic and visible parts.  When we get serious about
security ..., we'll attack them at the roots ... but unfortunately, that will
be much more difficult than anything we've done so far....

---Pete
/* ---------- */

Boy, can I ever echo what Pete just said!

I think that the computer center's site management team (probably in an effort
chiefed by the data security manager) should look at the risk potential based
on things like the type of data handled, what sort of access is granted to
which people, and so forth.

Cheap ideas like the DoD's "two-man" rule in areas regarded "no-lone" would
probably deter much of the irresponsible actions on the part of those with
access to the system console and accounts with special privileges.

But one must also weigh the potential risk against the hassle (the old
"bennies versus loss" argument).  I don't think that our site administrators
here at the University of Oklahoma would be thrilled pink if they had to
be accompanied into the machine room by another knowledgeable person (and
the same procedure for each "su").  Now, our site administrators are human
and, just like that Northrop guy arrested by the FBI, probably pretty
conscientious--under most circumstances.  I think it would be a really good
idea for centers to adopt rules like "two-man," but prepare for revolt!

One of the weakest areas in the area of management selection is that of
an individual's background.  DoD is one of the few agencies that actually
has a decent background investigation--and for good reason.  But most
companies are unwilling to do much of anything to determine the
trustworthiness of employees who, in a real sense, are sometimes given the
most sensitive of corporate or personnel information.  [Examples abound:
E-Mail might contain inside info. about stock deals, engineering data about
a proprietary project, information about which the computer manager might not
have any need, etc., ad nauseam]

What can be done about this??  Sigh.  I think that the only way companies
will change is to have losses, to wit, "take it in the shorts."

       /\
      /  \    Have a safe holiday season...
     /    \   We wouldn't want you to miss NEWS!!!
     ------
       ||

		kurt


