[Info-vax] Bradley Manning and OpenVMS

Bill Gunshannon bill at server3.cs.scranton.edu
Mon Dec 9 10:28:58 EST 2013


In article <52a569d4$0$17063$c3e8da3$dd9697d2 at news.astraweb.com>,
	JF Mezei <jfmezei.spamnot at vaxination.ca> writes:
> On 13-12-08 07:43, Simon Clubley wrote:
> 
>> Without mandatory access controls, he could have just used his administrator
>> privileges to turn them off before copying the files.
> 
> On a good OS, turning off logging would be logged. You fire an employee
> who turns off logging without a signed letter from the CEO authorizing it.

And the guy with the power to turn it off also has the power to "fix" the
logs.

> 
> Also, this is why VMS supports 2 passwords for accounts. You require 2
> persons to login with any privilege that can give you access to
> files/devices/privileges you don't have.

I have never in my life seen a VMS system where two people were required
to log into an account.  And that includes systems at places like the
Pentagon.

> 
> 
> But no matter what sort of surface procedures you institute, I am not
> sure there is a truly foolproof way to secure a system against all
> employees. Eventually there are a few key employees you need to trust.

And that is always the problem.  Both of the people mentioned had been
vetted for that trust having met all the requirements.

> 
> But if data is encrypted, then the system manager may have access to the
> files, but won't really have access to the data (unless he then uses
> brute force to decrypt it at home).

Snowden used social engineering to get the passwords of people whose
files he wanted to access but his privs wouldn't let him.  Can you say
"Mitnick".

> 
> 
> If a user with the keys colludes with system manager, then the latter can
> steal the data and the former decrypt it.

He doesn't have to collude.  Just be of average intelligence.  :-)


bill

-- 
Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n.  Three wolves
billg999 at cs.scranton.edu |  and a sheep voting on what's for dinner.
University of Scranton   |
Scranton, Pennsylvania   |         #include <std.disclaimer.h>   


