Mr Big & the Black Hats (was Unfinished Business)
Communications Admin
commz at verge.demon.co.uk
Fri, 23 Jun 2000 21:32:08 +0000 (GMT)
On Thu, 22 Jun 2000, Ross Anderson wrote:
>
> > After all a key once seized will become an item of evidence and as such
> > should be handled as any other piece of evidence under the rules of
> > PACE.
>
> It may not be that easy. What happens when you have a trial with 20
> defendants from a number of warring drug gangs, and their lawyers get
> access to key material or passwords from rival factions?
>
> I think we should be told
>
> Ross
>
>
Who cares if these 'innocent' scumbags decided to take appropriate
measures to reduce the competition. No great loss to society.
I'm not too sure who the 'we' you refer to means. If it is the general
public, then you may as well put all seized keys on billboards.
If you mean 'we should be told' who has access to the keys then this is my
point about an audit trail and I agree. Though I am rapidly coming to the
conclusion that as a systems manager if any key is seized under RIP I
should take the same action as if I suspect compromise. The problem being
that as it is currently worded, if I'm not directly approached for the keys
then I should not know. A simple directive that any key passed to a third
person requires renewal of keys should give me the hint; but does that
sort of standard practice break the 'you shall not tell' rule?
As I said, this proposal seems a total bag of worms. If an employee is
legally gagged to prevent me knowing of a security breach, who is liable
for any information that is leaked? The employee? Me? The client will
not really care, just sue the company and cease the contract, or end the
contract and spread the word that this company is insecure.
Russ