"MI5 laptop snatched"

Barnaby Prendergast ybanrab at hotmail.com
Tue, 28 Mar 2000 15:22:49 BST


>From: Ian G Batten <I.G.Batten@ftel.co.uk>
>Reply-To: ukcrypto@maillist.ox.ac.uk
>To: ukcrypto@maillist.ox.ac.uk
>Subject: Re: "MI5 laptop snatched"
>Date: Tue, 28 Mar 2000 14:18:28 +0100 (BST)
>
>You write:
> > The problem is that the business chaps understand the legal/financial
> > liability that lies upon them and so take measures to secure those keys
>
>I beg to differ.  You're looking at things from the perspective of a
>small to medium enterprise.  I've seen some horrors surrounding security
>in telco environments, large manufacturing environments and so on, where
>security is devolved as a purely rote function which is then pushed down
>as a book of rules to be blindly followed.  A lot of corporate security
>guidelines are followed without any understanding of their function,
>either tactically (``why is it a bad idea to write your passwords
>down'') or strategically (``why is it a bad idea to have random users
>using your machines'').  We have endless trouble convincing users that
>sharing passwords is a bad idea, for example.

Agreed, and this is a particular nightmare of mine in my current position.

>
> > respective to that liability. If PC Plod then takes those keys, for
> > which they have no liability, then they are not so motivated to
> > implement appropriate security.
>
>Does a random employee of a multi-national have the aforementioned
>``motivation''?

We have made it a disciplinary offence (ultimately a dismissible one) for a 
user to reveal their password to anyone but authorised IT personnel (and 
then only in exceptional circumstances), and although this has still not 
solved the problem, it has reduced it by a significant degree (a few people 
simply do not care).

>
> > Cases like this do not suggest the entire physical security
> > infrastructure of the intelligence services is rubbish, but it does
> > little to inspire confidence.
>
>Ask an IT manager how many laptops they lose a year.  They probably
>won't tell you, but it won't be zero.

Again I concede that there is more bad practice going on in the bright world 
of commerce than you can shake a stick at, but this is, IMHO, largely a 
different issue to the one whereby security is compromised by parties other 
than those over whom one has some degree of supervision and control.

What the RIP Bill leaves, I think, is a situation whereby *theoretically* 
no-one's security can be better than the *theoretical* lowest level of 
security provided by the investigating powers and their agents. You'll 
notice that I'm not offering any solutions to this problem, just 
highlighting it, for which I offer my apologies.
:o)
Barney

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com