[cap-talk] In Defense of Identities - not
Marc Stiegler
marcs at skyhunter.com
Thu Dec 7 11:29:12 CST 2006
Let's get even more realistic. So, the company is tracking the signature
of the ink. Fine. When I go to breach the company's security, I use a
pen that I did not get from the company (this is the ink equivalent of
using yahoo mail rather than the company email system to sell their
secrets). If a pen I got from the company is used to breach the
company's security, I am responsible only if I am stupid.
Actually, this is still not realistic. If I found out that the company
was assigning responsibility based on ink, I would buy my own pens from
elsewhere for all purposes, because I don't want to be responsible if
someone steals one of my pens for evil purposes. This is the moral
equivalent of people exchanging business mail through their google
accounts because the madness of using the actual corporate mail system
is too great. For example, at this particular moment, I cannot get
through the HP firewall to access my HP mail. So I am communicating with
markm about business issues (nonconfidential ones, alan) by using my
skyhunter mail, speaking to markm's google mail. Somehow, somewhere, the
original purpose of corporate mail, to facilitate cooperation and
coordination among employees, got lost. But it is secure: we can
guarantee that, if someday hp's security is breached, it will be
(easily) breached with tools that are not under HPIT control. How did
that help exactly?
--marcs
Rob J Meijer wrote:
>> I have seen this too. But I have never seen nor heard of an organization
>> that, once having signed a pen to you, required that you go back to the
>> stock clerk to keep the audit trail straight when the guy in the cube
>> next to you asked to borrow the pen. Or when you lent a pen to your
>> subordinate so he could sign the paperwork you had just handed him. This
>> is the real analogy: we're talking about a second delegation of an
>> authority that has already been delegated to you. Everyone assumes you
>> can have the wisdom and responsible attitude necessary to re-delegate
>> your authority, not just with pens, but with items of equipment of
>> substantial value, without more paperwork. Good thing, too, because the
>> stock clerk has far less info than you with which to make wise decisions
>> on further levels of delegation.
>
> Let's take this metaphor to one a bit unrealistic but I hope more
> descriptive of the real issue, that is to incident response and
> accountability.
>
> Let's assume the ink of each pen in the batch that was given into your
> responsibility would be directly traceable ink->pen->batch->you, and now
> let's say a letter damaging to the company was intercepted and could thus
> be traced back to the pen you handed to the guy in the next cube. You would
> be very happy if an audit trail could prove that:
>
> * you delegated the specific pen to the guy in the next cube.
> * you did not yourself have the possibility to use the pen after you
> delegated it.
> * the letter was written after delegation took place.
>
> If you would have had no reason to distrust the guy in the next cube
> with your pen, then given the additional information provided by you
> for the above would divert all accountability from you to the guy in
> the next cube.
>
> Rob
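The audit trail Rob describes in the quoted message, as an added example that is not part of the thread: a small transfer-only delegation ledger that answers "who held this pen when the letter was written?". Delegation is modelled as a hand-off (the giver no longer holds the pen), which is the assumption behind the second bullet above; real capabilities are usually copied rather than transferred, so this models the thread's hypothetical, not a general capability system. The pen ids, names and timestamps are constructed for the example, and an untracked pen (Marc's pen bought elsewhere) is reported as unattributed rather than pinned on anyone.

```python
# Added example, not from the cap-talk thread: a transfer-only delegation
# ledger that attributes a later action to whoever held the item at the time.
from typing import Dict, List, Optional, Tuple


class DelegationLedger:
    """Records hand-offs of a tracked item (a pen from the company batch).
    A hand-off is a transfer, so the giver cannot use the item afterwards;
    that is what lets the trail exonerate the giver for later letters."""

    def __init__(self) -> None:
        # pen_id -> [(time, holder), ...], oldest entry first
        self._history: Dict[str, List[Tuple[int, str]]] = {}

    def issue(self, pen_id: str, holder: str, at: int) -> None:
        """Stock clerk hands a pen from the batch to its first holder."""
        if pen_id in self._history:
            raise ValueError(f"{pen_id} already issued")
        self._history[pen_id] = [(at, holder)]

    def delegate(self, pen_id: str, giver: str, receiver: str, at: int) -> None:
        """Record a hand-off; only the current holder can hand the pen on,
        and entries must be recorded in time order."""
        history = self._history.get(pen_id)
        if history is None:
            raise KeyError(f"{pen_id} is not a tracked pen")
        last_at, holder = history[-1]
        if holder != giver:
            raise PermissionError(f"{giver} does not hold {pen_id}")
        if at < last_at:
            raise ValueError("hand-off timestamp precedes the previous entry")
        history.append((at, receiver))

    def holder_at(self, pen_id: str, at: int) -> Optional[str]:
        """Who held the pen at time `at`; None when the pen is untracked
        (bought elsewhere) or had not yet been issued at that time."""
        history = self._history.get(pen_id)
        if history is None:
            return None
        holder = None
        for t, h in history:
            if t <= at:
                holder = h
            else:
                break
        return holder


def attribute(ledger: DelegationLedger, pen_id: str, written_at: int) -> str:
    """Assign accountability for a letter to the holder at writing time,
    or 'unattributed' when the trail cannot name anyone."""
    holder = ledger.holder_at(pen_id, written_at)
    return holder if holder is not None else "unattributed"


def example_attributions() -> Dict[str, str]:
    """Constructed scenario: pen ids, names and times are made up."""
    ledger = DelegationLedger()
    ledger.issue("pen-17", "you", at=1)                  # from the company batch
    ledger.delegate("pen-17", "you", "next-cube", at=5)  # lent to the neighbour
    return {
        "letter written before hand-off": attribute(ledger, "pen-17", 3),
        "letter written after hand-off": attribute(ledger, "pen-17", 9),
        "letter written with a pen bought elsewhere": attribute(ledger, "pen-from-home", 9),
    }


if __name__ == "__main__":
    for case, who in example_attributions().items():
        print(f"{case}: {who}")
```

The third case is the point of Marc's reply: once accountability is tied to the tracked item, the trail says nothing about actions taken with items outside the batch, so it only ever names people who used company pens.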