<div>Relevant to this:</div>
<div> </div>
<div>
<p style="MARGIN: 0in 0in 0pt 0.5in" class="MsoNormal"><a href="http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf"><font size="3" face="Calibri">http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf</font></a></p>
<br><br></div>
<div class="gmail_quote">On Sat, Dec 19, 2009 at 12:18 PM, James A. Donald <span dir="ltr">&lt;<a href="mailto:jamesd@echeque.com">jamesd@echeque.com</a>&gt;</span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">Ben Kloosterman wrote:<br>> - The desire by admins (and hence organizations) to allow only<br>
> system/security admins to approve certain functions which may include<br>> installing applications in some organizations. This includes the<br>> centralized control of rights.<br><br>People desire what is not good for them. What they desire is that other<br>
people are required to do certain tasks, and then required to seek<br>permissions to accomplish those tasks - which pretty much guarantees<br>that users will work to subvert security. And since the end user has<br>physical control of the box or the data, the end user will always<br>
succeed. The petty bureaucrat, by maximizing his power within the<br>organization, undermines the organization's security.<br><br>Observe that one of the big reasons for Walmart's success is that other<br>big box company purchasing managers routinely accept bribes from<br>
salesmen, while Walmart purchasers are notoriously honest.<br><br>Meeting admin desires is in this case meeting admin desire to undermine<br>security for personal benefit. Security mechanisms have to benefit the<br>person who has physical control of the data and the box on which it<br>
resides, not the admin, or else they will always be bypassed.<br>
<div>
<div></div>
<div class="h5"><br>_______________________________________________<br>cap-talk mailing list<br><a href="mailto:cap-talk@mail.eros-os.org">cap-talk@mail.eros-os.org</a><br><a href="http://www.eros-os.org/mailman/listinfo/cap-talk" target="_blank">http://www.eros-os.org/mailman/listinfo/cap-talk</a><br>
<br></div></div></blockquote></div><br>