
RE: photuris-06.txt



Never having worked in a classified environment I have only minimal
knowledge of the rules that apply there, and the threat models on
which they're based. But it does seem that many of those threat models
are far more concerned about "internal" attacks, i.e., attacks from
users with enough authority to obtain some access to the system
but who are not specifically authorized to access the data in question.
Is this true?

If so, I'd posit that in the commercial world this isn't as often the
case.  More often the problem is entirely external, i.e., keeping
people out of a system who don't belong there at all. This is not to
say that there are no internal threats, only that they're much more
subtle and difficult to deal with because, unlike the military world,
even the policies haven't been fully established.

Since I am not concerned about the military world (they can take care
of themselves) I am tempted to conclude that these issues are all
beyond the immediate scope of the document for now.

Phil

