Tal Garfinkel wrote:
> The value of these types of controls is that they help users you basically
> trust who might be careless, stupid, lazy or confused to do the right
> thing (however the right thing is defined, according to your company
> security policy).

It beats me that "users you basically trust" might also be "careless, stupid, lazy or confused" ;-)

Your point might be better expressed as "the company security policy would be followed even if you do NOT trust the users to do the right thing." But, as we know, this only works if the users are not malicious, if social engineering cannot be used, if there are no disgruntled employees, and other equally improbable factors.

BTW, one of the arguments that Microsoft uses to motivate people to be careful with unlawful copies of Microsoft products is that disgruntled employees provide the bulk of all their investigations on piracy, and everyone has disgruntled employees. We also know that insider threats are responsible for 71% of computer fraud.

Thus, the lack of value of these types of controls is to harass the legitimate users and give a false sense of security. It reminds me of a cartoon I saw recently, where the general tells a secretary to shred the document, but make a copy first for the files.

Cheers,
Ed Gerck