On Fri, 2002-08-02 at 12:11, Ken Ambrose wrote:

> 1) Unless I'm mistaken (something I'll readily concede if it's the case --
>    my time with Token Ring Hell^H^H^H^H^H^H^H^H^H United Parcel Service
>    was many moons ago), you could just splice the TR cable, plug it into
>    a MAU, and go from there.  You wouldn't even drop packets if your
>    ring was an actual ring, though you might notice a couple beacons.

Having also served my time in UPS hell, and having dealt with their
warped view of how to run a network, I can honestly say that they are an
exception. They purposely did away with some of the security features
built into TR for various reasons. 
 
> 2) All of this is well and good, but IMHO, encrypting the workplace would
>    -not- solve even a portion of the big problem.  People who have access
>    would still have access, and could just as easily e-mail files to the
>    outside.  Combine that with "social engineering", and the damn keyboard
>    capture devices I've seen that plug right into the PS/2 port (Hell:
>    PC Magazine even wrote two up last issue), and it's *DAMN* hard to
>    prevent someone who's determined from getting to stuff, and a whole lot
>    easier than it would be to sniff an unencrypted packet-switched
>    network.  Don't misunderstand my point: encryption -is- good.  But
>    hiring trustworthy employees, expiring passwords, and enforcing good
>    file-permission security (so people don't have access to things they
>    don't need access to) are probably more relevant. 

I never meant to imply that this would solve all security problems. It's
not even close. My point was that there are ways of securing a network
against the type of attack that was described in the article where
someone plants a box on your network. 

If someone has access to a system that is *SUPPOSED* to be on the
network, then your network is theirs. I whole-heartedly agree that
password aging, file-permissions, etc. are extremely important. As I,
and many others, have said many times before, security comes in layers
upon layers. There is no silver bullet that will solve all security
problems. As I have said many times, also, there is no such thing as
"secure", only varying degrees of risk. It is all about what you are
willing to do to protect data, what the data you are protecting is
worth, and to what lengths someone will go to get that data. My
example was only one small part of an overall plan, not, by any means, a
solution for all security problems. 

> That, and throwing away Outlook.  ;-)

Well, that goes without saying, now doesn't it ;-)

C-Ya,
Kenny

-- 
----------------------------------------------------------------------------
"Tact is just *not* saying true stuff" -- Cordelia Chase

Kenneth E. Lussier
Sr. Systems Administrator
Zuken, USA
PGP KeyID CB254DD0 
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xCB254DD0


