Re: double shot of snake oil, good conclusion

2003-03-11 Thread Hagai Bar-El
Tal,

I am in full agreement with your opinion. I do not think security is an 
all or nothing property, and I do think that mechanisms can be considered 
effective even if they do not protect against attackers with some level of 
skill or motivation. After all, there is no complete security and security 
is, and has always been, considered as perceived assurance.

I do not think that the fact that a mechanism can be somehow circumvented 
makes it useless. Keeping the honest people honest is a good enough 
legitimation for a mechanism to exist, as well as moving the bar higher. 
However, the only problem I can see in this case is the opening of a 
possibility of a false sense of security. Security mechanisms do not have 
to be perfect, but their perceived strength by their users shall be set right.

For this I personally think that the mechanism is great and useful, but 
should be presented by Microsoft accordingly, hence: as a useful 
security-related feature, not as a complete bullet-proof protection tool.

Hagai.

Hagai Bar-El - Information Security Analyst
Tel.: 972-8-9354152  Fax.: 972-8-9354152
E-mail: [EMAIL PROTECTED]  Web: www.hbarel.com


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: double shot of snake oil, good conclusion

2003-03-08 Thread Ed Gerck
Tal Garfinkel wrote:

 ...
 Clearly, document controls are not a silver bullet, but if used properly
 I believe they do provide a practical means of helping to restrict the
 propagation of sensitive information.

I believe we are in agreement on many points. Microsoft's mistake was
to claim that "For example, it might be possible to view a document but
not to forward or print it."  As I commented, of course it is possible
to copy or forward it.  Thus, claiming that it isn't possible is snake oil
and I think we need to point it out.

I'd hope that the emphasis on trustworthy computing will help Microsoft
weed out these declarations and, thus, help set a higher standard.

Cheers,
Ed Gerck





Re: double shot of snake oil, good conclusion

2003-03-07 Thread Tal Garfinkel
On Thu, Mar 06, 2003 at 09:38:25AM -0800, Ed Gerck wrote:
 
 
 Tal Garfinkel wrote:
 
  The value of these types of controls is that they help users you basically
  trust who might be careless, stupid, lazy or confused to do the right
  thing (however the right thing is defined, according to your company
  security policy).
 
 It beats me that users you basically trust might also be careless, stupid,
 lazy or confused ;-)

That's security in the real world. You screen employees based on their
character and competence at the task you hired them to do, you typically
don't rigorously drill them on security procedures, and even if you do
most folks get lazy, careless or confused at some point. 

Example: If an executive is told by the security bozo down the hall that
they should not print out sensitive documents, they might take it
seriously, but then again they can make excuses for their laziness,
he's just being paranoid, I want to read this report in bed, it won't
hurt this one time,  etc.  On the other hand, if they have to do
something like break out the digital camera, it should be pretty obvious
to them that what they are doing is in pretty severe violation of
company policy, will likely get them severely reprimanded if caught, and
will likely obviate any convenience benefits they might have hoped to gain
by having a hard copy of that document. 

I think experience with password security is a perfect example of the
principle at work here: if you make it convenient to do the wrong thing,
people almost certainly will.

 Your point might be better expressed as the company security policy would
 be followed even if you do NOT trust the users to do the right thing.
 But,
 as we know, this only works if the users are not malicious, if social
 engineering cannot be used, if there are no disgruntled employees, and
 other equally improbable factors.

Ok, so there are only two issues here. One is problems with intention
(are they malicious or not; this includes disgruntled employees etc.)
and the other is problems with competence (can they be relied upon to
always follow procedure). In the former case, document control will
probably only serve as a mild deterrent, but raising the bar doesn't
hurt. At least you might have the chance to catch some employee trying
to photo many pages of your sensitive data off their screen. In the
latter case, document control can help quite a bit, and can serve as a
deterrent against things like social engineering. 

Also, it seems you are assuming that all internal attackers have equal
access to information; this is not the case. If employees can make
print outs and accidentally leave them lying around, throw them away,
etc., it lowers the bar for an unprivileged internal attacker. At least
if everything stays in electronic form a malicious employee may have to
attempt to tackle your computer systems' access controls head on instead
of simply rooting around in your desk.

Clearly, document controls are not a silver bullet, but if used properly 
I believe they do provide a practical means of helping to restrict the
propagation of sensitive information.  

--Tal



Re: double shot of snake oil, good conclusion

2003-03-06 Thread Ed Gerck


Tal Garfinkel wrote:

 The value of these types of controls is that they help users you basically
 trust who might be careless, stupid, lazy or confused to do the right
 thing (however the right thing is defined, according to your company
 security policy).

It beats me that users you basically trust might also be careless, stupid,
lazy or confused ;-)

Your point might be better expressed as the company security policy would
be followed even if you do NOT trust the users to do the right thing. But,
as we know, this only works if the users are not malicious, if social engineering
cannot be used, if there are no disgruntled employees, and other equally
improbable factors.

BTW, one of the arguments that Microsoft uses to motivate people to
be careful with unlawful copies of Microsoft products is that disgruntled
employees provide the bulk of all their investigations on piracy, and everyone
has disgruntled employees. We also know that insider threats are responsible
for 71% of computer fraud.

Thus, the lack of value of these types of controls is to harass the legitimate users
and give a false sense of security. It reminds me of a cartoon I saw recently,
where the general tells a secretary to shred the document, but make a copy
first for the files.

Cheers,
Ed Gerck




Re: double shot of snake oil, good conclusion

2003-03-06 Thread Neil Johnson
Lotus Notes/Domino already has something similar to what Microsoft is 
proposing.

You can designate an outgoing message as read-only.

The end-user (if they are using a Notes Client) can only view the message, 
menu choices for printing and cutting/copy text are disabled. Forwarding the 
message is also disabled.

Note you can still use a screen grabber to grab the image off the screen...

Leave it to Microsoft to claim it's a new idea.

(Although, after using Notes/Domino for over a year, I heartily agree with 
Peter Gutmann's assessment of it, and would definitely switch back to 
Outlook/Exchange if given the choice between the two. POP/IMAP would be even 
better).

-- 
Neil Johnson
http://www.njohnsn.com
PGP key available on request.




Re: double shot of snake oil, good conclusion

2003-03-05 Thread Ed Gerck

A.Melon wrote:

 Ed writes claiming this speculation about Palladium's implications is
 mis-informed:

  while others speculated on another potentially devastating effect,
  that the DRM could, via a loophole in the DoJ consent decree, allow
  Microsoft to withhold information about file formats and APIs from
  other companies which are attempting to create compatible or
  competitive products

 I think you misunderstand the technical basis for this claim.  The
 point is Palladium would allow Microsoft to publish a file format and
 yet still control compatibility via software certification and
 certification on content of the software vendor whose software created
 it.

We are in agreement. When you read the whole paragraph that I wrote,
I believe it is clear that my comment was not whether the loophole existed
or not. My comment was that there was a much more limited implication
for whistle-blowing because DRM can't really control what humans do
and there is no commercial value in saying that a document that I see
cannot be printed or forwarded -- because it can.

 Your other claims about the limited implications for whistle-blowing
 (or file trading of movies and mp3s) I agree with.

And that's what my paragraph meant.

Cheers,
Ed Gerck




Re: double shot of snake oil, good conclusion

2003-03-05 Thread Tal Garfinkel
 DRM can't really control what humans do and there is no commercial
 value in saying that a document that I see cannot be printed or
 forwarded -- because it can.

I believe you are overlooking the assumed threat model, and thus the
value of document control systems like the one that Microsoft is
proposing.

The benefit of systems like this is to aid in managing the huge amounts
of confidential internal documents that enterprises generate and would
like to keep out of paper form, thus out of the hands of dumpster divers
and not left around on desktops, to prevent accidental propagation of
internal documents, etc.

Imposing access controls that rely on users not being explicitly
malicious is not snake oil and is not a new idea, nor is the
recognition of their limitations.  In systems that impose mandatory
access controls of the more traditional type (ala Bell LaPadula), the
user can always violate the *-property (i.e. no write down) by simply
typing information from a high level document into a lower level
document.  Clearly, you could do the same thing with the system
Microsoft is proposing, but preventing this type of attack is not the
objective.

The value of these types of controls is that they help users you basically
trust who might be careless, stupid, lazy or confused to do the right
thing (however the right thing is defined, according to your company
security policy). 

--Tal
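
The Bell-LaPadula limitation Tal describes above, shown in a constructed example (this is added illustration, not code from the thread or from any product mentioned in it): a minimal reference monitor enforces "no read up" and "no write down" on every mediated operation, yet a cleared human who reads a high document and later types it into a low document performs two individually legal steps, so the monitor never sees a violation. Labels, level names and document contents are all made up for the demonstration.

```python
from dataclasses import dataclass

# Constructed lattice of sensitivity levels; categories add compartments.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Standard BLP dominance: higher-or-equal level and superset of categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


@dataclass
class Document:
    name: str
    label: Label
    text: str = ""


def may_read(subject: Label, doc: Document) -> bool:
    """Simple security property: no read up."""
    return subject.dominates(doc.label)


def may_write(subject: Label, doc: Document) -> bool:
    """*-property: no write down (the object's label must dominate the subject's current level)."""
    return doc.label.dominates(subject)


def copy_via_monitor(subject: Label, src: Document, dst: Document) -> bool:
    """A program copying src into dst is mediated on both the read and the write."""
    if not (may_read(subject, src) and may_write(subject, dst)):
        return False
    dst.text += src.text
    return True


def retype_by_human(clearance: Label, src: Document, dst: Document) -> bool:
    """The human reads at full clearance, then starts a session at the lower
    document's level and types from memory. Each step is permitted on its own,
    so the monitor cannot stop the downgrade; that is the gap the thread describes."""
    if not may_read(clearance, src):
        return False
    remembered = src.text              # lives in the user's head, not in any object
    low_session = dst.label            # user lowers their current level to the target
    if not may_write(low_session, dst):
        return False
    dst.text += remembered
    return True
```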
