On Fri, Mar 23, 2007 at 02:29:14PM -0800, Alex Alten wrote: > It seems to me that this could have been prevented (or better damage > control) by: > 1) encrypting the files
Encrypting the files would not have served any purpose; the decryption key would simply have been part of the customer credentials that were abused. Proper key management is actually harder than proper access control. > 2) putting in place good access controls (policy adjudication and > enforcement) > examples: if more than 100 files / week then raise alert > if customer access incorrect areas /directories > raise an alert Yes, Oracle did not enforce proper access controls if customers could download things they were not entitled to. An argument can be made in their favor that they allow customers without a license to browse around so that they will be tempted to actually buy the product later on, and relying on the legal system to enforce abuse. This, however, does not explain why internal, proprietary information was available with unrestricted access, and SAP (or anyone else, for that matter) was able to download it. Again, as far as alerts are concerned, it is easier to put hard-and-fast access controls than to try to deduce customer behavior. > 3) possibly better auditing in place to assist after-the-fact forensics > (this might have > reduced the scope of the theft by allowing a more timely response) > I think their auditing is fine; the attacks occured in late November 2006, and the litigation is starting less than four months later. /ji -- John Ioannidis | Packet GENERAL Networks, Inc. [EMAIL PROTECTED] | http://www.packetgeneral.com/ --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
