[ On Thursday, March 8, 2001 at 09:54:50 (-0600), Michael R. Jinks wrote: ]
> Subject: Re: Block scp, allow ssh? (now way off topic)
>
> Given the sophistication of network monitoring tools these days, I'm
> going to ask how you'd do this. On the one hand I agree that the
> company in question is trying to do something awfully impractical and
> maybe pointless (if it's that important I'll just Xerox it and walk it
> out in my trouser leg ten pages at a time... Is security going to pat me
> down as I leave every day?). But if they really are willing to take
> this so far as monitoring for anything encrypted and squashing it, how
> would one get around that?
Well, maybe, but given that most idiots are still using proprietary
software that they don't have a clue about, even the most sophisticated
monitoring tools won't likely be used in any intelligent way, so even a
well thought out security policy (of which there are hardly any) won't
be implemented in reality.
> Steganography? And then you _really_ look
> like you're trying to do something nasty even if you're really just
> trying to protect mail to your wife and your stock broker.
Well, when it comes down to Spy vs. Spy, any number of measures and
> countermeasures are possible, including not making use of most
information you might learn, just as the Allies supposedly didn't make
use of much of the Enigma traffic they decoded during WW-II.
However depending on the nature of what you're trying to communicate,
covert channels can avoid even the most sophisticated monitoring tools.
It all depends on the ratio of secret to non-secret traffic you've got
to send (and how much you might be able to spoof other senders of
non-secret traffic from inside your network). Heck you can even use DNS
as a covert channel!
> I second the opinion that this comes down to who you trust -- employees
> or strangers. Inside jobs constitute a majority of known security
> compromises recently (and probably forever), but the way around that is
> not to forbid secure communication, that just leads to bad will.
and if you forbid secure communications then you cause people to seek
all manner of work-arounds....
> I'm
> curious to know what is so important that it must be protected by these
> measures, and whether there might be some better way of doing it than at
> the network protocol level, which strikes me as clumsy and obviously has
> significant drawbacks that have nothing to do with protecting the
> company.
even if you have enormous secrets to protect, if you've got a more or
less general purpose Internet connection then forbidding secure
communications is like asking for your employees to walk out with all
your secrets by whatever means they can....
I.e. the only way to prevent covert channels over a general purpose
Internet connection is to cut the cable. :-)
--
Greg A. Woods
+1 416 218-0098 VE3TCP <[EMAIL PROTECTED]> <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>
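The message above says DNS itself can serve as a covert channel. From the monitoring side, the usual tell is the leftmost label carrying encoded data: long, high-entropy, and different on every query. The following is an added example, not part of the original post, that runs that heuristic over a few constructed query-log tuples; the thresholds and the "last two labels" domain approximation are assumptions, not a standard.

```python
import math
from collections import defaultdict

# Constructed sample DNS query records (client IP, queried name); not from the original post.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "3q2b7m9xk1z8p4w0.tunnel.example.net"),
    ("10.0.0.7", "a8f1c0d9e2b7h4j6.tunnel.example.net"),
    ("10.0.0.7", "z5y4x3w2v1u0t9s8.tunnel.example.net"),
    ("10.0.0.7", "k1l2m3n4o5p6q7r8.tunnel.example.net"),
    ("10.0.0.9", "cdn.example.org"),
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(name: str) -> str:
    """Assumption: the last two labels approximate the registrable domain (no public-suffix list)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def find_suspect_domains(queries, label_len=12, entropy_bits=3.5, min_unique=3):
    """
    Return {domain: set_of_clients} for domains whose leftmost labels look like
    encoded data: at least label_len characters, at least entropy_bits of
    entropy per character, and at least min_unique distinct labels seen.
    Thresholds are assumptions chosen for this sample; tune them on real traffic.
    """
    unique_labels = defaultdict(set)
    clients = defaultdict(set)
    for client, name in queries:
        first = name.rstrip(".").split(".")[0]
        if len(first) >= label_len and shannon_entropy(first) >= entropy_bits:
            dom = registrable_domain(name)
            unique_labels[dom].add(first)
            clients[dom].add(client)
    return {d: clients[d] for d, labels in unique_labels.items() if len(labels) >= min_unique}
```

Ordinary names like www.example.com never reach the threshold, so only the domain receiving a stream of distinct random-looking labels is reported, together with the client sending them.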