If you can’t trust your locksmith – or your network admin – who CAN you trust?

Why is the possession of lock picks by non-locksmiths illegal in some states? That was the unlikely question posed to me by IT security expert and CEO of ProofSpace, Paul Doyle, when he called me this morning. The obvious answer to the question is that lock picks in trained hands may be burglary tools. That kind of “super power” is also disconcerting. When my neighbor locked his babysitter out of the house accidentally last week, the babysitter came over. I called my neighbor on his cell phone and asked if he wanted me to pick the lock – I am a locksmith after all. He declined and preferred to drive 20 minutes back to his house to unlock it himself. He really didn’t like the idea that his house wasn’t private to someone with lock picks.

There is a corollary to law and IT security. Individuals with admin privileges on a corporate computer – like an email server or database – essentially have logical lock picks. So shouldn’t admin privileges be closely guarded? In many states locksmiths have to be licensed. Should we license our computer and network administrators? Just about every computer I’ve ever seen in use by security personnel is logged in as admin.

It was American Express or some other mega financial services firm which recently had its complaint thrown out of court. The company contended that another firm misappropriated confidential data. The judge in the case asked the plaintiff a simple question: How do you know the data was authentic? The company did not have an adequate answer and the case moved no further.

Fascinating. How do you prove that data – like emails – are authentic? Well, you can sign it with a hash, measure it with a checksum, closely audit all activities with Verdasys Digital Guardian™, or sign it with ProofMark™ from ProofSpace.
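
To illustrate the difference between measuring data with a checksum and signing it when the administrator is the one you cannot trust, here is an added example (not from the original post or from any product named in it). It assumes a constructed email record and a hypothetical key custodian outside the admin's reach, with an HMAC standing in for a signature.

```python
import hashlib
import hmac


def checksum(data: bytes) -> str:
    """Unkeyed SHA-256: anyone who can write the data can recompute it."""
    return hashlib.sha256(data).hexdigest()


def seal(data: bytes, key: bytes) -> str:
    """Keyed HMAC-SHA-256: recomputing it requires the custodian's key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(record: dict, key: bytes) -> dict:
    """Check a stored record against both its checksum and its seal."""
    data = record["data"]
    return {
        "checksum_ok": hmac.compare_digest(checksum(data), record["sha256"]),
        "seal_ok": hmac.compare_digest(seal(data, key), record["hmac"]),
    }


def demo() -> dict:
    # Constructed sample values (assumptions, not from the post).
    custodian_key = b"constructed-demo-key-held-off-server"
    original = (b"From: cfo@example.com\r\nSubject: Q3\r\n\r\n"
                b"Approve transfer of $10,000.\r\n")
    record = {
        "data": original,
        "sha256": checksum(original),
        "hmac": seal(original, custodian_key),
    }

    # Someone with admin rights on the mail store edits the message and
    # refreshes the checksum stored next to it. Without the custodian's
    # key, the stored HMAC cannot be refreshed to match.
    altered = original.replace(b"$10,000", b"$90,000")
    tampered = dict(record, data=altered, sha256=checksum(altered))

    return {
        "intact": verify(record, custodian_key),
        "tampered": verify(tampered, custodian_key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The tampered record still passes the checksum and fails only the keyed check, so the protection comes from where the key lives, not from the hash itself.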

If there were an easy, cost-effective way of ensuring or measuring the authenticity of data, would companies buy it? I think so. Just like companies bought RACF and ACF2 for their mainframes, or SeOS/eTrust Access Control for their Unix boxes. What do you think?

Categories: Audit, Compliance, InfoSec, Trends
  1. August 9, 2007 at 2:20 pm

    I spoke to Rich Mogull a couple of weeks ago about integrity solutions, and their relation to timestamps.
    Everything Paul says about integrity solutions is correct, and the market will show that in the coming months.
    However, Proofspace relies on timestamps, and is such a timestamping solution rather than an independent integrity solution.
    Rich said that, and I quote: “timestamping is a dead technology, no-one will ever need it.”
    Proofspace have been around since before 2000, and disappeared for a few years whilst Doyle’s brother Mike sued Microsoft (successfully).
    I’m curious as to why they believe this will work now, but when you have $500m to burn, I suppose anything is possible…
    By the way, if you can’t trust your network admin, he will soon find a way to disable your timestamping solution too.

  2. August 9, 2007 at 4:26 pm

    Dear D. Advocate,
    Thanks for the kind affirmation of the basic assertion about the importance of integrity solutions.
    Can you please explain what YOU (or Rich Mogull) mean when you refer to “independent integrity solutions”?
    I’ll try to address your question about why timestamping is important, and why now, but first would like to better understand the distinction you (or is it Rich) are making.
    Thanks in advance.
    –Paul

  3. August 10, 2007 at 1:04 am

    An independent integrity solution would be a solution that proved the integrity of information independent of changeable external factors, such as time sources.
    You don’t need time to prove information integrity, and relying on it is dangerous as time sources can be altered, so any information is rendered useless for proof purposes unless you buy a timestamp solution already embedded in an HSM, like Utimaco already provide (and hardly sell any of).
    There are many ways to do this without this kind of investment:

    http://ask.slashdot.org/article.pl?sid=07/07/31/2240237

    Which is why timestamping for integrity purposes is dead.

  4. August 14, 2007 at 9:51 am

    Why would time stamps or anything for that matter be even considered if they are alterable?
    However, if time stamps are provably tamperproof, they do become more usable.
    Since we use domain separation at the kernel level to separate data recording and logging from all users, including the CSO and the system admins, then time stamps become part of an important defense for use with non-repudiation in assuring data integrity in things like secure data hand-offs etc.

  7. October 31, 2009 at 12:45 am

    I am to submit a report on this niche; your post has been very, very helpful.

  8. December 15, 2009 at 6:50 am

    Thanks for the kind affirmation of the basic assertion about the importance of integrity solutions.
    Sacramento Locksmith

  9. February 28, 2010 at 10:47 pm

    It is important to find a locksmith you can trust. I found a really great company in Raleigh.

  10. Ben
    July 6, 2011 at 9:30 am

    There are still some excellent locksmiths out there. We provide an honest, reliable and friendly service to all our customers and would hope that they feel they can trust us. It definitely pays off for us too because we get locks of repeat customers. Have a look at us http://www.1stdefencelocksmiths.co.uk Thanks
