The Mitnick and Security Clearance exchanges have been followed by
the inevitable requests to 'knock it off' or 'take it elsewhere' on
the grounds that it has nothing to do with firewalls.
One of the great things about an unmoderated list is that it's like
'brainstorming'. Many of the postings are probably regarded as stupid
or inappropriate by someone and both interesting and useful by
someone else. If only 1% of all postings are of benefit to any
individual subscriber that benefit may be well worth the effort of
That 1% may turn out to be something that most of us thought was a
waste of bandwidth, so let's not discourage postings too quickly.
We should all have the magic delete key, but if we only want to hear
about things we already see inside a box there probably isn't much
point in subscribing to a discussion group.
General speculation on Mitnick doesn't interest me very much, but if
it prompted someone to go and review their security policy, or read
up on current/recent attacks, it's no bad thing.
Discussion about security clearances may have some dangers and I
wouldn't encourage it, but again it may prompt positive action.
Far too many people assume that there is something magic about
government security and that somehow it's totally different from
commercial and academic needs. The reality is that every information
user has very similar general needs and the main difference is
Governments have been attempting to protect information for hundreds
of years whilst some other users are only just starting.
I really can't see how you can implement an effective firewall without
establishing need-to-know and classifying data. You might not choose
to use the same words to describe the process but that's language.
Without knowing what you are trying to protect and why you are making
the attempt, you inevitably either under protect or over protect.
That means you either have inadequately moderated risks, or
unnecessary overhead. Neither is desirable and both can be harmful to
Governments do employ security by obscurity to some extent and that's
not necessarily a bad thing. Every country is a bit different and the
clearance debate has been strongly US based. Even in the US someone
requiring clearance has to agree to confidentiality on the subject.
In some countries, like the UK, a person requiring clearance has to
agree to keeping the holding of clearance a secret, even for the
purposes of resumes. Of course that tends to be widely ignored by
companies attempting to recruit cleared personnel. OTOH, a clearance
usually cannot be transferred from one job to another. In fact someone
who has been cleared while working for one company may take longer to
clear after changing employees (even if the clearance is for exactly
the same job) than someone who has never held a clearance before.
That may sound weird but, once you have a clearance, you have a file
and that file has to be drawn and read.
As far as I'm concerned, who has what clearance (in public
conversation) is in much the same category as name dropping and has
much the same limited benefit (that's benefit mainly to the ego of
the name dropper). Those who hold, or have held, particular clearances
will know what the levels are up to the level at which they have been
cleared. Any good spy book will quote all sorts of clearances, some
of which are the creation of the writer - but who cares.
The valuable part of the debate is that it touches on administrative
issues which are vital to an effective firewall.
Governments have a well proven system of clearances and
classifications. It doesn't mean that the systems are 100% perfect but
so far no one has come up with anything better. Usually where they
fall down is the way they are implemented.
Any enterprise has information which doesn't have to be circulated
widely and some which shouldn't be distributed freely.
Those who remember the era before office copiers will know that
companies survived very well with no more than 3 or 4 copies of a
document and meetings were conducted effectively without circulating
a 600 page paper to everyone who was due to attend the meeting and
to a few folk who weren't even required to attend.
Most of us have probably attended meetings which have dragged on,
failed to produce a result, generated lengthy position papers from
each of 20 attendees and could have been dealt with productively in
an hour with 4 people holding a discussion.
I have seen more than one situation where in government contracts a
vendor has spent most of the budget in meetings and just realised
that the contract called for him to spend some of the money on
producing a product. The $800 toilet seat is not necessarily
profiteering by a contractor but just a reflection of how many
meetings were necessary to produce it.
The photocopier makes it very easy to run off 100 copies of some
trivial document and paper bomb the enterprise. It also makes it easy
for people to illegally copy all sorts of documents and distribute
the result outside the enterprise. That's still a whole lot easier
than trying to break in through, or out of, even the weakest
firewall (or even go through an unprotected gateway).
The word processor makes it very easy to produce vast amounts of
garbage which decimates rain forests and chokes enterprises. All the
electronic communications systems do is provide a means to waste even
more resources, even quicker, when they could be helping us to reduce
waste and increase profit and efficiency.
Classification of data doesn't mean putting a 'Secret', 'Top Secret',
'Ultra', or 'Cosmic' label on it. It could be 'Confidential',
'Company Confidential', 'Public Domain', 'Customers', etc. Trusted
systems are quite capable of supporting any word you want inserted in
place of government labels and having any number of classifications
you might desire.
You might also want to have sensitivity labels. Some 'Company
Confidential' information may need to be restricted to certain groups
of people like Personnel/Human Resources, or Heads of Departments,
Clearance of personnel is also required and that should be part of
the recruitment policy. Very much more is stolen by people who became
employees just to steal information than has ever been stolen through
ISH connections. It's so much easier to achieve and organizations
thoughtfully provide all the necessary tools like unregulated
There are well proven systems available which do all of these things
very well and remarkably cheaply. They even permit every employee to
have a personal security profile which locks directly into
classification and sensitivity labels. Of course it's not as much fun
as rolling your own firewall and then having hours of pleasure trying
to make it work.
It may be that governments have tended to use classification and
clearance just for assurance, but there's no reason why it can't be
used to reduce costs, improve efficiency, provide greater availability
and enhanced integrity. It provides a means of justifying the cost of
risk management by providing a return on investment.
Security/risk management is like most other human activities - you
can use it positively or negatively.
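
An added example, not part of the original post: a need-to-know check that ties a personal security profile to the classification and sensitivity labels described above. The ordering of the levels, the user names and the document names are assumptions made for illustration; the post names the labels but does not rank them.

```python
from dataclasses import dataclass

# Assumed ordering, lowest to highest. The post names these labels but does
# not rank them; any enterprise-specific list can be substituted.
LEVELS = ("Public Domain", "Customers", "Company Confidential", "Confidential")

@dataclass(frozen=True)
class Label:
    level: str                       # classification (documents) or clearance (people)
    groups: frozenset = frozenset()  # sensitivity labels, e.g. departments

    def __post_init__(self):
        if self.level not in LEVELS:  # fail closed on an unknown label
            raise ValueError(f"unknown classification: {self.level!r}")

    @property
    def rank(self) -> int:
        return LEVELS.index(self.level)

def may_read(profile: Label, doc: Label) -> bool:
    """Need-to-know: clearance at or above the document's classification AND
    membership of every group named on the document."""
    return profile.rank >= doc.rank and doc.groups <= profile.groups

def access_matrix(profiles: dict, docs: dict) -> dict:
    """Map each user to the sorted names of the documents they may read."""
    return {user: sorted(n for n, d in docs.items() if may_read(p, d))
            for user, p in profiles.items()}

def unreachable(profiles: dict, docs: dict) -> list:
    """Documents no profile can read: over-protection or a missing role."""
    return sorted(n for n, d in docs.items()
                  if not any(may_read(p, d) for p in profiles.values()))

# Constructed sample data (hypothetical users and documents).
HR = frozenset({"Personnel/Human Resources"})
HEADS = frozenset({"Heads of Departments"})
PROFILES = {
    "hr_clerk": Label("Company Confidential", HR),
    "dept_head": Label("Confidential", HEADS),
    "sales": Label("Customers"),
}
DOCS = {
    "press_release": Label("Public Domain"),
    "price_list": Label("Customers"),
    "salary_review": Label("Company Confidential", HR),
    "reorg_plan": Label("Confidential", HEADS),
    "merger_terms": Label("Confidential", HR | HEADS),
}
if __name__ == "__main__":
    print(access_matrix(PROFILES, DOCS), unreachable(PROFILES, DOCS))
```

A higher clearance alone does not grant access: dept_head outranks hr_clerk but still cannot read salary_review without the Personnel/Human Resources label.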