> On Wed, 31 May 1995, Paul Ferguson wrote:
> > > we have customers/auditors who require us not to trust our employees.
> > > If this is the case, why would we trust the carrier?
> > Why not just disconnect yourself from The Net altogether? ;-)
> Indeed--if you can't trust your employees, then how can you have
> security? That is, if you can't trust your employees (i.e. the other
> sysadmin even) to keep their password confidential, then you can't
> operate--there has to be SOME level of trust somewhere.
There must be trust somewhere, but this brings up a point that Marcus
Ranum makes - you have to know what you are protecting and who you are
protecting against. If you are protecting a $50,000 secret against
competitors, firewalls and encryption that protect against an attack
costing $50,000 do no good if you can bribe an employee for $25,000 for