http://emergentchaos.com/archives/2008/03/avoid-id-theft-dont-run-for-president.html The Emergent Chaos Jazz Combo Wed, 01 Feb 2012 19:20:40 +0000 hourly 1 http://wordpress.org/?v=3.3.1 http://emergentchaos.com/archives/2008/03/avoid-id-theft-dont-run-for-president.html/comment-page-1#comment-4493 PHB Sun, 23 Mar 2008 09:29:20 +0000 http://emergentchaos.com/?p=2696#comment-4493 I have had a couple of looks at this myself. <a href="http://dotfuturemanifesto.blogspot.com/2008/03/irrellevant-information.html" rel="nofollow">http://dotfuturemanifesto.blogspot.com/2008/03/irrellevant-information.html</a> I don't think you can say that 'the problem' is X. There are so many problems here. Looks to me as if the problem is much more in the realm of least privilege than separation of duties. Its an accountability based security scheme, there is nothing wrong with that in principle, it is probably impossible to anticipate all the rules that should be implemented in an ACL scheme. The duty of reviewing access to the files and access to the files appear to have been separated (albeit in a highly unsatisfactory manner). Part of the problem is that they ONLY have accountability. Although I do make the case for accountability in The dotCrime Manifesto, I have never advanced it as a substitute for access control. It should be a supplement, not a replacement. So one question would be why they don't have access control on the system. I suspect that the answer is (1) its a civilian system, the information is confidential, not classified and (2) when the system was designed the only information security choices available were all designed for military use and utterly unusable. But the bigger issue here is responsibility. 'Trust me' is not an acceptable infrastructure design. This administration is very much a 'trust me' administration, they refuse accountability and the Republican party has been a willing accomplice. We know that we cannot trust the competence or truthfulness of this administration. They have given us no reason to trust them for any other reason. They can be as indignant as they like but there is absolutely no reason for anyone to trust Condi 'mushroom cloud' Rice. I have had a couple of looks at this myself.
http://dotfuturemanifesto.blogspot.com/2008/03/irrellevant-information.html
I don’t think you can say that ‘the problem’ is X. There are so many problems here. Looks to me as if the problem is much more in the realm of least privilege than separation of duties.
Its an accountability based security scheme, there is nothing wrong with that in principle, it is probably impossible to anticipate all the rules that should be implemented in an ACL scheme. The duty of reviewing access to the files and access to the files appear to have been separated (albeit in a highly unsatisfactory manner).
Part of the problem is that they ONLY have accountability. Although I do make the case for accountability in The dotCrime Manifesto, I have never advanced it as a substitute for access control. It should be a supplement, not a replacement.
So one question would be why they don’t have access control on the system. I suspect that the answer is (1) its a civilian system, the information is confidential, not classified and (2) when the system was designed the only information security choices available were all designed for military use and utterly unusable.
But the bigger issue here is responsibility. ‘Trust me’ is not an acceptable infrastructure design. This administration is very much a ‘trust me’ administration, they refuse accountability and the Republican party has been a willing accomplice.
We know that we cannot trust the competence or truthfulness of this administration. They have given us no reason to trust them for any other reason. They can be as indignant as they like but there is absolutely no reason for anyone to trust Condi ‘mushroom cloud’ Rice.

]]> http://emergentchaos.com/archives/2008/03/avoid-id-theft-dont-run-for-president.html/comment-page-1#comment-4492 robs sama Fri, 21 Mar 2008 13:38:43 +0000 http://emergentchaos.com/?p=2696#comment-4492 Drudge is reporting that McCain and HRC also had their passport files accessed... Drudge is reporting that McCain and HRC also had their passport files accessed…

]]> http://emergentchaos.com/archives/2008/03/avoid-id-theft-dont-run-for-president.html/comment-page-1#comment-4491 Chris Fri, 21 Mar 2008 11:32:34 +0000 http://emergentchaos.com/?p=2696#comment-4491 They say they log all such accesses (even for us peons), and "spot check" that they are kosher. Whether those checks are effective in suppressing the idly curious (or worse) is a question. They say they log all such accesses (even for us peons), and “spot check” that they are kosher. Whether those checks are effective in suppressing the idly curious (or worse) is a question.

]]> http://emergentchaos.com/archives/2008/03/avoid-id-theft-dont-run-for-president.html/comment-page-1#comment-4490 Andy Steingruebl Fri, 21 Mar 2008 11:10:39 +0000 http://emergentchaos.com/?p=2696#comment-4490 To give the State department a small amount of credit though, they actually detected this. How many places would actually detect this sort of unauthorized access? Hospitals and the IRS are generally the only places that ever implement this sort of account access tracking. It is nice to know that they noticed for Obama, but only because he was specially labeled. What about anyone else whose records might have been looked at improperly? To give the State department a small amount of credit though, they actually detected this. How many places would actually detect this sort of unauthorized access?
Hospitals and the IRS are generally the only places that ever implement this sort of account access tracking. It is nice to know that they noticed for Obama, but only because he was specially labeled. What about anyone else whose records might have been looked at improperly?

]]>