"more secure" 3rd-party file sharing?
Bill McGonigle
bill at bfccomputing.com
Wed Aug 23 23:11:01 EDT 2006
On Aug 23, 2006, at 22:46, Ben Scott wrote:
> The procedural side of things might be more useful to you. Again,
> not in the details, but in the concepts. Regular briefings and
> training. Lots of logs and audit trails and accountability. To get a
> Security Clearance, you have to sign an NDA, take an oath, submit to a
> background investigation. Security Is A Big Deal. It is treated as
> an essential element, rather than a hassle. Not the rubber stamp that
> corporate security usually is, but "You will go to Federal Pound Me In
> the Ass Prison if you screw off".
good overview - thanks. The sentence, "It is treated as an essential
element, rather than a hassle" is gold.
> And the SSL HTTP file transfer gets you what, exactly? You don't
> know who, or where.
to a certain extent you do. If a file was bound for lawyer.com and
winds up getting downloaded from kimchee.kr you know something you
didn't before. Think security cameras as well as pointy fences.
> You know when the file was downloaded, but not
> that it was read or opened or anything. It might have gone into the
> bit bucket, for that matter.
all true.
> I usually only get a given email message once. :)
this is about unexpected forwarding, files being accessed by mail
server sysadmins, etc.
> A compromised machine is, well, compromised. We assume the attacker
> can access the files on the machine. Does it matter if the file got
> there via HTTP instead of SMTP?
Consider the setting where the mail system is compromised (could even be
the BOFH) but the workstation is not. Especially in an academic
setting where the user owns his workstation.
> You're not really solving the problem, just moving it around.
That and hopefully reducing the scope, a bit.
>> How I wish everybody had S/MIME certs stored on smartcards. :)
> ... which we assume they will hand over to the first stranger who
> asks, right?
Well you have to do that to claim your free prize! :) Point well taken.
-Bill
-----
Bill McGonigle, Owner Work: 603.448.4440
BFC Computing, LLC Home: 603.448.1668
bill at bfccomputing.com Cell: 603.252.2606
http://www.bfccomputing.com/ Page: 603.442.1833
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf