From: "Andrew C. Hornback"
To: "Anthony Atkielski", "FreeBSD Questions"
Subject: RE: Lockdown of FreeBSD machine directly on Net
Date: Thu, 8 Nov 2001 11:51:05 -0500

> -----Original Message-----
> From: Anthony Atkielski [mailto:anthony@atkielski.com]
> Sent: Thursday, November 08, 2001 3:20 AM
> To: Andrew C. Hornback; FreeBSD Questions
> Subject: Re: Lockdown of FreeBSD machine directly on Net
>
> Andrew writes:
>
> > > b) Calling the sysadmin and pretending to be his
> > > boss and convince him to open a hole.
> >
> > Most organizations require something like that in
> > writing, or at least as part of a face to face
> > conversation. That negates this loophole.
>
> I've never encountered an organization that has a policy like that, but my
> personal policy is along those lines. If any manager wants me to compromise
> system security, he needs to put it in writing. This not only protects the
> organization from hanky-panky, but it protects me and the organization from
> lawsuits (albeit not prosecution, in most cases).

Having held such positions as Senior System Administrator, Director of Server and Network Operations and (hands on) Chief Operating Officer of an ISP... I'm very surprised that you've never encountered this.

Such a policy is standard operating procedure for me, period, no matter where I am employed. If a supervisor is asking me to do something that I deem as being risky (and yes, I am quite paranoid about system security), I ask for something in writing or at least an explanation as to why they need something like that done. Oftentimes, I've been able to explain to the supervisor how to do things differently to accomplish the same task, or through their explanation find out that they don't know what they're asking and suggest an agreeable alternative.

Maybe it's a stereotype that a lot of people don't see, but some of us Americans take pride in the jobs that we do and make an effort to do them properly.

> > If a secretary does this, they need to be fired,
> > period.
>
> In some organizations (many, in fact), she might be fired for _not_ doing it, as
> few people understand the risk to security that doing something like this
> represents, and they would interpret her refusal as a lack of team spirit or
> cooperation or some such.

I'll refrain from making a comment as it would appear to be extremely inflammatory.

> > Wouldn't work under a "Trusted" system, you'd
> > have to bribe, torture or blackmail three people.
>
> Not outside the realm of possibility, but it is true that collusion between two
> or more people is _far_ less common (and much less stable) than dishonesty in a
> single individual.

It's a numbers issue. If an operation requires three doctors, and you only have two, you're probably not going to have the outcome that you seek.

--- Andy