[liberationtech] Concerns with new Stanford University security mandate
Paul Ferguson
fergdawgster at mykolab.com
Sun Jan 26 08:07:27 PST 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Below:
On 1/26/2014 2:36 AM, Rich Kulawiec wrote:
> On Sun, Jan 26, 2014 at 01:20:20AM -0800, Tomer Altman wrote:
>> To Liberation Tech:
>>
>> Stanford is implementing a new security policy detailed here:
>>
>> http://ucomm.stanford.edu/computersecurity/
>
> First, if they were serious about security, they wouldn't be using
> Microsoft products.
>
> Second, backdooring end-user systems en masse provides one-stop
> shopping to an attacker.
>
> Third, "locating PII on systems" is not a solved problem in
> computing, and for anyone to pretend otherwise is, at best,
> disingenuous. Not only that, but anyone who's been paying
> attention to the re-identification problem knows that non-PII is
> quite often just as sensitive.
>
> Fourth, the simultaneous requirement that systems be backdoored and
> searchable while their disks are encrypted strongly suggests that
> they intend to have a central repository of encryption keys.
>
> Fifth, the requirement for use of centralized backup also provides
> one-stop shopping to an attacker.
>
> Bottom line: this isn't about security, it's about control and
> monitoring.
>
> ---rsk
>
I've got to agree with Rich here -- this *is* about control & monitoring.

Having said that, saying that this policy is simply about "security"
is not quite correct -- it is about controlling *employee* access to,
and handling of, sensitive information in the Stanford University
computer network systems.

But let's remember that there are *different types* of security: ones
which control & monitor, others which attempt to protect
organizational users from external threats, etc.

I don't believe this is pretty much /de rigueur/ and appropriate for
virtually any organization which wishes to protect sensitive
information, and provide some accountability.

Remember: Employee prescriptive measures are different than
non-employee measures.
- - ferg
- --
Paul Ferguson
PGP Public Key ID: 0x54DC85B2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iF4EAREIAAYFAlLlMr8ACgkQKJasdVTchbJuuAD+PE+MsNYYu73+EX6TPMZgLiX3
zei8ig48GX7Xvy/duBABAMeS10yF5L7w9bc3WOQ7ASczRlnycozj0QeWyrcYyUJs
=XHRk
-----END PGP SIGNATURE-----