Watching the Watchers
Matthew Tanase, 2005-04-18

Misuse of database information by insiders happens every day, and there's little we can do about it.

Watching the Watchers 2005-04-18
Anonymous
Watching the Watchers 2005-04-19
BeauKey
Watching the Watchers 2005-04-19
Anonymous
Watching the Watchers 2005-04-19
Anonymous (1 replies)
Watching the Watchers 2005-04-20
Anonymous
Watching the Watchers 2005-04-19
Anonymous
Watching the Watchers 2005-04-20
LoneD (2 replies)
There are two problems really.

The first is the overpower of IT staff. For example, if you are a sysadmin of your company file server - what (technically - I do not consider ethics now) will prevent you from viewing your co-workers' data? File audit, you say. But if you are a professional SA you obviously know how to change your system logs, how to get rights and remain unnoticed (especially if you deal with security issues). Then, if your boss likes porn (and you manage an enterprise proxy) - will you know about that? What will prevent you from abuse of this information? To conclude I will ask: "What will prevent you from doing anything you like to the system if you have admin rights?"

The 2nd half of the problem is even more complicated. Security and privacy are a kind of intellectual contest nowadays. If a hacker is more clever than the SA he will surely take his systems over. And intelligence (among other nice properties) has something called generalization ability. This allows us to aggregate information, make conclusions, use our experience in different situations. And a good hacker surely has this ability on a high level. Think of it - a good hack is gathering information, social engineering and only at the last stages (if it is needed) software abuse - remember Kevin Mitnick.

By the way, this kind of threat was invented a very long time ago - before modern IT and computers. Remember those detective stories where a man from an agency gives a barman or some other staff money for some information about someone he is spying on. Does it differ greatly from using a drive map to spy on a woman?

Nothing new, even the scale changes.



Watching the Watchers 2005-04-20
Anonymous (1 replies)
Watching the Watchers 2005-04-22
Roger
Watching the Watchers 2005-04-20
Homer Simpson
Watching the Watchers 2005-04-21
Anonymous
Watching the Watchers 2005-04-22
Doug Sibley







 
