1995-12-16 - Re: .PWL spin

Header Data

From: fc@all.net (Dr. Frederick B. Cohen)
To: llurch@networking.stanford.edu (Rich Graves)
Message Hash: e9fd3a01b104c126d967d7eefc3c5fb8203a1b3a327eb2e6364499d8e8a916f1
Message ID: <9512160258.AA17014@all.net>
Reply To: <Pine.ULT.3.91.951215142347.14138O@Networking.Stanford.EDU>
UTC Datetime: 1995-12-16 05:55:30 UTC
Raw Date: Sat, 16 Dec 1995 13:55:30 +0800

Raw message

From: fc@all.net (Dr. Frederick B. Cohen)
Date: Sat, 16 Dec 1995 13:55:30 +0800
To: llurch@networking.stanford.edu (Rich Graves)
Subject: Re: .PWL spin
In-Reply-To: <Pine.ULT.3.91.951215142347.14138O@Networking.Stanford.EDU>
Message-ID: <9512160258.AA17014@all.net>
MIME-Version: 1.0
Content-Type: text


> > > What would make a University less secure than a corporation??
> > 
> > Ostensibly, universities in the interest of academic freedom and 
> > promoting learning usually don't have nearly the same draconian measures 
> > that corporations have.
> 
> More to the point, us poor professional staff don't stand a chance 
> politically against students and faculty. We support whatever they want 
> to use.
> 
> I think it's more an issue of control. Ford IS can say Thou Shalt Not
> turn on SAP advertisement, and people will listen (or go away). At major
> Universities, what we do with troublemakers is, we hire them.

I think your impression of the corporate work environment is a bit naive,
just as most people in the commercial environment have misimpressions about
university environments.

In universities, the faculty rules - sort of.  The administration also
has a great deal of power as is usually wielded by the deans.  In
corporations there are often several levels of management, each with
control and responsibility.

Just as a university president has little chance of success in ordering
something that is viewed by the faculty as a breach of privacy or heavy
handed action, the CEO of most companies is similarly constrained.  In
fact, it would be rare that either would get involved in this level of
decision. 

If Ford IS said "Thou Shalt Not turn on SAP advertisement" and someone
in Ford's engineering department had a requirement for SAP advertisement
in order to service a major customer, the IS department would fail (and
the person responsible for making the decision might be surprised at how
fast the human resources department can act).

> But back to the point, the anonymous (cypherpunk relevance) "system 
> administrator" (guess they couldn't find anyone willing to make a fool 
> of himself on the record?) who said that Universities would be hurt more 
> was wrong. We just don't have passwords on Win95 machines, or don't care 
> if they're compromised. It's the people at Ford, Dow, and Sprint, 
> which had wasted man-years putting together "policies" and "user 
> profiles" that have proven to be worse than useless, who are pissed off. 

In my experience, it is rarely the case that either a university or a
business is well protected.  Comparing one to the other is probably not
very useful.

One thing is for certain, however.  The vast majority of the professors
in computer science don't understand anything of substance about
information protection.  If you tried to tell them about it, chances are
they would rebuff you for your attempt.  Furthermore, professors of
computer science almost never perform systems administration duties for
the university computer center.  The computer center is almost always
run by professional staff not affiliated with the computer science
department. 

-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
