Bruce Schneier put up a post about the inescapable truth that systems need trusted users, and the dangers inherent therein. He observes, “Replacing trusted people with computers doesn’t make the problem go away; it just moves it around and makes it even more complex.” He suggests a number of ways to reduce the risk of a breach by a trusted user, but also cautions that trying to cover every angle is ultimately a bad idea. The post concludes as follows:
“In the end, systems will always have trusted people who can subvert them. It’s important to keep in mind that incidents like this don’t happen very often; that most people are honest and honorable. Security is very much designed to protect against the dishonest minority. And often little things—like disabling access immediately upon termination—can go a long way.”
Of course, these precautions are applied to people who actually, you know, do things. Once you get far enough up the ladder that you aren’t really doing anything and are just figuring out ways to magically make money appear out of thin air, all bets are off and there’s no impetus of any kind to be either honest or honorable.
Hard to imagine how you can convince corporate types to behave any better on the basis of stuff like this.