[Security_sig] 10/14 Conf. call minutes

Ed Reed ereed at novell.com
Fri Oct 22 07:34:25 PDT 2004

Certainly it's that - people may abuse physical access to the computer.

But it's also something often overlooked - people may abuse physical
to the DATA, which is not ALWAYS under the protection of the COMPUTER.

The recent news story about a researcher at a university using data
by a government agency, and discovering that the university copy was
compromised is one example of this.

But the same thing can occur when production data is used for test
on test machines without production-level access controls (either
or physical).

And, indeed, the backups (whether tape, disk, TAR file, or otherwise)
themselves, if they are not carefully protected by
physical and logical protections (encryption), represent terrific risks
of unauthorized information disclosure, if not modification. Modification, too,
if the compromised backup file can be reinserted into the collection
of recovery (on-site or off-site) backups, whose use might be triggered
by a natural, physical or network disaster (attack) of some sort.


>>> jonmasters at gmail.com 10/21/2004 5:30:33 PM >>>
On Thu, 14 Oct 2004 11:47:32 -0700, Chris Wright <chrisw at osdl.org>

> Ed: Access to backup tapes has information access which is normally
> via security of live system, but could be used in test systems, etc.

> Chris: Physical access to the machine is clearly required.

Can you clarify what's being said there please? Seems like a standard
"but people might abuse physical access" type of non-argument.

