Firewall Wizards mailing list archives

Re: What about Traffic Analysis?


From: Henry Hertz Hobbit <hhhobbit () icarus weber edu>
Date: Fri, 7 Aug 1998 13:36:46 -0600 (MDT)

On Thu, 6 Aug 1998, Bennett Todd wrote:

> 1998-08-06-15:28:33 Adam Shostack:
> >     Ok, so the assembled wizards have declared trying to
> > understand the content of messages to be a loss, which is roughly
> > correct.
> >
> >     What about performing traffic analysis on the mail flow?
> > Catching information by spikes in the places people send mail?
> > Sending files to the competition?  Is this worthwhile?  (Assume
> > trapping messages that hit some threshold.)
>
> If the environment (views of right and wrong, opinions about the law safely
> guided by those views:-) support reading other people's mail looking for
> misbehavior, then traffic analysis will be very fruitful.

When I worked for WordPerfect, they handled this simply by declaring
all mail either going or coming to any individual to be *their* mail.
This included both snail-mail and email. Why somebody would be sending
their resume from a company is beyond me. On the other hand, what do
you do about them getting calls from another company on company phones?
I start to see that things can get so out of hand that the people
working for that company that is taking such dictatorial steps will
no longer like or want to work there. You have to work out some sort
of balance that both protects the company but is not so repressive
that workers begin to leave the place.

IMHO, WordPerfect in many ways shot itself in the foot with some
of its policies. Sure, you don't want any of your company's
private and confidential information going out the door, but just
how far should you go? In other words, if somebody is selling
information about the company, you want to hang them high and dry.
If they are inadvertently letting information slip out, you may want
to just warn them that what they are doing is wrong without breathing
down on them with the fiery breath of a dragon.

In other words, let the policy drive the choice of tools that you
use. If you have somebody that is shipping confidential stuff out
in pictures, they are most likely to be technically literate. If
you are a site developing DoD or other sensitive stuff, you may not
even want a connection at all depending on what you are working on.

Having said that, I would be loath to work for a company that snips
all of the wires out completely. How in the world will you keep up
with the technology advances with that kind of an isolationist stance?
Russia tried it, and look what happened to them...

The screening of your people should have taken place LONG before you
start sifting email. Again, that is a policy decision about who and
who not to hire. How many companies do drug tests today? A policy
decision, and one that shows to me the level of commitment most
companies have to do background checks on people is extremely low.
For myself, I consider a drug test an insult! I have never used
illegal drugs in my life. Do companies I have talked to ask about
that? NO. In other words, it strikes me that they didn't do enough
checking at the start when and where most companies should
be doing it.


Just my 0.02 worth...

HHH


