Firewall Wizards mailing list archives
Re: What about Traffic Analysis?
From: Ted Doty <ted () iss net>
Date: Fri, 07 Aug 1998 10:09:04 -0400
At 09:01 PM 8/6/98 -0400, Bennett Todd wrote:
> In my own experience, if you are ready to read other people's email and act on
> what you find, traffic analysis will turn up plenty of questionable stuff ---

Define questionable (that'll be a fun exercise). Make sure that you're thorough, which means let your mom review it when you're done (if she doesn't understand particular issues, go back and re-define them). Now get your corporate lawyers to review them. NOW get your CEO to sign off on them.

At this point, you're ready to distribute to everyone in the organization. Probably you need to get them to sign a form stating they read and understood the guidelines (e.g. don't email resume.doc to headhunters).

A special note to people who actually want to do this. Ask your lawyers how they expect to defend the organization against the inevitable lawsuits that will result (wrongful dismissal, if nothing else). One group I know defined the threshold for employee dismissal for downloading pornography at work to be anyone who downloaded more than 1000 pix. The argument was that this would be considered *so* egregious that it would hold up in court, or at least deter suits.

If your management isn't willing to pay the on-going cost of the analysis (which will be high, since at least several people will be involved), if your management isn't willing to accept the loss of high performing employees who refuse to go along with Big Brother procedures like this (is emailing resume.doc an actionable offence? *Should* it be?), if your management intends to duck and cover the first time someone sues the organization (count this as more expense for Spin Doctors), if your management is likely to be nervous about Loss Of Reputation from these kinds of lawsuits (I remember the Alana Shoars vs. Epson America incident) then Don't Go Here.

This is not an exercise in technology, it's flat out politics.

ObDisclaimer: I probably would not want to work in a place that was successful in defining criteria of acceptable use; I certainly wouldn't work in a place that implemented this without defining any criteria. Your mileage, as always, may vary.

- Ted

-----------------------------------------------------------------------
Ted Doty, Internet Security Systems           | Phone: +1 678 443-6000
6600 Peachtree Dunwoody Road, 300 Embassy Row | Fax: +1 678 443-6479
Atlanta, GA 30328 USA                         | Web: http://www.iss.net
-----------------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689 FD0F E625 D525 E1BE