Interesting People mailing list archives

Previous By Date Next
Previous By Thread Next

IP: CIA Director Deutch and MLS from Risks Digest 20.78

From: Dave Farber <farber () cis upenn edu>
Date: Mon, 07 Feb 2000 15:20:14 -0500



Date: Tue, 1 Feb 2000 09:40:14 -0500 (EST)
From: Jeremy Epstein <jepstein () monumental com>
Subject: CIA Director Deutch and MLS

An article in *The New York Times* 1 Feb 2000 details former CIA Director
Deutch's use of unclassified Macintosh computers in his homes to store
thousands of highly classified documents on the same computer he used to
access AOL, Citibank's personal banking service, and other services.  The
investigation seems to have been delayed and perhaps limited as a result of
Deutch's position.

It's old hat that personal computers (be they Windows, Macintosh, or
UNIX-based) are inherently unsuitable for Multi-Level Security (MLS).  What
we see here is that even though all the proper procedures were in place, the
human element is sufficient to undermine all of the technical controls.  As
long as we have people, we'll have RISKS!

Full article at
http://www.nytimes.com/yr/mo/day/news/washpol/cia-impeach-deutch.html

  [Multilevel security may not seem to be an issue here *internally*
  because John Deutch had access to all of the information on his
  systems, considered as SYSTEM HIGH -- that is all logically at the
  highest level.  However, surfing the (unclassified) Web is clearly a NO-NO
  from such a machine.  RISKS readers are of course familiar with the risks
  of Web browsing.  However, an added note in this case was the report that
  the visited sites included a porn site.  Deutch apparently denied having
  accessed porn any sites, suggesting that it might have been done by one of
  his offspring?  If that is indeed true, it would make the presence of
  highly classified information on a multiuser workstation even more
  untenable.  (On one hand, even if such a PC claimed to be multilevel
  secure, that would be a VERY BAD misuse.  On the other hand, RISKS readers
  know how one can be duped into visiting sites other than what was
  expected, as in clicking on whitehouse.com instead of whitehouse.gov,
  or in clicking on a Trojan-horsed URL.)  PGN]
Previous By Date Next
Previous By Thread Next

Current thread: