Security Proportional to Risk (was: IBM Mainframe at home)

From: Anne & Lynn Wheeler (lynn@garlic.com)
Date: 03/04/02

    From: Anne & Lynn Wheeler <lynn@garlic.com>
    Date: Mon, 04 Mar 2002 20:27:24 GMT

    Anne & Lynn Wheeler <lynn@garlic.com> writes:
    > After that, things still continued on the seven year cycle ... but
    > there were two teams, working in parallel producing products
    > offset. The 3081 was the "158" team ... the 3090 was the "168" team.

    above from "ibm mainframe at home" thread in a.f.c
    http://www.garlic.com/~lynn/2002d.html#7

    with OT thread drift to "security proportional to risk" thread
    (somewhat e-commerce):
    http://www.garlic.com/~lynn/2001h.html#61 Net banking, is it safe???

    in the early 70s there was a trade-secret document theft case
    regarding disk technology. The assertion was that the "disk clone"
    business took 12 to 18 months to reverse engineer, duplicate and bring
    product to market (after initial introduction of new product). The
    assertion was that the document thefts would potentially allow a clone
    manufacturer to bring a product to market six months earlier
    ... representing possibly several tens of billions of dollars in
    revenue.

    somewhere along the way, the judge supposedly raised the "swimming
    pool attractive hazard" issue (aka pool owner is responsible for bad
    things that happen in their pool unless they can demonstrate fences
    and other security measures proportional to determination of
    trespassers that might find the pool attractive); aka for legal
    remedy, have to demonstrate security measures proportional to the
    value of the trade-secret.

    For actual disk hardware this was a secure compound with perimeter
    fence and guards at the gates, patrols inside the compound, secure
    building with door badge readers, enforced & audited policies about
    tail-gating, 2nd floor (above ground) machine room with even more
    restricted badge reader access. Within the machine room, devices were
    housed in a "test cell" ... basically a small heavy steel wire mesh
    cage (maybe 5x5x7, reinforced steel floor, heavy steel wire mesh sides
    & top). Door to cage had combination lock and each cage had unique
    combination. Lots of audit procedures and patrols to assure that
    security was being followed. This is somewhat analogous to safe
    deposit boxes but with more layers of security and constant auditing
    procedures.

    Documents were "candy-stripe" covers with registered confidential
    classification. Each copy of a document was numbered. Each page of a
    candy-stripe document had the document copy number embossed in large
    print on every page (basically faint background but the number was
    large print essentially filling the whole page) with legend
    "registered confidential, do not copy/reproduce" on every page (either
    3800 background flash or special paper from secure printer).

    Each copy was signed out to specific person and that person had to
    follow a lot of processes protecting the document which were also
    audited on regular basis. A person having registered confidential
    documents also had special secure file cabinet for storing the
    documents, their offices had sporadic audits after hours and there
    were periodic audits to verify that the person still had possession of
    the document. Registered confidential document copies tended to number
    in the tens or at most few hundreds.

    For the 3081 there were a whole file drawer of "811" documents (from
    the date nov. 1978) that were registered confidential and had to
    demonstrate that every copy of every 811 document was managed with the
    highest/appropriate security processes. Even at that, there was some
    leakage and a fairly well publicized industrial espionage case
    related to 811 documents.

    bringing back to merchant e-commerce sites thread ... would an
    attractive hazard be a defense with regard to hacking e-commerce
    servers that had insufficient security?

    random registered confidential refs:
    http://www.garlic.com/~lynn/2001i.html#30 IBM OS Timeline?
    http://www.garlic.com/~lynn/2001n.html#79 a.f.c history checkup... (was What specifications will the standard year 2001 PC have?)

    random attractive hazard refs:
    http://www.garlic.com/~lynn/aadsmore.htm#2527a RFC 2527 Physical Security Controls Question
    http://www.garlic.com/~lynn/2001d.html#42 IBM was/is: Imitation...

    random disk test cell ref:
    http://www.garlic.com/~lynn/94.html#15 cp disk story
    http://www.garlic.com/~lynn/95.html#3 What is an IBM 137/148 ???
    http://www.garlic.com/~lynn/96.html#18 IBM 4381 (finger-check)
    http://www.garlic.com/~lynn/97.html#15 OSes commerical, history
    http://www.garlic.com/~lynn/99.html#31 Old Computers
    http://www.garlic.com/~lynn/99.html#54 Fault Tolerance
    http://www.garlic.com/~lynn/2000.html#9 Computer of the century
    http://www.garlic.com/~lynn/2000c.html#69 Does the word "mainframe" still have a meaning?
    http://www.garlic.com/~lynn/2000c.html#72 Does the word "mainframe" still have a meaning?
    http://www.garlic.com/~lynn/2001h.html#19 checking some myths.
    http://www.garlic.com/~lynn/2001l.html#13 mainframe question
    http://www.garlic.com/~lynn/2001l.html#32 mainframe question
    http://www.garlic.com/~lynn/2001n.html#39 195 was: Computer Typesetting Was: Movies with source code
    http://www.garlic.com/~lynn/2002.html#10 index searching
    http://www.garlic.com/~lynn/2002b.html#2 Microcode? (& index searching)
    http://www.garlic.com/~lynn/2002d.html#0 VAX, M68K complex instructions (was Re: Did Intel Bite Off MoreThan It Can Chew?)

    random 811/3081 references:
    http://www.garlic.com/~lynn/93.html#31 Big I/O or Kicking the Mainframe out the Door
    http://www.garlic.com/~lynn/94.html#00 Big I/O or Kicking the Mainframe out the Door
    http://www.garlic.com/~lynn/94.html#43 Bloat, elegance, simplicity and other irrelevant concepts
    http://www.garlic.com/~lynn/94.html#55 How Do the Old Mainframes Compare to Today's Micros?
    http://www.garlic.com/~lynn/95.html#3 What is an IBM 137/148 ???
    http://www.garlic.com/~lynn/95.html#10 Virtual Memory (A return to the past?)
    http://www.garlic.com/~lynn/98.html#46 The god old days(???)
    http://www.garlic.com/~lynn/99.html#4 IBM S/360
    http://www.garlic.com/~lynn/99.html#102 IBM 9020 computers used by FAA (was Re: EPO stories (was: HELP IT'S HOT!!!!!))
    http://www.garlic.com/~lynn/99.html#103 IBM 9020 computers used by FAA (was Re: EPO stories (was: HELP IT'S HOT!!!!!))
    http://www.garlic.com/~lynn/99.html#112 OS/360 names and error codes (was: Humorous and/or Interesting Opcodes)
    http://www.garlic.com/~lynn/99.html#190 Merced Processor Support at it again
    http://www.garlic.com/~lynn/2000.html#78 Mainframe operating systems
    http://www.garlic.com/~lynn/2000b.html#38 How to learn assembler language for OS/390 ?
    http://www.garlic.com/~lynn/2000b.html#65 oddly portable machines
    http://www.garlic.com/~lynn/2000e.html#55 Why not an IBM zSeries workstation?
    http://www.garlic.com/~lynn/2000e.html#57 Why not an IBM zSeries workstation?
    http://www.garlic.com/~lynn/2001b.html#35 John Mashey's greatest hits
    http://www.garlic.com/~lynn/2001b.html#37 John Mashey's greatest hits
    http://www.garlic.com/~lynn/2001b.html#38 Why SMP at all anymore?
    http://www.garlic.com/~lynn/2001b.html#62 z/Architecture I-cache
    http://www.garlic.com/~lynn/2001b.html#69 Z/90, S/390, 370/ESA (slightly off topic)
    http://www.garlic.com/~lynn/2001b.html#83 Z/90, S/390, 370/ESA (slightly off topic)
    http://www.garlic.com/~lynn/2001c.html#53 Varian (was Re: UNIVAC - Help ??)
    http://www.garlic.com/~lynn/2001d.html#66 Pentium 4 Prefetch engine?
    http://www.garlic.com/~lynn/2001f.html#62 any 70's era supercomputers that ran as slow as today's supercomputers?
    http://www.garlic.com/~lynn/2001f.html#68 Q: Merced a flop or not?
    http://www.garlic.com/~lynn/2001j.html#13 Parity - why even or odd (was Re: Load Locked (was: IA64 running out of steam))
    http://www.garlic.com/~lynn/2001j.html#17 I hate Compaq
    http://www.garlic.com/~lynn/2001j.html#18 I hate Compaq
    http://www.garlic.com/~lynn/2001k.html#7 hot chips and nuclear reactors
    http://www.garlic.com/~lynn/2001l.html#24 mainframe question
    http://www.garlic.com/~lynn/2001l.html#40 MVS History (all parts)
    http://www.garlic.com/~lynn/2001l.html#61 MVS History (all parts)
    http://www.garlic.com/~lynn/2001m.html#23 Smallest Storage Capacity Hard Disk?
    http://www.garlic.com/~lynn/2001n.html#9 NCP
    http://www.garlic.com/~lynn/2002.html#5 index searching
    http://www.garlic.com/~lynn/2002.html#45 VM and/or Linux under OS/390?????
    http://www.garlic.com/~lynn/2002.html#48 Microcode?
    http://www.garlic.com/~lynn/2002b.html#11 Microcode? (& index searching)
    http://www.garlic.com/~lynn/2002b.html#20 index searching
    http://www.garlic.com/~lynn/2002b.html#32 First DESKTOP Unix Box?
    http://www.garlic.com/~lynn/2002c.html#9 IBM Doesn't Make Small MP's Anymore
    http://www.garlic.com/~lynn/2002c.html#40 using >=4GB of memory on a 32-bit processor
    http://www.garlic.com/~lynn/2002c.html#42 Beginning of the end for SNA?
    http://www.garlic.com/~lynn/2002d.html#7 IBM Mainframe at home

    random security proportional to risk refs:
    http://www.garlic.com/~lynn/aadsmore.htm#2527a RFC 2527 Physical Security Controls Question
    http://www.garlic.com/~lynn/aadsm6.htm#websecure merchant web server security
    http://www.garlic.com/~lynn/aadsm6.htm#terror [FYI] Did Encryption Empower These Terrorists?
    http://www.garlic.com/~lynn/aadsm6.htm#terror3 [FYI] Did Encryption Empower These Terrorists?
    http://www.garlic.com/~lynn/aadsm6.htm#terror5 [FYI] Did Encryption Empower These Terrorists?
    http://www.garlic.com/~lynn/aadsm6.htm#pcards The end of P-Cards?
    http://www.garlic.com/~lynn/aadsm6.htm#pcards3 The end of P-Cards? (addenda)
    http://www.garlic.com/~lynn/aadsm7.htm#rubberhose Rubber hose attack
    http://www.garlic.com/~lynn/aadsm8.htm#rhose17 [Fwd: Re: when a fraud is a sale, Re: Rubber hose attack]
    http://www.garlic.com/~lynn/aepay7.htm#netbank2 net banking, is it safe?? ... security proportional to risk
    http://www.garlic.com/~lynn/aepay7.htm#netsecure some recent threads on netbanking & e-commerce security
    http://www.garlic.com/~lynn/aepay7.htm#3dsecure2 3D Secure Vulnerabilities? Photo ID's and Payment Infrastructure
    http://www.garlic.com/~lynn/aepay7.htm#3dsecure3 financial payment standards ... finger slip
    http://www.garlic.com/~lynn/aadsm10.htm#cfppki13 CFP: PKI research workshop
    http://www.garlic.com/~lynn/aadsm10.htm#tamper Limitations of limitations on RE/tampering (was: Re: biometrics)
    http://www.garlic.com/~lynn/aadsm10.htm#bio8 biometrics (addenda)
    http://www.garlic.com/~lynn/2001d.html#42 IBM was/is: Imitation...
    http://www.garlic.com/~lynn/2001h.html#61 Net banking, is it safe???
    http://www.garlic.com/~lynn/2001h.html#67 Would this type of credit card help online shopper to feel more secure?
    http://www.garlic.com/~lynn/2001i.html#53 Credit Card # encryption
    http://www.garlic.com/~lynn/2001i.html#57 E-commerce security????
    http://www.garlic.com/~lynn/2001j.html#2 E-commerce security????
    http://www.garlic.com/~lynn/2001j.html#5 E-commerce security????
    http://www.garlic.com/~lynn/2001j.html#44 Does "Strong Security" Mean Anything?
    http://www.garlic.com/~lynn/2001j.html#54 Does "Strong Security" Mean Anything?
    http://www.garlic.com/~lynn/2001k.html#55 I-net banking security
    http://www.garlic.com/~lynn/2001l.html#2 Why is UNIX semi-immune to viral infection?

    -- 
    Anne & Lynn Wheeler   | lynn@garlic.com -  http://www.garlic.com/~lynn/ 