Question
The problem of controlling user access to the resource-sharing computer system is similar in both the security and privacy situations. It has been suggested that one-time passwords are necessary to satisfactorily identify and authenticate the user in the security situation. In some university time-sharing systems, permanently assigned passwords are considered acceptable for user identification. Even though printing of a password at the console can be suppressed, it is easy to ascertain such a password by covert means; hence, repeatedly used passwords may prove unwise for the privacy situation.
(2) The incentive to penetrate the system is present in both the security and privacy circumstances. Revelation of military information can degrade the country's defense capabilities. Likewise, divulgence of sensitive information can to some extent damage other parties or organizations. Private information will always have some value to an outside party, and it must be expected that penetrations will be attempted against computer systems handling such information. It is conceivable that the legal liability for unauthorized leaking of sensitive information may become as severe as for divulging classified material.
(3) The computer hardware requirements appear to be the same for the privacy and security situations. Such features as memory read-write protection, bounds registers, privileged instructions, and a privileged mode of operation are required to protect information, be it classified or sensitive. Also, overall software requirements seem similar, although certain details may differ in the privacy situation because of communication matters or difference in user discipline.
[Footnote: *Peters, B., loc. cit. Page header: From the collection of the Computer History Museum (www.computerhistory.org), Security And Privacy: Similarities And Differences, 289]
(4) The file access and protection problem is similar under both circumstances.
Not all users of a shared computer-private system will be authorized access to all files in the system, just as not all users of a secure computer system will be authorized access to all files. Hence, there must be some combination of hardware and software features which controls access to the on-line classified files in conformance with security levels and need-to-know restrictions and in conformance with corresponding attributes in the privacy situation. As mentioned earlier, there may be a minor difference relative to volume. In classified files, denial of access must be absolute, whereas in private files access to a small quantity of sensitive information might be an acceptable risk.
(5) The philosophy of the overall system organization will probably have to be different in the privacy situation. In the classified defense environment, users are indoctrinated in security measures and their personal responsibility can be considered as part of the system design. Just as the individual who finds a classified document in a hallway is expected to return it, so the man who accidentally receives classified information at his console is expected to report it. The users in a classified system are subject to the regulations, authority, and discipline of a governmental agency. Similar restrictions may not prevail in a commercial or industrial resource-sharing computer network, nor in government agencies that do not operate within the framework of government classification. In general, it would appear that one cannot exploit the good will of users as part of a privacy system's design. On the other hand, the co-operation of users may be part of the design philosophy if it proves possible to impose a uniform code of ethics, authority, and discipline within a multi-access system. Uniform rules of behavior might be possible if all users are members of the same organization, but quite difficult or impossible if the users are from many companies or agencies.
(6) The certifying authority is certainly different in the two situations. It is easy to demonstrate that the total number of internal states of a computer is so enormous that some of them will never prevail in the lifetime of the machine. It is equally easy to demonstrate that large computer programs have a huge number of internal paths, which implies the potential existence of error conditions which may appear rarely or even only once. Monitor programs governing the internal scheduling and operation of multi-programmed, time-sharing or batch-operated machines are likely to be extensive and complex; and if security or privacy is to be guaranteed, some authority must certify that the monitor is properly programmed and checked out. Similarly, the hardware must also be certified to possess appropriate protective devices. In a security situation, a security officer is responsible for establishing and implementing measures for the control of classified information. Granted that he may have to take the word of computer experts or become a computer expert himself, and granted that of itself his presence does not solve the computer security problem, there is nonetheless at least an assigned, identifiable responsible authority. In the case of the commercial or industrial system, who is the authority? Must the businessman take the word of the computer manufacturer who supplied the software? If so, how does he assure himself that the manufacturer hasn't provided "ins" to the system that only he, the manufacturer, knows about? Must the businessman create his own analog of defense security practices?
(7) Privacy and security situations are certainly similar in that deliberate penetrations must be anticipated, if not expected; but industrial espionage against computers may be less serious. On the other hand, industrial penetrations against computers could be very profitable and perhaps safer from a legal viewpoint.
It would probably be difficult for a potential penetrator to mount the magnitude of effort against an industrial resource-sharing computer system that foreign agents are presumed to mount against secrecy systems of other governments. To protect against large-scale efforts, an industry-established agency could keep track of major computing installations and know where penetration efforts requiring heavy computer support might originate. On the other hand, the resourceful and insightful individual can be as great a threat to the privacy of a system. If one can estimate the nature and extent of the penetration effort expected against an industrial system, perhaps it can be used as a design parameter to establish the level of protection for sensitive information.
(8) The security and privacy situations are certainly similar in that each demands secure communication circuits. For the most part, methods for assuring the security of communication channels have been the exclusive domain of the military and government. What about the non-government user? Could the specifications levied on common carriers in their implied warranty of a private circuit be extended? Does the problem become one for the common carriers? Must they develop communication security equipment? If the problem is left to the users, does each do as he pleases? Might it be feasible to use the central computer itself to encode information prior to transmission? If so, the console will require special equipment for decoding the messages.
[Page header: 290, Spring Joint Computer Conf., 1967]
(9) Levels of protection for communications are possibly different in the two situations. If one believes that a massive effort at penetration could not be mounted against a commercial private network, a relatively low-quality protection for communication would be sufficient. On the other hand, computer networks will inevitably go international. Then what?
A foreign industry might find it advantageous to tap the traffic of U.S. companies operating an international and presumably private computer network. Might it be that for reasons of national interest we will someday find the professional cryptoanalytic effort of a foreign government focused on the privacy-protecting measures of a computer network? If control of international trade were to become an important instrument of government policy, then any international communications network involved with industrial or commercial computer-private systems will need the best protection that can be provided.
This paper has attempted to identify and briefly discuss the differences and similarities between computer systems operating with classified military information and computer systems handling private or sensitive information. Similar hardware and software and systems precautions must be taken.
(4) Please write commonalities among security and privacy from this article in your own language. Chapter 5, 6 Tavani
Explanation / Answer
Commonalities between security and privacy
Passwords - using passwords both for military organizations and private organizations is a very useful option. But one should be careful while using passwords. One-time passwords are a very good option for authentication. On the other hand, permanent passwords can be stolen.
Incentive To Penetrate - there is always a profit involved in penetrating a system. If the military information is revealed to the outside world it will bring down the image of the security system of the country. Similarly private information of organizations can damage their image also.
Hardware and Software Requirements - the hardware and software requirements are similar like
File Access and Protection Problem - this feature is common in both the systems. Not all the users should have access to all the files either in a private network or a security system. There should be some combination of hardware and software to implement this aspect.
Both The Systems Are Liable to Penetration - both private networks as well as are liable to penetration. But breaching the privacy can be comparatively easy and very profitable also. The security of government organizations can be very robust and will not be easy to penetrate.
Secure Communication Channels - for both security and privacy, secure communication channels are required, as that is the place where most of the leaks can occur. The data should be properly encoded and proper decoding devices should be present at the receiver's end.