[TCP] question on how to disable a file's network transmission capability

Sandy Harris sandyinchina at gmail.com
Fri Dec 22 17:18:51 MST 2006


Gene Kim-Eng <techwr at genek.com> wrote:

> I don't think this is going to accomplish what was asked for
> (letting people access and view the files they need but not
> move or copy them to another machine or attach them to
> email).
>

The standard term for what was asked for is Mandatory Access
Control, as opposed to Discretionary Access Control, which is
what most OSs -- Windows, Unix, MacOS, ... -- give you.

A web search on Mandatory Access Control will turn up
more info than you'll ever need, but here's a summary:

With DAC, users control access to files, turn on sharing, etc.
With MAC, the system manages some of that. Usually MAC
is implemented as part of a secure OS (Multics is the classic
example) to give "multi-layer security". e.g. a Top Secret doc
cannot be sent to any person, process, machine or disk
drive that does not have Top Secret clearance. Even then,
they have to be authorised for your project before they can
get project docs.

MAC tends to be expensive, special-purpose stuff built
for gov't contracts, but it is available if you need it.

Ross Anderson has a good paper on why military
security standards may not apply or work well for
company security: I don't have the exact URL.

Home page: http://www.cl.cam.ac.uk/~rja14/

-- 
Sandy Harris
Quanzhou, Fujian, China
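
The rule summarised in the message above (a destination needs both the clearance level and the project authorisation before a document may flow to it), as an added Python sketch that is not part of the original post. The level names, project names, destinations and function names are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed classification ladder; a higher number means more sensitive.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str                          # key into LEVELS
    projects: frozenset = frozenset()   # need-to-know compartments

    def dominates(self, other: "Label") -> bool:
        """True if this label is cleared for everything `other` requires."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.projects >= other.projects)


def mac_may_send(doc: Label, destination: Label) -> bool:
    """System-enforced rule: data flows only to a destination that dominates it.
    The sender's wishes are not an input, which is the difference from DAC."""
    return destination.dominates(doc)


def dac_may_send(owner_allows: bool) -> bool:
    """Discretionary model for contrast: the owner's decision is the whole check."""
    return owner_allows


def audit(doc: Label, destinations: dict) -> dict:
    """Map each destination name to the MAC decision for sending `doc` there."""
    return {name: mac_may_send(doc, label) for name, label in destinations.items()}


# Constructed sample: one project document and four possible destinations
# (a person, another person, a machine and a disk drive).
DOC = Label("Top Secret", frozenset({"project-x"}))
DESTINATIONS = {
    "cleared teammate": Label("Top Secret", frozenset({"project-x", "project-y"})),
    "cleared, wrong project": Label("Top Secret", frozenset({"project-y"})),
    "mail gateway": Label("Unclassified"),
    "usb disk": Label("Secret", frozenset({"project-x"})),
}

if __name__ == "__main__":
    for name, allowed in audit(DOC, DESTINATIONS).items():
        print(f"{name:24} MAC: {'allow' if allowed else 'deny':5} "
              f"DAC (owner says yes): {'allow' if dac_may_send(True) else 'deny'}")
```
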



More information about the TECHWR-L mailing list