Date:      Fri, 14 Aug 2020 13:49:02 -0400
From:      Aryeh Friedman <aryeh.friedman@gmail.com>
To:        Jon Radel <jon@radel.com>
Cc:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: OT: Dealing with a hosting company with it's head up it's rear end
Message-ID:  <CAGBxaXkYpjUGwFwR-WZo9Ud0b_ZwmP7QVY74QH3vyt0Z12NmXQ@mail.gmail.com>
In-Reply-To: <df55f102-228f-021d-62ba-b26520e78740@radel.com>
References:  <CAGBxaXmg0DGSEYtWBZcbmQbqc2vZFtpHrmW68txBck0nKJak=w@mail.gmail.com> <CAGBxaX=XbbFLyZm5-BO=6jCCrU%2BV%2BjubxAkTMYKnZZZq=XK50A@mail.gmail.com> <CALeGphwfr7j-xgSwMdiXeVxUPOP-Wb8WFs95tT_%2Ba8jig_Skxw@mail.gmail.com> <CAGBxaX=CXbZq-k6=udNaXTj2m%2BgnpDCB%2Bui4wgvtrzyHhjGeSw@mail.gmail.com> <40xvq0.qf0q3x.1hge1ap-qmf@smtp.boon.family> <CAGBxaX=9asO=X32RucVyNz5kppPhbZc9Ayx-pyiXMBi85BeJ6w@mail.gmail.com> <20200814004312.bb0dd9f1.freebsd@edvax.de> <20200814065701.2b390145ac6d189161bc31b4@sohara.org> <173ed205550.27bc.0b331fcf0b21179f1640bd439e3f4a1e@tundraware.com> <CAGBxaX=gs57EXsm028%2B6Var89MUoGh-7d1gfPdGmbm5gPBnufA@mail.gmail.com> <4d320acd-a995-7a35-5c0e-c2c22e7e6f96@radel.com> <CAGBxaXnjDAnZPjx_nksb_ed-f%2BX=PowLTUYMX706oMScd8HDaw@mail.gmail.com> <df55f102-228f-021d-62ba-b26520e78740@radel.com>

On Fri, Aug 14, 2020 at 1:13 PM Jon Radel <jon@radel.com> wrote:

> On 8/14/20 10:44, Aryeh Friedman wrote:
> > On Fri, Aug 14, 2020 at 10:32 AM Jon Radel <jon@radel.com> wrote:
> >
> >> On 8/14/20 09:48, Aryeh Friedman wrote:
> >>> Unless it is 100% air gapped with no ability to plug in portable media
> >>> and/or record the screen then nothing is 100% immune from such loss and
> >>> thus not allowing it makes very little sense.  If on the other hand the
> >>> idea is to limit the damage that malware/spyware can do then it makes
> >>> sense (even if someone does in [accidentally] install malware/spyware it
> >>> can not send the results of its dirty work anywhere).
> >>>
> >> Untrue.  As the CISO at my latest employer said to me (paraphrasing
> >> some, as it's been a while):
> >>
> >> You and I know how to circumvent the restrictions, but the vast majority
> >> of the staff hasn't a clue.  This cuts down the noise I have to wade
> >> through.
> >>
> > Oh great, security by obfuscation!  Sounds like the CISO missed the first
> > day of security 101.  A false sense of security is always a bad idea.
> >
> I'm a bit unclear on how a frank admission that the controls can be
> circumvented translates, in your head at least, into a false sense of
> security.
>

If the controls can be circumvented they are essentially useless and
shouldn't be in place in the first place.  Besides, anyone who knows what
RDP or SSH is would also know how to circumvent controls designed for
non-technical people, so that makes the blocking of them even more
short-sighted.  This is what I meant by security by obfuscation (i.e. hiding
obvious truths that everyone with any knowledge knows).


>
> The playground is a bit bigger than the technical sandbox where you
> appear, and I most certainly am, most comfortable.  The CISO also has to
> be comfortable hanging out with the compliance lawyers behind the shed
> at the far end of playground, not to mention keeping HR happy.
>

In our case it is also keeping a government agency happy.  And yes we do
deal with that level of decision making since we are the de facto IT dept.


> If you write a policy document, implement controls that make
> "accidental" circumvention of the policy difficult, while still keeping
> a close eye on what else the staff is doing, you can:
>
> 1.  Reduce the noise of having to track unthinking, largely innocent
> violations and endless, tedious discussions about who deserves to be
> fired.
>

The very idea that it is about who to fire instead of actually preventing
the issue in the first place is a mindset failure (and one of the primary
reasons why corporate America in general is screwed in the head).


> 2.  Reduce the plausible deniability of the actual attempts to cause
> harm to the company, now that actual "tricky" actions are required to
> circumvent controls that give you big warnings in your browser, making
> for much better confidence in making termination decisions and/or taking
> legal action.
>

Not the case with doctors who have staff that routinely break HIPAA (not
our problem, but there are stories everywhere on it).  No level of "don't do
this" coupled with very hefty government fines stops them.  The general
response from doctors is: we don't care.


> None of this particularly has anything to do with the technology.
>
>
> >> Actually, better yet, you probably don't want to discuss that on a
> >> public list......
> >>
> > If *YOU* think it doesn't belong on the list just come out and say it.
> >
> >
> You may be under the impression that our interests are aligned on this
> one.  Personally, I'd find blow-by-blow updates on how your lawyer
> freaks on finding that you are discussing his/her strategy on the
> Internet, tidbits on the suit against you claiming tortious
> interference by the hosting provider you've been bad-mouthing for days
> and have now named, and the general unraveling of your contract, amusing
> reading.  (Others here probably feel differently, but they can speak for
> themselves--I suspect the sensible ones have already killed this
> thread.)  If you think that was a mealy mouthed way for me to say that
> I'd prefer you'd stop discussing this, you'd be most mistaken.  I was
> just trying to suggest, given that I'm not malevolent enough to wish all
> that on you solely for my amusement, that you consider how much of your
> laundry, with some mighty amusing and suggestive stains showing, you
> wish to air in public.  That's all.
>

First there is no active lawsuit or even contemplation of legal action
whatsoever currently from any of the parties (that we know of).

I didn't say anything that is not already public knowledge (it might have
been a little more detailed than normal, but it is not anything secret).
(If you cared enough to see that I checked my LinkedIn then you might want
to do some research on me to see that all of this was already public
knowledge [the people that I didn't name were already named by other
sources].)  As to my client's strategy, there is nothing I said that is not
already in their marketing material (and I never named the client's company
name, only one of the two vendors we are having issues with).

-- 
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
