josef newton wrote:
Banning IM and Skype are silly.  Do they ban cell phones/SMS?  Same
thing really.

I don't think IM and cell phones are the same. IM and Skype are using company infrastructure - packets going out come from the company (not a personal phone), and so the company may be held legally responsible for them. Also IM and Skype have access to the corporate network. Defects in such software *have* been used to break into companies and steal information. Do you really want a company that has your personal information (such as credit card details) making that information susceptible to attack? Such breaches can destroy a company's reputation - a lot more costly than increasing the productivity of some individuals.

I have been listening to a number of security podcasts recently and I must say the insecurity of many systems out there gets quite frightening at times. And they talk about exploits that have actually happened. E.g. an episode back in October last year (so might have been fixed now) was talking about how one web browser (not IE), as soon as you installed one plug-in, was susceptible to attack. The plugins have access to all web browser internals, so can hide themselves, download more plugins and hide them, and access the complete memory space of the browser (including cached passwords etc). Imagine a plugin developer having auto updates, then a hacker breaking into the auto-update site and putting malware into the plugin. They can then skim all your banking details etc without you knowing.

Actually, the security podcasts are also quite fun to listen to at times. My favorite was a talk where a researcher got a laser pointer, rewired it to hook up to the MIC in line on their computer (turning it into a directional laser microphone), then adapted voice recognition software to distinguish between the sound of different keys on a laptop. They pointed it at the back of a laptop while someone was typing, collected sound for a bit, then fed it through a dictionary to guess which sounds were which keys on the keyboard. The space bar sounds so different it was easy to spot word breaks. In less than a minute they could listen in on what someone was typing on their laptop with fairly good accuracy. They then demonstrated it working in the conference presentation. I think it worked from 20m away with a cheap off the shelf laser pointer.

I am not saying some companies don't have security tighter than necessary or that it's annoying. But I do think that most developers DO NOT understand security issues as deeply as you would expect. I think it's a specialist field. It's sort of like saying all carpenters are cabinet makers. It just isn't so!

Sorry, not picking on this post in particular. Just wanted to make the point that (I believe) most developers do not know enough about securing systems, so just saying "trust developers as they are more IT literate" is not convincing to me.

But it could also be paranoia after listening to too many security podcasts!

Alan
