On Mon, Feb 3, 2014 at 3:43 AM, Rich Kulawiec <r...@gsp.org> wrote: > On Fri, Jan 31, 2014 at 09:01:06AM -0800, Yosem Companys quoted: > > "One of these mandates includes having employees with Windows XP > > laptops and desktops migrate to Windows 7 Enterprise or Ultimate, or > > Windows 8 Pro or Enterprise, by April 8. Employees will be able to > > download the latest Microsoft software for free under a new campus-wide > > license obtained in November 2013." > > Let's stop right there. > > If this entire initiative was actually about security in any way, > shape or form, then this paragraph would not be present. Closed-source > software cannot be secured, and changing from one insecure version > of Windows to another is merely an expensive, time-consuming exercise > that achieves nothing of significance.
Disclaimer: I can't stand windows and I've nearly banned it from work place. Reality: You don't understand business nor threat modeling. Microsoft is, unfortunately, the backbone of most world-wide business. There are a host of applications from finance, to statistical modeling, HR planning and otherwise that only run on Windows. You can't easily kill it off. When and if we manage to kill it off, attackers will move to the new thing (say. Mac OS) and focus efforts there. So, for the users that must run Windows on a daily basis, they're electing to offer free upgrades. Good on them. The older versions (such as XP) are reaching end of life for support (and security support) and potentially will become a source of indefinite zero-days. Calling this action meaningless due to your implicit bias against commercial software and windows is a fallacy. Properly implemented, it will result in a reduction of the overall threat to the University. Unfortunately, their implementation process isn't very good. I don't agree with the open-ended nature of their solution. Relying on the users to upgrade themselves means generally that the upgrade will never occur. A compliance-enforcing approach, such as those used in the Cisco and Juniper VPN clients would be better. For example, "You have 30 days to upgrade to Windows 7 or VPN and 802.1X will block you from joining our network" is much better than "Go secure yourselves, we'll be over here" Additionally, your statement of: "Closed-Source software cannot be secured" -- I prefer open source software but I disagree that it cannot completely be secured. It depends only on the motivation, financial resources, and merit of the company attempting to secure said software. Just because you don't happen to get a look at the source code doesn't make this a definitive statement. There are numerous examples of commercial software being immensely hard to defeat. -john
-- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
