On 7/9/2014 11:37 AM, Mauricio Tavares wrote:
On Wed, Jul 9, 2014 at 2:23 PM, Ted Mittelstaedt <t...@ipinc.net> wrote:

First of all, why do people insist on hiding the names of companies that
do stuff like this?  It just makes it look like you're manufacturing
an event that doesn't exist; it destroys your credibility.

       You mean besides NDAs and policies that at the very least might
cause those people to be fired by their employers? If you ever went to
a defcon open presentation, they do their best not to divulge the
names of involved parties.


Correct, but THEY ARE SAYING that they are under NDA and can't talk about it. They readily admit they are profiting off the evildoing of their customers or whatever, and quite often they have worked relentlessly within their organizations to change the SOP, and are
known as gadflies, and their employer is well aware of their views.

They speak at DEFCON because they hope that if enough people are educated about bad security practices, sooner or later an outside force will either convince their employer they were right all along, or, if enough 3rd parties agree they are correct, their employer may be convinced.

David DID NOT say that. He said that "he was shocked to discover". Why are you assuming he is under NDA or that he is an employee of this company?

He did not say this large DP company was his meal ticket.  Are YOU
saying that this is his meal ticket?

But there is a larger issue here that I will address - this insistence on cowardly hiding behind NDA to protect rule breakers. David DID NOT
say he did that - YOU are saying he did - and YOU appear TO BE ARGUING
IN FAVOR OF DOING IT.

What it boils down to is who are your sympathies for?  The people
breaking the rules or the thousands of other
people who are going to find out after signing up with the rule
breakers that they use questionable and unsafe business practices?

Now, in MY opinion there are only TWO ways to handle organizations
like "large data processing company".

The first is to work within the system - if, for example, Large DP
Company _is_ a customer of David's, he goes to them, explains the danger,
and recommends they correct it.

Then when he posts here he says "I was shocked to discover this, and my
customer and I are working to correct it" or some such. I have plenty of respect for that, and posting that encourages other IT people to
do the same.

The second way is to work outside of the system.

You start by sending an anonymous letter to the large DP company
outlining the security issue and giving them 3 months to correct it or
you will go to the press.

If they haven't corrected it in 3 months you anonymously post details
of what they are doing to every security blog and mailing list you
can find.

In that case, you NEVER, EVER breathe a word of the security problem to anyone. No one in the company, no one outside of the company. You make absolutely sure there's no possible way it can be traced back to you, because trust me, they are gonna try like hell to find whoever ratted them out.

I presume David IS NOT doing that or we wouldn't be having this discussion.

If you cannot do either of those options THEN GET THE HELL OUT OF HIGH TECH WE DON'T NEED YOU.

You are an administrator. YOU ARE PAID BY CLUELESS USERS TO PROTECT THEM AND THEIR DATA, DAMMIT. They trust you. When you walk on by something like this business David posted about, and DO NOTHING, you are breaking their trust. THIS is my beef with David's post. Merely posting "hey this is what someone is doing" is just walking on by, kicking the can down the road, doing nothing. THIS is what destroys your credibility.

Users don't understand the dynamics of it. They aren't qualified to advise you no matter what they tell you and what you think - if they were, they wouldn't be paying you to do the job.

Defending people like Large DP Company is morally wrong and
bankrupt. Mauricio, you need to seriously think about what you're saying. Would you want your child's doctor to say nothing when you tell him you're a 2-pack-a-day smoker in your home? Well, probably
you would - but the doctor's responsibility is to the helpless
child, not to you. The IT admin's responsibility is to the helpless users, not to a rule-breaking large data processing company.

Ted

Secondly, if you think that this is an example of "badness" on Windows
security best practices you simply have not seen Windows deployed in
90% of production networks out there.  This is NOTHING compared to S.O.P. on
most Windows setups.

Imagine the MS-DOS/LanManager network security model of 30 years ago.  Now
imagine Windows networks today in the vast majority of production installs.

NO EFFING DIFFERENCE!!!!!!!!!

Ted


PS:  Naturally there will be some Windows-kool-aid drinker who is going
to angrily reply to this post claiming Windows is secure if people just
followed Microsoft's directions.....



On 7/9/2014 11:06 AM, David F. Skoll wrote:

On Wed, 09 Jul 2014 05:44:34 +0200
Karsten Bräckelmann <guent...@rudersport.de> wrote:

If you deliberately try to sneak past sensible security measures, you
should not be surprised to be blocked. The attempt by an honest user
to disguise any $file (he did it on purpose, so he knows there are
issues with that) is in no way better than a dishonest user
disguising a file.


Since implementing this rule, I have been *shocked* to discover that a
large data processing company (name hidden to protect the guilty)
sends out information about credit-card processing in the form of
obfuscated Microsoft Windows executable files!!!  (They're renamed to
end in ".ex" instead of ".exe")  I tried running one of these files inside
Wine.  It's a "PGP Self Decrypting Archive" that asks for a passphrase.

The mind boggles!  *THIS* is the state of Windows "security" best
practices?

Regards,

David.
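The rule David describes blocks executables that were renamed to dodge an extension filter. The check a gateway needs for that is content-based: a Windows PE file starts with the "MZ" DOS header and, at the offset stored at 0x3C, carries the "PE\0\0" signature, whatever the filename says. The example below is added here and is not code from the thread or from SpamAssassin; the blocked-extension list and the sample attachments are constructed for the demonstration. A PGP Self Decrypting Archive is itself a PE executable with the archive appended, so the header check catches it under ".ex" just as it would under ".exe".

```python
import os
import struct

# Constructed list of extensions a gateway typically blocks by name alone.
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}


def is_pe_executable(data: bytes) -> bool:
    """Return True if the bytes carry a Windows PE header, regardless of filename.

    Checks the DOS "MZ" magic, then follows e_lfanew (the little-endian
    32-bit offset stored at 0x3C) to the "PE\\0\\0" signature.  A bare "MZ"
    prefix is not enough, which keeps text that happens to start with
    those letters from being flagged.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    # Slicing past the end yields b"", so an out-of-range offset fails safely.
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"


def classify_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment by both its claimed extension and its content.

    Returns one of:
      "executable"           - PE content with an extension already on the block list
      "disguised-executable" - PE content under an extension that would slip past
                               a name-only filter (the ".ex" rename in the thread)
      "blocked-extension"    - non-PE content but a blocked extension (blocked by name)
      "ok"                   - neither the name nor the content looks executable
    """
    ext = os.path.splitext(filename)[1].lower()
    if is_pe_executable(data):
        return "executable" if ext in BLOCKED_EXTENSIONS else "disguised-executable"
    if ext in BLOCKED_EXTENSIONS:
        return "blocked-extension"
    return "ok"


def constructed_pe_stub() -> bytes:
    """Build a minimal, non-runnable byte string shaped like a PE header (constructed sample)."""
    dos_header = bytearray(b"MZ" + b"\0" * 0x3E)      # 0x40 bytes of DOS header
    struct.pack_into("<I", dos_header, 0x3C, 0x40)    # e_lfanew points just past it
    return bytes(dos_header) + b"PE\0\0" + b"\0" * 20  # PE signature + padding


# Constructed sample attachments, as a gateway might see them.
CONSTRUCTED_PE_STUB = constructed_pe_stub()
SAMPLE_ATTACHMENTS = [
    ("cc_report.ex", CONSTRUCTED_PE_STUB),          # the rename from the thread
    ("cc_report.exe", CONSTRUCTED_PE_STUB),         # same content, honest name
    ("invoice.pdf", b"%PDF-1.4\n%constructed"),     # benign document
    ("notes.txt", b"MZ is just two letters here"),  # MZ prefix but no PE signature
]

if __name__ == "__main__":
    for name, content in SAMPLE_ATTACHMENTS:
        print(f"{name:16} -> {classify_attachment(name, content)}")
```

Running the block prints "disguised-executable" for the ".ex" file and "executable" for the ".exe" file, while the PDF and the text note come back "ok". The point is that the decision is made on the bytes, so the sender's choice of extension carries no weight; the extension list only decides which label to attach.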

