Has Corporate Info Security Gotten Out of Hand?
KoshClassic asks: "What is the right balance between security and productivity, in the corporate IT environment? Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software. Today, my company's proxy server blocks access to 'bad' web sites (such as Google Groups); our 'antivirus' software prevents our machines (even machines that host production applications) from carrying out legitimate functions, such as the sending of email via SMTP; and individual employees are forced to apply security patches with little or no notice, under threat of their machines losing network access, if they do not comply by the deadline. On one hand, you can never be too secure, however on the other hand, have we become so secure that we're stifling our own ability to get things done? What is the situation like at other companies?"
The only real problem is overzealous proxy servers, which can be tough to configure, but should have a whitelist of some sort... the rest of the problems mentioned are problems that have solutions. There are plenty of corporate-level antivirus solutions that will allow the control of virus scanning policies so that you could enable the sending of e-mail through SMTP. If it's corporate policy not to allow it, then it really isn't a computer problem, but a company policy problem. There are also plenty of options for keeping up on patches that would relieve the users of this responsibility. Even in the case of Windows, Microsoft distributes a free "private" version of Windows Update, called Windows Server Update Services that can be deployed on a network. This version allows you to choose when and how which patches are distributed; all you have to do is point your computers to the server. Assuming you are running a Windows network, the settings for the Windows Update can be deployed via Group Policy without ever having to visit a workstation. Workstations can be scheduled to update themselves without taking control away from the IT department in regards to which patches they want installed.
Most of that was assuming you are running a Windows-based network. I am not as familiar with Linux software, but I know that similar services are available for Linux as well. In my experience managing network environments, most of this has never been a major problem. It seems to me that the network environment doesn't suffer from too much security, but that the existing security needs to be better managed so that it doesn't prove detrimental to the productivity of the employees.
I think overall mankind's productivity has increased thanks to the technology. I can't say if the IT world would be more convenient if 95% of us were using Linux.
It's like when cars were first introduced: there were no speed limits, cars were hardly locked and tyres were hardly treaded...
As cars became more common, more people died in car accidents, so you can't drive too fast anymore, must wear seatbelts and cannot drive drunk.
As car thefts became a norm, we had to lock our cars; when that's not enough, we need to put on the steering lock, alarm, then immobilizer, and now the security datadot. However, I think overall we do benefit from the introduction of vehicles.
Security, like most things, is a balancing act. Being able to manage the 'pain vs. protection' factor is the key to all of it, and unfortunately no tools seem to have the sliding adjustment with those options on it.
Ideally security will allow everything that's vital while not stepping on any services that are required. With most companies, what is 'required' ends up being pared down as the security net gets closed down tighter.
Nostalgia is one thing -- how many of us worked on systems that had telnet / ftp open to the outside without a firewall? I know I did back in the day. When management is behind security initiatives, being able to work on the business issues ("No, we CAN'T disable FTP!") becomes less of a problem.
Regarding individual workstations -- putting the burden on end-users doesn't seem to be a common (thankfully) configuration in the companies I've seen. Most larger places are doing automated patch management and deployment now. I know quite a few places where every single system (desktop and production) is patched within a 15 day window. While it's not bleeding edge, this relatively fast schedule combined with the concept of 'defense in depth' goes a long way to preventing issues. I know places that haven't lost a machine to a virus in YEARS.
Security that's preventing legitimate work from being done needs to be adjusted. All of the problems you've mentioned are fixable.
When I run into such a seriously aclueistic situation, I point it out. Once. Then, I go work somewhere else if they don't get a clue.
But this is slashdot. A slashdoter who didn't build his own computer is like a Jedi who didn't build his own lightsaber!
One time for security's sake my office ethernet port was turned off by IT. Figuring it to be some outage I called support (hah!), and they looked up my IP address and said yes the port had been turned off because my machine had refused to accept recent XP updates.
Hmmm, but my machine is a linux machine! We're sorry, but until your machine accepts the updates we can't re-enable the port. I asked why I hadn't been notified -- they said ALL XP login scripts had been posting the notice for over a week, I had been given "plenty" of warning!
Hmmmm, but my machine is a linux machine! We're sorry, but until your machine accepts the updates we can't re-enable the port.
Fortunately I had a dual-boot, so I was able to comply.
But, ironic that one of their (in my opinion) least vulnerable machines on the network was mine.
(And, for the record, my assigned work had no specific XP requirement, and my responsibilities were heavily around Unix... so I wasn't in violation of any policy (such as they existed).)
individual employees are forced to apply security patches with little or no notice, under threat of their machines losing network access
I don't think this is unreasonable at all. What's the downside of enforcing a little rigor in your employees, when the alternative is having your entire corporate network become a zombie farm overnight controlled by a mob boss in Russia named Vladimir?
I'm sorry. The number you have reached is imaginary. Please rotate your phone 90 degrees and try again.
But also realize how much the worms of 2003 and 2004 cost corporations. I saw it first hand when working in a plant, and it was seriously disastrous. I can understand why they don't want that to happen again.
If surfing "bad" sites is THAT important to you, perhaps it's time to get your resume out to a company that trusts its employees more. Or quit complaining to a bunch of slashdotters and present a true solution that benefits everyone. There are ways to have both security and usability.
Berto
What is the situation like at other companies?
I'd love to tell you but that would be a breach of security.
Everywhere I've worked seven to ten years ago (1995-1999) made IT workers who wanted Internet access sign special forms that had to be okayed by three levels of management before Internet access was granted. And once granted, it was heavily monitored.
Four to seven years ago (2000-2002) getting Infobahn access was far easier, but most companies still required that you use their proxy so that they could monitor who visited which sites and who spent more time posting to /. than checking code into CVS.
But lately, Internet is usually just taken for granted. At most you have to worry about firewalls that don't let ports other than the standard http and https ports in or out. And that is fairly easy to bypass by anyone with a home machine.
- Google Groups doesn't sound like a business website. That's "bad" from a management perspective.
- SMTP blocking would not be needed if users didn't keep clicking on emails from the "FBI", "CIA", etc. Besides that, it's easy to configure an AV policy to exempt legitimate SMTP usage.
- Updates can and should be applied automatically and without user intervention. If a reboot is required a nightly shutdown policy will suffice.
I'd love to live in a happy land where all computers can be open and free but unfortunately malicious crackers, crappy programming and ignorant users have made that an impossibility these days.
Hmmm, maybe if you didn't filter out google groups you could actually find out what other companies are doing. That's like one of the #1 internet tools for troubleshooting everyday issues. Pop in an error message and out comes reams of articles with other users having the same issue and the fix to the problem. It's the best free knowledge base ever!
Adeptus
No trees were killed in the making of this post; however, many trillions of electrons were horribly inconvenienced.
I think that there are too many companies who have people who just decide iTunes purchases and downloading of podcasts specifically through iTunes is not a good use of resources, yet we are an educational institution that can have VALID reasons for purchasing music and downloading podcasts. There's a programmer that creates... things that are put into our login scripts to kick off antiviral scans at every reboot, scan inventories and update records at every log in among other things. It's to the point that I never log into the network with my laptop (I just use the ethernet) so that my tools like VNC are still around when I need them. I have no power on what I have on my PC any more because someone thinks that X thing is "dangerous" to the network. This is what malware and Windows Bugs have done to a great industry.
Gorkman
Being a member of the IT dept. at a school district, I am glad our security policies are as stringent as they are, when you have a few thousand teenagers trying to download as much spyware and pr0n as possible. Now you may say most businesses don't have teenagers as employees, but even the teachers need to be protected from themselves because they don't know any better. What I'm getting at is, if he thinks it's hard to get stuff with his security policies, wait one week without them and see what he can do.
"When they invent bitch slaps that can go through a monitor you better f'ing duck" --deft (253558)
A slow transition is better than sticking with the current situation.
At big big US government agency they block jakarta.apache.org because it is a "hacker tools site". Ironically the majority of their own stuff runs on Tomcat, et al.
Your complaints are more about lazy and/or stupid and/or under-resourced sysadmins and bad security setups than security in itself. Regardless, the poor security is generally less of a dent on productivity than corporate LANs without virus scanners or firewalls.
Has Corporate Info Security Gotten Out of Hand?
Obviously it still needs work.
google: stolen customer data
And, why, yes I am a network administrator, thanks. I'm lucky so far -- it's a small company, people are well-behaved, and I don't have to implement the policies you describe. I set up times for patches, there's no proxy yet and not too many firewall restrictions.
But if this place gets to be big enough that I can't count on collective intelligence and/or social pressure to keep people doing the right thing, I'm going to have to seriously consider policies just like the ones you describe, in order to keep things running as they need to -- because your complaints about the network not working 'cos of the latest virus outbreak are going to be a fuck of a lot louder than your complaints about your desktop machine not being allowed to be a mail server.
Carousel is a lie!
What does create havoc (and I jump in with this in every one of these discussions because it can't be said enough) is the insanity with multiple, long, complex, frequently-but-out-of-sync changed passwords. It causes huge hassles, prevents users from taking advantage of resources and is an absolute disaster for security.
And not just on the IT side. Arbitrary security requirements often slow progress tremendously if they don't halt it altogether. It's grown its own huge bureaucracy & career path. And heaven help you if you question anything security requires. I've literally been told that I'm "unamerican" because I questioned a particularly useless security requirement that was arbitrarily levied on us. And you wonder why I post this AC?
And the economic cost is enormous - I used to work in a major acquisition system program office (SPO). Various security costs amounted to the biggest budget line item in the program, although they were careful not to show it that way on any single chart. And that didn't account for military personnel dedicated to security, as they didn't come out of that cost. And it certainly didn't account for the huge drain on productivity it caused.
Of course, when companies get nonsensical security policies, they force people into horribly inefficient and/or insecure workarounds.
Rather than issuing in-office consultants a company e-mail address, CCing a Yahoo.com e-mail address, besides being insecure and unaudited, just looks damn unprofessional.
Don't have a document management system, SFTP, or even FTP? People clog up Exchange with huge attachments with no central control or even a sense of where the authoritative copy of something can be found.
How many of us have run SSH on port 443 on an outside box just for SSH tunneling? I had an employer who blocked 22 specifically because the firewall guys knew that inbound tunnels could be opened... but damn it if 443 wasn't wide open.
When C-level execs bitch about things, though, it's not hard to get someone in IT to demand the security equivalent of a chmod -R 777 /
*sigh*
I work in a .mil environment with managed images and very good security. What I'm reading is that your company is still in the learning phase when it comes to customer service balanced with security.
We operate under a standard image architecture with updates and patches pushed out across the enterprise. Proxy servers are a necessary evil, but we are very reasonable on our block lists. (North Korean sites are discouraged along with Ebay...) This is for our unclassified network...
We learned the hard way too. Our first generation of machines were issued with padlocks on the cases and no CDROM drives...
Our IT system never compromises operations for security, and it never has to. Your IT staff may need a bit of fresh air, a few customer-centered workshops, and maybe some field trips to see how others work.
I feel your pain and wish you the best.
Security: Top-notch
Users: Some give away their personal passwords (for legit purposes) instead of asking the right persons to create new accounts.
Impact on security: The security becomes useless.
This is a problem in many large organisations, especially when dealing with people who know about nothing about computers and security.
The best excuse for a President, a King or others *insert your words*, is God. God has still yet to find an excuse.
What is the right balance between security and productivity, in the corporate IT environment?
Simple, more security. As more secure systems tend to run more reliably (less bugs) and with lower maintenance (removing root kits) than do less secure systems. Knowing most corporate environments, security tends to be lax.
Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software.
Yes, it was better more than ten years ago. If your computer was connected to the internet and caused someone problems you got kicked off for a week or two to think about it. Some were even blacklisted. And few if any ran Microsoft products as their gateways or terminals.
But the fact is with many hundreds of millions of Internet users today practicing self administration of an inherently insecure OS and trusting everything they click on -- without regard to others or their company's costs, security has had to evolve. And believe it or not, firewalls existed 10 years ago.
Then along comes the modern cowboy on an unmonitored cable connection hacking people for sport and profit. People hack computers just to send spam, and the system/ISP do nothing. They have long since abandoned kicking them off. The result is the problem is now rampant.
have we become so secure that we're stifling our own ability to get things done?
Not at all, I have always kept important stuff on UNIX and Linux, and professionally manage them like I do at work. They haven't been hacked or wormed. I also tend to use "safe" tools as they also fail less as well as being more secure.
But the optimum answer to be secure is to use securable tools and secure practices in what you do with your computer, something like safe sex.
Heh, my Christian University is a lot worse than that. We have mandatory antivirus (which seems to run scans at the most inconvenient times. Cancel them and you get kicked off the network.) We also have to run all traffic through a HTTP proxy, because they block all outgoing port 80 traffic. The HTTP proxy logs all traffic which is then sent to our deans and hall directors, as well as kept on record forever. In addition, it blocks such disgusting websites as Ebaumsworld, and hackaday (hacking is illegal, kids). It can be loads of fun trying to get programs without proxy support to work. We also get AIM file transfer (for my non-geek friends from home) disabled, along with bittorrent and pretty much every non HTTP protocol. They even have a packet shaper which detects traffic on the wrong ports and blocks it, so forget about using a proxy. Internet access at school can be much worse than at a workplace... Thank the gods for PGP and dial-up!
General manager of a franchise location -- think 'McDonalds' but it was not foodservice.
Chain (under the guise of 'uniformity' but really as a means to screw every last blood cent out of the franchisees) made mandatory for EVERY SITE in the flock a satellite internet connection, at $150.00 per month.
Prior to that, I'd been running on a consumer class Verizon DSL account for 30 a month -- for me only.
Of course, as soon as this high speed (incredible ping) service became mandatory, the owners refused to pay for the $30 DSL.
Ya know what -- the franchise blocked, among others, groups.google.com and refused to unblock any site on the forbidden list.
With 4k locations total, they didn't care jack about one request, and there was no way to get it reversed.
Exactly. Eye-tee has figured out the same thing the government has figured out. Few dare question anything done in the name of security. And those few can be dealt with harshly. It's how they're going to turn corporate computing back into a priesthood.
I too have felt the cold finger of injustice.
"Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software. Today, my company's proxy server blocks access to 'bad' web sites (such as Google Groups); our 'antivirus' software prevents our machines (even machines that host production applications) from carrying out legitimate functions, such as the sending of email via SMTP; and individual employees are forced to apply security patches with little or no notice,"
Of course it's out of hand. Companies, as well as individuals, pay a lot of money for computers. If we bought a car that needed patching every week to run properly it would be called a lemon. And we have lemon laws. If we bought a TV that needed to be patched every week to work properly we have a warranty to help resolve the issues with that product.
While the computer itself works fine, it's the OS and Applications that need constant patching. When the OS makers and Application sellers are held to the same standards as other products are, then maybe you will see your cost of doing business with computers go down.
This has been another valuable and informative opinion from:
Catahoula!
I'm the network admin for a small city government and I have to fight hand, tooth and nail to keep acceptable security practices in place. My users, and the senior management also, are constantly trying to get me to basically negate the most essential security because they'd rather have more convenience and if something goes wrong, then they don't give a rat's patootie that I'll be the one getting punished. The users keep wanting full routability from their desktop to the public Internet without any firewall in place, the senior management wants me to place a bunch of unprotected Windows servers onto the raw Internet outside the firewall, everyone complains about spam, and then when they finally get me the funding to buy a Barracuda, they have me configure it to let over half the spam blaze right thru it anyway. Oh, and when anything bad happens because I was ordered to bore a hole thru what's left of my firewall to satisfy some clerk's need for more convenience to access some ftp site or whatever, it suddenly becomes my fault for allowing our network to become vulnerable. And here's the clincher... one of our own desktop support techs got caught using one of the cops' computers to download a bunch of porn, that somehow became my fault too even though I am not permitted to have any authority over the police dept network security or access controls.
It's tough when you are forced to bear all the responsibility, yet have no effective authority in matters of network security. I say give your network admins more power and authority... after all the company network (or govt org's network) is a business tool that was put in place for the purpose of conducting valid business, not for the users entertaining themselves on the Internet.
You need to talk to my sys admin. Our corporate system is so locked down that it's next to impossible to get anything done! He enforces an insane level of "security" and wears it as a badge of honor that he is pissing off most of the workers; it shows he's doing a good job. It's an absolute pain in the ass to work on our system.
Years ago people didn't lock their doors because everyone knew each other. Years ago you didn't need a firewall in many cases and these things weren't on your mind. Times change and you have to protect yourself.
Many of the complaints in the submission sound like bad IT or mis-directed policy. AV might block a server from sending SMTP mail, but how is it supposed to know it's legit? The IT staff should be telling it which is legit. Users shouldn't be responsible in a corporate environment for patches and updates. That's the Network Group's job. They need to be making it as painless as possible for the end user. I don't expect my users to know about updates and patches and exploits. That's why my team is there.
You should have simply rebooted to the XP side and run the updates. If you want the luxury of a dual-boot system, you should be willing to maintain both halves.
My policy for dual-boot machines is this: No. You can have two machines. I'll get you two monitors you can use dual-head on each machine, a KVM, your own switch, and I'll even clean the goo off your keyboard. But I won't manage a dual boot machine, and I don't want them on my network.
Why?
Raise your children as if you were teaching them to raise your grandchildren, because you are.
but employers do have a right to dictate what happens on their own property. (Although some employers are abusing this right now to dictate what happens on their employers' property, which must be stopped and soon.)
Any employee computer activity on the job, especially internet activity, is a potential liability for the company, and if you browse to the wrong site you can get hit with spyware, cookies, etc. that could compromise the security of the network. Get nailed with a keylogger cookie and all your intellectual property could be stolen.
One day the employees are playing Unreal Tournament 2004 online. The next day it could be this.
Now, honestly, I feel bad about saying all that because I've lived through dialup and I loved to use my high speed access at work before I got my blazing high speed cable modem. But this is the reality of things. Employee optimization, as it is called, can save an employer from FBI raids, massive RIAA litigation, IP theft, and other horrors.
--- Grow a pair, liberals... stop letting the Republicans bully you!
How about too many accounts and strict passwords? That part drives me nuts.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Security has very little to do with updating your virus definitions hourly, and everything to do with knowing when to just unplug the box and find another way to get the job done. What's your risk model? Point granted: the network is a demanding mistress. But fortunately, everyday risk is often handled best by the simplest of means. Stop instant messaging the person one cubicle over, and get to know your local coffeeshop owner. Or neighborhood banker.
http://tinyurl.com/4ny52
Hey Cliff
My opinion is based on 10 years as a computer professional. I have predominantly performed some level or type of support working with end users. Which means I may be a little biased.
My opinion:
It is important that there is a balance between security and freedom. The best balance maximizes productivity.
"FREEDOM!" (Mel Gibson, Braveheart)
On one side we have the user's freedom to do whatever they want. This can and will cause hits to productivity in a number of ways. It's my opinion that the most significant of these ways is the productivity hit of viruses, spyware, and problems caused by the install of unapproved programs.
SECURITY (sorry can't think of a quote)
On the security side productivity can be hampered by having to go through red tape to do your job, having to get special permission for important job related functions, or simply limiting your otherwise boundless resources.
After seeing and experiencing what I have I believe the best is to provide all protection possible that doesn't limit freedom. Then make policies regarding misuse of the equipment. Create limitations as needed based on abuses that decrease productivity (if everyone is using internet radio they won't stop and it is hurting network bandwidth start blocking those sites or services).
Good luck.
You're upset over your access to the Internet?
We have no e-mail, no web access, no ftp, nothing. We have no networking at all!
I work on a combat vessel. None of our systems are networked -- at all. The Commander won't allow it. We're defending a civilian fleet and every member of our enemy forces, literally every one, knows enough about computers that they could infect any of our systems with some of the nastiest computer viruses you've ever seen. The XO, on one occasion, allowed them to network a few computers to calculate our course so we could catch up to the rest of the fleet and it resulted in a firewall weak enough for the enemy to penetrate the system. They almost brought down all the systems on the entire vessel. At one point (the start of the recent hostilities), a number of our fighters were completely disabled and taken out by the enemy because their onboard computers were targeted, knocked offline, and the fighters left defenseless and were picked off one by one.
So if you're complaining about having to deal with web proxies and firewalls, be happy you're not serving on our ship.
Company B - XP Pro locked down so tightly that we can do browsing, email and that's it. No virii in 2 years that I've seen or known about. Patches done to all workstations in a two week window.
The staff in company B are more productive, less distracted and have significantly more uptime, so I think the heightened security is a good thing.
I'll tolerate anything except intolerance.
(Whoops should have been Highlander (with an R))
The stupid part of the story (as told by the poster) is that these IT "professionals" didn't seem to understand that Linux is incompatible with XP.
Why are people who don't comprehend - or can't communicate - this employed in an IT organization??
Had they just explained things the way you explain them in your post, there would be no problem.
Yes, security is most definitely being used as the stick to beat end-users down as far as 'distractions' go. I have had the fortunate experience to work for a company where the motto is:
"It's the result that matters."
If you spend time on slashdot or other forums during the day that's ok (and most definitely not filtered) -- but at the end of the month you have XYZ to get done. If you get it done by working nights / weekends that's your prerogative. Flexibility like this is one of the reasons why we've had zero turnover in my department in almost 5 years.
The tighter companies restrict internet usage and employee behavior, the less personally attached to the company (and their work) the people get, at least in my experience. Companies with fanatic employees can do great things. Companies with people that feel oppressed are just places to work.
The first problem you mentioned is what we always call 'management by magazine.' Some exec saw something on cnn / in a magazine / at his country club and wants to know why it's not being run. Thankfully most executives are averse to spending money -- and in this case it's usually a good way to end some of the ideas they bring to the table.
Speaking of the idea of 'having something just to have it' -- I think this is a problem that's being pushed along by things like SOX / PCI / CISP / and other compliance programs. "We're required to have intrusion detection" so people get out a checkbook and make rash decisions just to put a check in a column.
I am probably one of the only Mac users on a large (50000+ employees) network. I get practically daily messages about patches, reboots, viruses, malware, etc. from corporate IT. I ignore them, and simply keep my computer up to date via Software Update. Ironically, my computer being on the network technically violates IT policy. If I were to follow IT policy, I wouldn't get work done. Why can't IT leave people alone, especially in technical (engineering) environments?
I have run into this problem at my college as well. Virtually every port is closed except those needed for http, https, ftp, and smtp. I cannot use RDP, SSH, or VNC to check on my servers at home or at work. Frankly, with better security implementation they could allow these services to students without compromising themselves too much. I think it is mostly just the higher-ups in the college who are all concerned about "piracy" and hackers.
Really, the only people that aren't a security risk without security disabled can easily get around it, if they need (or want...) to. The average luser will cause more problems than this security will. The key to this though, is punishment of those who circumvent security. At my school, I regularly aid even teachers in getting freemail access, around the filter, etc. They trust me because they know I'm smart enough to do this, and not do anything stupid with my 'superpowers'. Most of them are well aware that the security there is bad and the IT staff unskilled (with few exceptions) enough that if I really had ill will in my heart there's not much they could do to stop or even catch me. My cousin's school used to be like this, but then a new administrator came along and changed the rules. My cousin was found using a proxy that SOMEONE ELSE had once, A YEAR AGO, used to look at ONE pr0n site and was suspended for a week (and grounded). The biggest irony is that he used the proxy to get to a site he NEEDED for his assignment. I don't hate stupid people (everyone is stupid in some ways) but everyone hates having an idiot in charge and being unable to avoid their work. With a bad restaurant, you can go elsewhere, with a bad leader, your options are limited (esp. when you don't get a say in determining the leader).
The 'Net is a waste of time, and that's exactly what's right about it. - William Gibson
A few years ago we had to put an ssh server on the telnet port, because one of our users was at the Federal Reserve Board, whose security committee hadn't approved outbound access to ssh servers on the usual port! In a telephone conversation with me, their security person suggested I turn on the telnet server at my end, and said that he had read about security issues with ssh that discouraged them from allowing it!
Lots of (not all) IT security is just dumb rules of thumb with no analysis or understanding. Lots of IT staff don't think the other employees have work to do, and don't mind interfering with their efforts. As the years go by, management will become more experienced at understanding who is a blowhard and who knows what they are talking about. But it will take time.
It is important to get the basics, and most of the basics can be taken care of by IT. If done properly, it won't impact the user at all. "What about passwords?" you might ask. The most insecure thing at most companies will always be the user. The best thing to do is be sure that no normal user has access to everything; every record, every file, every database . . . This will limit a lot of damage. I tend to believe user education is a waste of time too. It isn't a user's job to worry about this stuff, and the fact that we have poorly designed OS's isn't their fault. Other than these issues, most security-related issues can be taken care of behind the scenes.
BTW not sure why your company is mandating manual patching versus implementing Windoz Update Services (WUS). Computers patch and reboot VERY early in the morning, and the user doesn't have any choice in the matter. I have never had problems with this procedure BTW.
-Schnibitz
Have you ever used USENET? Many of the comp.* groups are quite active, and many are a prime source for information concerning IT-related issues. If you want help, that's the place to go. You'll often get a quick answer, often from somebody with a high level of expertise.
Cyric Zndovzny at your service.
I develop display software for US military aircraft. IT wants the company to switch from UNIX boxes (Suns) to Windows. Need I say it sucks? Windows screws up the case in filenames. The machines aren't set up to carry your environment from one box to another. They have to be rebooted at least every couple of days. There's so much useless crap loaded at boot that they've already consumed 300MBs of RAM before you log on. Then when they are running they're constantly probed by the mother ship. We have the blocked URLs and crappy internet access but I can live with that. They upgraded all the machines from W2K to XP but didn't bother to get compatible applications. I can't run Outlook and my Xserver at the same time. Guess which one doesn't get run? Then there's the phone system.....
We have pretty much no security policies where I work, and as such really no security problems that I could see. Just my $.02
=== Your PC has been infected by SPYWARE! You need Ultra Spyware Removal 6000 to fully optimize your PC for the internet! Download now at www.ultraspywareremoval6000.cx and get started today! ===
(term coined by Bruce Schneier, AFAIK)
What bothers me more than the company turning down the screws to secure things is when they turn down the screws to secure things, without really accomplishing that end. I certainly won't disagree with a software maintenance policy, for Windows, Linux, and everything else. Nor will I disagree with firewalls and enforcing company policies across them.
But if I were to tell some of the more boneheaded things that are ALSO done, and the holes obliviously left open, you'd either know where I work, or how to crack the place.
The living have better things to do than to continue hating the dead.
I work for a company which has a very restrictive policy. All PCs are centrally managed, monitored, patches are remotely applied, internet access is very strict (only ports 80, 443 outbound allowed). All access is via corporate proxy server with layer 7 filtering. Every outbound access is logged.
However, despite these measures I can still use JAP or Tor to access any site. I can still ssh (via ProxyTunnel) to my home PC over port (my sshd runs on port 443). Basically, it just means I have to go through hoops to get stuff done.
I understand that these measures are aimed at the non-geeks - the same people who have spyware infested PCs at home (and aren't even aware of it). However for geeks in the I.T. dept like myself, it is just a futile arms race which can never be won by either side.
What is the productivity of a system full of spyware/viruses? Usually, just about zero.
If you can restore a system in a matter of minutes (deep freeze), then maybe it's not such a big deal to have a secure system. But if it takes an hour or a day, then it's a bigger deal.
What's more, unlike the useful free accounts such as gmail and yahoo that often put suspect mail into a spam box, I have no access or knowledge of what the spam filter is destroying - so emails aren't received, customers get cranky and information is lost, time is wasted. I'm sure there must be others who feel the pain of spam filters both at work and home.
So the question is, would you risk your job over the security of your workstation? I hope not... If so you are a moron and deserve MIS to come cracking down on you. MIS and HR are tight at my company, and for good reason.
> [...] individual employees are forced to apply security patches with little or no notice, under threat of their machines loosing network access [...]
One thing you DON'T want is your network getting all loose; the bits fall out everywhere and it's very messy.
So keep your network tight! Apply patches!
I don't know the meaning of the word 'don't' - J
Yeah, weird that they might want a machine running Windows XP to be updated. You might have Linux on the machine, but you also had Windows XP, and it sounds like it was missing security patches.
The fact that he hadn't noticed the loginscripts for over a week indicates to me that he didn't use his XP installation at work a lot, and even then how can you assert it wasn't patched? He may even have had to wait until a patch became available to qualify for a connection because his XP installation was already fully patched! Offhand, I am guessing this guy probably got issued a laptop from his employer and installed Linux on it for day-to-day home as well as work use, dual booted with XP mostly for gaming and perhaps for that once-in-a-blue-moon time that he couldn't get something done at work with Wine+[Random M$ application].
I fail to see how this was stupid of the network admins. Draconian maybe, but it got you to apply the security patches.
It is stupid because they could have exempted him from their Windows specific policy quite easily. It is stupid because they may even have given him a hard time because they didn't even know how to exempt a non Windows boxen from their MS specific setup. All it would have taken was to send somebody upstairs to check out his setup for security and if it was OK adapt the policy. If you are an IT tech that works a lot around Engineers, non-MS admins or Programmers you are going to have to get used to cases like this (ie. escaped mental patients who use Linux or OS.X in a corporate environment) and unless you find out how to cater to people running non-MS Operating systems you will quickly find out that you haven't got any friends willing to do you a favor when you really need it (ie. when you have screwed up and need a quick fix from the local nerds).
Only to idiots, are orders laws.
-- Henning von Tresckow
You sir, need to accept the bureaucratic nature of large organizations. There have been a few times that I've had to do some really asinine things in order to keep my job. I knew it was bullshit, my coworkers knew it was BS, and the poor SOB on the other end really knew it was BS. But, if either strayed from policy it was our asses. Why was this policy in place? Because the higher ups didn't want to take the time for all of the inevitable exceptions that occur.
The solution? Acceptance - Zen practice. Or, start your own organization - if possible. Entrepreneurship!
There's a reason why small companies are the ones that are creating most of the jobs. There's a reason why small companies are the innovators. There's a reason ... you get the idea.
So the question that LEAPS out at me, is how can they block groups.google.com as being a "bad" site, and still allow access to slashdot? WTF??
Seriously, one of the problems has a relatively simple solution. Antivirus is running, and blocking SMTP. I am assuming that you run an "enterprise" edition of some anti-virus software. They probably have one group policy set for all machines, since everyone uses Outlook or something.. This is not taking into account your group's machines, that need it to get work done. Usually, you can create another "group" in the software, and give them slightly different configs.. (like letting SMTP through) and only putting your machines that NEED it in that group..
The other possibility (wasn't explained well) is that they block port 25 on the network. This is a little more difficult. I personally have my routers set to deny any outbound port 25 connection that is not from a list of mail servers.. It gets logged, I get an email, and I have a pretty good idea what machine is infected with a virus... (also handy for other ports, 110, 443, 135, etc)
Egress filtering! It's good to be a nice Net-Neighbor!
What are we going to do tonight Brain?
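The egress check described in the comment above (deny outbound port 25 unless the source is a listed mail server, log it, and use the log to find the infected machine), as an added example that is not part of the original thread. The log lines are constructed in a simplified iptables LOG style; the `EGRESS-LOG` prefix, the addresses, the internal range, the fan-out threshold and the verdict labels are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the only hosts permitted to open outbound SMTP connections.
MAIL_SERVERS = {ipaddress.ip_address("10.0.0.25"), ipaddress.ip_address("10.0.0.26")}
# Assumption: everything inside this range is "our" network.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
WATCHED_PORTS = {25}

# Constructed sample log (simplified iptables LOG format, documentation IPs).
SAMPLE_LOG = """\
Jan 12 03:14:01 gw kernel: EGRESS-LOG IN=eth1 OUT=eth0 SRC=10.1.4.77 DST=198.51.100.10 PROTO=TCP SPT=41022 DPT=25
Jan 12 03:14:02 gw kernel: EGRESS-LOG IN=eth1 OUT=eth0 SRC=10.1.4.77 DST=203.0.113.5 PROTO=TCP SPT=41023 DPT=25
Jan 12 03:14:02 gw kernel: EGRESS-LOG IN=eth1 OUT=eth0 SRC=10.1.4.77 DST=192.0.2.44 PROTO=TCP SPT=41024 DPT=25
Jan 12 03:14:03 gw kernel: EGRESS-LOG IN=eth1 OUT=eth0 SRC=10.1.4.77 DST=198.51.100.10 PROTO=TCP SPT=41025 DPT=25
Jan 12 03:14:09 gw kernel: EGRESS-LOG IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=203.0.113.5 PROTO=TCP SPT=50110 DPT=25
Jan 12 03:14:30 gw kernel: EGRESS-LOG IN=eth1 OUT=eth0 SRC=10.2.9.13 DST=203.0.113.80 PROTO=TCP SPT=33001 DPT=25
Jan 12 03:14:31 gw kernel: EGRESS-LOG IN=eth1 OUT=eth1 SRC=10.2.9.13 DST=10.0.0.25 PROTO=TCP SPT=33002 DPT=25
Jan 12 03:14:40 gw kernel: EGRESS-LOG IN=eth1 OUT=eth0 SRC=10.1.4.77 DST=198.51.100.99 PROTO=TCP SPT=41030 DPT=443
Jan 12 03:15:10 gw kernel: EGRESS-LOG IN=eth1 OUT=eth0 SRC=10.3.3.3 DST=
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")


def find_smtp_violations(log_text, mail_servers=MAIL_SERVERS, ports=WATCHED_PORTS):
    """Return ({src: {"attempts": n, "destinations": set}}, skipped_line_count).

    A violation is an outbound TCP connection to a watched port from an
    internal host that is not on the mail-server allowlist.
    """
    hits = defaultdict(lambda: {"attempts": 0, "destinations": set()})
    skipped = 0
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        try:
            src = ipaddress.ip_address(fields["SRC"])
            dst = ipaddress.ip_address(fields["DST"])
            dport = int(fields["DPT"])
        except (KeyError, ValueError):
            skipped += 1          # truncated or malformed line: count it, don't guess
            continue
        if fields.get("PROTO") != "TCP" or dport not in ports:
            continue
        if src not in INTERNAL_NET or dst in INTERNAL_NET:
            continue              # not leaving the network (e.g. client -> internal relay)
        if src in mail_servers:
            continue              # allowlisted mail server
        entry = hits[str(src)]
        entry["attempts"] += 1
        entry["destinations"].add(str(dst))
    return dict(hits), skipped


def triage(hits, fanout_threshold=3):
    """Rank offenders. Many distinct external destinations looks like a
    mass mailer; a single destination is more often a misconfigured client."""
    report = []
    for src, entry in hits.items():
        fanout = len(entry["destinations"])
        verdict = "likely-infected" if fanout >= fanout_threshold else "review"
        report.append((src, entry["attempts"], fanout, verdict))
    report.sort(key=lambda r: (-r[2], -r[1], r[0]))
    return report


if __name__ == "__main__":
    found, bad_lines = find_smtp_violations(SAMPLE_LOG)
    for src, attempts, fanout, verdict in triage(found):
        print(f"{src}: {attempts} attempts to {fanout} hosts -> {verdict}")
    print(f"unparseable lines: {bad_lines}")
```

Passing `ports={25, 110, 135}` applies the same allowlist test to the other ports the commenter mentions.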
To a large extent, it depends on who you are, who most of the computer users are, and what objectives the IT security staff has. Our company has had its share of lockdown mania. We're about to go through another one very soon. The problem is technical ignorance. Those in charge do not understand what the fundamental issues are.
In fact, although it's possible to secure a gaggle of Windows based systems, most people don't know enough to do it right. And in addition, once you learn that much, you begin to see the wisdom of the designs in so many other "complicated" OSs. It's not that Windows is more or less complex. It's just that they have successfully marketed themselves as the "easy to use and secure" OS even though the underlying concepts are anything but.
Real security comes from understanding. That understanding is not commonly found among the many people who call themselves Windows network administrators. That's why this problem exists.
In other words, Marketing is one of the biggest reasons why Windows really sucks. The security features are there. It's just that learning to use them is far more difficult than most customers have bargained for and the folks who market this stuff do not want that commonly known. They'd rather sell security "improvements" and update services...
Nearly fifty percent of all graduates come from the bottom half of the class!
My company has been in the middle of the road - until recently. One day, I was attempting to download an update to one of my favorite Firefox extensions, and lo and behold - mozilla.org was blocked by our firewall.
I thought this was just an oversight or something, so I submitted a request (like many others I've done in the past) to get mozilla.org unblocked - and was given a message sorta like this:
"Mozilla and Firefox are now blocked - not approved software anymore, due to a vulnerability identified in a pre-1.0 version of Firefox"
Huh? So I'm to run this thing I haven't run in a LONG time called Internet Explorer? Umm
When I pressed them, their response was "with IE, even if there are 100 patches released every week - at least we have an automated way to distribute them to the thousands of systems in the corp. With Firefox, there is _no_ way to do this - so a single vulnerability puts us at a much greater risk"
Now, I'm no Microsoft admin or anything - so I'll look to the community here: am I getting smoke blown up my ass? Is this just a case of ignorance by my admins? Or, are they being honest? If they are, I think this is something that should definitely be addressed if we're ever going to get FF accepted in corporate America.
At a Federal Agency (US) that will remain nameless, they have gone to great lengths to approve applications that get along with a standard operating environment and severely limit the use of applications not in that list. They don't go quite as far with taking machines off the network if they don't have updates/patches, as your company does, even though it is being discussed. There are quite a few limitations put on what types of files can be emailed, what sites on the internet can be viewed (if the user even has permissions to access the internet).
"Mentally confused and prone to wandering."
OK folks, I can see modding my post "Offtopic" (I said as much in it), but "Flamebait"? C'mon.
Assume that almost all software -- including firewalls, anti-virus programs, and operating systems -- is crap, and probably has security holes. This is not an unreasonable assumption. Once you make that assumption, you can understand why companies put up so many barriers because all of the barriers are made of crap. This way, attackers have to sift through a lot of crap to get what they are after, and hopefully most will give up before succeeding.
http://outcampaign.org/
No computer is safer than one that is not connected to the Internet... wait, that probably doesn't help you much. Pay no attention to the man behind the curtain!
You do all of this, yet the same thing happens every year. Why is that?
Friends don't help friends install M$ junk.
About 15 senior engineers and managers of the water & wastewater utilities that serve a city of a million people (combined yearly budget: >$250M) gathered in a conference room with the manager that handles the IT budget (>$4M) for both - to watch an American Waterworks Association "Webcast" about "Managing Your Assets" that uses streaming media, your choice of Win Media or Real.
Tried the Windows Media player - no go. "We saw a Webcast at another boardroom", said one guy - "we had to use Real - because of the corporate firewall." Didn't have Real. Tried to install. But the manager for all our IT did not have an Admin login on the XP machine - or any other XP machine that she signs off on over a million dollars a year for, to get corporate IT support.
NOBODY outside the actual IT dept has an admin password on any machine connected to our network; and believe me, they are so locked down I have icons on my desktop I can't delete; and I certainly can't install anything that doesn't run entirely in my own home directory; "C:\" is locked to me, for instance. Almost every installer just dies before it starts with a message that "your account can't install this".
I agree this is a good thing for 90% of users; but the manager in question - and I - were doing PC support and Unix workstation builds back when the first 286 hit the corporation. Doesn't matter. No exceptions.
Anyway, the whole meeting broke up, the reps from some local companies that are much smaller and, ahhh, less formal about such things, shaking their heads in wonder.
It's the "no exceptions" thing that is the mistake. So my vote is "Yeah, It's Gone Too Far".
Bill Gates Loves You.
On this planet, where you know, people need to get things done there is software that works.
Friends don't help friends install M$ junk.
Disclaimer: I work on the security team for a rather large (Fortune 5) corporation.
I would say, compare the environment of the public internet to how it was ten years ago. Would you place your unpatched Windows machine directly on the public internet now? You have (roughly) ten minutes before another infected machine exploits one of the dozen out-of-the-box vulnerabilities that will allow them to run anything it wants on your PC. Not the case ten years ago.
Unfortunately, what was once a rather quiet suburb filled with geeks posting to Usenet and using Mosaic is now a post-nuclear, disease filled demilitarized zone where so many infected systems simply sit and try to infect others that a defenseless machine (or a network of them) is doomed.
Trying to manage security in this environment is a much more difficult job than it ever has been, and every month that goes by makes it more difficult. We shudder on the second Tuesday of every month at what new terrifying vulnerability Microsoft will tell us is in their product that's deployed on a hundred thousand machines on our network. We plead with other IT teams (networking, server admins, client admins) to implement our tools and software and protect the environment, but most of them get pushed to the back burner, either because it's "too invasive", i.e. it annoys the end user too much; or it costs too much; or they just don't have the time.
Then MS05-039 is released. We plead and plead for the patches to be distributed right away because of how severe the threat is. But users like the submitter can't stand to have their PC rebooted unless it's the absolute perfect time. Plus, we have 1700+ applications to test compatibility with the patch on, on hundreds of different PC environments. And it requires a service pack we don't have deployed everywhere, again, because it's too invasive.
Then Zotob.E gets into the environment, and shuts down large sites in a matter of minutes. Then people scream even louder! Where is security? Why didn't they prevent this?
Because no one takes security seriously until it's too late.
From a security admin's perspective, we never have enough resources or management support to fully defend against even the most prevalent threats. Because security (and, as most admins know, IT in general) is underfunded. Because of (very real) scenarios like I described above, we have much more support than we did, and things are improving.
I guess my point is, step into our shoes for a few days. We don't enjoy being draconian - we like Google Groups as much as anyone else! But there are so many attack vectors that we have to be concerned about to protect the environment - and it only takes one. One of my co-workers is fond of the saying, "the hackers only have to be lucky once - you have to be lucky all of the time."
I guarantee every IT admin reading this is thinking, well, if you did this instead of that, if you had two hundred guys on your security team, with all of them testing patches, while listening to every end user complaint and rectifying their situation immediately, you could stay out of the end-user's way! Trust me - we know. We wish our teams were as stacked as they should be. Heck, we wish it wasn't necessary at all to have to defend against stuff like WMF, where any end-user clicking on a link from their IM buddy could get exploited in a second... we wish it wasn't like this. We wish things could go back to how they were ten years ago. The reality is, this is the internet we built and we are fighting to protect our assets from.
---
"how can the same street intersect with itself? i must be at the nexus of the universe!" - cosmo kramer
I needed to rant about the company I work for. Our IT security people have this cool ability to get in the way of absolutely everything I need to do for my job -- all in the name of security.
1. I had to cancel my MacBook Pro order because user-directory encryption (FileVault) is not good enough; they want full HD encryption. So no Mac laptops. Sorry, it's security policy.
2. We can send
3. They block all file types in email with a known extension. So you have to make up an extension and rename the file.
4. Our screen savers come on after 1min and we must type our passwords to get back to the desktop.
5. The virus scanner runs during peak office hours and brings our PCs' performance back to the stone age.
6. There is a web filter which is always blocking legit websites. It has an animation and it makes you feel like a criminal.
7. User passwords expire in 90 days and must be the standard Alpha-numeric+non-alpha-numeric+long+never used before... which is actually fine except the AD admin password is something any dictionary attack could break in 1 second and it never changes.
I thought that the IT department was supposed to provide the IT services that the company employees need. Lately, the IT department is deciding what we need without asking for our input. If you go around their back to get your work done (use an anonymizer to access the web, P2P to send files to customer...) you can get fired for being a 'hacker'.
You seem to forget two things:
(a) Freedom cuts both ways. People have freedom of expression, and people have the freedom of employees to prevent themselves from being exposed to porn in the workplace. If you're looking at porn at work, you're taking the latter right away from all your coworkers. Which do you take away: the right that one person enjoys, or the right that many people enjoy? Perhaps a poor explanation, but the principle is valid.
(b) The workplace is not a free environment. You are working for someone, on THEIR property. What you do on your own time is your own business. What you do on company property is very much the company's business.
Freedom does not mean "I can do whatever the hell I want, whenever the hell I want, wherever the hell I want," at least if it is to be applied to more than one person.
--S
-- sigs cause cancer.
All this whole comment is about is "I can't surf without penalty, I can't run my own machine, wahh..."
.....
First: Did you buy the network infrastructure? If not, then you don't make policy.
Second: Did you buy the computer? No? Then again, you can't bitch about the way it's controlled.
Why stop SMTP mail? On a Windows network, if you're running Exchange, there is NO reason to have SMTP mail enabled. Outlook transfers its mail to Exchange for delivery. Unless, of course, you're trying to bypass the corporate mail server.
"Overzealous Proxy Servers" - ? Hardly. Deny all, explicitly allow.
In most cases, you do NOT own the computer. Even if you DO (contractor), then you don't own the network infrastructure.
Too many liabilities - including morons like the submitter - are why *real* IT staffs have to keep things under tight control and wraps, so that when the next Windows vulnerability surfaces, we can limit its impact and rampant stupidity.
However, since this is gonna be posted AC, nobody will read it anyway
a) Your coworker has no business looking at your screen. He or she should be doing their own work, and should not be snooping on you. It isn't a case of somebody being loud, for instance. The viewer has the option of 1) not looking in the first place, 2) turning away, 3) ignoring the pornography, or even 4) enjoying it.
b) Like I said, had you read my post, it is perfectly fine for one's manager to object to such activity. If somebody isn't working at work while they're supposed to be working, then of course it is acceptable for the firm to take action against them. But that has nothing to do with what they were actually looking at; it just has to do with the fact that they were doing something other than work.
Cyric Zndovzny at your service.
> Companies today cannot afford to not be producing at 100% efficiency
Do we have any idea the size of his company? The "type" of employees there? Maybe he's in a small majority of reasonable users, and 90% of the rest will click on anything that pops up in front of them... Running a business requires making a lot of tradeoffs, and we just don't know enough about his situation to make judgements about the correctness of their tradeoffs.
You have apparently never worked in cubeville.
Pr0n is considered indecent in most of the civilized world. Get over it. Whack off at home, man, don't do it where I might accidentally see you.
--S
-- sigs cause cancer.
Ordinarily I'd agree with you, except for:
(a) What if you're working for a company like Playboy or Penthouse, or others more risque? Porn is expected to be on your screen since it's a function of the workplace.
(b) Not everybody's working on company-owned hardware. When our company got the bright idea of upgrading everyone to LCD screens they wanted to take away my two 19-inch CRT's and give me a single budget-priced 17" LCD. This was idiotic, but I was told that if I wanted anything better I'd have to buy it myself, so now I have two 20" LCD's on my desk that I bought myself and claim on tax as a work-related expense.
It's not the users. Think about it and tell me why you have never heard of such problems in places that use Macs. Don't tell me that it's because graphic designers are better behaved or know more about computers than the rest of us. Well, they do know better than to use computers that need an Administrator like you.
You've never heard of problems in those places because they're four man design shops. You've clearly never been in an enterprise environment. They don't run Macs. They can't afford your overpriced, underpowered machines when they have to be deployed to fifty thousand users. Not that I'm thrilled about Windows, but it's the real world, not your fantasy dream world where everyone runs Debian. You either live in it or sit in your basement and call Microsoft "M$".
I don't know if you're a Linux or a Mac fanboy - from the other comments you've posted in this article, it could go either way. You're right - security would be easier in an environment where everyone ran Linux on the desktop. Then we could all use LDAP for directory and IMAP for mail and we could safely run sendmail from our workstations. But large corporations don't work that way, unfortunately, and if you want a job in this environment, you come to terms with that. Change comes slowly in the enterprise.
---
"how can the same street intersect with itself? i must be at the nexus of the universe!" - cosmo kramer
ISPs are able to serve thousands without blocking ports or web sites, and don't disconnect customers for not installing the latest patches. Some cities are even putting in free wireless Internet access for anyone and everyone, no identification, membership, or monthly fees required. There are plenty of cafes, bookstores, motels, and other businesses that offer free Internet access. What's their secret that, unlike the typical employer, they can grant free access without having their networks slowed to uselessness by a ton of spam and virii and whatever else?
What is it about work environments that management and administration want to hold users' hands more firmly than the users want them held? They convince themselves it's in everyone's best interests, even the users who are only "occasionally" inconvenienced. Security is too easy to use to excuse all sorts of obnoxious policies, and not just in IT. They forcibly take responsibility, then have the nerve to sneer about employees being whiny, dependent, clueless lusers, not appreciating they're partly to blame for fostering and forcing the dependence. I've seen this attitude too often in network admins. I've had far more trouble from overzealous security than I've ever had from the stuff the security is supposed to protect me from. And, yes, I've used computers just fine with far less protection than most admins seem to think necessary. In other words, you don't need the latest patch to fix the vulnerability in the never used service that listens on ports 135 to 139 if you simply shut that service off or block those ports yourself with your own firewall. You don't need the continuously operating automatic virus scanner chewing up 50% or more of your processor time and banging your hard drive as hard as a virus would if you use apps like Thunderbird and not a broken email app like Outlook. It's like the bad old days of Ma Bell, when ordinary mortals were not permitted to use anything but a few basic models of phones, no modems, and the phones were only leased out-- Ma Bell still owned them. Today, phones are libre, but computers sure aren't.
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
A decade ago it was not unusual for corporate networks to have little or no restrictions on end users. Workstations, servers and even printers had publicly routable addresses and free access to the internet as it was. Back then we had to deal with relatively few miscreants... the occasional "ping of death", "teardrop" or the dreaded "smurf" attack. Malicious activities could be deflected by a few simple firewall rules.
Flip the calendar ahead 10 years... The internet is ripe with malicious content. Organized groups of crackers, writing exploit code for every system vulnerability imaginable... Script kiddies gaining "respect" relative to the number of machines they can compromise for addition to their bot-nets... Spammers building their armies of compromised boxes to anonymously sell viagra and fake rolexes... the list goes on and on. In short, the need for network security is real and sometimes the end user is inconvenienced in the process of running a tight ship.
In an ideal corporate world, the bad guys would stay out and the users would have everything they want. In the real world there is a balancing act that weighs a security "best effort" against business needs. It sounds to me as if the original poster's company is in the early stages of making this happen. Security measures are being taken and users are feeling the pain. The next step is for the users to identify the needs that are not being met and challenge their management and IT resources to provide for those needs while making a best effort to do so securely. This, unfortunately, often involves plenty of corporate political bullshit and associated headaches, but if you can show a LEGIT business need, it should make it through the process.
I manage all internet connectivity and perimeter security for a very large healthcare foundation that includes several hospitals, physicians offices and research facilities. Not a day goes by without some kind of request for additional access to some resource. Most are reasonable and can be accommodated with little or no impact on security. Some are not so reasonable and are politely rejected with a comprehensive explanation of why it's not gonna happen and where applicable, alternative solutions are offered.
As for the original poster's situation... should end users be applying system patches? hell no. IT folks get paid to do that. Should individual workstations be sending SMTP traffic beyond the network perimeter? hell no! IT folks should make a suitably secured SMTP gateway available. Should users be able to go anywhere on the 'net they want? hell no! The company pays for the bandwidth and owns the workstations... they can say "no" to anything they consider to be unrelated to doing business. If users need to get somewhere on the filtered list, it should be easy enough to justify it to management. Do the homework and make your case... you'll get much farther than someone that just pisses and moans about how restrictive those IT bastards are.
Best of luck.
chown -R us
I work in a bank. If we fuck up IT security, someone loses a lot of money. The only place more stressful is a hospital. Someone fucks up IT security there, people die.
IT security was a bit of a joke 7 years ago. It isn't funny any more.
Hoist Number One and Number Six.
(a) We actually have an area where I currently work that is explicitly set up for NSFW content... because that's actually part of their job. They have to sign a bunch of waivers, I think there's even a psych test involved, and it's in a secured area of the building with nothing facing windows or the entry doors. 'tis an odd environment to be around.
(b) Funny... A large place I worked at actually had policies against personal equipment at work, partially for situations like this.
We required that all equipment is ours... bring your own stuff in, get a warning. If it's still hooked up after a reasonable period of time (hour or so depending) you get one more chance. After that, you are taking it out, along with the rest of your stuff and your last paycheck.
For all the things companies do poorly, I've found my own company does IT pretty well ... or, at least the portions you mentioned.
The proxy really only blocks things you truly shouldn't be viewing while at work. They tried keyword filtering, but when it failed it was backed off and progress kept moving forward.
Security patches and such are handled decently (if you're on the corporate domain). If you're not on the corporate domain, see next item.
A/V is really the only thing that ever crops up and "interferes" with normal (legitimate) work. If you have an active virus, the networking group disables your network port until things are cleared up. Typically people get the virus in the first place because they don't have their machine patched. If you become a problem it goes to your management (either because someone picks up the phone and calls your manager, or more likely you can't get your work done and your manager finds out you've been wasting your time setting up your own domain and goofing around doing irrelevant things).
Winners tell stories while losers yell deal.
I would agree, especially with the second point. Does your employer pay you for every minute you worry or think about your job when you're at home? If not, then what reasonable basis do they have for forcing you to spend every minute at work thinking about your job? I mean it's one thing if someone is spending the entire fscking work day reading /. (I'm available for any jobs that entail that ;) ), but it's another thing entirely if they spend like 2 or 3 minutes here and there reading a website/usenet or emailing/calling a friend or spouse or something.
Every time you post an article on Slashdot, I kill a server. Think of the servers!
Security technologies these days are pretty well defined, but getting policies right (and making people follow them) is an ongoing battle.
:)
Our company set up a "transparent" proxy server on the border router which requires proxy-auth to access any external web sites and then logs the crap out of you. Since I object to such monitoring I refuse to use it. Whenever a new server gets set up for us to use, like CVS or SVN for example, I find myself getting prompted for access because the server builders put it on a public IP.
I take great delight in telling my manager that I can't do any work until they've followed their own security policies and put an internal system on our internal networks. You'd think they'd learn after the first few times.
Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software.
Looking back 10 years ago, your biggest threat was someone bringing a virus-infected floppy disk into work and taking down one of the 20 computers in your 50-person office. But hey, if you want to connect your PC to the Internet with no proxy, no firewall, and no virus protection, then be my guest. I doubt your PC lasts 24 hours before it becomes unusable.
Today, my company's proxy server blocks access to: 'bad' web sites (such as Google Groups;
And also very likely thousands of hacking, piracy, virus, worm, spyware, and phishing-related sites.
our 'antivirus' software prevents our machines (even machines that host production applications) from carrying out legitimate functions, such as the sending of email via SMTP
If it really is a legitimate purpose, you shouldn't have any problems being granted an exception for your specific case. Everywhere I have ever worked has done so.
and individual employees are forced to apply security patches with little or no notice, under threat of their machines losing network access, if they do not comply by the deadline.
Ah, now I see. Your administration is incompetent. Under no circumstances should end users be installing security patches. They should be installed by administrators (if not automatically), and there shouldn't be any concern about cutting off non-compliant PCs because there won't be any. Anything less isn't security at all.
have we become so secure that we're stifling our own ability to get things done?
We haven't, but it sounds like the folks running the show at your place may have. But it also sounds like they don't know what they're doing either.
Being a corporate IT security at large corporation I can tell you why google groups are blocked. If I am looking at porn on alt.binaries.erotica and a female co-worker walks up behind me she could sue for sexual harassment and say the company did not take adequate measures to prevent this situation.
My understanding is the hoopla about "if you don't block pornography, you're liable" is nonsense that's heavily propagated by vendors of filtering software. The case that claims about liability are based on is the '91 ruling in Robinson v. Jacksonville Shipyards, Inc. Here, the plaintiff was being directly targeted and porn was being publicly pervasively placed throughout the workplace. That's a *far* cry from someone walking in and seeing a pornographic image on someone's computer monitor. That's even *further* away from a company being liable because they actually aren't buying a product to do filtering.
My impression is that most of the people that install these packages get sold a bill of goods by the filtering people "Lawsuits! Lawsuits!" The IT people pass the possibility of a lawsuit on up, some higher-up decides that the software is cheap insurance against a lawsuit, and buys it.
Frankly, companies don't need to worry about liability from not filtering porn (IANAL and all that). They might need to worry about employees being off-task (I mean, come on -- if you're browsing porn, you are *not* doing work). However, I've been incredibly frustrated by stuff in the past (like pages containing "wine" in the URL being blocked -- when I'm trying to look up constants in WINE's header files), with information about HTTP tunneling that I needed for writing some software that had to interoperate with a firewall being blocked (as "criminal activity", impressively enough, along with anything involving a "proxy"), and so forth. Companies aren't avoiding liability at all -- they're trying to control employees, and keep them from goofing off at work. I'm not saying that there's necessarily anything wrong with that, but it's just not really a liability issue. I've seen people blow time chatting with their friends on non-work related stuff on AIM, and I can understand that there's a desire to not let the computer be an entertainment device.
However, I've got a much better solution. Have software that skims browsing history, flags anything suspicious, and allows an employee's boss to take a gander at it (if he really wants to). Oh, and *tell* the employee that you plan to do this -- the idea is to prevent abuse. I don't have a problem with my boss seeing a complete log of my at-work browsing history -- I do have a real problem with IT blocking things. I don't abuse my work connection, and it's really irritating to be treated as if I have because someone somewhere *has* done so.
Basically, I think that it's probably unreasonable to prevent the following types of Internet usage in a regular work environment, at least from a security/liability standpoint:
* Outbound TCP connections, other than maybe to port 25. The whole world is not HTTP.
* Requests to DNS servers other than the company one (why on *earth* do people do this?)
* Outbound SSH connections (a special case of the above that's particularly annoying -- sometimes I need to get at my addressbook or something else on my home computer). (There is a small potential security issue here in that someone could set up X11 port forwarding, and have a compromised outside box keylog or screenshot their workstation machine desktop) but goddamn it, the risk is awfully small and the loss of functionality enormous. This is not James Bond, and armies of ninja hackers are not out trying to take screenshots of desktops.
* Access to webpages. Good *God*. If you have to log them, fine, but for Chrissake, do not filter. It's *so* irritating.
Real security risks? Worms, dubious software that people intentionally install, people simply taking confidential (*actually* confidentially, not doc
Any program relying on (nontrivial) preemptive multithreading will be buggy.
That would be a violation of our security policy.
(Software developers on the other hand, I guess, exist to download free web proxy software and set it up on one of the company's web servers, so that the software development group can bypass the filtering AND the logging, and surf freely.)
Not that I'm thrilled about Windows, but it's the real world, not your fantasy dream world where everyone runs Debian. You either live in it or sit in your basement and call Microsoft "M$".
I don't know if you're a Linux or a Mac fanboy
Sounds to me like he's someone over 25, is all. Notice something about the article:
Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software.
Looking back 10 years ago, Windows was just coming onto the market in a big way. At that point networked machines were all sorts of wonderful beasts, from diskless DOS boxes to an endless variety of Unix hosts to the venerable Novell servers every office large and small had. In the "real world", as you refer to it, there was a time before Windows. There was even a time before Windows where a lot of places had Internet access, a lot of hosts were on it, and virus/worm/trojan writers were doing their damnedest to get in, mostly unsuccessfully.
The difference is, back then every host wasn't sitting listening to all sorts of needless network traffic just waiting to be exploited, trusting that any data sent its way would be benign.
Well, at one point that was the case. Then the Morris worm hit. Nothing like it would come again until Microsoft decided to release 9 years of software written so that the network stack, by default, listens to all sorts of incoming traffic for no good reason.
Combine a near-monoculture with an incredibly stupid security design, and you get Wormfest2000 (tm).
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
You obviously don't administer any sizable network. On our network, there are exactly two email servers. One is an Exchange server running on Windows 2003 Standard. The other is a POP3 server running on Linux so we can keep our Exchange costs down. Any email traffic coming from any other machine on the network gets quashed. To do otherwise invites an unnecessary security risk. And if another server or workstation needs to send an email, it's not that big of a deal to connect to the Linux server.
And also get over your stupid zealotry. In the real world, you deal with a mixed environment. I manage a network with machines running Windows 2000, Windows 2003, Windows XP, Linux and Mac OS X. I really don't care what OS it is running.
It's not the users. Think about it and tell me why you have never heard of such problems in places that use Macs. Don't tell me that it's because graphic designers are better behaved or know more about computers than the rest of us. Well, they do know better than to use computers that need an Administrator like you.
As Apple's market share increases due to the switch to Intel, you can bet that they will start experiencing some of the same problems Windows users do. I've had Windows users infect their machines because they installed software that was bundled with spyware. I don't really see Mac OS X being that much safer than Windows in a case like that.
Karma: Positive. Mostly effected by cowbell.
If you were setting up SSH tunnels, I'd get pissed off too. That's called a backdoor into the network from an outside untrusted computer. If I found you knowingly violated an established computer-use policy, I'd read you the riot act then I'd ask you to define your needs and see what could be arranged.
From my experience, it's the guys who know enough to be dangerous, but not enough to do it safely, that cause most of the security incidents. If you're in a larger environment, the IT guys can't easily distinguish between the idiots trying to bypass the proxy server to surf porn and the savvy users trying to get to an external system for real work. They are forced to treat everyone the same. Now if someone came to me ahead of time with a legitimate request that didn't pose an unacceptable risk, I probably would let you tunnel into your home system. I would ask you to prove you have acceptable firewalling and security on your home systems of course.
The mod nazis hate proofreaders, otherwise they would have some and one would have fixed that before posting it. To stay on topic, the security at the submitter's company is paranoid overkill.
How ya like dat?
If only my network administrators and/or supervisors thought like you. It took several months of begging to get a junker out of the warehouse that I could use for linux, so I didn't need to have a dual boot machine. They are a huge PITA. How people develop software on multiple platforms without having a sample of those platforms that they can destroy occasionally is beyond me.
My momma gave birth to a winner, I gotta win.
But at school (which is as close to a "corporate" environment as I can get), it's another story. We have a (horrifically unstable, read: if you touch it in the wrong place, the hard drive disconnects) proxy server as a pr0nfilter, about three different - all ineffective - AV/AS/AA software setups. We use some stupid Novell launcher that makes it impossible to do anything productive and very difficult just to waste time (Adobe reader isn't associated with PDFs, so you can't open them... extrapolate that level of difficulty to trying to code a standards-compliant idiotproof website with php and stylesheets using notepad and you'll relive my last two months). They'll kick you off the network if you look at the IT department the wrong way.
They put the newest machines in the lab where they teach keyboarding, but leave the slowest machines I've used in the last ten years in the CAD lab. I mean, damn. I've heard the hard drives dying on those things. You think they try and make it impossible to do anything.
And where does it get us for security? Absolutely f'ing nowhere. I still get more spam at school than the rest of my half-dozen email accounts combined, have effectively zero productivity, and all my popups are instead replaced with script debugging errors. Meanwhile, files seem to disappear out of my network storage, and about eight different CrapWare! toolbars are installed on every copy of IE (no, they won't even consider letting us use firefox).
So, their fifteen steps of added security has done absolutely nothing productive. It makes the computers (most of which don't even meet the minimum requirements for XP, but that didn't stop them!) EVEN slower, makes it harder to do anything, and I still am nervous about logging in to check my email on my own webserver (as they blocked gmail with the pr0nfilter). Basically, they did all the stupid crap the government makes them do to comply with the CIPA so they can keep getting (and wasting) federal funding. I flat-out refuse to work on anything of real importance on their computers, because even if security is moderately reasonable, reliability is near-zero.
Sure, I can't look at pr0n at school (as if I'd want to, their 17" LCDs are all forced into 800x600 anyways, and have some of the worst contrast I've seen, not to mention a good portion are shattered), but I certainly can't do a project for a health class either. That's all we have to show for tons of "security" measures that all translate into ineffective anti-stupidity measures.
I remember, back in the day, the school security measures were take your floppy to the tech guy's office and have them make sure it doesn't have any viruses on it before using it. And if you wanted to open your .htm files in wordpad, you could. Nothing ever disappeared and identities weren't stolen. Heck, there wasn't even spam. I'm glad I have real computers at home...
How are sites slashdotted when nobody reads TFAs?
You're right. Microsoft wrote the last decade of Windows releases with little to no regard for security. Unfortunately most large businesses run some form of them - most on Wormfest 2000 or XP.
So what do we do? My guess is "ok, everyone boot this linux install disc" won't fly, and neither would "here, use this mac mini with none of the software you need, now we're broke from replacing all our hardware". That was what the parent seemed to be suggesting. My apologies if I misinterpreted. The 'Linux or Mac fanboy' comment came from reading some of his other posts in this thread.
So we're faced with responding to this threat, and the result has been to block as many avenues of attack as we can (and there are plenty in Win2K) and patch, patch, patch so that we can protect as much as possible.
---
"how can the same street intersect with itself? i must be at the nexus of the universe!" - cosmo kramer
You're asserting he uses Groups to do 90% of his job. I read it as he solves 90% of his problems with it.
I'm the same way with Oracle's Metalink - most of the time I know what to do but when I don't, I go there.
You better watch out, there may be dogs about . .
What do we do?
Migrate, migrate, migrate. Unless Microsoft locks Vista down like we've never seen, we're just going to run through this entire process all over again. I had genuine hope for XP. I really did. It turned into a worse nightmare than 2000, until SP2 - and that didn't even fix the damn problem. When will people learn, a software firewall is not only useless as a security measure, it just adds another possible attack vector? CLOSE YOUR DAMN DEFAULT NETWORK PORTS.
Most things I see Windows used for in the enterprise could easily be replaced with something else. Exchange is a bit of a pain, granted, and the new AD features are handy. But file storage? Gateways? General workstation use?
The "use this mac mini with none of the software you need, now we're broke from replacing all our hardware" is a bit of a strawman. Well, not exactly a strawman, but it's not like we haven't done this before. People have used computers in the workplace for decades, and Windows has existed for only a small portion of that time. The vast majority of "you NEED Windows" software are programs for home use (and no, listing your favourite 3 Windows-dependent programs does not refute this, hence the word "majority" and not "every last one"). Most business functions can be switched to another platform tomorrow, and for those that can't, like I said, it's not like we haven't done this before.
Everyone moved to Windows to save money, time, sanity, or whatever floated their boat at the time. I don't see why we can't migrate off of it, if we can save that same money, time, etc again. And quite frankly, if it isn't worth it, then we can stick using Windows - it may just be the cheaper/better option in a lot of cases. For most business analysts, it seems to be so as of today.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
At my company security is definitely not a priority. I'm sure I'm often viewed as "bitchy" when it comes to securing the network. I'm a firm believer in security first, everything else later.
-Nick
"A plan fiendishly clever in its intricacies"- Homer Simpson
Where I work (a municipal government), the security folk are more concerned about the appearance of security than actual security. All ports are now blocked but for ftp, http, https and 12173 (specific app). I used to be able to SSH, but no more. The worst part? They are now blocking a pile of "games" sites. The dumb thing, in two parts: (1) they're blocking via a firewall which only blocks IP addresses, not URLs, so they scanned all http traffic for "games" and blocked the corresponding IP address; (2) this blocks "games.slashdot.org"... and it.slashdot.org, and ask.slashdot.org, and books.slashdot.org, and science.slashdot.org -- all *.slashdot.org resolve to the same IP address -- but NOT http://slashdot.org/ !!! So I can view the main page, but almost no articles and comments. Yes, I'm posting this from home. Yes, I explained that games.slashdot.org does not CONTAIN games in any form, but just news ABOUT games, but they haven't responded. They're a bunch of twits.
I always equivocate. Well, almost always.
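The overblocking described in the comment above, as an added example that is not part of the original thread: a small audit that takes a keyword-derived IP blocklist and lists which other hostnames share each blocked address, next to what a hostname-aware proxy rule would have blocked. The DNS data, addresses (documentation ranges) and function names are constructed for illustration.

```python
"""Audit an IP-level blocklist for collateral damage (added example).

The hostname-to-address mappings below are constructed sample data using
documentation address ranges; they are not real DNS answers.
"""
from collections import defaultdict

# Constructed passive-DNS style view: hostname -> set of IPv4 addresses.
SAMPLE_DNS = {
    "slashdot.org": {"192.0.2.10"},
    "games.slashdot.org": {"192.0.2.20"},
    "it.slashdot.org": {"192.0.2.20"},
    "ask.slashdot.org": {"192.0.2.20"},
    "books.slashdot.org": {"192.0.2.20"},
    "science.slashdot.org": {"192.0.2.20"},
    "games.example.net": {"198.51.100.7"},
    "intranet-wiki.example.com": {"203.0.113.5"},
}


def host_rules(dns, keyword):
    """Hostnames a name-aware proxy rule would block (substring match)."""
    return sorted(h for h in dns if keyword in h)


def ip_rules_from_keyword(dns, keyword):
    """IPs an address-only firewall ends up blocking when the rule is
    derived from hostnames containing the keyword, as in the comment."""
    blocked = set()
    for host in host_rules(dns, keyword):
        blocked |= dns[host]
    return blocked


def audit_ip_rules(dns, keyword):
    """For each blocked IP, separate the intended hostnames from the
    unrelated hostnames that merely share the address."""
    by_ip = defaultdict(set)
    for host, addrs in dns.items():
        for addr in addrs:
            by_ip[addr].add(host)
    report = {}
    for ip in ip_rules_from_keyword(dns, keyword):
        hosts = by_ip[ip]
        intended = {h for h in hosts if keyword in h}
        report[ip] = {
            "intended": sorted(intended),
            "collateral": sorted(hosts - intended),
        }
    return report


def still_reachable(dns, blocked_ips):
    """Hostnames with no address on the blocklist."""
    return sorted(h for h, addrs in dns.items() if not (addrs & blocked_ips))


if __name__ == "__main__":
    for ip, entry in sorted(audit_ip_rules(SAMPLE_DNS, "games").items()):
        print(ip, "intended:", entry["intended"])
        print(" " * len(ip), "collateral:", entry["collateral"])
    blocked = ip_rules_from_keyword(SAMPLE_DNS, "games")
    print("still reachable:", still_reachable(SAMPLE_DNS, blocked))
```

Running the audit before an address-level rule is pushed shows how many unrelated names sit behind each IP; a non-empty collateral list means the rule belongs in a hostname-aware layer instead.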
The situation where I work is great. The IT people are extremely competent and know that their job is to facilitate the developers and others in the creation of the company's software (sales of which are where the company makes its profit). As a programmer, I greatly appreciate the job they do, having worked at other companies where the IT people seemed to think their job was to reduce the amount of work they had to do on a daily basis, regardless of how their lockdowns and poorly thought-out policies impacted anyone else or the company's bottom-line.
Not having access to Google Groups/Deja would be a real productivity loss for me and most other developers I know, so I'm thankful I don't work at the article poster's place of business. Of course, YMMV depending upon where you work and the needs of the users, and blocking sites like Deja may make sense at some companies.
Insightful? You gotta be kidding!
I have been a corporate security professional for over 10 years, and the only people that I ever get whines from like the parent are typically engineers or IT people who either believe that a) they are God's gift to computers and/or b) the rules don't apply to them. I may seem a bit pissy here, but it just burns me to read posts like this from people who clearly have never tried to think about security from the perspective of the business protecting its assets.
Contrary to what most people seem to think, companies do not exist for the convenience of the employees. It is the other way around. Employees have jobs to do what the company tells them to. If the policies at your company don't allow for any way for you to do your job, talk to management. More than likely, either an alternative solution exists, or the business function you're trying to do hasn't come up before and security will have to figure out how to incorporate it. If the problem is that the official method of doing your job isn't as convenient, as cool, or as uber as what you'd like to do, then either get over it or get a different job. Corporate policies and standards are put in place to homogenize the environment, ease support, and maintain regulatory compliance. They are not put in place, at least in my company, to inconvenience employees. In fact, the point behind security efforts in my environment is to enable the business to do everything they need to do, but in a manner that doesn't put the company at risk. Sometimes, this means that one business unit will have to accept a less-than-optimal solution because of more pressing issues at another, but we haven't been faced yet with a situation where there's been no way to safely do a valid business function.
In large corporations, in particular, security decisions are frequently a balance between the needs of very different business units. For example, a unit that provides credit functions to customers in the US is regulated by the Gramm-Leach-Bliley Act, but a manufacturing unit in the same corporation wouldn't be normally. GLBA may apply to both, however, unless there is some system in place to prevent mistakes at the manufacturing unit from affecting the credit unit. So, while encrypted, authenticated wireless access may not be convenient for an engineer at the manufacturing unit, without internal firewalls to segment security zones, encrypted, authenticated wireless is the only option.
Don't get me wrong, we do things I don't agree with. Proxy blocking, for example, seems pointless to me. Surfing porn from a company system is not a technical issue, it is an HR issue. Have a policy that states what is acceptable, give one warning per user, then fire their ass. Believe me, Internet usage reports get much cleaner when someone at a site has been fired recently, regardless of what the proxy is blocking.
Oh, yeah. The so-called draconian policies we have in place have created an environment where a really, really bad virus outbreak is 2-3 machines worldwide. Before we went down this path, there were worms that affected thousands of systems all around the world. We also have a very, very low incidence of harassment issues, we have five-nines uptime on our production systems, we've never had to completely sever our Internet connections to deal with security threats, and we've managed to balance security and business function well enough that end-users rarely have to contact the help desk because a security measure is preventing them from doing their job. Things may not work this well at other companies, but whinging on /. isn't likely to change that anyway.
And I do agree with you on the remainder of your post - the WHY is more important than the fix.
On the Oracle Applications side, though. . . metalink often only points you in the right direction for a diagnosis. Oracle Apps is a sumbitch, and the error documentation rarely points to the WHY of a problem. But it does make a fantastic search phrase to start your work from :)
God I hate Oracle.
You better watch out, there may be dogs about . .
Maybe a good example of the corporate IT environment will be the example of my (recently) former company: a major computer manufacturer. I signed a nondisclosure agreement, so I won't give anything blatant away, but you can draw your own intelligent conclusions. I agree with most of the comments made: that company policy and actual security are two very different things. My point is, that a company that deals with computer manufacture and OEM releases of Windows should know better. All companies have small beginnings, and people talked about the good old days when I came to the team. But by the time I got there, people in product development had computers with no cd/floppy drives and locked cases so they "couldn't steal the RAM" (all pitiful 64 MB of it) and you had to save all your work on the network where everyone else could access it if they really felt like looking. My machine had an 8 GB hard drive. After my OS, normal security measures and applications, not to mention management-inspired insanities, what was I supposed to do with the remaining 1 GB of my "brand new" computer's hard drive space? To be fair, in 1997, it was running on a Win95 network, but in 2002 it was still running on the same basic infrastructure. For security reasons. Management was so terrified of theft of ideas and possible piracy (like people didn't have their own broadband at home) that security searched you and your belongings every day for discs/diskettes. No more notebooks or working at a place other than work. Not even for management. You had to check out discs and RAM for a system in the lab, which was the only place that had computers with drives outside the server room, the actual manufacturing floor, and six offices used on rotation by managers. This was primarily for demonstrations when you were teaching tech support staff about new products, services, or OS releases. 
I had to introduce serial ATA to 30 people at a time in my building, while being monitored by security and recorded, with a checked out copy of a Windows XP beta edition and one stripped-down computer case because that was all that they were willing to give me. And then came WinXP. All the systems complex-wide were falling apart, being 4-7 years old, so they upgraded every box to 128 MB RAM and 8 GB hard drives. Then they installed the OS as soon as it was released. Needless to say, systems were crashing everywhere, none of the company-wide software applications were even XP-compatible, and there was a general state of chaos. There were real security holes everywhere, but corporate HQ touted their trend-forward steps for their shareholders. For a year this particular location operated in total darkness while their crippled and vilified 10-person IT team tried to allocate resources and time to fix everything. Not only did Corporate expect IT to magically fix everything; they expected an entire manufacturing, customer service and tech support center to operate with unreliable documentation tools, poor shipping fulfillment software and customer information database vulnerabilities. Things are running more smoothly now, but this event illustrates the problems with so many companies, both tech-related and not. Most corporate-level managers still think it's 1985 and things are as simple as MSDOS 6.0. They can program in QBASIC. If they had any technical experience, it's long out of date. These are the people who set the policies that drive your IT practices, especially in larger companies. Kudos to all the businesses that still give their IT staff the power to use their own discretion, but they are becoming rarer every day. In the end it's not the intelligence of the end-user that needs to change; it's the education level and experience of the person setting technical policy that needs to change. 
If this means the company's CEO spending a 2-week internship in Engineering, why not? He's still getting paid. If the VP of sales needs to understand that she can't guarantee a client that her company uses this or that security protocol, fly her down to a local sysadmin's office for a month. Corporate practices need to change before industry standards will change. Until then, we all just need to hang in there.
Most business functions can be switched to another platform tomorrow, and for those that can't, like I said, it's not like we haven't done this before.
:)
I would disagree with 'most business functions can be switched to another platform tomorrow'. Possibly in small-to-medium businesses (sub-1000 people), but not in larger organizations - too much capital has gone into the systems that are currently in place for them to drop everything and switch client and server OS's and applications in a short period of time.
In any case - I'm also hoping for a transition to a safer, more secure platform that's just as useful to the enterprise. We'll see if Vista is as hole-ridden as the last two versions... fortunately our organization moves so slowly it won't matter until 2010
---
"how can the same street intersect with itself? i must be at the nexus of the universe!" - cosmo kramer
I'm going to attempt to answer this question. I've been in schools and government and I see the slide toward using "SECURITY" as a way of managing workers. And I think this has to stop.
I'll explain what I mean. Security, as most employers define it, is to keep the IT resources available for "Legitimate Use". Now with firewalls and proxies you can define for the employees exactly WHAT legitimate use is. Except you need another IT department to deal with monitoring blacklists, removing sites from blacklists for legitimate purposes and analysing logs - assuming you want the system to work effectively AND maintain productivity. And all this in the name of Security.
How about taking a step back and looking at the bigger picture. Here in Australia we have laws that determine what we can and can't see. Various magazines can only be sold to adults and pretty much everything comes with a classification rating. On top of that we have various other legislation that basically says "Don't discriminate" and this means no girlie posters/magazines where someone may be offended. And workplaces, abiding by that legislation, have procedures to follow in the case of a breach of one of these laws.
SO! Why block these websites? If someone detects this (either by logs OR by walking past) then there is a clear procedure to follow. Why should something being viewed on a computer screen be any different than printed. The answer is - BECAUSE SYSADMINS HAVE THE TOOLS TO STOP IT!
I disagree with using these tools because it is a "quick fix" solution for management (a handball if you will) which becomes one of the biggest headaches for the IT department. If you already have the procedures, then follow them!
I'll extend this further by taking the given example of Google Groups. For what reason is this being banned? Does it contravene any legislation? NO! Does it contravene any Human Resource policy? NO! What it does do is allow staff to spend time not doing work. Now, I seem to recall that, once upon a time, workers not doing work were sacked! If you were in derelict of your duty, a reprimand was issued. After this it was "Here is the door". So follow this well established procedure. Don't force staff into a shoe box. Reward good workers with latitude and get rid of the dead wood!
So the answer to your question is - Make a clear distinction between what is necessary for security and what is purely management not wanting to manage. Security is about patching machines, antivirus and appropriate controls. Security is NOT about content management. Yes, there are some grey areas (like email and firewalls) but if you can make that distinction then lineballs become easier to deal with.
**Please note that I have a different opinion where minors are concerned.
If the security rules were then written to use capabilities instead of ACLs, it would pretty much be bulletproof...
Someday we'll get there... but the pain isn't sufficient yet... and the virtualization hardware is just coming into play.
--Mike--
I work as an IT manager at a company where I had to install an attachment scanner -- and it routinely chews up legitimate emails I get from programmers -- But there's nothing I can do, the virus writers are getting smarter and are zipping or otherwise encrypting emails and I have to do something to stay a step ahead of them. Thankfully Linux has helped me immensely in keeping our infrastructure from dying.
- Brett
So to make your job easier, you're happy to inconvenience your users and cost your company money? Yes it might be a PITA. Guess what, that's why you get paid. If your users have a genuine need for a dual boot system, you should be supporting it. It's not some strange alien configuration that you couldn't possibly know about. How will you ever cope if your users get VMWare?
As other users have pointed out 2 machines = twice the cost and twice the admin, and as a user there's a good case for not booting up the one you're not using at the time, so you'll still get out of date updates.
Thank $!@# you're not my sysadmin. (And you should thank !@$% I'm not your boss either!)
These posts express my own personal views, not those of my employer
First, I doubt any user owns any of the computers at your company. Stop thinking of the computer in your office or your backpack as YOUR computer. But don't stop there -- correct your thinking while you're at it: start thinking of that computer as a SERVICE the company provides to its employees to do what and ONLY what the company wants you to do.
You do NOT have ANY rights regarding that computer, the software installed on it, how it runs, etc. You also should NOT be browsing the web for personal enjoyment or reading personal email.
Face reality - you are there to do a job and any time you spend doing something else is time you are being unethical. Do you think your colleagues on the GM assembly lines have ANY sympathy for your whining? They have every minute of their working day scripted by the timing of the line, down to how long they get in the bathroom. Most IT workers in the US spend 80% of their day surfing the web or chatting online, then go home and bitch about how the IT group cut off AOL access.
You are there to DO WHAT YOU ARE TOLD and to SERVE THE COMPANY TO EARN YOUR PAY. You are NOT there to go to websites the company doesn't ask you to visit. Do what you're told or find a better job, if you really think you can.
I am soooo sick of whiny white-collar workers who think they really work after surfing the web all day - you'd think none of those people knows a person with a real job.
Beautiful.
They can't afford your overpriced, underpowered machines when they have to be deployed to fifty thousand users.
Tell me how they afford week long downtimes everytime another M$ worm comes out.
You've clearly never been in an enterprise environment.
I've been in some of those silly places. Others, like Lowes, General Motors, IBM etc. are better run than the mythical "enterprise" that thinks of M$ as a "standard" for anything other than a money sink.
I love all the "fuck you" I'm getting from M$ shills and fanboys. They are all so angry because their stuff does not work and everyone knows it.
My house has no basement and I own it, thanks for asking.
Friends don't help friends install M$ junk.
I'm not sure how it could happen more than 52 times a year. It takes at least a week to reinstall all that broken junk. Considering the number of critical patches every month, it's a wonder this limit is not attained.
Let's hope more people do as you say and less as you do. As you said somewhere else, "security would be easier in an environment where everyone ran Linux on the desktop." I say it would be a lot easier for everyone. I won't have to pay that much more for all those things big dumb companies make. I also won't have to put up with their big dumb networks taking down the whole internet and being used for extortion and all the other things the M$ monoculture provides.
Friends don't help friends install M$ junk.
Yes, you *can* be too-secure. "Too much security" occurs when you can't get work done -- as is your case. The only *real* question facing corporate IT is "what amount of liberty is necessary to perform the duties of the employee requesting that access?" In true totalitarian style, the old computer security saying "that which is not expressly-permitted is forbidden" is the basic principle of current corporate IT security.
We have this same problem where I work. Thank shitty MSFT security for the current mess...
On a related, more-general note, security and liberty are *always* at odds. They logically must be: if you are restricted from performing action A, then you are not at liberty to perform action A. Simple as that.
For a real-world example: if you are locked-out of somebody's home, then you are not free to open the door to that home. The home is secure against your entry (at least from this particular vector).
Frankly, he who wants to be both safe and free will never have what cannot be.
Is Capitalism Good for the Poor?
At one company I worked for we used to joke about the servers that we were going to "manage them to their knees" since we had so many security and monitoring applications on them.
Of course this was the same company that would randomly block websites (that had worked before). At one point they blocked access to CPAN of all things. When I questioned it with someone in Info Security I was told "we get our filtering rules from the company that supplies the proxy, we can't change them, just wait until next week and your site might be back off the block list". Great way to manage security huh, just "trusting" some other company to do it right and if it's wrong just wait a week.
To be quite honest (and this is coming from a Microsoft hater), Microsoft's stuff does work albeit not as well as Linux. I trust my Exchange server since I've spent all of this time locking it down! Just because it's Microsoft doesn't call for blind hatred. Your blind hatred is why some of us are classifying you as the Hax0r in your parents' basement.
This guy is way out there
I can understand that for anything with storage - laptop, external hard drive, usb drive; ANYTHING that would compromise security. But a monitor? What if someone has a preference for a keyboard that's more comfortable? Where does it end? Firing someone for having a wrist support? A trackball instead of a mouse?
OH NOES! Someone has a TRACKBALL and a BIG MONITOR! FIRE THEM!
The basic theme of this is that draconian and over-wrought corporate policies do little more than annoy employees and make them think less, overall, of corporate policy in general (and thus more likely to circumvent it when it _does_ matter).
-- "Those who cast the votes decide nothing. Those who count the votes decide everything." -Joseph Stalin
Did you read his post? Outbound ports 80 and 443 were allowed. If *any* outbound TCP ports are allowed, ssh tunnels are allowed.
This gets to one of my pet peeves: the illusion of security by port-restriction. People forget that well-known port assignments are nothing more than convention. TCP port 80 does *not* mean http. TCP port 53 does *not* mean DNS XFR. You can only prevent remote attacks by limiting listening services on individual hosts. More to the point, if you allow any non-proxied outbound traffic, you are allowing all non-proxied outbound traffic. You just may not realize it.
All's true that is mistrusted
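The point above, that a port number is only a convention, can be checked from the defender's side by classifying a flow from its first payload bytes and comparing that with what the port is supposed to carry. This is an added example, not part of the original post; the flow records, the `EXPECTED` policy table and the function names are assumptions, and the sample payloads are constructed.

```python
import struct

# Assumed policy: what each allowed destination port is supposed to carry.
EXPECTED = {80: "http", 443: "tls", 22: "ssh", 25: "smtp", 53: "dns"}

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ", b"TRACE ")


def _looks_like_dns_tcp(data: bytes) -> bool:
    """DNS over TCP: 2-byte length prefix, then a 12-byte header."""
    if len(data) < 14:
        return False
    length, _txid, flags, qdcount = struct.unpack("!HHHH", data[:8])
    is_query = (flags & 0x8000) == 0          # QR bit clear means query
    return length == len(data) - 2 and is_query and qdcount >= 1


def classify(client_first: bytes, server_first: bytes = b"") -> str:
    """Name the protocol from the first bytes each side sent."""
    # SSH: both sides open with an identification string "SSH-<ver>-<sw>".
    if client_first.startswith(b"SSH-") or server_first.startswith(b"SSH-"):
        return "ssh"
    # TLS: handshake record (0x16), version 3.x, handshake type ClientHello.
    if (len(client_first) >= 6 and client_first[0] == 0x16
            and client_first[1] == 0x03 and client_first[5] == 0x01):
        return "tls"
    # HTTP/1.x: request line "<METHOD> <target> HTTP/1.x".
    first_line = client_first.split(b"\r\n", 1)[0]
    if first_line.startswith(HTTP_METHODS) and b" HTTP/1." in first_line:
        return "http"
    # SMTP: server greets with 220, client answers EHLO/HELO.
    if (server_first.startswith(b"220")
            and client_first[:4].upper() in (b"EHLO", b"HELO")):
        return "smtp"
    if _looks_like_dns_tcp(client_first):
        return "dns"
    return "unknown"


def audit(flows):
    """Return (id, port, expected, observed) for flows that break the table."""
    findings = []
    for flow in flows:
        observed = classify(flow["client_first"], flow.get("server_first", b""))
        expected = EXPECTED.get(flow["dst_port"], "unknown")
        if observed != expected:
            findings.append((flow["id"], flow["dst_port"], expected, observed))
    return findings


def sample_flows():
    """Constructed first-packet captures for six outbound flows."""
    dns_msg = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
               + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
    return [
        {"id": "f1", "dst_port": 80,
         "client_first": b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"},
        {"id": "f2", "dst_port": 443,
         "client_first": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32},
        {"id": "f3", "dst_port": 443,
         "client_first": b"SSH-2.0-OpenSSH_9.6\r\n",
         "server_first": b"SSH-2.0-OpenSSH_9.6\r\n"},
        {"id": "f4", "dst_port": 80,
         "client_first": b"EHLO desktop.example.test\r\n",
         "server_first": b"220 mail.example.test ESMTP\r\n"},
        {"id": "f5", "dst_port": 53,
         "client_first": len(dns_msg).to_bytes(2, "big") + dns_msg},
        {"id": "f6", "dst_port": 80,
         "client_first": b"\x8f\x02\x11\xaa\x00\x01\x7f\x33\x90\x10\x42\x42\x00\x05\x61\x09"},
    ]


if __name__ == "__main__":
    for finding in audit(sample_flows()):
        print("port %s: flow %s expected %s, saw %s"
              % (finding[1], finding[0], finding[2], finding[3]))
```

The check sees only the outermost protocol of a flow; what runs inside an encrypted session can be inspected only where that session is terminated, such as at a proxy.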
My former employer, Analog Devices, first implemented web filtering many years ago.
They put an immediate halt to it, pending better software being available, when their very own website was inaccessible to them. Why? It contained the substring 'anal'.
Yeah, they had to change filtering software pretty quickly.
They also blocked anything beer or wine related, even years later. Planning corporate (e.g. sales) related outings necessarily involved circumventing things.
The whole "criminal activity" thing about http tunneling, proxies, etc. definitely rings a bell too.
Suffice it to say, our head of Information Security was a great moron.
-- "Those who cast the votes decide nothing. Those who count the votes decide everything." -Joseph Stalin
Obviously I can't speak to your company since I know nothing about it, but if they're like most outfits I have consulted for, they are megalomaniacally convinced against all evidence that their business model is unique and the key to their future riches. I have seen quicksort marked "Proprietary - Confidential". I have seen pay schedules (every other Friday excepting when the Friday is a holiday, in which case the preceding Thursday) marked "Proprietary - NDA required".
The simple fact is for most businesses their IP is worth next to nothing. Several other companies have the same idea and are developing it just as quickly. As history has proved from Edison (heck, from Gutenberg) on down, it doesn't matter who comes up with the idea first, it matters who gets a palatable, reasonably-priced product on the market with decent marketing first.
All's true that is mistrusted
Good times.
...of your article clearly shows almost everybody that your business is primarily using MS Windows on your workstations and servers...
--
I'll have a good sig. once Windows is secure...
Seriously, how do you get the restricted user to work right? We have spent months on this, and every time we think we have it nailed, something comes up.
But you know, in spite of all the above, I would say that information security is now taken more seriously than before. When we point out vulnerabilities at least now we get a little respect. Not much, but it's more than before. Now applications are supposed to be scanned before they go into production. It used to be it took almost a year to deploy a single critical patch. Now it can get done in under a week.
My experience is that IT departments are more in the business of CYA these days. In a recent job, some colleagues were developing a data warehouse on Oracle. They were piggybacking off a dev server we had, behind the firewall, sitting under my desk. Two guys, some commodity equipment, and they were doing a ton of good work. One day they decided they needed their own dev server, which was fair enough. So they put in a request to IT for a new desktop machine. IT came down to talk about what they needed it for, saw what they were doing, unplugged the dev server and then made them put in a request for a mid-range machine. This of course required a budget, a project manager, a business case, and in short order the project stalled, for months. All their good work was going nowhere fast and the business was crying out for their solution, which was initially only costing the DBA and developer's salaries and two desktop machines. These guys weren't cowboys either. The DBA was one of the best Oracle DBA's I've ever met. But IT effectively shut them down.
To my mind businesses need some kind of network-DMZ where people can start their projects without the need to resort to business cases, project sponsors etc, because IT is mainly concerned with making sure the network is safe.
They said ALL XP login scripts had been posting the notice for over a week, I had been given "plenty" of warning!
"Nonsense. All Plans for the new intergalactic highway has been posted at your nearest Solar System for 100 years."
> But a monitor?
Yeah, I think the logic was one of liability...
What if it gets stolen or broken at the office, we don't want to appear responsible for having to replace it...
What if it catches on fire... it wasn't approved by us, so you're much more liable.
What if it doesn't comply with whatever safety standards are set at the organization?
What if it was stolen property to begin with... now we have to spend money/time defending ourselves.
I know there were more scenarios, but I try not to rack my brain too hard on this stuff. Starts to hurt =-)
What actually happens when an employee looses his/her network access?
Doesn't it fit anymore to his/her computer?
Capitalization is the difference between "Helping your uncle jack off a horse" and "Helping your uncle Jack off a horse"
> Why not? Production machines need to be able to mail their owners about problems. Desktops need to be able to send mail. Both might just not be Windoze machines able to talk to your crappy, virused out Exchange "server".
That's a pretty unusual exchange server you're talking about there.
> Not accepting SMTP requests from desktops is just another workaround to M$'s really shitty security that won't work.
Then why would any well-run Unix shop also use mailhub? Why do Unix MSPs implement that functionality? Why does every well-known figure in Unix mail recommend using that functionality for this purpose?
Where I used to work people were told they were not allowed to bring their own fans in (was in a heat wave and for some stupid reason the heaters were still on as it was March).
;)
Anyway the reason we were told was because of the fire risk to untested electrical equipment. But we did bitch enough to get management to buy us a bunch of fans, one per 3/4 employees (sat in banks of 3/4 and not in cubicles so this kinda worked). We still brought our own ones in though.
That is how it works at our company. The default is linux. All "regular joe's" have linux on their desktop. All servers are linux. If you begin and you don't know linux, that's your problem, learn it. But you can have windows, if you have VERY good reasons (e.g. secretaries that receive MS-office documents all the time). These windows-machines are completely locked down. You can do exactly what you wanted your windows-machine for, but nothing more. Also, these machines are reinstalled every single night (ghost) with a new image maintained by the IT-department (so daily updates).
The linux-machines are gentoo-based, and are also tuned. Nothing too much in there, but what is there simply works. These machines can also be automatically installed by just connecting them to the network and booting from a usb-stick, or remotely from a server.
Combine this with a little education of your users, a little trust, a security-model not based on the "hard shell soft inside" model, but the "insiders can also seriously mess things up" model, a decent network-infrastructure (e.g. managed switches, fast uplink) and some guys that really know how to setup and secure a server or a network, and you won't have many problems or complaints.
int main(void) {while(1) fork(); return 0;}
I am at work from 5AM until 4PM usually, and out of those 11 hours, my computer is only usable for about 4 of them.
5AM-6AM: Usable
6AM-10AM: Unusable because IT folks force a full virus scan at top CPU priority and I can't change it.
10AM-11:30AM: Usable
11:30AM-12PM: Unusable, some process called RPG.exe runs at highest CPU priority during this time. I don't know what it does, but a quick google says it's for some kind of backup and restore function.
12PM-2PM: Unusable: mandatory daily over-the-network "full" backup of local drives, even though work product is not stored locally and the local disk doesn't change much. I suspect this is actually just to see if I am putting "unapproved" software on my PC. I have had shareware apps simply disappear in the past, including FireFox, Thunderbird, and OpenOffice (we have a contract with M$)
2PM-4PM: usable, except when pushing M$ patches, when my PC reboots w/o warning and at random, not allowing me to save my work.
I've complained all the way up to the VP of engineering, and the attitude I get is "tough ****, deal with it, we will not compromise data security for your convenience."
So yeah, valid topic, good article.
The best one I came across was a company who disabled the right-click on their standard NT build. Very upsetting if you're a developer, and the process to re-enable it took much form-filling and was taken surprisingly seriously. Another good one is locking down the registry which stops a vast amount of 3rd party software from working!
> Why not? Production machines need to be able to mail their owners about problems. Desktops need to be able to send mail. Both might just not be Windoze machines able to talk to your crappy, virused out Exchange "server".
Desktops, servers, and other devices need to be able to send mail to the central mail infrastructure and USE IT if your company has invested in such a thing. And if all you have for a central mail server is a "crappy, virused out Exchange server," then your company's problem isn't that they have overzealous security, nor is the fix to allow every box to be an SMTP server.
Your company's problem is that you are misclassifying a poorly handled mail infrastructure as overzealous security and then claiming that the solution is to abandon it rather than fix it, so they now have to both fight with you and fix the mail infrastructure at the same time. Plenty of ROI on that salary of yours while you're armchair quarterbacking.
Your problem is an "I don't care how the mail gets out as long as it works for me and my job" mindset, which, incidentally, back-seats the company's interests (which is interesting, considering that its interests are the only reason why you're there at all).
After I get about 6,000 of you in my company, there are too many of you for me to lock in a single room so you can claw each others' eyes out about whose ad-hoc infrastructure is more important. So I have to assume you're ALL important (horrors!), build an infrastructure that can sustain ALL of you, point you at it, and shut down all the destabilizing junk you ad-hoc and armchair-quarterback into existence and then complain to me about when it not-so-surprisingly gets blown up by something ad-hoc'ed and armchair-quarterbacked into existence by your coworker.
The business purpose behind a centralized email infrastructure is to make sure that each and every one of the 6,000 of you can get your work done instead of having 6,000 separate and distinct you-vs-your-5,999-coworkers'-infrastructure-trashing battles going at once, with each and every one of you 6,000 telling me to get it fixed but in some way that doesn't impact anyone but the other 5,999 who you personally don't give a damn about (ok, 5,998, I'll allow you one buddy who you care about).
The biggest reason IT winds up playing stability cop is because YOU DEMAND IT. We don't blow it up, YOU blow it up, and YOU demand that it be rendered stable with no changes in your destabilizing behavior. Well guess who wins? YOU. We can't tell you to flake off, so you get stability, and just like order kills chaos, stability kills off all the unstable stuff you love doing so much. You can balance them and compromise, but you most certainly can't have both in their extremes.
Security is a pain? Tell you what. There are three components of security. Confidentiality (of information), Integrity (of information), and Availability (of information). Guess which one you lose first when your infrastructure is unstable? (Hint: the last one). Wow. Since you love your email so much, guess you need security after all. But then, you did mention the viruses first, so maybe you *do* know that.
You can't solve a problem by ignoring it. I'm working at an antivirus company, and simply "shutting things out" is no option. After all, we're supposed to pluck them apart, watch them work, see their destruction first hand to inform people what the latest piece of malware does and of course develop counter strategies.
:)
So what you really need is a good way of getting your computer back to working condition instead of trying your best to keep it from breaking down. Because you simply cannot do the latter, the user will find a way to circumvent your security wall (which is more often than not a necessity to get work done, because the tool or the info you need is on a "bad" site).
Trying to tighten security to the point of rendering the system useless is the way of the lazy and/or clueless admin. The pro knows he cannot keep disaster from striking and instead works on ways to minimize the time needed to get the system back to work.
'sides, it's always a nice way to make the user feel dumb and lecture him while you're resetting his PC.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
IT security is not about restricting what users can and cannot do - it is about enabling users to do what they need to do in a secure and stable fashion. As an IT professional, all too often I hear through the company grapevine about someone who has been grumbling that the IT security policy was too restrictive, but when you go and talk to the person it turns out that whatever it is they wanted to do can be done, they just didn't know how to do it properly with the systems you have in place. Naturally, they blame the systems, not themselves. Why would you want to send outbound emails from your box, when you can relay through the corporate mail server? Why do you need to run an FTP server to upload your files from home, when SSH is running on your computer already? Why do you need IT to open up ports 1024-65535 in the firewall to allow your new piece of code to work when you could just write it properly in the first place?
IT security policy should not be inflexible, but neither should users assume that it is there just to block them from doing things. If it is, then that is because company management have decreed that behaviour X is not allowed - and that's not an IT security problem.
Why can't we all just get along?
It simply boils down to a lack of accountability. Most IT organizations are now allowed to make decisions unilaterally for the entire business, even if it results in creating unnecessary or exorbitant expense. I know of IT security managers who would be perfectly content to see their employer go down in flames as long as the noble ideals of their security policies were never violated.
The IT security discipline has boomed over the last few years and I fail to see how the situation has improved. In fact, it has only worsened. We don't need more security admins... we need security admins who are committed to the same goals as the rest of the organization and make THAT their first priority instead of worshiping at the feet of noble theory. The principal job of a security admin should be ENABLING users to go about their work in the most secure manner possible, not preventing them from getting the job done. Big difference.
One of the greatest risks to security is the User... machine to machine interaction can be structured nice and tight. It is when you get people running unauthorized apps, introducing flash drives etc. into the mix that increase the security risk.
> Tell me how they afford week long downtimes everytime another M$ worm comes out.
This is a key point - downtimes from worms have been reduced to next to nothing because of the security measures that are implemented in organizations. An organization with no security measures in place would probably be miserable and get absolutely nothing done, though, if they had a mostly Windows architecture.
We pay for it one way or the other, though. But simply replacing everything overnight is so completely out of the ballpark of the realm of possibility that it's not even worth being brought up. This is why I assumed you'd never been in a large organization - because, if you had, you'd know that your suggestion of "everyone use Linux" would get you laughed out of the room.
> I love all the "fuck you" I'm getting from M$ shills and fanboys. They are all so angry because their stuff does not work and everyone knows it.
I think you might be incorrectly assuming that we're "M$ shills and fanboys". Just because I help administer a Windows environment doesn't mean I enjoy it, or that I'm a fan of Windows. I'm not.
This is the reason, by the way, I assumed you were a younger kid living in your parents' basement. My apologies for the assumption. You might be more successful and convincing in your arguments if you didn't use phrases that kids like that normally use, e.g. "M$", and assume that because someone supports a Windows environment, they're a Microsoft fanboy. For the majority of us, it's just a job, and we're about as excited about supporting Windows as you would be.
---
"how can the same street intersect with itself? i must be at the nexus of the universe!" - cosmo kramer
> and individual employees are forced to apply security patches with
> little or no notice, under threat of their machines loosing network
> access, if they do not comply by the deadline.
You have a lazy-ass IT department. Ours has things set up to automatically update whatever they want whenever you log on or reboot.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
I have repeatedly had to explain to the Network administrators that I have to be able to send email from one of 2 Unix boxes.
Every time they apply a patch to Exchange they block all forms of Relaying. Which means no mail from any machine in the network can send outbound email (except Outlook of course), through the exchange server or not.
At the end of the day I don't care, but they wasted the week of development done to produce PDF based Invoices for their customers which are sent. And I get the pleasure of explaining there is nothing I can do about the problem. And now those IT functions are not handled in-house, they are handled by the parent company and take longer to resolve than previously.
Funny - just the opposite happened to me at an employer.
Picture working in a call center in the middle of Summer (90 deg F outside) and we had a wind-chill factor INSIDE... People were covered in blankets and wearing gloves. Management complained to the building owner that the cooling was way too much. They brought in an engineer that set up historical temp boxes. Showed the cooling was right on and couldn't figure out why we were all cold - called us crazy and walked away.
2 weeks later, space heaters and electric blankets started piling up inside. The building owner threatened to cut cords on anything they found plugged in but did agree to call in other engineers. They brought in a PhD from a local school. After 20 minutes of looking over the data from the last engineer, a look at the building plans and a quick walk around, he said he would tell them what the problem was, but he wanted to bring in classes to show them how things that look right are not.
Turns out, the air ducts were misplaced in all the wrong spots with too many intakes. This caused sweeping wind-chills from one end of the call center to the other.
Each case/application should be handled on an individual basis. There is NOTHING that can't be done as a restricted user in the Windows world with the proper administration.
Interested in open source engine management for your Subaru?
I am in InfoSec for a medium-sized environment (3-4000 users) and know all of the tradeoffs that have to be made to keep usability and security from defeating each other. In my case, I work in a hospital, so usability trumps security. If a computer is unusable, someone could die; if a security breach happens, we can mitigate the damage. There are definite ways to keep desktops and servers secure which do not significantly degrade their usability. However, if the company doesn't give adequate funding and get well-qualified people to run the security department, you get the kind of overzealous blocking that you have described.
-Blocking technology is out there to allow an individual to bypass the block by entering a username and password. Yeah, I know "just one more password to forget," but this kind of thing helps to keep access to potentially "bad" sites honest. The technology also exists to always allow a certain computer/account to access these types of sites. Anything less is a case of underfunding or using the wrong tools.
-Your antivirus vendor should be at least customizable enough to selectively allow SMTP sending on production servers. Ideally with servers, you'd have it only allow certain programs to send mail or have a threshold of connections per second that it would prevent (most mass mailing viruses I've seen send one email per connection before changing servers). If your AV has these tools, the IT department doesn't seem to be managing them well. I have a problem here with our AntiVirus detecting security tools as "hacker tools." As far as I know, with our current configuration we cannot change that behavior just for me and not for any other computers, so I choose to deal with the hassle of it reporting, but not quarantining my apps.
-Patch Management is tricky, but if there are adequate safeguards on the desktops (i.e. minimal services, userlevel accounts, antivirus, etc.) then your company should be on a schedule of deploying patches. For example, once a quarter you test all the apps for compatibility with patches and then deploy the ones which don't break anything. Deployment would be carried out with minimal downtime, at off-peak hours. This procedure would be thoroughly documented through some kind of change management procedure where everyone knows that changes will be made to the systems, so they can report any problems with the upgrades.
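The SMTP threshold idea in the comment above (many short connections, each to a different mail server) can be written as a sliding-window check over outbound connection logs. This is an added example, not part of the original comment and not any antivirus product's logic; the log format, the thresholds, the relay allowlist and all addresses are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> src=<ip> dst=<ip> dport=<port>"
LINE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")


def find_mass_mailers(lines, window_s=10, max_conns=5, max_dests=3,
                      relays=frozenset()):
    """Flag hosts that open many SMTP connections to many servers quickly.

    A host is flagged the first time it has more than max_conns port-25
    connections to more than max_dests distinct servers inside window_s
    seconds. Hosts in `relays` (the central mail servers) are exempt.
    Returns {src: (time_flagged, connections_in_window, distinct_dests)}.
    """
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)          # src -> deque of (timestamp, dst)
    flagged = {}
    for line in lines:
        match = LINE.match(line.strip())
        if not match or match.group(4) != "25":
            continue                     # unparsable line or not SMTP
        ts = datetime.fromisoformat(match.group(1))
        src, dst = match.group(2), match.group(3)
        if src in relays:
            continue
        queue = recent[src]
        queue.append((ts, dst))
        while queue and ts - queue[0][0] > window:
            queue.popleft()              # drop connections outside the window
        dests = {d for _, d in queue}
        if (len(queue) > max_conns and len(dests) > max_dests
                and src not in flagged):
            flagged[src] = (ts.isoformat(), len(queue), len(dests))
    return flagged


def sample_log():
    """Constructed log: one connection per host per second for 8 seconds."""
    base = datetime(2006, 3, 14, 10, 0, 0)
    lines = []
    for i in range(8):
        t = (base + timedelta(seconds=i)).isoformat()
        # Desktop contacting a different external mail server each time.
        lines.append(f"{t} src=10.1.4.23 dst=198.51.100.{i + 1} dport=25")
        # Production server mailing alerts through the one central relay.
        lines.append(f"{t} src=10.1.9.5 dst=10.1.0.25 dport=25")
        # The central relay itself, delivering to many outside servers.
        lines.append(f"{t} src=10.1.0.25 dst=203.0.113.{i + 1} dport=25")
        # Ordinary web traffic, ignored by the check.
        lines.append(f"{t} src=10.1.7.7 dst=192.0.2.80 dport=80")
    return lines


if __name__ == "__main__":
    hits = find_mass_mailers(sample_log(), relays={"10.1.0.25"})
    for src, (when, conns, dests) in hits.items():
        print(f"{src}: {conns} SMTP connections to {dests} servers by {when}")
```

Requiring both conditions is what lets a production server keep mailing through the central relay: it opens as many connections as the desktop does, but all to one destination.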
With more and more internet users behind NAT routers, networked malware is now, instead of running on a machine and listening, running on a machine and making an outbound connection to some remote host. If you don't have egress filtering, your firewall may as well not exist.
I will grant that I think about this less; in the Unix world, security problems are slightly different. However, I have discussed this with some rather notable gentlemen who are more oriented around Windows security, and their opinion is different. They suggest that it is not really possible to keep information from filtering *out*, if software on your machine wants to send data out. There are just too many ways to sneak bits across the wire, and they cannot all be blocked in the real world. Their take is that the only reasonable way to stop malware is to keep it from gaining a foothold on the computer in the first place, rather than trying to keep it from then communicating once it is there.
Actually, to some extent, this is exactly what you just said (though about NAT, not about firewalls) -- security administrators tried using NAT to lock down their networks, and discovered that malware simply adapts to deal with it, and now there is a big functionality hole that makes it difficult for people to write and use legitimate network applications.
Highly restrictive blocking, as implemented today at a corporate level, is *only* useful in that people that do so may differ from the majority, that they have an "oddball" configuration. That's where the practical security benefits that they're claiming come from, not from the fact that their blocks cannot be walked around by anyone who tries to do so. If I can write malware that, on 90% of the machines out there, can just open a TCP connection to the outside world on an arbitrary port and send data, I'm probably going to do so, rather than making that worm take a clever approach of having to subvert Outlook or IE to send its data out.
The problem is that now a number of companies *do* only allow access out through a proxied connection, and now malware writers that want to target them need to hijack things like Outlook or DNS requests or whatever. The benefit is highly impermanent -- so there is no long-term security benefit, but there is a blow to functionality, in that features once present are now missing on these corporate networks (and doing things like ramming previously-working apps through HTTP tunnels simply degrades performance and increases complexity).
If you want to occasionally SSH to your home machine, run your sshd on port 443 and go via your company's web proxy (tools like PuTTY can use HTTP CONNECT to do ssh via a proxy on port 443). Be sure to ask your company if this is OK first though. That way they don't have to open port 22 to the world, and instead they have a logged, traceable connection.
Oh, I have. Had a meeting with our security admin and everything. He said "no go" and warned me that he monitors connections. Actually, he used to have a configuration in place that killed any outbound HTTP connections that lasted too long. That was infuriating to work around if you needed a Linux ISO or something similar. He finally got enough complaints to decide that that was a bad idea.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
I'd love to know how much money these morons spent doing studies to solve a problem that any sensible person would have solved by turning down the thermostat.
...the only people that I ever get whines from like the parent are typically engineers or IT people who either believe that a) they are God's gift to computers and/or b) the rules don't apply to them. I may seem a bit pissy here, but it just burns me to read posts like this from people who clearly have never tried to think about security from the perspective of the business protecting its assets.
How about you, as an administrator, consider providing responsive service to those engineers or IT people who need an escalation of privileges above the average luser to do their jobs effectively? What is an engineer supposed to think when his job description contradicts the sysadmin's policies and his boss is asking for results? Of course you'll get "whines" from these people - their jobs dictate that some of these rules shouldn't apply to them. Get off your high horse. If you are supposed to be serving the business, and assisting it in "protecting its assets", your responsibility would be to provide those services that facilitate other employees getting their work done. When a software engineer's duties require that he have administrative control over his own workstation, you and your system administration policies have become a liability to the company; you're keeping the engineer from getting his job done.
I pity the foo that isn't metasyntactic
Preach it Brother.
I remember when I was the rarely consulted "hacker" who sat in a lab and played, until there was an issue. Now I have so many projects, deadlines and critical assessments that I'm working 40+ hours and have no lab time.
Get a life, not a lifestyle. - Hikem Bey
Free Speech and Free expression is a personal right, protected by the federal government. It protects you from getting killed or tossed in jail by the government. It does not, in any way, protect you in your workplace. I find it astounding that so many Americans (regrettably they generally align themselves with Democrats), think that freedom of speech means that they have the right to say whatever, wherever and no one can do anything. That's not how it works. All it means is that the government isn't supposed to bother you, it says nothing about employers. Your employer has the freedom to hire and fire people, based on whatever criteria he/she decides (in many states). If you offend your coworkers, they have the freedom to fire you.
No company owes you a job.
Get a life, not a lifestyle. - Hikem Bey
From your examples, it looks like your whole IT department is working very hard to be downsized or outsourced. From my experience, the minute a smart VP or CEO (or, a common case, an external consultant who has the VP or the CEO's ear) notices and documents the kind of impact they are having in the bottom line, lots of high and middle heads will start rolling. Having inflexible rules when your market is evolving or constantly changing (and when your market is global it is always changing and evolving) is so dumb it hurts - when have we called the high priests back to the computer room, anyway? I thought we had all agreed to send them home for good by the end of the 70's.
I'm definitely gonna sound pissy here. I'm an engineer and a developer, and I kinda get annoyed with "security" "professionals" who consider "security" to be the product of their companies. I've worked at companies that hired major tight-ass "security" guys like you. Guys that take "security" actions without even trying to think clearly about the big picture of the nature of the company's product or service. For instance, disabling all the dial-in and dial-out modem lines without asking why we had them -- we developed hardware and software for modem communications!
Do you know why the engineers and developers think they are 'God's gift to computers'? Turns out they are, if you consider the hardware and software you use.
Actually, in the case of public corporations, the understanding is the company exists to serve the financial interest of the owners. Companies pay employees for labor. But thanks for playing.
What ever happened to the 125-year-old company that I worked at with the new draconian security policy, you ask? Gone within 6 months of the new ownership/security regime. Some parts were sold off to competitors with an interest in building products instead of corporate policies. Some just vanished. But a business that survived 2 depressions, multiple recessions, and three years of McKinleynomics is now just a memory.
I am not a crackpot.
Sounds to me like you have (had?) incompetent mail admins, not "too much security."
Plenty of sympathy here, but the "if I want something done right you have to let me do it myself" thing just plain doesn't work in the context we're talking about. Sole proprietorships with no staff but the owner, perhaps, but not in the enterprise. Your mail admins need to be getting the job done without cutting you off over and over again. Going around them is not the solution. Fixing them is.
To be clear, there is no excuse for the trouble you're describing. I've done mail admin, server admin, network admin, and security on all of the above-- and I'd disappear any mail admin who chronically couldn't figure out how to patch an Exchange box without blowing up established SMTP relay allowances.
Again, availability is a cornerstone of security, and they're making services unavailable by goofing up every time. The problem isn't that you have too much security. Rather, your firm has something being called security that is quite the opposite. And like any *breach* of security, it is undermining business function. The folks managing your back end need a clue, and maybe some new staff.
My sympathies. The only thing worse for security than apathy and ignorance is incompetence. Sounds like someone has plenty in your shop. :-(
But at the end of the day incompetent staff are incompetent staff. They don't stop being incompetent staff and morph into something else called "too much security" just because they control an IT choke point that you can't bypass. And this is important mainly because-- as you presumably know, being a Unix admin-- if you don't properly identify a problem's root cause, you can't very well fix it.
Good luck.
I'll disagree here. Not because I'm a mac fan or because I think that an environment of all Macs is the way to go, but rather the comment about Macs in an enterprise environment. Speaking from personal experience, Adobe Systems uses Macs extensively. They develop software to run on Macs. I worked in a test lab that was 50% Macs of all varieties, had a Mac on my Desk and the company supported it and worked closely with Apple to test their software against pre-release OS X Tiger seeds while I was there. To the best of my knowledge, we had no more or less problems with the Macs compared to the Windows machines because of intelligent network security policies and a decent IT group. In fact, I've worked in far more heterogeneous environments with some mix of machines running different operating systems. Far and away the most unusual was the bank I worked at that used a combination of Macs, Windows machines, and some sort of proprietary DOS system all glued together with Novell to talk to what I think was a VAX mainframe. It was a headache to maintain, but the majority of problems were the kinds of user errors that would have occurred on any system. And for me personally, I kind of prefer the Apple bomb icon to a BSOD.
Building was owned by Tyco - that should explain it.
I strongly disagree with that throw-away comment. The only perfect security is at absolute zero with everyone dead. Is that what you want?
-I like my women like I like my tea: green-
Ah-ha! I think you got my point, even if you haven't recognized it yet. I never said that we imposed security policy by fiat and ignored all requests for changes. We put in place policies designed to protect the assets of the whole company, and then work with the business to develop solutions to their problems that both enable the business functionality to continue and abide by the security policy.
We have hundreds of engineers in our company, and to my knowledge, every single one of them is able to do their job. If a new threat comes out (mass-mailing worm that spreads via SMTP from the client) that requires a change to the security posture and impacts the engineers, we work with them to either find a new tool/method to achieve the task or we document an exception, including who approved it, for whom was it done, why was it done, and, if applicable, when the exception will end.
The engineers I have problems with are not the majority. I have a problem with the ones that insist that their solution is the only one, even though every other engineer in the company is using the official solution successfully. I have a problem with engineers who think they're smarter than security and deliberately attempt to bypass the security measures without contacting us first to see if there's a known, supported fix. Finally, I have a problem with anyone who believes that their personal use of the company's assets (computers, Internet connection, time, etc.) is more important than federally mandated security controls. While it is often necessary to reduce some security controls so that the company's business can continue, there is no time where we will consider a reduction in the security posture for an employee to run their own company or make accommodations to enable someone to become even less productive than they already are.
You: Then why would any well-run Unix shop also use mailhub? Why do Unix MSPs implement that functionality? Why does every well-known figure in Unix mail recommend using that functionality for this purpose?
There's nothing wrong with a mailhub, as long as it works with published standards. What's happening in the big dumb company world is that admins are closing port 25 on their mail servers and eliminating SMTP in favor of some kind of M$ Exchange mess. As the administrator here told me, "I'll look into opening that port (he did not know which one) for SMTP on the Exchange server, but I'll have to find out if that poses any security risk." This replaces well known sturdy software with the worst of class, Exchange on the server and Outlook or IE on the desktop.
This is just another anti-competitive thing M$ has come up with for its partners. Why anyone would listen to them and get themselves that much more locked in after their repeated failures is beyond me.
Friends don't help friends install M$ junk.
I know that security is not a product of my company. I know that engineers are responsible for producing the products we sell (although not most of the services). However, engineers have to understand, particularly in a diverse corporation with many different independent businesses, that compromise is not where the other guy backs down. I agree, taking away the modem lines from a company that manufactures modems is stupid and that there are times where developers might need admin-level access to their development platform. I understand, though, that secretaries, content writers, marketing reps, and call-center techs do not need modems that accept inbound connections or admin access to their desktops.
On who works for whom, you are right that public corporations are beholden to the shareholders, but that doesn't change the fact that companies are not created for the convenience of the employees. Your final paragraph is a perfect demonstration of that. The company goes away, are there any employees any more? What difference does it make that the policy allows you to surf porn during business hours if the company goes belly up? Also, my guess is that security policy alone was not what sunk your 125 year old company. Bad management can do wonders towards destroying a legacy.
Also, just because some engineer somewhere designed the computer and some developer wrote the software I use, that doesn't mean that the engineers and developers in this corporation, which manufactures no computers and sells no software, are entitled to the same rights and privileges that IBM or Microsoft grants their development staff. Everyone needs to get some perspective, both security staff and engineering, and they need to realize that the perfect compromise typically means that neither side is happy.
This is exactly the kind of problem I'm talking about. It's M$ policy to block all but their crappy client software and they are starting to talk about it as a security measure. Soon, the only way to disappear the person who could not patch/upgrade/turn on the Exchange box without blowing up SMTP is going to be to disappear the box.
Friends don't help friends install M$ junk.
My point was, the machine is owned by his employers. It is not his property.
I've got to agree with you there, bad security policy is just a specific case of bad policy in general. And misplaced priorities regarding security were only a part of the misplaced priorities of the company in question. Kind of like how a symptom is to a disease.
I am not a crackpot.
Yes, I explained that games.slashdot.org does not CONTAIN games in any form, but just news ABOUT games, but they haven't responded. They're a bunch of twits.
And what part of your work duties require you to follow news about games during work hours?
If none, you shouldn't be paid from the hours you spend reading slashdot during work hours. And best way for them not to pay, is disabling everything that you don't require for your work.
If it is your task to follow slashdot and similar forums, then there should be a change in policies. Otherwise, it's their money they pay you to do your required tasks. And they make the calls what is accepted and what is not.
Our building was rented from someone else and THEY controlled the thermostat and we weren't allowed to change it, so when it got really hot in March two years back they had expected colder weather and had the heater on. I'm guessing that they couldn't be bothered to pay someone to come down to change the thermostat (and yes probably in a locked room no-one else had access to).
1.- So you were willing to email something (email is not secure and it is not guaranteed that a message is delivered) but could not send it with a messaging company? Sorry, but give me a frigging fucking break. It sounds to me more like you decided to get a freebie with the IT restrictions as an excuse. Oh yea, you ignored ftp, sftp and the post box down the road (don't fucking tell me it is not safe. You were emailing the damn thing, you are defenseless there).
2.- Tell your IT people that I say they are dumb. Honestly. But also the business side of things is at fault. If you are not able to make a business case for handling deployment of security patches more efficiently your business should also question how capable they are.
3.- Correct actions, wrong approach. What they did (reorganize access to a resource) is impeccably correct, there should be no user whining about it. What is absolutely unacceptable is the lack of notice. What does not surprise me is the obvious understaffing: IT may have quite a lot of power nowadays, but that does not mean that they get the resources they need. This is the fault of the business side of things that keeps considering IT a cost and treat it as waste of money.
4.- Read above. Perhaps your IT people were ready to implement single password sign-on but are understaffed? The best indication of this is having all the technical resources ready but nobody to implement things. Your IT people are a bit dumb, but the business side of things is obviously not providing the resources required to keep things running smoothly.
IANAL but write like a drunk one.
You were in the wrong. Period.
You either had a machine that was not allowed or failed to provide enough information to the support drones.
If you reached a point in which they did not know what Linux is, it is your fault (or your department's or whoever was responsible to make sure the XP drones knew about leenucs) that they did not have that information.
IANAL but write like a drunk one.
Sorry, but what you are saying is utter nonsense.
A computer, especially for corporate users, costs peanuts. It is a very negligible cost, and if the Linux-XP guy is a rare occurrence, the cost for additional machines is small in the great scheme of things, or he can have as second machine one of the many in any medium sized enterprise that is upgraded. Your cost argument is a non issue.
As is the inconveniencing. How is it inconveniencing somebody to ensure this person has access to both environments at the same time? The dual booting means only one or the other is available. What a fucking inconvenience. And even if it was inconvenient, the minimal distress caused has to be contrasted with the security issue of not patching boxes timely. And you know what? I would be damned to let a bit of inconveniencing get in the way of the security of my organization.
2 machines are not twice the admin time, one dual boot machine may be, but two machines aligned to supported configurations are a non issue from the administrative point of view: once you have a solution that escalates to 50 machines (or 100, 100, or 10000), adding one more machine adds no burden.
So it is 3 strikes, you are out matey.
IANAL but write like a drunk one.
If your SOX assumption is correct, that would be the BEST thing I have ever heard about SOX. Every time the auditors come by us, all we do is take raw data and polish it into report form for them! So I suspect they sit in the corner and play solitaire, you would think that auditors would WANT the raw data so that we could not fudge any facts. Everything I have seen tells me SOX is a joke and does nothing for real security (with the exception of your statement).
Linux Works
Public key encryption and the like have given us some powerful tools with regard to security. However, I think too often people (sysadmins) are given to view those standards as a minimum requirement. Usually, out of practicality, the best schemes are compromised by not taking reality into account. Whether we're talking about passwords or private keys, the likelihood of me, as a user, introducing a severe security flaw into the system is in direct proportion to the inconvenience of the security policies.
If I have one password, I'll keep it secret. If I have to remember 20 passwords, be sure that they'll all be on a piece of paper somewhere around my desk. If I'm to be the sole keeper of a private key, let it be known that I won't keep it secret (I like to go on vacation every now and then).
Although nearly perfect tools for security do exist, they're more often than not not perfect in the real world. The legal standard of reasonableness is much lower than the technical standard. Somewhere within these comments someone lamented that because an email system blocked a file with an unknown extension, that that person had to fly to another country with a CD. Someone responded that they could've just mailed it. Yeah, like Snail Mail is secure.
Do you enter an ATM PIN at the drugstore? Does anything shield the view of that from the person behind you in line? Has anybody taken anything with your social security number out of your mailbox in the last month? You can't know, can you?
These sorts of things are not new. But overly draconian security policies can actually make things worse.
Subject says all.
The bright spot for me is the accessibility of the work network when I'm remote via VPN RSA key type methods. This is one big plus. There are terrible downsides. At one point my company outsourced IT to a large company with a three letter acronym... let's call it "HAL". For most large companies this would be fine, but for a technology company like the one I work for it was a disaster. We are still only now recovering from that decision I believe, and have returned IT to local control. The largest issue I see is in the old days, engineering groups like the ones I worked in, did our own system administration, and we had large capital budgets to purchase $12,000 per seat engineering Unix workstations. Recently we have had to wait in line to get a purchase approved for a $600 PC running Windoze. And then many of the IT service people have no idea of what we need. For example, I needed a RAID 0 (striped for speed) 2 disk machine setup for data crunching of very large files. This was delayed for weeks as no one knew how to image the drive. In the old days, they would have shipped me the CPU, and I would have configured it myself. Even today, if I have an IT issue, my call goes to some corporate "call center" very possibly in India, and a ticket id is assigned. My favorite was when I had forgotten my Unix login, I emailed IT to get my password reset. They called me back to ask me what my userID was. I was going to give them the UserID of the CEO as a joke... they had my EMAIL ID, but couldn't look up my user id? Hmmm... what has the world come to.
Ross Youngblood
Who in their right mind does any type of backup in the middle of the day?
Good grief... why don't you write a big letter to the VP and include it with your resignation... your organization sounds like a horrible place to work.
and you won't have many problems or complaints
Just because people don't bother to complain because you're too much of an ass to help them get their work done (seriously, reinstalling windows every night after you begged to get a box that can read a fricken excel document?) doesn't mean they don't have complaints/problems.
It just means you're an ass.
I agree.
Having worked for a Swiss bank, even its internal security was extremely good. The few times I have forgotten my pass, I needed to have the security people at the front door issue me a new one. Now, I've been working there for about 3 years, and all the sec people know me on-sight, by name. Yet they must bring up my security profile on their PCs, double-check by asking an obscure question that only I know the answer and then, and only then, will they issue a temporary pass for the day.
In addition, to get to some of the system rooms I needed to pass 6 security pass points:
- front door - security guards, passcard
- entry to secure entry - use pass card, checked by security guard
- entry to secure zone - use passcard and fingerprint to go through a door for only one person at a time, checked by security guard
- elevator to secure zone 5 - use passcard
- entry to secure zone 5a - use passcard
- entry to system room - use passcard to go through a door for only one person at a time
The difficulty, although well warranted, led my team member and me to design our systems (400 Citrix servers) to be completely managed remotely. The time to just go down to push a button or type on the keyboard was considerable.
I remember the first time we had to move the servers into the server room. There were about 25 pizza-boxes on a trolley that couldn't go into the room since it was a 'raised-floor'. So we used the trolley to block the door open while we moved the servers in. After about 3 minutes there was an alarm beeping for a minute or so, which we figured was the door alarm. It went off, so we continued moving the servers into the room.
A minute later, two security guards appeared to check. They asked us why we left the door open since that set off the alarm. Next, they asked us for our passcards, called in on telephone to the main security center to confirm we could be here in this specific room. Afterwards they mentioned not to leave the door open since the alarm goes off. We said ok and finished the job.
Now, these were the same guards that saw us pass into the secure area a few minutes earlier, so it was obvious we were ok to be there. But they double-checked again.
Two weeks later it happened again, while moving in another batch of servers. And a minute later the guards were there, double-checked our passes. But this time, a warning was sent to our manager. Ouch.
But all in all, it was a wonderful (and safe) learning experience.
If you can stay calm, while all around you is chaos... then you probably haven't completely understood the question.