

HP: Smartwatches Are a Major Security Risk

Mickeycaskill writes: Researchers at HP Security discovered "significant vulnerabilities" in every single smartwatch they tested, claiming they pose a major security risk for users. The team is concerned by an apparent lack of authorization and authentication provisions, encrypted firmware updates and protection for personal data. When coupled with poor password choices, HP says wearables are as much a target for cyber criminals as muggers on the street. "As the adoption of smartwatches accelerates, the platform will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks," said HP's Jason Schmitt.

98 comments

  1. BP 1005 over 781 by turkeydance · · Score: 1

    calm down. man.

  2. We can't even secure damn toys by NotInHere · · Score: 3, Funny

    These smartwatches are toys. What happens when we put machines in our bodies, giving them control over body functions? Do I have to change implants when I change my employer, because the new one has stricter security guidelines?

    1. Re:We can't even secure damn toys by Anonymous Coward · · Score: 0

      See Barnaby Jack: https://en.wikipedia.org/wiki/Barnaby_Jack [Wikipedia]

      The FDA (who is responsible for approving and controlling new medical devices in the US) does not require the manufacturer to replace an implanted device should a security hole be found (that would be grossly expensive every time someone found a new flaw).

      We've already reached that point where medical implants have been hacked. It was a real eye-opener for the medical industry that computer security is kinda important. Manufacturers are not required to replace weak devices (software can be updated, but you can't do much about a hardware problem), but they'll gladly update it (for a price) when you swap it out 10 years later when the battery needs replacing. You're on your own in the meantime. Just try to avoid being close to suspicious people with cell phones and you'll be fine!

    2. Re:We can't even secure damn toys by davester666 · · Score: 1

      No, your old employer will demand that it be removed and destroyed because it contains some of their proprietary information, and they can't be sure it has all been removed just by 'erasing' it.

      --
      Sleep your way to a whiter smile...date a dentist!
  3. Vague article, ugh by Anonymous Coward · · Score: 1

    Why is it that all news articles these days never reveal the actual details? Which smartwatches were tested and which "three out of ten" smartwatches had this or that problem? Which apps have invisible ads? Which Japanese city opened a robot-operated hotel (had to click a few links in that one to find out)? Even going to the HP source and their linked pdf for "more details" reveals nothing more than what's already on their website...

    Annoying.

    1. Re:Vague article, ugh by TheP4st · · Score: 1

      The full report is linked in the HP news article. Tl;dr - http://go.saas.hp.com/l/28912/...

      --
      "I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
    2. Re:Vague article, ugh by TheP4st · · Score: 1

      While the report offers a bit more content than the articles, unfortunately which watches were tested is not included. And sleep deprivation does very little good to my reading skills, as AC reached the exact same conclusion.

      --
      "I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
    3. Re:Vague article, ugh by Maury+Markowitz · · Score: 1

      That is NOT the full report - or if it is, HP's definition of "report" is "useless marketing BS".

      Harking back to the AC OP's concern, the paper you link to has no actual data in it, only summaries. For instance, "Thirty percent utilized cloud-based web interfaces".

      Useless.

  4. Of course! by Anonymous Coward · · Score: 0

    Sure you have a smartphone that can track where you go but do you really need a device that also tracks how you get there, along with all of your calorie statistics, habits and health data? How much is that really helping you? I doubt many people who use these fitness trackers are actually getting much real benefit from them except for a "hey, in case you forgot, you should probably exercise"

    1. Re:Of course! by Anonymous Coward · · Score: 1

      Fitness trackers are a boon to those that thrive on numbers, stats, and analysis.

      Like a lot of geeks -- which also happen to be one of the demographics most in need of fitness.

      There's also a significant social component (share your numbers, compete with others, etc.), which for many is a good motivator as well.

    2. Re:Of course! by LinuxFreakus · · Score: 1

      Wow, you've clearly either not exercised much, or you are utterly oblivious to how much easier it is to make your workout plans when you have apps that automatically record what you do so you can track your progress and incrementally improve. It is a major pain to do it all manually, I would never go back to the "old way" myself.

    3. Re:Of course! by Anonymous Coward · · Score: 0

      That's a pretty arrogant statement given you are demonstrably oblivious to how broadly your statements don't apply. Apps don't automatically record what I do: If I run 10km on the treadmill the app doesn't know that (though most fitness trackers have a pretty inaccurate attempt at guessing based on the step counter, which is terribly inaccurate in any wrist-worn device), and for bench/curls/dips/flys/etc it doesn't know how much or how many reps. Additionally most don't track essential fitness variables like blood pressure, blood oxygen level, respiratory rate, etc.. Most are also really inaccurate when it comes to measuring calories burned.

    4. Re:Of course! by Anonymous Coward · · Score: 0

      Just because you lack the ability to see value in smartwatches does NOT mean they don't deliver value to others.

      The devices obviously do deliver value to millions of people, so they will get used. Therefore they need security.

    5. Re:Of course! by FranTaylor · · Score: 1

      Most are also really inaccurate [techtimes.com] when it comes to measuring calories burned.

      Two of them were 85% accurate.

      you are demonstrably oblivious to how broadly your statements don't apply.

      pot, kettle, black

    6. Re:Of course! by LinuxFreakus · · Score: 1

      No, most trackers don't do distance based on step counts.... some of them do attempt to guess based on that in "indoor" mode... and you can use other sensors to make that more accurate such as a foot pod (although I would generally not try to have the app determine distance on a treadmill, I would just collect what data makes sense and then prompt to fill in distance at the end since even the foot pods are not the greatest on a long run).

    7. Re:Of course! by LinuxFreakus · · Score: 1

      And I might further add that even the distances reported by treadmills tend to be off themselves... but if you do a lot of your workouts on a treadmill they should still be relatively comparable to each other. Same goes for calories... nothing is ever going to be very accurate unless you enjoy running while hooked up to a breathing tube, etc. The point is not to know the exact number of calories, it is to track progress and develop your fitness based on relative/statistical improvements.

  5. Like virginity, trust is forever gone by Anonymous Coward · · Score: 0

    There can be no security. The only sustainable choice left is total and utter transparency.

  6. Original Report by netelder · · Score: 1

    Here's the original Fortify report, which has actual data (tm): http://www8.hp.com/us/en/hp-news/press-release.html?id=2037386#.VbF-Hbd2lEE

    1. Re:Original Report by Anonymous Coward · · Score: 3, Insightful

      Nice try, I still had to click "get the report" another 2 times

      http://go.saas.hp.com/l/28912/2015-07-20/325lbm/28912/69038/IoT_Research_Series_Smartwatches.pdf

      No brands or concrete data mentioned. This is a garbage report. They should have at least detailed which models had which problems. Instead we get nothing of value.

    2. Re:Original Report by dragonorb · · Score: 1

      Doesn't list which smart watches were tested.

    3. Re:Original Report by ihtoit · · Score: 2

      just the ones which connect using the Bluetooth protocol.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  7. Welcome to the real world Neo by Anonymous Coward · · Score: 0

    Welcome to the real world Neo

  8. Relax... by Anonymous Coward · · Score: 0

    It talks via bluetooth, which is pretty short range... it could only talk to maybe your cell phone, or that hacked entertainment system in your car that's wired into the rest of the system, but it probably can't get to your wi-fi enabled toaster or fridge, they'd have to find back-doors into your router or something... and we all know none of that can ever be an issue. ... yeah, give me a 'dumb' phone, a 'dumb' watch, and a 'dumb' car, thank you very much. I don't really *want* all this stuff 'connected' to who knows what.

    1. Re:Relax... by jsh1972 · · Score: 1

      The Lollipop upgrade to Android Wear enabled Wi-Fi connection. No idea about the fruit watch.

    2. Re:Relax... by perryizgr8 · · Score: 1

      Fruitwatch and Tizenwatch already have wifi.

      --
      Wealth is the gift that keeps on giving.
    3. Re: Relax... by jsh1972 · · Score: 1

      ... as does my moto 360. It was there all along, just not enabled in earlier versions of Android wear.

    4. Re: Relax... by perryizgr8 · · Score: 1

      The difference is that iWatch and Samsung gear have had it enabled for a long time.

      --
      Wealth is the gift that keeps on giving.
  9. Translation: by jpellino · · Score: 4, Insightful

    We don't make one of these amazing things, so you shouldn't have one of these scary things.

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
    1. Re:Translation: by JoeCommodore · · Score: 1

      > We don't make one of these amazing things YET, so you shouldn't have one of these scary things NOW.

      FTFY

      --
      "Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
    2. Re:Translation: by ChunderDownunder · · Score: 1

      HP had their chance to create an internet of things niche when they bought Palm.

      WebOS lives on only at lg

    3. Re:Translation: by gstoddart · · Score: 1

      No matter HP's motivation for this ... the shitty and sorry state of security of consumer electronics is pretty well documented. Hell, we see stories here at least weekly about it.

      I assume pretty much every device which wants to connect to the internet is full of absolutely gaping security holes, because companies don't care, and consumers want easy.

      My default position is these smartwatches are full of security holes. And smart TVs. And the internet of things.

      Because every damned vendor seems to either do a shit job of security, or they don't do it at all.

      --
      Lost at C:>. Found at C.
    4. Re:Translation: by Anonymous Coward · · Score: 0

      We don't make one of these amazing things, so you shouldn't have one of these scary things.

      Yes let's dismiss this on the basis that it was conducted by a company that doesn't have a vested interest in it.

    5. Re:Translation: by Anonymous Coward · · Score: 0

      I don't think HP is trying to dampen the market for smartwatches, they're probably trying to market their security services. Same reason they sponsor pwn2own.

    6. Re:Translation: by FranTaylor · · Score: 1

      Yes let's dismiss this on the basis that it was conducted by a company that doesn't have a vested interest in it.

      they have a totally vested interest in trashing the credibility of their competitors

    7. Re:Translation: by aaaaaaargh! · · Score: 1

      We don't make one of these toys, so you shouldn't have one of these toys.

      FTFY.

    8. Re:Translation: by sjwest · · Score: 1

      I too avoid buying original hp products.

  10. Wait, what? by tsqr · · Score: 4, Funny

    HP says wearables are as much a target for cyber criminals as muggers on the street.

    Muggers are a target for cyber criminals? Who knew?

  11. Not surprising by Anonymous Coward · · Score: 0

    Not surprised. Most manufacturers are pretty crap when it comes to security. That said, this report is somewhat useless without naming which watches were tested.
    http://go.saas.hp.com/fod/internet-of-things

  12. one word by ihtoit · · Score: 1

    Bluetooth.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  13. Bit rich coming from HP by Anonymous Coward · · Score: 1

    This is a little rich coming from HP... How many devices have they released with HARD CODED passwords that CAN'T be disabled or changed so field engineers can have easy 'access'?

  14. Which is why you don't let this stuff connect... by Karmashock · · Score: 3, Insightful

    ... to the company servers if you give a shit about security.

    The whole BYOD argument has been debated to death. Point is there are two camps here.

    Camp 1 says "No, because security" and Camp 2 says "Yes, because I'm lazy and like my toys."

    Did I strawman camp 2? Sure. They'll actually say stuff like "we can secure our systems." But there is overwhelming evidence to the contrary. And if you ask them why they don't want to use the company provided blackberries or something they'll say "well I don't want to bring two phones" or "I can't install my apple shit on this thing" or whatever. Which means the security is being compromised for convenience and toys.

    Now is there some hidden agenda in Camp 1? I mean, I just talked a lot of shit about camp 2... is there something off with camp 1? I can't see it. I'm a fully paid up card carrying member of camp 1. So maybe I just can't see it because I'm too close to it. You tell me. But I don't think there is a hidden agenda with camp 1. Camp 1 says "we cannot secure your private shit phone and thus giving it access to the VPN etc is a stupid idea and we're not doing it."

    So the stupid watches for the BYOD phones are an additional security vulnerability? Okay.

    Whose problem is that? Not camp 1's problem because they're not going to let you use that shit with the company phone anyway. Problem fucking solved. *brushes rhetorical dirt off hands and goes off to lunch*

    Camp 2 however has more problems to deal with and it is never going to stop. And the thing is that no organization either can or will even choose to try to keep up with all this shit. They'll make efforts to close the most glaring issues but that's about it. Which means those systems will be what they've always been... wide fucking open. And that predates the whole BYOD thing. Some organizations do what is required to secure the systems and some basically jerk off into their coffee and call it cream.

    Here is what "I" need for the stupid watches to be acceptable. I need to be able to control the encryption between the phone and the watch. And then I need to be able to lock those parameters into the phone so that they can't be changed by the user or some fucking program you install from the marketplace/appstore that says in the long list of permissions "oh yeah, fuck your security". And then I need to be able to control what is passed between the phone and the watch. Apparently these things are set up to pass EVERYTHING. And that's adorable and stuff but clearly that has to be scaled back to something less deranged.

    There are so many problems with this stuff. I appreciate the makers are pushing this for idiot consumers and that they are going for looks and functionality etc and security isn't even on the radar.

    And that is FINE... for a toy. But any company that lets that crap have access to their servers deserves what ever happens.

    No pity.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  15. Re:Which is why you don't let this stuff connect.. by Anonymous Coward · · Score: 5, Insightful

    The problem with camp #1 is they, in many cases, utterly fail to provide the tools necessary for people to do their jobs efficiently, which is why people want to bring their own.

    Mind you, it's not necessarily the boots on the ground (but rather the generals) for camp #1 causing the problem, but it is camp #1's problem.

    (by the way, I have been in both camps in various parts of my career)

  16. Re:The world needs fewer sysadmins. by Karmashock · · Score: 1

    You're right. And I think OPM is really leading the way with this revolution you're talking about. From what we hear they didn't even have an IT security department until a year ago and that was probably a mistake.

    The hack they had wouldn't have even been noticed in the first place without people like me.

    You don't know what you're talking about. You're another snotty user that thinks his parents are poopy heads because they won't let him install malware on the company network.

    And users like you are not a problem usually. My job is child proofing the system so you can't kill yourselves or hurt the organization.

    The problem is when people like you get promoted above your competence into management. And then start elbowing your other lackwit cronies and giggling about how the security people are always exaggerating or they just want to control stuff because they're busy bodies or something. Never mind that the hacks never happen to the systems they are allowed to lock down and always happen in the networks and systems they are systematically sabotaged out of managing.

    You are information security cancer. I would feed you poison, bombard you with radiation, and then cut out your withered corpse as medical waste.

    now... which of us delivered a hotter burn? I think I win. My burn was hotter... BUUUURN. :D

    Fucking stupid users. :D

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  17. Re:Which is why you don't let this stuff connect.. by firewrought · · Score: 1

    I don't think there is a hidden agenda with camp 1. Camp 1 says "we cannot secure your private shit phone and thus giving it access to the VPN etc is a stupid idea and we're not doing it."

    Camp 1's hidden agenda is making life simple for them (e.g., IT security). When a gatekeeper's opened for opening a gate, they'll have no incentive to do what's actually best for the organization. It's not just IT, either. We all do it. Want to order some software? Legal and Supply Chain and IT will all conspire to make this a big fucking deal that takes two months to get done. (Shhh... don't tell them about the thousands of packages flitting into their network via nuget/npm/git/aptitude/docker/whatever. This is the real reason Open Source won the world of software reuse. Blow your deadline doing paperwork and politics, or `npm install foo` and keep programming?)

    That's not to say I'm a fan of camp 2 and the BYOD movement; I was saying "hell yeah" reading your post, so I'm probably not the best person to put forth the camp 2 argument. It's just that dealing with risk is a very, very hard balancing game. When you ask the person in charge of managing risk, they'll always say "no"; when you ask the person in charge of getting results, they'll always say "yes". But the optimal solution... the one that best maximizes shareholder value while keeping it within their preferred level of risk tolerance... is going to vary case by case.

    --
    -1, Too Many Layers Of Abstraction
  18. Re: Which is why you don't let this stuff connect. by Anonymous Coward · · Score: 0

    Funny, I thought the "Nazi SA" stereotype died last decade, guess I was wrong. Go pull your head out your ass and stop being a speed bump for real people to get real work done.

  19. Re:Which is why you don't let this stuff connect.. by Karmashock · · Score: 1

    Well... you say simple, I would say "possible".

    Here is the thing, you compromise the system enough and IT security just throws their hands up. There aren't enough of us, no company or government is going to pay enough to secure those systems, and so what happens is that you get shit security.

    So yeah. Not fucking up the system does make it easier. But fucking it up can also make it IMPOSSIBLE to secure it.

    In fact, so much of IT security has battered wife syndrome at this point that we just take it in stride that systems can't be secured.

    Oh you know hank... he's just had a hard day... he can't help it.

    And frankly... this attitude is fucking up IT horribly.

    If people want to do new things on the system or access things in a new way. That's great. We can come up with a secure way to do that. The solution is not to bypass the security, hook up the machine people install angry birds on, and hope for the best... because after all "who would hack us, right guys?"

    As to shareholders... let's not pretend anyone gives a shit about shareholders. No one cares about them.

    The company doesn't, the government doesn't, the exchange doesn't, the trading houses don't... their fucking brokers don't care.

    Here is what matters... what management wants. Is management beholden to the shareholders? To some of them maybe not honestly even then CEOs etc tend to view shareholders as amusing peasants. You'd need to have voting shares to at least be considered remotely credible. And really what management cares about more than anything is their stock options. Which means they care about what their stock will sell for when it matures which could be tomorrow... after which all their fucks are gone.

    Anyway, shareholders aside... to the issue of what is best for the company, that is often a very dubious question. You don't actually know a lot of the time what is best. Every new fad comes along with promises of improved productivity or lowered costs and it frequently doesn't happen. So did people lie when they said X or Y would happen? No... but they did imply that they knew something was going to happen or had some grasp of the issue when in fact they had little more than assumptions, biases, and hopes.

    I see no way in which BYOD helps anything. What are you doing on your iphone that you couldn't do on a company blackberry?

    Literally... what are you doing for the company with that expensive fashion accessory that you couldn't do with the approved company hardware? Because my evaluation is that you are typing less effectively because virtual keyboards are shit. The blackberry is not a perfect device but for a business it really does a much better job of complying with organizational priorities.

    And the arguments I've heard against such devices are pretty much just giant whines about how they're not pretty or it's a pain to charge your free phone which you're often permitted to make personal calls on so long as you don't call phone sex lines on the other side of the planet.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  20. Very truth by Anonymous Coward · · Score: 0

    The smartwatches, being computer devices, are having many security risks of the computer. Solution is to not use intelligent devices when they are not being needed.

    The traditional watch is providing all of the functionaries which are needed from same.

    1. Re:Very truth by Anonymous Coward · · Score: 0

      The smartwatches, being computer devices, are having many security risks of the computer. Solution is to not use intelligent devices when they are not being needed.

      The traditional watch is providing all of the functionaries which are needed from same.

      When Microsoft has an embedded Windows version for a watch, security will be guaranteed through regular updates. Until then there will be no security.

  21. Re:Which is why you don't let this stuff connect.. by FrozenGeek · · Score: 1

    From my perspective, the biggest problem with BYOD is that management is not likely to give IT the resources needed to ensure that BYOD is done in a secure manner. Personally, I will not bring my own device to work for a couple of reasons. First, why on earth would I subsidize my employer? Second, why on earth would I consider giving my employer any measure of control over my device?

    --
    linquendum tondere
  22. Watches are for cows. by Anonymous Coward · · Score: 0

    You are all cows. Cows say moo. MOOOOOOOOOO! MOOOOOOO! Mooo cows MOOOOOO! Moo say the cows. YOU COWS!!

    1. Re:Watches are for cows. by Anonymous Coward · · Score: 0

      You are all cows. Cows say moo. MOOOOOOOOOO! MOOOOOOO! Mooo cows MOOOOOO! Moo say the cows. YOU COWS!!

      You are obviously a troll. Care to explain what it means?

  23. Re:Which is why you don't let this stuff connect.. by Anonymous Coward · · Score: 0

    Bitter IT drone detected.

  24. Re:Which is why you don't let this stuff connect.. by Karmashock · · Score: 1

    Resources is always the issue with anything.

    You could win a nuclear war if you had an endless number of guys with sharp sticks.

    The thing is that if things are done in a dumb way then there are two ways to fix it.

    1. Stop doing the dumb thing.
    2. Throw money at the problem until it goes away.

    What you're saying is that management will look at the bill and say "we're not paying that"... and I agree... they never have and never will.

    But then you're not making the leap to where you get that that means you have to go with option 1 which is to not do things in the dumb way.

    I'm getting attacked by a lot of people in this thread.

    I've been called a nazi.

    I've been called someone that is only out for personal power as if I care how much horse porn people jack off to.

    I've been accused of being lazy because apparently I'm bad at my job if I do things efficiently.

    As to your reasons why you wouldn't bring your own device... I can appreciate not wanting to let the company control your property. That's reasonable. But by the same token why would they let you control theirs? Same thing... only they potentially have more to risk than the fact that you're having sex with your wife's sister. Organizational systems get penetrated and it can really hurt an organization or worse it can threaten whatever it is that the organization does... government or corporate. Fucking up the office is bad... but undermining the business model or undermining the function of a government agency is another thing entirely.

    Also, I'm perfectly happy to help the company out so long as the boss notices it. This anti corporate anti management stuff is career poison. I don't know why people spew this stuff. It is noticed and there are consequences. Don't do that. Shut the fuck up, do your job, make everyone happy with you, and your chances of getting paid more or given more responsibility which you can leverage to make them give you more money go up. Lots of people at work hate me. Management loves me. Bonus every year. Guess how much I care that Mike in accounting thinks I'm an asshole? If anything I'm glad he thinks I'm an asshole because it means he knows I am completely fucking serious when I say I'm going to do something. He knows I'll do it.

    And because of that, he doesn't fucking try me. And that ladies and gentlemen is respect. The sure knowledge of quick and righteous retribution.

    As I said, most IT security people have battered wife's syndrome. They take the shit for granted. They take the disrespect. They take it all and just say that's normal or people can't help themselves or some other excuse as to why their job is being systematically sabotaged by irresponsible, selfish, unprofessional, ignorant, children.

    I fucking refuse. I have to fight these fuckwits every so often. My god the hours spent making little presentations to educate management why they're about to unzip their flies and stick their dicks in a blender.

    So far I've not had to give an inch. Lucky maybe. But I've also caught a lot of people that were trying to steal etc and I never let management forget it. That gives me enough credibility when pressed to get deference.

    That said, I do try to not be a dick. People are given an orientation... I give lots of what I hope are taken as friendly warnings.

    But you know... after getting warned for the same thing three times in a row and the person being warned just tries to be sneakier every time... Fuck him.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  25. Re:Which is why you don't let this stuff connect.. by Anonymous Coward · · Score: 0

    What needs to be done is a multilayer approach to security. For data going over the air:

    1: The Bluetooth pairing should be done via a "real" way, preferably 6-8 digit PINs on both devices. No just entering "0000" as a default and calling it done. My car's audio head uses a randomly generated six digit PIN by default when pairing.

    2: There needs to be security of data on the networking layer (independent of Bluetooth). The ideal would be SSL, except instead of CAs, the devices know each other's keys, so they know if a MITM is trying to take place during an SSL handshake. Having a shared symmetric key that is only used during the DH handshake might improve things.

    3: If the device and phone are in constant contact, it might be wise to have them negotiate a VPN (using no CAs, but preshared keys), so that a BT protocol break only means an attacker gets to look at an encrypted tunnel.

    Of course, real encryption algorithms and PFS enabled, not RC4 or some teenie-weenie RSA key. I'd almost say 4096 bit or the ECC equal.

    Now the hard part: The data at rest. Apple handles that by a TPM-like chip which handles the keys, while Android prompts for a password at bootup which unlocks the volume key (usually just /data.) The ideal would be some way where every app has its own encrypted filesystem (EncFS), and when not in use, it is unmounted, and mounted automatically with the keys pulled from a tamper-resistant chip when needed.
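The phone-to-watch handshake sketched in points 2 and 3 above, and the "control the encryption between the phone and the watch" requirement from comment 14, as an added example that is not part of this thread and not any vendor's code: an ephemeral Diffie-Hellman exchange in which a pre-shared pairing key (PSK) is used only to authenticate the handshake transcript, never as the session key. An active attacker on the link who does not hold the PSK can substitute DH shares but cannot produce a valid tag over them, so both ends reject the session; because the session key is derived from fresh ephemeral shares, past sessions stay protected if the PSK later leaks (forward secrecy). The device roles, the `pair-v1` transcript label, the message layout and the sample PSK are assumptions of this example; the MODP group is RFC 3526 group 14, transcribed here and worth checking against the RFC before relying on it.

```python
"""Ephemeral DH handshake authenticated with a pairing PSK (constructed example).

Standard library only: hashlib/hmac/secrets. Assumed: the PSK was installed on
both devices at pairing time, e.g. after a PIN-based Bluetooth pairing.
"""
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP), generator 2. Published constant, transcribed
# here; verify it against the RFC text before relying on it in a real product.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
PUB_LEN = (P.bit_length() + 7) // 8  # 256 bytes per DH share


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """Minimal HKDF (RFC 5869) over SHA-256: extract a PRK, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def encode(share: int) -> bytes:
    return share.to_bytes(PUB_LEN, "big")


def transcript_tag(psk: bytes, role: bytes, own_pub: int, peer_pub: int) -> bytes:
    """HMAC under the pairing PSK over the handshake transcript. Only a holder of the
    PSK can produce it, and it binds both shares, so a swapped share breaks the tag."""
    msg = b"pair-v1|" + role + b"|" + encode(own_pub) + encode(peer_pub)
    return hmac.new(psk, msg, hashlib.sha256).digest()


class Device:
    """One endpoint (phone or watch) with a fresh ephemeral DH key per session."""

    def __init__(self, role: str, psk: bytes):
        self.role = role.encode()
        self.psk = psk
        self.priv = secrets.randbelow((1 << 256) - 2) + 2  # 256-bit exponent suffices
        self.pub = pow(G, self.priv, P)
        self.session_key = None

    def tag_for(self, peer_pub: int) -> bytes:
        """Second-round message: authenticate the shares this side saw."""
        return transcript_tag(self.psk, self.role, self.pub, peer_pub)

    def accept(self, peer_role: bytes, peer_pub: int, peer_tag: bytes) -> bool:
        """Verify the peer's tag, then derive the session key. False on any failure."""
        if not 2 <= peer_pub <= P - 2:  # reject trivial-subgroup shares up front
            return False
        expected = transcript_tag(self.psk, peer_role, peer_pub, self.pub)
        if not hmac.compare_digest(expected, peer_tag):
            return False  # wrong PSK, or a share was substituted on the link
        shared = pow(peer_pub, self.priv, P)
        # Key comes from the ephemeral shares; the PSK only salts the derivation.
        self.session_key = hkdf_sha256(encode(shared), salt=self.psk, info=b"session")
        return True


def handshake(phone: Device, watch: Device, mitm: bool = False):
    """Run both rounds over an (assumed) insecure link. With mitm=True an attacker
    holding no PSK replaces each side's share with her own and relays the tags."""
    if mitm:
        attacker = Device("attacker", b"")  # does not know the pairing PSK
        phone_sees, watch_sees = attacker.pub, attacker.pub
    else:
        phone_sees, watch_sees = watch.pub, phone.pub
    phone_tag = phone.tag_for(phone_sees)  # round 2: tags over the observed shares
    watch_tag = watch.tag_for(watch_sees)
    ok_phone = phone.accept(watch.role, phone_sees, watch_tag)
    ok_watch = watch.accept(phone.role, watch_sees, phone_tag)
    return ok_phone, ok_watch


def demo(mitm: bool = False, psk_mismatch: bool = False):
    """Returns (phone accepted, watch accepted, both derived the same key)."""
    psk = secrets.token_bytes(32)  # constructed pairing secret
    phone = Device("phone", psk)
    watch = Device("watch", secrets.token_bytes(32) if psk_mismatch else psk)
    ok_phone, ok_watch = handshake(phone, watch, mitm=mitm)
    same = bool(ok_phone and ok_watch
                and hmac.compare_digest(phone.session_key, watch.session_key))
    return ok_phone, ok_watch, same


if __name__ == "__main__":
    print("honest pairing         :", demo())
    print("active MITM without PSK:", demo(mitm=True))
    print("mismatched PSK         :", demo(psk_mismatch=True))
```

The honest run yields `(True, True, True)`, while both the relay attack and a PSK mismatch yield `(False, False, False)`; two honest sessions under the same PSK produce different session keys, which is the forward-secrecy property point 3 is after. The "lock those parameters so an app can't change them" part of comment 14 is a platform policy question (which process may touch the pairing store) rather than something the handshake itself can enforce, so it is not modelled here.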

  26. Re:Which is why you don't let this stuff connect.. by Anonymous Coward · · Score: 0

    Honestly, I don't care about the original post, but flamebait kharmasheen is trolling for love. He sounds like a 4 year IT security guy who has not quite grown yet in the industry. Usually the "I" twat gets ignored, but let the perpetual two year old throw his tantrum. After all, we are not his daddy. He/She is either a person who cares about the job, who has technical skills and much more to learn, or an older douche who will remain a perpetual two year old. In either case, BYOD stands for "Buy your own device", and the only reason it's embraced by management and HR is because they are shifting the cost to the employee. Having worked across the industry and even in security, my advice is to NOT dismiss the posts you are reading from people in other camp(s). There are some that have been in your world, and now see the light. You will get there young skywalker, or find the fate of darth vader. You will never SELL anything including security or IT, if you berate your customers. Sure, you will not see short term consequences, but eventually, you will go out of business. I have seen some folks dismiss people and hold others to the fire. Eventually the dicktators will lose, and lose bad from all of the bridges they have burned. Get your head out of the sand, ostrich, and you may see the light. It is apparent from reading kharmasheen's posts, that the person is in a world of limited view. The optimistic me hopes kharmasheen grows up. We need people who care working.

  27. Re: Which is why you don't let this stuff connect. by Anonymous Coward · · Score: 0

    Efficiently == lazy in your statement....

    And remember that some things are just not compatible, like security, comfort and privacy.

    No one solved that triangle fully, so not a camp 1 problem alone.

    There is a trade off and we must choose what we adhere to....

  28. Re:watches? by spire3661 · · Score: 1

    I still have the watch I purchased in the 20th Century. My pocket computer doesn't replace it.

    --
    Good-bye
  29. Re:watches? by FranTaylor · · Score: 1

    I used to wear a watch, back in the 20th century. That's when cell phones were the size of a common house brick. Fuck watches

    If they can make a phone the size of a watch, I say, fuck phones.

  30. HP concerned about data security? by Anonymous Coward · · Score: 0

    HP concerned about data security? Well that's a new one! Having worked closely with HP, I have zero confidence that they have the slightest concern about users' data security. They couldn't even do simple disk encryption right a couple of years back.

  31. Fear mongering? by ruir · · Score: 1

    I have given a very cursory read to the PDF; it seems quite broad. The timing of this is quite suspect, is it just to make people not buy iWatches?

  32. So muggers are a target, not watches? by Anonymous Coward · · Score: 1

    American idiots:

    "wearables are as much a target for cyber criminals as muggers on the street"

    I think you meant:

    "wearables are as much a target for cyber criminals as FOR muggers on the street"

  33. Re:Which is why you don't let this stuff connect.. by ChunderDownunder · · Score: 1

    (1) I'm not sure on the specifics of phones/watches but in my country, one can claim as a tax deductibility a 'salary sacrifice' if equipment is used for work purposes. e.g. that $70/month shiny iPhone 6 plan might be subsidized by the government if you BYOD but maybe not if it's purely for personal use.

    (2) I'm surprised hypervisors with dual SIM haven't caught on yet. i.e. you run your own personal stack as the host OS and work provides you with a secure encrypted image to load as the guest OS. That way they only have control of the virtualized environment which is remotely scrubbed on employment termination or theft.

  34. Sensationalism by TomGreenhaw · · Score: 1

    From the article: "when connected to a test mobile device that was deliberately made insecure"

    Come on. This is not real world.

    --
    Greed is the root of all evil.
  35. Re:watches? by gnasher719 · · Score: 1

    I used to wear a watch, back in the 20th century. That's when cell phones were the size of a common house brick. Fuck watches

    We are straight back to phones the size of a house brick. When the iPhone was released with a 3.5 inch screen, everyone thought it was _huge_.

  36. Measuring energy expenditure by kaur · · Score: 1

    THERORETICAL accuracy for measuring energy expenditure from heart rate is:
    - 15-25 % if the model and measurements are calibrated for a particular individual in a lab environment
    - 20-35 % in a generic case
    Source: http://www.firstbeat.com/userD...

    Your device, be it a watch or a phone, using chest strap or wrist, CANNOT get more accurate than 20%, whatever the marketing dept would say.
    The human body simply is not a precision instrument, and the individual deviation from the formulas cannot be eliminated easily.

    1. Re:Measuring energy expenditure by Maury+Markowitz · · Score: 1

      > CANNOT get more accurate than 20%

      You're COMPLAINING?!?

      Gebus, I have just about zero idea what my caloric intake or output is. I certainly see value in something that's 20%. And if I can calibrate that against, say, a bike machine, then I'm all for it.

  37. Re:Which is why you don't let this stuff connect.. by jittles · · Score: 1

    ... the company servers if you give a shit about security.

    The whole BYOD argument has been debated to death. Point is there are two camps here.

    Camp 1 says "No, because security" and Camp 2 says "Yes, because I'm lazy and like my toys."

    Hmmm no bias detected in that statement... though you did openly admit that you're a camp 1 member later on. I will tell you right now that I've worked for several companies with people like you calling the security shots. I can also tell you right now that I will never carry a company phone, no matter what my boss wants. Most engineers I know have zero interest in a company phone. The only people I know who do want one are managers and sales types. If you want somebody outside of those two groups to be connected, you have to allow BYOD to some extent. You may not like it, and you may think it's all about the toys, but that's just because you're way too uptight and don't realize that people want a work life balance. Carrying a corporate phone is like having an electronic leash around your neck.

    You can have all the security in the world if you disconnect your network from everyone else. No one will be able to get anything meaningful done. You have to balance the needs of your employees with the needs of the business. I would never work at your business unless I was absolutely desperate. Thankfully, I have never been that desperate.

  38. Re:Which is why you don't let this stuff connect.. by radish · · Score: 1

    The problem with decrying BYOD as being "only for convenience" is that, when it comes down to it, basically all enterprise tech is "only for convenience". Tech exists within an organization to allow their employees to be more effective, more efficient, react faster, etc. That's what it's for. Convenience isn't a reason to ignore a technology, it should be the most important reason to adopt it.

    I've worked in security in one of the most paranoid companies around and I totally get the need to protect the network - but the approach of just default denying everything because it's easier than figuring out how to allow something in a safe manner is lazy, and dare I say it, just for your convenience.

    --

    ---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"

  39. Re:Which is why you don't let this stuff connect.. by Karmashock · · Score: 1

    Nice try... I didn't say it was a convenience for the company or for the user to do things for the company.

    Rather, I'd like you to tell me something you need your device for that you couldn't do on a company blackberry?

    Hit me with your best shot. Why do you need an iphone6 to answer an email or send a text? I'd love to hear it.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  40. Re:Which is why you don't let this stuff connect.. by Karmashock · · Score: 1

    If security is important to the company they'll call your bluff.

    If you're working at a company where security isn't important or where they don't take it seriously... then do whatever. Write your user name, password, on to strange public bathroom walls for all I care.

    As to people not being able to get work done with the network disconnected.

    That's a false dichotomy. I don't have to go full blown sneakernet to secure a network. I just need to:

    1. Control physical access to anything users touch such that interactions happen in ways I control. This is easily done with thin clients and terminal servers. The clients I use have BIOS settings that disable the use of mass storage drives in the USB ports.

    2. The operating system mirrored for all the clients will only run white listed code. If an admin hasn't personally approved a given exe by a given user/group/anyone to run the thing... it isn't running. And all programs capable of executing scripts have that functionality either limited or kneecapped. I am very good at surgically breaking software so that certain features of the software just don't work. I do that whenever a bit of software has to be used but it has problematic features that actually aren't required. Sometimes they are required and then I just find ways to control the problem.

    3. The firewalls only permit access to whitelisted domains.

    I could go on... the list of things done to the network is exhaustive.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
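The third item in the list above, a firewall that only permits whitelisted domains, sounds simple but the matching rule is where allowlists usually go wrong. The following is an added example, not code from the thread or from any product the poster uses: a default-deny domain allowlist evaluator run over a handful of constructed proxy log lines. The log format, the allowlist entries, the host names and the helper names are all assumptions made for the demo. It goes slightly beyond the post by also treating unparseable log lines as findings rather than silently skipping them.

```python
import re

# Constructed allowlist for the demo. An entry covers itself and every subdomain
# of itself, and nothing else: "evil-example.com" is not covered by "example.com".
ALLOWLIST = frozenset({"example.com", "updates.example.net"})

# Constructed proxy log shape: "<timestamp> <client> <METHOD> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def normalize_host(host: str) -> str:
    """Canonical form for comparison: lower-case, no trailing dot.
    Anything that is not a plain DNS name (IP literal brackets, stray
    characters) normalizes to '' and is therefore denied by default."""
    host = host.strip().lower().rstrip(".")
    if not re.fullmatch(r"[a-z0-9.-]+", host):
        return ""
    return host


def host_from_url(url: str) -> str:
    """Extract the host the proxy would actually connect to. Userinfo
    ('allowed.example@evil') and a port are stripped before normalizing,
    so a URL dressed up with an allowed name in front of '@' is not fooled by."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#]+)", url, re.IGNORECASE)
    if not m:
        return ""
    authority = m.group(1).rsplit("@", 1)[-1]   # drop user:pass@
    authority = authority.split(":", 1)[0]       # drop :port
    return normalize_host(authority)


def is_allowed(host: str, allowlist=ALLOWLIST) -> bool:
    """Default deny: True only for an exact entry or a subdomain of an entry."""
    host = normalize_host(host)
    if not host:
        return False
    for entry in allowlist:
        entry = normalize_host(entry)
        if entry and (host == entry or host.endswith("." + entry)):
            return True
    return False


def evaluate_log(lines):
    """Return one (client, host, verdict) tuple per line, where verdict is
    ALLOW, DENY or UNPARSEABLE. Unparseable lines are surfaced rather than
    skipped, since a line the proxy cannot explain is itself worth a look."""
    decisions = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            decisions.append(("?", "?", "UNPARSEABLE"))
            continue
        host = host_from_url(m.group("url"))
        verdict = "ALLOW" if is_allowed(host) else "DENY"
        decisions.append((m.group("client"), host or "?", verdict))
    return decisions


# Constructed sample log lines (not real traffic); the IPs and names are made up.
SAMPLE_LOG = [
    "2015-07-23T09:00:01Z 10.0.0.5 GET https://www.example.com/docs 200",
    "2015-07-23T09:00:02Z 10.0.0.5 GET https://evil-example.com/ 200",
    "2015-07-23T09:00:03Z 10.0.0.7 CONNECT https://EXAMPLE.COM:443/ 200",
    "2015-07-23T09:00:04Z 10.0.0.7 GET http://example.com@evil.org/ 200",
    "2015-07-23T09:00:05Z 10.0.0.9 GET https://example.com.attacker.test/ 200",
    "garbage line that the proxy should never have written",
]

if __name__ == "__main__":
    for client, host, verdict in evaluate_log(SAMPLE_LOG):
        print(f"{verdict:12} {client:10} {host}")
```

The two lookalike hosts in the sample (a hyphenated prefix and a suffix appended after the allowed name) are the cases a naive `"example.com" in host` check gets wrong; the suffix-with-leading-dot rule and the userinfo strip are the whole point of the block.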
  41. Re:Translation: (should you believe this?) by Anonymous Coward · · Score: 0

    This report is from HP... the company that brings you some of the buggiest printers ever made. Maybe your smartwatch is reporting how many calories you burnt walking to work, but your insecure printer is inside your corporate network, may have wireless, bluetooth and internet connection. When was the last time HP patched one of their printers for a "security issue"?

    HP, a sad shell of a once great company, should go back to selling overpriced ink, bloatware-overloaded badly designed PCs and use-once printers. I don't think they are a very credible source of "oh my god, there is a security risk in a watch".

  42. Re:Which is why you don't let this stuff connect.. by Anonymous Coward · · Score: 0

    The problem with camp #1 is they, in many cases, utterly fail to provide the tools necessary for people to do their jobs efficiently, which is why people want to bring their own.

    Mind you, it's not necessarily the boots on the ground (but rather the generals) for camp #1 causing the problem, but it is camp #1's problem.

    (by the way, I have been in both camps in various parts of my career)

    A perfect example, as a software developer I occasionally need to read documentation on how the libraries I use work.

    Occasionally, an open source software offering provides video demos of the use cases instead of static HTML. Often when this happens, they host their videos on YouTube and embed them in their local website. npm is an example.

    This combination means that I can't watch the documentation for npm, as our corporate firewall policy forbids it; however, I can

    • Watch the same video on my personal cell phone (uncompensated by the company of course)
    • Ssh to any VPS, download it there, and scp it back into the company.
    • Work from home and watch it on my personal computers.
    • Set up an encrypted personal hotspot with my phone and connect my personal laptop to view it at work.
    • Log into company provided AWS systems and watch it from there, enabling remote desktop to watch it in office.
    • Log into company provided AWS systems, download it, and then ssh it back to my desktop.

    Of course, I can't admit to doing any of the above; but, that is a small concern when I must report to management that I've learned npm. They even suggest workarounds, as the company's IT department has eventually become so independent of the development department that they are not concerned if developers can work effectively. The IT department's motto is "we give you resources, it's up to you to figure out how to be effective with them." If we don't make deadlines, they don't care. They're not winners when we hit the deadlines, they are winners when they prove policy enforcement by denying requests.

    I've even seen sites blocked by their web proxy for the reason "IT / Technology" as if developers shouldn't be concerned with such things.

    The BYOD crowd is really not about the toys, it's about a last ditch effort to get resources by alternative means. The BYOD crowd plays with a different set of values, valuing being effective over paying an inordinate amount of overhead attempting to have check marks in everyone's checklists.

    I've worked on systems where the latest version of available build tools (apache maven) were two years old, because someone was worried a trojan might be included in the tool, so you couldn't internally distribute until after it was approved, which required an analysis of the code, which would never be performed more than three times since they can't afford to hire people to just sit around and read the source code of all the corporate mandated software products.

  43. Re:Which is why you don't let this stuff connect.. by KingMotley · · Score: 1

    And because of that, he doesn't fucking try me. And that ladies and gentlemen is respect.

    No, that's called being a belligerent asshole.

    You just sound like a control freak standing firmly in the "no" camp. I've seen IT like that, and ultimately they get replaced. That doesn't mean you have to bend to every silly whim, but there is a whole lot of grey between the two. It's your job to weigh the risks within those two extremes and strike a balance between them to optimize the ratio between the two. It doesn't lie at either extreme in almost all cases -- regardless of what you think.

    As for using company devices, I'd refuse. Well, I wouldn't, but I'd let management know that if they require me to carry a company supplied phone with me (or pager, or whatever), then I'll be billing them for the entire time I do (billing 24 hours a day). If they require me to physically come to the office in an "emergency", and it could have been prevented had they not had such draconian security, then I'm going to bill them for my travel time as well as the time spent at the office for it. I will however, give them my cell phone number, and they can call me if they want -- for free. If they want to email me something outside of business hours, and I can't access the email how it is convenient for me, then I will either get it when I get in the morning, or they can send it to an email address I'll provide them, but I won't guarantee absolute security of it, and it'll be on a shared email server. Their choice.

    It has always worked out well for me.

  44. Re:Which is why you don't let this stuff connect.. by T.E.D. · · Score: 1

    "Camp 1" could make things even more secure by never plugging in any of the computer equipment. If nobody can use it, neither can the hackers. That's about as secure as it gets!

    Yes, a ridiculous example, but there's a point here. If perfect security is your only goal (which is sure what it looks like from your message), then that's exactly where you are headed. Assuming you don't do that, then there's actually a balance you are striking between a convenient system that helps people get their job done as efficiently as modern science allows, and security. So the question to ask here is not how to have the best security humanly possible, but where your balance is. How much "insecurity" are you prepared to tolerate, at the expense of productivity? I can't say you are wrong with the balance you chose, but you can't really say anyone else is either.

  45. Re:Which is why you don't let this stuff connect.. by KingMotley · · Score: 1

    To be with me when I'm not at the office, cause I'm sure as hell not carrying and charging that blackberry piece of crap (at least not for free, and not likely for any amount the company is willing to pay)

    Tell me why you can't secure your email server so that my iPhone can't securely access it?

    Hit me with your best shot.

  46. Re:The world needs fewer sysadmins. by pnutjam · · Score: 1

    I applaud your excellent customer service skills. IT is a customer facing business. Perfect security is all about spherical cows; it's never found in nature.

  47. Re:Which is why you don't let this stuff connect.. by pnutjam · · Score: 1

    Let's not pretend there aren't security implications when you use a corporate phone. You cede a lot of information to your employer, and they can misuse it. Even if they are disinclined to use it, your phone records could easily become part of a legal discovery process and be misused by someone else.

  48. Read "Memory Blank", SF with a smartwatch by Anonymous Coward · · Score: 0

    Very good SF by John Stith, and not a never-ending-epic. The protagonist's smartwatch is a central part of the story.

  49. Re:Which is why you don't let this stuff connect.. by Karmashock · · Score: 1

    First, I'm not an asshole... anymore than the legal team is an asshole if you open the company up to lawsuits... or the accounting team is an asshole if you don't document your expenses properly or misappropriate funds... or the HR department if you start calling coworkers racist names... etc. I'm not an asshole. I'm doing my job.

    Second, IT security is very poorly understood and rarely gets the respect it deserves. This leads to it being asked to do impossible and contradictory things. And that leads to them giving up. You replace me because I insisted on the security not being shit and you'll get an IT security team that is more afraid of angering ignorant users than it is of not doing its job. It will then PRETEND to work instead of actually do anything. All these hacks are happening at just such companies. Not ONE successful significant hack has happened at any organization with an empowered IT security department. Not fucking one.

    It is people like you that made the Sony hack happen. It is people like you that made the OPM hack happen. It is little shits like you that ruin IT security and make big organizations incapable of defending themselves from teenagers in Russia giggling as they rifle through the organization's database. And you presume to judge me? You're a fucking cancer.

    As to you refusing to use company devices. Any company that cares about security will call your bluff and tell you to find work elsewhere. Where I work, I have to use three types of authentication just to get to my office... debatably four if you count human eyeballs. You think they're going to let your iphone shit connect to the servers? You're adorable but no.

    You are permitted to bring your own personal phones into the building and do whatever you want with them. The only risk I've been able to figure out from that is the cameras on the phones. There are actually rooms where even your personal phones aren't allowed but most of the offices aren't that level of security. Regardless... personal devices do not connect to the servers in any way.

    People that need to work at home or travel are given company laptops. People that don't have memos forwarded to personal email accounts. etc.

    It's a different way of thinking and I appreciate if you find it alien or onerous. However, it is secure and it does not get hacked. Anywhere by anyone... ever.

    Your system is easy, requires very little skill to maintain, is very permissive to whatever users want to do, and is very popular... but it is also insecure and gets hacked constantly.

    So you decide what matters. Security or angry birds. I choose security. You apparently are an angry bird champion. Congrats on that and good luck.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  50. Re:Which is why you don't let this stuff connect.. by Karmashock · · Score: 1

    First, you're assuming that you only have the company phone. If you care about your privacy then just keep a personal phone as well.

    Second, I can only speak for myself here... I don't care what you do with your company phone whenever it isn't accessing company information. We have a zillion minutes on the shared account. There was one guy that was having four hour conversations with someone that was surely personal and it didn't matter. The policy we have with it is that you can make all those calls so long as they're not international. Then we start to pay for that. And even then all we ask is that you pay for what those minutes cost the company. Which you'd have to do with a personal line anyway.

    As to legal discovery or something. You're talking about a very hostile work environment which no one wants. Anyone that is so annoying that we start talking about legal action is someone we want gone anyway. And a reason will be found. If we have to, we'll downsize their position which permits arbitrary dismissals. The culture where I work is that you're a company man/woman or you're gone. Legal action would only happen if you did something that involved damages or if you tried to sue the organization. And in that case, we could get your private cell phone provider to give us your records by court order without much more difficulty than we could poll the records from our own lines.

    Look... you don't want to use the company phone for personal stuff? Fine. Get your own phone. Use it in health. But you're not connecting to company systems with that thing unless you're willing to hand it to me, install custom firmware on it, and have all its security settings slaved to security policy. No device that has not had that done to it is connecting.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  51. Re:The world needs fewer sysadmins. by Karmashock · · Score: 1

    IT security is not customer facing any more than the legal department is customer facing or the accounting department or HR or any other department designed to manage risk and see that things are done in the CORRECT way so that the organization doesn't get corn holed by being sloppy, lazy, or stupid.

    You saying there is no such thing as perfect security is like saying there is no such thing as a company with competent accounting.

    My cousin recently had to go to India to audit a company in Mumbai. Had a good time... but he said they had the sloppiest accounting he had ever seen. He basically had to redo everything and educate their senior accounting staff as to the importance of proper documentation.

    That's a lot of what has happened to IT security over the years. The new thing kept coming out and the secured version of the new thing always lags a bit behind.

    So IT was beaten into allowing the UNSECURE new thing to be the standard. You can't have security in that environment. Can't. When people say you can't have security or that all the security is flawed. That is what they mean and assume. They are basically saying... This crap can't be secured and you're going to use it so we can't have security.

    Well... I would tell you to check your premises. We don't need to use that tech or that software or use it in the way a consumer would use it.

    And if we do things from the ground up with security being held as sacrosanct, then we can secure the system so that it is not penetrated.

    Spherical cows you say? I don't see the utility of such a cow. So the analogy makes no sense. There's no point to a spherical cow and thus no reason to try to have cows be spherical. The analogy is therefore of no utility. Use a more contextually relevant analogy please or do not use analogies. I find that many people do not use analogies to describe situations but rather use them simply to "reductio ad absurdum".

    I'm not stupid. Don't use stupid arguments against me. It is neither interesting nor effective.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  52. Re:Which is why you don't let this stuff connect.. by Karmashock · · Score: 1

    It isn't my only goal. The goal is to raise security to such a point that the system is not compromised while also permitting the system to be efficiently used by authorized persons.

    This is obtainable. I believe I have obtained it. There is no legitimate task an employee needs to do with the system that they cannot do. I have disallowed all other things.

    If they don't need to do something... then they can't. That is roughly the doctrine.

    I work on a white listing philosophy.

    So I basically start with an unplugged system in a cage. Then I list things that people must do and then enable functionality to see that those things can be done.

    So if you need to use the machine then it needs to be plugged in.

    I actually played with the idea of controlling power to the terminals based on whether an employee was supposed to be using them or not. But that seemed excessive. I do control power to certain offices and given machines. But I don't bother with the workstations.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  53. Re:Which is why you don't let this stuff connect.. by Karmashock · · Score: 1

    You're not doing it for free... you're getting a salary, health benefits, 401k, etc. Comical.

    People are paid well. One of the things people are paid for is to take security seriously. If you're such a little prissy drama queen that you can't handle a company phone, which used to be a standard requirement in most companies at one point... then you know what... who wants you? Seriously. You sound like a whiny cunt. If you work with us then you're going to be constantly bitching about something and causing problems. People like you are best not hired in the first place.

    You want team players. People that cause problems are more trouble than they're worth.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  54. Re:Which is why you don't let this stuff connect.. by KingMotley · · Score: 1

    First, you are an asshole. You seem to think that having the upper hand, and maintaining it and forcing others to your will is respect. You are mistaken. That's just being an asshole, and one that no one else wants to deal with.

    Second, why do you believe that IT security deserves more respect than it gets? Perhaps it is just you that doesn't get the respect that you feel you deserve because you are an ass. I replace twats like you because you think in terms of absolutes from the inside of your little fishbowl and fail to see outside it, when it is your job to do so. Following similar logic, we should never carry money or credit cards on us, unless we put it in a bank-level security vault. And then we buy armored cars to go to the grocery store so we don't get our $20 stolen.

    Again, as I said before, it is not the job of IT security to lock the company down so tight that no one could ever break through their security. If that was the case, it would be easy. Unplug all the computers, and throw the office in 100' of concrete and call it a day.

    No, the job of IT security is to balance the need to maintain security while balancing the need of the company's workers to, well... work. Instituting policies that cause 50-70% worker inefficiency in the name of security will bankrupt a company as fast as or faster than having no security at all.

    The fact you haven't realized that it requires balancing different needs is beyond silly. Have fun living in your underground nuclear bunker my friend.

  55. Re:Which is why you don't let this stuff connect.. by KingMotley · · Score: 1

    You want team players. People that cause problems are more trouble than they're worth.

    Looked in the mirror lately?

    My job is to get stuff done. I've done IT security for years, and I understand it well, but I'm not an ass like you, never was, never will be. I've long gotten out of that, and I run my own business (technology based), and I write code as a consultant. Security is important, sure. But you know what happens if my company gets hacked? Wipe, restore from backups -- everything. Sure, it's not great, but the day or two we'd be down is far less than the time wasted implementing and enforcing draconian security measures.

    Stuff that needs to be secure, is. All computers that gather, or store OTHER people's information (names, credit card info, etc) are on their own separate network, firewalled off from everything else. Email servers are public facing. It is silly to say, sure, we will allow any old computer to send our email server mail, but oh no... an employee's iphone? Now that's a security threat. LOL. Seriously, WTF?

  56. Re:Which is why you don't let this stuff connect.. by Karmashock · · Score: 1

    Nope... I believe IT security deserves more respect because idiot users think security doesn't matter and the security in most systems... even supposedly high security systems is shit.

    This is why hackers get into systems so easily. Because people like you systematically sabotage and undermine the people trying to do their jobs to such an extent that they just give up even trying to do their jobs. You're the ignorant abusive drunk of the IT world and most IT security suffers battered wife syndrome from people like you to such an extent that they just take it for granted and accept it.

    I don't. I have my priorities. You have yours. You don't like it when I fuck with your priorities? Fine. Don't fuck with mine.

    Legal department doesn't take shit from people like you when your ignorance of the law exposes the company to lawsuits.

    Accounting doesn't take shit from you when your ignorance and incompetence exposes the company to IRS audits, budget shortfalls, or fraud.

    And I'm not putting up with your shit when it leaves the company's fly open so any passing hobo can come by and have a feel.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  57. Re:The world needs fewer sysadmins. by pnutjam · · Score: 1

    You're not understanding my argument. In physics, or math, often a problem will be stated as such, "find the velocity of a cow falling 100 ft down a shaft, assume the cow is falling in a vacuum and is a perfect sphere."
    This greatly simplifies the problem. This is what a lot of the security arguments do, in my experience. They ignore human nature, and often business needs. There is a right way to do things, but there is always a balance. Even ignoring that balance, and insisting everything is done right, will often get bad results due to ignored externals.

  58. Re:Which is why you don't let this stuff connect.. by pnutjam · · Score: 1

    When I talk about legal action, I'm not talking about inter-company issues. Your records could be subpoenaed because your boss stiffed a supplier, or even something as stupid as a co-worker's divorce. That puts your information out of your control.
    I personally use a company phone for everything, but I also manage security on it to MY standards, they don't always sync up with corporate standards.

  59. Re:The world needs fewer sysadmins. by Karmashock · · Score: 1

    Give me a specific example and I'll give you a specific way of mitigating the situation without compromising security.

    What I find often as not is that people don't even like to ask for permission. They get offended that they even need to ask.

    And then there are issues of "well, my home computer can do X so why can't my office work station do X"... never mind that X is sometimes something as dumb as installing iTunes or something that you should ask permission for like installing Y unknown software on the system.

    Understand me.

    The goal is for everyone to do what they need to do.

    However... I'm not disemboweling the security system every time some jackass says they need to do something.

    The reasons people have for this stuff are very rarely good reasons. It is often something silly.

    BUT... if you have a good reason, I will move heaven and earth to help you with the problem. I will join your team just as the legal team or the accounting team would send someone; if you need constant support in an extreme situation, then that can be arranged.

    I will sit there or someone like me will sit there and simply ensure that you can do what you need to do without fucking everything up.

    For example, we have certain departments that have multiple computers at given desks. And one of those machines is unlocked and you can do whatever you want on it. And the other one is a thin client that links to the terminal server and that links to the file servers and databases.

    Now how many people in the organization need a second machine to do that stuff? Very few. But if you need it and can explain why you need it convincingly... then you'll get it. The expense of the second machine is meaningless.

What if they need to input information from the unlocked system to the locked-down system? We have a system for that. I won't get into it, but it effectively transcribes certain files or information into templates and then pushes the output to a directory on a file server. The point is that viruses can't cross the blood-brain barrier. No executable code or scripts. Even metadata is stripped. The files are cored and the data is transcribed by a program one of my colleagues wrote.

If you have a reason to do something... tell me what it is... I'll either show you how to do that inside the security bubble, I'll give you additional tools to allow you to do it, I'll give you an on-hand security tech to help you so that there are no ham-fisted user shenanigans, or I'm going to tell you no.

    --
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.

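A toy version of the "transcription into templates" gateway the comment above describes, as an added example and not the commenter's colleague's program: validated field values are re-typed into a fresh document, so no original bytes, extra columns, BOM or other metadata from the input survive. The invoice template, its field patterns and the sample input are all constructed assumptions.

```python
import csv
import io
import re

# Hypothetical template: each output field and the pattern a value must
# fully match. Anything not in the template is never copied.
INVOICE_TEMPLATE = {
    "invoice_id": re.compile(r"INV-\d{6}"),
    "customer": re.compile(r"[A-Za-z][A-Za-z .'-]{0,63}"),
    "amount": re.compile(r"\d{1,9}\.\d{2}"),
}


def transcribe(raw: bytes, template=INVOICE_TEMPLATE):
    """Re-type validated fields from an untrusted CSV into a clean CSV.

    Returns (clean_csv_text, rejected_line_numbers). Rows with a missing or
    non-conforming field are dropped whole rather than partially copied.
    """
    # utf-8-sig discards a BOM; undecodable bytes become U+FFFD, which no
    # template pattern accepts, so they can only cause a rejection.
    reader = csv.DictReader(io.StringIO(raw.decode("utf-8-sig", "replace")))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(template), lineterminator="\n")
    writer.writeheader()
    rejected = []
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        clean = {}
        for field, pattern in template.items():
            value = (row.get(field) or "").strip()
            if not pattern.fullmatch(value):
                break
            clean[field] = value
        else:
            writer.writerow(clean)  # only validated values reach the output
            continue
        rejected.append(lineno)
    return out.getvalue(), rejected


# Constructed sample input: an extra "notes" column and one malformed row.
SAMPLE_INPUT = (
    b"\xef\xbb\xbfinvoice_id,customer,amount,notes\n"
    b"INV-000123,Acme Ltd,1200.50,paid via wire\n"
    b"INV-000124,Bob's Bikes,99.99,call before delivery\n"
    b"INV-12,Eve Corp,12.00,\n"
)

if __name__ == "__main__":
    clean, rejected = transcribe(SAMPLE_INPUT)
    print(clean, "rejected input lines:", rejected)
```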
  60. Re:The world needs fewer sysadmins. by pnutjam · · Score: 1

I've been toying with x2go to allow people to browse the internet from locked-down machines. It allows you to run a Firefox or Chrome window (seamlessly) on a separate machine. You should check it out.

  61. Re:Which is why you don't let this stuff connect.. by Karmashock · · Score: 1

    That's fine... so long as your security doesn't conflict with mine, you can do whatever you want.

If your security conflicts with mine, then you're not connecting to company servers with that device.

    --
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.

  62. Re:The world needs fewer sysadmins. by Karmashock · · Score: 1

I'd just as soon use RDP... What's the difference?

    A lot of remote desktop solutions have issues. I personally use about 10 of them with each one contextual to platforms, programs, security situations, amount/type of media coming through, etc.

    Look, so long as what you're doing doesn't compromise the lock down on secure systems so that executable code/unauthorized access remains EFFECTIVELY impossible... I'm cool with whatever you're doing.

    That is my job. You do your job. I'll do my job. One big happy family.

    I will fight in the trenches with you, trade war stories, and give you everything I have for the shared cause. But that only happens if we're on the same team. You undermine what I am doing and you're calling down artillery strikes on my position. Doing that occasionally out of ignorance or a mistake or something is annoying but unavoidable.

    You do it on purpose... and:
    https://www.youtube.com/watch?...

    --
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.

  63. Re:The world needs fewer sysadmins. by pnutjam · · Score: 1

x2go gives you a hardened Linux for the browser OS, and it also has no licensing costs.

  64. Re: Which is why you don't let this stuff connect. by Anonymous Coward · · Score: 0

Oh, how nice it must be to be so naive.

The legal team and accounting teams do cost/risk analysis too. If you think they didn't, you are naive. As I said, you are the general fish. In your fishbowl and can't see anything outside it. Enjoy.

  65. Re: Which is why you don't let this stuff connect. by Karmashock · · Score: 1

    Want to talk about that seriously and login or stay AC and keep trolling?

    --
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.

  66. Re:The world needs fewer sysadmins. by Karmashock · · Score: 1

Hardening a Windows system is easier than most people realize.

    I mean... there are brute-force things you can do to anything.

1. None of the terminal operating systems can be modified. Files are locked at the file-system level. Things that need to change for the OS to function properly can change... temp files and paging files, etc. But things that don't change and don't need to change are literally locked. The virus isn't going to get the permissions to fuck with anything.

    2. Even if it did, the operating systems are all restored from a static template on each login. And the OS on logout is entirely lost. I do this with all the terminals. There are a few templates and all users use one of the templates depending on their group.

We already have a lot of ways of controlling shitty web browsers. We don't bother with blacklisting systems. We do pervasive whitelisting. We determine what should run and we whitelist it. We add stuff to the whitelist all the time. The conventional blacklist system is a false sense of security that at this point everyone should know is worthless.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.