Slashdot Mirror


User: grayn0de

grayn0de's activity in the archive.

Stories
0
Comments
29

Comments · 29

  1. Steganography, anyone? on A Photo That Can Steal Your Online Credentials? · Score: 1

    The technique is new, but the concept and practice of it has been around for years. Does anyone remember the days of JavaScript embedded in GIFs? No? ... Hmmm. I think it's odd that people are just now starting to realize that more things on a site can hold code, besides an applet or widget.

  2. What you really need is... on Creating a Security Test Environment? · Score: 2, Interesting

    An information security department. It's all well and good for a small business to have security-minded IT pros, but there is something that everyone should realize... management, IT, janitors... everyone. Ready? MANAGEMENT SHOULD NEVER BE IN CHARGE OF THE SECURITY DECISIONS!!! They will always be involved, but the moment you let them take charge of something they know next to nothing about, you get screwed. This is why businesses have weak passwords (or have them written on post-it notes, stuck to monitors). Sounds harsh? Too bad... The only management types that you want heading something like this would be a CSO or at least a CIO, preferably with years of experience and a CISSP or other information security management type cert. You need someone who knows wtf security is and the fact that there is no such thing as secure software... You need someone who can tell the higher-ups where it is not their place to make certain decisions, someone who can educate the ignorant, so to speak... Why do you think AVs are getting cracked and exploited? Not to beat a dead horse, here, but the idea sounds nice and is a good idea to a point. It should stop at which apps are allowed due to common sense and productivity. You do not want anyone to use LimeWire (malware) or BitTorrent (bandwidth) in the workplace, but perhaps there is a need for IM clients to increase communication efficiency. In short, it is always a good idea to have a dedicated infosec dept that is separated from, yet works with, the IT dept. The jobs that each department does are MARGINALLY different, but all management types know is that they work with computers. You cannot expect business majors to understand what it would actually take to do a threat analysis of each piece of software, just as you cannot expect Johnny Helpdesk to know what it takes to keep a business from running itself into the ground. It doesn't work that way. Helpful nuggets: Pentesting is your friend, if you can afford it. Security-minded staff and end-user education are the key to better security. And, lastly, HUMANS are the #1 threat to a security infrastructure, not software... always remember that.

  3. Dubious origins? on H.R. 4279 Would Establish Federal IP Cops · Score: 1

    ...So, this means that 95% of the world's IT staff is screwed then, doesn't it? I would like to see the detailed stipulations on what the 'dubious origins' are and who gets to decide on all of this. Don't get me wrong. I'm not a big fan of the (quote-unquote) p2p revolution, but what better way to 'beta test' expensive software that has no trial download option? And honestly, if the government thinks that this will stop piracy, they are sorely mistaken. The only thing this does is punish the end user, rather than the one responsible. This will be like Prohibition... only the underground scene will, most likely, be bigger than any they have seen. I'm all for the rights of IP and anti-piracy laws, but can we aim for the source and not just the users? Also, I think this is a gateway to internet monitoring... good ol' US of A! First the 'World Police', now we want to police the internet to our fullest extent.

  4. Re:Who the Fuck... on Smart Phones "Bigger Security Risk" Than Laptops · Score: 1

    "The only possible security hole is the SSH. Bunch of paranoid idiots if you ask me." Not exactly... if you do anything like connect to wifi (email, IM... anything), data is sent in plain text. Even if it is just a calendar event being pushed to the phone, there is still authentication, and the username and password can easily be sniffed. To all those who think that there are no real risks in using PDAs: there are. PDAs are computers and have IP addresses. There are also rootkits and backdoor trojans for them. Recently, I've come across this topic and have been delving heavily into what has been termed 'Blackjacking', which is the art of hacking or hijacking PDAs and smartphones (regular cell phones, too) or using a mobile device to compromise security in a network. The threat is real, but it is not widely known, yet...