I noticed Whitehat Security declined to participate. I wonder why that is? We just purchased their service, I like their concept, especially as they sold it, we haven't gotten into full use of the product yet, but I can tell you some of the execution of their service could be improved. There seems to be a little bit of a disconnect between the sales force and the operations team. I would have been very interested to see how they fare in a test like this.
I would have to say that the countries of interest on the graph seem to be the countries of interest from a malware/hacking perspective. Perhaps it's botnet activity, where there is a large amount of port scans that kick off from all over the world, and then some of the "increase" after the lines would be further recon activity. All very interesting.
Point taken, but closing your mind to certain music based on the type is a mistake I made for years. I shunned old country, bluegrass, acoustic jazz, dawg music, etc... but check out the "fun" factor in that music. Festivals, dances, the drinking, the moonshine... everyone is smiling and there is not a computer to be found. A wonderful yin to the yang of being a computer security engineer by day.
Civil war music... huh?
Do you know what civil war music is? Or did you see a show once that had a fiddle in it and now all music with fiddles is civil war music. By that logic all music with British guys singing is Beatles music, and all music that has electric guitar is heavy metal. What logic did you use? If anything, that music is progressive acoustic folk.
Ya... there is a very unclear protection in the constitution, and trying to interpret it just so specifically from such ambiguous wording is an approach that could make sense. However, the Supreme Court actually followed previous jurisprudence in maintaining their position of hands off on this issue. In the 1946 case Tennessee Valley Authority v. Welch, the Court put decisions regarding this aspect in the hands of the legislative branch. The Kelo case (the one we are talking about in Connecticut) didn't change the definition of public use, just the public perception of it. I agree, it sucks for the landowners, but the case stayed with previous case law, and said it's not for them to decide. As a result, we have many states with laws that protect against this type of land grabbing, clarifying the law into a TRUE protection for the public, instead of one in which interpretation is key.
Nice thing about this talk show is it was local, and when I burnt a hole through his argument, and he came back with the incredibly witty "Are you a lawyer"... my answer of "no, just an informed citizen" shut him up about the topic. Local guys don't have the technique down enough to always win. (Note I did say the informed citizen line with a bit of smugness... probably reaching too far for him to pick up on.) They completely dropped the topic after I called in... it was quite humorous actually... normally when a caller makes a point, the talk show host, with the caller no longer part of the conversation, will rebuke the caller and not give the caller a chance back... causing one side listening to side with the host because he got the last word, and others to side with the caller because it wasn't a fair argument... once again causing more divisiveness. Fun stuff.
To be honest, your response is another example of divisiveness. Your response makes an accusation about the administration and does more of the "us against them" crap that is so common in American politics and on American news media. There are always shades of grey... I do think there is value in wiretapping suspected terrorists, and that is important to protect our country, I just want it done within the law. Do I like the administration? No I do not... I am just taking the point of view that it's the system that is corrupt, not the administration. Attack the system that forces the us against them stuff... watch some Jon Stewart, he summarizes these points much better (and much more entertainingly) than I do, and think about it when you jump into political discussions... are you just one side of the debate? Maybe the debate needs to be addressed and then we can be a country again....
I was listening to a local radio talk show when this issue came up. The host, a right-leaning Bush mouthpiece, used the "if you are against this program, then you are pro-terrorist" line. I actually called in and explained to him about the FISA court, and how it is retroactive, and most people (including myself and those I have spoken to) don't have a beef with the program itself, but more so with the warrantless methodology used by the administration. The talk show host, quick on the response as most of them are, asked "So you would have activist judges like the judges who ruled that governments can take your land and give it to corporations making the decision on whether you are wiretapped?" He was basically using a tactic that many political folks use: bring in another unrelated issue to hide the issues with the one we are talking about.
Well, I responded quietly and firmly that he was using an unrelated case, AND in that case the Supreme Court did not rule that government can take your land and give it to companies, but instead ruled that nowhere in the constitution does it state that people are protected from this, and as long as the process is lawful (which in Connecticut at the time it was) it wasn't the Supreme Court's decision to make. This is a correct judgement, and has led to many newly passed state laws protecting citizens from this behavior.
His response was "What are you, a lawyer or something?" to which I replied, no, just an informed citizen.
My point? I am sick and tired of divisive issues like this being hidden in the terrorism crap... you are anti NSA wiretapping, you are pro terrorism... that's BS. We just want security WITH protection of our rights. Some actually informed news people who could communicate the issues instead of getting all hot button on the issues wouldn't hurt as well.
So I am researching encryption for this very reason (laptop encryption). Does anyone have any links or insights into why anyone would choose file/directory encryption? I am heavily leaning towards whole disk, mainly because how can you be sure you get everything (i.e. temp files, pagefiles, hibernation files)? I have seen some items regarding "intelligent encryption" but I just can't see how any program can "know" what to encrypt and what not to without tons of administrative overhead.
That's why I like whole disk. Just do it all.
Any thoughts?
While California's SB1386 specifically mentioned encryption as a reason for not having to disclose to customers under that law, other laws do not. Specifically, Wisconsin Act 138 does not mention encryption as a way to preclude disclosure. Basically Wisconsin's law states if someone unauthorized has a client's data, you must tell the client about it. Now, of course I am not a lawyer, nor do I play one on TV, but I know this is a new law (March 16th, 2006) and there isn't any jurisprudence clarifying this yet. On the flip side, encrypting the data sure makes the disclosure a lot less painful. I.e. Yes, we had laptops stolen, but all the data was encrypted per our policy and the likelihood of your data being improperly used is extremely low.
I am currently researching a workstation encryption project, so if anyone (a lawyer perhaps?) has any insight into this stuff, I'd be happy to hear it from the expert.
I don't think unions are the answer, I think like all things political they get corrupted over time. I wouldn't mind seeing a little protection for IT workers. For instance the loophole that allows the lowest level techies and programmers to be considered "management" and thus not be allowed overtime. Often times 60 hours a week is required with no extra pay. The way salary was supposed to work is you do what it takes to get the job done, but few companies will let you leave early if you get the job done. So you end up spending hours trying to look busy until you can leave. We need to truly define what is management and what is not in the IT world, allow those who work their butts off 80 hours a week to get some extra compensation. Or perhaps help limit some of the hours requirements by some companies. We need some help, but unions aren't the answer.
Why would running (at least 2k) servers matter with group policy? You can easily install the managing ADM files for managing Windows Firewall etc., even though they don't exist in the default Windows 2k installation. You can also use Novell to manage group policies through ConsoleOne. As for Windows NT and 98... NT server? They are no longer supported; whether or not a firewall is running on the workstations should be less of a concern than running NT in the environment. 98... same deal, we are talking about Vista's firewall, not 98.
My grandmother would like to know what this "cron" you speak of is... it sounds like an old science fiction movie, but she can't figure out the connection between movies and backups....
Umm yeah... I am going to have to go ahead and... disagree with you on this one
A. Google provides a free service. To pay their bills they use search data, ad views, etc. They have a right to save that data. They tell you up front they are saving it (check their terms of use) and make no pretenses about it not being saved. They need to make money too... sorry, everything in this world is not free. Google worked for the information they store and have a right to it. The government does not.
B. This lawsuit would be like the government going up to a bank and saying give us all your checking account transactions... names hidden (snicker) so we can see who is paying for porn. If that happened, the response would be insane. There is no difference, many checking accounts are free as well. Yes, if there is a crime suspected, the gov't can get bank records, but not just for statistical analysis.
I agree with the deny first policy. I don't use proxy servers, but instead use an enforced high-risk setting for all Internet sites in Internet Explorer. This allows me to ensure that no ActiveX/Java code is executed without a business cause. If there is a business reason for a site, it's added to a global trusted site list, which then allows it for everyone.
If it's a business site, then everyone has access; else it's blocked (er, active code is blocked). This works well, keeps spyware WAY down, and makes employees think twice before asking the boss for access to a gaming site.
One of the issues in security in general is the permit all, deny bad stuff model. This is a model that cannot succeed. More people need to deny all, permit good stuff. It's much easier to list all the good stuff than to attempt to list all the bad stuff.
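The post above describes a default-deny site policy: active content is blocked everywhere except for hosts on an explicit trusted-site list. The following is an added example, not the poster's configuration, that models that decision as a function so the matching rules can be checked. The allowlist entries (`intranet.corp.example`, `*.vendor-training.example`) and the sample URLs are constructed for illustration; the one security-relevant detail it shows is that the match has to be done on the parsed hostname, label by label, because a substring test on the raw URL is fooled by look-alike names and by an allowlisted name placed in the userinfo part before an `@`.

```python
"""Default-deny site allowlist, the policy the post above describes.

Added example, not the poster's configuration. The allowlist entries and
sample URLs are constructed for illustration.
"""
from typing import Optional, Set
from urllib.parse import urlsplit

# Constructed allowlist. A plain entry matches that host exactly; a "*.zone"
# entry matches any host below the zone (the zone apex itself must be listed
# separately if it is wanted).
ALLOWLIST: Set[str] = {
    "intranet.corp.example",
    "*.vendor-training.example",
}


def normalise_host(url: str) -> Optional[str]:
    """Return the lowercase hostname of url, or None if there is none.

    urlsplit().hostname drops userinfo, the port and IPv6 brackets, so
    "http://intranet.corp.example@evil.example/" yields evil.example rather
    than the allowlisted name that sits before the '@'.
    """
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    if not host:
        return None
    # Strip a trailing dot (fully qualified form) so "a.b." matches "a.b".
    return host.rstrip(".").lower()


def host_is_allowed(host: str, allowlist: Set[str] = ALLOWLIST) -> bool:
    """Match label by label; a substring test would accept look-alike names."""
    if host in allowlist:
        return True
    labels = host.split(".")
    # Try "*.b.c", then "*.c" for host "a.b.c"; "notvendor-training.example"
    # never produces "*.vendor-training.example" this way.
    for depth in range(1, len(labels)):
        if "*." + ".".join(labels[depth:]) in allowlist:
            return True
    return False


def policy_decision(url: str, allowlist: Set[str] = ALLOWLIST) -> str:
    """Default deny: 'allow' only when the host is explicitly on the list."""
    host = normalise_host(url)
    if host is None:
        return "deny"
    return "allow" if host_is_allowed(host, allowlist) else "deny"


if __name__ == "__main__":
    for sample in (
        "https://intranet.corp.example/timesheet",
        "https://lms.vendor-training.example/course/1",
        "https://notvendor-training.example/",
        "http://intranet.corp.example@evil.example/",
        "https://INTRANET.CORP.EXAMPLE./",
        "https://texasholdem.example/",
    ):
        print(f"{policy_decision(sample):5s}  {sample}")
```

Anything that does not parse to a hostname at all (a `javascript:` URL, a bare string) falls through to deny, which is the point of the model: the code never has to enumerate what is bad, only what is known good.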
I work as a security consultant for hospitals and banks. In some of the audits I have done, I have found that there are no controls, or even considerations, for IM. Even P2P: I was at one bank where the VP of the place ordered the third party vendor to open ports on his firewall for P2P stuff. I am no legal expert, but I told the 3rd party to get it in writing from the VP (if he still wants it open after our scathing report) that the VP orders the 3rd party to open those ports. That way, the bank and the VP are the liable ones. I couldn't believe that though. Plus if you consider IM, most places don't have checks on the application layers, especially regarding IM. I have seen quite a few banks with egress filters, but those only block some IM protocols from connecting; many just default to port 80. It's a scary world out there, and the IM and P2P isn't helping anything.
It's odd, on /. everyone complains that on Windows, many programs don't work unless you are administrator (or have that power). It's something brought up all the time about the inadequacies of Windows. Now, Microsoft is doing something to attempt to change that, and in the first 3 posts, we get something about how they are just "reinventing Unix, poorly". That may be the case, but they are going down that road. Not every admin can run *nix; it is complex, it is hard to learn. Perhaps MS doing things to make their OS more nix like will actually help the adoption of open source *nix variants. I think the blast Microsoft for everything they do may backfire on the /. crowd at some point...
Sure. But a wise admin at least periodically asks, "What opportunity is the company missing due to my particular risk management techniques?" Risks and rewards often correlate.
If you, for example, have a senior executive who is exploring a new or potential vendor's online training resources, but can't use them due to your policy, then the company may have missed an opportunity. If the vendor was offering something that seriously improved a manufacturing process, your employer could forfeit several millions in profit to avoid employing a single helpdesk employee dedicated to removing spyware from employee machines.
Sure. But anytime someone needs to do something, the email comes in, they say why and we add it. We don't have a formal process to enable something. If it's obviously something they need, no questions; if it's not obvious (i.e. texasholdem.com) then we make them answer. No one has been unable to perform a business function because of it.
Man up and don't get so defensive. I don't think anyone means to imply that totalitarian network administration policies and totalitarian governments are morally equivalent.
Fair enough... I did get defensive. That being said, many assumptions were also made about my network and my style of administration...
That's the right answer, but the wrong question. Better than asking, "Whose network is this," is, "Why is this network here?" It's there to improve workflow, increase productivity, and more precisely, reduce the cost of operating the company and make it more profitable.
Yes it is. And there is responsibility by the owner to ensure that happens. The questions are more related than you think.
Empirical operating costs can be easily measured, but other costs, such as productivity reduction, can't.
For example, my company has online timesheets. We changed from a very employee friendly system a couple years back to a system with a very clunky, inefficient, and time-consuming employee interface, so that our small HR staff could do their work more easily and save processing time. So we slowed hundreds of employees down drastically to speed less than half a dozen employees up drastically. Good idea? Probably not.
I agree probably not in your case. In our case, having just one PC down, and the time for IT to fix, could be hugely costly. (how's that for grammar) The small time cost to get a site added helps prevent software that slows, prohibits, and discourages productive workflow.
For your company, whitelisting may be a perfect solution. For others, it may not be. How do you guess it would scale if your company grew 10x? Whitelisting and scalability are not good friends.
Sometimes anti-spyware, especially FOSS anti-spyware, is very cost effective and can scale quite well. And "catches enough" may be a more useful criterion for many companies than "catches everything".
Whitelists not scaling well is FUD put out by companies that would be out of customers if they were used. Think about process control. If it were easy to whitelist processes... (I actually am looking into it) AV would be obsolete... you take a known good process, and MD5 it... if it's on the list, and the MD5 is correct it gets to run, otherwise it doesn't. The time up front will be higher, but in the long run, PCs running faster due to no signature based rules.. it would be great... now I admit that there is no easy solution at this time for the whitelisting of processes. We found a sufficiently easy solution for websites, but even some (obviously) think it is too much. Well.. so be it. Whitelists are great... more people should consider default deny instead of default allow... things would be much better. (Not a single piece of spyware in 3 years of having it implemented must show something is working)
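The post above sketches hash-based process allowlisting: hash every known-good executable, and let a binary run only if its hash is on the list. The following is an added example of that idea, not the poster's tool and not any product's code. It differs from the post in one deliberate way: it hashes with SHA-256 rather than MD5, because MD5 collisions are cheap to produce and an allowlist keyed on a collidable digest can be fed an approved-looking file with different contents. The "binaries" are constructed byte strings written into a temporary directory as stand-ins for real executables; the manifest-building and decision functions are the part that carries over to a real deployment.

```python
"""Hash-based application allowlisting, the scheme the post above proposes.

Added example, not the poster's tool. Uses SHA-256 instead of the post's MD5
(MD5 collisions are practical; an allowlist keyed on MD5 can be spoofed).
The executables below are constructed stand-ins written to a temp directory.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict

CHUNK = 1 << 16  # stream large binaries instead of reading them whole


def file_digest(path: Path) -> str:
    """SHA-256 hex digest of a file's contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map digest -> relative path for every regular file under root.

    Built once from a known-clean reference image. Keyed by digest, not by
    path, so a renamed or relocated copy of an approved binary is still
    approved, while a modified file sitting at the original path is not.
    Symlinks are skipped so the manifest only ever contains real contents.
    """
    manifest: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[file_digest(path)] = str(path.relative_to(root))
    return manifest


def decide(candidate: Path, manifest: Dict[str, str]) -> str:
    """Default deny: 'allow' only when the digest matches an approved binary."""
    if not candidate.is_file():
        return "deny"
    return "allow" if file_digest(candidate) in manifest else "deny"


def demo() -> Dict[str, str]:
    """Build a manifest from constructed binaries, then decide five cases."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        approved = root / "approved"
        approved.mkdir()
        (approved / "calc.exe").write_bytes(b"MZ calc 1.0")        # constructed
        (approved / "notepad.exe").write_bytes(b"MZ notepad 1.0")  # constructed
        manifest = build_manifest(approved)

        staging = root / "staging"
        staging.mkdir()
        # Renamed copy of an approved binary: same bytes, different name.
        (staging / "calc_copy.exe").write_bytes(b"MZ calc 1.0")
        # Same file name as an approved binary, but patched contents.
        (staging / "notepad.exe").write_bytes(b"MZ notepad 1.0 + payload")
        # A program nobody approved.
        (staging / "game.exe").write_bytes(b"MZ texasholdem")

        return {
            "approved": decide(approved / "calc.exe", manifest),
            "renamed_copy": decide(staging / "calc_copy.exe", manifest),
            "patched_same_name": decide(staging / "notepad.exe", manifest),
            "unknown": decide(staging / "game.exe", manifest),
            "missing": decide(staging / "nothing.exe", manifest),
        }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{verdict:5s}  {case}")
```

Two things the example makes visible that the one-line description does not: the decision is keyed on contents rather than file name, so the trojanised `notepad.exe` is denied even though its name is on the approved list, and the administrative cost the post mentions is exactly the cost of regenerating the manifest every time an approved binary is legitimately updated. A hash allowlist also says nothing about what an approved binary does once it runs, so an approved interpreter or a vulnerable approved program still needs other controls.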
Uhoh. Time to tune your solution. Everything worthwhile should work.
It's tuned. Some things = gaming sites etc. Everything needed at this point for legitimate business uses works. Only those things that may be considered non-business have some problems. And
I don't care what they think is legitimate. If their "legitimate" activity causes downtime for the company, or forced man-hour wasting... then it's not legitimate. There are plenty of good workers who can abide by that. Matter of fact most employees are long time employees. I explain WHY I am doing it, and they all agree that it makes sense considering the risk of a compromise at any time could mean the business loses customers and that could affect their job. I am not unreasonable, but if they want an IT resource, they have to tell me why they need it. What you are saying in a sense is whitelisting computer functions, and only blocking those that cause problems. That makes no sense... the default should be deny, and then permit. You have control then; default allow = no control of your computing resources. Check out the CSI/FBI studies... most attacks come from inside. I am not saying you do one thing and not the other (ala backup tapes), ya they should be encrypted as well. So what? Printers? Another issue. Everything has to have the risk/reward. Printers (at least in our environment) are needed. USB keys are not... Users know this as well, so why bother allowing them?
"You're probably equally Ok with..." what a silly statement. Because I follow good security practices that the employees of my company can tolerate and make our network more secure? Because I recognize that the employer's resources ARE the employer's resources? Since we are going to make generalizations... let me try... You are probably the type of person who thinks it's ok to trespass on someone's land... I mean they are not using it... why not?
Do you think for a moment that if the employee does get a computer compromised by being a typical User (tm) that it's not the employee who has to answer the ISP's phone call that their machine is trying to hack other computers... but the responsibility is actually the employer's?
You have no grasp of the world beyond what rights you think you are "owed"
Ha! I call BS. A girlfriend... and a Slashdot poster? Likely story.
Jeez... nerds talking music...
I have heard that reality has a well-known liberal bias...
Video games are enjoyed by adults and parents alike.
Agreed. The post is not 100% correct but is not flamebait.
Research Whole Disk Encryption. It's actually not that bad on performance (I am running it right now)
What barely noticeable "feature" do I "need" with Blu-ray that I can't get with regular DVDs?
My grandmother would like to know what this "cron" you speak of is... it sounds like a old science fiction movie, but she can't figure out the connection between movies and backups....
Umm yeah... I am going to have go head and ... disagree with you on this one
A. Google provides a free service. To pay their bills they use search data, add views, etc. They have a right to save that data. THey tell you up front they are saving it (check their terms of of use) and make no pretenses about it not being saved. They need to make money too... sorry, everything in this world is not free. Google worked for the information they store and have a right to it. The goverment does not.
B. This law suit would be like the goverment going up to a Bank and saying give us all your checking account transactions... names hidded (snicker) so we can see who is paying for porn. If that happened, the response would be insane. There is no difference, many checking accounts are free as well. Yes, if there is a crime suspected, the gov't can get bank records, but not just for statistic analysis.
I agree with the deny first policy. I don't use proxy servers, but instead use enforced high risk for all Internet sites in Internet explorer. This allows me to ensure that no activex/java code is executed without business causes. If there is a a business reason for a site, it's added to a global trusted site list which then allows it for everyone.
If it's a business site, then everyone has access else, it's blocked (er active code is blocked) This works well, keeps spyware WAY down, and makes employees think twice before asking the boss for access to a gaming site.
One of the issues in security in general is the permit all, deny bad stuff. This is model that can not succeed. More people need to deny all, permit good stuff. It's much easier to list all the good stuff, then attempt to list all the bad stuff.
I work as a security consultant for Hospitals and Banks. In some of the audits I have done, I have found that are controls, or even considerations for IM. Even P2P, I was at one bank that the VP of the place ordered the third party vendor to open ports on his firewall for P2P stuff. I am no legal expert, but I told the 3rd part to get it in writing from the VP (if he still wants it open after our scathing report) that the VP orders the 3rd party to open those ports. That way, the Bank and the VP are the liable ones. I couldn't believe that though. PLus if you consider IM, most places don't have checks on the application layers especially regarding IM. I have seen quite a few banks with Egress filters, but those only block some IM protocols from connecting, many just default to port 80. It's a scary world out there, and the IM and P2P isn't helping anything.
It's odd, on /. everyone complains that on Windows, many programs don't work unless you are administrator. (or have that power) It's something brought up all the time about the inadequecies of Windows. Now, Microsoft is doing something to attempt to change that, and in the first 3 posts, we get something about how they are just "reinventing Unix, poorly" That may be the case, but they are going down that road. Not every admin can run *nix, it is complex, it is hard to learn. Perhaps MS doing things to make their OS more nix like will actually help the adoption of open source *nix variants. I think the blast Microsoft for everything they do may backfire on /. crowd at somepoint...
Sure. But a wise admin at least periodically asks, "What opportunity is the company missing due to my particular risk management techniques?" Risks and rewards often correlate. If you, for example, have a senior executive who is exploring a new or potential vendor's online training resources, but can't use them due to your policy, then the company may have missed an opportunity. If the vendor was offering something that seriously improved a manufacturing process, your employer could forfeit several millions in profit to avoid employing a single helpdesk employee dedicated to removing spyware from employee machines.

Sure. But anytime someone needs to do something, the email comes in, they say why and we add it. We don't have a formal process to enable something. If it's obviously something they need, no questions; if it's not obvious (i.e. texasholdem.com) then we make them answer. No one has been unable to perform a business function because of it.

Man up and don't get so defensive. I don't think anyone means to imply that totalitarian network administration policies and totalitarian governments are morally equivalent.

Fair enough... I did get defensive. That being said, many assumptions were also made about my network and my style of administration...

That's the right answer, but the wrong question. Better than asking, "Whose network is this," is, "Why is this network here?" It's there to improve workflow, increase productivity, and more precisely, reduce the cost of operating the company and make it more profitable.

Yes it is. And there is responsibility by the owner to ensure that happens. The questions are more related than you think.

Empirical operating costs can be easily measured, but other costs, such as productivity reduction, can't. For example, my company has online timesheets. We changed from a very employee-friendly system a couple years back to a system with a very clunky, inefficient, and time-consuming employee interface, so that our small HR staff could do their work more easily and save processing time. So we slowed hundreds of employees down drastically to speed less than half a dozen employees up drastically. Good idea? Probably not.

I agree, probably not in your case. In our case, having just one PC down, and the time for IT to fix, could be hugely costly. (how's that for grammar) The small time cost to get a site added helps prevent software that slows, prohibits, and discourages productive workflow.

For your company, whitelisting may be a perfect solution. For others, it may not be. How do you guess it would scale if your company grew 10x? Whitelisting and scalability are not good friends. Sometimes anti-spyware, especially FOSS anti-spyware, is very cost effective and can scale quite well. And "catches enough" may be a more useful criterion for many companies than "catches everything".

Whitelists not scaling well is FUD put out by companies that would be out of customers if they were used. Think about process control. If it were easy to whitelist processes... (I actually am looking into it) AV would be obsolete... you take a known good process, and MD5 it... if it's on the list, and the MD5 is correct, it gets to run, otherwise it doesn't. The time up front will be higher, but in the long run, PCs running faster due to no signature-based rules... it would be great... now I admit that there is no easy solution at this time for the whitelisting of processes. We found a sufficiently easy solution for websites, but even some (obviously) think it is too much. Well... so be it. Whitelists are great... more people should consider default deny instead of default allow... things would be much better. (Not a single piece of spyware in 3 years of having it implemented must show something is working.)

Uhoh. Time to tune your solution.
Everything worthwhile should work. It's tuned. Some things = gaming sites etc. Everything needed at this point for legitimate business uses works. Only those things that may be considered non-business have some problems. And
I don't care what they think is legitimate. If their "legitimate" activity causes downtime for the company, or forced man-hour wasting... then it's not legitimate. There are plenty of good workers who can abide by that. Matter of fact, most employees are long-time employees. I explain WHY I am doing it, and they all agree that it makes sense considering the risk of a compromise of any time could mean the business loses customers and that could affect their job. I am not unreasonable, but if they want an IT resource, they have to tell me why they need it. What you are saying in a sense is whitelisting computer functions, and only blocking those that cause problems. That makes no sense... the default should be deny, and then permit. You have control then; default allow = no control of your computing resources. Check out the CSI/FBI studies... most attacks come from inside. I am not saying you do one thing and not the other (a la backup tapes); yeah, they should be encrypted as well. So what? Printers? Another issue. Everything has to have the risk/reward. Printers (at least in our environment) are needed. USB keys are not... Users know this as well, so why bother allowing them?
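The hash-based process whitelist sketched above ("MD5 a known good process; if it's on the list and the hash matches it runs, otherwise it doesn't") and the default-deny-versus-default-allow point, as an added example that is not from any poster in this thread. The sample "binaries", paths and allowlist are constructed for illustration; the digest defaults to SHA-256 because MD5 collisions are practical, though the thread's MD5 still works through the same function.

```python
import hashlib

# Constructed sample executables: in a real deployment these would be the
# on-disk bytes of each program at the time the allowlist was built.
SAMPLE_BINARIES = {
    r"C:\Program Files\Acme\timesheet.exe": b"MZ...timesheet-v1...",
    r"C:\Program Files\Acme\wordproc.exe": b"MZ...wordproc-v3...",
}


def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of an executable image. The thread proposes MD5; SHA-256 is
    the default here because two different binaries can share an MD5."""
    return hashlib.new(algo, data).hexdigest()


def build_allowlist(binaries, algo="sha256"):
    """Snapshot the known-good processes as path -> expected digest."""
    return {path: digest(data, algo) for path, data in binaries.items()}


ALLOWLIST = build_allowlist(SAMPLE_BINARIES)


def may_run(path, data, allowlist, default_deny=True, algo="sha256"):
    """Decide whether a process image may execute. Returns (allowed, reason).

    default_deny=True  -> unknown binaries are blocked (the poster's policy)
    default_deny=False -> unknown binaries run; only listed ones are checked
    """
    expected = allowlist.get(path)
    if expected is None:
        return (not default_deny, "not on allowlist")
    if digest(data, algo) != expected:
        # Same path, different bytes: patched, trojaned or simply upgraded.
        return (False, "hash mismatch (modified or replaced binary)")
    return (True, "allowlisted and hash verified")


def evaluate_policy(default_deny):
    """Run three constructed scenarios under one policy for comparison."""
    good = SAMPLE_BINARIES[r"C:\Program Files\Acme\timesheet.exe"]
    return {
        "known_good": may_run(r"C:\Program Files\Acme\timesheet.exe",
                              good, ALLOWLIST, default_deny)[0],
        "tampered": may_run(r"C:\Program Files\Acme\timesheet.exe",
                            good + b"\x90", ALLOWLIST, default_deny)[0],
        "unknown_download": may_run(r"C:\Users\bob\Downloads\freegame.exe",
                                    b"MZ...unknown...", ALLOWLIST, default_deny)[0],
    }
```

Under default deny the unknown download is blocked without any signature; under default allow it runs, which is exactly the "no control" case the poster objects to, while a tampered copy of a listed binary is refused under both policies.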
"You're probably equally OK with..." what a silly statement. Because I follow good security practices that the employees of my company can tolerate and that make our network more secure? Because I recognize that the employer's resources ARE the employer's resources? Since we are going to make generalizations... let me try... You are probably the type of person who thinks it's OK to trespass on someone's land... I mean they are not using it... why not?
Do you think for a moment that if the employee does get a computer compromised by being a typical User (tm), it's not the employee who has to answer the ISP's phone call that their machine is trying to hack others' computers... but the responsibility is actually the employer's?
You have no grasp of the world beyond what rights you think you are "owed".