Date: Fri, 14 Aug 2020 13:13:17 -0400
From: Jon Radel <jon@radel.com>
To: freebsd-questions@freebsd.org
Subject: Re: OT: Dealing with a hosting company with it's head up it's rear end
Message-ID: <df55f102-228f-021d-62ba-b26520e78740@radel.com>
In-Reply-To: <CAGBxaXnjDAnZPjx_nksb_ed-f%2BX=PowLTUYMX706oMScd8HDaw@mail.gmail.com>
References: <CAGBxaXmg0DGSEYtWBZcbmQbqc2vZFtpHrmW68txBck0nKJak=w@mail.gmail.com> <CAGBxaX=XbbFLyZm5-BO=6jCCrU%2BV%2BjubxAkTMYKnZZZq=XK50A@mail.gmail.com> <CALeGphwfr7j-xgSwMdiXeVxUPOP-Wb8WFs95tT_%2Ba8jig_Skxw@mail.gmail.com> <CAGBxaX=CXbZq-k6=udNaXTj2m%2BgnpDCB%2Bui4wgvtrzyHhjGeSw@mail.gmail.com> <40xvq0.qf0q3x.1hge1ap-qmf@smtp.boon.family> <CAGBxaX=9asO=X32RucVyNz5kppPhbZc9Ayx-pyiXMBi85BeJ6w@mail.gmail.com> <20200814004312.bb0dd9f1.freebsd@edvax.de> <20200814065701.2b390145ac6d189161bc31b4@sohara.org> <173ed205550.27bc.0b331fcf0b21179f1640bd439e3f4a1e@tundraware.com> <CAGBxaX=gs57EXsm028%2B6Var89MUoGh-7d1gfPdGmbm5gPBnufA@mail.gmail.com> <4d320acd-a995-7a35-5c0e-c2c22e7e6f96@radel.com> <CAGBxaXnjDAnZPjx_nksb_ed-f%2BX=PowLTUYMX706oMScd8HDaw@mail.gmail.com>
On 8/14/20 10:44, Aryeh Friedman wrote:
> On Fri, Aug 14, 2020 at 10:32 AM Jon Radel <jon@radel.com> wrote:
>
>> On 8/14/20 09:48, Aryeh Friedman wrote:
>>> Unless it is 100% air gapped with no ability to plug in portable media
>>> and/or record the screen then nothing is 100% immune from such loss and
>>> thus not allowing it makes very little sense. If on the other hand the
>>> idea is to limit the damage that malware/spyware can do then it makes
>>> sense (even if someone does in [accidentally] install malware/spyware it can
>>> not send the results of its dirty work anywhere).
>>>
>> Untrue. As the CISO at my latest employer said to me (paraphrasing
>> some, as it's been a while):
>>
>> You and I know how to circumvent the restrictions, but the vast majority
>> of the staff hasn't a clue. This cuts down the noise I have to wade
>> through.
>>
> Oh great security by obfuscation! Sounds like the CSIO missed the first
> day of security 101. False sense of security is always a bad idea.
>
I'm a bit unclear on how a frank admission that the controls can be
circumvented translates, in your head at least, into a false sense of
security.

The playground is a bit bigger than the technical sandbox where you
appear, and I most certainly am, most comfortable. The CISO also has to
be comfortable hanging out with the compliance lawyers behind the shed
at the far end of the playground, not to mention keeping HR happy.

If you write a policy document, implement controls that make
"accidental" circumvention of the policy difficult, while still keeping
a close eye on what else the staff is doing, you can:

1. Reduce the noise of having to track unthinking, largely innocent
violations and endless, tedious discussions about who deserves to be
fired.

2. Reduce the plausible deniability of the actual attempts to cause
harm to the company, now that actual "tricky" actions are required to
circumvent controls that give you big warnings in your browser, making
for much better confidence in making termination decisions and/or taking
legal action.

None of this particularly has anything to do with the technology.
>> Actually, better yet, you probably don't want to discuss that on a
>> public list......
>>
> If *YOU* think it doesn't belong on the list just come out and say it.
>
>
You may be under the impression that our interests are aligned on this
one. Personally, I'd find blow-by-blow updates on how your lawyer
freaks on finding that you are discussing his/her strategy on the
Internet, tidbits on the suit against you claiming tortious
interference by the hosting provider you've been bad-mouthing for days
and have now named, and the general unraveling of your contract, amusing
reading. (Others here probably feel differently, but they can speak for
themselves--I suspect the sensible ones have already killed this
thread.) If you think that was a mealy-mouthed way for me to say that
I'd prefer you'd stop discussing this, you'd be most mistaken. I was
just trying to suggest, given that I'm not malevolent enough to wish all
that on you solely for my amusement, that you consider how much of your
laundry, with some mighty amusing and suggestive stains showing, you
wish to air in public. That's all.

Oh, and thanks for caring enough to check me out on LinkedIn. ;-)
--
--Jon Radel
jon@radel.com
