From owner-freebsd-questions@freebsd.org  Fri Aug 14 17:49:01 2020
Return-Path: <owner-freebsd-questions@freebsd.org>
Delivered-To: freebsd-questions@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id C065D3C47EC
 for <freebsd-questions@mailman.nyi.freebsd.org>;
 Fri, 14 Aug 2020 17:49:01 +0000 (UTC)
 (envelope-from tundra@tundraware.com)
Received: from oceanview.tundraware.com (oceanview.tundraware.com
 [45.55.60.57])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mailman.tundraware.com",
 Issuer "mailman.tundraware.com" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4BSrXX5166z3yd6
 for <freebsd-questions@freebsd.org>; Fri, 14 Aug 2020 17:49:00 +0000 (UTC)
 (envelope-from tundra@tundraware.com)
Received: from [192.168.0.2] (ozzie.tundraware.com [75.145.138.73])
 (authenticated bits=0)
 by oceanview.tundraware.com (8.16.1/8.15.2) with ESMTPSA id 07EHlbkC029666
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO)
 for <freebsd-questions@freebsd.org>; Fri, 14 Aug 2020 12:47:37 -0500 (CDT)
 (envelope-from tundra@tundraware.com)
Subject: Re: OT: Dealing with a hosting company with it's head up it's rear end
To: freebsd-questions@freebsd.org
References: <CAGBxaXmg0DGSEYtWBZcbmQbqc2vZFtpHrmW68txBck0nKJak=w@mail.gmail.com>
 <CAGBxaX=XbbFLyZm5-BO=6jCCrU+V+jubxAkTMYKnZZZq=XK50A@mail.gmail.com>
 <CALeGphwfr7j-xgSwMdiXeVxUPOP-Wb8WFs95tT_+a8jig_Skxw@mail.gmail.com>
 <CAGBxaX=CXbZq-k6=udNaXTj2m+gnpDCB+ui4wgvtrzyHhjGeSw@mail.gmail.com>
 <40xvq0.qf0q3x.1hge1ap-qmf@smtp.boon.family>
 <CAGBxaX=9asO=X32RucVyNz5kppPhbZc9Ayx-pyiXMBi85BeJ6w@mail.gmail.com>
 <20200814004312.bb0dd9f1.freebsd@edvax.de>
 <20200814065701.2b390145ac6d189161bc31b4@sohara.org>
 <173ed205550.27bc.0b331fcf0b21179f1640bd439e3f4a1e@tundraware.com>
 <CAGBxaX=gs57EXsm028+6Var89MUoGh-7d1gfPdGmbm5gPBnufA@mail.gmail.com>
 <4d320acd-a995-7a35-5c0e-c2c22e7e6f96@radel.com>
 <CAGBxaXnjDAnZPjx_nksb_ed-f+X=PowLTUYMX706oMScd8HDaw@mail.gmail.com>
 <df55f102-228f-021d-62ba-b26520e78740@radel.com>
From: Tim Daneliuk <tundra@tundraware.com>
Autocrypt: addr=tundra@tundraware.com; prefer-encrypt=mutual; keydata=
 xsFNBFlVgYoBEADIYD9W4mbKz5cEleX923hagDWkxyJl4kRiMJnz+dNAH71MItSdErMb0cFt
 CPxVncb4dR4R2ec0c0MjPcgVINNtbY1DMWsF7t31TKD8NG9ZjLqF6fZDFjgkRejqHytgjmCI
 UejrMSCf0UJsLtg+I3N1ZVVxd7ALj2bCvC/uc5S7j+YbNnhQvSoBbdFj/xOTjyOGGpk7WfB7
 e42PGKq1NSgnI7tcY6HSaSH+LHeoc0yUpBb5A1ge+RhR1N9JTniEFe0qvOBi+HgUltEoxsk4
 xb6IhpkDOTsxHvEg5h0ukfl8kG9cu+LrEBqwPaC8lPw3UmoTEAU+lXHanPE12JCF/54EtVCc
 rb4W0vqgGmLJzn5dRU/fWkar0FKPq4eoV0XMbGZKIC6pWQnMEsxEMpNvh7oefK6Kyn+LO+59
 +sNYHbv1RImDJccmfHTOA6/jHdwOcnYy37U8UF7e+mGrwNs8GsMQx2AaQbR6VErakH3GBgft
 bMFOGQxiaRBkbzba7BZCQ060yhiC3/Mb/xHoVi7PBEmKig1SErTMA7Fh3CYPYIRDphNs6OSr
 tf9O4hbzUAsjbU3rxOfiWQjP3fSOM0KUBj4wpIWZlMrjAGnMIz2wHb211wsBiLqSaGiiO1LR
 7RrcvbIFZvHQHiWe2tdRyuH3N/h7A316yoLfx+yy1gyP5weWsQARAQABzSRUaW0gRGFuZWxp
 dWsgPHR1bmRyYUB0dW5kcmF3YXJlLmNvbT7CwXcEEwEIACEFAllVgYoCGyMFCwkIBwIGFQgJ
 CgsCBBYCAwECHgECF4AACgkQdoOXo5EJFKntcA/9F9ags9Ik5C49N39iRq+yqBdn/Lr75rqv
 +Yg7JkjeVlwHpnQt1S6orTC7EaJc+AqY3szCEmhfuT0+E96Bw2k+G/XRnaedZ9SHSdImlmq0
 RmOFpWLr67ScvlA9YG1tyR+QYraEFqK5EB6qhOWRJoz1BYtAAntK9b9gUTXt/277sT7lAWaj
 oPi4CDd4DofHc4E9VRsniMQNMLCWqc/ygAK07cWbK2Rh90tS2C4nK6OHFkNkK94zDilfxod1
 NBFTUPPYfEU2CSa3eLlpfhYY3/2X7zNvmmCt+chHUnAhQLhldQ3WlqmTKP+ZK9LX002/bY1O
 M8Zk76WyA/A3EfsIUbnXBQvFyjwX6W4QEytlZWtp/yRIe64JOa3dZ8rkhragb2N4VgVLBVe3
 jtZgfQ72pHrfNk/T0uT+hjFqInvIYiXkhxB2GiD7Ga28VuXojTmeoaW3GKcvoVxONSju7WzD
 XgyxWRmNpd5uifJcC3YU3tNNAosnQ0/5FW4wkducSEVwwqnAiSMQEMDDa/e6oP6GyOzes5SV
 LTNCRYdHWVKbxjetYU4SKm5RdLx9XuJo0qL9vO97mCNwdNkTM7gO2ycQ49qUiGbCZJOh2gpP
 ZRFrpJDxbloosAfOEB6IYjhb38u6jvbScJKK3bWA+a8TK4SrQpdRd1cAnW9sA8jCTV8ejZq0
 CHnOwU0EWVWBigEQAJYuihAOOOe/kAn045Ayn+3is3S+6eV4IAgL6lJhoChkgUJJuFoRX9BY
 rd35z29+q2/UCoProzd4Mk66wXeWv6n4s5R79OUzjgMLCTVlVaMy4gjPL9NRDwMt7KYRF56g
 mnoKZwfPDi/oJ5toPPboW94FrMwonqbdqYM2Pyi/HPMe4e396WQ4TaA1CdhyzKHoFSpkGcjX
 zIQ5yQ5aaGS7wonRu/pg15dbu+8QOgxRNFa0bO+ntz/30u+VmxFqFVbExjuy3Or8fSBhJgx4
 cfyrrunKLclpZ/52VeK3l53yWYpR8RaTZfzpu8Ih+ijAY4XLO5F8P1T6sEviMaTY2F0sbFRx
 ZJXsgFpiKeWPHUn7/LX7qcoFJYoFqG6b3n5km+qy39x6lMgJDuxKpeN6lYj//LB6xVzn0JI+
 4ZHPrEkFqxu8VkL7deCPTI67ZJik18jXjTH9sha1YBvgvxIPFMA7ZwXX2AwNu7PzdcCpWarS
 usOAHbjQBUsQ+ZPpI1oeFnsCPZ+8/mMcTjVRZyJxOPs3KnXZv2cXNuaa7lwkWS366gHzQI7O
 l6WdC8TyNjiOzR654cL8BgYQ/xNSW1vTXqPWSRU8/b/5IueY2tQJh0CKIvfoP0rk8976wa1R
 8SRi08mwHX7+F5oSeXLRNHicQGpS1f0DywdRcQ0MFHyq/CV4dTltABEBAAHCwV8EGAEIAAkF
 AllVgYoCGwwACgkQdoOXo5EJFKkDNw//c8nailIVOV72l7Lze+2AuK9MYUCFb1i4qI1WTnG0
 OHQlCAltPhdwZPAozJw/eNqIcuWQh8rZspve9ipj589wLSsVyaFRsuYXTiYZ9RlRsnJYa36h
 2JML3ZGrRsSxaUEAggbiOKbwmw27JuOIPmC3Gln4tJuZ+nw6cfCgMI45bIzinVanxHwPLeLp
 BZKpaEYzAwtBykUfAXn3jDwrI95UlMJvhHDFuRgvb6uSyJIqmp5aR/BjnlSdEwICyWpRAVSt
 yqZeBMeHbCr1B97PIRzk/q0eHm9T+AoiZWwz1iVGGgkYdAaCfs2PBlNHmRm93cfgoEcaGvNb
 RbTXOe28niMJeYMQsnjOTy5AQIrhVKeP5E+qVs/oPK/inmLiTbjZcnrO2wR+uxpPGgmR6M/3
 p8qyRdaOvT87HZXO+Wr+r9A4UnwhCPsfELwPlEo+TJQ/oE71Mlkx/ddQCWELcHjXrQF9YbzA
 Ml7g0zTkgHysh4DNkV5iYteOcmCwsWdOwn0H0yZfz6weyr8nEdPngyOjFNKMIpcTbeg8866c
 GxXAJj46dub4VdVwfvMRHfmmRJkjdId7YHWMgz2Kf7S7KPCROLis7WjlOdSS0q2m/7qy9WL/
 ZW50YLS8ZZLMrnari5JxCyJX+8n6ZASo2AA93iTbKmYegK2LDwW1QLU1iAF3GyGOnSE=
Message-ID: <5b94aeea-e244-1ba4-63f9-06a5a3f85705@tundraware.com>
Date: Fri, 14 Aug 2020 12:47:31 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <df55f102-228f-021d-62ba-b26520e78740@radel.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.2
 (oceanview.tundraware.com [45.55.60.57]);
 Fri, 14 Aug 2020 12:47:37 -0500 (CDT)
X-TundraWare-MailScanner-Information: Please contact the ISP for more
 information
X-TundraWare-MailScanner-ID: 07EHlbkC029666
X-TundraWare-MailScanner: Found to be clean
X-TundraWare-MailScanner-SpamCheck: not spam (whitelisted),
 SpamAssassin (not cached, timed out)
X-TundraWare-MailScanner-From: tundra@tundraware.com
X-Spam-Status: No
X-Rspamd-Queue-Id: 4BSrXX5166z3yd6
X-Spamd-Bar: -
Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none;
 spf=pass (mx1.freebsd.org: domain of tundra@tundraware.com designates
 45.55.60.57 as permitted sender) smtp.mailfrom=tundra@tundraware.com
X-Spamd-Result: default: False [-1.86 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[];
 ARC_NA(0.00)[]; MID_RHS_MATCH_FROM(0.00)[];
 FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[];
 R_SPF_ALLOW(-0.20)[+a]; MIME_GOOD(-0.10)[text/plain];
 PREVIOUSLY_DELIVERED(0.00)[freebsd-questions@freebsd.org];
 TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1];
 NEURAL_HAM_LONG(-0.82)[-0.822]; DMARC_NA(0.00)[tundraware.com];
 NEURAL_SPAM_SHORT(0.12)[0.122];
 NEURAL_HAM_MEDIUM(-0.86)[-0.856]; FROM_EQ_ENVFROM(0.00)[];
 R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+];
 ASN(0.00)[asn:14061, ipnet:45.55.32.0/19, country:US];
 RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[]
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.33
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Aug 2020 17:49:01 -0000

On 8/14/20 12:13 PM, Jon Radel wrote:
> I'm a bit unclear on how a frank admission that the controls can be
> circumvented translates, in your head at least, into a false sense of
> security.
> 
> The playground is a bit bigger than the technical sandbox where you
> appear, and I most certainly am, most comfortable.  The CISO also has to
> be comfortable hanging out with the compliance lawyers behind the shed
> at the far end of playground, not to mention keeping HR happy.
> 
> If you write a policy document, implement controls that make
> "accidental" circumvention of the policy difficult, while still keeping
> a close eye on what else the staff is doing, you can:
> 
> 1.  Reduce the noise of having to track unthinking, largely innocent
> violations and endless, tedious discussions about who deserves to be
> fired. 
> 
> 2.  Reduce the plausible deniability of the actual attempts to cause
> harm to the company, now that actual "tricky" actions are required to
> circumvent controls that give you big warnings in your browser, making
> for much better confidence in making termination decisions and/or taking
> legal action.
> 
> None of this particularly has anything to do with the technology.

Hear, hear.  Unlike universities and government agencies, businesses do
not have A) An essentially limitless line of credit and B) Huge immunity
to legal action.   Businesses therefore must act in way to limit risk,
and said limitations cannot be avoided just because they are imperfect.

The irony is that of much of this risk avoidance is inflicted at the hands
of political agents and bureaucrats who themselves have no expertise in
the technology nor any actual risk exposure themselves.  This doesn't
prevent them from writing law and regulations the force CIOs and CISOs to
make unpleasant compromise decisions.

The truth is that technical elegance and ease are the least important
inputs into any CIO's calculus.  They have exposure to far larger problems
than whether or not you can tunnel ansible playbooks over an ssh session ...

DAMHIT


-- 
----------------------------------------------------------------------------
Tim Daneliuk     tundra@tundraware.com
PGP Key:         http://www.tundraware.com/PGP/