Date: Fri, 14 Aug 2020 21:37:06 +0200
From: Polytropon <freebsd@edvax.de>
To: Aryeh Friedman <aryeh.friedman@gmail.com>
Cc: Jon Radel <jon@radel.com>, FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: OT: Dealing with a hosting company with it's head up it's rear end
Message-ID: <20200814213706.18eb16b9.freebsd@edvax.de>
In-Reply-To: <CAGBxaXnjDAnZPjx_nksb_ed-f+X=PowLTUYMX706oMScd8HDaw@mail.gmail.com>
References: <CAGBxaXmg0DGSEYtWBZcbmQbqc2vZFtpHrmW68txBck0nKJak=w@mail.gmail.com>
 <CAGBxaX=XbbFLyZm5-BO=6jCCrU+V+jubxAkTMYKnZZZq=XK50A@mail.gmail.com>
 <CALeGphwfr7j-xgSwMdiXeVxUPOP-Wb8WFs95tT_+a8jig_Skxw@mail.gmail.com>
 <CAGBxaX=CXbZq-k6=udNaXTj2m+gnpDCB+ui4wgvtrzyHhjGeSw@mail.gmail.com>
 <40xvq0.qf0q3x.1hge1ap-qmf@smtp.boon.family>
 <CAGBxaX=9asO=X32RucVyNz5kppPhbZc9Ayx-pyiXMBi85BeJ6w@mail.gmail.com>
 <20200814004312.bb0dd9f1.freebsd@edvax.de>
 <20200814065701.2b390145ac6d189161bc31b4@sohara.org>
 <173ed205550.27bc.0b331fcf0b21179f1640bd439e3f4a1e@tundraware.com>
 <CAGBxaX=gs57EXsm028+6Var89MUoGh-7d1gfPdGmbm5gPBnufA@mail.gmail.com>
 <4d320acd-a995-7a35-5c0e-c2c22e7e6f96@radel.com>
 <CAGBxaXnjDAnZPjx_nksb_ed-f+X=PowLTUYMX706oMScd8HDaw@mail.gmail.com>
On Fri, 14 Aug 2020 10:44:35 -0400, Aryeh Friedman wrote:
> On Fri, Aug 14, 2020 at 10:32 AM Jon Radel <jon@radel.com> wrote:
>
> > On 8/14/20 09:48, Aryeh Friedman wrote:
> > > On Fri, Aug 14, 2020 at 9:20 AM Tim Daneliuk <tundra@tundraware.com> wrote:
> > >
> > >> On August 14, 2020 12:58:49 AM "Steve O'Hara-Smith" <steve@sohara.org> wrote
> > >>
> > >>> Again many corporate firewalls don't allow ssh out (or in directly)
> > >>> because tunnelling bypasses the firewalls. And again it seems odd for a
> > >>> hosting company.
> > >>>
> > >>
> > >> ssh out is typically prohibited to lower the risk of employee transfer of
> > >> sensitive data to external destinations - so called Data Loss Prevention.
> > >> This, along with email scanning and man in the middle cert management, is
> > >> pretty common.
> > >>
> > > Unless it is 100% air gapped with no ability to plug in portable media
> > > and/or record the screen then nothing is 100% immune from such loss and
> > > thus not allowing it makes very little sense. If on the other hand the
> > > idea is to limit the damage that malware/spyware can do then it makes sense
> > > (even if someone does [accidentally] install malware/spyware it can not
> > > send the results of its dirty work anywhere).
> > >
> > Untrue. As the CISO at my latest employer said to me (paraphrasing
> > some, as it's been a while):
> >
> > You and I know how to circumvent the restrictions, but the vast majority
> > of the staff hasn't a clue. This cuts down the noise I have to wade
> > through.
> >
>
> Oh great, security by obfuscation! Sounds like the CISO missed the first
> day of security 101. A false sense of security is always a bad idea.

But but but we are ISO-9660 certified! And we have that expensive
snake oil sprinkled everywhere! ;-)

There are measures that do not "add security", but can help to limit
the line noise. A typical example is moving SSH to some non-standard
port: That doesn't prevent anyone from performing a port scan and
connecting to that non-standard port, but it limits the fun for script
kiddies that connect as "Administrator" on the default SSH port.

Those who _want_ to extract data will find a way. As has been
mentioned, a screen capture sent per e-mail, or a screen photo taken
with a private smartphone, will work. There are so many possibilities
of data extraction that you cannot stop with a firewall rule...

> > And back to the main topic of this thread: What does your lawyer say
> > about your client that is huffing and puffing threats over your
> > inability to perform magic to paper over their unwise contracting
> > actions in regard to a different vendor? Seems to me that you left the
> > land of technology a ways back on this one.
> >
>
> Actually the client has signed the one piece of paper we needed to move
> forward, which is a waiver of liability for stuff we said was inherently
> risky (in writing) before we started the work. It should also be noted
> that due to lack of competence by the hosting company and by the equipment
> supplier we have become the client's de facto IT dept, even though we were
> originally hired as programmers only (this means when push comes to shove
> the client almost always trusts us over anyone else and for the most part
> "I will find someone else" is just his lack of social graces and not an
> actual threat).

Tell them you're "devops" now. :-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
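As an added illustration of the "line noise" point above (this script is not part of the thread or of any poster's message), a small Python tally of failed sshd password attempts over constructed syslog-style lines; it separates guesses at stock account names such as "Administrator" and "root" from failures against real local accounts, which is the part an operator actually wants to look at. The log lines, addresses and the DEFAULT_NAMES list are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample in the style of sshd syslog lines; not real log data.
SAMPLE_LOG = """\
Aug 14 21:01:02 host sshd[1201]: Invalid user Administrator from 203.0.113.10 port 51012
Aug 14 21:01:03 host sshd[1201]: Failed password for invalid user Administrator from 203.0.113.10 port 51012 ssh2
Aug 14 21:01:05 host sshd[1203]: Failed password for root from 203.0.113.10 port 51014 ssh2
Aug 14 21:02:10 host sshd[1210]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Aug 14 21:03:00 host sshd[1215]: Accepted publickey for polytropon from 192.0.2.5 port 60001 ssh2
Aug 14 21:04:44 host sshd[1220]: Failed password for polytropon from 192.0.2.5 port 60002 ssh2
"""

# Matches sshd's "Failed password" line for both known and invalid users.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Account names that bulk password guessers try by default (assumed list).
DEFAULT_NAMES = {"root", "admin", "administrator"}


def summarize_failed_logins(log_text):
    """Count failed password attempts per source, per user, and how many
    target default account names (the 'line noise' a port move filters)."""
    per_source, per_user, noise = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        user, src = m.group("user"), m.group("src")
        per_source[src] += 1
        per_user[user] += 1
        if user.lower() in DEFAULT_NAMES:
            noise += 1
    return per_source, per_user, noise


def noise_fraction(log_text):
    """Share of failed attempts aimed at default names; 0.0 when none failed."""
    _, per_user, noise = summarize_failed_logins(log_text)
    total = sum(per_user.values())
    return noise / total if total else 0.0


if __name__ == "__main__":
    per_source, per_user, noise = summarize_failed_logins(SAMPLE_LOG)
    print("failed by source:", dict(per_source), "by user:", dict(per_user))
    print(f"default-name noise: {noise} of {sum(per_user.values())} failed attempts")
```

On the sample, three of the four failures are default-name guesses; the remaining one, against the real account "polytropon", is the kind of entry that stays visible once the noise is gone.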