Date:      Sat, 15 Aug 2020 08:59:52 -0400
From:      Aryeh Friedman <aryeh.friedman@gmail.com>
To:        User Questions <freebsd-questions@freebsd.org>
Subject:   Re: OT: Dealing with a hosting company with it's head up it's rear end
Message-ID:  <CAGBxaXk4T4Wnk0vvVKnswuACjh8iYmz3gTnyh=zz2L8BM1zF%2Bw@mail.gmail.com>
In-Reply-To: <20200815081600.55107873@scorpio.seibercom.net>
References:  <CAGBxaXmg0DGSEYtWBZcbmQbqc2vZFtpHrmW68txBck0nKJak=w@mail.gmail.com> <CAGBxaX=XbbFLyZm5-BO=6jCCrU%2BV%2BjubxAkTMYKnZZZq=XK50A@mail.gmail.com> <CALeGphwfr7j-xgSwMdiXeVxUPOP-Wb8WFs95tT_%2Ba8jig_Skxw@mail.gmail.com> <CAGBxaX=CXbZq-k6=udNaXTj2m%2BgnpDCB%2Bui4wgvtrzyHhjGeSw@mail.gmail.com> <40xvq0.qf0q3x.1hge1ap-qmf@smtp.boon.family> <CAGBxaX=9asO=X32RucVyNz5kppPhbZc9Ayx-pyiXMBi85BeJ6w@mail.gmail.com> <20200814004312.bb0dd9f1.freebsd@edvax.de> <20200814065701.2b390145ac6d189161bc31b4@sohara.org> <173ed205550.27bc.0b331fcf0b21179f1640bd439e3f4a1e@tundraware.com> <CAGBxaX=gs57EXsm028%2B6Var89MUoGh-7d1gfPdGmbm5gPBnufA@mail.gmail.com> <4d320acd-a995-7a35-5c0e-c2c22e7e6f96@radel.com> <CAGBxaXnjDAnZPjx_nksb_ed-f%2BX=PowLTUYMX706oMScd8HDaw@mail.gmail.com> <20200814213706.18eb16b9.freebsd@edvax.de> <20200815081600.55107873@scorpio.seibercom.net>

On Sat, Aug 15, 2020 at 8:22 AM Jerry <jerry@seibercom.net> wrote:

> On Fri, 14 Aug 2020 21:37:06 +0200, Polytropon stated:
> >On Fri, 14 Aug 2020 10:44:35 -0400, Aryeh Friedman wrote:
> >> On Fri, Aug 14, 2020 at 10:32 AM Jon Radel <jon@radel.com> wrote:
> >>
> >> > On 8/14/20 09:48, Aryeh Friedman wrote:
> >> > > On Fri, Aug 14, 2020 at 9:20 AM Tim Daneliuk
> >> > > <tundra@tundraware.com>
> >> > wrote:
> >> > >
> >> > >> On August 14, 2020 12:58:49 AM "Steve O'Hara-Smith"
> >> > >> <steve@sohara.org> wrote
> >> > >>
> >> > >>> Again many corporate firewalls don't allow ssh out (or in
> >> > >>> directly) because tunnelling bypasses the firewalls. And again it
> >> > >>> seems odd for a hosting company.
> >> > >>>
> >> > >> ssh out is typically prohibited to lower the risk of employee
> >> > >> transfer of sensitive data to external destinations - So called
> >> > >> Data Loss Prevention. This, along with email scanning and man in
> >> > >> the middle cert management is pretty common.
> >> > >>
> >> > > Unless it is 100% air gapped with no ability to plug in portable
> >> > > media and/or record the screen then nothing is 100% immune from
> >> > > such loss and thus not allowing it makes very little sense.   If
> >> > > on the other hand the idea is to limit the damage that
> >> > > malware/spyware can do then it makes sense (even if someone does
> >> > > in [accidentally] install malware/spyware it can not send the
> >> > > results of its dirty work anywhere).
> >> > >
> >> > Untrue.  As the CISO at my latest employer said to me (paraphrasing
> >> > some, as it's been a while):
> >> >
> >> > You and I know how to circumvent the restrictions, but the vast
> >> > majority of the staff hasn't a clue.  This cuts down the noise I
> >> > have to wade through.
> >>
> >> Oh great security by obfuscation!  Sounds like the CISO missed the
> >> first day of security 101.    False sense of security is always a
> >> bad idea.
> >
> >But but but we are ISO-9660 certified! And we have that expensive
> >snake oil sprinkled everywhere! ;-)
> >
> >There are measures that do not "add security", but can help to
> >limit the line noise. A typical example is moving SSH to some
> >non-standard port: That doesn't prevent anyone to perform a
> >port scan and connect to that non-standard port, but it limits
> >the fun for skript kiddies that connect as "Administrator" on
> >the default SSH port.
> >
> >Those who _want_ to extract data will find a way. As it has
> >been mentioned, a screen capture send per e-mail, or a screen
> >photo taken with the private smartphone will work. There are
> >so many possibilities of data extraction that you cannot stop
> >with a firewall rule...
> >
> >> > And back to the main topic of this thread:  What does your lawyer
> >> > say about your client that is huffing and puffing threats over your
> >> > inability to perform magic to paper over their unwise contracting
> >> > actions in regard to a different vendor?  Seems to me that you
> >> > left the land of technology a ways back on this one.
> >> >
> >> Actually the client has signed the one piece of paper we needed to
> >> move forward which is a waiver of liability for stuff we said was
> >> inherently risky (in writing) before we started the work.   It
> >> should also be noted that due to lack of competence by the hosting
> >> company and by the equipment supplier we have become the client's
> >> de facto IT dept., even though we were originally hired as programmers
> >> only (this means when push comes to shove the client almost always
> >> trusts us over anyone else and for the most part "I will find
> >> someone else" is just his lack of social graces and not an actual
> >> threat).
> >
> >Tell them you're "devops" now. :-)
>
> I have a suggestion on how to rectify this supposed problem that is
> causing Aryeh Friedman all this frustration and agita.
>

Says someone who refuses to help fix a bug because some hardware vendor
refuses to give them free equipment, even though the bug affects equipment
you already have.


> The basis behind any successfully capitalistic society is the ability
> of an individual or consortiums to create and manage their own
> businesses. Since Aryeh obviously feels that he is the smartest man or
> woman in the room, and the ultimate authority on the operation of
> 'cable/hosting companies', why doesn't he simply assemble a group of
> supporters and other financial institutions to back his creation of a
> new "Supreme" hosting company, created in his own likeness and bound to
> his rules.
>

A small piece of advice before you suggest something that someone else
should do: you should check to see if they have already done it.   Case in
point I helped start and/or was the technical head of 5 different ISP's in
the mid-90's to late 90's, including the first commercial grade ISP in Los
Angeles and a different one that became the fifth largest ISP in California
(every single one sold at a profit when the owners got out of the
business).  I left that world because the capital requirements became too
great for anyone smaller than a small country to be in the game.   Only
problem is:  to have that level of capital investment you need to involve
the "suits" who are universally idiots when it comes to technical matters.
Thus, from a purely technical standpoint (vs. what was technically
possible) ISPs have gone steeply downhill from when most of the small ones
were forced to leave since they didn't have the ability (or legal right) to
lay their own fiber to every house in the known universe.


> Now that sounds like a perfect solution to me. Besides, as my old
> grandpa used to say, "You can curse the darkness or light a candle. In
> either case, shut the f*%K up."
>

How about a better idea:  people who make incorrect negative assumptions
about others should bite their tongues.

P.S. A trivial amount of internet research should have told you the above
about my background.
-- 
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org