On Wed, Jul 9, 2014 at 5:44 PM, Ted Mittelstaedt <t...@ipinc.net> wrote:
>
> On 7/9/2014 11:37 AM, Mauricio Tavares wrote:
>>
>> On Wed, Jul 9, 2014 at 2:23 PM, Ted Mittelstaedt <t...@ipinc.net> wrote:
>>>
>>> First of all why do people insist on hiding names of companies that
>>> do stuff like this? It just makes it look like you're manufacturing
>>> an event that doesn't exist, it destroys your credibility.
>>>
>> You mean besides NDAs and policies that at the very least might
>> cause those people to be fired by their employers? If you ever went to
>> a defcon open presentation, they do their best not to divulge the
>> names of involved parties.
>>
>
> Correct, but THEY ARE SAYING that they are under NDA and can't talk about
> it. They readily admit they are profiting off the evildoing of
> their customers or whatever, and quite often they have worked relentlessly
> within their organizations to change the SOP, and are
> known as gadflies, and their employer is well aware of their views.
>
> They speak at DEFCON because they hope that if enough people are educated to
> bad security practices that sooner or later an outside force will either
> convince their employer they were right all along,
> or if there's enough agreement they are correct by 3rd parties, their
> employer may be convinced.
>
> David DID NOT say that. He said that "he was shocked to discover". Why are
> you assuming he is under NDA or he is an employee of this company?
>
> He did not say this large DP company was his meal ticket. Are YOU
> saying that this is his meal ticket?
>
> But there is a larger issue here that I will address - this insistence of
> cowardly hiding behind NDA to protect rule breakers. David DID not
> say he did that - YOU are saying he did - and YOU appear TO BE ARGUING
> IN FAVOR OF DOING IT.
>
> What it boils down to is who are your sympathies for?
> The people
> breaking the rules or the thousands of other
> people who are going to find out after signing up with the rule
> breakers that they use questionable and unsafe business practices?
>
> Now, in MY opinion there are only TWO ways to handle organizations
> like "large data processing company".
>
> The first is to work within the system - if for example Large DP
> Company _is_ a customer of David's he goes to them, explains the danger,
> recommends they correct it.
>
> Then when he posts here he says "I was shocked to discover and my
> customer and I are working to correct it" or some such. I have plenty of
> respect for that, and posting that encourages other IT people to
> do the same.
>
> The second way is to work outside of the system.
>
> You start by sending an anonymous letter to the large DP company
> outlining the security issue and giving them 3 months to correct it or
> you will go to the press.
>
> If they haven't corrected it in 3 months you anonymously post details
> of what they are doing to every security blog and mailing list you
> can find.
>
> In that case, you NEVER, EVER breathe a word of the security problem to
> anyone. No one in the company, no one outside of the company. You make
> absolutely sure there's no possible way it can be traced back to you because
> trust me they are gonna try like hell to find whoever ratted them out.
>
> I presume David IS NOT doing that or we wouldn't be having this discussion.
>
> If you cannot do either of those options THEN GET THE HELL OUT OF HIGH TECH,
> WE DON'T NEED YOU.
>
> You are an administrator. YOU ARE PAID BY CLUELESS USERS TO PROTECT THEM
> AND THEIR DATA, DAMMIT. They trust you. When you walk on by something like
> this business David posted about, and DO NOTHING, you are breaking their
> trust. THIS is my beef with David's post. Merely
> posting "hey this is what someone is doing" is just walking on by, kicking
> the can down the road, doing nothing.
> THIS is what destroys your
> credibility.
>
> Users don't understand the dynamics of it. They aren't qualified to advise
> you no matter what they tell you and what you think - if they were, they
> wouldn't be paying you to do the job.
>
> Defending the people like Large DP Company is morally wrong and
> bankrupt. Mauricio, you need to seriously think about what you're saying.
> Would you want the doctor of your child to say nothing when you tell him
> you're a 2 pack a day smoker in your home? Well probably
> you would - but the doctor's responsibility is to the helpless
> child, not to you. The IT admin's responsibility is to the helpless users,
> not to a rule-breaking large data processing company.
>
You are putting words in my mouth. Since you assumed to know what I am
thinking and spent a lot of time writing those brilliant paragraphs to
expand on that, I think it would be unfair of me to say anything else.
And besides, I do not like horses, be they high or low. Never did.

> Ted
>
>
>>> Secondly, if you think that this is an example of "badness" on Windows
>>> security best practices you simply have not seen Windows deployed in
>>> 90% of production networks out there. This is NOTHING compared to S.O.P.
>>> on most Windows setups.
>>>
>>> Imagine MS-DOS/LanManager network security model of 30 years ago. Now
>>> imagine Windows networks today in the vast majority of production
>>> installs.
>>>
>>> NO EFFING DIFFERENCE!!!!!!!!!
>>>
>>> Ted
>>>
>>>
>>> PS: Naturally there will be some Windows-kool-aid drinker who is going
>>> to angrily reply to this post claiming Windows is secure if people just
>>> followed Microsoft's directions.....
>>>
>>>
>>> On 7/9/2014 11:06 AM, David F. Skoll wrote:
>>>>
>>>> On Wed, 09 Jul 2014 05:44:34 +0200
>>>> Karsten Bräckelmann <guent...@rudersport.de> wrote:
>>>>
>>>>> If you deliberately try to sneak past sensible security measures, you
>>>>> should not be surprised to be blocked. The attempt by an honest user
>>>>> to disguise any $file (he did it on purpose, so he knows there's
>>>>> issues with that) is in no way better than a dishonest user
>>>>> disguising a file.
>>>>
>>>>
>>>> Since implementing this rule, I have been *shocked* to discover that a
>>>> large data processing company (name hidden to protect the guilty)
>>>> sends out information about credit-card processing in the form of
>>>> obfuscated Microsoft Windows executable files!!! (They're renamed to
>>>> end in ".ex" instead of ".exe") I tried running one of these files
>>>> inside Wine. It's a "PGP Self Decrypting Archive" that asks for a
>>>> passphrase.
>>>>
>>>> The mind boggles!
>>>> *THIS* is the state of Windows "security" best
>>>> practices?
>>>>
>>>> Regards,
>>>>
>>>> David.
>>>
>>>
>>> ---
>>> This email is free from viruses and malware because avast! Antivirus
>>> protection is active.
>>> http://www.avast.com
>>>
>