Re: Defending yourself against Nazi IT departments



On Sun, 22 Apr 2007, in the Usenet newsgroup comp.security.firewalls, in
article <OHIWh.2140$V7.345@xxxxxxxxxxxxxxxxxxxx>, Bogwitch wrote:

Wayne wrote:

"Dana" <raff242@xxxxxxxxx> wrote

"Sebastian G" <seppi@xxxxxxxxx> wrote

He claimed to use his own web browser or a Java applet within one.

But well, if the IT department cares, he won't be able to run those
in the first place.

Below - "care" doesn't enter into the argument.

Depending on the IT department, that may well be true, but in some
places that kind of security does not exist, and networks are pretty
much wide open.

When I saw the original post in this thread, I thought it was a sock
puppet of the skating/internet radio troll. Same useless technique,
same advice. The only thing missing was the line that I/T or the bosses
would "never _GUESS_ what is going on".

Unfortunately, these last two statements say it all.
....if the IT department cares...that kind of security does not exist...
Most IT departments don't have the time/budget/manpower to care about
something like this. If you do have this much free time, I envy you.

It's not so much the IT departments as the company itself. No IT (or
similar level/function) manager should be setting policy without written
"direction" (read that as "policy") from on high. That direction should
include staffing and budgets, and the basic policy should be reviewed by
the legal staff of the company (who may have to defend it in court).

Some observations.

1. IT security is *NOT* an IT function. It is a security function.

It's also not a single object - like a firewall or proxy server, but is
a whole bunch of other things like company policies that the employees
are strongly aware of - like "Thou shall not use the network for personal
reasons." and "Thou shall not install unapproved hardware and/or software
on company computers." among other things. Another item is warning the
employees/users that the network is, OR MAY BE monitored at any (or all)
time, and that violation of company policies will have consequences.

2. Organisations that do not invest time/budget/manpower in 'something
like this' invariably invest time/budget/manpower in the subsequent
clearup, not to mention the potential losses that could be suffered due
to a lack of security/ lack of enforcement.

Boy, ain't THAT the truth.

3. IT departments should be monitored as closely, if not more so than
regular users. The OP demonstrated this VERY clearly.

I don't disagree, but I didn't get the opinion that the O/P was IT.
For certain, the O/P was quite clueless about this newsgroup, and
failed to even try using a search engine to see what past postings in
the group referred to.

Old guy