Re: Defending yourself against Nazi IT departments
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Sun, 22 Apr 2007 22:06:46 -0500
On Sun, 22 Apr 2007, in the Usenet newsgroup comp.security.firewalls, in
article <lbQWh.4728$kb4.760@xxxxxxxxxxxxxxxxxxxx>, Bogwitch wrote:
Moe Trin wrote:
1. IT security is *NOT* an IT function. It is a security function.
It's also not a single object - like a firewall or proxy server, but is
a whole bunch of other things like company policies that the employees
are strongly aware of - like "Thou shall not use the network for personal
reasons." and "Thou shall not install unapproved hardware and/or software
on company computers." among other things. Another item is warning the
employees/users that the network is, OR MAY BE monitored at any (or all)
time, and that violation of company policies will have consequences.
Training, too.
True - we don't do as much training as we might, but the general class
of users we have can make rational decisions about violating the well
known policies and the possible consequences. But for the O/P trying to
order frilly knickers, we have systems in the employee break areas
that are completely isolated from the company network. They have
enough software on them to allow our users to do such things, and
they have a "guest" account for this purpose. When the user logs out,
part of the .logout script clears the cache files and /home/guest/
directory. The systems are running a Linux distribution, "guest" is
just an ordinary user whose shell is rbash. Remember the 'cd' command
to change directories? This shell doesn't have one, and doesn't
accept a directory separator character in any command.
Difficult to quantify though! Do you know of any work that attempts to
explain the cost/benefit of pre-emptive security?
Ask your legal staff. I suspect they know of the benefits.
I don't disagree, but I didn't get the opinion that the O/P was IT.
For certain, the O/P was quite clueless about this newsgroup, and
failed to even try using a search engine to see what past postings
in the group referred to.
Fair point. My assumption was based on the fact that most of the
contractors *I* know, work in IT but that's probably more to do with the
environment *I* work in. There was also the assumption that the OP had
admin rights in order to install the client software or Java, assuming
it was necessary to have admin rights!
We're an R&D facility, so most of our contractors are in the support
areas - building maintenance, the cafeteria, stores, and the like.
At other divisions, there are contractors in the admin areas, and to
some extent in the general technical fields. One exception is that
we have contractor techs doing general computer maintenance, and
software installs.
How many companies are stupid enough to be running windoze in the
out-of-box configuration, with the users whining all the time that they
need to be admin in order to do anything useful? How many of them
are using Internet Explorer for their Internet activities (and just
about everything else) because that's the only piece of software they
"learned" - which in itself is probably an overstatement.
We're a *nix shop, and the user accounts don't have the capability to
alter the system. That makes it harder to set up, but then you don't
have to worry about the user trashing the system - the only thing they
can trash is their own account, and peer pressure makes sure they don't
do that very often. About 4 or 5 percent of our people have a
mechanism to do _some_ admin stuff
[compton ~]$ whatis su sudo
su (1) - run a shell with substitute user and group IDs
sudo (8) - execute a command as another user
[compton ~]$
'su' is normally used to become another user (typically the admin
user 'root') while sudo can be configured to allow a specific user
to do a specific command - and in the paranoid companies, these
activities are logged - to a printer.
Old guy
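
The break-room kiosk cleanup described in the post, as an added example that is not part of the original post and not the poster's actual logout script: a shell function that empties the guest home directory at logout. The skeleton directory and the example paths are assumptions.

```shell
#!/bin/sh
# Added example: empty a kiosk "guest" home directory at logout.
# Assumption: installed as an admin-owned script on guest's PATH and called by
# name from the logout file, because a restricted shell cannot run commands
# containing "/" but does run scripts found on PATH without restrictions.

# wipe_guest_home HOME_DIR [SKEL_DIR]
# Deletes everything inside HOME_DIR, dotfiles and caches included, then
# restores pristine startup files from SKEL_DIR when one is given.
wipe_guest_home() {
    home=$1
    skel=${2:-}

    # Only accept an absolute path that is a real directory, not a symlink
    # that could point the wipe at some other tree.
    case $home in
        /*) ;;
        *) echo "refusing relative path: $home" >&2; return 1 ;;
    esac
    if [ -L "$home" ] || [ ! -d "$home" ]; then
        echo "refusing, not a real directory: $home" >&2
        return 1
    fi

    # Resolve to the physical path and never operate on the root directory.
    real=$(cd "$home" && pwd -P) || return 1
    if [ "$real" = "/" ]; then
        echo "refusing to wipe /" >&2
        return 1
    fi

    # -mindepth 1 keeps the directory itself. find does not follow symlinks
    # by default, so a link left by the guest is removed, not its target.
    # -xdev keeps find from descending into other mounted filesystems.
    find "$real" -mindepth 1 -xdev -delete || return 1

    # Put back the admin-maintained startup files (hypothetical skeleton dir).
    if [ -n "$skel" ] && [ -d "$skel" ]; then
        cp -R "$skel"/. "$real"/ || return 1
    fi
    return 0
}

# Example call (paths are assumptions; the post only names /home/guest/):
#   wipe_guest_home /home/guest /etc/skel.guest
```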