Sorry, got off topic.
I completely agree that users with assigned machines and email need to be able to filter within their mail clients. That needs to be part of the standard group policy.
Although, one place a friend does contract work for might actually justify locking down email.
They hired him to clean up their in-house exchange server, which had topped out for storage unexpectedly.
Apparently, employees at the place were either downloading movies and TV shows at work, or bringing them in on thumb drives, dragging and dropping them into Excel files as embedded media to thwart the mail scanners, and emailing them to each other. They also apparently didn't understand the difference between "Reply" and "Reply All". So they ended up with hundreds of copies of Avatar and Game of Thrones episodes clogging up the mail server, and everyone was bitching about how slow sending and receiving email was.
I think a situation like that could justify enforcing simple, text-only emails and turning off any extra features in the mail client, unless you feel okay with firing maybe 20% of the employees, possibly more. Although inbox filtering could probably be left functional.
Wow, that's a creative workaround.
Since I work in a cubicle farm environment I am surprised I haven't seen that, but then again the Exchange admins here are very on the ball.
Until my current application support position, even though I was a sysadmin, none of us had admin rights to our workstations/laptops. Any software we need is available via an install tool that elevates rights just for the install, and if there is some custom tool we can request, say, 4 days of admin rights to install it. Any server work is done with a second account, and "remote tools" are run via Remote Desktop to a bog-standard Windows terminal server (local to the data center, which worked way faster than running that stuff from our desktops) if we are not logging onto the server itself anyway. I never really missed having local admin, as it turned out we really did not need it, and from a security point of view that cuts out a big vector for stuff to get to the servers.
Of course, now I support some developer tools and I have to make registry changes on the fly, and the dumb tool isn't smart-card aware yet, so I am back to admin rights and passwords, but I still have to request that at regular intervals.
It's control-freaky with no interest in the consequences for the business. Here's standard operating procedure for most large financial firms now.
Prohibit:
USB drives
document sharing sites
personal email
large email attachments, or any attachments other than .doc or .xls
installing software
Yet they still expect consultants to produce code and deliverables, with no way to get them on or off the crippled laptops (although we all have secrets that I won't share). Meaning that 40 hours of real work takes 200 or more.
Those are all reasonable restrictions, maybe aside from installing software (for developers), provided there are testing servers and an internal DMS repository. I'd screen out those .doc and .xls attachments too; adding ".julynewversion_by_fred." to the name of a revised file before hitting Reply All is not version control.
They may be reasonable for internal users. When you have a new system that is customized using components that are packaged as zips and provide no way to move them from environment to environment (can't USB, email, FTP, upload, etc.), then you have an issue. In the same way, when you hire a $200-an-hour consultant to configure a system that uses Java applets for that configuration, but then take a month and a half to go through the process of enabling Java on his or her laptop, then you may have some broken procedures.
The issue is that the people making and enforcing these rules have no responsibility for the ongoing continuation of the business, and those always need to be balanced. The most secure system is one that is not attached to the network, but then that is also a system that doesn't do anything outside its own bubble.
I basically have no idea what this person is talking about. Presumably, he's addressing some target audience I have never been a part of. Just use filters or something, dude. I dunno.
Why just gaming? What about an internet browsing machine, general use machine, PDF reading machine…? Aren't games comparatively safe?
I for one am in favor of having small dedicated secured-to-the-point-of-unusability machines for banking (and other rare use of highly important "red data") and nothing else, but that's about it. With Raspberry Pi and other computers in the $35-a-pop class it is even an affordable solution.
Or just use VMs. No, they won't help if some Neal Stephenson supervillain is specifically targeting you, but in that event you've got bigger problems to worry about. At least you won't be on your banking site using the same image that has all your drive-by porn malware on it.
Actually, the prevailing vector for malware is the ad networks. "Legitimate", "safe" pages can be and are infected that way easily. Porn is safe in comparison.
An adblocker set to kill may be a pretty good antimalware.
Most malware is taken care of with NoScript anyway. And anyone who lets random strangers run arbitrary bits of code on their silicon is asking for trouble. It's not like there are internet police… And it's not like a firewall will save you from running code your machine specifically asks for.
"You need to have JavaScript and cookies enabled to view this site properly." No I don't. I can view the site perfectly well with HTML and my eyeballs. What all those messages really mean is "we can't make money if you don't let random strangers control your computer."
The beautiful thing about NoScript is that I can very selectively allow scripting. So on Twitter, I only allow https://twitter.com to run scripts. Twitter works just fine if I decline downloading and running whatever the analytics and ad networks feel they have a right to run on my machine.
And if a site still refuses to load when I enable its domain, then it's not worth it anyway.
Is it elitist to wear a condom?
ETA: Know the score. I'm not Twitter's customer. I'm Twitter's product. And I don't like being exploited, so as long as Twitter doesn't stop me, I'm going to use its services without giving it anything but the text and metadata of my tweets. Good luck finding my location. A good VPN works wonders for your information hygiene.
According to several sources, the VPN provider I use is very good. It's actually pretty expensive as far as VPNs go, but I think it's worth it.
And the reason I use Twitter is because it makes my life easier, and because it's a huge, dishonest, amoral corporation I don't feel bad about ripping off. If they block people who don't allow third-party scripts, then I'll just stop using it.
I used to know some people who worked for ad networks like Quantserve and DoubleClick. The shit those companies do is outrageous. If you aren't blocking scripting then identity thieves don't need to steal your identity from you. The dossier Quantserve compiles on you is plenty if someone wanted to use it to get a mortgage or buy a car in your name. They collect so much identifying data that they probably rival the NSA, if not completely beat its ass at espionage.
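As an added illustration of the per-origin script allow described in the NoScript and ad-network comments above (example code written for this thread, not NoScript's or any blocker's own logic; the allowlist and the sample script URLs are constructed), this audits which scripts a page would be permitted to run when only the first-party origin is allowed:

```javascript
// Added example: a minimal "only this origin may run scripts" policy, in the
// spirit of allowing https://twitter.com and nothing else. The allowlist and
// the sample page/script URLs below are constructed for illustration.
const ALLOWLIST = new Set(["https://twitter.com"]);

// A URL's origin is scheme + host (+ explicit port); http: and https: on the
// same host are different origins, which is exactly how the browser sees it.
function originOf(url) {
  return new URL(url).origin;
}

// Decide whether one script may run on a page. Only scripts served from an
// allowlisted origin run; "reason" is kept so the decision can be logged.
function scriptDecision(pageUrl, scriptUrl, allowlist = ALLOWLIST) {
  const page = originOf(pageUrl);
  const script = originOf(scriptUrl);
  const party = script === page ? "same-origin" : "cross-origin";
  if (allowlist.has(script)) {
    return { allow: true, reason: `${party}, allowlisted` };
  }
  return { allow: false, reason: `${party}, not allowlisted` };
}

// Apply the policy to every script a page tries to load and return a report.
function auditPage(pageUrl, scriptUrls, allowlist = ALLOWLIST) {
  return scriptUrls.map((u) => ({ script: u, ...scriptDecision(pageUrl, u, allowlist) }));
}

// Constructed sample of what a page might try to load: one first-party
// script, two third-party tracker/ad hosts, and a same-host http: script.
const SAMPLE_PAGE = "https://twitter.com/home";
const SAMPLE_SCRIPTS = [
  "https://twitter.com/static/app.js",
  "https://analytics.example-tracker.test/collect.js",
  "https://ads.example-adnetwork.test/serve.js",
  "http://twitter.com/legacy.js",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditPage(SAMPLE_PAGE, SAMPLE_SCRIPTS)) {
    console.log(`${r.allow ? "ALLOW" : "BLOCK"} ${r.script} (${r.reason})`);
  }
}
```

Only the first script is allowed; the tracker, the ad host, and the plain-http copy of the site's own script are all refused, which is the behaviour the comment above relies on.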
Don't look at me. I run uBlock Origin and Privacy Badger in my copy of Firefox. I also go into about:config and turn off a few things. Don't forget my day job!