Has Corporate Info Security Gotten Out of Hand?

Cliff posted more than 8 years ago | from the proper-security-is-like-walking-on-monowire dept.

Security 466

KoshClassic asks: "What is the right balance between security and productivity, in the corporate IT environment? Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software. Today, my company's proxy server blocks access to 'bad' web sites (such as Google Groups); our 'antivirus' software prevents our machines (even machines that host production applications) from carrying out legitimate functions, such as the sending of email via SMTP; and individual employees are forced to apply security patches with little or no notice, under threat of their machines losing network access, if they do not comply by the deadline. On one hand, you can never be too secure, however on the other hand, have we become so secure that we're stifling our own ability to get things done? What is the situation like at other companies?"

466 comments

Management? (5, Interesting)

Tadrith (557354) | more than 8 years ago | (#14505614)

The only real problem is overzealous proxy servers, which can be tough to configure, but should have a whitelist of some sort... the rest of the problems mentioned are problems that have solutions. There are plenty of corporate-level antivirus solutions that will allow the control of virus scanning policies so that you could enable the sending of e-mail through SMTP. If it's corporate policy not to allow it, then it really isn't a computer problem, but a company policy problem. There are also plenty of options for keeping up on patches that would relieve the users of this responsibility. Even in the case of Windows, Microsoft distributes a free "private" version of Windows Update, called Windows Server Update Services [microsoft.com] that can be deployed on a network. This version allows you to choose when and how which patches are distributed; all you have to do is point your computers to the server. Assuming you are running a Windows network, the settings for the Windows Update can be deployed via Group Policy without ever having to visit a workstation. Workstations can be scheduled to update themselves without taking control away from the IT department in regards to which patches they want installed.

Most of that was assuming you are running a Windows-based network. I am not as familiar with Linux software, but I know that similar services are available for Linux as well. In my experience managing network environments, most of this has never been a major problem. It seems to me that the network environment doesn't suffer from too much security, but that the existing security needs to be better managed so that it doesn't prove detrimental to the productivity of the employees.

Re:Management? (1)

CDMA_Demo (841347) | more than 8 years ago | (#14505894)



"In my experience managing network environments, most of this has never been a major problem. It seems to me that the network environment doesn't suffer from too much security, but that the existing security needs to be better managed so that it doesn't prove detrimental to the productivity of the employees."

Security is a moving target. What you meant by security 10 years ago and what you mean today is different in many ways. A better way to talk about security is: Security from BLAH where BLAH is something you discovered after a recent outbreak of Windows worms.

Re:Management? (0)

Anonymous Coward | more than 8 years ago | (#14505904)

Yes, things were different before. Things are NOT out of hand, people are just getting smarter. Viruses send out of port 25 (SMTP) to spread to others today, so corporations had to close this down to prevent this from happening. Web content filters stop things like spyware that break insecure browsers, or convince uneducated users to install crap on corporate machines. Corporations aren't doing too much, but in most situations they aren't doing enough. Although, where you are right is where some corporations have no clue what to do, and go too far or implement controls improperly. Having basic users attempt to keep their own machines secure can make things far worse. However, the bottom line is: you can lock people down and make a few employees unhappy, or you can keep yourself open, and then go to this web site:

http://your.company.justgotowned.com/ [justgotowned.com] ;)

Re:Management? (2, Insightful)

246o1 (914193) | more than 8 years ago | (#14505921)

"There are plenty of corporate-level antivirus solutions that will allow the control of virus scanning policies so that you could enable the sending of e-mail through SMTP. If it's corporate policy not to allow it, then it really isn't a computer problem, but a company policy problem."

Well, it seems to me that the question is really about whether corporate security policies have gotten out of hand, not about the technology itself (though a key feature of any technology, as any Mac user will be glad to lecture you about, is its usability/implementation). On this question, I can't speak much from my own personal experiences (never worked at a big corporation), but anecdotally there does seem to be a certain amount of paranoia in corporate environments beyond what is called for.

I believe that many "security measures" are actually implemented more broadly than necessary because the side effects (lessened ability to use the internet, etc.) are mostly seen as good by the people who make decisions. In business, the further the chain of underlings between the decision-maker and the regular employee, the less likely they will just trust you (the employee) to do your job and the more likely they will impose restrictions to ensure you can't visit slashdot/fark/apple.com etc.

"It seems to me that the network environment doesn't suffer from too much security, but that the existing security needs to be better managed so that it doesn't prove detrimental to the productivity of the employees."

I think this is true (again, not from direct personal experience, so take this with plenty of salt), but part of it is due to a lack of understanding of network/security technology by many decision makers. If you are unsure about anything, and there's tons of money and/or your job riding on it, you err on the side of caution, regardless of inconveniences to your employees. Even in my very relaxed work environment, a great deal of our internet functionality has been taken away for little apparent reason.

Of course, even if all the security decisions were left to the IT people (never interfered with by less expert management types), there would still be plenty of problems for any company-wide network solutions. I look forward to hearing about what people think would be ideal (this being slashdot, there will be some good, specific answers somewhere in this thread).

Technology (3, Insightful)

biocute (936687) | more than 8 years ago | (#14505619)

I think overall mankind's productivity has increased thanks to the technology. I can't say if the IT world would be more convenient if 95% of us were using Linux.

It's like when cars were first introduced, there were no speed limits, cars were hardly locked and tyres were hardly treaded...

As cars became more common, more people died in car accidents, so you can't drive too fast anymore, must wear seatbelts and cannot drive drunk.

As car thefts become a norm, we must lock our cars, when that's not enough, we need to put on the steering lock, alarm, then immobilizer, and now the security datadot. However, I think overall we do benefit from the introduction of vehicles.

Re:Technology (0)

Anonymous Coward | more than 8 years ago | (#14505664)

I thought that when cars were first introduced everyone was extremely cautious, making people walk in front of their cars with flags and horns as a warning (well, in the UK at least).

Re:Technology (3, Insightful)

eobanb (823187) | more than 8 years ago | (#14505675)

The issue is not with the equivalent of locking your car. The issue is draconian policies like arbitrary blocking of sites like Google Groups. Therefore, I feel that your analogy isn't right for the article in that it assumes that "well there are good and bad things about computers, but the good outweighs the bad." No one's arguing that point. Instead it's more like, "well there are good and bad security policies. At what point does it become simply stupid?"

Re:Technology (5, Informative)

CleverFox (85783) | more than 8 years ago | (#14505773)

Being in corporate IT security at a large corporation, I can tell you why Google Groups are blocked. If I am looking at porn on alt.binaries.erotica and a female co-worker walks up behind me she could sue for sexual harassment and say the company did not take adequate measures to prevent this situation. Basically they fear a lawsuit.

Re:Technology (1)

Rotund Prickpull (818980) | more than 8 years ago | (#14505850)

If you're not an idiot, post a link to porn on google groups.

Re:Technology (2, Interesting)

pete6677 (681676) | more than 8 years ago | (#14505858)

What if you were sitting at your desk "reading" a Penthouse instead? Or looking at porn pictures on your computer that you brought in on a flash drive? Where would the company's liability end? I'd say firing an employee that generated complaints by looking at porn in the office would be adequate.

Not a problem with technology. (0, Troll)

CyricZ (887944) | more than 8 years ago | (#14505906)

That's not a problem with technology. That's a problem with a legal system that's feeble against protecting free speech and free expression.

So what if you're looking at hardcore pornography at work? It's of no concern to any coworker of yours who might happen to notice while he or she is walking. Of course, your manager may get angry at you for wasting company time. But nothing about the act of you looking at midgets sucking on horse cock, for instance, is truly harmful to anyone.

Re:Technology (2, Insightful)

Kyosuke77 (783293) | more than 8 years ago | (#14505810)

But then the question is do they have legitimate reasons for doing things like browsing Google Groups? A friend of mine works for RBC Royal Bank as a personal banking manager. Their network is so restricted, he can't access Hotmail.

Yet why does he need to access Hotmail from his work computer? Besides, he can just access it from his Treo, on which he has an unlimited data plan. I don't see that as onerous security, and neither does he. They're a bank for goodness sake! They have very good reasons for locking their network down tight as a drum and restricting both what goes out and comes in. Good reasons like keeping their customers' financial information safe.

Re:Technology (0, Troll)

glowworm (880177) | more than 8 years ago | (#14505866)

"The issue is draconian policies like arbitrary blocking of sites like Google Groups."

How can blocking Google Groups be seen as draconian? They have no place in a responsible workplace. They are only filled with warez requests, AOL Me Toos, kiddie porn and hentai anyway. For example as part of my job monitoring proxy logs I have reported a few people for browsing incest stories on groups before we just blocked it outright.

Windows workstations are designed to be insecure and as a result they need "draconian" protection put in place to ensure things don't get out of hand. Windows is prone to viruses, spyware and hijacking into zombie networks, not only through email infestation but through people browsing to undesirable sites.

To protect your company it is very important to block these questionable sites to stop even one person inside the firewall catching something then spreading it to the rest of the net.

Why is SMTP blocked outgoing on most machines (or why *should* it be blocked)? Because its only use is to automatically spread viruses.

To the OP, put SNORT onto your network and look at what crappy traffic is actually flowing. For example at home I get close to 900 sober worm attempts per day on my ADSL connection from people at the same ISP.
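The egress policy argued over in the comments above (close outbound port 25 for ordinary machines while the mail relay and the production hosts that legitimately send mail stay allowed), as an added example that is not part of any poster's comment: a Python script that triages firewall log lines for tcp/25 and separates relayed mail, approved senders, one-off policy violations and worm-like fan-out. The log format, addresses, approved-sender list and fan-out threshold are all assumptions, and the sample log is constructed.

```python
"""Triage outbound SMTP (tcp/25) attempts in firewall logs (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample log; the "timestamp key=value ..." layout is an assumed format.
SAMPLE_LOG = """\
2006-01-18T09:00:01 action=allow proto=tcp src=10.1.5.20 dst=10.1.0.25 dport=25
2006-01-18T09:00:02 action=allow proto=tcp src=10.1.0.25 dst=203.0.113.10 dport=25
2006-01-18T09:00:03 action=allow proto=tcp src=10.1.9.40 dst=198.51.100.7 dport=25
2006-01-18T09:00:04 action=deny proto=tcp src=10.1.5.77 dst=192.0.2.1 dport=25
2006-01-18T09:00:04 action=deny proto=tcp src=10.1.5.77 dst=192.0.2.45 dport=25
2006-01-18T09:00:05 action=deny proto=tcp src=10.1.5.77 dst=198.51.100.99 dport=25
2006-01-18T09:00:05 action=deny proto=tcp src=10.1.5.77 dst=203.0.113.200 dport=25
2006-01-18T09:00:06 action=deny proto=tcp src=10.1.5.31 dst=198.51.100.7 dport=25
2006-01-18T09:00:07 action=allow proto=tcp src=10.1.5.31 dst=198.51.100.80 dport=80
2006-01-18T09:00:08 action=allow proto=tcp src=203.0.113.10 dst=10.1.0.25 dport=25
this line is truncated garbage src=
"""

REQUIRED = ("action", "proto", "src", "dst", "dport")


def parse_line(line):
    """Return a record dict, or None when the line is malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if any(key not in fields for key in REQUIRED):
        return None
    try:
        return {
            "ts": parts[0],
            "action": fields["action"],
            "proto": fields["proto"],
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]),
        }
    except ValueError:  # bad IP address or non-numeric port
        return None


def classify_smtp(log_text, internal_net, relays, approved_senders,
                  fanout_threshold=3):
    """Map each internal SMTP source to (verdict, distinct non-relay destinations).

    Denied attempts are counted too: with the block in place, the deny
    records are the evidence that a host is trying to send mail directly.
    Returns (verdicts, number_of_unparseable_lines).
    """
    net = ipaddress.ip_network(internal_net)
    relay_ips = {ipaddress.ip_address(r) for r in relays}
    # The relay itself must deliver to the outside, so it is implicitly approved.
    approved = relay_ips | {ipaddress.ip_address(a) for a in approved_senders}

    direct = defaultdict(set)  # src -> non-relay destinations tried on tcp/25
    seen = set()               # internal sources that attempted SMTP at all
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["proto"] != "tcp" or rec["dport"] != 25 or rec["src"] not in net:
            continue  # not outbound SMTP from an internal host
        seen.add(rec["src"])
        if rec["dst"] not in relay_ips:
            direct[rec["src"]].add(rec["dst"])

    verdicts = {}
    for src in sorted(seen):
        count = len(direct[src])
        if src in approved:
            verdict = "approved"               # relay or allow-listed app host
        elif count == 0:
            verdict = "via-relay"              # normal client behaviour
        elif count >= fanout_threshold:
            verdict = "suspected-mass-mailer"  # many distinct MTAs contacted
        else:
            verdict = "direct-unapproved"      # policy exception to review
        verdicts[str(src)] = (verdict, count)
    return verdicts, skipped


if __name__ == "__main__":
    results, bad = classify_smtp(SAMPLE_LOG, "10.1.0.0/16",
                                 relays=["10.1.0.25"],
                                 approved_senders=["10.1.9.40"])
    for host, (verdict, count) in results.items():
        print(f"{host:<12} {verdict:<22} direct_destinations={count}")
    print(f"unparseable lines: {bad}")
```

A host that lands in `direct-unapproved` with a single destination is the case the original question complains about: a machine with a possibly legitimate need to send mail that should either be pointed at the relay or added to the approved list, rather than simply left blocked.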

Re:Technology (4, Insightful)

Pig Hogger (10379) | more than 8 years ago | (#14505910)

"How can blocking Google Groups be seen as draconian? They have no place in a responsible workplace. They are only filled with warez requests, AOL Me Toos, kiddie porn and hentai anyway."

You must be one of those pointy-haired bosses to say that Google Groups ain't got no business at work.

Whenever I work as a sysadmin, 90% of the solutions I apply to problems come from Google Groups.

Re:Technology (0)

Anonymous Coward | more than 8 years ago | (#14505870)

Where it becomes overzealous is extremely hard to determine. It depends entirely on who is out to get you; remember, it is not paranoia if they all are really out to get you. Either way, security is not meant to be secure; it instead should either make it so that it is harder than the other guys and it would be more profitable for the thief to get that guy, or that it takes so long to do the damage that he wants that someone will notice what is happening and a person can deal with it. With the internet so close to everyone, potential attackers are so many that it would be easier to form an agrarian commune and try to convince everyone else to embrace your lifestyle. There are just so many people out there these days that they will find targets and you will find a shooter.

Re:Technology (1, Troll)

hackstraw (262471) | more than 8 years ago | (#14505890)

"I think overall mankind's productivity has increased thanks to the technology. I can't say if the IT world would be more convenient if 95% of us were using Linux."

I believe that CAD, CAM, robots, genetic engineering of crops, and assembly lines have much more to do with it. Well, I guess all of those things are technology. I love Linux. It has more creature features than "real" unix OSes. FreeBSD 4.9's 'ls' still does "ls -ke
ls: illegal option -- e
usage: ls [-ABCFGHLPRTWabcdfghiklnoqrstu1] [file ...]"

Thanks for reciting the alphabet for me, it only took 4 tries to find an illegal flag.

"As car thefts become a norm, we must lock our cars, when that's not enough, we need to put on the steering lock, alarm, then immobilizer, and now the security datadot. However, I think overall we do benefit from the introduction of vehicles."

It's much easier to drive a car nobody wants to steal and leave the key in the ignition. I did it for years.

If corporate security is anything like the government security that I'm familiar with, it's all a joke.

Password rules and changes are a joke. I never even use funky characters or upper case. If I can't type my password with one hand, it's too much. I have had probably thousands of brute force ssh attacks with many users that I have no password rules on, and never had a breakin. Breakins happen primarily from buffer overflows (I have not had one, yet).

I work at a government research facility and the security is a joke. They relaxed the RFID locks on the doors so that you do not have to scan out. I believe it's more suspicious to not be able to get out of a building than in. Especially if they have bags and junk on them. People politely open the door for people. Windows boxes still get owned. All the same crap.

I thought about this today. People are scared and lock their doors at home (I don't) and their car doors, but they are too stupid to buy a gun to defend themselves, their family, and their property.

They practically walk naked down the street, but armor up in their car. A guy I work with just got a new car, and I said that I wanted to steal it, and he said I couldn't because of all of the alarms and whatever gizmos were installed. I said that I could clock him and be off in 20 seconds. He didn't want to try me on that.

If you look on the net, it's almost scary what you can buy. Cell phone records, boat purchases, aircraft purchases, address lookups, real estate purchases, basically anything. When I saw the boats and aircraft, I thought about trying to pick their pockets for something. Any ideas?

It's all possible... (5, Informative)

jabella (91754) | more than 8 years ago | (#14505622)

Security, like most things, is a balancing act. Being able to manage the 'pain vs. protection' factor is the key to all of it, and unfortunately no tools seem to have the sliding adjustment with those options on it.

Ideally security will allow everything that's vital while not stepping on any services that are required. With most companies, what is 'required' ends up being pared down as the security net gets closed down tighter.

Nostalgia is one thing -- how many of us worked on systems that had telnet / ftp open to the outside without a firewall? I know I did back in the day. When management is behind security initiatives, being able to work on the business issues ("No, we CAN'T disable FTP!") becomes less of a problem.

Regarding individual workstations -- putting the burden on end-users doesn't seem to be a common (thankfully) configuration in the companies I've seen. Most larger places are doing automated patch management and deployment now. I know quite a few places where every single system (desktop and production) is patched within a 15 day window. While it's not bleeding edge, this relatively fast schedule combined with the concept of 'defense in depth' goes a long way to preventing issues. I know places that haven't lost a machine to a virus in YEARS.

Security that's preventing legitimate work from being done needs to be adjusted. All of the problems you've mentioned are fixable.

Security is Good on Paper (5, Insightful)

Alaren (682568) | more than 8 years ago | (#14505720)

I agree with most of what you've said, but there are two major problems:

The first is with the "appearance of security." Oftentimes management will hand down edicts based on something they've heard or read or even something a customer (when doing business with other businesses) has demanded. They may not understand why or how the security measure is preventing legitimate work from getting done. All they care about is that they can say "we have security measure X in place." In some cases they do understand that the problem hurts legitimate work, but believe for whatever reason that employees can/should adjust accordingly.

Second, security is often used as an excuse for "enabling workers through managed limitation of potential distractions." Increasingly, employers are concerned that one of their employees might not be thinking about work every second of every day. This stems from an unfortunate misunderstanding of the bounties technology has brought us. Instead of thinking (as they should) "I pay Joe to accomplish X task," they think, "I have purchased Joe for X hours." Hours are good, they think, because hours are quantifiable, but it makes more sense (especially in the tech industry) to tell people: this is your task. I don't care what you do between now and next month, so long as your task gets accomplished.

Maybe that's too utopian of me? I guess I just have a problem with a society that is increasingly able to accomplish great things in short periods of time insisting that the extra time must be filled only with more drudgery.

Re:Security is Good on Paper (2, Insightful)

jabella (91754) | more than 8 years ago | (#14505884)

Yes, security is most definitely being used as the stick to beat end-users down as far as 'distractions' go. I have had the fortunate experience to work for a company where the motto is:

"It's the result that matters."

If you spend time on slashdot or other forums during the day that's ok (and most definitely not filtered) -- but at the end of the month you have XYZ to get done. If you get it done by working nights / weekends that's your prerogative. Flexibility like this is one of the reasons why we've had zero turnover in my department in almost 5 years.

The tighter companies restrict internet usage and employee behavior, the less personally attached to the company (and their work) the people get, at least in my experience. Companies with fanatic employees can do great things. Companies with people that feel oppressed are just places to work.

The first problem you mentioned is what we always call 'management by magazine.' Some exec saw something on CNN / in a magazine / at his country club and wants to know why it's not being run. Thankfully most executives are averse to spending money -- and in this case it's usually a good way to end some of the ideas they bring to the table.

Speaking of the idea of 'having something just to have it' -- I think this is a problem that's being pushed along by things like SOX / PCI / CISP / and other compliance programs. "We're required to have intrusion detection" so people get out a checkbook and make rash decisions just to put a check in a column.

Re:Security is Good on Paper (4, Funny)

Pig Hogger (10379) | more than 8 years ago | (#14505923)

"Oftentimes management will hand down edicts based on something they've heard or read or even something a customer ... They may not understand why or how the security measure is preventing legitimate work from getting done."

That's because, in case you haven't noticed, management does not do any legitimate work.

Work somewhere else (1)

Scott Lockwood (218839) | more than 8 years ago | (#14505634)

When I run into such a seriously aclueistic situation, I point it out. Once. Then, I go work somewhere else if they don't get a clue.

Re:Work somewhere else (1)

smitty_one_each (243267) | more than 8 years ago | (#14505811)

You must have teh mad skillz to stay continuously employed, boss.
Me, I just printed out the proxy server settings, so that, when whichever asshatically configured server it is that can't cough up my roaming profile, I can at least get a browser to function somehow.
Uber-consultants can surf teh jobz, if they're that good. Most of us have to bite off the tongue and swallow the blood, as they used to say.

Re:Work somewhere else (1)

DevanJedi (892762) | more than 8 years ago | (#14505837)

You must change jobs quite often..

one time, for security's sake (4, Interesting)

yagu (721525) | more than 8 years ago | (#14505636)

One time for security's sake my office ethernet port was turned off by IT. Figuring it to be some outage I called support (hah!), and they looked up my IP address and said yes the port had been turned off because my machine had refused to accept recent XP updates.

Hmmm, but my machine is a linux machine! We're sorry, but until your machine accepts the updates we can't re-enable the port. I asked why I hadn't been notified -- they said ALL XP login scripts had been posting the notice for over a week, I had been given "plenty" of warning!

Hmmmm, but my machine is a linux machine! We're sorry, but until your machine accepts the updates we can't re-enable the port.

Fortunately I had a dual-boot, so I was able to comply.

But, ironic that one of their (in my opinion) least vulnerable machines on the network was mine.

(And, for the record, my assigned work had no specific XP requirement, and my responsibilities were heavily around Unix... so I wasn't in violation of any policy (such as they existed).)

Re:one time, for security's sake (4, Insightful)

badriram (699489) | more than 8 years ago | (#14505678)

Well if IT installed linux, well they should not be doing something that stupid. However if you decided to install Linux, and the IT folks maintain your computer, I would have to agree with them. Unless you work at a software company, developing apps, or a sys admin you are outta luck.

Re:one time, for security's sake (3, Insightful)

Vellmont (569020) | more than 8 years ago | (#14505783)

He said his responsibilities were heavily around Unix. I kinda doubt he's some low level secretary that wants to install linux for fun. Why not give him the benefit of the doubt and assume he's not in the wrong here?

I'm guessing the problem is one of compartmentalization. The IT department doesn't talk to the production department, and so doesn't know there's some people that are running linux and not XP. The standard drone-like response of "We're sorry, but until your machine accepts the updates we can't re-enable the port." really sounds to me like extreme compartmentalization.

Re:one time, for security's sake (1)

eobanb (823187) | more than 8 years ago | (#14505704)

Honestly, if I was you in that situation, I would have simply sat back and explained that you could not do any work, and that they are free to try and turn on Windows XP updating, but oh of course any system re-installation and thus potential loss of data would be their fault, not yours, at which point you launch a flurry of complaints to whoever is even higher up in the corporate chain of command.

Re:one time, for security's sake (1)

Kyosuke77 (783293) | more than 8 years ago | (#14505722)

Oddly enough, I'm going to be replying to your sig, but in this case it's actually rather on topic.

If enough virus writers made viruses for Linux security vulnerabilities frequently enough that it necessitated monthly or even bi-weekly kernel updates, would not the statement about Windows in your sig then apply to Linux?

Re:one time, for security's sake (1)

colinrichardday (768814) | more than 8 years ago | (#14505792)

But will the kernel ever be so insecure that virus writers could achieve such levels of exploitation? Remember, if Linux ever gets that popular, there will be more money for kernel development.

Re:one time, for security's sake (0)

Anonymous Coward | more than 8 years ago | (#14505807)

No [ibm.com]

Out of curiosity, when will the wintendo crowd realize that there's plenty of people attacking Linux every day? Don't be upset just because Windows yields better results for their effort.

Re:one time, for security's sake (1)

KiloByte (825081) | more than 8 years ago | (#14505815)

Totally wrong. One of the major flaws in Windows is that you can't replace any file that is currently open, and since the major system libs are not modular, nearly any patch issued by Microsoft requires a reboot.

On any Unix system, you can update anything except for the running kernel (actually, you can replace it on the disk but can't reload it). In the case of Hurd, you can update even it.

Since security updates to the kernel itself are pretty rare, you don't need to make almost any reboots. This enables you to have impressive uptimes and stay secure.
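An added example, not part of the comment above or of any project's code: on Linux a library that is replaced on disk stays mapped by processes that already had it open, and the kernel marks such mappings with a ` (deleted)` suffix in `/proc/<pid>/maps`. This sketch lists processes still executing pre-patch library code; the sample maps text, PIDs and paths are constructed for illustration.

```python
import os

DELETED_SUFFIX = " (deleted)"

# Constructed sample: /proc/<pid>/maps text for two hypothetical processes,
# as it might look after a crypto library package was upgraded in place.
SAMPLE_MAPS = {
    812: (
        "55d0c0a00000-55d0c0ab0000 r-xp 00000000 08:01 393301 /usr/sbin/sshd\n"
        "7f2c1a000000-7f2c1a1c0000 r-xp 00000000 08:01 1312345 /usr/lib/libcrypto.so.1.1 (deleted)\n"
        "7f2c1a1c0000-7f2c1a1d0000 r--p 001c0000 08:01 1312345 /usr/lib/libcrypto.so.1.1 (deleted)\n"
        "7f2c1a400000-7f2c1a420000 r-xp 00000000 08:01 1312400 /usr/lib/libz.so.1\n"
        "7f2c1a800000-7f2c1a821000 rw-p 00000000 00:00 0\n"
        "7ffd3b1e0000-7ffd3b201000 rw-p 00000000 00:00 0 [stack]\n"
    ),
    1440: (
        "5610aa000000-5610aa050000 r-xp 00000000 08:01 393999 /usr/bin/cron\n"
        "7f9900000000-7f99001c0000 r-xp 00000000 08:01 1400001 /usr/lib/libcrypto.so.1.1\n"
        "7f9900400000-7f9900410000 rw-s 00000000 08:01 2200010 /tmp/cron.lock (deleted)\n"
    ),
}


def stale_mappings(maps_text):
    """Return sorted paths of executable file mappings whose file was replaced or unlinked."""
    stale = set()
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode [pathname]; pathname may contain spaces.
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping without a pathname
        _addr, perms, _offset, _dev, inode, path = fields
        if inode == "0" or not path.startswith("/") or path.startswith("/memfd:"):
            continue  # [heap], [stack], [vdso], memfd regions
        if "x" not in perms:
            continue  # only code that can still be executed matters here
        if path.endswith(DELETED_SUFFIX):
            stale.add(path[: -len(DELETED_SUFFIX)])
    return sorted(stale)


def needs_restart(maps_by_pid):
    """Map pid -> stale library paths, for processes that still run old code."""
    report = {}
    for pid, text in maps_by_pid.items():
        stale = stale_mappings(text)
        if stale:
            report[pid] = stale
    return report


def scan_live(proc_root="/proc"):
    """Run the same check against the local /proc (needs root to see every process)."""
    maps_by_pid = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as handle:
                maps_by_pid[int(entry)] = handle.read()
        except OSError:
            continue  # process exited or access denied
    return needs_restart(maps_by_pid)


if __name__ == "__main__":
    for pid, libs in needs_restart(SAMPLE_MAPS).items():
        print(pid, "still maps replaced files:", ", ".join(libs))
```

A process listed here keeps running the unpatched code until that service is restarted, so the check belongs after every library update even when no reboot is needed.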

Re:one time, for security's sake (1)

rtb61 (674572) | more than 8 years ago | (#14505827)

To answer your linux question, if cyber terrorists were able to gain hold of the windows and internet explorer source code, would they be able to continually target and take over every windows box connected to the internet and be able to wreak financial havoc on businesses around the globe (microsoft itself acknowledged it was an extreme security risk)? If thens work in computer programming, don't become stuck on possible failures when trying to avoid a known failure, windows security.

Re:one time, for security's sake (1)

rblancarte (213492) | more than 8 years ago | (#14505845)

Maybe, maybe not. But I don't think so. Consider that MOST patches with Windows (any version) call for a reboot, thus downtime just happened. Many patches in Linux don't require the system to be brought down. Sure, you might need to bring down a service or two, but that would leave the system still up to fill other requests.

RonB

Re:one time, for security's sake (1)

Kyosuke77 (783293) | more than 8 years ago | (#14505899)

Well, my question was more hypothetical than anything. I was talking about kernel updates, though, which I know for a fact always require reboots on Linux. The way I see it, Windows is under constant security siege, and I was posing the question that if Linux's security were under that same siege, so that monthly kernel updates were necessary for safe operation, would it not then need reboots that frequently as well?

Re:one time, for security's sake (5, Insightful)

Thuktun (221615) | more than 8 years ago | (#14505761)

Hmmm, but my machine is a linux machine! [...] Hmmmm, but my machine is a linux machine! [...] Fortunately I had a dual-boot, so I was able to comply.

Yeah, weird that they might want a machine running Windows XP to be updated. You might have Linux on the machine, but you also had Windows XP, and it sounds like it was missing security patches.

And, for the record, my assigned work had no specific XP requirement, and my responsibilities were heavily around Unix.

And you apparently had a machine with Windows XP missing some (possibly significant) security patches sitting on their network.

I fail to see how this was stupid of the network admins. Draconian maybe, but it got you to apply the security patches.

Why it's stupid (4, Insightful)

Gorimek (61128) | more than 8 years ago | (#14505880)

The stupid part of the story (as told by the poster) is that these IT "professionals" didn't seem to understand that Linux is incompatible with XP.

Why are people who don't comprehend - or can't communicate - this employed in an IT organization??

Had they just explained things the way you explain them in your post, there would be no problem.

Re:one time, for security's sake (0)

Anonymous Coward | more than 8 years ago | (#14505794)

I think their behaviour is reasonable in this case - since you actually weren't running *just* a linux box, but a dual-boot. Your claim that it is a linux box is "the truth, but not the whole truth".

It sounds to me like you just hate them and want to prove them wrong - probably because they're so Microsoft focused and you hate Microsoft and hate feeling like you're being ignored or somehow left out.

However, I can't help but wonder how they expected you to know if you don't boot into XP very often and that's the only way they communicated the issue, plus how do you update your system when the port isn't enabled...

Re:one time, for security's sake (0)

Anonymous Coward | more than 8 years ago | (#14505805)

Could it be that they knew you had a Windows XP system on that network port from time to time?

They were right. (4, Insightful)

lheal (86013) | more than 8 years ago | (#14505843)

You should have simply rebooted to the XP side and run the updates. If you want the luxury of a dual-boot system, you should be willing to maintain both halves.

My policy for dual-boot machines is this: No. You can have two machines. I'll get you two monitors you can use dual-head on each machine, a KVM, your own switch, and I'll even clean the goo off your keyboard. But I won't manage a dual boot machine, and I don't want them on my network.

Why?

  • One side is always down, meaning network monitors need special work
  • Either both sides share one IP address, or each gets its own. Either figure out which one is running, or figure out which address to use.
  • It requires physical intervention (or extraordinary hacks) to reboot remotely to the other OS
  • I can't just wax the whole thing if something goes wrong
  • Rebooting implies root access for whoever is around
  • In short, they're a PITA

Seems pretty reasonable to me... (3, Insightful)

heatdeath (217147) | more than 8 years ago | (#14505637)

individual employees are forced to apply security patches with little or no notice, under threat of their machines loosing network access

I don't think this is unreasonable at all. What's the downside of enforcing a little rigor in your employees, when the alternative is having your entire corporate network become a zombie farm overnight controlled by a mob boss in Russia named Vladimir?

Re:Seems pretty reasonable to me... (0)

Anonymous Coward | more than 8 years ago | (#14505684)

If a patch breaks your machine, you would understand.

Re:Seems pretty reasonable to me... (1)

blincoln (592401) | more than 8 years ago | (#14505862)

If a patch breaks your machine, you would understand.

Breaking a single machine, or even a single application on all machines, is a lot less of a problem than EVERY machine being rendered unusable by an exploited vulnerability.

Right now I am testing an SMS install of Office 2000 SP3 with the MS06-003 patch. It's going out to thousands of desktops that are still running outdated versions of Office. Will it break something somewhere? Probably. But that's a lot less of a concern than all ten thousand of those machines turning into automated network doomsday devices if their users receive an email based on the MS06-003 vulnerability.

Re:Seems pretty reasonable to me... (1)

networkBoy (774728) | more than 8 years ago | (#14505846)

About your sig,
I used it as the OGM for my phone and you would not believe the number of hangups I got!
-nB

Speak for yourself... (4, Interesting)

MicroBerto (91055) | more than 8 years ago | (#14505640)

What "we"?? The company I work at does none of those things, and the network runs almost perfectly. There is a balance.

But also realize how much the worms of 2003 and 2004 cost corporations. I saw it first hand when working in a plant, and it was seriously disastrous. I can understand why they don't want that to happen again.

If surfing "bad" sites is THAT important to you, perhaps it's time to get your resume out to a company that trusts its employees more. Or quit complaining to a bunch of slashdotters and present a true solution that benefits everyone. There are ways to have both security and usability.

Re:Speak for yourself... (1)

eobanb (823187) | more than 8 years ago | (#14505724)

What "we"?? The company I work at does none of those things, and the network runs almost perfectly. There is a balance.

Sure there's a balance. Don't rely on Windows. It's quite simple. No draconian security policy needed (blocking Google Groups? Whiskey Tango Foxtrot?), AND there's but a minuscule risk of malware infection.

Re:Speak for yourself... (1)

Vellmont (569020) | more than 8 years ago | (#14505726)


If surfing "bad" sites is THAT important to you, perhaps it's time to get your resume out to a company that trusts its employees more.

How do you know he's not about to do exactly that, but first wants to know if the draconian security policies are the norm and not the exception?

Or quit complaining to a bunch of slashdotters and present a true solution that benefits everyone. There are ways to have both security and usability.

And why isn't asking for help from peers a good way of trying to find that exact solution? Where you hear complaints, I hear asking for help. I'm getting pretty tired of the standard "you loser, why are you asking us?" response to any Ask Slashdot post.

Re:Speak for yourself... (1)

TubeSteak (669689) | more than 8 years ago | (#14505770)

Yea, he should polish his resume, but how many /.'ers download (or used to) MP3s, movies, warez, etc over their corporate connection because they don't/didn't have a high-speed connection at home?

For some companies, it is cheaper to just lock down the network and reduce efficiency, than it is to have to spend $$$$ on playing whack-a-mole with computer problems as they show up. Or to deal with bandwidth issues because someone is leeching like crazy over the company connection.

Sorry... (4, Funny)

Necrotica (241109) | more than 8 years ago | (#14505648)

What is the situation like at other companies?

I'd love to tell you but that would be a breach of security.

My experience is the opposite (2, Interesting)

brokeninside (34168) | more than 8 years ago | (#14505658)

Everywhere I've worked seven to ten years ago (1995-1999) made IT workers who wanted Internet access sign special forms that had to be okayed by three levels of management before Internet access was granted. And once granted, it was heavily monitored.

Four to seven years ago (2000-2002) getting Infobahn access was far easier, but most companies still required that you use their proxy so that they could monitor who visited which sites and who spent more time posting to /. than checking code into CVS.

But lately, Internet is usually just taken for granted. At most you have to worry about firewalls that don't let ports other than the standard http and https ports in or out. And that is fairly easy to bypass by anyone with a home machine.

No. (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14505662)

Software insecurity has gotten out of hand, and this is roughly what corporations must do in order to keep from getting pwnt too often.

You need better sysadmins (2)

scarpa (105251) | more than 8 years ago | (#14505667)

- Google Groups doesn't sound like a business website. That's "bad" from a management perspective.

- SMTP blocking would not be needed if users didn't keep clicking on emails from the "FBI", "CIA", etc. Besides that, it's easy to configure an AV policy to exempt legitimate SMTP usage.

- Updates can and should be applied automatically and without user intervention. If a reboot is required a nightly shutdown policy will suffice.

I'd love to live in a happy land where all computers can be open and free but unfortunately malicious crackers, crappy programming and ignorant users have made that an impossibility these days.

Re:You need better sysadmins (1)

geekoid (135745) | more than 8 years ago | (#14505760)

and if you work for the "FBI" "CIA"?

Man "sorry boss, I couldn't check your email, it was from the FBI."
FBI Head honcho: "we ARE the FBI IDIOT!"
Assistant: "That's no way to talk to the president!"

Rimshot!

Re:You need better sysadmins (1)

Ph33r th3 g(O)at (592622) | more than 8 years ago | (#14505812)

- Google Groups doesn't sound like a business website. That's "bad" from a management perspective.

You're kidding, right? I've found more solutions to problems on Usenet than in all the search-engine-spamming "answers" sites put together.

Whose machine (0, Offtopic)

crack_vial (572312) | more than 8 years ago | (#14505668)

"under threat of their machines loosing network access" would be losing network access?

Google Groups? (1)

Adeptus_Luminati (634274) | more than 8 years ago | (#14505671)

Hmmm, maybe if you didn't filter out google groups you could actually find out what other companies are doing. That's like one of the #1 internet tools for troubleshooting everyday issues. Pop in an error message and out comes reams of articles with other users having the same issue and the fix to the problem. It's the best free knowledge base ever!
Adeptus

Re:Google Groups? (1)

Tony Hoyle (11698) | more than 8 years ago | (#14505757)

Was going to post something similar - Google Groups has saved my ass so many times I've lost count. If I worked at a company that blocked that I'd complain *very* loudly, then wait for the first deadline to be missed because we couldn't solve a problem...

(Not going to happen though, I've graduated to management these days & run things my way.. no proxies or filters.. if people wanna have a little fun then it's fine by me - happy employees are far more productive than work slaves).

Yes....and no (1)

Chanc_Gorkon (94133) | more than 8 years ago | (#14505672)

I think that there are too many companies who have people who just decide iTunes purchases and downloading of podcasts specifically through iTunes is not a good use of resources, yet we are an educational institution that can have VALID reasons for purchasing music and downloading podcasts. There's a programmer that creates...things that are put into our login scripts to kick off antiviral scans at every reboot, scan inventories and update records at every log in among other things. It's to the point that I never log into the network with my laptop (I just use the ethernet) so that my tools like VNC are still around when I need them. I have no power on what I have on my PC any more because someone thinks that X thing is "dangerous" to the network. This is what malware and Windows bugs have done to a great industry.

Personally (2, Interesting)

oh_the_humanity (883420) | more than 8 years ago | (#14505676)

Being a member of the IT dept. at a school district, I am glad our security policies are as stringent as they are, when you have a few thousand teenagers trying to download as much spyware and pr0n as possible. Now you may say most businesses don't have teenagers as employees, but even the teachers need to be protected from themselves because they don't know any better. What I'm getting at is, if he thinks it's hard to get stuff with his security policies, wait one week without them and see what he can do.

Local govt network admin here.... (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14505831)

I'm the network admin for a small city government and I have to fight hand, tooth and nail to keep acceptable security practices in place. My users, and the senior management also, are constantly trying to get me to basically negate the most essential security because they'd rather have more convenience and if something goes wrong, then they don't give a rat's patootie that I'll be the one getting punished. The users keep wanting full routability from their desktop to the public Internet without any firewall in place, the senior management wants me to place a bunch of unprotected Windows servers onto the raw Internet outside the firewall, everyone complains about spam, and then when they finally get me the funding to buy a Barracuda, they have me configure it to let over half the spam blaze right thru it anyway. Oh, and when anything bad happens because I was ordered to bore a hole thru what's left of my firewall to satisfy some clerk's need for more convenience to access some ftp site or whatever, it suddenly becomes my fault for allowing our network to become vulnerable. And here's the clincher... one of our own desktop support techs got caught using one of the cops' computers to download a bunch of porn, that somehow became my fault too even though I am not permitted to have any authority over the police dept network security or access controls.

It's tough when you are forced to bear all the responsibility, yet have no effective authority in matters of network security. I say give you network admins more power and authority... after all the company network (or govt org's network) is a business tool that was put in place for the purpose of conducting valid business, not for the users entertaining themselves on the Internet.

They need to be more strict. It's still too lax. (1, Informative)

Anonymous Coward | more than 8 years ago | (#14505680)

A couple years ago, right around May Day, we were nailed with the Sasser worm at work. It didn't take much for it to spread, and boy did it spread fast that weekend. Every XP box was hit, although the NT 4 Workstations and Servers didn't even burp. Thankfully we still had an NT box and a Solaris box handy while the chaos occurred. The 'Net just isn't safe anymore without proper protection, especially inside the corporations. It doesn't surprise me that they are gradually shifting toward Linux in the upcoming years at where I work.

A slow transition is better than sticking with the current situation.

my favorite from not so long ago (1)

BigGerman (541312) | more than 8 years ago | (#14505698)

At big big US government agency they block jakarta.apache.org because it is a "hacker tools site". Ironically the majority of their own stuff runs on Tomcat, et al.

Poor title (1)

The-Trav-Man (913000) | more than 8 years ago | (#14505701)

Your complaints are more about lazy and/or stupid and/or under-resourced sysadmins and bad security setups than security in itself. Regardless the poor security is generally less of a dent on productivity than corporate LANs without virus scanners or firewalls.

You work for AT&T too? (0)

Anonymous Coward | more than 8 years ago | (#14505702)

Curious.

Job Security (1)

helmutvs (912204) | more than 8 years ago | (#14505709)

Out of hand? Maybe. Bad? No. People in the IT industry don't have to worry about losing their jobs as long as viruses, worms, etc. exist. Therefore, malicious computer stuff is good for the economy. There's your glass half-full perspective. :)

I think not... (1)

d34thm0nk3y (653414) | more than 8 years ago | (#14505710)

Has Corporate Info Security Gotten Out of Hand?

Obviously it still needs work.
google: stolen customer data [google.com]

Re:I think not... (1)

Infosec Geek (930840) | more than 8 years ago | (#14505822)

google: stolen customer data [google.com]

ROTFLMAO!!!

How many of us want to work for the next Card Systems Solutions? All in favor, raise your hands.

Ah. Like a forest after the clearcutters have come and gone. Thought so. :D

OT: "Loosing" Network Access (-1, Offtopic)

mad.frog (525085) | more than 8 years ago | (#14505717)

I'm ready to be modded offtopic for this, but I find it sadly ironic that on the same day an article on "On the Subject of Slashdot Article Formatting" is posted, we find that the editors don't bother to fix a blatant error in the text.

(Yeah, yeah, I know, the aforementioned article basically said "our readers don't care about spelling or grammar, so neither do we". I find this sad. Especially given the fact that spelling/grammar checkers are commodity technology. Can't we perhaps get one integrated into Slashcode?)

From http://www.lessontutor.com/eeslose.html [lessontutor.com] :

LOSE means to lack the possession of, to come to be without.

LOOSE means not tight.

LOOSEN means to unfasten something or make it less constraining.

Your complaints are unconvincing. (4, Interesting)

Saint Aardvark (159009) | more than 8 years ago | (#14505736)

  • Your company's proxy policy is a matter of policy at your company -- complain to them about it! If it's preventing you from getting work done, you should have no problem convincing them -- and if you do, light a fire under your manager; that's what managers are there for.
  • "the sending of email via SMTP" -- Maybe I'm misinterpreting this, but if you mean "our desktops and servers have to pass email to the designated relay", then I'm completely unsympathetic. If your complaint is about poor performance, complain about that -- but your desktop and your production machines are not mail servers!
  • "forced to apply security patches with little or no notice" -- I can guaran-fucking-tee you that each time that happens there is a wave of complaints to your IT department. And yet they keep doing it anyway. They're either heartless, bastard psychopaths with no concept of sympathy, or it's important to apply these patches. Human nature being what it is, I'm willing to bet they think it's important...no one lets themselves in for a shitstorm voluntarily just 'cos it's, you know, second Tuesday of the month.

And, why, yes I am a network administrator, thanks. I'm lucky so far -- it's a small company, people are well-behaved, and I don't have to implement the policies you describe. I set up times for patches, there's no proxy yet and not too many firewall restrictions.

But if this place gets to be big enough that I can't count on collective intelligence and/or social pressure to keep people doing the right thing, I'm going to have to seriously consider policies just like the ones you describe, in order to keep things running as they need to -- because your complaints about the network not working 'cos of the latest virus outbreak are going to be a fuck of a lot louder than your complaints about your desktop machine not being allowed to be a mail server.

my employment (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14505824)

general manager of a franchise location-- think 'mcdonalds' but it was not foodservice.

chain (under the guise of 'uniformity' but really as a means to screw every last blood cent out of the franchisees) made mandatory for EVERY SITE in the flock a satellite internet connection, at $150.00 per month.

prior to that, I'd been running on a consumer class verizon dsl account for 30 a month- for me only.

of course, as soon as this high speed (incredible ping) service became mandatory, the owners refused to pay for the 30$ dsl

ya know what- the franchise blocked among others, groups.google.com and refused to unblock any site on the forbidden list.
with 4k locations total, they didn't care jack about one request, and there was no way to get it reversed.
 

As a user... (1)

Otter (3800) | more than 8 years ago | (#14505740)

None of the stuff you mention bothers me, except occasionally when a site I need to access is mysteriously blocked.

What does create havoc (and I jump in with this in every one of these discussions because it can't be said enough) is the insanity with multiple, long, complex, frequently-but-out-of-sync changed passwords. It causes huge hassles, prevents users from taking advantage of resources and is an absolute disaster for security.

This has been the status quo in DoD security for a (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14505752)

And not just on the IT side. Arbitrary security requirements often slow progress tremendously if they don't halt it altogether. It's grown its own huge bureaucracy & career path. And heaven help you if you question anything security requires. I've literally been told that I'm "unamerican" because I questioned a particularly useless security requirement that was arbitrarily levied on us. And you wonder why I post this AC?

And the economic cost is enormous - I used to work in a major acquisition system program office (SPO). Various security costs amounted to the biggest budget line item in the program, although they were careful not to show it that way on any single chart. And that didn't account for military personnel dedicated to security, as they didn't come out of that cost. And it certainly didn't account for the huge drain on productivity it caused.

Re:This has been the status quo in DoD security fo (1)

Ph33r th3 g(O)at (592622) | more than 8 years ago | (#14505826)

Exactly. Eye-tee has figured out the same thing the government has figured out. Few dare question anything done in the name of security. And those few can be dealt with harshly. It's how they're going to turn corporate computing back into a priesthood.

Forcing horrible workarounds... (1)

PornMaster (749461) | more than 8 years ago | (#14505763)

Of course, when companies get nonsensical security policies, they force people into horribly inefficient and/or insecure workarounds.

Rather than issuing in-office consultants a company e-mail address, CCing a Yahoo.com e-mail address, besides being insecure and unaudited, just looks damn unprofessional.

Don't have a document management system, SFTP, or even FTP? People clog up Exchange with huge attachments with no central control or even a sense of where the authoritative copy of something can be found.

How many of us have run SSH on port 443 on an outside box just for SSH tunneling? I had an employer who blocked 22 specifically because the firewall guys knew that inbound tunnels could be opened... but damn it if 443 wasn't wide open.

When C-level execs bitch about things, though, it's not hard to get someone in IT to demand the security equivalent of a chmod -R 777 /

*sigh*
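An added example, not part of the comment above: a port number says nothing about the protocol spoken on it, so an egress monitor can classify the first client bytes of each flow instead. This sketch flags flows on port 443 that do not open with a TLS ClientHello; the flow records, addresses and banner strings are constructed samples and the function names are hypothetical.

```python
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01       # TLS handshake message type: ClientHello
MAX_TLS_RECORD = 16384    # maximum plaintext record length
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")

# Constructed sample: first client-to-server payload of four flows.
TLS_HELLO = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + bytes(36)
SSH_BANNER = b"SSH-2.0-ExampleClient_1.0\r\n"
FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.7", "dport": 443, "payload": TLS_HELLO},
    {"src": "192.0.2.23", "dst": "198.51.100.99", "dport": 443, "payload": SSH_BANNER},
    {"src": "192.0.2.31", "dst": "198.51.100.50", "dport": 443,
     "payload": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"src": "192.0.2.23", "dst": "198.51.100.99", "dport": 22, "payload": SSH_BANNER},
]


def classify_first_bytes(data):
    """Name the protocol suggested by the first bytes a client sends."""
    # SSH: the identification string starts with "SSH-" (RFC 4253, section 4.2).
    if data.startswith(b"SSH-"):
        return "ssh"
    # TLS: handshake record, major version 3, sane length, ClientHello inside.
    if (len(data) >= 6 and data[0] == TLS_HANDSHAKE
            and data[1] == 0x03 and data[2] <= 0x04):
        (record_len,) = struct.unpack("!H", data[3:5])
        if 0 < record_len <= MAX_TLS_RECORD and data[5] == CLIENT_HELLO:
            return "tls"
    # Cleartext HTTP request line.
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def unexpected_on_port(flows, port=443, expected="tls"):
    """Return (src, dst, protocol) for flows on `port` that are not `expected`."""
    findings = []
    for flow in flows:
        if flow["dport"] != port:
            continue
        proto = classify_first_bytes(flow["payload"])
        if proto != expected:
            findings.append((flow["src"], flow["dst"], proto))
    return findings


if __name__ == "__main__":
    for src, dst, proto in unexpected_on_port(FLOWS):
        print(f"{src} -> {dst}:443 speaks {proto}, not TLS")
```

The check only sees cleartext first bytes, so it complements an egress policy that sends port 443 through an inspecting proxy rather than replacing one.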

Re:Forcing horrible workarounds... (0)

Anonymous Coward | more than 8 years ago | (#14505888)

And often slightly worse. Both my previous employers forced me to run an SSH tunnel over SSL... through an HTTP(S) proxy. Gah! At least it was HTTP CONNECT and not http tunneling (like htc/hts does).

Fair security poorly administered (5, Interesting)

ayelvington (718605) | more than 8 years ago | (#14505767)

I work in a .mil environment with managed images and very good security. What I'm reading is that your company is still in the learning phase when it comes to customer service balanced with security.

We operate under a standard image architecture with updates and patches pushed out across the enterprise. Proxy servers are a necessary evil, but we are very reasonable on our block lists. (North Korean sites are discouraged along with Ebay...) This is for our unclassified network...

We learned the hard way too. Our first generation of machines were issued with padlocks on the cases and no CDROM drives...

Our IT system never compromises operations for security, and it never has to. Your IT staff may need a bit of fresh air, a few customer-centered workshops, and maybe some field trips to see how others work.

I feel your pain and wish you the best.

ay

Security is about keeping the clueless safe (0)

Anonymous Coward | more than 8 years ago | (#14505777)

Overzealous security is only the result of clueless co-workers. If the company didn't need to protect itself from the threats because people didn't try to open the mail offering them pictures of a tennis star, then I'm betting half the policies wouldn't exist.

I know at my last job the sysadmin LAN was basically able to do pretty much anything they wanted - inbound access was controlled, but that was it. But then again, the people who had machines on that LAN could be trusted not to be stupid.

Not really much of a problem... (0, Offtopic)

$ASANY (705279) | more than 8 years ago | (#14505778)

...under threat of their machines loosing network access...

Since you can get a replacement RJ45 modular plug for about $0.05, you can easily repair loose connections so you don't lose network access. It's not really that big of a problem.

Situation here is like this... (1)

CivilianHero (942419) | more than 8 years ago | (#14505781)

Security : Top-notch

Users: Some give away their personal passwords (for legit purposes) instead of asking the right persons to create new accounts.

Impact on security : The security becomes useless.

This is a problem in many large organisations, especially when dealing with people who know next to nothing about computers and security.

The right balance is... (3, Interesting)

canuck57 (662392) | more than 8 years ago | (#14505802)

What is the right balance between security and productivity, in the corporate IT environment?

Simple, more security. As more secure systems tend to run more reliably (fewer bugs) and with lower maintenance (removing root kits) than do less secure systems. Knowing most corporate environments, security tends to be lax.

Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software.

Yes, it was better more than ten years ago. If your computer was connected to the internet and caused someone problems you got kicked off for a week or two to think about it. Some were even blacklisted. And few if any ran Microsoft products as their gateways or terminals.

But the fact is with many hundreds of millions of Internet users today practicing self administration of an inherently insecure OS and trusting everything they click on -- without regard to others or their company's costs, security has had to evolve. And believe it or not, firewalls existed 10 years ago.

Then along comes the modern cowboy on an unmonitored cable connection hacking people for sport and profit. People hack computers just to send spam, and the system/ISP do nothing. They have long since abandoned kicking them off. The result is the problem is now rampant.

have we become so secure that we're stifling our own ability to get things done?

Not at all, I have always kept important stuff on UNIX and Linux, and professionally manage them like I do at work. They haven't been hacked or wormed. I also tend to use "safe" tools as they also fail less as well as being more secure.

But the optimum answer to be secure is to use securable tools and secure practices in what you do with your computer, something like safe sex.

Try a University (3, Insightful)

froschmann (765104) | more than 8 years ago | (#14505808)

Heh, my Christian University is a lot worse than that. We have mandatory antivirus (which seems to run scans at the most inconvenient times. Cancel them and you get kicked off the network.) We also have to run all traffic through a HTTP proxy, because they block all outgoing port 80 traffic. The HTTP proxy logs all traffic which is then sent to our deans and hall directors, as well as kept on record forever. In addition, it blocks such disgusting websites as Ebaumsworld, and hackaday (hacking is illegal, kids). It can be loads of fun trying to get programs without proxy support to work. We also get AIM file transfer (for my non-geek friends from home) disabled, along with bittorrent and pretty much every non HTTP protocol. They even have a packet shaper which detects traffic on the wrong ports and blocks it, so forget about using a proxy. Internet access at school can be much worse than at a workplace... Thank the gods for PGP and dial-up!

Re:Try a University (1, Informative)

Anonymous Coward | more than 8 years ago | (#14505856)

But I bet you they let DNS through...
http://freshmeat.net/projects/nstx/ [freshmeat.net]

You made me laugh. (2, Insightful)

catahoula10 (944094) | more than 8 years ago | (#14505828)

" Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software. Today, my company's proxy server blocks access to: 'bad' web sites (such as Google Groups; our 'antivirus' software prevents our machines (even machines that host production applications) from carrying out legitimate functions, such as the sending of email via SMTP; and individual employees are forced to apply security patches with little or no notice,"

Of course it's out of hand. Companies, as well as individuals, pay a lot of money for computers. If we bought a car that needed patching every week to run properly it would be called a lemon. And we have lemon laws. If we bought a TV that needed to be patched every week to work properly we have a warranty to help resolve the issues with that product.

While the computer itself works fine, it's the OS and Applications that need constant patching. When the OS makers and Application sellers are held to the same standards as other products are, then maybe you will see your cost of doing business with computers go down.

Lock Down (1)

tuba_ranger (848915) | more than 8 years ago | (#14505832)

You need to talk to my sys admin. Our corporate system is so locked down that it's next to impossible to get anything done! He enforces an insane level of "security" and wears it as a badge of honor that he is pissing off most of the workers; it shows he's doing a good job. It's an absolute pain in the ass to work on our system.

Times Change. (1)

NetJunkie (56134) | more than 8 years ago | (#14505835)

Years ago people didn't lock their doors because everyone knew each other. Years ago you didn't need a firewall in many cases and these things weren't on your mind. Times change and you have to protect yourself.

Many of the complaints in the submission sound like bad IT or mis-directed policy. AV might block a server from sending SMTP mail, but how is it supposed to know it's legit? The IT staff should be telling it which is legit. Users shouldn't be responsible in a corporate environment for patches and updates. That's the Network Group's job. They need to be making it as painless as possible for the end user. I don't expect my users to know about updates and patches and exploits. That's why my team is there.

Sorry to sound Republican here (1)

Travoltus (110240) | more than 8 years ago | (#14505857)

but employers do have a right to dictate what happens on their own property. (Although some employers are abusing this right now to dictate what happens on their employers' property, which must be stopped and soon.)

Any employee computer activity on the job, especially internet activity, is a potential liability for the company, and if you browse to the wrong site you can get hit with spyware, cookies, etc. that could compromise the security of the network. Get nailed with a keylogger cookie and all your intellectual property could be stolen.

One day the employees are playing Unreal Tournament 2004 online. The next day it could be this. [slashdot.org]

Now, honestly, I feel bad about saying all that because I've lived through dialup and I loved to use my high speed access at work before I got my blazing high speed cable modem. But this is the reality of things. Employee optimization, as it is called, can save an employer from FBI raids, massive RIAA litigation, IP theft, and other horrors.

How about accounts and passwords? (1)

antdude (79039) | more than 8 years ago | (#14505861)

How about too many accounts and strict passwords? That part drives me nuts.

Unplug, people. (3, Insightful)

ubiquitin (28396) | more than 8 years ago | (#14505863)

Security has very little to do with updating your virus definitions hourly, and everything to do with knowing when to just unplug the box and find another way to get the job done. What's your risk model? Point granted: the network is a demanding mistress. But fortunately, everyday risk is often handled best by the simplest of means. Stop instant messaging the person one cubicle over, and get to know your local coffeeshop owner. Or neighborhood banker.

"B A L A N C E BALANCE!" (Sean Connery, Highlande (1)

meregistered (895132) | more than 8 years ago | (#14505873)

Hey Cliff

My opinion is based on 10 years as a computer professional. I have predominantly performed some level or type of support working with end users. Which means I may be a little biased.

My opinion:
It is important that there is a balance between security and freedom. The best balance maximizes productivity.
"FREEDOM!" (Mel Gibson, Braveheart)
On one side we have the user's freedom to do whatever they want. This can and will cause hits to productivity in a number of ways. It's my opinion that the most significant of these ways is the productivity hit of viruses, spyware, and problems caused by the install of unapproved programs.

SECURITY (sorry can't think of a quote)
On the security side productivity can be hampered by having to go through red tape to do your job, having to get special permission for important job related functions, or simply limiting your otherwise boundless resources.

After seeing and experiencing what I have, I believe the best is to provide all protection possible that doesn't limit freedom. Then make policies regarding misuse of the equipment. Create limitations as needed based on abuses that decrease productivity (if everyone is using internet radio, they won't stop, and it is hurting network bandwidth, start blocking those sites or services).

Good luck.

"B A L A N C E BALANCE!" (Sean Connery, Highlander (1)

meregistered (895132) | more than 8 years ago | (#14505879)

(Whoops should have been Highlander (with an R))

It could be worse... (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14505874)

You're upset over your access to the Internet?

We have no e-mail, no web access, no ftp, nothing. We have no networking at all!

I work on a combat vessel. None of our systems are networked -- at all. The Commander won't allow it. We're defending a civilian fleet and every member of our enemy forces, literally every one, knows enough about computers that they could infect any of our systems with some of the nastiest computer viruses you've ever seen. The XO, on one occasion, allowed them to network a few computers to calculate our course so we could catch up to the rest of the fleet and it resulted in a firewall weak enough for the enemy to penetrate the system. They almost brought down all the systems on the entire vessel. At one point (the start of the recent hostilities), a number of our fighters were completely disabled and taken out by the enemy because their onboard computers were targeted, knocked offline, and the fighters left defenseless and were picked off one by one.

So if you're complaining about having to deal with web proxies and firewalls, be happy you're not serving on our ship.

Re:It could be worse... (0)

Anonymous Coward | more than 8 years ago | (#14505901)

We have no e-mail, no web access, no ftp, nothing. We have no networking at all!

Then how, pray tell, did you post this?


I work on a combat vessel. None of our systems are networked -- at all. The Commander won't allow it. We're defending a civilian fleet and every member of our enemy forces, literally every one, knows enough about computers that they could infect any of our systems with some of the nastiest computer viruses you've ever seen. The XO, on one occasion, allowed them to network a few computers to calculate our course so we could catch up to the rest of the fleet and it resulted in a firewall weak enough for the enemy to penetrate the system. They almost brought down all the systems on the entire vessel. At one point (the start of the recent hostilities), a number of our fighters were completely disabled and taken out by the enemy because their onboard computers were targeted, knocked offline, and the fighters left defenseless and were picked off one by one.


Oh hey, yeah, I saw that movie!

I've worked at both extremes ... (1)

Empty Yo (828138) | more than 8 years ago | (#14505875)

Company A - People in the office downloading music, chat programs, games, etc. to the HDDs of their workstations and causing general havoc. All PCs running Win98 on archaic machines even though the company was a 'tech company' and the PCs were over five years out of date. No patches applied automatically - applied when PC is 'sick'. Several multiple day issues with virii requiring re-imaging of desktops to fix.

Company B - XP Pro locked down so tightly that we can do browsing, email and that's it. No virii in 2 years that I've seen or known about. Patches done to all workstations in a two week window.

The staff in company B are more productive, less distracted and have significantly more uptime, so I think the heightened security is a good thing.

Patches (1)

vijayiyer (728590) | more than 8 years ago | (#14505887)

I am probably one of the only Mac users on a large (50000+ employees) network. I get practically daily messages about patches, reboots, viruses, malware, etc. from corporate IT. I ignore them, and simply keep my computer up to date via Software Update. Ironically, my computer being on the network technically violates IT policy. If I were to follow IT policy, I wouldn't get work done. Why can't IT leave people alone, especially in technical (engineering) environments?

Education too (1)

ndansmith (582590) | more than 8 years ago | (#14505895)

I have run into this problem at my college as well. Virtually every port is closed except those needed for http, https, ftp, and smtp. I cannot use RDP, SSH, or VNC to check on my servers at home or at work. Frankly, with better security implementation they could allow these services to students without compromising themselves too much. I think it is mostly just the higher-ups in the college who are all concerned about "piracy" and hackers.

White Elephants (0)

Anonymous Coward | more than 8 years ago | (#14505897)

What a timely question. I have never seen so much time and effort spent on defensive measures that have no value other than to keep machines from being completely useless. Anti spyware. Anti virus. Bureaucratic hoops. Authoritarian policy smackdowns. Network restrictions. The sad thing is, it's not entirely unjustified. Without these measures, and even with them, we spend countless hours repairing the damage caused by viruses and other malware. So much time, money, and effort just to keep the ship from completely sinking. It's absolutely pathetic.

I spent some time talking to a guy who runs an IT department for an organization that almost exclusively uses Macs. They have no such problems. Stuff just works. My linux machines likewise just work, as do my BSD boxes.

I don't care if it's because MS products are inherently less secure, or if they just happen to be the biggest target. The obvious truth that so many people want to sweep under the rug is that MS products are one big rip roaring pain in the ass to maintain. I am so absolutely sick of MS apologists hiding behind Gartner group PR in an effort to promote this continuing assault on everyone's productivity. "More policies" they say. "More anti-this and anti-that! Stricter controls! Take people off of the network! Limit their use of the network!" On and on and on. If you have a rabid dog, don't wrap yourself up in blankets and swallow your medicine cabinet! Git rid of the git! Could anything be more obvious?!

It's about time someone got fired for buying Microsoft. Really. The people who are promoting Microsoft are wasting your company's money. They are wasting people's time. It's coming out of your pocket.

Except for extreme overzealousness... (2, Interesting)

kadathseeker (937789) | more than 8 years ago | (#14505903)

really, the only people that aren't a security risk without security disabled can easily get around it, if they need (or want...) to. The average luser will cause more problems than this security will. The key to this though, is punishment of those who circumvent security. At my school, I regularly aid even teachers in getting freemail access, around the filter, etc. They trust me because they know I'm smart enough to do this, and not do anything stupid with my 'superpowers'. Most of them are well aware that the security there is bad and the IT staff unskilled (with few exceptions) enough that if I really had ill will in my heart there's not much they could do to stop or even catch me. My cousin's school used to be like this, but then a new administrator came along and changed the rules. My cousin was found using a proxy that SOMEONE ELSE had once, A YEAR AGO, used to look at ONE pr0n site and was suspended for a week (and grounded). The biggest irony is that he used the proxy to get to a site he NEEDED for his assignment. I don't hate stupid people (everyone is stupid in some ways) but everyone hates having an idiot in charge and being unable to avoid their work. With a bad restaurant, you can go elsewhere, with a bad leader, your options are limited (esp. when you don't get a say in determining the leader).

SSH (1)

feenberg (201582) | more than 8 years ago | (#14505905)

A few years ago we had to put an ssh server on the telnet port, because one of our users was at the Federal Reserve Board, whose security committee hadn't approved outbound access to ssh servers on the usual port! In a telephone conversation with me, their security person suggested I turn on the telnet server at my end, and said that he had read about security issues with ssh that discouraged them from allowing it!

Lots (not all) IT security is just dumb rules of thumb with no analysis or understanding. Lots of IT staff don't think the other employees have work to do, and don't mind interfering with their efforts. As the years go by, management will become more experienced at understanding who is a blowhard and who knows what they are talking about. But it will take time.

Basics (1)

schnibitz (904925) | more than 8 years ago | (#14505922)

It is important to get the basics, and most of the basics can be taken care of by IT. If done properly, it won't impact the user at all. "What about passwords?" you might ask. The most insecure thing at most companies will always be the user. The best thing to do is be sure that no normal user has access to everything; every record, every file, every database . . . This will limit a lot of damage. I tend to believe user education is a waste of time too. It isn't a user's job to worry about this stuff, and the fact that we have poorly designed OS's isn't their fault. Other than these issues, most security-related issues can be taken care of behind the scenes.

BTW not sure why your company is mandating manual patching versus implementing Windoz Update Services (WUS). Computers patch and reboot VERY early in the morning, and the user doesn't have any choice in the matter. I have never had problems with this procedure BTW.

-Schnibitz