On Thu, Sep 06, 2012 at 02:40:47PM -0400, Rich Pieri wrote:
> On Thu, 6 Sep 2012 12:49:17 -0500
> Derek Martin <invalid at pizzashack.org> wrote:
>
> > Clear and present? Not in any computing environment I've ever managed
> > or worked in. Most companies don't need this kind of security, and as
> > I said, the cost of this loss of productivity is in the millions per
> > annum for any given company of medium size, and substantial enough for
> > any company.
>
> You asked for an example. I gave you one. That the example does not
> match your experience or expectation does not invalidate the example.

No, I asked for a *likely* example, where the cost was justified by the threat. You didn't provide one, and I offered simple counters for the example you did provide, which DOES invalidate the example, reducing it to an education issue or an administrative issue. Your example also assumed a complete lack of security awareness (weak filesystem permissions)... a fact not in evidence, neither in my case nor in the case of anyone posting in this thread, and one unlikely to be true given this list's educated user base, but required for validity of your example. And even if you did have such users in your environment, as a security-oriented system administrator, detecting and correcting them is utterly simple using tools found on every Unix-like system, and YOUR responsibility.

I thus conclude that your premise -- "Walking away from a workstation and 'forgetting' to log out is a bad practice" -- is completely false. Again, this is not to say that logging out daily has no value whatsoever in a security frame of reference; it is rather to say that a requirement of mindlessly doing so is probably not worth the cost of lost productivity in the typical case. You have to know your environment (and threat model) and adjust your policy appropriately.
The point is this: Security admins often overlook that too much security is as bad if not worse than too little, and security training does not focus enough on this idea, in my experience and opinion -- or at least it didn't when I had mine, which admittedly was quite some time ago. For your policy to be effective, your users need to trust you, and they won't if they see you as a mindless zealot who only knows how to get in their way. If you make policy that makes educated users think thusly, they're going to ignore you on general principle, and complain about your policies to coworkers who are already looking for a reason to ignore your cumbersome security measures, which only reduces the overall security of your environment. And worst of all, in most environments, you're not going to have the teeth to back up your policy, as management generally isn't about to fire productive employees for forgetting to log out of their workstations, which only tends to make you look even worse (to offending employees) for complaining about it... So you may as well design your policy to make those discussions you'll inevitably have with your users actually matter as much as possible.

On the other hand, if you do actually work at, say, a defense contractor, managing the systems used to design the next super-secret insta-kill-all-the-bad-guys weapon, then go ahead and steamroll your users with your policy, and bring a big LART when they fail to comply.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will result in undeliverable mail due to spam prevention. Sorry for the inconvenience.
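The message above claims that an administrator can detect and correct weak filesystem permissions (the world-writable files Rich Pieri's example depended on) with tools found on every Unix-like system. The following script is an added example written for this archive page; it is not code from the thread or its author. It uses only POSIX `find(1)` and `chmod(1)`, the function names (`audit_world_writable`, `count_world_writable`, `fix_world_writable`, `make_demo_tree`) are hypothetical, and the home-directory tree it scans is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example: audit a tree of home directories for world-writable
# files and directories, then strip the "other" write bit. Only POSIX
# find(1) and chmod(1) are used; -perm -002 is the portable octal form
# of "write bit set for other". Function names are hypothetical.

# audit_world_writable ROOT
# Prints one path per line for every regular file or directory under
# ROOT whose mode grants write to "other". Symlinks are skipped because
# -type f / -type d test the link itself. Output is sorted so a cron
# job can diff it against the previous run; nothing is printed when the
# tree is clean.
audit_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print | sort
}

# count_world_writable ROOT
# Number of findings, convenient as a pass/fail value for a nightly check.
count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# fix_world_writable ROOT
# Removes the "other" write bit from each finding and prints the path
# it fixed. find -exec is used instead of xargs so that names with
# spaces are handled correctly.
fix_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -exec chmod o-w {} \; -print
}

# make_demo_tree
# Builds a small constructed home-directory tree in a temp directory
# and prints its path. Every mode is set explicitly so the result does
# not depend on the caller's umask. The users and files are made up.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/alice/.ssh" "$root/bob/shared"
    chmod 755 "$root/alice" "$root/bob"
    chmod 700 "$root/alice/.ssh"
    : > "$root/alice/.ssh/authorized_keys"
    : > "$root/alice/notes.txt"
    : > "$root/bob/shared/todo.txt"
    chmod 600 "$root/alice/.ssh/authorized_keys"   # correct: owner only
    chmod 666 "$root/alice/notes.txt"              # weak: world-writable file
    chmod 777 "$root/bob/shared"                   # weak: world-writable directory
    chmod 644 "$root/bob/shared/todo.txt"          # fine: world-readable only
    printf '%s\n' "$root"
}

# Stand-alone run: build the tree, report, remediate, report again.
demo_root=$(make_demo_tree)
echo "Findings before remediation:"
audit_world_writable "$demo_root"
fix_world_writable "$demo_root" > /dev/null
echo "Findings after remediation: $(count_world_writable "$demo_root")"
rm -rf "$demo_root"
```

On a real system the argument would be `/home` (or wherever home directories live); running the audit function from cron and mailing its output to the administrator gives the detection the message describes, and the fix function is the correction step. The audit deliberately reports rather than silently changing anything, so a shared directory that is world-writable on purpose can be reviewed before it is touched.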