On Fri, Sep 07, 2012 at 10:08:48PM -0400, Rich Pieri wrote:
> On Fri, 7 Sep 2012 20:51:32 -0500
> Derek Martin <invalid at pizzashack.org> wrote:
>
> > Horse be damned, I think you're still missing the point. It's what
> > you're protecting, how accessible and available it is, and its value,
> > that matters... not so much what solutions you're using to protect it
> > (unless they're just plain inappropriate for the job).
>
> No. You are missing the point. Leaving a workstation logged in and
> unattended weakens or neutralizes any system security you may have.

I haven't missed the point; you haven't made one. All you're doing is regurgitating dogma. Your dogma is technically true; however, practically speaking, it's next to worthless. Insisting, as you have here, that any security policy is absolutely and uniformly applicable to all computing environments, without consideration of the costs vs. the actual risk mitigated, and without considering cheaper, similarly effective alternatives, is pure and utter folly. The tendency for security engineers to do this is the very reason why many knowledgeable people cringe whenever someone brings up the topic of security. It's not enough to recite garbage you read in some best practices wiki; you have to use your brain (unless your goal is to pass some standardized external audit, in which case acting like a parrot is exactly what's needed).

Risk = potential cost, and security is the pursuit of cost minimization through risk mitigation (NOT elimination, which is impossible). If you're spending more on your solution than you're likely to lose, you've failed. If you haven't bothered to even attempt to consider the cost, you've failed miserably.

Did it also occur to you that it's equally true that leaving a workstation TURNED OFF and unattended weakens or neutralizes any system security you may have? Do you have any policies or technologies in place specifically to address that threat? If not, did you reason out for yourself that the reason it's OK to ignore the problem is because the COST of solving it is much greater than the RISK of loss? Effectively addressing that threat (i.e. theft of data by theft of hardware) would involve installing surveillance and alarms to detect the intrusion, and hiring 24x7 security (REAL security, not retirees sitting at a desk) to hopefully deter/catch the thieves. An expensive proposition, though if your data is really valuable it may be worth it. Chances are though, you didn't, because it's not. And if it's not, neither is making everyone log out all the time... locking the screen is just fine, for exactly the same reason: the risk of a costly compromise is small in comparison to the loss of productivity and morale.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will result in undeliverable mail due to spam prevention. Sorry for the inconvenience.