[liberationtech] New IT security measures underway

Rich Kulawiec rsk at gsp.org
Mon Feb 3 03:43:33 PST 2014


On Fri, Jan 31, 2014 at 09:01:06AM -0800, Yosem Companys quoted:
> "One of these mandates includes having employees with Windows XP
> laptops and desktops migrate to Windows 7 Enterprise or Ultimate, or
> Windows 8 Pro or Enterprise, by April 8. Employees will be able to
> download the latest Microsoft software for free under a new campus-wide
> license obtained in November 2013."

Let's stop right there.

If this entire initiative was actually about security in any way,
shape or form, then this paragraph would not be present.  Closed-source
software cannot be secured, and changing from one insecure version
of Windows to another is merely an expensive, time-consuming exercise
that achieves nothing of significance.

If that statement isn't clear:

	https://mailman.stanford.edu/pipermail/liberationtech/2013-March/007499.html

So the people behind this farcical exercise at Stanford either don't
understand security or don't care about it.  If they actually did,
then they would *ban* Windows from the environment and phase out every
system currently running it.

That is not, by the way, equivalent to a claim that banning Windows fixes
all the security problems.  Of course it doesn't.  But it's a great
first step, and it facilitates many subsequent steps which, in combination,
could substantially raise the bar that attackers have to clear.  And that
would of course go a long way toward protecting PII from a multitude of
attack vectors.

But as long as Stanford sticks with an operating system that is not
only insecure, but insecurable (see above link), they have chosen a
path that inevitably leads to failure.

Which raises the question: what, exactly, are they playing at here?
Is this just a campus-wide CYA?  So that when the next breach, and
the next one, and the next one come along they can say "but see? look
at all the things we did!" and do the usual "nobody could have foreseen"
PR schtick?  Why doesn't Stanford *really* care about security
instead of just pretending that it does?

---rsk


