Search Mailing List Archives
[liberationtech] New IT security measures underway
jna at retina.net
Mon Feb 3 15:09:24 PST 2014
On Mon, Feb 3, 2014 at 3:43 AM, Rich Kulawiec <rsk at gsp.org> wrote:
> On Fri, Jan 31, 2014 at 09:01:06AM -0800, Yosem Companys quoted:
> > "One of these mandates includes having employees with Windows XP
> > laptops and desktops migrate to Windows 7 Enterprise or Ultimate, or
> > Windows 8 Pro or Enterprise, by April 8. Employees will be able to
> > download the latest Microsoft software for free under a new campus-wide
> > license obtained in November 2013."
> Let's stop right there.
> If this entire initiative was actually about security in any way,
> shape or form, then this paragraph would not be present. Closed-source
> software cannot be secured, and changing from one insecure version
> of Windows to another is merely an expensive, time-consuming exercise
> that achieves nothing of significance.
Disclaimer: I can't stand windows and I've nearly banned it from work place.
Reality: You don't understand business nor threat modeling.
Microsoft is, unfortunately, the backbone of most world-wide business.
There are a host of applications from finance, to statistical modeling, HR
planning and otherwise that only run on Windows. You can't easily kill it
off. When and if we manage to kill it off, attackers will move to the new
thing (say. Mac OS) and focus efforts there.
So, for the users that must run Windows on a daily basis, they're electing
to offer free upgrades. Good on them. The older versions (such as XP) are
reaching end of life for support (and security support) and potentially
will become a source of indefinite zero-days. Calling this
action meaningless due to your implicit bias against commercial software
and windows is a fallacy. Properly implemented, it will result in a
reduction of the overall threat to the University.
Unfortunately, their implementation process isn't very good. I don't agree
with the open-ended nature of their solution. Relying on the users to
upgrade themselves means generally that the upgrade will never occur. A
compliance-enforcing approach, such as those used in the Cisco and Juniper
VPN clients would be better. For example, "You have 30 days to upgrade to
Windows 7 or VPN and 802.1X will block you from joining our network" is
much better than "Go secure yourselves, we'll be over here"
Additionally, your statement of: "Closed-Source software cannot be secured"
-- I prefer open source software but I disagree that it cannot completely
be secured. It depends only on the motivation, financial resources, and
merit of the company attempting to secure said software. Just because you
don't happen to get a look at the source code doesn't make this a
definitive statement. There are numerous examples of commercial software
being immensely hard to defeat.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the liberationtech