funsec mailing list archives

Re: I wrnd u abt ths ...


From: Michael Graham <jmgraham () gmail com>
Date: Thu, 18 Jun 2009 21:19:00 -0400

On Thu, Jun 18, 2009 at 8:10 PM, Nick FitzGerald <nick () virus-l demon co uk> wrote:

> Michael Graham wrote:
>
> > ... or you're going to have to start treating your
> > user space as inherently hostile.
>
> Gee -- you don't do that already?


Pardon me, Nick, for launching off into a bit of a tirade here, I'm speaking
to some nebulous reader and not trying to preach directly at you.

There's a pretty wide gulf between "should" and "actually do" in most of the
real world.  I've security nerded one enterprise that was actually close to
being as controlled as it should be, and never even seen another (outside of
gov't space).  The majority of the enterprise space out there (not to
mention the vast wilderness of mid-sized businesses) works on a "defend
the perimeter and try to not inconvenience the users inside too much"
principle, and by and large, they've gotten away with it.  And they're going
to want to keep getting away with it.

My point was that if your user space isn't already locked down to the degree
that unpreventable (by you) twitter url redirects don't scare you, then you
probably aren't likely to be able to force a dramatic sea change in
management attitudes about user inconvenience.  So you should start planning
on treating that space as actively hostile and start talking to your
management about the changing threat environment and how you need money to
get ready for it unless they want to go do *50 things every user will hate*
instead.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.