funsec mailing list archives

Re: Adobe investigates sophisticated corporate network security issue


From: Dan Kaminsky <dan () doxpara com>
Date: Thu, 14 Jan 2010 14:56:23 +0100

On Thu, Jan 14, 2010 at 2:18 PM, Rich Kulawiec <rsk () gsp org> wrote:

> On Wed, Jan 13, 2010 at 03:05:19PM -0800, Paul M. Moriarty wrote:
>> Or put another way, expecting end users to change their behavior and
>> start doing all the things they "should" be doing is futile.  Any approach
>> based on this premise will fail.
>
> Absolutely true.  "Educating users" is listed as one of Marcus Ranum's
> six dumbest ideas in security, and it really is.  Spammers and phishers,
> among others, prove it millions of times a day.


A few years back, Jason Larsen explained to me the great irony of USB
sticks.  We've had networking for how many years?  But if you've got ten
people sitting around a conference room table, from three different
companies, and all of them need a slide show, guess what?  They're not using
network file sharing to share that file.  The odds that they'll all be able
to get on the same network are quite low.  See, it's always assumed by IT
that in general, the only people who need access work from the company, and
those people outside have bad untested insecure horrors of laptops.

So those bad untested insecure horrible outsiders bring in USB 3G networking
and USB sticks.  And those sticks get passed around, so people can get their
slides and business can be done.

How does security react?  By banning USB sticks.  And what will people thus
use?

Gmail.

Watch.  The war after USB sticks is 3G networking.  Because we've stopped
being good at saying, yes, we have a solution for you.  But we're damn good
at saying, HOLY CRAP YOU FOUND A SOLUTION, WE MUST SUPPRESS IT.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
