OT: Dealing with a hosting company with its head up its rear end

Aryeh Friedman aryeh.friedman at gmail.com
Fri Aug 14 14:44:48 UTC 2020


On Fri, Aug 14, 2020 at 10:32 AM Jon Radel <jon at radel.com> wrote:

> On 8/14/20 09:48, Aryeh Friedman wrote:
> > On Fri, Aug 14, 2020 at 9:20 AM Tim Daneliuk <tundra at tundraware.com> wrote:
> >
> >> On August 14, 2020 12:58:49 AM "Steve O'Hara-Smith" <steve at sohara.org>
> >> wrote
> >>
> >>> Again many corporate firewalls don't allow ssh out (or in directly)
> >>> because tunnelling bypasses the firewalls. And again it seems odd for a
> >>> hosting company.
> >>>
> >>
> >> ssh out is typically prohibited to lower the risk of employee transfer of
> >> sensitive data to external destinations - So called Data Loss Prevention.
> >> This, along with email scanning and man in the middle cert management is
> >> pretty common.
> >>
> > Unless it is 100% air gapped with no ability to plug in portable media
> > and/or record the screen then nothing is 100% immune from such loss and
> > thus not allowing it makes very little sense.  If on the other hand the
> > idea is to limit the damage that malware/spyware can do then it makes sense
> > (even if someone does [accidentally] install malware/spyware it can not
> > send the results of its dirty work anywhere).
> >
> Untrue.  As the CISO at my latest employer said to me (paraphrasing
> some, as it's been a while):
>
> You and I know how to circumvent the restrictions, but the vast majority
> of the staff hasn't a clue.  This cuts down the noise I have to wade
> through.
>

Oh great, security by obfuscation!  Sounds like the CISO missed the first
day of security 101.  A false sense of security is always a bad idea.


>
> -----
>
> And back to the main topic of this thread:  What does your lawyer say
> about your client that is huffing and puffing threats over your
> inability to perform magic to paper over their unwise contracting
> actions in regard to a different vendor?  Seems to me that you left the
> land of technology a ways back on this one.
>

Actually the client has signed the one piece of paper we needed to move
forward, which is a waiver of liability for stuff we said was inherently
risky (in writing) before we started the work.  It should also be noted
that due to lack of competence by the hosting company and by the equipment
supplier we have become the client's de facto IT dept., even though we were
originally hired as programmers only (this means when push comes to shove
the client almost always trusts us over anyone else and for the most part
"I will find someone else" is just his lack of social graces and not an
actual threat).

Also, as stated before, the client is currently grandfathered into the older
config the hosting company uses and thus we don't need to do magic to do
the work.  The concern is if the hosting company starts insisting that the
grandfathering was "incorrect", and thus we are attempting to gather 3rd party
evidence that they are being idiots; this thread is just one such piece of
evidence and thus still very relevant.


> Actually, better yet, you probably don't want to discuss that on a
> public list......
>

If *YOU* think it doesn't belong on the list just come out and say it.


-- 
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
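The point Jon's CISO makes above (blocking outbound ssh cuts down the noise to wade through) only pays off if someone actually looks at what the block rule logs. Below is an added example, not from the thread or from any of the posters, of how a FreeBSD admin might triage that log: it parses lines in the style of `tcpdump -n -e -ttt -i pflog0` output, counts blocked outbound port-22 connection attempts per internal host, and reports hosts that repeatedly trip the rule, which is the short list worth a conversation rather than the raw flood. It assumes a pf egress rule of the form `block out log quick on em0 proto tcp to port 22` (rule number, interface and addresses are made up), and the sample log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the style of `tcpdump -n -e -ttt -i pflog0`.
# Rule numbers, interface and addresses are invented; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real destinations.
SAMPLE_PFLOG = """\
000000 rule 12/0(match): block out on em0: 10.1.2.17.50122 > 203.0.113.9.22: Flags [S], seq 1, win 65535, length 0
000245 rule 12/0(match): block out on em0: 10.1.2.17.50123 > 203.0.113.9.22: Flags [S], seq 2, win 65535, length 0
001023 rule 12/0(match): block out on em0: 10.1.2.17.50124 > 203.0.113.9.22: Flags [S], seq 3, win 65535, length 0
000311 rule 12/0(match): block out on em0: 10.1.2.44.41001 > 198.51.100.3.22: Flags [S], seq 1, win 65535, length 0
000098 rule 4/0(match): pass out on em0: 10.1.2.5.38000 > 198.51.100.10.443: Flags [S], seq 1, win 65535, length 0
000077 rule 12/0(match): block out on em0: 10.1.2.17.50125 > 203.0.113.9.22: Flags [S], seq 4, win 65535, length 0
"""

# One pflog line: rule id, verdict, direction, interface, then src.port > dst.port
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_pflog(text):
    """Turn pflog/tcpdump text into a list of event dicts; skips unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        for key in ("rule", "sport", "dport"):
            ev[key] = int(ev[key])
        events.append(ev)
    return events


def blocked_egress_by_host(events, port=22):
    """Count blocked outbound attempts to `port`, keyed by internal source address."""
    counts = Counter()
    for ev in events:
        if ev["action"] == "block" and ev["dir"] == "out" and ev["dport"] == port:
            counts[ev["src"]] += 1
    return counts


def hosts_over_threshold(counts, threshold=3):
    """Hosts that tripped the egress rule at least `threshold` times: the ones worth a look."""
    return sorted(host for host, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_pflog(SAMPLE_PFLOG)
    per_host = blocked_egress_by_host(evs)
    for host, n in per_host.most_common():
        print(f"{host}: {n} blocked outbound ssh attempt(s)")
    print("review:", hosts_over_threshold(per_host))
```

A single blocked attempt is usually someone forgetting the policy; the same host retrying every few minutes is what the CISO would actually want surfaced, so the threshold and the port are parameters rather than constants. On a real box the input would come from `tcpdump -n -e -ttt -r /var/log/pflog` rather than the embedded string.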

