OT: Dealing with a hosting company with its head up its rear end

Jon Radel jon at radel.com
Fri Aug 14 17:13:25 UTC 2020


On 8/14/20 10:44, Aryeh Friedman wrote:
> On Fri, Aug 14, 2020 at 10:32 AM Jon Radel <jon at radel.com> wrote:
>
>> On 8/14/20 09:48, Aryeh Friedman wrote:
>>> Unless it is 100% air gapped with no ability to plug in portable media
>>> and/or record the screen then nothing is 100% immune from such loss and
>>> thus not allowing it makes very little sense.   If on the other hand the
>>> idea is to limit the damage that malware/spyware can do then it makes
>>> sense (even if someone does in [accidentally] install malware/spyware it can
>>> not send the results of its dirty work anywhere).
>>>
>> Untrue.  As the CISO at my latest employer said to me (paraphrasing
>> some, as it's been a while):
>>
>> You and I know how to circumvent the restrictions, but the vast majority
>> of the staff hasn't a clue.  This cuts down the noise I have to wade
>> through.
>>
> Oh great, security by obfuscation!  Sounds like the CISO missed the first
> day of security 101.    False sense of security is always a bad idea.
>
I'm a bit unclear on how a frank admission that the controls can be
circumvented translates, in your head at least, into a false sense of
security.

The playground is a bit bigger than the technical sandbox where you
appear, and I most certainly am, most comfortable.  The CISO also has to
be comfortable hanging out with the compliance lawyers behind the shed
at the far end of the playground, not to mention keeping HR happy.

If you write a policy document, implement controls that make
"accidental" circumvention of the policy difficult, while still keeping
a close eye on what else the staff is doing, you can:

1.  Reduce the noise of having to track unthinking, largely innocent
violations and endless, tedious discussions about who deserves to be
fired. 

2.  Reduce the plausible deniability of the actual attempts to cause
harm to the company, now that actual "tricky" actions are required to
circumvent controls that give you big warnings in your browser, making
for much better confidence in making termination decisions and/or taking
legal action.

None of this particularly has anything to do with the technology.


>> Actually, better yet, you probably don't want to discuss that on a
>> public list......
>>
> If *YOU* think it doesn't belong on the list just come out and say it.
>
>
You may be under the impression that our interests are aligned on this
one.  Personally, I'd find blow-by-blow updates on how your lawyer
freaks on finding that you are discussing his/her strategy on the
Internet, tidbits on the suit against you claiming tortious
interference by the hosting provider you've been bad-mouthing for days
and have now named, and the general unraveling of your contract, amusing
reading.  (Others here probably feel differently, but they can speak for
themselves--I suspect the sensible ones have already killed this
thread.)  If you think that was a mealy-mouthed way for me to say that
I'd prefer you'd stop discussing this, you'd be most mistaken.  I was
just trying to suggest, given that I'm not malevolent enough to wish all
that on you solely for my amusement, that you consider how much of your
laundry, with some mighty amusing and suggestive stains showing, you
wish to air in public.  That's all.

Oh, and thanks for caring enough to check me out on LinkedIn.  ;-)

-- 
--Jon Radel
jon at radel.com

