OT: Dealing with a hosting company with it's head up it's rear end

Aryeh Friedman aryeh.friedman at gmail.com
Fri Aug 14 17:49:16 UTC 2020

On Fri, Aug 14, 2020 at 1:13 PM Jon Radel <jon at radel.com> wrote:

> On 8/14/20 10:44, Aryeh Friedman wrote:
> > On Fri, Aug 14, 2020 at 10:32 AM Jon Radel <jon at radel.com> wrote:
> >
> >> On 8/14/20 09:48, Aryeh Friedman wrote:
> >>> Unless it is 100% air gapped with no ability to plug in portable media
> >>> and/or record the screen then nothing is 100% immune from such loss and
> >>> thus not allowing it makes very little sense.   If on the other hand
> the
> >>> idea is to limit the damage that malware/spyware can do then it makes
> >>> sense (even if someone does in [accidentally] install malware/spyware
> it can
> >>> not send the results of its dirty work anywhere).
> >>>
> >> Untrue.  As the CISO at my latest employer said to me (paraphrasing
> >> some, as it's been a while):
> >>
> >> You and I know how to circumvent the restrictions, but the vast majority
> >> of the staff hasn't a clue.  This cuts down the noise I have to wade
> >> through.
> >>
> > Oh great security by obfuscation!  Sounds like the CSIO missed the first
> > day of security 101.    False sense of security is always a bad idea.
> >
> I'm a bit unclear on how a frank admission that the controls can be
> circumvented translates, in your head at least, into a false sense of
> security.

If the controls can be circumvented they are essentially useless and
shouldn't be in place in the first place.   Besides anyone who knows what
RDP or SSH is would also know how to circumvent controls designed for
non-technical people so that makes the blocking of them even more short
sighted.   This is what I meant by security by obfuscation (i.e. hiding
obvious truths that everyone with any knowledge knows).

> The playground is a bit bigger than the technical sandbox where you
> appear, and I most certainly am, most comfortable.  The CISO also has to
> be comfortable hanging out with the compliance lawyers behind the shed
> at the far end of playground, not to mention keeping HR happy.

In our case it is also keeping a government agency happy.  And yes we do
deal with that level of decision making since we are the de facto IT dept.

> If you write a policy document, implement controls that make
> "accidental" circumvention of the policy difficult, while still keeping
> a close eye on what else the staff is doing, you can:
> 1.  Reduce the noise of having to track unthinking, largely innocent
> violations and endless, tedious discussions about who deserves to be
> fired.

The very idea that it is about who to fire instead of actually preventing
the issue in the first place is a mindset failure (and one of the primary
reasons why corporate America in general is screwed in the head).

> 2.  Reduce the plausible deniability of the actual attempts to cause
> harm to the company, now that actual "tricky" actions are required to
> circumvent controls that give you big warnings in your browser, making
> for much better confidence in making termination decisions and/or taking
> legal action.

Not the case with doctors who have staff that routinely break HIPAA (not
our problem but there are stores everywhere on it).   No level of "don't do
this" coupled with very hefty government fines stops them.  General
response from doctors is: we don't care.

> None of this particularly has anything to do with the technology.
> >> Actually, better yet, you probably don't want to discuss that on a
> >> public list......
> >>
> > If *YOU* think it doesn't belong on the list just come out and say it.
> >
> >
> You may be under the impression that our interests are aligned on this
> one.  Personally, I'd find blow-by-blow updates on how your lawyer
> freaks on finding that you are discussing his/her strategy on the
> Internet, tidbits on the suit against you claiming torturous
> interference by the hosting provider you've been bad-mouthing for days
> and have now named, and the general unraveling of your contract, amusing
> reading.  (Others here probably feel differently, but they can speak for
> themselves--I suspect the sensible ones have already killed this
> thread.)  If you think that was a mealy mouthed way for me to say that
> I'd prefer you'd stop discussing this, you'd be most mistaken.  I was
> just trying to suggest, given that I'm not malevolent enough to wish all
> that on you solely for my amusement, that you consider how much of your
> laundry, with some mighty amusing and suggestive stains showing, you
> wish to air in public.  That's all.

First there is no active lawsuit or even contemplation of legal action
whatsoever currently from any of the parties (that we know of).

I didn't say anything that is not already public knowledge (it might have
been a little more detailed than normal but it is not anything secret).
(If you cared enough to see that I checked my link in then you might want
to do some research on me to see that none of this was not already public
knowledge [the people that I didn't name were already named by other
sources]).    As to my clients strategy there is nothing I said that is not
already in their marketing material (and I never named the client's company
name, only one of the two vendors we are having issues with).

Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org

More information about the freebsd-questions mailing list