[conspire] About conditioned helplessness

Fri Sep 2 12:45:53 PDT 2011

On Fri, Sep 02, 2011 at 11:54:22AM -0700, Don Marti wrote:
> begin Luke S. Crawford quotation of Fri, Sep 02, 2011 at 01:16:14PM -0400:
> 
> > this problem of a authorized user's workstation getting compromised
> > is a very difficult one to solve.
> 
> The problem of the CFO taking the company checkbook
> when he goes to party at his favorite crack house is
> a hard one to solve.
> 
> Possible solution: have the CFO lock up the checkbook
> in the Accounting Dept. office before going out.
> 
> (Accounting Dept. office: minimal, up-to-date
> workstation with only needed software and minimal
> user privileges.  Crack house: recreational PC with
> Flash, games, adware, etc.)

I think 'crack house' is a poor analogy.   I think in most workplaces,
people expect to be able to watch a youtube video or two on work time,
and really, I think that's reasonable.    

But, okay, everyone at my company uses Linux.   So this would mean 
prohibiting flash and PDF, and enforcing the use of noscript or the
like.  

The easy part is buying employees laptops.   The hard part is saying 
"never use this for personal stuff"   I mean, saying that is easy.   
Enforcing it?  pretty difficult.  

Dono, maybe I'm a bad leader, but I have a hard time convincing 
employees to use ESD precautions.  (Do you use ESD precautions when
dealing with computers?)   That problem is easily enough solved
by doing the hardware work myself;  we've got maybe 60 servers, and 
I dono if it's the ESD or what, but we don't get many hardware problems,
so aside from deciding what parts to use, there really isn't that much
hardware work to be done.

The thing is, whenever you are convincing employees to do something like
this (and it would be convincing;  it's not like I can take root away
from a SysAdmin) you are not going to get 100% compliance.   And even 
100% compliance isn't going to completely protect you from this problem.

I mean, especally as a company that sells itself as a security company,
RSA should not have kept such a big, jucy target in one place, when they
didn't have to. 

What do you think my employees are going to say when I say they can't 
have flash and they can't have PDFs?   I mean, everyone here uses linux,
but have you tried to tell a SysAdmin he can't have something?   

Actually, I am buying people laptops.  I think I might try it.  Honestly, 
I bet it'll go over better than the ESD stuff.  