Re: Wlan @ bestbuy is cleartext?

[Jonathan Bloomquist <bocasolutions () yahoo com>]

--- Valdis.Kletnieks () vt edu wrote:
> On Wed, 01 May 2002 18:21:23 PDT, Jonathan
> Bloomquist said:
> > Corporate IT staff are paid to know better than to
> put
> > insecure technology into production and they need
> to
> > be held accountable if they make such a boneheaded
> > move.
>
> How many corporate networks have dumped Outlook so
> far?

I doubt many have but I wouldn't consider dumping
Outlook a solution to worms either.  Scanning and/or
disallowing attachments with the (in)appropriate
extensions would be a more reasonable reaction.

> How many corporate sites still run IIS because a
> conversion to
> Apache would be even more costly than getting hacked
> every 2 months?

IIS is OK (did I just say that? eww!) if your admins
patch it when updates are released.  This might keep
them pretty busy, of course ...

> It's *quite* possible that at least some of these IT
> staffers did
> the calculation: "Hmm... if we deploy this, we can
> expect $2M/year in
> writeoffs due to guys out in the parking lot with
> pringle-can yagis, but
> we'll save $4M/year, so we'll be ahead anyhow..." 
> It's all trade-offs,
> and nothing news to the big corporations - I'm
> *positive* that the master
> financial plan for Best Buy already has a line item
> for "write off 2.3%
> of all credit card transactions" and that such
> write-offs are a standard
> part of doing business.  They may decide that it's
> easier and cheaper to
> just raise their write-off margin to 2.7% rather
> than fix the problem....

Possibly.  That is a frightening concept - I guess
those types figure if they stick their heads in the
sand the predator can't see them too.

> And factor *THIS* into the equation - let's say that
> Very Large Chain
> Q-Mart decides to run wireless without any security.
>  Perhaps they had
> a *reason*.  Like - if any security is disabled, you
> can deploy devices
> that can hop onto the net without any assistance -
> so it's safe to give
> these handheld scanners/etc to a $7/hour functional
> illiterate.  On the
> other hand, if security is enabled, it's quite
> possible for the device
> to get confused and be unable to talk.  This not
> only means that you've
> just idled the $7/hour worker until it's fixed, it
> means you need to find
> an actual *literate* and *competent* person, who's
> probably costing you
> a lot MORE than $7/hour, to unsnarl the mess and
> figure out what happened.

Yikes.  Until very soon my 9-5 is in the banking
industry and auditors regularly come in and sweat our
users about their security practices.  When they have
findings (which is rare at our site :) IT implements
the fixes.  I cannot even imagine anyone who has data
they consider valuable allowing easy access to their
network simply because it is easier than if it was
secure.  This ia an entirely upside-down philosophy.

That said, you could be right.

__________________________________________________
Do You Yahoo!?
Yahoo! Health - your guide to health and wellness
http://health.yahoo.com