Vulnerability Development mailing list archives

Re: Wlan @ bestbuy is cleartext?


From: Valdis.Kletnieks () vt edu
Date: Thu, 02 May 2002 11:36:07 -0400

On Thu, 02 May 2002 06:02:20 PDT, Jonathan Bloomquist said:

> I doubt many have but I wouldn't consider dumping
> Outlook a solution to worms either.  Scanning and/or
> disallowing attachments with the (in)appropriate
> extensions would be a more reasonable reaction.

Given that a *large* number of worms have leveraged off the inability
of Outlook to keep straight "MIME type" versus "extension", I think
that "blocking based on extension" may not be all that perfect an
idea.  Yes, it will *help*, but so few sites manage to get it right...

> IIS is OK (did I just say that? eww!) if your admins
> patch it when updates are released.  This might keep
> them pretty busy, of course ...

Remember that in large shops, it may take some time to test and convince
yourself that a given patch doesn't break things.  Also remember that
many shops won't rush out and install patches precisely because they've
gotten burnt before - right now there seem to be a number of sites that
have gotten hosed by applying the latest set of Microsoft patches.

> Possibly.  That is a frightening concept - I guess
> those types figure if they stick their heads in the
> sand the predator can't see them too.

They're *NOT* sticking their heads in the sand.  They're making a careful
evaluation of "We will most likely be hit for $2M per year in losses if
we do this, but we'll still come out ahead".

> Yikes.  Until very soon my 9-5 is in the banking
> industry and auditors regularly come in and sweat our
> users about their security practices.  When they have
> findings (which is rare at our site :) IT implements
> the fixes.  I cannot even imagine anyone who has data
> they consider valuable allowing easy access to their
> network simply because it is easier than if it was
> secure.  This is an entirely upside-down philosophy.

Banks have *THEIR* line items for write-offs of bad loans and written-off
credit cards as well - and nobody calls it "sticking their head in the sand"
when they write a loan they know is a bit riskier, after having balanced the
higher interest they're charging against the chance it will end up in their
write-off pile.

And having said "you can't even imagine allowing easy access" - you might
want to ask yourself how much you pay the average teller, and how many
different screens of financial information they are able to get at from their
terminal, and exactly how much check-and-balance you *really* do.
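The point made above about extension-only blocking (a mail client that cannot keep "MIME type" and "extension" straight leaves a filter that looks at only one of them easy to slip past) can be shown in code. The following is an added example written for this archive page, not code from the thread or from any of its posters: a small attachment filter that compares the filename extension, the declared Content-Type and the first bytes of the payload, and blocks a part when any of the three disagree in a way that matters. The deny list, the magic-byte table and the sample message are all constructed for the illustration and are not a complete policy.

```python
import email
import mimetypes
import os
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Assumption: a short illustrative deny list of extensions never accepted inbound.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".vbs", ".js", ".bat", ".cmd", ".com"}

# Assumption: a minimal magic-byte table; a real filter would use a fuller one.
MAGIC = {
    b"MZ": "application/x-msdownload",       # PE / DOS executable
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"%PDF-": "application/pdf",
}


def sniff(data: bytes) -> Optional[str]:
    """Guess a MIME type from leading bytes, ignoring headers and filename."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def classify_part(part) -> Tuple[str, str]:
    """Return (verdict, reason) for one attachment, checking all three signals."""
    filename = part.get_filename() or ""
    ext = os.path.splitext(filename)[1].lower()
    declared = part.get_content_type()            # always lowercase
    payload = part.get_payload(decode=True) or b""
    sniffed = sniff(payload)

    # 1. Extension check alone (what the quoted poster proposed).
    if ext in BLOCKED_EXTENSIONS:
        return "block", "extension %s is denied" % ext
    # 2. Content check: an executable renamed to .jpg still starts with MZ.
    if sniffed == "application/x-msdownload":
        return "block", "PE executable by magic bytes, declared %s, named %r" % (declared, filename)
    # 3. Header vs. extension: a client may pick its handler from either one,
    #    so a disagreement is itself grounds to block.
    guessed, _ = mimetypes.guess_type(filename)
    if guessed and declared != "application/octet-stream" and guessed != declared:
        return "block", "extension implies %s but Content-Type is %s" % (guessed, declared)
    return "allow", "extension, Content-Type and content agree"


def scan_message(raw: bytes) -> List[Tuple[str, str, str]]:
    """Parse a raw RFC 5322 message and classify each attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        verdict, reason = classify_part(part)
        results.append((part.get_filename() or "", verdict, reason))
    return results


def build_sample() -> bytes:
    """Constructed sample message with one honest and three mismatched attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    # Honest PNG: all three signals agree.
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
                       maintype="image", subtype="png", filename="photo.png")
    # Executable disguised by both header and extension; only the bytes tell.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16,
                       maintype="image", subtype="jpeg", filename="holiday.jpg")
    # Plain denied extension.
    msg.add_attachment(b"MZ\x90\x00",
                       maintype="application", subtype="octet-stream", filename="setup.exe")
    # Header says executable, extension says text: disagreement, so blocked.
    msg.add_attachment(b"hello",
                       maintype="application", subtype="x-msdownload", filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for name, verdict, reason in scan_message(build_sample()):
        print("%-12s %-5s %s" % (name, verdict, reason))
```

Run stand-alone it prints one line per attachment; only `photo.png` is allowed. The second attachment is the case the reply is driving at: a filter that trusts the `.jpg` extension, or one that trusts the `image/jpeg` header, passes a PE binary, and only the content check catches it.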
