--- Valdis.Kletnieksat_private wrote:

> On Wed, 01 May 2002 18:21:23 PDT, Jonathan Bloomquist said:
> > Corporate IT staff are paid to know better than to put
> > insecure technology into production and they need to
> > be held accountable if they make such a boneheaded move.
>
> How many corporate networks have dumped Outlook so far?

I doubt many have but I wouldn't consider dumping Outlook a solution to worms either. Scanning and/or disallowing attachments with the (in)appropriate extensions would be a more reasonable reaction.

> How many corporate sites still run IIS because a conversion to
> Apache would be even more costly than getting hacked every 2 months?

IIS is OK (did I just say that? eww!) if your admins patch it when updates are released. This might keep them pretty busy, of course ...

> It's *quite* possible that at least some of these IT staffers did
> the calculation: "Hmm... if we deploy this, we can expect $2M/year in
> writeoffs due to guys out in the parking lot with pringle-can yagis, but
> we'll save $4M/year, so we'll be ahead anyhow..." It's all trade-offs,
> and nothing new to the big corporations - I'm *positive* that the master
> financial plan for Best Buy already has a line item for "write off 2.3%
> of all credit card transactions" and that such write-offs are a standard
> part of doing business. They may decide that it's easier and cheaper to
> just raise their write-off margin to 2.7% rather than fix the problem....

Possibly. That is a frightening concept - I guess those types figure if they stick their heads in the sand the predator can't see them too.

> And factor *THIS* into the equation - let's say that Very Large Chain
> Q-Mart decides to run wireless without any security. Perhaps they had
> a *reason*. Like - if any security is disabled, you can deploy devices
> that can hop onto the net without any assistance - so it's safe to give
> these handheld scanners/etc to a $7/hour functional illiterate. On the
> other hand, if security is enabled, it's quite possible for the device
> to get confused and be unable to talk. This not only means that you've
> just idled the $7/hour worker until it's fixed, it means you need to find
> an actual *literate* and *competent* person, who's probably costing you
> a lot MORE than $7/hour, to unsnarl the mess and figure out what happened.

Yikes. Until very soon my 9-5 is in the banking industry and auditors regularly come in and sweat our users about their security practices. When they have findings (which is rare at our site :) IT implements the fixes. I cannot even imagine anyone who has data they consider valuable allowing easy access to their network simply because it is easier than if it was secure. This is an entirely upside-down philosophy. That said, you could be right.
This archive was generated by hypermail 2b30 : Thu May 02 2002 - 09:43:53 PDT