Re: The new normal
As someone who values their online privacy, I appreciate the laws and avoid companies that fail to comply with the law.
I also block around 2.5 million tracking websites that fail to comply with the mandatory opt-in.
6775 publicly visible posts • joined 27 Nov 2009
It seems most companies write policies based on their own HQ jurisdiction and often don't consult or don't listen to local lawyers.
Even Apple got caught out with OS X retail boxed sets in Germany. They tried to sue users who bought the retail box and installed it on home-built PCs. It didn't go very well: the court pointed out that the terms and conditions regarding installing it on Apple branded devices were inside a shrink-wrapped box, which the purchaser couldn't read at or before the point of sale, therefore the terms and conditions were null and void - under German consumer law, you cannot apply any additional terms and conditions not known at the point of sale / point of sign up (contracts or online services).
I think this is great and wholeheartedly support the initiative.
I was following the initial steps on Twitter last week.
I have been in a (non-sexual) abusive situation in IT, not specifically security, and have seen 3 or 4 of my colleagues have to leave with a nervous breakdown. I managed to get out before it got that bad, but it was still detrimental to my physical and mental health.
At another company, in the UK, back in the 90s (I posted this a couple of weeks back as well), we were working late one night, when the big boss came in and told us to leave, immediately. Sod the customer deadline of tomorrow, he'd deal with that, just go, NOW!
Turned out, one of the lesser managers had gone up to his secretary, opened his trousers and asked her what she could do with its contents. Good for her, she called her boss for a second opinion. Good for him, he dealt with the situation directly and without any nonsense: he got everybody out, then marched said lesser manager to his desk, he collected his personal possessions, handed in his ID card and was gone... I have no idea what the guy told his fiancée when he got home.
That is how (upper) management should deal with this. No tolerance. I hope, in Lisa's case, she reported the incident to the CEO and HR department of the guy's employer and that he was dealt with swiftly. I have absolutely no idea how these guys even think they can get away with such behaviour. It is utterly reprehensible.
Yes, it looks like it was the 3 wheels and weight that were the key factors, at least in the post 1963 time frame. Until that date, the motorbike license required that the vehicle didn't have a reverse gear, so the Regal through to the Mk VI, I believe, didn't have reverse, after that, it was available.
The Bond Minicar was also fascinating, like a Regal, but more round and with a stretched bonnet. But the Bug was the most futuristic.
The Morgans and the Bucklands were 2 front wheels, 1 rear, and comparatively low, which gave them much more stability and good handling in the corners.
The Messerschmitt was even better. You turned off the ignition, then started the motor in the other direction, meaning you had 4 reverse gears!
The Isetta also, had a Robesto roof as an option, so you could roll it back and climb out the top. That or ask a passer-by to give you a little shove backwards.
As Paul said, without a reverse gear, it counted as a motorbike, so anybody with a bike license could drive it, without having to get a car license. Also, the road tax for motorbikes was less.
Hence the Reliant Supervan, and later, the Robin and Rialto and the Bond Bug - they were a hoot, or the Morgan 3-wheeler, a friend of my father's started a business selling replicas (Buckland).
Possibly because of the anonymity. If they are pushing from their own, Israeli based IP address, it might look a bit fishy and is easy to trace.
Just another anonymous AWS/Google Cloud/Azure IP address going through your firewall? Easy to overlook and harder to block.
Also, Parler could have enacted safeguards to ensure that they stayed within the bounds of the T&Cs, so they were given a chance to clean up their act, before being dumped.
NSO's raison d'être is to push malware out to unsuspecting Internet users. That is illegal in most jurisdictions (misuse of computer acts around the world), at least without a warrant, and I very much suspect the French justice system didn't give the Moroccans, for example, a warrant to tap Macron's phone.
So, yes, criminal liability.
I used to work for a company that sold industrial terminals. We regularly had them back for repair for abuse - mainly the butchers on the meat production lines trying to operate the terminals with the point of their knives...
But one came back after a forklift driver tried to "operate" the terminal with the prongs of the forklift. (He was careless and drove straight into the terminal, pushing the LCD display out the back of the stainless steel terminal cabinet.)
I have a couple of such power blocks here, at home. If the PC power drops below a couple of Watts, it powers everything else down.
I made the mistake of plugging my laptop into it... When the battery is full, the charger pretty much shuts down for a few minutes (less than 1W draw), until the battery has lost 1 - 2%, then it starts up again... Very annoying when the external monitor keeps turning off mid sentence!
Very true. We are an IT department of 4, 2 of us have formal training in IT.
That said, there is nothing wrong with pointing out how things should be done. I still learn things from reading other readers thoughts on subjects, and it is one of the reasons why I offer up my experience.
Setting the policy takes 2 minutes, if the admin is experienced. If they aren't, the step-by-step way of setting up the policy shouldn't take more than 10 minutes or so, and if it is their first policy, maybe it will be an insight into what can be achieved and spur them on to learn more about how policies can make things safer and save the admin time.
"Our IT department is a one-man-band," is no excuse for ignoring security warnings; in fact, it is probably more important, because (s)he won't have the time or resources to fix things quickly if they go wrong.
Not really. I think we get maybe half a dozen requests a week to access and convert an attachment. That over a company with in excess of 300 employees and tens of thousands of emails in- and outbound.
All users' Office installations are set-up to use Open XML documents as standard, when saving documents.
Likewise, a majority of external contacts use PDF most of the time. Unless you need to collaborate on a document, you shouldn't be sending the original format. As most of ours is commercial, it has to be PDF or signed PDF.
Then Office will refuse to open the file, because the contents are "corrupt".
Luckily renaming a file back to the correct extension is beyond most of our users.
And there is the AV software. But why rely solely on the AV software and user training, when you can stop a majority of the malware from even getting through the door?
Looking at the screenshots, I was surprised by how old-fashioned it looks and how much of the screen is taken up with toolbars and menus.
I'm not sure, if, for the screenshots, every possible toolbar was turned on, or whether that is the default, but it really put me off. It really looks like it comes from the Land that UI Design forgot, which is a real shame, because for people who aren't beholden to MS file-formats, it is a great product.
We strip off the attachments before they even reach the user's inbox. If it contains an old format Office file, or a zip file, among many others, including the macro variants of the new formats, the attachment is simply removed.
The IT department can see the attachments and we often have to convert them to the new formats and send them on to the users. But we prefer that the users contact their email partner and inform them that the format is unsafe and does not arrive.
Microsoft recommends not using the older formats.
As well as formatting and features being stripped out of documents, when they are saved, the formats are also insecure. There are many known malware strains that use old Office formats as an infection vector.
Our policy automatically rejects any attachments with .zip files, .doc, .xls, .ppt etc. and the new formats xlsm, docm etc. New formats, without macros, are the only ones allowed through the filter.
The new formats aren't 100% secure, but it is more manageable and you have to draw the line somewhere - like still allowing the dreaded PDFs through, as they are pretty much the de facto standard.
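The filtering policy described in the two posts above (reject legacy Office formats, zip archives and the macro-enabled Open XML variants; allow macro-free Open XML and PDF) and the earlier remark that a renamed file makes Office refuse to open it can be illustrated with a small content-sniffing filter. This is an added example and not the poster's code or their mail gateway's configuration; the block, allow and magic-byte lists, the `vbaProject.bin` check and all sample attachments are assumptions constructed for the demonstration. It goes one step beyond the posts by classifying attachments on their bytes rather than their name, so a `.doc` or `.docm` renamed to `.docx` is still removed.

```python
import io
import os
import zipfile

# Magic bytes for the container formats the policy distinguishes
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt (Compound File)
ZIP_MAGIC = b"PK\x03\x04"                         # plain .zip and every Open XML document
PDF_MAGIC = b"%PDF-"

# Extension lists are constructed to follow the posts; adjust to local policy
BLOCKED_EXTENSIONS = {".zip", ".doc", ".xls", ".ppt", ".docm", ".xlsm", ".pptm"}
ALLOWED_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf"}


def sniff_type(data: bytes) -> str:
    """Classify an attachment by its content, ignoring the filename."""
    if data.startswith(OLE2_MAGIC):
        return "legacy-office"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "unknown"
        if "[Content_Types].xml" not in names:
            return "zip"  # an ordinary archive, not an Open XML package
        # docm/xlsm/pptm keep their VBA project in a vbaProject.bin part
        if any(os.path.basename(n).lower() == "vbaproject.bin" for n in names):
            return "office-macro"
        return "office-openxml"
    return "unknown"


def verdict(filename: str, data: bytes) -> tuple:
    """Return ("deliver" | "remove", reason) for one attachment."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff_type(data)
    if ext in BLOCKED_EXTENSIONS:
        return ("remove", f"extension {ext} is on the block list")
    if kind in ("legacy-office", "zip", "office-macro"):
        return ("remove", f"content is {kind} regardless of the {ext} name")
    if ext not in ALLOWED_EXTENSIONS:
        return ("remove", f"extension {ext} is not on the allow list")
    expected = "pdf" if ext == ".pdf" else "office-openxml"
    if kind != expected:
        return ("remove", f"{ext} name does not match {kind} content")
    return ("deliver", f"{kind} with matching extension")


def _build_openxml(with_macro: bool) -> bytes:
    """Constructed minimal Open XML package, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


def _build_plain_zip() -> bytes:
    """Constructed ordinary archive with no Open XML content types part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample")
    return buf.getvalue()


# Constructed sample attachments, including two renamed to look harmless
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n%constructed sample\n",
    "report.docx": _build_openxml(with_macro=False),
    "report.docm": _build_openxml(with_macro=True),
    "renamed_macro.docx": _build_openxml(with_macro=True),
    "old_format.doc": OLE2_MAGIC + b"\x00" * 64,
    "old_renamed.docx": OLE2_MAGIC + b"\x00" * 64,
    "archive.zip": _build_plain_zip(),
}


def filter_all(samples: dict) -> dict:
    """Run the policy over every sample and return name -> decision."""
    return {name: verdict(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        action, reason = verdict(name, data)
        print(f"{name:20s} {action:8s} {reason}")
```

Only `invoice.pdf` and the macro-free `report.docx` are delivered; both renamed files are caught by the magic-byte check even though their `.docx` extension is on the allow list.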
If it is unlawful, report it to the police. If it is breaking "company" policy, report it internally.
Selling it to the newspapers is not the answer, well, apart from quickly lining one's pockets.
It is a difficult one, yay, wrong-doing brought to light. Boo, misuse of power to obtain the images and sell them to the highest bidder. Two wrongs don't make a right and all that.
So, good that Matt Hancock is out, but how are you going to trust the people in the CCTV control room ever again, to do their job properly?
The kit was end of support in 2015. That meant, it had been supported for however many years and was then end of lifed in 2015, so probably a few years after it went out of production.
They didn't stop selling it in 2015, they stopped selling support and providing updates in 2015, so I'm guessing the kit is at least 8 to 10 years old.
And, at the end of the day, of course they are hoping that the customers will accept the goodwill gesture and buy new equipment from them, but they won't not give it to them or suddenly give them an invoice, if they go elsewhere.
And, if the customers are unhappy with the length of time the kit is supported, they should absolutely go elsewhere and look for kit with better support. But, if it is on the Internet (and doubly so, if it is providing your security perimeter), it needs to be in support and regularly patched! If it isn't in support and it isn't patched, you might as well stick up a sign saying "Fire Sale!" or "all you can eat buffet."
Every product has an end of life, especially in security, where ever more horsepower is required to cope with actual threats.
It is annoying that the kit gets too slow and under-powered to keep up, but that has been the IT way for over 40 years.
The question is, if people know the device that is keeping their network safe hasn't, itself, been safe for over half a decade, why is it still even online?
It is a pain, but a fact of life, that threats keep improving and the security hardware has to constantly play catch-up. I don't like it, but I have to keep my company protected, so I have to calculate in the regular maintenance and replacement of security kit...
What? They are offering a free workaround until the customers can sort out a supported solution - either from SonicWall or from somewhere else.
At least they are a) informing their customers and b) offering them a virtual solution to replace old kit that is out of support.
I don't know what more they could do? If the kit is so old that it can't be upgraded (and in one case for over half a decade), why are the devices even still in use?
We are talking about front-line security here, not an ancient CNC machine on the production line that can be isolated from the network, once it is out of support.
writing this article...
That about sums up everything I've done, although I started earlier and I went for a private email domain and PGP.
I never used GMail, well, I have an account, but I only ever used it to sign up to spammy or dodgy looking services. No "real" email ever goes through it.
The question is, who do you trust more? Microsoft and the NSA or the Russian and Chinese malware authors that control your employees' home networks?
I don't trust either, but I'd be happier with a "controlled" environment accessing my corporate resources than an uncontrolled environment.
It would be better if that was a hosted vPC in a local data centre, with no connections to the USA.
I wouldn't feel comfortable putting holes in my local firewall for untrusted devices to connect to local instances.
It is a trade-off, you have to take a risk somewhere along the line. As long as the Data Protection Officer is happy that everything possible has been done to ensure everything is secure to the best available standards...
It means your employer doesn't need to provide you with a laptop for home office; they can argue that you have a PC or tablet at home and can connect via that.
Letting private devices onto the corporate network is a big no-no in many sectors and providing home office users with a dedicated laptop is expensive, and, because it is also running on the home network, it is vulnerable to attacks from poorly configured devices on the home network.
Making the employee connect to a corporate image in the cloud (hopefully firewalled within the M365 instance) means that the vPC is secure (well, more secure than letting the user's malware-riddled private device through the corporate VPN or a laptop on the user's network), can't be attacked by a malware-infested device on your home network, it contains all the corporate (licensed) software, so no licensing problem or missing software, and it means that it is under corporate group policies.
And if there is a problem, support can quickly bin the current vPC and roll a new one within minutes, instead of having to get the laptop delivered back to the office, reformatted, re-installed and delivered back to the user.
But if it happens, hey, well, if we don't notice it...
Logitech webcams went from around 50€ - 80€ to over 500€ in some instances, if they were available at all. The same for headsets, we were buying them and each new order was a lesser model for more than the previous higher end model.
We just didn't buy any webcams for our users for the first 6 months. But headsets were, unfortunately, a necessity.
Given the number of large fines handed out to local (EU) companies, compared to the number Google & Co. have received, I would say that US Big Tech still gets off relatively lightly.
Given the number of companies and government departments that receive fines or sanctions, US Big Tech just grabs the big headlines.
This is usually because the smaller companies can't afford the fines or the bad publicity, so they cooperate with the regional or national DPOs to remedy the situation and tighten up their practices. If they cooperate and are contrite, the fines are smaller. US Big Tech tends to try and bluster it out and therefore make more press than those that comply and, because they don't cooperate, but try and lawyer their way out of the situation, they end up with bigger, headline grabbing fines.
It is supposed to get companies to take data protection seriously and to put in place security and procedures to ensure the data is safe. If they don't comply, they will face heavy fines, which are more expensive than doing things right in the first place.
It also ensures that all those affected by a data breach are informed in a timely manner.
At the companies I've worked for, it has generally worked well.
Lots of things still use serial.
We have a lot of lab equipment, specialist printers (legacy kit from the early 90s, a replacement costs upwards of 80,000€), production line equipment.
In the meat processing industry, things like the Fat-O-Meter (yes, a real thing) are often still serial based.
Simple, secure, reliable. If the cable breaks or there is a dodgy connection, the electrician can patch it quickly or rewire a new cable.
I agree.
A friend of mine switched his company over to an AutoCAD server, instead of individual workstations, about 6 months before COVID hit.
Up to 12 engineers can work off the server, which has multiple mid-range nVidia Quadro cards stuck in it and 4 Xeons and 512GB RAM and a dedicated SAN. It means all the configuration and high end kit is central, the users only need a relatively basic PC on their desks.