Our corporate system is just being upgraded (that's the one that handles sales, order tracking, stock, all the trivial stuff...). This is an upgrade of the current application, from the current supplier, not a change to a totally different system.

This email just went out to everybody in the company:

Please note that a conversion of our company data has just been started.

It is very important that no-one accesses <bad_application>. Even opening the <bad_application> main screen but not logging in WILL cause the conversion to fail and it will have to be restarted.

Any program that accesses <bad_application> such as Excel, Access and other bespoke programs must not be used until further notice.

I don't know which is the worst WTF, that the system is so flaky, that it can't read its own previous database, or that the IT department can't work out how to lock out the users.

 

SenTree:

I don't know which is the worst WTF, that the system is so flaky, that it can't read its own previous database, or that the IT department can't work out how to lock out the users.

the IT department is a head above the rest in terms of WTF

belgariontheking:

 

SenTree:

I don't know which is the worst WTF, that the system is so flaky, that it can't read its own previous database, or that the IT department can't work out how to lock out the users.

the IT department is a head above the rest in terms of WTF

This is a universal truth.

 I've escaped and actually write code, not powerpoint.

 

belgariontheking:

 

SenTree:

I don't know which is the worst WTF, that the system is so flaky, that it can't read its own previous database, or that the IT department can't work out how to lock out the users.

the IT department is a head above the rest in terms of WTF

I thought so. This is the guy (there's only the one) who refused to provide a remote login for the one developer who wanted to work from home, 'because it's impossible to make it secure'. I have no admin experience, but I'm sure I could make a fairly good job of that after RTFM ! I guess it helps that his daddy is one of the company directors. Oh well, I can always amuse myself by requesting a Linux box (that being something else he'll never get his head round) ...

SenTree:

belgariontheking:

 

SenTree:

I don't know which is the worst WTF, that the system is so flaky, that it can't read its own previous database, or that the IT department can't work out how to lock out the users.

the IT department is a head above the rest in terms of WTF

I thought so. This is the guy (there's only the one) who refused to provide a remote login for the one developer who wanted to work from home, 'because it's impossible to make it secure'. I have no admin experience, but I'm sure I could make a fairly good job of that after RTFM ! I guess it helps that his daddy is one of the company directors. Oh well, I can always amuse myself by requesting a Linux box (that being something else he'll never get his head round) ...

 

Heres the deal... Theres no "TRUE" way to make a remote desktop secure. You can follow procedure BUT on your home computer you can browse any website you want which can install a virus which can track your key strokes. They don't have to crack encryption, they just have to see what you type. Because at work you have a good anti-virus (at least good enough) and anti-spyware and ant-malware and firewall and inability to browse to certain "bad" websites (the ones that will make your company run out of Xs) you are much less likely to have a virus. Also at work there is an IT department just incase they see anything suspicious going on with your machine.

At home you got none of that. Maybe a free anti-virus or windows firewall. In the end if the want to get ultra paranoid the best choice is laptops with VPN access. They control the laptops and can check what sites you browse and install w/e they want on em.

dlikhten:

You can follow procedure BUT on your home computer you can browse any website you want which can install a virus which can track your key strokes.

 

What the hell are you talking about?? Are you referring to all the people running unpatched IE 5 installs on Windows 98? Seriously, when was the last time this happened to someone who didn't deserve it?

dlikhten:

Also at work there is an IT department just incase they see anything suspicious going on with your machine.

Do you think the IT departments sit around all day looking for keyloggers? 

dlikhten:

At home you got none of that.

Speak for yourself. 

dlikhten:

Maybe a free anti-virus or windows firewall.

Which is all most people would need...

dlikhten:

In the end if the want to get ultra paranoid the best choice is laptops with VPN access. They control the laptops and can check what sites you browse and install w/e they want on em.

This doesn't even begin to make sense.

 

Did you smoke extra crack this morning?

MasterPlanSoftware:

Did you smoke extra crack this morning?

Actually, I think it was Crack Xtra™, infused with ginseng and taurine to keep you energized all day!

 

I was going to berate him for this nonsense but you seem to have done quite an acceptable job. 

dlikhten:

Because at work you have a good anti-virus ... you are much less likely to have a virus.

 

That isn't quite accurate.  In the general case with the "average" computer user, then yes I agree.  But for the "technically proficient", no so much.  (Hard part is convincing the IT dept that you can be trusted).  I've had a total of 1 virus on my home computer in the last 8 years.  And at least 5 outbreaks at work.

dlikhten:

Heres the deal... Theres no "TRUE" way to make a remote desktop secure. You can follow procedure BUT on your home computer you can browse any website you want which can install a virus which can track your key strokes. They don't have to crack encryption, they just have to see what you type. Because at work you have a good anti-virus (at least good enough) and anti-spyware and ant-malware and firewall and inability to browse to certain "bad" websites (the ones that will make your company run out of Xs) you are much less likely to have a virus. Also at work there is an IT department just incase they see anything suspicious going on with your machine.

At home you got none of that. Maybe a free anti-virus or windows firewall. In the end if the want to get ultra paranoid the best choice is laptops with VPN access. They control the laptops and can check what sites you browse and install w/e they want on em.

 

Yeah, we started with locked down corporate laptops, but they're a nightmare to manage.  What we've moved onto is an SSL VPN with one time passwords sent to the users mobile phone.  Sure it's not perfect, but it's under a grand to install and means malware from the remote machine has no way onto the corporate network, and even if somebody has a keylogger it's not going to grant them access to the network. 

The only risk is of data theft from the network, but we're not overly worried about that here.  Any user could e-mail out pretty much whatever they felt like anyway.

I'll admit it's a bit weird when you start from the assumption that you *want* employees to be able to work from a virus infested machine, but once you've gotten over the initial shock it's proving to be a very useful tool for our staff.

morbiuswilters:

I was going to berate him for this nonsense but you seem to have done quite an acceptable job

Crap I forgot my tag! Thanks for the reminder!

MasterPlanSoftware:

dlikhten:

You can follow procedure BUT on your home computer you can browse any website you want which can install a virus which can track your key strokes.

 

What the hell are you talking about?? Are you referring to all the people running unpatched IE 5 installs on Windows 98? Seriously, when was the last time this happened to someone who didn't deserve it?

No, I am referring to the fact that people who work often have kids who install some crap their friend downloaded from bit torrent which might contain a key logger. You don't need to break the VPN encryption of the remote desktop communication protocols and encryptions, just log the keys.

MasterPlanSoftware:

dlikhten:

Also at work there is an IT department just incase they see anything suspicious going on with your machine.

Do you think the IT departments sit around all day looking for keyloggers? 

No, but it makes the company "feel" more secure to management/sysadmins.

MasterPlanSoftware:

dlikhten:

At home you got none of that.

Speak for yourself. 

What I meant is: At home you don't have the same level of protection you have at work. At least not MOST people. Sure YOU might have a great setup, but not all programmers are good (as we know from this site) and the bad ones don't always know what they are doing administering even their own machine.

MasterPlanSoftware:

dlikhten:

Maybe a free anti-virus or windows firewall.

Which is all most people would need...

I agree. However the free versions often don't have all the features like firewall and anti-spyware. I use windows defender and spybot against spyware. Works rather nicely

MasterPlanSoftware:

dlikhten:

In the end if the want to get ultra paranoid the best choice is laptops with VPN access. They control the laptops and can check what sites you browse and install w/e they want on em.

This doesn't even begin to make sense.

If the company is paranoid about hackers using remote connection to infiltrate the company, offer laptops as you know exactly what is on the laptop and who uses it.

MasterPlanSoftware:

Did you smoke extra crack this morning?

 

I don't smoke crack. I inject it directly into my eyeballs.

myxiplx:

Yeah, we started with locked down corporate laptops, but they're a nightmare to manage.  What we've moved onto is an SSL VPN with one time passwords sent to the users mobile phone.  Sure it's not perfect, but it's under a grand to install and means malware from the remote machine has no way onto the corporate network, and even if somebody has a keylogger it's not going to grant them access to the network. 

The only risk is of data theft from the network, but we're not overly worried about that here.  Any user could e-mail out pretty much whatever they felt like anyway.

I'll admit it's a bit weird when you start from the assumption that you *want* employees to be able to work from a virus infested machine, but once you've gotten over the initial shock it's proving to be a very useful tool for our staff.

 

1) Paranoia is expencive to maintain, and is often a maintenence nightmare.

2) The benefits often outweigh the risks which you can minimize anyways. Companies can require that anyone logging into VPN has certain free or provided by company anti-virus/firewall/spyware software installed.

dlikhten:

No, I am referring to the fact that people who work often have kids who install some crap their friend downloaded from bit torrent which might contain a key logger. You don't need to break the VPN encryption of the remote desktop communication protocols and encryptions, just log the keys.

 

Then obviously the WEBSITE ISN'T THE ONE INSTALLING THE KEYLOGGER then. 

dlikhten:

No, but it makes the company "feel" more secure to management/sysadmins.

You still make no sense. 

dlikhten:

At home you don't have the same level of protection you have at work.

Right. I have more.

dlikhten:

but not all programmers are good (as we know from this site) and the bad ones don't always know what they are doing administering even their own machine.

Ok, so there are stupid people in the world. Whats your point again? Stupidity will always result in a lack of security.

dlikhten:

free versions often don't have all the features like firewall and anti-spyware.

Then stop being a cheapskate and go buy a copy. This is like pouring what you have around the house into your gas tank and complaining the car doesn't run as well as on gasoline...

dlikhten:

I use windows defender and spybot against spyware. Works rather nicely

If you need anything more than just Windows Defender, you have issues that I cannot begin to get into.

dlikhten:

If the company is paranoid about hackers using remote connection to infiltrate the company, offer laptops as you know exactly what is on the laptop and who uses it.

That doesn't provide any additional security. Not even a slight amount. That is just an argument someone uses to get their company to give them a laptop.

dlikhten:

I don't smoke crack. I inject it directly into my eyeballs.

Well either way, please don't give security advice to people.

dlikhten:

1) Paranoia is expencive to maintain, and is often a maintenence nightmare.

 

I will assume you actually mean 'security' and no it is not expensive or difficult to maintain if you know what you are doing.

dlikhten:

Companies can require that anyone logging into VPN has certain free or provided by company anti-virus/firewall/spyware software installed.

The fact that you keep mentioning 'free anti-virus' scares me.

MasterPlanSoftware:

I will assume you actually mean 'security' and no it is not expensive or difficult to maintain if you know what you are doing.

No, I mean paranoia. Security is necessary and not too expencive if you know what you are doing, no question there. If you want to get paranoid AND/OR not know what you are doing, thats when the expenses pile up and you get counter-productive policies. As it seems to be the case with the guy who I made the original reply to.

MasterPlanSoftware:

The fact that you keep mentioning 'free anti-virus' scares me.

 

There are free editions of Avast anti virus and AVG for personal use. You don't get any tech support from em, just updates, and an inferior UI, but the main anti-virus functionality works exactly as it would with the paid version.

 

MasterPlanSoftware:

Then obviously the WEBSITE ISN'T THE ONE INSTALLING THE KEYLOGGER then. 

Who cares HOW it got on the home computer, it just did. The important point is YOU DONT WANT THAT CRAP COMPROMISING YOUR COMPANY JUST CAZ SOME EMPLOYEE'S KID INSTALLED SOMETHING.

MasterPlanSoftware:

dlikhten:

At home you don't have the same level of protection you have at work.

Right. I have more.

Right... YOU have more. Not everyone else.

MasterPlanSoftware:

dlikhten:

but not all programmers are good (as we know from this site) and the bad ones don't always know what they are doing administering even their own machine.

Ok, so there are stupid people in the world. Whats your point again? Stupidity will always result in a lack of security.

So you want a stupid employee compromising your multi-million dollar company because of the porn he surfs at home and lack of AV software?

MasterPlanSoftware:

dlikhten:

free versions often don't have all the features like firewall and anti-spyware.

Then stop being a cheapskate and go buy a copy. This is like pouring what you have around the house into your gas tank and complaining the car doesn't run as well as on gasoline...

No.

MasterPlanSoftware:

dlikhten:

I use windows defender and spybot against spyware. Works rather nicely

If you need anything more than just Windows Defender, you have issues that I cannot begin to get into.

Thats just more MasterPlanSoftware FUD.

MasterPlanSoftware:

dlikhten:

If the company is paranoid about hackers using remote connection to infiltrate the company, offer laptops as you know exactly what is on the laptop and who uses it.

That doesn't provide any additional security. Not even a slight amount. That is just an argument someone uses to get their company to give them a laptop.

I would rather not get a company laptop. In any case you are mostly right on this point. Moving on.

 

dlikhten:

You don't get any tech support from em, just updates, and an inferior UI

 

Right, which would disqualify it from any kind of corporate use, which is what we are discussing here...

dlikhten:

Who cares HOW it got on the home computer, it just did. The important point is YOU DONT WANT THAT CRAP COMPROMISING YOUR COMPANY JUST CAZ SOME EMPLOYEE'S KID INSTALLED SOMETHING.

 

But your original statement that I objected to was about WEBSITEs being able to install keyloggers. I don't think you are even paying attention here are you?

dlikhten:

Right... YOU have more. Not everyone else.

Right, but again, you have no point here. There are clearly cheap and easy ways to defend your household against internet attacks. If you fail to do so it is no one's fault but your own.

dlikhten:

So you want a stupid employee compromising your multi-million dollar company because of the porn he surfs at home and lack of AV software?

How does one have to do with the other? I don't think you have any clue what you are talking about here.

dlikhten:

No.

Ok, with an answer like that, at least no one will mistakenly take you serious about anything security related. Mission accomplished there I guess.

dlikhten:

Thats just more MasterPlanSoftware FUD.

Right. Except I can back it up. I practice exactly what I preach there, and have many users that I administer the same way. Never had a problem.

The fact that you click on every flashy ad on every porn or warez site you visit necessitates your extra anti-spyware applications. I cannot even remember the last time I was even offered spyware.

dlikhten:

There are free editions of Avast anti virus and AVG for personal use. You don't get any tech support from em, just updates, and an inferior UI, but the main anti-virus functionality works exactly as it would with the paid version.

 

Ah, because the updates aren't about a day slower (sometimes) and AVG doesn't totally suck ass
I'd recommend NOD32 for personal use (very fast & light footprint; great heuristic detection; almost no false positives, I've actually witnessed the first one in 4 years yesterday). Kaspery is good too, but a little bit heavier. For business you could also use Sophos, but I don't think they have very good consumer products.
Also, your keylogging argument is no good. Good VPN's use a 2-tier-authentification system. Ie the mobile phone system mentioned earlier. A hospital I've worked with uses some sort of buzzer which gets a (every 5 minutes changing) keycode. It's actually a seperate service next to GSM provided by the biggest telco of my country (KPN). Cmiiw, on the first part, I'm pretty sure KPN is the largest.

MasterPlanSoftware:

The fact that you click on every flashy ad on every porn or warez site you visit necessitates your extra anti-spyware applications. I cannot even remember the last time I was even offered spyware.

I do, but I classify Google Toolbar & co. as spyware.