Re: How to access I/O port directly in VC6.0?



"Joseph M. Newcomer" <newcomer@xxxxxxxxxxxx> wrote in message
news:a0c8k3lkjtkbdashqfhiarm54ukj7ju4ni@xxxxxxxxxx
As soon as you have standalone machines, the picture changes. But they also have to be protected against sneakernet malware.

One thing I would NEVER rely on is someone saying "multinational company X uses our product". What that means is that someone in the hundreds of thousands of employees bought and used their product (in some cases, only bought), perhaps in a very restricted context, perhaps even their research division. I know this because I have worked with several multinationals, worked with the research division in one case, and know that what one individual does would not represent corporate policy. And yes, not only are a lot of IT managers naive, some of them are downright stupid. One multinational had, as their corporate policy, that all NT machines would run the FAT file system "because it is more secure". I kid you not, this was an actual policy IN WRITING. Of course, in the research division we laughed our heads off about this, and everyone immediately did a "dconvert" to convert to NTFS. Their "security" as far as servers was a joke; research ran its own servers, which WERE secure, including VPN access, but the corporate servers in the same room were not--they ran FAT file systems, of course, but the network security was a joke, and no one could convince the IT types that they were wide open. I could tell many other stories about how their secured routers weren't, their secured servers weren't, etc., but here's a classic: When a coffeehouse down the street installed free Wi-Fi, it was discovered the internal wireless network was completely unencrypted. This research division was working on the next generation product, and not only was the wireless network unencrypted, one of our research people got into the corporate servers using anonymous FTP from his wife's laptop, sitting in the coffeehouse one evening, just to prove it could be done! So yes, not only are they naive, they are in many cases so irresponsible that when the security breaches finally occur, the only sane corporate response should be to fire them immediately for malfeasance, misfeasance, and/or nonfeasance. Or just being stupid and naive.

So I would never place any faith in the competence of many multinational IT managers! I've seen at least three examples of total failure on their part.

No doubt you have valid security knowledge, but the fact that you refuse to
use Microsoft MSDN subscriptions and Connect because they require a
Passport/Live account, and also brag about triple firewalling your systems
makes you an extremist in the opposite direction. As such, I'm not sure
just how practical your recommendations are, which is a pity.

-- David

