
Re: [LUG] Conficker borks London council

 

Rob Beard wrote:
> Martijn Grooten wrote:
>> On Fri, Sep 4, 2009 at 7:15 PM, Rob Beard wrote:
>> 
>> I won't go into the debate whether if everyone used Linux there'd be
>> fewer viruses, but if someone can make so much damage by plugging in
>> an infected USB stick, then something more serious is the matter than
>> "wrong operating system" or even "viruses are just really bad". Why
>> did the IT security policy enable that person to plug the
>> infected stick in the first place?

Nah an infected stick is just a sign of bad IT practices elsewhere.

That it caused problems is the issue.

USB sticks are useful, and I think the idea one can micromanage data
down to every last bit is living in the past of IT. Sure there are IT
systems that can do that kind of micromanagement, and there are
situations where it is appropriate (nuclear weapon design for example).
But council housing departments?

> You'd have thought though that it would be IT policy that all USB
> devices are banned from being used, or at least make it the policy that
> only council provided USB devices could be used and not on anything
> other than council machines (but I guess with a network it would in most
> cases mean that USB mass storage devices would be pointless - albeit
> handy for sending large amounts of data to remote sites with slow links
> I guess).

Mount with noexec, nosuid, nodev (oh damn wrong operating system).

But there are ways and means to manage policy like this with Windows,
Novell do some excellent tools, but it is hard work rather than the default.

I note on Linux only nosuid and nodev are usually the default for this
sort of thing, which would still allow malware to spread as the current
user if they clicked the wrong icon.

But the XP upgrade sounds like someone pushing through an upgrade they
want with a "it'll be better" when they could have disabled autorun
everywhere by tweaking a few bits if their IT organisation was together
enough.

Properly patched W2K will respect the autorun group policy. So this
specific infection could have been stopped or delayed this way. Although
those patches only pre-date this infection by a couple of months!
(Anyone want to argue for reactive patching still!).

I think on the Windows v Linux, it should be noted that Microsoft
fluffed the original updates to allow you to disable autorun. It is a
classic case of Microsoft having switches to do the right thing, which
are relatively easy to set, but those switches not being implemented
correctly. Exactly the case I hit with Outlook Express many years ago
when I discovered that using a tighter security group for your email
just didn't implement the tighter security policy (eek and I was about
to trust important stuff to it which is why I tightened the security
settings and tested them!). Not that the Linux world is immune from such
cock-ups but Microsoft Windows by being more complex is probably more
prone to such confusion. Sometimes less is more.

>> which is how I discovered it was Conficker -- but then I called the
>> print shop, to warn them, and they weren't the least concerned.

Name and shame.

> Not a very good response from them really.  On my Windows machines....

Outside work I don't have Windows machines, which seems to keep the
malware issue well in check. But I'm probably complacent as a result.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
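An added check for the noexec/nosuid/nodev point raised above (example code written for this page, not from the thread or the list): a POSIX shell audit that reads a /proc/mounts-style table and reports mounts under a removable-media prefix that lack any of the three options. The mount table below is constructed for the example; the /media prefix and device names are assumptions.

```shell
#!/bin/sh
# Audit a mount table for removable mounts missing noexec/nosuid/nodev.
# SAMPLE_MOUNTS is a constructed /proc/mounts-style table: a root fs, a
# USB stick with the common default (nosuid,nodev only) and one mounted
# with all three options.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /media/user/USBSTICK vfat rw,nosuid,nodev,relatime,uid=1000 0 0
/dev/sdc1 /media/user/SAFESTICK vfat rw,nosuid,nodev,noexec,relatime 0 0'

# missing_opts OPTION_LIST
# Prints the hardening options absent from a comma-separated option list
# (empty output means all three are present).
missing_opts() {
    _missing=""
    for _want in noexec nosuid nodev; do
        case ",$1," in
            *",$_want,"*) ;;
            *) _missing="$_missing${_missing:+,}$_want" ;;
        esac
    done
    printf '%s' "$_missing"
}

# audit_mounts PREFIX
# Reads a mount table on stdin and prints "mountpoint missing-options"
# for every mount at or under PREFIX that lacks any of the three options.
audit_mounts() {
    _prefix="$1"
    while read -r _dev _mnt _type _opts _rest; do
        case "$_mnt" in
            "$_prefix"/*|"$_prefix")
                _m=$(missing_opts "$_opts")
                if [ -n "$_m" ]; then
                    printf '%s %s\n' "$_mnt" "$_m"
                fi
                ;;
        esac
    done
    return 0
}

# Run against the constructed sample; on a live system use:
#   audit_mounts /media < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts /media
```

With the sample table the only line reported is the USBSTICK mount, flagged as missing noexec, which is the gap the post describes.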