OT: Dealing with a hosting company with it's head up it's rear end

Polytropon freebsd at edvax.de
Fri Aug 14 19:37:16 UTC 2020


On Fri, 14 Aug 2020 10:44:35 -0400, Aryeh Friedman wrote:
> On Fri, Aug 14, 2020 at 10:32 AM Jon Radel <jon at radel.com> wrote:
> 
> > On 8/14/20 09:48, Aryeh Friedman wrote:
> > > On Fri, Aug 14, 2020 at 9:20 AM Tim Daneliuk <tundra at tundraware.com>
> > wrote:
> > >
> > >> On August 14, 2020 12:58:49 AM "Steve O'Hara-Smith" <steve at sohara.org>
> > >> wrote
> > >>
> > >>  Again many corporate firewalls don't allow ssh out (or in directly)
> > >>> because tunnelling bypasses the firewalls. And again it seems odd for a
> > >>> hosting company.
> > >>>
> > >>
> > >> ssh out is typically prohibited to lower the risk of employee transfer
> > of
> > >> sensitive data to external destinations - So called Data Loss
> > Prevention.
> > >> This, along with email scanning and man in the middle cert management is
> > >> pretty common.
> > >>
> > > Unless it is 100% air gapped with no ability to plug in portable media
> > > and/or record the screen then nothing is 100% immune from such loss and
> > > thus not allowing it makes very little sense.   If on the other hand the
> > > idea is to limit the damage that malware/spyware can do then it makes
> > sense
> > > (even if someone does in [accidentally] install malware/spyware it can
> > not
> > > send the results of its dirty work anywhere).
> > >
> > Untrue.  As the CISO at my latest employer said to me (paraphrasing
> > some, as it's been a while):
> >
> > You and I know how to circumvent the restrictions, but the vast majority
> > of the staff hasn't a clue.  This cuts down the noise I have to wade
> > through.
> >
> 
> Oh great security by obfuscation!  Sounds like the CSIO missed the first
> day of security 101.    False sense of security is always a bad idea.

But but but we are ISO-9660 certified! And we have that expensive
snake oil sprinkled everywhere! ;-)

There are measures that do not "add security", but can help to
limit the line noise. A typical example is moving SSH to some
non-standard port: That doesn't prevent anyone to perform a
port scan and connect to that non-standard port, but it limits
the fun for skript kiddies that connect as "Administrator" on
the default SSH port.

Those who _want_ to extract data will find a way. As it has
been mentioned, a screen capture send per e-mail, or a screen
photo taken with the private smartphone will work. There are
so many possibilities of data extraction that you cannot stop
with a firewall rule...



> > And back to the main topic of this thread:  What does your lawyer say
> > about your client that is huffing and puffing threats over your
> > inability to perform magic to paper over their unwise contracting
> > actions in regard to a different vendor?  Seems to me that you left the
> > land of technology a ways back on this one.
> >
> 
> Actually the client has signed the one piece of paper we needed to move
> forward which is a waiver of liability for stuff we said was inherently
> risky (in writing) before we started the work.   It should also be noted
> that due to lack of competance by the hosting company and by the equipment
> supplier we have become the client's defecto IT dept. Even though we were
> originally hired as programmers only (this means when push comes to shove
> the client almost always trusts us over anyone else and for the most part
> "I will find someone else '' is just his lack of social graces and not an
> actual threat).

Tell them you're "devops" now. :-)





-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...


More information about the freebsd-questions mailing list