[LINK] Security vendors advocating workplace net bans

Chirgwin, Richard Richard.Chirgwin@informa.com.au
Thu, 21 Mar 2002 10:15:18 +1000


Robert, agree violently! Another thought occurred to me as I read your
message: I sit here with a PC and a (crappy Cisco) IP phone sharing the same
connection ... so in the corporate spook view of the world, the (cC) IP
phone can connect to the Internet without restriction, but I should go to a
special terminal to read a Website?

And I'll make a prediction here: the sorts of people trying to sell
control-freakisms to tech-ignorant bosses will, within a year, be pitching
the need to snoop on IP telephony, to ensure that I'm not using my (cC) IP
phone to expose company secrets.

<Regrettably, the ignorant Reuters piece was run, unedited, on ZDnet.au
yesterday. Doesn't ZDnet have any lurkers?>

Richard
('scuse my creeping obsession about cC IP phones, but I'm so damn sick of
this phone system. Give me a competent operator and a manual switchboard,
gotta be better than echoes, bad audio, lost calls, waiting several seconds
on pickup before the server actually connects me, etc. Cisco is just the
Microsoft of infrastructure.)

> -----Original Message-----
> From: hartr@interweft.com.au [mailto:hartr@interweft.com.au]
> Sent: Thursday, 21 March 2002 09:02
> To: Richard.Chirgwin@informa.com.au
> Cc: link@www.anu.edu.au
> Subject: Re: [LINK] Security vendors advocating workplace net bans
> 
> 
> On 20 Mar, Chirgwin, Richard wrote:
> > 
> > http://story.news.yahoo.com/news?tmpl=story&u=/nm/20020318/wr_nm/tech_internet_security_dc_1&cid=582
> 
> > The workplace Internet is a far more complex creature than is given out by
> > this story. I certainly hope the local press don't suck this sort of stuff
> > down without giving it some critical thought.
> 
> Unfortunately, critical thought (or more usefully analysis) appears all
> too frequently to be in short supply in most places.
> 
> Attempting to solve issues that are fundamentally social using a purely
> technical solution is as sensible as pissing into the wind.
> 
> Having worked with companies on 3 continents, I am no longer surprised
> when people advocate technological solutions to social issues (and
> almost every complex issue is a social issue - purely technical problems
> are rare).
> 
> * Site security is a social issue far more than a technical issue.
>   Unless an organisation's security policy has at minimum the grudging
>   understanding of staff, they WILL bypass it - and about 80% of all
>   security compromises are from internal sources, Nimda, Code Red, Lion
>   et al notwithstanding (something this article does hint at).
> 
>   Whilst it is certainly possible to have a mail server screen for
>   certain types of attachment, IT savvy staff that want to bypass this
>   will find ways to do so - and that solution will spread to all
>   other staff faster than a bushfire in a hot north wind.
> 
>   Unless staff are involved and 'own' the solution, the 'gradual
>   adjustment' mentioned in the article will camouflage significant
>   non-compliance. Apart from the loss of personal utility (like cutting
>   off personal local calls), if staff are not consulted, it is quite
>   probable that a legitimate business activity will be interrupted by
>   simply implementing such a policy.
> 
> Imposing solutions by fiat rarely works (or at least rarely works the
> way it was intended).
> 
> -- 
> Robert Hart					 hartr@interweft.com.au
> Strategic IT & open source consulting                +61 (0)438 385 533
> Brisbane, Australia			    http://www.interweft.com.au
>