<![CDATA[Latest Content by Orin Thomas]]>http://www.windowsitpro.com/authors/author/author/3693639/rss/3693639 | en-US | Sun, 27 May 2012 03:27:00 GMT
<![CDATA[Conniptions and Cognitive Dissonance]]>http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/security/conniptions-cognitive-dissonance-143072
By Orin Thomas
Mozilla and Google seem to be having conniptions over the fact that Chrome and Firefox won’t be allowed to run as Desktop applications on Windows 8 RT, even though they will be able to run as Metro apps. Chrome and Firefox will be able to run on the standard x86 and x64 Windows 8 desktops. Just not on the desktop of the specialized Windows RT version. Outside the Mozilla/Google echo chamber people find this odd because neither organization seems to have raised much of an objection to not being able to run their browsers on the iOS platform. Apple has very similar conditions to those that Microsoft is enforcing for Windows 8 RT - you can use WebKit or you can deploy on another platform. I can only imagine that Mozilla/Google are making so much noise about Windows RT because they are concerned that the unreleased Windows 8 tablet OS is eventually going to surpass the market share of both iOS tablets and Android tablets. Why else would they be concerned specifically about not being able to deploy to Windows when they are currently unable to deploy to the platform that dominates the market, Apple’s iOS? If you thought that it was going to be a minor player, and you don’t get excited about being unable to deploy to iOS, you wouldn’t bother getting angry about being blocked on Windows RT. Should vendors have the ability to control which applications run on platforms? Given that there isn’t a monoculture when it comes to tablet OS, why shouldn’t vendors be able to choose a strategy that suits them?]]>
Orin Thomas | Fri, 11 May 2012 21:35:01 GMT | http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/security/conniptions-cognitive-dissonance-143072
<![CDATA[Comparative Review: Exchange Server e-Discovery]]>http://www.windowsitpro.com/article/messaging/comparative-review-exchange-server-ediscovery-142672
By Orin Thomas
Sherpa Software’s Discovery Attender and Quest Software’s Archive Manager go beyond the basic e-discovery functionality offered in Exchange Server 2010.]]>
Orin Thomas | Mon, 23 Apr 2012 12:42:00 GMT | http://www.windowsitpro.com/article/messaging/comparative-review-exchange-server-ediscovery-142672
<![CDATA[SQL Server Backup Comparison]]>http://www.windowsitpro.com/article/backup-recovery/sql-server-backup-comparison-142269
By Orin Thomas
If SQL Server’s native tools aren’t meeting your database backup and restore needs, there are alternative tools you can use. Here’s a look at how backup solutions from Acronis, Quest Software, and Red Gate Software stack up against each other.]]>
Orin Thomas | Sat, 21 Apr 2012 11:59:00 GMT | http://www.windowsitpro.com/article/backup-recovery/sql-server-backup-comparison-142269
<![CDATA[Exploits, difficulty, and zero day market value.]]>http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/security/exploits-difficulty-day-market-142765
By Orin Thomas
“If it is so easy, why is there more money in developing zero day exploits for Windows than OSX?” A common claim made by security researchers and commentators is that Windows exploits are more prevalent because the operating system has a higher installed user base. A claim made by other commentators, usually the sort that lurk at the bottom of comment threads, is that Windows exploits are more common because they are simple to create due to the Windows security model (usually expressed with an expletive and multiple exclamation marks). We know that there is a thriving underground market for exploits – which led me to wonder if perhaps the value of an exploit on the black market might provide some sort of measure of the difficulty of creating the exploit and the desirability of the exploit. The supposition being that an undesirable exploit would be cheap and a desirable exploit more valuable. A few tweets exchanged on this issue with Charlie Miller ( http://twitter.com/0xcharlie ) and Ed Bott ( http://twitter.com/edbott ) led me to this Forbes article ( http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/ ). This article provides approximate pricing for different types of exploits. It’s worth checking out in its entirety. Without an insane level of security knowledge about the Windows and OSX operating systems, it’s very difficult to determine which platform is more resistant to the development of exploit code. However, you can take a few guesses if you accept the following assumptions: Assumption 1: If developing exploits for a specific operating system was a straightforward, simple affair – that is, that it required relatively little skill – the value of those exploits would be low. Why? Because the market would be flooded. A corollary of this is that if the knowledge required to develop an exploit for a specific operating system is high, the market value of those exploits would]]>
Orin Thomas | Sat, 07 Apr 2012 20:51:57 GMT | http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/security/exploits-difficulty-day-market-142765
<![CDATA[Schadenfreude, Malware, and Hubris]]>http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/security/schadenfreude-malware-hubris-142760
By Orin Thomas
Schadenfreude perhaps best describes the attitude of most Windows security experts to the OSX Flashback Botnet. For a long time security experts have argued that it was a matter of when, not if, we’d see a widespread infection on the Mac OSX platform. If the estimate of 600,000 infected hosts is correct - that suggests that somewhere between 3-5% of all computers running Mac OSX have become infected by the one piece of Malware. The popular and very dangerous perception that "Macs never get viruses" is being proven to be a marketing message rather than a security reality. Apple might not have made the claim of invulnerability explicitly, but that’s the understanding that many people have been left with. In the last few days a thousand forums rang with statements such as "Macs don’t get viruses because they are UNIX based" as though being UNIX based was some sort of magical charm against the possibility of exploitable code. Given enough time and effort, all operating systems can be exploited. There is no deep philosophy within the structure of UNIX that makes UNIX-like operating systems immune to compromise. UNIX was one of the first operating systems and it’s unlikely that through random chance the OS is inherently secure, especially given that it wasn’t designed from the very beginning with security in mind (security has certainly been added - but there is no magical component within UNIX that makes it unexploitable). If there was a way to make your operating system unexploitable, Microsoft would have included that when they went back to the drawing board after Windows XP. You can certainly make it more complicated to exploit something, but just as any safe can be broken into given enough time, any operating system can be exploited given enough talent. The difference between safes and operating systems is that once one person figures out how to successfully exploit, they can share those tools so less talented people can also leverage the ex]]>
Orin Thomas | Fri, 06 Apr 2012 00:34:39 GMT | http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/security/schadenfreude-malware-hubris-142760
<![CDATA[Digitally signed malware is becoming routine]]>http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/security/digitally-signed-malware-routine-142696
By Orin Thomas
Even the bad guys are using code-signing certificates. According to a recent report by McAfee ( http://blogs.mcafee.com/mcafee-labs/signed-malware-you-can-runbut-you-cant-hide ), "more than 200,000 new and unique malware binaries discovered in 2012 have valid digital signatures". What this means is that attackers are able to provide malware versions of applications and drivers that look like they come from legitimate sources. While most of the malware detected comes from test-signing attacks, which can be detected and disabled, the more problematic signed malware comes from certificates issued by compromised Certificate Authorities. A compromised CA can generate a signing certificate that imitates a popular vendor like Apple, Adobe, Google, or Microsoft. Anti-malware vendors are aware of this and, if you’re running an effective anti-malware scanner, it should detect malware even when it is digitally signed. The problem comes for people running operating systems without anti-malware scanners who are relying on digital signatures as a way of sorting legitimate code from the more nefarious stuff. Even if operating systems of the future only run signed code, it looks as though the malware authors of today have a way around it.]]>
Orin Thomas | Wed, 28 Mar 2012 18:25:33 GMT | http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/security/digitally-signed-malware-routine-142696
<![CDATA[Windows XP to Windows 8]]>http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/windows8/windows-xp-8-142680
By Orin Thomas
"The day that the last Windows XP computer is powered down is in the distant future" Even if you’re running the latest "consumer preview" of Windows 8 on your day to day system, if you’ve spent much time around airport lounges or coffee shops you’ll have noticed that a lot of people’s laptops are still running Windows XP. Even at (most) technical conferences the cheery blue task bar is more commonly spotted than the aluminum casing with the white fruit logo. Today between 30 and 40% of the world’s computers are still running Windows XP. In a lot of cases these people aren’t running XP because they think "wow, this OS totally kicks gluteus over Windows 7" - but because the organizations that they work for haven’t got around to replacing Windows XP in their desktop operating system lifecycle. For some it’s a matter of "if it ain’t broke" and for others it is a lack of a "round tuit". Even though in 2 years Microsoft is going to stop providing updates to Windows XP (April 8 2014), it is likely that there are still going to be tens of millions of computers running the operating system. Eventually the last computer running Windows XP on a corporate network will be powered down, but given that there are still organizations out there running Windows NT 4 and Windows 98, that day is still in the distant future. The longevity of Windows XP is worth considering when it comes to the adoption of Windows 8. Although the tech press tends to get excited about new and shiny things, the reality for most organizations is that their desktop and server operating system lifecycles don’t follow Microsoft’s product release cycle. Introduction of a new desktop operating system in many organizations occurs years after initial release. Windows 7 is also enjoying a similar sort of popularity to that of Windows XP. It isn’t unreasonable to speculate that Windows 7 will have a similar sort of longevity to Windows XP (perhaps to Microsoft]]>
Orin Thomas | Tue, 27 Mar 2012 06:51:30 GMT | http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/windows8/windows-xp-8-142680
<![CDATA[Windows 8: Consumer versus IT Pro strategy]]>http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/windows8/windows-8-consumer-pro-strategy-142679
By Orin Thomas
"If consumers don’t like it, IT departments won’t be able to roll it out" Up to this point, Microsoft has been making the Windows 8 case more broadly for the "consumer" demographic rather than the IT professional demographic. Rather than spending a lot of bandwidth discussing IT Pro friendly features of the operating system, the primary coverage seems to be on items that are of more general interest such as file copy dialog boxes, the new start menu, and mobile broadband data usage enhancements. There are a couple of reasons why a consumer focused communication strategy is sound: The biggest group adopting Windows 8 after release isn’t going to be organizations with thousands of desktop computers. It’s going to be people buying new computers with Windows 8 pre-installed. The reaction of this group at launch is critical. If Windows 8 doesn’t wow early adopters at release, the operating system is more likely to end up as "Vista" rather than "Windows 7" in terms of public perception. Lose that first battle and all the latter ones become an order of magnitude more difficult. The organizations that need to support tens of thousands of desktops won’t be deploying Windows 8 until sometime in mid to late 2013 at the earliest. By then the deployment tools (such as MDT) are going to have been supporting Windows 8 for some time and there will be resources, such as books and in-depth blogs showing how big organizations can efficiently deploy the operating system. Discussion of Windows 8 deployment enhancements and IT Pro "must know features" can wait. Dessert needs to come first, then there can be a focus on the “meat and potatoes”. Learning from Vista. A lot of Microsoft’s pre-release coverage of Vista focused on aspects of the operating system that were of interest to IT pros. It was a "meat and potatoes" strategy. IT Pros knew exactly what the point of User Account Control was - because they had to m]]>
Orin Thomas | Mon, 26 Mar 2012 20:08:04 GMT | http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/windows8/windows-8-consumer-pro-strategy-142679
<![CDATA[System Center 2012 Suite]]>http://www.windowsitpro.com/article/system-center/system-center-2012-suite-141827
By Orin Thomas
A major overhaul in the Microsoft System Center suite helps IT pros configure and manage applications, services, computers, and VMs.]]>
Orin Thomas | Tue, 20 Mar 2012 09:00:00 GMT | http://www.windowsitpro.com/article/system-center/system-center-2012-suite-141827
<![CDATA[Grocking the Windows 8 Start Menu]]>http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/windows8/grocking-windows-8-start-menu-142475
By Orin Thomas
I’ve noticed a lot of consternation from friends about the new full screen start menu in the Win 8 preview. In reality it’s a bit like the Office Ribbon. First reactions are generally negative and then a while later you wonder how you lived without it. I think the thing that turns a lot of people off is the amount of rubbish that Microsoft has pinned there. To get the new Start screen to work for you, you need to populate it with stuff that you actually use rather than the "metro craplets" pinned by default. The first thing to do is right click to select everything on the Start menu that you don’t give a rat’s about and then choose unpin. That will lead to a substantial decluttering. The next thing to do is to use the Search "charm" to find all those apps that you do execute, to right click on them, and to pin them to the start menu and/or the Desktop taskbar. A big drawback of the Windows 7 interface is that (depending on your monitor size) you might only be able to pin about 14 items to your taskbar. Anything else had to sit in the start menu. You could pin items to the Win 7 start menu, but you were again limited depending on screen real estate to a couple of items before you needed to dig around in the All Programs folder. So the key to grocking the Windows 8 start menu is to first go through and unpin all the crap that you aren’t going to use, and then to go through and pin the stuff that you actually do use. Another myth that is out there is that you can only pin Metro apps to the Win 8 start menu. This isn’t the case. You can pin anything there - it’s just that the Metro apps use live tiles. Anyway here is the start menu on my smaller laptop. Once I got it set up the way that I felt comfortable with, I was able to launch my programs more quickly than I could using the older Windows 95 through Windows 7 Start Menu paradigm.]]>
Orin Thomas | Mon, 05 Mar 2012 18:38:44 GMT | http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/windows8/grocking-windows-8-start-menu-142475
<![CDATA[Installing Windows Server 8 and WSUS]]>http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/administration/installing-windows-server-8-wsus-142439
By Orin Thomas
The following is a quick video screencast showing the installation of Windows Server 8 and the WSUS server role. I haven’t put commentary on it yet – but it’s designed to show you the differences in the Windows Server 8 interface, some of the new roles and features that are available, and the process of installing and configuring a role like WSUS.]]>
Orin Thomas | Thu, 01 Mar 2012 06:11:37 GMT | http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/administration/installing-windows-server-8-wsus-142439
<![CDATA[BYOD and Internal Attacks]]>http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/security/byod-internal-attacks-142438
By Orin Thomas
As you are no doubt aware, a decent percentage of attacks that occur on an organization’s infrastructure are initiated by people internal to the organization. Most of these attacks are unsophisticated. Internal attacks are often initiated by disgruntled employees. In the past the tools that disgruntled employees could use to carry out these attacks were limited. Unless they have some level of skill, most people aren’t able to install hacking tools on locked down corporate desktops. Three trends will make the future of attacks against network infrastructure by disgruntled employees a “may you live in interesting times” affair. Trend 1: Gen-Y and millennials are far more computer literate as a cohort than their fellow Gen-X and Boomer employees. This doesn’t mean that they know the details of how to compromise a network, but it does mean that they are more likely to be able to locate “script kiddie” type automated exploit tools that take a lot of the complexity out of exploiting a network. Trend 2: BYOD means that a lot of people are no longer using locked-down corporate desktops. A disgruntled user in an organization that has a BYOD policy is going to be able to install and deploy an automated exploit tool on an organizational network with a lot less effort than a disgruntled user of a locked down corporate desktop. Trend 3: A growing culture of hacktivism, popularized by the efforts of “Anonymous” is going to mean that more of these disgruntled computer literate Gen-Y and millennial employees are going to lash out using hacking tools. In the past the automated “trash the network when I get fired” attack was the purview of the dyspeptic systems administrator. In the coming years we’re going to see a lot more “digital apple cart tipping” from disgruntled computer literate employees. The takeaway from this is that if you do choose to implement BYOD at your organization, you need to, more than ever, remember that your internal network infrastructure]]>
Orin Thomas | Thu, 01 Mar 2012 05:12:48 GMT | http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/security/byod-internal-attacks-142438
<![CDATA[BYOD when someone gets fired]]>http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/security/byod-fired-142401
By Orin Thomas
If a person is fired from an organization, you want to restrict their access to information as quickly as possible. Locking them out of their work computer and email is straightforward, a matter of disabling their logon account. If you control their work computer, you can quickly control their access to sensitive material. If they have a company issued laptop computer, you’ll have a procedure in place to get them to hand it over immediately. Things are more complicated in BYOD scenarios. A big fear in many sales departments is the idea of a salesperson wandering off with the contacts database. If the salesperson is using their own computer all the time the question arises: “What right does an organization have to purge data from a person’s personal computer that they use for work?” This is something that you probably want to get locked and stowed before you introduce BYOD into your organization. Come up with a policy for how to deal with the user who gets fired, but also has a substantial store of sensitive company information stored on their personal computer. It isn’t as though these issues haven’t existed in the past. Many people have a home computer that they might work from by using a VPN to connect to the office and telecommuting has its own set of challenges in terms of securing sensitive data. The main difference is that a BYOD computer that is used every day at the office for work purposes over the course of months or years is going to have substantially more sensitive organizational data stored on it than a computer used for an occasional telecommute. So what do you do when someone who has been bringing their own device to work on at the workplace for the last few years is let go? Let them wander off without some type of audit to determine what organizational data is on their machine? Or in allowing a BYOD policy is an organization assuming that it is impossible to control the movement of sensitive data outside the organization and no]]>
Orin Thomas | Tue, 28 Feb 2012 04:41:23 GMT | http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/security/byod-fired-142401
<![CDATA[Product Review: VMware Protect Essentials Plus]]>http://www.windowsitpro.com/article/vmware/review-vmware-protect-essentials-141960
By Orin Thomas
The capabilities of VMware vCenter Protect Essentials Plus go well beyond what’s available in tools such as the Microsoft Baseline Security Analyzer (MBSA).]]>
Orin Thomas | Wed, 22 Feb 2012 10:00:00 GMT | http://www.windowsitpro.com/article/vmware/review-vmware-protect-essentials-141960
<![CDATA[Privacy is the new security]]>http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/security/privacy-security-142309
By Orin Thomas
Internet Explorer, through tracking protection lists, can protect you from websites that have a fairly wanton approach to your personal information. However tracking protection lists aren’t enabled by default and require a bit of technical know-how to configure. They certainly aren’t something that your average web surfer knows anything about. That’s something that flummoxes me - especially given the recent argy-bargy about Google’s treatment of P3P on IE. Why is this privacy feature of IE so hidden - especially as privacy is so important? IE’s always notifying me about stuff like unsafe sites and whether I want to disable add-ons. Why doesn’t it notify me by default when a site like Facebook or Google wants to use cookies across multiple websites? By default is important here - because if the behavior isn’t by default - only knowledgeable nerds are going to be able to find and enable it. Protection or privacy isn’t something that should depend on technical knowledge - like protection against viruses, it’s something that should happen automatically. Something that you can choose to override if you want to expose your secrets, not having your activity tracked by a third party, be they Facebook or Google, so that they can show you more relevant advertisements. It’s pretty clear that voluntary standards aren’t going to cut it when it comes to privacy on the Internet. Enforcing rigorous privacy standards goes up against some lucrative business models. Switching IE 10 or 11 so that they are "privacy first" browsers would provide users with protection in the same way that IE 7, 8 and 9 increased protection against malware. Explain to your "friend" that your social networking site can (and does) track you to all those sites with free videos of naked couples calisthenics and their response is unlikely to be "well I’m okay with that". Actual people consider privacy a part of their security. The people who argue otherwise generally ]]>
Orin Thomas | Tue, 21 Feb 2012 04:01:21 GMT | http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/security/privacy-security-142309
<![CDATA[OSX 10.8 will block unsigned code. Windows can do this. Should it?]]>http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/security/osx-108-block-unsigned-code-windows-142308
By Orin Thomas
AppLocker and Software Restriction Policies have been around a long time on computers running Windows. With these group policies, you can lock down a system so that it only runs authorized files. The drawback is that setting up SRPs or AppLocker requires some faffing about. It certainly isn’t a one-click solution. Unless an organization has a dire need for it, most don’t go to the effort to implement it. The next version of OSX, 10.8, will include similar functionality to AppLocker through a new service called Gatekeeper. Out of the box Gatekeeper will disallow the execution of applications not digitally signed by recognized publishers. Apple will make this simple to turn off - allowing those people running stuff like FINK on their Macs to continue to run unsigned code - but requiring signed code in the first place will definitely raise the bar in terms of the difficulty of exploiting computers running OSX 10.8 (although given the increasing number of CAs being rooted and the existence already of digitally signed malware, while it raises the bar, it doesn’t close the drawbridge on malware). As mentioned earlier, Windows has been able to implement similar functionality for some time. The problem is that it’s not something you can turn on in the control panel with a single dialog box. It’s something that requires some faffing about. The faffing has the advantage of allowing administrators to be nano-granular in the application of policies. However, given the strong consumer focus of the Windows client operating system, perhaps allowing users to enable this functionality through the control panel (or even making it default on Windows on ARM) might be a workable strategy. Especially considering that the technorati don’t seem to have choked to death on the idea of Apple doing it "first" in OSX 10.8 (if Microsoft had done it first, you’d hear the spluttering from Alpha-Centauri)]]>
Orin Thomas | Mon, 20 Feb 2012 17:20:26 GMT | http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/security/osx-108-block-unsigned-code-windows-142308
<![CDATA[Security and Rapid Mobile Application Development]]>http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/security/security-rapid-mobile-application-development-142302
By Orin Thomas
When Microsoft created the Security Development Lifecycle, which is one model of secure software development, it required that security be considered from the outset. Making an application secure after you’ve written it is a lot harder than making it secure from the beginning. With operating systems becoming better hardened against attack, exploits have moved up the stack to applications. As Pwn2Own shows, attacking something like Flash is more likely to work than going after the browser or operating system. Which brings us to the problem of rapid mobile application development. It is received wisdom that smartphones and tablet devices are taking on an increasingly important role in the enterprise. App development on mobile platforms tends to be done with the goal of releasing quickly. Getting your app to the store is important. You can always release updates once you’re there and generating an income stream. As Dark Reading notes in this article: "coders … throw all of those secure development principles the industry has fought over … right out the window when it comes to mobile apps" The recent security issues with Google Wallet indicate that it isn’t just the small mobile app shops that are ignoring security as a way of getting the app in the public’s hands. Until the mobile app industry develops a culture of security, current apps are going to be as exploitable as a Windows 95 box connected to the Internet without a firewall with the hostname youcannot.hackme.net.au. At the moment the easiest way to get malware on a device (at least on Android) seems to be to try to publish it to the Android store (as the gatekeepers seem to have a post hoc approach to weeding out malware published as apps). However, at some point in the future hackers are going to start to exploit the applications running on mobile devices themselves. Given that mobile app developers don’t seem to be considering security (and it’s not like the app s]]>
Orin Thomas | Mon, 20 Feb 2012 05:27:12 GMT | http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/security/security-rapid-mobile-application-development-142302
<![CDATA[Traveling overseas? You'll need a visa and might need to disable your computer's encryption]]>http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/security/traveling-overseas-youll-visa-disable-computers-encryption-142283
By Orin Thomas
A New York Times article recently told me something I didn’t know about crossing borders with encrypted hard disks - namely that "both China and Russia prohibit travelers from entering the country with encrypted devices unless they have government permission" - http://nyti.ms/zVrGAE The article itself is about the precautions that organizations take when sending their staff across to these countries. Essentially they give them a clean laptop expressly for the purpose of travelling to these countries. They put them on a separate remote access network when they are using remote access to communicate back whilst travelling within these countries. The organizations assume that the computers will be compromised during travel (even though they turn off items such as Bluetooth, the computer’s microphone and cameras) and wipe the devices completely when the staff return to their point of origin. [Clearly they should only use MacOS when travelling because it’s so unhackable. *snerk*] I’m wondering when the "no encryption" policy will become standard for all countries. I imagine the argument for it will be something about "protecting the borders from certain types of pornography" - but it certainly simplifies the process of customs installing keyloggers on your laptop if they don’t have to worry about BitLocker protecting the boot environment. With the rumors of BitLocker on Windows Phone 8 swirling around, maybe the same policy will start to apply to phones as well. The first rule of travelling with sensitive data probably should be "don’t". If you must, there’s no reason why you can’t store an encrypted file somewhere in the cloud and keep the decryption key in a separate cloud. From the NYT article it sounds as though big business is taking the sort of approach you’d expect the characters in a Neal Stephenson novel to adopt. The precautions also don’t sound too crazy, though it’s always hard to tell the line betw]]>
Orin Thomas Wed, 15 Feb 2012 18:49:20 GMT http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/security/traveling-overseas-youll-visa-disable-computers-encryption-142283
<![CDATA[Piracy and Consumerization/BYOD]]>http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/security/piracy-consumerizationbyod-142212
By Orin Thomas
: @orinthomas It shouldn’t be a surprise to anyone to learn that the personal computers of a lot of people have what might be delicately termed "software sourced through alternative methods of distribution". With corporate managed desktops, everything is locked down so it’s unlikely that a user would be able to download and install an application that they "sourced from bittorrent". A recent survey of corporate network internet traffic for large organizations (http://www.paloaltonetworks.com/researchcenter/2012/01/browser-based-filesharing-usage-work-or-entertainment/) found that a substantial percentage of traffic on corporate networks was people downloading not only movies and TV shows, but also applications, with Photoshop being the most popular. It is interesting to speculate what happens when organizations encourage users to "bring their own devices (BYOD)" to use for work. It is not unreasonable to assume that if people are already using the company internet connection to download software like Photoshop to their locked-down desktops, they won’t suddenly decide to stop doing that now that they are using their own laptops. Spend any time around debates on piracy and you’ll hear that "pirating X is justifiable because X was too hard/complicated to acquire legally". I’m sure that organizations that have BYOD policies also have some sort of bureaucracy to ensure that these users are provisioned with software that allows them to do their job. I’m also sure that, as with any system, a certain number of users are going to do an end-run around the red tape and download the software that they feel they need to do their job from sites like MegaUpload’s many clones. In the past people might download Photoshop from Megaupload, but they couldn’t install it on their work computer because that computer was locked down. Now that they are using their own computers, there are no such restrictions. There are two big risks w]]>
Orin Thomas Tue, 07 Feb 2012 19:22:26 GMT http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/security/piracy-consumerizationbyod-142212
<![CDATA[Data retention and 17th century aphorisms]]>http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/security/data-retention-17th-century-aphorisms-142089
By Orin Thomas
: @orinthomas “If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.” - Cardinal Richelieu (1585-1642). News Corporation is now finding out why they should have had and implemented a good data retention and deletion policy (http://www.theage.com.au/technology/murdochs-new-headache-the-secrets-of-data-pool-3-20120130-1qoq0.html). Some organizations have a packrat mentality when it comes to the retention of data. They keep it all rather than expunging it after it is no longer legally required. That seems like a great idea until clever lawyers start discovery proceedings. Usually those involve "everything you’ve got" rather than "everything you should legally have". So if you’re meant to keep stuff for 7 years, a mechanism should be set up to automatically expunge data that is 7 years and 1 day old. Many organizations have responded to retention laws with an approach of "just keep everything forever to be safe". While that’s a noble goal, just remember Cardinal Richelieu’s quote. If you don’t *need* to keep it, you *shouldn’t* keep it on the off chance that you *might* want it.]]>
Orin Thomas Sun, 29 Jan 2012 20:17:41 GMT http://www.windowsitpro.com/blog/hyperbole-embellishment-and-systems-administration-blog-18/security/data-retention-17th-century-aphorisms-142089