[geeks] Gmail's attraction

Jonathan C. Patschke jp at celestrion.net
Sun Sep 5 22:47:17 CDT 2004


On Sun, 5 Sep 2004, Dan Duncan wrote:

>> If you have "Power User" access to your workstation, you can share
>> folders.  Most users have "Power User" access to placate them in that
>> they can change the date and such.
>
> When you expand user permissions, you increase the security risks.

My point is that most people have those rights to begin with.  Almost no
site uses NT's definition of "regular user".  In fact, in XP, a "regular
user" is a "power user", as previously defined.

> I can't answer that question, but email with files attached is no
> different than emails containing sensitive information inside, and
> presumably there is already a mechanism in place to audit it.

Uh huh.

>> And you -CAN- enforce
>> share-level auditing as part of the domain policy.
>
> True, but it creates a flood of logs and requires someone to audit them.

That would seem to be the job of those auditors you keep referring to.

>> Oh, that's part of RFC 2822 now?  I must've missed that part.
>
> Do you really propose a company not do virus scans on attachments?

Why would they need to, if they don't run virus-ridden operating
systems?  The one I'm employed by full-time runs 'doze, so, yes.  The
two I work at part time do not, so they have no reason for one.

> How many SMTP servers does it pass inside the company?

It depends.  If you're sending it -inside the company-, then it'd be
insane to not use shares.  You share the folder, grant the rights to
someone already -in- the domain, and there, you're done.  You don't have
to create users or assign passwords or anything.  I was assuming we
were talking about over the Internet.

> If you're worried about passing in the clear, why propose FTP?

SFTP, then.

> And requires a lot more permissions and training for users to
> properly maintain and an additional audit trail to watch.

Email is not an audit trail.  It can be forged.  Easily.  Even if it is,
you have no way of knowing that an attachment called
"pictures.of.my.kids.jpg" isn't really FY06's R&D proposals.  Blocking
attachments and asking users to use sane methods of file transfer that
they already have access to isn't asking too much.

> Let me ask you this:  The last time you sent out a resume, how did you
> send it and why?

I sent a URL pointing at the page on my web site that offers it up for
download as HTML, PDF, PostScript, and LaTeX2e source.  FWIW, I got that
job.

-- 
Jonathan Patschke )
Elgin, TX        (  "Ma'am, I can do anything.  I own a game store."
USA               )             --Gord ( http://www.actsofgord.com )


