One specific thing that I have first-hand experience of is they have a culture of assigning blame instead of preventing access.
So for example, everyone has local admin access, or even network-wide admin access. Instead of Active Directory accounts, users are tracked by their client IP address. In effect, you are your IP address on the network.
Most activity is logged, and then correlated by IP address so that blame can be assigned after the fact.
So for example, if you're caught editing a production web page live on the server while 40K people are scratching their heads wondering why they can't log in that morning, you'll get blamed because the remote connection came from your desktop IP when that happened.
Nothing stops some random junior developer editing the production web site on the fly. He'll just be reprimanded or fired.
(NOTE: Some of the specifics above may be out of date now, but the security culture likely remains.)
Seems ripe for an insider threat. Sure, they'll catch and fire all the people who slip up or stupidly overstep their authorization or do some vandalism. But a determined and skilled attacker could come in at a very low level and install all kinds of interesting stuff... wow.