You must log in or register to comment.
Honestly, a policy of “no free-of-charge software installed on workstations except FOSS” might improve security a bit and probably without doing all that much damage to the day-to-day workings of the company.
For that matter, if my employer instituted a policy of “no software except FOSS”, my own particular job probably would be a surprisingly small adjustment. As long as they were willing to do the work to set up infrastructure and/or let us switch to FOSS alternatives that require third-party server providers as necessary. About all I can think of that’s installed on my work machine that’s proprietary is:
- Zoom
- A paid corporate VPN client
- A random program that I use to authenticate to Kubernetes clusters in use where I work (so I can use Kubectl)
- Chrome
- The Client Management software my company uses (the software they use to remotely administrate the company-provided machines – force install shit without telling you, spy on you, nag people who have computers that aren’t actually used to return them, wipe your computer if you report it stolen, etc)
- And, of course, bios, proprietary firmware blobs, etc
Beyond that, I honestly can’t think specifically of anything else proprietary installed on my work machine. My personal computers have far less proprietary software installed than the above list.
Not related, but did you ever use k9s? Quite nifty CLI tool to control Kube, albeit not on a very advanced level, it helped me a lot to not get drowned in Kube commands.
Everyday my misnathropy is justified
I majored in Anthropology in college. I should have done Misanthropology.
Print the fucking t-shirt man. I’ll buy one for every day of the week.
Every day I wake up I thank God I’m not an MBA 🙏
MBAs would just buy an LLM software subscription to fix it
“This fucking paycheck! What am I going to do with all this money?”
It’s not more secure, it’s so they can offload blame and have people to sue if/when something ugly happens. Liability control, essentially.
We had to pay for fucking Docker container licenses at my last job because we needed an escalation to the vendor in case our SMEs couldnt handle things (they could), and so we had a vendor to blame if something out of our control happened. And that happened: we sued Mirantis when shit broke.
Ever hear how the suit turned out, generally?
This pisses me off
Don’t forget your new 32 character/symbol/number/nordic rune passwords that will need to be changed every 17 days.
I hate sites that make me constantly change passwords. it’s been shown time and time again that making users change passwords often decreases security by a pretty large factor, and yet a lot of sites still do it
Our workplace did that. You had to change every month and you weren’t allowed to just add a digit. It meant that people started writing their passwords on post-its stuck to the monitor.
Mind you, back in the 90s your password was the same as your username. It was very handy, because if someone went home leaving a document locked, you could just log in and unlock it. Our first “proper” IT professional was horrified.
Interesting, stopped seeing this a while back. Forced change after the inevitable hack though of course
Could be because OWASP now actively recommends against periodic password changes.
Ensure credential rotation when a password leak occurs, at the time of compromise identification or when authenticator technology changes. Avoid requiring periodic password changes; instead, encourage users to pick strong passwords and enable Multifactor Authentication Cheat Sheet (MFA). According to NIST guidelines, verifiers should not mandate arbitrary password changes (e.g., periodically).
And don’t forget required 2-factor authentication, in an age where that becomes 1-factor authentication as soon as someone has your phone, because both factors are accessible there!
2FA is utterly worthless in the age of smartphones, and whenever my employer tries to implement it, I refuse and tell them that, if they want me to do 2FA, they can either provide me with a work phone, or they can give me a USB key that is just going to sit in my desk drawer.
which still requires someone to swipe the phone and the owner not recognizing it long enough to do a remote wipe. I am not someone who hangs on the smartphone 8 hours per day, and even i would realize my phone is gone within 15 - 30 minutes, giving an attacker a pretty small time window to act.
e: and they have to break into the phone as well - if it’s updated, that might buy more than enough time
My last boss got rid of the pfSense routers because “open source is not secure”. I argued that pfSense has been vetted over and over and over again. Nope. “Everyone can see the source code.” That’s the fucking point!
TBF, pfSense isn’t the fastest routing, but at our small company is was more than sufficient.
For a small to medium sized business pfsense is the only solution that makes sense. The only requirement is that you have a actual sysadmin on staff and not a vendor jockey.
OPNsense is also a viable alternative.
Sure, I’ve tried it but honestly there wasn’t much difference. I use pfsense because its what I started with. I imagine if you started with opnsense it would be the same thing. I use pfsense+ licensing for all the routers at work and that makes the higher ups happy that its has commercial support if needed.
Tried that for awhile at home, just didn’t seem as robust. Also, you can get Netgate hardware if the company doesn’t want a 10-yo Dell running the edge.
Bought some of the higher end negate routers for work. 1u rack mount. Five locations all linked with fail over tunnels. I run our filter and monitoring on them as well . Pfblockng works great for general purpose filtering. When you filter porn you really need a lot of ram. The intel boards they have are a little finicky on the type of SFP you can install but other than that they work great.
I’ve had opnsense running for 7 years without a single issue. It might be the most reliable part of my whole setup.
There is an entire sub-industry and probably thousands of jobs being propped up by this stupid way of thinking about software. I can’t be mad at it because it pays the bills for a few of my friends…
deleted by creator
I could really see companies just fork open source and give it a tweak like UI or new switches…
Terrible.
New wealth redistribution method?
At one point my company made us buy Eclipse from a vendor because free software was not allowed. It had no tweaks or support, just out of date Eclipse that I had to wait for purchasing to get
Whenever I hear about shit like this I wonder if I should just start a company and package free software lol. Could like donate a bunch of the profit to the actual projects.
I could really see companies just fork open source and give it a tweak like UI or new switches…
They should not be able to do that if it comes under non commercial licence
Won’t stop some people.
Vim? Oh wow. I’d be looking into a USB Keyboard that types the entire source code of vim into the machine, assuming there isn’t an easier option.
Fork vim, rename it, sell it back to your company
Donate cost back to vim
Worked for a company that had a similar policy against free software, but simultaneously encouraged employees to use open-source software to save money. I don’t think upper management was talking to the IT department.
It’s “more secure” because there’s a specific company to blame when it goes wrong.
Security through liability
The bigger you get the more this is a thing actually.
Yeah, i worked briefly at multinational japanese motor company and this was their logic. I was hired as a software developer contractor and HQ had rules stating, no open source software, no free software and the one that puzzled me the most no in house executables (WHY THE FUCK DID THEY HIRE ME?)
How were you supposed to test your software if you weren’t allowed to create an executable?
insert thats the neat part meme
Eventually it was decided I would write Javascript on a web page I made. Skills I never declaired having I told them I was a java dev.
So they essentially hired you for no reason and then had to come up with something for you to do?
Javascript is a part of Java, duh!
You had to go to the balcony to test it.
Honda?
Nope.
My old boss called that “one neck to choke”.
Nice. My response is my 2-week’s notice.
I am becoming increasingly more appreciative of the fact that I have root access to “my” company provided work device.
My boss went so far as to buy Macs because we have “special needs” (we don’t) because otherwise we’d be forced to use the corporate locked down crap. I’m not a big fan of macos (prefer Linux), but root access sure is nice.
I had to move to a Mac because of iOS development. Now I’m stuck with a Mac because the fucking thing refuses to break.
Wait till they learn about Jamf Pro and Mosyle 😜 (Well… granted they also have to deploy it correctly after…)
They did make us install Crowdstrike after 3-ish years of no spyware. We still have root access, they can just see every time I update my packages.
this is supposed to be more secure because it costs money
It makes blaming someone really easy though and that’s all that matters in a corporate world.
This is legitimately it. The same reason corporations often pay for Linux (e.g. RHEL)—the people in charge want to be able to pick up a phone and harass someone until they fix their problem. They simply can’t fathom any alternative approach to managing dependencies.
Not just pick up the phone and harass someone but to also have someone to press a lawsuit against if things go really wrong. With free software the liability typically ends at the user which means all they can do is fire the employee and eat the loss. Suppose now corporate paid for it, well now there is a contract and a party that can be sued.
I hear that a lot but would that actually work? Sure, you will get a redhat level 1 support employee within the hour for a severity 1 ticket. But does the actual contract (which I don’t have access to) make any legally binding guarantees regarding the time-to-resolution? I seriously doubt it. Which is to say – your legal team will be SOL.
They also won’t take responsibility for any fuckup on your part if you install a bad driver or deviate from the admin guides in anyway (which is why Legal says for a minor issue you can’t apply a patch from StackExchange, you must raise a ticket and wait 3 business days for RedHat to tell you to apply the patch from StackExchange).
Getting phished definitely falls in this category BTW. Vendors may or may not help you but they certainly won’t accept any liability.It’s still a good enough safety net to have for corporations with no trustworthy in-house expertise as vendors do have an incentive to keep their customers happy and most will help to the best of their abilities (which often isn’t as much as one might think…), but it’s hardly a legal panacea. If you need guarantees against catastrophic financial losses, that is what insurance is for.
As if the Eulas don’t make it all arbitration?
What software company allows liability for mistakes in a EULA?
Companies and individuals play by different rules.
When a big company purchases software a team of people from both parties (whose entire job and career are based on doing this) negotiate with each other to decide exactly who is liable for what and to what degree.
When you purchase software you agree to let the company fuck you over at their leisure because you literally do not have enough hours in the day to even read everything you agree to, let alone understand it, let alone argue with it. And even if you did you don’t have enough bargaining power to make a large company care.
Most do, but limited to the amount of the contract.
So corporations are just The Gang in It’s Always Sunny In Philadelphia?
The greentext reminds me of this FAQ entry: https://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html#faq-vendor
A.9.17 As one of our existing software vendors, can you just fill in this questionnaire for us?
We periodically receive requests like this, from organisations which have apparently sent out a form letter to everyone listed in their big spreadsheet of ‘software vendors’ requiring them all to answer some long list of questions […]
We don’t make a habit of responding in full to these questionnaires, because we are not a software vendor.
A software vendor is a company to which you are paying lots of money in return for some software. They know who you are, and they know you’re paying them money; so they have an incentive to fill in your forms and questionnaires […] because they want to keep being paid.
[…]
If you work for an organisation which you think might be at risk of making this mistake, we urge you to reorganise your list of software suppliers so that it clearly distinguishes paid vendors who know about you from free software developers who don’t have any idea who you are. Then, only send out these mass mailings to the former.
I read only part of the URL and thought this was about puzzles. Never knew the guy made Putty as well
Would be really funny if they still get fucked over because of some fine print in the disclaimer
Or maybe the vendor goes with “take the money and run”.
“If you’re not paying for the product, then you are the product.”
The phrase has its uses, but shit like this is what happens when it’s taken to the extreme.
Often times when you pay for the product, you are still the product.
I’m the product in the sense that poo is the product of the intestines.
That is just a fact at this point
The simple exception is free software (free as in freedom). It’s really not that complicated.
Digital security education in schools actually give people brain tumour ffs
