Comments on TaoSecurity Blog: One Thought on State Department Incidents

Anonymous (2006-07-17T18:37:00-04:00):

Richard,

With regard to my previous post, the following howto looks pretty good: http://www.unixwiz.net/techtips/deploy-webcert-gp.html Disclaimer: I have not tried this, just an idea. :)

Josh

Anonymous (2006-07-16T20:03:00-04:00):

Our local Univ. blocks SSL for wifi guests.

Anonymous (2006-07-16T19:11:00-04:00):

I knew it! The SSL virus has spread! (W32.SSL.b for those in the know!)

People were laughing at me, but here is the proof in the puddin. If only people would listen to the billster.

Just so everyone knows, I am ready and ready for some high payin consulting for the "DEPARTMENT!" to help them clean up their mess they went and got themselves into. I fixed things up licky-splits at the bank, and I can do it here too!

My favorite fixer-upper for this is to get everyone's credit card numbers from them then use them for them and not trust end users to do it themselves because they are not to be trusted and can only be trusted to do the wrong thing. Then I have them so I can use them, and the more you get, the better you did it!

Richard Bejtlich (2006-07-16T19:05:00-04:00):

Josh -- interesting! Got any references or KB articles?

Anonymous (2006-07-16T17:19:00-04:00):

Good post! To solve the "users will probably have to accept an unexpected SSL certificate" problem, assuming a strictly Windows + IE environment, one could import the proxy cert as a trusted root cert using a group policy.

Richard Bejtlich (2006-07-16T07:22:00-04:00):

Alastair,

That is a good comment. On a related note, I've seen some security shops that are very quick to shut down switch ports at the slightest suspicion of compromise. Usually the "up-at-all-costs" crowd dominates and potentially compromised systems are kept on line despite evidence to the contrary.

Anonymous (2006-07-16T03:10:00-04:00):

Hi Richard,

I think your intentional pun raises an issue which doesn't seem to be talked much about in the security community. It seems that the organization itself (and more specifically the IT department) is a security threat and should be treated as such. While we may not wish to question their motives, from the user's perspective their actions are sometimes indistinguishable from a DoS attack (http://girtby.net/archives/2006/03/20/threat-modelling/).

So there's always going to be a trade-off between a secure system and a usable/useful system. Those in the trenches attempting to secure networks may not always see the optimal tradeoffs. It's a hard job.