Hallam-Baker, Phillip wrote:
The best way to stop such nonsense is to recognize what every mainstream security specialist working in the field recognized long ago - there is a difference between the network and the inter-network and connection to either is a privilege that should only be granted on the basis of need.
Your political strategy is naïve and fragile. You mistake a tactic for a strategy. Insisting that every component that connects to any network be absolutely unrestricted in its capabilities is unworkable, unsustainable and violates the security principle of least privilege. It is a tactic that is doomed to failure.
I think the problem that Keith is talking about is the problem of "unreasonable" policies, which will instantly create a "criminal" subculture in any networks that have such "unreasonable" policies. For example, if the only ISPs that are available to me insist that the machine I connect to their precious network run Windows XP SP > foo, but I'm actually a Linux user, then techniques will emerge that allow me to fool the ISP into thinking that I'm a Windows XP SP > foo machine.

Trying to enforce that a Turing-complete machine have capabilities "no greater than X" might seem to an IT senior manager to be a really good idea, but in practical terms, it can't be done. And if you try to do this in any but the most tightly-purposed networks, rebellion will be the inevitable result.

Some companies have an emerging draconian policy about users running only "authorized" software on their machines, with a cumbersome "approvals" process for any new software that someone might want to run on their machine, which includes software written by the user themselves. That type of policy might be "reasonable" in a call-center, or some other tightly-purposed network, but it fails in the general case, and true enforcement is impossible. This emerging draconian policy is subtly re-defining that which constitutes "useful work" in many places such that the only authorized things you can do with your machine are to shuffle Word, PowerPoint, and Excel documents around, surf the Web, and e-mail your co-workers. If you want to do "real work", you necessarily have to violate policy, or do your "real work" on a machine not subject to the policy.
https://www1.ietf.org/mailman/listinfo/ietf