On Fri, Sep 22, 2017 at 1:23 PM, Eliot Lear <lear@xxxxxxxxx> wrote:
> Hi Warren,
>
> Just a point of information:
>
>
> On 9/22/17 6:24 PM, Warren Kumari wrote:
>> Unfortunately you cannot separate case 1 from case 2 -- if you make it
>> something that enterprise folk can detect / block (on BYOD devices)
>> then you have provided that facility to everyone.
>
> Good guys generally have an existing security association with the
> device (if a bad guy has a security association with the box, we call it
> 0wn3d).

Yes, and no (and why I specified BYOD) -- a number of enterprises allow
employees to bring in personal phones / tablets / computers and use them
on the corporate network... without requiring that they install a
profile / place the devices under management -- I've lost the reference
(I'd thought it was off the BYOD Wikipedia page), but the number of
organizations doing this was scary (to me!).

Now, perhaps these same organizations don't currently monitor their
employee usage through DNS...

W

>
> Eliot
>
>

--
I don't think the execution is relevant when it was obviously a bad idea
in the first place. This is like putting rabid weasels in your pants,
and later expressing regret at having chosen those particular rabid
weasels and that pair of pants.
   ---maf