greatgazoo's Avatar
Posts: 24 | Thanked: 3 times | Joined on Feb 2007 @ Brooklyn, NY
#11
Originally Posted by bleek
I for one will not take a job for a company (or upper management) that does not have enough faith in my skills to set up and manage my own development machine to maximize my productivity for the company.
Funny, I for one would not want to do business with a company that puts their customers' security and privacy as second class to a developer's whims. Would that developer take the fiscal responsibility if something should go wrong? Probably not.

Don't get me wrong, if there is a true business case and the solution chosen has been properly vetted so that a "company" can realistically take responsibility for the actions of its employees, then fine. But there have been too many cases of companies (and government agencies) not taking this seriously enough.
 
Posts: 190 | Thanked: 21 times | Joined on Sep 2006
#12
Originally Posted by TA-t3
The best thing is probably to not allow anything (including USB sticks, flash cards and iPods) inside the corporate system.
What with every cheap cellphone double-acting as a media player and every clerk sharing yesterday's YouTube finds, complete with every attached virus, with all friends at work, there are few chances left to enforce that. You won't separate the generations below 40 from their cellphones short of stripping them of all their clothes and belongings, walking them nude through a shower, and refitting them with a company uniform.
 
Eismaus's Avatar
Posts: 31 | Thanked: 1 time | Joined on Oct 2007 @ Germany
#13
Actually, it is encouraged to use your own devices at my company.

We have an additional WLAN with a slow internet connection for personal use, with no connection to our company LAN.
Checking emails or the internet on our corporate PCs is an absolute no, but for this we have the WLAN. And as surfing with a PDA or a mobile phone isn't this much fun, most times it's just a fast check for mail.
 
Posts: 19 | Thanked: 4 times | Joined on Nov 2007
#14
Originally Posted by greatgazoo
Funny, I for one would not want to do business with a company that puts their customers' security and privacy as second class to a developer's whims. Would that developer take the fiscal responsibility if something should go wrong? Probably not.
You have a valid point and I agree with you in cases in which that occurs.

That being said, I have never put my "whims" above any customer's best interest. I have faith and pride in my code and my security architecture to where this would never be an issue. In fact I would trust a developer's commitment to perfection in all aspects of a project (RE: security practices) that they have put countless hours and sleepless nights into over any security policy chosen by a corporate IT department. If you cannot grant a developer trust in this regard they should not be touching any code that accesses sensitive information. The thing is developers are going to be the users you should be LEAST concerned about. If you are worried about criminal or unmoral concerns with a particular developer, then address that issue with them on an individual, personal basis.

Originally Posted by greatgazoo
Don't get me wrong, if there is a true business case and the solution chosen has been properly vetted so that a "company" can realistically take responsibility for the actions of its employees, then fine. But there have been too many cases of companies (and government agencies) not taking this seriously enough.
The chances of this happening at any corporation with a board or investors are next to none. It's all about passing the ball to the next person in line.
 
Hedgecore's Avatar
Posts: 1,361 | Thanked: 115 times | Joined on Oct 2005 @ Toronto, Ontario, Canada
#15
Gazoo: *thank you*

Bleek: Actually, I have nothing to do with operations or site support. In fact, my title was SQL developer and I dealt with report development (where my innovative ideas to make 75 min reports run in 5 mins *were* squashed), and worked closely with the guys who did the Java front end stuff for the dialer. My work-issued laptop was actually beefier than the one the guy was using. (My guess is he wanted our software licenses to do freelance work on the side, which he did.)

Asking someone to use a work-issued laptop doesn't stifle innovation, at least I can't think of many cases where it would. What it *does* do is bring uncertainty into the realm of security and as I said we were dealing with credit card numbers and personal information. *THE* reason for disallowing personal machines is accountability. If anything happened the company would be held responsible and I don't think a certain credit card company whose cards live in many of our pockets would appreciate knowing the source of the breach was a personal laptop being used in the workplace. The company is accountable regardless, but the company should be accountable on its own terms. There's also the issue of data security once said employee rolls out to greener pastures. How can you ensure your data doesn't reside on that machine?
 
Posts: 29 | Thanked: 2 times | Joined on Nov 2007
#16
I got mine onto our private network and things are working OK... even TTLS over PEAP, yay! Also I have the VPN software working and the front end for it. It even read in our Cisco config file. So I now can VPN in and then remote into my Mac with VNC. Deskside support rocks now that I can go to the user's desk and have my computer in my hands with me.
I have to admit the 810 just rocks.
 
Posts: 477 | Thanked: 118 times | Joined on Dec 2005 @ Munich, Germany
#17
Originally Posted by Hedgecore
is bring uncertainty into the realm of security and as I said we were dealing with credit card numbers and personal information.

I think you have your priorities backward. If connecting a PC with malware on the network is all it takes for a security breach, there is something very, very wrong with the IT department.



Originally Posted by Hedgecore
There's also the issue of data security once said employee rolls out to greener pastures. How can you ensure your data doesn't reside on that machine?
And here again: I think that if a firm lets vital data on one machine, or under the control of a single individual, there is something very, very wrong with their human resources management.
 
linuxrebel's Avatar
Posts: 182 | Thanked: 46 times | Joined on Jan 2007 @ Silly-Con Valley
#18
Ok, Normal reaction. Here we go again.

The IT does not run Windows. It does not run an OS modeled on the MS design concept. What this means is that you cannot solve MS problems on a Linux box. It's an exercise in futility.

Linux doesn't have viruses, period. Not in the way Windows does, because unlike Windows it is modeled on the concept of privilege separation. As a result, in order for a virus to exist on a Linux device it would need to have a human user there to assist it by telling it root's password or intentionally running it as root. Then you would have to tell each of the other users on the box to run this program as well.

Second, MS binaries don't run on Linux (Wine covered separately and doesn't work on the IT). As a result, if a virus were stored on a Linux system it would require the conscious effort of a human to move it to a winbox.

Now one thing that can happen is that a Linbox can have a file put on it that later you put onto a Windows box (sneaker net, samba drag and drop, scp perhaps) and then the user of the Windows box can go "Hey what's this executable let me click on it and see." Then again anything that can store a file could have this problem. The secret is to never execute any file put on your winbox until the winbox has virus scanned it.

On Windows you have the concept of the box/MS/system's ability to do things for you automagically without you first telling it to do them. Linux has automagic, yes. But I told it, configured it, to do this; it doesn't happen without prior knowledge. I don't get Ubuntu or Mandriva downloading files in the middle of the night that I didn't want through some secret back door. (MS has this.) Any file transferred from anywhere to my Linux box has to first have a human initiate the action. This initiation can be asynchronous (cron job) but it can't happen without a human knowing about it. Linux doesn't allow anonymous file transfer.

Security by obscurity also has little to do with it. Truth be known, there are as many if not more Linux installs in corporate (insert country name) as there are WinBoxes. The problem is you don't know it. Cisco.... uses Linux.... Linksys, Netgear, Juniper, every little managed switch router etc etc etc. Yep, most of them run an embedded Linux install (keeps Wind River and MontaVista alive). Not to mention the embedded Linux in some phones and most Centrex/VOIP/Telephone Exchange systems. (Asterisk is everywhere!) Then you finally get down to the servers/mainframes/clusters/we all know and love.

The #1 single most dangerous thing you let into your environment every day is not a computer or an OS. It's people. Keeping hardware out is a lot like trying to keep pregnancy from occurring by forbidding adult toys. It ain't the toys' fault, it's the humans who made it happen.

It comes down to a function of trust. Frankly if you can't trust the people you work with it's time to go to work somewhere else. Period. Computers are stupid. The only dang thing they can do is add 1+1 1+0 or 1+-1 (Honeywell did 1+-0). But it can do it really, really fast, enabling Humans to be able to turn that into some very intricate programs. That at least, on Linux, can only run if a human sitting in front of a console (remote or local, gotta love ssh/vnc) says go.

Rick Moen's Linux Virus FAQ

Wine (Wine Is Not an Emulator) is a way of running Windows programs on Linux. It has been so successful at running Windows programs that even some viruses have been shown to run there. Wine won't run on the IT (it's not x86) so no damage there.

Next, the IT is an ARM architecture. Guess what, it can't run x86 binaries. Windows can't run ARM binaries. Guess what this means: it means A can't damage B unless a human who owns A walks in and sits down at the console of B and starts deleting files.

Lastly, and this is again a result of poor security. I guess a HUMAN sitting with an IT that has been given access to your network could start scanning for weak passwords and given a few weeks (the IT is slow) they can install a root kit. Root kits are fun, they are not viruses, they are in fact a result of intentional effort applied to poor security practices. (Change the dang password on your IT to something other than a curse word, your wife's name or p455w0rD) tear up the sticky notes (even the stupid Apple program and its "hidden" feature) that has your password and you can protect yourself.

Remember in the end 3 things are there for you no matter what OS.

1. Think before you act. If you don't have time to do it right, you'll never have time to do it over.

2. Trust, the human kind, if you don't have it, get a new job. No amount of retinal scans (rectal?) will replace the intimate knowledge of trust. Ask anyone who's been in combat, trust can keep you alive.

3. No matter how hard you work at keeping hardware out, while you are watching the hardware some human just walked off with a CD that has all of your customers' CC numbers. The #1 hacking danger is social engineering, not rogue hardware.
 
Posts: 477 | Thanked: 118 times | Joined on Dec 2005 @ Munich, Germany
#19
I beg to differ. Sure, Windows is a security nightmare compared to Linux, but Linux (or Unix, etc.) is far from perfect. For example worms targeted at specific server software have been a problem (type "apache worm" in Google). On a more IT related basis: it would be fairly easy to write a virus for the N800, given that everything works under the control of the user account.

You seem to also ignore the problem of industrial espionage. These kinds of viruses or trojans are less known to the general public, as they are typically designed to spread only on specific installations, but they are a problem whenever sensitive data is processed. Actually, all this boils down to the commercial interest of malware: Windows viruses are known by the general public, because they are used for botnets and therefore designed to spread massively. But if infecting a single machine will bring you lots of money (credit card lists, the blueprints of a prototype, etc.) it will be tried.

I'll say it again: Windows is the worst for all this. But you should not believe that Linux is 100% safe, just because viruses have not been massively reported. It's safer, but typically far less than you think.

So I stand by my opinion: "If connecting a PC with malware on the network is all it takes for a security breach, there is something very, very wrong with the IT department."
 
luca's Avatar
Posts: 1,137 | Thanked: 402 times | Joined on Sep 2007 @ Catalunya
#20
Originally Posted by linuxrebel

Linux doesn't have viruses, period. Not in the way Windows does, because unlike Windows it is modeled on the concept of privilege separation. As a result, in order for a virus to exist on a Linux device it would need to have a human user there to assist it by telling it root's password or intentionally running it as root. Then you would have to tell each of the other users on the box to run this program as well.
If you only could convince the drones that won't let me connect my embedded Linux computer, with no servers running, no open ports and physical access available only to qualified personnel (which, BTW, had no problem in managing another Linux computer that luckily needed no access to the network), to the factory network, unless I install a "certified" antivirus... (which, BTW, is a real POS and I'm sure it'll disrupt the operation of my embedded controller).
Oh, and their security policies are so good that you can take any computer (with an approved antivirus solution, of course) on the factory floor and get access to the internet at large (apparently their peripheral access control is based on windows, 'nuff said).
 