
On Tue, 2005-05-10 at 10:24 -1000, Scott Weeks wrote:
> Don't give folks that have access to machines that hold sensitive info the ability to download software unless you know they're savvy enough to do so safely.
I don't see that as the root of the problem. To me the real problem is in the use and handling of usernames and passwords. Take your typical contractor or SE (I used to be one): they have usernames and passwords for their corporate systems as well as customer systems. OK, so they may be careful who they share those credentials with, but they aren't careful enough with how they use those credentials themselves.

I wish I had a nickel for every time I've seen a person assume everything was a-ok since they were using ssh, even though they couldn't have told you who installed ssh (or the remote sshd) on the systems. So, the SE ssh's into *your* corporate systems using ssh on their laptop (probably d/l'ed by googling for PuTTY or SSH and pulling the first available URL) while on a service call to your facility. Or how about the SE who ssh's into *their* corporate network from some rogue contractor box inside your network. Then there are those people who run bleeding edge O/Ses that constantly update from god-only-knows-where servers all over the world... what version of ssh is installed today? And there are those co-workers who "think" they know what they are doing but really don't. Ever dropped a BSOD screensaver onto a co-worker's computer? Dropping a bogus ssh executable is even easier.

Use LDAP? Isn't it nice having one username and password for *all* things? The l33t [ch]4ck3rs love LDAP credentials. Your SSH password is the same as your IMAP/SMTP/POP3/HTTP/RDP password.

In short: people need to not only respect their login credentials, they need to only use them from trusted systems and constantly be vigilant about the level of trust they have for those systems. DON'T mix usernames and passwords between differing classifications of systems.

-Jim P.