The Problem with Pundits, part III.
When an exploit comes out based on some vector or user activity, pundits are all over it and saying, “Duh! Well, just don’t DO that!”
Dudes. If it were that easy to stop, we’d have stopped it already. We can’t just strip all .gif files at the gateway willy-nilly. And password-protected zip files are often the poor man’s “encryption” for email. Would you like to explain to a few hundred non-technical business partners how to download and use AxCrypt as an alternative? Would you like to buy them a real encryption product? Would you like to explain to hundreds of internal users why they suddenly can’t get legitimate attachments from external correspondents?
I didn’t think so.
I’m taking your pragmatic armchairs away for a time-out now.
UPDATE: Mike Rothman gets all bombastic on my ass about how there are “no excuses” for not just stripping .zips at the gateway. (He also seems really to care about my chromosome allocation; I suppose he can’t decide whether to patronize me or buy me a beer.) Come on, Mike, I thought you were all about pragmatism.
There are a lot of workarounds to getting secure information from one location to another. They are not all overly technical and hard to use.
Great. Give me a practical solution, right now, as to how to get around the lack of available mail encryption. AxCrypt classes for hundreds of external business partners? Tell them all to send us password-protected CDs in the mail? And how do you deal with correspondents who HAVE to zip up their 10-meg files just so they don’t melt down their ISP dialup connection? (They still exist, y’know.) Seriously, when was the last time you actually had to implement a quick solution in a real-world environment where things were NOT perfect and getting a new solution in required not only hours of your time, but hours of everyone else’s?
It ain’t excuses, son, it’s reality. Give me a workable solution, and I’ll be glad to implement it. Don’t give me the security equivalent of “just say no.”


I can solve that problem: no attachments; plaintext email only.
Of course, then those pundits will cry that their pretty signatures and dancing hamsters won’t display their personal branding…
You’re right, we had this come up yesterday as well and we just quickly blocked .zip files for a short period and vetted anything caught in that net so we could forward anything legit. Our users don’t always use .zip files, but they can and sometimes do.
When your spam catcher (we outsource ours) and your AV signatures are not quite updated to catch brand new threats and you’re getting spammed, you do have to do something, not yank away email and hope the business lavishes you with flowers and candy for being so attentive. I could only wish I ever work in that theoretical environment some day.
Although, maybe these pundits are ok with explaining to all their non-technical users (and technical ones!) how to use SFTP/SSH and then in turn teach all their customers and contacts how to use it…blah blah….buy products…blah…
Naughty pundits!