• 0 Posts
  • 79 Comments
Joined 1 year ago
cake
Cake day: July 9th, 2023

help-circle
  • This is fundamentally true. However it is possible to limit the bandwidth of data the employee can exfiltrate.

    That’s fair, but the OP was talking about having the sensitive data directly on the laptop, which rather limits your ability to control access to it, and why I was suggesting keeping the data on a server and providing access that way, so limits can be put in place.

    Assuming a privileged employee suddenly becomes a bad actor.

    Your threat model probably isn’t the employee who suddenly goes rogue and tries to grab everything, but the one who spends and extended period of time, carefully, extracting key data. As you, the former can be be mitigated against, but the latter is very much harder to thwart.

    But I couldn’t for example download our entire customer database, I could get a specific record, I could maybe social engineer access to all the records of a specific customer, but there is no way I’d be able to extract all of our customers via an analog loophole or any standard way. The data set is too big.

    That’s well set up, but, whilst your competitor would love the whole database, what they’re really interested in is the contact details and contract information for maybe your largest three customers. When the dataset to extract is small enough, even quite advanced rate limiting can’t really help much. Making sure no one person has access to all of the most valuable data is a good start, but can present practical problems.

    And this is what you are trying to limit. If you trust your employees (some you have to), you can’t stop them from copying the keys to the kingdom, but you can limit the damage that they can do, and also ensure they can’t copy ALL the crown jewels.

    I think we’re basically saying the same thing. The OP talked about putting all the sensitive information on the employee’s laptop, and that’s what I was trying to steer them away from.

    In the past I’ve been asked if we can provide our developers access to pull the full source tree, but not copy it anywhere, and, to quote Charles Babbage, “I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.”

    I enjoy the security side of sysadmin work, but I find it rather depressing, as all you can hope to do is lose slowly enough that it’s not worth attacking you.


  • I agree that you should assume you’re being monitored, but, while that helps against malware type exfiltration, it does little to stop someone who is determined to exfiltrate the data as there are a myriad of ways to do so that aren’t possible to monitor, such as simply taking a video of the screen whilst displaying the information.

    Ultimately, the company has to trust the employee or not give them access to the sensitive data, there’s no middle ground.






  • notabot@lemm.eetoScience Memes@mander.xyzShorebirbs
    link
    fedilink
    English
    arrow-up
    5
    arrow-down
    1
    ·
    22 days ago

    Even if they were surveilance drones they’d still be real, as opposed to mass hallucinations beamed into our visual cortexes by satellites. Of course, they’re not actually surveilance drones, that’s just a conspiracy theory started by the CIA to identify and monitor conspiracy ‘super-spreaders’ who can be used to spread whatever memetic trope the goverment of the day wants. No, really they genetically altered most plant species to act as resonant cavity bugging devices like The Great Seal. They monitor them with the same satellites they definately don’t use to beam out mass hallucinations.

    /s of course, because, haha, that would just be silly, and I don’t want to be picked up and ‘reprogrammed’.



  • notabot@lemm.eetoScience Memes@mander.xyzIt hurts me.
    link
    fedilink
    English
    arrow-up
    8
    ·
    29 days ago

    Isn’t one of the main issues with carbon-monoxide that hemoglobin preferentially binds with it over oxygen, and so it doesn’t get expelled from your bloodstream via your lungs? You can tolerate quite large doses with little more than a headache, so I doubt you could overdose from internally generated amounts, but a large enough dose dangerously reduces your blood’s oxygen carrying capacity.






  • Interestingly, whilst Wikipedia does say that, the language in RFC 1591 (Domain Name System Structure and Delegation) only says:

    There are a set of what are called “top-level domain names” (TLDs). These are the generic TLDs (EDU, COM, NET, ORG, GOV, MIL, and INT), and the two letter country codes from ISO-3166.

    Likewise, in ICANN’s PRINCIPLES FOR THE DELEGATION AND ADMINISTRATION OF COUNTRY CODE TOP LEVEL DOMAINS, they say:

    ‘Country code top level domain’ or ‘ccTLD’ means a domain in the top level of the global domain name system assigned according to the two-letter codes in the ISO 3166-1 standard

    In neither case do they actually limit two letter TLDs to being country codes, they only state that all country codes in ISO 3166-1 are ccTLDs. In the RFC, the author does suggest it is unlikely that any other TLDs will be assigned, but this has obviously been superseded with the advent of gTLDs. Thus I still consider it likely that the .io TLD will simply transition to being a commercial one, rather than a country one.

    Having said all that, it’s entirely possible I’ve missed some more recent rule that tightens this up and only allows two letter domains from ISO 3166-1. If I have I’d be glad of a pointer to it.



  • It’ll get eliminated as a country code, yes, but that leaves it available as a generic TLD. Seen as it will be available and is obviously lucrative, someone will register it and, presumably allow domains to be registered under it. Off the top of my head, I think it costs $10,000 and you have to show you have the infrastructure to support the TLD you register, so an existing registrar is the most likely. That figure is probably out of date, it’s been many years since I checked it, but the infrastructure requirement is the more costly part anyway.



  • I enjoy reading dead tree books as much as anyone, and whilest the publisher/distributor can’t take it away, there are plenty of ways you can lose access to them. Fire and flood being the two obvious ones, whereas digital books can be backed up offsite. It’s also easier to carry many books when they’re digital compared to physical.

    For books I care about I try to get both a physical and a (drm free) digital copy for the best of both world.