But now I think this is a brilliant idea. My thinking here is if this opens the door to suing the manufacturers of the AR-15 rifle for the Orlando attack and all the other mass shootings for their "material support" then it's for the greater good.
Good points. Yahoo, Gmail and Hotmail are much better now than they were 10 years ago.
Regardless, their license agreement is pretty clear: use our services at your own risk.
The IT Security guy at the House can only assume that those sites are "mostly harmless" for the most part until evidence presents itself which points to the contrary. Thus he will take precautions accordingly to mitigate the risk.
He can't hold them accountable for malware infecting the House network any more than I can blame my ISP for my home computer being infected by my 10 year old.
With respect to those users who elected to turn off their wifi to bypass the website block.
If they were using their own personal phones, then they are doing so at their own risk. If they are not using them to access corporate data then the best case scenario is their personal phones get hit with malware and they have only themselves to blame.
On the other hand, if they were using corporate phones and opted to turn off their wifi so they could access the blocked site, that opens up a whole can of worms.
Because if they were notified that the site was being blocked and still went ahead and bypassed the network security AND that turns out to be a vector by which the corporate network gets infected, then those employee risk losing their jobs.
If they did so after reading Ted Henderson's message which gave them instructions on how to bypass their network security, --- see the language I'm using here, yes that's exactly what might have just happened --- he may be held liable. Techdirt might also be partially liable thanks to your sage advice Mike. We'll let the lawyers figure it out.
If Ted Henderson is reading this, he better damn well be writing an email to all his users that reads:
"FOR THE LOVE OF ALL THAT IS HOLY IN THIS WORLD, PLEASE LISTEN TO YOUR CORPORATE IT SECURITY STAFF AND DO WHAT THEY TELL YOU."
Because that's what I would be doing right now if I were him.
This is probably one of the worst articles I've ever read.
1. APT is pretty nasty stuff to have to deal with. You don't want that getting into your environment.
2. One cannot selectively block yahoo accounts in yahoo mail, gmail or Hotmail for that matter. You either allow access to the whole domain or no access at all.
3. This is not going nuclear as you call it. Going nuclear is shutting down all access to the internet completely.
4. Users in any government office are granted access to personal mail websites as a courtesy. It is not their right. They are made well aware of this in the form of an network acceptable usage agreement they must read and sign prior to being given access to the corporate network. They have no right to bitch.
5. Obviously you're some kind of expert in holistic Security and Threat management if you can deem this situation is a case of over-reaction without any knowledge of the tools at their disposal, or their processes and procedures.
5a. Hell you don't even know if they've already encountered infected systems at this point.
5b. Anyone with a shred of IT security knowledge will tell you anti-malware is always behind the detection curve. Any IT manager worth the paper their resume is printed on is going to operate their shop from that stand-point and err on the side of caution. BECAUSE...
5c. While you likely don't have any accountability for anything you write, the IT Security Manager at the House of Representatives probably will have to answer to his boss for the entire environment getting hosed with a zero-day APT.
5d. I will also guarantee there is a threat and risk assessment in said manager's hands that says the House of Representative's network is a target rich environment with a whole list of hostile actors with high motivation. See where I'm going with this? No you don't because you're not an IT security expert. See point 6.
6. If we replace the words "it seems odd to me" in this article with "Now I don't know anything about this field other than what I just read in Wikipedia ten minutes ago" that pretty much sums up the content.
Techdirt has not posted any stories submitted by Kisama.
I used to agree...
Re: Let's fix the blame where it belongs
Regardless, their license agreement is pretty clear: use our services at your own risk.
The IT Security guy at the House can only assume that those sites are "mostly harmless" for the most part until evidence presents itself which points to the contrary. Thus he will take precautions accordingly to mitigate the risk.
He can't hold them accountable for malware infecting the House network any more than I can blame my ISP for my home computer being infected by my 10 year old.
(untitled comment)
With respect to those users who elected to turn off their wifi to bypass the website block.
If they were using their own personal phones, then they are doing so at their own risk. If they are not using them to access corporate data then the best case scenario is their personal phones get hit with malware and they have only themselves to blame.
On the other hand, if they were using corporate phones and opted to turn off their wifi so they could access the blocked site, that opens up a whole can of worms.
Because if they were notified that the site was being blocked and still went ahead and bypassed the network security AND that turns out to be a vector by which the corporate network gets infected, then those employee risk losing their jobs.
If they did so after reading Ted Henderson's message which gave them instructions on how to bypass their network security, --- see the language I'm using here, yes that's exactly what might have just happened --- he may be held liable. Techdirt might also be partially liable thanks to your sage advice Mike. We'll let the lawyers figure it out.
If Ted Henderson is reading this, he better damn well be writing an email to all his users that reads:
"FOR THE LOVE OF ALL THAT IS HOLY IN THIS WORLD, PLEASE LISTEN TO YOUR CORPORATE IT SECURITY STAFF AND DO WHAT THEY TELL YOU."
Because that's what I would be doing right now if I were him.
(untitled comment)
1. APT is pretty nasty stuff to have to deal with. You don't want that getting into your environment.
2. One cannot selectively block yahoo accounts in yahoo mail, gmail or Hotmail for that matter. You either allow access to the whole domain or no access at all.
3. This is not going nuclear as you call it. Going nuclear is shutting down all access to the internet completely.
4. Users in any government office are granted access to personal mail websites as a courtesy. It is not their right. They are made well aware of this in the form of an network acceptable usage agreement they must read and sign prior to being given access to the corporate network. They have no right to bitch.
5. Obviously you're some kind of expert in holistic Security and Threat management if you can deem this situation is a case of over-reaction without any knowledge of the tools at their disposal, or their processes and procedures.
5a. Hell you don't even know if they've already encountered infected systems at this point.
5b. Anyone with a shred of IT security knowledge will tell you anti-malware is always behind the detection curve. Any IT manager worth the paper their resume is printed on is going to operate their shop from that stand-point and err on the side of caution. BECAUSE...
5c. While you likely don't have any accountability for anything you write, the IT Security Manager at the House of Representatives probably will have to answer to his boss for the entire environment getting hosed with a zero-day APT.
5d. I will also guarantee there is a threat and risk assessment in said manager's hands that says the House of Representative's network is a target rich environment with a whole list of hostile actors with high motivation. See where I'm going with this? No you don't because you're not an IT security expert. See point 6.
6. If we replace the words "it seems odd to me" in this article with "Now I don't know anything about this field other than what I just read in Wikipedia ten minutes ago" that pretty much sums up the content.
Techdirt has not posted any stories submitted by Kisama.
Submit a story now.
Tools & Services
TwitterFacebook
RSS
Podcast
Research & Reports
Company
About UsAdvertising Policies
Privacy
Contact
Help & FeedbackMedia Kit
Sponsor/Advertise
Submit a Story
More
Copia InstituteInsider Shop
Support Techdirt