On Fri, Jan 31, 2014 at 09:01:06AM -0800, Yosem Companys quoted:
> "One of these mandates includes having employees with Windows XP
> laptops and desktops migrate to Windows 7 Enterprise or Ultimate, or
> Windows 8 Pro or Enterprise, by April 8. Employees will be able to
> download the latest Microsoft software for free under a new campus-wide
> license obtained in November 2013."

Let's stop right there.

If this entire initiative was actually about security in any way,
shape or form, then this paragraph would not be present.  Closed-source
software cannot be secured, and changing from one insecure version
of Windows to another is merely an expensive, time-consuming exercise
that achieves nothing of significance.

If that statement isn't clear:

        https://mailman.stanford.edu/pipermail/liberationtech/2013-March/007499.html

So the people behind this farcical exercise at Stanford either don't
understand security or don't care about it.  If they actually did,
then they would *ban* Windows from the environment and phase out every
system currently running it.

That is not, by the way, equivalent to a claim that banning Windows fixes
all the security problems.  Of course it doesn't.  But it's a great
first step, and it facilitates many subsequent steps which, in combination,
could substantially raise the bar that attackers have to clear.  And that
would of course go a long way toward protecting PII from a multitude of
attack vectors.

But as long as Stanford sticks with an operating system that is not
only insecure, but insecurable (see above link), they have chosen a
path that inevitably leads to failure.

Which raises the question: what, exactly, are they playing at here?
Is this just a campus-wide CYA?  So that when the next breach, and
the next one, and the next one come along they can say "but see? look
at all the things we did!" and do the usual "nobody could have foreseen"
PR schtick?  Why doesn't Stanford *really* care about security
instead of just pretending that it does?

---rsk
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.
