On Fri, Jan 31, 2014 at 09:01:06AM -0800, Yosem Companys quoted:
> "One of these mandates includes having employees with Windows XP
> laptops and desktops migrate to Windows 7 Enterprise or Ultimate, or
> Windows 8 Pro or Enterprise, by April 8. Employees will be able to
> download the latest Microsoft software for free under a new campus-wide
> license obtained in November 2013."

Let's stop right there. If this entire initiative was actually about security in any way, shape or form, then this paragraph would not be present. Closed-source software cannot be secured, and changing from one insecure version of Windows to another is merely an expensive, time-consuming exercise that achieves nothing of significance. If that statement isn't clear:

https://mailman.stanford.edu/pipermail/liberationtech/2013-March/007499.html

So the people behind this farcical exercise at Stanford either don't understand security or don't care about it. If they actually did, then they would *ban* Windows from the environment and phase out every system currently running it.

That is not, by the way, equivalent to a claim that banning Windows fixes all the security problems. Of course it doesn't. But it's a great first step, and it facilitates many subsequent steps which, in combination, could substantially raise the bar that attackers have to clear. And that would of course go a long way toward protecting PII from a multitude of attack vectors.

But as long as Stanford sticks with an operating system that is not only insecure, but insecurable (see above link), they have chosen a path that inevitably leads to failure.

Which raises the question: what, exactly, are they playing at here? Is this just a campus-wide CYA? So that when the next breach, and the next one, and the next one come along they can say "but see? look at all the things we did!" and do the usual "nobody could have foreseen" PR schtick?

Why doesn't Stanford *really* care about security instead of just pretending that it does?

---rsk