On Wed, 9 Jul 2014, Ted Mittelstaedt wrote:
You are an administrator. YOU ARE PAID BY CLUELESS USERS TO PROTECT
THEM AND THEIR DATA, DAMMIT.
<recovered_monk>
...unless it involves some actual, you know, effort on their part.
</recovered_monk>
And in this instance, Large DP Company *is* doing something proactive to
protect the data they are providing to their customers - they are putting
it in a strongly-encrypted wrapper.
That in doing so they are training their customers to behave in a manner
that makes them vulnerable to malware delivered by social engineering
*may* not be something they would worry enough about to actually spend
money and time on fixing, especially if fixing it involves them forcing
their customers to install PGP or GPG in order to access a
non-self-extracting encrypted archive. That won't be as visible a security
feature as the PGP archive itself is, and it's not, strictly speaking, a
hole in *their* security practices.
I'm not excusing their approach, but I'm saying there are a lot of sources
of real-world friction that lead to suboptimal solutions like this. I
expect the desire to avoid requiring installation (and maintenance!) of
PGP/GPG by their (assumed non-technical) customers is the primary reason
they are doing it this way.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Drugs will always be around. Politicians are therefore making an
active decision to distribute them through violent gangs. --Twitter
-----------------------------------------------------------------------
11 days until the 45th anniversary of Apollo 11 landing on the Moon