Rich Freeman via plug on 8 Apr 2021 18:45:05 -0700
Re: [PLUG] that's nice
On Thu, Apr 8, 2021 at 9:27 PM Fred Stluka via plug <plug@lists.phillylinux.org> wrote:
>
> Yes, physical access does open up a lot of possibilities.
> But Microsoft keeps claiming that it doesn't.

I think most competent companies are using TPM-backed encryption for this reason. You can take advantage of OS exploits, but you can't just bypass the OS security entirely. Their main concern is laptop theft, but user tampering is also something that it prevents.

Chromeboxes use TPM-backed encryption for user data only, but they use boot verification for the OS, which also prevents tampering. Those have a slightly different security model than typical Windows desktops.

To be fair, most Linux distros do not support TPM-backed full disk encryption. They might let you set a disk encryption password, but in this case the user typically knows the password, and thus the user can bypass the encryption when booting from a rescue disk. This probably reflects that most big companies don't care about Linux on the desktop.

> Windows doesn't really have file permissions at all, or at least
> they're pretty much always not being used, or are being deleted
> from files all the time.

Maybe if you're talking about small companies. I can't imagine most Fortune 500 companies are deploying desktops without file permissions. Granted, some of them just worry about security on fileservers and don't worry about client PCs so much. Companies have been moving away from this in recent years for a couple of reasons:

1. They want to prevent users from storing data on local PCs where it is more vulnerable.
2. Ransomware/phishing/etc attacks are getting more common, and securing the local PC helps keep this stuff out.
3. Targeted laptop theft for espionage/etc instead of just petty theft is becoming more common, so they want to make sure the OS security settings aren't disabled if this happens.

A lot of what you say might have been true 20 years ago, but I think it is less true today.
Also, we're talking about antivirus software in this thread. Almost all corporate antivirus software phones home. If you go fiddling with it, and it doesn't phone home with the expected status, you're probably going to get a visit. I imagine that this sort of thing is not going to be tolerated for just about anybody. Maybe a star performer gets a very stern talking to and a chance to never do it again. Really though it isn't a situation you want to be in.

My advice is to just let the company IT manage THEIR computer the way THEY want to, and just stick to the SOP. If you can't get your work done as a result, talk to your boss about it, and make it IT's problem. There are almost always ways to escalate such things.

I stopped caring about how the company manages their hardware a long time ago - if I want to do something not company related I use my own PC for this. If I'm traveling or whatever I bring my own PC with me alongside the company one. I tend to pick ultralight laptops/etc as a result since they're mainly for travel. If I ever had to carry a company phone I'd just carry my own phone alongside it for the same reason - don't mix personal and employer stuff.

-- 
Rich

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
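As an added illustration of the Linux caveat raised above (a TPM-sealed LUKS keyslot versus a passphrase slot the user knows and can use from a rescue disk), here is a small audit script that is not part of the thread: it parses text in the format of `cryptsetup luksDump` with a systemd-cryptenroll `systemd-tpm2` token (assumed layout) and reports which keyslots are TPM-bound and which would still open with a passphrase. The sample dump is constructed, not captured from a real device.

```python
import re

# Constructed sample of `cryptsetup luksDump` output (not a real device):
# a systemd-tpm2 token sealed to PCR 7 is bound to keyslot 1, while keyslot 0
# is the passphrase/recovery slot that enrollment leaves in place.
SAMPLE_DUMP = """\
LUKS header information
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   7
        tpm2-pcr-bank:    sha256
        Keyslot:    1
"""

def parse_luks_dump(text):
    """Return {section: {index: {attr: value}}} for the indexed sections."""
    sections, section, entry = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):   # "Keyslots:", "Tokens:"
            section, entry = line[:-1], None
            sections[section] = {}
            continue
        m = re.match(r"^\s{2}(\d+):\s+(\S+)$", line)        # "  0: luks2"
        if m and section is not None:
            entry = int(m.group(1))
            sections[section][entry] = {"type": m.group(2)}
            continue
        m = re.match(r"^\s+([\w-]+):\s*(.*)$", line)         # "    Keyslot:    1"
        if m and entry is not None:
            sections[section][entry][m.group(1)] = m.group(2).strip()
    return sections

def audit_tpm_binding(text):
    """Report TPM-sealed keyslots (with their PCR list) and passphrase slots."""
    parsed = parse_luks_dump(text)
    tpm_slots = {}
    for tok in parsed.get("Tokens", {}).values():
        if tok["type"] == "systemd-tpm2" and "Keyslot" in tok:
            tpm_slots[int(tok["Keyslot"])] = tok.get("tpm2-hash-pcrs", "")
    # Any keyslot not referenced by a TPM token still opens with a passphrase,
    # so a user who knows it can unlock the disk from a rescue boot.
    passphrase_slots = sorted(s for s in parsed.get("Keyslots", {}) if s not in tpm_slots)
    return {"tpm_slots": tpm_slots, "passphrase_slots": passphrase_slots,
            "passphrase_unlockable": bool(passphrase_slots)}
```

On a real machine, feed it `subprocess.check_output(["cryptsetup", "luksDump", "/dev/<device>"], text=True)` in place of the sample.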