Path: utzoo!censor!geac!torsqnt!news-server.csri.toronto.edu!cs.utexas.edu!tut.cis.ohio-state.edu!wolfman.cis.ohio-state.edu!francis
From: francis@wolfman.cis.ohio-state.edu (RD Francis)
Newsgroups: comp.sys.mac.misc
Subject: Re: computer security
Message-ID:
Date: 26 Nov 90 15:52:25 GMT
References: <1990Nov20.221333.4619@cunixf.cc.columbia.edu> <36124@cup.portal.com> <1990Nov21.190134.19749@uncecs.edu> <36149@cup.portal.com> <1990Nov25.101038.17650@world.std.com>
Sender: news@tut.cis.ohio-state.edu
Distribution: na
Organization: Ohio State Computer Science
Lines: 58
In-reply-to: boris@world.std.com's message of 25 Nov 90 10:10:38 GMT

Re: the discussion on the removal of software from company-owned equipment used by an individual.

I used to work at a ~15 person consulting firm. They had a stated policy; there is a standard system folder, and everyone is to have that system folder. Theoretically, they could remove anything from someone's system that wasn't in the standard system folder (most likely, by copying over it with an updated system folder, as they weren't exactly heavily policing this).

There was a reason, however: consistency. Despite the fact that each of us had a Mac on our desk (most of the time at least), there would come occasions where we would need to use someone else's Mac. Also, there were a few Macs set up for demonstration purposes, that were frequently used by various staff members, and tended to accumulate every init/cdev/driver/whatever in the known universe. There was a desire to keep these machines clean.

Finally, viruses were a major concern. Risking a virus on your own machine is bad enough, but when you consider that you could spread that virus to a client's machine trivially, or to other machines in the company (and then on to clients), it was a risk to the company itself.

Even with the precautions we took, it is likely that on one occasion, a virus was picked up from a customer, and spread to two others before it was noticed, and that we gave our new customers WDEF for a month or so before it was discovered. If any significant damage had been done in either of those cases, we could have lost the client, at best, and faced a law suit at worst (I believe that the law suit would have been futile, since it was an accident, but bad word-of-mouth on something like this could cost you your business).

This policy was not inflexible. Another programmer and I were given permission to bring things up for evaluation purposes (i.e., is this something that everyone should have?). The biggest concern is that, while we would probably think to use Disinfectant (OK, they used Virex, truth in advertising and all) to check for viruses, not everyone would do so. All it would take is one person screwing up to cause significant problems.

Another note on personal software stored on work computers. My fellow programmer was canned (about a month before I left, and if I hadn't already decided to leave, that would have pretty much clinched it) and wasn't around to clean out his desk. I helped someone in a more management oriented position clean it out, primarily to ensure that none of his stuff got tossed/lost. I think he got back all of his physical personal possessions; however, I don't know if he ever got back his personal computer files. They backed up his computer and then wiped it out for their new networking guy to use. They would have been real reluctant to let him at his files. Why? Two former employees had started up their own consulting firm, leaving management possibly overly concerned when an employee left. They would have had to worry about him taking company-owned information/software in addition to personal stuff.

Do I think this was fair? No. Do I think they didn't have the right to do this? No.

--
R David Francis francis@cis.ohio-state.edu