Hacker News new | past | comments | ask | show | jobs | submit login

Which regulation requires spyware on endpoints, and where in the text does it say that?



In Germany for example most companies in the automotive space require all contractors to conform to the [TiSAX](https://enx.com/tisax/tisax-en.html) regulations.

These state, that there needs to be proof of several data security aspects on all devices of all people working in a facility for one of these companies/clients as a contractor:

- Anti Virus software up to date - Firewall active - Harddisk encrypted - Ability to remotely lock device - Ability to remotely wipe device

To ensure that this is in place at all times on all devices one needs a programatic solution - Endpoint Management. And as this needs to be root (for remote wipe) - this could be seen as spyware (as I like to call it internally).

So yeah - there are a lot of companies/industries enforcing this. As someone above said - banking is another industry, insurance, medical and other high profile stuff with sensitive data might come to mind.

The text does not say this - but this I added just from experience. And I actually hope that someday companies like mine could go the Apple way and ensure Endpoint Management on a per user account basis. That way I could still take home my company laptop and use it privately with a different user.


What kind of anti-virus is required on a Mac? (Not debating, just curious.) I work for a FAANG on fairly sensitive projects and I’ve never heard of anyone in my org having anti-virus. FileVault, remote wipe, etc., but not anti-virus. Are their credible anti-virus systems form Mac and Linux?


Don't ask me. It is in the enrollment standard.

I strongly believe all this software only enlarges the potential attack surface.

Not sure if this "zoo" of software is more of a security theater and a legal protection to be able to tell everybody "we did all we could possibly do" in case of an attack/hack/what not.

But even if I strongly suspect my device was more secure before, I know, that lot's of less tech-savvy people will have at least some standard (encrypted SDD, and such) enforced. So I am not yet decided if in the end the net benefit is positive.


Symantec or Macfee come to mind, regardless what we might think about them.

It all about fulfilling IT and law checklists.


iOS allows remote wipe functionallity in the standard mail client. Hopefully this doesn't enable any spying... Personally, I'm happy for my employer to have this functionality (trusting them not to abuse it)... My personal data is backed to the cloud anyways, so if I lose my phone I want it to be wiped.


Lots of them. It's under reasonable and appropriate security measures.

You say spyware; I say software that guarantees there is a password, that there is a reasonable lock-out time, that encryption is enabled, etc. Leaking data because you let your most gullible employee install whatever he or she liked on their laptop and phone (eg facebooks spyware certs so they can read all your traffic) is going to get you in trouble in a hurry.

For example, CCPA. Which applies to a lot of us in 6 months.

> duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information

https://leginfo.legislature.ca.gov/faces/codes_displaySectio....


> You say spyware; I say software that guarantees there is a > password, that there is a reasonable lock-out time, that > encryption is enabled, etc.

I am undecided if in the end the additional software is a net positive. I am totally on your side that some basic security measures need to be enforced. And I know that this might be possible in terms of culture and processes like onboarding with a small number of employees.

And I know, that in a global corp this isn't feasible.

Non the less am I not sure that just throwing software at a basic problem of awareness really helps in the end. Esp. if the to be enforced standards like ISO 27001 are in some cases weakening the security.

I am enforced to use shorter passwords now. And I need to rotate them after a specific amount of time. I automatically have software installed (because next to security stuff we get some additional software) that does not exactly have a reputation of being secure.

So while there is light there is also quite some shadow.

If in the end this proves to be net positive. We will have to wait and see.

Any yes: I call it spyware. It has its own SSL certs, could potentially open my connections, monitors all and every connection my device makes, can (without me knowing) download any file on my device. And also can plant any file on my device without my knowledge.

As root it can add any additional functionality without my knowledge. And it does, as far as I have been told, scan any network I connect to for unmanaged devices and transmits (to quote) "a rich set of information for the located assets, including the hostname, MAC and IP addresses, device manufacturer, operating systems, open ports, applications, and historical information such as the first and last time the asset was seen on the network."

And it is not only being marketed as being compliant to GDPR, but actively helping and supporting companies to become compliant with this exact feature.


fwiw, I've done SOC-x stuff, and I talked our auditors out of requiring routine password changes. That said, we seriously invested in 2fa, with high-pri stuff protected via yubicos.

I also talked them out of requiring virus detection on our macs, but this took a lot of work to avoid trusting (most) laptops.


I can see this approach as something quite interesting. Suspect it would not work in our current environment. But we will have to see.

But also thanks a lot for the idea to do this and try that. Not sure if it works with being ISO 27001 certified - but at least one can try.


Anything in financial services and probably health requires you to secure company data.


A regulation is a specific text, not a general idea about the importance of security or the sensitivity of an industry.


This is common anywhere you work with ITAR-controlled data.




Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: