
> You say spyware; I say software that guarantees there is a password, that there is a reasonable lock-out time, that encryption is enabled, etc.

I am undecided if in the end the additional software is a net positive. I am totally on your side that some basic security measures need to be enforced. And I know that this might be possible in terms of culture and processes like onboarding with a small number of employees.

And I know that in a global corp this isn't feasible.

Nonetheless, I am not sure that just throwing software at a basic problem of awareness really helps in the end. Especially if the standards to be enforced, like ISO 27001, are in some cases weakening security.

I am forced to use shorter passwords now. And I need to rotate them after a specific amount of time. I automatically have software installed (because next to the security stuff we get some additional software) that does not exactly have a reputation of being secure.

So while there is light there is also quite some shadow.

Whether in the end this proves to be a net positive, we will have to wait and see.

And yes: I call it spyware. It has its own SSL certs, could potentially open my connections, monitors each and every connection my device makes, can (without me knowing) download any file from my device, and can also plant any file on my device without my knowledge.

As root it can add any additional functionality without my knowledge. And it does, as far as I have been told, scan any network I connect to for unmanaged devices and transmits (to quote) "a rich set of information for the located assets, including the hostname, MAC and IP addresses, device manufacturer, operating systems, open ports, applications, and historical information such as the first and last time the asset was seen on the network."

And it is not only being marketed as being compliant with GDPR, but as actively helping and supporting companies to become compliant with this exact feature.

fwiw, I've done SOC-x stuff, and I talked our auditors out of requiring routine password changes. That said, we seriously invested in 2fa, with high-pri stuff protected via yubicos.

I also talked them out of requiring virus detection on our macs, but this took a lot of work to avoid trusting (most) laptops.

I can see this approach as something quite interesting. Suspect it would not work in our current environment. But we will have to see.

But also, thanks a lot for the idea to do this and try that. Not sure if it works with being ISO 27001 certified - but at least one can try.
