it firm softserve hacked locked down plundered

[jsmorley]

True that. This wasn't a matter of computer security though, IMHO, but rather a matter of employee behavior. This is easier to alleviate or correct than strict matters of security, at least in theory. None of them can be fully "fixed" though, and that's a matter of life in the end.

One of the biggest challenges for a security administrator is how to "balance" the security needs of the company with giving appropriate "freedom" to the end-users, to ensure that they can effectively do their jobs and be creative, and not have them live in some version of North Korea. It's a balance that is really, really complicated to find.

"Trust" and "assume" are not words that are, nor should be, in the vocabulary of any security administrator.

[Yincognito]

Agreed. In addition to all that, they have changed the environment in such a way that a particular community like Rainmeter "skins" are no longer supported as something separate, but just mixed into the overall vast sewer of furry pornography and endless anime drawings by 12-year-olds on the site.

But isn't there the Rainmeter "group", where a skin can be added? Or is it a thing of the past and today you can't add your skin to that group anymore? I'm asking since it's been a while since I updated my things on DA, and I'm late with the "news" in that regard.

[jsmorley]

But isn't there the Rainmeter "group", where a skin can be added? Or is it a thing of the past and today you can't add your skin to that group anymore? I'm asking since it's been a while since I updated my things on DA, and I'm late with the "news" in that regard.

There is the Rainmeter "group", which helps some with visibility. As long as an author adds their "submission", which is just thrown in the general pool, to the Rainmeter "group", that can make it a bit easier to find.

What there used to be is a Rainmeter "category", which allowed skins to be separately listed and found on the general site, and probably as important, restricted submissions to the .rmskin file type. That restriction is no longer supported on the site.

[Yincognito]

One of the biggest challenges for a security administrator is how to "balance" the security needs of the company with giving appropriate "freedom" to the end-users, to ensure that they can effectively do their jobs and be creative, and not have them live in some version of North Korea. It's a balance that is really, really complicated to find.

"Trust" and "assume" are not words that are, nor should be, in the vocabulary of any security administrator.

Yep, indeed. I have some doubts regarding the level of complexity in finding a good solution. It's not that it is simple, but rather that it can be made to be eaiser to find when thinking outside the box of the old style "you should do this and that". Like 15% wage reduction if your computer isn't clean at the end of a day's work: you can have your freedom as long as the result isn't harmful. And don't rely on people to verify this, but on automated solutions.

[Yincognito]

There is the Rainmeter "group", which helps some with visibility. As long as an author adds their "submission", which is just thrown in the general pool, to the Rainmeter "group", that can make it a bit easier to find.

What there used to be is a Rainmeter "category", which allowed skins to be separately listed and found on the general site, and probably as important, restricted submissions to the .rmskin file type. That restriction is no longer supported on the site.

Ah, I see.

[jsmorley]

Yep, indeed. I have some doubts regarding the level of complexity in finding a good solution. It's not that it is simple, but rather that it can be made to be eaiser to find when thinking outside the box of the old style "you should do this and that". Like 15% wage reduction if your computer isn't clean at the end of a day's work: you can have your freedom as long as the result isn't harmful. And don't rely on people to verify this, but on automated solutions.

Trouble is, once your company's system has been hacked, and 5 million credit card numbers belonging to your customers are out on the dark web for sale to the highest bidder, closing that particular barn door after 5 million horses are out hardly seems effective when your company is front page news on CNBC.com, and Jim Cramer is screaming at the TV audience to sell the stock.

Your CEO is going to listen patiently while you explain that it happened even though you made all those employees promise not to download Rainmeter skins from sputnik.com, but trust me, while he is listening, he is texting security to clear out your office and disable your keycard.

[Yincognito]

Trouble is, once your company's system has been hacked, and 5 million credit card numbers belonging to your customers are out on the dark web for sale to the highest bidder, closing that particular barn door after 5 million horses are out hardly seems effective when your company is front page news on CNBC.com, and Jim Cramer is screaming at the TV audience to sell the stock.

Your CEO is going to listen patiently while you explain that it happened even though you made all those employees promise not to download Rainmeter skins from sputnik.com, but trust me, while he is listening, he is texting security to clear out your office and disable your keycard.

Haha, yes, I know - but I just said that the way I'd do it is not looking for empty promises, but prevention measures through automated systems and a hefty financial penalty for non-compliance. Anyway, I still believe doing things like people use to do is going to bring back the issue again, this time for another program instead of Rainmeter. This isn't about Rainmeter being "unsafe" in a business environment, this is about almost every software out there being like that - it just happened that it was Rainmeter this time, but it could have been any other. Sure, your advice is probably correct and should be followed, but it doesn't guarantee that it won't happen again with another program - even one that was considered "safe" by the "experts", if you know what I mean.

[brax64]

IMHO this discussion is a classic example of a "never ending" one...
At the foundation sit a very simple but very evil/good concept (it depend how you see it); in technology (and in science in general) always apply the principle "there's a countermeasure for each measure" (or viceversa..), it's embedded in human nature the willingness to find the smarter answer to the smartest question.
In IT security this "cat and mouse" game is even more amplified because money, at the end, (and lots of it!) are involved, as rightly jsmorley pointed out.
So, at least for now, considering this factors, that's why, in my opinion, this is a "never ending" discussion
With this is not my intention to criticize any of yours arguments, all pertinent and on point, just my 2 cents...

[Yincognito]

IMHO this discussion is a classic example of a "never ending" one...
At the foundation sit a very simple but very evil/good concept (it depend how you see it); in technology (and in science in general) always apply the principle "there's a countermeasure for each measure" (or viceversa..), it's embedded in human nature the willingness to find the smarter answer to the smartest question.
In IT security this "cat and mouse" game is even more amplified because money, at the end, (and lots of it!) are involved, as rightly jsmorley pointed out.
So, at least for now, considering this factors, that's why, in my opinion, this is a "never ending" discussion
With this is not my intention to criticize any of yours arguments, all pertinent and on point, just my 2 cents...

I fully agree - any defence can be broken eventually. My point was that this did not happen because Rainmeter "isn't safe" in a business environment, but because of the company's employees behavior. This can happen for "safe" software as well - simple example: have a running antivirus but disabling it (or its relevant options). Even "dangerous" programs (like virus samples) can be made to not cause harm by using them appropriately.

Irresponsible behavior cannot be fixed by banning X or Y program from use in a specific environment, but by making the behavior to be responsible. I know it's often easier and more realistic to apply the former as human nature is rather difficult to control, but the effective solution is nevertheless the latter.

[jsmorley]

I fully agree - any defence can be broken eventually. My point was that this did not happen because Rainmeter "isn't safe" in a business environment, but because of the company's employees behavior. This can happen for "safe" software as well - simple example: have a running antivirus but disabling it (or its relevant options). Even "dangerous" programs (like virus samples) can be made to not cause harm by using them appropriately.

Irresponsible behavior cannot be fixed by banning X or Y program from use in a specific environment, but by making the behavior to be responsible. I know it's often easier and more realistic to apply the former as human nature is rather difficult to control, but the effective solution is nevertheless the latter.

Yes, but has often been said: "Everyone in the world is crazy except you and me Bob, and lately I've been wondering about you..."