
Discussion on: Setting up a company's IT

Janne "Lietu" Enberg Author

A password you can't remember is not a good password.

Most systems really shouldn't require a password from you. Passwords are an anti-pattern. No human being can generate unique strong passwords at the rate that is required for the modern world.

What you can do to help is use a way to help you deal with the hurdle in a secure manner, which also makes life more convenient for you.

You should have a strong master password for a password manager, and then use its tools to generate new unique strong passwords, and they can autofill your passwords later, making them even more convenient than plain passwords can ever be, while clearly increasing your security.

Any other strategy depends on your limited capability to remember and generate passwords, which typically ends up with either just reusing passwords, or using something like mypassword-dev.to, both of which depend too strongly on every developer on the planet knowing (and caring) how to sensibly store passwords in their systems. Quite a lot of them still don't.

If even ONE site with your "clever" mypassword-dev.to variant (or even worse, just your reused mypassword) gets compromised, then ALL your accounts are potentially compromised. It depends a bit on your luck in terms of how good the developer was (did they use plain text, or plain MD5, or properly configured PBKDF2), and a bit on your password complexity.

Now, even if it's just an MD5, if you use a good long random password, it won't get cracked even with rainbow tables - collisions will be easier to generate, but ultimately quite pointless as it's random and you don't reuse it anywhere.

Anti-virus software should be dropped, except on Macs. Honestly, those things open more holes than they could ever close.

Seems like a rather weak argument. Since computers have security problems, we should stop using computers. Since there have been security problems in browsers, we should stop using browsers. Eh, I don't buy it.

They might open up new attack vectors for e.g. advanced persistent threats, but most people don't get targeted like that. Most people simply bump into malware the normal way (bad links, worms, ...), and these tools do an excellent job at protecting against those.

You're of course free to choose to apply whatever security strategy you wish.

I fail to understand why third-party tools based on the security failure Electron -- like Slack, Discord and so on -- have made it into the list of "internal communication tools". What is wrong with Jabber/XMPP and/or the IRC?

Frankly, quite a lot. There is a reason those tools are getting out of fashion and being replaced typically with Slack in the tech world.

With these tools I can:

  1. Search the history
  2. Use formatting
  3. Do calls, incl. video calls, screen sharing, and teleconferencing
  4. Attach files
  5. Get tons of productivity and convenience increasing integrations

If you don't trust their Electron clients, don't use them. They have web-based clients as well.
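An added illustration of the password points above (example code written for this page, not the commenter's own): a password-manager style generator, the unsalted MD5 storage the thread warns about next to a properly salted and iterated PBKDF2 record with constant-time verification. The alphabet, record format and iteration count are assumptions.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Assumed generator alphabet: printable ASCII without space (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24) -> str:
    """Password-manager style generation: uniform draws from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Guessing work for a uniformly random password: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


def md5_store(password: str) -> str:
    """The weak scheme from the thread: unsalted MD5. The same password gives the
    same hash on every site, so one breached site exposes a reused password everywhere."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; assumed '$'-separated record format."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations, compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    reused = "mypassword"  # constructed sample of a reused password
    print("md5 on site A:   ", md5_store(reused))
    print("md5 on site B:   ", md5_store(reused))  # identical: precomputed tables apply
    print("pbkdf2 on site A:", pbkdf2_store(reused))
    print("pbkdf2 on site B:", pbkdf2_store(reused))  # fresh salt: records differ
    pw = generate_password()
    print(f"generated {pw!r}: ~{entropy_bits(len(pw)):.0f} bits of entropy")
```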

tux0r

Most people simply bump into malware the normal way (bad links, worms, ...), and these tools do an excellent job at protecting against those.

Most people should be taught to not click on everything that looks like a link. Problem solved. ;-)

I can't stop you from installing dangerous software for more "theoretical protection". I just wanted to remind you that a good security concept can't be replaced by software. Also remember that modern malware is usually out in the wild for days before those scanners detect it.

I warmly recommend intrusion prevention systems instead. Less resources, more detection. :-)

There is a reason those tools are getting out of fashion

Fashion is a weak argument in technology. Nobody should replace a working system because of fashion. However, all of your numbered advantages are possible with XMPP as well.

If you don't trust their Electron clients, don't use them. They have web-based clients as well.

I thought we were talking about security. If software is a risk because of JavaScript, using a web version of it makes no sense.

(On mobile, sorry for the shortness.)

Janne "Lietu" Enberg Author

However, all of your numbered advantages are possible with XMPP as well.

There are always options, but just try to get your marketing guys, business people, CEO, and external partners to use your XMPP over the convenient Slack/Microsoft Teams/Discord installation.

It might work for you, but it's unlikely to go well for most.

If software is a risk because of JavaScript, using a web version of it makes no sense.

So now you're against using the web. Good luck with that.

tux0r

try to get your marketing guys, business people, CEO, and external partners to use your XMPP

I did once. It was fine. Have you actually tried it?

you're against using the web.

I'm against pressing anything into the web. The web is (broken, but) fine for what it wants to be. But your web browser is a glorified document viewer, not a decent hardware emulator. Just because something is possible and beginners, usually learning JavaScript :-), are able to solve (already solved) "problems" with it, there is still a big chance that it is not the best solution.

All I can do is point out the flaws and the alternatives. If the audience still decides to stick with their adoption, nothing's wrong with it. But nobody will think about the options if they only know one anyway.