He was really pissed that our company does not give out admin access to developers. He raised this problem in a big company-wide meeting, called our IT team ridiculous, and said developers know how to handle computers.
A week later the IT team did a company-wide phishing test. The same new junior failed this test.
Yes, even if rules are ridiculous. These rules help.
I’d be annoyed too (I often work on Windows and services); fortunately it is possible to grant people local admin access scoped to their own machines and treat their OS install as fungible cattle (e.g. Boot-from-VHD derived from a common image with preinstalled software, so if anything goes wrong they can be back-to-normal in under 60 seconds; and give people (non-admin) access to VDI for reliable access to Office/Email/SharePoint, especially if devs use Linux as a daily-driver but the rest of your org runs Windows).
At the very least, people can just install a VM with admin rights in there - and what’s the difference between that and a physical machine?
He wanted 100% admin account all the time.
If you complain in a 100 ppl meeting that it is annoying to install Spotify and you fail the most obvious phishing test, then I would not give him that local admin access.
Because those second ones where an email tricks you into clicking a link are bad because they do two things. Firstly, they propagate the idea that you can click a link and the world ends, which rarely happens these days. Your corporate IT dept should have some network level controls on malware attachments and embedded scripts in HTML emails. And secondly, it breeds distrust from anyone with critical thinking in the motivations of the IT department.
He demanded a Spotify install at a 100 ppl meeting...
These are very different scenarios.
He demanded a Spotify install at a 100 ppl meeting...
Just use the web app and shut up next time :)
I see some comments saying you can perfectly allow local installs of Spotify with the same security.
What's your example that defends the original ridiculous policy vs this better one with less inconvenience to the users?
Fine for HR or whatever.
My stepfather went to a grey power meeting (a kind of seniors meetup) and the speaker of the day terrified everyone there with talk of viruses.
When I next saw him he proudly told me he no longer had any fear of viruses - in fact he had installed 7 different anti-virus products just to be safe. When I asked him where he had found them, he told me he simply googled for them (or maybe yahoo-ed back then) and downloaded them straight off the interweb. I simply could not persuade him that that was not a wise strategy.
Funny how with Germany's extensive paperwork bureaucracy where every little detail must be recorded and tracked, the healthcare workers couldn't catch this guy earlier.
It's precisely because of this extensive paper-based bureaucracy that such things happen, not despite it.
German bureaucracy is a complete and utter mess. By and large, it's a self-perpetuating end in itself that doesn't serve any purpose other than keeping itself (and the people and organisations involved in it) alive.
What is more, due to the German aversion towards digitization and digital processes (with a misconceived notion of privacy commonly known as "data protection" in Germany often used as an excuse), the data recorded by those bureaucratic processes basically is stored in a gargantuan pile of paper nobody is able to make sense of.
and from the experiences I had, the people that ran them, and their sheer abundance, this number is probably a very conservative number, and it doesn't include yet all the ones that operated on the brink of scamminess. There wasn't a need to completely and obviously fake the numbers to funnel a lot of public money into your pockets, often without providing any tangible benefit (no qualified personnel, unreliable tests, inadequate execution).
Way into 2021 many streets in the city I live in had one improvised testing center next to the other, mostly run by people without any medical qualification, using tutorials from the internet and a process almost designed for corruption, where setting up a test center was a state-funded get-rich-quick scheme for quite a while.
[1] https://www1.wdr.de/nachrichten/landespolitik/betrug-corona-...
That was by design, to facilitate and speed up the vaccination process, and in the context, there was nothing wrong with that approach to keep the population safe and the country running.
The AV scammers must have paid the SOC2 racket a lot of cash.
Our password policy still demands periodic changes despite NCSC/Microsoft/etc. advice saying not to do that, because who wants to take the risk of changing policy.
I think the causes are deeper. At the end of the thread you will probably find some horribly outdated "best practices" and some big consulting firm that is paid $$$ to security-audit your company. The IT department are just the poor buggers that need to do whatever is needed to get that audit, although they may well know that much of it is theater.
Edit: Source: have been through a few SOC 2 audits, enough to understand why they ask for most of the things in there. My personal thoughts on the matter aside, modern audits spend a lot more time on other malware than viruses.
Oh okay! Would you mind running a really cool program I have here for you?
And if I have to run your bespoke program, I will use a sandbox or VM whether an antivirus is running or not.
Don't we have CPUs with a whole set of hardware features to limit what <insert executable here> can or can't do? Don't we have OSes with fine grained permissions, VMs, capabilities, etc, etc? Weren't these things figured out like, in the late '70s?
Then what do I need a computer for? /s
But seriously, when I had my work laptop and therefore didn't have adblock enabled, I was very surprised at what kind of sites had very... let's say questionable ads. There are a lot of tech sites like Baeldung that have very shady looking ads.
I wrote to them, and got no response. Why is that needed for an on-demand scanner? Why should I trust Malwarebytes?
My point was to advise readers that there is an Uninstall option; just dragging the app to the trash is not enough.
If OP has comments about specific droppings being left around, maybe in /private/var or wherever, would like to learn about it.
For those unfamiliar with the recesses of macOS, there's a venerable tool called Etrecheck that is helpful for sussing out Mac config affecting security and performance.
https://www.reddit.com/r/antivirus/comments/1c690so/learned_...
Chrome vulnerabilities at this point are far too valuable to use indiscriminately. They'll be sold on the grey market to be used against journalists in the middle east or whatever.
Even downloading films from BitTorrent and playing them in VLC seems to be safe too, even though I would have thought that was an obvious attack vector. Maybe the social aspect of BitTorrent helps a bit there.
I think the most likely ways to get infected these days are by falling for fake download sites, and maybe cracked games, though I don't play those so I'm not sure.
https://consumer.ftc.gov/consumer-alerts/2024/02/software-pr...
I appreciate a website devoted to documenting the privacy nightmare and helping people with settings, but this is just bad advice. I work in the incident response field; yes, you need A/V.
I consider uBlock Origin to be my primary "antivirus" software, though having had some infections back in the DOS days and some scares later, it feels wrong running without anything else.
[1]: https://ia804703.us.archive.org/14/items/CIAVAULT7PDFFILES/2... (slides)
For example, my father wanted to watch some YouTube videos offline. He naively Googled "YouTube video download." The result was obvious: most of the links were scams. When you work on dev every day, your first option will be to search for open-source or a well-trusted source and distrust a scammy-looking website that promises you many things.
After that experience, I started to see the value of Apple's App Store. Sadly, the chain of trust provided by the App Store is ruled by one company.
I wonder why the industry couldn't agree on a single standard or method to do different chain of trust checks. For example, if all email clients adopt a sender identity check (like GPG), then spam and phishing will be extremely easy to eliminate.
Suppose applications have a sort of group approval. In that case, the OS can warn you before trying to install or run a scammy app. (something like Apple's notarization + user vote, but without the control of a single entity). Is that a bad idea? What will be the flaws?
So the same experts the author relies on to defend the Defender have a much higher opinion of the alternatives
(and Defender is very slow, why do you not care about the "average user" using average hardware enough to suggest he avoids the pains of slow computers)
And recommendations in the end without real time protection is just ridiculous, so with all that I'd not rely on the author's opinion re anything security
[0] https://learn.microsoft.com/en-us/microsoft-365/security/def...
https://support.apple.com/guide/security/protecting-against-...
For home use, sure, just use defender and be careful, like the article says and you'll mostly be fine.