Zigurd 3 hours ago

Personal computers were used in office environments long before the technologies to make them administer-able as if they were a mainframe. Before blindly jumping in and reproducing those technologies, better to ask why they emerged in the first place.

Most workplaces don't have strict bans on personal mobile devices, and some of the ones that do, don't have the kind of physical perimeter defense that can detect people getting lazy about whether or not they carry their personal mobile devices into the workplace. That makes perimeter defense into security theater anyway. We need a rethink about what we are guarding against and how we're doing it.

ethbr1 2 hours ago

> Most workplaces don't have strict bans on personal mobile devices

If you're talking about select work apps on your mobile device, sure, but that's limited attack surface.

If you're talking about employers who let unmanaged mobile devices hop on their internal network... I've never seen that. Maybe at a hypothetically perfect zero-trust shop?

Zigurd 2 hours ago

I've seen a lot of unseriousness about security. One that's easy to spot is old unpatched IP phones that aren't segregated on the network. I've given demos at companies that are serious, where a device I accidentally left behind caused an urgent search of every room I had been in. Security didn't have to be told which rooms those were.

ethbr1 2 hours ago

You likely know better than I, but I've always had a weird intuition that enterprise IT security is bifurcated into "Leaders who understand compliance+details" and "Leaders who confuse compliance for details" with very different results.

And I get it's extra work, but I've seen some weird "But if you'd just built this a bit differently, you would have gotten all these free security bonuses to your posture" gaps.

Imho, a huge part of the problem is invisibility. I'm firmly of the belief the US government should be running scans on entities in regulated industries (defense, healthcare, utility, telecom) with regulated redress of any findings.

Trusting private industry isn't working.