Don't make me hack your software

Dmitry Yakimenko on April 17, 2019

I got a new corporate VPN tool the other day. It's called Pulse Secure. It worked fine, thank you very much, no complaints there. But then I tried...

I've had similar experiences with poorly chosen or poorly managed 'security' software, and I too have spent a little effort working around those poor choices, partly because it's satisfying but mostly because it helped a team or three be productive when the specific product was invasive and interfered with their day jobs. However - and this is the important bit for me - I didn't stop there with two fingers pointed at the infosec team, because I'm on that team too (it's called the company I work with!). I took the productivity issues to my colleagues whose job is to protect the rest of us from ourselves and too much hasty clicking through warnings.. and challenged all of us to find a better way to meet our security requirements.

In one specific example: a duty of care regulation requires the company to make efforts to protect employees from accessing harmful material on the 'net during their use of company equipment. The infosec team chose (poorly) to deploy Websense, which is a client-side proxy-based filtering product that diverts some http requests through the Websense filters. Unfortunately it only partly protects the end user, depending on which software honours the proxy settings, but does destroy anyone's ability to use Fiddler or other proxy-based network debugging tools - cue large drop in productivity from dev/QA/ops teams. Once challenged to find a better way, and with input from other team members who have worked for other organisations that have already been round this loop, we looked again at the requirements, and decided that we could use network-based transparent filtering to cover the majority of users on corporate networks without any client-side software products, then apply VPN tunnelling and managed default routes for remote workers / road warriors so their 'net traffic is filtered by default. This means our users can disable the protection if they wish, but it has to be a deliberate, knowing action, thus they are taking ownership of the risk, and the company is not at fault should something then go wrong.


I wish my company would agree on this, but they will never.

We also have Websense and we all HATE it. It caused lots of serious trouble for all the developers in my company (lately they force-installed a Google Chrome extension for it, but I figured out how to delete it :D).


Yep, Websense is not popular. FWIW my workaround was ridiculously easy, as Websense relies on a hostname lookup to find its PAC file, so I resolve that in my hosts file to 127.0.0.1 and then provide my own PAC. It took me 10 mins to find and implement this; it would similarly allow a malware author to bypass its protection, giving me a strong argument for not using client-side security controls, and encouraging the infosec team to look at other options.
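The weakness the comment above describes, a proxy agent that trusts a hostname lookup to locate its PAC file, is something an endpoint or configuration audit can check for. The script below is an added example written for this thread, not code from the commenter, Websense or Pulse Secure: it scans hosts-file text for static entries that pin the PAC hostname (the hostname here is a constructed placeholder, since the real one is not given on the page), rating a loopback mapping as high severity, and it inspects a PAC body for the "everything goes DIRECT" shape that would mean the filter is never consulted. The sample hosts file is constructed inline.

```python
"""
Audit checks for the client-side proxy-filter bypass discussed in the thread:
  1. the PAC hostname has been pinned in the hosts file (loopback = the agent
     will load whatever PAC the local user serves);
  2. the PAC file itself routes every request DIRECT, so nothing is filtered.
Added example, not the vendor's code. Hostnames below are placeholders.
"""
import ipaddress
import re

# Hypothetical PAC hostname used by the proxy agent (assumption, not on the page).
PAC_HOSTNAMES = {"pac.example-filter.invalid"}

# Constructed sample hosts file: one legitimate loopback entry, one override.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1   localhost
::1         localhost
127.0.0.1   pac.example-filter.invalid   # user-added override of the PAC host
10.0.0.5    intranet.example-filter.invalid
"""


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text, skipping comments/blanks."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line, ignore
        ip, *names = parts
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def is_loopback(ip: str) -> bool:
    """True for 127.0.0.0/8 and ::1; False for anything unparsable."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def find_pac_overrides(hosts_text: str, pac_hostnames: set[str]) -> list[dict]:
    """
    Flag every static hosts entry for a PAC hostname. Any pin is suspicious
    (the agent is meant to resolve it via DNS); a loopback pin is the exact
    bypass described in the thread and is rated 'high'.
    """
    findings = []
    for ip, name in parse_hosts(hosts_text):
        if name in pac_hostnames:
            severity = "high" if is_loopback(ip) else "medium"
            findings.append({"ip": ip, "hostname": name, "severity": severity})
    return findings


_RETURN_RE = re.compile(r'return\s+"([^"]*)"')


def pac_bypasses_filter(pac_text: str) -> bool:
    """
    True when every return statement in the PAC yields DIRECT, i.e. the
    proxy filter is never used. A PAC with no string returns is treated
    as not-bypassing (it cannot be judged by this simple check).
    """
    returns = [r.strip().upper() for r in _RETURN_RE.findall(pac_text)]
    return bool(returns) and all(r == "DIRECT" for r in returns)


if __name__ == "__main__":
    for f in find_pac_overrides(SAMPLE_HOSTS, PAC_HOSTNAMES):
        print(f"[{f['severity']}] {f['hostname']} pinned to {f['ip']}")
```

Run as a script it reports the constructed override as `[high] pac.example-filter.invalid pinned to 127.0.0.1`. In a fleet this check belongs in whatever configuration-compliance tooling already reads endpoint state, and as the commenter notes, the real fix is to stop depending on a client-side control that the local user (or malware running as that user) can redirect.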


Thanks for your reply. I'm going to talk to the admins about this. TBH I don't expect a quick resolution here. Our company is quite large and these things take a while usually.


Thx a lot! I'm feeling less alone!
I will bring your story to my sysadmin.


I hope it works. From my experience, though, sysadmins are pretty stubborn people. Wish you luck. Or you could just patch the config file.


"Why would any remote admin tell me what to do on my local machine? Even if it's a company machine."

Because it's not your machine! It's not your ram, CPU, or disk. Kudos on figuring out how to disable it, but even that file was not yours to touch. Buy your own MacBook if you want full control.


I don't own the machine, that is true and there you're right. I use it though to do stuff for work and if it prevents me from doing it I have to do something about it. Plus there's no company policy that I have to have VPN on at all times, especially not when I'm offline. Then why do I have to have it running? It's either an oversight or admin power games that make no sense.


Andre, are you an admin? Just curious.

Dmitry sounds like a brilliant developer to me who wants to do his work on the computer that his company provided for him.

Technically, it is not his computer, but when you make him admin on that computer, you are giving him every right to do as he pleases to finish his work, and if that means uninstalling a BLOCKING/ANNOYING program, then he can do that too.

We have had MAJOR problems with security programs in my company, where our lead architect had to launch a very important service live but he COULDN'T, because the security program was eating up all his RAM and then moved on to eat his paging file!

They need to improve these security programs or just remove them!
