
The dismal state of proprietary corporate security

From:  Alex Fernandez <alejandrofer-AT-gmail.com>
To:  letters-AT-lwn.net
Subject:  The dismal state of proprietary corporate security
Date:  Tue, 30 Aug 2005 21:12:00 +0200

Dear editor,
 
As free software speeds along, more and more happy users live in a
world without proprietary offerings. Sheltered from serious security
problems, using libre-and-gratis software which also happens to be
more reliable, and in charge of their own machines; they tend to
misunderstand what is happening on the other side of the fence. This
letter is an attempt to let them peek within, but without feeling the
actual pain.
 
First, a disclaimer. I live in Spain, not the world center of
information technologies but probably closer to the third world of
computing. I have however worked for large multinationals, and on
occasion with some European partners and research facilities. My
impressions are based on first-hand experience, and may therefore be
biased by my own career. Your mileage may (and hopefully will) vary.
 
Now, what is happening on proprietary corporate networks? 'Despair'
would be an understatement: given that the dominant operating system
family is so inherently insecure, corporate IT departments have mostly
quit trying to provide such extravagant facilities as private e-mail.
In the trade-off between privacy and security, privacy has all but
lost -- taking security down with it, of course.
 
I have experienced workplaces where private accounts do not exist;
instead, people log on to whatever computer they are assigned to,
using the machine id or e-mail handle as username and trivial
passwords. It is against policy to change these passwords. User
documents do not of course travel with the user, but have to be
carried painfully since folder sharing is not allowed and USB ports
are disabled. Administrative rights for the computer are never granted
by the IT department (the old "systems and networks"); their staff has
acknowledged that it is too labor-intensive to administer the network
in any sensible way, so they just replace hardware and format hard
drives. By the way, IT staff act like a natural barrier for any
sensible request like installing software required for work. It is not
easy to work this way, having no control of your own computer; luckily
hacks are available that grant full administrative rights to any
machine, at which point you are on your own.
 
Mind you, this is in companies specialized in software development.
Where any source code control exists at all, seldom is it anything
beyond CVS. Usernames are again trivial as are passwords, so the
repository is usually wide open to anyone who happens to be on the
right side of the firewall. The only solution ever considered is to
switch to proprietary source code control systems. E-mail is similarly
unprotected; that is when you don't find random mail folders available
on network disks. By the way, certificates used for remote access to
the intranet are usually not accepted by common browsers and/or
expired, and therefore brittle.
 
As a last straw, network topologies are difficult to understand, with
egress filtering (a pet peeve of mine) the only reliable constant.
Those responsible for "peripheral defenses" have not yet understood
that limiting the destination port of outgoing connections usually
serves no good purpose; it is a giant leap they will never be ready to
make.
 
So, the corporate response to the invasion of malware and security
holes has been to give up. No security for anyone means that security
cannot be breached; any problem will be handled as a matter of policy.
Next time you see Microsoft's (or for that matter anyone else's)
claims to a secure operating system, try to view them as
tranquilizers, to be shot intravenously for IT managers who get the
fits every time they see a new intrusion; when they wake up, they will
start looking for a new software product to protect them or new
features to cut down on.
 
Thanks for your attention,
 
Alex Fernández.


Copyright © 2005, Eklektix, Inc.