Bruce Satow wrote:
> No one is criticizing the role of SNS or lack of professionalism.
> There is no worry or stress, just questioning the rational behind the
> lack of disclosure.
>
> It is important for SNS to make sure that the endpoint user knows
> exactly what the installed software does - both risks and benefits.
> If this information is not supplied, then it does seem like SNS is
> trying to act as 'big brother'.
>
> There are many people on campus who may be interested in having their
> installation of Symantec software centrally managed, but it should be
> an option for the endpoint user NOT to have it managed.
>
> I believe that the systems that were compromised in May 2006 were
> installed with the "managed" option of Symantec AntiVirus and NOT
> those installed with the "unmanaged" standalone option. Please
> correct me if I am wrong.
>
> The "custom" version is a managed version. Symantec states that the
> new versions of the software have been corrected, but as an option,
> it should still be up to the endpoint user to choose which version to
> install.
>
>
Bruce,
Well, rationale implies that we were clever enough to come up with
reasons for concealing our true intent. You give us too much credit; we
just ended up not supplying all of the information that we intended to
on the download page.
I agree that if we don't provide reasons for our actions that our intent
can not possibly be clear. We have an oversight committee, the CISPC,
composed of members from various campus departments. You can find the
charter, governance, and current membership list here:
https://security.berkeley.edu/cispc/. That website also has notes from
past meetings. Until recently, Greg Paschall was the member that
represented SSL. The CISPC provides oversight for campus information
security, which includes acting as a steering committee for SNS. We
make every effort to discuss all systems that we implement and the use
of any information the we collect with the CISPC so that the campus
community has a chance to comment and provide us with guidance.
You are correct that the last big vulnerability with the Symantec
software was with the managed version. If I recall correctly, we
advised folks to upgrade well before there was an exploit.
I strongly encourage departments to use the UCB Custom installer for
Symantec software. You are correct to point out that the Symantec
security software can have bugs. This is one of the reasons for defense
in depth. On the whole, I think that folks are better off with software
that helps us notify security administrators when the Symantec software
on machines under their management are not being updated.
If I correctly understand Allison's earlier email, there is a somewhat
reasonable way to extract and install the unmanaged version of
Symantec's software. I agree that it is more work to do this, and that
it would be more convenient to install the unmanaged standalone version
if it were available as a pre-configured option. From my somewhat
biased point of view, the campus gets a better security service from the
managed version and I would like to keep that as the easier to use option.
Michael
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:
To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:
Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet. This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
Received on Thu Dec 13 2007 - 15:19:58 PST
This archive was generated by hypermail 2.2.0 : Thu Dec 13 2007 - 15:19:58 PST