Ten years ago... Gmail didn't exist yet. "Google Mail is the preferred email system at Stony Brook University for faculty, staff, and students on West Campus, Southampton, Manhattan, and select departments within the Health Sciences Center. Members of Stony Brook Medicine, including Stony Brook Hospital and the School of Dental Medicine will continue to use Microsoft Exchange for email due to HIPAA compliance requirements." Feels like students have no choice in the matter. The departments that need compliance use Exchange, everyone else uses Gmail.
【q*c wrote】
: Turns out the IT people are all using Gmail...
: XX XX
: Status Faculty
: E-mail Address X***[email protected]
: MailBox Google Mail
: ...
: Ten years ago this would have been unimaginable.
: Today's students are tomorrow's decision-makers.
【z*n wrote】
: Ten years ago... Gmail didn't exist yet.
: "Google Mail is the preferred email system at Stony Brook University for
: faculty, staff, and students on West Campus, Southampton, Manhattan, and
: select departments within the Health Sciences Center. Members of Stony Brook
: Medicine, including Stony Brook Hospital and the School of Dental Medicine
: will continue to use Microsoft Exchange for email due to HIPAA compliance
: requirements."
: Feels like students have no choice in the matter.
: The departments that need compliance use Exchange, everyone else uses Gmail.
What a specimen. Go look at what you wrote yourself. The audit result file for a specific product and the compliance requirements are two different things. The government hands you a compliance requirement, the software implements it, and only then does it get audited. You don't even have basic common sense and you still dare to come here and embarrass yourself. Outlook's assorted idiotic features, and you dare call them compliance requirements. If it isn't in the requirements, what audit are you even talking about? Have some shame and stop yapping; the other day you got slapped down and slunk off, and only two days later you dare come back to relitigate it.

Sender: goodbug (好虫), Board: PDA
Title: Re: Report says Microsoft's marketing failed, Gmail users unwilling to switch to Outlook
Posted: BBS 未名空间站 (Mon Feb 18 21:20:40 2013, US Eastern)

You exposed your ignorance; everyone come look at this specimen. You didn't even know this and still came out posturing.
Minimum Security Requirements for Federal Information and Information Systems
http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-m
n*2, #22
Let me play devil's advocate here.

You are still confusing compliance REQUIREMENTS with the SOLUTIONS (provided by MS Outlook and other products here). There are many ways to meet compliance requirements, including user education, procedural methods, and technical means. A compliance requirement often does NOT specify a concrete mechanism. For example, HIPAA requires data confidentiality but does not explicitly specify encryption. Of course, encryption is a sound technical means for data confidentiality.

The problem with your solution in Exchange is that it is sold as a technical means but it is _not_ technically sound. It is vulnerable to class attacks. We have seen many such examples before, including DRM. More than ten years ago, many companies (including MS) built many DRM products. Where are they now?

One worse possibility is that your product is actually a safety product, but I bet that it will be sold as a security product and will cause a false sense of security. In the security field, a false sense of security is worse than no security at all.
【n*********2 wrote】
: Let me play devil's advocate here.
: You are still confusing compliance REQUIREMENTS with the SOLUTIONS (provided
: by MS Outlook and other products here). There are many ways to meet the
: compliance requirements, including user education, procedural methods, and
: technical means. A compliance requirement often does NOT specify a concrete
: mechanism. For example, HIPAA requires data confidentiality but does not
: explicitly specify encryption. Of course, encryption is a sound technical
: means for data confidentiality.
: The problem with your solution in Exchange is that it is sold as a technical
: means but it is _not_ technically sound. It is vulnerable to class attacks.
Wow, are we discussing the technical merits of a solution or simply comparing our qualifications? (Personally, I have nothing against LeftEye [or MS], and a few years back I actually read one of his Chinese novels. At least, in this discussion thread, he behaved much more reasonably than you.)

What we are saying is that the no-copy and no-forward mechanisms in MS Exchange do not make technical sense. You can argue for their business merits, but if you are proud of doing this kind of work ...
【z*n wrote】
: I think some basic education is still necessary here.
q*c, #39
How does LeftEye's standing compare with SS's? And how did SS get fired? I'm asking how someone of such high standing could possibly do something stupid. lol
b*7, #40
SS got fired? Where did that come from?
b*7, #44
You know, there's really nothing free in this world. You didn't get FREE Gmail; what you pay with is your privacy.
Heh, before the discussion of Outlook's no-copy/no-forward features I really had no idea what your level was. But old Left specifically brought those features up as evidence that Outlook is better than Gmail. All I can say is that these Microsoft features meant to fool people didn't fool outsiders, but first dazed their own people.

A false sense of security is worse than no security at all. If you don't even understand this principle, what's the use of a high position and reading so many internal confidential documents?
Heh, keep showing off your book learning; in practice all that matters is whether a feature works or not. Do you think a feature with the following defects can ship?
http://www.mitbbs.com/article/PDA/32089947_3.html

However, IRM can't prevent information from being copied using the following methods:
• Third-party screen capture programs
• Use of imaging devices such as cameras to photograph IRM-protected content displayed on the screen
• Users remembering or manually transcribing the information
h*k, #50
This feature isn't even a lock; it's a paper seal stuck on the door that falls off with one tug.
【L*****e wrote】
: What are you saying, that since a lock can still be picked after it's installed, there's no point installing one? That the invention of the lock was nonsense?
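As an added example that is not part of the thread and not Exchange or IRM code, here is a toy model in Python of the "seal on the door" point above: a message whose body is encrypted and whose usage rights (no forward, no copy) are integrity-bound to it. A well-behaved client refuses to forward; any other code holding the same recipient key forwards anyway, because the recipient must hold the key to read at all. The class and function names (RightsManagedMessage, CompliantViewer, rogue_forward, demo) are hypothetical, the sample message text is constructed, and the HMAC-SHA256 counter-mode keystream is a stand-in cipher used only to keep the example dependency-free.

```python
# Added example (not from the thread, not Exchange/IRM code): a toy model of a
# "Do Not Forward" rights-managed message. All names here are hypothetical, the
# sample text is constructed, and the HMAC-SHA256 counter-mode keystream is a
# stand-in cipher chosen only to avoid dependencies; it is not IRM's format.
import hashlib
import hmac
import json
import secrets


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream: HMAC-SHA256 over a block counter (toy cipher)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class RightsManagedMessage:
    """Encrypted body plus a usage-rights policy, both bound by one MAC."""

    def __init__(self, plaintext: str, rights: dict, key: bytes):
        body = plaintext.encode()
        self.ciphertext = xor_bytes(body, keystream(key, len(body)))
        self.rights = dict(rights)          # e.g. {"forward": False, "copy": False}
        self.mac = self._mac(key, self.ciphertext, self.rights)

    @staticmethod
    def _mac(key: bytes, ciphertext: bytes, rights: dict) -> bytes:
        policy = json.dumps(rights, sort_keys=True).encode()
        return hmac.new(key, ciphertext + policy, hashlib.sha256).digest()

    def decrypt(self, key: bytes) -> str:
        """Anyone holding the recipient's key gets the plaintext. A modified
        policy is detected, but a genuine recipient never needs to modify it."""
        if not hmac.compare_digest(self.mac, self._mac(key, self.ciphertext, self.rights)):
            raise ValueError("message or rights policy tampered with")
        return xor_bytes(self.ciphertext, keystream(key, len(self.ciphertext))).decode()


class CompliantViewer:
    """A well-behaved client: it consults the rights before acting."""

    def __init__(self, key: bytes):
        self.key = key

    def read(self, msg: RightsManagedMessage) -> str:
        return msg.decrypt(self.key)

    def forward(self, msg: RightsManagedMessage, to: str) -> tuple:
        if not msg.rights.get("forward", True):
            raise PermissionError("policy forbids forwarding")
        return (to, self.read(msg))


def rogue_forward(msg: RightsManagedMessage, key: bytes, to: str) -> tuple:
    """Same key, different code: the policy is never consulted. A screenshot,
    a camera or retyping from memory ends in exactly the same place."""
    return (to, msg.decrypt(key))


def demo() -> dict:
    """Run the scenarios and return what each one yielded."""
    key = secrets.token_bytes(32)            # the recipient's use-licence key
    msg = RightsManagedMessage(
        "constructed sample: lab result for patient 0042",   # constructed data
        {"forward": False, "copy": False},
        key,
    )
    viewer = CompliantViewer(key)
    result = {"read": viewer.read(msg)}
    try:
        viewer.forward(msg, "outsider@example.com")
        result["compliant_forward"] = "allowed"
    except PermissionError:
        result["compliant_forward"] = "blocked"
    result["rogue_forward"] = rogue_forward(msg, key, "outsider@example.com")[1]

    # Flipping the flag in transit is caught by the MAC: the integrity check
    # works, it just guards against the wrong adversary (not the recipient).
    tampered = RightsManagedMessage.__new__(RightsManagedMessage)
    tampered.ciphertext, tampered.mac = msg.ciphertext, msg.mac
    tampered.rights = {"forward": True, "copy": True}
    try:
        tampered.decrypt(key)
        result["tamper"] = "undetected"
    except ValueError:
        result["tamper"] = "detected"
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is the separation of roles: the MAC stops a man-in-the-middle from rewriting the policy, and the cipher stops a non-recipient from reading the body, but the "no forward" flag is enforced only by whichever viewer the recipient chooses to run. That is the distinction the thread draws between a lock (keeps out people without the key) and a seal (asks the key holder to behave).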
It's good you realize the discrepancy between solution and requirement/guideline. There is no such concern as a "false sense of security" if we take security professionally.

Everything is measurable and has to be measurable to account against compliance. There are professional teams inside those companies to evaluate different techniques and solutions where compliance is mandatory.

For example, is a password secure? No. But it can still be part of a package that passes HIPAA when people are only allowed to enter the password under a monitor with a fingerprint reader. Any technique has limitations and we clearly have ways to measure them. Compliance is a bar you can evaluate against, to see whether all your measurable techniques and solutions reach it or not.

Bottom line, Exchange Server offers abundant security options and has passed many top-line compliance requirements.
I agree with you that it would look better if Outlook could prevent this. I think that requires admin privilege, and this complicates the deployment of the software in many environments. So it leaves the job to other monitoring solutions. If someone really cares about that, he can install monitoring software on all workforce machines. That software can log every keystroke, block webmail and USB, and trigger alerts to the IT department. Plus, you can hire security to make sure no camera is carried into the workspace. Without cost constraints, you can build another Pentagon. Ultimately, you rely on law enforcement.
【L*****e wrote】
: Stop beating around the bush:
: Do IRM requirements belong to compliance requirements or not?
: What's the answer? Just answer Yes or No, and be straight about it.
h*k, #63
Can you explain specifically: "There is no such concern as a 'false sense of security' if we take security professionally."

From what I've seen, many people (including lefteye before he read these discussions) sincerely believed that Outlook's no copy/no forward works; I consider that a false sense of security. I think Microsoft has an obligation to tell ordinary users very explicitly (for example, by putting a disclaimer in front of every IRM-processed email) that these features have defects and in many cases are not guaranteed to achieve the effect users expect.
n*2, #64
Do not be too judgmental. From what you (and your colleagues) have written in this thread, you could easily be dismissed as an amateur in security and thus not qualified to work in security-related compliance: the security mindset required is just missing, and you are selling snake oil. But this kind of labeling is not helpful in the discussion. There is no god in this technical discussion, and anybody may be challenged.

LeftEye's analogy to physical locks is deeply flawed and misses a fundamental point here. In our physical world, we have all kinds of locks, large and small. As a result, we get an intuitive impression of what is less secure, and we would not keep our jewels at home (it is better to store them in a safe deposit box in a bank). This kind of intuition is missing in the digital world, and the no-forwarding, no-printing feature in Exchange will definitely lead to a false sense of security.
If doing nothing is not an option, and if doing no-forward and no-copy is essential for getting your product certified and distinguished from Gmail, a couple of reasonable tradeoffs could be made. You guys are smart and will certainly figure that out.