• 10 Posts
  • 108 Comments
Joined 1 year ago
cake
Cake day: June 6th, 2023

help-circle
rss

  • That was kinda my point. Securing a laptop that will have access to data you want to protect from loss is a near bottomless pit of issues. There comes a point you have to do a risk assessment and apply a level of security that meets your legal requirements and contractual obligations. I’m sure this is all doable on Linux as well but the low cost / easily available tools are mostly for Windows.

    I suspect that taking the “secured remote session” approach is probably good enough for their needs. It just needs a client app you can trust to respect the security rules they want to enforce (no screen shots, no screen recording, no data transfers for any sort, etc).

    OCRing what is on screen is not really stoppable unless you force them to keep their camera on so you can monitor them 24/7. But if you try hard enough there is usually a way around most security measures.

    Either way, they need to decide what the risk impact vs likelihood profile is, and what the business can tolerate. They’ll need to discuss it with legal and data protection folks to assess that.

    One tip is to embed records and values that look meaningful, but are unique, into the copy of the data given to the specific employee. This can be used to potentially prove that a data breach was a result of something that employee did. We like to put QUID’s as invisible watermarks in document headers. These trigger our DLP systems which is always funny cos its usually an employee who is leaving and wants to keep something. I love those conversions.



  • This is the only reliable solution. To expand:

    1. Provide a Laptop with Windows on it, because that is easier to lockdown.
    2. apply desirable OS lock downs like blocking usb ports prevent storage devices, don’t give the user admin rights, etc.
    3. Setup a VPN server (openvpn should do) and configure the laptop with a VPN client. Configure the client so it blocks network connections that don’t go via the VPN. If you want to give them internet access you’ll need a proxy and firewall and DLP solution. At this point it all gets very complex and expensive.

    The real answer is you are probably screwed without investing a bunch of time, effort, and cost.

    You might get away with more basic security measures if the user has very limited IT knowledge.

    I suggest getting legal advice before you give the user access to your data in the manner you intend.









  • I liked Jellyfin when I tested it last year but it had 3 show stoppers for me.

    1. Samsung app was flakey and had to be side loaded.
    2. Each profile had to use a password and had a full keyboard to enter. Needs a no password option, and a pin pad option.
    3. Not everything played successfully.

    Have any of these things been fixed?










  • mubtoLinux@lemmy.mlA word about systemd
    link
    fedilink
    22 months ago

    Me too. I enjoy the @myservername thing as it lets me have one file to maintain lots of servers (Minecraft in my case). I’m sure someone will say other init systems can do the same, but I learnt this one and I like it.


  • mubtoLinux@lemmy.mlLinux middle ground?
    link
    fedilink
    62 months ago

    My server has been on Endeavour OS (arch with a gui installer) for at least 18 months. I run updates roughly every 10 days (basically whenever I remember). Never had a problem with it. I dare say it could go horribly wrong at some point so I keep the LTS kernel installed as well just as a fall back.

    My main pc is also running Endeavour OS (dual boot with windows 11). Other than having to keep Bluetooth downgraded to support the ps5 dual sense controller, it runs great.

    My only gripe is that updates often contain something that forces the kernel rebuild process and so it needs a reboot afterwards.

    Every other Linux I’ve run has had some sort of “rebuild to fix” type issue at some point, or had been hard to find good support information for. Endeavour OS has been the most reliable and the easiest to fix and find support for.