[ale] running OPA (other people's apps) on my network

Greg Freemyer greg.freemyer at gmail.com
Fri Jun 26 14:05:00 EDT 2009


I've read most of the emails and I think the one issue not discussed
is "trusted sources".

i.e. you say "I try to run only apps that I compile myself or from
trusted sources."

Clearly in the modern enterprise it is nearly impossible to run
exclusively apps you compile yourself, so the definition of "trusted
sources" is key to the whole discussion.

Apparently you don't consider CDS a trusted source, but some of your
company execs do.

I would ask the company exec that trusts CDS to provide you a memo
stating your company has performed sufficient due-diligence research
of CDS that their software should be treated as coming from a trusted
source.

At that point your policy is preserved, and the exec has taken
ownership of doing the due-diligence work.

If they refuse, but still mandate you run the software, then create a
dedicated DMZ just for it.

Greg


On Thu, Jun 25, 2009 at 2:23 PM, Chris Kleeschulte <chris.kleeschulte at it.libertydistribution.com> wrote:
> I need opinions here.
>
> For a while now, I have been forced to run Custom Data Solution's
> DataStreamer Jar file on hardware under my care. For some reason the
> aforementioned company insists on me running this jar file to be
> able to submit data to them so we can get a discount from the vendor
> that is a customer of theirs.
>
> I have asked to just POST the data to them and they can run their own
> app against it on their machines, they refuse.
>
> I have asked to see the source code for the datastreamer java app,
> they refuse.
>
> I have told my company not to comply with their data plan, my company
> refuses.
>
> Custom Data Solution says that they have many customers who run their
> app on the customer's machines/network, nary a complaint.
>
> I have quarantined this app as much as possible, but this is extremely
> bad business for CDS to ask me to run their app on my network without
> providing me the source code. I try to run only apps that I compile
> myself or from trusted sources.
>
> What would you all do in this situation? I guess I am just wondering
> if you think that it is absurd for a client to ask a supplier to run
> their software? The unmitigated gall.
>
>
>
> Chris Kleeschulte
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
>



-- 
Greg Freemyer
Head of EDD Tape Extraction and Processing team
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
Preservation and Forensic processing of Exchange Repositories White Paper -
http://www.norcrossgroup.com/forms/whitepapers/Forensic%20Processing%20of%20Exchange%20WP%20final.pdf

The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
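Chris has quarantined the jar as far as he can and Greg's fallback is a dedicated DMZ. One thing you can do before either, with no source code and no cooperation from the vendor, is a static triage of the jar you were handed: pin its hash so a silently swapped build gets noticed, check whether it carries a signature block, and scan each class for the JDK class names that give it network, process, filesystem and dynamic-loading capabilities (class files store referenced names verbatim in their constant pool). The script below is an added example written for this page, not code from either poster or from Custom Data Solutions; the jar it scans is a constructed stand-in (com.example.Streamer, com.example.Updater, lib/helper.jar), not the real DataStreamer.

```python
"""Static triage of a third-party jar you are told to run but cannot get source for."""
import hashlib
import io
import zipfile

# Byte patterns looked for in each .class entry. JVM class files keep referenced
# class and method names as modified-UTF-8 constant-pool strings, so a class that
# opens a socket contains the literal bytes "java/net/Socket". This is a coarse
# scan, not a decompile: it tells you what the jar *can* do and where to look first.
CAPABILITY_MARKERS = {
    "network": (b"java/net/Socket", b"java/net/DatagramSocket",
                b"java/net/HttpURLConnection", b"javax/net/ssl/"),
    "process_exec": (b"java/lang/ProcessBuilder", b"java/lang/Runtime"),
    "native_code": (b"loadLibrary",),
    "dynamic_loading": (b"java/net/URLClassLoader", b"defineClass"),
    "filesystem_write": (b"java/io/FileOutputStream", b"java/nio/file/Files"),
}


def sha256_hex(data: bytes) -> str:
    """Pin this value; re-check it before every run so a swapped build is noticed."""
    return hashlib.sha256(data).hexdigest()


def triage_jar(jar_bytes: bytes) -> dict:
    """Return a triage report for a jar given as bytes (open(path, 'rb').read())."""
    report = {
        "sha256": sha256_hex(jar_bytes),
        "signed": False,
        "main_class": None,
        "class_count": 0,
        "nested_jars": [],
        "capabilities": {name: [] for name in CAPABILITY_MARKERS},
    }
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.infolist():
            name = entry.filename
            if name.startswith("META-INF/") and name.endswith((".SF", ".RSA", ".DSA", ".EC")):
                # A signature block exists; whether it verifies is jarsigner's job.
                report["signed"] = True
            elif name == "META-INF/MANIFEST.MF":
                for line in jar.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("Main-Class:"):
                        report["main_class"] = line.split(":", 1)[1].strip()
            elif name.endswith(".jar"):
                # Jars bundled inside the jar are code too; triage them recursively.
                report["nested_jars"].append(name)
            elif name.endswith(".class"):
                report["class_count"] += 1
                body = jar.read(name)
                class_name = name[: -len(".class")]
                for cap, markers in CAPABILITY_MARKERS.items():
                    if any(marker in body for marker in markers):
                        report["capabilities"][cap].append(class_name)
    return report


def build_sample_jar() -> bytes:
    """Constructed stand-in for the vendor jar (not the real DataStreamer).

    The .class entries are not valid bytecode: they only carry the constant-pool
    strings a real class would, which is all the scan looks at. Entry timestamps
    are fixed so the archive (and its hash) is reproducible."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        def add(name, data):
            jar.writestr(zipfile.ZipInfo(name, date_time=(2009, 6, 25, 0, 0, 0)), data)

        add("META-INF/MANIFEST.MF",
            "Manifest-Version: 1.0\r\nMain-Class: com.example.Streamer\r\n\r\n")
        add("com/example/Streamer.class",
            b"\xca\xfe\xba\xbe" + b"java/net/Socket\x00java/io/FileOutputStream\x00connect\x00")
        add("com/example/Updater.class",
            b"\xca\xfe\xba\xbe" + b"java/net/URLClassLoader\x00java/lang/ProcessBuilder\x00")
        add("lib/helper.jar", b"PK")  # placeholder for a bundled jar
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_jar(build_sample_jar())
    print("sha256:", result["sha256"])
    print("signed:", result["signed"], " main class:", result["main_class"])
    print("nested jars:", result["nested_jars"])
    for cap, classes in result["capabilities"].items():
        if classes:
            print(f"{cap}: {', '.join(classes)}")
```

Run it against the real file with `triage_jar(open("DataStreamer.jar", "rb").read())`. Treat matches as leads, not verdicts: `java/lang/Runtime` is referenced by harmless code too, and the scan cannot see names assembled at runtime or code inside nested jars, so triage those recursively, run `jarsigner -verify` if a signature block is present, and put a decompiler on the flagged classes. The capability list also tells you what the DMZ firewall actually has to permit: if only one class talks to the network, the host needs egress to that vendor endpoint and nothing else.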

