See here and here.

But the Cisco incident is relevant too.

Wow. Just wow.

Please don't tell me you're in any way shape or form responsible for IT security.

I hope you understand that graphical exploit kits do exist that target UNIX systems. This commenter pointed it out.

An attacker who knows what he is doing will attack both Windows and UNIX systems. One that doesn't will just use a tool that a skilled person wrote to "point and click" his way into a box regardless of what OS it is running.

I respect your point, but I think you overlook some very easy to imagine scenarios where the laptop can be compromised.

One case would be the employee has his laptop out, lets say in a meeting (but this could be anywhere, like the airport lounge, cafe, and etc.). Employee is distracted for a while (maybe a phone call, or maybe somebody is striking up a long-winded conversation) - somebody has physical access to the laptop for a minute or two. A backdoor is loaded on the laptop during the distraction. The usual Windows group policies to lock out the laptop after 5 minutes are meaningless.

Is it farfetched? Maybe you think it is. But a long time ago, people never thought the exploits we battle today would be a problem on the Internet.

Again, the question goes back to what this employee is really doing. Does he want his ass on the line if his Ubuntu laptop gets compromised and then later traced back to his laptop? It's really situational. Not all mobile users handle sensitive data or are really targets for attacks. Not all laptop users travel - many laptops are just issued for home and office use.

As an alternative, you can also compromise the boot loader and/or device driver that is used to actually enter the password to decrypt the system. Since the loader/driver itself is not encrypted, it is subject to being compromised.

Once the correct password is entered in later by the authorized user, the password can either be stored somewhere (maybe in the MBR) or if you're clever enough, you can actually use the compromised driver to run unauthorized code once the system is connected back to the internet.

Then there is the cold boot attack.

Encryption helps, but does not seal up all possible avenues of attack.

1. The laptops carry sensitive data. Treating them as hostile is a good start, but it in no way validates leaving the user to install his own malware/crapware, etc.

Strawman. Nobody said the employee should be deliberately installing malware. What kind of idiot would think that is a good idea?

The point is situational - if the employee can be responsible enough to secure the laptop and get away with it (i.e. they don't have a little Hitler in the IT department with a keylogger running or something), then by all means I don't personally have a problem with it.

If the employee is actually handling sensitive data (i.e. something where law enforcement, lawyers, SEC, or shareholders might get involved if there is a breach or loss), then it is probably in his best interests to let the IT department take the heat if the laptop is hacked, stolen and then subsequently recovered, or found manipulated by a virus later.

IT departments are pretty good about patching Windows/MS Office etc

I love how you speak for all IT departments.

Just who's post is the 'tarded one now? (If you can bait the flames, then you can take the flames too!)

But they haven't lost physical control of the machine, they've given it to an employee with clear guidelines on how to maintain security.

Look, you don't get it. A desktop PC never leaves the office. You always know where it is. If your facilities are secure like they're supposed to be, you know who comes in and out of the building, and ultimately, who has had access to that desktop.

If you give a laptop to an employee for work use, you don't know *exactly* where that laptop is going and you don't know who else might have access to it while it is away.

If you think you do, you're really deluded. I'm not trying to be an ass, but I do IT security for a living. We go through these scenarios on a nearly daily basis with our clients.

You absolutely cannot trust a device once it has left the premises until it has been wiped totally clean and reinstalled from the standard company OS image.

A client I've worked with recently had their network breached because an employee connected to a rouge hotspot while traveling in China and picked up a virus from an exploit that the vendor had only *just released* the patch for but the company had yet to deploy. And that's just *one* scenario of what could happen with a mobile device.

You should be embarrased to post that in what used to be technical forum

Name one technically inaccurate point made in my post. Tick, tock. I'm waiting.

A laptop in possession of a trustworthy employee governed by policy is not losing physical control

So you're saying that all employees will carry their laptop on their person at all times, including while they're going through airport security (in which the agent asks you to take the laptop aside), never left in a hotel room, never left in a meeting room at a conference while everyone goes to grab lunch, and etc?

You really have no clue. You should be the embarrassed one.

The OP didn't mention what the policies and so this entire thread will be a flame war.

Well thanks for taking the high road buddy.

Except the last paragraph which is dangerously naive

No, it's not naive just because you don't like the point I made. Just because you've never worked with a company that can't keep up with patches doesn't mean these IT departments don't exist. Unlike you, I've actually done real IT work, done IT consulting, and do IT security for a living.

Name a piece of software that can detect when Windows has been 0-day'd to allow a monitoring kit to be installed.

Name a piece of software that can tell when a laptop is being tinkered with (perhaps by a guy with a USB key loaded with hostile software) while the employee is distracted.

Sorry, software does not solve these problems.

Once you lose physical control of a machine, you really can't say much about the security of it. You don't know where that laptop has been or who else might have tampered with it while it has been traveling the globe. The best you can really do is the standard antivirus scans. But that doesn't stop a 0-day or a custom written trojan.

You really ought to be treating all portable devices as potentially hostile devices and securing (and monitoring) your networks accordingly.

IMO if the user is competent enough to install Linux or their own custom Windows image on there, I don't think you are any worse off than it was previously. Seeing how out of date some IT departments are with patching and service packs, the machine may end up being more secure.

Got laid tonight ... check.

Cool story bro.

Your post is full of grammatical errors so don't get started.

What these students did was a jailable offense

Maybe in North Korea or China. In America something like this is at most a civil tort of libel.

Sodomy was made legal by the supreme court.

The law makes no distinction if the child porn you possess was obtained accidentally or intentionally.

Its just like buying a used car from a drug dealer and going across a border checkpoint.. The sniffing dogs smell some dope that got stashed underneath the seat and YOU are the one who gets put in prison.

I'm not a libertarian but even I can see how utterly broke and immoral the system has become to get to such a point.

Calling the cops is a complete gamble. The cops will likely say "you have child porn, I am required to arrest you and charge you with possession, you can explain it to the judge".

Best thing to do is a low-level multi-pass format, or a new HD. But that is if you *know* that you downloaded CP. If you don't know, cops may bust down your door some months later, seize your computer, then charge you once they find a thumbnail in some cache folder that was deleted 4 months ago.