
Comment Re:More by whom (Score 1) 368

> In the US [...] you can sue (not that you'd be likely to win,
> but you can sue almost anyone for almost any reason)

That is normal in any sane jurisdiction. In a _civil trial_ you can sue almost everyone for compensation (not for restraint of freedom). Please do distinguish civil vs. criminal law. Basically in civil law you can sue anybody (e.g. me) for anything (e.g. for educating you). In criminal law it is the state or the victim that sues, and the penalty would be restraint of freedom (jail or something similar). In civil law there is compensation for the side suing. Usually sane countries have some protections against bogus claims. For example, in my country, if you wish to sue somebody on a civil basis for an amount exceeding ~20,000 EUR you need to pay a deposit (a "vadium") of about 10% up front. If you win the trial, you win. But if you lose, you also lose the deposit and you need to pay all associated costs.

Comment A big fence (Score 1) 227

> I have always been interested in how and why users break policies,
> despite being trained carefully.

Well, this is a different question from the topic's subject about mobile devices. They break it because they can, I guess.

> I watched people take iPhones into highly sensitive government facilities on several occasions.

They were not that highly sensitive then. If they were, there would actually be guards at the doors searching people to prevent them from bringing in devices such as smartphones.

It is quite easy: you can build a really big fence, like 20 m high, but if nobody is going to watch over it there will be a guy with a 20 m ladder... so I guess you get security wrong. If there is a policy prohibiting iPhones in a certain area, do enforce that policy and have guards enforcing it physically.

> That led me to wonder to what extent the same problem exists in the
> private sector:

It depends, but usually not. If it concerns REALLY SENSITIVE AND PRECIOUS DATA like medical research, military contractors, finance and so on, then yes, the problem exists. But usually in the private sector the data is just not sensitive enough to protect it with such costly measures.

> Portable Electronic Devices (PEDs) are a huge threat to both security and intellectual property.

Nah. They are not. If they are, then you are doing something wrong.

> So, do you use a smart phone or other PED during work hours,
> even though you are not supposed to?

No. That is, I can use my smartphone whenever I want. No company policy forbids me that, and I know nobody who has a similar policy in place. In my opinion you have picked the wrong target to ask that question.

Comment Re:Arch (Score 1) 319

I forgot one important thing: before settling on Arch Linux I tried different distros, mostly mainstream ones like RHL, CentOS, Fedora and Debian, and with their release policy (as opposed to rolling releases) I recall that each time a new major version came out I ended up wasting an entire evening reading release notes, upgrading, fixing things that stopped working etc. Now I prefer to spend a few minutes weekly after each update session acting on potential small changes rather than wasting a few hours on an upgrade to the next major version.

Comment Re:Arch (Score 1) 319

> I make sure I have LVM snapshots between each update
> procedure as at least 1/4 of the time something breaks.
> I really wish arch didn't use rolling updates, but the vast
> AUR repository unique to arch is more than worth it.

I use Arch and I can't confirm that. I've never had a problem with the update process breaking anything. For me it just works as advertised. But it is essential to manage the update process. This is, IMO, the philosophy of Arch Linux: you need to keep control over it. Rolling releases mean that there is no promise of API/ABI compatibility, and of course there will be some major changes down the road on which you need to act.

When updating Arch Linux you need to read what is going to be updated. Major changes (like package replacements) are highlighted and you need to act on those changes after the update. Also you need to look for configuration changes (*.pacnew files) and act if they occur.

Also it is better to update regularly, like once a week, than to pile up the updates and do lots of them at once (since you can miss something important). I tend to update once a week and have never had a problem. Well, once I ended up with an unusable system after an update, but it was not Arch Linux related: it was a kernel bug specific to my hardware and configuration (regarding power management on a laptop; it can be quite tricky on Linux, but hybrid sleep/hibernation is a nice thing to have).

What problems did you have? You are stating that 1 in 4 updates cause problems, so you can probably give a few examples?

Or maybe you are referring to AUR packages breaking during an update. Well, AUR is a completely different thing from the Arch Linux main repo. Some packages in AUR are of terrible quality (outdated, not working, not tested), so I guess if you have lots of obscure AUR packages installed the update process may break some things, but usually it is userland. I wouldn't dare to use AUR packages for core functions of my OS (like the kernel and important services).
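Added example, not part of the comment above: a small POSIX shell helper for the *.pacnew check the comment describes. It assumes the usual pacman convention that a leftover file sits beside the live config with .pacnew or .pacsave appended (e.g. /etc/ssh/sshd_config.pacnew next to /etc/ssh/sshd_config), and classifies each one so you know whether to delete it (identical to what is installed), merge it (differs) or review it (no live counterpart). The sample tree it builds is constructed for an offline run and is not taken from a real system.

```shell
#!/bin/sh
# pacnew_check.sh: after a pacman update, find configuration files that
# were left beside the live ones as *.pacnew / *.pacsave and show what
# the packager changed so the admin can merge (or drop) each one.
# Added example, not from the Slashdot comment; the pacman suffix
# convention is assumed, and the sample tree below is constructed.

# Print "live<TAB>leftover" pairs under $1 (default /etc).
find_pacnew() {
    root="${1:-/etc}"
    find "$root" -type f \( -name '*.pacnew' -o -name '*.pacsave' \) 2>/dev/null |
    while IFS= read -r new; do
        live="${new%.pacnew}"
        live="${live%.pacsave}"
        printf '%s\t%s\n' "$live" "$new"
    done
}

# Number of leftover files found; non-zero means there is work to do.
count_pacnew() {
    find_pacnew "$1" | wc -l | tr -d ' '
}

# Classify one leftover against its live file:
#   identical - the new default equals what is installed, just delete it
#   differs   - show the diff, a manual merge is needed
#   orphan    - no live counterpart, review before adopting
classify_pacnew() {
    live="$1"; new="$2"
    if [ ! -f "$live" ]; then
        echo orphan
    elif cmp -s "$live" "$new"; then
        echo identical
    else
        echo differs
    fi
}

# Human-readable report for the whole tree.
report_pacnew() {
    find_pacnew "$1" | while IFS="$(printf '\t')" read -r live new; do
        state="$(classify_pacnew "$live" "$new")"
        echo "== $new: $state"
        if [ "$state" = differs ]; then
            # diff exits 1 when files differ, which is the expected case here
            diff -u "$live" "$new" || true
        fi
    done
}

# Constructed sample tree so the script can be run without an Arch box.
make_sample_tree() {
    dir="$(mktemp -d)"
    mkdir -p "$dir/ssh" "$dir/pacman.d"
    printf 'PermitRootLogin no\nPasswordAuthentication no\n' \
        > "$dir/ssh/sshd_config"
    printf 'PermitRootLogin prohibit-password\nPasswordAuthentication no\nKbdInteractiveAuthentication no\n' \
        > "$dir/ssh/sshd_config.pacnew"
    printf 'Server = https://mirror.example/$repo/os/$arch\n' \
        > "$dir/pacman.d/mirrorlist"
    cp "$dir/pacman.d/mirrorlist" "$dir/pacman.d/mirrorlist.pacnew"
    printf 'old setting\n' > "$dir/removed.conf.pacsave"
    echo "$dir"
}

# Run the report against the constructed tree when invoked with --demo;
# on a real system call report_pacnew /etc instead.
if [ "${1:-}" = "--demo" ]; then
    d="$(make_sample_tree)"
    report_pacnew "$d"
    rm -rf "$d"
fi
```

The point of the classification step is that an identical .pacnew (the mirrorlist in the sample) is pure noise and can be deleted, while a differing one (the sshd_config in the sample, where the packager's new default would change PermitRootLogin) is exactly the kind of change the comment says you must act on rather than let the old file silently win.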

Comment My policy (Score 1) 319

Personal machines:

Home laptop (primary; I also tend to work on it): I stick with Windows 7. Obviously it is the last sane/usable version of Windows. Skipped Vista entirely. I always tend to use the Good Windows release (95, 98SE, 2000, XP, now 7). Looking forward to installing Windows 10 as it looks quite sane and 7 is getting old. I apply patches automagically. With Windows it happens that some patches break stuff, but it is easy enough to uninstall them. Also I run Secunia PSI to notify me about outdated apps; it can also update them automagically, which is convenient.

Home MacBook (secondary, for fun): I stick with Mavericks since I don't like the new flat look, and basically it still works and apps are working, so not a big deal for me. I install patches as they show up.

Home server (router, network functions, VMs for development): Arch Linux. It is a rolling release distro, so I just upgrade everything from time to time when I have security related updates pending. It works; it has never broken for me.

Raspberry Pi: I use a few for dedicated projects (media player, dedicated retro gaming system). When I set one up and it works I tend not to update it, since I don't see the point.

Now for work computers we have a strong policy. Workstations and laptops have a frozen Windows version (licensing, obviously, and compatibility); we push all updates via WSUS, on which we approve them. We test updates on a selected group of machines (IT staff) before pushing them to all. For servers we also have standardised versions (Windows, RHEL/CentOS). We roll any major upgrade through change management with backup/recovery plans in place (VM snapshots, application backups prior to upgrade and dedicated time windows etc.).

Comment Re:Keep it simple (Score 1) 173

> that's all he needs

No, it is not. You have contradicted yourself in your post. You have described a solution which is flawed from the beginning. Then you described that flaw (the kid could just change his IP to the grandparents' machine's, or even the MAC if you went for MAC based filtering). So you have basically posted a solution that is not a solution at all if you wish to make things work without beating the child.

Comment Keep it simple (Score 1) 173

In my opinion you are making this issue more complicated than it really is. You really don't need site-to-site VPNs and custom routing to accomplish your goals.

If I understand you correctly, your goals are:

1) To have remote access to machines (Linux, Windows, others) in a few remote networks.

Just set up a VPN server in each of these remote networks. OpenVPN is probably a good way to go. It will run on any Linux machine, on a Windows machine (if you dare), even on some routers (e.g. DD-WRT compatible ones). If these networks are behind dynamic IPs you will also need some kind of dynamic DNS service.

Having a VPN server running in all locations, you just log in to it and access whatever machine in that network remotely. For Windows machines DameWare is probably not a bad idea. It is commercial software, but you only need to pay for one license; the license is for an operator (you), not for client machines. You could also use VNC, why not? For Linux machines SSH is a no-brainer. And other devices (like printers, networking gear, etc.) probably have an HTTP interface anyway.

Also you wrote: "me being able to log in and apply patches and security updates without requiring someone on the other end sending me Desktop Sharing invites". Well, are you aware that you DO NOT need to log in to Windows systems to apply patches and security updates? It just happens automatically. Just turn on Windows Update.

And since it looks like you are required to take 4 hr trips to fix your parents' computers, that makes you basically their administrator: DO NOT give them administrator rights on their machines. Set them up with a fairly secure configuration: no admin rights, antivirus software running and set to automatic, backup running and set to automatic, updates running and set to automatic. If you do so I hardly see a need to physically access their machines (modulo hardware failures).

2) You have described your second goal in such a convoluted way, with buts/ifs and so on, that I need to cite this mess: "I'd also like some way to be able to monitor/control my son's online activities while he's away (hence my desire to route at least his traffic, if not all Location B internet traffic, through Location A). Also note: I'm not a helicopter parent by any means and only monitor once in a while to get a general idea of what his online trend is; and the extent of "control" is if grandpa and grandma say he needs time off the computer for x days for bad behavior or whatever, I want to be able to enforce that rule where he won't be able to sneak around while they're in bed. This connection will not have any firewalling or blocking enabled by default.".

So basically you want to:
* monitor your son's network usage
* enforce policies on your son (like no Internet after eight since you were bad)
* enforce password usage (or another form of authentication) for your users, since you don't want to allow your son to use his grandpa's computers while they are not around physically guarding the machines

Well, what you basically wish for is a corporate-like network with authentication to local systems and for network usage. It can't be done without enterprise class systems: you will need an internet access proxy/gateway for accounting and enforcing access policies for the network, a user directory to enforce password usage and restrict access to certain machines for certain users (namely your son), and a network access protection system (and network hardware supporting it) so your son can't just use his Linux machine to access the network however he likes.

That means that you are contradicting yourself by saying that you don't want to have any firewall or blocking: you do.

How you can claim that you have any training in network administration is beyond my understanding.

Comment Re:They're not always like this (Score 1) 363

> Some lights have separate segments where it's only straight or only left-turn.
> Pedestrians only have the walk sign during the straight traffic.

True, but it is uncommon. It is indicated by a *red* left arrow light. I think that works.

However, if there is only a green left arrow light that turns off when opposing traffic starts moving, you are still allowed to turn left, though you have to wait for a gap in the oncoming traffic. For obvious reasons (the driver is looking only at the oncoming traffic) this is when pedestrians are hit.

Comment Re:So what is your goal? (Score 1) 267

> Don't listen to the amateurs. Block by default, require business justification

So your boss emails you and asks you to implement a policy (read the post); in my opinion that is business justification enough, and at least it is his (the boss's) responsibility. Just doing your job is not amateur in my opinion. If it is extremely stupid you should go on and warn him, but nevertheless don't object; do your job.

> and offer a risk assessment for all exception requests,

This is fair: given the boss's request you reply "OK, I'll do that, but it introduces certain risks. I'm right on it while you review the risk assessment." Amateur enough?

> monitor and report suspicious activity.

This is obvious; it does not keep you from doing your job (what your boss expects you to do).

> Don't trust your internal users.

What does it mean?

> Segment wherever possible. Plan for failure. Exercise recovery plans. Due diligence.

Yes.

Comment Re:User Perspective. (Score 1) 267

> It is the Company's network connection, block whatever you like.

If you are the owner of course.

> But, and this is important, have an easy mechanism where a user
> can submit an url,

Browser's address bar easy enough?

> an admin can verify it is a legitimate business related site, and have the
> site whitelisted immediately. That way you can block "Big Butt Russian
> Teens" or whatever, but when the SmartFilter(tm) randomly decides
> that Fairchildsemi.com contains "adult content, sports, gambling and
> lotteries" (happened to me) the legit business use is not impeded.

Oh great. So now an admin administering, e.g., a 5k-user network should also babysit them? :)

Consider that your company relies heavily on email usage. It is probably a more important service than the web; you could function without web browsing, I guess... but without email service you can all go home, I guess. Email works similarly to the web: there are emails sent back and forth, emails are interpreted in a client, emails can contain files (like downloads) etc. Now I don't see you arguing that you should have an admin looking at and verifying every email sent to your users, right? That would be extremely stupid and retarded, right? Well, you are suggesting exactly the same stupid and retarded method for the web. Just use email scanning technologies for your email like you would use web scanning technologies for your web. Don't be retarded.

Comment Re:One overlooked option... (Score 1) 267

> If you want to allow open downloading, provide a restricted AV protected share
> to retrieve downloaded files, if you do not want to allow open downloading,

You DO realise that AV usually fails?

> provide one anyways but require an IT person to review it manually.

OK, so from now on, apart from your usual duties as an IT administrator (I like them), you also need to review files downloaded by 1000 users. Expect calls urging you to review downloaded files. Expect angry people. And how will you review these files anyway? What if the files to be reviewed are sensitive data (like medical or financial) that are not for IT eyes? Doesn't scale well, does it? Legal problems, no?

> Reimage nightly if paranoid.

Why nightly? Why not every 17 minutes? Why not spawn a new image on every access? Certainly possible.

Comment Re:Why firewall? (Score 1) 267

While I agree with your view about access policy, one thing struck me:

> They can as well pierce your firewall with personal VPN services, they are very cheap nowadays.

In a network structured properly (routers, then IPS/security appliances, then a filtering proxy) how could users pierce that with VPN services? If users can pierce your "firewall" (meaning just outbound Internet access) with cheap VPNs, does that mean malware could just as easily transfer data out of your network? Something is wrong with what you are stating.
