You might want to reread that self-defense clause again.

Yep

If the cop is doing something to your car or truck that is legal, then that's ok. You can't shoot them when they show up to execute a search warrant either.

It's rare that official sites have viruses

Sadly that's really not the case anymore.

there is no need for a technical solution..assuming this is for a business, fire anyone who decides to infect a company-owned PC with malware. (make sure your AUP/HR Policies *clearly* state this).

Great! So all someone needs to do to get his boss fired is to get his machine infected? What about the CFO? CEO? How long would that policy be in place with a little targeted mischief?

What about the case of the user that gets infected because he visited a legitimate website that was serving up malware because they got hacked by a SQL injection attack last night? What if visiting the (now malicious) website was part of her job (reviewing press releases, whatever).

Not sure if your "Just set the AUP right in the first place" suggestion was a joke or a legitimate suggestion.

I swear that's me in the striped izod with the scowl on my face because the girls are typing something wrong. The kid is the right age too.
Has it really been 30 years? I don't remember being anywhere near Mass. 30 years ago, though...

Oooh, it's a sunny day, I think I'll make 6 glasses of lemonade today

Don't bet on the cop not looking at your documents anyway. In the interest of "security".

http://volokh.com/2009/11/04/the-deputy-who-helped-himself-to-the-defense-attorneys-casefile

The video shows a criminal court hearing in which a deputy assigned to court security walks over to the defense attorney’s papers on the counsel table and starts to look at the papers. Eventually he reaches down and pulls out a document from the stack of papers, passes it off to another deputy, and then the other deputy walks away with it.

At least in some jurisdictions....

Excellent examples, and kinda proves the point I was trying to make. If you can't trust them with root then you can't trust their code. He's lucky if getting fired is as far as it went.

The examples you point out are kind of exceptions to the rule (purposeful security policies, production systems, dev teams different than build teams, etc). The grandparent post was talking about "local admin" so I wasn't really trying to address the production system example but rather the local desktop/dev server type restrictions.

The requirement for local admin for most Windows code is one of my peeve issues with Windows.

Agreed and ditto. Security isn't a setting but an end-to-end process.

Sorry for being snarky before, the "forgmarch" line set off my BS meter, especially in a "local admin" context.

And oops on my part for posting the reply initially as AC

All hail you! The mighty sysadmin. I'd love to know details, especially since it got him "frogmarched", but it sounds like so much bravado.

As I said, there are HIDS packages that will track this, as would a competent sysadmin. In my unix example some admins would check permissions on files they put in your sudo list, most don't, especially if they have to do it all the time. The cool thing about social engineering is that you usually aren't even breaking corporate policy, your getting someone ELSE to break corporate policy for you!

In my experience most admin's aren't worth their salt. I say this as an admin myself but with a developer background. I've been on both sides of the issue.

There are other ways. Keyloggers,for example. "Hey Mr. admin, it says I need admin authority to do xyzzy, can you enter your credentials on my keyboard here? Thanks very much.

I don't bring up these examples as ways around security, but rather to bring up the issue of trust. If you can't trust your developer with local admin, you probably can't trust his code, especially compiled code.

For an excellent example see Ken Thompson's paper.

Personally, with vmware and cheap hardware it's easy enough to run your own non-corporate image than it is to get around the security, but there are ways. YMMV.

It's trivial to get admin priveleges. You are a developer after all. Just develop/package your own backdoor trojan/etc that gets installed with root priveleges. Then get those fancy administrators to install it for you with their admin rights. If they ask what it is, tell them its some libraries for a development project. The number of times you'll be asked will be next to nil though. Voila, you can do what you want after that. Not that I've done it, but on the unix side, you could ask for a sudo exception for a program that's in a directory that's writable to you. Boom you have root any time you need it. You're a developer! Use your skills! Yeah yeah, there are some HIDS systems that will catch this sort of thing, but there are ways around that too. After all your root/admin at some point. If you don't trust your developers with root, then you shouldn't trust their code!