Firewall Wizards mailing list archives

Re: Waning Security


From: Frederick M Avolio <fred () avolio com>
Date: Thu, 22 Apr 2004 18:49:36 -0400

At 04:43 PM 4/22/2004 -0400, Paul D. Robertson wrote:
It was asking for advice, and while many may see it as "dirty laundry,"
that's more because they're holding pre-conceived notions about how much
information is already out there.

I'm not. I think this list has shown maturity in thinking. If it was my company, he'd be fired for his exceedingly poor judgement. And shifting from the poster (him) to the post ("It") doesn't fool anyone. :-)

Simple obscurity isn't going to help-

Bogon alert. Broadcasting inside-verified holes in security isn't either.


out there?  How many of them know the deal?  How many customers can't
count how many keys a cashier presses?  How many attackers have profiled
how many stores?  How many attackers have social engineered how many
employees to gain the information?  How many former employees are
attackers?  How many current employees are attackers?  This just isn't the
level of badness that people keep proclaiming.

I don't think it was bad. I think it was foolish.


It may be popular to sensationalize "Leaking information!" but let me tell
you- anyone who thinks the attacker community hasn't already profiled
places like the one in question is _kidding_themselves_.

Okay, you can't bait me. :-) I don't buy it.


Sanitizing it probably would have cost a potential attacker an additional
15 minutes of Google time.  Do other people in this community not
regularly track folks on the Net?  Anyone who thinks removing the company
name would have made the hurdle that much harder doesn't understand the
attacker community, and should probably go check their defenses again.

I guess then I don't understand it. Because I don't want to give them that 15-minute edge. Especially if it costs me nothing to keep quiet or ask a smaller community.


Personally, I would refuse to do business with any company that allowed
its infrastructure to go downhill, then blamed it on someone seeking
information on how to get it changed.

But, you know, sometimes it is the only place open late at night when you need copying. :-)

Security is *everyone in an organization's responsibility* but that means
that the people in charge have to pay attention.  If there's not an easy
and well-known way for an organization to inform and indeed complain about
it, it's STILL not the messenger's fault.  Shooting the messenger ensures
you get no more messages-

I'd not shoot the messenger for noticing a problem. I'd shoot the messenger for telling the world about it.


While the original message contains some embarrassing stuff, there's nothing in there that an attacker couldn't (a) easily find out and (b) publish at will.

Bogon alert. A would-be attacker can *now* easily find out. I am not convinced that is the case however. Publish at will? Sure.

"I'm sorry the plans on that new weapons system leaked. But, they were already probably out there before I leaked them to the enemy."

I'd really encourage other people, the first day they stumble on this -- or any -- list to think more before posting.

Fred
Avolio Consulting, Inc.
16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
+1 410-309-6910 (voice) +1 410-309-6911 (fax)
http://www.avolio.com/
http://www.avolio.com/weblog/
Instant Message: AIM-fmavolio, Yahoo-avolio, MSN-fred () avolio com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards