Re: [fw-wiz] Waning Security

From: Frederick M Avolio (fred_at_avolio.com)
Date: 04/23/04

  • Next message: Paul D. Robertson: "Re: [fw-wiz] Waning Security"
    To: "Paul D. Robertson" <paul@compuwar.net>, "S. Jonah Pressman" <jpressman@sympatico.ca>
    Date: Thu, 22 Apr 2004 18:49:36 -0400
    
    

    At 04:43 PM 4/22/2004 -0400, Paul D. Robertson wrote:
    >It was asking for advice, and while many may see it as "dirty laundry,"
    >that's more because they're holding pre-conceived notions about how much
    >information is already out there.

    I'm not. I think this list has shown maturity in thinking. If it was my
    company, he'd be fired for lack his exceedingly poor judgement. And shifing
    from the poster (him) to the post ("It") doesn't fool anyone. :-)

    > Simple obscurity isn't going to help-

    Bogon alert. Broadcasting inside-verified holes in security isn't either.

    >out there? How many of them know the deal? How many customers can't
    >count how many keys a cashier presses? How many attackers have profiled
    >how many stores? How many attackers have social engineered how many
    >employees to gain the information? How many former employees are
    >attackers? How many current employees are attackers? This just isn't the
    >level of badness that people keep proclaiming.

    I don't think it was bad. I think it was foolish.

    >It may be popular to sensationalize "Leaking information!" but let me tell
    >you- anyone who thinks the attacker community hasn't already profiled
    >places like the one in question is _kidding_themselves_.

    Okay, you can't bait me. :-) I don't buy it.

    >Sanitizing it probably would have cost a potential attacker an additional
    >15 minutes of Google time. Do other people in this community not
    >regularly track folks on the Net? Anyone who thinks removing the company
    >name would have made the hurdle that much harder doesn't understand the
    >attacker community, and should probably go check their defenses again.

    I guess then I don't understand it. Because I don't want to give them that
    15 minute edge. Especially if it costs me nothing to keep quiet or ask a
    smaller community.

    >Personally, I would refuse to do business with any company that allowed
    >its infrastructure to go downhill, then blamed it on someone seeking
    >information on how to get it changed.

    But, you know, sometimes it is the only place open late at night when you
    need copying. :-)

    >Security is *everyone in an organization's responsibility* but that means
    >that the people in charge have to pay attention. If there's not an easy
    >and well-known way for an organization to inform and indeed complain about
    >it, it's STILL not the messenger's fault. Shooting the messenger ensures
    >you get no more messages-

    I'd not shoot the messenger for noticing a problem. I'd shoot the messenger
    for telling the world about it.

    >While the original message contains some embarrassing stuff, there's
    >nothing in there that an attacker couldn't (a) easily find out and (b)
    >publish at will.

    Bogon alert. A would-be attacker can *now* easily find out. I am not
    convinced that is the case however. Publish at will? Sure.

    "I'm sorry the plans on that new weapons system leaked. But, they were
    already probably out there before I leaked them to the enemy."

    I'd really encourage other people, the first day they stumble on this -- or
    any -- list to think more before posting.

    Fred
    Avolio Consulting, Inc.
    16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
    +1 410-309-6910 (voice) +1 410-309-6911 (fax)
    http://www.avolio.com/
    http://www.avolio.com/weblog/
    Instant Message: AIM-fmavolio, Yahoo-avolio, MSN-fred@avolio.com

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Paul D. Robertson: "Re: [fw-wiz] Waning Security"

    Relevant Pages

    • Re: Racial Tolerance - Im Lovin it!
      ... Here is another fine example of the trend of violence in fast food ... while several black employees stand by and watch. ... The two black females exit, then re-enter the store to continue the ... point the camera operator warns the black female attackers to flee, ...
      (alt.guitar.amps)
    • Re: Racial Tolerance - Im Lovin it!
      ... while several black employees stand by and watch. ... Note: the black male ... point the camera operator warns the black female attackers to flee, ... the police are on the way. ...
      (alt.guitar.amps)
    • Re: Racial Tolerance - Im Lovin it!
      ... while several black employees stand by and watch. ... One black male manages to ... point the camera operator warns the black female attackers to flee, ... the police are on the way. ...
      (alt.guitar.amps)
    • Messenger Service Pop-ups
      ... >ups state that I'm an unsafe user & that my system is ... >wide open to attackers. ... Scroll down to shoot the messenger. ...
      (microsoft.public.security)