Educause Security Discussion mailing list archives

Re: IT-ISAC Information Bulletin re MS04-004


From: Clyde Hoadley <hoadleyc () MSCD EDU>
Date: Tue, 3 Feb 2004 09:32:39 -0700

I have a sinking feeling that I'm being baited <grin>
Oh, well - here it goes...

> http(s)://username:password@server/resource.ext

I suggest that use of the above syntax is a poor computing
practice - it is unsafe.  I suggest the above syntax is
a violation of the Confidentiality portion of the Confidentiality,
Integrity, Availability (CIA) security triad - the cornerstones
of Information Security.

Bookmarks are stored in clear text on the user's hard drive
and can be read using any one of hundreds of techniques - including
the Windows "type" command, Notepad or the web browser itself.

Links created on a web page using the above syntax can be discovered
by moving the mouse over the link or viewing the source code of
the downloaded web page.

I've seen untrained webmasters create such links on their web
pages, I've seen users e-mail their bookmarks, and I've seen
users create unprotected file shares to their hard drives.  These
can all be Confidentiality violations depending on the content
and value of the asset.

Security involves striking a balance between ease of use and
protecting the assets.  Too often users and management focus
only on the ease of use at the total expense of the security
of their assets.  Ease of use is important, but simply because
something is easy to do does not mean that it is the right thing
to be doing!

In my opinion, Microsoft removing this feature is the responsible
thing for them to do.
--
Clyde Hoadley, CISSP
Security & Disaster Recovery Coordinator
Division of Information Technology
Metropolitan State College of Denver
hoadleyc () mscd edu
http://clem.mscd.edu/~hoadleyc/
(303) 556-5074
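The post's point is that credentials embedded in a URL sit in clear text wherever the URL is saved: a bookmark file, a saved web page, an .url shortcut. The following scanner is an added example, not code from the post or from any list member. It walks a constructed sample (a Netscape-style bookmark file and a Windows [InternetShortcut] entry, both made up here) and reports every URL whose userinfo part carries a username or password, then rewrites the text with the credentials stripped. The hostnames and credentials in the sample are invented.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample input: the kind of clear text a bookmark export and a
# Windows .url shortcut contain. All hosts and credentials are made up.
SAMPLE_TEXT = """
<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
  <DT><A HREF="http://alice:S3cret@intranet.example.edu/reports/q1.xls">Q1 report</A>
  <DT><A HREF="https://www.example.edu/public/">Public site</A>
  <DT><A HREF="ftp://bob:hunter2@files.example.edu/">Files</A>
</DL><p>
[InternetShortcut]
URL=http://carol:pa55word@admin.example.edu:8080/login?next=/
URL=http://dave@wiki.example.edu/
"""

# Match http(s)/ftp URLs up to whitespace, a quote or an angle bracket, so a
# URL inside HREF="..." ends at the closing quote.
URL_RE = re.compile(r'\b(?:https?|ftp)://[^\s"\'<>]+', re.IGNORECASE)


def strip_userinfo(parts):
    """Rebuild a split URL without the username:password@ part.

    The port is preserved. IPv6 literals are re-bracketed because
    SplitResult.hostname returns them without brackets.
    """
    host = parts.hostname or ""
    if ":" in host:
        host = "[" + host + "]"
    if parts.port:
        host += ":" + str(parts.port)
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def find_credential_urls(text):
    """Return (url, username, password, redacted_url) for every URL in text
    whose userinfo carries a username; password is None when absent."""
    hits = []
    for m in URL_RE.finditer(text):
        url = m.group(0)
        parts = urlsplit(url)
        if parts.username is None:
            continue
        hits.append((url, parts.username, parts.password, strip_userinfo(parts)))
    return hits


def redact_text(text):
    """Return text with the userinfo removed from every URL that carries one;
    URLs without credentials are left untouched."""
    def _sub(m):
        parts = urlsplit(m.group(0))
        return strip_userinfo(parts) if parts.username is not None else m.group(0)
    return URL_RE.sub(_sub, text)


if __name__ == "__main__":
    for url, user, pw, clean in find_credential_urls(SAMPLE_TEXT):
        kind = "username+password" if pw is not None else "username only"
        print(f"{kind}: user={user!r} in {url} -> {clean}")
```

Point the scanner at exported bookmarks, saved pages or any text a user is about to mail, and anything it reports is a credential already at rest in clear text; the redacted form is what should have been bookmarked in the first place.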

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
