Have a laugh on me...

[iamnowonmai at gmail.com (iamnowonmai)]

I'm sure it won't take long for "Bob" to turn it into a warez site if you
set back long enough....
;)

On Mon, Oct 12, 2009 at 4:44 PM, Jason Wood <tadaka at gmail.com> wrote:

> I asked a lot of folks who's opinion I highly respect about this issue.
> Their opinion was largely the same as Vincent's.  You can and should
> suggest, recommend, and take every chance you get to move people towards
> protecting their data.  However, you still need to document what you feel
> needs to be done and CYA.  In the end, if/when the system gets hacked the
> security guy is a likely scapegoat.  Protect your backside and be the person
> with the plan to deal with it.
>
> For a differently worded opinion on it...
> http://taosecurity.blogspot.com/2008/09/is-experience-only-teacher-in-security.html
>
>
> Jason
>
>
>
> On Mon, Oct 12, 2009 at 2:19 PM, Kennith Asher <herrasher at gmail.com>wrote:
>
> > I have to disagree with your approach Vincent.
> >
> > The point is to protect people from themselves, not point a finger after
> > they've failed.
> >
> > Security is a tough biz since it gets in the way of most people just doing
> > their job.  It's up to us to convince them that the risk of breach is much
> > worse than the inconvenience caused by good security policy.  Us versus them
> > is simply not the way to a more secure environment.
> >
> > As much as I enjoy a good laugh at the expense of an uninformed person's
> > Epic Fail, documented conversation + CYA response - customer data = FAIL on
> > both of you IMO.
> >
> > Ken
> >
> >
> > On Mon, Oct 12, 2009 at 12:42 PM, Vincent Lape <vlape at me.com> wrote:
> >
> > > document your conversation with "top buy" create a report stating the
> > > issue and remediation recommendations and just wait till it gets
> > > pwned. Once customer data is out there in the wild im sure they will
> > > have a different outlook on the issue. Just make sure you CYA so "top
> > > guy" doe snot come back and say hey that dude was responsible to
> > > fixing that problem.
> > >
> > >
> > > On Oct 12, 2009, at 10:24 AM, Soft Reset wrote:
> > >
> > > > Without spilling details, I told the IT team to remove an exposed
> > > > web portal from the internet as it was not SSL protected and the
> > > > password was easy enough to be found in my kid's "My First
> > > > Dictionary".  This is the response I got back from our "top guy":
> > > >
> > > >  "Many people need access to the web portal.  Remember that one of
> > > > the objectives is to develop a strategy
> > > >   for the customer. Easier access, not harder, should be the goal."
> > > >
> > > > I laughed.  How about you?
> > > >
> > > >
> > > > --SR6
> > > > _______________________________________________
> > > > Pauldotcom mailing list
> > > > Pauldotcom at mail.pauldotcom.com
> > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > Main Web Site: http://pauldotcom.com
> > >
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom at mail.pauldotcom.com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> >
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
>
>
> --
>
> irc: Tadaka
> Twitter:  Jason_Wood
> jwnetworkconsulting.com
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20091012/30e31d6d/attachment.htm