Re: Administration of PCD DSS Program

[Harry Hoffman <hhoffman () IP-SOLUTIONS NET>]

I honestly think that's a mis-interpretation but to each their own.

Visit the list web-page for unsubscribing, or send a unsubscribe command
to the listserv email address.

Or just lurk. You might find valuable information.

Cheers,
Harry

On 03/13/2013 09:47 AM, Mitcham, Zachery S. wrote:
> This is exactly what I'm saying. Excellent interpretation and reading between the lines 
>
> Zachery S. Mitcham, MSA
>
>
> On Mar 13, 2013, at 9:46, "Harry Hoffman" <hhoffman () IP-SOLUTIONS NET> wrote:
>
> > I don't understand what you are trying to say with these URLs. Is it
> > that somehow these hacks happened as a result of open discussions?
> >
> > Or are you just saying that hacking is possible?
> >
> > Or something else entirely?
> >
> > Cheers,
> > Harry
> >
> > On 03/13/2013 09:17 AM, Mitcham, Zachery S. wrote:
> > > http://tech.mit.edu/V132/N62/hack.html
> > >
> > > [cid:image001.gif@01CE1FCB.9B8A0920]
> > > Zachery S. Mitcham, MSA | Information Technology Security Officer| Information Technology Systems (ITS)|
> > > 910 962 3047|mitchamz () uncw edu<mitchamz () uncw edu%20> | http://www.uncw.edu/itsd/about/ITS.html |UNC 
> > > Wilmington |
> > > 601 South College Road | Wilmington, NC  28403-5616<x-apple-data-detectors://3>
> > > "Security is Everyone's Business"
> > > [cid:image002.png@01CE1FCB.9B8A0920]<https://asktac.uncw.edu/>  AskTAC for self-service solutions and immediate 
> > > assistance! (https://asktac.uncw.edu/)
> > >
> > > NOTICE: Emails sent and received in the course of university business are subject to the North Carolina Public 
> > > Records Act (N.C.G.S. §132-1 et seq.) and may be released to the public unless an exception applies.
> > >
> > >
> > >
> > > From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
> > > Jeffrey Schiller
> > > Sent: Wednesday, March 13, 2013 9:11 AM
> > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > Subject: Re: [SECURITY] Administration of PCD DSS Program
> > >
> > > Actually there are two different schools of thought here. They address different issues.
> > >
> > > 1.  Your security should not depend on obscurity.
> > > 2.  Defense in depth, you shouldn't give the adversary any advantage.
> > > They are not necessarily in conflict. [1] is primarily targeted at developers. As developers your code's security 
> > > shouldn't depend on the source remaining secret. Because quite frankly, the bad guys will get a copy and if you 
> > > hide "secrets" in your code, your code probably isn't that secure in the first place.
> > >
> > > So when developing systems, [1] should be your guide.
> > >
> > > [2] is more often associated with operational practices. Here the attack surface isn't always technical, it is 
> > > human oriented. I.e., the attacks here are social engineering related. Letting the attacker know the chain of 
> > > command only makes it that much easier to launch a social engineering attack. Ideally the principals of [1] 
> > > *should* apply here, but thousands of years of human experience demonstrates that it doesn't always work.
> > >
> > > So in summary you should do [1] when developing code (and procedures) but do [2] when it comes to operational 
> > > concerns.
> > >
> > > -Jeff
> > >
> > > On Wed, Mar 13, 2013 at 8:51 AM, Mitcham, Zachery S. <mitchamz () uncw edu<mailto:mitchamz () uncw edu>> wrote:
> > > I can tell by your coy comment that you are a novice.  Intel can be gathered from the things that you discuss that 
> > > you feel are crumbs and insignificant records of public knowledge.
> > >
> > > If you are telling someone that you are using the Symantec enterprise suite  for A/V eradication they could develop 
> > > their APT around this intel in such a way as to prevent your infected systems from getting to the host site that 
> > > could save them.
> > >
> > > My 2 cents.
> > >
> > > Zachery S. Mitcham, MSA
> > >
> > >
> > > On Mar 13, 2013, at 8:13, "Daniel Wozniak" <dan () orvant com<mailto:dan () orvant com>> wrote:
> > >
> > > > If your systems can be circumvented from information discussed on a
> > > > public list you have bigger problems to worry about. If your systems are
> > > > really secure, you should have no problems discussing the measures you
> > > > took to secure them openly and in the public. Public discussion of good
> > > > security practices is the best way promote good security (assuming there
> > > > is such a thing). Just my 2 cents.
> > > >
> > > > ~Daniel
> > > >
> > > >
> > > > --
> > > > Daniel Wozniak
> > > > Orvant, Inc.
> > > > Email/XMPP : dan () orvant com<mailto:dan () orvant com>
> > > > Phone : +01 480 553 8939 ext 103<tel:480%20553%208939%20ext%20103>
> > > >
> > > >
> > > >
> > > > On 3/13/13 4:25 AM, Mitcham, Zachery S. wrote:
> > > > > I didn't know that everything posted on this listserv is made public on the Internet.  It's like we're giving our 
> > > > > enemy all of the information that they need to circumvent the systems that are discussed here.  Not a good idea.
> > > > >
> > > > >
> > > > >
> > > > > Zachery S. Mitcham, MSA
> > >
> > >
> > >
> > > --
> > > _______________________________________________________________________
> > > Jeffrey I. Schiller
> > > Information Services and Technology
> > > Massachusetts Institute of Technology
> > > 77 Massachusetts Avenue  Room E17-110A
> > > Cambridge, MA 02139-4307
> > > 617.253.0161 - Voice
> > > jis () mit edu<mailto:jis () mit edu>
> > > http://jis.qyv.name
> > > _______________________________________________________________________