Firewall Wizards mailing list archives
Re: Waning Security
From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 22 Apr 2004 16:43:41 -0400 (EDT)
On Thu, 22 Apr 2004, S. Jonah Pressman wrote:
> Chuck, you make excellent points and seem to be extremely passionate about corporate security. Your methodology of airing corporate dirty laundry in public leaves a lot to be desired. In fact, you've just
It was asking for advice, and while many may see it as "dirty laundry," that's more because they're holding pre-conceived notions about how much information is already out there. Simple obscurity isn't going to help- how many hundreds of thousands of ex-company employees do you think are out there? How many of them know the deal? How many customers can't count how many keys a cashier presses? How many attackers have profiled how many stores? How many attackers have social engineered how many employees to gain the information? How many former employees are attackers? How many current employees are attackers? This just isn't the level of badness that people keep proclaiming. It may be popular to sensationalize "Leaking information!" but let me tell you- anyone who thinks the attacker community hasn't already profiled places like the one in question is _kidding_themselves_.
> single-handedly issued an invitation to "black-hats" to sample the fruits inside your corporate walls. If I were your manager, I'd
Any serious attacker would validate this anyway- at which point the information would be known to them- and I honestly don't believe that half the information is that pertinent. That's why I responded the way I did.
> introduce you to the corporate legal counsel and then escort you to the door.
Anyone who does that isn't thinking, and probably doesn't have the right employment contract in place in a retail environment anyway.
> I am surprised that your note was posted by the moderator. Frankly, it should have been sent back to you with the suggestion to sanitize it before resubmission.
Sanitizing it probably would have cost a potential attacker an additional 15 minutes of Google time. Do other people in this community not regularly track folks on the Net? Anyone who thinks removing the company name would have made the hurdle that much harder doesn't understand the attacker community, and should probably go check their defenses again. We defenders *have* to work *together*- otherwise, we lose.

Personally, I would refuse to do business with any company that allowed its infrastructure to go downhill, then blamed it on someone seeking information on how to get it changed. Now, there may have been better ways to approach this, and there may have been some sensitivity to sanitizing it- as in not hurting the feelings of whoever's responsible for the architecture- but that's not a security issue, and if they have the ability to remove someone who's concerned, but can't fix the underlying issues, then honestly, the wrong person's being removed.

Security is *everyone in an organization's responsibility*, but that means that the people in charge have to pay attention. If there's not an easy and well-known way for an organization to inform and indeed complain about it, it's STILL not the messenger's fault. Shooting the messenger ensures you get no more messages- that's not good business, that's not good FOR business, and that's a good way to piss off a bunch of people.

Retail environments make lots of security/risk/cost trade-offs that people outside that environment don't understand. Then they tend to adjust after the fact if they need to. If that's true in this case, then again, no use in looking at the messenger; it wasn't them that made the choice. If it's not true, then again, it wasn't the messenger who was responsible for fielding such systems.

If I had an employee who wanted to know what to do to make my business better, and who asked experts in the field how to achieve that, I'd give them more work to do- helping improve the situation. Then I'd let them tell the world what a great company we had by doing that. If your reaction after thinking about it is to shoot the messenger, then we should *all* have an issue with that.

While the original message contains some embarrassing stuff, there's nothing in there that an attacker couldn't (a) easily find out and (b) publish at will.

If anyone from the company in question has any questions, I'd be happy to enlighten them via phone; if they e-mail me directly I'll send contact info.

Paul

-----------------------------------------------------------------------------
Paul D. Robertson            "My statements in this message are personal opinions
paul () compuwar net          which may have no basis whatsoever in fact."
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards