PaulDotCom mailing list archives

Have a laugh on me...

From: herrasher at gmail.com (Kennith Asher)
Date: Mon, 12 Oct 2009 13:19:27 -0700

I have to disagree with your approach Vincent.

The point is to protect people from themselves, not point a finger after
they've failed.

Security is a tough biz since it gets in the way of most people just doing
their job.  It's up to us to convince them that the risk of breach is much
worse than the inconvenience caused by good security policy.  Us versus them
is simply not the way to a more secure environment.

As much as I enjoy a good laugh at the expense of an uninformed person's
Epic Fail, documented conversation + CYA response - customer data = FAIL on
both of you IMO.

Ken

On Mon, Oct 12, 2009 at 12:42 PM, Vincent Lape <vlape at me.com> wrote:

document your conversation with "top buy" create a report stating the
issue and remediation recommendations and just wait till it gets
pwned. Once customer data is out there in the wild im sure they will
have a different outlook on the issue. Just make sure you CYA so "top
guy" doe snot come back and say hey that dude was responsible to
fixing that problem.


On Oct 12, 2009, at 10:24 AM, Soft Reset wrote:

Without spilling details, I told the IT team to remove an exposed
web portal from the internet as it was not SSL protected and the
password was easy enough to be found in my kid's "My First
Dictionary".  This is the response I got back from our "top guy":

 "Many people need access to the web portal.  Remember that one of
the objectives is to develop a strategy
  for the customer. Easier access, not harder, should be the goal."

I laughed.  How about you?


--SR6
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20091012/0a16041d/attachment.htm

Current thread:

Have a laugh on me... Soft Reset (Oct 12)
- Have a laugh on me... Carlos Perez (Oct 12)
  - Have a laugh on me... Bradley McMahon (Oct 12)
  - Have a laugh on me... Tim Krabec (Oct 12)
- Have a laugh on me... Robert Portvliet (Oct 12)
- Have a laugh on me... Jason Wood (Oct 12)
- Have a laugh on me... Jim Halfpenny (Oct 12)
- Have a laugh on me... Vincent Lape (Oct 12)
  - Have a laugh on me... Kennith Asher (Oct 12)
    - Have a laugh on me... Vincent Lape (Oct 12)
    - Have a laugh on me... Kennith Asher (Oct 12)
    - Have a laugh on me... Dan McGinn-Combs (Oct 13)
    - Have a laugh on me... infolookup at gmail.com (Oct 13)
    - Have a laugh on me... Jason Wood (Oct 12)
    - Have a laugh on me... iamnowonmai (Oct 12)
  - Have a laugh on me... Dimitrios Kapsalis (Oct 12)
  - Have a laugh on me... craig bowser (Oct 12)
- Have a laugh on me... Michael Dickey (Oct 12)
- Have a laugh on me... Paul Asadoorian (Oct 12)