I agree with Geoff - I think closing off the list archives to the
outside would serve very little purpose from a security point of view
(and, as one person pointed out, might give us a false sense of
security). I find list archives are a great resource for IT info -
let's keep it open.
On 9/15/2010 11:40 AM, Geoffrey Duke wrote:
> I think restricting access to the list archives will reduce access to
> helpful information, reduce the utility of this list as a resource, and
> do very little to enhance security or protect UVM assets.
> Information about IP addresses, applications and network ports is easy
> for someone to determine, without trolling through list archives. I
> don't see how any messages that I've seen in my time here — aside from
> the occasional passwd posting — have revealed anything exploitable that
> isn't easily determined by an interested individual.
> Will we also have a policy proscribing discussion of these matters on
> public web pages? Blogs? As a member of the broader IT community, I'm
> eager to share my solutions to problems I encounter. I think we all rely
> on the availability of quality information on blog posts, forums, and
> email archives posted by our colleagues and counterparts at other
> I feel strongly that concealing this information doesn't prevent the bad
> guys from doing what they are going to do: it will, however, make it
> harder for other folks to find the information they need to solve problems.
> I sometimes use the permalinks to particular posts to respond to
> clients' request for help. If the list is made private, then I need to
> copy and paste the content, perhaps a whole thread, unless the person
> I'm contacting has a listserv-specific login (listserv doesn't use NetID
> With regard to personal email collections, in general I don't save
> copies of email messages that I know are retained in an online archive.
> Geoffrey Duke
> 802.656.1172 | Sr System Administrator <http://www.uvm.edu/~gcd> |
> Enterprise Technology Services <http://www.uvm.edu/ets> | University of
> Vermont <http://www.uvm.edu/>
> *From:* Technology Discussion at UVM
> *On Behalf Of* Dean Williams
> *Sent:* Tuesday, September 14, 2010 4:04 PM
> *Subject:* IT-Discuss archives: public or members-only?
> IT-Discuss has proven to be a helpful forum for UVM's IT community to
> share information, report problems, and help each other do our jobs.
> From time to time, there is some concern that it could also be helpful
> in ways we'd all like to avoid, such as providing bits of information
> that a malicious individual could use, perhaps along with information
> gathered through social engineering or other means, to compromise UVM
> systems. Another point of view is that the risk of exploiting
> information posted on IT-Discuss is outweighed by the value of being
> able to use external search services like Google to pull useful
> information from IT-Discuss archives.
> A compromise solution might look something like this:
> - Allow subscription only from uvm.edu <http://uvm.edu> email
>   addresses (this restriction is already in place)
> - Make the IT-Discuss archives "private" so they're accessible only
>   to subscribers, and aren't visible to others, including search engines
> If we did make the archives private, they'd still be searchable by
> logging in at list.uvm.edu <http://list.uvm.edu>. There are pros and
> cons to that, but it does work. If you haven't tried it, you'll find the
> search and browse functions at
> http://list.uvm.edu/archives/it-discuss.html. If we were to make the
> IT-Discuss archives private, we'd have to go through the additional
> steps of setting a listserv password and logging in, but one can stay
> logged in more-or-less forever. And of course, we can always search
> messages saved in our own email accounts.
> Another alternative would be for us to remember to use a separate list
> for discussions that could contain sensitive system information, but
> that seems prone to confusion and likely to discourage timely exchange
> of information.
> So what do you think? Could we live with private IT-Discuss archives,
> and is the extra security worth the slight inconvenience? Should we try
> it and see?
> Thanks in advance (aTdHvAaNnKcSe) for your thoughts.
> Dean W.
> Dean Williams
> Director, Client Services
> Enterprise Technology Services
> University of Vermont
> 802-656-1174