I think restricting access to the list archives will reduce access to
helpful information, reduce the utility of this list as a resource, and do
very little to enhance security or protect UVM assets.


Information about IP addresses, applications and network ports is easy for
someone to determine, without trolling through list archives. I don't see
how any messages that I've seen in my time here - aside from the occasional
passwd posting - have revealed anything exploitable that isn't easily
determined by an interested individual.


Will we also have a policy proscribing discussion of these matters on public
web pages? Blogs? As a member of the broader IT community, I'm eager to
share my solutions to problems I encounter. I think we all rely on the
availability of quality information on blog posts, forums, and email
archives posted by our colleagues and counterparts at other organizations.


I feel strongly that concealing this information doesn't prevent the bad
guys from doing what they are going to do: it will, however, make it harder
for other folks to find the information they need to solve problems.


I sometimes use the permalinks to particular posts to respond to clients'
request for help. If the list is made private, then I need to copy and paste
the content, perhaps a whole thread, unless the person I'm contacting has a
listserv-specific login (listserv doesn't use NetID login).


With regard to personal email collections, in general I don't save copies
of email messages that I know are retained in an online archive.




IT-Discuss has proven to be a helpful forum for UVM's IT community to share
information, report problems, and help each other do our jobs.  From time to
time, there is some concern that it could also be helpful in ways we'd all
like to avoid, such as providing bits of information that a malicious
individual could use, perhaps along with information gathered through social
engineering or other means, to compromise UVM systems.   Another point of
view is that the risk of exploiting information posted on IT-Discuss is
outweighed by the value of being able to use external search services like
Google to pull useful information from IT-Discuss archives.  


A compromise solution might look something like this:  


[] Allow subscription only from email addresses (this restriction is
already in place)


[] Make the IT-Discuss archives "private" so they're accessible only to
subscribers, and aren't visible to others, including search engines



If we did make the archives private, they'd still be searchable by logging
in at  There are pros and cons to that, but it does work.  If
you haven't tried it, you'll find the search and browse functions at  If we were to make the
IT-Discuss archives private, we'd have to go through the additional steps of
setting a listserv password and logging in, but one can stay logged in
more-or-less forever.   And of course, we can always search messages saved
in our own email accounts.   


Another alternative would be for us to remember to use a separate list for
discussions that could contain sensitive system information, but that seems
prone to confusion and likely to discourage timely exchange of information.


So what do you think?  Could we live with private IT-Discuss archives, and
is the extra security worth the slight inconvenience?  Should we try it and


Thanks in advance (aTdHvAaNnKcSe) for your thoughts.  



