Print

Print


I also strongly agree with Geoff.  Keep the list open.  Invite people to 
openly discuss and read about IT issues.  This is a public research 
university; let's continue to demonstrate our capability to run secure 
systems while keeping our IT discussions public.

Ben

On 9/15/10 11:40 AM, Geoffrey Duke wrote:
> Colleagues,
>
> I think restricting access to the list archives will reduce access to
> helpful information, reduce the utility of this list as a resource, and
> do very little to enhance security or protect UVM assets.
>
> Information about IP addresses, applications and network ports is easy
> for someone to determine, without trolling through list archives. Iím
> donít see how any messages that Iíve seen in my time here ó aside from
> the occasional passwd posting ó has revealed anything exploitable that
> isnít easily determined by an interested individual.
>
> Will we also have a policy proscribing discussion of these matters on
> public web pages? Blogs? As a member of the broader IT community, Iím
> eager to share my solutions to problems I encounter. I think we all rely
> on the availability of quality information on blog posts, forums, and
> email archives posted by our colleagues and counterparts at other
> organizations.
>
> I feel strongly that concealing this information doesnít prevent the bad
> guys from doing what they are going to do: it will, however, make it
> harder for other folks to find the information they need to solve problems.
>
> I sometimes use the permalinks to particular posts to respond to
> clientsí request for help. If the list is made private, then I need to
> copy and paste the content, perhaps a whole thread, unless the person
> Iím contacting has a listserv-specific login (listserv doesnít use NetID
> login).
>
> With regard to personal email collections, in generally I donít save
> copies of email messages that I know are retained in an online archive.
>
> óGeoff
>
> Geoffrey Duke
> 802.656.1172 | Sr System Administrator <http://www.uvm.edu/~gcd> |
> Enterprise Technology Services <http://www.uvm.edu/ets> | University of
> Vermont <http://www.uvm.edu/>
>
> *From:* Technology Discussion at UVM [mailto:[log in to unmask]]
> *On Behalf Of *Dean Williams
> *Sent:* Tuesday, September 14, 2010 4:04 PM
> *To:* [log in to unmask]
> *Subject:* IT-Discuss archives: public or members-only?
>
> Colleagues,
>
> IT-Discuss has proven to be a helpful forum for UVM's IT community to
> share information, report problems, and help each other do our jobs.
>  From time to time, there is some concern that it could also be helpful
> in ways we'd all like to avoid, such as providing bits of information
> that a malicious individual could use, perhaps along with information
> gathered through social engineering or other means, to compromise UVM
> systems. Another point of view is that the risk of exploiting
> information posted on IT-Discuss is outweighed by the value of being
> able to use external search services like Google to pull useful
> information from IT-Discuss archives.
>
> A compromise solution might look something like this:
>
>     [] Allow subscription only from uvm.edu <http://uvm.edu> email
>     addresses (this restriction is already in place)
>
>     [] Make the IT-Discuss archives "private" so they're accessible only
>     to subscribers, and aren't visible to others, including search engines
>
> If we did make the archives private, they'd still be searchable by
> logging in at list.uvm.edu <http://list.uvm.edu>. There are pros and
> cons to that, but it does work. If you haven't tried it, you'll find the
> search and browse functions at
> http://list.uvm.edu/archives/it-discuss.html. If we were to make the
> IT-Discuss archives private, we'd have to go through the additional
> steps of setting a listserv password and logging in, but one can stay
> logged in more-or-less forever. And of course, we can always search
> messages saved in our own email accounts.
>
> Another alternative would be for us to remember to use a separate list
> for discussions that could contain sensitive system information, but
> that seems prone to confusion and likely to discourage timely exchange
> of information.
>
> So what do you think? Could we live with private IT-Discuss archives,
> and is the extra security worth the slight inconvenience? Should we try
> it and see?
>
> Thanks in advance (aTdHvAaNnKcSe) for your thoughts.
>
> Best,
>
> Dean W.
>
> ----------------------------
>
> Dean Williams
>
> Director, Client Services
>
> Enterprise Technology Services
>
> University of Vermont
>
> [log in to unmask] <mailto:[log in to unmask]> | 802-656-1174
>
> http://www.uvm.edu/it/
>
>
>