I also strongly agree with Geoff. Keep the list open. Invite people to openly discuss and read about IT issues. This is a public research university; let's continue to demonstrate our capability to run secure systems while keeping our IT discussions public.

Ben

On 9/15/10 11:40 AM, Geoffrey Duke wrote:
> Colleagues,
>
> I think restricting access to the list archives will reduce access to
> helpful information, reduce the utility of this list as a resource, and
> do very little to enhance security or protect UVM assets.
>
> Information about IP addresses, applications and network ports is easy
> for someone to determine, without trolling through list archives. I
> don’t see how any messages that I’ve seen in my time here — aside from
> the occasional passwd posting — have revealed anything exploitable that
> isn’t easily determined by an interested individual.
>
> Will we also have a policy proscribing discussion of these matters on
> public web pages? Blogs? As a member of the broader IT community, I’m
> eager to share my solutions to problems I encounter. I think we all rely
> on the availability of quality information on blog posts, forums, and
> email archives posted by our colleagues and counterparts at other
> organizations.
>
> I feel strongly that concealing this information doesn’t prevent the bad
> guys from doing what they are going to do: it will, however, make it
> harder for other folks to find the information they need to solve problems.
>
> I sometimes use the permalinks to particular posts to respond to
> clients’ request for help. If the list is made private, then I need to
> copy and paste the content, perhaps a whole thread, unless the person
> I’m contacting has a listserv-specific login (listserv doesn’t use NetID
> login).
>
> With regard to personal email collections, in general I don’t save
> copies of email messages that I know are retained in an online archive.
>
> —Geoff
>
> Geoffrey Duke
> 802.656.1172 | Sr System Administrator <http://www.uvm.edu/~gcd> |
> Enterprise Technology Services <http://www.uvm.edu/ets> | University of
> Vermont <http://www.uvm.edu/>
>
> *From:* Technology Discussion at UVM [mailto:[log in to unmask]]
> *On Behalf Of *Dean Williams
> *Sent:* Tuesday, September 14, 2010 4:04 PM
> *To:* [log in to unmask]
> *Subject:* IT-Discuss archives: public or members-only?
>
> Colleagues,
>
> IT-Discuss has proven to be a helpful forum for UVM's IT community to
> share information, report problems, and help each other do our jobs.
> From time to time, there is some concern that it could also be helpful
> in ways we'd all like to avoid, such as providing bits of information
> that a malicious individual could use, perhaps along with information
> gathered through social engineering or other means, to compromise UVM
> systems. Another point of view is that the risk of exploiting
> information posted on IT-Discuss is outweighed by the value of being
> able to use external search services like Google to pull useful
> information from IT-Discuss archives.
>
> A compromise solution might look something like this:
>
> [] Allow subscription only from uvm.edu <http://uvm.edu> email
> addresses (this restriction is already in place)
>
> [] Make the IT-Discuss archives "private" so they're accessible only
> to subscribers, and aren't visible to others, including search engines
>
> If we did make the archives private, they'd still be searchable by
> logging in at list.uvm.edu <http://list.uvm.edu>. There are pros and
> cons to that, but it does work. If you haven't tried it, you'll find the
> search and browse functions at
> http://list.uvm.edu/archives/it-discuss.html. If we were to make the
> IT-Discuss archives private, we'd have to go through the additional
> steps of setting a listserv password and logging in, but one can stay
> logged in more-or-less forever. And of course, we can always search
> messages saved in our own email accounts.
>
> Another alternative would be for us to remember to use a separate list
> for discussions that could contain sensitive system information, but
> that seems prone to confusion and likely to discourage timely exchange
> of information.
>
> So what do you think? Could we live with private IT-Discuss archives,
> and is the extra security worth the slight inconvenience? Should we try
> it and see?
>
> Thanks in advance (aTdHvAaNnKcSe) for your thoughts.
>
> Best,
>
> Dean W.
>
> ----------------------------
>
> Dean Williams
>
> Director, Client Services
>
> Enterprise Technology Services
>
> University of Vermont
>
> [log in to unmask] <mailto:[log in to unmask]> | 802-656-1174
>
> http://www.uvm.edu/it/