I think restricting access to the list archives will reduce access to helpful information, reduce the utility of this list as a resource, and do very little to enhance security or protect UVM assets.
Information about IP addresses, applications and network ports is easy for someone to determine, without trolling through list archives. I don’t see how any messages that I’ve seen in my time here — aside from the occasional passwd posting — have revealed anything exploitable that isn’t easily determined by an interested individual.
Will we also have a policy proscribing discussion of these matters on public web pages? Blogs? As a member of the broader IT community, I’m eager to share my solutions to problems I encounter. I think we all rely on the availability of quality information on blog posts, forums, and email archives posted by our colleagues and counterparts at other organizations.
I feel strongly that concealing this information doesn’t prevent the bad guys from doing what they are going to do: it will, however, make it harder for other folks to find the information they need to solve problems.
I sometimes use the permalinks to particular posts to respond to clients’ requests for help. If the list is made private, then I need to copy and paste the content, perhaps a whole thread, unless the person I’m contacting has a listserv-specific login (listserv doesn’t use NetID login).
With regard to personal email collections, in general I don’t save copies of email messages that I know are retained in an online archive.
802.656.1172 | Sr System Administrator | Enterprise Technology Services | University of Vermont
From: Technology Discussion at UVM On Behalf Of Dean Williams
Sent: Tuesday, September 14, 2010 4:04 PM
Subject: IT-Discuss archives: public or members-only?
IT-Discuss has proven to be a helpful forum for UVM's IT community to share information, report problems, and help each other do our jobs. From time to time, there is some concern that it could also be helpful in ways we'd all like to avoid, such as providing bits of information that a malicious individual could use, perhaps along with information gathered through social engineering or other means, to compromise UVM systems. Another point of view is that the risk of exploiting information posted on IT-Discuss is outweighed by the value of being able to use external search services like Google to pull useful information from IT-Discuss archives.
A compromise solution might look something like this:
- Allow subscription only from uvm.edu email addresses (this restriction is already in place)
- Make the IT-Discuss archives "private" so they're accessible only to subscribers, and aren't visible to others, including search engines
If we did make the archives private, they'd still be searchable by logging in at list.uvm.edu. There are pros and cons to that, but it does work. If you haven't tried it, you'll find the search and browse functions at http://list.uvm.edu/archives/it-discuss.html. If we were to make the IT-Discuss archives private, we'd have to go through the additional steps of setting a listserv password and logging in, but one can stay logged in more-or-less forever. And of course, we can always search messages saved in our own email accounts.
Another alternative would be for us to remember to use a separate list for discussions that could contain sensitive system information, but that seems prone to confusion and likely to discourage timely exchange of information.
So what do you think? Could we live with private IT-Discuss archives, and is the extra security worth the slight inconvenience? Should we try it and see?
Thanks in advance (aTdHvAaNnKcSe) for your thoughts.
Director, Client Services
Enterprise Technology Services