
Even later...but I too agree with Geoff.

Kor

-----Original Message-----
From: Technology Discussion at UVM [mailto:[log in to unmask]] On Behalf Of David Houston
Sent: Tuesday, September 21, 2010 11:36 AM
To: [log in to unmask]
Subject: Re: IT-Discuss archives: public or members-only?

I know I am late but....

I agree fully with Geoff.

What on earth is on IT-DISCUSS that might be of interest for nefarious use?  Are we not supposed to model the kind of behavior that others would aspire to and avoid posting information like SSNs and such?  The would-be outlaws will find all that stuff regardless.

More to the point, isn't transparency something that should thrive in a Higher Ed space?  There's such a distressing increase in a secrecy mindset in all walks of life - let's not add to it, especially when it seems entirely unjustified. (Has there been even a single instance of egregious violation by way of the open archive in question?)

	David Houston
	University of Vermont
	Phone: (802) 656 2013
	**
        "You are nestled in our hearts forever"
        **


On Wed, 15 Sep 2010, Geoffrey Duke intoned:

GD:
GD:Colleagues,
GD:
GD:
GD:
GD:I think restricting access to the list archives will reduce access to helpful information, reduce the utility of this list as a resource, and do very little to enhance security or protect UVM assets.
GD:
GD:
GD:
GD:Information about IP addresses, applications and network ports is easy for someone to determine, without trolling through list archives. I don’t see how any messages that I’ve seen in my time here — aside from the occasional passwd posting — have revealed anything exploitable that isn’t easily determined by an interested individual.
GD:
GD:
GD:
GD:Will we also have a policy proscribing discussion of these matters on public web pages? Blogs? As a member of the broader IT community, I’m eager to share my solutions to problems I encounter. I think we all rely on the availability of quality information on blog posts, forums, and email archives posted by our colleagues and counterparts at other organizations.
GD:
GD:
GD:
GD:I feel strongly that concealing this information doesn’t prevent the bad guys from doing what they are going to do: it will, however, make it harder for other folks to find the information they need to solve problems.
GD:
GD:
GD:
GD:I sometimes use the permalinks to particular posts to respond to clients’ request for help. If the list is made private, then I need to copy and paste the content, perhaps a whole thread, unless the person I’m contacting has a listserv-specific login (listserv doesn’t use NetID login).
GD:
GD:
GD:
GD:With regard to personal email collections, in general I don’t save copies of email messages that I know are retained in an online archive.
GD:
GD:
GD:
GD:—Geoff
GD:
GD:
GD:
GD:Geoffrey Duke
GD:802.656.1172 | Sr System Administrator | Enterprise Technology Services | University of Vermont
GD:
GD:From: Technology Discussion at UVM [mailto:[log in to unmask]] On Behalf Of Dean Williams
GD:Sent: Tuesday, September 14, 2010 4:04 PM
GD:To: [log in to unmask]
GD:Subject: IT-Discuss archives: public or members-only?
GD:
GD:
GD:
GD:Colleagues,
GD:
GD:
GD:
GD:IT-Discuss has proven to be a helpful forum for UVM's IT community to share information, report problems, and help each other do our jobs. From time to time, there is some concern that it could also be helpful in ways we'd all like to avoid, such as providing bits of information that a malicious individual could use, perhaps along with information gathered through social engineering or other means, to compromise UVM systems. Another point of view is that the risk of exploiting information posted on IT-Discuss is outweighed by the value of being able to use external search services like Google to pull useful information from IT-Discuss archives.
GD:
GD:
GD:
GD:A compromise solution might look something like this:
GD:
GD:
GD:
GD:[] Allow subscription only from uvm.edu email addresses (this restriction is already in place)
GD:
GD:
GD:
GD:[] Make the IT-Discuss archives "private" so they're accessible only to subscribers, and aren't visible to others, including search engines
GD:
GD:
GD:
GD:
GD:
GD:If we did make the archives private, they'd still be searchable by logging in at list.uvm.edu. There are pros and cons to that, but it does work. If you haven't tried it, you'll find the search and browse functions at http://list.uvm.edu/archives/it-discuss.html. If we were to make the IT-Discuss archives private, we'd have to go through the additional steps of setting a listserv password and logging in, but one can stay logged in more-or-less forever. And of course, we can always search messages saved in our own email accounts.
GD:
GD:
GD:
GD:Another alternative would be for us to remember to use a separate list for discussions that could contain sensitive system information, but that seems prone to confusion and likely to discourage timely exchange of information.
GD:
GD:
GD:
GD:So what do you think? Could we live with private IT-Discuss archives, and is the extra security worth the slight inconvenience? Should we try it and see?
GD:
GD:
GD:
GD:Thanks in advance (aTdHvAaNnKcSe) for your thoughts.
GD:
GD:
GD:
GD:Best,
GD:
GD:Dean W.
GD:
GD:----------------------------
GD:
GD:Dean Williams
GD:
GD:Director, Client Services
GD:
GD:Enterprise Technology Services
GD:
GD:University of Vermont
GD:
GD:[log in to unmask] | 802-656-1174
GD:
GD:http://www.uvm.edu/it/
GD: