[LINK] a little light diversion

stephen at melbpc.org.au
Sat Aug 11 15:52:06 AEST 2007


At 03:34 PM 11/08/2007, Roger Clarke wrote:

> Ten Things Your IT Department Won't Tell You
> The Wall Street Journal .. By VAUHINI VARA July 30, 2007;
> <http://online.wsj.com/article_email/SB118539543272477927-lMyQjAxMDE3ODM1MDMzOTA1Wj.html>
>
> With even the WSJ offering 'advice' that invites a whole host
> of insecurities (Google Desktop, for heaven's sake!!??), what
> chance is there of small business or consumers avoiding the pitfalls??

True enough, Roger, one agrees in principle .. but, others say ...

Stop complaining and shut the door!  
By Frank Hayes on Fri, 08/10/2007 - 2:54pm
<http://www.computerworld.com/blogs/node/6013>

I didn't see this Wall Street Journal article, "Ten Things Your IT 
Department Won't Tell You," when it appeared at the beginning of last 
week. The piece was a tip sheet for how employees can get around corporate 
IT policies, and it seems to have stirred up great fury in some quarters --

I understand why the security people are unhappy with the WSJ for 
publishing this piece.

But the security people should understand that, on this one, they're dead 
wrong.

Not a little wrong -- completely, 100% wrong.

And I'm really appalled to think that serious security professionals 
believe what the WSJ published was a bunch of deep, dark secrets to 
corporate users.

Users know this stuff already! They don't have to read an article in the 
WSJ to learn about it. They have departmental power users who have been 
diving through the holes in their company's IT security for years. The Web 
and print magazines are full of information on everything that was in the 
WSJ article. And everybody's brother-in-law is full of misinformation 
about how there's really nothing wrong with it.

This isn't even a case of depending on "security through obscurity." It's 
not obscure! The idea that this is new information to users falls under 
the category of "security through wishful thinking."

Was the WSJ wrong, irresponsible and evil to publish the article? Hogwash. 
They revealed nothing.

But they did do every corporate IT security pro a huge favor.

It's not too late to dig up the Monday, July 30, issue of the paper. 
Photocopy the article. Take it to your boss, and recite the following 
speech:

"We must now assume that every user can do these things.

"I need your sponsorship and the budget and resources necessary to close 
these 10 security holes in our systems.

"And I need them now, because users have had this article for two weeks."

Face it, if you just e-mailed that boss a list of those same stupidly 
dangerous user tricks, you'd get no action. You'd likely get nothing if 
you sent a copy of an article with the same information that appeared in 
Computerworld or CSO or any other infosec trade pub.

But the Wall Street Journal? That's something that will get respect all 
the way up the chain.

Quit whining. Use the opportunity this presents.

And for Pete's sake stop assuming your users are stupid. Your worst enemies? 
Maybe. Grossly misinformed and undereducated and uncooperative when it 
comes to security? Probably. But not stupid. That stopped being a secure 
assumption a long time ago.
