Last week I read an article in the Wall Street Journal entitled Ten Things Your IT Department Won’t Tell You. It’s a really good article.
My first reaction to hearing this was “the writer and editor who approved it should be fired.” There are reasons we don’t want people to know this stuff! So here’s one of the most respected news publications in the country is telling people how to circumvent corporate content filters, access their company files on their home PCs, and how to install applications on their work PC that aren’t allowed. Brilliant, WSJ. Way to turn a bunch of ordinarily (mostly) harmless users into serious threats to network integrity and security. Not to mention how many kids you just informed of ways to circumvent content filters so they can surf porn while at school. Oh yeah, brilliant move.
Yes, like the Anarchist’s Cookbook, if someone really wants to learn how to do any of these things, there are plenty of other places they can go to find them. And now, thanks to the WSJ, a lot more people know this.
However, after further consideration, I asked myself “is just another form of full disclosure?” After all, all the WSJ has done is pointed out that these techniques and tools are out there, which is really no different from what security analysts and hackers do on a daily basis when they find flaws in applications and systems across the Internet. Okay, so now everyone knows about file-sharing sites for sending large files. So we need to YouSendIt.com on our content filter along with Playboy.com. Now they know you can use Google as a proxy. Similarly to how we block Gmail, Google Talk and Google Image Search without blocking the rest of Google itself.
I’m curious to do some further reading on what the rest of the sysadmin/security community has to say about this.
The personal blog of Peter Nikolaidis