There’s this big company out there whose name everyone knows. I’ll just call them “Example Corp” because this is a good example of how things can go wrong. What happened was, this morning I glanced at my server logs and saw hits from http://legal.example.com/blog; puzzled, I checked it out and was challenged for my email before it would let me in. They were fine with my ordinary address, and I found myself in their legal department’s internal blog, full of discussions of people suing them, reports to management, real juicy stuff. Nice Movable Type group-blog setup; and they’d pointed to my recent bulleted-list rant, leaving a trail of crumbs back to their unprotected unmentionables.

I saw that a few of the posts were by a jbloggs and Google, via a search for jbloggs@example.com, revealed that this particular Joe was their Senior Vice President and General Counsel. So I sent him an email saying “Er, your legal department blog is open to the public,” and a couple of hours later got a friendly email from someone @example.com saying “I think we closed it, could you check?” and they had.

A couple of details in the narrative have been changed to protect the guilty, but if I told you what went between legal. and .com you’d gasp.

Anyhow, we already knew these things, but on the evidence it can’t hurt to say them again: First, security by obscurity just doesn’t work, and second, never assume something on a Web server isn’t Internet-visible until you’ve had somebody try from outside and prove it.
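The second lesson, have somebody try from outside and prove it, can be made a routine check rather than a favour from a passing blogger. The script below is an added example written for this page, not the author's code and not a tool from any project mentioned; it assumes the auditor supplies a list of URLs they believe are internal-only (the example.com hostnames here are constructed) and, optionally, a marker string known to appear on the real internal content. Run from a machine outside the corporate network, it fetches each URL with no credentials and reports whether content came back, credentials were demanded, a redirect was issued, or nothing answered. A 2xx page that lacks the marker is reported as `gated-page` rather than safe, because, as the post shows, a gate that asks for an email address and accepts any one is not authentication and has to be walked through by hand.

```python
"""Outside-in exposure check for hosts an organization believes are internal-only.

Added example; the probe and the verdict logic are kept separate so the verdicts
can be tested offline with constructed responses.  Hypothetical file name:
exposure_check.py.  Usage: python exposure_check.py URL [URL ...]
"""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional


@dataclass
class ProbeResult:
    url: str
    status: Optional[int]                         # HTTP status, None if no response at all
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""                                # first few KB of body, for the marker test


def classify(status: Optional[int], headers: Dict[str, str], body: str,
             marker: Optional[str] = None) -> str:
    """Turn one uncredentialed response into a verdict string.

    marker: text that appears only on the internal content itself (a post title,
    a footer line).  Without it any 2xx counts as public.  With it, a 2xx whose body
    lacks the marker is 'gated-page': something answered (a login form, an email
    prompt, a placeholder) and a person must check whether the gate actually holds.
    """
    if status is None:
        return "unreachable"
    hdrs = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    if status in (401, 403, 407):
        return "denied"
    if status in (404, 410):
        return "not-found"
    if 300 <= status < 400:
        return "redirect:" + hdrs.get("location", "?")
    if 200 <= status < 300:
        if marker is None or marker.lower() in body.lower():
            return "public"
        return "gated-page"
    return f"other:{status}"


def audit(results: Iterable[ProbeResult],
          markers: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Map each probed URL to its verdict; markers is an optional url -> marker map."""
    markers = markers or {}
    return {r.url: classify(r.status, r.headers, r.body, markers.get(r.url)) for r in results}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # surface the 3xx as an HTTPError instead of silently following it


_OPENER = urllib.request.build_opener(_NoRedirect)


def probe(url: str, timeout: float = 10.0) -> ProbeResult:
    """Fetch url once, with no cookies or credentials, from wherever this runs."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return ProbeResult(url, resp.status, dict(resp.headers),
                               resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:        # 3xx/4xx/5xx land here
        return ProbeResult(url, err.code, dict(err.headers),
                           err.read(4096).decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):     # DNS failure, refused, timeout
        return ProbeResult(url, None)


if __name__ == "__main__":
    for verdict_url, verdict in audit(probe(u) for u in sys.argv[1:]).items():
        print(f"{verdict:<12} {verdict_url}")
```

Anything reported `public` is reachable by the whole Internet exactly as the legal blog was; `denied` and `unreachable` are the results you want for an internal host, and `redirect` to a single sign-on page is usually fine as long as the target of the redirect is itself checked.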


December 17, 2003
I am an employee of Amazon.com, but the opinions expressed here are my own, and no other party necessarily agrees with them.

A full disclosure of my professional interests is on the author page.