December 17, 2003 (2 entries)
Insecurity by Obscurity
There’s this big company out there whose name everyone knows. I’ll just call them “Example Corp” because this is a good example of how things can go wrong. What happened was, this morning I glanced at my server logs and saw hits from http://legal.example.com/blog; puzzled, I checked it out and was challenged for my email before it would let me in. They were fine with my ordinary address, and I found myself in their legal department’s internal blog, full of discussions of people suing them, reports to management, real juicy stuff. Nice Movable Type group-blog setup; and they’d pointed to my recent bulleted-list rant, leaving a trail of crumbs back to their unprotected unmentionables. I saw that a few of the posts were by a jbloggs and Google, via a search for firstname.lastname@example.org, revealed that this particular Joe was their Senior Vice President and General Counsel. So I sent him an email saying “Er, your legal department blog is open to the public.” and a couple of hours later got friendly email from someone @example.com saying “I think we closed it, could you check?” and they had. A couple of details in the narrative have been changed to protect the guilty, but if I told you what went between .com you’d gasp. Anyhow, we already knew these things, but on the evidence it can’t hurt to say them again: First, security by obscurity just doesn’t work, and second, never assume something on a Web server isn’t Internet-visible until you’ve had somebody try from outside and prove it.
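The second lesson above is easy to automate for your own hosts: fetch every URL you believe is internal-only from outside, with no credentials, and treat anything that comes back readable as exposed. This is an added example, not code from the original post; the hostnames are placeholders in the spirit of the post’s “Example Corp”, and the soft-gate heuristic (a 200 page that is only a login form) is an assumption that flags the email-prompt case for manual checking rather than deciding it.

```python
"""External-visibility check: unauthenticated GET of each URL the owner
believes is private, reporting which ones answer with content.
Added example, not from the original post; hosts are placeholders."""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed sample list (placeholder hosts): paths believed to be internal-only.
PRIVATE_URLS = [
    "https://legal.example.com/blog",
    "https://legal.example.com/blog/archives/",
]

Fetcher = Callable[[str], Tuple[int, str]]


def fetch(url: str) -> Tuple[int, str]:
    """Plain GET with no cookies or credentials; returns (status, body prefix)."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:          # 4xx/5xx still carry a status
        return e.code, e.read(65536).decode("utf-8", "replace")
    except urllib.error.URLError:                # DNS/connect failure: not reachable
        return 0, ""


def classify(status: int, body: str) -> str:
    """401/403 is a real challenge; 3xx/404 means not readable as-is; a 200 that
    renders the page is exposed. A 200 that is only a login/email form is a
    'gate' (assumed heuristic) and must be checked by hand: the post's prompt
    accepted any address, so a gate is not proof of protection."""
    if status == 0:
        return "unreachable"
    if status in (401, 403):
        return "protected"
    if 300 <= status < 400 or status == 404:
        return "hidden"
    if status == 200:
        low = body.lower()
        if "<form" in low and ("password" in low or "email" in low):
            return "gate"
        return "exposed"
    return f"status-{status}"


def check_exposure(urls: List[str], fetcher: Fetcher = fetch) -> Dict[str, str]:
    """Map each URL to its verdict; the fetcher is injectable for offline tests."""
    return {u: classify(*fetcher(u)) for u in urls}


if __name__ == "__main__":
    for url, verdict in check_exposure(PRIVATE_URLS).items():
        print(f"{verdict:12s} {url}")
```

Run it from a machine outside your network; anything reported as “exposed” or “gate” needs a real access control, not a different URL.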
My personal reading metabolism has been suffering for quite some time from severe constipation induced by Neal Stephenson’s Quicksilver. This book is very large and not a snappy read and I felt guilty about starting other things until I’d finished it. Now I have ...
By Tim Bray.
The opinions expressed here are my own, and no other party necessarily agrees with them. A full disclosure of my professional interests is on the author page.