Frank Hayes

Frankly Blogging

Stop complaining and shut the door!

I didn't see this Wall Street Journal article, "Ten Things Your IT Department Won't Tell You," when it appeared at the beginning of last week. The piece was a tip sheet for how employees can get around corporate IT policies, and it seems to have stirred up great fury in some quarters -- here, where I first heard about it, and also here and here and here and here and here.

I understand why the security people are unhappy with the WSJ for publishing this piece.

But the security people should understand that, on this one, they're dead wrong.

Not a little wrong -- completely, 100% wrong.

And I'm really appalled to think that serious security professionals believe what the WSJ published was a bunch of deep, dark secrets to corporate users.

Users know this stuff already! They don't have to read an article in the WSJ to learn about it. They have departmental power users who have been diving through the holes in their company's IT security for years. The Web and print magazines are full of information on everything that was in the WSJ article. And everybody's brother-in-law is full of misinformation about how there's really nothing wrong with it.

This isn't even a case of depending on "security through obscurity." It's not obscure! The idea that this is new information to users falls under the category of "security through wishful thinking."

Was the WSJ wrong, irresponsible and evil to publish the article? Hogwash. They revealed nothing.

But they did do every corporate IT security pro a huge favor.

It's not too late to dig up the Monday, July 30, issue of the paper. Photocopy the article. Take it to your boss, and recite the following speech:

"We must now assume that every user can do these things.

"I need your sponsorship and the budget and resources necessary to close these 10 security holes in our systems.

"And I need them now, because users have had this article for two weeks."

Face it, if you just e-mailed that boss a list of those same stupidly dangerous user tricks, you'd get no action. You'd likely get nothing if you sent a copy of an article with the same information that appeared in Computerworld or CSO or any other infosec trade pub.

But the Wall Street Journal? That's something that will get respect all the way up the chain.

Quit whining. Use the opportunity this presents.

And for Pete's sake stop assuming your users are stupid. Your worst enemies? Maybe. Grossly misinformed and undereducated and uncooperative when it comes to security? Probably. But not stupid. That stopped being a secure assumption a long time ago.

What People Are Saying

Good grief, not again.

Good grief, not again. Please will people stop this. Check your facts, get the story straight and then write something considered, not something which propagates an already irresponsible attitude. I'm really disappointed in this from Computer World.

When you say: "Not a little wrong -- completely, 100% wrong. And I'm really appalled to think that serious security professionals believe what the WSJ published was a bunch of deep, dark secrets to corporate users."

You are completely wrong. 100%.

We don't care about the "secrets". We care about the fact that a message is being printed by ignorant non-professionals in widely read journals which are STILL basically saying: "It's ok to dick around with IT to see if you can break it, everyone's doing it and you won't get caught".

That's irresponsible, and you are just propagating that attitude with your reactionary article.

I think Dave and Frank

I think Dave and Frank missed the point of my, and Andy's posts. Yes, we know these things are out there, yes, we know our users know (or could easily search for) them. But the tone of the WSJ article was something like "Your IT department is just getting in your way and adding minimal security in the process." That is what Andy and I took exception with in our blog posts.

To address Dave's points, I'm all in favor of responsible disclosure, whereby a vendor is given an appropriate time period in which to fix a vulnerability, then the details are released. I am not, however, in favor of a 0-day full disclosure. I think it is counterproductive to promoting legitimate security research. Also, I believe that a limited amount of personal computer usage at work is acceptable and expected, just as if the Internet were the telephony network. I have, in fact, seen times when YouTube was an appropriate use of resources and have made sure it was available. Yes, it was our marketing department.

I think that the misunderstandings here come from a stereotype of IT Security guys all wanting to lock down everything and run around preventing people from doing things which might possibly in some remote galaxy present a significant security risk. It is the way all Internal Affairs cops are portrayed on TV or the movies -- as bad apples who are unjustifiably harsh. I'll bet most of the IA guys aren't like that and neither are we.

As I said, going full disclosure on discovery of a bug is counterproductive to security research. But being totally against any disclosure makes sure that only the attackers will know the issues with a system. Similarly, being unwilling to work with the IT department (if a user) or the users (if on the IT staff) does a great disservice to your organization. If your IT staff doesn't see it this way, don't just whine and moan about it, do something.

Count one vote in agreement

Count one vote in agreement with this post. I'm a WSJ subscriber, and when I saw the article, I thought, "Great! Now we know *exactly* what tactics the WSJ readers around the company will be trying for the next while!"

If companies would stop over

If companies would stop overpaying their executives, then perhaps they could afford to spend more money taking care of business. Things like security and training and quality improvement.

The fact that security funding is limited is no one's fault but management.

I didn't see the WSJ article

I didn't see the WSJ article when it first came out, either (I was on vacation -- yes, some of us actually get away from business now and then!), but took a look before replying to this column. Just three quick comments:

1. The first three respondents all sound like the type who believe security flaws shouldn't be published, either, because then the "bad guys" know another way to exploit IE, Firefox, or what-have-you. This is simply another case where the people who are going to do this sort of thing competently are already doing it, and anyone else is going to mess up somewhere.

2. To be fair, it should be pointed out that the WSJ article also emphasizes in most cases that you still shouldn't be doing these things, and that you do so at your own risk.

3. Roughly half of the items mentioned are things that almost every IW columnist has pointed out are bad policies in the first place. Perhaps the security folks should be looking at ways to make IM viable, make it safe for people to check their personal email (arguments about allowing personal activity during office time because the company expects work to be done during personal time aside, sometimes there are things that need to be addressed during the regular business day), increase the file size limit, and so on. That said, I do have to admit that I haven't yet seen any justification for viewing YouTube in most work places (maybe a marketing environment would find a good reason, but certainly not in accounting, for example).

Let me feed back what you're

Let me feed back what you're all saying in excruciatingly simplified form:

(1) We have security holes, and it's a terrible thing that users make use of them to get around our policies.

(2) We can't afford to close these security holes because we have limited budget and other priorities.

(3) If the Wall Street Journal didn't tell users how to circumvent these holes, they wouldn't know how to do it.

Bluntly, (3) is an effort at security by obscurity, and we all know it won't work. Whether the WSJ piece was irresponsible or unethical is irrelevant. These aren't secrets. Some, like AOL's web version, have substantial marketing budgets behind them. Yes, users know.

And (1) isn't fundamentally about IT security. Here's the headline from a press release issued by a consulting outfit the day after the WSJ article ran: "Survey Finds Most Workers in Big Companies (65%) Rely on One Another, Not Management, to Solve Problems...and Many (37%) Ignore Company Rules Because They Have a Better Way to Get Things Done." The whole press release is at http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20070731005934&newsLang=en and there's a link to the full report on that page.

Simply put, users believe management is clueless. Infosec gets caught in that mudbath. But imagining that users don't have access to this information without the Journal is, um, clueless.

Finally, (2) gets to the guts of what I wrote above. Yes, I know that CSOs know about these problems. And CSOs (or whoever happens to fill their function) have almost certainly tried to get the CEO to care about this stuff. And failed. And failed again, and again.

Yes, budgets and resources are limited. The question is, who gets the money? Infosec's function is to reduce risk. The CSO can now go to the CEO and say "We need to increase the priority for this set of risks -- and we need to do it right now."

And the fact that the piece is in the WSJ -- the CEO's kind of paper -- makes it much harder to ignore.

Go ahead and be unhappy about the WSJ article if you like. Then get over it, and use it to try to get the budget you need to improve the situation.

Otherwise, you're just taking the position of being a victim. And that's the one thing nobody wants from an Infosec professional.

I agree with Andy here. The

I agree with Andy here. The reason we security pros feel strongly about this piece is not that it exposes some ways to subvert legitimate security controls, but that it actively encourages the practice. Yes, the information is available elsewhere on the Internet and no, we're not whining about all of those pages. The WSJ article comes at the issue from the perspective that the controls are unreasonable and that circumventing them is perfectly alright. For a major news outlet and a paper that should be touting employee and corporate responsibility, this is absolutely the wrong angle to take.

Now if I were to take this article into my boss and she didn't know this stuff, I'd be shocked. My boss knows everything in this article and the Information Security department has been working tirelessly for years to mitigate these techniques. But we have also had dozens of other security and privacy related issues to cover. And my boss does everything she can to get the department more funding and resources, but our organization simply can't spare them.

The two issues that I have with your assumption are that money and resources are freely available and not being utilized elsewhere, and that the tone of the article is appropriate. In a perfect world, I would have all the resources at my disposal as soon as I laid the article on my boss's desk. But in a perfect world, I'd already have taken care of these problems and wouldn't have to do anything after reading the article. I believe that anything this piece could accomplish with an indignant presentation to my boss could still be accomplished if it more thoroughly demonstrated the risks of circumventing the controls, both to the organization and to the individual. But it would also prevent employees from getting the wrong impression about the security controls that the IT department has established in their workplace.

Frank, I also think you are

Frank, I also think you are wrong on this. Even though most of this is readily available, that doesn't mean that most users are already doing these things. Secondly, any article encouraging users to subvert company policy is wrong in every way. What if the article was about how to break your state laws? What if it was how to sneak illegal drugs into our schools? These actions can cost the employees their jobs and possibly cost the company lots of money or even court action. A breach, no matter how it happens, is still a breach and has ramifications for the company. Then to say that we should be glad and use it to our advantage is wrong. Many companies can't implement controls to prevent this. Either money or staff shortages prevent it. Plus most controls are less than effective in doing what they are supposed to do. Now our jobs are even harder to do because more people know about these things. I'm not sure what your background is, but it sure doesn't seem that it is in actually working in the trenches and dealing with this stuff on a regular basis.

With all due respect Frank,

With all due respect Frank, you're wrong.

I would wager that 90% of people who read the article, or heard about it, didn't know about all these work-arounds. For the Wall Street Journal to publish that information in the way that it did was out and out irresponsible. It's one thing to point out the flaws; it's another thing to detail the work-arounds. Now we'll have more and more workers out there, the ones who aren't our "power-users", trying these out and significantly increasing the risk of data loss to our businesses.

If several windows in your office building wouldn't close properly, and you couldn't fix them, you wouldn't want that information published in a major international newspaper, would you? Of course not, because then anyone that wanted to come in and steal your coffee machine (or more) would know how to get in quickly and easily. When the Journal detailed these work-arounds, they might as well have been telling their readers about the vulnerabilities that exist in almost every computing environment. These are broken windows that cannot be easily fixed.

While I applaud any actions that would increase awareness of security issues among senior management and business leaders, the reality is that, if in the wake of SOX, PCI-DSS, GLB, Cal SB1386, etc. they haven't gotten security by now then they'll never get it.

Unfortunately, there is no such thing as 100% security. While security and IT professionals do what they can to get us as close as possible to that 100% security, they know that there are always going to be people, good and bad, who try and get around the defenses they have put in place. The Wall Street Journal's article just made their already difficult jobs even more difficult.