For a while, the mere mention of it seemed like an open invitation for men in black, noiseless helicopters to land on your roof, haul you out to the curb and whisk you away in a nondescript van strangely lacking in license plates and windows in the back.
Security researchers (we'll call them whitehats) still feel a chill when discussing newly discovered security threats and exploits in public venues. Ciscogate (the DEFCON/Cisco flap) is another example of how a seemingly well-intentioned act turned into high drama.
The whole episode ultimately required some impassioned lawyering for the central figure, Michael Lynn. For some of the harrowing details, see the article in Wired by Jennifer Granick, the attorney who represented him, and an interview she granted Search Security.
Who wants to deal with that?
It's little wonder, then, that so many opt to go underground and stay there. But that begs the question: are we harming the IT community in general by keeping potentially meaningful security talk out of the general public's eye?
Some say that in cases like DeCSS and Ciscogate, the ability of movie studios to combat pirates and of banks to trust their routers trumps a hacker's curiosity. Let's not forget the impending legal quagmire if your discovery circumvents some very important protections.
Others argue that keeping such information private is an exercise in futility since the ill-intentioned ones (those would be blackhats) already have easy access to the information they require. Plus, the ability to discuss weaknesses in encryption schemes and other exploits openly can lead to stronger, more hack-resistant software and systems down the road.
No matter which side of the fence you sit on, this is one debate worth engaging in. If nothing else, it brings to the surface the ethical undercurrents that are tugging at today's attitudes toward information security.
Which side of the issue are you being pulled into?
Note: Any opinions expressed below are solely those of the individual posters on the AntiOnline forums.
A plea for some advice on how not to get "negged" sparks a fierce debate.
Alright, a friend and I both have spare boxes. We're setting up a VPN connection and starting to get into some war games with each other for bragging rights (war games as in exploiting each other's machines, bragging, then explaining how it was done). This is all being done internally and we both know the other person is doing this. Now my question to you gurus and other board members is: if I were to ask some security related questions from an offensive perspective would I get negged for it?
MsMittens believes that disclosure ultimately serves the greater good.
Personally, I see nothing wrong with doing wargames and encourage you to do so. I like the suggestion that Aspman has put forward -- it would be interesting to see what you discovered worked and didn't work as well as what things you would do to improve the wargames experience.
I'm a firm believer in full disclosure in that you should understand how an attack feels and how it is done if you are to better defend against it (much like an immune system knowing what a germ is like -- our society is too germ-free these days). A lot of it, however, does boil down to some responsibility. Those lovely words, "If you choose to do this for illegal reasons, you're on your own," are ones that you may need to pepper your posts with.
Egaladeist feels that such knowledge may benefit those with less-than-honorable things in mind.
The problem is, as rowdy mentioned, that any information posted on the forums can be used by OTHER people as well; people who may not have the same intentions as yourself.
My advice is to make yourself known then invite people to a conference room where you can discuss this matter in private.
catch feels that when put in the proper context, security questions need not set off alarms.
The only people who neg for asking penetration testing/wargame questions are self-important [contemptible people] who haven't a clue themselves and just wish to play thought police. These same people tend to have little concept of what actual legal considerations exist.
If all you're looking for is packaged exploits for the latest vulnerabilities, you are at the wrong site. If you wish to have a conversation about methods and considerations then you'll find a few people here with worthwhile insight, but until you know who is who, take everything with a grain of salt.
Ask intelligent questions (gotta be smarter than Google) and you shouldn't have too much trouble.
Remember it is only illegal if you outline an illegal activity in your post.
Your turn. When it comes to computer security, do you speak freely or hold your tongue?