[AusNOG] RISK - IT Industry - Concern Over Equipment Being Installed in Data Centre Facilities

Karl Auer kauer at biplane.com.au
Mon Sep 26 11:41:21 EST 2016


Sam Silvester wrote:
> Skeeve Stevens wrote:
> > But... I don't think we should theorise in an open forum giving
> > anyone ideas on how you could abuse this situation.
> > I'd even scrub the archives of this if possible.

> I always find it strange when people put forward advice like this.

So do I.

The idea that "if the good people don't mention it, the bad people
won't think of it" is a thoroughly discredited approach. Why? Because
some good people are bad people and some good people become bad people.
That's why any good security approach assumes that the bad people know
at least as much as the good people do.

Public discussion about vulnerabilities means the good people get to
fix them, guard against them or at the very least know about them and
plan for them.

It's the same for physical holes in security as it is for software
vulnerabilities. For actual holes, inform the affected party first,
giving them time to act, then inform the world. For theoretical holes,
just inform the world as soon as you think of it.

That's what Chris did - thought of a hole and asked what others thought
of it. And the response was "Shh! They might hear you!"

Public discussion of vulnerabilities is the IT equivalent of
vaccination. Secrecy around vulnerabilities is the IT equivalent
of anti-vaxxing.

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
