There’s this big company out there whose name everyone knows.
I’ll just call them “Example Corp” because this is a good
example of how things can go wrong.
What happened was, this morning I glanced at my server logs and saw hits
from http://legal.example.com/blog; puzzled, I checked it out
and was challenged for my email before it would let me in. They were fine
with my ordinary address, and I found myself in their legal
department’s internal blog, full of discussions of people suing them,
reports to management, real juicy stuff. Nice Movable Type group-blog
setup; and they’d pointed to my recent bulleted-list rant, leaving a trail
of crumbs back to their unprotected unmentionables.
I saw that a few of the posts were by a jbloggs, and Google, via a search
for jbloggs@example.com, revealed that this particular Joe was their
Senior Vice President and General Counsel. So I sent him an email saying
“Er, your legal department blog is open to the public,” and a couple of
hours later got friendly email from someone @example.com saying “I think
we closed it, could you check?” and they had.
A couple of details in the narrative have been changed to protect the
guilty, but if I told you what went between legal. and .com you’d gasp.
Anyhow, we already knew these things, but on the evidence it can’t hurt to
say them again: First, security by obscurity just doesn’t work; an
unpublished URL leaks the moment someone follows a link out of it (it
showed up in my logs as a referrer, and the author’s name was one Google
query away), and a prompt that accepts any email address is not
authentication. Second, never assume something on a Web server isn’t
Internet-visible until you’ve had somebody try from outside and prove it.
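The second point is cheap to act on. What follows is an added example of the “try from outside” check, written for this page and not code from the original post or from the company involved: an anonymous outside-in probe that fetches each host as a stranger would and classifies the answer. The hostnames other than legal.example.com are hypothetical, and the sample responses are constructed so the classification can be exercised offline; the same logic runs against live hosts when URLs are given on the command line.

```python
"""Outside-in exposure check: fetch each URL as an anonymous client and
say whether the server handed over content, demanded credentials, sent us
elsewhere, or never answered. Run it from a network the servers do not
trust (a home connection, a cloud VM), never from inside the office."""
import socket
import urllib.error
import urllib.request

EXPOSED = "exposed"          # content served to an anonymous outside client
GATED = "gated"              # server refused to serve anything without credentials
REDIRECT = "redirect"        # sent elsewhere; inspect the target by hand
UNREACHABLE = "unreachable"  # no HTTP response at all


def classify_response(status, headers):
    """Turn one HTTP response into a verdict.

    A 2xx counts as 'exposed' even when the body is a form: a page that asks
    for an email address and then accepts any value (as in the story above)
    is not access control. Only a server-side refusal counts as gated."""
    if status is None:
        return UNREACHABLE
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if status in (401, 403, 407):
        return GATED
    if 300 <= status < 400:
        return f"{REDIRECT}:{hdrs.get('location', '?')}"
    if 200 <= status < 300:
        return EXPOSED
    return f"http-{status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes a 3xx surface as HTTPError instead of being
    # followed; we want to see the redirect, not the login page it lands on.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_opener = urllib.request.build_opener(_NoRedirect)


def probe(url, timeout=10):
    """Fetch url with no cookies or credentials. Returns (status, headers);
    status is None when no HTTP response came back."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/0.1"})
    try:
        with _opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as e:      # 3xx/4xx/5xx; must precede URLError
        return e.code, dict(e.headers)
    except (urllib.error.URLError, socket.timeout, OSError):
        return None, {}


def check_all(urls, fetch=probe):
    """Probe every URL and return {url: verdict}. `fetch` is injectable so
    the classification can be tested without network access."""
    return {u: classify_response(*fetch(u)) for u in urls}


# Constructed sample responses for hypothetical hosts, standing in for live
# probes; only legal.example.com comes from the story above.
SAMPLE_RESPONSES = {
    "http://legal.example.com/blog": (200, {"Content-Type": "text/html"}),
    "http://intranet.example.com/": (401, {"WWW-Authenticate": 'Basic realm="staff"'}),
    "http://wiki.example.com/": (302, {"Location": "https://sso.example.com/login"}),
    "http://build.example.com/": (None, {}),
}


def fake_fetch(url, timeout=10):
    """Offline stand-in for probe() that serves the constructed samples."""
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:] or list(SAMPLE_RESPONSES)
    fetch = probe if sys.argv[1:] else fake_fetch
    for url, verdict in check_all(targets, fetch).items():
        print(f"{verdict:14s} {url}")
```

Anything reported as exposed needs a human look, since the script cannot tell a real login form from the email prompt in the story; anything reported as a redirect needs the target checked the same way. Feed it every hostname in your external DNS, not just the ones you think are public, because the ones you didn’t think of are the point.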