The other night I met an individual who was very close to the creation of the WSJ article linked above. Said individual told me that the article pitch was not the same as the final result. While I do not have any hard documents to support this, it makes sense to me based on some personal experiences dealing with major media outlets.
My feeling is that the WSJ wanted to digg-ify their content. They use the “top 10” approach, they “reveal” things you shouldn’t know, etc.
On a different note: when I spoke at a networking event the other night, I asked a number of professionals — approximately 40 — whether they thought the WSJ should publish these types of articles. Unlike the response in the blogosphere, the overwhelming opinion was that the WSJ should continue these types of articles and that Information Security Managers should bring these articles to their executive management to show that the threats to their infrastructure are real.
Personally, I was not happy with the article for a few reasons:
1. The premise that management “asked their information-technology departments to block us from bringing our home to work” because of increased risk is not correct.
Our goal as information security managers and practitioners is that employees should be enabled to do their work in a safe and secure manner. If management feels that the gains in productivity do not outweigh the investment in the technology (let’s say purchasing and distributing laptops with full disk encryption, etc.), it is management you should address.
2. There were technical inaccuracies giving the end user a false sense of security:
* When describing how to transfer large files, the WSJ suggests using a number of third party services. To judge whether one is secure, they suggest to “Look for a “secure” icon — in Internet Explorer, it’s a little lock on the bottom of the screen — which signifies that the site is using encryption to protect its visitors’ confidential information.” Unfortunately, the lock icon only means the connection to the site is encrypted; it says nothing about how the file is stored once it arrives, and it does not protect the data at rest. The correct answer is that the large document should be encrypted before it is sent outside the organization.
* The WSJ writes, “When you receive personal email on your BlackBerry, it’s coming to you without passing through your company’s firewall. That means viruses or spyware could sneak onto your BlackBerry via a personal email.” Technically, most firewalls do not run anti-virus (a UTM appliance would be the exception). What is actually bypassed is the anti-virus that runs on the company’s email server, so one has to hope that the workstation anti-virus catches the potential issue. The network IPS devices that could trip a signature and send an alert are bypassed as well.
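To make the “encrypt before you send” point concrete, here is an added example (not code from the original post or from the WSJ article) of the step that the lock icon does not give you: the document is sealed on the employee’s machine with AES-256-GCM before it is handed to any third-party transfer service, so the service stores only ciphertext, and any tampering with the stored blob is detected on decryption. The sample document, the `Seal`/`Open` helper names and the assumption that the key is handed to the recipient out of band (never uploaded alongside the file) are all constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample: the "large document" an employee wants to move off-site.
var sampleDocument = []byte("Q3 board deck - CONFIDENTIAL - draft 7")

// NewFileKey returns a fresh 256-bit key. Assumption for this example: the key
// travels to the recipient out of band, never alongside the file on the service.
func NewFileKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts and authenticates plaintext with AES-256-GCM.
// Output layout: 12-byte nonce || ciphertext || 16-byte tag.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Prepend the nonce so the recipient can recover it.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. Any modification of the blob while it sits on the
// transfer service makes the tag check fail and returns an error, not garbage.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// LeaksPlaintext reports whether the plaintext is visible in what the third-party
// service stores: true for a raw HTTPS upload, false once the file is sealed first.
func LeaksPlaintext(stored, plaintext []byte) bool {
	return bytes.Contains(stored, plaintext)
}

func main() {
	key, _ := NewFileKey()
	blob, _ := Seal(key, sampleDocument)
	fmt.Printf("service stores %d bytes; plaintext visible at rest: %v\n",
		len(blob), LeaksPlaintext(blob, sampleDocument))
	blob[len(blob)-1] ^= 0x01 // simulate the stored file being altered
	if _, err := Open(key, blob); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

The HTTPS session the article points to would still be used to upload the sealed blob; the difference is that the transfer service (and anyone who later gets at its disks) only ever sees ciphertext, and the recipient learns immediately if the file was changed while it sat there.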
3. It insinuates that breaking policy for productivity reasons is OK.
This one is self-evident.
4. Its aim is more along the lines of full disclosure than responsible disclosure.
While I believe that full disclosure is justified in certain instances, I do not believe that this was one of them. Full disclosure is justified when one is trying to ultimately create a more secure environment and when one has exhausted most other options for creating the greater good. The aim of the article was to attract the reader’s attention: if it bleeds, it reads! Unfortunately, the ones bleeding are the WSJ’s constituents, and the information in the article teaching users how to bypass controls generally does not contribute to the greater good.
I also realize that this article certainly would not have had the same impact if it were more informative than a how-to, as dictated under the responsible disclosure model.