unix_fan <[email protected]> writes:

>  "poorly informed"  = speculation

perhaps I wasn't clear enough, but I was trying to make it clear
that my statement had no real evidence backing it, which is to
say it was speculation.  

My only source of information was a news article I read
quite some time ago and that I can't find at the moment.  

> My first hand experience:
> It's not about "us" providing tech help to less-technical law enforcement ("them").
> It's about collaboration and info sharing in a less than public forum, where
> people can be a little more candid.

what can you say to law enforcement that you can't share with other
people?  

I guess some people try to obscure the details of how their network
works, but for me, at least, right thing to do or not, that ship has sailed. 
Personally, I think my customers have a right to know, and I don't
see any reasonable way of telling my customers without telling everyone. 

> The FBI folks running the exercise were very savvy; they were out to help
> raise InfoSec awareness in private organizations that may be less savvy.

Huh, that's interesting.  Of course, I don't get much of any contact with
law enforcement, so my estimation of their competence is based on pure
speculation, as you said.  (For a while I was executing warrants at a small
ISP, but those were all given to someone else who would just tell me what
data they wanted, then I'd go find it.  I didn't actually deal with
law enforcement or anything.)

> they were restrained in the amount of specific help they were able to offer
> (my $0.02: because of a lawsuit happy society) and lines they can cross. They
> even put up with me at one point telling them that they were not being as
> helpful as *I* wanted them to be due to their self imposed restraints.

Ah.  Okay, so they were able to be more candid with you than they 
could be in public, rather than the other way around?

There is one advantage to being small and poor: it's unlikely I will
find myself on the receiving end of a frivolous lawsuit.  I'd have
to piss someone off to the point where they are willing to actually
pay up front for the lawyer time.

> If they are chasing white collar criminals for months and my evidence is 
> crucial, I don't want to trample it because of business expediency pressures

Do you share your data retention policies with your customers?

I don't formalize my data retention policies at the moment, but I'm working
on doing so right now, and examples would be appreciated.  My big
concern is that right now it's all over the place: the data might
be there and it might not; half the time it takes a bunch of digging for me
to even know if I have something, and aside from wasting
everyone's time, this could lead to me looking uncooperative, even
when it would be legally required of me to cooperate.

(of course, prgmr.com has yet to be served with a warrant, so it hasn't
really been a problem yet.)

> This was one of many intriguing competing forces that was exposed by our 
> tabletop exercise.
> 
> Membership costs nothing. If it turns out it's not value added, you simply
> leave.

Huh.  It may be worth another look.  Are there NDAs involved?  Or
can I blog what I learn?  Because if they really do know what they
are doing, it does sound like it could be interesting.

On the other hand, I'd want to be /very clear/ with my customer base
just what I was doing, and I'd probably want to make sure my
data retention and disclosure policies are formalized, just to 
make sure nobody thinks I'll be handing out their data to anyone
with a badge who asks.  
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
 http://lopsa.org/