I’m bringing an argument I’m having with someone over IM out to the blog: the private versus “private” question and the issue of posting ipconfig output, just to make a point about the risks of life on the Internet in general.
I’m arguing that a plain email leaks about as much information about a firm as posting an ipconfig in the newsgroups does.
Let me show you what I mean. Send an email from your SBS network to an outside mailbox. Open that email and view its full headers [Outlook is a pain in the butt for this; Thunderbird makes it much easier].
Okay, let’s look at the clues that come out of an email:
- Inside that email is your internal domain name, probably something.local or maybe .lan, both clues that you are running an SBS box. From there there’s about a 99% chance that your internal IP address scheme is 192.168.16.x, because that is the SBS default.
- Inside that email is your public IP address (it sits in the Received: headers).
- Inside that email is the “stamp” of what version of Exchange you are on. So if I see “Produced by Microsoft Exchange V6.5.6944.0” or “Produced by Microsoft Exchange V6.5.7226” I know whether or not you have Exchange 2003 SP1 (6944 is the RTM build, 7226 is SP1). [During the XP SP2 betas the beta testers would read the email headers from the MS folks and track which “next” build of XP SP2 they were on versus the build the beta participants had.... sick puppies... weren’t we?]
- Given that, last I checked, Dr. J’s job wasn’t specifically to target SBS boxes, I would argue that since you can google the phrase “Remote Web Workplace” and find potential SBS boxes, and get just as much from email headers, the risks are in the same category.
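Here is what those clues look like when you pull them out of the headers programmatically. This is an added Python example, not code from the original post: the raw message it parses is constructed for the example (every hostname, IP address and message ID is invented, and the addresses use documentation ranges), and the build-to-service-pack table extends the two Exchange builds quoted above with the SP2 build from Microsoft’s public numbering.

```python
import ipaddress
import re
from email import message_from_string

# Hypothetical raw message (constructed for this example, not from the post):
# an SBS 2003 box sending out through an ISP relay. All names, IPs and
# message IDs are invented; 198.51.100.x / 203.0.113.x are documentation ranges.
SAMPLE_MESSAGE = """\
Received: from mail.example-isp.net (mail.example-isp.net [203.0.113.25])
  by mx.recipient.example with ESMTP id 1A2B3C
  for <someone@recipient.example>; Mon, 14 Mar 2005 10:15:02 -0500
Received: from sbsserver.smallfirm.local ([198.51.100.77])
  by mail.example-isp.net with ESMTP; Mon, 14 Mar 2005 10:14:55 -0500
Received: from SBSSERVER.smallfirm.local ([192.168.16.2]) by SBSSERVER.smallfirm.local
  with Microsoft SMTPSVC(6.0.3790.1830); Mon, 14 Mar 2005 10:14:54 -0500
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Subject: test
From: Alice <alice@smallfirm.com>
To: someone@recipient.example
Message-ID: <0F1E2D3C01@sbsserver.smallfirm.local>

test body
"""

# Exchange 2003 builds -> service-pack level. RTM and SP1 are the two builds
# the post quotes; the SP2 build (6.5.7638) is added from Microsoft's public numbering.
EXCHANGE_BUILDS = {
    "6.5.6944": "Exchange 2003 RTM",
    "6.5.7226": "Exchange 2003 SP1",
    "6.5.7638": "Exchange 2003 SP2",
}

# SBS 2003's "Connect to the Internet" wizard defaults the LAN to 192.168.16.0/24.
SBS_DEFAULT_SUBNET = ipaddress.ip_network("192.168.16.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

HOST_RE = re.compile(r"\b([a-z0-9][a-z0-9.-]*\.(?:local|lan))\b", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
EXCHANGE_RE = re.compile(r"Produced By Microsoft Exchange V(\d+(?:\.\d+)+)", re.IGNORECASE)
SMTPSVC_RE = re.compile(r"Microsoft SMTPSVC\(([\d.]+)\)")


def _unfold(value):
    """Collapse folded header continuation lines into one line."""
    return re.sub(r"\s+", " ", value).strip()


def leak_report(raw_message):
    """Pull the clues the post lists out of a raw message's headers."""
    msg = message_from_string(raw_message)
    received = [_unfold(v) for v in msg.get_all("Received", [])]
    # Hostnames also hide in Message-ID, which Exchange stamps with the server's FQDN.
    scan_text = " ".join(received + [_unfold(msg.get("Message-ID", ""))])

    # Clue 1: internal (.local / .lan) names that point at an SBS-style domain.
    internal_hosts = sorted({h.lower() for h in HOST_RE.findall(scan_text)})

    # Clue 2: every IP in the Received chain, split into public vs RFC 1918.
    public_ips, private_ips = [], []
    for hop in received:
        for ip_str in IP_RE.findall(hop):
            addr = ipaddress.ip_address(ip_str)
            bucket = private_ips if any(addr in net for net in RFC1918) else public_ips
            if ip_str not in bucket:
                bucket.append(ip_str)

    # Clue 3: the Exchange build stamp, mapped to a service-pack level.
    exchange_build = exchange_level = None
    hit = EXCHANGE_RE.search(_unfold(msg.get("X-MimeOLE", "")))
    if hit:
        exchange_build = hit.group(1)
        key = ".".join(exchange_build.split(".")[:3])
        exchange_level = EXCHANGE_BUILDS.get(key, "unknown Exchange build")

    # Bonus: Exchange 2003 rides on IIS 6 SMTP; 6.0.3790.x is the Windows Server 2003 build.
    smtpsvc_build = None
    for hop in received:
        hit = SMTPSVC_RE.search(hop)
        if hit:
            smtpsvc_build = hit.group(1)
            break

    return {
        "internal_hosts": internal_hosts,
        "public_ips": public_ips,
        "private_ips": private_ips,
        "sbs_default_subnet_seen": any(ipaddress.ip_address(ip) in SBS_DEFAULT_SUBNET for ip in private_ips),
        "exchange_build": exchange_build,
        "exchange_level": exchange_level,
        "smtpsvc_build": smtpsvc_build,
    }


if __name__ == "__main__":
    for key, value in leak_report(SAMPLE_MESSAGE).items():
        print(f"{key:24} {value}")
```

Run it against a message you sent yourself (save the raw source from Thunderbird and pass the file contents to leak_report) and you get the internal FQDN, the public address the ISP saw you come from, the LAN address the Exchange server stamped on its own hop, and the Exchange and SMTP service builds, all from one ordinary email.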
Will I still feel that way in a week.... a month.... or a year? Maybe not. Probably not. But I do see that email headers “bleed out” more private information than we probably realize.
So is Tony right to freak out about ipconfig postings in the newsgroups? Probably. Psssst.. just don’t anyone tell Tony I posted that.... Jeff also says that posting that information indiscriminately in the newsgroup is not wise. Posting internal information in a public manner that is forever googlable is a bad idea.
But I would still argue that email is just as much of a “bleeder” of information.
So.... what do you disclose about YOUR firm just by sending email?