Half your luck Fido. Perhaps I'll get half way there someday.
There is a big difference between an IT expert and an IT security expert.
An IT expert wants to be found. S-he is keen to get famous and spread the word. The more people they can convert to Window shopping or Penguin fancying the happier they are. The higher the profile the easier it is to evangelise.
An IT security expert is a different story however. The more successful the security expert, the bigger the secrets s-he protects. The very best security experts protect the biggest secrets of all. Important, valuable secrets. Secrets that some people may be motivated to do very nasty things like kidnap, torture and kill to learn about. People like that don't brag about their expertise on web sites.
You seem to be confusing a decent human being who enjoys helping others with a security expert. The two entities may or may not intersect.
cut
I have worked in places where they have pretty good security. Data transfer techniques were quite slow, they involved multiple independently locked physical containers inside other locked containers, people watching other people at all times, armed guards and lots of other exciting stuff. The crypto system on the comms was probably something Mark knocked up in his tool shed ;-) It could all be rendered useless by showing an insider a photo of one of their kids in the cross hairs of a rifle scope and telling them to bring you something interesting. Or even, as actually happened to us on one occasion, a beautiful girl smiling at a lonely guy in a pub.
Now it is possible to guard against that kind of thing but it is horrendously expensive. As I said, practically no-one does that kind of thing over here. If anyone does it over your way, as Mark mentioned, No-one Says Anything about it.
In my case they made a mess of some publicly accessible data at an inconvenient time. The real secrets were safe and nowhere near the Internet until it was time for the public to know. The people I was working for at the time thought I was a paranoid nut until it happened.
cut
If you are trying to protect secrets, conventional telephone and fax are easy to compromise. Also, are you *sure* you aren't continuously connected to the net? Jacking into an Ethernet with a wireless repeater is pretty cheap nowadays. Pump it into one of those "pringles tin" directional antennas and you can be part of the action 5km away.
The Physics Dept at ADFA used something like that for telemetry to their balloon launching site 9km away back in 2000. I never knew anything about it till a routine sweep picked up an unusual MAC address.
My take is that an unsecured network has the same vulnerabilities as a paper system, but requires more technical knowledge to extract the information.
Start adding encryption and the network immediately gets an advantage. You can read papers upside down on someone's desk, you can pocket them while they are distracted but you can't pluck a document off someone's WPA encrypted wireless link without a hell of a lot more effort.
Keep your files in a filing cabinet? One key gives access to all the contents.
Keep your files in a database? Without an appropriate GRANT statement in the DDL you may as well play solitaire, you won't get access to an entity without the right authentication.
Paper again? Too easy to remove a page from a file, or add one. No-one will ever know you did.
Database? ON DELETE RESTRICT is a good one. Not to mention the audit log. And backup tapes, off site storage etc. Anyone smell smoke?
That's a few to be going on with.
Be a suspicious bastard like me and expect the worst. Open source software is your friend if you have the time-money-need to check it for backdoors. If MS hasn't got at least one with stars and stripes on its handle I'd be disappointed.
At a place I worked once we didn't wonder if our phones were bugged, for instance. We knew they were because we had people paid to bug them. Whether anyone else bugged them wasn't so important after that.
Did you know all koalas on mainland Australia have chlamydia? Hope you didn't get *too* friendly with them ;-)
Next time you are over here take a look at Canberra. Check out ADFA, my old stomping ground. Over 3000 serious hacking attempts every single day and only two successes. One was a net based attack and the other a social engineering raid. Not bad over ten years.
DM personal opinion only
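
Added example, not part of the original post: the paper-versus-database points above (ON DELETE RESTRICT and the audit log) shown with Python's built-in sqlite3 module. The table, trigger and function names are hypothetical and the rows are constructed sample data; SQLite has no GRANT, so the access-control point is not covered here.

```python
import sqlite3

def build_db():
    """In-memory database with a RESTRICT foreign key and an audit trail."""
    db = sqlite3.connect(":memory:")
    # SQLite only enforces foreign keys when this pragma is switched on.
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript("""
        CREATE TABLE case_file (id INTEGER PRIMARY KEY, title TEXT NOT NULL);
        CREATE TABLE page (
            id INTEGER PRIMARY KEY,
            file_id INTEGER NOT NULL
                REFERENCES case_file(id) ON DELETE RESTRICT,
            body TEXT NOT NULL);
        CREATE TABLE audit_log (
            seq INTEGER PRIMARY KEY AUTOINCREMENT,
            action TEXT NOT NULL,
            page_id INTEGER NOT NULL,
            at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP);
        -- Every page added or removed leaves a row behind.
        CREATE TRIGGER page_ins AFTER INSERT ON page BEGIN
            INSERT INTO audit_log(action, page_id) VALUES ('INSERT', NEW.id);
        END;
        CREATE TRIGGER page_del AFTER DELETE ON page BEGIN
            INSERT INTO audit_log(action, page_id) VALUES ('DELETE', OLD.id);
        END;
    """)
    return db

def demo():
    db = build_db()
    db.execute("INSERT INTO case_file(id, title) VALUES (1, 'constructed sample')")
    db.execute("INSERT INTO page(id, file_id, body) VALUES (10, 1, 'page one')")
    db.execute("INSERT INTO page(id, file_id, body) VALUES (11, 1, 'page two')")
    # Throwing away a whole file that still holds pages is refused outright.
    try:
        db.execute("DELETE FROM case_file WHERE id = 1")
        file_delete_blocked = False
    except sqlite3.IntegrityError:
        file_delete_blocked = True
    # Removing a single page succeeds, but unlike paper it is recorded.
    db.execute("DELETE FROM page WHERE id = 11")
    trail = db.execute(
        "SELECT action, page_id FROM audit_log ORDER BY seq").fetchall()
    return file_delete_blocked, trail

if __name__ == "__main__":
    print(demo())
```

The audit table here lives in the same database as the data, so it is only as trustworthy as the write permissions on it; on a server database that is where GRANT and off-site backups come in.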