Thread: on access vs access+audit




2006-09-25 23:28:54
All,

Yeah, yeah, yeah - some might say this is shameless self-promotion,
but, seriously, it ain't. I just want to have a fun discussion...

I wrote this piece on logging everything:
http://chuvakin.blogspot.com/2006/09/access-or-accessaudit_22.html

Some criticism, not unexpected, already materialized.
E.g. http://securosis.com/2006/09/23/sorry-logging-is-a-privacy-risk/

What do you think?

Best,
-- 
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.chuvakin.org
http://chuvakin.blogspot.com
http://www.securitywarrior.com
_______________________________________________
LogAnalysis mailing list
LogAnalysislists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/loganalysis

2006-09-26 06:34:29
Hi,

I also have to disagree with this: "Logging is NOT a privacy risk;
inappropriate use for collected data is."

Logging is not a privacy risk, _unauthorized_ inappropriate use of
logs is. And the mere fact of presence of all-including logs poses the
risk of unauthorized inappropriate use. Just recall the
vulnerabilities where passwords got into log files. So why deal with
this risk if you don't need the data?

Still, I agree that in the corporate environment the more logging you
have the better - you end up with a more controlled environment. And
usually there is "no expectation of privacy" at work nowadays...

Regards,
Amiran Alavidze, CISSP


On 9/26/06, Anton Chuvakin <antonchuvakin.org> wrote:
> All,
>
> Yeah, yeah, yeah - some might say this is shameless self-promotion,
> but, seriously, it ain't. I just want to have a fun discussion...
>
> I wrote this piece on logging everything:
> http://chuvakin.blogspot.com/2006/09/access-or-accessaudit_22.html
>
> Some criticism, not unexpected, already materialized.
> E.g. http://securosis.com/2006/09/23/sorry-logging-is-a-privacy-risk/
>
> What do you think?
>
> Best,
> --
> Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
> http://www.chuvakin.org
> http://chuvakin.blogspot.com
> http://www.securitywarrior.com