Some good points for message board security

Message boards and operational security can be a tough fit, so you've got to be smart (and I think you all have been smart when it comes to this).

However, for the folks who haven't thought about this issue, here's what I suggest:

1. Do not disclose any security vulnerabilities if they can be identified to your site/store/business/agency/etc.
2. Do not give complete details of security operations -- provide enough to move the discussion along, but don't weaken opsec.
3. If you think you've overstepped your details, go back and tweak/edit your post to remove unsavory details that might breach your operational security
4. Detailed information (rather than simple "best practices" and "theoretical situations") should be passed over IM or email; don't post it unless you're willing for everyone here to see it. Even on PMs and direct email, ask yourself, would I give this information to this person if I met them face-to-face?
5. Keep in mind that this is a community, and although we are set up to limit membership now to people in security, electronic alarm design/sales, LEO and defense, we are not set up as a background check agency for verification -- you need to do your own investigative work before you disclose private details of sec.ops to anyone.
6. Ask this question before you post to our "on-topic" sections: Am I rasing the level of professional discussion without weakening the strength of my employer's security?

Of course, also be aware that SIW is not going to give up your privacy without a court order or very clear indication of highly illegal activity (that clears all you guys, because I must say, this board is filled with very professional people (and the boneheads WILL CONTINUE to be dealt with -- thanks to all of you who bring them to my attention)).

I think everyone here has been pretty smart about this, and this point has been raised before, but it's always worthwhile to raise. Thanks for being such pros, and these kind of issues don't mean you should stop being active on any forums, but it does mean that you have to apply a little thought to what you're doing.

Incidentally, I always try to give myself a 5-second rule before I post anything -- Instead of hitting submit, I pause for a few seconds, review my message, and then if appropriate, I'll re-edit and/or post it.

Good day,
Geoff Kohl
SecurityInfoWatch.com

Incidentally, this is perfect (from one of our recent "introductions"):

"I'm from Central Ohio and currently work as a Security Officer in a major metropolitan hospital. I also work part time as a Security Officer in a mid size mall."

You know all you need to know to welcome this person into the group but he/she has NOT yielded the details that could compromise themselves. Again, everyone IMHO has done a good job of this. People who are identifying themselves I've noticed also do a great job at making sure that even though you "know" who they are, they aren't giving up operation details that compromise them/their employer.

Keep up the good work.

Geoff

I like how this site continues to raise the bar and not condone illegal and unethical behavior in the industry. I also like how posters who talk about abusing the system, breaking the rules and doing illegal activities are dealt with in a swift and quiet manner. This is the sign of a professional site. The moderators, while different and unique in their opinions and professions are respectful in presenting ideas.

I cannot say the same for other sites and they are silent, allow abusive posters to remain and do not confront abusers in a timely manner. The moderators also ignore problems and there silence condones it.

If anyone did not know, I am one of the members being targeted. I did not reveal any confidential information or even my name (besides my first) or even my workplace. In fact, the only people who knew my full name, work email, work phone, company and my level with the company are "esteemed professionals" in the loss prevention industry. My meeting with my regional manager is tomorrow and it is a good possibility that I will not have a job due to my post about Organized Retail Theft. While I did not even make the original post (merely copied and pasted from another site to start a discussion) I was targeted because my company is VERY pro ORT and the VP of LP is a member in an NRF sponsored ORT database. Coincidence? I think not.

That being said, I agree with the Editor and thank you for all the work you do keeping this board the best Security/Loss Prevention Board on the internet!

How on earth could you lose your job for posting something that came from the New York Times, Washington Post and Kansas City Star?
We had one network working the I-95 corridor.
The FBI was sending out notices to law enforcement, retail and wholesale industries.
Security has always been proactive; local, state and federal law enforcement have jumped on the bandwagon through crime prevention initiatives.
You were only trying to warn us slow learners as to the pitfalls out there.
Enjoy the day,
Bill

LPCap and other person appear to be victims in a attempt to extract vengence for unknown incident. IMHO

Only thing I can add to this is that each poster, on both sets of sub-forums, should review OPSEC and practice it.

Problem is that the post in question (on other sites not here) did not violate OPSEC nor did it misrepresent any of the companies taking the actions. That is case with these two person

Panther, Nathan is right about OPSEC. In the process known as item analysis, folks can piece together a lot of information to form an opinion as to what the targets intentions.
In this particular case, our young friend and his immediate supervisor brought to their leadership the things their leadership did not want to hear or be put on notice about. Once leadership has been put on notice they must take action to remedy the situation. Some leadership elements love to bask in blissful ignorance. "Who sir, me sir?" "Yes sir, you sir!"
Enjoy the day,
Bill

Bill, it may of been that the posts in question were used as trumps to remove unpopular people from an organization. I think this is what people are getting at. In that case, no amount of preparation other than preparing for finding the next job is going to help.

I'm afraid its not that either I believe. Based on what some of us have put together.

If you used a client computer to make your post it may be deemed as personal use and many companies do review all out going messages. It may not be the content as much as the personal use issue. You didn't mention that you posted at work but many folks do. Could that be it?

Based on my knowledge of incidents for both parties that does not appear to be the case

I just wanted to get some thoughts from everyone regarding this type of issue. Obviously, the issue at hand is regarding a store level person who posted info on a bulletin board. What about a little different scenario?

There is a department head in your company who has a confidentiality agreement in place with specific requirements on when it is acceptable to release information. He obtains information from within the organization about an individual that works for another company that he feels the company that individual works for should know about. However, releasing the information would violate the confidentiality agreement. He happens to know the VP of the similar industry department for that company, so he calls him and tells him. As a result of the report, the individual gets fired, but was all based upon completely true and accurate information.

Do you think this action is appropriate by the department head or should he have honored his confidentiality agreement? Is there an integrity concern about this individual? If you were in a position to have authority over the department head, what action would you take with that person?

No it is not



Absolutely thats why its there. If it violated in this case which I see no just cause then where is line drawn?