[Calendar] Confidential video conference information

[Patrick P Murphy]

All,

As many of you have noticed, we have seen a recent uptick in the
number of interruptions ("spam" IP calls out of the blue from the
internet) to ongoing video conference meetings.

A quick google search reveals that there is information on publicly
accessible NRAO web pages -- and other sites that have "harvested"
those pages and republished them -- with detailed instructions on how
to call in to our Polycom video conference systems and hubs.  This is
almost certainly where these interlopers are obtaining the
information; the pattern of calls from these IP addresses is
consistent with knowledge by the callers of that information.

I have contacted some of the parties responsible for the currently
publicly accessible video conference information on our own web
servers, but I would ask that in future you apply the "principle of
least privilege" when you encounter a need to share connection
information for video based meetings.

Please do not post such details on a public web page or wiki; instead,
either use the NRAO staff wiki, a restricted access topic (page) on
the NRAO public wiki, or a restricted topic on a JAO based wiki as
appropriate for your audience.  Also, do not include the details in an
email message that is (a) archived, and (b) whose archives are
publicly accessible.

While the cat is most definitely out of the bag, we may be able to
reduce the number of future interruptions in meetings by selective
blocking[*], and ensuring known copies of this information are taken
down or moved to restricted servers.  Your cooperation with this
effort will be greatly appreciated.

 - Pat

[*] mariginally effective, but too much like "whack-a-mole".  We
    already have hundreds of block rules in our router configurations.

-- 
Patrick P. Murphy, Ph.D.               https://www.nrao.edu/~pmurphy/
Info Services Site Manager          NRAO Information Security Officer