An article on the Wall Street Journal’s online edition caught our eyes – and apparently the eyes of more than a few security pros.

Handler Lenny Zeltser of the SANS Internet Storm Center detailed “Ten things your IT department won’t tell you” on the organization’s dairy today. As a result, quite a few IT pros may call the Journal to cancel their subscriptions.

The article details ways to use your work PC with some of the comforts of home, distributing advice on risqué practices from the somewhat harmless (how to look like you’re working) to potentially dangerous (how to get software your company won’t let you download).

One ISC reader claimed that the article “ultimately tries to convince our users that forwarding sensitive company information to free web-based storage solutions, installing any application, surfing porn or forwarding your email to a free third-party service is perfectly acceptable.”

I’ll leave it up to you to decide if that’s true or not. Here’s a link to the article.

My two cents is that it did, intentionally or not, portray IT professionals as dumb and insensitive gatekeepers, trying to block off employees from their friends and families in the outside world. Most employees would disagree, and rest assured, the average IT pro has known about these freshly declassified shortcuts for quite a while.

It’s also a surprising opinion in the pages of the Journal, whose opinion pages are known to be, as Lowell Bergman pointed out in the motion picture The Insider, “not exactly a bastion of anti-capitalist sentiment.”

The ISC handlers make a great point, noting that the article may be less than up-front about the potential risks for putting the article to use:

“ISC handler Swa Frantzen mentioned that the article left out one big risk: Violating the company’s policy may be a reason for dismissal. He pointed out that IT staff can use the article as a way of raising awareness for the policies that exist at the companies, and the sanctions associated with violating the policies. He also emphasized the need to develop IT practices that support the mobile nature of the modern workforce. “We will need to evolve from the medieval walled city model we all build with our current security technology to a modern grid pattern city, where the people live in the suburbs and are mobile.”

His point in short: if the human resources office calls, don’t blame Rupert Murdoch.

Here’s one blog post worth revisiting.

On Monday, Rahul Kashyap took TippingPoint’s ZeroDay Initiative to task for paying researcher Dino Dai Zovi $10,000 for a flaw he disclosed at CanSecWest.

That incident reached its zenith when Gartner analysts made their feelings clear on hacking contests and vendor association with them.

What’s more interesting than the post is the discussion it set off between Kashyap and Terri from TippingPoint – two opposing sides of the debate on vulnerability disclosure ethics. And don’t overlook Thomas Ptacek’s challenge to McAfee to link to its own code of conduct.

It’s also worth clarifying that the nCircle commentary - the one slamming ZDI - quoted in the post is from August 2005. In relation to the flaw purchased at CanSecWest, nCircle has been supportive of TippingPoint’s efforts.

It seems like every week there’s a new IT security blog. We at SC Magazine know all about this, since last week it was us.

But Microsoft’s new Security Development Lifecycle team blog is especially noteworthy. Michael Howard, senior security program manager in the Security Engineering Group, kicked off this week by explaining what the company has learned from the ANI cursor vulnerability.

Howard, who’s been penning his own blog for a few years now, gives a better explanation of the situation in Redmond than I can, so please check it out for yourself.

It’s no secret that Microsoft is everyone’s favorite punching bag, whether the software empire deserves it or not. But give them credit for adding another layer of disclosure with this blog.