Asking Technical Questions on Forums – How Much Client or Company Information Do You Include?

I’m going to assume that anyone reading this post with at least a few weeks of professional information technology work to their credit has at one time asked a question on a forum in pursuit of a technical solution. I have my own favorite forums and communities that I keep on the short list for when I need to ask questions. I’m also fairly active in answering people’s questions when I have the time.

Over the years of participating on forums, it’s fairly common to see people post logs or diagnostic information as they and the forum’s population try to troubleshoot the issue. Most of the time people remove any sensitive information, but once in a while you’ll see someone post the entire config file for a router that includes username and password (unencrypted, of course).

Recently I’ve noticed that, sometimes, the inhabitants of a forum or community will get a little cranky if not enough somewhat-private information is posted. We’re not talking about usernames and passwords, of course. Usually it revolves around domain names and DNS entries. That is, if a person is having issues surrounding DNS, especially public DNS records, a forum member will sometimes complain that the original author hasn’t provided enough information to help solve the problem. What follows is usually a request for the author to provide the public DNS name of the domain that is having problems.

I take immediate issue with wanting to know the public domain information of a post’s author, and have finally put my finger on the controversy. This is why I do not think people should post DNS information in public forum posts:

My Position, Part 1

If you post information on a public website concerning your workplace or a client, you should exclude as much information as possible. Any amount of information concerning a client can be used to bootstrap a potential intruder into your infrastructure. I recommend avoiding the mention of any real names that could trace your post back to a real company. That includes even public DNS entries.

Counter Argument: The above idea is commonly countered by something along the lines of “If attackers can gain entry into your systems simply by knowing a few relatively innocuous bits of information, then you have larger problems.” The rebuttal is that, while that might be a certain shade of true, narrowing down the scope of an attacker’s knowledge is undeniably helpful. If a potential attacker knows that a specific company uses SuperMicro, it’s just a little bit easier to either spear phish or attempt to attack external services using known exploits for that vendor and the stock hardware / software / firmware that often comes with it.

(Side note: That’s why I’m on my guard when working for American non-profits. Each non-profit has to file what is known as a “Form 990” which includes major purchases. I’ve perused through a few 990s for organizations that I’ve worked for or supported and learned a lot about equipment purchases and brand preferences. Knowing major vendor relationships can bolster an attacker’s ability to do evil deeds.)

(Second side note: I don’t live this out perfectly because I do enjoy and see good business sense in being open with how an infrastructure is built. When building my own hosted services, I prefer to swing the door open and show build and status information that violates this position. However, in certain scenarios, it should still be carefully considered before information is shared about an infrastructure.)

My Position, Part 2

Furthermore, if you volunteer your time on a forum or in a community of some kind, don’t ask for specific information concerning a poster’s problem that could identify a company. Certainly don’t complain about people not posting those specifics. Don’t ask for real domain names, even if it’s a DNS question concerning public records.

First Counter Argument: “But wait! DNS names are public information!” you might howl. That’s true, however if a poster reveals the domain name of the company he is working with, then suddenly the relationship between the author and a company has been established. Now that poster’s history on a forum or group of forums (people often use the same nickname on multiple forums) has a greater likelihood of being pertinent to that specific company. Did a person ask a series of questions months ago concerning how to run SMTP services on IIS 7? Oh but they were cautious and didn’t mention any company affiliations! Months later, tracking down a public DNS issue, if at a forum volunteer’s request they post the results of nslookup including full domain information, suddenly their posting history could be correlated to a specific company.

Second Counter Argument: “If they’re asking for help for a public DNS issue, then how can I help the person without being able to perform my own dig and nslookup queries?” Teach a man to fish, don’t hand him a plate of fish and chips.

Oh sure, perhaps they no longer work for the same place that used IIS 7 or maybe they’re a consultant like myself and have multiple clients come and go so relationships would be very hard to correlate. However, the likelihood is that there’s a solid relationship between that author, his posting history and a specific company. Certainly a quick look on LinkedIn or some other social networks could easily reveal if the poster is a consultant or has changed jobs in a certain time period. Nevertheless, all of this shows that a person’s history and relationships can be relatively easy to track down and will help in the event that an intruder starts an information gathering mission as a precursor to an attack.

My Position, Part 3

Finally, there’s this thing called Google. Or Yahoo, or Bing, or Baidu, or DuckDuckGo, or Wolfram Alpha, or Cuil (har har), or whatever search engine you like to use. They index anything and everything and, unless you’re asking on a private site that disallows indexing, your question will be indexed within mere minutes of being posted. That can be bad for two reasons:

  1. If someone searches the company / domain name that you’ve posted, your post may come back. If you’re working for a SMB, your post could be on the first page of results. Now, anyone who searches for that company will see a page that says in essence “Something ain’t working right over here!” From a customer perspective, that could mean the difference between a relationship or them looking elsewhere. From the company’s perspective, well, it’s not uncommon for a company executive to have a Google search alert for their company’s name. Don’t be surprised if they see your post as a result. Depending on the company culture and your relationship to the company (internal IT or external consultant) that might not endear you to them.
  2. If someone searches for a name associated with you, such as a real name, your consultancy’s name if you’re independent, or your forum name, then they will see who you’re working for and what problems and weak spots might exist. The trouble associated with that has largely already been dealt with above.

Counter Argument: “That’s just silly.” No it isn’t. Nya nya nya you’re stupid and ugly. Or… something.

The Overarching Counter Argument to All of This:

“But still, you’ve got larger problems if information like that can lead to a break in!”

I disagree. Everyone has problems. Every grouping of infrastructure can be compromised, broken into and owned given enough time and effort. Every last thing. Every speck of code, every network appliance, everything that has a network presence and anything that plugs into an electrical socket can be compromised and turned against an organization.

The goal is to reduce not only the possible targets of attack, but to reduce the known information about the existing targets. “Security through obscurity” has gotten a bad reputation that isn’t universally deserved.

Don’t leave behind a public trail of problems that you have been working on solving that have a direct connection to a specific company. I realize it’s already easy enough to check someone’s LinkedIn profile for work history and then correlate the person to forum accounts. However, hanging it out directly in a forum post is just more low hanging fruit that is unnecessary.

This isn’t always easy to practice, and certainly public facing services like SaaS, IaaS, and Whatever-aaS do get a customer-relationship benefit from being open and transparent with what they’re building and the products that are being used to build it. However, those scenarios seem to be edge cases. In most cases, privacy is preferred.


I am paranoid.

What Say Ye?

The TL;DR summary of this post would be: “Don’t post info that can reveal who you’re working for. Don’t ask for info that could reveal who a person is working for. Don’t believe the fallacy that because public DNS records are public that it’s okay for an author to include it in their forum post.”

Do you agree? Am I unreasonably paranoid? Support or slay me in the comments below.



  1. R.I.Pienaar

    July 9, 2012 at 5:11 am

    I think your paranoia blinded you to the actual reason people ask this. Most often people ask for this information because they know that people just make typos.

    You typed ‘’ in your config and when provide the supporters with anonymised information you subconsciously fixed the problem tell us you have ‘’ . Note the extra ‘o’. This has happened so many times over and over again on the channels I frequent. It’s a simple common case of a second pair of eyes to validate what you have and most often this resolves the problems.

    The arguments you make are all very valid and I cannot fault your logic.

    BUT: it’s up to the community in question to decide how they wish to donate their spare time to you – it’s your choice to do it their way or not to ask questions there.


    • Wesley David

      July 9, 2012 at 10:16 pm

      You typed ‘’ in your config and when provide the supporters with anonymised information you subconsciously fixed the problem tell us you have ‘’ . Note the extra ‘o’. This has happened so many times over and over again on the channels I frequent. It’s a simple common case of a second pair of eyes to validate what you have and most often this resolves the problems.

      Oh goodness yes, this has happened to me in nearly this exact scenario. However, I think my argument still stands (at least to some degree) even if a person subconsciously fixed their issue as they typed out the anonymized information. The technology will still work according to standards, and I’ve seen plenty of forum members say “Nope, this is impossible. Re check your configs and pay attention to $foo.”

      Admittedly, in those scenarios where someone fixed the problem while anonymizing, there will be more typing about “Maybe it’s this…” or “Have you checked that…” so yes, that does waste people’s time. Not sure how to resolve that potential for trouble except to say that people will either have to accept the potential for insecurity or accept the possibility of time being wasted on wild goose chases. =/

      (P.S. As a consultant, I still get skeeved when I see other consultants posting their client’s DNS information in the course of trying to track down problems. Then when I Google their client’s business name, the post with the DNS problem is now high on the SERPs. I think “Do you even know what that looks like from a business perspective? What is your client going to think if they ever search for their own business name and see you talking about a problem on the first page? Good luck getting more business from them.”)


      • R.I.Pienaar

        July 10, 2012 at 3:40 am

        Many pastebins have expires now where anything posted can be set to be removed after an hour, this doesn’t solve the full problem because there might still be IRC logs discussing pastes that might include company names etc but it can go some way toward addressing the issues. I maintain my own pastebin and just delete things I don’t care for.

        I often tell people to gather *actual* logs then use their editor search and replace function to change only to leaving all host names the same, this at least gives us some hope for spotting the issue as often only the hostnames really matter when debugging and the search/replace will likely capture errors in domain names.

        Regardless, communities differ – some communities are known to have a higher level of user in them less likely to make simple translation errors while others are full of noobs. Those communities will approach this differently, the ones full of noobs are likely so sick of this style of error that they’ll insist on actual pastes and I really can’t blame them.

        I’ve spent hours debugging what seems to be some obscure bug while trusting someone when they say they’re showing you actual code or carefully anonymised code only to find they aren’t and you could have saved yourself a lot of time had you the right information.

        So I stand by my last point in the comment. If you are seeking help from volunteers in the community who are donating their spare time you have to do it by their rules, they’ve more than likely observed the general quality of the community and know what enables them to be effective at helping you. You still have a choice to not ask questions there and possibly pay for support from vendors in many cases where your confidentiality is protected. The choice is in your hands not theirs, expecting them to ask questions differently is futile.
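The search-and-replace approach described in the comment above, as an added example that is not part of the original post or its comments: only the exact domain is swapped for a placeholder and host labels are left alone, so a mistyped domain fails to match and stays visibly different for a second pair of eyes. The domain `widgetco.test`, the sample lines, the `near-miss-N.invalid` stand-in and the 0.85 similarity threshold are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Dotted names such as mail01.widgetco.test. IPs and file names also match,
# but fall through unchanged because they do not resemble the domain.
DOTTED = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# Value after a "password"/"secret" keyword, with an optional type digit.
SECRET = re.compile(r"\b(password|secret)\b((?:[ \t]+\d)?[ \t]+)\S+", re.IGNORECASE)

# Constructed sample: a router config fragment plus two mail server log lines.
SAMPLE = """\
username admin password 0 hunter2
ip domain-name widgetco.test
Jul  9 05:11:02 mail01.widgetco.test postfix/smtp: connect to mx1.widgetcoo.test: Host not found
Jul  9 05:11:09 mail01.WidgetCo.test named: zone widgetco.test/IN: loaded serial 2012070901
"""


def sanitize(text, real_domain, placeholder="example.com", threshold=0.85):
    """Return (text that is safe to post, private warnings for the poster)."""
    real = real_domain.lower().rstrip(".")
    width = real.count(".") + 1      # number of labels in the real domain
    near = {}                        # near-miss domain -> numbered stand-in
    warnings = []

    def swap(match):
        token = match.group(0)
        labels = token.split(".")
        if len(labels) < width:
            return token
        host = labels[:-width]       # host labels are kept exactly as typed
        dom = ".".join(labels[-width:]).lower()
        if dom == real:
            new_dom = placeholder
        elif SequenceMatcher(None, dom, real).ratio() >= threshold:
            # Almost the real domain: hide it, but keep it distinct from the
            # placeholder so the mismatch is still visible to helpers.
            if dom not in near:
                near[dom] = f"near-miss-{len(near) + 1}.invalid"
                warnings.append(f"{dom!r} resembles {real!r} but differs: possible typo")
            new_dom = near[dom]
        else:
            return token             # unrelated name, left untouched
        return ".".join(host + [new_dom])

    out = SECRET.sub(r"\1\2<redacted>", text)
    out = DOTTED.sub(swap, out)
    if real in out.lower():
        warnings.append("real domain still present; review by hand")
    return out, warnings


if __name__ == "__main__":
    safe, notes = sanitize(SAMPLE, "widgetco.test")
    print(safe)
    for note in notes:               # for the poster only, never posted
        print("WARNING:", note)
```

The warnings contain the real domain, so they are for the poster's own review and stay out of the forum post.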


        • Wesley David

          July 10, 2012 at 3:09 pm

          You speak wisdom.


  2. Devdas Bhagat

    July 9, 2012 at 7:31 am

    The problem often is that the questioner does not have enough experience to diagnose issues beyond “this is not working”.

    No one else can help them, or even teach them unless they can duplicate those conditions. Sometimes you can get them 90% of the way there based on unique error messages, but for things like DNS or email, that’s next to impossible.


    • Wesley David

      July 9, 2012 at 10:09 pm

      The problem often is that the questioner does not have enough experience to diagnose issues beyond “this is not working”.

      Exactly! So let’s spend the same amount of time typing a few encouraging, clueful paragraphs about the topic rather than saying “Put up with a little insecurity and give me your domain – I’ll carry you on my back and do your work for you!” =)

      No one else can help them, or even teach them unless they can duplicate those conditions.

      I think we will simply disagree on this point. One does not need to duplicate a person’s conditions to help or teach that person. Although, I think this is the difference between a forum member and a consultant. A consultant needs to reproduce a problem to best fix it. However, I’ve always looked at a forum as a place to help people learn, rather than actually come to their rescue and fix their very specific technical problems. Maybe that’s where some of the difference in my opinions is coming from.


  3. StrawnmanSlayer

    July 9, 2012 at 9:10 pm

    In your zeal to try and justify… well, I’m not exactly sure what you’re getting at, but whatever it is, in your attempt to justify it, you failed to address the only point that really matters: knowing what the DNS information *is* is almost certainly the only efficient way to determine what’s wrong. Now, if you’re paying me consulting rates, I’m happy to spend hours guessing randomly at what could be wrong, but for free on the Internet? Nope, forget it. Give me the information I need to tell you what’s wrong, or work it out yourself. No skin off my nose if you don’t want to tell me, I’ve got nothing invested in making your system work. If you can find someone who’ll guess at problems until they stumble upon the answer, good for you, but otherwise, your problem will go unsolved without the information needed to solve your problem.


    • Wesley David

      July 9, 2012 at 10:04 pm

      In your zeal to try and justify… well, I’m not exactly sure what you’re getting at

      Hmm… I suppose I should have tried to summarize the overall points a bit better. The first idea that caused this topic to spur a full post was that it’s borderline irresponsible to post information directly tied to a company especially concerning something that is malfunctioning. I’ve seen too many posts here and there that showed real domains in config files, log output, and of course DNS questions. That information suddenly opened up a world of possibilities. Bad, evil, wicked possibilities that I was tempted to test the bounds of just to give the OP a clue about data security.

      The second point was that to ask for DNS information seems, in most cases but not all, to be encouraging bad habits in the post’s author. I don’t want to dig/nslookup their domain. Even if they offered their real domain, I wouldn’t lift nary a finger to dig it for them. I want them to learn DNS. Therefore I don’t ask “What’s your domain” but rather “dig your zone and check your glue records. It should look roughly like $foo because $bar. For more info: books!”

      90wpm typing speeds allow me to post a quick few-paragraph summary that is sufficient for the author in roughly the same time it would take to ask for their domain and then dig for records and post back the results and conclusions.

      knowing what the DNS information *is* is almost certainly the only efficient way to determine what’s wrong.

      Completely agreed. However, I think herein lies the crux of the matter. I don’t want to give someone their fish, skinned, deboned, cooked, and with a twist of lemon (parsley to garnish; napkin unfolded on their laps). Note that I feel mostly the same about big config file dumps on forums. “OHAI! Here’s httpd.conf. HALP!” I don’t want to peruse a .conf file. I want to give broad suggestions to spur a person to think. Then, if they come back with “Tell me what’s wrong with my configuration file” I’ll likely ignore them or at best queue them low on my things to do.

      Now, if you’re paying me consulting rates, I’m happy to spend hours guessing randomly at what could be wrong, but for free on the Internet?

      I find it takes roughly the same amount of time to peruse a config file / zone dump as it is to type a few paragraphs of broad to semi-scoped information that the OP obviously needs to learn. I then add a few encouragements to larger bodies of work and wish them well. Their answer will almost always be within my text, unless there’s a problem that is completely untouched in the author’s post. So no, I don’t advocate random guessing at all. I don’t encourage sending people away with no answer. Just not a direct “Here, I dug your zone and your SOA is borked. Fix it with this…”

      I tend to only peruse config files and give laser-scoped answers to friends and those on tightly knit groups / mailing lists that are obviously competent but hamstrung for time or just need fresh eyes.


  4. Biggles77

    July 11, 2012 at 11:54 pm

    Totally agree. Personal identifying info is absolutely NOT necessary to solve a problem posted on a public forum. If however it is, then the OP needs to bring in an outside consultant who should then keep the info confidential and then the info is not required to be posted in a public forum. So often OPs are just too effing lazy to do the research to figure out the problem for themselves.

    I am not the greatest tech but in the 13 years (doing mid to high end work) I have resorted to posting 4 times to a public forum. Twice the problem wasn’t solved but twice it was. What really annoyed me the most was that I have never had to use my 2 free MS support calls that I got each year.

    Apart from hemorrhoids, the only other oids I get are paranoids. Go Nubby!!


    • Wesley David

      July 12, 2012 at 11:12 am

      Don’t tell anyone, but you might want to use your support calls to set up a quirky theoretical problem just for fun. Or you can just call to talk. “Hello, where do you work? Can I pick you up for lunch?”



  5. MadHatter

    July 23, 2012 at 6:31 am

    POW! I felt this question was aimed squarely at me (amongst others). You and I are both SF regulars, and I *know* that I am in the habit of asking people to un-redact their questions, and have done so often, and recently.

    Firstly, let me be clear that **I can’t tell other people what to do**. I can request the information until I go blue in the face, but I can’t make them do anything. What they choose to do is up to them.

    But what I choose to do is up to me. My professional time is hugely valuable, and I’m no longer prepared to waste it, for free, winkling critical information out of people with problems, one line of output at a time. If you’ve got a problem, and you want my unpaid help, you need to lay all the facts in front of me as quickly as possible. Not just what you think is relevant, because if you understood the problem you’d’ve fixed it; by definition you don’t know what the problem is, so you don’t know what’s relevant. Give me everything. Sure, I could step through all the possibilities with the questioner, teach them how to frame, test, and exploit each hypothesis, but life’s too short and my time’s too valuable to do that.

    My canonical recent example in support of my point of view is the question at . The issue wasn’t anything to do with the problem as stated in the title. The original poster even typed what he was getting on telnet, *and corrected the crucial error as he typed it*. If he’d been redacting, that information would surely have disappeared. But since she was honest about her domain name, I could run a quick test in 15 seconds, use my super-power of OCD to identify an anomaly, and draw her attention to that anomaly, which apparently turned out to be the key to the problem.

    So my answer boils down to this: if you want my help to solve your problem, don’t tie my hands. Sure, you might be embarrassed by going public, but you’ll maximise the chances of getting your problem fixed. If you redact, your face stays clear of egg, but your computers may stay broken.


    • Wesley David

      July 23, 2012 at 2:22 pm

      POW! I felt this question was aimed squarely at me (amongst others).

      I promise you weren’t on my mind when I wrote this. =)

      Give me everything. Sure, I could step through all the possibilities with the questioner, teach them how to frame, test, and exploit each hypothesis, but life’s too short and my time’s too valuable to do that.

      I think this is where my thoughts diverge from many people’s, or at least most of the people commenting on this post. When I participate on a forum / community, I’m not there to solve people’s problems. I’m there as an educator; to teach people better. I don’t want to tell someone “Oh, there’s your problem. Your directive isn’t in the proper syntax…” because that seems like rather emaciated help. The person seems just as likely to be seen tomorrow asking a similar question. I’d rather say “Your error seems indicative of a directive syntax error of this form…” Yes those answers are often longer than simply handing out a “fix” though.

      I totally skip over questions that have config file dumps. I’m not there to parse a config file. As you rightly said, your time is valuable and I’m not going to give it away for free to spot check someone. I will, however, give my time away for free to be an educator even if that time is longer than giving out fixes. I think that’s just my personal values being exposed, though. I find that my time is $150 an hour (as of this writing) to fix problems, but it’s often free to educate someone since I find the role of an educator to be of such high honor and great societal value. Certainly if I was a trainer by profession that would be different to an extent, but I am digressing too far now.

      I think it’s boiling down more and more to personal preferences and me being something of an ideologue in even mundane, daily activities.

      My canonical recent example in support of my point of view is the question at .

      Excellent example, and all very true. Had I seen that I probably would have been off on a rabbit trail. I might also have merely said “Go check your config files for typos. No, do it. I said do it. DO IT RIGHT NOW AND CALL ME SIR!!!” =)

      So my answer boils down to this: if you want my help to solve your problem, don’t tie my hands.

      I think my answer boils down to this: If you want me to solve your problem, hire me. Otherwise I’ll educate you and please stop posting corporate information online no matter how small. =)


      • MadHatter

        July 24, 2012 at 1:32 am

        That’s an excellent summary, and neatly outlines our different approaches. I’m glad there’s room for both kinds of helper on SF; I’ll educate those who I think can be trained (usually those who have done a half-decent investigation already, which the presence of the dumps helps me to verify), but I’m still happy to fix those who I can fix simply and easily.

        But I do note that the final line of your approach – “please stop posting corporate information” – prevents me from helping people my way, while its presence doesn’t prevent you (though it may, as you note, dissuade you). So whilst I greatly respect your pedagogical aims, and freely acknowledge that in the long run teaching people to fish is much better than giving them sardines, sometimes people just want, and need, a quick snack. If the entry price for fishing lessons is that people disqualify themselves from snacks, some people may end up disappointed.


        • MadHatter

          July 24, 2012 at 1:36 am

          Oh, and I should have added that you owe a new keyboard for the “go check your config file for typos… I said do it… and call me Sir!” line. Somehow the old one just filled up with tea.


  6. Nick Danger

    July 23, 2012 at 7:46 am

    I post on websites all the time, using forums and other places for help. LUG mailing lists are always good. I do try to ‘scrub’ the questions/data for any really incriminating evidence but anyone slightly familiar with me/the industry can figure out who I work for at the moment. If any of my coworkers ever read the threads they can probably tell what systems in house I am having issues with :-) I only sort of agree with you. Scrub the pws, scrub any ‘incriminating evidence’ and don’t let your boss know you just called him a jerk on a public forum. And really, if you have to post your full config on a forum, you are probably asking in the wrong place.


    • Wesley David

      July 23, 2012 at 2:08 pm

      Yeah, in most cases it’s relatively easy to find out who a person works for. I find that as a consultant, it’s a matter of image and not putting any ties to your client out in the public. That way they’re not ever surprised later on if they find their name tied to some questions about a job they hired you to do. Then again, I felt the same way when I worked in an IT department. Maybe I’m just weird. That’s a very real possibility…

