Security Basics mailing list archives

Re: application for an employment
From: Don Bailey <don.bailey () gmail com>
Date: Wed, 22 Mar 2006 13:36:27 -0700

> It's a sad thing that the overwhelming majority of respondents to this question advise Matthias against informing his prospective employer of the security problems he's observed in his employer's network. As a practical matter I guess they are correct. He's more likely to be shown the door (if not actually prosecuted) than to be admired for his technical skill and initiative, should he reveal his discoveries.
>
> But the fact that this is true does not in any way make it right, and it makes me sad and angry that these attitudes and policies, born of ignorance and paranoia, are now becoming codified as standards of ethics and professionalism.


Let's forget about the word "ethics" for the moment, since
more often than not discussions on "ethics" are skewed
based on the character of those involved in the discussion.

Let's focus, instead, on the actual goal of a company or
university. When hiring an employee, the generic goal
of that employee is to help facilitate the survival of his
or her employer. The goal of this entity is solely survival
in order to pursue some eventual goal.

Now, when accepting an employee for placement into a
job, are you going to consider their character? Absolutely.
Their actions define how they perceive your institution.
If their actions are proving to be more directed towards
fulfilling their own selfish goals of proving skills rather
than respecting the privacy of the institution, are you going
to hire them?

To hire someone without the ability to restrain themselves
from unauthorized activity is foolish. More often than not
these are the kinds of people who will speak about their
findings to others outside the institution because they believe
the discussion is of some intellectual merit. Rather, they're
risking the institution's security by discussing information
with people who have no right to know such information.

Forget "ethics", it's all about doing what is necessary to
pursue the survival of a given institution so their long term
goals may be achieved. *That* should guide your best
practices.

Don "north" Bailey



