Home page logo
/

basics logo Security Basics mailing list archives

RE: Spam: Re: application for an employment
From: "Craig Wright" <cwright () bdosyd com au>
Date: Thu, 23 Mar 2006 07:39:17 +1100


Hello

Kurt Stated; "Matthias' actions are just about as unethical as mine would be if I were walking by neighbour's house at 
night, saw that his front door was swinging open, and called him up or knocked on his door and woke him up to tell him 
about it."

The analogy is poor at best. Matthias was not noticing issues by accident. The use of nmap is port scanning. This would 
be an equivalent to walking around buildings and testing the doors. Further the use is to gain a privilege through 
deceptive methods (read up on the Tort of Deception for the legal aspects and definition of deception).

Matthias did not accidentally see a breach. He did not ask permission. This is a trespass. He is also expecting gain 
from the action. He is NOT altruistically going to the University with no expectation just to help them (even better 
would be sending a report anonymously). He has an expectation. He has a belief in doing the action that he can 
gain/garnish benefit - i.e. a better position in the interview (i.e. more or greater consideration).

The example is not if you notice your neighbours open door - it is one of you walking around the street looking at all 
doors seeking one that is open. This includes side doors, back doors, obscured doors and even testing the windows for 
good measure.

Not ethical.

Regards
Craig

-----Original Message-----
From: Kurt Reimer [mailto:greimer () fccc edu]
Sent: 23 March 2006 1:50
To: PCSC Information Services
Cc: Matthias Güntert; security-basics () securityfocus com
Subject: Spam: Re: application for an employment


        It's a sad thing that the overwhelming majority of respondents to this question advise Matthias against 
informing his prospective employer of the security problems he's observed in his employer's network. As a practical 
matter I guess they are correct. He's more likely to be shown the door (if not actually prosecuted) than to be admired 
for his technical skill and initiative, should he reveal his discoveries.

        But the fact that this is true does not in any way make it right, and it makes me sad and angry that these 
attitudes and policies, born of ignorance and paranoia, are now becoming codified as standards of ethics and 
professionalism.

I echo the sentiments of most
respondents in that it's not information that's relevant to your
application for employment

        It is OF COURSE RELEVANT to his application for employment as a Systems Administrator. This is part of what a 
competent and responsible System Administrator should be concerned with, and should be technically competent to do. The 
fact that these conditions exist at his prospective employer make it even more relevant.

nor is it representative of the ideal ethical standards by which
you're no doubt holding yourself.

        Matthias' actions are just about as unethical as mine would be if I were walking by by neighbor's house at 
night, saw that his front door was swinging open, and called him up or knocked on his door and woke him up to tell him 
about it. Sure, I saw his door flapping around open just the same way a thief might have seen his door flapping around 
in the breeze. It is after all the same door open the same way. What a sick world it would be if, after seeing that 
open door, I had to worry about being accused of eavesdropping or some other such garbage to the point that I might 
decide to just look down at the ground and keep on walking!!

        It even more infuriating that these are the prevailing attitudes towards Electronic Security in my country, and 
yet a majority of my countrymen are quite happy to have our government spy on our email and phone conversations. And my 
government does not even do us the courtesy of telling us about it afterwards, as Matthias common-sense impulse was to 
do.

        No, the worst thing that any sensible person could accuse Matthias of is a certain political naivete, and the 
best that you could say is that his common sense and concern for his neighbors have not yet been perverted by the 
prevailing paranoias.

        But don't call him unethical. That's an insult to ethics. Maybe it's unethical of me to spend half an hour 
writing this reply at work, but he's NOT being unethical, and I wish that he and I could afford to be so naive.

Yours,

Kurt Reimer

Matthias et al,

I don't know if this is an ethical practice for a security
administrator to undertake at all, let alone in the context of
pre-employment research. I echo the sentiments of most respondents in
that it's not information that's relevant to your application for
employment nor is it representative of the ideal ethical standards by
which you're no doubt holding yourself.
It's important to discuss your skillset including the use of security
tools, and understanding of current best practices and methodologies.
How you brought these skills to bear on an already unfortunate
situation could deleteriously impact your application here. Clearly
you have some insights that the University could benefit from and
having some prior knowledge is beneficial immediately should you
become employed by them, however, disclosing the information before
your even employed by the University could raise ethical questions
that I'm sure you're not wanting to answer.

Sincerely,

Sean Swayze
PCSC Information Services

On 20-Mar-06, at 7:45 AM, Matthias Güntert wrote:

Dear listmembers,

i am seeking for a new job as a Unix/Linux systemadministrator. There
has been an advertisement at a well known university. So I started to
prepare my self for the application. While collecting some
information about the network, using nmap, dig, etc... I was able to
read the whole namespace from the ip range (255.255.0.0)

My question is should I use some of the information I have found out
to push my application forward? What do you think how a director
would react?

--
Mit freundlichen Grüßen

               Matthias Güntert


----------------------------------------------------------------------
----- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The
Norwich University program offers unparalleled Infosec
managementeducation and the case study affords you unmatched
consulting experience.Tailor your education to your own professional
goals with degreecustomizations including Emergency Management,
Business Continuity Planning,Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------
-----

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply 
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. 

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
  • RE: Spam: Re: application for an employment Craig Wright (Mar 24)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault