Security Basics mailing list archives

Re: application for an employment
From: Raoul Armfield <armfield () amnh org>
Date: Thu, 23 Mar 2006 10:59:00 -0500

Kurt Reimer wrote:

It's a sad thing that the overwhelming majority of respondents to this question advise Matthias against informing his prospective employer of the security problems he's observed in his employer's network. As a practical matter I guess they are correct. He's more likely to be shown the door (if not actually prosecuted) than to be admired for his technical skill and initiative, should he reveal his discoveries.

But the fact that this is true does not in any way make it right, and it makes me sad and angry that these attitudes and policies, born of ignorance and paranoia, are now becoming codified as standards of ethics and professionalism.

I echo the sentiments of most respondents in that it's not information that's relevant to your application for employment

It is OF COURSE RELEVANT to his application for employment as a Systems Administrator. This is part of what a competent and responsible System Administrator should be concerned with, and should be technically competent to do. The fact that these conditions exist at his prospective employer makes it even more relevant.

nor is it representative of the ideal ethical standards by which you're no doubt holding yourself.

Matthias' actions are just about as unethical as mine would be if I were walking by my neighbor's house at night, saw that his front door was swinging open, and called him up or knocked on his door and woke him up to tell him about it. Sure, I saw his door flapping around open just the same way a thief might have seen his door flapping around in the breeze. It is after all the same door open the same way. What a sick world it would be if, after seeing that open door, I had to worry about being accused of eavesdropping or some other such garbage to the point that I might decide to just look down at the ground and keep on walking!!

I disagree with certain aspects of this reasoning. While it is the sysadmin's responsibility to keep the systems secure, Matthias does not have the permission of the University to poke around to do a security evaluation and/or audit. While I understand your analogy to the open door, what he is suggesting is analogous to walking into the house and checking if the interior room doors are open and trying the handle on the safe. We all agree that that is unacceptable.

By your reasoning anyone would have the right to run scans of anyone else's network, but we all know that most, if not all, AUPs ban this activity.

Raoul Armfield
rarmfield at amnh dot org

