Home page logo

basics logo Security Basics mailing list archives

RE: application for an employment
From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 27 Mar 2006 12:32:29 -0800

  I have routinely approved requests from employees who want to
try something like this.  They become (a) someone I may be able
to call upon in an emergency (because they know about this stuff),
and (b) someone I can reasonably expect to trust (because they
asked first).
  I've occasionally had to ask them to limit the scope or schedule
of their activities to avoid negative impact on real business 

  I have gotten employees reprimanded (but not *yet* fired) for
running scans etc *without* asking first for permission.  Non-
employees tend to just get banned from the network.

David Gillett

-----Original Message-----
From: Craig Wright [mailto:cwright () bdosyd com au] 
Sent: Friday, March 24, 2006 1:34 PM
To: Kurt.Reimer () fccc edu; security-basics () securityfocus com
Subject: RE: application for an employment



You are correct in that analogy or anecdote may never act as 
proof. Proof should be determined using scientifically 
verifiable means.

Where you state, "trying and convicting based upon them" is 
not so correct. The newly codified laws in computer crime etc 
just reflect "criminal damage" as it existed previously. 

Damage and trespass are nothing new. It comes to property 
rights, which have been defined in common law since the 
1200's (since 1066 actually).

Mathias was applying for a role of system admin. This does 
not mean that he should be scanning. In fact, this is a role 
for other departments - i.e. audit. Segregation of duties. I 
would sack a system admin who took scanning on to him/herself 
without blinking twice.




      -----Original Message----- 
      From: Kurt Reimer [mailto:greimer () fccc edu] 
      Sent: Fri 24/03/2006 11:48 AM 
      To: security-basics () securityfocus com 
      Subject: Re: application for an employment

      Hello All,
            The list of addressees atop these messages seems 
to be getting
      bigger and bigger, so I'm confining my reply to just 
the mailing list.
            The course of this thread illustrates that the 
use of analogies
      can't reliably prove a proposition to be right or 
wrong, but they can
      serve to illustrate different aspects of and viewpoints 
towards a new
      and interesting situation. Then we can call them good 
or bad analogies,
      but I think that says more about our pre-existing 
opinions about the
      situation than it does about anything else.
            Having said that, as I read the continuing replies to this
      thread I can't help but feel that I was being way too 
optimistic when I
      wrote before of my upset with attitudes towards 
Electronic Security born
      of fear and paranoia that were BECOMING codified into 
      ethical, and even legal standards. It seems like I'm 
much too late! Not
      only are the standards set, but we're already trying 
and convicting based
      upon them.
            I take Mathias' description of his situation to 
be true and not
      intentionally misleading. And the plain fact is that he 
had no ill
      intentions toward his prospective employer or anyone 
else, and everything
      that he did was motivated by mothing other than an 
eager desire to impress
      and please the organization that he hopes will hire him.
            When I read that his behavior is suspect under 
"the Ethics clauses in
      any of the IT Security Professional's organizations" or 
that "we all know
      that most, if not all, AUP's (Acceptable Use Policies?) 
ban this activity"
      then, well, I don't reject that out of hand, but when I 
see them make a
      pariah (if not an actual criminal) out of an innocent 
job applicant I have
      to wonder if they are fair and reasonable policies. 
Certainly they are
      advantageous for and serve the interests of large 
organizations (and the
      Security Professionals who are employed by them). It's 
not clear to me
      that they are as advantageous or even fair towards the 
individual user of
      the Internet or towards the rest of society in general.
            The Internet is something new under the sun, and 
the mores of
      Internet Society are even newer. For that reason alone 
I'd feel sort of
      presumptuous in making up some rules and then 
condemning people according
      to them. Maybe the rules need to be in flux for awhile 
longer. Certainly
      when you consider how tiny a portion of the present 
Internet Community has
      forged these rules, and how much more of humanity will 
be accessing the
      Internet for the first time in the coming years and 
decades, doesn't
      somebody besides me see a little pomposity going on here?
            And try as I might, I just can't within my mind 
equate running a port
      scan with walking onto somebody's property and trying 
their door and
      window locks. Maybe because it is so easy to do, as 
easy as typing a URL
      in your browser and looking at the output, just like 
turning your eyes in
      a particular direction. Maybe it's because everyone on 
the Internet has
      chosen to make themselves available to everyone else on 
a shared and
      commonly-paid-for public medium, and the Internet as a 
whole is much more
      like a great big village public square than it is like 
people's private
      property. Maybe it's because just about every personal 
datum  that I
      generate on the Internet, every purchase I make, every 
website I visit,
      every email I send, is for available for use or sale by 
someone (if we
      include the government) to all sorts of other people 
with no percentage
      returned to me, thank you very much.
            When all our AUP's and Ethical Standards take no 
pains to make any
      explicit distinction between someone who runs a port 
scan and some who
      runs a port scan and then exploits a discovered 
vulnerability, I'd say
      that those policies are kind of biased. Maybe a 
healthier attitude would
      be to regard a large organization with an insecure 
Internet presence
      rather like the way we would regard an individual 
walking down the street
      with no pants on?
            And here's an observation that's got to be from 
some strange and
      bizarre alternate universe where individuals and deep-pocketed
      corporations with large legal teams are treated equally 
in the Electronic
      Village: Mathias did not randomly choose an 
organization upon which to
      run his nefarious portscans. The university that he 
scanned was SOLICITING
      APPLICATIONS FOR EMPLOYMENT. (Now remember, this is the 
bizarre alternate
      universe, where we do not automatically kowtow in 
abject gratitude,
      kissing the feet (and whatever other anatomy is shoved 
in our faces) of
      those who would grace us with the privlege of toiling 
for them. In this
      bizarre alternate universe the flesh-and-blood citizen 
dares to consider
      whether or not the *EMPLOYER* is *WORTHY* (gasp) of 
HIM!). To quote
      another participant in this thread: "It has been my 
personal experience,
      having audited a University for license compliance 
alone, that internal
      politics often prevents best practices from being 
            Maybe, just maybe, Mathias has a RIGHT to an 
informed decision about
      whether or not he wants to tie his fortunes, his 
career, his professional
      development, and the next several years of his life (at 
least) to this
      particular organization. Maybe he has a right to know 
if he's walking into
      some political morass, and maybe he has a right to data 
that will help him
      make that determination.
            Or maybe he doesn't. But it's certainly true that 
the University has
      the right to examine below the surface of lots of 
information that Mathias
      will offer. And if they don't have the right, well then 
they'll just offer
      you a paper to sign giving them the right to examine 
your police record,
      credit history, your urine,  and lord knows what else, 
and of course you
      don't HAVE to sign it, and thanks for your time there's 
plenty of other
      applicants for the job.
            In this country the corporate citizen with 
limited liability was
      invented during the 19th century. It took several 
decades before society
      would admit to itself that they'd created an entity 
which could work poor
      people literally to death, and that maybe some 
regulatory statutes were a
      good idea.
            My sense is that the evolving mores, ethics, and 
coming along behind
      them the laws, in the Electronic Village (and there is 
only one) are so
      far much better for the big folks than the little guys.
      PS - I wrote most of this in the evenings.
      Kurt Reimer
      The Norwich University program offers unparalleled 
Infosec management
      education and the case study affords you unmatched 
consulting experience.
      Tailor your education to your own professional goals with degree
      customizations including Emergency Management, Business 
Continuity Planning,
      Computer Emergency Response Teams, and Digital Investigations.

Liability limited by a scheme approved under Professional 
Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such 
legislation exists.

The information contained in this email and any attachments 
is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have 
received this email in error, please inform us promptly by 
reply email or by telephoning +61 2 9286 5555. Please delete 
the email and destroy any printed copy.  

Any views expressed in this message are those of the 
individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO 
or it is subsequently confirmed by letter or fax signed by a 
Partner of BDO.

BDO accepts no liability for any damage caused by this email 
or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.

The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]