
| Subject: | Re: application for an employment |
|---|---|
| Date: | Wed, 22 Mar 2006 13:36:27 -0700 |
It's a sad thing that the overwhelming majority of respondents to this question advise Matthias against informing his prospective employer of the security problems he's observed in his employer's network. As a practical matter I guess they are correct. He's more likely to be shown the door (if not actually prosecuted) than to be admired for his technical skill and initiative, should he reveal his discoveries.
But the fact that this is true does not in any way make it right, and it makes me sad and angry that these attitudes and policies, born of ignorance and paranoia, are now becoming codified as standards of ethics and professionalism.
Let's forget about the word "ethics" for the moment, since more often than not discussions on "ethics" are skewed based on the character of those involved in the discussion.
Let's focus, instead, on the actual goal of a company or university. When hiring an employee, the generic goal of that employee is to help facilitate the survival of his or her employer. The goal of this entity is solely survival in order to pursue some eventual goal.
Now, when accepting an employee for placement into a job, are you going to consider their character? Absolutely. Their actions define how they perceive your institution. If their actions are proving to be more directed towards fulfilling their own selfish goals of proving skills rather than respecting the privacy of the institution, are you going to hire them?
To hire someone without the ability to constrain themselves against unauthorized activity is foolish. More often than not these are the kinds of people that will speak about their findings to others outside the institution because they believe the discussion is of some intellectual merit. Rather, they're risking the institution's security by discussing information with people that have no right to know such information.
Forget "ethics", it's all about doing what is necessary to pursue the survival of a given institution so their long term goals may be achieved. *That* should guide your best practices.
Don "north" Bailey
http://www.msia.norwich.edu/secfocus