Kurt Reimer wrote:
It's a sad thing that the overwhelming majority of respondents to
this question advise Matthias against informing his prospective employer
of the security problems he's observed in his employer's network. As a
practical matter I guess they are correct. He's more likely to be shown
the door (if not actually prosecuted) than to be admired for his
technical skill and initiative, should he reveal his discoveries.
But the fact that this is true does not in any way make it right,
and it makes me sad and angry that these attitudes and policies, born of
ignorance and paranoia, are now becoming codified as standards of ethics
and professionalism.
I echo the sentiments of most
respondents in that it's not information that's relevant to your
application for employment
It is OF COURSE RELEVANT to his application for employment as a
Systems Administrator. This is part of what a competent and responsible
System Administrator should be concerned with, and should be technically
competent to do. The fact that these conditions exist at his prospective
employer make it even more relevant.
nor is it representative of the ideal ethical standards by which
you're no doubt holding yourself.
Matthias' actions are just about as unethical as mine would be if I
were walking by by neighbor's house at night, saw that his front door
was swinging open, and called him up or knocked on his door and woke him
up to tell him about it. Sure, I saw his door flapping around open just
the same way a thief might have seen his door flapping around in the
breeze. It is after all the same door open the same way. What a sick
world it would be if, after seeing that open door, I had to worry about
being
accused of eavesdropping or some other such garbage to the point that I
might decide to just look down at the ground and keep on walking!!
I disagree with certain aspects of this reasoning. While it is the
sysadmins responsibilities to keep the systems secure, Matthias does not
have the permission of the University to poke around to do a Security
evaluation and/or audit. While I understand your analogy to the open
door, what he is suggesting is analogous to walking into the house and
checking if the interior room doors are open and trying the handle on
the safe. We all agree that that is unacceptable.
By your reasoning anyone would have the right to run scans of anyone
else's network but we all know that most, if not all, AUP's ban this
activity.
--
Raoul Armfield
rarmfield at amnh dot org
---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
