Security Basics mailing list archives
Re: Ethics Question
From: Paul Ledin <paul_ledin () yahoo com>
Date: Fri, 22 Aug 2003 07:52:28 -0700 (PDT)
I can't really see any argument for you to get involved. If your old boss/company is too dumb, lazy, etc. to perform their duties, then from an economic perspective leaving the hole there is arguably the best thing to do. Because eventually someone finds and exploits it, company Y says "why are we paying these bozos at company X who are obviously incapable of performing the job for which they're paid", and they ax company X and tell their friends at companies A, B, and C. Eventually company X goes tits up and a competent and more efficient company takes their place, so over the long term even company Y (assuming they survive as well) is better off for the intrusion and your lack of action.

On the other hand, if you inform company Y and they go to company X and say "what's the story?", then company X gets a free (or at least much less damaging) heads up and says "oh ya, we were just about to fix that." And they fix it while leaving 10 other holes that they haven't got around to / don't know about. Meanwhile company Y will be much more hesitant to badmouth company X to their friends, because they were assured by X that it will never happen again, and since they didn't suffer damages they won't be nearly as incensed, and possibly fearful of a slander/defamation suit.

It's like if I see you about to walk into the path of oncoming traffic: most people would agree that there is a level of ethical/moral responsibility to warn you of your impending demise. But if after I warn you, you say "ya ya" and step out into traffic anyway, I'm under no obligation, moral or otherwise, to dive into traffic to save you. And in fact at that point in time your actions are probably doing the gene pool a favor.

--- Mike Taylor <mtaylor () ablenology com> wrote:
Hello all,

Question I have is: do I tell a company that I did work for that a system they have is not secure?

Background: I worked for Company X (left them because I could not get paid regularly). They have a contract to support and keep secure Company Y. I noticed on an audit that the machine that is used for finances is VERY insecure. It is a terminal server machine that is set up so that 2 people can get to it from the outside. When you remote to this machine it bypasses login and gives you a blank desktop with the finance package login. To bypass, all you have to do is send a Ctrl-Shift-Esc, get the Task Manager, and File > Run "explorer", and you have a machine that can browse the whole network. I had brought this to my then boss's attention; he said "don't mention it, we will fix it later." The hole is still there.

What would you do?

Thanks,
Mike
=====
I can't die until the government finds a safe place to bury my liver. -- Phil Harris
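The weakness Mike describes is a restricted-shell terminal server session where the session lands on the finance application but Task Manager and the Run dialog are still reachable, so the user can launch a full Explorer shell. The following PowerShell audit script is an added example for defenders, not code from the thread or from either company; it checks, for the account it runs as, whether the two user policies that close exactly that path (DisableTaskMgr and NoRun) are applied. Those registry values and paths are standard Windows policy locations; the function name and output shape are my own.

```powershell
# Added audit example (not part of the original thread).
# Run it inside the restricted terminal server session, as the kiosk/finance
# account, to see whether the Task Manager and Run-dialog escape route is
# actually blocked by policy for that account.
function Test-KioskShellPolicy {
    # Standard per-user policy locations; a value of 1 means the restriction
    # is in force for the current user.
    $checks = @(
        @{ Policy = 'DisableTaskMgr'
           Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
           Closes = 'Ctrl-Shift-Esc -> Task Manager' },
        @{ Policy = 'NoRun'
           Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
           Closes = 'File > Run -> explorer.exe' }
    )

    foreach ($c in $checks) {
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Policy `
                    -ErrorAction SilentlyContinue).($c.Policy)
        [pscustomobject]@{
            Policy  = $c.Policy
            Closes  = $c.Closes
            Applied = ($value -eq 1)
        }
    }
}

# Usage: list each policy and whether it is enforced for this account.
Test-KioskShellPolicy | Format-Table -AutoSize
```

Both rows should report `Applied = True` on a properly locked-down kiosk account; a `False` is a finding. Treat these policies as one layer only: the underlying problem in Mike's description is that the session's account can browse the whole network at all, so the durable fix is to give the finance session a least-privilege account with no network shares or rights beyond the finance package, and to require an interactive logon rather than an auto-logon desktop.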