Security Basics mailing list archives

Re: application for an employment


From: Kurt Reimer <greimer () fccc edu>
Date: Wed, 22 Mar 2006 09:50:20 -0500 (EST)


It's a sad thing that the overwhelming majority of respondents to this question advise Matthias against informing his prospective employer of the security problems he's observed in his employer's network. As a practical matter I guess they are correct. He's more likely to be shown the door (if not actually prosecuted) than to be admired for his technical skill and initiative, should he reveal his discoveries.

But the fact that this is true does not in any way make it right, and it makes me sad and angry that these attitudes and policies, born of ignorance and paranoia, are now becoming codified as standards of ethics and professionalism.

I echo the sentiments of most respondents in that it's not information that's relevant to your application for employment

It is OF COURSE RELEVANT to his application for employment as a Systems Administrator. This is part of what a competent and responsible System Administrator should be concerned with, and should be technically competent to do. The fact that these conditions exist at his prospective employer makes it even more relevant.

nor is it representative of the ideal ethical standards by which you're no doubt holding yourself.

Matthias' actions are just about as unethical as mine would be if I were walking by my neighbor's house at night, saw that his front door was swinging open, and called him up or knocked on his door and woke him up to tell him about it. Sure, I saw his door flapping around open just the same way a thief might have seen his door flapping around in the breeze. It is after all the same door open the same way. What a sick world it would be if, after seeing that open door, I had to worry about being accused of eavesdropping or some other such garbage to the point that I might decide to just look down at the ground and keep on walking!!

It is even more infuriating that these are the prevailing attitudes towards Electronic Security in my country, and yet a majority of my countrymen are quite happy to have our government spy on our email and phone conversations. And my government does not even do us the courtesy of telling us about it afterwards, as Matthias' common-sense impulse was to do.

No, the worst thing that any sensible person could accuse Matthias of is a certain political naivete, and the best that you could say is that his common sense and concern for his neighbors have not yet been perverted by the prevailing paranoias.

But don't call him unethical. That's an insult to ethics. Maybe it's unethical of me to spend half an hour writing this reply at work, but he's NOT being unethical, and I wish that he and I could afford to be so naive.

Yours,

Kurt Reimer

Matthias et al,

I don't know if this is an ethical practice for a security administrator to undertake at all, let alone in the context of pre-employment research. I echo the sentiments of most respondents in that it's not information that's relevant to your application for employment nor is it representative of the ideal ethical standards by which you're no doubt holding yourself.
It's important to discuss your skillset including the use of security tools, and understanding of current best practices and methodologies. How you brought these skills to bear on an already unfortunate situation could deleteriously impact your application here. Clearly you have some insights that the University could benefit from and having some prior knowledge is beneficial immediately should you become employed by them, however, disclosing the information before you're even employed by the University could raise ethical questions that I'm sure you're not wanting to answer.

Sincerely,

Sean Swayze
PCSC Information Services

On 20-Mar-06, at 7:45 AM, Matthias Güntert wrote:

Dear listmembers,

I am seeking a new job as a Unix/Linux system administrator. There
has been an advertisement at a well known university. So I started to
prepare myself for the application. While collecting some information
about the network, using nmap, dig, etc... I was able to read the whole
namespace from the ip range (255.255.0.0)

My question is should I use some of the information I have found out to
push my application forward? How do you think a director would
react?

--
With kind regards

               Matthias Güntert

