Re: application for an employment

[Kurt Reimer <greimer () fccc edu>]

Hello All,
     The list of addressees atop these messages seems to be getting
bigger and bigger, so I'm confining my reply to just the mailing list.

     The course of this thread illustrates that the use of analogies
can't reliably prove a proposition to be right or wrong, but they can
serve to illustrate different aspects of and viewpoints towards a new
and interesting situation. Then we can call them good or bad analogies,
but I think that says more about our pre-existing opinions about the
situation than it does about anything else.

     Having said that, as I read the continuing replies to this
thread I can't help but feel that I was being way too optimistic when I
wrote before of my upset with attitudes towards Electronic Security born 
of fear and paranoia that were BECOMING codified into professional, 
ethical, and even legal standards. It seems like I'm much too late! Not 
only are the standards set, but we're already trying and convicting based 
upon them.

     I take Mathias' description of his situation to be true and not 
intentionally misleading. And the plain fact is that he had no ill 
intentions toward his prospective employer or anyone else, and everything 
that he did was motivated by mothing other than an eager desire to impress 
and please the organization that he hopes will hire him.

     When I read that his behavior is suspect under "the Ethics clauses in 
any of the IT Security Professional's organizations" or that "we all know 
that most, if not all, AUP's (Acceptable Use Policies?) ban this activity" 
then, well, I don't reject that out of hand, but when I see them make a 
pariah (if not an actual criminal) out of an innocent job applicant I have 
to wonder if they are fair and reasonable policies. Certainly they are 
advantageous for and serve the interests of large organizations (and the 
Security Professionals who are employed by them). It's not clear to me 
that they are as advantageous or even fair towards the individual user of 
the Internet or towards the rest of society in general.

     The Internet is something new under the sun, and the mores of 
Internet Society are even newer. For that reason alone I'd feel sort of 
presumptuous in making up some rules and then condemning people according 
to them. Maybe the rules need to be in flux for awhile longer. Certainly 
when you consider how tiny a portion of the present Internet Community has 
forged these rules, and how much more of humanity will be accessing the 
Internet for the first time in the coming years and decades, doesn't 
somebody besides me see a little pomposity going on here?

     And try as I might, I just can't within my mind equate running a port 
scan with walking onto somebody's property and trying their door and 
window locks. Maybe because it is so easy to do, as easy as typing a URL 
in your browser and looking at the output, just like turning your eyes in 
a particular direction. Maybe it's because everyone on the Internet has 
chosen to make themselves available to everyone else on a shared and 
commonly-paid-for public medium, and the Internet as a whole is much more 
like a great big village public square than it is like people's private 
property. Maybe it's because just about every personal datum  that I 
generate on the Internet, every purchase I make, every website I visit, 
every email I send, is for available for use or sale by someone (if we 
include the government) to all sorts of other people with no percentage 
returned to me, thank you very much.

     When all our AUP's and Ethical Standards take no pains to make any 
explicit distinction between someone who runs a port scan and some who 
runs a port scan and then exploits a discovered vulnerability, I'd say 
that those policies are kind of biased. Maybe a healthier attitude would 
be to regard a large organization with an insecure Internet presence 
rather like the way we would regard an individual walking down the street 
with no pants on?

     And here's an observation that's got to be from some strange and 
bizarre alternate universe where individuals and deep-pocketed 
corporations with large legal teams are treated equally in the Electronic 
Village: Mathias did not randomly choose an organization upon which to 
run his nefarious portscans. The university that he scanned was SOLICITING 
APPLICATIONS FOR EMPLOYMENT. (Now remember, this is the bizarre alternate 
universe, where we do not automatically kowtow in abject gratitude, 
kissing the feet (and whatever other anatomy is shoved in our faces) of 
those who would grace us with the privlege of toiling for them. In this 
bizarre alternate universe the flesh-and-blood citizen dares to consider 
whether or not the *EMPLOYER* is *WORTHY* (gasp) of HIM!). To quote 
another participant in this thread: "It has been my personal experience, 
having audited a University for license compliance alone, that internal 
politics often prevents best practices from being implemented,..".

     Maybe, just maybe, Mathias has a RIGHT to an informed decision about 
whether or not he wants to tie his fortunes, his career, his professional 
development, and the next several years of his life (at least) to this 
particular organization. Maybe he has a right to know if he's walking into 
some political morass, and maybe he has a right to data that will help him 
make that determination.

     Or maybe he doesn't. But it's certainly true that the University has 
the right to examine below the surface of lots of information that Mathias 
will offer. And if they don't have the right, well then they'll just offer 
you a paper to sign giving them the right to examine your police record, 
credit history, your urine,  and lord knows what else, and of course you 
don't HAVE to sign it, and thanks for your time there's plenty of other 
applicants for the job.

     In this country the corporate citizen with limited liability was 
invented during the 19th century. It took several decades before society 
would admit to itself that they'd created an entity which could work poor
people literally to death, and that maybe some regulatory statutes were a 
good idea.

     My sense is that the evolving mores, ethics, and coming along behind 
them the laws, in the Electronic Village (and there is only one) are so 
far much better for the big folks than the little guys.

PS - I wrote most of this in the evenings.

Yours,

Kurt Reimer

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------