Re: application for an employment

[PCSC Information Services <info () pcsage biz>]

Good Morning All,

While I agree Kurt that we are in a sad state of affairs generally,  
in that good information must be withheld until the appropriate  
juncture due to liability restraints, this discussion is whether or  
not it's advisable for Matthias to include his unauthorized network  
probes as information supporting his application for employment. I  
maintain that in most legal jurisdictions probes of this nature are  
considered illegal, and unethical. For example, I am a locksmith, and  
because I understand the flaws in locking mechanisms, I go about  
probing people's locks on their houses, ahead of trying to sell them  
my new and improved lock. This situation is directly correlative to  
Matthias' probes of the University network before seeking employment  
with them.
To address your other concern about the state of affairs in the world  
with respect to these findings, it might be a good practice for ALL  
industries and service based businesses to provide 'Good Samaritan'  
protections for Security Researchers who make these probes in a safe  
way, and provide the information FOC (free of charge) with the  
greater public good as a motivation. There is a real danger in  
allowing unauthorized security probes by all parties, in that the  
computers of the researchers may very well be compromised, and thus  
defeat the original purpose of an otherwise innocent network probe  
and analysis, in that the information could quickly fall into the  
wrong hands. A 'Good Samaritan' approach protects all stakeholders  
and allows best practices to quickly be adopted and adhered to. It  
has been my personal experience, having audited a University for  
license compliance alone, that internal politics often prevents best  
practices from being implemented, and Security Administration by  
committee does little to further the bleeding edge requirements of a  
healthy network facility.
To be completely frank, if the world were a much more stable place  
perhaps we could all be able to get each other's backs a little  
better, but competitive capitalism requires this modality, in that  
there is always someone willing to capitalize on the weakness of  
others. Societal problems aside, it is intelligent for Matthias to  
withhold this information pending some 'Good Samaritan' style  
protections for researchers, because even though I agree with your  
frustration, it would present an unnecessary audit exposure to  
Matthias' own security and freedoms. Should Matthias be employed by  
the University, it would of course be his moral obligation to ensure  
that these practices are corrected in the most timely way possible.

Sincerely,

Sean Swayze
PCSC Information Services

On 22-Mar-06, at 9:50 AM, Kurt Reimer wrote:

> 	It's a sad thing that the overwhelming majority of respondents to  
> this question advise Matthias against informing his prospective  
> employer of the security problems he's observed in his employer's  
> network. As a practical matter I guess they are correct. He's more  
> likely to be shown the door (if not actually prosecuted) than to be  
> admired for his technical skill and initiative, should he reveal  
> his discoveries.
>
> 	But the fact that this is true does not in any way make it right,  
> and it makes me sad and angry that these attitudes and policies,  
> born of ignorance and paranoia, are now becoming codified as  
> standards of ethics and professionalism.
>
> > I echo the sentiments of most
> > respondents in that it's not information that's relevant to your  
> > application for employment
>
> 	It is OF COURSE RELEVANT to his application for employment as a  
> Systems Administrator. This is part of what a competent and  
> responsible System Administrator should be concerned with, and  
> should be technically competent to do. The fact that these  
> conditions exist at his prospective employer make it even more  
> relevant.
>
> > nor is it representative of the ideal ethical standards by which  
> > you're no doubt holding yourself.
> 	Matthias' actions are just about as unethical as mine would be if  
> I were walking by by neighbor's house at night, saw that his front  
> door was swinging open, and called him up or knocked on his door  
> and woke him up to tell him about it. Sure, I saw his door flapping  
> around open just the same way a thief might have seen his door  
> flapping around in the breeze. It is after all the same door open  
> the same way. What a sick world it would be if, after seeing that  
> open door, I had to worry about being
> accused of eavesdropping or some other such garbage to the point  
> that I might decide to just look down at the ground and keep on  
> walking!!
>
> 	It even more infuriating that these are the prevailing attitudes  
> towards Electronic Security in my country, and yet a majority of my  
> countrymen are quite happy to have our government spy on our email  
> and phone conversations. And my government does not even do us the  
> courtesy of telling us about it afterwards, as Matthias common- 
> sense impulse was to do.
>
> 	No, the worst thing that any sensible person could accuse Matthias  
> of is a certain political naivete, and the best that you could say  
> is that
> his common sense and concern for his neighbors have not yet been  
> perverted
> by the prevailing paranoias.
>
> 	But don't call him unethical. That's an insult to ethics. Maybe  
> it's unethical of me to spend half an hour writing this reply at  
> work, but he's NOT being unethical, and I wish that he and I could  
> afford to be so naive.
>
> Yours,
>
> Kurt Reimer
>
> > Matthias et al,
> >
> > I don't know if this is an ethical practice for a security  
> > administrator to undertake at all,
> > let alone in the context of pre-employment research. I echo the  
> > sentiments of most
> > respondents in that it's not information that's relevant to your  
> > application for employment
> > nor is it representative of the ideal ethical standards by which  
> > you're no doubt holding
> > yourself.
> > It's important to discuss your skillset including the use of  
> > security tools, and
> > understanding of current best practices and methodologies. How you  
> > brought these
> > skills to bear on an already unfortunate situation could  
> > deleteriously impact your
> > application here. Clearly you have some insights that the  
> > University could benefit from
> > and having some prior knowledge is beneficial immediately should  
> > you become
> > employed by them, however, disclosing the information before your  
> > even employed by
> > the University could raise ethical questions that I'm sure you're  
> > not wanting to answer.
> >
> > Sincerely,
> >
> > Sean Swayze
> > PCSC Information Services
> >
> > On 20-Mar-06, at 7:45 AM, Matthias Güntert wrote:
> >
> > > Dear listmembers,
> > > i am seeking for a new job as a Unix/Linux systemadministrator.  
> > > There
> > > has been an advertisement at a well known university. So I  
> > > started to
> > > prepare my self for the application. While collecting some  
> > > information
> > > about the network, using nmap, dig, etc... I was able to read the  
> > > whole
> > > namespace from the ip range (255.255.0.0)
> > > My question is should I use some of the information I have found  
> > > out to
> > > push my application forward? What do you think how a director would
> > > react?
> > > --
> > > Mit freundlichen Grüßen
> > >
> > >                Matthias Güntert
> >
> >
> > --------------------------------------------------------------------- 
> > ------
> > EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> > The Norwich University program offers unparalleled Infosec  
> > managementeducation and the case study affords you unmatched  
> > consulting experience.Tailor your education to your own  
> > professional goals with degreecustomizations including Emergency  
> > Management, Business Continuity Planning,Computer Emergency  
> > Response Teams, and Digital Investigations.
> > http://www.msia.norwich.edu/secfocus
> > --------------------------------------------------------------------- 
> > ------


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------