Re: application for an employment

[Raoul Armfield <armfield () amnh org>]

Kurt Reimer wrote:
>     It's a sad thing that the overwhelming majority of respondents to 
> this question advise Matthias against informing his prospective employer 
> of the security problems he's observed in his employer's network. As a 
> practical matter I guess they are correct. He's more likely to be shown 
> the door (if not actually prosecuted) than to be admired for his 
> technical skill and initiative, should he reveal his discoveries.
>
>     But the fact that this is true does not in any way make it right, 
> and it makes me sad and angry that these attitudes and policies, born of 
> ignorance and paranoia, are now becoming codified as standards of ethics 
> and professionalism.
>
> > I echo the sentiments of most
> > respondents in that it's not information that's relevant to your 
> > application for employment
>
>     It is OF COURSE RELEVANT to his application for employment as a 
> Systems Administrator. This is part of what a competent and responsible 
> System Administrator should be concerned with, and should be technically 
> competent to do. The fact that these conditions exist at his prospective 
> employer make it even more relevant.
>
> > nor is it representative of the ideal ethical standards by which 
> > you're no doubt holding yourself.
>     Matthias' actions are just about as unethical as mine would be if I 
> were walking by by neighbor's house at night, saw that his front door 
> was swinging open, and called him up or knocked on his door and woke him 
> up to tell him about it. Sure, I saw his door flapping around open just 
> the same way a thief might have seen his door flapping around in the 
> breeze. It is after all the same door open the same way. What a sick 
> world it would be if, after seeing that open door, I had to worry about 
> being
> accused of eavesdropping or some other such garbage to the point that I 
> might decide to just look down at the ground and keep on walking!!

I disagree with certain aspects of this reasoning.  While it is the 
sysadmins responsibilities to keep the systems secure, Matthias does not 
have the permission of the University to poke around to do a Security 
evaluation and/or audit.  While I understand your analogy to the open 
door, what he is suggesting is analogous to walking into the house and 
checking if the interior room doors are open and trying the handle on 
the safe.  We all agree that that is unacceptable.

By your reasoning anyone would have the right to run scans of anyone 
else's network but we all know that most, if not all, AUP's ban this 
activity.



--
Raoul Armfield
rarmfield at amnh dot org

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------