Educause Security Discussion mailing list archives

Re: FYI: Another round of spear Phishing (ethics)


From: Sheri J Thompson <sthomp8 () LSU EDU>
Date: Thu, 19 Jun 2008 11:13:36 -0500

I strongly advise against what I would deem an unethical practice.
Furthermore, if your students send private information through unsecure
email at your institution's behest, would that not be a potentially
embarrassing and reportable data breach? 




   
   Sheri J. Thompson
   IT Planning & Communications Officer
   LSU Information Technology Services
   Baton Rouge, Louisiana 70803
   tel 225.578.5739
   fax 225.578.7710
   e-mail sjt () lsu edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Thursday, June 19, 2008 10:59 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FYI: Another round of spear Phishing (ethics)

Dean,

scam.  I am curious to hear what others think of using "deception" to
educate.

 Discussion about people being fooled is one way to express ethical
concerns. One could also look at abuse of power/entrapment/etc, in terms
of using your insider knowledge to target and exploit users. While the
intent is good (exploit users in order to educate them), one could have
a debate about the relationship of means and ends. 

 There is plenty of room for debate on ethical issues. Personally, I
believe that the means must coincide with the desired ends, and that
using methods that you seek to prevent is a misalignment of objectives.
Specifically, while using methods to test/identify vulnerabilities is
acceptable, in this case, we already know the vulnerability. Thus, I
think a somewhat fair analogy/moral equivalent is hacking into someone's
server in order to tell them their server is vulnerable and should be
fixed. 

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
