Re: Ethics Question

From: Paul Ledin (paul_ledin_at_yahoo.com)
Date: 08/22/03

    Date: Fri, 22 Aug 2003 07:52:28 -0700 (PDT)
    To: security-basics@securityfocus.com
    
    

    i can't really see any argument for u to get
    involved. if your old boss/company is too dumb, lazy,
    etc. to perform their duties then from an economic
    perspective leaving the hole there is arguably the
    best thing to do.

    becoz eventually someone finds and exploits it,
    company Y says why are we paying these bozos @ company
    X who are obviously incapable of performing the job for
    which they're paid and they ax company X and tell their
    friends @ companies a, b, and c. eventually company X
    goes tits up and a competent and more efficient
    company takes their place so over the long term even
    company Y (assuming they survive as well) is better off
    for the intrusion and your lack of action. on the
    other hand if u inform company Y and they go to
    company X and say what's the story, then company X
    gets a free (or at least much less damaging) heads
    up and says oh ya we were just about to fix that. and
    they fix it while leaving 10 other holes that they
    haven't got around to/don't know about. meanwhile
    company Y will be much more hesitant to badmouth
    company X to their friends becoz they were assured by
    X that it will never happen again and since they
    didn't suffer damages they won't be nearly as incensed
    and possibly fearful of a slander/defamation suit.

    it's like if i see u about to walk into the path of
    oncoming traffic, most people would agree that there
    is a level of ethical/moral responsibility to warn u of
    your impending demise. but if after i warn u, u say
    ya ya and step out into traffic anyway i'm under no
    obligation moral or otherwise to dive into traffic to
    save u. and in fact @ that point in time your actions
    are probably doing the gene pool a favor.

    --- Mike Taylor <mtaylor@ablenology.com> wrote:
    > Hello all
    >
    > Question I have is do I tell a company that I did
    > work for that a system
    > they have is not secure. Background I worked for
    > Company X(left them because
    > I could not get paid regularly) they have a contract
    > to support and keep
    > secure Company Y. I noticed on an audit that the
    > machine that is used for
    > finances is VERY insecure. It is a terminal server
    > machine that is set up so
    > that 2 people can get to it from the outside. When
    > you remote to this
    > machine it bypasses login and gives you a blank
    > desktop with the finance
    > package login. To bypass all you have to do is send
    > a ctrl-***-esc get the
    > task manager and file run -explorer and you have a
    > machine that can browse
    > the whole network.
    >
    > I had brought this to my then boss's attention he
    > said don't mention it we
    > will fix it later. The hole is still there.
    >
    > What would you do?
    >
    > Thanks,
    >
    > Mike

    =====
    I can't die until the government finds a safe place to bury my liver.
                    -- Phil Harris
