RE: application for an employment



I have routinely approved requests from employees who want to
try something like this. They become (a) someone I may be able
to call upon in an emergency (because they know about this stuff),
and (b) someone I can reasonably expect to trust (because they
asked first).
I've occasionally had to ask them to limit the scope or schedule
of their activities to avoid negative impact on real business
processes.

I have gotten employees reprimanded (but not *yet* fired) for
running scans etc *without* asking first for permission. Non-
employees tend to just get banned from the network.

David Gillett


-----Original Message-----
From: Craig Wright [mailto:cwright@xxxxxxxxxxxxx]
Sent: Friday, March 24, 2006 1:34 PM
To: Kurt.Reimer@xxxxxxxx; security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: application for an employment





Hello,

You are correct in that analogy or anecdote may never act as
proof. Proof should be determined using scientifically
verifiable means.

Where you state, "trying and convicting based upon them" is
not so correct. The newly codified laws in computer crime etc
just reflect "criminal damage" as it existed previously.

Damage and trespass are nothing new. It comes to property
rights, which have been defined in common law since the
1200's (since 1066 actually).

Mathias was applying for a role of system admin. This does
not mean that he should be scanning. In fact, this is a role
for other departments - i.e. audit. Segregation of duties. I
would sack a system admin who took scanning on to him/herself
without blinking twice.

Regards

Craig



-----Original Message-----
From: Kurt Reimer [mailto:greimer@xxxxxxxx]
Sent: Fri 24/03/2006 11:48 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Cc:
Subject: Re: application for an employment




Hello All,
The list of addressees atop these messages seems to be getting bigger and bigger, so I'm confining my reply to just the mailing list.

The course of this thread illustrates that the use of analogies can't reliably prove a proposition to be right or wrong, but they can serve to illustrate different aspects of and viewpoints towards a new and interesting situation. Then we can call them good or bad analogies, but I think that says more about our pre-existing opinions about the situation than it does about anything else.

Having said that, as I read the continuing replies to this thread I can't help but feel that I was being way too optimistic when I wrote before of my upset with attitudes towards Electronic Security born of fear and paranoia that were BECOMING codified into professional, ethical, and even legal standards. It seems like I'm much too late! Not only are the standards set, but we're already trying and convicting based upon them.

I take Mathias' description of his situation to be true and not intentionally misleading. And the plain fact is that he had no ill intentions toward his prospective employer or anyone else, and everything that he did was motivated by nothing other than an eager desire to impress and please the organization that he hopes will hire him.

When I read that his behavior is suspect under "the Ethics clauses in any of the IT Security Professional's organizations" or that "we all know that most, if not all, AUP's (Acceptable Use Policies?) ban this activity" then, well, I don't reject that out of hand, but when I see them make a pariah (if not an actual criminal) out of an innocent job applicant I have to wonder if they are fair and reasonable policies. Certainly they are advantageous for and serve the interests of large organizations (and the Security Professionals who are employed by them). It's not clear to me that they are as advantageous or even fair towards the individual user of the Internet or towards the rest of society in general.

The Internet is something new under the sun, and the mores of Internet Society are even newer. For that reason alone I'd feel sort of presumptuous in making up some rules and then condemning people according to them. Maybe the rules need to be in flux for a while longer. Certainly when you consider how tiny a portion of the present Internet Community has forged these rules, and how much more of humanity will be accessing the Internet for the first time in the coming years and decades, doesn't somebody besides me see a little pomposity going on here?

And try as I might, I just can't within my mind equate running a port scan with walking onto somebody's property and trying their door and window locks. Maybe because it is so easy to do, as easy as typing a URL in your browser and looking at the output, just like turning your eyes in a particular direction. Maybe it's because everyone on the Internet has chosen to make themselves available to everyone else on a shared and commonly-paid-for public medium, and the Internet as a whole is much more like a great big village public square than it is like people's private property. Maybe it's because just about every personal datum that I generate on the Internet, every purchase I make, every website I visit, every email I send, is available for use or sale by someone (if we include the government) to all sorts of other people with no percentage returned to me, thank you very much.

When all our AUP's and Ethical Standards take no pains to make any explicit distinction between someone who runs a port scan and someone who runs a port scan and then exploits a discovered vulnerability, I'd say that those policies are kind of biased. Maybe a healthier attitude would be to regard a large organization with an insecure Internet presence rather like the way we would regard an individual walking down the street with no pants on?

And here's an observation that's got to be from some strange and bizarre alternate universe where individuals and deep-pocketed corporations with large legal teams are treated equally in the Electronic Village: Mathias did not randomly choose an organization upon which to run his nefarious portscans. The university that he scanned was SOLICITING APPLICATIONS FOR EMPLOYMENT. (Now remember, this is the bizarre alternate universe, where we do not automatically kowtow in abject gratitude, kissing the feet (and whatever other anatomy is shoved in our faces) of those who would grace us with the privilege of toiling for them. In this bizarre alternate universe the flesh-and-blood citizen dares to consider whether or not the *EMPLOYER* is *WORTHY* (gasp) of HIM!). To quote another participant in this thread: "It has been my personal experience, having audited a University for license compliance alone, that internal politics often prevents best practices from being implemented,..".

Maybe, just maybe, Mathias has a RIGHT to an informed decision about whether or not he wants to tie his fortunes, his career, his professional development, and the next several years of his life (at least) to this particular organization. Maybe he has a right to know if he's walking into some political morass, and maybe he has a right to data that will help him make that determination.

Or maybe he doesn't. But it's certainly true that the University has the right to examine below the surface of lots of information that Mathias will offer. And if they don't have the right, well then they'll just offer you a paper to sign giving them the right to examine your police record, credit history, your urine, and lord knows what else, and of course you don't HAVE to sign it, and thanks for your time, there's plenty of other applicants for the job.

In this country the corporate citizen with limited liability was invented during the 19th century. It took several decades before society would admit to itself that they'd created an entity which could work poor people literally to death, and that maybe some regulatory statutes were a good idea.

My sense is that the evolving mores, ethics, and, coming along behind them, the laws in the Electronic Village (and there is only one) are so far much better for the big folks than the little guys.

PS - I wrote most of this in the evenings.

Yours,

Kurt Reimer


--------------------------------------------------------------
-------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled
Infosec management
education and the case study affords you unmatched
consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business
Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus

--------------------------------------------------------------
-------------









