RE: application for an employment

["David Gillett" <gillettdavid () fhda edu>]

  I have routinely approved requests from employees who want to
try something like this.  They become (a) someone I may be able
to call upon in an emergency (because they know about this stuff),
and (b) someone I can reasonably expect to trust (because they
asked first).
  I've occasionally had to ask them to limit the scope or schedule
of their activities to avoid negative impact on real business 
processes.

  I have gotten employees reprimanded (but not *yet* fired) for
running scans etc *without* asking first for permission.  Non-
employees tend to just get banned from the network.

David Gillett


> -----Original Message-----
> From: Craig Wright [mailto:cwright () bdosyd com au] 
> Sent: Friday, March 24, 2006 1:34 PM
> To: Kurt.Reimer () fccc edu; security-basics () securityfocus com
> Subject: RE: application for an employment
>
>
>  
>  
>
> Hello,
>
> You are correct in that analogy or anecdote may never act as 
> proof. Proof should be determined using scientifically 
> verifiable means.
>
> Where you state, "trying and convicting based upon them" is 
> not so correct. The newly codified laws in computer crime etc 
> just reflect "criminal damage" as it existed previously. 
>
> Damage and trespass are nothing new. It comes to property 
> rights, which have been defined in common law since the 
> 1200's (since 1066 actually).
>
> Mathias was applying for a role of system admin. This does 
> not mean that he should be scanning. In fact, this is a role 
> for other departments - i.e. audit. Segregation of duties. I 
> would sack a system admin who took scanning on to him/herself 
> without blinking twice.
>
> Regards
>
> Craig
>
>  
>
>       -----Original Message----- 
>       From: Kurt Reimer [mailto:greimer () fccc edu] 
>       Sent: Fri 24/03/2006 11:48 AM 
>       To: security-basics () securityfocus com 
>       Cc: 
>       Subject: Re: application for an employment
>       
>       
>
>
>       Hello All,
>             The list of addressees atop these messages seems 
> to be getting
>       bigger and bigger, so I'm confining my reply to just 
> the mailing list.
>       
>             The course of this thread illustrates that the 
> use of analogies
>       can't reliably prove a proposition to be right or 
> wrong, but they can
>       serve to illustrate different aspects of and viewpoints 
> towards a new
>       and interesting situation. Then we can call them good 
> or bad analogies,
>       but I think that says more about our pre-existing 
> opinions about the
>       situation than it does about anything else.
>       
>             Having said that, as I read the continuing replies to this
>       thread I can't help but feel that I was being way too 
> optimistic when I
>       wrote before of my upset with attitudes towards 
> Electronic Security born
>       of fear and paranoia that were BECOMING codified into 
> professional,
>       ethical, and even legal standards. It seems like I'm 
> much too late! Not
>       only are the standards set, but we're already trying 
> and convicting based
>       upon them.
>       
>             I take Mathias' description of his situation to 
> be true and not
>       intentionally misleading. And the plain fact is that he 
> had no ill
>       intentions toward his prospective employer or anyone 
> else, and everything
>       that he did was motivated by mothing other than an 
> eager desire to impress
>       and please the organization that he hopes will hire him.
>       
>             When I read that his behavior is suspect under 
> "the Ethics clauses in
>       any of the IT Security Professional's organizations" or 
> that "we all know
>       that most, if not all, AUP's (Acceptable Use Policies?) 
> ban this activity"
>       then, well, I don't reject that out of hand, but when I 
> see them make a
>       pariah (if not an actual criminal) out of an innocent 
> job applicant I have
>       to wonder if they are fair and reasonable policies. 
> Certainly they are
>       advantageous for and serve the interests of large 
> organizations (and the
>       Security Professionals who are employed by them). It's 
> not clear to me
>       that they are as advantageous or even fair towards the 
> individual user of
>       the Internet or towards the rest of society in general.
>       
>             The Internet is something new under the sun, and 
> the mores of
>       Internet Society are even newer. For that reason alone 
> I'd feel sort of
>       presumptuous in making up some rules and then 
> condemning people according
>       to them. Maybe the rules need to be in flux for awhile 
> longer. Certainly
>       when you consider how tiny a portion of the present 
> Internet Community has
>       forged these rules, and how much more of humanity will 
> be accessing the
>       Internet for the first time in the coming years and 
> decades, doesn't
>       somebody besides me see a little pomposity going on here?
>       
>             And try as I might, I just can't within my mind 
> equate running a port
>       scan with walking onto somebody's property and trying 
> their door and
>       window locks. Maybe because it is so easy to do, as 
> easy as typing a URL
>       in your browser and looking at the output, just like 
> turning your eyes in
>       a particular direction. Maybe it's because everyone on 
> the Internet has
>       chosen to make themselves available to everyone else on 
> a shared and
>       commonly-paid-for public medium, and the Internet as a 
> whole is much more
>       like a great big village public square than it is like 
> people's private
>       property. Maybe it's because just about every personal 
> datum  that I
>       generate on the Internet, every purchase I make, every 
> website I visit,
>       every email I send, is for available for use or sale by 
> someone (if we
>       include the government) to all sorts of other people 
> with no percentage
>       returned to me, thank you very much.
>       
>             When all our AUP's and Ethical Standards take no 
> pains to make any
>       explicit distinction between someone who runs a port 
> scan and some who
>       runs a port scan and then exploits a discovered 
> vulnerability, I'd say
>       that those policies are kind of biased. Maybe a 
> healthier attitude would
>       be to regard a large organization with an insecure 
> Internet presence
>       rather like the way we would regard an individual 
> walking down the street
>       with no pants on?
>       
>             And here's an observation that's got to be from 
> some strange and
>       bizarre alternate universe where individuals and deep-pocketed
>       corporations with large legal teams are treated equally 
> in the Electronic
>       Village: Mathias did not randomly choose an 
> organization upon which to
>       run his nefarious portscans. The university that he 
> scanned was SOLICITING
>       APPLICATIONS FOR EMPLOYMENT. (Now remember, this is the 
> bizarre alternate
>       universe, where we do not automatically kowtow in 
> abject gratitude,
>       kissing the feet (and whatever other anatomy is shoved 
> in our faces) of
>       those who would grace us with the privlege of toiling 
> for them. In this
>       bizarre alternate universe the flesh-and-blood citizen 
> dares to consider
>       whether or not the *EMPLOYER* is *WORTHY* (gasp) of 
> HIM!). To quote
>       another participant in this thread: "It has been my 
> personal experience,
>       having audited a University for license compliance 
> alone, that internal
>       politics often prevents best practices from being 
> implemented,..".
>       
>             Maybe, just maybe, Mathias has a RIGHT to an 
> informed decision about
>       whether or not he wants to tie his fortunes, his 
> career, his professional
>       development, and the next several years of his life (at 
> least) to this
>       particular organization. Maybe he has a right to know 
> if he's walking into
>       some political morass, and maybe he has a right to data 
> that will help him
>       make that determination.
>       
>             Or maybe he doesn't. But it's certainly true that 
> the University has
>       the right to examine below the surface of lots of 
> information that Mathias
>       will offer. And if they don't have the right, well then 
> they'll just offer
>       you a paper to sign giving them the right to examine 
> your police record,
>       credit history, your urine,  and lord knows what else, 
> and of course you
>       don't HAVE to sign it, and thanks for your time there's 
> plenty of other
>       applicants for the job.
>       
>             In this country the corporate citizen with 
> limited liability was
>       invented during the 19th century. It took several 
> decades before society
>       would admit to itself that they'd created an entity 
> which could work poor
>       people literally to death, and that maybe some 
> regulatory statutes were a
>       good idea.
>       
>             My sense is that the evolving mores, ethics, and 
> coming along behind
>       them the laws, in the Electronic Village (and there is 
> only one) are so
>       far much better for the big folks than the little guys.
>       
>       PS - I wrote most of this in the evenings.
>       
>       Yours,
>       
>       Kurt Reimer
>       
>       
> --------------------------------------------------------------
> -------------
>       EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
>       The Norwich University program offers unparalleled 
> Infosec management
>       education and the case study affords you unmatched 
> consulting experience.
>       Tailor your education to your own professional goals with degree
>       customizations including Emergency Management, Business 
> Continuity Planning,
>       Computer Emergency Response Teams, and Digital Investigations.
>       
>       http://www.msia.norwich.edu/secfocus
>       
> --------------------------------------------------------------
> -------------
>       
>       
>
>
> Liability limited by a scheme approved under Professional 
> Standards Legislation in respect of matters arising within 
> those States and Territories of Australia where such 
> legislation exists.
>
> DISCLAIMER
> The information contained in this email and any attachments 
> is confidential. If you are not the intended recipient, you 
> must not use or disclose the information. If you have 
> received this email in error, please inform us promptly by 
> reply email or by telephoning +61 2 9286 5555. Please delete 
> the email and destroy any printed copy.  
>
> Any views expressed in this message are those of the 
> individual sender. You may not rely on this message as advice 
> unless it has been electronically signed by a Partner of BDO 
> or it is subsequently confirmed by letter or fax signed by a 
> Partner of BDO.
>
> BDO accepts no liability for any damage caused by this email 
> or its attachments due to viruses, interference, 
> interception, corruption or unauthorised access.


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------