Firewall Wizards mailing list archives

Re: Re: Ethics, morality and the industry


From: "Vin McLellan" <vin () theworld com>
Date: Sun, 31 Oct 2004 01:09:32 -0500

   It restores my faith in humanity to so often run across a
message that is half nonsense and half common sense. Mind you,
I'm an optimist, so I tend to see the glass half-full, and sustain my
hope that rain and other weathering experience will fill it further in time.

   Alan Holmes <alan () tympaniinc com> wrote:

<snip>
Not one of the corporations that claimed damages actually reported the
losses in their annual report. Based on that, Scott McNealy should be
sharing a jail cell with Martha Stewart and consequently no one should ever
listen to Mr. McNealy speak again, because after all, if he signed an
annual report that didn't reveal losses the size of what Sun claimed due to
Mitnick copying the source code then, he is a criminal.

This is childish nonsense. When there is evidence that some malicious little monster, human or malware, has penetrated a corporate network, talented folk with real jobs are told to ignore their assigned tasks and search for evidence of loss or damage, repair what they can, ameliorate what they must, and build or install new defense lines as needed.

This sort of disaster management entails very real losses: time, money, misdirected energies, and lost opportunities. Where in those annual reports, pray tell, would you like to see McNealy et al tally a dollar estimate for those unproductive and wasteful expenditures, Alan? Where would you tally the loss entailed in the work not done, the sales not made, and ideas unthought?

I recall a lot of unsupported estimates of loss being bandied about when Mitnick was finally snared. As I recall, many of the numbers sounded silly. Whatever the butcher's bill really was, however, I've got to wonder what sort of babe in the woods innocent thinks there is no serious loss involved in network intrusions; malware attacks; stolen software; confidential business and customer data changed or copied; corporate and personal reputations besmirched?

   Alan Holmes <alan () tympaniinc com> also wrote:

The message I got from the original post wasn't whether reformed black hats
are good or bad or can even be reformed but that some people still have a
strong conviction in their own beliefs and are willing to forego $$$ in
exchange for standing behind those beliefs. I think that is a very admirable
trait and something that is quite rare today.

   This, I thought, was nicely put.

Professionals in this industry have been learning useful things about ethics from William Hugh Murray for 30-odd years, and the choice he and Howard Schmidt made in this situation was, as this discussion suggests, usefully thought-provoking.

I would add only that such purposeful actions probably also reflect the admirable forbearance of their respective institutional patrons -- since the meager honorariums are not really what pays for the labor of most conference speakers of this caliber.

Murray and Schmidt are, of course, preachers of a sort. For years, both have sought to infuse InfoSec with the principles essential for real professionalism. My own gut sense is that you would have to make such decisions on a case by case basis. In this case, I trust their judgement.

Conference organizers are like publishers: they book whatever will sell. I hope the actions of Bill and Howard will effectively pressure those organizers to bring a more selective criteria to bear on their booking decisions.

Personally, I think guys like Abagnale and Mitnick reek of self-aggrandizement and cheap thrills, but someone like Randall Schwartz -- who was praised by someone in this thread -- is far more dangerous because of his long campaign to cloak his egregious behavior as an Intel contractor with a patina of remorseless self-righteousness. System admins who go bad worry me more than hackers.

Malware authors, the arsonists of cyberspace, are a special case, but I haven't seen anyone yet celebrating their own orgy of destruction on the conference circuit. Of course, without someone like Murray or Schmidt drawing a moral line -- and their peers endorsing their decision -- I suspect we would see them too on a CSI conference program before long.

"Netsky, Blaster, and me: What I did during my summer vacation and why it is all the users/vendors/network's fault that Cyberspace burnt."

Suerte,
     _Vin

