[comp.dcom.telecom] How Do You Tell Someone About a Security Hole?

ergo@ames.arc.nasa.gov (Isaac Rabinovitch) (05/28/90)

kitty!larry@uunet.uu.net (Larry Lippman) writes:

>> I feel the need to let them know about the gaping (and I mean gaping)
>> computer and physical security holes they have, but I'm not sure about
>> the best way to approach it (or even if I should). 

>	I suspect your "need" is born of the guilt of trespass.  In my
>travels I have found that most people who *volunteer* information
>about security flaws in a manner which is not part of their regular
>job responsibilities are usually trying to hide something and I tend
>to be suspicious of their motives.  

I've been holding this message in my NN directory for over a week, so
I could summon up a semi-mature response.  Here's a try.

Lippman is confusing ignorance with innocence and lack of accountability
with lack of responsibility.

Our anonymous might well have been "trespassing" (though Lippman
ignores the legal responsibility of the "offended" party in this sort
of property rights issue).  But what in Watergate's Name has that got
to do with anything? If somebody sees your house being robbed, you
expect them to do something about it, even if that somebody is a
peeping tom.  Attacking our "snoop" instead of dealing with the moral
issues is an Ad Hominem argument, which is Latin for "Stick to the
Facts, damnit."

>Security issues are a *sensitive* topic, and right or wrong, 
>management does not usually appreciate unsolicited advice on this topic.

And why do you suppose that is?  (Socratic/rhetorical question.)

>	I fully agree with the Moderator.  Extending to you the
>benefit of the doubt that your motives are genuinely pristine and
>altruistic, this is NOT YOUR PROBLEM, and YOU WILL GET NO REWARD for
>disclosing this information to management.  More likely than not,
>should you elect to disclose the information, your action in doing
>so will make you a suspect for *something*.

As I said in a previous posting, it's easy to get burned by a security
problem, even if you're not responsible for it.  True, bringing that
to public attention raises your risk factor, but that's a
self-preservation issue, not an ethical one!  In any case, your "if
nobody knows it's a problem, it's not a problem" attitude is childish.

>I would suggest that you chalk this up as one of life's many
>"lessons", get on with your career, and try not to get in the same
>situation a second time.

Such situations are unavoidable.  You cannot work in a multiuser
environment without encountering security slipups.  And a computer
professional who takes no interest in how his system works and what
might go wrong with it is in the wrong job.

Joel B Levin <levin@bbn.com> (05/30/90)

X-Telecom-Digest: Volume 10, Issue 391, Message 7 of 12

In article <8344@accuvax.nwu.edu> claris!netcom!ergo@ames.arc.nasa.gov
(Isaac Rabinovitch) writes:

|Our anonymous might well have been "trespassing" (though Lippman
|ignores the legal responsibility of the "offended" party in this sort
|of property rights issue)....

An interesting legal theory (which I don't understand very well and
which may only apply to some other area of law) is called something
like "attractive nuisance" -- if the owner of a property leaves a
ladder up to his second story window and a kid climbing it to break in
falls and injures himself, the owner may be liable for damages even
though the injured party was committing a criminal act.  (I don't know
whether that somehow excuses the criminal act.)

Could it be that the employer who leaves a system sitting around with
security holes waiting to be entered shares some guilt, or is at least
liable for some damages for injuries to the employee which result from
his being fired?  Far out speculation; I'm sure the lawyers hereabouts
will flatten this idea fast.


	/JBL

Nets: levin@bbn.com    or {...}!bbn!levin     POTS: (617)873-3463