At 04:45 PM 6/24/96 -0400, Alex Filacchione allegedly wrote:
No offense, but if it isn't too much trouble, could you preface
the comments made by someone else (me, for instance) with ">"?
It would make the mail easier to read (and saves me from having
to put this in). Most mailers will do this for you automatically
if you hit the "reply" button instead of pasting the text in.
Also, setting the maximum width to this far:
will help keep the messages from wrapping.
>#1 to all... please don't flame. I think this is appropriate to
>discussions on computer security practices in general. A nice civilized
>note to take this to private email will suffice. There's no need to get
>irate and yell the moment something appears off topic. The only reason I
>state this is that messages deemed off-topic by some on this list are met
>with irate responses and not civilized requests.
I wouldn't dream of flaming you. I think the discussion is pertinent
(particularly when applied to firewall administrators). <grin>
>>The gov't has a set of minimum standards for access to nukes & intelligence
>>info and IMHO, there are good reasons for this.
>A couple of things...
>1) I really was speaking in the most general of terms, speaking to
>employment practices in general (hope no one misunderstood this, sorry if I
>was not clear in my intentions)
>2) I said where not necessary (or words to that effect). Let me clarify
>myself... The Constitution claims that we have the right to privacy, etc.
>It also says that these rights are total EXCEPT when they start to infringe
>upon the rights of others. When talking about Nukes, covert operations,
>National Security and all of that, of course you run the serious risk of
>these activities (drug & alcohol use, for example) causing exactly the
>things that you listed. The result of which could very easily infringe
>upon the right to life, liberty, etc., etc. of not only any one single
>individual, but possibly the whole country. It is obvious that these
>situations are exactly the types of exceptions implied (we could argue the
>vagueness of that, but let's not :) ). However, when you talk about
>situations where that is not the case then drug testing gets a lot more
>difficult to justify, IMO.
I disagree, but that's OK.
>>Would you really go with an inferior proposal just because the architect
>>of the better proposal has smoked pot?
Probably, it depends. In any case, I would have someone else (another
architect) check his work - particularly the load-bearing stress data & the
general design. Hate to have the house collapse on me because the
architect forgot to move a decimal point over a place or two or use a
dry-wall as part of a load-bearing external wall because he was under
>>I've seen the above argument before. One flaw that it has is that a it
>>isn't very easy to make another person disclose confidential information
>>or install a trojan horse by forcing them to drive at the posted speed
>>limit. 8^) The opposite is not true of drugs. (BTW, I do not condone
>No, but it shows a case in which there is really no case of infringing upon
>someone else's life, and where justification of drug tests gets hard.
While many companies' security will not directly impact the lives of
others, others do: health insurance companies, doctor's offices,
hospitals, airports, emergency services (police, fire, ambulance,
etc), utility companies (power, gas), phone/communications services,
etc. Also, regardless of whether the company's services directly
impact the lives of others, it makes good security sense to reduce
risks where possible.
BTW, I know of one health insurance company (which shall remain
nameless) which allegedly had personnel who appeared to be smoking
pot during break. The personnel had access to blank (signed) medicare
checks. Oh yeah, I almost forgot the best part. The doors were open
& the checks were left unattended - easily visible and accessible to
anyone walking by the building. To make matters worse, blank ID cards
were on a pallet next to the blank (signed) checks. Hmmm. What are
the risks (and the probabilities) of an employee with a possible drug
habit having access to a pallet full of blank (signed) checks & a pallet
full of blank ID cards???
Moving right along, if a company decides to test their personnel
(firewall administrators, for instance) 8^) for drugs, that is their
business. I am just stating my viewpoint (the value of which is just
as good or just as worthless as anyone else's). 8^)
We are in agreement on the validity of polys.
>>Even if the hacker entered a system and did nothing, damage was done.
>>The company can't know that the hacker didn't upload any files,
>>compromise sensitive information, or weaken the system's security.
>=========I hate M$=========
>Ahh, but does this mean that you should not hire this person? Could this
>not be misdirected energy? Could it not be turned in another direction?
>(trying not to sound like Obi-Wan Kenobi) If the person knows their stuff
>real well, and you feel that you can trust them (based on "X" criteria),
>then they may be the best security person that you can have. Ask Bob
Yes. I would not hire this person. The energy is misdirected and
should be rechanneled into something positive, but the InfoSec field
isn't the place for it. InfoSec is a field which requires a very
high level of integrity & ethics. A person who has a history of
integrity/ethics problems should really look for another field, IMHO.
Granted that hackers, like other people, can turn over a new leaf -
and I think that this is indeed a possibility. However, even if
this is the case, I would recommend that their talents be used in
another field and not InfoSec. This helps them avoid any possible
relapses (BTW - one of the best cures against a relapse is to remove
the temptation). Couple of analogies: Asking a reformed pedophile to
babysit for your children or asking a reformed alcoholic to guard
the distillery. Either of these cases places enormous temptations
on the individuals involved that are much greater than that of
other individuals who haven't had these types of problems. Why not
avoid the issue by removing the area of temptation?
IMHO, there was no need to put it on. Although we disagree, the
points you raised were worth considering.
>Come visit the growing Vulnerability Database
Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.
Fortified Networks Inc. - Information Security Consulting
http://www.fortified.com Phone: (317) 573-0800 FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist