Great Circle Associates Firewalls
(June 1996)

Subject: RE: Pilot Network Services
From: Frank Willoughby <frankw @ in . net>
Date: Mon, 24 Jun 96 18:04:39 -0400
To: Alex Filacchione <alexf @ iss . net>
Cc: firewalls @ GreatCircle . com

At 04:45 PM 6/24/96 -0400, Alex Filacchione allegedly wrote:

Alex,

No offense, but if it isn't too much trouble, could you preface 
the comments made by someone else (me, for instance) with ">"?  
It would make the mail easier to read (and saves me from having 
to put this in).  Most mailers will do this for you automatically 
if you hit the "reply" button instead of pasting the text in.  
Also, setting the maximum width to this far:

==================================================================>|

will help keep the messages from wrapping.


>#1 to all... please don't flame.  I think this is appropriate to
>discussions on computer security practices in general.  A nice civilized
>note to take this to private email will suffice.  There's no need to get
>irate and yell the moment something appears off topic.  The only reason I
>state this is that messages deemed off-topic by some on this list are met
>with irate responses and not civilized requests.

I wouldn't dream of flaming you.  I think the discussion is pertinent
(particularly when applied to firewall administrators).  <grin>



>>The gov't has a set of minimum standards for access to nukes & intelligence 
>>info and IMHO, there are good reasons for this.
>
>A couple of things...
>1) I really was speaking in the most general of terms, speaking to
>employment practices in general (hope no one misunderstood this, sorry if I
>was not clear in my intentions)
>
>2) I said where not necessary (or words to that effect).  Let me clarify
>myself...  The Constitution claims that we have the right to privacy, etc.
>It also says that these rights are total EXCEPT when they start to infringe
>upon the rights of others.  When talking about Nukes, covert operations,
>National Security and all of that, of course you run the serious risk of
>these activities (drug & alcohol use, for example) causing exactly the
>things that you listed.  The result of which could very easily infringe
>upon the right to life, liberty, etc., etc. of not only any one single
>individual, but possibly the whole country.  It is obvious that these
>situations are exactly the types of exceptions implied (we could argue the
>vagueness of that, but let's not :)  ).  However, when you talk about
>situations where that is not the case then drug testing gets a lot more
>difficult to justify, IMO.

I disagree, but that's OK.


>>Would you really go with an inferior proposal just because the architect 
>>of the better proposal has smoked pot?

Probably, it depends.  In any case, I would have someone else (another 
architect) check his work - particularly the load-bearing stress data & the 
general design.  Hate to have the house collapse on me because the 
architect forgot to move a decimal point over a place or two or used
dry-wall as part of a load-bearing external wall because he was under 
the influence.


8< [snip]

>>I've seen the above argument before.  One flaw that it has is that it 
>>isn't very easy to make another person disclose confidential information 
>>or install a trojan horse by forcing them to drive at the posted speed 
>>limit.  8^)  The opposite is not true of drugs.  (BTW, I do not condone 
>>speeding.)
>
>No, but it shows a case in which there is really no case of infringing upon
>someone else's life, and where justification of drug tests gets hard.

While many companies' security will not directly impact the lives of 
others, others' does: health insurance companies, doctor's offices, 
hospitals, airports, emergency services (police, fire, ambulance, 
etc), utility companies (power, gas), phone/communications services, 
etc.  Also, regardless of whether the company's services directly 
impact the lives of others, it makes good security sense to reduce 
risks where possible.  

BTW, I know of one health insurance company (which shall remain 
nameless) which allegedly had personnel who appeared to be smoking 
pot during break.  The personnel had access to blank (signed) medicare 
checks.  Oh yeah, I almost forgot the best part.  The doors were open 
& the checks were left unattended - easily visible and accessible to 
anyone walking by the building.  To make matters worse, blank ID cards 
were on a pallet next to the blank (signed) checks.  Hmmm. What are 
the risks (and the probabilities) of an employee with a possible drug 
habit having access to a pallet full of blank (signed) checks & a pallet 
full of blank ID cards???


Moving right along, if a company decides to test their personnel 
(firewall administrators, for instance)  8^)  for drugs, that is their 
business.  I am just stating my viewpoint (the value of which is just 
as good or just as worthless as anyone else's).  8^)


8< [snip]
We are in agreement on the validity of polys.


8< [snip]
>>Even if the hacker entered a system and did nothing, damage was done.
>>The company can't know that the hacker didn't upload any files, 
>>compromise sensitive information, or weaken the system's security.  
>
>=========I hate M$=========
>Ahh, but does this mean that you should not hire this person?  Could this
>not be misdirected energy?  Could it not be turned in another direction?
>(trying not to sound like Obi-Wan Kenobi)  If the person knows their stuff
>real well, and you feel that you can trust them (based on "X" criteria),
>then they may be the best security person that you can have.  Ask Bob
>Stratton :)
>========================

Yes.  I would not hire this person.  The energy is misdirected and 
should be rechanneled into something positive, but the InfoSec field 
isn't the place for it.  InfoSec is a field which requires a very 
high level of integrity & ethics.  A person who has a history of 
integrity/ethics problems should really look for another field, IMHO.  

Granted that hackers, like other people, can turn over a new leaf - 
and I think that this is indeed a possibility.  However, even if 
this is the case, I would recommend that their talents be used in 
another field and not InfoSec.  This helps them avoid any possible 
relapses (BTW - one of the best cures against a relapse is to remove 
the temptation).  Couple of analogies: Asking a reformed pedophile to 
babysit for your children or asking a reformed alcoholic to guard 
the distillery.  Either of these cases places enormous temptations
on the individuals involved that are much greater than that of 
other individuals who haven't had these types of problems.  Why not 
avoid the issue by removing the area of temptation?


>(asbestos off),

IMHO, there was no need to put it on.  Although we disagree, the
points you raised were worth considering.



>Alex F 
>
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>Alexf @ iss . net
>Marketing Specialist
>Come visit the growing Vulnerability Database
>http://www.iss.net
>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Best Regards,


Frank
Any sufficiently advanced bug is indistinguishable from a feature.
	-- Rich Kulawiec

<standard disclaimer>
The opinions expressed above are of the author and may not 
necessarily be representative of Fortified Networks Inc.

Fortified Networks Inc. - Information Security Consulting 
http://www.fortified.com     Phone: (317) 573-0800     FAX: (317) 573-0817     
Home of the Free Internet Firewall Evaluation Checklist

