SQLServerCentral is supported by Red Gate Software Ltd.
Frustration with Bad Design
Posted Monday, July 28, 2014 7:13 AM


SSCertifiable


Group: General Forum Members
Points: 5,819, Visits: 3,739
rot-717018 (7/28/2014)
Jeff Moden (7/28/2014)

I totally disagree as written above, especially when it comes to private information such as Social Security Numbers. It MUST be proven if it exists and action must be taken. I consider it to be one of those unwritten laws that is the responsibility of every IT worker.

I had a training 10-ish years ago about money laundering. After a while I wondered why I was sitting there; I had no contact with customers nor with financial institutes, so what? "Except that you are one of the first persons who can see strange behaviours in the data! These need to be reported immediately to your compliance officer" was the answer.
The same applies to security, and you may be held responsible if you do not report it. Now it's up to the management to decide what to do ...


Exactly. Everyone is responsible for ensuring that it gets to the next appropriate stage. Not necessarily any more. Certainly no less.


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1596845
Posted Monday, July 28, 2014 7:36 AM
SSC-Addicted


Group: General Forum Members
Points: 494, Visits: 819
Steve, while I agree that the guy broke the law, the points you made in your post stopped too soon. Before I comment on that, let me be clear that I believe the points you made are correct.

IMO the guy uncovered evidence of a crime. I do not believe that can be disputed. Federal law covers writing a virus and deploying it. The first thing you need to do when you find corporate resources infected by a virus is to report it to the team that handles that. You then need to let your boss know.

Now when you then find your reports were ignored, and you fail to notify authorities, you are in fact legally accountable for failing to report the crime. This is not just my opinion; it is the opinion of an FBI agent who attended a seminar about this very topic and gave advice on how to respond. Whether the crime was committed by your employer or not is irrelevant. The fact that federal law was broken, especially in this manner where thousands of people are affected, means you have the responsibility to act.

How you act is what matters. The guy in the post got upset, and chose the wrong path. Had he notified authorities he would have been protected. As much as the federal government frustrates me and others with their illegal acts, I can't believe the FBI would have ignored his report of this type of crime. They tend to ignore specific types of crimes, but not these.

Had he done nothing, and someone else reported this, he would have still had his home raided by the FBI. He might still have been charged. It is possible he feared this, and acted out of that fear, but more likely he just had a case of stupidity.



Dave
Post #1596857
Posted Monday, July 28, 2014 7:41 AM
SSC-Addicted


Group: General Forum Members
Points: 494, Visits: 819
Jeff Moden (7/28/2014)
From the article:
However it's usually not your company, and it's not your place to prove that there is a flaw in a system. It's especially true that it's not your place to prove things without having been given permission to do so. Proving a point on your own is something children do, not professionals.


I totally disagree as written above, especially when it comes to private information such as Social Security Numbers. It MUST be proven if it exists and action must be taken. I consider it to be one of those unwritten laws that is the responsibility of every IT worker.

I DO, however, totally disagree with the manner in which David Helkowski did his proof. There's no way in hell that I'd prove a security violation by violating someone's privacy by posting their hacked SSN on something like Reddit. A private email to that person should have sufficed. If no action was taken to fix the security problem, then there are proper channels to certain agencies to correctly and properly report such a problem.

So, with mixed emotion, I applaud David Helkowski for all of his actions EXCEPT for posting private information on a very public website. I say "mixed emotion" because, on the other hand, he's getting what he deserved for being too freakin' lazy to do things the right way.


Jeff, I agree with you and Steve both. Steve focused his comments on the manner Helkowski chose, specifically to "prove there is a flaw" in an illegal manner. You seem to be saying that he should have acted, but in a different manner. My other post was an attempt to say the same thing as you are. I deleted the part I was going to post that in some way supported Helkowski's views, and am glad I did because you said it much better.


Dave
Post #1596862
Posted Monday, July 28, 2014 7:45 AM
SSC-Addicted


Group: General Forum Members
Points: 421, Visits: 442
That story about David Helkowski was pretty crazy. It reminds me of the Seinfeld episode where Jerry's mechanic goes nuts because Jerry isn't babying his car enough, so the mechanic just drives off with it. I think the fact that Helkowski stated he wouldn't do anything differently shows his current state of mind - I'm not sure how someone like that would ever expect to get hired in the IT industry again.
Post #1596865
Posted Monday, July 28, 2014 7:45 AM
Forum Newbie


Group: General Forum Members
Points: 2, Visits: 9
Raising your concerns, and documenting both the concerns and the fact that you have communicated them, is crucial.
If/when TSHTF, management will look for a scapegoat or someone to blame, and it is easy for them to 'forget' you warned them. YOU become the convenient scapegoat because it was YOUR responsibility.
Even with documentation you might still be the convenient scapegoat, but it becomes harder to paint you as the negligent one.
Post #1596867
Posted Monday, July 28, 2014 7:48 AM
Say Hey Kid


Group: General Forum Members
Points: 708, Visits: 1,789
Don't forget that there is likely to be a legal issue in doing that. Formally posting something somewhere can leave oneself open to being sued (slander and/or libel) or getting a reputation for "slagging off" companies. There is a balance to be made, and I think that personal enquiries within one's own network are best.


You can damage your career or destroy your marriage or health with a poor job. Recruiters will lie about or ignore conditions that don't affect them. A bad company that needs people due to attrition might be a recruiter's bread-and-butter client.

There are thousands of companies, many with toxic or dead-end environments. Not every network knows about every company. Something as simple as a numerical score, or a comment on whether the company would pass the "Joel Test", serves as a decent substitute for true internal knowledge.

So far, among the four user groups and other events we've talked about this at, the reviews that exist on Glass Door are running about 90% accurate. You can usually spot the crazies and bashers. And there are several local companies that have gained by having positive, but accurate, reviews. And several confirmed companies with extreme technical debt and mismanagement.
Post #1596870
Posted Monday, July 28, 2014 9:09 AM
SSC Rookie


Group: General Forum Members
Points: 28, Visits: 99
Have there been any clear legal decisions where the IT worker was held in error or legally responsible for failing to report security issues outside the company, if the company refuses to fix problematic practices or if the worker fails to report it up the management hierarchy?

Put another way, is there case law that says what your duties are, and when and where you must report security issues?

It is easy enough to imagine that health care reporting laws might require you to report issues outside the company; HIPAA rules might be rather strict on hospitals who let their patient histories leak out, for example. And if you, as a DBA say, know it is leaking, it may not be sufficient to only report it up the food chain to your manager.

Another example is state or federal work, where you are required to speak up upon finding an issue. Here channels must be observed, but when do you, or must you, step outside channels and continue to report? Again, it seems less clear what is required of you legally if the management structure remains inert.

In many mid- and large-size companies it is a long way from the group manager in some IT area to the CEO and CFO and CTO... They each may have very different motivations in how they would respond to questions of security. Some or all may just go into CYA mode. Some may really want to know and fix the issue, but the information is not going to naturally float up the food chain to reach them... And that is where the difficulty for the reporter of issues seems to sit.

There are many ways to state a problem; almost always there is a way to state it so that sufficient motivation will exist to fix the real problems.
Post #1596912
Posted Monday, July 28, 2014 9:52 AM
SSC-Dedicated


Group: Administrators
Points: 31,368, Visits: 15,837
chrisn-585491 (7/28/2014)
I'm taking option 2, Steve. Goals are set, plans are in place, nights are spent working on skills and such.

Currently there are enough shops, companies and corporations demanding our talents that we can be picky. We should professionally let our colleagues know that certain companies may not meet their expectations, either through networking or sites like Glass Door.


Tend to agree, though I certainly understand if someone can't be picky in their situation. If that's the case, then make plans to move on.
Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1596930
Posted Monday, July 28, 2014 9:55 AM
SSC-Dedicated


Group: Administrators
Points: 31,368, Visits: 15,837
djackson 22568 (7/28/2014)
Steve, while I agree that the guy broke the law, the points you made in your post stopped too soon. Before I comment on that, let me be clear that I believe the points you made are correct.

IMO the guy uncovered evidence of a crime. I do not believe that can be disputed. Federal law covers writing a virus and deploying it. The first thing you need to do when you find corporate resources infected by a virus is to report it to the team that handles that. You then need to let your boss know.

Now when you then find your reports were ignored, and you fail to notify authorities, you are in fact legally accountable for failing to report the crime. This is not just my opinion; it is the opinion of an FBI agent who attended a seminar about this very topic and gave advice on how to respond. Whether the crime was committed by your employer or not is irrelevant. The fact that federal law was broken, especially in this manner where thousands of people are affected, means you have the responsibility to act.

How you act is what matters. The guy in the post got upset, and chose the wrong path. Had he notified authorities he would have been protected. As much as the federal government frustrates me and others with their illegal acts, I can't believe the FBI would have ignored his report of this type of crime. They tend to ignore specific types of crimes, but not these.

Had he done nothing, and someone else reported this, he would have still had his home raided by the FBI. He might still have been charged. It is possible he feared this, and acted out of that fear, but more likely he just had a case of stupidity.



Agree. You can't ignore the issue and fail to report it.
Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1596933
Posted Monday, July 28, 2014 10:00 AM
SSC-Addicted


Group: General Forum Members
Points: 494, Visits: 819
knausk (7/28/2014)
Have there been any clear legal decisions where the IT worker was held in error or legally responsible for failing to report security issues outside the company, if the company refuses to fix problematic practices or if the worker fails to report it up the management hierarchy?

Put another way, is there case law that says what your duties are, and when and where you must report security issues?


Legal decisions are made in the courts; the law applies long before then. In the example we looked at in the seminar I was at, the FBI agent agreed that if you found evidence of a crime involving computers, the information pertaining to that crime is now on your PC, and therefore you could be charged as an accessory, or you could be charged with covering up a crime. The minute you become aware of computer crime and do not report it, you put yourself at risk.

The question isn't whether anyone has been charged. The question is what options the individual had, and reporting it to the authorities is by far the best option when the corporation ignores you.


Dave
Post #1596939