Frustration with Bad Design

  • Don't forget that there is likely to be a legal issue in doing that. Formally posting something somewhere can leave oneself open to being sued (slander and/or libel) or getting a reputation for "slagging off" companies. There is a balance to be made, and I think that personal enquiries within one's own network are best.

    You can damage your career or destroy your marriage or health with a poor job. Recruiters will lie or ignore conditions that don't affect them. A bad company that needs people due to attrition might be a recruiter's bread-and-butter client.

    There are thousands of companies, many with toxic or dead-end environments. Not every network knows about every company. Something as simple as a numerical score or a comment on whether the company would pass the "Joel Test" serves as a decent substitute for true internal knowledge.

    So far, among the four user groups and other events we've talked about this at, the reviews that exist on Glass Door are running about 90% accurate. You can usually spot the crazies and bashers. And there are several local companies that have gained by having positive, but accurate, reviews. And several confirmed companies with extreme technical debt and mismanagement.

  • Have there been any clear legal decisions where the IT worker was held in error or legally responsible for failing to report security issues outside the company if the company refuses to fix problematic practices, or if the worker fails to report it up the management hierarchy?

    Put another way, is there case law that says what your duties are, and when and where you must report security issues?

    It is easy enough to imagine health care reporting laws might require you to report issues outside the company; HIPAA rules might be rather strict on hospitals who let their patient histories leak out, for example. And if you, as a DBA say, know it is leaking, it may not be sufficient to only report it up the food chain to your manager.

    Another example is state or federal work where you are required to speak up upon finding an issue. Here, channels must be observed, but when do you, or must you, step outside channels and continue to report? Again, it seems less clear what is required of you legally if the management structure remains inert.

    In many mid- and large-size companies, it is a long way from the group manager in some IT area to the CEO, CFO and CTO... they each may have very different motivations in how they would respond to questions of security. Some or all may just go into CYA mode. Some may really want to know and fix the issue, but the information is not going to naturally float up the food chain to reach them... And that is where the difficulty for the reporter of issues seems to sit.

    There are many ways to state a problem; almost always there is a way to state it so that sufficient motivation will exist to fix the real problems.

  • chrisn-585491 (7/28/2014)


    I'm taking option 2, Steve. Goals are set, plans are in place, nights are spent working on skills and such.

    Currently there are enough shops, companies and corporations demanding our talents that we can be picky. We should professionally let our colleagues know that certain companies may not meet their expectations, either through networking or sites like Glass Door.

    Tend to agree, though I certainly understand if someone can't be picky in their situation. If that's the case, then make plans to move on.

  • djackson 22568 (7/28/2014)


    Steve, while I agree that the guy broke the law, the points you made in your post stopped too soon. Before I comment on that, let me be clear that I believe the points you made are correct.

    IMO the guy uncovered evidence of a crime. I do not believe that can be disputed. Federal law covers writing a virus and deploying it. The first thing you need to do when you find corporate resources infected by a virus is to report it to the team that handles that. You then need to let your boss know.

    Now, when you then find your reports were ignored, and you fail to notify authorities, you are in fact legally accountable for failing to report the crime. This is not just my opinion; it is the opinion of an FBI agent who attended a seminar about this very topic and gave advice on how to respond. Whether the crime was committed by your employer or not is irrelevant. The fact that federal law was broken, especially in this manner where thousands of people are affected, means you have the responsibility to act.

    How you act is what matters. The guy in the post got upset, and chose the wrong path. Had he notified authorities he would have been protected. As much as the federal government frustrates me and others with their illegal acts, I can't believe the FBI would have ignored his report of this type of crime. They tend to ignore specific types of crimes, but not these.

    Had he done nothing, and someone else reported this, he would have still had his home raided by the FBI. He might still have been charged. It is possible he feared this, and acted out of that fear, but more likely he just had a case of stupidity.

    Agree. You can't ignore the issue and fail to report it.

  • knausk (7/28/2014)


    Have there been any clear legal decisions where the IT worker was held in error or legally responsible for failing to report security issues outside the company if the company refuses to fix problematic practices, or if the worker fails to report it up the management hierarchy?

    Put another way, is there case law that says what your duties are, and when and where you must report security issues?

    Legal decisions are made in the courts; the law applies long before then. In the example we looked at in the seminar I was at, the FBI agent agreed that if you found evidence of a crime involving computers, the information pertaining to that crime is now on your PC, and therefore you could be charged as an accessory, or you could be charged with covering up a crime. The minute you become aware of computer crime and do not report it, you put yourself at risk.

    The question isn't whether anyone has been charged. The question is what options the individual had, and reporting it to the authorities is by far the best option when the corporation ignores you.

    Dave

  • Steve,

    I agree with all that is said but with the caveat that once the product is determined "production ready" this all kicks in.

    I have over the years been asked to test drive various new applications as part of alpha and beta testing. Depending on what is found there, I have been involved with various levels of more in-depth testing as well. In those tests, I have felt that it is my job to find and exploit any security, operational, or processing bug that can be found. Then I also document the items and the ways to make them happen.

    From the findings of the testing, I can make recommendations as to what should change, and if I have the position and authority, I can halt the deployment of the product until certain things are done. I am required to internally do all I can to make the product as strong and right as possible, and if the company heeds that, the product grows better. If the decision is made to roll out the product with known problems, I do not openly expose it, but still work internally to try to make it better.

    So yes, once the product is out in production, I support the decision to move forward as best I can while I hope and pray for the best.

    M.

    Not all gray hairs are Dinosaurs!

  • david.gugg (7/28/2014)


    ...I think the fact that Helkowski stated he wouldn't do anything differently shows his current state of mind...

    I believe people who say that are just trying to emphasize their innocence. I bet he never does anything like this again (if he truly was innocent). I couldn't imagine having that close of a run-in with the FBI, not being prosecuted, and then going about the same innocent activity. I used to try and email webmasters about their sites being compromised when I received links in SPAM messages... you know, www dot LegitimateSite dot com slash FakeFolder1 slash HackersPage dot PHP. I've probably reported 6 or 7 to LegitimateSite because they've clearly been hacked (in fact, one was a university), but when I get no "Thank you" or not even a response, I start wondering if they think I'm up to something. I haven't tried to help in that capacity for years now, though I think about doing it again from time to time because I know I'm just trying to help. I'd never help again if I was threatened by the FBI, despite my innocence.

  • And where does Edward Snowden fit into this piece?

  • David.Poole (7/28/2014)


    And where does Edward Snowden fit into this piece?

    IMO Snowden is a hero. He broke the law in order to expose our government's illegal violation of every US citizen's rights. He chose to suffer the consequences knowing it was the only way to expose the abuse, while also recognizing we (our population) are too stupid to do anything about it.

    IMO the person referenced in this thread is simply an idiot. Violating the law in order to force a company to do the right thing is different in that he had other options yet chose the method that was easiest. Snowden didn't have any options at all, and made up his own option to help the greater good.

    Dave

  • Steve Jones wrote:

    Bad design, bad decisions, mistakes, even poor security practices will occur. However it's usually not your company, and it's not your place to prove that there is a flaw in a system. It's especially true that it's not your place to prove things without having been given permission to do so. Proving a point on your own is something children do, not professionals.

    I'm not sure I agree with this. So long as one 'proves a point' in a diplomatic and legitimate manner, and the motive is positive, does this not show initiative on one's part?

  • I'm not sure I agree with this. So long as one 'proves a point' in a diplomatic and legitimate manner, and the motive is positive, does this not show initiative on one's part?

    See:

    1) "Shooting the messenger"

    2) "Never let your boss look bad"

    3) Bucket of crabs

  • chrisn wrote:

    See:

    1) "Shooting the messenger"

    2) "Never let your boss look bad"

    3) Bucket of crabs

    Yup, I've seen them all. And if this is what one's workplace is like, then I would agree with Steve Jones: it's time to find another job.

    It all comes down to integrity: both one's own, and that of the business in which one labours. I want to work in a place which has as much or more integrity than I have. I want to be able to look up to my boss, not look away.

  • djackson 22568 (7/28/2014)


    David.Poole (7/28/2014)


    And where does Edward Snowden fit into this piece?

    IMO Snowden is a hero. He broke the law in order to expose our government's illegal violation of every US citizen's rights. He chose to suffer the consequences knowing it was the only way to expose the abuse, while also recognizing we (our population) are too stupid to do anything about it.

    IMO the person referenced in this thread is simply an idiot. Violating the law in order to force a company to do the right thing is different in that he had other options yet chose the method that was easiest. Snowden didn't have any options at all, and made up his own option to help the greater good.

    Interesting take on that. Personally, I feel that his actions put a lot more people at risk than what he "saved".

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • GoofyGuy (7/28/2014)


    Steve Jones wrote:

    Bad design, bad decisions, mistakes, even poor security practices will occur. However it's usually not your company, and it's not your place to prove that there is a flaw in a system. It's especially true that it's not your place to prove things without having been given permission to do so. Proving a point on your own is something children do, not professionals.

    I'm not sure I agree with this. So long as one 'proves a point' in a diplomatic and legitimate manner, and the motive is positive, does this not show initiative on one's part?

    You're a little out of context.

    You do so in a legitimate manner by getting permission, which I would guess involves some diplomacy and basic polite social behavior. You ask.

  • Jeff Moden (7/28/2014)


    djackson 22568 (7/28/2014)


    David.Poole (7/28/2014)


    And where does Edward Snowden fit into this piece?

    IMO Snowden is a hero. He broke the law in order to expose our government's illegal violation of every US citizen's rights. He chose to suffer the consequences knowing it was the only way to expose the abuse, while also recognizing we (our population) are too stupid to do anything about it.

    IMO the person referenced in this thread is simply an idiot. Violating the law in order to force a company to do the right thing is different in that he had other options yet chose the method that was easiest. Snowden didn't have any options at all, and made up his own option to help the greater good.

    Interesting take on that. Personally, I feel that his actions put a lot more people at risk than what he "saved".

    We can certainly debate that, Mr. Moden, but I suspect that is not true. It's the view of many people that fundamentally dislike exposure and want secrecy in government/military dealings.

    I'd agree those are important, but Mr. Snowden showed many abuses, many of which continue today. Far, far too often, I'd say the fruits of surveillance efforts were unnecessary for security.

    For those potential problems involving security, both Mr. Snowden and the Guardian attempted to work with the NSA to redact problem data.

Viewing 15 posts - 16 through 30 (of 55 total)
