
What Should We Do About Security Ethics?

kdawson posted more than 6 years ago | from the try-wikileaks dept.

Security 244

An anonymous reader writes "I am a senior security xxx in a Fortune 300 company and I am very frustrated at what I see. I see our customers turn a blind eye to blatant security issues, in the name of the application or business requirements. I see our own senior officers reduce the risk ratings of internal findings, and even strong-arm 3rd party auditors/testers to reduce their risk ratings on the threat of losing our business. It's truly sad that the fear of losing our jobs and the necessity of supporting our families comes first before the security of highly confidential information. All so executives can look good and make their bonuses? How should people start blowing the whistle on companies like this?"


What Should We Do About Security Ethics? (4, Funny)

doti (966971) | more than 6 years ago | (#23084660)

Ignore it?

Re:What Should We Do About Security Ethics? (1)

creimer (824291) | more than 6 years ago | (#23084682)

If you're a slacker, yes. Masterminds violate the heck out of security ethics before blaming the slacker.

There are very few ethical companies. (5, Insightful)

EmbeddedJanitor (597831) | more than 6 years ago | (#23085030)

Most are only limited by what the law allows. Although a company might speak of ethics, don't expect them to actually practice it.

And why bother about security ethics when there are much more important ethical considerations like how they treat staff? Again, most companies screw most of their staff to the limit of the law.

In short: If you're looking for ethics you got off on the wrong planet.

Re:There are very few ethical companies. (3, Interesting)

TheLinuxSRC (683475) | more than 6 years ago | (#23085258)

Most are only limited by what the law allows. Although a company might speak of ethics, don't expect them to actually practice it.

I agree with these two statements 100%, however...

And why bother about security ethics when there are much more important ethical considerations like how they treat staff? Again, most companies screw most of their staff to the limit of the law.

Treatment of staff is a strawman. It has no bearing on whether security is an issue. I was employed in a medical software company that did not treat their staff terribly yet managed to deploy products that were genuinely unsafe. This was in the imaging dept. of a medical records company - imaging handled diagnostic images as well as records for archival. This needed to be 100%+ HIPAA [hhs.gov] compliant and was nowhere close. While treatment of staff was decent, security with regard to medical records/images was not at all. I believe this to be an area where security is a huge priority over how the staff is treated.

Re:There are very few ethical companies. (5, Interesting)

Anonymous Coward | more than 6 years ago | (#23085458)

Don't even get me started. I work at a company which makes document imaging software and our customers send us all kinds of crap that honestly, scares the shit out of me. Not to mention information specifically protected by law. Most of the time, I get the sense that the sender didn't even remotely think about it. All they know is "this is not viewing/printing how it should" and so off they send it, as an attachment on unencrypted email.

So now I am put in the position of -- do I actually work on the client's problem? Or do I immediately destroy the information and tell them they are a dumbass? You know what the reality is? The highly sensitive document gets printed out, sometimes hundreds of times (as I tweak things during the debugging process), and I try to shred everything but when there's hundreds of copies, I'm sure I've missed one. If I was unscrupulous I could have made several million dollars off the information I see on a daily basis and I'm not exaggerating. Millions. Honestly it pisses me off.

Three Words: (5, Insightful)

canUbeleiveIT (787307) | more than 6 years ago | (#23084662)

Cover your ass.

Re:Three Words: (5, Insightful)

NeverVotedBush (1041088) | more than 6 years ago | (#23084814)

Actually this is probably better advice than most realize. I don't know if it was tongue in cheek or not, but it is damned good advice.

Where I work, security is a really big issue and I have to deal with people all the time that don't realize that security is something they should consider with every decision they make during the day. Needless to say, many don't feel the same way. They are about to get raked over the coals by management.

Unfortunately for some, they are in the crosshairs for their lax stance on security. I don't know what management is going to do with them, but management knows who they are and they stand a good chance of at least reprimands and loss of pay increases, and at the worst for them, pink slips.

Anyone in IT who thinks data security isn't their job is fooling themselves and setting themselves up for a new career. If you read the SANS Newsbites, you see breach after breach and people getting sacked or worse.

People need to tighten up their systems, audit their systems, run configuration management, and even penetration test their systems. If you can show you are at least trying to cover your ass, you stand a better chance of being seen as proactive and trying to protect the company even if it does get breached.

But if something happens and it comes time to pick up the pieces, and all you can say is well, we shoulda done that but we didn't, you might want to have a plan B in terms of a career because you will probably need it.

Re:Three Words: (4, Insightful)

zappepcs (820751) | more than 6 years ago | (#23084974)

This is about as good as I know to do. Document everything. Where I work, I politely make my senior (not plural) aware of something I see as a security risk and ask for direction after giving what I think are the two-three possible methods to cure the issue. If that direction is 'do nothing' or worse, I have at least documented it. I always do this with a follow up email, or as part of my bi-weekly report.

When I am running a tech project at work, I simply schedule resources in the project plan for security assessment and risk abatement. If these are cut from the resource budget of the project, it is documented on whose authority such was removed from the project.

Basically stated: COVER your ass, and those below you. When those internal emails get leaked onto the internets or wikileaks it will be you shown as having 'concerns' about the security practices, and others who are guilty of the massive security problems being allowed to propagate. That makes finding the next job much easier.

Additionally, all managers can find a few hours here and there within their department resources to do some security auditing and testing. Showing these results on your status reports documents proactive use of company resources. Additionally, if you can show that customer xyz just survived an attack because of something you did, you may end up being given more slack to accomplish your true and altruistic goals (that is a sad state of affairs) of providing secure products and services. Each time the company suffers a loss through security problems and documents the cost of recovery, you can show next time what security auditing would have saved them if they had taken actions earlier, such as the nice plan you hand them to peruse which would stop future such attacks.

Re:Three Words: (1)

mrsteveman1 (1010381) | more than 6 years ago | (#23084994)

Pink slip eh....that doesn't sound so bad.

What can i redeem it for?

oh PLEASE say action figures and concert tickets!

Re:Three Words: (2, Insightful)

NeverVotedBush (1041088) | more than 6 years ago | (#23085078)

The job market isn't all that good out in the real world right now -- especially if you have been fired for cause.

Why add another hurdle to finding a job?

And that kind of attitude is what I see in some of my coworkers. Smartass people who think they know it all and just don't care about consequences. And coincidentally, those are the same ones in management's crosshairs. Pretty much without exception.

Re:Three Words: (2, Interesting)

Heembo (916647) | more than 6 years ago | (#23085304)

If you read the SANS Newsbites, you see breach after breach and people getting sacked or worse.
Ouch, you are implying SANS has integrity. Newsbites is an advertising vehicle for one of the most low-integrity organizations in the security industry. For real information, Bugtraq is where it's at.

Re:Three Words: (0)

Anonymous Coward | more than 6 years ago | (#23085034)

Very true, no matter which option he takes... That said, is it just the Slashdot in me that makes me read this:

I am a senior security xxx in a Fortune 300 company and I am very frustrated at what I see. I see our customers turn a blind eye to blatant security issues, in the name of the application or business requirements. I see our own senior officers reduce the risk ratings of internal findings, and even strong-arm 3rd party auditors/testers to reduce their risk ratings on the threat of losing our business.
... and think it means he works for Microsoft?

Re:Three Words: (2, Informative)

Heembo (916647) | more than 6 years ago | (#23085342)

... and think it means he works for Microsoft?
MS spent billions to improve AppSec. They take it seriously, because customers screamed so loud. The secret? Fortune *300*. The company you are looking for is here: http://money.cnn.com/magazines/fortune/fortune500/2007/full_list/201_300.html [cnn.com]

Re:Three Words: (2, Funny)

wellingj (1030460) | more than 6 years ago | (#23085496)

There are some really scary ones in there.

Google
Bank of New York
SAIC
Amazon.com

But my bet is on Toys "R" Us

And also... always remember that... (3, Insightful)

Nick Driver (238034) | more than 6 years ago | (#23085184)

...he who dares tell the Emperor that he's wearing no clothes gets his head chopped off.

Re:Three Words: (1)

Heembo (916647) | more than 6 years ago | (#23085260)

Cover your ass.
This is the only way to roll. Email the Security Officer about your disagreement over the issue at hand, and include factual evidence. CC the CEO. Print out a copy for your personal records and use registered mail to mail it back to yourself. When the PCI/SOX/HIPAA/etc shit hits the fan, bust out the sealed envelope.

It's really simple. (0)

Anonymous Coward | more than 6 years ago | (#23084664)

When the companies start following ethics, we won't have to blow the ethics whistle on them.

Gee, I dunno (4, Insightful)

Gewalt (1200451) | more than 6 years ago | (#23084674)

how about you gather some evidence and publish it?

Of course, you'll lose your job over it. So decide now. Do you want to sleep at night? Or do you want to feed your family?

Re:Gee, I dunno (3, Funny)

Anonymous Coward | more than 6 years ago | (#23084820)

how about you gather some evidence and publish it?

Of course, you'll lose your job over it. So decide now. Do you want to sleep at night? Or do you want to feed your family?
That is one end of the spectrum. Another is to gather some evidence in order to ensure job security and hefty pay raises!

Re:Gee, I dunno (1)

The Analog Kid (565327) | more than 6 years ago | (#23085276)

Indeed, when they fire all the higher ups, you can move in and take their former positions. That is if the company is still standing, and none of this ever got out.

Re:Gee, I dunno (1)

snl2587 (1177409) | more than 6 years ago | (#23084928)

Lose your job over this? Probably not necessary. But I would recommend documenting everything you've noticed and told your boss in a detailed set of memos so that you're safe if an ethics committee ever investigates. If that's what you're worried about, of course.

Going the "get fired" route is probably a really bad idea under normal circumstances as you're likely to be passed up for jobs in the future for "lack of loyalty" or whatever the hell they're calling it now. Publishing anonymously, like on Wikileaks, would be better if you really feel the need to publicize it.

Re:Gee, I dunno (1)

whoever57 (658626) | more than 6 years ago | (#23085436)

But I would recommend documenting everything you've noticed and told your boss in a detailed set of memos so that you're safe if an ethics committee ever investigates. If that's what you're worried about, of course.
You probably want to document it in a format that does not alert your boss to the real danger, but later, when people are looking for a scapegoat, will show that your boss was negligent in not following up your report.

Re:Gee, I dunno (1)

mrsteveman1 (1010381) | more than 6 years ago | (#23085000)

I dunno, you could also just make it publicly known how incompetent your security practices are, without being "that guy".

Wikileaks (5, Informative)

Mondo1287 (622491) | more than 6 years ago | (#23084680)

Re:Wikileaks (1, Redundant)

BountyX (1227176) | more than 6 years ago | (#23084706)

i also want to encourage you to wikileak it.

Re:Wikileaks (4, Insightful)

couchslug (175151) | more than 6 years ago | (#23084758)

If you leak it, not only do it on the sly in a manner that can't be traced to you (or you'll probably never be hired in a position of trust again!) but have an authentication method that can PROVE it's you in case the Feds come looking and you need to roll over.

Re:Wikileaks (5, Interesting)

Anonymous Coward | more than 6 years ago | (#23085088)

I work for a very large US government department. Our agency oversees all of the child agencies. If we leak information about how we fast-talk the 20-some year old college graduate security auditors that know jack about computers, we would surely lose our contract. Our contract pays big, on the order of a few million per year. We have a total staff a little over 20, do the math. If the federal IT director says to do it one way, we do it that one way to ensure nice paychecks to our employees.

Now, I am one of these employees and I'm not going to watch my job burn because the government is hiding blatant security problems. The next person that comes in will comply the same way and I'm left searching for a new job. No. What I do is purposely delay audit results. Miss a deadline here and there. Specifically mention other areas of concern while satisfying the customer by fast talking through another area. Results? It turned your government's security finding report from a B to a D. This past year sucked, work wise, but we're far more secure now than we were a year ago.

Just to scare you some more, we were sending backup tapes offsite without using encryption. We also didn't encrypt our laptops until the day before the government stipulated deadline. The best one? One of our budget management systems runs a public X server as root. Guess what else? We hold tons of medical, legal, and personal information for a very large number of you Americans. Yea.

You're damn right we need to change how we address security concerns. I have no ideas on how to change this, so I will continue to be very cautious in my personal life. I will also continue to take contracts like this to ensure I can feed my family for the next couple of decades.

Re:Wikileaks (2, Interesting)

NoobixCube (1133473) | more than 6 years ago | (#23084976)

This is pretty much what Wikileaks is for. Though if you're in Australia, that avenue will soon be sealed off from you if that new law gets approved. All in the name of our safety, of course. Can't have terrorists bringing down the economy by trying to improve it.

Re:Wikileaks (1)

Deanalator (806515) | more than 6 years ago | (#23084998)

full disclosure
full-disclosure@lists.grok.org.uk

Re:Wikileaks (0)

Anonymous Coward | more than 6 years ago | (#23085096)

http://www.wikileaks.org/wiki/Wikileaks

Speaking of which, Wikileaks and most/all of its mirrors were down this morning. Was it a random glitch, a DDOS by the Scilons for the thousands of pages of cult secrets that went live today, or a DDOS by the Chinese for the Tibet pix, or something unrelated?

Meh (0)

Anonymous Coward | more than 6 years ago | (#23084684)

Leak the data/information :)

How my company handled it. (5, Informative)

awyeah (70462) | more than 6 years ago | (#23084704)

It's more common than you think. Some of it is due to laziness, some due to a lack of knowledge, and some due to time constraints. Fortunately, for the really sensitive information, management at my company finally put into place very strict policies on how we handle the data: How we store it, erase it, encrypt it, and display it. Granted, most of these policies are actually put in place by vendors that require it, but we've taken those standards and extended them across all sensitive information.

If you're failing SOX/SAS-70/404 audits (or whatever types of audits apply to you)... that's bad, although you've already identified that.

We formed a data security team - it's just one dedicated person right now, but since he's really only involved with the policy stuff, that's enough for us - however, he does hold frequent and regular meetings with management across all departments. The DS team recently published our "best practices" which every developer now has posted at his/her desk.

Because management took this very seriously, we became one of the first companies in our industry to have all of the current versions of our software fully compliant with industry security standards.

If there are no standards set forth for you, I suggest you make your own. It takes time and they must be well thought out, and no compromises can be made (that's a bad pun, sorry). Use your audit results (the actual audit results, not the strong-armed ones) as a baseline for improvement. Dedicate a resource to data security. Whatever you have to do. Since you're a senior level person, you should be able to convince people to allow you to do it.

If you have security issues and a breach occurs, well... I think you know what could happen.

Good points... (1)

jd (1658) | more than 6 years ago | (#23085068)

...but one thing that would improve matters is if sensitive information automatically kicked in compulsory external audits by some independent watchdog. That would require some creative legislation, not only to make acceptable to courts, corporations, etc, but also to keep sufficiently current that poor practices or malpractice aren't actually required. That, I fear, is beyond any Government currently out there, and given the track record of Governments on IT issues, I suspect skepticism and wholesale rejection by the industry to be a more likely response than improvement on practices. Mind you, given that IT is often an afterthought of corporations and security is but a fleeting glint in the eye of IT, I suspect wholesale rejection would be the end result regardless.

Re:How my company handled it. (2, Insightful)

Martin Blank (154261) | more than 6 years ago | (#23085238)

Standards are often slow to form, and then just as slow to be bought into. Everyone knows that they're needed, but they're too often set aside "just for this one thing."

I think one of the problems is the idea that has become prevalent that "business drives IT." This is taken by many to mean that business decides what IT does, and that IT's rules have to bend to the desires of business whenever they clash. Personally, I think this is asinine, especially because it leads to a completely unnecessary adversarial relationship. I was told once that if IT was going to start telling business what it could and could not do, they'd go back to filing cabinets and typewriters. Not at all realistic, but it shows the frustration levels that are present.

While it's true that without business, there would be no IT, the reverse is also true -- no IT, no business. It has to be a partnership. There are people on our side of the fence that are just as bad, and sometimes worse. Between business managers feeling superior because they fund IT and IT people feeling superior because they support the business applications, the battle of egos can only end up hurting the overall enterprise.

Re:How my company handled it. (2, Informative)

pclminion (145572) | more than 6 years ago | (#23085480)

If you're failing SOX/SAS-70/404 audits (or whatever types of audits apply to you)... that's bad, although you've already identified that.

Now how the FUCK can you fail a SAS-70 audit? You get to set your own damn criteria for passing!

Ethics? Where? On Slashdot? (3, Interesting)

Anonymous Coward | more than 6 years ago | (#23084708)

I work for many clients, most are lobbyists and lawyers. Ethics are different for everyone.

We have laws to restrict what people do and police to enforce those laws.

I know of one client, in an attempt to get a Federal contract, created a multi-million dollar program just to meet the "green" requirements that the Federal government is placing on new contracts.

Turns out - nothing much is being done except the bare minimum.

What is ethical is very different from that which is legal.

Because of my personal beliefs which stem from an often insulted and bashed faith, constantly mocked here on Slashdot, I do not sell the information I am privy to.

Re:Ethics? Where? On Slashdot? (1, Insightful)

Anonymous Coward | more than 6 years ago | (#23084804)

Because of my personal beliefs which stem from an often insulted and bashed faith, constantly mocked here on Slashdot, I do not sell the information I am privy to.
Nothing funnier than a whining Christian with a persecution complex.

Re:Ethics? Where? On Slashdot? (0)

Anonymous Coward | more than 6 years ago | (#23085038)

No wonder jesus ended up on the cross

Re:Ethics? Where? On Slashdot? (1)

Anonymous Coward | more than 6 years ago | (#23085160)

You mean the punishment he brought upon himself through his own traitorous actions against Rome? There's no difference in the way that the US treats its own traitors. In Rome they'd crucify their traitors and in the US we hang em. You aren't a martyr same as the vast, vast majority of the other 2 billion Christians out there. The Christians in the US who constantly whine and cry about how they are being persecuted do nothing but spit on the actual persecution that people in other countries truly face.

BTW not getting special treatment from the government and being disallowed from forcing kids in schools to pray to only your god isn't persecution. Though I'm well aware that your average Christian isn't able to understand this.

Re:Ethics? Where? On Slashdot? (2, Funny)

Lunix Nutcase (1092239) | more than 6 years ago | (#23084812)

So you're saying that you're a Muslim?

Re:Ethics? Where? On Slashdot? (2, Funny)

Lunix Nutcase (1092239) | more than 6 years ago | (#23084944)

Awwww, the user behind this AC post must be really PMSing today to mod me down.

Re:Ethics? Where? On Slashdot? (3, Funny)

eln (21727) | more than 6 years ago | (#23084880)

Because of my personal beliefs which stem from an often insulted and bashed faith, constantly mocked here on Slashdot, I do not sell the information I am privy to.
I have a very strong sense of ethics too, and don't sell the information I'm privy to either. Since you say these beliefs stem from your faith, then we must be of the same faith. Always nice to meet a fellow atheist.

Re:Ethics? Where? On Slashdot? (1)

zonky (1153039) | more than 6 years ago | (#23084896)

Are you Tom Cruise's Agent?

Re:Ethics? Where? On Slashdot? (0)

Anonymous Coward | more than 6 years ago | (#23085366)

Because of my personal beliefs which stem from an often insulted and bashed faith, constantly mocked here on Slashdot, I do not sell the information I am privy to.

So get over it. What "faith" or religious belief out there isn't insulted and bashed is some culture? You think that your beliefs have a monopoly on getting insulted? Get in line brother.

Re:Ethics? Where? On Slashdot? (1)

Lunix Nutcase (1092239) | more than 6 years ago | (#23085432)

But you forget the fact that Christians are the stalwarts of religious tolera... BWAHAHAHAHAHAHAHAHAHAHA. Sorry, couldn't keep a straight face.

Ethics in Business (2, Insightful)

TheRecklessWanderer (929556) | more than 6 years ago | (#23084720)

It's interesting that you talk about ethics in one branch of business, when clearly, there is a lack of ethics in most branches of business.

Unfair labor practices, shady reporting practices, Enron, The entire legal profession, The entire political category (is it truly a profession).

The point is, why single out one area of unethical behavior? Does it surprise you that the executives in our (Techie's Rule) should be any different?

Most executives make their way to the top by lying, cheating and stealing better than the next guy.

What can you expect?

Re:Ethics in Business (2, Insightful)

compro01 (777531) | more than 6 years ago | (#23084760)

The point is, why single out one area of unethical behavior?
because it's the area most of us are in and the area most of us are most likely to be able to have an effect on.

Re:Ethics in Business (1)

The End Of Days (1243248) | more than 6 years ago | (#23084780)

Your brush is too broad to take you seriously. Sorry.

Part of the precipitate (4, Insightful)

overshoot (39700) | more than 6 years ago | (#23084854)

It's interesting that you talk about ethics in one branch of business, when clearly, there is a lack of ethics in most branches of business.

No, not really. After all, there are children dying of AIDS in Africa, of hunger all over the world. Old people are being neglected, education is a mess, etc. Apparently your strategy is to give up on doing anything because we can't do everything. The advantage of this approach is to make the problem so far beyond our powers to solve that we can justify not even trying.

In response, I call your attention to the words of a sage from when things were a hell of a lot worse: "It is not for you to finish the task - nor are you free to desist from it."

It may be trite, but doing something to improve one corner of the world beats whining on /. about how bad it all is.

"Most" executives? (1)

mi (197448) | more than 6 years ago | (#23085522)

Most executives make their way to the top by lying, cheating and stealing better than the next guy.

Wow! Do you have numbers to back up the above assertion?

Think about where the problem really lies (4, Insightful)

jay2003 (668095) | more than 6 years ago | (#23084726)

Ask yourself whether your "internal findings" are really representative or just attempt to CYA in case there is a problem. Coming at this problem from the side of someone whose job it is to get things done rather create objections, I frequently see security people asking for extremely expensive security "enhancements" that provide marginal if any value.

All business decisions should be made on the basis of cost-benefit analysis. Most staff positions including security usually do a poor job of assessing either side and instead focus on potential risks without quantifying them. Just because security would be better by doing X, does not mean X is a good idea. If X is really expensive and your competitors do not do it, your firm is now at a cost disadvantage which depending on the industry can be catastrophic.

I really have no way of knowing whether the actions you are talking about are really negative expected value actions or not in the sense that over a long period the risks involved will be realized and the damage will be far greater than the cost of taking preventative action. However, changing ratings is troublesome. A much better process is a well defined override or exception procedure. The business should understand what they are doing. A rigid system that says we can not do anything rated 'Y' even if there is 100M at stake will only result in the rating being changed.

Re:Think about where the problem really lies (1)

Lunix Nutcase (1092239) | more than 6 years ago | (#23084878)

Yeah, we sure can't have companies worrying about the security of classified information if it's going to hurt the bottom line!

Re:Think about where the problem really lies (2, Insightful)

jay2003 (668095) | more than 6 years ago | (#23084972)

One of the problems with the question is that there is no mention of what is at stake if this breach occurs.

Is it national security?

Is somebody going to die or come to serious harm?

Or is it more mundane? Maybe some future business ideas will leak out and diminish their value. There's a whole spectrum of possibilities and the mundane ones ought to be decided on cost.

After all the most secure computer is one that's kept in a locked, guarded room with no network connections whatsoever. It's just not a very productive setup.

Re:Think about where the problem really lies (0)

Anonymous Coward | more than 6 years ago | (#23085456)

I agree entirely. In my experience, security people tend towards ideological and unreasonable (probably a consequence of the previously mentioned ideology).

That said, I think too few designers worry about security when designing a system and too many security people got interested in security because they're *not* designers.

I've learned something recently--why not plan for people to break out of whatever sandbox they're in and just design the least interesting sandbox possible?

To use an example from my current work, we spent a bunch of money for this complex* security framework that's used to contain daemons where we would've been far ahead by just designing critical daemons in a way that breakouts wouldn't matter beyond a DOS.

*complex in that another team in a different country (developing a security product no less) misconfigured the system and we ended up with an exploit our purchased framework would've prevented if it wasn't so damn difficult to get right.

Re:Think about where the problem really lies (3, Insightful)

Fnord (1756) | more than 6 years ago | (#23085490)

This is the problem with modern business methodology. Engineers do cost-benefit analysis also, but not with monetary cost. Every design decision in a piece of software is a balance of how much CPU time does this save me vs. how much memory does this eat up vs. how much complexity does it add to my system, etc.

But before cost-benefit analysis even begins, problems to be solved are classified by their risk. There is a class of problems that absolutely must be solved regardless of the cost. If you're writing a filesystem, anything that has the remotest chance of data loss is unacceptable, regardless of how slow it is. If one of these crucial elements costs too much for the system to handle, take out something else.

A large number of businesses don't seem to see anything as unacceptable risk. Medical companies, car manufacturers, baby toy manufacturers, etc. consider anything that could possibly cause loss of human life an unacceptable risk. Banks and retailers should treat anything with the remotest possibility of leakage of customer data as a must-fix problem, and this means IT security should get done, regardless of cost.

Essay: Catch 222-22-2222 (4, Interesting)

ThinkComp (514335) | more than 6 years ago | (#23084730)

I wrote an essay about this very issue a while back.

http://www.aarongreenspan.com/essays/index.html?id=9 [aarongreenspan.com]

The sad fact is that I don't report flaws anymore because I've been threatened too many times.

Re:Essay: Catch 222-22-2222 (1)

NeverVotedBush (1041088) | more than 6 years ago | (#23084870)

I've also been threatened. It's a very bizarre world out there.

Re:Essay: Catch 222-22-2222 (3, Informative)

oyenstikker (536040) | more than 6 years ago | (#23084938)

It isn't bizarre. It is very simple. To any business, an amount of money larger than the profit they will make from you until the person in charge leaves is worth more than your life. If you are an ex-customer, they'd rather see you die than lose $1.

Company Loyalty? (1)

visualight (468005) | more than 6 years ago | (#23084746)

Is it ethical to place the interests of your employer above the needs of yourself or your family?

Not much (4, Interesting)

MBCook (132727) | more than 6 years ago | (#23084750)

I don't see how there is much you can do. There was an article here a few months ago about a group that started sending out bad XML because too many people were using the DTD they were hosting, to the tune of 10,000s of hits a day that were completely unnecessary.

The company I work for (not Fortune 500, smaller) sees some stuff that continues to floor me. Our dealings are mostly transactions of information (containing important things like bank accounts) between our computers and those of other companies. We have had to, quite a few times, flat out turn people down because they refuse to run securely. Not without massive DB encryption. Not hashing everything. Just not using SSL, an easy-to-implement addition on top of HTTP (which carries our conversations with people).

Every two months or so, we are put in the position of telling people that the SSL certificate on their production system expired last night. This usually entails a discussion as to why we can't just let them slide, or give them a day, etc. We've had people switch off good SSL certificates from very valid authorities to self-signed certificates.

In fact the expiration problem happened enough that someone seriously suggested we consider making a little program to check people's certificates and warn us when they were going to expire so we could warn them. Things got better and it didn't happen. Many people just don't care.

I'm not sure how this happens either. We recently let a certificate lapse on a domain we stopped using and gave up on. For the 6 months before it expired I got emails from the certifying company up to one every 2 weeks or so at the end. Then they called our office to make sure we knew it was about to expire and to find out if we really wanted that to happen. Then today, a few weeks after it expired, I got an email reminding me that it expired and they'd be glad to renew it. I don't know how many companies are this proactive about renewing SSL certs, but I'd have had to have my head buried pretty far in the sand to not have noticed all that.

We've seen plenty of poor security designs. I don't expect other operations to be perfectly secure. But the number of these companies who seem either ignorant or dismissive of SSL continues to surprise me from time to time.

Best advice? If you can at all, shut them down. Very few of the companies we have worked with have been very nice about turning on SSL. Some have said "just add S to the URL" (it was secure, they just didn't give us that URL). Some have said "sorry, we'll get that right up". More than a few have not been that easy. Turning people off is the best power we have. If your contracts are big enough (as a Fortune 300 company, they might be) you could try to put security provisions in them with penalties for shenanigans. But we've found that when discussions aren't working, just disconnecting people usually gets their attention.
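The little expiry-checking program suggested in the post above, written here as an added example rather than MBCook's own code: it evaluates certificates in the dict form Python's ssl.SSLSocket.getpeercert() returns, flags ones that are expired or about to expire, and also catches the swap to a self-signed certificate the post complains about. The partner hostnames, dates and certificate fields are constructed.

```python
"""Partner certificate monitor: warn before expiry, flag self-signed swaps."""
import ssl
from dataclasses import dataclass, field

# Warn when a partner's certificate has fewer than this many days left.
WARN_DAYS = 30

# Constructed "current time" so the example is deterministic (the thread
# dates from April 2008). In production use time.time().
NOW = ssl.cert_time_to_seconds("Apr 15 00:00:00 2008 GMT")


def _rdn_dict(name):
    """Flatten getpeercert()'s ((('k', 'v'),), ...) name encoding to a dict."""
    return {k: v for rdn in name for k, v in rdn}


@dataclass
class CertStatus:
    host: str
    days_left: int
    self_signed: bool
    problems: list = field(default_factory=list)


def check_cert(host, cert, now=None):
    """Evaluate one certificate dict as returned by getpeercert().

    Problems reported: 'expired', 'expiring' (inside WARN_DAYS), 'self-signed'.
    """
    now = NOW if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now) // 86400)
    # A certificate whose issuer equals its subject was not signed by a CA.
    self_signed = _rdn_dict(cert["subject"]) == _rdn_dict(cert["issuer"])

    status = CertStatus(host, days_left, self_signed)
    if not_after <= now:
        status.problems.append("expired")
    elif days_left < WARN_DAYS:
        status.problems.append("expiring")
    if self_signed:
        status.problems.append("self-signed")
    return status


def scan(certs, now=None):
    """Check every partner cert; return only the problematic ones, most urgent first."""
    results = [check_cert(host, cert, now) for host, cert in certs.items()]
    return sorted((r for r in results if r.problems), key=lambda r: r.days_left)


def report_lines(statuses):
    """Human-readable warning lines, one per problematic partner."""
    return [
        f"{s.host}: {', '.join(s.problems)} ({s.days_left} days left)"
        for s in statuses
    ]


# Constructed sample data in getpeercert() shape. Only the fields the
# checker reads are included.
def _cert(cn, issuer_o, not_after):
    return {
        "subject": ((("commonName", cn),), (("organizationName", "Partner"),)),
        "issuer": ((("commonName", cn if issuer_o is None else "Example CA"),),
                   (("organizationName", issuer_o or "Partner"),)),
        "notAfter": not_after,
    }

CERTS = {
    # Healthy: CA-issued, 76 days left.
    "partner-a.example": _cert("partner-a.example", "Example CA", "Jun 30 23:59:59 2008 GMT"),
    # Expired last night, the case the post describes.
    "partner-b.example": _cert("partner-b.example", "Example CA", "Apr 14 23:59:59 2008 GMT"),
    # Replaced a CA cert with a self-signed one that also expires in 16 days.
    "partner-c.example": _cert("partner-c.example", None, "May 01 00:00:00 2008 GMT"),
}

if __name__ == "__main__":
    for line in report_lines(scan(CERTS)):
        print(line)
```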

Re:Not much (2, Funny)

Qzukk (229616) | more than 6 years ago | (#23085434)

I'm not sure how this happens either. We recently let a certificate lapse on a domain we stopped using and gave up on. For the 6 months before it expired I got emails from the certifying company up to one every 2 weeks or so at the end.

Actually, it's pretty easy. See, Jim punched in his email address back when we first got the certificate, so we'd been getting the notices at jim@example.com. Things were fine for a while, but then Jim moved on to another company. Fortunately, we had another Jim, so we just gave the email account to him when the first Jim left, and things were fine.

Last month Jim turned in his two weeks' notice.

By the way, we've got an entry level opening some of you might be interested in, just need a PhD, 10 years experience in C#, salary starts at $45k. Oh, and you have to be named Jim. Just send your resumes to jack@example.com...

fire the CEO (1)

PetriBORG (518266) | more than 6 years ago | (#23084752)

I've been in enough places at this point to know that security does not matter.

As much as it pains me to say it, there just isn't a good enough reason to do it. I think that's why it's the OpenBSD guys that end up providing OpenSSL and SSH and the like... Corporate pressure just kills any desire to get security right.

Of course, the languages and libraries do not help the issue. It's just too easy to make stupid mistakes that result in code with security problems. People always argue that security will always make your software more difficult to use and to write - but I don't buy that. I just don't think we've yet invested enough programmer time into the problem.

Re: Developer time (1)

perlchild (582235) | more than 6 years ago | (#23085098)

Security happens when you think things through.

Thinking things through all the time is hard

Security makes things harder

More developer time can at best, optimise how much we have to think before we act. But as long as users can't act without thought, they will think it's "hard" and will try not to do it.

Battle between developers and human nature, human nature wins.

That's to use, not to write though; more secure code should be easier to understand and debug, and actually be easier to write (provided you take the time to do it right). Good, fast, cheap, pick two.

Bosses don't fear security breaches (4, Interesting)

Anonymous Coward | more than 6 years ago | (#23084754)

Security won't be taken seriously until the powers-that-be worry that they will be directly impacted. A giant security breach that compromises tens of thousands of other people doesn't worry them. Once someone brings a successful (maybe class action) lawsuit and wins a lot of money, the powers-that-be will start paying attention.

It is strange. We can't let a piece of equipment that isn't UL approved within a mile of our building. We have a guy whose whole job is to audit all the equipment and make sure it conforms. Security, on the other hand, isn't audited. The bosses sure don't fear us the way they fear the outside people who do all the other audits.

Clearly it would be a good thing if someone were setting standards for security the way UL does for electrical equipment. It would be good to have outside auditors. Only then will the in-house security people get any respect.

Re:Bosses don't fear security breaches (1)

NeverVotedBush (1041088) | more than 6 years ago | (#23084908)

Check out NIST: http://csrc.nist.gov/ [nist.gov]

They not only have standards to follow but also scripts that can check security configurations to tell you if you meet standards or not.

I know DHS gets mocked a lot but they are working with NIST to help harden computer systems. It's worth checking out.

How to blow the whistle (4, Insightful)

overshoot (39700) | more than 6 years ago | (#23084762)

Step one: gut check.

Step two: Find another job. If you take a cut, see step one.

Step three: Pull no punches when you resign. Leave a resignation letter stating that you cannot in good conscience continue to sweep serious liabilities under the rug, and that under the circumstances you have no choice but to leave. Copy the BOD. If you want to really play hardball, copy the company's liability underwriters.

Make no mistake, this is a major bridge-burning exercise. It may turn out to be the best thing that ever happened to your career, but don't count on it. See step one.

Re:How to blow the whistle (1)

SirGarlon (845873) | more than 6 years ago | (#23085302)

Sounds like a great way to get blacklisted. I'd recommend leaving without comment.

n a Fortune 300 company (1)

frovingslosh (582462) | more than 6 years ago | (#23084790)

"How should people start blowing the whistle on companies like this?"

Unh, perhaps by having the guts to name the company and maybe even the data at risk, rather than just saying n a Fortune 300 company. Oh, I guess you don't want to risk your bonus either, or maybe your job is more important than the safety and security of the citizens of your country. So why the hypocrisy to act like it's only your bosses who are vile evil bloodsuckers hiding the truth for their own enrichment?

Re:n a Fortune 300 company (1)

NeverVotedBush (1041088) | more than 6 years ago | (#23084956)

It's easy to criticize when you aren't the one in the hotseat. Sometimes, working from the inside to make things better, in spite of what management wants, can be the better approach. If the poster is being confronted with big security issues, and management that thinks they can skate (or are betting they can skate), and really confidential data is at risk that would harm people if it were compromised, working from the inside to change attitudes is sometimes the best way.

Maybe signing up for SANS Newsbites and sending management a few blurbs about what has happened to other companies and people who get held responsible for breaches might wake management up a bit.

These days breaches and compromises get pretty good press and there can definitely be some big monetary (or worse) consequences for those responsible when they do. When people see how things can really go bad, they tend to get a conscience.

Re:n a Fortune 300 company (1)

jrothwell97 (968062) | more than 6 years ago | (#23085192)

But what's the point in that? If we knew, the said F300 company would immediately become a target for corporate espionage, malicious hackers and crackers and all sorts of other nasties. That would be catastrophic for the company, and customers' (and members of staff's) personal data.
There's a reason why security flaws are almost never reported by whistleblowers. Almost all data protection scares in the news ONLY occur once a breach has occurred, and the damage has been done. Naming the company would be like erecting a sign reading "OSAMA BIN LADEN'S CAVE: COME IN, THE DOOR'S UNLOCKED."

Consider very carefully if it's worth it. (1)

Vellmont (569020) | more than 6 years ago | (#23084808)

"How should people start blowing the whistle on companies like this?"

If it's as bad as you're indicating, everyone learns eventually, even if it's the hard way. What you need to consider is, is it worth it?

The questions I'd ask are:

Are people's lives at risk from these vulnerabilities?
Are people's lives going to be ruined because of these vulnerabilities?
Is the company at serious threat of going under because of these vulnerabilities?

If you can answer yes to one or more of these questions, you might consider risking your job because of it, especially the first two. If you can't answer yes to any of these questions, maybe it's best to either quit, or CYA. The latter means making sure everyone knows what the situation is, and that they've ignored it (be sure to get written documentation that they've done this). If you're going the CYA route, you can't make a big enough stink to get fired, but you can't be quiet enough that you'll eventually get the blame when it comes down.

Kay Sara Sara (3, Informative)

WwWonka (545303) | more than 6 years ago | (#23084816)

Just let them be.

I too worked for a company that catered to the people that made money for it. $40 billion+ in assets at the time. No matter how hard I tried security ALWAYS took a back seat to profit, ease of use, and not rocking the boat. I was the head of network security, there was not even a CSO. The hierarchy wasn't even in place. One day I even saw a live network hack in progress as one of our network engineers was using a VNC server not protected by our corporate firewall! Someone on the outside had found it and started using his desktop! I couldn't believe my eyes! In the end it came down to me just accepting that this company, and a vast majority of corporations, will always and forever be run this way...until, of course, the proverbial $#It hits the fan, at which point I didn't want to be there.

So I left and never looked back. I suggest that this also be your course of action before the one left holding the bag is you.

make a false save (0, Troll)

circletimessquare (444983) | more than 6 years ago | (#23084824)

unknown intruders penetrated xxx, because of security failure yyy you have always complained about, and the only reason you just happened to catch it is because you implemented zzz as an afterthought

the catch of course, is that you are also the intruder, and the whole exercise was to deliver a lesson: things are too lackadaisical

that you look like a hero is just gravy

and if you think it is too risky to fake the intrusion, i guess you aren't up to the high standards you hold others by, huh?

put your money where your mouth is, or swallow your anxiety

Happening in all industries for eons. (1)

liftphreaker (972707) | more than 6 years ago | (#23084838)

This sort of unethical high pressure tactic has been happening in not just your industry but in almost every other big-money industry for ages. Banks like Citibank used the same tactic to pressure stock analysts to give Enron a high rating or risk losing business, since Enron at that time was a great source of money for Citibank, Credit Suisse, Lehman Bros, JP Morgan among others, as they were the ones who helped inflate Enron's shares through their enormous Ponzi schemes.

quit (1)

david_bonn (259998) | more than 6 years ago | (#23084842)

There's lots of other jobs out there where you won't be confronted with this quandary. You're never going to get any credit for pointing out the security problems of your current employer. You run considerable legal risks (and might, in practice, render yourself unemployable in the future) if you try to blow the whistle.

Find another job. Your family will be fed. You will also sleep somewhat better, except when you realize your ex-employer is still out there.

well that's simple (1)

ILuvRamen (1026668) | more than 6 years ago | (#23084850)

How should people start blowing the whistle on companies like this?

Um...anonymously! DUH! Post some internal e-mails or outgoing to vendor e-mails proving this bullshit to wikileaks using a proxy or something. Or anonymously e-mail the business owners or other high level people about what's going on. Unless they're the ones doing it, then sneak an e-mail to their bosses: THE CUSTOMERS! Lol send out a fake newsletter e-mail to everyone in the database saying you'd just like to let them know about the new security policies of ignoring massive problems and exposing their sensitive data.

Wrong thought line (1)

teh moges (875080) | more than 6 years ago | (#23084852)

You are looking at the problem from the wrong direction:

"the fear of losing our jobs and the necessity of supporting our families comes first before the security of highly confidential information"

And so it should.

However, you should put up a case to your higher ups about the business reasons why they need the security measures and that they need to be followed. The higher ups recognise this (in theory) and the practise of lowering security threats is classed as a "punishable offence". If a person's job is security, then their job should rely on that security being properly managed. If a critical security breach happens because of a "low risk" security bug, then heads will roll.

If you can't get the higher ups to understand, sit back, wait for the unavoidable security breach and begin your "I told you so" speech. Don't be aggressive, but highlight that with proper measures this can be avoided in the future.

Your options are to either collect evidence and go over the heads of your managers (don't be stupid, do it in an explicitly confidential/anonymous manner) or to sit back and not do anything. I do not recommend doing this without actual solid evidence or the only thing that will happen is a lot of blame passing and eventually you will be known as 'that person', despite your good intentions.

Explain yourself (1)

Meostro (788797) | more than 6 years ago | (#23084856)

Your best bet is to find someone higher up who understands the problem or to whom you can explain the problem.

You eventually need to get to a C-level officer, something like CTO or COO who can actually mandate change. Somehow, in the places that I've worked I've been lucky enough to have CTOs that understand the concept of (and need for) security. They made a lot of changes that made sense to me (passwords must be changed more than once every 3 years, user data must not be stored on local machines, principles of least access, etc.) but other users didn't understand the business need behind them. "Yes, your department could hit all of its goals and produce its reports a day faster if everyone had access to everything, but if you use these rules then you take the extra day and you know it's right because it's auditable!"

Convince them that your business goals will be met faster / more auditably / with less risk if you implement certain policies. Risk is your best friend, although it sounds like your upper-level managers ignore it rather than mitigate it. It's going to take you a while, so get started now. Does your boss understand the problem? If not, can you explain and convince them that you know what you're talking about?

If you can't explain or justify your views on security, either learn some more or find a new job - it's not worth your while or the damage to your reputation from being associated with an insecure company if your title is Senior Security anything.

Suck my dongle (0, Flamebait)

photomic (666457) | more than 6 years ago | (#23084874)

Did you ever think this environment was created because the security policies simply do not scale? There's a difference between best practices that keep information secure and having everyone use a dongle and a password that changes weekly to check their fucking e-mail. In my experience, also at a Fortune XX company, "security" is simply a one-size-fits-all plan to cover your ass, which usually results in the least convenient and productive practices possible for average Joe-user. For that matter, security "experts" are rarely experts in security at all; they've just survived the longest by sticking to kneejerk strategies. Because this is Slashdot, let me add that any shop that uses Microsoft in its security platform deserves a shareholder lawsuit. So there.

Re:Suck my dongle (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#23085048)

Because this is Slashdot, let me add that any shop that uses Microsoft in its security platform deserves a shareholder lawsuit. So there.
Fuck off you nigger dick sucking, lunix faggot.

it's as they say... (1)

chayharley (1273758) | more than 6 years ago | (#23084882)

no good deed ever goes unpunished...

Check out the culture. If doomed, leap. (4, Insightful)

Nefarious Wheel (628136) | more than 6 years ago | (#23084898)

In the spirit of "The Unwritten Laws of Business" (W.J.King, Profile Books) you need to choose your boss carefully. If the company you're with is not transparent enough for that, check their culture against the culture you'd like to associate yourself with. To do that, I'd suggest large amounts of common sense or read "Good to Great" (Jim Collins, check Amazon).

Don't be a whistleblower, be an activist for change. See if you have a risk compliance manager and talk to them, ask for their advice. At worst, you'll get your name known in the higher echelons, at best you'll get your own way. Most people will shy away from a confrontation, but love giving advice in a tricky situation.

Your mileage may vary, and I may be full of compost. Think and do.

Start at the top (1)

noz (253073) | more than 6 years ago | (#23084986)

Make an appointment with the CEO/MD with a draft of your findings. If he doesn't care, you shouldn't care.

hmmm... trouble (1)

suck_burners_rice (1258684) | more than 6 years ago | (#23085010)

Here's the trouble. If you rat them out, you'll lose your job and they'll make you look so bad you won't be able to get another job in this hemisphere again. But if you don't rat them out, then some security exploit will take place in the future, and 900,000,000 customers' private information will fall into the hands of some con artist in Zimbabwe, who will then proceed to jack a billion dollars from said customers, resulting in an investigation. (Luckily, each consumer will only lose a little more than a dollar, but it's still wrong.) And when you're at the deposition answering why the security problems existed and the issue comes up that you knew about them and didn't rat anybody out, then you will be held responsible for it. In other words, damned if you do, and damned if you don't.

My suggestion is that you should shut the heck up and at the same time gather evidence to make extremely clear what is happening in terms of security, evidence that is easy for any idiot to corroborate, but that doesn't violate any contractual obligations you might have or NDAs, that sort of thing. Do everything on the up-and-up but without exposing your name for the safety of yourself and your family. Send that info to CNN. They don't have to worry about getting fired. If it's really a Fortune 300 company, it's a well enough known brand name that any idiot will recognize it. That will get the management's attention to get the problem fixed. Next thing you know, they'll order you to run everything on OpenBSD heh heheh...

Document risk acceptance and reduction (1)

Raleel (30913) | more than 6 years ago | (#23085012)

Make sure that it's documented. Make sure that it's spread into multiple places who took responsibility for it.

Ask tough questions like "alright, this is exploited, what can happen? How much is that worth? What sort of risk reductions do we have in place?".

Fraudulent Security Audit practices (5, Insightful)

Anonymous Coward | more than 6 years ago | (#23085046)

I have had to make a similar choice twice now and both times, I had to leave the company to feel good about the situation. In one case, I also insisted that my name be removed from all company communications and government vendor documents. I do not regret my decision, although it has cost me.

You say you are an uber security drone with a Fortune 300 company and that you *know* of fraudulent business practices to help the company earn better ratings on its security policies. I'm guessing that some of these impact SOX/404, SAS-70, and probably ALL would be of concern to the company's shareholders and business trading partners. Like it or not, you are now either complicit or you are obligated to inform oversight authorities. Your first duty should be to your own profession's standard of behavior, your second to the company shareholders, your third to the public's interest, and last to your management chain.

You seem to be entertaining the idea of moving management's priorities to the head of the list and that would be to make yourself complicit. The fact that it would be difficult to prosecute you does not make that considered behavior any less criminal. You will have to live with that knowledge for a long time. I have friends who worked at Enron who to this day have valid concerns about the resume stain they have earned from their time there. Are you willing to bear that also?

How you go about protecting yourself from reprisals is up to you and the reporting authority, but surely anonymous 'tip' reporting is possible. Given senior management is the problem, that is a strong candidate for your response. I would also recommend you document your allegations as best you may and make them to the SEC and your local branch of the FBI. Either agency might request you remain with the company while they investigate your allegations. Otherwise, it may be time to vote with your feet and find employment elsewhere.

You more than anyone should know what will be the eventual outcome of improperly securing vital systems. Do you want it to happen on your watch or to have to answer difficult questions later about why you did not strongly resist or report events which will lead to that security breach? Do you want the stigma to attach itself to your resume? Do you want to sleep on the knowledge that you passively participated in criminal conspiracy by voluntarily remaining silent?

You cannot fault the ethics of your superiors if you fail to execute upon your own. What are you made of? Decide, and then live with the decision. It only appears to be a difficult decision if you have an off-switch upon your professional ethics.

They've got it backwards (1)

billcopc (196330) | more than 6 years ago | (#23085126)

It seems to me, if there is knowledge of someone downplaying security risks/breaches, their job should be threatened IMMEDIATELY. It is their duty to analyze risk and report it, and they should be held responsible if they neglect those responsibilities.

Yeah, sometimes it's ugly. Some workplaces are a security nightmare, but that's precisely why we create security jobs in the first place. Identify the problems, build a game plan and implement it! A security advisor that finds no problems, is not doing their job right. There's no such thing as a 100% secure environment, it's all about evaluating risk vs benefit, and that is a moving target.

Two-way street (1)

Spazmania (174582) | more than 6 years ago | (#23085196)

Security ethics is a two-way street. I've seen reasonable risks downplayed when they shouldn't be but I've also had to argue with an auditor about "failed" checklist items whose security implications were clearly understood and very obviously addressed elsewhere in the system's overall architecture.

perspective (4, Insightful)

J.J. (27067) | more than 6 years ago | (#23085204)

Take a few steps back and consider your perspective. Try reading about engineers vs. managers: http://www.fourmilab.ch/hackdiet/e4/eatwatch.html [fourmilab.ch] (scroll halfway down)

Many computer guys tend to be alarmist and see the world in black and white. Many security firms rate problems only based on potential damage without consideration for existing mitigations elsewhere in the system or the reality of targeting from attackers. Consider your company's situation carefully.

If, after much deliberation, you are certain legitimate problems exist that must be fixed (versus managed) then talk to the managers in their language: build a business case. You work for a company, the company's job is to make money. Security costs money. You must clearly articulate how the security improvements will make money or stop the company from losing money. It's all engineering, in the end. It's just engineering with words and numbers.

Cheers.
- jj

I can only tell you what I told my boss... (0)

Anonymous Coward | more than 6 years ago | (#23085224)

I can only tell you what I told my current boss: "You're about to double the size of the company, sir. Afterwards increasing security to the minimum level will cost four times as much, take twice as long, and require many gallons of coffee, 1000s of hours of overtime and several strippers. And right now we couldn't pass any credit handler's, let alone a GSA inspector's, minimum audit requirements."

He asked me what strip bar IT partied at, so at least the speech wasn't a total loss.

I'm at a fortune 150 company (1, Interesting)

Anonymous Coward | more than 6 years ago | (#23085248)

Take my words as an example of why you may need to be careful.

Number one, be a successful example of your policies.

Number two, understand, you are expendable, security is not a tangible deliverable to many. Strong arming people is the worst move that can be made, it will alienate your team. Security is extremely important, but getting a product across the finish line is even more important. If you stand in the way of delivery the barrier will be removed. If your security offerings help deliver a product faster and cheaper, then you'll be a hero.

Here is why I say these two things.

In my environment the security group is the worst example of security as a process, so nobody takes them seriously. People across the board are actually writing code to work around their systems as we need to deliver a product. It is ironic that in the latest audit, they failed worse than the other groups, more or less because they didn't follow the enterprise security standards.

I can assure you that the barriers at some point will be removed one way or another. :)

Pick your battles, and be strategic.

Ain't no FYCK'EN difference for years now ... PTB (1)

OldHawk777 (19923) | more than 6 years ago | (#23085254)

I have observed for over a decade now that index finger pointing is passé at Fortune 50+... pecker-order old-boy corporate welfare companies and the USA government congress, DoD ... use of the middle finger for FU is the management rage for CYA. I suspect the Whitehouse, congress members, some mayors/governors, and many CEOs, CIOs, CFOs ... have a staff of blame-stormers. Blame-stormers are used when the best-framed-truth is (determined by the lawyers on staff) not believable to a jury, idiots and/or dogmatist (Cheney & Rove ... CIA leak) find the best fall-dummy for the boss (point them out with the FUFinger). Things are becoming more FU, because nothing holds these criminals accountable, and negligence is defined as being caused by unpredictable events which does nothing more than extend the victimization of the public. Cheney/Bush/... prove that all good patriotic lawful citizens should fear politicians/corporatist/... as far more dangerous to US than terrorists.

I was told that when POTUS Bush/Cheney, Dummy Rummy the War Don ... took the oath of office to protect and defend "The USA Constitution" against all enemies foreign and domestic they intentionally crossed their fingers, eyes, or legs ... never intending to serve the public, but to service the public like good shepherds for money and personal gain. I never saw the pictures; So, I cannot be sure....

PBS news has even been turned to the will of the dark-side by Bush-Vader and Sith-Lord Cheney. Are all our Jedi Masters dead or seduced by a Monicabj hope of everlasting fame? Tune in after the next exciting election when we will all see more of the same or a spectacular USA finally for democracy and capitalism. I suspect it will be a real tear-jerking, neck-clinching, and nail biting disappointment to USAll.

There's no teacher like experience... (1)

bgibby9 (614547) | more than 6 years ago | (#23085270)

If there are issues, probably the only true way of them waking up to themselves is for the violation to take place in a controlled manner. Show them where the problems are by exploiting the problem so that they may fix it. I think you're in for a hard sell but there's no teacher like experience, especially in my customers' business lives. In the end, if it's a controlled violation, my customers are always grateful!

Change starts with you. (2, Interesting)

rindeee (530084) | more than 6 years ago | (#23085330)

Sorry my friend, but the biggest reason people 'fear losing their job' and not being able to support their family is due to personal irresponsibility. I promised myself a looooong time ago that I would do my best not to get into a situation where my job could bend my ethics due to need for the check every two weeks. Show me a person with little to no debt, a stout (not huge mind you) savings that knows how to live within or below their means and I'll show you someone who won't hesitate to 'blow the whistle', call a spade a spade, insert cliche here. Sadly, employers know as well as retailers and lenders that debt equals power over the indebted. This is not 100% of the problem, but in my opinion it is a very big part of it.

Re:Change starts with you. (0)

Anonymous Coward | more than 6 years ago | (#23085508)

a stout (not huge mind you)

It'll run out eventually, and having to move cross country to get out from under the umbrella of the company (and the newspapers running the story...) is going to drain it that much faster.

Insulting him about his "personal irresponsibility" isn't helping either. It's not like companies line up to hire honest people to positions of any real import, if they did, we wouldn't need whistleblowing laws.

I call your oxdung! (1)

Pig Hogger (10379) | more than 6 years ago | (#23085348)

"I am a senior security xxx in a Fortune 300 company and I am very frustrated at what I see. I see our customers turn a blind eye to blatant security issues, in the name of the application or business requirements. I see our own senior officers reduce the risk ratings of internal findings, and even strong-arm 3rd party auditors/testers to reduce their risk ratings on the threat of losing our business. It's truly sad that the fear of losing our jobs and the necessity of supporting our families comes first before the security of highly confidential information. All so executives can look good and make their bonuses? How should people start blowing the whistle on companies like this?"
Aw come on, don't tell me you went up the corporate food chain up to where you are without intimately knowing the little gears that made the company go, and knowing where the weak links are, and without being able to figure out which gentle, subtle push on which weak links will be able to bring the whole edifice crashing down without getting the blame?

Sarbanes-Oxley (2, Interesting)

PPH (736903) | more than 6 years ago | (#23085378)

This law makes the company CEO responsible for making any material mis-statements. If the security in question involves financial information, or if it would affect the financial standing of the company in the eyes of investors, it cannot be covered up.

There may also be other regulatory agencies involved, such as the FDA, FAA, etc.

If this is the case, tell the people pushing for the cover-up that you will gladly comply. But, after the sh*t hits the fan, you will visit the CEO in prison and tell him/her exactly who was responsible for generating the mis-statements.

IANAL, so you should check with one first.

CYA and document it. (1)

DragonTHC (208439) | more than 6 years ago | (#23085394)

Fulfill your requirements and document your protests. When your manager comes to collect, point out your protests and mention that they've been documented from the start. Do your due diligence, my friend.

The uses of publicity (3, Insightful)

Animats (122034) | more than 6 years ago | (#23085416)

Public embarrassment can be useful. We publish a list of major domains being exploited by active phishing scams [sitetruth.com] . These are major domains where an attacker has found a security hole allowing them to exploit the site for phishing purposes. There are 65 sites on the list. There used to be about 140, but by nagging and publicity, we've been able to get most big-name sites to tighten up. Now and then some big site makes the list, but it often disappears within hours as the hole is plugged.

So it actually is possible to get big companies to tighten up security, if you do it right.

John (1)

jab9990 (1260764) | more than 6 years ago | (#23085420)

America is rotting from the inside out. There is no way to stop it.