After the heartbreak of missing our opportunity to get some dandelion wine, and not being able to break the cipher given to us by the professor, I've decided to drown my woes in Lab 0.
We are to pick two puzzles by Matt Bishop and answer the questions; one has to be about an ethics issue.
For my first pick I chose the puzzle regarding a student that discovers a security flaw in the department's computer system. The student exploited the flaw and gained root access on the machine. The puzzle goes on to explain that the system did not provide sufficient mechanisms to prevent the student from gaining root access. The question is whether she actually "broke in" to the system, and if she actually acted unethically in exploiting the flaw in the departments security.
I believe this was a breach of ethics because the first paragraph states the student "exploited a flaw" in the system to gain root access; this does constitute a violation of ethics by the student because she gained access by means not usually used on the system. The student, after discovering the flaw, should have reported the issue to the correct personnel, and offered suggestions to fix it. In my own personal experience I believe this should be the default action when any security flaw is detected. If I were to exploit a security flaw I discovered on the network at my current employer without informing the proper personnel, I would not only be subject for dismissal, but I could also be brought up on charges by the United States government. I’m not completely sure the chairperson acted ethically; the student did bring a glaring security issue to the attention of the University. In my opinion, the student should have been reprimanded for her actions, and made to sign a waiver stating she would never again knowingly exploit a security flaw on the University’s network.
My second blog is regarding two MIT graduate students that bought a number of hard drives from the Internet, and were able to recover data on the drives.
The question is if the data being discarded on the disks is actually a security vulnerability. I believe it could be depending on who the drives belonged to. If this was an employee that stole the drives from their employer, and decided to make extra money by selling them on Ebay, then this could be a very big vulnerability. The drives could consist of personal employee information, or industry secrets. If this was just someone believing that the “delete” command actually removes the data, than I believe that person should gain more knowledge on computing systems before putting any kind of sensitive information on one. There has to be a level of personal accountability for situations such as these. If it’s a person putting his own old drives on Ebay, he should definitely verify they have been completely wiped with a utility such as BCWipe, or any other utility that will over-write each sector of a hard drive.
I can once again point to my own experiences to illustrate a point regarding this puzzle. Once a computing system comes into my work, the hard drive remains the property of my employer indefinitely. If there needs to be warranty work done on the machine, it is done without the hard drive (and in some instances without RAM as well). Discarded or defective drives are wiped, using a system that writes a ‘0’ to every sector on the hard drive, and the drive is destroyed. While that may seem kind of extreme, it will definitely prevent the spread of sensitive information.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment