Ethics and passwords

Steve Acheson satch at cisco.com
Fri Aug 29 14:27:03 PDT 2008


Well, I can answer for myself, at least, but I'm probably biased since
I've been doing Infosec for the last 15 years and have always been a bit
paranoid about both mine and others' access...

I also find that 88% number hard to swallow.  Perhaps that's 88% of the
people that they offered $10 for their password to that were then
interviewed...  It's gotta either be a typo or some bizarre demographic
that they interviewed.

I wouldn't bother with stealing corporate info just because I was laid
off...  I won't say I never would, because if someone pointed a gun at
my girlfriend or had my thumbs in a screw vice I'd happily give them
whatever they wanted.

But, for my own ethics, I wouldn't.  Whenever I leave a company, I make
sure all of my accounts are deactivated and locked or deleted.  I want
no chance that someone could later say that I still had access and did
something.  My paranoia speaking again, but I've seen it happen to
friends in the past, and I like to learn from other people's lessons not
just my own...

Plus, after spending years enabling SSH, moving to SSO, encrypting
databases, PKI+SMIME, etc., I guess it would just be wrong to subvert all
that work...

satch

Jennifer Davis wrote:
> I just saw this on Slashdot:
> "According to identity management firm Cyber-Ark's annual 'Trust,
> Security & Passwords' survey, a whopping 88% of IT administrators
> would steal CEO passwords, customer database, research and development
> plans, financial reports, M&A plans and the company's list of
> privileged passwords if they were suddenly laid off. The survey also
> found that one third of IT staff admitted to snooping around the
> network, looking at highly confidential information, such as salary
> details and people's personal emails."
>
> I cannot believe the 88% number.  Seriously, there are ethics about
> having access to information.  The people I know in the field are
> pretty strongly willed ethically.  What are people's personal ethics
> with regards to stealing passwords?  If you have access to the
> information do you do this kind of thing? (maybe it's best to ask this
> anonymously).