im not sure where to put this

podgeen

moderators move this if ye think its more appropriate somewhere else..

right , One of my modules is college is Professional Issues in software engineering. The lecturer presents us with different real-life scearios, for which we discuss the ethical, social and legal issues involved. Firstly im not asking ye to do my homework, just looking for opinions on one of the scenarios. (for homework we've to discuss it and back up any thing we say with references to previous cases etc..)

I know alot of boards users work within the computer industry so id be interested to hear yer opinions, maybe this has happened to you in the past. I think it would be interesting to see how you would react if you were in this situation.

Anyways here's the scenario =>
Jones Consulting

Johnson, D.G., "Professional Ethics" in Computers, Ethics & Social Values,
(eds) D. G. Johnson & H. Nissenbaum, Prentice-Hall Inc, 1995

After getting an undergraduate degree in computer science, Diane Jones was
hired by a large computer company. She initially worked as a programmer,
but over the years she was promoted to technical positions with increasing
responsibility. Three years ago she quit her job and starter her own
consulting business. She has been so successful that she now has several
people working for her.

At the moment, Diane is designing a database management system for the
personnel office of a medium-sized company that manufactures toys. Diane
has involved the client in the design process, informing the CEO, the
director of computing, and the director of personnel about the progress of
the system and giving them many opportunities to make decisions about
features of the system. It is now time to make decisions about the kind
and degree of security to build into the system.

Diane has described several options to the client, and the client has
decided to opt for the least secure system because the system is going to
cost more than they planned. She believes that the information they will
be storing is extremely sensitive, because it will include performance
evaluations, medical records for filing insurance claims and salaries.
With weak security, it may be possible for enterprising employees to
figure out how to get access to these data, not to mention the
possibilities for on-line access from hackers. Diane feels strongly that
the system should be much more secure.

She has tried to explain the risks to her client, but the CEO,. Director
of computing, and director of personnel are all willing to accept a system
with little security. What should she do? For example, should she refuse
to build the system as they request?

podgeen

I dont think it belongs in security.

flamegrill

It may or may not belong here, but this board doesnt get much traffic so it would have been a better bet to post to the general Technology forum.

Regards,

Paul

p.s pm spod and maybe he will move it for you.

DeVore

Diane has discharged her duty to the company imho.

She should have done (or should do) a few things.

1. Explain in detail why the low security is bad.

2. Explain the consequences of thelow security option.

3. Do both 1 and 2 in writing.

4. Get written confirmation from her boss that they accept the
consequences of their decision. Get them to sign it in triplicate.

5. File a copy herself and make sure one goes into the company records.

6. Ensure that as little publicity connects her name to their site.

Ok, here the explanation of the answer I've given.

Either take the job as a consultant or dont. It isnt your place to preach your opinions to your client. Everyone is free to make their own decisions. Diane feels they are wrong. Thats her perogative. She's not privvy to the company's situation and THATS what upper management are for. They take input from ALL sources, tech, logistics, HR, PR, etc. Then they make a decision in light of the full facts.

For someone down the chain of command to arbitrarily decide that they "arent going to do that" isnt their place.
If she feels that strongly about it she should either not take the job or take the job and act responsibly as described above.
Object, STRONGLY object, get it in writing and then do as you're feckin well told by your client.

Its facile to say the company is obviously wrong here, we'd all think that because this is a tech/security board. But we dont know the full story. What if by paying the extra cash they are endangering the cashflow of the company?
Suppose their accountant is telling them "pay this extra and we could be looking at bankruptcy?".
Suppose they have to meet some contractual obligation which requires it done faster and so they've chosen the less secure approach for speed of coding reasons? There are other issues which can apply. Security should be a high concern to the company, but its not an overridding concern, other things have to be taken into consideration..

If you had to choose between your co-workers seeing your wages slip and medical record... or you not having a JOB any more ...I know what my first choice would be.

Either take the job and act professionally or walk away. The options of refusing to do it, or insisting on being paid isnt appropriate.

btw: I have walked us away in some cases from clients who didnt have a notion about web-dev. Sometimes its the smart move.

Tom Murphy
MD, Spin Solutions.

Gambler

What Dev said

I had started on a big post when I saw devs post there .. his makes more sense than mine was making but was the same basic principle. You have to cover yourself by making sure that the company knows that you don't apprive of their choice, but if you are hired for a job you have to do it

[Edit] Oh yeah, and of course security is a good place to post it [/Edit]

spod

Firstly, this seems to be a suitable forum to discuss such things.

Secondly, my brief .02euro...

It's a tricky problem. I've been in something similar twice, although not as someone bidding for a contract, just as an employee.

First one was working on a proprietary software product which was installed on client sites. I pointed out a nasty security hole, was told, pffh, doesn't matter, said er ok but I warned you, bah.
As far as I know to this day it hasn't been an issue.

Second one, was with a different employer, I was working on a large Internet site, found a skew of input validation nastiness in a secure e-commerce section of the site. I pointed it out, and after my then technical manager checked it out, got me to fix them next day.

A third scenario I can think of is a mate who works for a big corporation finding nastiness in an application he was updating which was already live. He pointed it out, went on holidays, came back was given a different project and as far as he knew last time I asked him it was still an issue, but someone elses problem now.

Not quite the same scenarios, to be honest DeV's reply is probably best but I felt I should at least say something.

podgeen

We discussed the above scenario as part of an assignment for college. It was discussed with respect to legal, social and ethical issues. If your interested in reading it reply here and ill add you to the UL study group. (have to wait till our lecturer has looked at it first)

Hobbes

Originally posted by spod
A third scenario I can think of is a mate who works for a big corporation finding nastiness in an application he was updating which was already live. He pointed it out, went on holidays, came back was given a different project and as far as he knew last time I asked him it was still an issue, but someone elses problem now.

Some companies are more paranoid about employees then actual exploits. I would hazard a good guess that your friend was moved because they considered him a security risk in that area.

I had a similar senario exactly as listed above.

Years ago I was asked to fix a payroll problem (on a certain payroll system). Because I had done dev/support work before on it for a different company I knew the sequence of keys and passcode to go into diagnostic mode. Once I came out of diagnostic mode after making the fix the woman who was in charge of payroll went white and then went off and told my manager I was never to set foot in the payroll office again. It seemed at the time they had asked for more password protection but didn't want to pay extra for it, and going into diagnostic mode had bypassed all thier protection (lazy developers ).

My manager was pretty cool about it but he did tell me that if you were to share a security exploit odds on the company is more likely to fire you/shuffle you somewhere then fix the problem.

This was years ago, the net has shown this sort of thing doesn't work, but it still goes on.

sceptre

Originally posted by podgeen
We discussed the above scenario as part of an assignment for college. It was discussed with respect to legal, social and ethical issues. If your interested in reading it reply here and ill add you to the UL study group. (have to wait till our lecturer has looked at it first)

Add me if you can Dave - interesting in reading this

Ta

sceptre

ecksor

Once the explanation of the risk has been clearly given to management, then it is their decision on how to mitigate it and whether it makes good business sense to accept the risk or not.

In this case however, because they are storing medical records (i.e., an incident doesn't just affect the company's bottom line), then if I genuinely felt they were being negligent or I was uncomfortable with the system, I'd be inclined to run a mile.

The next interesting question then is should you spill the beans or not?