Ethical Obligations
MaxwellStreet writes "There's a great editorial on msnbc.com about the ethical dilemma of whether or not a system administrator (or the business they work for) is obligated to disclose credit card number theft from their machines. What does everyone here think?"
The credit card system could be changed to reduce the risk but it isn't. So people are obviously willing to trade in some security for convenience. If disclosure would hurt your company, don't disclose. Customers won't get hurt anyway because the risk is on the CC companies' side.
Sure, there are some system administrators who would rather not reveal themselves as having an insecure network, for fear of having more security violations or even, God forbid, having to fess up to a mistake. However, we all make mistakes, and protecting the commerce of your website and payment processing system should be top priority, while disclosing to your customers the potential of the intrusion as well as informing them that there is a fix in the works; otherwise the check-and-balance system that any worker must follow, as well as trust, would be violated in the process.
The company is legally obliged to inform their customers of the theft.
If they won't, they are (at least partially) responsible for any damages caused by the criminals.
The sysad should inform his manager and point out all legal consequences. This should sort out all problems.
Owner of a Mensa membership card.
"Security through obscurity" has two senses - hide the system's vulnerabilities ("we're secure because nobody knows we have bugs") or hide failures of that system when they occur ("we're secure because nobody knows we got 0wn3d"). Both are bad ideas. They're basically trying to make a problem go away by hushing it up. Plus it does nothing for a company's credibility, when the world finds out anyway.
Do unto others as you would have them do unto you.
Sorry, but this is not an ethical dilemma: you should always disclose to the customers that you perceive a theft to have taken place.
The company has a duty to its customers' information. Demonstrating that your company is ignoring its duty is *far* more damaging than any reports of breached systems.
Also, if everybody knows about an insecurity then the company will HAVE to take remedial action.
Sadly, many executives do not see it this way, and some slimeballs will even punish those employees who tattle. In the UK we have the whistleblowing act, which is designed to prevent loss of employment due to actions in the interest of the public good. I wonder if our stateside companions are as well protected...
Remember kids! Guns don't kill people - Americans kill people.
Dealing with this kind of ethical quandary isn't an admin's job, and yet it seems that they end up stuck with it. In other professions where we have similar possible ethical dilemmas (medical, legal, etc.) there are established and deeply entrenched codes of ethics to which practitioners are expected, even by employers and associates, to adhere. Why don't system administrators have such a thing?
I think the revelation in the article that a business would prefer to sweep such a theft under the rug is frightening and opens the door to all kinds of problems. Maybe making employers understand that their admins are obligated by their own professional standards to expose this kind of thing will effect a positive change. I can't imagine what hiding it will achieve. You don't have to think hard to come up with examples of past situations where hiding "undesirable" information caused more problems than it solved. We're seeing the end results of that very attitude playing itself out with Enron/Arthur Andersen as well as the Catholic church right now.
Admins should be expected to expose this kind of thing with the understanding that doing so will avoid bigger and worse problems down the road. It should be viewed as a service to the public which takes priority over protecting petty business interests.
We will either learn from history or repeat it... again.
--Rick "If it isn't broken, take it apart and find out why."
Of COURSE the ethical thing to do would be inform the customer, so that they may take measures to protect themselves from theft. It is absolutely pointless to try and argue against that option as the most ethical choice. Unfortunately in this world, the ethical choice is not rewarded or even encouraged by those in charge. No one got rich being ethical, and every manager alive seems to know it. When an admin's job is in question, undoubtedly the choice will be made to not inform anyone of anything unless forced to. This dishonesty is encouraged and rewarded in the corporate world.
She might have thought her boss forced her to be unethical.
What she must do is report the incident to her boss immediately, and then her job is done. It's up to her boss to decide the next action. Bear in mind, Dana is just an administrator; she's not in the front line dealing with the customers, nor dealing with the legalese.
Her boss is doing good for her, because he took up the responsibility. I understand Dana's feeling that she has a social responsibility on every unethical matter she comes across. In this case she really has to find a company which is so pure that it has nothing to hide.
Basically your credit card company gives you a bunch of numbers and says "that's the key to your money, to pay you just have to give those numbers to a vendor, and trust that they won't give the key to anyone else because we're not going to change the key before 2006".
Sorry but I don't buy it. I don't understand why the system hasn't collapsed yet.
Wouldn't it rather be beneficial for the company to go public with this incident?
It would be the opposite of security-through-obscurity - security through publicity instead. By going public, any future attackers will know that if they indeed go after this target, it will be noticed, and the company will inform the CC companies, rendering the stolen numbers pretty much worthless.
Compare that to if the company keeps the lid on - future attackers can then feel a certain degree of safety that any "obtained" card numbers will not be barred quickly.
Just my $.02 for an idea...
/Coolgopher
I'm sorry, but I think if my bank is going to be keeping a close eye on my credit card I'd like to know about it. I'll normally go for several weeks or a month making only small purchases and then suddenly splurge on several big things at once. I sometimes fly out of town for the weekend, and certainly don't think much of using my credit card out of state at the time.
If I was informed that my account was being watched over I might decide to do things a little differently. I might space out those big purchases, I might use a different credit card or carry more cash for that trip, or let my bank know if it's going to be a long one.
Knowing that the bank is keeping tabs on my card might allow me to avoid inadvertently doing something that could appear suspicious and get my account put on hold while the bank tries to get in contact with me.
Yeah, having to change my life for the sake of those precautions sucks, but they're going to be checking anyway, and I'd rather know than not.
This Space Intentionally Left Blank
YES!! Absolutely! They hold 'in trust' information about us, and the consequences are possibly extreme (financially). If a crime is being committed, like a break-in, and a person sees it and doesn't report it, then they become an accomplice. Same thing here.
This may not be obvious to geeks, but the ethical dilemma is not between disclosure itself or keeping it secret: It's the choice between backstabbing your boss and not warning customers who after all may not even be victims. This situation is only produced by the boss saying "no disclosure", as opposed to the other situation, which would only occur if this decision were the admin's responsibility.
Maybe it's just early and I'm not thinking this thru...
But it seems like a no-brainer... YES! If 500 records are stolen that could mean that up to 500 people could be targeted for fraud and theft.
I would think that a responsible business (net or not) would give a customer a call and let them know.
This is not a single receipt stolen from a register, or even if it was... it's not simply the name & number stolen... most of the time it's a person's full information: name, shipping/billing address, phone numbers, etc, etc...
Post logs.
And if my 'spare' set of keys gets stolen from my apt. manager I want to know. It's not only the right thing to do, but an issue of security. Physical security, financial, you name it. I have the right to know and the company has the duty to disclose this info to me. Maybe not the rest of the world, but at least to me. IMHO :)
PS: I think we have a whistleblowing act in the US as well. I've heard mention of it with respect to a whistleblower at the FBI.
The Whistleblower Protection Act gives protection only to Federal employees. Employees of private entities are not afforded protection. However, recent legislation is working towards giving protection to certain sectors, such as airlines, and, because of the Enron/Andersen scandal, public corporations under the SEC.
Not only are they doing the 'ethical' thing, but they could be sued by consumers/CC companies if they don't.
Secondly, I still can't understand why CC companies don't have a one-time CC# system in place. Something like S/Key would work great. You enter your credit-card number (e.g. 1234-1234-1234) and an amount (e.g. $450.00) into a program and get a one-time-use credit-card number. That way, stealing credit-card numbers is a thing of the past. Of course, the slight inconvenience comes in carrying around a handheld and writing down the number, and not being able to just give the CC# to a company once and automatically have future purchases charged to the previous number. Of course, many people would like that system, and I would be at ease using credit-card numbers online.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
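The one-time, amount-bound card number sketched in the post above, modelled as an added example (my own construction, not the poster's or any issuer's code). The post names S/Key; this model uses a shared-key counter scheme in the style of HOTP instead, because a bare hash chain can prove a number is fresh but cannot bind it to an amount without a key the issuer also holds. The 6-digit account token, the demo key and the amounts are all constructed.

```python
"""Model of the one-time, amount-bound card number proposed above (constructed example).

Card side: a shared key and a counter, as in HOTP. Issuer side: the same key plus
the set of counters already spent, so a number works once and only for the amount
it was generated for. A stolen list of used numbers is therefore worthless.
"""
import hashlib
import hmac

TOKEN_DIGITS = 6      # issuer-assigned account token; stands in for the real PAN
COUNTER_DIGITS = 4
TAG_DIGITS = 5        # short enough to fit a 16-digit number, so guessing must be rate-limited


def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload+digit pass a merchant's Luhn sanity check."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:            # digits that are doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def amount_tag(key: bytes, token: str, counter: int, amount_cents: int) -> str:
    """HOTP-style truncated HMAC over (account token, counter, amount)."""
    msg = f"{token}|{counter}|{amount_cents}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**TAG_DIGITS).zfill(TAG_DIGITS)


def build_number(key: bytes, token: str, counter: int, amount_cents: int) -> str:
    payload = f"{token}{counter:0{COUNTER_DIGITS}d}{amount_tag(key, token, counter, amount_cents)}"
    return payload + luhn_check_digit(payload)


class CardDevice:
    """The handheld from the post: holds the key and a counter, never the real PAN."""

    def __init__(self, token: str, key: bytes):
        self.token, self.key, self.counter = token, key, 0

    def one_time_number(self, amount_cents: int) -> str:
        self.counter += 1
        if self.counter >= 10**COUNTER_DIGITS:
            raise RuntimeError("counter exhausted; re-enroll with a fresh key")
        return build_number(self.key, self.token, self.counter, amount_cents)


class Issuer:
    MAX_FAILURES = 5  # a 5-digit tag can be guessed; lock the account after a few bad tags

    def __init__(self):
        self.accounts: dict[str, dict] = {}  # token -> {"key", "spent", "failures"}

    def enroll(self, token: str, key: bytes) -> None:
        self.accounts[token] = {"key": key, "spent": set(), "failures": 0}

    def authorize(self, number: str, amount_cents: int) -> str:
        """Return 'approved' or a decline reason (a real issuer would return one generic decline)."""
        if len(number) != TOKEN_DIGITS + COUNTER_DIGITS + TAG_DIGITS + 1 or not luhn_valid(number):
            return "declined: malformed"
        token = number[:TOKEN_DIGITS]
        counter = int(number[TOKEN_DIGITS:TOKEN_DIGITS + COUNTER_DIGITS])
        tag = number[TOKEN_DIGITS + COUNTER_DIGITS:-1]
        acct = self.accounts.get(token)
        if acct is None or acct["failures"] >= self.MAX_FAILURES:
            return "declined: unknown or locked account"
        if counter in acct["spent"]:
            return "declined: number already spent"   # replay of a stolen number
        if not hmac.compare_digest(tag, amount_tag(acct["key"], token, counter, amount_cents)):
            acct["failures"] += 1
            return "declined: amount does not match"  # tampered amount or guessed tag
        acct["spent"].add(counter)                    # numbers may arrive out of order; each burns once
        acct["failures"] = 0
        return "approved"


def demo() -> dict:
    """Constructed walk-through: purchase, replay of the same number, amount tamper, second purchase."""
    key = hashlib.sha256(b"constructed demo key").digest()  # constructed; real keys come from the issuer
    token = "400123"                                           # constructed account token
    issuer = Issuer()
    issuer.enroll(token, key)
    card = CardDevice(token, key)
    n1 = card.one_time_number(45000)  # $450.00, the amount in the post
    n2 = card.one_time_number(1999)
    return {
        "n1_luhn": luhn_valid(n1),
        "first": issuer.authorize(n1, 45000),
        "replay": issuer.authorize(n1, 45000),
        "tampered": issuer.authorize(n2, 2999),   # merchant submits a different amount
        "second": issuer.authorize(n2, 1999),
    }


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The short tag is the weak point of any 16-digit format, which is why the issuer locks the account after a handful of mismatches rather than letting a merchant-side attacker try amounts at will.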
Always deny!
Life's too short to worry about 'ethics' and 'morals'.
A crime has been committed. Of course they must disclose it to authorities and to those potentially affected. If you got a flaw, tough, fix it up. Do it right the first time.
Secondly, I still can't understand why CC companies don't have a one-time CC# system in place. Something like S/Key would work great. You enter your credit-card number (e.g. 1234-1234-1234) and an amount (e.g. $450.00) into a program and get a one-time-use credit-card number.
My Citibank Mastercard provides this service via an online service. I also hear that many credit cards, like the GetSmart Visa offer it via physical card readers that you connect to your computer.
When your customer trusts you with the financial information to complete a transaction you have taken on a great deal of responsibility. If you respect your customers and appreciate the business this would not be a problem at all.
This is just another example of why in our current culture trust and respect are hard to come by.
I agree, but I would have worded it like this:
Your fundamental obligation to fellow man outweighs your temporary obligation to an employer. This should be taught in schools.
Also, it seems to me that in the particular case of credit card theft from a website, the sheer volume of the theft is great enough to make any attempt at less than full disclosure extremely shady and obvious on investigation.
--
Daniel
Actually, on second thought, I'm not surprised.
If I were to have a list of credit card numbers on my computer and found out someone stole it, then covered up the theft I would be held responsible in civil court, and perhaps I would be tried as an accessory after the fact in criminal court. Corporations manage to dodge criminal charges on a regular basis.
Ethically, yes, the company has a responsibility to inform their customers of the lost information. This doesn't mean that they have to go to CNN and post it in the news. It should be done discreetly, with a list of affected customers being generated from another source. Do it by comparing differences in lists. Of course, at that point the company should also start working on security and figuring out how to prevent these problems.
Here is the tricky part, and the part that is the true ethical question. As a customer, what do you do once you've been told that your info has been ripped? I recommend quietly cancelling your credit card and allowing the authorities a chance to track future purchases. Of course, you can't go around warning people not to use the compromised service, because that would be a security breach. And therein lies the rub.
The question is not "Should the company inform the consumer?" Of course they should. They may be legally obligated to. The question is: do we warn others about insecure companies and prevent future problems, or do we join the law enforcement effort by keeping quiet and co-operating with the authorities?
The pros are good at being bad. You can try to fight them by not using software with great big holes in it, but they are going to get through anyway.
I think the usual fix for the problem is part of the credit card service: insurance to the merchant and card holder. If thieves make it impossible for the merchant, I expect merchants to stop taking credit cards. So sad, too bad; the credit card companies are the folks that need to fix the problem. They have plenty of money to throw at the problem.
All of that said, the banks in question should be notified so that they can be alert for suspicious activity. If your boss says no, find a new boss. The issue of not disclosing the "break in" is a non issue - it's part of your job. The worst thing that can happen is you get fired - generally a blessing from an unethical company. You will only look worse when the thefts are reported by others without your warning.
MSNBC - I'm glad the article was so well researched that they touched on all of the above issues. Such typical M$ FUD - blame the user for security problems and failing systems. Fear, people, fear.
Next!
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
tux@penguin > whois microsoft.com
If you disclose it, people will be miffed but may buy from you again. If you don't disclose it and it gets out that you didn't tell anyone, nobody will ever buy from you again.
I don't see how this is even a question. If someone broke into your machine, do what Egghead did. Tell every customer and the police.
If someone used my credit card to ship weapons to Iraq, I would be really pissed if I didn't notice because some vendor did not disclose anything to cover his ass.
http://www.iccp.org/iccpnew/ethics%20practice%2
Full text below; it doesn't address this issue directly. However, it states clearly that a computer professional has an "obligation to the public at large," must "serve the interests of their employers and clients loyally," and "shall have special regard for the potential effects of computer-based systems on the right of privacy of individuals whether this is within one's own organization, among customers or suppliers, or in relation to the general public".
This would seem to me to require disclosure of privacy breaches to members of the public who might be affected.
However, the ICCP has never emphasized the code of ethics much, and I've always suspected they just did it because (some) definitions of a "professional" require adherence to a code of ethics.
I once told my employer that I couldn't do something because I hold a CDP and was bound by the CDP code of ethics. To say he was shocked was putting it mildly. He knew I was a CDP but didn't believe it meant anything. He was not happy with the notion that I had obligations to anyone but my employer, but fortunately it wasn't an important matter and he "let me get away with it, this time."
Code of Ethics
ICCP Code of Ethics
Certified computing professionals, consistent with their obligation to the public at large, should promote the understanding of information processing methods and procedures using every resource at their command.
Certified computing professionals have an obligation to their profession to uphold the high ideals and level of personal knowledge as evidenced by the Certificate held. They should also encourage the dissemination of knowledge pertaining to the development of the computing profession.
Certified computing professionals have an obligation to serve the interests of their employers and clients loyally, diligently and honestly.
Certified computing professionals must not engage in any conduct or commit any act which is a discredit to the reputation or integrity of the information processing profession.
Certified computing professionals must not imply that the Certificates which they hold are their sole claim to professional competence.
Code of Conduct and Good Practice for certified computing professionals
The essential elements relating to conduct that identify a professional activity are:
A high standard of skill and knowledge.
A confidential relationship with people served.
Public reliance upon the standards of conduct and established practice.
The observance of an ethical code.
Therefore, these Codes have been formulated to strengthen the professional status of certified computing professionals.
1. Preamble
1.1: The basic issue, which may arise in connection with any ethical proceedings before a Certification Council, is whether a holder of a Certificate administered by that Council has acted in a manner which violates the Code of Ethics for certified computing professionals.
1.2: Therefore, the ICCP has elaborated the existing Code of Conduct, which defines more specifically an individual's professional responsibility. This step was taken in recognition of questions and concerns as to what constitutes professional and ethical conduct in the computing profession.
1.3: The ICCP has reserved for and delegated to each Certification Council the right to revoke any Certificate which has been issued under its administration in the event that the recipient violates the Codes of Ethics, as amplified by the Code of Conduct. The revocation proceedings are specified by rules governing the business of the Certification Council and provide protection of the rights of any individual who may be subject to revocation of a certificate held. The ICCP may bypass revocation proceedings and automatically revoke any Certificate for non-compliance with mandatory recertification processes, providing the certificate was awarded subject to mandatory recertification requirements.
1.4: Insofar as violation of the Code of Conduct may be difficult to adjudicate, the ICCP has also promulgated a Code of Good Practice, the violation of which does not in itself constitute a reason to revoke a Certificate. However, any evidence concerning a serious and consistent breach of the Code of Good Practice may be considered as additional circumstantial evidence in any ethical proceedings before a Certification Council.
1.5: Whereas the Code of Conduct is of a fundamental nature, the Code of Good Practice is expected to be amended from time to time to accommodate changes in the social environment and to keep up with the development of the information processing profession.
1.6: A Certification Council will not consider a complaint where the holder's conduct is already subject to legal proceedings. Any complaint will only be considered when the legal action is completed, or it is established that no legal proceedings will take place.
1.7: Recognizing that the language contained in all sections of either the Code of Conduct or Code of Good Practice is subject to interpretations beyond those intended, the ICCP intends to confine all Codes to the matters pertaining to personal actions of individual certified computing professionals in situations for which they can be held directly accountable without reasonable doubt.
1.8: Certified computing professionals have a responsibility to respect intellectual property rights, including copyrights, patents and trademarks. Violation of copyrights, patents and terms of license agreements is prohibited by law in most circumstances. Even when not so protected, such violations are contrary to professional behavior. Software should be copied only with proper authorization. Unauthorized duplication of both printed and electronic materials must be discouraged including those cases where the work has not been explicitly protected by any means. Credit should not be taken for the work of others. The work of others should not be used without specific acknowledgment and authorization.
2. Code of Conduct
2.1: Disclosure: Subject to the confidential relationships between oneself and one's employer or client one is expected not to transmit information which one acquires during the practice of one's profession in any situation which may seriously affect a third party.
2.2: Social Responsibility: One is expected to accept a responsibility to the public to diminish, through a continuing educational process, confusion and misconceptions surrounding the information processing industry. One is expected to be cognizant of and act in accordance with all procedures and regulations to improve public safety through the protection of information vital to the security of the nation and its people, both collectively and individually.
2.3: Conclusions and Opinions: One is expected to state a conclusion on a subject in one's field only when it can be demonstrated that it has been founded on adequate knowledge. One will state a qualified opinion when expressing a view in an area within one's professional competence but not supported by relevant facts.
2.4: Identification: One shall properly qualify oneself when expressing an opinion outside one's professional competence in the event that such an opinion could be identified by a third party as expert testimony, or if by inference the opinion can be expected to be used improperly.
2.5: Integrity: One will not knowingly lay claims to competence one does not demonstrably possess. One shall not take advantage of the lack of knowledge or inexperience of others.
2.6: Conflict of Interest: One shall act with strict impartiality when purporting to give independent advice. In the event that the advice given is currently or potentially influential to one's personal benefit, full and detailed disclosure to all relevant interested parties will be made at the time the advice is provided. One's employer especially should be made aware of any potential conflicts of interest. One will not denigrate the honesty or competence of a fellow professional or a competitor, with the intent to gain an unfair advantage.
2.7: Accountability: The degree of professional accountability for results will be dependent on the position held and type of work performed. For instance: A senior executive is accountable for the quality of work performed by all individuals the person supervises and for ensuring that recipients of information are fully aware of known limitations in the results provided. The personal accountability of consultants and technical experts is especially important because of the positions of unique trust inherent in their advisory roles. Consequently, they are accountable for seeing to it that known limitations of their work are fully disclosed, documented and explained. Furthermore, information processing professionals have a responsibility to take appropriate action regarding any illegal or unethical practices that come to their attention. Charges should be brought against a person only when a reasonable basis for the allegations has been established, without regard to personal interest.
2.8: Protection of Privacy: One shall protect the privacy and confidentiality of all entrusted information. One shall have special regard for the potential effects of computer-based systems on the right of privacy of individuals whether this is within one's own organization, among customers or suppliers, or in relation to the general public. Because of the privileged capability of computing professionals to gain access to computerized files, especially strong strictures will be applied to those who have used their position of trust to obtain information from computerized files for their personal gain.
Where it is possible that decisions can be made within a computer-based system could adversely affect the personal security, work or career of an individual, the system design shall specifically provide for decision review by a responsible executive who will thus remain accountable and identifiable for that decision.
3. Code of Good Practice
3.1: Education: One has a special responsibility to keep oneself fully aware of developments in information processing technology relevant to one's current professional occupation. One will contribute to the interchange of technical and professional information by encouraging and participating in educational activities directed to both fellow professionals and to the public at large. One will do all in one's power to further public understanding of computer systems. One will contribute to the growth of knowledge in the field to the extent that one's expertise, and ability allow.
3.2: Personal Conduct: Insofar as one's personal and professional activities interact visibly to the same public, one is expected to support, respect and abide by the appropriate laws and in general to apply the same high standards of behavior in one's personal life as are demanded in one's professional activities.
3.3: Competence: One shall at all times exercise technical and professional competence at least to the level one claims. One shall not deliberately withhold information in one's possession unless disclosure of that information could harm or seriously affect another party, or unless one is bound by a proper, clearly defined confidential relationship. One shall not deliberately destroy or diminish the value or effectiveness of a computer-based system through acts of commission or omission.
3.4: Statements: One shall not make false or exaggerated statements as to the state of affairs existing or expected regarding any aspect of information technology or the use of computers. In communicating with lay persons, one shall use general language wherever possible and shall not use technical terms or expressions unless there exist no adequate equivalents in the general language.
3.5: Discretion: One shall exercise maximum discretion in disclosing, or permitting to be disclosed, or using to one's own advantage, any information relating the affairs of one's present or previous employers or clients.
3.6: Conflict of interest: One shall not knowingly hold, assume, or accept a position or a client with which one's interests conflict or are likely to conflict with one's current duties or clients unless that interest has been disclosed in advance to all parties involved.
3.7: Public Safety: One has a responsibility to protect fundamental human rights and dignity and to respect cultural diversity. Those who design, develop and maintain computer systems shall be alert to and make others aware of any potential damage to the local and global environment. When developing information systems, computing professionals must ensure that their efforts are used to benefit humanity. Harmful effects to general health and welfare of the public shall be avoided.
3.8: Violations: One is expected to report violations of the Code, testify in ethical proceedings where one has expert or firsthand knowledge, and serve on panels to judge complaints of violations of ethical conduct.
4. Procedural requirements for revocation of certificate awarded
4.1: The ICCP may automatically revoke Certificates for non-compliance with mandatory recertification processes, providing the certificate was awarded subject to mandatory recertification requirements.
4.2: A Certification Council, on behalf of the Institute for Certification of Computing Professionals, has the right to revoke any Certificate which has been awarded by it in the event that the recipient violates the Codes, or engages in conduct which is a discredit or disgrace to the computing profession.
4.3: The grounds for revocation, except for failure to comply with mandatory recertification requirements, will be based upon the opinion of at least two-thirds of the members of the Council.
4.4: Procedure for handling revocation:
1. A formal written statement of charges alleging facts which constitute the grounds for revocation will be prepared.
2. A copy of said charges will be forwarded to the person accused, fixing a time within which such person may file with the Council answers to the charges.
3. If the charges are denied in the answer, the Council will fix a time for the hearing and give notice of the time and place of the hearing to the person accused.
4. Presentation of evidence in support of the charges will be made by the secretary (a nonvoting member) of the Certification Council.
5. Presentation of the evidence in defense of the charges will be made by the accused or the designated representative of the accused.
6. Ample opportunity for both sides to present facts and arguments will be allowed at the hearing.
7. At the conclusion of the hearing, the Council will determine whether or not the charges have been sufficiently established by the evidence and whether the Certificate should be revoked or should not be revoked.
8. The accused will be notified of the decision by registered mail.
9. The accused has the right to request review of the decision by the Executive Committee of ICCP, provided an appeal in writing is submitted to the President of ICCP within 30 days of the accused's receipt of the Council's decision.
"How to Do Nothing," kids activities, back in print!
I see a lot of people just jumping on this issue without thinking things through. Many think the admin SHOULD notify the consumers asap.
Now let me throw some wrenches into this quick conclusion:
- How do you know FOR SURE data was stolen? How about in cases when the sysadmin is only 10% sure, or 100% sure but 100% wrong because of an error in judgement or misunderstanding?
- And if the admin mis-fires and causes the company sales to die, how responsible is he for the financial/reputation loss to the company?
- What if an evil or disgruntled sysadmin wanted to kill the company? He can use purposeful bad judgement or assumptions and contact customers, telling them their cc information has been stolen.
The sysadmins should ONLY be obligated to inform their boss of the possibility of a breach. Once he does that the rest of the liability should be with the higher-ups. There's no need for an admin to feel guilty.
Look, we all want what's best for us. But there are just some things that aren't that simple. There's a give and take. The burden of such things shouldn't be with the admins.
eTrade SUCKS
While most people don't realize it there is more than an ethical problem here; there is a legal one. Assuming that an administrator works in the U.S. here is the legal situation:
Anyone who has knowledge of a Federal Felony in the U.S. is required by law to report it to the proper law enforcement authorities ( U.S. Attorney, FBI etc.). Failure to do so makes that person an indictable co-conspirator.
Computer break-ins and credit card theft are Federal Felonies; if 'Dana' is in the U.S. he has no choice but to report or become a criminal himself.
Federal whistle blower statutes apply once something has been reported to the legal authorities but not before; Dana could be fired now - but not once he reports the theft and invokes the whistle blower act.
Found out about this from some federal agents and attorneys I work out with after some bad personal experiences with a company.
I suggest that 'Dana' talk to an attorney and make a decision about how good his information is. Like Spider Man ignoring the theft of the gate receipts - a failure to act can come back to bite you; how does he know that this theft was not an Al-Qaeda action?
Do the right thing!
Sleep better at night!
Be a man, accept the responsibility.
Admit your mistakes, create a plan to correct them, and follow thru on that plan to completion.
I'm very disappointed that we are even having this discussion.
Also, if everybody knows about an insecurity then the company will HAVE to take remedial action.
That magic word "should". I should floss more often. I also should get on the treadmill (and off the PC) more often. I should do the dishes every night, should save more money for retirement, should take classes to finish my cert, should thank a veteran on Veteran's Day, should clean my garage, should mail Dad a gift, and should eat out less. A perfect world would be a busy world, to be sure.
That said, there's about a 1 in 6.02x10^23 chance that corporations will voluntarily disclose theft of sensitive data. If everyone knows about Company A's insecurity, the customers will go to Company B which doesn't disclose such information. Press releases are sent out about getting pantsed, competitors create disparaging ads, customers leave, investors get nervous, stock prices drop. And then companies learn it pays to keep your mouth shut.
In fact, I'd wager a company is more likely to pay other people to keep their mouths shut as well than it is to be open and honest and forthcoming. Remember, a public company has one -- and only one -- duty: increase or maintain shareholder value. If they don't do that, then the board can be sued, the chairman ousted, etc, etc. Yeah, I'd bet that not getting thrown off the board is worth some hush-up money in the right places. If I were The Chairman, for instance, I'd make damn sure my sysadmins and IT group had fairly hefty NDAs/non-competes as well as hefty bonuses for "resolving" security issues in a discreet way.
Here's a hypothetical example: Datek gets broken into every once in a great while, has an insecure setup, whatever. Confidential data gets lost or intercepted easily maybe, who knows. But it decides to be honest with everyone. It gets a web page going of all the recent compromises, sends email to people whose info was pinched, fixes the problems via the aforementioned remedial actions. E*trade keeps quiet, Datek starts looking sloppy and has a "history" of being insecure, E*trade gets more business even if they don't decide to smear Datek. Datek is soon a fading memory with secure business systems.
Disabuse yourself of the notion that you will know who got what and when. It is not in a company's best interest to let you know your privacy and financial security was compromised, no matter how much grandstanding they do over security and trust. Just don't use a Visa/Mastercard debit card or your SSN online and everything will be fine.
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
That's pretty good actually...
I still don't see the problem. If I discover this kind of problem, the first one I inform is my boss. If he fails to react, I have two things to consider:
And as I sit here typing this.. I think I should take a fellow admin as a witness, so we have no he-said/he-said crap later on.
-f
-'fester
although i'm sure the folks over at fud.con.troll would love for you to bulleave you have some moral leeway in the question of what to do when your IIS machine is pilfered, butt there is not.
if your cc inf. was stolen of sum billybox somewhere, would you FEEl asp dough you had the write to know? would you FEEl asp dough the inept fuddite apologists had the right to fail to, or MiSinform you, about the situation? m$0k.
be sure to read this report , just re-leased buy the billonlyUS de FUDgeville Institute, on sum of the "other" horrors of becoming involved in the ill eagle kingdumb's FraUDuleNT infactdead payper liesense hostage ransom scams.
On the one hand corporations don't want any official policy about network security, on the other hand they're not willing to go to the lengths of due vigilance. In most cases this would involve hiring an outside agency to design the software and network infrastructure to handle client billing and data.
Chris Kuivenhoven is a thief, beware
I agree. Many people consider issues to be "dilemmas" just because they don't understand that ethics really isn't a matter of opinion. This is clear cut. Just be prepared to lose your job if you announce it to the public. Business cannot do without at least the ILLUSION of quality. Real quality costs money. Therefore it makes business sense to lie to your customers and profit from deception.
Secure, anonymous digital cash has been here for a long time. It solves all these problems since you treat it as cash. No extra bits of customer information needed so no extra risk of identity theft, or fraud, or whatever.
Any system of financial transaction that relies on a publicly known number to protect your privately held assets is doomed to failure from the start. Using credit cards is kind of like paying for cash but handing over your wallet and expecting the sales clerk to take out the appropriate amount!
This is not a technological problem. It's a social and political problem.
However, once all of that has failed, the decision then gets forced onto the sysadmin. That person then is stuck with the dilemma of making that decision and losing his or her job. Even worse, if they are under contract, they could be personally sued as well for breaking terms of the contract.
It's a shame that we even have to read articles like this. The SANS institute was way off - I would rather know that something happened to my CC so that I can simply get it replaced than have my credit card used to purchase items (like equipment for the "enemy") and have to dispute the charges.
Random Musings
This is a nobrainer. Yes, ofcourse the company should be honest about what happened to data that's not theirs. It's only fair to the customers that trust them with their valuable information. It also shows that the company puts more value on the customers and the way they are treated, than on profits and deception.
It also seems to me that by admitting 'guilt' (well, things can always go wrong, nothing is 100% secure, and we're all human), they show respect for their customers, take responsibility and very likely have the intention to do something about it, while if they choose to keep everything hidden, it's like shhh... nobody knows = nobody cares... not an attitude I would want to show to the people depending on my services.
In general, I would rather trust a company that can give good _and bad_ points about itself, completely open and honest, than a company that's always best, greatest, biggest, 100% secure, etc.
Especially so when it's purely an internet company.
The editorial brings up a good point regarding the larger business role of the admin. The admin has done her job, it's up to the business/legal department to manage the relationship with the customers, vendors, and law enforcement people.
If the admin feels her company is not doing everything it can, she ought to be careful how she proceeds depending on her concern for her job and the legality of everything. If she's morally conflicted and the company violates her code of ethics even after she points out all the issues from her side, she ought to leave the company. Of course, that leaves the customers without an advocate within the company. However, we all know from the umpteen examples recently of the problems of being an internal whistleblower. The internal whistle-blower rarely changes things from within. It's only after the story breaks that everyone admits that the whistle-blower might have had a point.
Therefore, if she really cares about the customers and the company is clearly hurting the customers, she should leave the company and then break the story. If she doesn't want to participate in a company that doesn't match her ethics but she also doesn't want to risk legal and career problems for customer advocacy, she should still leave the company and go find a company that's more in tune with her. The point is that internal battles are almost always a losing proposition when you are talking about widely differing ethics.
Unfortunately, this puts a burden on the admin to do the right thing according to her gut and suffer the consequences. It's unfair that she has to change jobs or risk her career. That is the yoke of responsible individuals though.
This is how I think...if it's illegal and it occurs on your system you should immediately report it to authorities and inform the people who may be affected. If it is directly linked to a failure on the administrator's part to adequately secure the system then why is that person a sysadmin? Security should be priority 1, period. To ignore security and not inform those affected is morally wrong; you're harming another individual and I would say you are being negligent and may even be culpable for that negligence...
+----DuBBs2ooo----+
+The King of Fools+
+-----------------+
"Only the merchant, left holding the bill for selling merchandise to a thief, suffers"
WRONG
Only when your identity is stolen will you know the meaning of "suffers". Only when your identity is stolen will you understand that the merchants' losses are a mere pittance compared to your own losses.
"...Paller said, but he's not convinced the victims need to know. In fact, it may accomplish little other than "making people worry," he said.
"If you can avoid harm to someone then you have some form of ethical obligation to act... But just letting people know things isn't necessarily going to make things better," he said. "Given that the person whose card is stolen has no economic liability, and we don't know if it was actually stolen, my guess is the only obligation is to meet the requirement under their privacy policy. I don't think people have an obligation to say 'I screwed up.'"
Yes you do have an ethical obligation to say you "screwed up". Your "screw up" has released personal information that can be used not only to steal merchandise, but to steal identities. Combining the credit card data with other data freely available on the 'net enables much more elaborate identity theft crimes. Once that data is available, once the identity info is established, it doesn't matter if the number is cancelled. The info has been put together. It doesn't matter if the thief is busted. The identity/credit card thieves normally work in gangs, and are affiliated with other gangs. Once one member is caught, someone else is always there to take his/her place. Credit card data contains a full name, credit card number, expiration date, phone number and billing address at a minimum. This is enough to get the ball rolling. Add in information that is included in a large percentage of purchases, such as date of birth or other info, even social security number in some instances, and you have the makings of a disaster. Time Warner's sites have even asked for social security number and mother's maiden name in the past, simply to register to access some of their web sites. Colleges and Universities associate everything to your social security number (except starting this year, California). Ever heard of a college/university computer being breached? How about the moral dilemma of notifying individuals that their social security number, date of birth, address, physical description, medical/immunization records, grades, classes taken, major, and other info has been breached from a school computer? If we leave it to Alan Paller, if the organization responsible for the breach keeps its mouth shut, so should the network administrators.
Only the merchant suffers? No economic liability on the part of the cardholder? Really? Do you really believe this?
How about the fact that here in the US, the banks have a 100% writeoff on these losses. So what you say? That 100% writeoff reduces the taxes these banks pay dollar for dollar. That means that for every dollar stolen due to your "screw up", the US, me and every other citizen in the US collects one dollar less in taxes. One dollar less that can be used to fight the war on terrorism. One dollar less that can be used for education. One dollar less that can be used for social security. One dollar less that can be used for medical research grants. One dollar less...
The situation is similar in other countries as well. Banks and merchants have gone a long way to ensure that. And legislators have accommodated them, not wanting to miss the internet wave.
How many billions of dollars are written off yearly due to credit card/internet crime?
"making people worry"? How about a heads up that they are about to experience a nightmare? How about a heads up that they may be having problems with their credit for years to come? How about problems that they may have trouble purchasing items for minimally the next seven years because the banks refuse to correct the errors. Or resubmit the errors to the credit reporting agencies after they have been cleared, due to "technical errors". How about banks that require multi-page reports/affidavits notarized? How about banks that require police reports? How about collection agencies that hound you knowing that you are more likely to pay so that they leave you alone rather than get the error fixed? How about the fact that collection agencies have a financial incentive to get you to pay that bill regardless of whether you really instituted the charge?
While some credit card number losses due to security breaches may be rectified by banks taking simple steps to nullify the situation, not all banks are as accommodating. Merchants are often left holding the bag when these losses occur, because the banks have more clout, and more lobbyists than individual merchants. But the merchants deduct these losses as well. And the banks have routinely exposed card holder info as well. Nor are the accommodating banks always accommodating. Will Alan Paller be there to hold your hand when you are the victim? Or will Alan Paller be more concerned about his network administrators?
Universities across the US instituted morality and ethics classes for business students many years ago due to abuses in the business and stock industries. Perhaps it's time to do the same at the Sans Institute. The issue IS black and white. Removing Alan Paller should be the first step.
Making credit card numbers available due to exposure of the servers on the internet is a major problem. But it is a nightmare for some cardholders because of what they are put through subsequent to the numbers being released. Believe the nightmare scenarios you hear about, because they are true. And it is Alan Paller's attitude, and his position at the Sans Institute that is enabling these scenarios to continue.
Just as licensed engineers and architects passing by a building that is likely to collapse have an obligation to notify responsible parties, just as off duty police officers have a duty to uphold the law (New Jersey trooper/basketball player killing limo driver incident, trooper being prosecuted), just as an electrician has a duty to notify responsible authorities if he sees a serious exposed faulty wiring condition, just as any professionals have a duty to notify responsible parties when a health/safety/legal issue is presented to them in their area of expertise, then so does a network administrator have a duty to notify responsible parties when a financial crime can reasonably be prevented by such disclosure.
Only Alan Paller would find a gray issue in this. Is the Sans Institute equally confused on this issue?
There is no dilemma here, it's about as clear cut as you get. If the admin finds a breach, report it and fix it. Next, inform those affected. If your boss won't inform people that their credit card numbers may be compromised, then I suggest looking for a new job. On the way to your new job, drop the list by your local law enforcement office, the feds, the credcard companies, and the media.
two administrators: one system admin and one security admin, you had better outsource all credit card transactions to PayPal or WorldPay.
Whether or not the merchant is required to disclose credit card theft from their files should be covered by their agreement with the card issuer.
Why?
Because THAT is who the cards and numbers belong to. It's right there on the back of my cards.
"THIS CARD IS THE PROPERTY OF AND ISSUED BY *** AND MUST BE RETURNED ON REQUEST"
and..
"ESTA TARJETA ES PERSONAL, INTRANSFERIBLE Y PROPIEDAD DEL BANCO"
Let's all *please* remember what a credit card really is. It's a token, issued to the customer of a credit card issuer, used to identify yourself to merchants who are also using that credit system.
it is not yours. it is merely a token.
Many card contracts only hold you liable for charges if your card is physically stolen and you don't report it; you are not liable *at all* for fees charged to your card unless
a) You charged them yourself
b) Through your own actions permitted someone to charge them
c) Failing to report a stolen card.
In other words, if my card is in my pocket, and whatever merchant some gomer used my number at can't prove that it was ME who authorized the use... he gets no money, visa doesn't charge me.
If you card DOESN'T work this way, please shop around, you are getting screwed.
Why are they legally required to inform them? What law?
What has been stolen? Not the customer's credit cards; those are in their wallets still.
Unless their merchant agreement requires them to inform customers (Which it very well may).... there may not BE a law requiring them to disclose the breach.
Because, it's not just about the number.
In order for a merchant to be guaranteed his money, he has to be able to PROVE that the authorized person used the card.
A signature is a good way to start.
A shipping address that is the home address of cardholder is another. (why many internet sites will only ship to the address on the card)
The system hasn't collapsed because
a) You can get in deep shit for credit card fraud
b) Customers can easily dispute charges they did not make, the onus is on the merchant to prove they were legit.
c) Visa (or whoever) is thus protected on both ends.
You see, they can't inconvenience their product (you, me, the next guy) because their customers (merchants) only see value in accepting credit cards, and paying the associated fees, if lots of people hold them. If credit cards/charge cards became a pain in the ass to use, the value would be gone.
Remember.. it's about making it easier than cash.
Legally? No. And they never should be required to.
Morally? Yes. And employers should fire if not.
One of our clients uses a proprietary system which, among other things, keeps records of customers paying by credit card. Unbeknownst to them (or us) this system has an "undocumented feature": a back door. Probably coded to allow easy access to systems by help-desk techies, there was no mention of it in any documentation we could find.
The client received an email from someone who told them about the back-door and provided clips of actual credit card information taken from the system! Luckily enough, this person disclaimed any intent to do harm and provided the information for us to eliminate the problem.
Of course, our dilemma was whether to advise the client to tell his customers about a possible theft of information. We decided that, since the email sender performed a service and had only used the credit card information to illustrate the problem, that the client was safe in not telling customers that their data might have been compromised.
No one ever had to evacuate a city because the solar panels broke!
Yeah, covering up a crime makes you an accomplice in America. They are legally required to fess up. It seems that little things like the law aren't really considered in corporate America, as that didn't come up in the discussions in the article at all. :
"Never, never suspect the dreams within the dreams of dreaming children." ~The Amazon Quartet
Is this an issue?? Is the data allowed to be disclosed or is it protected by law because it is personal to the user?
Hard Work Often Pays Off After Time, but Laziness Always Pays Off Now.
My MBNA Mastercard already has this feature. They call it "Online Shopsafe" or something like that.
You log into their site, tell them how much of a "credit limit" you want and how long the credit card number should be active.
Works pretty good if you ask me.
As a sysadmin, your duty is to report what is going on to those who run the business; from there it is their call. It is not YOUR job to assess the legal and financial risks of the company. It is theirs.
If the company won't report it, and you have an ethical issue with this, then that's your call, same as with ANY action your employer does. You can report it behind their back, sure. I, for one, would fire you. I sure as HELL would not trust someone with my business data who goes behind my back.
As for talk of sysadmins doing cover-your-ass stuff... if you have to, you have to, that's reality. We gotta put food on the table, right?
Really, though, you should not be secretive about security. If you have issues about what the company does/does not have for security, document it. Keep up with patches. Make sure there is a paper trail showing that you did what is reasonable to protect things.
Especially if there are several one-use numbers involved which all point to the same company. The company needs to reevaluate their risks, particularly if they want to continue using cards.
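The two comments above (the MBNA "Shopsafe" description of a card number with a holder-chosen limit and lifetime, and the reply noting that several one-use numbers all pointing to the same company tell you where to look) describe two halves of one mechanism: the issuer mints limited-use tokens, and because each token was spent at one known merchant, disputed tokens can be traced back to a common point of purchase. The following Python is an added illustration written for this page; it is not code from MBNA, from any commenter, or from the editorial. The `Issuer` and `VirtualCard` classes, the merchant names and the dates are all constructed for the example.

```python
"""Toy model of limited-use card numbers plus the issuer-side check that
several disputed tokens share one merchant.  Constructed example; the
class names, merchants and dates are invented for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class VirtualCard:
    number: str          # the token the merchant sees and stores
    real_account: str    # underlying account; never sent to the merchant
    limit_cents: int     # spending cap chosen by the cardholder
    expires: date        # last day the token is valid
    spent_cents: int = 0


class Issuer:
    """Issuer side: mints tokens, authorizes charges, and remembers where
    each token was used so a fraud report can be traced to a merchant."""

    def __init__(self):
        self.cards = {}                  # token number -> VirtualCard
        self.usage = defaultdict(set)    # token number -> merchants used at
        self.fraud_reports = {}          # token number -> disputed merchant

    def issue(self, real_account, limit_cents, days_valid, number, today):
        card = VirtualCard(number, real_account, limit_cents,
                           today + timedelta(days=days_valid))
        self.cards[number] = card
        return card

    def authorize(self, number, amount_cents, merchant, today):
        """Approve or decline a charge; returns (approved, reason)."""
        card = self.cards.get(number)
        if card is None:
            return False, "unknown token"
        if today > card.expires:
            return False, "token expired"
        if card.spent_cents + amount_cents > card.limit_cents:
            return False, "over limit"
        card.spent_cents += amount_cents
        self.usage[number].add(merchant)
        return True, "approved"

    def report_fraud(self, number, disputed_merchant):
        """Cardholder disputes a charge made with this token at a merchant."""
        self.fraud_reports[number] = disputed_merchant

    def common_points_of_purchase(self, min_cards=3):
        """Merchants at which at least min_cards disputed tokens were
        legitimately used before the dispute.  With limited-use tokens each
        one was spent at very few places, so a merchant shared by many
        disputed tokens is the likely point of compromise and the one whose
        risk needs reviewing."""
        counts = defaultdict(int)
        for number, disputed in self.fraud_reports.items():
            for merchant in self.usage.get(number, set()) - {disputed}:
                counts[merchant] += 1
        return sorted(m for m, n in counts.items() if n >= min_cards)


def demo():
    """Constructed scenario: three tokens spent at shop-a and one at shop-b
    all later show up in disputed charges at shop-x."""
    issuer = Issuer()
    today = date(2002, 11, 1)                      # constructed date
    for i in range(3):
        issuer.issue("acct-1", 5000, 30, f"tok-{i}", today)
        issuer.authorize(f"tok-{i}", 2500, "shop-a", today)
    issuer.issue("acct-2", 5000, 30, "tok-9", today)
    issuer.authorize("tok-9", 1000, "shop-b", today)
    later = today + timedelta(days=5)
    for number in ("tok-0", "tok-1", "tok-2", "tok-9"):
        issuer.authorize(number, 1000, "shop-x", later)   # fraudulent reuse
        issuer.report_fraud(number, "shop-x")
    return issuer


if __name__ == "__main__":
    print(demo().common_points_of_purchase())   # ['shop-a']
```

The limit and expiry checks in `authorize` are what make a leaked token far less valuable than a full card number; `common_points_of_purchase` is the issuer-side view the reply above alludes to, and it works whether or not the merchant ever discloses anything.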
Unfortunately, what happens in real life is that, if the theft comes to light at all, companies cry "hacker" and that their customers and the rest of society end up paying the cost for their negligence.
A lot of people here are simply saying "Yes, he has to disclose it." It's not that easy. There are two big problems to this that I can see. First, the customers are NOT the victims here. Second, the sysadmin clearly has ethical obligations to his employer; whether he has ethical obligations to his employer's customers is less clear.
When a credit card number is used fraudulently, the credit card company is the victim. The holder of the credit card (the consumer) has no responsibility to pay for fraudulent charges; he only has a responsibility to notify the credit card company that the charges are not legitimate.
Some may say that the consumer is ultimately the victim because the credit card company will pass losses from fraud to their customers in the form of higher fees. If you believe this then you probably also believe that copying a CD actually takes money out of the music industry's bank accounts. The credit company has the power to change their system to stop fraud -- it is simply more profitable for them to absorb the losses instead.
This is one of the reasons I've never been afraid to use my credit card number online -- why there was ever fear over this is beyond my understanding. If someone steals my credit card number (it happened to me once), I just call up the credit card company and tell them. I don't have to pay for something I didn't buy. Period.
Anyway, my point is that there is not an ethical obligation to the customer because the customer is not a potential victim here. Some have said there is a legal obligation but I do not believe that (I am not a lawyer). If a restaurant discovers a waiter has been stealing credit card numbers they are not going to notify their customers. They will fire the waiter and notify the credit card company and possibly the police.
The second part of this -- who the sysadmin has an ethical obligation to -- goes like this: As a sysadmin you have an ethical obligation to your employer to not harm your employer. You also have an ethical obligation to not use your employer's customer data to contact the customers directly -- you would be stealing data just like the credit card thieves and could face prosecution from your (by this point, former) employer. You also have an ethical obligation to understand your position in the company and operate within those bounds -- you are a sysadmin, not a lawyer, not a PR person, not a manager. You also have an ethical obligation to your employer to notify an appropriate person *within the company* when someone else is behaving unethically. The company has an ethical and probably legal obligation to notify the credit card company -- since the credit card company stands to lose money if the stolen numbers are used.
Credit card companies have entire departments to deal with fraud -- they have the expertise to handle this situation. Joe sysadmin doesn't. Joe sysadmin's employer doesn't. And the customers certainly don't. The credit card company is really the one that should be notified here -- and since the credit card company is the potential victim, it should be up to them to decide whether or not to involve law enforcement.
If I were the sysadmin in this situation I would first try to convince my manager to involve the company's legal dept to find out what our legal obligations and risks are. I would encourage them to notify the credit card company and offer my time to work with the credit card company to investigate whether or not something actually happened. If the company decides to keep quiet, I would put my objections in writing and make sure they are known, and I would look for another employer. In this case, though, I wouldn't take it upon myself to notify anyone outside the company. If the crime involved human victims rather than corporate ones, I think I would feel obligated to notify law enforcement.
If it happened to a company I deal with I'd want to know about it.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
So your basic ethical stance is that you have no obligations of any sort with respect to your customers?
Who do you work for? (Not that I could believe your answer.)
I can sort of understand why a corporation would decide to not disclose the data. It's corrupt, but it definitely improves their financial picture, up until the time the information is revealed (and they may be able to whitewash that). But corporations have no ethics or morals. They only have "cultures". The people who are in them are the ones with the ethics (or, in your case, something else).
Personally, I prefer not to deal with companies that employ unethical people. That's one of the reasons that I read the news. (Mind you, the news is so fictionalized that I can only guess at what reality is behind the reports. But I'm aware of that, and do my best.)
I think we've pushed this "anyone can grow up to be president" thing too far.
This is from someone that thinks that lawyers should be made a sporting game and fall under population control measures. Too many sue to get rich, but that is a problem unrelated to the lawsuits themselves. (It has everything to do with simple greed and the $10,000,000 for 'emotional trauma' crap)
First step, kill all but 20 lawyers in the country. Then with the biological products we get from them, we can use that as fertilizer and food (mmmmm.... soylent green). This issue however would best be solved by simply applying the existing laws about negligence and incompetence already in existence.
You must disclose this. It would be unethical to not disclose it. People often don't do what they should.
Furthermore, you would be open to lawsuits if you didn't.
Speaking of privacy, anyone know how I can see a list of all the websites owned by a company?
tell them it is lost/needs to be recovered, get it back, save the day. it's not the sysadmin's fault the data was lost but it is the sysadmin's responsibility to take the blame for anything that goes wrong. or so my employers tell me.
We live in an increasingly broken culture, broken infrastructure, broken economy, and a broken legal system. I no longer do technology for a living. Intractable realities such as Dana's dilemma are precisely the reason why. Things are going to get MUCH worse before they get any better, you can be quite sure. Our civilization lacks the infrastructure to adequately manage the technology that we have created, and it is only a short matter of time until this rapidly accelerating train jumps the tracks, if it has not already done so.
If all the system held was personal information, names, email addresses, etc and it was compromised, the worst that would probably happen is that someone would get more spam. And that individual is going to get spam no matter how hard they try to keep their information secret.
However, all that breaks down when you're talking about credit card numbers. He knows the data was compromised. Credit card fraud on the internet is real. It happens all the time. And anytime fraud occurs, someone suffers as a result, and typically it isn't the thief that stole the credit card number.
Say this was you and you were in a similar situation. Upon reporting the crime (and this is a crime) to your boss, your boss informs you that it would be better for thieves to succeed than to look incompetent. This is someone who would rather cover his own ass by hiding the problem than to take appropriate responsibility and to assist law enforcement, the credit card companies, and the credit card holders in protecting their property. Have you got his decision in writing? Do you have witnesses that you reported it? After all, you ARE the sysadmin. To some degree you are responsible for the compromised data. Let's say that in the unlikely event the theft was traced back to you. And you have knowledge of it happening. It doesn't appear that your boss is going to stand up and claim responsibility at that point. He's going to cover his ass and point the finger at you. Do you REALLY want to work for someone like that?
Yes, the job market is tight right now. Sometimes making the right choice comes with certain consequences. But that's what ethics is all about. It's not just about not doing the wrong things, it's about doing the right things when others attempt to dissuade you. If you choose to sit back and look the other way, in the end you will lose. Maybe this event will result in no problems, but something else will happen. Someday. A lot of people get dragged through criminal court solely because they felt the consequences of doing the right thing were too severe.
So consider what would happen if the hammer did fall. You'll lose not only your job, but you'll also lose your respect and integrity as well. At least while you go out interviewing for a new job, you get to tell the interviewer you left your previous company because they wanted you to do something illegal or unethical, and not because you were fired for doing something illegal or unethical. The fact that you're willing to sacrifice a comfortable lifestyle to do the right thing will outshine any other element of your resume.
-Restil
Ask yourself the following questions:
1. Would you call the cops if your neighbor's house was getting ransacked?
2. Would you like to go to jail?
3. Could you live with the thought that it's possible families could go hungry because of you?
There is no dilemma. Anyone who doesn't report something like that deserves to go to jail. If they report it and get fired, throw their bosses in jail for 2x as long. ANYONE who thinks not reporting that kind of stuff is ok is scum.
Yea, it's a flame, but come on people, use your head.
Right.
I'm sorry.. but accusing corporate America of avoiding that particular law is a bit ridiculous.
I'm sure you cover up a few crimes.. or are you known locally as "Blue Boy the Rat"
I thought failing to report a crime was a crime.
When you take on a fiduciary responsibility you owe the client every protection.
The police and the clients should be informed that the theft may have occurred. The press should not.
As someone who has had his credit card number stolen from web sites before, I can say that it sure would help to be notified when a database containing my credit card numbers has been compromised. When it happened to me, I didn't find out until whoever got the numbers actually started trying to use them. And then, I only really found out because the web site they were trying to use my CC # on -- eBay -- notifies a credit card's owner whenever the card is used on their site. I don't know what site was hacked to get my credit card number, but had it not been for eBay's notifications, I may have lost a huge chunk of money.
Here is what needs to happen:
1: Companies should have a clear security plan which needs to be followed in these cases. It is the sysadmin's job to help form this plan and follow it when there are problems.
2: Credit card companies should start asking for these plans for their on-line merchant account holders.
The problem is a system which rewards poor ethics on the part of the business. CC companies are partly responsible for this problem and need to take some responsibility for the problem, and start penalizing poorly prepared businesses, and/or those that fail to follow their own procedures.
It's not his/her job.
Forget the moral angle because it's relative... (my high morals might actually be low to you)
However, from an ethical point of view Sys Admins should inform the relevant people or dept. (legal, PR, ...) who should in turn take the necessary steps to inform the customers ASAP.
(Keeping quiet is unethical, and too risky... If you gave away my CC # I'll take you to the cleaners.)
Sys Admins should be worrying about fixing the security breach instead.
That said if no one else can inform the customers then the Admin has no choice but to do so.
We do have laws like that, but they are essentially meaningless. The courts are full of right wing pro business judges that let corporations get away with way too much.
Ethical issues should not be in conflict with good business. However, more and more often, we hear the same old claim that profit is the only concern of Corporate officers and employees. It is little wonder we are having to deal with the fallout of Enron and Arthur Andersen (a prestigious company with a long history and a BUSINESS of ethics) - a stock market in a state of flux due to flagging investor confidence and trust.
Customer financial data falls rather neatly into the ethics of good business. It is good business to protect that data. Failure to do so is often a sign of negligence. Business will be affected. And the Board should rightly begin to consider what aspects of management need to be "adjusted" to weed out future negligence and incompetence.
It is certainly possible to have an incident where data theft happened despite proper due diligence on the part of the company. However, the unfortunate fact is that today many IT environments are woefully insecure for no other reason than a lack of attention. Negligence.
Any corporate structure whose IT systems contain valuable data (to include customer financial information) should focus as much (if not more) on information security as on other IT issues such as cost, management, and availability.
The infosec industry is changing after years of dire warning. Some large organizations have built their own internal infosec groups specifically tasked to protect corporate (and customer) data and systems. Others seek outside help and have grown the number of infosec consultancies. And infosec issues are becoming more and more important to a product's offerings. There is still much to be done - as evidenced by this even being an issue for discussion. But at least companies are finally taking a proactive stance.
After all, it's not only good ethics... it's good business.
You are forgetting that if this truly is an ethical issue, laws don't matter at all. Ethics is not about obeying the law. However, I think you're correct that this really isn't an ethical issue at all, but a legal one.
Report the breach and your penalty is that your security methods are audited.
Don't report the breach, and get caught covering it up? You, not the cardholder, bank, or population at large, you are liable for fraudulent purchases made with the stolen info.
I think most people have heard of the on-line services which provide temporary numbers. The problem is that it requires internet access when you use it, rather than just a handheld with a simple program. It is better than nothing though.
What I'm surprised about is that this process isn't more wide-spread. The credit card companies have to foot the bill, so I would expect they would provide/require that service for everyone.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Why not post the ethical code from a viable organization, like ACM, ISACA, or ISC2?
First, to any sysadmin who has to deal with these problems, you have my sympathies. As a sysadmin myself and a former employee of a company that developed e-commerce software, e-commerce is a minefield in itself.
I personally don't see the sysadmin to be ethically obligated any more than if a similar theft occurred at a brick and mortar establishment. For instance, would the security guard be ethically obligated to inform the store's customers that someone may have stolen credit card purchase slips stored in a safe?
And if we open the ethical debate, we cannot simply ignore the said consequences. What would the credit card holder do? Sue the sysadmin or the company? Become irate? Would he even thank the sysadmin that disclosed the information?
The truth is that in the brick and mortar world, you generally require at least a signature to charge a purchase on your card. When business evolved to purchases over the phone or on the Internet, the credit card companies should have brought that philosophy with them.
What is sad is the fact that this does exist. It's called SET (Secure Electronic Transactions) which was being actively developed to handle electronic signatures for electronic credit card purchases.
The big question is why it isn't in place right now. The answer is quite simple. The credit card companies instantly realize that e-commerce transactions equal profit. Forcing SET down the throats of merchants and credit card holders would cost the credit card companies big.
So the system is insecure simply because the losses in the volume of transactions (which equals profit) would be more than the losses caused by credit card fraud. It is their definition of "risk management" that makes e-commerce transactions insecure.
So, if you as a credit card holder want to question the ethics of the sysadmin, remember these very key points:
Personally, I believe that ethical obligations are proportional to those who benefit the most from the stated conditions. And trust me on this one; the sysadmin does not benefit at all from these conditions.
From the Simpsons:
Snake: Wallet Inspector!
Geeks: Here you go. (Geeks hand over wallets) I'm sure you'll find everything is in order.
Snake: Whoah - I can't believe they fell for that (he runs off).
Homer: (looking concerned and confused) Wait... That wasn't the wallet inspector!
Credit card companies are pros at dealing with fraud, and they spend a lot of money on fraud detection.
If a list of CCs get stolen, and more than one or two of them gets used fraudulently, the CC companies are pretty quick at figuring out what company the theft occurred at (it's a no-brainer database query). This is true even in the real world, when a gas station attendant goes bad.
If anything, detection is easier online, as customers don't have as much spatial locality online.
So if there's fraud, the CC companies WILL worry about it, and if there isn't, what's the big deal?
The bit that galls me is that CC companies, after creating products whose security is a joke, are often badgering governments to spend more time and money on fraud investigations and prosecutions.
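The "no-brainer database query" mentioned above is what issuers call common-point-of-purchase analysis: take the cards that were later used fraudulently and find the merchant they all have in common. The following is an added example, not code from the post or from any card issuer. All of its data is constructed (the card tokens are fake and the merchant names invented), and it ranks by lift over the merchant's base rate rather than raw hit count, because a merchant that every cardholder visits will naturally show up for every fraud card too.

```python
"""Common-point-of-purchase query over a constructed authorization log.
Added illustration; not code from the original post or from any issuer."""
import sqlite3
from typing import Iterable, List, Tuple

# Constructed authorization log: (card_token, merchant, day).  A real issuer
# would query its own authorization history; card tokens stand in for PANs,
# which should not be sitting in plaintext in an analyst's table anyway.
TRANSACTIONS = [
    ("card-A", "grocer.example", 1),
    ("card-A", "shop-one.example", 2),
    ("card-B", "grocer.example", 1),
    ("card-B", "shop-one.example", 3),
    ("card-B", "fuel.example", 4),
    ("card-C", "grocer.example", 2),
    ("card-C", "shop-one.example", 2),
    ("card-D", "grocer.example", 1),
    ("card-D", "fuel.example", 2),
    ("card-E", "grocer.example", 3),
    ("card-E", "fuel.example", 5),
]


def build_db() -> sqlite3.Connection:
    """Load the constructed log into an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tx (card TEXT, merchant TEXT, day INTEGER)")
    conn.executemany("INSERT INTO tx VALUES (?, ?, ?)", TRANSACTIONS)
    return conn


def common_point_of_purchase(conn: sqlite3.Connection,
                             fraud_cards: Iterable[str]
                             ) -> List[Tuple[str, int, float, float]]:
    """Rank merchants by how over-represented they are among cards that were
    later used fraudulently.

    Each result is (merchant, fraud_cards_seen, share_of_fraud_cards, lift)
    with lift = share among fraud cards / share among all cards.  The lift
    matters: a merchant that every cardholder uses (the grocer in the
    constructed log) also shows up for 100% of the fraud cards, so counting
    hits alone would point at the wrong company.
    """
    cards = list(dict.fromkeys(fraud_cards))          # dedupe, keep order
    if not cards:
        return []
    placeholders = ",".join("?" * len(cards))          # only '?' and ',' reach the SQL text
    total_cards = conn.execute("SELECT COUNT(DISTINCT card) FROM tx").fetchone()[0]
    rows = conn.execute(
        f"""
        SELECT merchant,
               COUNT(DISTINCT CASE WHEN card IN ({placeholders}) THEN card END) AS fraud_hits,
               COUNT(DISTINCT card) AS all_hits
        FROM tx
        GROUP BY merchant
        """,
        cards,
    ).fetchall()
    ranked = []
    for merchant, fraud_hits, all_hits in rows:
        if fraud_hits == 0:
            continue
        share = fraud_hits / len(cards)
        base = all_hits / total_cards
        ranked.append((merchant, fraud_hits, round(share, 4), round(share / base, 4)))
    # Strongest lift first, then most fraud cards, then name for a stable order.
    ranked.sort(key=lambda r: (-r[3], -r[1], r[0]))
    return ranked


if __name__ == "__main__":
    db = build_db()
    for row in common_point_of_purchase(db, ["card-A", "card-B", "card-C"]):
        print(row)
```

With the constructed log and cards A, B and C reported as fraud, shop-one.example is the only merchant whose share among fraud cards (100%) exceeds its share among all cards (60%); the grocer is also seen for every fraud card but is seen for every other card as well, so its lift is 1.0. In practice the set of fraud cards is noisy (some cardholders were phished elsewhere), so a threshold on lift and a minimum number of fraud cards are applied before anyone is named as the breach point.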
What I'm surprised about, is that this process isn't more wide-spread.
I use one-time numbers with MBNA, but the process is somewhat annoying to go through each time I want to use my credit card. Let's just say, the average grandmother wouldn't be able to do it, and those that could, wouldn't see the need to go through all the extra effort. It's an excellent idea, it just needs to be made a little less cumbersome.
Nevertheless, every professional must take into account who it is they are effectively working for.
The line must be drawn somewhere. Drawing the line between "legal" and "illegal" is frequent. You are ethically bound not to do any illegal action, even if requested by your employer. You are also ethically bound not to do any legal action at the request of your employer if by doing it you knowingly act as a tool of your employer in performing an illegal action.
The admin has no obligation towards the credit card holder. The admin has no commercial or professional relationship with the credit card holder. If a sysadmin called me at home and told me he knew my credit card number had been stolen, I'd probably think he was trying to fool me into some kind of scam, or blackmailing me, and would probably sue him. If a sysadmin informed anyone that MY credit card number had been stolen, I'd probably want to sue him, too, since I'd consider that an unlawful intrusion into my privacy.
The holder has a relationship with the credit card company. No one but the credit card company can tell the user that his card number has been stolen. And the credit card company's customer is the commerce company, not the sysadmin. The flow must be sysadmin->corporation->credit card company->card holder. There can be no other flow. Your ethical duty is to report to your immediate management. If your immediate management does not report it further, you may be inclined to "leak" that there is something management should know about, and let top management start investigating. All of this within your company. It's the company's liability, never yours, once you reported to immediate management.
And if by any reason you feel that someone else should know, all you can do is "hint" that someone should look into things. If you want more than hinting, file a formal complaint and force an inquest to start. But don't just "disclose" to whomever you want to. By doing that, you are violating a few ethical codes yourself...
Well, I meant more my version of the system. You have a piece of software on your computer/notebook/handheld, and simply fill out the fields like a check... Then write down, or show the screen with the one-time number to the cashier. Perhaps I'm missing something, but it seems straight-forward to me.
Well, I meant more my version of the system. You have a piece of software on your computer/notebook/handheld, and simply fill out the fields like a check... Then write down, or show the screen with the one-time number to the cashier. Perhaps I'm missing something, but it seems straight-forward to me.
Have you considered how it's going to authenticate and communicate this information with the credit card company?
Do you know anything about S/Key? It determines one-time keys based on a MATHEMATICAL FORMULA.
Think of this system like using PGP/GPG to sign a file (with the dollar amount, and date encoded in it). That data could only have been made/signed with your private key (private key being your credit card number). And there's no way someone with that signed information may deduce your private key.
Make sense to everyone?
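The device-side scheme sketched in this exchange (a one-time number computed from a formula, with the amount and date bound into it) and the question of how the issuer authenticates it can both be shown in working code. The following is an added example, not code from the posts, from MBNA's service, or from S/Key. Its assumptions: HMAC-SHA256 stands in for the PGP-style signature; the per-card secret is a separate key rather than the card number itself, so a merchant that leaks the one-time number leaks nothing reusable; the prefix 999999 is a constructed issuer BIN, not a real one; the issuer identifies the account from a separate account field, the way a cheque carries an account number, while the 16-digit number carries the one-time code; and a counter with a look-ahead window lets the issuer accept a number whose predecessors were generated but never spent.

```python
"""One-time card numbers derived on the cardholder's device, with issuer-side
verification.  Added example; not code from the posts, MBNA, or S/Key."""
import hashlib
import hmac
from datetime import date
from typing import Dict

BIN = "999999"          # constructed issuer prefix, not a real BIN
WINDOW = 10             # how many unspent counters the issuer will look ahead
SAMPLE_SECRET = b"constructed-per-card-secret"   # constructed, not a real key
SAMPLE_DAY = date(2002, 6, 1)                    # constructed purchase date


def luhn_check_digit(body: str) -> str:
    """Check digit that makes body+digit pass the Luhn test, as real PANs do."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def one_time_number(secret: bytes, amount_cents: int, day: date, counter: int) -> str:
    """What the handheld computes: a 16-digit number bound to this amount,
    this date and a fresh counter.  The output reveals nothing about the
    secret, and changing any input changes the whole number."""
    msg = f"{amount_cents}|{day.isoformat()}|{counter}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    body = BIN + str(int.from_bytes(mac[:8], "big") % 10**9).zfill(9)
    return body + luhn_check_digit(body)


class Issuer:
    """Issuer side: the part the thread asks about ('how does it authenticate?')."""

    def __init__(self) -> None:
        self.secrets: Dict[str, bytes] = {}
        self.last_counter: Dict[str, int] = {}

    def enroll(self, account: str, secret: bytes) -> None:
        self.secrets[account] = secret
        self.last_counter[account] = 0

    def authorize(self, account: str, number: str, amount_cents: int, day: date) -> bool:
        """Accept the number only if it was derived from this account's secret
        for exactly this amount and date, with a counter newer than any already
        accepted one, so a replayed number or an altered amount is refused."""
        if not luhn_valid(number) or account not in self.secrets:
            return False
        secret, last = self.secrets[account], self.last_counter[account]
        for counter in range(last + 1, last + 1 + WINDOW):
            expected = one_time_number(secret, amount_cents, day, counter)
            if hmac.compare_digest(expected, number):
                self.last_counter[account] = counter   # burn this and all older counters
                return True
        return False


if __name__ == "__main__":
    issuer = Issuer()
    issuer.enroll("acct-1", SAMPLE_SECRET)
    n = one_time_number(SAMPLE_SECRET, 4250, SAMPLE_DAY, 1)
    print(n, issuer.authorize("acct-1", n, 4250, SAMPLE_DAY))   # first use: accepted
    print(n, issuer.authorize("acct-1", n, 4250, SAMPLE_DAY))   # replay: refused
```

Two caveats a deployment would have to address: nine digits of MAC leave a one-in-a-billion guess per counter in the window, so the issuer must rate-limit and lock out on failures rather than rely on the number length alone; and the look-ahead window is what keeps a number the cardholder generated and then abandoned from desynchronizing the device and the issuer, at the cost of making those unspent numbers live until a later one is accepted.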