Slashdot Mirror


Ethical Obligations

MaxwellStreet writes "There's a great editorial on msnbc.com about the ethical dilemma of whether or not a system administrator (or the business they work for) is obligated to disclose credit card number theft from their machines. What does everyone here think?"

4 of 131 comments

  1. second... disclosure by lysacor · Score: 3, Interesting

    Sure, there are some system administrators who would rather not reveal themselves as having an insecure network, for fear of having more security violations or even, God forbid, having to fess up to a mistake. However, we all make mistakes, and protecting the commerce of your website and payment processing system should be top priority, while disclosing to your customers the potential of the intrusion as well as informing them that there is a fix in the works; otherwise the check-and-balance system that any worker must follow, as well as trust, would be violated in the process.

  2. Maybe an admin code of ethics? by inkswamp · Score: 5, Interesting

    Dealing with this kind of ethical quandary isn't an admin's job and yet it seems that they end up stuck. In other professions where we have similar possible ethical dilemmas (medical, legal, etc.) there are established and deeply entrenched codes of ethics to which practitioners are expected, even by employers and associates, to adhere. Why don't system administrators have such a thing?

    I think the revelation in the article that a business would prefer to sweep such a theft under the rug is frightening and opens the door to all kinds of problems. Maybe making employers understand that their admins are obligated by their own professional standards to expose this kind of thing will effect a positive change. I can't imagine what hiding it will achieve. You don't have to think hard to come up with examples of past situations where hiding "undesirable" information caused more problems than it solved. We're seeing the end results of that very attitude playing itself out with Enron/Arthur Andersen as well as the Catholic Church right now.

    Admins should be expected to expose this kind of thing with the understanding that doing so will avoid bigger and worse problems down the road. It should be viewed as a service to the public which takes priority over protecting petty business interests.

    We will either learn from history or repeat it... again.

    --Rick

    --
    --Rick "If it isn't broken, take it apart and find out why."

  3. We had a similar problem.... by SwedishChef · Score: 3, Interesting

    One of our clients uses a proprietary system which, among other things, keeps records of customers paying by credit card. Unbeknownst to them (or us) this system has an "undocumented feature": a back door. Probably coded to allow easy access to systems by help-desk techies, there was no mention of it in any documentation we could find.

    The client received an email from someone who told them about the back-door and provided clips of actual credit card information taken from the system! Luckily enough, this person disclaimed any intent to do harm and provided the information for us to eliminate the problem.

    Of course, our dilemma was whether to advise the client to tell his customers about a possible theft of information. We decided that, since the email sender performed a service and had only used the credit card information to illustrate the problem, the client was safe in not telling customers that their data might have been compromised.

    --
    No one ever had to evacuate a city because the solar panels broke!

  4. Firstly.. by mindstrm · Score: 3, Interesting

    As a sysadmin, your duty is to report what is going on to those who run the business; from there it is their call. It is not YOUR job to assess the legal and financial risks of the company. It is theirs.

    If the company won't report it, and you have an ethical issue with this, then that's your call, same as with ANY action your employer does. You can report it behind their back, sure. I, for one, would fire you. I sure as HELL would not trust someone with my business data who goes behind my back.

    As for talk of sysadmins doing cover-your-ass stuff... if you have to, you have to, that's reality. We gotta put food on the table, right?

    Really, though, you should not be secretive about security. If you have issues about what the company does/does not have for security, document it. Keep up with patches. Make sure there is a paper trail showing that you did what is reasonable to protect things.