
I'm not sure where to put this

  • 02-05-2002 12:56pm
    Registered Users, Registered Users 2 Posts: 1,176 ✭✭✭


    Moderators, move this if ye think it's more appropriate somewhere else.. :)

    Right, one of my modules in college is Professional Issues in Software Engineering. The lecturer presents us with different real-life scenarios, for which we discuss the ethical, social and legal issues involved. Firstly, I'm not asking ye to do my homework, just looking for opinions on one of the scenarios. (For homework we've to discuss it and back up anything we say with references to previous cases etc.)

    I know a lot of boards users work within the computer industry so I'd be interested to hear yer opinions; maybe this has happened to you in the past. I think it would be interesting to see how you would react if you were in this situation.

    Anyways here's the scenario =>
    Jones Consulting

    Johnson, D.G., "Professional Ethics" in Computers, Ethics & Social Values,
    (eds) D. G. Johnson & H. Nissenbaum, Prentice-Hall Inc, 1995

    After getting an undergraduate degree in computer science, Diane Jones was
    hired by a large computer company. She initially worked as a programmer,
    but over the years she was promoted to technical positions with increasing
    responsibility. Three years ago she quit her job and started her own
    consulting business. She has been so successful that she now has several
    people working for her.

    At the moment, Diane is designing a database management system for the
    personnel office of a medium-sized company that manufactures toys. Diane
    has involved the client in the design process, informing the CEO, the
    director of computing, and the director of personnel about the progress of
    the system and giving them many opportunities to make decisions about
    features of the system. It is now time to make decisions about the kind
    and degree of security to build into the system.

    Diane has described several options to the client, and the client has
    decided to opt for the least secure system because the system is going to
    cost more than they planned. She believes that the information they will
    be storing is extremely sensitive, because it will include performance
    evaluations, medical records for filing insurance claims and salaries.
    With weak security, it may be possible for enterprising employees to
    figure out how to get access to these data, not to mention the
    possibilities for on-line access from hackers. Diane feels strongly that
    the system should be much more secure.

    She has tried to explain the risks to her client, but the CEO, director
    of computing, and director of personnel are all willing to accept a system
    with little security. What should she do? For example, should she refuse
    to build the system as they request?


Comments

  • Registered Users, Registered Users 2 Posts: 1,176 ✭✭✭podgeen


    I don't think it belongs in security.


  • Registered Users, Registered Users 2 Posts: 1,862 ✭✭✭flamegrill


    It may or may not belong here, but this board doesn't get much traffic so it would have been a better bet to post to the general Technology forum.

    Regards,

    Paul

    P.S. PM spod and maybe he will move it for you.


  • Business & Finance Moderators, Entertainment Moderators Posts: 32,387 Mod ✭✭✭✭DeVore


    Diane has discharged her duty to the company imho.

    She should have done (or should do) a few things.

    1. Explain in detail why the low security is bad.

    2. Explain the consequences of the low security option.

    3. Do both 1 and 2 in writing.

    4. Get written confirmation from her boss that they accept the
    consequences of their decision. Get them to sign it in triplicate.

    5. File a copy herself and make sure one goes into the company records.

    6. Ensure that as little publicity as possible connects her name to their site.

    OK, here's the explanation of the answer I've given.

    Either take the job as a consultant or don't. It isn't your place to preach your opinions to your client. Everyone is free to make their own decisions. Diane feels they are wrong. That's her prerogative. She's not privy to the company's situation and THAT'S what upper management are for. They take input from ALL sources, tech, logistics, HR, PR, etc. Then they make a decision in light of the full facts.

    For someone down the chain of command to arbitrarily decide that they "aren't going to do that" isn't their place.
    If she feels that strongly about it she should either not take the job or take the job and act responsibly as described above.
    Object, STRONGLY object, get it in writing and then do as you're feckin well told by your client.

    It's facile to say the company is obviously wrong here; we'd all think that because this is a tech/security board. But we don't know the full story. What if by paying the extra cash they are endangering the cashflow of the company?
    Suppose their accountant is telling them "pay this extra and we could be looking at bankruptcy"?
    Suppose they have to meet some contractual obligation which requires it done faster and so they've chosen the less secure approach for speed of coding reasons? There are other issues which can apply. Security should be a high concern to the company, but it's not an overriding concern; other things have to be taken into consideration.

    If you had to choose between your co-workers seeing your wages slip and medical record... or you not having a JOB any more ...I know what my first choice would be.

    Either take the job and act professionally or walk away. The options of refusing to do it, or insisting on being paid, aren't appropriate.

    btw: I have walked us away in some cases from clients who didn't have a notion about web-dev. Sometimes it's the smart move.

    Tom Murphy
    MD, Spin Solutions.


  • Registered Users, Registered Users 2 Posts: 1,825 ✭✭✭Gambler


    What Dev said ;)

    I had started on a big post when I saw Dev's post there .. his makes more sense than mine was making but was the same basic principle. You have to cover yourself by making sure that the company knows that you don't approve of their choice, but if you are hired for a job you have to do it :)

    [Edit] Oh yeah, and of course security is a good place to post it :)[/Edit]


  • Registered Users, Registered Users 2 Posts: 332 ✭✭spod


    Firstly, this seems to be a suitable forum to discuss such things.

    Secondly, my brief .02euro...

    It's a tricky problem. I've been in something similar twice, although not as someone bidding for a contract, just as an employee.

    First one was working on a proprietary software product which was installed on client sites. I pointed out a nasty security hole, was told, pffh, doesn't matter, said er ok but I warned you, bah.
    As far as I know to this day it hasn't been an issue.

    Second one was with a different employer. I was working on a large Internet site, found a slew of input validation nastiness in a secure e-commerce section of the site. I pointed it out, and after my then technical manager checked it out, he got me to fix them the next day.

    A third scenario I can think of is a mate who works for a big corporation finding nastiness in an application he was updating which was already live. He pointed it out, went on holidays, came back and was given a different project, and as far as he knew the last time I asked him it was still an issue, but someone else's problem now.

    Not quite the same scenarios, to be honest DeV's reply is probably best but I felt I should at least say something.


  • Registered Users, Registered Users 2 Posts: 1,176 ✭✭✭podgeen


    We discussed the above scenario as part of an assignment for college. It was discussed with respect to legal, social and ethical issues. If you're interested in reading it reply here and I'll add you to the UL study group. (Have to wait till our lecturer has looked at it first.)


  • Registered Users, Registered Users 2 Posts: 21,264 ✭✭✭✭Hobbes


    Originally posted by spod
    A third scenario I can think of is a mate who works for a big corporation finding nastiness in an application he was updating which was already live. He pointed it out, went on holidays, came back and was given a different project, and as far as he knew the last time I asked him it was still an issue, but someone else's problem now.

    Some companies are more paranoid about employees than actual exploits. I would hazard a good guess that your friend was moved because they considered him a security risk in that area.

    I had a similar scenario exactly as listed above.

    Years ago I was asked to fix a payroll problem (on a certain payroll system). Because I had done dev/support work before on it for a different company I knew the sequence of keys and passcode to go into diagnostic mode. Once I came out of diagnostic mode after making the fix, the woman who was in charge of payroll went white and then went off and told my manager I was never to set foot in the payroll office again. It seemed at the time they had asked for more password protection but didn't want to pay extra for it, and going into diagnostic mode had bypassed all their protection (lazy developers :)).

    My manager was pretty cool about it but he did tell me that if you were to share a security exploit, odds on the company is more likely to fire you/shuffle you somewhere than fix the problem.

    This was years ago, the net has shown this sort of thing doesn't work, but it still goes on.


  • Registered Users, Registered Users 2 Posts: 19,608 ✭✭✭✭sceptre


    Originally posted by podgeen
    We discussed the above scenario as part of an assignment for college. It was discussed with respect to legal, social and ethical issues. If you're interested in reading it reply here and I'll add you to the UL study group. (Have to wait till our lecturer has looked at it first.)

    Add me if you can Dave - interested in reading this

    Ta

    sceptre


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Once the explanation of the risk has been clearly given to management, then it is their decision on how to mitigate it and whether it makes good business sense to accept the risk or not.

    In this case however, because they are storing medical records (i.e., an incident doesn't just affect the company's bottom line), then if I genuinely felt they were being negligent or I was uncomfortable with the system, I'd be inclined to run a mile.

    The next interesting question then is should you spill the beans or not?

