[Techtalk] Re: Gender as a weapon? Pen-testing and female auditors

Tracey grrliegeek at elenari.net
Thu Mar 18 13:57:22 EST 2004



On Thursday 18 March 2004 08:39, Raven Alder thought we should read 
this:
>Quoth Devdas Bhagat (Mon, Mar 15, 2004 at 10:35:02PM +0530):
> >  So long as you are not doing something that violates your
> > personal moral principles here, it's perfectly all right. Just
> > remember that you are acting (as in a play/movie) and that this
> > is not your real character.
>
> 	I can't induce that artificial separation. 

Heh, I did live roleplaying for 6 years. There *are* certain roles I 
had trouble playing (notably very evil "hurt everyone to get what I 
want" characters). I don't know what I would do in your situation 
FWIW.

> 	Yes, I am being paid 
> to be SecretUndercoverHacker, but that doesn't remove the moral
> responsibility from me for my choice to do so.  "Just following
> orders" doesn't cut it.

On the other side of that coin, think of the vulnerabilities which you 
could test but do not, which do get exploited later - how much 
responsibility would you feel for the real-life penetration which 
could have been prevented by your pen-testing? I understand and 
support not agreeing to "any tactics possible" because there are 
certain things which will not be OK even in pen-testing. The idea is 
to get a realistic idea of vulnerabilities without actually causing 
much real-life harm.

> 	Similarly, I feel bad taking more extreme measures against
> anyone that's not a TLA or megacorp.  I don't want to get Grandpa
> Joe fired because he let the nice young lady in to PopAndMom.com. 

Would it come down to firing the lady necessarily? Is there a 
possibility for her to be re-trained? I suspect the answer depends on 
the company. However, I'd be inclined in your position to try to do 
my job to the limits of my ability and morals with the idea that 
covering for an incompetent sys admin could cost that company and its 
customers mucho money, downtime, etc etc later if that sys admin 
fails to do the right job later. Ideally it would be great if all 
companies would train first and only fire if training fails, but I 
realize that is not reality.

> That feels like I'm contributing to making the world a nastier
> harsher place. 

Understandable. But your job isn't about contributing compassion to 
the world either. It is about making a network as secure as possible. 
The reality is that there is a nasty harsh side to the world, one 
which it is your job to prevent touching the networks of the 
companies which hire you. :( Obviously you're in the job, and you are 
most qualified to judge what is appropriate in a given situation.

> 	Heh.  I wonder if I would be vastly more successful in security
> if I had less morals.  (Stupid Ethics degree.  [grin])  I'm doing
> pretty well, though.

Unfortunately, in order to prevent security breaches, you have to know 
the mindset of the bad guys. Stare not too long into the abyss and 
all that.

> > > Is it encouraging or setting back feminism?
> >
> > Perhaps neither? In the best case, it might expose the guy who
> > fell for your charms to a certain amount of ridicule, and that
> > will hopefully keep him from treating women as just another piece
> > of meat

I agree. Using social engineering in pen-testing is a tool, and that 
can be used for good or ill. As pointed out, it can be used to lessen 
stereotypes against women and it can be used to make people realize 
exactly how stupid they can get when a pair of pretty eyes bat their 
way. That can lead to people being less vulnerable to being 
manipulated, in an ideal scenario.

> 	Read my .sig line for the best quote ever to that effect, from
> my ex.  [grin]  It rocks.

:D

-- 
Tracey