[Techtalk] Re: Gender as a weapon? Pen-testing and female auditors
Tracey
grrliegeek at elenari.net
Thu Mar 18 13:57:22 EST 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thursday 18 March 2004 08:39, Raven Alder thought we should read this:
>Quoth Devdas Bhagat (Mon, Mar 15, 2004 at 10:35:02PM +0530):
> > So long as you are not doing something that violates your
> > personal moral principles here, it's perfectly all right. Just
> > remember that you are acting (as in a play/movie) and that this
> > is not your real character.
>
> I can't induce that artificial separation.
Heh, I did live roleplaying for 6 years. There *are* certain roles I
had trouble playing (notably very evil "hurt everyone to get what I
want" characters). I don't know what I would do in your situation
FWIW.
> Yes, I am being paid
> to be SecretUndercoverHacker, but that doesn't remove the moral
> responsibility from me for my choice to do so. "Just following
> orders" doesn't cut it.
On the other side of that coin, think of the vulnerabilities which you
could test but do not, which do get exploited later - how much
responsibility would you feel for the real-life penetration which
could have been prevented by your pen-testing? I understand and
support not agreeing to "any tactics possible" because there are
certain things which will not be OK even in pen-testing. The idea is
to get a realistic idea of vulnerabilities without actually causing
much real-life harm.
> Similarly, I feel bad taking more extreme measures against
> anyone that's not a TLA or megacorp. I don't want to get Grandpa
> Joe fired because he let the nice young lady in to PopAndMom.com.
Would it come down to firing the lady necessarily? Is there a
possibility for her to be re-trained? I suspect the answer depends on
the company. However, I'd be inclined in your position to try to do
my job to the limits of my ability and morals with the idea that
covering for an incompetent sys admin could cost that company and its
customers mucho money, downtime, etc etc later if that sys admin
fails to do the right job later. Ideally it would be great if all
companies would train first and only fire if training fails, but I
realize that is not reality.
> That feels like I'm contributing to making the world a nastier
> harsher place.
Understandable. But your job isn't about contributing compassion to
the world either. It is about making a network as secure as possible.
The reality is that there is a nasty harsh side to the world, one
which it is your job to prevent touching the networks of the
companies which hire you. :( Obviously you're in the job, and you are
most qualified to judge what is appropriate in a given situation.
> Heh. I wonder if I would be vastly more successful in security
> if I had less morals. (Stupid Ethics degree. [grin]) I'm doing
> pretty well, though.
Unfortunately, in order to prevent security breaches, you have to know
the mindset of the bad guys. Stare not too long into the abyss and
all that.
> > > Is it encouraging or setting back feminism?
> >
> > Perhaps neither? In the best case, it might expose the guy who
> > fell for your charms to a certain amount of ridicule, and that
> > will hopefully keep him from treating women as just another piece
> > of meat
I agree. Using social engineering in pen-testing is a tool, and that
can be used for good or ill. As pointed out, it can be used to lessen
stereotypes against women and it can be used to make people realize
exactly how stupid they can get when a pair of pretty eyes bat their
way. That can lead to people being less vulnerable to being
manipulated, in an ideal scenario.
> Read my .sig line for the best quote ever to that effect, from
> my ex. [grin] It rocks.
:D
- --
Tracey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAWZy0cPn30pxfYeQRAvhYAJkBn5/vkQZ/aoh2Dl4UIGZYFmOqVQCdF2ph
+l3sVwfyfYHo60FFJ3Bz6W0=
=g+p9
-----END PGP SIGNATURE-----