Marc, in your latest message you bring up a very good anaology. The idea of a car not being locked is a good point. If I'm in the car with you and happen to notice your car not locked as you head to your local retail outlet, I say, hey, your car door is unlocked!.

You turn and say it's locked, I just locked it.

If I look at your car and pull the handle of the door, am I not doing the same as a ping sweep or a port scan?

If the door opens I've penetrated the system (car).

The point is in this case as a passenger (employee) I am concerned over the contents of the system (car). I bring that issue to your attention. Because I've pulled the handle of the door (port scan) should I now be arrested, tried and subjected to civil or criminal procesuction?

What if I don't say anything and the car is stolen because of the unlocked doors? As your employee am I guilty of aiding and abeting?

Why are employees awarded for bringing up issues of economic value for saving a few hundred dollars on coffee cups? Is there no economic value to information security?

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/167/20547#20547