[BBLISA] Quick Poll: Would you trust system software from an anonymous source? (fwd)

Dean Anderson dean at av8.com
Wed Mar 10 13:47:31 EST 2010


Results of the poll:

I conducted the poll on the DJBDNS list and the BBLISA list. The BBLISA 
list is made of Boston Large Scale System Administrators. No one on the 
BBLISA list deviated from:

1. No, Absolutely not.
2. Decrease.
3. Decrease.
4. Yes.  Bad, professional negligence
5. No.  But a severe warning. Depends on seniority, too.
6. Yes.  Yes.

One person mentioned whether there was a policy against installing
malware, and whether there were warnings and repeated offenses. This
might be a good point, but I'm not sure. Most companies don't have a
policy on installing malware, and most malware doesn't destroy data, but
steals data. Of course, they don't usually have a policy against
theft and embezzlement, either. Nor a lot of other things that appear to
be contrary to common sense or "crimes mala prohibita" (things we
obviously don't permit).

On the DJBDNS list, things were markedly different. A number of the
"expected people" (trolls) responded as well, asserting almost uniformly
that there was nothing wrong with installing untrusted software, and
that expecting system administrators to inquire about trust and
accountability was somehow unreasonable.

		--Dean


On Fri, 26 Feb 2010, Dean Anderson wrote:

> 
> By anonymous, I mean a source that traces only to an email address with
> no phone number, no address, no anything.  Not even a significant
> history of email from that account.  This source has no accountability,
> because they are anonymous.
> 
> By 'system software' I mean software whose integrity a company relies on
> to perform its functions. If the software were remotely exploitable, it
> could potentially result in remote access being obtained, and/or
> confidential information being exposed, the firewall being circumvented, etc.
> 
> Here are the specific questions:
> 
> 1. Would you trust (meaning use) system software from an anonymous
> source?
> 
> 2. Would the fact that the software is a derivative of well known
> software, but with apparently gratuitous "security fixes": would that
> increase or decrease your willingness to trust the software?
> 
> 3. Would the fact that the source implements a variation of discredited
> changes advocated by gray-hat or black-hat hackers increase or decrease
> your willingness to trust the software?
> 
> 4. Would you consider it a bad judgment to use such software knowing (1)
> for sure, and perhaps (2) and (3)?  How serious is the bad judgment?
> 
> 5. Would it be reasonable to fire the admin responsible if they knew of
> (1), and perhaps (2) and (3), but used it anyway?
> 
> 6. Does the reasonableness of termination depend on actually knowing
> (1)? That is, supposing the admin didn't know (1), should the admin have
> made an effort to find out if the software was from a dependable (or at
> least accountable) source?
> 
> 
> Please reply off list.
> 
> Thanks,
> 
> 		--Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 256 5494