[NTLUG:Discuss] I PASSED... I'm an LCA
Jeremy Blosser
jblosser-ntlug at firinn.org
Fri Jun 1 00:55:43 CDT 2001
Chris Cox [cjcox at acm.org] wrote:
> The Security and Ethics test is what trips most people up. It's very
> important to remember that all of your life belongs to the company
> you work for... every bit of email you send and receive, etc.
> IF YOU REMEMBER THAT... you'll do well on the Security exam. Too
> often people think that "ethics" means their own "ethics"...
> the law overrides ethics though.
The law defines what a company is allowed to do without getting sued. It
does not define things like 'you must routinely invade your users' privacy
at any opportunity'.
Part of my approach to looking at this is to see if it's a decent
certification that I want to see get industry recognition and use. If it
is, I'm glad to take the tests and push my employer to compensate me for
them and write them into future job requirements, etc. In that sense, this
is an open source process, and my ethics are very relevant to what I think
of their approach to ethics. That's not even just true as a potential
test-taker, either; if I'm in a hiring position, with my company's own
ethical standards, and I'm going to rely at all on someone else's
certification of a system administrator's ethical standards, I want to know
that the certification means that they're only going to breach privacy
where they need to and not just because they're bored or worse yet want to
try to blackmail people. As an employer I want to know my sysadmins will do
their job as necessary but be above reproach, and if they violate user
privacy without cause they're going to be fired.
A lot of the questions related to ethics really feel like they're trying to
preach the 'your life belongs to the company, you have no rights' thing,
probably because they expect the ethics of free software hackers to go
against it and for it to trip them up. But that's all only one component
of sysadmin ethics. A certification test should be testing people on
implementation of industry standard best practices, not taking a soap box.
> > Some examples, all from the 'security and ethics' test:
> >
> > "Select the least secure host from the list below.
> >
> > A. A multi-user system that is connected to the Internet directly but runs
> > only a minimum number of services, all of which are started by TCP wrappers
> > B. A multi-user system that is connected to the Internet through a firewall,
> > which runs a minimum number of services.
> > C. A single-user system that is used primarily as an NFS server, that is
> > connected to the Internet directly, and that only runs NFS services
> > D. A single-user system that is used primarily as a development server and
> > that is connected to the Internet through a firewall, which runs a minimum
> > number of services
> >
> > Explanation : Answer C is correct. With NFS, a client can log in and mount
> ....
> >
> > Er, huh? This one just has to be a typo or something. D is connected
> > through a firewall, for one thing, so the bit about not being behind a
> > firewall eliminating D makes no sense. They say the NFS server is the
> > answer, then give all the reasons NFS is insecure. Etc.
>
> You are correct that the explanation isn't right... but the answer is
> correctly given.
Why? NFS is infamously insecure. We have no idea what D is running
(again, crappy question), but if it's "minimum" it can't be much worse
than NFS, and reasonable expectation of "minimum" makes it quite a bit more
secure. The fact they mention NFS explicitly implies it goes beyond
"minimum". I think this whole question is just broken, hopefully due to
typographical error only.
> You won't get any explanation when you take the exam...
I would assume not.
> you either get it right or wrong.... and I really hate the ones where
> there are multiple correct choices.... I mean, as an administrator you
> tend to favor a certain way of doing things... sometimes to the exclusion
> of alternatives just because you know you'll never need the
> alternatives.... but in the case of the exam, there are a few questions
> where you'll need to have a pretty broad understanding of various methods
> to do the same thing.
That's all fine, provided we can be confident they are going to pick the
industry-standard most correct answer and not just their own subjective
neat way of doing things. Otherwise they have no value as a certification.
> > "Which of the following is the most secure method for a system
> > administrator to log in as root to a host? (This host may be accessed
> > through the local area network if necessary.)
> >
> > A. Use the "rlogin" command.
> > B. Use the "ssh" command.
> > C. Use Telnet.
> > D. Log in as root at the physical terminal.
> > E. All of the above are equally suitable options.
> >
> > Explanation : Answer D is correct. Using rlogin, ssh, and telnet places the
> > root password on the network, subjecting it to potential snooping. Further,
> > rlogin relies on the "trust" of another host and can be easily fooled.
> > Secure shell is probably the next best choice because it uses encryption to
> > protect the data. It is still feasible, however, that someone could decrypt
> > the message. Telnet transmits data in plain text which can easily be
> > intercepted by a password sniffer. Physically logging onto the terminal is
> > the only method that totally prevents network snooping of the root
> > password."
> >
> > Maybe this is just a poorly worded question, but saying the host may be
> > accessed through the network implies that that is relevant to the question,
> > i.e. that we're talking about the most secure method that still allows
> > remote access. Also, root should not be allowed to login directly even at
> > the console, which is the reasonable interpretation of "log in as root at
> > the physical terminal".
>
> I disagree... this question is worded sufficiently to arrive at the correct
> answer. If the question said that root MUST be through the network...well
> that's different. The question said "if necessary"... and I think
> that was designed to trip some up. Remember it's a security exam....
> so it's designed to mess with your mind a bit. A good security
> manager is often very paranoid.
Messing with one's mind and being paranoid about security is one thing.
Failing to accurately describe the scenario, or being deliberately
misleading, is another. Real security is not based on mindless second
guessing and paranoia, it is based on understanding of what's going on at
the network and hardware level and taking appropriate measures.
> > "It is ethical for a network administrator to read other users' e-mail
> > without permission on a server that he is administrating.
> >
> > A. True
> > B. False
> >
> > Explanation : Answer A is correct. The Electronic Communications Privacy
> > Act specifically grants this right to authorized personnel. Courts have
> > generally ruled that there is no reasonable expectation to privacy and,
> > further, state that employers have the right to read e-mail to protect
> > their interests."
> >
> > This is no doubt debatable, but the phrasing of the question certainly
> > implies that they're asking about a sysadmin doing this at their own whim,
> > and not just as part of their authorized duties (I guess we're supposed to
> > intuit that 'without permission' just means 'without the user's permission,
> > but with the permission associated with your job'). Trick question? Even
> > if technically correct, if people are being quizzed on ethics, the standard
> > should be quite a bit higher than 'the bare minimum the law allows'.
>
> Though we would all LIKE to think of this as debatable, the company and
> their authorized systems administrator (basically a delegated agent of
> the company) can peruse your email at its leisure I'm afraid. It all
> belongs to them. What is ambiguous is how far they can take the information
> in the email. If you are concerned... don't put anything in your corporate
> email system that contains personal or private information PERIOD!
>
> Remember, the Sys Admin can read your email AT WILL! (so bribe your
> Sys Admin today!)
I'm well aware of what the sysadmin can do with email and other files and
what the law says. That isn't the point. The question lacks enough data
for an ethical sysadmin to determine if they have cause to read someone's
mail. Given that lack of cause, the default has to be no, you should not.
Or, if they had instead said "it is LEGAL for", they could have been
correct and continued to make their pet point.
> > "While monitoring routine network traffic, a network administrator notices
> > that a user is violating the company's appropriate use policy. As part of
> > his job, the network administrator is expected to report any violations of
> > the policy. From an ethical standpoint, who should the network
> > administrator inform about the violation?
> >
> > A. The person who has violated the policy
> > B. The boss of the person who has violated the policy
> > C. The owner of the company
> > D. The network administrator's boss
> > E. Both A and B
> > F. All of the above
> >
> > Explanation : Everyone listed here can be notified of the violation,
> > especially since an appropriate use policy (by convention, a statement of
> > rights, privileges, and consequences) is in effect. However, notification
> > does not mean that the inappropriate material can be shown to everybody in
> > the list. NOTE: This question does not address the issue of
> > chain-of-command with respect to company policy. Jumping the
> > chain-of-command is a separate issue from the ethics of monitoring system
> > activity and should be respected per company policy."
> >
> > Also debatable I guess, but I don't think you can even attempt to really
> > answer this one without knowing what the company policy is. If you work in
> > a company of a few thousand people, notifying the owner and everyone else
> > of one AUP violation makes no sense and is an unnecessary (and probably
> > unethical) embarrassment to the offender. It's also doubtful it would be
> > appropriate or ethical for the admin to take it up with the user directly
> > instead of referring it through those responsible for dealing with such
> > things.
> >
> > Their explanation says "can be notified", and in that case "all of the
> > above" is correct, but again, the question didn't ask who can be, it asked
> > who should be.
>
> Again... the law rules over "what is right" in our own eyes. If the
> administrator fails to notify the world (so to speak), he may be
> putting his own career in jeopardy....he is failing to protect
> the company's interests potentially.
In the majority of companies, if you go tell the world about something like
this (especially if you bother the owner) instead of just your boss, you're
as good as fired. If you are the boss, you have a defined route to take
the issue, usually through HR. This really has nothing to do with 'in our
own eyes' and everything to do with appropriate (as defined by the company)
dissemination of that information.
> Right now the law favors the business. I think under the law they can
> tar and feather the offender and drop him off of the top floor if they
> are found guilty of violating a company computer policy... which as the
> law stands right now can be just about anything the company wants to make
> it to be .... at any given time.
>
> These are all good questions though... and again, it's probably why so
> many members of the "Free Software" movement tend to fail this exam.... I
> mean, the law couldn't be this bad (owners of companies certainly would
> disagree with that word)... could it?... yes it can... and is. The main
> problem is that one of the largest lobbies for change in the law could be
> the ACLU.... you don't want their kind of world (unless fascism appeals to
> you).
Again, this has nothing to do with personal ideas of right and wrong and
everything to do with what is ethical and appropriate (as defined by the
industry and the company), not just what is legal. If they want to test on
what the law says, they should just do that.
--
Jeremy Blosser