Unread 20-08-2012, 15:55
Andrew Schreiber
Joining the 900 Meme Team
FRC #0079
 
Join Date: Jan 2005
Rookie Year: 2000
Location: Misplaced Michigander
Posts: 4,063
Re: Team 548 Einstein Statement

I'm going to agree with two of the posts in here just to clarify some points based on experience at one of my jobs (I help teach cyber security and ethics is a huge part of it).
Quote:
Originally Posted by Libby K
Unfortunately, creating an interruption is not the way to 'make a point'. Sorry, I'm not giving anyone a pass on this one. You're supposed to listen to staff and volunteers, and this person didn't.
This is absolutely correct: when you are doing security audits and penetration tests, there are very specific rules for how you do things. And executing an attack during a very visible time is NOT one of those ways to do things.

Quote:
Originally Posted by JVN
No. No. No.
There are any number of things which could have been done after Einstein to fix this issue. Don't fall into the trap of "he spoke up and was ignored so he had to make his point." There are plenty of ways to get "unignored" (later on) without knowingly sabotaging an event.

The existence of this vulnerability could have been made known, and fixed, after the fact. Suspecting that someone else is exploiting it is not a valid reason for exploiting it yourself.
(please note, all genders are generic)

THIS is the correct process: the person raised the issue at the time. It was not addressed. He should have documented his findings and sent them to FIRST. After giving FIRST a period of time to respond or fix the issue (think 6 months), he could have published a paper documenting his findings. At the end, he should have included his original communication with FIRST and any steps they took or responses.
As it stands, the person went from doing the right thing to being an attacker when they tried to "demonstrate" the vulnerability.