Gawker has run a very interesting expose on a Certified Ethical Hacker who infiltrated Occupy Wall Street (OWS) as a private citizen, and shared internal OWS e-mails with Andrew Breitbart’s Big Government page. The question that he did it is fairly well established with his own writing on the Big Government page, and the Gawker expose.
The question I have as a professional security engineer is did he violate the ethics statement of his own Certified Ethical Hacker (CEH) credential that he has on his LinkedIn page.
While I personally believe that he violated multiple tenants of his agreement with the CEH code of ethics (right here), this brings up the eternal question of what happens when a good security engineer does things that might be considered shaky ethically. We all at some point are going to deal with a security engineer that for whatever moral, ethical or personal reason does something that could technically if not legally be considered wrong.
If he didn’t have a certificate, he would have signed or agreed to no ethics statement, which is a decided down side to who comes into the information security profession. Every time I see something like this I realize we need a truly professional society much like Doctors who can nationally or internationally enforce the ethics we all need to have in this industry. Needless to say I am troubled by what has happened because by his actions he is no better than Anonymous, nor no different from Bradley Manning who is accused of giving wikileaks hundreds of thousands of classified diplomatic cables. They all fall into the same category, spying without authorization, and the release of information that could reasonably damage the people or systems involved.
The motivations and intent might be pure, but it is events like this that make me think once again, we need a professional society, one of national or international scope that can help define who is a security professional and who is not. Once we have that definition, we can then go about policing our own information security community from elements that for whatever reason chose to violate the trust people have in us.
A bad security engineer, much like a bad doctor, a bad nurse, a bad lawyer has the potential to irreparably harm others. We need better control and processes around people who are in our industry.
- thedailyfeed: Occupy Wall Street becomes a world… (shortformblog.tumblr.com)
- Conservative Security Consultant Reported Occupy Wall Street Protesters To FBI And NYPD To Discredit Movement (alan.com)
- Finding the Organic Truth of Occupy Wall Street using Infinigraph and The Recorded Future (webmetricsguru.com)
- Thousands of alleged Occupy Wall Street emails leaked (100gf.wordpress.com)
(Cross-posted @ Techwag)