Friday, February 11, 2011

Unethical Security Professional is a contradiction in terms

This is a post I never thought I would write. That I never thought I would have to write. Let me start with a quote from the CISSP Code of Ethics:

Code of Ethics Canons:

  • Act honorably, honestly, justly, responsibly, and legally.
  • Provide diligent and competent service to principals.
  • Advance and protect the profession.

Rather than walk you through the tale, you can read about how three so-called security companies proposed to engage in activity ranging from the unethical to the illegal to "take down" WikiLeaks. Don't take my word for it; don't even take The Tech Herald's word for it. Read the proposal that so-called security firms HBGary, Palantir, and Berico Technologies delivered to Bank of America to attempt to "deal" with WikiLeaks through disinformation and "cyber attack."

But don't stop there, this gets better. And by better, I mean disgusting. Read the e-mail by HBGary CEO Aaron Barr in which he attempts to show his Mad Hacker Skills by collecting information on the registrar of, including the "Jewish Church" he attends and information regarding his children.

There's more, but I think you get the idea.

I do not believe it is possible for me to overstate this: the activities proposed by these three companies are not things in which ethical human beings, let alone ethical security professionals engage.

This may not be a joke, but there's a punchline: once word got out that Mr. Barr was representing himself as having "infiltrated" Anonymous, Anonymous hacked into HBGary's network, put this announcement up on their web page, and obtained several dozen thousand e-mails... that they uploaded to WikiLeaks.

Shortly after word about this got out, Palantir and Berico both cut their ties to HBGary and issued public statements that they didn't know the firm was planning to use their products and services for the ends outlined in the proposal, even though their trademarked symbols appear in the document. I reserve judgement. I'd be more impressed by the press releases if they were accompanied by letters from attorneys regarding the dim view they take of unauthorized use of their brand marks.

I do not have such reservations about HBGary. Their statements to date have made vague assertions that some of the documents now circulating are forged. Their statements to date are not categorical denials that they would ever dream of engaging in such conduct. I can only conclude that HBGary as an institution and Aaron Barr as an individual do not subscribe to the most common principles of my profession.

I think Palantir and Berico have the right idea, and I'm following suit, pre-emptively to some degree. Full disclosure: I have in the past had discussions with HBGary regarding employment. That is now off the table: I am a professional and will only work with reputable, ethical companies. I strongly recommend my colleagues closely examine their relations with HBGary and ask themselves if that's a name they want on their resumes, or if Mr. Barr is someone they would be comfortable listing as a reference.

Mr. Barr and his company are welcome to rebut my conclusion, but as things stand I sure wouldn't.