In this episode of The Deep Queue I propose something I’m calling “ethical administration”. Most people have heard of ethical hacking – doing what the bad guys do on behalf of and in cooperation with the good guys. Ethical administration as I have imagined it is acting like the good guys on behalf of the good guys in spite of their failure to act or commit resources.
From time to time we hear about employees who, when their warnings fall on deaf ears, hack the system to demonstrate how vulnerable it is. These people usually end up in jail, but the fact that it happens as often as it does speaks to the incredible frustration of knowing the system is wide open and not having the resources to do anything about it. Through my security consulting I have met a large number of WMQ administrators who are experiencing this exact frustration. In many cases I have delivered the worst possible finding from an assessment – that the system is open to anonymous administrative access by anyone with an IP route to the queue manager – only to have the client decide that the risk is so low as not to justify any investment in securing the network. As a customer of some of these companies, I want to move my accounts somewhere else. Some of my acquaintances who are employees of these companies get so frustrated they want to find another employer. The problem we both have is finding an alternative employer or vendor who is any better. What I am proposing is a way to take action while staying completely within the scope of a WMQ administrator’s duties, so as not to incur any disciplinary wrath from one’s employer.
That said, nothing here should be construed as legal advice. If in doubt, seek the advice of an attorney or just don’t take matters into your own hands.
Links from the podcast:
- Network Security blog and podcast – Martin McKeay’s blog and podcast with co-host Rich Mogull
- MO04 – WMQ SSL Wizard
- MO72 – MQSC client and stand-alone tool for making client channel table files
- setmqaut templates – Templates to use when adding MCAUSER values to your channels. I need to move these to stand-alone files, but for now they are in a blog post.
- DOJ – Man breaches network of former employer from job application kiosk in lobby
- DOJ – Man breaches wireless networks of retail chains to steal credit card data