Ethics and impersonation: alternatives?

Have you ever tried to troubleshoot a problem for your client and asked for (or really wanted) their credentials to check their settings to see if a problem exists? Our solution is to implement an impersonation function for logging in as users, with access to all users; in this case, in a mail application. Although we do not need a password to impersonate, I worry about user privacy. Basically two things: their mail and their POP3 / IMAP settings (from which the impersonator can get the user's Gmail / Yahoo / etc. username and password).

What are other good alternatives / suggestions for this?

Some have suggested logs. Of course, this is an important component, but you cannot log everything. Moreover, there are not so many things to log that are not related to user settings.

+4
6 answers
  • The best solution is Michael's above (have a way to reset / report settings for the user).

  • Another great solution is the ability to CLONE the account settings into a completely new account. Then you can experiment with the clone.

  • Alternatively, make sure that the user is actively aware that you have this impersonation capability, signs off on being OK with it, and signs off explicitly every time you use it.

+6

You must have a way in which the client can collect and send their settings to you with their knowledge and agreement. Similarly for logs.

There should be no reason to switch significantly to the customer system in order to "support" them.

+8

I agree with No. 3 in DVK's answer, but I think he also missed an important component: audit. You should require that your system record your real username, the person you are impersonating, the time, and an explanation of the reason. This data must be stored in a place where users who have permission to impersonate cannot change it, so records cannot be falsified. The feature is much less likely to be abused if people know that they can be tracked. You can further reduce the likelihood of abuse by showing this log, through the application, to the end user you impersonate. For example, if this is a webapp, you may have a section under their profile (private profile) so that they can see when and why their account was accessed (maybe do not disclose who; leave that for investigators on your side). If they see something suspicious in it, they can report it to the appropriate leaders in your company, and the offender will be disciplined. Transparency keeps people honest.

+2

Ethics and Impersonation

I believe that a function that allows you to impersonate someone else is not ... in itself ... unethical. A piece of software is ethically neutral, just like (IMO) a rock is ethically neutral ... even if someone throws it at you!

Ethics enters the equation in two places:

Q: Is it ethical to use software to impersonate someone else?
A: It depends. If this is done with the full knowledge and permission of all concerned, and in order to achieve a goal that is ethical, then it will be difficult to assert that the act of impersonation is unethical. But for something else, ethics is at least controversial.

Q: Is it ethical to write a piece of software that allows you to impersonate others?
A: If the creation of the function is properly authorized and you have taken adequate precautions, then this is probably ethical. But it's hard to understand what is "adequate". But some people might argue that ethics is not part of creating this function.

These issues are always difficult and will be discussed forever. But at least you are thinking about a problem ... and looking for a less difficult alternative.

+2

Ultimately, it comes down to trust. Do you trust your (colleagues) employees and yourself?

You can (and should) set up audit logs and make sure that the user knows that you are logged in as them, but in any small company (I assume you are not working for Google), most of the developers will, in the end, likely have access to the database and may delete or modify these audits if they really want to.

One small way to deal with this aspect is to make backups daily and send them off-site - at least you can compare databases if you think someone is cooking the books.

0
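An added example, not code from any of the answers, combining the audit record described above (operator, impersonated user, time, reason, and a user-facing view that hides the operator) with the off-site comparison suggested in the last answer. Hash chaining is a technique chosen here for illustration; all function names, account names and ticket texts are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64
FIELDS = ("operator", "target", "reason", "time")

def entry_hash(prev_hash, body):
    """Hash of one entry, bound to the hash of the entry before it."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def record_impersonation(log, operator, target, reason, when=None):
    """Append an audit entry; an impersonation without a reason is refused."""
    if not reason.strip():
        raise ValueError("a reason is required for every impersonation")
    body = {
        "operator": operator,   # the support person's real username
        "target": target,       # the account being impersonated
        "reason": reason.strip(),
        "time": when or datetime.now(timezone.utc).isoformat(),
    }
    prev = log[-1]["hash"] if log else GENESIS
    log.append({**body, "prev": prev, "hash": entry_hash(prev, body)})
    return log[-1]["hash"]      # head hash: copy this off-site

def verify(log, trusted_head=None):
    """Return the index of the first bad entry, or -1 if the log is intact.

    trusted_head is a head hash stored where database admins cannot reach
    it; without it, someone with write access could rebuild the whole chain.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: entry[k] for k in FIELDS}
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, body):
            return i
        prev = entry["hash"]
    if trusted_head is not None and trusted_head not in {e["hash"] for e in log}:
        return len(log)         # chain is self-consistent but was rewritten
    return -1

def user_view(log, target):
    """What the end user sees in their profile: when and why, not who."""
    return [{"time": e["time"], "reason": e["reason"]}
            for e in log if e["target"] == target]
```

The off-site copy only needs the latest head hash, not the whole database, so it can be sent after every impersonation session rather than once a day.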

Read Raymond's fetchmail mode discussion in "The Art of UNIX Programming". It deals with email settings, etc., and it explicitly masks the passwords in the trace, so traces can be sent without compromising user security.

0