The ethical pot is a style of pottery and an associated theory. The name ethical pot was first coined by Oliver Watson in his book Studio Pottery: Twentieth Century British Ceramics in the Victoria and Albert Museum for a 20th century, back-to-basics pottery movement that endorsed plainer utilitarian styles over fine art. Other names for pots in this style are the ego-less pot or utilitarian pot. The ethical pot theory was conceptualized and championed by potter Bernard Leach and a more controversial subset of the Arts and Crafts movement of post-war potters.[1] The proponents were theoretically opposed to the expressive pots or fine art pots of other post-war potters such as William Staite Murray, Lucie Rie and Hans Coper.[1]
The ethical pot theory and style were popularized by Bernard Leach in his book A Potter's Book, published in 1940.[2] He expanded the theories that ethical pots should be utilitarian, "naturally shaped" and, as originally conceived, should derive from "Oriental forms that transcended mere good looks."[3] Leach had previously spent considerable time in Japan studying eastern crafts and mingei. His ethical pot idea was a rough interpretation of mingei for the western world; he championed simplicity (ideally the best pots are so quick to make that they could be "thrown before breakfast") and pots made to look natural and hand crafted.
According to ceramic art critics of today, this pot style was intended to be modernist, useful, and "democratic in usage", as opposed both to the fine art pot[1] and to industrial art.
The potters apprenticed to Bernard Leach include: Michael Cardew, Katherine Pleydell-Bouverie, Nora Braden, David Leach and Michael Leach (his sons), Janet Darnell (whom Leach married, 1956), William Marshall, Kenneth Quick and Richard Batterham. His American apprentices included: Warren MacKenzie, Byron Temple, Clary Illian and Jeff Oestrich. He was a major influence on the leading New Zealand potter Len Castle, and they had worked together in the mid-1950s.
In the context of a code that is adopted by a profession or by a governmental or quasi-governmental organ to regulate that profession, an ethical code may be styled as a code of professional responsibility, which may dispense with difficult issues of what behavior is "ethical".
Some codes of ethics address social issues. Some set out general principles about an organization's beliefs on matters such as quality, employees or the environment. Others set out the procedures to be used in specific ethical situations, such as conflicts of interest or the acceptance of gifts, and delineate the procedures to determine whether a violation of the code of ethics occurred and, if so, what remedies should be imposed.
The effectiveness of such codes of ethics depends on the extent to which management supports them with sanctions and rewards. Violations of a private organization's code of ethics usually can subject the violator to the organization's remedies (in an employment context, this can mean termination of employment; in a membership context, this can mean expulsion). Of course, certain acts that constitute a violation of a code of ethics may also violate a law or regulation and can be punished by the appropriate governmental organ.
Ethical codes are often not part of any more general theory of ethics but are accepted as pragmatic necessities.
They are distinct from moral codes that may apply to the culture, education, and religion of a whole society.
Even organizations and communities that may be considered criminal may have their own ethical code of conduct, be it official or unofficial. Examples could be hackers, thieves, or even street gangs.
An ethical hack or penetration test is performed on enterprise applications by a third party to find vulnerabilities in the application so that they can be remediated before a new application goes live in production. This can also be done on existing applications, typically on a yearly basis, to find vulnerabilities so that they can be fixed.
Ethical hacking is essentially the act of unearthing vulnerabilities in a web based application before it goes live, so that they can be fixed before the application is accessed by anyone. This function is usually undertaken by the Vulnerability Assessment (VA) team of organizations such as banks or ISPs to safeguard the external facing (internet) applications they host, so that they can remediate any vulnerability before a hacker can exploit it. Usually companies use third party providers for ethical hacking services.
For example, one large bank or large internet vendor might use outside professional services to test its major applications yearly, using a different firm each time. After EH testing, a report is produced outlining all open EH findings, each graded with a severity. Then all vulnerabilities are remediated. The idea behind using different firms is to get a different perspective, because methodologies differ from firm to firm, not to mention the different habits of the people performing the test. The people who do it are IT professionals, not hackers with darker intentions.
While published text, articles and books abound on how to conduct an EH test, there is hardly any material available to show large corporations a way to monitor and implement remediation for EH findings across thousands of web applications running on possibly tens of servers.
For new web applications, the penetration testing is typically done before the application is moved to production. Typically the system will be deployed on a pre-production environment where the penetration testing will be done. In almost all cases, large organizations give this job to an outside vendor. The outside vendor conducts the penetration testing and provides the corporation with a report on the test.
It is common for potential clients to delay the evaluation of their systems until only a few weeks or days before the systems need to go on-line. Such last minute evaluations are of little use, since implementations of corrections for discovered security problems might take more time than is available and may introduce new system problems.
The final report is a collection of all of the ethical hacker's discoveries made during the evaluation. Vulnerabilities that were found to exist are explained and avoidance procedures specified. Remember that, for web-based systems, an ethical hack test is conducted against a URL, so an EH report must state the URL tested and the corresponding IP address. Typically, the findings are listed this way in the EH report:
| Sr No | Issue description | Risk | Status | Fix |
|---|---|---|---|---|
| 1 | Weak SSL Ciphers | [High][Med][Low] | [Open][Close] | Strong SSL Ciphers should be used at Upper Layer |
| 2 | Cross-site scripting | [High][Med][Low] | [Open][Close] | Sanitize user input |
If the ethical hacker’s activities were noticed at all, the response of the client’s staff is described and suggestions for improvements are made. If social engineering testing exposed problems, advice is offered on how to raise awareness. This is the main point of the whole exercise: it does clients no good just to tell them that they have problems. The report must include specific advice on how to close the vulnerabilities and keep them closed. The actual techniques employed by the testers are never revealed. This is because the person delivering the report can never be sure just who will have access to that report once it is in the client’s hands. For example, an employee might want to try out some of the techniques for himself or herself. [1]
It is worthwhile to remember that although high priced consultants run the EH test for you and generate a thick report, it must contain precisely defined, actionable remediation steps. If it contains too many false positives and false negatives, the real vulnerabilities will not be acted on.
After the EH report is obtained, the findings need to be evaluated and correlated. Correlating specific vulnerabilities discovered is a skill that gets better with experience. Over time, one ends up knowing one's systems as well as anyone else does. This makes the evaluation process much simpler moving forward.
An EH report contains all the issues discovered for the system being tested. It will at a minimum contain a thorough description of the issues discovered as well as a precisely described remediation. It also contains a severity level for each vulnerability,[2] often classified as High, Medium or Low.
Note that for any large corporation, the goal of this exercise is to remediate all the findings in the EH reports. This is a monumental task. Since any major organization hosts thousands or tens of thousands of sites (applications) spread across hundreds of servers, it will be required to handle as many EH reports and remediate the findings quickly so that (1) the new sites can be moved from pre-production to production and (2) existing sites can continue to operate before existing vulnerabilities are exploited by anyone. Since these days any major global organization will have operations -- and therefore web hosting infrastructures -- in America, Europe and Asia, the findings will typically have to be remediated by the respective organizations owning the particular hosting infrastructure. This is why remediating EH findings within an organization is a very complex operation involving coordination among several groups.
The "Open" items need to be monitored to ensure that they are closed. Depending on their risk factor (high, medium, low), the stipulated time to fix issues will vary. Obviously, the high risk items ought to be addressed faster than the "low" risk items.
After finishing ethical hack tests for a site, it is necessary to implement remediations for the open findings to make sure that the site is secure. Typically, in very large corporations there is a central Security or Vulnerability Assessment Team that organizes external EH testing for all sites and gathers the EH reports. It then monitors the findings and coordinates remediations. Typically, the Security Team will contact the Development Manager of the site and ask them to remediate the findings; when they are remediated to the satisfaction of the Security Team, the site is cleared for Production deployment. The Development Team applies the technical solution to the findings, typically through its engineers and systems administrators.
The EH findings are extremely confidential from a security perspective. They should not be divulged to anybody outside the team without proper verification and without making sure that a proper procedure is in place.
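The tracking loop described above (parse the findings table from the EH report, queue the open items by risk, flag those past their fix window, and gate the production release on what is still open) can be modelled in a few dozen lines. The following Python is an added example, not code from the original text; the SLA windows per risk level, the gating rule (only High and Medium findings block deployment), the tested URL and IP address, and the sample findings table are all constructed assumptions for illustration.

```python
"""Track EH report findings and decide whether a site can be cleared for production.

Added example; the SLA days, gating rule and sample data below are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation windows in days from the report date, per risk level.
SLA_DAYS = {"High": 7, "Med": 30, "Low": 90}
RISK_RANK = {"High": 0, "Med": 1, "Low": 2}   # lower rank = fix first

# Constructed sample dates: when the report was issued and "today".
REPORT_DATE = date(2024, 1, 1)
AS_OF = date(2024, 1, 15)

# Constructed findings table in the article's report layout (risk and status
# columns carry a single value rather than the [High][Med][Low] menu).
SAMPLE_REPORT = """
| Sr No | Issue description | Risk | Status | Fix |
|---|---|---|---|---|
| 1 | Weak SSL Ciphers | High | Open | Strong SSL Ciphers should be used at Upper Layer |
| 2 | Cross-site scripting | Med | Close | Sanitize user input |
| 3 | Verbose server banner | Low | Open | Suppress version information in headers |
"""


@dataclass
class Finding:
    sr_no: int
    url: str        # the URL the EH test was run against
    ip: str         # corresponding IP address named in the report
    issue: str
    risk: str       # "High" | "Med" | "Low"
    status: str     # "Open" | "Close"
    fix: str

    def due_date(self, reported: date) -> date:
        return reported + timedelta(days=SLA_DAYS[self.risk])

    def is_overdue(self, reported: date, today: date) -> bool:
        return self.status == "Open" and today > self.due_date(reported)


def parse_report(text: str, url: str, ip: str) -> list[Finding]:
    """Parse the pipe-separated findings table; reject unknown risk/status values."""
    findings = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or not cells[0].isdigit():
            continue  # header row, separator row or malformed line
        sr_no, issue, risk, status, fix = cells
        if risk not in SLA_DAYS:
            raise ValueError(f"finding {sr_no}: unknown risk level {risk!r}")
        if status not in ("Open", "Close"):
            raise ValueError(f"finding {sr_no}: unknown status {status!r}")
        findings.append(Finding(int(sr_no), url, ip, issue, risk, status, fix))
    return findings


def open_findings(findings: list[Finding]) -> list[Finding]:
    return [f for f in findings if f.status == "Open"]


def remediation_queue(findings: list[Finding], reported: date) -> list[Finding]:
    """Open items ordered so that High risk (and the earliest due dates) come first."""
    return sorted(open_findings(findings),
                  key=lambda f: (RISK_RANK[f.risk], f.due_date(reported)))


def overdue(findings: list[Finding], reported: date, today: date) -> list[Finding]:
    return [f for f in findings if f.is_overdue(reported, today)]


def summary(findings: list[Finding], reported: date, today: date) -> dict[str, int]:
    """Count of open findings per risk level, for the Security Team's status view."""
    counts = {risk: 0 for risk in RISK_RANK}
    for f in open_findings(findings):
        counts[f.risk] += 1
    return counts


def cleared_for_production(findings: list[Finding],
                           blocking: tuple[str, ...] = ("High", "Med")) -> bool:
    """Assumed gating rule: no open finding at a blocking risk level remains."""
    return not any(f.risk in blocking for f in open_findings(findings))


if __name__ == "__main__":
    fs = parse_report(SAMPLE_REPORT, "https://example.test/app", "192.0.2.10")
    for f in remediation_queue(fs, REPORT_DATE):
        flag = " OVERDUE" if f.is_overdue(REPORT_DATE, AS_OF) else ""
        print(f"#{f.sr_no} [{f.risk}] {f.issue} due {f.due_date(REPORT_DATE)}{flag}")
    print("cleared for production:", cleared_for_production(fs))
```

Running the block as written lists finding 1 (High, overdue after the assumed 7-day window) ahead of finding 3 (Low), and reports the site as not cleared; once finding 1 is marked Close, only the Low item remains open and the gate passes. The URL and IP are carried on every finding because, as the text notes, the report is meaningless without naming what was actually tested.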