When I worked for Red Hat I joined AISA [1] (the Australian Information Security Association – formerly known as ISIG). Red Hat marketing paid for my membership so it was a good deal: I went to meetings (which often had free drinks), said good things about Red Hat security, and it cost me nothing.
I was recently asked why I chose not to renew my membership. I didn’t have time to give a full answer so I’ll blog it now.
AISA offers discounts on some conferences, books, and training related to computer security; if you plan to purchase such things then they do offer good deals. However I have little time to attend conferences at the moment, not enough time to read all the free Internet resources related to computer security, and feel no need to pay for such training. If at any time I plan to attend a conference where the discount for AISA members is equal to or greater than the AISA membership fee then I can easily re-join.
AISA membership seems largely to consist of managers and consultants not technical people or people doing R&D type work. This isn’t a bad thing if you are a manager or consultant, but when attending AISA meetings I don’t meet the type of people I meet at events such as SecureCon [2], Linux Conf Au [3], RuxCon [4], and the SE Linux Symposium [5] (which I think is not going to be held again for a while). Meetings of my local LUG [6] typically have more people doing serious technical work related to computer security than the AISA meetings I’ve attended.
The AISA code of Ethics has as its second criterion “I will comply with all relevant laws”. Some laws cannot be obeyed by decent people (study some German or Russian history or what is happening in China right now for examples). Many other laws should not be obeyed. Many countries (including Australia) have enacted many laws which should not be obeyed in the name of the “war on terror”.
A final thing that irked me about AISA is their professional membership system (click on this link and download the AISA_Professional_Membership_Requirements_Nov_2006 document for details). It seems that I don’t qualify because I don’t have one of the listed certifications, and a public credit on the NSA web site [7] doesn’t count (yes, I asked about this). I’m not overly worried about this, I figure that any clique that won’t accept me also won’t accept a significant portion of the people that I want to associate with – so we can hang out elsewhere. I don’t recall there being any great benefit to professional membership apart from the possibility of adding it to your business card if you are so inclined (I don’t recall ever putting B.Sc [8] on a business card and don’t plan on adding anything less).
There are some real benefits to AISA membership, but not for me.
While I don’t have one readily available to cite, I have seen a few codes of ethics which explicitly state something to the effect of “Comply with all applicable laws, to the extent they do not conflict with these standards of ethical behavior.” (Some extend this to other standards of ethical behavior as well.)
Anon: The possibility you suggest sounds reasonable. If it went a little further and specifically only applied to laws related to the industry in question then I wouldn’t have a problem with it.
Note that the AISA code of ethics has confidentiality listed after obeying laws. So if the law required me to provide the government with a list of Jews/Muslims/Homosexuals or whoever the target of the day is then the AISA code seems to suggest strongly that I should comply.
The IEEE Code of Ethics doesn’t talk about legality.
Without fair use under AU law, does being an AISA member imply no VCR, PVR, iPod, …?
rdb: According to what is written, I guess so. I believe that the typical use of a VCR is legal and most use of iPods etc is too – but in all those cases I believe that making reasonable actions legal came long after most people had the devices.
The IEEE code seems reasonable on a quick scan. I’ll have to think about this issue some more though. It’s much easier to point out problems than to design something that works well.
Also it’s just occurred to me to wonder whether someone who smokes dope on the weekends in Australia is any worse than someone who does so in the Netherlands. Probably the strongest case for saying that there is a difference is that doing so in Australia could result in unexpected absence from work due to being arrested – in which case hobbies such as parachuting would be a bad thing due to unexpected absence due to being in hospital. :-#