On Thu, May 09, 2013 at 04:23:07PM +1000, Trent W. Buck wrote:
Petros wrote:
a while ago I've got an e-mail asking me to fill out a report about IT assets. They claim to work for Microsoft, that Microsoft has the right to ask for this information and I have to do it.
I wouldn't be sending them anything until they can authenticate and authorize themselves as acting on MS's behalf.
me either. they're right about one thing - they do have the right to ask for the information. as a general rule, it's no crime to ask for information. whether they have the right to demand, or whether you have any obligation to answer is another matter entirely. without further details, it's impossible to say for sure. i'd guess not but take note that Microsoft and their front organisations like the BSA have been known to get special privileges (up to and including armed police-backed raids) when it comes to software license audits. i wouldn't be asking them to authenticate themselves, either. or respond to them directly. i'd be referring the whole thing to management who will likely refer it your company's lawyer (who will probably tell you that it was a mistake for you to reply to them at all). as sysadmin, it's not your responsibility to respond to every demand and request that comes along (you'd be vulnerable to social engineering attacks if you did). your responsibility is to refer such matters to management, to provide technical advice to them as required, and to follow any lawful instruction. that last bit about lawful instruction is important. if your boss tells you to, e.g., breach privacy law and give out customer details without a court order or otherwise contrary to what is allowed by privacy legislation, then you have a duty to refuse. you can be held liable for obeying illegal instructions. (and if they insist that you do it and that it's legal but you're unsure about the legality, ask them to put it in writing, preferably in the form of direct instruction including legal advice from a lawyer - even dodgy lawyers are averse to putting their name on written instructions to break the law. if you're still unsure, consult your own lawyer - your employer's lawyer works for them, not for you) NOTE: i am not a lawyer and this is not legal advice. if you want something resembling actual legal advice, then consult a laywer. craig -- craig sanders <cas@taz.net.au>