Before You Fire the Company Geek
An anonymous reader writes "A new 'insider threat' survey by the US Secret Service and Carnegie Mellon University finds that 82 percent of people who hack their company 'exhibited unusual behavior in the workplace prior to carrying out their activities.' A somewhat amusing writeup at washingtonpost.com points to a bunch of more interesting gems hidden deep in the study, including: 'Almost all - 96 percent - of the insiders were men, and 30 percent of them had previously been arrested, including arrests for violent offenses (18 percent), alcohol or drug-related offenses (11 percent), and non-financial-fraud related theft offenses (11 percent).' The blog post also notes that 86 percent held technical positions at the companies: '...if you're going to fire someone (particularly company geeks who have the motive, means and access to inflict pain on your computer systems) make double sure you cut off their e-mail and network access at the same time you hand them their walking papers.'"
The survey went on to say that the remaining 18 percent of people 'exhibited unusual behavior in the workplace while carrying out their normal daily activities.'
Don't cha know...
The NSA: The only part of the US government that actually listens.
Seriously, though, sabotaging your former or current network is just a plain dumb idea, especially if it is/was your job to keep this sort of thing from happening. In the final analysis, the only real thing an I.T. professional possesses is their reputation. Trash that, and you'll find it difficult to secure further employment.
____
~ |rip/\/\aster /\/\onkey
They're assuming we already haven't taken control of everything else... who needs email when you control the elevators and doors... :)
Don't anthropomorphize computers, they don't like it.
make sure they don't run the email system first.
The revolution will NOT be televised.
'exhibited unusual behavior in the workplace prior to carrying out their activities.'
Referring to management?
Kiss my bass.
- 96 percent - of the insiders were men
:)
- The insiders ranged in age from 17 to 60 years (mean age = 32 years)
OSTG user statistics (Including Slashdot).
- 97% of OSTG readers are men
- average age is 29
Too bad OSTG doesn't have crime statistics for Slashdot readers
I think we should have this for our next poll!
Worst arrest of your lifetime:
1. Never. I'm a law abiding citizen.
2. Never. I run away.
3. A few misdemeanors
4. Violent offense
5. Alcohol or drug-related offenses
6. Non-financial-fraud related theft offenses
7. I'm writing this from death row.
8. I stole the money, burned down the office and now live on a beach in Fiji with my red stapler.
94% of Repubs and 21% of Dems voted to renew the Patriot Act
.. remember to give him a wedgie, for old times sake.
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
Also, if you're going to fire an accountant, it's a good idea to audit the accounts they dealt with particularly carefully, and if you're going to fire a security guard it's a good idea to collect their pass and master keys as they leave.
Of course, not screwing staff so badly that they are prepared to risk retaliation is also a good move.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Hmm, statistics. I wonder how those numbers compare to people who simply work in IT and don't hack? I'd say 96% being men isn't all that unusual, and I would not be surprised if 11% of the general population has alcohol/drug offences already.
The problem with stats is that they generally never give you a baseline. Without that they are meaningless.
The smart geek will keep an emergency backup admin account around. While it may sound like he's planning something evil with it (AKA fuck with me and I fuck you over, which it could be used for), he could also be making sure there's always a backup if things go to hell and someone gains access and tries to take out all the admin accounts.
It's like keeping a spare house key hidden in the garden or getting a second set of keys cut for your car and keeping them in a safe place.
I like muppets.
...you don't even have to be capable of hacking anymore. Act strangely enough and you can subtly extort your company for continued employment. What a great idea!
This is, after all, almost an order of magnitude more effective than screening for alcohol, drugs, or felony convictions.
-+-+-+-+-
Don't blame me for posting like a PHB. This is how they think, and the fact that it gives them a business excuse to play Charlie with his IT Angels probably won't hurt either.
Lacking <sarcasm> tags,
So you're saying that many of the people stupid enough to get caught, thus contributing to this survey's statistics, had been caught before doing other things? Can you say "self-selecting group"?
Nerd Rock In Progress
Now the good news: almost all of them got caught.
Well, no... almost all of the ones they know about got caught. How many incidents were simply covered up? How many of the really good ones made it look like a typical software-gone-bad-and-erased-the-data?
We all know that crime statistics are highly skewed by the reporting process...
500GB of disk, 5TB of transfer, $5.95/mo
I guess I get it as far as policy goes, but I experienced this a year ago from a large corporation when I got laid off... My manager came to my desk and did the perp walk with me to the office. Told me that in the interest of cutting cough costs the company was willing to offer me a one year severance package and let me go.
I said, "You're offering me a one year severance package???" He looked confused, but said, "yes".
I said, "Well then I respectfully decline your offer.... I would like to continue working for this company."
He said, "It's not optional."
I said, "Then you're not offering anything to me, you are doing something to me."
A couple of notes about the treatment therein:
In my career at this company I had received the highest award given by the company and was flown to a special ceremony to present my project and receive that award.
Bottom line here: you don't have to be a criminal, act like a criminal, or even be suspected of being a criminal to be treated like one....
"30 percent of them had previously been arrested, including arrests for violent offenses (18 percent), alcohol or drug-related offenses (11 percent), and non-financial-fraud related theft offenses (11 percent)."
These numbers also represent the population of the United States as a whole. Yes, 30 percent of the US population has been arrested before. More than 20% have a felony on their record, and so on. So to paint these people as anything other than ordinary citizens is silly. They simply represent the whole equally as the whole represents itself. Nothing unusual here.
So 41.16 were acting weird, 41.65 had grievances?
And 100% of researchers show signs of random rounding up or down based on mood, even within a single study.
If programs would be read like poetry, most programmers would be Vogons.
Short of a felony conviction, that's hard to do. We're a migratory culture and the fact is that no ex-employer wants to do a competitor a favor by giving them information about a candidate -- especially when any negative comments could result in a lawsuit.
Lacking <sarcasm> tags,
If you're firing an administrator you really have to go through the entire network they had access to and check every system for things like email responders, cron jobs, scripts. Ugh, it's a huge task. It's really fairly simple to add a difficult-to-find backdoor to someone's network.
That's quite coincidental. The company I work for fired a sysadmin last week for drug abuse, and we are at this very second combating a DoS attack from him. He's also using our servers to route spam all over the place, hoping to get our servers listed on spam blacklists so that we can't use corporate mail.
interesting....
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Here's what the survey doesn't say. That sometimes employers decide to retaliate against employees who point out problems or cause what management thinks is trouble. These employees often find themselves the targets of investigations.
All surveys like this do is give ammunition to corporate management to investigate who they want, when they want, expect even less privacy and create conditions of employment so egregious that the IT worker becomes chattel.
As it is, there are systems to monitor web surfing, chat conversations, phone conversations, VOIP decoders for phone conversations that aren't analog, cameras, keystroke loggers, mail server agents that look for keywords, policies against the use of encryption, etc etc.
With blood tests and mandatory screenings for crime history, blood history, pretty soon genetic history of family disease (company insurance is expensive you know they don't need any cancer heads) there will be no part of a worker's life that isn't controlled by the corporation that employs them.
Surveys like this one cull fear in IT shops, fear of insider attacks, of competitive disadvantage brought about by unscrupulous employees. When, in fact, it's employers for the most part who engage in espionage and frame workers. It's easy and efficient. Want to get rid of that guy nearing his pension? Put some kiddie porn on his hard drive.
We don't need any more tools to spy. We need some fucking national legislation to curb the uncontrolled police state that exists inside the corporations of the world.
'Uh, Ted, as our only IT guy, could you go ahead and disable your own e-mail and network access; we're firing you this afternoon.'
What if you are the ONLY one that controls the access to system?
:)
Scrap that. What if you are the ONLY one who knows how the system works? Ah, it feels great to be non-expendable
Don't fire Michael and Samir. Especially if they have a friend named Peter - who checks out that chick on channel 9. Whooo!
doesn't she look like anne?
The steps beyond walking him out should be done by another techie, and not just an MCSE.
ALL passwords should be obtained before he leaves, and ALL should be changed immediately to randomized strings.
All user accounts should be audited. If it's not supposed to be there, remove it or change its passwd.
Audit all incoming ports.
Force EVERYONE at the company to change their passwords to newer, better ones. Any techie at a company remembers many others' passwords, especially if it's like their last name etc.
Take immediate backups of important servers and keep 'em separate.
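The audit steps in the two checklists above (account audit, cron jobs and scripts left behind by a departed admin, password rotation) can be scripted. The following is an added example written for this page, not code posted by anyone in the thread: it runs over constructed sample data standing in for /etc/passwd, per-user crontabs and authorized_keys files, and flags leftovers tied to a hypothetical departed admin named "bob". The user names, paths and key strings are all made up; on a real host you would feed it the actual file contents.

```python
"""Offboarding audit: flag leftover access tied to a departed administrator.

All sample data below is constructed for illustration; replace it with the
real /etc/passwd, `crontab -l -u <user>` output and authorized_keys contents.
"""
import secrets
from dataclasses import dataclass

# --- constructed sample inputs (hypothetical users, not from any real system) ---
DEPARTED = "bob"
APPROVED_USERS = {"root", "alice", "carol", "backup"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
svc_bak:x:1003:1003:backup helper:/home/bob:/bin/bash
"""

SAMPLE_CRONTABS = {
    "root": "0 2 * * * /usr/local/sbin/nightly-backup.sh\n"
            "59 23 * * 5 /home/bob/bin/cleanup.sh\n",
    "alice": "*/15 * * * * /home/alice/sync.sh\n",
}

SAMPLE_AUTHORIZED_KEYS = {
    "root": "ssh-ed25519 AAAA...EXAMPLE1 alice@laptop\n"
            "ssh-ed25519 AAAA...EXAMPLE2 bob@workstation\n",
    "carol": "ssh-ed25519 AAAA...EXAMPLE3 carol@desk\n",
}


@dataclass(frozen=True)
class Finding:
    kind: str    # "account", "cron" or "ssh-key"
    where: str   # account or crontab owner the finding applies to
    detail: str


def parse_passwd(text):
    """Return {user: home_dir} for every entry of an /etc/passwd-style listing."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 7:
            users[fields[0]] = fields[5]
    return users


def audit_accounts(users, approved, departed):
    """Flag the departed account, unapproved accounts, and anything sharing his home."""
    findings = []
    home_departed = users.get(departed)
    for name, home in users.items():
        if name == departed:
            findings.append(Finding("account", name, "departed user's account still exists; lock or remove"))
        elif name not in approved:
            findings.append(Finding("account", name, "account not on approved list; verify owner or remove"))
        if home_departed and name != departed and home == home_departed:
            findings.append(Finding("account", name, f"shares home directory {home} with departed user"))
    return findings


def audit_crontabs(crontabs, departed):
    """Flag crontab entries owned by the departed user or running scripts from his home."""
    findings = []
    for owner, text in crontabs.items():
        for line in text.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            if owner == departed or f"/home/{departed}/" in line:
                findings.append(Finding("cron", owner, f"entry tied to departed user: {line}"))
    return findings


def audit_authorized_keys(keys, departed):
    """Flag SSH keys installed for the departed user or whose comment names him."""
    findings = []
    for account, text in keys.items():
        for line in text.splitlines():
            parts = line.split()
            if len(parts) < 2:
                continue
            comment = parts[2] if len(parts) > 2 else ""
            if account == departed or comment == departed or comment.startswith(departed + "@"):
                findings.append(Finding("ssh-key", account, f"key tied to departed user: {comment or parts[1][:16]}"))
    return findings


def new_password(length=24):
    """Random replacement secret for each credential the departed admin knew."""
    return secrets.token_urlsafe(length)


def run_audit(departed, approved, passwd_text, crontabs, keys):
    users = parse_passwd(passwd_text)
    return (audit_accounts(users, approved, departed)
            + audit_crontabs(crontabs, departed)
            + audit_authorized_keys(keys, departed))


if __name__ == "__main__":
    for f in run_audit(DEPARTED, APPROVED_USERS, SAMPLE_PASSWD, SAMPLE_CRONTABS, SAMPLE_AUTHORIZED_KEYS):
        print(f"[{f.kind}] {f.where}: {f.detail}")
```

On the sample data this reports five findings: bob's own account, the unapproved `svc_bak` account (twice, because it also points at bob's home directory), root's Friday-midnight cron entry running a script under /home/bob, and the key with comment `bob@workstation` in root's authorized_keys. The checks are deliberately name-based and simple; they catch the obvious leftovers, not a carefully hidden backdoor, which is why the post above calls the full sweep a huge task.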
Or you could simply give him a fat severance package.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
...if you're going to fire someone (particularly company geeks who have the motive, means and access to inflict pain on your computer systems) make double sure you cut off their e-mail and network access at the same time you hand them their walking papers.'
It seems to me the real way to address the problem is to do a background check when you hire these people.
If a company is above board and decent dealing with employees, it will seldom encounter insider attacks and will be fully justified prosecuting them. Notify an employee of an impending layoff when the decision is made. Don't give bogus performance reviews just so that you can fire someone without giving them the severance package. Don't expect people to work overtime training their overseas replacements.
:-)
On the other hand, companies that use underhanded tactics should be barred from suing ex-employees that are doing things just comparable in sleaziness. Don't expect to get back those nice gadgets that he took home.
Huh. The trouble with that is, machine-gunning the HR department just kills a bunch of line employees and middle managers - it just makes your downsizing decisions easier. Sabotage actually hurts the bottom line.
-Hentai [in vita non pacem est]
It's not as simple as that. Most companies should run their systems with the mentality that everyone is out to get them. This goes double for bigger companies. Backups and security should be of great importance. Employees should not be given access to things that they should not have access to, especially if their activities are questionable. Passwords that that person had access to should be changed and memos should be issued informing everyone that person is no longer with the company. If access was gained through someone else's account, that person must be disciplined. If there are known flaws in the system, fixing those flaws should be put as high priority. Never allow such a person to have a high level of access and never allow such a person to be the only person with root. Occasional check-ups on what activities are going on and checking logs should be done.
The company should take some responsibility for this as well; after all, if the person has a history of violence, criminal activity and overall bad references, why the hell would the company hire them and think they would think about the best interest of the company?
These numbers also represent the population of the United states as a whole. Yes 30 percent of the US population has been arrested before. more than 20% have a felony on their record and so on.
I call BS on this one. Prove it.
I don't know what the actual numbers are, but I know you're way off. A good friend of mine was a police officer in an anti-gang unit in southern CA. Even within bad neighborhoods the statistics weren't this bad.
I think it's really important to differentiate "fire" -- hey, this guy is really bad for us and we need to get rid of him ASAP due to some actionable offense -- and "lay off" -- hey, we have a redundancy, or something.
When firing geeks (having had to do this once), I think you need to do so with extreme prejudice -- take away access while they're talking to HR, lock down, etc.
When laying off geeks, I prefer for the rules to be different. The person has done nothing wrong, we don't think they're an active threat and, until about five minutes ago, we trusted this person with our data -- because, presumably, we believed them to be honourable people. They've not stopped being honourable people because we've laid them off, and we shouldn't treat them as such.
Been laid off twice in my life:
First time was while I was responsible for a large group of geeks. We merged with another company and on the last day of the merger activities, I had the conversation with HR. New CIO had his own person and figured (accurately) we wouldn't get along. HR wanted to walk me out, I wanted to stay the evening because we were concluding a month of activity connecting the two companies. Ended up going up to the President of the company and saying "hey, I was responsible for this, I want to see this finished." He said "hey, no problem. Nothing personal." I stayed, we finished the connections, and then we went out and got stinking drunk.
Second time was at a financial services company which was, by far, the most paranoid, employee-hostile company I've ever worked in. Thankfully, the CIO was far more sane. When he was forced to let me go, and I packed my stuff, I offered him the opportunity to look through what I was taking to make sure nothing was inappropriately taken (they didn't watch me pack). He declined, for the "hey, we trusted you until ten minutes ago" reason above.
We don't need any more tools to spy. We need some fucking national legislation to curb the uncontrolled police state that exists inside the corporations of the world.
This is getting a bit off topic and political/philosophical, but this type of thing is why I've been advocating a system of law that holds all officially organized groups of people - government bodies, corporations, unions, same difference - to the same rules and standards. When we've got global corporations with as many people as some states or even nations, why shouldn't they be held to the same code of conduct as those states and nations? Give them the same benefits, require of them the same responsibilities. Historically, government bodies don't behave much differently than for-profit corporations anyway...
-Forrest Cameranesi, Geek of all Trades
"I am Sam. Sam I am. I do not like trolls, flames, or spam."
Well, just pop in a bootable linux cd, reboot from cd, become root, mount hard drive, edit
This has saved my butt a few times when I've forgotten my root password on a machine I need to administer.
What changed under Obama? Nothing Good
They collected the data but then jumped to a very wrong conclusion and issued a prescription that, IMHO, will cause MORE harm to companies than it will prevent.
The "geek" who has been a major player in running the show will be able to break in and do harm if he wants to. If he's criminal or revenge-prone he may already have installed a bunch of stuff - and if he's just doing his job he probably has emergency backdoors and the like in case the normal paths break.
And while ordinary users may not have this sort of access, many of them WILL have been able to accumulate other users' passwords and the like. They too can get in and do damage.
IF you motivate them.
The decision is between giving them notice and an opportunity to gracefully disengage from the company, versus pulling the plug and THEN telling them they're fired. The gentle departure versus the knife in the back.
As someone who has been in the business for decades, I have been laid off from time to time. The usual procedure has been to give notice and allow the soon-to-be-ex employee to gracefully shut down or redirect his correspondence, clean out his virtual desk, and take advantage of the company email for the first phase of his job hunt. Doing this creates warm fuzzies all around - the social net is intact, mutual recommendations will be forthcoming at all opportunities, and if the company ever had need for me again (eventually it did) I'd hire on with no qualms.
Exactly ONCE I've had the no-notice shutdown. By a PHB who did it that way "because that's how it's done". (No doubt he'd seen trade journal articles like the one above.)
I was furious.
I COULD have done major damage to the company's IT infrastructure - but for my scrupulous honesty in business dealings (even with scumbags).
As it was, when the PHB in question later did a startup and found himself in need of my talents, I didn't even bother to reply to his offer. How can you trust someone like that? You can imagine how I advised anyone considering hiring him or going to work for him.
Now imagine doing that to someone who is not just able, but willing, to take revenge for any slight. These people are NOT rare - if you have a hundred employees, chances are you have at LEAST one.
As a friend who was a union organizer once said to me: "The workers will give you what you ask them for. Ask for quantity and you get quantity. Ask for quality and you get quality. Ask for trouble and you get trouble."
The surprise plug-pull is asking for trouble.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
In the US this is not true, at least as a general statement. Under the doctrine of At-will employment you can be fired at any time for (almost) any reason.
My wife works for [insert biggest pharma company in the world here], and has for about 6 years. I used to work for them as well for 5-6 years myself. They were good when I was in, then things got "International", and I resigned quick before the walls started coming down.
In my wife's department (Cancer Biology), there are people who have been there for literally decades. They're so entrenched, they know every system, process, procedure ever made there. If you want to know an answer to some complicated question, these people will know it... and if they don't, they definitely know who WILL know.
One person in particular had been there for 34 years, 11 months.. and they were going around looking for ways to "cut costs" in her department.
When you retire at 35-years or more into $PHARMA, you get a nice fat severance. Something like $100k/year for every year there + your stock earnings and benefits cashed out, which amounted to over $1M for this person. That's $100k * 35 + $1M (that's over $4.5M total to retire upon).
They fired him...
...30 days before his 35-year anniversary with the company. He got $60k total as a severance. They didn't want to have to pay out his retirement and severance, so they let him go 4 weeks before he would have earned it. If he had known, he probably could have used up 4 weeks of his vacation to eat up the time instead, but he never saw it coming. Nobody did.
... after putting in 35 years with the company .
This kind of stuff sickens me.
One of the remaining 4% was Chloe O'Brian from '24'. And now that she knows how to use a machine gun, nobody dare fire her!
You must think in Russian.
At a previous job, I was the only tech staff member who knew how to clear the transaction logs on MS SQL Server. It's not hard to do, but the network admin couldn't even be bothered to do backups more than once or twice a year, which was part of the SQL Transaction log problem.
When users started getting "transaction log is full" errors, they turned to me to have it fixed.
Once the error occurred while I was on vacation, and the server remained down for three days and a weekend until I got back. I was accused of hacking the system. I pointed out that I was in the Middle of New Mexico at the time, about a mile underground. Accusations of setting up a logic bomb (Not the phrases they used, but I'll skip the 20 minutes they needed to describe the concept) flew around for a while.
In the end, the company owner grudgingly admitted that it was probably a maintenance issue, and then reprimanded me for not "trunting the trees" before I left on vacation.
So for the remainder of my time there I just made sure to do a full backup and shrink the transaction logs every Friday. Automated backups were not an option, as there was never enough drive space for more than one or two backups, so I had to move the old ones to a USB 1.1 drive first.
And no, system level automation of such rudimentary tasks was not an option. Don't ask. It's a whole other story.
So I had no reason to hack the system. All I had to do was leave. Of course I documented everything, but I knew no one would bother reading any of it. This is the company that described programmers as "Glorified Typists."
I made sure to not even visit their web site after I quit.
I did, however, have social contact with a few of the non-IT staff members. Seems there were a slew of problems with the servers, specifically with a cryptic error about a transaction log that no one in the company could understand.
In the end they paid a consulting firm to come in and fix the problem, which I'm assuming meant finally automating the backup process and transaction log shrinking.
"Live Free or Die." Don't like it? Then keep out of the USA
There is a sabotage that actually works. It is legit, and it also helps your friends:
1) Go to a better place (in the same city if possible)
2) Hire away all productive people remaining in your former company.
There are 2 categories of employees. The sugary HR will eventually find out that they now have only one.
I doubt that we will ever figure out - and I suspect that even if we did figure out we couldn't do much about it
There are many cron jobs, but at our little patch of heaven we always talked in hushed tones about "THE CRON JOB". This was the blood-curdling revenge that would automatically be invoked for an unhappy firing.
...Oh... by the way Bob...you should log on to ADMIN123 and delete foo.sh....before midnight Friday."
Cancel passwords, take computers away, have security guards escort us out; it doesn't matter. THE CRON JOB will still wreak its heinous vengeance!!
Of course, if they treat you decently when you go you can always warn them. Like - "The severance check just cleared at the bank and
None of them can see the clouds; The polished wings don't care.
Here's a really old chart with real statistics. It says that going to work is way more dangerous than flying in airplanes OR crashing your car.
I lived this one out, years ago.... The beauty of it for many large companies today is, there's this expectation of meeting various quality standards (ISO compliance, etc. etc.) - and your employer can use that as a convenient excuse for why he/she is demanding that you "Document, document, document!" everything that you do.
Sure, these standards rules might dictate that "every procedure you do needs to be documented somewhere" - but where do you draw the line? If all your job really required was following a set of written instructions for each situation that occurred, the only job qualifications H.R. should ever need to look for are people who can read and follow a set of directions.
The stark reality is, they want you documenting your work primarily so they have free training materials handy for your replacement. Other than that, the only sensible documentation they SHOULD have you doing is taking notes for YOURSELF, so you don't have to keep looking the same thing up over and over, if you need to refer back to it for future troubleshooting.
Just look at code and comments, and how often they don't match up after a lot of heavy editing ...
I'm not saying something as obvious as
Leave stuff like that hanging around, either with SOMEONE ELSE's NAME on it, or titled BOfH Systems Manual for Dummies
Any IT professional should expect this type of treatment. It is not discourteous, it is professional and appropriate. People who get their feathers ruffled because of this type of thing should check their egos.
Since when is expecting courtesy having an ego?
Sure, if somebody threatens a coworker they should be escorted out by armed guards. Everybody expects that, and it should be done for the safety of everybody else if for no other reason.
Otherwise, treating employees as if you don't trust them tells them that you don't trust them. It speaks volumes.
"Professional" does not mean impersonal, or treating employees as if they are nothing more than capital.
The funny thing is that companies could accomplish most of the security-related goals without destroying the morale of everybody who is left. How about this scenario:
1. Employee is called to his boss's office.
2. Boss explains that he has to be let go. Boss has HR present, but HR is presented as being present in case employee has questions, and generally lets the boss (who has a personal relationship) do the talking.
3. Boss takes employee back to desk for "emotional support" and to help him with anything he needs to carry out. Rest of group gets to say goodbye. It is a sad day, but there is some sense of closure. Everybody gets to say goodbye.
4. Atmosphere is designed to communicate that employee is not persona non grata, and that his coworkers should feel free to pass on job openings, and generally feel free to maintain contact. Boss can be a part of this as well.
5. Employee is walked to the gate, and helped with boxes to the car by boss for emotional support.
6. Boss tells employee to call him if he needs anything before waving goodbye.
The employee has been supervised the whole time, and doesn't have an opportunity to cause mischief. Yet, the entire time he is treated personably, and would be somewhat inclined to accept an offer to rejoin the company.
Companies often underestimate the impacts that terminations have on the people who remain behind. Seeing their coworkers treated with dignity will go a long way towards discouraging people from jumping off the sinking ship.
Nobody expects to have free rein inside a company they have just been terminated from. On the other hand, you can at least be nice about it...