Slashdot Mirror
Before You Fire the Company Geek
An anonymous reader writes "A new 'insider threat' survey by the US Secret Service and Carnegie Mellon University finds that 82 percent of people who hack their company 'exhibited unusual behavior in the workplace prior to carrying out their activities.' A somewhat amusing writeup at washingtonpost.com points to a bunch of more interesting gems hidden deep in the study, including: 'Almost all - 96 pecent - of the insiders were men, and 30 percent of them had previously been arrested, including arrests for violent offenses (18 percent), alcohol or drug-related offenses (11 percent), and non-financial-fraud related theft offenses (11 percent).' The blog post also notes that 86 percent held technical positions at the companies: '...if you're going to fire someone (particularly company geeks who have the motive, means and access to inflict pain on your computer systems) make double sure you cut off their e-mail and network access at the same time you hand them their walking papers.'
The survey went on to say that the remaining 18 percent of people 'exhibited unusual behavior in the workplace while carrying out their normal daily activities.'
Don't cha know...
The NSA: The only part of the US government that actually listens.
Seriously, though, sabotaging your former or current network is just a plain dumb idea, especially if it is/was your job to keep this sort of thing from happening. In the final analysis, the only real thing an I.T. professional possesses is their reputation. Trash that, and you'll find it difficult to secure further employment.
____
~ |rip/\/\aster /\/\onkey
They're assuming we already haven't taken control of everything else... who needs email when you control the elevators and doors... :)
Don't anthropomorphize computers, they don't like it.
- 96 pecent - of the insiders were men
:)
- The insiders ranged in age from 17 to 60 years (mean age = 32 years)
OSTG user statistics (Including Slashdot).
- 97% of OSTG readers are men
- average age is 29
Too bad OSTG doesn't have crime statstics for Slashdot readers
I think we should have this for our next poll!
Worst arrest of your lifetime:
1. Never. I'm a law abiding citizen.
2. Never. I run away.
3. A few misdemenors
4. Violent offense
5. Alcohol or drug-related offenses
6. Non-financial-fraud related theft offenses
7. I'm writing this from death row.
8. I stole the money, burned down the office and now live on a beach in Fiji with my red stapler.
94% of Repubs and 21% of Dems voted to renew the Patriot Act
.. remember to give him a wedgie, for old times sake.
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
Hmm, statistics. I wonder how those numbers compare to people who simply work in IT and don't hack? I'd say 96% being men isn't all that unusual, and I would not be surprised if 11% of the general population has alcohol/drug offences already.
The problem with stats is that they generally never give you a baseline. Without that they are meaningless.
I guess I get it as far as policy goes, but I experienced this a year ago from a large corporation when I got laid off... My manager came to my desk and did the perp walk with me to the office. Told me that in the interest of cutting cough costs the company was willing to offer me a one year severance package and let me go.
I said, "You're offering me a one year severance package???" He looked confused, but said, "yes".
I said, "Well then I respectfully decline your offer.... I would like to continue working for this company."
He said, "It's not optional."
I said, "Then you're not offering anything to me, you are doing something to me."
A couple of notes about the treatment therein:
In my career at this company I had received the highest award given by the company and was flown to a special ceremony to present my project and receive that award.
Bottom line here: you don't have to be a criminal, act like a criminal, or even be suspected of being a criminal to be treated like one....
"30 percent of them had previously been arrested, including arrests for violent offenses (18 percent), alcohol or drug-related offenses (11 percent), and non-financial-fraud related theft offenses (11 percent)."
These numbers also represent the population of the United states as a whole. Yes 30 percent of the US population has been arrested before. more than 20% have a felony on their record and so on. So to paint these people as anything other than ordinary citizens is silly. They simply represent the whole equally as the whole represents itself. Nothing unusual here.
So 41.16 were acting wierd, 41.65 had grievances?
And 100% researchers show signs of random rounding up or down based on mood even within a single study.
If programs would be read like poetry, most programmers would be Vogons.
Short of a felony conviction, that's hard to do. We're a migratory culture and the fact is that no ex-employer wants to do a competitor a favor by giving them information about a candidate -- especially when any negative comments could result in a lawsuit.
Lacking <sarcasm> tags,
I've been doing that for years. It's easy. Just get a lot of assorted action figures and display them all around your work area. Then occasionally have disturbing conversations with them...making sure you are overheard.
____
~ |rip/\/\aster /\/\onkey
Here's what the survey doesn't say. That sometimes employers decide to retaliate against employees who point out problems or cause what management thinks is trouble. These employees often find themselves the targets of investigations.
All surveys like this do is give ammunition to corporate management to investigate who they want, when they want, expect even less privacy and create conditions of employment so egregrious that the IT worker becomes chattel.
As it is, there are systems to monitor web surfing, chat conversations, phone conversations, VOIP decoders for phone conversations that aren't analog, cameras, keystroke loggers, mail server agents that look for keywords, policies against the use of encryption, etc etc.
With blood tests and mandatory screenings for crime history, blood history, pretty soon genetic history of family disease (company insurance is expensive you know they don't need any cancer heads) there will be no part of a worker's life that isn't controlled by the corporation that employs them.
Surveys like this one cull fear in IT shops, fear of insider attacks, of competitive disadvantage brought about by unscrupulous employees. When, in fact, it's employers for the most part who engage in espionage and frame workers. It's easy and efficient. Want to get rid of that guy nearing his pension? Put some kiddie porn on his hard drive.
We don't need any more tools to spy. We need some fucking national legislation to curb the uncontrolled police state that exists inside the corporations of the world.
I think it's really important to differentiate "fire" -- hey, this guy is really bad for us and we need to get rid of him ASAP due to some actionable offense -- and "lay off" -- hey, we have a redundancy, or something.
When firing geeks (having had to do this once), I think you need to do so with extreme prejudice -- take away access while they're talking to HR, lock down, etc.
When laying off geeks, I prefer for the rules to be different. The person has done nothing wrong, we don't think they're an active threat and, until about five minutes ago, we trusted this person with our data -- because, presumably, we believed them to be honourable people. They've not stopped being honourable people because we've laid them off, and we shouldn't treat them as such.
Been laid off twice in my life:
First time was while I was responsible for a large group of geeks. We merged with another company and on the last day of the merger activities, I had the conversation with HR. New CIO had his own person and figured (accurately) we wouldn't get along. HR wanted to walk me out, I wanted to stay the evening because we were concluding a month of activity connecting the two companies. Ended up going up to the President of the company and saying "hey, I was responsible for this, I want to see this finished." He said "hey, no problem. Nothing personal." I stayed, we finished the connections, and then we went out and got stinking drunk.
Second time was at a financial services company which was, by far, the most paranoid, employee-hostile company I've ever worked in. Thankfully, the CIO was far more sane. When he was forced to let me go, and I packed my stuff, I offered him the opportunity to look through what I was taking to make sure nothing was inappropriately taken (they didn't watch me pack). he declined, for the "hey, we trusted you until ten minutes ago" reason above.
They collected the data but then jumped to a very wrong conclusion and issued a prescription that, IMHO, will cause MORE harm to companies than it will prevent.
The "geek" who has been a major player in running the show will be able to break in and do harm if he wants to. If he's of a criminal or revenge-prone he may already have installed a bunch of stuff - and if he's just doing his job he probably has emergency backdoors and the like in case the normal paths break.
And while ordinary users may not have this sort of access, many of them WILL have been able to accumulate other users' passwords and the like. They too can get in and do damage.
IF you motivate them.
The decision is between giving them notice and an opportunity to gracefully disengage from the company, versus pulling the plug and THEN telling them they're fired. The gentle departure versus the knife in the back.
As someone who has been in the business for decades, I have been laid off from time to time. The usuall procedure has been to give notice and allow the soon-to-be-ex employee to gracefully shut down or redirect his correspondence, clean out his virtual desk, and take advantage of the company email for the first phase of his job hunt. Doing this creates warm fuzzies all around - the social net is intact, mutual recommendations will be forthcoming at all opportunites, if the company ever had need for me again (eventually it did) I'd hire on with no qualms.
Exactly ONCE I've had the no-notice shutdown. By a PHB who did it that way "because that's how it's done". (No doubt he'd seen trade journal articles like the one above.)
I was furious.
I COULD have done major damage to the company's IT infrastructure - but for my scrupulous honesty in business dealings (even with scumbags).
As it was, when the PHB in question later did a startup and found himself in need of my talents, I didn't even bother to reply to his offer. How can you trust someone like that? You can imagine how I advised anyone considering hiring him or going to work for him.
Now imagine doing that to someone who is not just able, but willing, to take revenge for any slight. These people are NOT rare - if you have a hundred employees, chances are you have at LEAST one.
As a friend who was a union organizer once said to me: "The workers will give you what you ask them for. Ask for quantity and you get quantity. Ask for quality and you get quality. Ask for trouble and you get trouble."
The surprise plug-pull is asking for trouble.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
At a previous job, I was the only tech staff member who knew how to clear the transaction logs on MS SQL Server. It's not hard to do, but the network admin couldn't even be bothered to do backups more than once or twice a year, which was part of the SQL Transaction log problem.
When users started getting "transaction log is full" errors and they turned to me to have it fixed.
Once the error occurred while I was on vacation, and the server remained down for three days and a weekend until I got back. I was accused of hacking the system. I pointed out that I was in the Middle of New Mexico at the time, about a mile underground. Accusations of setting up a logic bomb (Not the phrases they used, but I'll skip the 20 minutes they needed to describe the concept) flew around for a while.
In the end, the company owner grudgingly admitted that it was probably a maintenance issue, and them reprimanded me for not "trunting the trees" before I left on vacation.
So for the remainder of my time there I just made sure to do a full backup and shrink the transaction logs every Friday. Automated backups were not an option, as there was never enough drive space for more than one or two backups, so I had to move the old ones to a USB 1.1 drive first.
And no, system level automation of such rudimentary tasks was not an option. Don't ask. It's a whole other story.
So I had no reason to hack the system. All I had to do was leave. Of course I documented everything, but I knew no one would bother reading any of it. This is the company that described programmers as "Glorified Typists."
I made sure to not even visit their web site after I quit.
I did however have social contact with a few of the non-it staff members. Seems there were a slew of problems with the servers, specifically with a cryptic error about a transaction log that no one in the company could understand.
In the end they paid a consulting firm to come in and fix the problem, which I'm assuming meant finally automating the backup process and transaction log shrinking.
"Live Free or Die." Don't like it? Then keep out of the USA