Security Fears Prod Firms to Limit Staff Web Use
Carl Bialik from WSJ writes "Companies are limiting employees' use of free Internet services, such as Skype and video downloading, to protect themselves from viruses, communications traffic jams and regulatory missteps, the Wall Street Journal reports. ABN Amro's global head of strategy and engineering tells the WSJ, 'I'm not allowing Skype because I don't know what it does.' Some colleges and departments at Cambridge University also ban Skype. The limits affect executives as well as the rank-and-file, the WSJ finds: ' "I used to think nothing of checking my Yahoo mail several times a day," says Global Crossing Chief Marketing Officer Anthony Christie. Now that he can't, his long workday makes it hard to avoid using his work email account for personal messages, he says.'"
What's next? Complaining that you can't use company funds to go on a vacation? Complaining that you can't use company computers to play games?
"Now that he can't, his long workday makes it hard to avoid using his work email account for personal messages, he says."
Cue the "But that's not fair" and "work is for work" arguments in 5..4..3..2..1.
This guy should write legal policy in Burma: ... tells the WSJ, 'I'm not allowing Skype because I don't know what it does.'
I mean, just, wow. And here I thought that the "anything I don't understand must be bad" school of management was going out of style.
"I used to think nothing of checking my Yahoo mail several times a day," says Global Crossing Chief Marketing Officer Anthony Christie. Now that he can't, his long workday makes it hard to avoid using his work email account for personal messages, he says.
Sometimes I wonder if this is exactly what companies *want*. They don't want people to use outside e-mail (especially ones running over https) because then they can't easily monitor what their staff is doing.
If people are using their work e-mail for their personal use, the company gets to see exactly what, where, how, and when their employees are spending their own time. If the employee opts to not use their work e-mail for anything personal, the company knows that they now have the other added benefit of possible added productivity.
I'm just glad I can use SSH and tunnel everything over that. If I can't do that, I have GPRS service on my mobile device and I *could* use that for AIM, e-mail, and browsing instead.
As a lowly government employee, I find the general lack of concern for "regulatory missteps" (and thus pretty much unlimited web freedom) a major perk in an otherwise mundane job environment.
Dear employee,
We hope you enjoy working here. Please work hard and do some great work for us!
Thanks,
Your employer.
P.S. WE DON'T TRUST YOU.
If people use freemail or free VoIP software, there's no way to monitor communications, either for your own devious ends or for actual government-mandated policies (Sarbanes-Oxley, or something similar, and one that's similar to HIPAA); pretty much anything that says people with access to confidential info have to protect it.
That plus the standard, you're using company resources, blah blah.
My point?
Dunno, why did they write this story anyhow?
He tried to kill me with a forklift!
At my company we are getting some DSL wireless connections that are not connected to the internal network. That way, one could use their personal laptop for personal stuff. Not 100% safe, but a decent alternative.
"I'm not allowing X because I don't know what it does" does not necessarily equate to "X is bad".
Banning an unknown service from a network is the more sensible default decision for a corporate network to take. Firewalls should block everything by default, and corporate desktops should stop installations of anything not checked and cleared. Why should Skype be any different?
You have to admit that honesty is a rare quality, even if he is a bad manager.
Oh that? That's just a day long connection to an https server.
Sounds like the heyday of Napster, when people were swapping files so liberally and often that servers were grinding to a halt with all the traffic. Still, a large corporation should be able to retard traffic or have enough server capacity to deal with the onslaught. As to whether or not all these services are security holes, sure they are, just as sure as the email attachment some unwitting dupe opens from his corporate email account.
I do see the point about communications logging though, especially in the Sarbanes-Oxley age. If a financial services corporation can't account for all its traffic, they run the risk of someone internally using proprietary information for personal gain and flying right under the radar.
As long as it's not against company policy, you could try using SSH tunneling to hit a proxy at home. It might be a lot slower, but you can go anywhere. I've been using one written in Python for six months and haven't had a hitch.
Another is an omission that these security breaches are predominately the fallout from design and production defects in MSIE and Windows. Time for a class action suit. If HP is eligible, then so is MS.
Another is an omission that the main reason no one knows what Skype really does is because both the code and the protocol are closed.
I've always prevented my users from downloading *any* program from the internet. There are a multitude of reasons: spyware, bandwidth issues, etc. I just think it makes good sense to limit the crud that can be put on machines. I don't have to wonder if the problem a user is having is due to something they downloaded. Being in healthcare, I'm also bound by HIPAA. My interpretation of it is what I just mentioned above. It actually gets me in a frizzle (word?) when I see the junk my father's company allows them to put on their machines. They aren't healthcare, but I would think the hassle of tech support would be magnified many times over...
I've heard THAT one before.
"No, you can't install Opera because I don't know what it does."
"No, you can't install ClamAV because I don't know what it does."
"No, you can't use 'a computer' because I don't know what it does." (Well... you get the idea.)
And of course, any (calm, polite) attempts to explain exactly what the software in question does is seen as blatant insubordination...
If your company isn't doing this, please let me know who you work for. I want to be extra careful with any of your products before I consider them for use.
I just started as IT manager for a small advertising agency. The systems were wide open before, and it seems like every machine has Limewire, Skype, five different IM programs... and lots and lots of problems.
When these items cause problems that reduce productivity they have to go. It's that simple.
Due to unrestrained (and uninformed) users I now have to go over all 50 machines with a fine-tooth comb to scrub off the bad stuff. Several of these machines are probably going to have to be wiped. This is 100% due to user loaded "personal" software.
As I fix each machine they are getting locked down. I've been directed by management to prevent users from pirating music on company machines or using filesharing to share pirated music. I don't see anything unreasonable at all about that.
Any app that is well-behaved and does not expose the company to liability is fine with me. Otherwise it has to go.
If your employees only need particular websites and particular applications to do their jobs, then why would you willingly open up additional attack vectors? It's a completely unnecessary business risk.
If you have employees complaining about needing to use personal email (what did they do before email in the workplace was common?), then simply set up a shared cheap PC in the coffee room for them to use on their lunch break. Firewall it off so that when all the inevitable crap gets onto the machine, it doesn't affect any important systems.
As a consultant based overseas, using my client's corporate internet for Skype actually SAVES them a fortune. They would normally pay for the POTS international phone calls we make (VERY $$$$$), but the fact that they allow Skype means that we make all of our calls Skype-Skype without it costing them (or us) anything in call costs. Bandwidth charges are negligible in comparison.
If firms continue to be ignorant about new or alternative technologies then they will continue to be left behind. These savings can be significant over the long term, financially as well as productivity-wise. Companies in the future will be split into two categories: those that embrace new technology and those that struggle under misinformed regimes run by bureaucrats who prefer the trusted path, the path of least resistance, over the newer, technologically superior one. I've seen this more times than I'd care to remember.
These days anyone with $50 in their pocket can get a domain name, host it somewhere with secure webmail access, and set it up with half an hour of clicking around a user-friendly cPanel. It won't kill most slightly-able people to not have Yahoo. Now whether you want to continue to give the IT staff at your job a good look at your personal mail, that's a whole other issue altogether.
About Skype, as it moves more and more in the direction of Napster in terms of commercialism, I trust it less and less, and halfway expect that sooner or later, network analysis will show evidence of spyware traits.
The banning of Skype at some departments and colleges at Cambridge comes as no surprise to me.
I was at Cambridge during the late 90's-early Noughties, and I seem to recall a number of stern warnings to students about bandwidth usage from both College and University computing authorities. One of them even included a plea to use European or British mirrors as much as possible.
The shame is that while the Cambridge University Data Network had bandwidth to burn within Cambridge, it seems that the trouble was always further upstream on JANET.
Things got so bad that there were rumours at the time that the poorer colleges were going to start charging their students for bandwidth. I never heard anything of it, and it didn't stop the proliferation of p2p (both in the form of Napster and samba shares) in my time there.
I expect a few hundred flames of this statement, but it's a rock-solid security policy. Yes, this guy probably "should" know what Skype is in most people's opinions, but his default "deny" policy for anything he doesn't know is correct, and that attitude WILL prevent trouble. On a corporate network, especially one potentially carrying any kind of sensitive data, anything not specifically allowed should be denied. If employees can make a case about what any new service is and why they need it, it can be evaluated and perhaps allowed, but it should be denied by default.
Skype is closed source, the binary is full of obfuscation, and you can't examine the network traffic. "Trust but verify" is replaced by "trust".
You could use Filemon to make sure Skype's not reading your disk, and other tools to check whether it's keylogging, but a busy paranoid could be excused for not taking the trouble.
I sure wouldn't want to pay a sysadmin who allowed things on the network without knowing what they did.
(I use Skype at home but I'm not risking someone else's network by doing so).
We're putting new cover sheets on all of our TPS reports now before they go out, didn't you get that memo?
Mass hysteria arises as workers realize they can no longer access the internet. Workers walk out in protest, Wall Street numbers plunge, productivity suffers huge shortfall.
News at 11.
Well, I can see why they would do this, but saying "I'm banning X software because I don't know what it does" really means "I'm banning X software because I'm too stupid and lazy to find out". Usually most companies have a policy where you can at least recommend that a software be "unblocked" and provide reasons to justify it. However, in the end, it will always come down to productivity.
At work, they block a bunch of ports. I would simply set up SSH tunnels through the HTTP proxy to my server back home, and then run stuff through there. A good way to get through the firewall. However, your average JoeUser or even decently computer literate user may not know that much about SSH tunnels. I let my friends (who work at the same place) use my server for ssh tunnels - I just give them very limited accounts on my FreeBSD machine that they can only use for tunneling. This could be a niche that can be exploited. You could perhaps provide a tunneling service similar to an anonymizing proxy on the internet, for a nominal fee.
I like
TFA makes it seem like GE has just started blocking IM and external email systems. But in the GE division where I have been contracting it has been like that for at least the last 5 years.
And I can understand why. By only allowing communications through official channels, the companies can better protect themselves by doing such things as applying corporate-wide virus checking on emails. It also provides a log as to what communications occurred when. Though I do admit that flash drives and take-home laptops can easily bypass any of these measures.
One downside to this is that the corporate policies also block VPN access, so I cannot get to my office's servers while at the GE location.
One amusing anecdote relating to this is that where I work there is an analog phone line kept for the times when you really need to dial up a system. One lunch time I was using it to send some private email and also to chat with some friends (MSN Messenger, I think). When I was done I just picked my laptop up and walked back to my desk and plugged into the corporate LAN without powering down. I was surprised when 20 minutes later one of my friends initiated a chat session with me. After the shock of chatting from my desk wore off, I realised that the chat program used two separate protocols/ports: one for logging into the chat system, and another for the actual chatting. The corporate IT people had only blocked one system and not the other, perhaps in the belief that that was all that was necessary. Combined with the chat system not timing out during the walk back to my desk, I had effectively bypassed their strong security.
This is what happens when the boss is a technological moron. He doesn't know a thing so he bans everything because of FEAR.
Instead, he should appoint a security expert, who in turn would take measures to protect the security of the company. Just switching to an alternate internet browser would rid them of tons of viruses.
I was stuck in a hotel all weekend and wanted to talk to my wife, so I installed it, and within 5 minutes I got a call from security saying that my machine was scanning the network. It was Skype trying to find a way out.
When I got back to work on Monday, my Thinkpad was taken away and reformatted, and handed back to me -- without local admin privileges.
Now I work for a University. It's a whole other world.
Users have proven themselves to be untrustworthy.
:P
Like this guy?
And for all of you people whining about your company not trusting you, they shouldn't. You shouldn't trust them either. I expect both parties to take advantage of each other to the fullest extent allowable by law. Where I come from they call that "business".
Note, he is not saying that he doesn't know what Skype is; he is saying that he doesn't know what it does. That's fair enough; I've read a fair number of accounts by people who have attempted to work out exactly what Skype is up to on their networks, and very few people outside of Skype know exactly what Skype does.
It uses a proprietary closed protocol, nicely encrypted; is adept at getting through firewalls; and, most important, can turn office PCs into high-traffic relays without warning and without the ability to stop the relaying behaviour from the client.
In related news, the submitter conflates the Internet and the Web. Which is pretty annoying.
Some companies see giving employees small perks as part of keeping a happy and productive work force... can anyone remember the stories of the environment at EA? Now, we have tin foil hat stories about companies that give their employees pens and paper, but warn them to only write in block letters because anything else is a waste of company resources, or could lead to dangerous events in the file cabinets.
Ummm, perhaps it's just me, but it is about fscking time that both government and businesses learn the lessons that have been sitting in front of them since about 1991... computers are here to stay, and the advantages and disadvantages of computers are here to stay too.... It's not that hard to limit outside network connections to a specific bandwidth, or monitor all packets in and out... this is not rocket science. Using draconian measures to squeeze every drop out of the company resources is not good for business... see Boycott, Company Stores et al, slavery,
I guess my point is that anything that stifles free and unfettered flow of information and ideas is going to stifle business productivity and innovation. I don't have links, but I thought this was pretty much already scientifically proven... or at least proven in the advent of F/OSS and what it has done to the computer and software markets. Just as the *AA needs to wake up and find a new business model, most of the rest of the business world has some work to do... it's just common sense. Anything else usually involves putting holes in your feet with lead-laden projectiles.
I completely agree in that situation. I did the majority of my Everquest gaming while working help desk. There's just not nearly as much concern about security in those situations. At least doing tech support for a university there wasn't much to worry about. When you work an entire Saturday shift (12 hours) with only one call (wrong number), there's gotta be some "gimme".
But when you've got a job that can and does take up all 8 hours of the day, it should be devoted to that. I'm all about the occasional /. break, obviously, since I'm posting right now, but added distractions like checking all 10 email addresses, responding to your cybering friend on AIM, while downloading a cracked game doesn't really help get the work done.
In many places I've worked, MP3 files are blocked at the firewall, but Ogg files are let through. http://www.mvine.com/ streams Ogg music direct to your desktop. And it's free.
Here is my take on what is happening. As network management tools become easier to use and more widely deployed, more and more people are starting to have a real understanding of their management and business networks. It used to be that the network engineers might or might not have a good idea about what kinds of traffic were flowing where. Now, a middle manager with only the most basic idea of how networks work can log into a Web interface and see what programs are being run by what people, connecting to what sites. As a result, they are more prone to hand down policy decisions based upon this new information.
At the same time, the workplace has become much more mercenary. Companies don't take care of their employees and employees just want to milk companies for as much as possible. No one trusts anyone. Managers want to get as much work out of their hirelings as possible and many don't care about the health, stress, happiness, etc. of those employees. In sociological terms, they are imposing physical barriers in an attempt to replace crumbling social ones. The problem for them, is they are usually way behind the technology curve. An employee who wants to play hardball can probably raid the company for all the info they want and carry it out on their cellphone or iPod. It's like moving from an honor system where captured soldiers swear they will stay until ransomed, to a military jail with as many bars as possible, except the prison is designed by a bureaucratic committee, each member of which is just trying to make as much money off of kickbacks and saved funds as possible. Time will tell which is more effective.
This is so overblown, I have absolutely no problems accessing Slashdot at wor[CONNECTION TERMINATED]
"Locking down" machines, which usually means preventing users from installing or running software that the admin hasn't "approved" is far more likely to reduce productivity than anything else. I can't tell you how many times I've been frustrated by the admins who have the idea that they know better than I do what tools I need to do my job... In fact, it's something that I ask non-manager employees when I interview: "Do you have admin privileges on your box" (working in software, I usually get a sensible response).
Listen, all you genius admins, I don't tell you what firewall software to use, you don't tell me what file conversion software I need to get the Windows line breaks out of text files, OK? I don't care what you're using for an anti-virus tool, and I don't expect you to know about my use of FrameScript to automate FrameMaker. The MicroType FM extensions make me about 10% more efficient in my work, and if I can't download and install them, I'll see if we can't backcharge IT for that extra hour a day.
A sensible policy is that "unapproved" applications are unsupported. This means that if something I install causes problems, I have to resolve them or have my box re-imaged. I'm fine with that. Don't "lock down" my machine, prevent me from doing my job efficiently, and then crow about how you've saved the company money.
"Why should skype be any different?"
Because we're geeks and we like our technology unquestioned.
What I find fascinating is that in America these days people think that being an employee means you're a serf or slave, with your own identity/rights/privacy/humanity suspended during working hours, as though you suddenly cease to have a family or civic/religious obligations. In actual fact, if people are unable to perform at least minimal maintenance of those outside obligations during the day, then society and business break down even quicker than not. Because if you can't tell the delivery man to leave the package with the building superintendent, then you have to take a whole day off to receive a package and the business loses your work for the whole day instead of the 10 minutes you need to place the call.
"IT: Security Fears Prod Firms to Limit Staff Web Use"
Who else read that as "IT Security fears that product firms are to limit staff web use"? Meaning that vendors won't be Web-savvy any more? That their products will cut off from the Web the staff the IT Security team supports? Whichever, it's hard to see IT Security being afraid, rather than vindicated, at that news.
At my workplace, you are allowed to install any software you like on your workstation ..... as long as the IT department have seen the source code.
..... we probably are the exception rather than the rule.
But then, we do have a company policy actually preferring manual methods over closed-source software.
They allow Word, right? Even though its macro capability forms a known vector for viruses.
It sounds more like the "global head of strategy and engineering" is an MBA suit who has very little exposure to the technology he oversees.
Is it just my observation, or are there way too many stupid people in the world?
in the same way that MS Word is essentially a macro virus platform, but could also be used as a word processor.
Internet access at the places I've worked has been filtered to some degree since the early 90's. It just makes sense: you're in a business, not your living room. The systems and resources are intended for business use. If your employer decides to allow a certain amount of personal use as well (and the smart employers do), they still need to manage that since it introduces risk into the environment.
Who is reading this at work right now when they should be doing something else??
can help with a lot of these situations. I used to work for a company that had an overly restrictive proxy server that all employees passed through for accessing the internet. When the company blocked email sites like Hotmail, Gmail etc. I got fed up. I run my own domain on my own server at home. So I loaded CGIProxy and through my own webserver was allowed to access any site that the proxy didn't like. Since my server ran https and the URLs are scrambled via CGIProxy, the company's proxy server had no idea what sites I was accessing. My domain was never banned or blocked.
Let's get Jerry on the horn asap!
What would Jerry do?
What everyone here is missing, from what I was able to read, is that for some strange reason employees feel they have some innate rights/entitlements to company-owned resources. This simply is not the case. People are paid to do work, not engage in a social event, regardless of what it is. This is no different from limiting phone use to business-only calls, or preventing people from making copies for non-business-related items. There is no difference. But, as the computer culture and pervasiveness of instant gratification continue to expand, people believe that the computer is exempt from these long-standing ideas. Your work time is for work. Your social time is for other things, and use of any equipment or resources, regardless of what it is, lies solely with the policy and discretion of the employer.
The "I can do X on my home computer" argument does not work, nor should it be allowed to work as some catchall for enabling and allowing those uses in the workplace. I have a saw at home. If I worked as a carpenter that doesn't give me the right, nor the expectation, to use a company-provided saw as my own to work on personal projects. Try that on a job site and watch yourself get fired in no time flat. You're at work... work. If your employer allows you to use company resources for other things, count yourself fortunate and be happy with what you can do while getting paid.
Dang! Complaints about no Skype at work? I have yet to work for any corporation that thinks there is "business value" in instant messaging. Actually, as far as that goes, Wi-Fi is still off limits at work.
If you want internet freedom at work, bring your home laptop to work and use one of the high-speed cell networks.
If you are a IT guy who gets a thrill out of locking down the computers so that the equipment is used for "work" only, then I want you to start monitoring all of my phone calls for personal use too.
There are two types of systems: secure and insecure. If they are secure against viruses and attacks, they won't get them regardless if it is work-related or not. It's just a way for admins to get out of doing their jobs. It's like running DOS 6 and DOS apps all around and not networking so you can't get viruses.
'I'm not allowing Skype because I don't know what it does.'
My mortgage was recently sold to ABN. Based on their website and online payment functionality, this comment doesn't surprise me.
As for what to allow users to do, that's changed as well. Years ago the network access was a perk of the job. But that has been cut back over time. When a user's home directory is filled with a Gig of mp3s we have to quota or monitor disk usage.
For one company, when setting up spam filters we had a lot of "false positives" in that people had genuinely subscribed to lists with daily horoscopes or the latest buzz from the music scene or special deals on travel or the like. When faced with such things, it is hard to figure out what the user genuinely subscribed to or not. The boss (correctly in my view) said to treat those neither as "false positives" nor as "true positives". That is, I should make no special effort to block those, but if I do block them, that is perfectly OK.
We can and do scan for malware that comes into the mailserver, but unless I set up an IMAP and POP proxy there is little I can do about malware that enters our network through those means. Having most desktops running Linux and absolutely banning Outhouse on the few MS machines helps. But if that were not an option, I'd think that blocking or proxying IMAP/POP is an option worth considering.
The simple fact of the matter is that "default deny" really is the security model companies should be moving toward. If it means that network access is no longer the perk it once was, then business will have to find other ways to keep their employees happy.
I'm one of the head network honchos at a Very Large Company... things like AIM, MSN Messenger, Skype, Limewire and BitTorrent are all banned and blocked. We monitor our employee web usage and block just about every outbound network port except for 80 and 443. Why? Because even though we know what Skype is, our policy forbids users from installing software that we don't provide. We certainly don't want users utilizing our 100Mbps lines for downloading pr0n, MP3s and warez. We don't want support calls from users who have bolloxed up their machines by installing $UNAPPROVED_SOFTWARE_PACKAGE, diverting valuable resources to try to fix this. We don't want the worms, viruses, spyware and other crap that comes with some of these packages. Every employee that uses a computer reads and signs our usage agreement, so they know what we expect from them. Some of them try, and some get to see the man when they do.
Because of all the attack vectors, we have to spend many tens of thousands of dollars on antivirus, monitoring software, desktop security agents, intrusion detection, firewalls and what have you...
Things like SOX and HIPAA make it extremely hard for us to "just let users be". We can't allow unmanaged VoIP or instant messaging. FTP? Blocked. SSH? Blocked. Our data could easily walk out of here, which is why on top of the layer 3 blocks, we block USB access as well. Our users are given the tools they need to get their jobs done. And if data can walk out of here, there is certainly the possibility that something nasty could come in. We'd rather not have to deal with that possibility, so we make sure we don't have to.
It's the company's network; they can dictate how it's used. Don't like it? Don't use our network. Go home, do whatever you want on your equipment, but when you're in my house, it's my rules.
"has very little exposure to the technology he oversees."
It's technology he's not overseeing... that's the entire reason why it's getting restricted in the first place. Seems plenty logical to me. I'm impressed by both your hypothetical boss's fashion sense and the fact that he's more sensible, apparently, than his employees.
"The guy who spends all day browing google video will eventually get discovered when his productivity tanks. "
The problem that affects everyone is the space between 0 and "eventually". Eliminate the temptation and "eventually" is no longer an issue.
The "backcharging IT" thing was meant to be TIC, but that obviously didn't come across. :o) Forgot my emoticon--sorry.
There's a fundamental disconnect between what (some) IT departments think is their job and what the rest of us believe is the function of IT. My view, which I don't think is unreasonable, is that the IT department has the job of helping support the rest of the company. That means helping ensure that the sales guy's laptop is virus free so he can sell product, keeping the network infrastructure running so the support folks can access the CRM software, and maintaining the servers that contain our documentation, for example. That also means allowing me to do what I need to do to get my job done efficiently, with a minimum of hassle.
IT is supposed to be a service organization. There are some IT departments I've had experience with where the admins acted like they're doing a huge personal favor by coming out of their cubes and doing the job they're paid to do. I hear your frustration ("...repeatedly reimage systems ...like 100 times...") and I understand that when a bonehead does the same thing over and over expecting different results, it can be maddening. But I think your point of a policy underscores my original post, which is that you have a policy that says that unsupported software is not supported by IT. Maybe there's a policy that says that if your box needs reimaging more than once every two months, IT charges your department. Beyond that, it's IT's job to help the rest of the company be productive.
By the way, I have a really good relationship with the IT department here. Sometimes I stop by just to give them a hard time, and they always give me the tools I need to do my job (they hand out KVMs and hubs like candy). I think they're willing to be helpful because I don't ask for support very often (maybe once or twice a year) and I've always done my homework before I ask.
I agree that VMs are a good solution, which I'd like to see implemented more... and not just because I work for the big name in VMs.
I guess to summarize, there are two sides to this and both sides should try to see things from the other side's perspective (or is that too rational for /. ?) :-)
because I don't know what they do :)
Too bad most places find it easier to have a blanket policy than something rational like you suggest. Balance is key, but it is certainly difficult to find that point between security and flexibility that makes everyone happy (or everyone equally unhappy?)
:-)
I can see IT's side of things. I just wish more admins took the time to see things from the other point of view. I wonder how many IT guys have the same restrictions on the boxes they use on a daily basis as they place on their users?
Anyway, thanks for the sensible, on-topic response. Don't see too many of those around here.
And as I said in response to another post, it's too bad it's easier to have a blanket policy than something more rational.
I know it's impossible, but it would be nice if there was a way to figure out what level of permissions to give a particular user... is that too much like a license to operate a computer? :-)
If you score 100-90% you get admin rights. 70-90%, you get a user account. 50-70% you get a restricted account in a virtual machine. Less than 50%, an etch-a-sketch. :-)
Why should you not block Skype?
For the same reason you let Sales and Marketing have most of their lunch on the Company credit cards.
Because you trust they will not abuse it.
Because it's part of the perks that go with the job.
If you can't trust them, why would you want them to work for you in the first place?
Of course trust has its limits, that's why credit cards have limits too, and probably an open network policy should have its limits too. But gosh, setting up your IT like a High Security Prison, that's a bit too much...
People are allowed to use *SKYPE* at WORK?
Our PCs are so locked down that I can't install anything (not admin on my own PC). The only way I get to use Firefox is "illegally" in portable form.
I can't even look at gaming websites because Websense blocks them.
In fact, I'm surprised I can even post to /.
Anyone out there who feels indignant about not being able to use skype needs to stfu.
That said, I do think they are far too restrictive here. Why can't I read about CS or UT2K4 at lunch? There is a place to draw the line (i.e. porn should NOT be allowed), but I disagree with where it's been drawn here. It's kind of ironic, actually. I can shop till I drop on the web, but can't see one game review. That logic makes no sense to me, but so it is.
I liked your original statement better. You must have creative fingertips! 8-))
The lazy man's way to admin. Take the lockdown approach and don't let anything happen. End result: a constant battle that you as the admin can NEVER win. You can't lock down the computer tight enough to make yourself happy and allow me to do work. Period. I've got to get my work done and if you are in the way of me keeping my job. Pow. You lose big time.
I've grown especially weary of id10T's like the one from ABN. "I don't allow Skype because I don't know what it does." Well dumbass. The blackhats are nowhere near as lazy as you are. They do know the ins and outs of every piece of software you use. Unlike you they are willing to get up off their asses and put some effort into RTFM. They poke, they prod, and they know that there is a 50-50 chance that your passwords for the entire network are written under your keyboard.
Stop using passwords and move to pass phrases with ssh; phrases are easier for humans to memorize and harder for john the ripper and its clones to guess. Start asking your users "What do you need to work" and then taking the time to grab a copy. Audit it and put that copy in a place where your users can grab it instead of one off of the net. (They will like it because it will be a lot faster and easier.) Start actually reading all of the security newsletters you subscribe to. Better yet, subscribe to some of the newsletters the black hats use. Get off your butts and do your friggin jobs, for chrissakes!
If your only answer to protecting your net is to lock it down anally tight, then you need to change careers. IMHO you are not capable of admining a network in the 21st century. If you are complaining that the boss won't let you, then find another career field, because you lack the basic social skills needed to learn how to convince and persuade your co-workers and move your organization forward.
Sorry, but if the job's too big for you, find a new job. BTW I maintain about 250 desktops and a small (100 systems) data center along with 3 others. All software installs done by the user come from an audited in-house repository. We have a system for requesting software to be added. When something is rejected the requester is informed of exactly why it's rejected and we work with them if this inhibits their work flow. I treat my customers (the users of the systems) as if they are intelligent. In response they have started to act intelligently. Funny how that works. Now 2 years and counting without a break-in or virus attack. Oh yes, one thing: except for the people doing our website, IE is currently verboten. Opera and Firefox and lynx are not.
I'm sorry, I'm too tired to be witty at the moment so this message will have to do.
Like many corporates, we run internal AV and it's very interesting to note that the only viruses that have made it past our corporate filters in the last three years came in through one of two routes:
* POP3 / IMAP personal email
* Web-based email services
I know it sounds mean and cruel, but these are now blocked by rule at our business...after all, which is more important: checking your Hotmail, or maintaining secure systems...?
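The post above names two routes that carried every virus past its filters: POP3/IMAP personal mail and web-based mail. Before (or instead of) blocking them outright, a defender usually wants to know how much of that traffic exists and from which desktops. The script below is an added example, not code from the thread or from any poster; it runs over a handful of constructed firewall/proxy log lines and flags connections on the two routes, treating one assumed corporate mail host (mail.corp.example) as the only legitimate POP3/IMAP destination and one assumed webmail domain (webmail-provider.example) as personal webmail. The log format, hostnames and addresses are all invented for the example.

```python
# Added example (not from the thread): flag the two mail routes the post
# names, POP3/IMAP to outside hosts and web-based mail, in egress logs.
import re
from dataclasses import dataclass

# Constructed sample firewall/proxy log lines; none of this is real traffic.
LOG = """\
2006-03-01T09:12:01 src=10.1.4.22 dst=mail.corp.example port=143 proto=tcp action=allow
2006-03-01T09:12:09 src=10.1.4.22 dst=pop.personal-isp.example port=110 proto=tcp action=allow
2006-03-01T09:13:44 src=10.1.4.31 dst=imap.personal-isp.example port=993 proto=tcp action=allow
2006-03-01T09:14:02 src=10.1.4.31 host=mail.webmail-provider.example url=/inbox proto=http action=allow
2006-03-01T09:15:10 src=10.1.4.40 dst=www.vendor.example port=443 proto=tcp action=allow
2006-03-01T09:16:55 src=10.1.4.22 host=wiki.corp.example url=/page proto=http action=allow
"""

CORP_MAIL_HOSTS = {"mail.corp.example"}          # assumed: the only sanctioned mail server
MAIL_PORTS = {110: "POP3", 143: "IMAP", 993: "IMAPS", 995: "POP3S"}
WEBMAIL_DOMAINS = {"webmail-provider.example"}   # assumed: known personal webmail domains


@dataclass
class Finding:
    ts: str
    src: str
    route: str      # "POP3/IMAP" or "webmail"
    detail: str


KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split a 'timestamp key=value ...' line into (timestamp, dict of fields)."""
    ts, rest = line.split(" ", 1)
    return ts, dict(KV.findall(rest))


def classify(line):
    """Return a Finding if the line is one of the two personal-mail routes, else None."""
    ts, f = parse_line(line)
    # Route 1: a mail-protocol port to anything other than the corporate mail host.
    if "port" in f:
        port = int(f["port"])
        host = f.get("dst", "")
        if port in MAIL_PORTS and host not in CORP_MAIL_HOSTS:
            return Finding(ts, f["src"], "POP3/IMAP", f"{MAIL_PORTS[port]} to {host}")
    # Route 2: an HTTP request whose Host header is a known webmail domain (or a subdomain).
    if f.get("proto") == "http":
        host = f.get("host", "")
        if any(host == d or host.endswith("." + d) for d in WEBMAIL_DOMAINS):
            return Finding(ts, f["src"], "webmail", host)
    return None


def scan(log_text):
    """Run classify() over every non-empty line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = classify(line)
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings):
    """Count findings per route, which is what a policy discussion usually starts from."""
    by_route = {}
    for finding in findings:
        by_route[finding.route] = by_route.get(finding.route, 0) + 1
    return by_route


if __name__ == "__main__":
    results = scan(LOG)
    for finding in results:
        print(finding)
    print(summarize(results))
```

Corporate IMAP (line 1) and ordinary HTTPS (line 5) are left alone; the two ISP mailbox connections and the webmail session are flagged, which gives a per-route count to weigh against the block-by-rule decision the post describes. On a real proxy the Host/URL fields will differ, and the webmail list has to be maintained, so the domain set is deliberately the one thing the script expects you to replace.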
Typically, when they hand down draconian policies as to what is/isn't allowed, they also slavishly apply them to everything. When something new is needed for software, it's nigh impossible to get someone to sign off on it because of overall inertia. I've had to jump through flaming hoops to get things approved at prior employers- even though the tool was something we needed to improve productivity. Since it wasn't something that the IT people had to deal with, they just couldn't see why it was needed and couldn't be bothered with legitimate proof thereof.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Bah!
I come from the same ideology as you, but after doing this type of work for 10 years plus, I am afraid I have changed my stance.
It is not the amount of years which has jaded me from my previously much more open policy, but rather the out and out war being waged for control of end-users' PCs and the change from more of a naughty boy type hacking to one where there is real crime more and more often being the motivation.
On my current network with 4500+ end users, we lock everything down real tight. No local admin privs, a default deny policy, and if you feel you have a reason to need a port opened, you had better be willing to pitch your cause all the way up the chain of command (I have no problem with granting such things, but it is my ass that gets chewed out/looks bad when an incident occurs which I am being paid to prevent, so I want everyone in the chain to sign off as well).
And it is not just the overt things occurring, I think the rootkits are perhaps the most frightening, if they are well written, they could tunnel through an http proxy no problem, and likely transmit data through already open channels, and if not abused, they could go undetected for quite a long time (maybe years). I think it is incumbent on any security professional to be as vigilant as possible, as it is not just the end-users we are protecting, it is the customer, and partners data, and they deserve to have their personal data not be stolen.
Not Carl Bialik!!
(Hi Shawn, nice story)
Hilarious and frighteningly accurate at the same time- thanks for the day brightening humor there!
is this: which is more expensive to your employer: a) your re-imaging plus the developer's downtime, or b) the time the developer wastes not being able to install software? In this case, probably a. But I'd argue that in some cases (mine, obviously :-> ) the time I save is worth the potential risk that an admin might have to re-image my box. Since I only ask for IT help once or twice a year, it seems like this is working out fine--in my particular case, anyway.
If you think about it, a discerning user is just as frustrated by being hobbled from making efficient use of his PC as an admin is by constant support of some guy getting his box owned. I know it goes against the zeitgeist, but it helps if you don't assume the worst about a different point of view. Heck, it can even help you to deal with stress if you try to see things from the other guy's perspective. I'm trying to.
From a rational/financial view, it's definitely complicated. There are larger risks (risk to the network outside of Joe's or Suzy's box) that have to be accounted for. I know that some IT folks assume that their time is more expensive than anyone else's (which isn't always the case) and of course they find doing something repetitive (re-imaging a machine) annoying. I can appreciate the idea that fixing the same problem multiple times is frustrating. Heck, it can make me bonkers when a developer reintroduces the same grammar mistake into an error message three times. But isn't that (fixing a problem) part of what I'm getting paid to do? And isn't fixing IT problems what IT staff gets paid to do?
If your company isn't using a browser other than IE, please let me know who you work for. I want to be extra careful with any of your products before I consider them for use.
Mmm, mmm mmm.
Unless you're being willfully dense because it makes insulting someone easier, it's clear that ABN Amro is not literally unaware of what Skype does or how it works. The guy in charge of keeping the network running just chose an unpretentious way of saying that he's proceeding with caution in a business where a lot of people's money is at stake and the main benefit seems to be employee enjoyment.
I worked for ABN Amro as a Server Admin until recently. The security guys in the UK and global Tech Risk Management departments were and still are extremely anal about security. However I usually agreed with them one hundred percent. Any outage caused by any form of malware causes major league losses for financial companies. VoIP, messaging, freemail and IM are all good fun until every user in the building starts to use them and your whole network collapses in a heap. Or worse, a major security flaw gets discovered in a product like Skype. A big corporate network might have hundreds or thousands of unmanaged installs of Skype floating about. This constitutes a major headache for administrators, like me, who spend enough weekends patching stuff as it is. In addition there is the law of unintended consequences to consider. Take iTunes, a harmless fun application that all users should be able to enjoy. Nope. iTunes has a wonderful tendency to store all downloaded music in the My Documents\My Music folder on every user's profile. As soon as that user logs off, the entire contents of the user's roaming profile including the My Documents\My Music folder gets copied to the network file store. I recently saw all the free space on a multi-terabyte file store vanish in the space of a morning because of iTunes. Harmless. Yeah right. We now have a complete ban on iTunes for all staff, enforced by Group Policy restrictions.
SHIT, years ago I suggested to at least one IT department in which I worked that kiosks could be set up. Bolt/lock down the e-mail to company use ONLY, and set it to internal use only. Anything else can be done on an exposed kiosk-like PC. People will just have to discipline themselves to not waste time lining up more than once every 2 hours.
As much as I think it's NICE to be able to check our e-mail when we WANT, it's not a smart thing to have everybody's computer exposed to the increasingly dangerous nodes and zombies lurking on the Net.
Same goes for surfing. Need to check something? Go to the kiosk machine. A LOT of people (myself included) get *sucked* into the "fucking Internet" 2-3 times longer than we really would like because "one thing leads to another" somehow manages to kick in. It doesn't HELP that IT departments and managers who monitor don't say something sooner for some people. A meter or indicator could help a lot of people judiciously manage their habit or addiction to information. Hunt for your pages, then DOWNLOAD them, and then GET OFF, like in the days when surfing COST.
Unfortunately, for a lot of marketing types, it might be very painful to have millions upon millions of typical "surf drones" change their habits to slurp-and-download-to-read-later and then get OFF the Net from being a duped and dazzled click-monkey. I suppose a new form of bot-bugging will get written for that kind of surfing, though.
Alternatively, people can buy cell phones or if they are lucky enough to work in a city-funded municipal Wi-Fi zone, then they can (if permitted by employer) fire up their laptop in the company breakroom (where they're less likely to risk being caught illicitly transporting company documents while they pretend to) surf or check their e-mail on their break time.
(In some parts of this I assume that your work site is not a Faraday cage and that your employer or other external sources are not jamming or scrambling portions of the EM spectrum intentionally or as a byproduct of running heavy or powerful electronic machinery.)
Maybe that'll start showing up in company quarterly reports... how "productivity measures improved and reflect better employee attention, output, and increased return on investment..."
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
> Now I work for a University. It's a whole other world. ;)
More freedom. More time. and a lot less money
no taxation without representation!
I agree that it may be inconvenient to prevent users from installing whatever they want.
I also understand that business needs must be balanced against business risk.
If I have a company where the worst thing that can happen if my computers are compromised is I need to have my 6 employees re-install and it costs me a 1/2 day but doesn't impact my business. I can accept that risk.
If I am at a company where tens-of-thousands of employees use computers to handle confidential information for their customers, I need to operate at a higher standard and take steps to make sure that the policies & processes that exist provide protection for that data (That's called trust, not the "oohh -- my big bad employer won't let me install my favorite thingy -- they don't trust me" crap that is often used to rationalize employees who think they have the right to do whatever they want with company resources).
Believe me, I understand how "cool" it is to play with the latest technology. Do it on your own systems!
I applaud the company that takes its responsibility to its customers *and* employees seriously and looks at all aspects of a new technology before allowing into their environment.
"2 years and counting without a break-in or virus attack"
read: "la-la-la I'm not *listening*"
Bulls**t!!
Boy am I glad I don't work on *your* network...
bloody ostrich