Slashdot Mirror
Security Fears Prod Firms to Limit Staff Web Use
Carl Bialik from WSJ writes "Companies are limiting employees' use of free Internet services, such as Skype and video downloading, to protect themselves from viruses, communications traffic jams and regulatory missteps, the Wall Street Journal reports. ABN Amro's global head of strategy and engineering tells the WSJ, 'I'm not allowing Skype because I don't know what it does.' Some colleges and departments at Cambridge University also ban Skype. The limits affect executives as well as the rank-and-file, the WSJ finds: ' "I used to think nothing of checking my Yahoo mail several times a day," says Global Crossing Chief Marketing Officer Anthony Christie. Now that he can't, his long workday makes it hard to avoid using his work email account for personal messages, he says.'"
What's next? Complaining that you can't use company funds to go on a vacation? Complaining that you can't use company computers to play games?
This guy should write legal policy in Burma: ... tells the WSJ, 'I'm not allowing Skype because I don't know what it does.'
I mean, just, wow. And here I thought that the "anything I don't understand must be bad" school of management was going out of style.
"I used to think nothing of checking my Yahoo mail several times a day," says Global Crossing Chief Marketing Officer Anthony Christie. Now that he can't, his long workday makes it hard to avoid using his work email account for personal messages, he says.
Sometimes I wonder if this is exactly what companies *want*. They don't want people to use outside e-mail (especially ones running over https) because then they can't easily monitor what their staff is doing.
If people are using their work e-mail for their personal use, the company gets to see exactly what, where, how, and when their employees are spending their own time. If the employee opts to not use their work e-mail for anything personal, the company knows that they now have the other added benefit of possible added productivity.
I'm just glad I can use SSH and tunnel everything over that. If I can't do that, I have GPRS service on my mobile device and I *could* use that for AIM, e-mail, and browsing instead.
Dear employee,
We hope you enjoy working here. Please work hard and do some great work for us!
Thanks,
Your employer.
P.S. WE DON'T TRUST YOU.
I'm not allowing X because I don't know what it does does not necessarily equate to X is bad
Banning an unknown service from a network is the more sensible default decision for a corporate network to take. Firewalls should block everything by default, corporate desktops should stop installations of anything not checked and cleared. Why should skype be any different?
As long as it's not against company policy, you could try using SSH tunneling to hit a proxy at home. It might be a lot slower, but you can go anywhere. I've been using one written in Python for six months and haven't had a hitch.
Colin Dean Go a year without DRM
I've always prevented my users from downloading *any* program from the internet. There are a multitude of reasons: spyware, bandwidth issues, etc. I just think it makes good sense to limit the crud that can be put on machines. I don't have to wonder if the problem a user is having is due to something they downloaded. Being Healthcare, I'm also bound by HIPAA. My interpretation of it is what I just mentioned above. It actually gets me in a frizzle (word?) when I see the junk my father's company allows them to put on their machines. They aren't healthcare, but I would think the hassle of tech support would be magnified many times over...
I just started as IT manager for a small advertising agency. The systems were wide open before and it seems like every machine has Limewire, skype, five different IM programs... and lots and lots of problems.
When these items cause problems that reduce productivity they have to go. It's that simple.
Due to unrestrained (and uninformed) users I now have to go over all 50 machines with a fine-tooth comb to scrub off the bad stuff. Several of these machines are probably going to have to be wiped. This is 100% due to user loaded "personal" software.
As I fix each machine they are getting locked down. I've been directed by management to prevent users from pirating music on company machines or using filesharing to share pirated music. I don't see anything unreasonable at all about that.
Any app that is well-behaved and does not expose the company to liability is fine with me. Otherwise it has to go.
If your employees only need particular websites and particular applications to do their jobs, then why would you willingly open up additional attack vectors? It's a completely unnecessary business risk.
If you have employees complaining about needing to use personal email (what did they do before email in the workplace was common?), then simply set up a shared cheap PC in the coffee room for them to use on their lunch break. Firewall it off so that when all the inevitable crap gets onto the machine, it doesn't affect any important systems.
Bogtha Bogtha Bogtha
As a consultant based overseas, using my client's corporate internet for Skype actually SAVES them a fortune. They would normally pay for the POTS international phone calls we make (VERY $$$$$), but the fact that they allow Skype means that we make all of our calls Skype-Skype without it costing them (or us) anything in call costs. Bandwidth charges are negligible in comparison.
If firms continue to be ignorant about new or alternative technologies then they will continue to be left behind. These savings can be significant over the long term, financially as well as productivity wise. Companies in the future will be split into two categories - those that embrace new technology and those that struggle under malinformed regimes run by beaurocrats who prefer the trusted path, the path of least resistance, over the newer, technologically superior one. I've seen this too many times than I'd care to remember.
The banning of Skype at some departments and colleges at Cambridge comes as no surprise to me.
I was at Cambridge during the late 90's-early Noughties, and I seem to recall a number of stern warnings to students about bandwidth usage from both College and University computing authorities. One of them even included a plea to use European or British mirrors as much as possible.
The shame is that while the Cambridge University Data Network had bandwidth to burn within Cambridge, it seems that the trouble was always further upstream on JANET.
Things got so bad that there were rumours at the time that the poorer colleges were going to start charging their students for bandwidth. I never heard anything of it, and it didn't stop the proliferation of p2p (both in the form of Napster and samba shares) in my time there.
I expect a few hundred flames of this statement, but it's a rock-solid security policy. Yes, this guy probably "should" know what Skype is in most people's opinions, but his default "deny" policy for anything he doesn't know is correct, and that attitude WILL prevent trouble. On a corporate network, especially one potentially carrying any kind of sensitive data, anything not specifically allowed should be denied. If employees can make a case about what any new service is and why they need it, it can be evaluated and perhaps allowed, but it should be denied by default.
-- http://frobnosticate.com
Skype is closed source, the binary is full of obfuscation, and you can't examine the network traffic. "Trust but verify" is replaced by "trust".
You could use Filemon to make sure Skype's not reading your disk, and other tools to check whether it's keylogging, but a busy paranoid could be excused for not taking the trouble.
I sure wouldn't want to pay a sysadmin who allowed things on the network without knowing what they did.
(I use Skype at home but I'm not risking someone else's network by doing so).
TFA makes it seem like GE has just started blocking IM and external email systems. But in the GE division where I have been contracting it has been like that for at least the last 5 years.
And I can understand why. By only allowing communications through official chanels, the companies can better protect themselves by doing such things as applying corporate wide virus checking on emails. It also provides a log as to what communications occurred when. Though I do admit that flash drives and take home laptops can easily bypass any of these measures.
One downside to this is that the corporate policies also block VPN accesses, so I can not get to my offices servers while at the GE location.
One amusing anecdote relating to this is that where I work there is an analog phone line kept for the times when you really need to dial up a system. One lunch time I was using it to send some private email and also to chat with some friends (MSN messenger I think). When I was done I just picked my laptop up and walked back to my desk and plugged into the corporate lan without powering down. I was surprised when 20 minutes later one of my friends initiated a chat session with me. After the shock of chatting from my desk wore off, I realised that the chat program used two separate protocols/ports: 1 for logging into the chat system, and another for the actual chatting. The corporate IT people had only blocked one system and not the other, perhaps in the belief that that was all that was necessary. Combined with the chat system not timing out during the walk back to my desk, I had effectively bypassed their strong security.
I am Slashdot. Are you Slashdot as well?
I was stuck in a hotel all weekend and wanted to talk to my wife, so I installed it, and within 5 minutes I got a call from security saying that my machine was scanning the network. It was Skype trying to find a way out.
When I got back to work on Monday, my Thinkpad was taken away and reformatted, and handed back to me -- without local admin privileges.
Now I work for a University. It's a whole other world.
Users have proven themselves to be untrustworthy.
:P
Like this guy?
Note, he is not saying that he doesn't know what Skype is he is saying that he doesn't know what it does. That's fair enough; I've read a fair number of accounts by people who have attempted to work out exactly what Skype is up to on their networks, and very few people outside of skype know exactly what Skype does.
It uses a proprietary closed protocol, nicely encypted; is adept at getting through firewalls and most important can turn office PCs into high-traffic relays without warning and without the ability to stop the relaying behaviour from the client.
In related news, the submitter conflates the Internet and the Web. Which is pretty annoying.
Some companies see giving employees small perks as part of keeping a happy and productive work force... can anyone remember the stories of the environment at EA? Now, we have tin foil hat stories about companies that give their employees pens and paper, but warn them to only write in block letters because anything else is a waste of company resources, or could lead to dangerous events in the file cabinets.
Ummm, perhaps its just me, but it is about fscking time that both government and businesses learn the lessons that have been sitting in front of them since about 1991... computers are here to stay, and the advantages and disadvantages of computers are here to stay too.... Its not that hard to limit outside network connections to a specific bandwidth, or monitor all packets in and out... this is not rocket science. Using draconian measures to squeeze every drop out of the company resources is not good for business... see Boycott, Company Stores et al, slavery,
I guess my point is that anything that stifles free and unfettered flow of information and ideas is going to stifle business productivity and innovation. I don't have links, but I thought this was pretty much already scientifically proven... or at least proven in the advent of F/OSS and what it has done to the computer and software markets. Just as the *AA needs to wake up and find a new business model, most of the rest of the business world has some work to do... its just common sense. Anything else usually involves putting holes in your feed with lead ladden projectiles.
Support NYCountryLawyer RIAA vs People
In many places I've worked, MP3 files are blocked at the firewall, but Ogg files are let through. http://www.mvine.com/ streams Ogg music direct to your desktop. And it's free.
Here is my take on what is happening. As network management tools become easier to use and more widely deployed, more and more people are starting to have a real understanding of their management and business networks. It used to be that the network engineers might or might not have a good idea about what kinds of traffic were flowing where. Now, a middle manager with only the most basic idea of how networks work can log into a Web interface and see what programs are being run by what people, connecting to what sites. As a result, they are more prone to hand down policy decisions based upon this new information.
At the same time, the workplace has become much more mercenary. Companies don't take care of their employees and employees just want to milk companies for as much as possible. No one trusts anyone. Managers want to get as much work out of their hirelings as possible and many don't care about the health, stress, happiness, etc. of those employees. In sociological terms, they are imposing physical barriers in an attempt to replace crumbling social ones. The problem for them, is they are usually way behind the technology curve. An employee who wants to play hardball can probably raid the company for all the info they want and carry it out on their cellphone or iPod. It's like moving from an honor system where captured soldiers swear they will stay until ransomed, to a military jail with as many bars as possible, except the prison is designed by a bureaucratic committee, each member of which is just trying to make as much money off of kickbacks and saved funds as possible. Time will tell which is more effective.
"Locking down" machines, which usually means preventing users from installing or running software that the admin hasn't "approved" is far more likely to reduce productivity than anything else. I can't tell you how many times I've been frustrated by the admins who have the idea that they know better than I do what tools I need to do my job... In fact, it's something that I ask non-manager employees when I interview: "Do you have admin privileges on your box" (working in software, I usually get a sensible response).
Listen, all you genius admins, I don't tell you what firewall software to use, you don't tell me what file conversion software I need to get the Windows line breaks out of text files, Ok? I don't what you're using for an anti-virus tool, and I don't expect you to know about my use of FrameScript to automate FrameMaker. The MicroType FM extensions make me about 10% more efficient in my work, and if I can't download and install them, I'll see if we can't backcharge IT for that extra hour a day.
A sensible policy is that "unapproved" applications are unsupported. This means that if something I install causes problems, I have to resolve them or have my box re-imaged. I'm fine with that. Don't "lock down" my machine, prevent me from doing my job efficiently, and then crow about how you've saved the company money.
Interested in a Flash-based MAME front end? Visit mame.danzbb.com
I'm one of the head network honchos at a Very Large Company... things like AIM, MSN Messenger, Skype, Limewire and BitTorrent are all banned and blocked. We monitor our employee web usage, block just about every outbound network port except for 80 and 443. Why? Because even though we know why Skype is, our policy forbids users from installing software that we don't provide. We certainly don't want users utilizing our 100Mbps lines for donwloading pr0n, MP3s and warez. We don't want support calls from users who have bolloxed up their machines by installing $UNAPPROVED_SOFTWARE_PACKAGE, diverting valuable resources to try to fix this. We don't want the worms, viruses, spyware and other crap that comes with some of these packages. Every employee that uses a computer reads and signs our usage agreement, so they know what we expect from them. Some of them try, and some get to see the man when they do.
Because of all the attack vectors, we have to spend many tens of thousands of dollars on antivirus, monitoring software, desktop security agents, intrusion detection, firewalls and what have you...
Things like SOX and HIPAA make it extremely hard for us to "just let users be". We can't allow unmanaged VoIP or instant messenging. FTP? Blocked. SSH? Blocked. Our data could easily walk out of here, which is why on top of the layer 3 blocks, we block USB access as well. Our users are given the tools they need to get their jobs done. And if data can walk out of here, there is certainly possiblity that something nasty could come in. We'd rather not have to deal with that possibility, so we make sure we don't have to.
It's the company's network, they can dictate how its used. Don't like it? Don't use our network. Go home, do whatever you want on your equipment, but when you're in my house, it's my rules.
I worked for ABN Amro as a Server Admin until recently. The security guys in the UK and global Tech Risk Management departments were and still are extremely anal about security. However I usually agreed with them one hundred percent. Any outage caused by any form of malware causes major league losses for financial companies. VoIP, messaging, freemail and IM are all good fun until every user in the building starts to use them and your whole network collapses in a heap. Or worse a major security flaw gets discovered in a product like Skype. A big corporate network might have hundreds or thousands of unmanaged installs of Skype floating about. This constitutes a major headache for administrators, like me, who spend enough weekends patching stuff as it is. In addition there is the law of unintended consequences to consider. Take iTunes, a harmless fun application that all users should be able to enjoy. Nope. iTunes has a wonderful tendancy to store all downloaded music in the My Documents\My Music folder on every user's profile. As soon as that user logs off the entire contents of the users roaming profile including the My Documents\My Music folder gets copied to the network file store. I recently saw all the free space on a multi-terabyte file store vanish in the space of a morning becuase of itunes. Harmless. Yeah right. We now have a complete ban on iTunes for all staff, enforced by Group Policy restrictions.