Slashdot Mirror


Sys-Admins Reading the Bosses Mail?

PetManimal writes "Computerworld has an article about IT staff who have access to corner-office email. Systems administrators, database administrators, storage administrators and higher level IT super users are the types who may access sensitive executive information; one source quoted in the article says that in a company with 1,500 employees, there might typically be five to 10 administrators who have this access. As for how many abuse these privileges, it's hard to tell, but rogue admins out for workplace revenge or personal gain can wreak havoc: '... Experts agree that the severity of these occurrences generally makes them more harmful than external attacks. One of the biggest obstacles to eliminating unauthorized access is determining how many people have it. Access lists are particularly difficult to formulate in both mature companies, where the number and power of administrators have expanded over periods of years, and small companies, where rapid growth leads to undocumented tangles of administrators who are able to maintain their access because nobody has time to assess their status.'"

36 of 398 comments

  1. apparently they never read BOFH! by ezh · · Score: 5, Funny
  2. Clearance Control by Shadow+Wrought · · Score: 4, Insightful

    A friend in the Government once told me that after the Pollard spy scandal the Government rethought the way it handled clearances. So now there is a discreet pool of clearances. There's no reason why a company, new, mature, huge, or small shouldn't be able to institute a similar policy in terms of access.

    --
    If brevity is the soul of wit, then how does one explain Twitter?
    1. Re:Clearance Control by qwijibo · · Score: 4, Insightful

      Policies are the problem, not the solution. The policies grant access only to those who have a legitimate business need. The practical problem occurs when you consider system administration to be an annoying fact of life to be relegated to the lowest bidder. The administrator has a legitimate business need to have privileged access to the system. That same access means the administrator can do whatever they want. You can implement more policies to make it harder for someone to abuse their position without collusion, but the reality is that all systems have one or more people that you trust implicitly. The problem is that very few people think of making that trust explicit and well known to everyone who relies on it.

    2. Re:Clearance Control by Coffee+Warlord · · Score: 5, Interesting
      There's no reason why a company, new, mature, huge, or small shouldn't be able to institute a similar policy in terms of access.
      Frankly, I say it's a nightmare for a small company when a big boss reads shit like this, freaks out, and all of a sudden you have to spend the next week trying to implement some goofy policy that will either be totally ignored, or tossed aside when it becomes a hassle. For larger companies, yes, internal security is no laughing matter. For small companies, when there's one, maybe 2 admins running the show, it's a wasted expense. They don't need intricate security policies. They need nothing more than, "Okay, I can access everything, everyone else can access their own shit. Done."
    3. Re:Clearance Control by petes_PoV · · Score: 5, Insightful
      The biggest problem with this is the way lazy exec's just reply to all for every comment they make. If a request for info is sent out to (say) 20 people, it's very possible that all 20 recipients will get all the traffic on this subject - whether it's "sorry I don't know" or "don't bother, we're closing that location" or anything in between.

      You can't back security into an organisation. Either the individuals are prepared to put up with the extra work it needs, or they aren't. Without some effort from everyone, your level of security drops to that of the weakest link (usually the boss)

      --
      politicians are like babies' nappies: they should both be changed regularly and for the same reasons
    4. Re:Clearance Control by kabocox · · Score: 4, Insightful

      Frankly, I say it's a nightmare for a small company when a big boss reads shit like this, freaks out, and all of a sudden you have to spend the next week trying to implement some goofy policy that will either be totally ignored, or tossed aside when it becomes a hassle. For larger companies, yes, internal security is no laughing matter. For small companies, when there's one, maybe 2 admins running the show, it's a wasted expense. They don't need intricate security policies. They need nothing more than, "Okay, I can access everything, everyone else can access their own shit. Done."

      And this is what is really wrong with IT now. In 100-200 years maybe when the industry starts to get a little mature things will change, but currently the one or two computer guys have access to everything school of thought is really what's wrong with the entire industry. I'll consider this industry to be growing up when any small business could hire/fire/transfer admins with complete confidence that the new guy has complete access and the old guy has zero access without carrying home backups or enough info to successfully compete with the company. We just aren't there, yet. I know that I'm trustworthy, but I wouldn't trust any other IT person. I wouldn't trust Bill Gates or Linus to be left with ultimate unchecked power over all my machines. Why would I want a setup where just 1 guy may or may not have complete control/access to the small network? Of course you need to define "small business." If you are talking about 10 networked computers and one temp. computer contractor guy that comes in to set things up or do Windows updates every 3 months or so, then your reasoning makes sense, but is still off. That computer guy no matter how trusted shouldn't have complete control over the network. What happens when that trusted computer guy is killed by a drunk driver, and then you have to hire a new guy?

    5. Re:Clearance Control by Maximum+Prophet · · Score: 5, Interesting

      Welcome to small business. Most usually have one or two key players that, if they die, the business dies with them. Usually, this is the founder, but not always. Sometimes, the president/founder/Grand Poobah doesn't realize who this key player is, and he fires that key player only to see his business fail, because he was too egotistical and arrogant to notice that the company revolved around someone else.

      Many small businesses have several key players that would severely hurt the company if they left. I was working at a small database company many moons ago, and was offered a consulting gig in a far off state at twice my current salary and I jumped at the chance. I had no clue that there was a million dollar contract riding on the project I was working on. Once the customer heard I was leaving, the contract evaporated. If they had only let me know that what I was doing really mattered, I might have stayed. (at a higher rate)

      --
      All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
    6. Re:Clearance Control by Dun+Malg · · Score: 5, Interesting
      A friend in the Government once told me that after the Pollard spy scandal the Government rethought the way it handled clearances. So now there is a discreet pool of clearances. There's no reason why a company, new, mature, huge, or small shouldn't be able to institute a similar policy in terms of access.
      As a holder of a TS clearance and former military intelligence goon, I can tell you that there are PLENTY of reasons why a private company shouldn't implement a similar policy. The primary problem is that it introduces a huge amount of bureaucratic "friction" to anything you do. By my estimate, I spent about 20% of my time as an analyst dealing with the various forms of "hoop jumping" required to get anything done with heavily classified and compartmentalized information. For example, I might want to ask a guy specializing in "compartment A" stuff about something, but if the material I'm working with contains "compartment B" intel, I have to try to either a) try to recompile the material to omit "B" intel while still making sense (tedious, takes time, might not even be possible); or b) get him signed off with "B" clearance (takes even longer, might not even be possible). Since the government already produces nothing tangible and operates as a net drain on the economy anyway, this massive waste is just more of the same. In a corporate environment, though, a government-style security policy would be a monstrous drain on productivity and, in turn, profitability.
      --
      If a job's not worth doing, it's not worth doing right.
    7. Re:Clearance Control by 1stpreacher · · Score: 5, Interesting

      I equate many of these positions to the janitor (and sometimes I've felt like a janitor) while he may not get paid much, and may not get much respect ... He's one of the few guys that has keys to the WHOLE building... You just have to trust some people. Or don't hire them...

    8. Re:Clearance Control by chris_mahan · · Score: 5, Insightful

      Who keeps the systems where your private key is stored?
      On your desktop machine? Who keeps your desktop machine?
      On your USB? a) Are you violating a policy for using a USB device? and b) When the USB is plugged in, it's part of the machine (see above)

      If it's passphrase encrypted, are you 100% sure that there isn't a software keylogger on your machine?

      Trust me, you can't hide anything from competent sysadmins.

      The only way to make sure you control your machine is to install it, secure it, and manage it yourself, but then you've become the sysadmin.

      And it may very well be that the company won't allow anyone but an experienced and trusted sysadmin to plug such a machine into the corporate network (for good reason I might add).

      So you might as well get used to the idea that sysadmins have access to everything on the network.

      [puts on sysadmin hat]
      And that is how it should be anyway if you want the network to even start down the path of better security.

      --

      "Piter, too, is dead."

    9. Re:Clearance Control by Total_Wimp · · Score: 4, Insightful

      Insightful indeed. Companies choose to trust CxOs, accountants, bookkeepers and physical security personnel. These people can cause a tremendous amount of damage to a company, up to, and including, the complete collapse of the company (Enron, Worldcom, etc).

      The question isn't whether to trust, but under what conditions? Accountants and bookkeepers often have checks, balances, licenses and bonding. CxOs have major positions of responsibility with the salaries to match, and now they have Sarbanes-Oxley too. Physical security folks are often bonded, polygraphed, drug tested, etc.

      So which of these are most applicable to IT? Do we have checks, balances, licensing, bonding, major positions of responsibility with the salaries to match? Do we have polygraphs or drug tests? Do we have laws like SOX that put us in the hot seat if things go wrong?

      I'm not suggesting we should do any particular one of these things, but as IT continues to mature, and IT is seen, as it should be, as a single point of failure that could cause damage up to, and including, the complete collapse of the company, we're going to need to professionalize our practices to the point much greater than the blind faith that often exists today.

      TW

      (note: I know IT has a major role in SOX compliance, but we're not held responsible unless the company in question builds that into the system. Many companies aren't, at least not to the extent they should. If SOX causes more shops to know exactly who has access to email, and exactly how to go about making sure they're responsible and holding them accountable then, well, problem solved. I personally don't think SOX alone is enough.)

    10. Re:Clearance Control by h4rm0ny · · Score: 4, Funny
      That's one good example. Another is secretaries. Everything confidential seems to go through them in a small business and they always seem to need access to all the sensitive areas of the network.

      Incidentally, I run the network at my current employers. Shortly after starting, I restructured all the groups to make it more secure. I then matter of factly told them that I'd removed my access to certain areas that I didn't have the right to access. On occasion, I've added myself back on to accomplish certain things for them. They always find that hugely amusing.

      --

      Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
    11. Re:Clearance Control by gwayne · · Score: 5, Interesting

      Haha...that reminds me of a print shop I used to run. I was a part-time employee and college student, but I did all the quoting, typesetting, pre-press and some of the press work. The owner sold out to some guy who decided he needed a full-time office manager, and since I was only part-time, he hired some bimbo who didn't know dick about printing to run the place. I put up with her trying to tell me how to do my job for a few weeks. Then one day I needed $10 out of petty cash for supplies to finish a printing job. She refused to let me have it, so I quit right there on the spot. The next day the pressman quit. Less than a month later the business closed.

      BWAHAHAHAHAHAHAH! F*CKERZ!

  3. Bah old news... by Lumpy · · Score: 5, Funny

    I read this last week when my boss submitted the article to that magazine in his outgoing email.

    Gotta go, he's sending an email now about outsourcing the IT department!

    --
    Do not look at laser with remaining good eye.
  4. Clueless in the corner office by overshoot · · Score: 4, Interesting
    The same executives wouldn't keep sensitive paper documents in an unlocked drawer, though.

    I realize it's a business problem when the CxO doesn't have a clue about encryption, but who's going to demand he get some education?

    FWIW, the legal profession actually has directives from the Bar Associations on when it's even permitted to use e-mail, and if so when encryption is required. Sometimes it's nice to actually have authority over you.

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
  5. It is all part of the job by cyanics · · Score: 5, Insightful

    Would you be upset if your allergist (doctor) had access to your blood work? No. It is his job. Trust is a huge component of system administration, and any company, or corporation, who doesn't understand that the administrator has the keys to the system, needs to take a better look at their corporate layout.

    Admins have access to everything. Or at least they should have access to virtually everything. Because who would you call if it was broken? certainly not the corner office.

    Trust is necessary. You have to trust your admins. And if you have an admin that leaves under suspicious or grievous circumstances, you protect your corporation's ass with a dismissal agreement.

    1. Re:It is all part of the job by Orange+Crush · · Score: 5, Insightful
      They still do not need access to the text of the email. Sorry, but there are quite a number of methods by which the admin could track down an errant email or such without knowing its contents.

      That depends on who you work for/with. My boss likes to ask for things like:

      "Can you print me a copy of that e-mail I sent about our new sales strategy a few months ago? I think I deleted it."

      "Do you remember who you sent it to?"

      "No."

      "Do you remember the date you sent it?"

      "Oh, a while ago."

      "What was it about?"

      "Sales."

      So anyway, when you work for people who routinely ask you questions that are about as specific as: "Hey, can you find me the thing I wrote about something just the other day?" it's helpful to be able to do fulltext searches and keep blunt throwable objects out of arm's reach.

  6. Dog bites man. I by wwest4 · · Score: 5, Insightful

    If you don't have a chain of trust in your IT department you're fucked... even if you do spend bank on "secure internal IT infrastructure."

    The rest of the article is all over the place. There's some mention of rogue admins reading executive e-mail rolled into boilerplate security talk about how X% of security risks are insider threats, and then it finishes up with a vaguely related sales pitch for RSA products, owned by... yep, EMC. The guys providing ComputerWorld with ad revenue on that sidebar.

    Hopefully those scared VPs will hire consultants and purchase EMC products to "secure" their infrastructure from "rogue admins" who are probably reading their e-mail RIGHT NOW.

  7. Re:there is no procedural or technical solution by overshoot · · Score: 4, Insightful
    sysadmins cannot do their jobs without full access to the systems they support.
    Which isn't the same thing as having full access to the data on them.

    There are, after all, fairly straightforward ways to secure data against the admins (assuming they don't actually install spyware, which is a separate subject.) There are also ways to arrange secure key recovery so that the records can be recovered if Something Happens to the exec, but no one person can do it (say, three board members and an outside law firm.)

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
  8. Re:And slashdot comments? by 99BottlesOfBeerInMyF · · Score: 5, Funny

    What about the /. admins who can read our highly sensitive comments?

    Comments? I'm not even sure they read the article summaries.

  9. Re:there is no procedural or technical solution by Anonymous Coward · · Score: 5, Insightful

    If you do not trust your staff, you have other problems.

    In my consulting work I have worked with systems containing sensitive information. Outside the workplace and outside the context of my particular role the information was of no interest to me.

  10. Re:there is no procedural or technical solution by jafiwam · · Score: 4, Insightful

    Also, maybe access but _logged_ access. And then a process where someone views the logs to look for unauthorized browsing.

    The DMV does it (every once in a while some bozo is fired from the state DMV for looking up minor celebrities' information), I am sure many other less involved database systems can too.
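The review process the comment describes, logged privileged access plus someone reading the logs for browsing that had no business reason, is straightforward to automate. This is an added example, not code from the thread or any mail product: it runs over a few constructed mailbox-access audit lines (the `key=value` format, the user and mailbox names, and the `INC-` ticket references are all invented for the demonstration) and flags every case where an administrator opened someone else's mailbox without a ticket reference, then tallies flags per administrator so a reviewer sees who to ask first.

```python
"""Review privileged mailbox-access logs for unjustified browsing (added illustration)."""
from collections import Counter

# Constructed audit lines: one line per mailbox open, key=value fields.
SAMPLE_LOG = """\
2007-02-14T09:02:11 user=jsmith action=open_mailbox mailbox=jsmith
2007-02-14T09:15:40 user=admin_bob action=open_mailbox mailbox=ceo ticket=INC-1042
2007-02-14T09:47:03 user=admin_bob action=open_mailbox mailbox=cfo
2007-02-14T10:31:02 user=admin_bob action=open_mailbox mailbox=ceo
2007-02-14T11:05:55 user=admin_amy action=open_mailbox mailbox=ceo ticket=INC-1050
2007-02-14T11:20:17 user=ceo action=open_mailbox mailbox=ceo
"""

# Accounts that hold privileged mail access (hypothetical names).
ADMINS = {"admin_bob", "admin_amy"}


def parse_line(line):
    """Turn '<timestamp> k=v k=v ...' into a dict; returns None for blank/garbled lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    record = {"timestamp": parts[0]}
    for token in parts[1:]:
        if "=" not in token:
            return None  # malformed field; skip the line rather than guess
        key, value = token.split("=", 1)
        record[key] = value
    return record


def review_access(log_text, admins):
    """Flag admin opens of foreign mailboxes that carry no ticket reference.

    Returns (flags, per_admin_counts): flags is a list of (timestamp, user,
    mailbox) tuples; per_admin_counts maps each flagged admin to its flag count.
    """
    flags = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("action") != "open_mailbox":
            continue
        user, mailbox = rec.get("user"), rec.get("mailbox")
        if user not in admins or user == mailbox:
            continue  # ordinary users, and admins in their own mailbox, are fine
        if "ticket" in rec:
            continue  # access tied to a tracked request is justified for this pass
        flags.append((rec["timestamp"], user, mailbox))
    return flags, dict(Counter(user for _, user, _ in flags))


if __name__ == "__main__":
    found, tally = review_access(SAMPLE_LOG, ADMINS)
    for ts, who, box in found:
        print(f"{ts} {who} opened mailbox '{box}' with no ticket reference")
    print("flags per admin:", tally)
```

Run against the sample, the two untracked opens by `admin_bob` (the CFO's mailbox, then the CEO's again) are the only findings; the ticketed opens and the users' own mailboxes are ignored. The check is deliberately coarse: a ticket reference proves a request existed, not that it authorized that mailbox, so the tally is a triage list for the reviewer rather than a verdict.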

  11. This is normal and necessary by compunut · · Score: 5, Insightful

    At least in small business, and probably in all business, it is completely necessary for upper IT staff to have complete access to everything. I've lost count of how many times upper level management has come to me with the 'I forgot my password, can you get my stuff back?' request. This is a normal occurrence. If we take away the privileges of IT to access upper management data, then upper management is very likely to lose that data.

    As an anecdote, one of my customers (I am an IT consultant) lost the password to the video surveillance system. They immediately came to me, and were shocked and annoyed when I said 'Sorry, I wasn't involved in the installation of that system and was never informed of the passwords.' In the end, we found that a user had written down the password at one point and were able to get back in that way!

    The point really should be that companies better find upper IT staff that they can TRUST! If they can't trust their IT staff, they have big problems.

    1. Re:This is normal and necessary by snarlydwarf · · Score: 5, Interesting

      I have complete access to read (and even modify! w00t! that could be fun!) email for some 15,000 people.

      Unlogged.

      Do I?

      Hell, no.

      It would be nice to pretend it is all about ethics, but let's be realistic: it is really about "why would I -care- what they are jabbering about?" These are people who complain about getting "unbearable amounts of spam" when they get a total of a half dozen emails a day...

      Sorry: nethack, dinking around on forums and mailing lists, listening to music... all of them are much more important than the sort of nonsense people send in mail. I really don't care what people mail each other, how many porn sites they visit or whatever it is they actually do online as long as they leave me alone.

      It isn't ethics: it is pure and simple apathy about them.

  12. Secretaries are a bigger issue by Salo2112 · · Score: 4, Informative

    Odd that people are concerned that IT types *might* be reading email when so many of the C*Os give their secretaries their passwords and other sensitive information. I am convinced that my Big Boss's secretary actually runs the place.

    1. Re:Secretaries are a bigger issue by SpecBear · · Score: 5, Funny

      I was once trying to explain to an exec why his account would never be absolutely secure.

      Me: "If somebody wants your account information badly enough, he's going to get it. He doesn't have to hack the system, he can just get it from you."
      Exec: "That's crazy, I'd never give anyone my password."
      Me: "Imagine you come home and find someone's broken in. He's got a gun to your daughter's head, and he tells you he's going to shoot in ten seconds if you don't give him your password. What would you do?"
      Exec: [long pause] ... Which daughter?

      To this day I still don't know if he was joking. But I no longer use that example.

  13. This is old news. by generic · · Score: 4, Funny

    I already read it in cmdrtaco's inbox. Seriously I bet a good number of IT people own the T-Shirt, "I read your email". We aren't kidding.

    --
    Microsoft aggravates my Tourette's syndrome.
  14. And then of course... by skids · · Score: 4, Insightful
    There are ways to run a business that limit the amount of information that has to be classified so that it can be relayed verbally or by sneakernet. Like not defrauding your workers or business associates is a good start, followed by not raking in huge undeserved stock options and bonuses, not downsizing and outsourcing just because it is the latest fad, and in general being competent to the point that the only people who care what's in your email are the rarer criminal element and not every damn single employee.

    Ahh, driftnet on the switch monitor port. Never has there been such an artistically odd juxtaposition of shoes, porn, corporate logos, and vacation photos.

  15. Re:And slashdot comments? by Lehk228 · · Score: 4, Funny

    I assure you the vast majority of slashdot comments are in fact, insensitive

    --
    Snowden and Manning are heroes.
  16. Fucking Computerworld fear-mongering! by Robber+Baron · · Score: 4, Interesting

    No shit Sherlock! Did you figure that out all by yourself?!? Of course I can read their e-mail! I'm a sysadmin and I set up the frigging mail system in the first place! Duh!
    What they fail to grasp is I don't have time to be going through their shit!
    Conversely PHBs don't have time to learn how to admin mail systems, which is what they'd have to do in order to keep me out.

    Here's a novel concept: Why don't you simply try hiring people who are trustworthy?

    --

    You're using her as bait, Master!

  17. bounces are better by Bigbutt · · Score: 5, Funny

    As the e-mail admin, receiving the bounces is even more enlightening. There was a torrid love exchange in e-mail going on but they'd put an extra, invalid e-mail address in so the thread kept bouncing down to us. We tried to let them know about the problem but they were ignoring our messages.

    I created a t-shirt for work a couple of years back when I heard someone saying that we were reading their e-mails.

    "I Read Your E-mail"
    " It's Boring " :D

    [John]

    --
    Shit better not happen!
  18. Re:And slashdot comments? by cp.tar · · Score: 4, Funny

    ... and probably written by clods.

    --
    Ignore this signature. By order.
  19. Malicious... or just plain crazy? by fractalus · · Score: 4, Interesting

    At one small company I once worked at, my Windows box popped up a strange notice one day that someone else was using my IP. Since my IP was fixed (so that I could access various IP-restricted network devices) this immediately raised some red flags. We began looking for the culprit; something must've tipped off the hacker because we found ourselves locked out of our mail server. Since access to the mail server was only permitted from inside our network, we shut off our net access, hoping to block the hacker while we got back into our server.

    We tracked the hacker down. It turned out it was another admin, who had gone some kind of crazy. He had three NICs in his desktop box all configured to impersonate different machines, he had re-routed the boss's email through his mailbox (and some clients' mail too), and had all kinds of other things going on. And he had sat there the whole time we were trying to ID the hacker, pretending nothing was going on, all the while trying to stay ahead of us. Strangest thing I ever saw.

    Yes, he was fired. He really didn't seem to know why he'd done it (none of it made rational sense) and he'd really put his family in a bind. I think he was sick, but I'm not a psychiatrist.

    --
    People are never as simple as their stereotypes. This applies equally to Christians, Muslims, and Emacs-lovers.
  20. Re:Funny but... by Kelbear · · Score: 4, Interesting

    http://en.wikipedia.org/wiki/Efficiency_wage_hypothesis

    Reading the parent's post made me recall this footnote from my economics classes. It's a theory that when you pay your employees well (i.e., better than the average competitor), you'll find advantages in that employee's performance. If you're in a good job and know you're being treated like you're a good employee, the theory is that this serves to discourage you from being a bad employee since you're risking the loss of a good thing.

    There's other reasons involved in this theory too though. If your compensation is that of a good employee, you're expected to be worthy of it, and your conscience may urge you to live up to such expectations.

    Of course, there's diminishing returns from doing this, but the point is...

    If an employee is important enough to possibly damage a company with negligence or malice, maybe that employee should be treated a little better to encourage them to put more effort in to avoid such things from happening. Economically, the additional compensation should reflect the chance of the damage times the cost of the damage if it were to occur, but it's not something easily measured.

  21. postcard by martin · · Score: 4, Insightful

    Let me think, when all this email started getting popular in the mid 1990's wasn't the advice to treat it as postcard....

    ie it could be read during transmission by the post-office worker (sys-admin)....

    just a gentle reminder.

  22. Re:And slashdot comments? by Anonymous Coward · · Score: 5, Funny

    Yes, the title for an article about an admin reading the e-mail of a single boss would be:

    English: "Sys-Admins Reading the Boss' Mail?"
    Slashdot: "Sys-Admins Reading the Bosses Mail?"

    For an admin reading the e-mail of more than one boss, the title would be:

    English: "Sys-Admins Reading the Bosses' Mail?"
    Slashdot: "Sys-Admins Reading the Bosseses Mail?"