Slashdot Mirror
Sys-Admins Reading the Bosses Mail?
PetManimal writes "Computerworld has an article about IT staff who have access to corner-office email. Systems administrators, database administrators, storage administrators and higher level IT super users are the types who may access sensitive executive information; one source quoted in the article says that in a company with 1,500 employees, there might typically be five to 10 administrators who have this access. As for how many abuse these priviledges, it's hard to tell, but rogue admins out for workplace revenge or personal gain can wreak havoc: '... Experts agree that the severity of these occurrences generally makes them more harmful than external attacks. One of the biggest obstacles to eliminating unauthorized access is determining how many people have it. Access lists are particularly difficult to formulate in both mature companies, where the number and power of administrators have expanded over periods of years, and small companies, where rapid growth leads to undocumented tangles of administrators who are able to maintain their access because nobody has time to assess their status.'"
http://en.wikipedia.org/wiki/BOFH
I read this last week when my boss submitted the article to that magazine in his outgoing email.
Gotta go, he's sending an email now about outsourcing the IT department!
Do not look at laser with remaining good eye.
Would you be upset if your alergist (doctor) had access to your blood work? No. It is his job. Trust is a huge component of system administration, and any company, or corporation, who doesn't understand that the administrator has the keys to the system, needs to take a better look at their corporate layout.
Admins have access to everything. Or at least they should have access to virtually everything. Because who would you call if it was broken? certainly not the corner office.
Trust is necessary. You have to trust your admins. And if you have an admin that leaves under suspicious or grievious circumstances, you protect your corporations ass with a dismissal agreement.
If you don't have a chain of trust in your IT department you're fucked... even if you do spend bank on "secure internal IT infrastructure."
The rest of the article is all over the place. There's some mention of rogue admins reading executive e-mail rolled into boilerplate security talk about how X% of security risks are insider threats, and then it finishes up with a vaguely related sales pitch for RSA products, owned by... yep, EMC. The guys providing ComputerWorld with ad revenue on that sidebar.
Hopefully those scared VPs will hire consultants and purchase EMC products to "secure" their infrastructure from "rogue admins" who are probably reading their e-mail RIGHT NOW.
What about the /. admins who can read our highly sensitive comments?
Comments? I'm not even sure they read the article summaries.
If you do not trust your staff, you have other problems.
In my consulting work I have worked with systems containing sensitive information. Outside the workplace and outside the context of my particular role the information was of no interest to me.
Frankly, I say it's a nightmare for a small company when a big boss reads shit like this, freaks out, and all of a sudden you have to spend the next week trying to implement some goofy policy that will either be totally ignored, or tossed aside when it becomes a hassle. For larger companies, yes, internal security is no laughing matter. For small companies, when there's one, maybe 2 admins running the show, it's a wasted expense. They don't need intricate security policies. They need nothing more than, "Okay, I can access everything, everyone else can access their own shit. Done."
At least in small business, and probably in all business, it is completely necessary for upper IT staff to have complete access to everything. I've lost count of how many times upper level management has come to me with the 'I forgot my password, can you get my stuff back?' request. This is a normal occurrence. If we take away the privileges of IT to access upper management data, then upper management is very likely to lose that data.
As an anecdote, one of my customers (I am an IT consultant) lost the password to the video surveillance system. They immediately came to me, and were shocked and annoyed when I said 'Sorry, I wasn't involved in the installation of that system and was never informed of the passwords.' In the end, we found that a user had written down the password at one point and were able to get back in that way!
The point really should be that companies better find upper IT staff that they can TRUST! If they can't trust their IT staff, they have big problems.
You can't back security into an organisation. Either the individuals are prepared to put up with the extra work it needs, or they aren't. Without some effort from everyone, your level of security drops to that of the weakest link (usually the boss)
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
As the e-mail admin receiving the bounces are even more enlightening. There was a torrid love exchange in e-mail going on but they'd put an extra, invalid e-mail address in so the thread kept bouncing down to us. We tried to let them know about the problem but they were ignoring our messages.
:D
I created a t-shirt for work a couple of years back when I heard someone saying that we were reading their e-mails.
"I Read Your E-mail"
" It's Boring "
[John]
Shit better not happen!
Welcome to small business. Most usually have one or two key players that, if they die, the business dies with them. Usually, this is the founder, but not always. Sometimes, the president/founder/Grand Poobah doesn't realize who this key player is, and he fires that key player only to see his business fail, because he was too egotistical and arogant to notice that the company revolved around someone else.
Many small businesses have several key player that would severly hurt the company if they left. I was working at a small database company many moons ago, and was offers a consulting gig in a far off state at twice my current salary and I jumped at the chance. I had no clue that there was a million dollar contract riding on the project I was working on. Once the customer heard I was leaving, the contract evaporated. If they had only let me know that what I was doing really mattered, I might have stayed. (at a higher rate)
All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
If a job's not worth doing, it's not worth doing right.
I equate many of these positions to the janitor (and sometimes I've felt like a janitor) while he may not get paid much, and may not get much respect ... He's one of the few guys that has keys to the WHOLE building... You just have to trust some people. Or don't hire them...
Who keeps the systems where your private key is stored?
On your desktop machine? Who keeps your desktop machine?
On your USB? a) Are you violating a policy for using a USB device? and b) When then USB is plugged-in, it's part of the machine (see above)
If it's passphrase encrypted, are you 100% sure that there isn't a software keylogger on your machine?
Trust me, you can't hide anything from competent sysadmins.
The only way to make sure you control your machine is to install it, secure it, and manage it yourself, but then you've become the sysadmin.
And it may very well be that the company won't allow anyone but an experienced and trusted sysadmin to plug such a machine into the corporate network (for good reason I might add).
So you might as well get used to the idea that sysadmins have access to everything on the network.
[puts on sysadmin hat]
Ad that is how it should be anyway if you want the network to even start down the path of better security.
"Piter, too, is dead."
Haha...that reminds me of a print shop I used to run. I was a part-time employee and college student, but I did all the quoting, typesetting, pre-press and some of the press work. The owner sold out to some guy who decided he needed a full-time office manager, and since I was only part-time, he hired some bimbo who didn't know dick about printing to run the place. I put up with her trying to tell me how to do my job for a few weeks. Then one day I needed $10 out of petty cash for supplies to finish a printing job. She refused to let me have it, so I quit right there on the spot. The next day the pressman quit. Less than a month later the business closed.
BWAHAHAHAHAHAHAH! F*CKERZ!
Yes, the title for an article about an admin reading the e-mail of a single boss would be:
English: "Sys-Admins Reading the Boss' Mail?"
Slashdot: "Sys-Admins Reading the Bosses Mail?"
For an admin reading the e-mail of more than one boss, the title would be:
English: "Sys-Admins Reading the Bosses' Mail?"
Slashdot: "Sys-Admins Reading the Bosseses Mail?"
I was once trying to explain to an exec why his account would never be absolutely secure.
Me: "If somebody wants your account information badly enough, he's going to get it. He doesn't have to hack the system, he can just get it from you." ... Which daughter?
Exec: "That's crazy, I'd never give anyone my password."
Me: "Imagine you come home and find someone's broken in. He's got a gun to your daughter's head, and he tells you he's going to shoot in ten seconds if you don't give him your password. What would you do?"
Exec: [long pause]
To this day I still don't know if he was joking. But I no longer use that example.