The IT Department as Corporate Snoop?
coondoggie writes with a link to a NetworkWorld article about the dangers of IT department snoops. A study released today is likely to exacerbate the trend of failing trust in employees; it shows that one in three IT employees poke through systems and prod at confidential information while on the job. The survey was done by a firm specializing in password security, so some salt might be required for this particular article. "The survey found that more than one-third of IT professionals admit they could still access their company's network once they'd left their current job, with no one to stop them. More than 200 IT professionals participated in the survey with many revealing that although it wasn't corporate policy to allow IT workers to access systems after termination, still almost 25% of respondents knew of another IT staff member who still had access to sensitive networks even though they'd left the company long ago."
"The survey found that more than one-third of IT professionals admit..."
I find that hard to believe.
"Beware of he who would deny you access to information, for in his heart he dreams himself your master."
Your company should have a published policy regarding user privacy and IT, and all members of IT should abide by that policy at all times. (In our case, for files or email, we require the approval of the user themselves or of a department manager and human resources before we go off reading your stuff. We do reserve the right to monitor network traffic at any time, for any reason, but we also make sure your email access runs encrypted over the network...)
In any case, please encourage your local IT Professionals to behave like Professionals. How should they behave, you ask?
Like THIS.
Anyone who doesn't lock the accounts of ex-root-access employees and change the shared passwords that they had access to is lazy and negligent, bordering on criminally negligent. That's just inexcusable...
From my perspective, this is true enough. There are places that I still have access to that, by all rights, I shouldn't. I log in about once a year to see if I still have access, and if I do, I email the owner/manager of the place to that effect. Last thing I want is for something to go legal and me have a finger in the pie.
Of course, for a few places around here, me still having access is a good thing. Seeing how they call me about once a week because they couldn't follow well laid out documentation on managing the system...but I digress.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
The same IT department that doesn't turn off a terminated employee's access would be the same one who doesn't turn off access for the employee's token.
These tokens don't magically fix broken IT security policies.
I like to think of myself as a Telegraph Operator. Sure I know people's secrets, but it would be unprofessional for me to tell them to anyone.
It seems like there'd be more important security implications with disgruntled fired IT guys still having unbridled access to the company network.
Not all are fired/disgruntled. Some leave on good terms.
Which means 2/3rds of IT professionals don't familiarize themselves with the systems they're running.
If you're in IT, and you're an administrator, the company must be able to trust you with ALL DATA! That means ALL FUCKING DATA, not what the top people just think you should or shouldn't be familiar with. If your company is shit and fucks people over daily, IT will know, and IT will find another job and leave you with some shitty guy who can't even turn a machine on doing your work. Then you get targeted, taken down, and goodbye and good riddance company.
The only alarming thing is that the asshats at the top who give life to the term "shit flows down hill" think "oh shit, my pants are down, my hand is in the cookie jar and I'm going to get caught".
I do not deploy Linux. Ever.
If your company is like the ones I've worked for (in the UK btw), then you are underpaid, undervalued and mistreated. The whole system stinks and you get paid far less than people who've a tenth of your brains. So you try to reclaim a little power over the bastards. You take their passwords and read their email and then use the information against this. You've the right to do this because you can do this. They themselves have adhered to this law by treating you like crap in the first place. What goes around...
> The survey found that more than one-third of IT professionals
> admit they could still access their company's network once
> they'd left their current job, with no one to stop them.
Does it seem that people are villainizing the IT guys that left?
Shouldn't the criticism be levied upon the IT guys who REMAIN?
And as for snooping, it's not the snooping that bugs me, but the disclosures that sometimes follow. I was really pissed off when my boss started publicly ripping on me for the quality of some code scraps he found in my documents folder.
I didn't mind that he looked -- I don't expect privacy on a corporate computer. But he used what he found in an attempt to humiliate me (which failed since the rest of the department knew that the code was something that I was reviewing from a new intern).
If I saw a problem I'd probably report it to my old boss with a suggested fix.
As one IT pro to another... if your former boss doesn't know this, don't do it. There's a strong chance you'll cause far more trouble for yourself than you ever dreamed possible.