Slashdot Mirror


One-Third of Employees Violate Company IT Policies

BaCa writes with a link indicating that a survey of white collar US workers shows that something like a third of all employees break IT policies. Of those, almost a sixth actually used P2P technologies from their work PCs. Overall, the survey indicates workers aren't overly concerned about any kind of security: "The telephone survey found that 65% of white-collar professionals are either not very concerned or not concerned at all about their privacy when using a workplace computer. A surprising 63% are not very concerned or are not concerned at all about the security of their information while at work. Additionally, most employees have the misconception that these behaviors pose little to no risk to their companies."

320 comments

  1. I don't believe it by stoolpigeon · · Score: 5, Insightful

    I'm guessing a more accurate headline would be: One-Third of Employees Admit to Violating Company IT Policies
     
    The rest just didn't let on - because there is no way the number is that low. Or they didn't outright lie, they just didn't even know they had violated company policies.

    --
    It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
    1. Re:I don't believe it by jdoss · · Score: 1

      That pretty much sums it up. My first thought to post here was "One-third my ass."

    2. Re:I don't believe it by Anonymous Coward · · Score: 5, Funny

      Hell, I'd be happy if 1/3 of our employees could even name all of the IT policies they were breaking.

    3. Re:I don't believe it by WiiVault · · Score: 1

      Seriously, how many people don't realize that checking AIM or listening to web radio is prohibited? Few I would imagine.

    4. Re:I don't believe it by facon12 · · Score: 1

      Agreed, I work for an ISP and I've found that most people simply don't know what the policy is. How many people really read the entire employee handbook unless they have gotten in trouble? More than that, how many can remember 5 things from it that don't have to do with getting paid?

    5. Re:I don't believe it by vertinox · · Score: 5, Funny

      Or they didn't outright lie, they just didn't even know they had violated company policies.

      I don't know how many times a conversation went like this:

      Me: Whats your user name?
      User: Its u2343 and my password is "bobspassword"!
      Me: Wait! ARRRRRGH! Don't tell me that! I'm not supposed to know your password, I just wanted your user name!

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
    6. Re:I don't believe it by Otter · · Score: 2, Insightful

      Also, if I'd been surveyed as to whether checking webmail is "risky", I'd also have said that it isn't. It's certainly not "risky" on the level that downloading and running some P2P application is; it's not even dangerous on the level that requiring 20 different, complex, constantly changed passwords is.

    7. Re:I don't believe it by c_woolley · · Score: 1

      I'd be happy if one-thrid of ours could spell IT...

    8. Re:I don't believe it by Anonymous Coward · · Score: 2, Insightful

      Believe it. IT breaks the most policies because they don't get in trouble and then blame non-IT personnel for doing what they do. I know I used to do it as IT. So don't blame employees. I wouldn't be surprised to see numbers on IT employees and have it show 99% break those policies they themselves enforce!

    9. Re:I don't believe it by Anonymous Coward · · Score: 3, Funny

      Me: Wait! ARRRRRGH! Don't tell me that! I'm not supposed to know your password, I just wanted your user name!

      Me: Sigh. Please change your password. Please don't share your password with anyone, including IT staff.
      User: Ok, now I changed it to 'bobspassword2'.
      Me: ARRRRG!

    10. Re:I don't believe it by dnormant · · Score: 2, Insightful

      What's sad where I work is it's the helpdesk and desktop administrators that are the worst. We have Websense to block the inappropriate web sites. Then they learned they could VPN in and that basically goes around Websense. Now they're tying up my firewall AND my VPN router.

      I already block all p2p, now I'm going to have to block music and video sites too. I don't care what is appropriate or what isn't, I'm tired of my boss asking me why the Interweb is slow.

      It sucks being the bad guy but I like my job.

    11. Re:I don't believe it by Anonymous Coward · · Score: 0

      I worked at a place that used a secret phrase to identify yourself:
      Me: What's your user name?
      User: umm...SexyChick --- (male voice)
      Me: What's your secret phrase, please?
      User: My password? it's-
      Me: No, I mean the phrase you chose to identify yourself, it could be a cat's name or family name.
      User: Are you sure you don't want my password?
      Me: No, your secret phrase, just to verify your identity --- (I haven't looked up his account yet, but I'm bringing it up now....)
      User: Well, I didn't know, um.. 'I Love C*ck'

    12. Re:I don't believe it by 33MHz · · Score: 4, Interesting

      Couldn't agree more. As part of a development team that works in the same room as the IT team, I sometimes think about what they are doing on a daily basis, and the rules they enforce for the rest of us mere mortals seem completely pointless.

      I often need third-party libraries when I'm developing my software so I just get them off the Internet (sometimes virus checking them if I remember). If I followed the rules to the letter, I wouldn't download the libraries. But I don't follow them, so by using this software that nobody is "approving" I'm breaking the rules.

      But when did our security manager review the source code for Windows XP to make sure it's OK?

    13. Re:I don't believe it by COMON$ · · Score: 1

      Because if you are a good admin, the user is incapable of violating your policies. Outbound port locks, packet monitoring, AD policies....ahhhh to be a natzi but who has that kind of time ;)

      --
      CS: It is all sink or swim...oh and did I mention there are sharks in that water?
    14. Re:I don't believe it by COMON$ · · Score: 1

      Your firewall should allow for rule schedules, obviously there is no need for you "techs" to vpn during work hours unless they are in the field. Or just disable VPN from behind the NAT. From one natzi admin to another the IT staff will always be your worst customers at policy compliance.

      --
      CS: It is all sink or swim...oh and did I mention there are sharks in that water?
    15. Re:I don't believe it by MikeDirnt69 · · Score: 1

      Well... considering that the fat guy on a big chair is the first one to break the rule (and this is a fact on most of the companies), the low-salary IT crowd don't get too motivated to follow the rule.

      --
      Am I eval()? - http://www.monst3r.com.br
    16. Re:I don't believe it by thebear05 · · Score: 1

      The real question is why is it prohibited ! Bandwidth ? Security ?

    17. Re:I don't believe it by Atriqus · · Score: 1

      Looks like our situation is much better; 3/3 of our department can name the IT policies we're breaking... but that's not completely fair of a comparison since we are the IT department. :)

      --
      Hey, look! It's Bono's brother.
    18. Re:I don't believe it by Fulcrum+of+Evil · · Score: 1

      Because techs never work from home...

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    19. Re:I don't believe it by Anonymous Coward · · Score: 1, Insightful

      The rest just didn't let on - because there is no way the number is that low. Or they didn't outright lie, they just didn't even know they had violated company policies.

      Some of us just cover our tracks very well.

    20. Re:I don't believe it by ewhenn · · Score: 4, Insightful

      it's not even dangerous on the level that requiring 20 different, complex, constantly changed passwords is.

      Personally, I find that this constant password changing actually *lowers* security. I would like to present myself as an example. We have to change our passwords to something with 3 of 4 items (CAPS, lowercase, numbers, and special characters). We are required to change our password monthly. So instead of having a nice secure password like "jd%2MdEP!7rqA" that I can remember say... once a year.. I just do something like "Aotepad1"..next month "Botepad1"...next month "Cotepad1" so I can remember the damn thing. Each application requires its own password, so requiring the average user to constantly change them is going to make them go with poor password choices instead of strong ones.

      Sometimes too much "security" is weaker security.
    21. Re:I don't believe it by Nefarious+Wheel · · Score: 2, Insightful
      "It's easier to apologise than to get permission"

      -- From the late Rear Admiral Grace L. Hopper, founder of commercial computing and lead developer of the original COmmon Business-Oriented Language compiler.

      Sometimes you have to lead.

      --
      Do not mock my vision of impractical footwear
    22. Re:I don't believe it by Sigma+7 · · Score: 1

      What's sad where I work is it's the helpdesk and desktop administrators that are the worst. We have Websense to block the inappropriate web sites. Speaking of blocked sites, instructions to perform a repair installation of Windows XP were blocked as "Computers/Internet". This page was used as a reference at least once for the helpdesk position that I work for.

      The same filter at one time blocked troubleshooting resources on the Dell website - the filter reason was "Dell Allowed Sites". (At least this was fixed.)

      While filters are required to prevent excessive bandwidth and distractions during work time, it should not prevent users from accessing resources essential for troubleshooting.

    23. Re:I don't believe it by Architect_sasyr · · Score: 2, Insightful

      Couldn't agree more. As part of a development team that works in the same room as the IT team, I sometimes think about what they are doing on a daily basis, and the rules they enforce for the rest of us mere mortals seem completely pointless.
      That's because you are, as you say, mere mortals ;)

      I often need third-party libraries when I'm developing my software so I just get them off the Internet (sometimes virus checking them if I remember).
      And this is why I said you're a mere mortal. As a sysadmin it is imperative that I not be forced to abide by the same restrictions as those underneath me. I must be able to run security audits against my network, I must be permitted to surf 'hacking' sites to be sure my anti-virus scans correctly and I must be able to download software as necessary. It is a part of my job, just like surfing pornography is the job of the digital market researcher I work with (now that's a cushy job, he's paid to stay on current trends - I'm an admin at a media and design company). However downloading libraries from some unknown source because they say they will do what you need is not necessarily safe, as you should well know. If your admins are anything like mine they wouldn't care if you downloaded software from SourceForge, but if you download software from Mom's Friendly DLL Company that is a different story.

      If I followed the rules to the letter, I wouldn't download the libraries. But I don't follow them, so by using this software that nobody is "approving" I'm breaking the rules.
      Yes, technically you are, but that probably won't be a problem until you try and force that third party software onto production servers, which in my experience developers do after they have downloaded 3rd party libraries no one else has heard of. Yes this is why we have development machines, but it also falls to the IT team to be the ones to make the software work because of this library.

      But when did our security manager review the source code for Windows XP to make sure it's OK?
      Well hopefully he didn't implement XP as soon as it came out... at least waiting for a service pack and locking it down with Anti Virus and a decent firewall... if he didn't then that's probably a bad security manager you got there.

      Just for the record, I've been a developer, a hell desker and a sysadmin, so I know what the battlefield is like on both sides. No doubt others do too.
      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
    24. Re:I don't believe it by Architect_sasyr · · Score: 1

      That's why I prefer the public humiliation method, fear will keep the local lusers in line...

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
    25. Re:I don't believe it by Anonymous Coward · · Score: 0

      Agreed. At an old workplace we were going to implement some policy regarding chain emails... but it turned out the upper management were the ones who did it most.

    26. Re:I don't believe it by Anonymous Coward · · Score: 0

      It's because of the 0.01% of people who would spend their entire day bullshitting on IM instead of working.

    27. Re:I don't believe it by RobertM1968 · · Score: 1

      Actually, many employees I've dealt with don't realize it until they get caught by a manager/supervisor. The last place I worked with had the relevant info in the employee manual/handbook - which was a rather large book. I can guarantee you that 1/10 of the employees (or less) actually read it before signing the page that says "I read it" - most companies just block whatever isn't permitted (MySpace, AIM, etc)... or block them when they realize that too many employees are accessing them against company policy. Especially since the HR Managers at those locations summarize the thing for you (dress code, benefits, etc) - but almost always skip that section (due to lack of knowledge in the area).

      Some (many nowadays?) companies have a specific person who is responsible for instructing and enforcing that specific section of the employee rules just because of that. (And that person is usually responsible for securing the network and computer assets as well).

      Since most HR Managers I've encountered are quite computer illiterate, they never seem to go over that section. They'll tell you when your first payday is, how much vacation time you get, when you accumulate it, when you are eligible for raises, dress code, etc... but don't even touch on the "technology" oriented section at all.

      Both, when I was a technician, and when I was a tech manager at CompUSA, I became the guy who had to make sure our demo laptops were secure, and certain things were blocked on the client end... the notice would go to (and be addressed to) the HR manager (who is responsible for compliance issues), who would pass it off to the tech department (who is NOT responsible for compliance issues) with no understanding of what she was supposed to do with it [and (rightly) assumed we knew how/could take care of it for her].

      Keep in mind that most people who use computers at work aren't very computer savvy... and don't understand the security risks involved with violating certain portions of such a policy - much less the business aspect of violating them ("wasting" company time, etc). Most people equate a MySpace break, or leaving AIM running to "occasionally" chat with a friend the same as their 15 minute breaks or coffee/cigarette breaks; so see nothing wrong with it (and have likely NOT read the section of the employee handbook that spells out the things they shouldn't do on the company machines/network).

    28. Re:I don't believe it by GreyyGuy · · Score: 4, Insightful

      Exactly. Between email retention policies, internet usage, and everything else, I would not be surprised if over 90% of people have violated them. Check your yahoo email at work? Violated company policy. Plugged in a USB drive or your iPod? Probably violated company policy. Installed non-approved software? Anything from IM software to Open Office to spyware checker to p2p software. Violated company policy. Sent your friend/spouse/significant other/family member an email from your work account? Violated company policy. Viewed something risque online at work? Even if not intended, that probably violated company policy.

      Silly to think of things that trivial can count, but there are reasonable reasons for them. The problem is that they are all general and not focused on if the person intended to violate them. I would not be surprised if one third of people knowingly violated their company policy.

    29. Re:I don't believe it by mrchaotica · · Score: 4, Insightful

      I often need third-party libraries when I'm developing my software so I just get them off the Internet (sometimes virus checking them if I remember).

      In this case, virus checking is the least of your worries. If you're including those third-party libraries in your software, you need to be getting them approved by your legal department to make sure you're not creating huge copyright violations.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    30. Re:I don't believe it by COMON$ · · Score: 3, Insightful

      hmmm, what about a fear of the unknown, the place I used to work posted a message saying the administrator has been alerted of the activity, nothing breeds fear like 1984 :)

      --
      CS: It is all sink or swim...oh and did I mention there are sharks in that water?
    31. Re:I don't believe it by COMON$ · · Score: 1

      If they were at home, why would they VPN to a network to get around the firewall? Said person would be allowed in, simple switch in the rules, would take less time than sipping coffee. Of course, what company has a tech that works from home? In my experience, techs are individuals that work hands on, I cannot think of any instance a tech would be allowed to work from home. A server admin, yes, developers, yes. Heck even an analyst applying patches could work from home if sick, but I cannot think of anyplace that would allow a tech to work from home.

      --
      CS: It is all sink or swim...oh and did I mention there are sharks in that water?
    32. Re:I don't believe it by Andrew+Kismet · · Score: 2, Funny

      She certainly didn't get permission to inflict COBOL, yet I hear no apology.

    33. Re:I don't believe it by digitalchinky · · Score: 1

      It'd be excellent if staff would just use it to check up with friends and family, though what about when the disgruntled HR whore starts pumping out company documents through 3rd party email providers in hopes of taking down the corporate empire? I'd much rather spend my days dealing with viruses, spyware and all the other crud that worker drones get up to. How do you monitor the use of any 3rd party communication services, or better yet, what applications exist that allow the IT drone to reconstruct their non work related activities in a simple visual way - I know there are a hundred network sniffers, proxies, and logs, but who wants to sift through gigabytes of protocol stacks or text. Back when I was working for 'them' we had a nice little black box that would suck down the packet switchers and spit out reconstructed web pages, email, video, etc., I've yet to find any equivalents in the open source world.

    34. Re:I don't believe it by Anonymous Coward · · Score: 2, Insightful

      Who will be fixing your machine when you break it by installing some random third party software: you, or IT?

      That's what I thought. I can't imagine why IT might want to exercise some oversight over what you're installing.

    35. Re:I don't believe it by soapthgr8 · · Score: 1

      hell desker

      Was this intentional (I can understand!), a mistake, or a Freudian slip?
    36. Re:I don't believe it by Anonymous Coward · · Score: 3, Funny

      Considering they hire people that can't spell "third" ... ;-)

    37. Re:I don't believe it by Anonymous Coward · · Score: 1, Insightful

      You raise an interesting point. I am astounded by all of this oversight and IT policy-making, while licensing gets virtually no attention. Worse, the IT policy-makers seem to think they understand the implications of all this legal gobbledy-gook. Since we all know they have no clue, everyone just clicks through -- accepting whatever terms are bundled into the EULA. Then again, you have to wonder about the ability of non-officer employees to enter contracts on behalf of a corporation. My authorization (and $1.75) gets you a medium coffee at Dunkin Donuts. Maybe it doesn't matter because the shrink-wrap click authorization is such a dubious concept in the first place.

      You would think that the gods of IT would get a few standard EULAs reviewed in-depth, and ensure that nothing is installed with an unapproved license. Instead, they simply buy commercial products and assume that it's OK to install them. Where are the internal audit people? SOX? Helloooooo!

      I can think of nothing that would accelerate the adoption of open source faster than mandatory legal review of license terms and conditions. The review process for GPL, BSD, etc. for internal development should be like rolling through a toll booth with a speed pass on your dashboard. Anything else, and it's like waiting for customs to ask a bunch of questions and search your luggage for non-conforming usage. The legal dept. should be sifting through every license (making sure the terms have not changed since the last upgrade) -- holding a series of meetings to compare the expected usage to the authorization granted by the license.

      It reminds me of a Star Trek episode where a software glitch causes a space probe to kill anything that is not perfect. Capt. Kirk points out the space probe's own flaws and tells it to proceed with its programming. Luckily, he beams back to the ship before the thing self-destructs. Maybe it's time to tell legal and IT that if these policies are truly worth having, they are worth enforcing to the letter of the law. Let's see where that goes!

      You know, if we threw the proprietary vendors out of corporate IT, there would be standardization. As an added bonus, the legal and finance departments would be no longer involved in the procurement process. There would also be fewer choices, but traditional corporate IT is sticking us with mostly bad choices anyway.

    38. Re:I don't believe it by Xiaran · · Score: 1

      In pretty much all the large companies I've worked in I'd rather I fix my machine than let IT get their greasy, incompetent mitts on it. I'm a software developer. The oversight I've seen with regard to build integrity and security has *never* been competent.

    39. Re:I don't believe it by Anonymous Coward · · Score: 0

      Depending on the specific policy and the user's intended goals at the time, the humiliation game plan may not work out exactly as you expect.

      Is it any wonder when IT has an adversarial relationship with the users and the IT people bemoan the lack of respect for IT professionals? Could there be a connection here?

    40. Re:I don't believe it by BVis · · Score: 1

      The trouble with your statement is that, with a few egregious exceptions (mostly centered around sexual harassment lawsuits or corporate espionage) nobody ever gets in trouble for violating IT policy. A policy that doesn't get enforced is no policy at all.

      Sure, the employee handbook might say "violations of policy will result in punishment up to and including termination", but when was the last time you heard about someone repeatedly ignoring IT policy or instruction and getting fired for it? The most common example I can come up with is queue sizes on Outlook. Sure, the policy might say "your queue cannot exceed XX MB, after that transfer to a local .PST", but then when the Vice President In Charge Of Things That Begin With H On Alternate Tuesdays violates the policy, and steadfastly refuses to do anything about it despite causing multiple helpdesk calls/space problems on the Exchange server, what happens? IT gets told to ignore it. This precedent flows downhill, and soon everyone ignores the policy because they know it's toothless.

      IT policies will be followed when the IT manager can go to an executive and say "You're fired for repeated violations of IT policy. No severance package for you, we're terminating you for cause." Until then, IT policies have all the teeth of an amoeba.

      --
      Never underestimate the power of stupid people in large groups.
    41. Re:I don't believe it by Anonymous Coward · · Score: 0

      What did the black box spit out for SSH or RDP connections?

    42. Re:I don't believe it by Phisbut · · Score: 1

      Sure, the employee handbook might say "violations of policy will result in punishment up to and including termination", but when was the last time you heard about someone repeatedly ignoring IT policy or instruction and getting fired for it?

      It's happened. Just about every time a manager wants to fire someone either randomly or for reasons that are in a gray area in terms of legality, he'll start a file on that employee and log every policy violation to justify the termination.

      --
      After 3 days without programming, life becomes meaningless
      - The Tao of Programming
    43. Re:I don't believe it by BVis · · Score: 1

      That might be, but if I understand you right, the IT policy violations weren't the *primary* reason for the manager wanting to terminate someone.

      Where are you that a manager needs a reason to fire someone? Here we're all 'at-will' employees and can be fired at any time for no reason.

      --
      Never underestimate the power of stupid people in large groups.
    44. Re:I don't believe it by Anonymous Coward · · Score: 0

      The problem is that 1/3 of IT policies are made by idiots whose mission in life is to restrict worker productivity. When questioned, the idiot response is blah blah security, virus blah blah, without any true understanding of either.

    45. Re:I don't believe it by Anonymous Coward · · Score: 0

      Two types of policies:

      1. True policy. Impossible for a user to violate, enforced automatically, and applied with absolute consistency. There are limitations about how far you can go before preventing legitimate business activity. But the consistency and automated enforceability are two characteristics of true policy. If you envision something that is impossible to automate or apply consistently to everyone, it's time to rethink (or relegate to the netherworld of policy by edict -- see below).

      2. Policy by edict. Generally meaningless; enforcement is manual and inconsistent. People can always be held responsible for their actions, but it is the net result of their action that triggers responsibility -- not mere violation of policy. For example: Install an unauthorized GPL-licensed utility, and it's a violation. Install a pirated utility that is exposed during a BSA audit and results in a whopper fine, and you are sitting at ground zero of a policy issue.

    46. Re:I don't believe it by Phisbut · · Score: 1

      Where are you that a manager needs a reason to fire someone? Here we're all 'at-will' employees and can be fired at any time for no reason.

      Where are *you* that a manager can fire someone for any arbitrary reason? What if your manager is a homophobe and just discovered your coworker is gay. Is he allowed to fire him for being gay?

      --
      After 3 days without programming, life becomes meaningless
      - The Tao of Programming
    47. Re:I don't believe it by BVis · · Score: 1

      I'm in Massachusetts, which, like lots of others, is an "at-will" employment state. An employee can be terminated for no reason whatsoever. If the ex-employee believes that he/she has been terminated for discriminatory reasons (i.e. your gay/homophobe scenario) the burden of proof is on them if they decide to file suit. Knowing why you've been fired and proving it are two very different things.

      What it boils down to, is if someone wants you gone, you're gone. They don't need to give you or anyone else a reason for the termination.

      --
      Never underestimate the power of stupid people in large groups.
    48. Re:I don't believe it by HKLD · · Score: 1

      My question is which third? I know that sometimes the top third of people violate IT policy but I reckon the real issue is when people are violating policy using their middle third...

    49. Re:I don't believe it by dhanson865 · · Score: 1

      "Downloading personal software onto a work computer--74% of those who have done this believe it is not a risky behavior, even though they may unintentionally install spyware or malware on the work computer." I understand some users don't know the difference between downloading and installing but you'd like to see the writer at HNS CONSULTING LTD get that term right. Download all day long. It's installing it after you download it that is risky. I mean really if you download an ISO but don't have a CD burner or any way to get the ISO off the PC all you did was waste bandwidth. If you download an EXE or Zip and move it to a flash disk to take home you still didn't install software on the work computer. You can break a lot of policies by downloading files and still totally avoid this whole "unintentionally install" strawman/misnomer.

    50. Re:I don't believe it by COMON$ · · Score: 1

      And of course the time window is moot because someone could just set up the routes in their network to deny VPN from internal addresses.....

      --
      CS: It is all sink or swim...oh and did I mention there are sharks in that water?
    51. Re:I don't believe it by jp10558 · · Score: 1

      AIM is mostly security - it has had several cracks, same old phishing links work with no scanning in place at all, open text can be sniffed easily etc.

      Web Radio could be bandwidth related. Some places pay per GB transferred, and while one web radio stream is negligible, potentially hundreds the costs add up, and use up limited network bandwidth. The best part is when users forget to stop the radio when they go home for the weekend, then you've spent money for 2 days of less than nothing, not even employee enjoyment.

      --
      Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
    52. Re:I don't believe it by skintigh2 · · Score: 1

      It is exactly the same where I work: 2 upper, 2 lower, 2 number, 2 special, and varying length requirements up to 16 characters, and you need to change them every 2-4 weeks with no re-use, and I must have 10-15 different systems to log into each with its own password.

      I have a very busy sticky note in my desk drawer. Security accomplished.

      And I'm a "security professional."
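The two comments above (ewhenn's "Aotepad1 / Botepad1 / Cotepad1" rotation and skintigh2's sticky-note drawer) describe the same failure mode: forced rotation plus complexity rules pushes people toward sequential passwords. The following is an added example written for this page, not code from Slashdot or from any commenter, showing what a password-change check would have to do to catch that pattern: enforce the "3 of 4 character classes" rule ewhenn describes, and additionally reject a new password that is only a few edits away from the old one or that reuses the same letters with only case, digits or symbols changed. The thresholds (`min_len`, `min_classes`, `min_distance`) and the sample passwords are hypothetical, and no real directory or product settings are implied.

```python
import string

# Character classes from the rotation rule described in the thread:
# "3 of 4 items (CAPS, lowercase, numbers, and special characters)".
CHAR_CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def class_count(password: str) -> int:
    """Number of distinct character classes present in the password."""
    return sum(1 for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))


def levenshtein(a: str, b: str) -> int:
    """Edit distance: the minimum number of single-character insertions,
    deletions or substitutions that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def core(password: str) -> str:
    """Case-folded letters only: 'Aotepad1', 'aotepad2' and 'AOTEPAD!3'
    all collapse to the same core 'aotepad'."""
    return "".join(c for c in password.casefold() if c.isalpha())


def check_password_change(old: str, new: str, *, min_len: int = 8,
                          min_classes: int = 3, min_distance: int = 3) -> list[str]:
    """Return the reasons a change is rejected; an empty list means accepted.
    Thresholds are hypothetical defaults chosen for this example."""
    reasons = []
    if len(new) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if class_count(new) < min_classes:
        reasons.append(f"uses fewer than {min_classes} of 4 character classes")
    if new == old:
        reasons.append("identical to the previous password")
    elif levenshtein(old, new) < min_distance:
        reasons.append(f"fewer than {min_distance} edits away from the previous password")
    # Catches the "same word, shuffle the decorations" variant that the
    # edit-distance rule alone misses when every letter changes case.
    if core(old) and core(old) == core(new):
        reasons.append("same letters as the previous password with only case/digits/symbols changed")
    return reasons


if __name__ == "__main__":
    # Constructed sample changes mirroring the sequence pattern from the thread.
    for old, new in [("Aotepad1", "Botepad1"), ("Aotepad1", "AOTEPAD!2"),
                     ("Aotepad1", "password"), ("Aotepad1", "jd%2MdEP!7rqA")]:
        verdict = check_password_change(old, new)
        print(f"{old!r} -> {new!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

The point of the `core` check is that a pure edit-distance rule is satisfied by flipping the case of every letter, so a user who has learned the rule can still keep the same memorised word. Neither check addresses the underlying incentive skintigh2 describes; a similarity filter only raises the cost of the workaround, and the sticky note remains the predictable outcome of demanding 10-15 frequently rotated passwords.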

    53. Re:I don't believe it by Fulcrum+of+Evil · · Score: 1

      If the vpn is set up properly, your internal connection to the vpn would just be a loop out to the firewall, then back inside. Cute, but not generally useful.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    54. Re:I don't believe it by Architect_sasyr · · Score: 1

      Intentional... big fan of the BOFH and try to emulate at all times.

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
    55. Re:I don't believe it by Anonymous Coward · · Score: 0

      I work for a large IT organization - with over 40k servers of all types. We are **not** a hosting company, these are just to run the business. There are so many things that CAN'T be done by policy, that even checking my work email can violate corporate policy since I'm not allowed to know certain things that others may email to me. "Incidental internet use" isn't allowed.

      Most of the rules seem to be to protect against legal concerns, then you come across really stupid security things that are still allowed - telnet, ftp - both allowed. Stupid.
      Then others are almost impossible to follow because they conflict with other rules. Basically, they use them to be able to terminate you for cause any time they want. PCs are scanned for disallowed files.
      Network access is monitored - don't try to remove your I.E. URL cache file - that's a violation. Also, don't load/use any software that isn't provided by the company - violation. Phone calls are recorded. Big Brother has cameras everywhere in the buildings and this isn't even the government watching. Just where I work and allowed in my employment contract updated years after being hired. Sign now or goodbye.

      Then they have a PIN for intranet access - 4 character. Stupid.

      Most development teams are completely clueless about security. They got certified in .Net or Java and think that's all they need to know. Stupid. You need to know networking and the OS too, but the Java programmers are the worst. They seem to think the OS is completely someone else's problem. Stupid.

      I once saw an outside vendor provide their private SSL cert key to an idiot project manager who thought we needed it. They emailed it. Nice. Stupid.

      The best C/C++ programmers are aware of the OS and tend to care at least a little about security.

      The level of stupidity is completely astounding to me. I've done some bonehead stupid things over the years too. My selective memory doesn't remember any of them being this bad though.

    56. Re:I don't believe it by digitalchinky · · Score: 1

      The answer depends entirely upon where the intercept is taking place, as well as how interesting the information might be. Traffic analysis can be just as important as the message conveyed, encrypted or otherwise. While some encryption schemes are expensive to reverse, people with power and money might simply move from man in the middle to a bit of door kicking and some force.

    57. Re:I don't believe it by lucifuge31337 · · Score: 1

      If your VPN were set up properly it would be split routing, so only internal IPs (and possibly remote site-to-site VPNs normally reachable through the internal network) are reachable through the VPN, and everything else goes out of the default route. Which, internally, ought to be the same websense-enabled box in this situation. It's not rocket science, but when server admins take care of network infrastructure, this is what one ends up with.

      --
      Do not fold, spindle or mutilate.
  2. really? by Dance_Dance_Karnov · · Score: 1

    only a third?

  3. Only one third? by Reality+Master+201 · · Score: 1

    Bullshit. Maybe 1/3 are dumb enough to cop to it.

    Perhaps you've got it backwards and only 1/3 don't violate IT policies. And even that sounds light.

    1. Re:Only one third? by ivan256 · · Score: 1

      1/3 admit to it.... The other 2/3rds don't even know what the policies are in the first place.

    2. Re:Only one third? by KillerCow · · Score: 1

      Maybe 1/3 are dumb enough to cop to it.


      No, 1/3 actually know that they are breaking policy. The other 2/3 don't realize that checking their personal email, reading a non-work-related site, or taking files home is a policy violation.
    3. Re:Only one third? by arivanov · · Score: 1

      1/3 admit
      1/3 lie
      1/3 does not give a f**k

      About right by the look of it.

      Not that IT does not deserve it.

      Any stupid, prudish, paranoid or sometimes outright insane request can become a policy item in a matter of minutes.

      Example (happened to me). A new HR director comes in horrified wanting to talk to you how do you dare not having a content filter to stop inappropriate content from being viewed.

      The usual IT professional goes and implements it straight away. The fact that nobody is viewing it in the first place and there is a stack of Daily Express and Sun in the dining room is ignored for some reason. Guess it is OK to download softporn from the newsagent, but not OK to do so from your PC. And so on.

      Result - new policy item and new expense item on the IT budget sheet.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    4. Re:Only one third? by dbIII · · Score: 1

      It really depends on how tight the policies are, how congested the link is, and if they are aware of how much logging is going on. Due to problems with communications infrastructure in Australia I can't get as fast a link at work as many users have at home. A side effect is they run their p2p stuff at home and if they do it at work they just get a polite visit and get told there isn't enough bandwidth. Multiple slow links only spread the pain, they don't reduce it much. If there is just a resource based policy it makes it a lot easier than a social issue based policy, and the awareness that everything is being logged probably deters some from spending entire days looking at various non-work related images.

    5. Re:Only one third? by ivan256 · · Score: 1

      The fact that nobody is viewing it in the first place and there is a stack of Daily Express and Sun in the dining room is ignored for some reason.


      That pisses me off for a whole other set of reasons.

      Cosmo is allowed in the break-room, but not Maxim. One of those two magazines shows full female nudity, and it's *not* Maxim. At a previous company I worked for, it was the same woman bringing in the Cosmo and complaining about the Maxim...

      How do we let people get so "sensitive" about harmless shit, and why do we appease them instead of telling them to grow the fuck up?
    6. Re:Only one third? by mrchaotica · · Score: 1

      How do we let people get so "sensitive" about harmless shit, and why do we appease them instead of telling them to grow the fuck up?

      Because if you tell them to grow the fuck up, they'll find a bunch of other "sensitive" dumbasses on a jury to award them a couple million dollars of your IT budget. Or your (former) salary.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    7. Re:Only one third? by drsmithy · · Score: 1

      Not that IT does not deserve it.
      Any stupid, prudish, paranoid or sometimes outright insane request can become a policy item in a matter of minutes.
      Example (happened to me). A new HR director comes in horrified wanting to talk to you how do you dare not having a content filter to stop inappropriate content from being viewed.
      The usual IT professional goes and implements it straight away. [...]

      It is not the job of the IT department to create or enforce (from the HR perspective of enforce) policy, merely to implement it. Ergo, it's not IT's fault if people either a) don't follow policies or b) don't know about them.

      Depending on the environment, you might be able to get away with technical and/or budgetary and/or business arguments against various forms of filtering (this is certainly how we avoid blocking all but the most high-profile and blatant timewasters like facebook and myspace), but those are the _only_ avenues IT has. "Because people are reading Cosmo in the breakout room" (ie: use common fucking sense) is, tragically, not a line of reasoning that will be paid attention to.

    8. Re:Only one third? by arivanov · · Score: 1
      "Because people are reading Cosmo in the breakout room" (ie: use common fucking sense) is, tragically, not a line of reasoning that will be paid attention to.

      Then do not be a wimp, put an IT line of reasoning on it. Ask the stupid b*** if she would allow you to scan it and send it to all employees in the company. Been there, done that. She never tried that one again.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    9. Re:Only one third? by ivan256 · · Score: 1

      The obvious solution there is to start telling them that before they're old enough to know what "sue" means.

      Unfortunately, that is becoming much more difficult, as I suspect we've got a few kids around here whose first word was "lawsuit".

    10. Re:Only one third? by Ansonmont · · Score: 1

      What's your problem? Read the one with more nudity! Really...or just bring in Vanity Fair...
      -A

  4. of course by Vanden · · Score: 2, Insightful

    I think most of us could've told them that without all of the silly research.

    Seriously though, for most people, unless they know there's a risk of being fired if they don't comply, chances are that they're not going to care about corporate IT policies. Most companies don't actually police them, so what benefit do they have in following them?

    While people should be responsible enough to do what their job requires, it falls back on the corporate IT folks to make sure their policies are enforced.

    1. Re:of course by Anonymous Coward · · Score: 0

      where I work we routinely pass around images, figures, and datasets as email attachments.

      Our IT group thinks 10MB is enough email space, and charges $1/MB if we go over.

      GMail is free.

      I routinely see people using gmail for government business . . . because the government rates for email storage have not kept pace with today's academic lifestyle.

    2. Re:of course by PitaBred · · Score: 1

      They make network shares for a reason. Seriously... 30MB emails are stupid. Use appropriate tools for different jobs.

    3. Re:of course by Aetuneo · · Score: 4, Insightful

      So most people realize, on some level, that the purpose of many of these rules is to make the people administering the network feel safer? For example, if a company is sued by the RIAA/MPAA on the basis of someone on their network downloading music/movies illegally, they would have the protection of that being against their policies, so they can either fire that person for violating the policies, or pass on the lawsuit (for example, suing that person in turn). Thus, if you know what you are doing, it doesn't matter if it is against the rules unless attention is drawn to it - and unless it is harmful, the worst that would happen is probably a slap on the wrist, and perhaps not even that.

      --
      Everything is subjective.
    4. Re:of course by celardore · · Score: 1

      They make network shares for a reason. Seriously... 30MB emails are stupid. Use appropriate tools for different jobs.

      I work in accounts and some of the spreadsheets we work with are colossal, I'm talking 40MB without pivot tables etc. I had to educate the bosses that by zipping it, it was reduced to about 5MB and much more bearable to email.
    5. Re:of course by Felix+Da+Rat · · Score: 1

      Seriously though, for most people, unless they know there's a risk of being fired if they don't comply, chances are that they're not going to care about corporate IT policies. Most companies don't actual police them, so what benefit do they have in following them?

      I've seen a couple of people let go over their use of corporate resources. From talking with the network guys, it's always been a matter of management wanting to get rid of someone for whatever reason, and using the IT side of things as the stick. Most often it's folks keeping bankers hours, talking on the phone all day, not meeting deadlines, etc. Then it's a fairly simple matter to make a case of inappropriate use of resources.

      I guess where I'm going with this is that most management knows staff is gonna slack online/over the phone. So they'll always give you some rope, but hanging yourself is up to you and your other performance. Do well, no problems. Milk them for money, and they'll have a stack of violations against ya so fast.

  5. only 1/3? yeah right. by twoboxen · · Score: 1

    For every company that I've worked, there has always been a "proper use" policy for PC usage. None of them allow the web e-mail, StumbleUpon, Slashdot, Digg, and/or Reddit time that nearly ALL coworkers I've seen use (with me, I use all of them most of the day. They should give me work that I've been requesting. Small tasks do nothing to fill 8ish hours.)

    --
    TODO - Insert Creative/Witty Signature
  6. Lol by jayhawk88 · · Score: 5, Funny

    Of those, almost a sixth actually used P2P technologies from their work PCs.

    In other news, one sixth of one third of all IT admins are stupid enough to not block P2P traffic on their networks.

    1. Re:Lol by QuantumRiff · · Score: 4, Funny

      And what percentage of the people they called actually responded to the survey? I would kick my users if I found they took time out of the day to talk on the phone about how they break policy (and security) over the phone to a stranger doing a "survey".

      --

      What are we going to do tonight Brain?
    2. Re:Lol by thegrassyknowl · · Score: 4, Interesting

      In other news, one sixth of one third of all IT admins are stupid enough to not block P2P traffic on their networks.

      It's quite hard to block p2p traffic explicitly while leaving other protocols open. P2P traffic moves in a number of arbitrary ports and uses a lot of protocols. New protocols are coming and going regularly. L7 packet filtering helps with the common protocols but if they are also using encryption you've got bugger all chance of blocking them totally.

      I was playing cat and mouse for a while. Block Kazaa and they move to Emule. Block that and they move to torrent. Block that and they start using gnutella. The game goes on and on.

      The only way I've found to reliably block all p2p and other things without major hassles in the firewall is to block everything, install a proxy server for HTTP, HTTPS and FTP and then only punch out ports from trusted machines and with good valid reasons from people (and a paper trail for those reasons). eg, the PBX can talk to our upstream SIP provider, the mail server can speak port 25 to the outside world but nobody else can and my desktop PC has rsync access to our ISPs file mirror.

      I have procedures in place to get things like torrents because they occasionally have legitimate uses. I have one machine that only I have a user account on. If someone thinks a torrent is useful and related to work they can ask me to get that torrent for them. It keeps them from running clients on their own PCs and still allows them to get files if needed. Half the time they just want torrents of files like Linux distros that are available on our ISP's mirror at no data charge to us.

      With all that security comes problems. The boss wants to violate his own Internet policy (bittorrent for movies and all that) and the new firewall stops him from doing it. He has a personal email account he insists on checking with pop3 but can't now because that's blocked. There are no end of complaints about how all these violating things that used to be possible now aren't. For many admins there is a lot of pressure from management to not block things because the managers want to have a free run. Not every IT person is gutsy enough to stand up and say "no fucking way".

      --
      I drink to make other people interesting!
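      The default-deny egress layout described in the post above (block everything, proxy for HTTP/HTTPS/FTP, then punch out single ports for single hosts with a paper trail), written out as an added pf.conf fragment. This is not the poster's ruleset; pf is only mentioned later in the thread. Interface names, addresses (RFC 5737 documentation ranges), the proxy port and the upstream provider addresses are all assumptions.

```pf
# Added example: default-deny egress policy for a small office gateway.
# All interface names and addresses below are assumed.
ext_if = "em0"
int_if = "em1"
lan          = "192.0.2.0/24"
proxy        = "192.0.2.10"     # Squid: the only general HTTP/HTTPS/FTP egress path
mail         = "192.0.2.25"
pbx          = "192.0.2.30"
admin_pc     = "192.0.2.50"     # desktop allowed to rsync from the ISP mirror
resolver     = "192.0.2.53"     # internal caching resolver
sip_provider = "198.51.100.5"
isp_mirror   = "198.51.100.20"

set skip on lo0
set block-policy return

# Default deny in both directions on every interface, logged. Every pass rule
# below is an explicit exception; pf keeps state for pass rules by default, so
# replies to permitted connections need no rule of their own.
block log all

# Proxy: HTTP, HTTPS and the FTP control channel only. Passive FTP data ports
# are deliberately not opened here; add them per deployment if FTP is needed.
pass proto tcp from $proxy to any port { 21 80 443 }

# Mail server: SMTP out to the world, SMTP in from the world.
pass proto tcp from $mail to any port 25
pass proto tcp from any to $mail port 25

# PBX: SIP signalling to the upstream provider only. The provider's RTP range
# goes here as well, restricted to $sip_provider rather than "any".
pass proto udp from $pbx to $sip_provider port 5060

# Admin desktop: rsync to the ISP mirror, nothing else.
pass proto tcp from $admin_pc to $isp_mirror port 873

# Only the resolver may talk DNS to the outside. LAN hosts query the resolver,
# which also keeps any DNS tunnelling visible in one log.
pass proto { tcp udp } from $resolver to any port 53
```

      Hosts on the same segment as the proxy and resolver reach them without crossing the gateway, so no rule is needed for that; if the proxy sits behind a separate interface, add `pass proto tcp from $lan to $proxy port 3128`. Rules are written without `in`/`out` so one line covers the packet entering on $int_if and leaving on $ext_if; the `block log all` line is what makes "I forgot to list it" fail closed, and `pflog0` is where the forgotten things show up.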
    3. Re:Lol by goodtim · · Score: 1

      I have to agree with you on this point. I work in IT, although not as a network security person. However, I do know that our corporate firewall's default policy is to block all traffic (incoming and outgoing). Anything to pass to or from the internet must have an explicit rule created. For us, this pretty much axes P2P because P2P programs tend to use ports that have not been opened. That means that for the people in this survey to use P2P they must be a) behind a firewall whose default policy is to accept traffic (which is retarded), or b) those ports have been opened by someone. I also suppose they could be using some sort of VPN tunnel. But that seems like a stretch.

      Regardless, if someone is using P2P on your network and you don't want them to. You're an idiot.

      --
      "Flee at once, all is discovered."
    4. Re:Lol by Courageous · · Score: 1

      Well. I mod you +1 intelligent. That might actually work. I can still send hidden data through your https proxy to a website I control. But never mind that. That actually takes work. :)

      C//

    5. Re:Lol by thegrassyknowl · · Score: 1

      I agree that there are ways of tunneling data through the HTTP and HTTPS proxies. You're never going to stop it happening. Best you can do is make it hard so that the technically inept can't abuse your system and then keep an eye on who's doing what.

      Proxy logins let you keep track of who is sending how much data through the proxy at least. It's amazing how emailing everyone with the top 10 proxy users with their total usage each week cuts your Internet usage bill. Nobody wants to be in the top 10 because the top 10 get special attention to what they were doing.

      --
      I drink to make other people interesting!
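      The weekly "top 10 proxy users" report described above, as an added example that is not part of the original post. It parses Squid's native access.log format (time, elapsed, client, code/status, bytes, method, URL, user, hierarchy/peer, type), sums bytes per authenticated user, and falls back to the client address when a line has no user so that unauthenticated usage is not silently dropped. The log lines are constructed, not from any real proxy.

```python
"""Weekly top-N proxy users by bytes, from Squid native access.log lines.

Added example; the sample lines are constructed. Squid's native format is:
  time elapsed client code/status bytes method URL user hierarchy/peer type
"""
from collections import defaultdict

# Constructed sample log: two authenticated heavy users, one light user,
# one unauthenticated (denied) request, and one junk line to be skipped.
SAMPLE_LOG = """\
1201000000.123    245 192.0.2.51 TCP_MISS/200 15432 GET http://example.com/index.html alice DIRECT/93.184.216.34 text/html
1201000001.456   1800 192.0.2.52 TCP_MISS/200 104857600 GET http://mirror.example.net/dist.iso bob DIRECT/198.51.100.20 application/octet-stream
1201000002.789     90 192.0.2.51 TCP_HIT/200 2048 GET http://example.com/logo.png alice NONE/- image/png
1201000003.000    500 192.0.2.53 TCP_MISS/200 52428800 CONNECT video.example.org:443 carol DIRECT/203.0.113.7 -
1201000004.000     10 192.0.2.54 TCP_DENIED/407 0 GET http://example.com/ - NONE/- text/html
1201000005.000    300 192.0.2.53 TCP_MISS/200 73400320 CONNECT video.example.org:443 carol DIRECT/203.0.113.7 -
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return (user, bytes) for one native-format line, or None if unparsable.

    Requests without authentication carry '-' as the user; they are
    attributed to the client address instead so anonymous usage stays visible.
    """
    fields = line.split()
    if len(fields) < 8:
        return None
    try:
        nbytes = int(fields[4])
    except ValueError:
        return None
    user = fields[7]
    if user == "-":
        user = fields[2]  # fall back to the client IP
    return user, nbytes


def usage_by_user(log_text):
    """Total bytes per user (or per client IP for unauthenticated lines)."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip, do not abort the whole report
        user, nbytes = parsed
        totals[user] += nbytes
    return dict(totals)


def top_users(log_text, n=10):
    """Return [(user, bytes), ...] sorted by bytes descending, at most n entries."""
    totals = usage_by_user(log_text)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def format_report(ranking):
    """Render the ranking as the plain-text body of the weekly mail."""
    lines = ["Top proxy users this week (bytes through the proxy):"]
    for rank, (user, nbytes) in enumerate(ranking, start=1):
        lines.append(f"{rank:2d}. {user:<16} {nbytes / (1024 * 1024):10.1f} MiB")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(top_users(SAMPLE_LOG)))
```

      Run it against a real `access.log` by reading the file into `top_users` instead of `SAMPLE_LOG`; a per-user report is only meaningful if the proxy requires authentication, otherwise the fallback to client IP is all you get, and on a DHCP network that is a weaker identity than it looks.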
    6. Re:Lol by Courageous · · Score: 1


      Yup. That's the same way I manage shared storage.

      I guess I'd have to be careful not to download those operating system .iso files with you around. *kidding*

      My company currently implemented one of those "you can't go here" web thingies. I'm glad they did. Practical bandwidth for downloading things like .iso images went up literally a factor of 10X when they put the filter on. Hurrah.

      C//

    7. Re:Lol by thegrassyknowl · · Score: 1

      Depending on the operating system iso file you may or may not get the BOFH treatment from me.

      Huge usage isn't a problem if it's justified. I don't record anything from our ISP's local mirror because it has terabytes of stuff and it's not metered (doesn't cost us). There's about every Linux distribution on there you could think of, a couple of BSDs, a Windows software archive (was Tucows, now I think it's Majorgeeks but I haven't checked).

      Huge usage usually == youtube or pr0nz. If I have a copy on DVD on my desk within 20 minutes then access_log might get a little forgetful about what you downloaded ;) I'm not a complete bastard (yet) but I am the point of blame if/when someone comes knocking with a complaint about something. It's nice to make sure the users know that they are accountable for their actions.

      Now how do I get my shell script to sleep for a random time between loading pf.conf and pf_drop_boss_packets.conf in a loop? ;)

      --
      I drink to make other people interesting!
    8. Re:Lol by Billly+Gates · · Score: 1

      Where my brother works they all use static IP addresses and not DHCP.

      Reason being is to track down such users who open your business to liability and screw things up. It can sound complicated but it's really quite simple and takes only a few mouse clicks and someone entering the machine's MAC with a new IP in excel.

      No p2p traffic needs to be on any network and static IP makes finding things a lot easier without expensive equipment.

    9. Re:Lol by vux984 · · Score: 3, Insightful

      Not every IT person is gutsy enough to stand up and say "no fucking way".

      Not every IT person should. IT is a service industry. They need to make sure they are providing the service that is actually desired.

      Downloading torrents is a pig on bandwidth, but unless bandwidth is cramped, so what?

      Downloading from external email accounts may carry greater virus risks, but they are going to pick up the messages when they get the laptop home anyway, so the machine comes in infected tomorrow instead of this afternoon. Or they'll pick it up through some webmail account somewhere that you haven't blocked. Or they'll hook up their laptop to their cellphone/pda.

      Some IT departments should say "no fucking way". But in a lot of them IT is supposed to simply be providing a secure reliable functional network. That doesn't necessarily mean locking it down so hard that its reliability reaches 5 9s, and it's so secure even the users can't get in half the time, while functionality is at the bare minimum specified in an SLA, while IT pats itself on the back for a job well done.

      Meanwhile half the staff have resorted to personal laptops/pdas and cellular data plans because they can't get email from important customers through the company mail server, and they can't access web content they need through the company network without jumping through stupid hoops each and every time... and IT just stands around saying "no fucking way".

      For every PHB manager drawing up pointless re-org charts and misusing buzzwords, and marketing moron promising perpetual motion machines and obsessing over what color they should be, there is an IT-admin somewhere very effectively ensuring his network is as hostile, unfriendly, and as unusable as possible to the people trying to use it.

      Like I said, Some IT departments should say "no fucking way". Some environments and situations DO demand that. But many of them say that a hell of a lot more often than is remotely justifiable.

    10. Re:Lol by thegrassyknowl · · Score: 1

      I won't quote your post, but I disagree with it.

      IT is a service industry, yes. I am in the business of providing a reliable, stable network to the company I work for. That includes the Internet connection. There's a lot that passes over my Internet links. Email, WWW, some VoIP, and whatever else I need to allow. Email and the handful of calls that we do need to route over VoIP are of the highest priority.

      I run a tight Internet policy so that I can guarantee that some clueless n00b won't come along and set up his torrent client to run flat out, effectively slowing down the connection for everyone else and breaking email or VoIP. Like most admins I don't have the budget to bring in a bigger link or more links to handle general traffic separately.

      I don't need worms on my internal network hammering at my servers. It's one thing to keep them patched and another to protect them from the very client machines that need to use them. I don't run firewalls on the internal machines because that would limit their utility, achieve no real effect and cause unnecessary restrictions.

      Now, why wouldn't people be able to get web content or email through my network? The only good reason that content wouldn't be delivered to them is if it failed the virus or spam tests at the border. In either case the user is notified and the content is quarantined. If they really need the content they can follow the directions they are given when they are notified and one of the admins can run further tests to yay or nay it then pass it on if it's really safe.

      Thus far, I have had no complaints except about access to external pop3 servers being blocked. I haven't (to date) blocked external webmail providers like Hotmail/Yahoo/Gmail. I don't see any need to, as most webmail services these days offer spam and virus filtering anyway. Sure, there's always the chance something will slip through but the protections running on each local machine should hopefully catch it.

      I'd really like to block some of the streaming video sites because I see one user (unfortunately the only person above me) using a LOT of data from youtube (2G in about 8 hours) and he wasn't even in the office. He'd just set it up to download a stack of files so he could watch them later. So far I haven't blocked it yet. I am tempted because it is wasteful and while it only costs a little, it's still a cost that has to be covered.

      There are a lot of things that you can do to protect your network and limit what your users can and cannot do without actually imposing restrictions that they will notice. The only major blockages I put on people is the external pipe.

      I've really only talked about the Internet pipe here. That is the biggest place that I see problems with everyone expecting to do everything, regardless of how it might affect things. I have pretty strict rules on doing other things in my network too. No changes are made without good reason. If it ain't broke don't fix it, so they say. It's important to keep the network running as the users expect it to. With changes comes the potential for breakages even if those breakages didn't occur in your test cases.

      I've been asked to do some really dumb things in my time. The most blatantly offensive two I was asked to do was store passwords unencrypted or require users to store their passwords in a text file so the boss could access their accounts (why I don't know; the admins had enough access if it was ever needed). The other was to forward all email passing through the server to the director's mailbox so he could "keep abreast of company goings on" (read: snoop). That violated my sense of privacy - it's a reasonable expectation that if I send an email to a person only that person gets it, not that person and his boss. When the boss wouldn't back down I resigned.

      So, when providing a service you have to impose restrictions to keep the quality of that service high and also protect your users. There is only so much budget for bandwidth, hardware

      --
      I drink to make other people interesting!
    11. Re:Lol by garwain · · Score: 1

      At a previous job, after getting complaints from higher up, after locking everything down tight enough that even a fly's fart wouldn't make it through, I offered up a solution to the execs that were responsible for my employment... Get pricing per additional block of static IPs from our upstream provider, pricing from cabling contractor, prepare a quote to add a second data line in each $important_enough_to_bypass_rules office. $UberBoss shelled out the cash to have a dedicated line in each office, then when the execs wanted to bypass IT rules, they had to switch their ethernet cables. I knew it was asking for FUBAR machines, but hey, they all had laptops, and would do the exact same things at home.

    12. Re:Lol by R2.0 · · Score: 1

      "I was playing cat and mouse for a while. Block Kazaa and they move to Emule. Block that and they move to torrent. Block that and they start using gnutella. The game goes on and on. "

      You are right - that is a sucker's game.

      How about an email to the offending employee's boss? "Dear Random PHB: An employee in your section, one Jane P. Douchebag, is violating IT policy by allowing free access to her hard drive from the outside. Among the 6.7 gigabytes of music, movies, and porn she has made available are also documents detailing customer records, company strategy, and certain emails from her to a competitor. Just thought you might want to know. Very Truly Yours, BOFH."

      Pass the popcorn.

      --
      "As God is my witness, I thought turkeys could fly." A. Carlson
    13. Re:Lol by Courageous · · Score: 1

      WAN accelerators have been around for a while. These can be problematic if they are not completely transparent. Juniper is now selling one that is. They unfortunately require two end points to work. One at the ISP, and one where you are. And they are expensive. But I'm betting devices like this will drop in cost enormously over the next several years. This is like having an auto-mirror of sorts, for the most frequently demanded blocks of data in your organization. You can almost imagine being able to selectively turn on certain internet radio channels with one.

      On the inappropriate downloads subject: we had this guy at my last company who downloaded so much porn, it got noticed by storage volume. Yeah, he put it onto *shared* storage. Thing is, that volume just so happened to be the same one that we spooled our mail onto, so the mail server croaked and we had to go looking.

      He quit before we could terminate him. But. I, you know, transferred all his good labors to a CD and took it home. I did not, however, leave it on the mail spooler drive...

      LOL.

      C//

    14. Re:Lol by TemporalBeing · · Score: 1

      The only way I've found to reliably block all p2p and other things without major hassles in the firewall is to block everything, install a proxy server for HTTP, HTTPS and FTP and then only punch out ports from trusted machines and with good valid reasons from people (and a paper trail for those reasons). eg, the PBX can talk to our upstream SIP provider, the mail server can speak port 25 to the outside world but nobody else can and my desktop PC has rsync access to our ISPs file mirror.

      I have procedures in place to get things like torrents because they occasionally have legitimate uses. I have one machine that only I have a user account on. If someone thinks a torrent is useful and related to work they can ask me to get that torrent for them. It keeps them from running clients on their own PCs and still allows them to get files if needed. Half the time they just want torrents of files like Linux distros that are available on our ISP's mirror at no data charge to us.
      Congratulations for killing the productivity of all your development teams, software engineers, and system admins.

      Honestly - I wouldn't be able to either (a) do my job, or (b) do my job as efficiently if it weren't for a lot of the open source tools that I use. I also wouldn't be able to do the research and learn new tools that provide great productivity enhancements to my work and the projects I work on.

      Furthermore, I wouldn't have been able to comply with other company policies. My company is very keen on version controlling stuff - stuff in general - and several projects I have been on did not provide a means (their method was simply copy the directory to a backup location, and name the copy a version, then move on) to do version control. I had to go out and get the tools myself - and we didn't have money to buy the tools either. So I installed Subversion, and have since become a Subversion admin and expert.

      Sure, I could probably have come to you for those downloads, but in a large organization (such as where I work) that really wouldn't work. Your solution doesn't scale as the company grows, and will eventually need to be replaced by something that does.

      Additionally, your methods break my ability to keep systems I administer up to date and secure. The company put a firewall in place, similar to what you describe, and I was no longer able to get updates for my Gentoo server as a result - those authenticating firewalls typically have problems with Linux systems and work 50% to 75% of the time with the Windows systems they were designed to work with. So I went from being able to keep a system up-to-date and secure, to just keeping it running as is. (FYI - I chose Gentoo so that I could keep it up to date, and use the built in packaging system. IT managed to only break security. Oh - and I do have the paper work in to resolve it. It's been nearly 6 months, and no progress has been made. The system is still running, and still being used - but no updates.)

      Thanks for foobar'ng your own network. I'm sure the crackers will love it.
      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    15. Re:Lol by TemporalBeing · · Score: 1

      Few people actually notice the restrictions, and those that do are often seeking to abuse the system.
      Or are in a job that is atypical of who you designed the restrictions for. Software Developers are typically in that atypical relationship with network policies.
      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    16. Re:Lol by AVee · · Score: 1

      ...install a proxy server for HTTP, HTTPS and FTP... I played that 'blocking' game with a sysadmin once, just for the fun of it. I still have my ssh server running on port 443 as well because of that. Are you actually checking the contents of these HTTPS connections, because if I were one of your employees I'd still be doing anything I want with your internet connection.

      That, and I'd be looking for another job if the company would insist on not trusting me with a computer and an internet connection.
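One way a proxy operator could check whether a CONNECT tunnel is actually carrying TLS, as an added example that is not part of the original thread: it classifies the first bytes the client sends using the TLS record and handshake headers (RFC 5246) and the SSH identification string (RFC 4253). The sample payloads and connection ids are constructed.

```python
"""Classify the first client bytes of an HTTPS (CONNECT) tunnel.

Added example for this thread, not code from any of the posters. A real HTTPS
session opens with a TLS record carrying a ClientHello; an SSH session opens
with a plain-text identification string. Anything else is reported as unknown
so the proxy operator can decide whether to alert on it.
"""

TLS_HANDSHAKE = 0x16        # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01     # handshake message type: ClientHello


def classify_tunnel_payload(data: bytes) -> str:
    """Return 'tls', 'ssh' or 'unknown' for the first bytes a client sent."""
    # RFC 4253: the client identification string starts with "SSH-"
    if data.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: type(1) version(2) length(2), then the handshake
    # header: msg_type(1) length(3). A ClientHello is one handshake message,
    # so the handshake length plus its 4-byte header must equal the record length.
    if (len(data) >= 9 and data[0] == TLS_HANDSHAKE and data[1] == 0x03
            and data[2] <= 0x03 and data[5] == TLS_CLIENT_HELLO):
        record_len = int.from_bytes(data[3:5], "big")
        handshake_len = int.from_bytes(data[6:9], "big")
        if handshake_len + 4 == record_len:
            return "tls"
    return "unknown"


def non_tls_tunnels(first_bytes_by_conn: dict) -> list:
    """(connection id, verdict) for every tunnel whose opening bytes are not a ClientHello."""
    return [(conn, classify_tunnel_payload(data))
            for conn, data in sorted(first_bytes_by_conn.items())
            if classify_tunnel_payload(data) != "tls"]


def build_client_hello(body_len: int = 40) -> bytes:
    """Constructed minimal ClientHello record: zero-filled body, consistent lengths."""
    body = bytes(body_len)
    handshake = bytes([TLS_CLIENT_HELLO]) + body_len.to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample: three tunnels opened through the same proxy (documentation addresses).
SAMPLE_TUNNELS = {
    "10.0.0.5:51000->203.0.113.10:443": build_client_hello(),
    "10.0.0.7:51001->203.0.113.20:443": b"SSH-2.0-OpenSSH_7.4\r\n",
    "10.0.0.9:51002->203.0.113.30:443": b"GET / HTTP/1.1\r\nHost: x\r\n\r\n",
}

if __name__ == "__main__":
    for conn, verdict in non_tls_tunnels(SAMPLE_TUNNELS):
        print(f"{conn}: {verdict}")
```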
    17. Re:Lol by Anonymous Coward · · Score: 0

      Most of the time they just think they are because they know something about computers. In reality they're just as clueless about security as everyone else, and actively more dangerous because they think of more ways to break things.

    18. Re:Lol by Atti+K. · · Score: 1

      They do the same only-HTTP(S)/FTP-proxy-to-the-outside-world where I work. (large multinational, btw, you probably know about it :)) BUT, the proxy (I don't know which one, since I go through a few until I reach out), cuts any HTTPS connection after a few minutes (around 5), regardless of whether it's active or not. E.g. Skype (whose usage, of course, is a violation of the IT policy :P, but the funny thing is, many are using it inside the company to cut down on phone costs) disconnects every few minutes and then reconnects again. That makes using it for SSH/VPN etc. tunnels pretty annoying...

      --
      .sig: No such file or directory
    19. Re:Lol by sasdrtx · · Score: 1

      There are far too many restrictions placed on corporate networks and computers that are touted as "security", but are actually nothing but rules to make lazy sysadmins' jobs easier. I used to work as a mainframe systems programmer and the same mindset infected almost all my colleagues. For their pains, they came close to destroying the platform.

      The current situation is as if auto mechanics were in charge of roads, licensing, and police. Where you'd have to have permission (and a "good reason") to go anywhere off your assigned route to and from your job. Where the car you got, how much gas you got, how fast you could drive, etc. were all controlled by a gang of nerds whose main skills consisted of knowing how to change the oil and filters, but were put in charge of all automotive concerns by virtue of few people knowing much about how they operate.

      But eventually, people will realize that with more or less complete freedom at home, they really don't have all that many problems. Eventually, repressive administrators will be put in their place. So enjoy your unbridled freedom while you can. Sooner or later, you're going to have to work, rather than dictating that no one is allowed to cause you any problems.

      Sorry for the sloppy grammar and syntax. Sorry for ignoring your side of the argument. Busy.

      --
      Most people don't even think inside the box.
  7. What they don't say by kpainter · · Score: 5, Interesting

    There are a lot of really stupid IT policies out there that, in the name of security, in fact merely hinder getting work done. I am not talking about P2P. Giving a developer a workstation with a user account with no administrator privileges on Windows is among them.

    1. Re:What they don't say by ruewan · · Score: 2, Insightful

      I agree with you totally. There have been so many times that stupid policies made it difficult for me to get my work done. It is often easier to find ways around the security than to go through the proper channels. I had to do that a lot in my last job.

    2. Re:What they don't say by moderatorrater · · Score: 5, Insightful

      What I've noticed more of is that there's the "Company IT Policy" (tm) and the actual acceptable use policy. On paper you're not allowed to put any personal files on the computer, browse any non-work-related sites, or use a messenger client. In reality, you can bring in your own music or any work-related programs as long as you take the flak for illegal things, browse sites but only for a reasonable amount of time, and the same for messenger.

    3. Re:What they don't say by Volante3192 · · Score: 1

      Course, then there's the opposite extreme where the policy is 'just give them admin if they have a small issue.'

      Then there's no issue...but then they start breaking things and downloading fun toys and as a consultant I have no authority over making policy (only suggesting and implementing) and they don't care enough to put in their own and I have to deal with retards whining about "WHY IS MY COMPUTER SLOW?" and have to spend 5 hours cleaning up MyWebSearchToolbar, New.Net and fuck all else...

      Least it's job security to some extent.

    4. Re:What they don't say by CrazedWalrus · · Score: 1

      That's the situation I'm in right now. IT Security where I work is very good at what they do, to the point of approaching "unplugged, in a box, encased in concrete, and in a locked vault" secure. Unfortunately, the machines are also about that useful.

    5. Re:What they don't say by Adambomb · · Score: 0

      I'm not in the IT department of my current company, but I have seen situations in the past where devs were given complete control of their local machines. The number of devs who think they are specialists in everything because they're specialists in their fields was mind boggling.

      Now, not having a reasonable procedure for devs to request additions to their image with short turnaround IS ridiculous for developers, but giving each individual dev admin locally will eventually end in disaster (especially if you have to have proven control over lines of communication in and out of the company and such).

      --
      Ice Cream has no bones.
    6. Re:What they don't say by Anonymous Coward · · Score: 1, Informative

      There are a lot of really stupid IT policies out there that, in the name of security, in fact merely hinder getting work done. I am not talking about P2P. Giving a developer a workstation with a user account with no administrator privileges on Windows is among them.

      Depends on the kind of developing you are doing. There are many IDEs and testing suites that don't require local admin access.

      On the other hand, if you're writing ethernet drivers, you can't test that on real hardware without admin access.

    7. Re:What they don't say by Anonymous Coward · · Score: 0

      How about you devs stop disabling virus checking, installing God knows what, and actually do your compiling? Half of these complaints are just a "my penis is bigger than yours" I need admin rights type of thing. gcc can build files without you having admin rights on the box, just fine.

      When I first started my job, I'd come across developer machines that were removed from the domain, not running virus scan, had antispyware turned off, not using our corporate image anymore. I'd spend hours cleaning this up, of course knowing my work would be undone as soon as I walked away. Now, I enjoy my job a lot more. I pretend like I didn't notice it (that's funny, our admin account doesn't work...) and report them to security. Nothing like watching a developer handed a box and told to get out to turn my frown upside down!

    8. Re:What they don't say by Some_Llama · · Score: 1

      "Giving a developer a workstation with a user account with no administrator privileges on Windows is among them."

      Why would you give a developer a domain system with administrative purposes?

      Why not a domain system with a local account that has admin that he can use when testing.. or require development work to be done in a VM session where they control their own permissions?

      Why subject the security of the whole network to one user's practices?

      I don't want to have to continuously troubleshoot why a system is being knocked off the network because this developer decided to use a computer name that already exists, or knocks production systems off line because he happened to enable DHCP and is now accepting requests from test servers... (to name a couple of examples)

    9. Re:What they don't say by Ohio+Calvinist · · Score: 1

      On the other hand (if I may play the devil's advocate), it might actually force Windows developers to code applications that flip out (under limited accounts) because they just "assume" you have full-unconstrained use of the system. :)

      I can't list how many times when I was in desktop support/Active Directory admin gigs where I couldn't drop the boom on all kinds of asshattery because there is "this one (poorly written) business critical application." (Why a terminal emulator needs local admin is beyond me to begin with... thanks Datatel).

      --
      Forgive my spelling from time to time. I'm often posting during short breaks.
    10. Re:What they don't say by Anonymous Coward · · Score: 0

      Giving a developer a workstation with a user account with no administrator privileges on Windows is among them.

      Sadly, sometimes Developers with 'admin privileges' are most likely to have a ton of malware on their system.

      Last place I worked at, the Windows admin quit (Screaming "I don't do desktop support!" as he left) and I had to step in for a few months.

      All seven developers had several viruses on their systems, claimed to know nothing about the 'porn downloaders' on their system and would download tainted versions of Photoshop over Kazaa (They weren't aware of the retail box with a legitimate copy of Photoshop sitting on a bookshelf 20 feet from their heads).

      I don't want to get in the way of a developer's efficiency, and I strongly prefer a 'hands off' approach for corporate IT. However, their ignorance was simply amazing.

    11. Re:What they don't say by l0b0 · · Score: 2, Informative

      Even worse is that once you break one of the unreasonable policies (no admin logon on a developer machine, say), it's hard to keep any respect for the more reasonable ones. A bit of trust and leniency would go a long way toward respect. You could for example tell employees that they should avoid spending a lot of bandwidth during peak hours, and give people plenty of warning if they're hogging all the gas.

      Oh, and help them out a little by hinting about things like KeePass for passwords, TrueCrypt for sensitive data, and MD5 Password generator.

    12. Re:What they don't say by Tony+Hoyle · · Score: 1

      ...and I have to deal with retards whining about "WHY IS MY COMPUTER SLOW?" and have to spend 5 hours cleaning up MyWebSearchToolbar, New.Net and fuck all else...

      No you don't.. we had a standing rule - fuck up your computer and we'll reimage it for you (takes about 5 minutes in norton ghost) and give it back to you. Had work on it? Your fault for not making backups.

      We actually had to do this about twice.. after that they learned.

    13. Re:What they don't say by Stamen · · Score: 1

      It all depends on what kind of developer one is. If you're doing Windows desktop development, not giving the developer Admin rights to their machine is more than silly. As in the real world, you have to have that in Windows to do most anything. Frankly, that's a question I would ask if I were interviewing for a job, and if I didn't have full control over my development workstation and development servers, I wouldn't take the job, period; I'm not interested in being non-productive, or working in a dev team that doesn't know how to set up their servers.

      If the network has mission critical apps, and developers are working on networking code, then you isolate the development team from that network, at least for those ports. If the network can't handle me accidentally causing problems with my workstation, it can hardly handle someone purposely causing problems.

      Now, I'll put on my other hat, the one where I develop using a Unix workstation for Unix servers. In this environment, I'm perfectly happy having no rights but my home folder. As you can work just fine without full rights in Unix; installing your own apps, changing your own settings, etc. Even so, if you can't trust your very expensive professional devs, then perhaps you need new devs.

      As for developers building apps that don't require Admin rights, this is a QA issue, not an IT issue.

      I have no interest in having domain rights, or rights to production systems, especially mission critical production servers. But I do insist on control over my development machines. You wouldn't hire a contractor to build your house, then have him ask permission each time he needed a new tool from his tool chest; sure, he can ruin your plumbing with his hammer, but he's a professional, trust him or replace him.

    14. Re:What they don't say by Rakishi · · Score: 1, Troll

      Oh? Every dev at my company, thousands of them, has admin/root access to their machines and dev servers (su to be exact for the servers). There are very few problems and everything works quite nicely.

      I guess my company not hiring $5/hour retards who dropped out of middle school to do their dev work may explain why there are so few problems.

    15. Re:What they don't say by Stamen · · Score: 1

      Amen brother. If you hire monkeys, I guess you need to build a lot of cages.

    16. Re:What they don't say by Kalriath · · Score: 1

      That's nothing. Screw up your computer here and we reimage it (SMS Server) and invoice your manager $500 for it. That's one way to increase IT budget.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    17. Re:What they don't say by Volante3192 · · Score: 1

      I'm outsourced. I'm very limited in my abilities to be a BOFH. And by very limited, I mean castrated.

    18. Re:What they don't say by bcrowell · · Score: 1

      There are a lot of really stupid IT policies out there that, in the name of security, in fact merely hinder getting work done.

      I teach at a community college. Their current AUP is fairly reasonable, but Academic Computing has been trying to impose new rules that would make it a firing offense to (1) use a keychain drive on one of their machines, or (2) bring my laptop to work and plug it into their network, or (3) do anything that might be interpreted as disparaging anyone based on a long list of things, including political opinions. #2 is kind of silly, since the science division has been telling us for years that they don't have money to provide computer systems in the classrooms, so if we want to do PowerPoint or project web-based stuff on a screen, they expect us to bring in our own laptops. #3 would seem to prohibit students or faculty in political science classes from reading the Wikipedia articles on Hitler and Stalin. Although my college so far seems to have decided not to implement the stricter policy, at least for the moment, a lot of it seems to be boilerplate language that is becoming more and more standard throughout the public education system. My kids' grade school has exactly the same overly broad language about disparagement in their AUP. I can't fathom how this kind of stuff can be reconciled with academic freedom, especially at the college level.

    19. Re:What they don't say by lgw · · Score: 1

      The devs in my shop are mostly Windows kernel guys. They (and therefore we) have complete control of any system they have physical access to, regardless of what IT wants. The guy with the kernel-mode debugger wins every fight. It's kind of handy that way. :)

      Actually, in 15 years of working at large companies, I've had local admin rights to my box 100% of the time, it's just not practical to do otherwise for development in my experience.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    20. Re:What they don't say by lgw · · Score: 1

      Local admin privileges on your dev machine, but no domain admin rights is the norm every place I've been. You have domain admin rights over your test domain if you need them, never the production domain.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    21. Re:What they don't say by E-Rock · · Score: 1

      Datatel doesn't need admin rights, it just needs rights to a couple of INI files in the Windows directory (at least at our site). A little bit of time with regmon and filemon has gotten us around all the apps that 'need' admin privileges.
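An added example of the approach described above (not E-Rock's tooling, and nothing to do with Datatel's actual files): given a Process Monitor CSV export (Filemon and Regmon were later folded into Process Monitor), list the objects a process was denied access to and emit icacls grants for the plain files only, sending registry keys and anything under system directories to manual review. The trace, process name and group name are constructed for the example.

```python
"""Turn a Process Monitor "ACCESS DENIED" trace into targeted ACL grants.

Added example for this thread, not any poster's or vendor's own tooling. The
CSV columns are those of a Process Monitor export. The approach is the one the
comment describes: find the few files an application fails to write as a normal
user, then grant Modify on exactly those objects to a group instead of making
the user a local admin.
"""
import csv
import io
from collections import Counter

# Constructed sample of a Process Monitor CSV export; the process, paths and
# group below are hypothetical, not taken from any real trace.
SAMPLE_TRACE = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.100","termemu.exe","1234","CreateFile","C:\\Windows\\termemu.ini","ACCESS DENIED","Desired Access: Generic Write"
"9:01:02.101","termemu.exe","1234","CreateFile","C:\\Windows\\termemu.ini","SUCCESS","Desired Access: Generic Read"
"9:01:02.150","termemu.exe","1234","CreateFile","C:\\Windows\\session.ini","ACCESS DENIED","Desired Access: Generic Write"
"9:01:02.200","termemu.exe","1234","RegSetValue","HKLM\\SOFTWARE\\TermEmu\\LastHost","ACCESS DENIED","Type: REG_SZ"
"9:01:02.300","termemu.exe","1234","CreateFile","C:\\Users\\alice\\AppData\\Local\\termemu.log","SUCCESS","Desired Access: Generic Write"
"9:01:03.000","explorer.exe","800","CreateFile","C:\\Windows\\System32\\drivers\\etc\\hosts","ACCESS DENIED","Desired Access: Generic Write"
"""

# Locations where a Modify grant would be far broader than "a couple of INI
# files" and should be questioned rather than scripted.
SENSITIVE_PREFIXES = ("C:\\WINDOWS\\SYSTEM32", "C:\\PROGRAM FILES")


def denied_paths(trace_csv: str, process_name: str) -> dict:
    """Map each path the named process was denied access to -> number of denials."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(trace_csv)):
        if (row["Process Name"].lower() == process_name.lower()
                and row["Result"] == "ACCESS DENIED"):
            counts[row["Path"]] += 1
    return dict(counts)


def is_registry_path(path: str) -> bool:
    """Process Monitor shows registry objects with an HKxx hive prefix."""
    return path.upper().startswith(("HKLM", "HKCU", "HKCR", "HKU"))


def too_broad(path: str) -> bool:
    """True when a grant here would expose system binaries or a whole tree."""
    return path.upper().startswith(SENSITIVE_PREFIXES)


def grant_commands(paths, group: str) -> list:
    """icacls lines for plain files; registry keys and risky paths go to review."""
    cmds = []
    for path in sorted(paths):
        if is_registry_path(path) or too_broad(path):
            cmds.append(f"REM review manually before granting: {path}")
        else:
            # (M) = Modify: read, write, delete on that one object only
            cmds.append(f'icacls "{path}" /grant "{group}:(M)"')
    return cmds


if __name__ == "__main__":
    for line in grant_commands(denied_paths(SAMPLE_TRACE, "termemu.exe"), "DevUsers"):
        print(line)
```

Re-run the trace after applying the grants; any remaining denials are either more files to add or a sign the application needs redesign rather than more rights.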

    22. Re:What they don't say by Adambomb · · Score: 0

      Ever have to prove that no one communicated certain details outside of the company when half the dev crowd is always ssh'd into their boxes at home? Unless we had keylogged and STORED EVERY KEYSTROKE this would have never passed muster with legal (note: this was for travel health insurance and we had to make sure we could log and control the contents of any form of our outbound communication with the clients due to sensitive information and legal concerns conc invalid claims. Insurance companies tend to instantly be the bad guys in court, so anything we stated to the outside world had to be controllable).

      Now if you're in a shop of close knit, well screened developers AND in an environment where such things aren't an issue I could see admin-for-devs being the most efficient solution.

      --
      Ice Cream has no bones.
    23. Re:What they don't say by Anonymous Coward · · Score: 0

      You must be a developer. We are forced to give our developers admin access where I work. I am at one of their desks cleaning viruses weekly.

    24. Re:What they don't say by Anonymous Coward · · Score: 0

      As an Operations person who (tries to) maintain a fairly standard environment, with thousands of PCs, it's the very developers who are the least standard of the lot. Spot the problems with this common request - they ask for their normal account to be granted full system rights (policy enforced), to build custom images for "testing", ask not to be audited (or simply disable ZENWorks scanning), have copies of various versions of software on portable drives, and run in production because "it's more convenient". When you suggest that they be granted a standard development environment to do their job, say XP SP2 + JBuilder + .Net + SourceSafe etc pointed to dev servers running Oracle/SQL/etc, and prefer they are sandboxed/VLAN'd then it's suddenly impossible. As an administrator I have no issues running as a locked down user, running tools provided by the business to do my work - if I need additional then it needs to be considered. Why the difference for developers? The business have just about finished a deployment of 4000+ machines with a standard build, and guess the last 150 PCs that need to be upgraded... which should have been the first given the in-house application issues we've had.

    25. Re:What they don't say by Anonymous Coward · · Score: 0

      And I bet they're happy to go. If there's one thing I hate at work, it's self righteous assholes preventing me from getting shit done.

      Don't want me to install shit on my box? Then when I ask for tool xxx, I want it installed *now*. I don't give a shit if you don't know what it is. If I didn't need it, I wouldn't be asking for it. I don't want to sit on my thumb for three fucking days waiting for the service request to go through. Want me to leave the virus checker on? Try installing one that doesn't slow my machine to a crawl. Same with the spyware detecting shit. I don't install viruses and spyware, so stop wasting my fucking resources.

      Now that I think about it, maybe I should stop complaining. I make a lot of money waiting around because of your incompetence.

    26. Re:What they don't say by Kjella · · Score: 3, Insightful

      It's really quite simple - a company is in it for the money. IT policies are there because they save money by not dealing with all sorts of crap. As long as you get your work done and don't create trouble for your coworkers, IT support, the legal department or anyone else most people are willing to overlook things. Note I said overlook, not back down. Don't challenge them or blatantly disregard them, or they have to come down hard on you to make sure everyone knows who has the final say. You have to convince them you're not what I'd call "dangerously competent" - skilled enough to mess around a lot, clueless enough to fuck it all up.

      --
      Live today, because you never know what tomorrow brings
    27. Re:What they don't say by Rakishi · · Score: 1

      Like I said, there are tons of companies (including mine) that have thousands of developers and this isn't a problem. The secure data is kept away from most devs and the ones who need it have to go through hoops and legal paperwork to get the data. We're also generally too busy to deal with crap like SSHing home or something.

      After all you can't give devs laptops either in your company or let them telecommute. Contractors can't use their own system or software, so you need to provide both to them. Internet access should also not be allowed at all (on systems with sensitive data) to prevent trojans and viruses from being a concern. USB keys are also out as are all other such things, otherwise you can't be sure where the data is.

      If you want to be paranoid or need to be paranoid then that's fine but if you believe that you're anything but a tiny minority or that there isn't a decent efficiency hit then you're deluding yourself.

    28. Re:What they don't say by Ph33r+th3+g(O)at · · Score: 1

      No, he didn't get fired, because, unlike in your dystopian fantasy world, the eye-tee "security" shop doesn't control the organization and common sense prevails.

      --
      I too have felt the cold finger of injustice.
    29. Re:What they don't say by Ph33r+th3+g(O)at · · Score: 2, Informative

      They're SSHd into their boxes at home because the power tripping network nazis at work are blocking things that are useful. Stop with the ridiculous lockdowns for technical people and it won't happen. If your technical people aren't technical enough to be trusted, get new ones. Problem solved.

      --
      I too have felt the cold finger of injustice.
    30. Re:What they don't say by Ph33r+th3+g(O)at · · Score: 1

      Nothing like watching a developer handed a box and told to get out to turn my frown upside down!

      Then you woke up and realized you worked in the real world, where the admin monkeys don't really rule the world. Cite a documented case where you got a dev fired for violating eye-tee security or shut up.

      --
      I too have felt the cold finger of injustice.
    31. Re:What they don't say by CCFreak2K · · Score: 1

      My guess is that it would depend on what you're developing. With desktop computers powerful enough to run a virtual machine with a -complete- operating system inside of it, INCLUDING the benefits of things such as snapshots, requiring high-level privileges on a machine might not be required anymore.

      --
      "Beware of he who would deny you access to information, for in his heart he dreams himself your master."
    32. Re:What they don't say by Ticklemonster · · Score: 0

      No, I(dio)T departments are in it for the money. Usually, the people who they work for think of their department as some voodoo witchdoctor shop, and believe anything they are told regarding security. Then you have these weekend wizards who couldn't figure out which side of a burger to flip, so they decided to take on getting a promising IT career at some tech school they saw advertised on TV, and now they follow the Microsoft line all the way to the hilt. Right... let's see, use Microsoft's instructions on how to keep their virus magnet hole riddled software safe. Pardon me while I retch. So these wonderful IT pros snow the bosses about what they do, and how they do it, and the bosses are none the brighter, and say sure, go for it. Meanwhile productivity is stifled, and the boss has got no clue in hell what is going on, but BY GOD, DON'T DARE ASK ME TO GET THE WITCH DOCTORS TO DO ANYTHING DIFFERENT!!!! Thus sayeth the boss. All hail the boss. Whee. Can you tell I have to deal with a first class I(dio)T department where I work?

      --
      Karma: Bad is the liberal way of saying this guy won't drink the kool aid here on slash dot. I wear my Karma with pride
    33. Re:What they don't say by Fryth · · Score: 1

      The gist of it is that IT departments can't afford to give everyone administrator access to their PC. The support calls would double or triple with all the inane random problems people will start having. I'm not making excuses for Microsoft's crappy user security model, but it does a good job of making IT managers happy.

      That being said, a good IT department, upon hearing from management that you can't do your work, would make an exception in your case.

    34. Re:What they don't say by xixax · · Score: 1

      Taken at face value, our IT policy was at one point advocating that no useful software could be installed on a computer unless it was already included with MS Office. People are smart enough to recognise the intent even though the wording is overly broad. I was tempted to rigidly enforce a zero tolerance approach and watch the workplace grind to a halt.

      Xix.

      --
      "Everything is adjustable, provided you have the right tools"
    35. Re:What they don't say by Billly+Gates · · Score: 1

      It has been years since I administered Windows but isn't there a power users group that can have debugging privileges? You can put a custom policy not to install software with poledit or whatever the hell it's called now in the mmc.

      That way developers won't screw things up but they could at least add them as a separate group with different privileges. In fact one of the strengths of NT/VMS over unix was ACL to allow such things.

      Stupid IT departments.

    36. Re:What they don't say by TemporalBeing · · Score: 1

      There are a lot of really stupid IT policies out there that, in the name of security, in fact merely hinder getting work done. I am not talking about P2P. Giving a developer a workstation with a user account with no administrator privileges on Windows is among them.

      Depends on the kind of developing you are doing. There are many IDEs and testing suites that don't require local admin access.

      Microsoft's IDE & compilers (Visual Studio) cannot debug software without local admin access. For Windows developers that is a big problem in itself - especially for those developing APIs as other compilers do not necessarily create binary compatible libraries to Microsoft's Windows Library format(s) - one of the reasons that GCC and friends don't do too well for Windows oriented development.
      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    37. Re:What they don't say by Anonymous Coward · · Score: 0

      There are a lot of really stupid IT policies out there that, in the name of security, in fact merely hinder getting work done. I am not talking about P2P. Giving a developer a workstation with a user account with no administrator privileges on Windows is among them.

      This suggests that you are using a broken platform to do your programming work. It's no wonder Windows programs are so fucked up and cause no end of security holes. Why must a programmer have admin access to create a program? Most of the programs don't really need to access the kernel. No one in the unix world, except for kernel devs need root privileges. There are many windows programs that can just run as a user, but we still have plenty of programs that seem to need administrator access just to run. Why is that? Broken design by Microsoft.

      Because of the broken design, we still have numerous programmers and their broken programs that still run as if the system is a single user system. A unix system can easily support numerous users running on the same machine, but a windows system still can't figure out how to tunnel X through to the multiple remote desktop clients. There are programs that still can't spawn multiple instances because too many Windows Programmers still don't understand that more than one user may want to run the software at the same time. All these issues have been previously solved, just not on Windows.

      It's broken to need administrator privileges just to run a compiler. All the windows programmers rely too much on their IDE crutch that they don't even realize that you can compile everything via command line. You can run nmake.exe on Microsoft formatted makefiles to compile your code 10 times faster because you're not wasting flashy IDE GUI processing power to suck up your CPU time.

      Rather than just complain to your IT department, complain to Microsoft for being so stupid to still require admin privileges just to run a compiler.
  8. When Policies are set by PHB's and you need to by. by Joe+The+Dragon · · Score: 1

    When Policies are set by PHB's and you need to bypass them to get work done then that is something that should be fixed. Also another thing is password rules that make people write their password down on paper are worse than passwords that don't have as many limits on them.

  9. Unreasonable Policies by bazald · · Score: 5, Insightful

    Some policies just aren't reasonable or well thought out. This article is clearly blowing the issue out of perspective by not separating out different behaviors.

    Checking personal e-mail from a work computer-- 73% of those who have done this at work believe it is not risky, despite the fact that they could unknowingly download a virus that infects the corporate network. Wow, really? I'll stick to those corporate virus-free e-mail accounts from now on. Are they also completely free of spam? That would be nice too.
    --
    Insert self-referential sig here.
    1. Re:Unreasonable Policies by kpainter · · Score: 1

      Of the major network screw-ups I can remember where I work, all of them were caused by IT pushing out a rule or utility over the network that exploded on the pad. When this happens, nobody seems be held accountable.

    2. Re:Unreasonable Policies by Maxo-Texas · · Score: 2, Interesting

      Viruses through Outlook in the last 5 years: over 20 (including 7 PDFs this week)
      Viruses successfully deployed to my desktop over the last 5 years: 3 (apparently from laptops plugged into the network without being scanned). The PDFs would have deployed if I had not been suspicious of getting a PDF from a stranger.
      Viruses through hotmail in the last 7 years: 0
      Viruses through gmail in the last 2 years: 0
      Viruses through Yahoo in the last 3 years: 0

      ---
      Documents that were not documents BLOCKED by corporate virus scanners: At least a dozen.

      --
      She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
    3. Re:Unreasonable Policies by Kjella · · Score: 1

      Personally I think that one has about 99% to do with employees wasting time and 1% to do with security. Most serious companies I know have a virus scanner running on downloaded files, which I assume is the same one running on e-mail attachments. It's just part of my job to download executables from time to time, and usually I'm allowed to even from companies blocking webmail...

      --
      Live today, because you never know what tomorrow brings
    4. Re:Unreasonable Policies by UdoKeir · · Score: 1

      A friend of mine who worked for a major bank had webmail blocked by her IT dept. They claimed it was for Y2K reasons. I couldn't begin to explain what was wrong with that excuse.

      My company's IT dept blocks HTML attachments in email to "prevent viruses". They appear ignorant of the fact that email can be formatted with HTML, or indeed that I have a little program on my desktop designed specifically for downloading HTML files direct from the web.

    5. Re:Unreasonable Policies by WK2 · · Score: 2, Insightful

      Some policies just aren't reasonable or well thought out.

      Exactly. Most corporate policy lists are like U.S. laws: excessively numerous and impossible to follow. If you tried, you might get fired for not completing your work at the speed of your co-workers. When I was young and naive, a manager actually told me that I can't follow all the policies, and that I just had to do my best to obey what I could, and not get caught for the rest.

      I've heard it said that corporate policy exists so that management can point blame wherever they want when something goes wrong, because everybody is breaking the rules. That would be in common with U.S. laws.

      --
      Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
    6. Re:Unreasonable Policies by Bryansix · · Score: 1

      Wow, really? I'll stick to those corporate virus-free e-mail accounts from now on. Are they also completely free of spam? That would be nice too.
      Actually the email at the corporation I work at is. We run a Barracuda Spam Firewall in front of the email servers and nothing comes in without going through it. I tweaked the settings in the thing and now it filters out 75% of all email coming in. This doesn't take into account the emails the server never sees because it drops connections that are spamming it through rate control. In a year I think it's had like one false positive. It also filters out known viruses.
    7. Re:Unreasonable Policies by WombatDeath · · Score: 1

      My old employer "mandated" (poorly) the use of the corporate logo as desktop wallpaper. That's the sort of policy I'll cheerfully bypass with a great big grin on my face.

    8. Re:Unreasonable Policies by Anonymous Coward · · Score: 0

      Checking personal e-mail from a work computer-- 73% of those who have done this at work believe it is not risky, despite the fact that they could unknowingly download a virus that infects the corporate network.

      There's no way I'm going to worry about unknowingly downloading a virus onto a work machine, because the work machines all run AV software. Firstly, corporate security has to be asinine not to block external mail access. What I'd really worry about is corporate security keeping logs of IMAP and POP traffic. Then they can keep it for as long as they want, and if they ever want to fire you, they can pull up the logs as just cause.

    9. Re:Unreasonable Policies by bjohnson · · Score: 1

      Jeebus, just 75%??? Our system (SpamAssassin/Sophos AV) on the server is currently kicking 90% of all email delivered to our domain right to /dev/null...

    10. Re:Unreasonable Policies by Bryansix · · Score: 1

      It was just an estimate. I just checked and today it blocked 90% and Quarantined another 5%.

    11. Re:Unreasonable Policies by p0tat03 · · Score: 1

      Wow, really? I'll stick to those corporate virus-free e-mail accounts from now on. Are they also completely free of spam? That would be nice too.

      The difference is that if opening a work email infected your machine, your ass is more or less covered (blame it on the obviously incompetent IT department!), whereas if you were using your personal email at the time, you are totally boned.

    12. Re:Unreasonable Policies by Anonymous Coward · · Score: 0

      That is viruses (and not virii either). I don't normally correct spelling if it is just a typo, but you need help.

    13. Re:Unreasonable Policies by garwain · · Score: 1

      Um... yeah... I am probably the only person in my workplace who can access outside email servers, but then I do all IT here, and my personal mail server is a hell of a lot more secure than the company one. Of course, it's hard to bring in a virus when you check your email over an SSH session using mutt...

    14. Re:Unreasonable Policies by stry_cat · · Score: 1

      Some policies just aren't reasonable or well thought out. This article is clearly blowing the issue out of perspective by not separating out different behaviors.

      Checking personal e-mail from a work computer-- 73% of those who have done this at work believe it is not risky, despite the fact that they could unknowingly download a virus that infects the corporate network.
      Wow, really? I'll stick to those corporate virus-free e-mail accounts from now on. Are they also completely free of spam? That would be nice too.
      Yeah you know. I've only been hit by one email virus ever. Where was that? At work b/c their virus checker missed it. Yahoo found and blocked the same thing. Gmail didn't exist at the time, but it hasn't let any viruses get me yet so I'm sure it would have caught it too.
    15. Re:Unreasonable Policies by TemporalBeing · · Score: 1

      Some policies just aren't reasonable or well thought out. This article is clearly blowing the issue out of perspective by not separating out different behaviors.

      Checking personal e-mail from a work computer-- 73% of those who have done this at work believe it is not risky, despite the fact that they could unknowingly download a virus that infects the corporate network.
      Wow, really? I'll stick to those corporate virus-free e-mail accounts from now on. Are they also completely free of spam? That would be nice too.
      I could understand a policy requiring checking personal e-mail through a webmail interface, and disallowing POP/SMTP access to personal e-mails. Why? B/c webmail not only goes through the provider's A/V and spam filters, but also goes through your own network's virus filters too. And it has the same level of risk as browsing the web anyway - anything you can do in webmail, you can pretty much do on any web page.

      The only reason to go beyond that is if you're really worried about company info going out the wrong channels, which could happen - but if your employees are going to send it out via e-mail, then the people you'd be worried about would just as likely do it through their company e-mail account anyway - or find another method if they are really intent on doing so. (They could even do so from home!)
      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    16. Re:Unreasonable Policies by Maxo-Texas · · Score: 1

      Sorry you loosed your cool over it.
      since missspelled words and incorrect garmmer are so rare on slashdot, I understand.

      --
      She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
    17. Re:Unreasonable Policies by Proteus · · Score: 1

      Apostrophes wrongly used in the parent: 7

      The apostrophe should never be used to pluralize. I see some people do it with initialisms (like "PDF's"), but it's incorrect ("PDF files" or "PDF documents" would be the most correct, but if I were editing, I'd accept "PDFs" for informal text).

      Apostrophes should only be used to indicate possession or contraction. A plural word ending in "s" (e.g. "friends") is made possessive by placing the apostrophe after the "s" -- "my friends' phones" refers to the phones owned by several of my friends, while "my friend's phones" refers to several phones owned by one friend.

      It's and its give some trouble. It's is always a contraction of "it is". One makes "it" possessive in the same way one makes "her" possessive. "Her" becomes "hers", so "it" becomes "its".

      HTH, HAND.

      --
      We may not imagine how our lives could be more frustrating and complex—but Congress can. – Cullen Hightower
  10. And then there is 1/3 ordered to violate.. by Maxo-Texas · · Score: 4, Interesting

    by executives to make unrealistic deadlines which they decided without IT input.

    --
    She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
    1. Re:And then there is 1/3 ordered to violate.. by CopaceticOpus · · Score: 1

      You misunderstood, we're not talking about those violated by company IT policy. That's a separate discussion! :)

  11. I think it's more like... by kabocox · · Score: 1

    I think it's more like 1 out of 100 of employees actually obey company IT policies. The more management or IT that you are the more that you are liable to freely break IT policies as well.

    1. Re:I think it's more like... by tftp · · Score: 1

      The sad part is that this one employee who does not do anything bad probably does not do anything good either. It is a completely bland person with no interests, no curiosity, and who is even afraid to do something minor and be responsible for that. This is the kind of person who warms his chair for 40 hours per week and collects a paycheck. There is a place for those people - a security guard maybe, or a help desk operator, but not in positions that require an open mind and the power to make decisions.

  12. It's a cat and mouse game with IT by rrohbeck · · Score: 4, Insightful

    Blacklists=>Proxies
    Traffic filters=>TOR
    etc. etc.

    But the real problems are still caused by moron employees who double click on an attachment they got via email. Just happened again last week. The problem isn't people who don't adhere to policies, it's employees who don't have a clue.

    And what's wrong with reading Slashdot while you're slacking off with a coffee for a couple of minutes? I'd consider an employer a slave driver if they have a problem with that.

  13. So much not said by frovingslosh · · Score: 1

    I would find it more interesting to know what policies are being broken, and what percentage of those are either extremely lame or actually downright dangerous to the company (I have a friend who is required to use IE and Outlook for example).

    --
    I'm an American. I love this country and the freedoms that we used to have.
  14. The other 2/3rds are not doing work by sheepofblue · · Score: 1

    Most policies are written for a very focused set of activities by a group of people that have no idea how others do their jobs. In many cases they also have no clue on how to do IT either, as that layer is busy working. So like absurd laws they generally get the respect they deserve, and compliance follows. For example, I worked at a company that limited printing so badly that to print out work-related documents one of our support people had to bring his laptop to our laser printer and jack in; his did not let him print from the partition he had the work on (it needed to be there because of the IT setup). Further, he could have emailed it, but they would bill his department by the KB. After that, do you really think he cared about their rules?

    1. Re:The other 2/3rds are not doing work by King_TJ · · Score: 1

      Yep! I've always done system administration from the viewpoint that the computers are there as TOOLS for everyone to use. By the very nature of computing, you can't expect to make almost any specific, hard and fast rules that cover all scenarios. It's a constantly moving, evolving target.

      You block a range of ports on the firewall because "bad app X uses them, and we don't want bad app X running!"? Next thing you know, it breaks 3 other legitimate apps people need to be more efficient in the workplace.

      You THINK you understand when, where and how people need to do printing? I guarantee you missed something.

      I think the best compromise between "security" and "usability" is to deploy the common sense measures everyone can agree offer benefits. Install a good anti-virus solution, centrally managed if possible. Set up some sensible security restrictions on some of the shared folders on the network. Run a decent web filtering solution that blocks known "not work safe/related" sites - but generally err on the side of accessibility, rather than locking it down TOO tightly. (If an employee is constantly surfing sites they shouldn't be on, that's a MANAGEMENT issue - not a technical one, ultimately.) In a Windows network, group policies are very useful too. Again, don't go crazy locking things down - but enforce a few things, like a reasonable default cache size for Internet Explorer and a screen saver that kicks off after, say, 10-15 minutes, password-protected. And lastly, I've had great luck using third-party spam filtering services for email. (Why struggle and spend valuable system resources trying to do that yourself? Many ISPs and other services will offer it, site-wide, for maybe $40 a month or so.)

  15. most employees... by Threni · · Score: 1

    > Additionally, most employees have the misconception that these behaviors pose little to no risk to their companies."

    Most employees have the misconception that the highly paid tech guys who run the networks and administer the PCs are capable of ensuring the whole system is secure. The inconvenience many people encounter getting their work done, what with locked down PCs, blocked sites and patronizing policies, they imagine, surely means that any site I can visit, or email I send/receive, is ok. Otherwise, why bother?

    1. Re:most employees... by ivan256 · · Score: 5, Interesting

      I've actually tried this little social experiment.

      I run the network for my mother's company for free, so I'm allowed whatever liberties I'd like in deciding policy instead of having it dictated by a boss. They've got over 20 machines, and they aren't formally assigned, so if one goes down it's not the end of the world; the employee can use one at another desk for a while. Usually they use the same one every day though.

      The experiment was this:

      Four new employees. Four new Windows XP Professional PCs. All use Firefox for a browser and Thunderbird for e-mail, along with the proprietary manufacturing/sales app that they run their business with. Two machines got Symantec anti-virus, and the other two got no anti-virus. They were told that since we don't have a copy for that machine, they'll just have to be extra careful about what documents they open, and how they use their e-mail. (We really were out of licenses/subscriptions, which is how this started)

      After three months, both of the AV-free PCs were completely fine, and one of the machines that had the anti-virus was running a botnet spammer (the outgoing spam was being blocked by the firewall). The most amazing bit though, was that the fear of not having anti-virus protection had stopped users of those two machines from doing most of the non-viral bad stuff that average windows users do. There was no proliferation of toolbars, no weatherbug.... They didn't even have realPlayer.

      It's amazing what a false sense of security people get from running anti-virus software. They don't even realize that they still have to be careful because 0-day threats aren't in the latest virus definitions yet. They think they can do whatever they want, because they are protected.

      The whole company has since gone anti-virus free on the desktop, and problem reports and performance complaints have dropped way down. Education and a healthy dose of respect for the evils of the world work better than any anti-virus on the market. And the cost savings are nice too.

      (There is still some basic protection in place. All internet access is through a secured web proxy. Non-http traffic isn't allowed. Intrusion detection on the firewall, etc... And the servers are still scanned, AVG on the windows servers, chkrootkit on the linux servers.)

    2. Re:most employees... by ydrol · · Score: 1

      For scanning signatures AVG has a fairly low detection rate. (less than 90% IIRC) AntiVir and Avast have higher detection rates (at least last year they did)

    3. Re:most employees... by crabpeople · · Score: 0, Troll

      "Two machines got Symantec anti-virus, and the other two got no anti-virus. They were told that since we don't have a copy for that machine, they'll just have to be extra careful"
      Wow. An admin who cares more about licensing than actually protecting his network. I can't believe you actually wrote that, and it was modded up. MCSEs, I guess...

      "The whole company has since gone anti-virus free on the desktop, and problem reports and performance complaints have dropped way down"
      In other news, new virus infections have increased elevenfold! Wow, just wow. I can't tell if you're trolling or not. How the hell are users going to tell if they have a virus without antivirus software? Magic? How the hell are you going to tell? Sure, something obvious like a spam relay people are going to notice, but I see viruses being downloaded almost daily. Your experiment seems to imply that people care about their computers. Heck, it implies that people are terrified of viruses and fucking up at work! They do not and are not. If a computer breaks, it's in no way, shape or form their problem or their fault. Just like if a car breaks it's not your fault, is it? Doesn't matter that you forgot to check the damn oil regularly, it's the stupid car's fault! I would question if you have ever even worked in IT professionally with you making that statement.

      Users have no remorse.

      --
      I'll just use my special getting high powers one more time...
    4. Re:most employees... by ivan256 · · Score: 4, Insightful

      You really have no grasp on reality, do you?

      You think virus protection protects your network? You missed the entire point. Then you followed it up with a broken car analogy.

      Perhaps you should try understanding what you do for a living instead of doing whatever some book and a whole bunch of marketing literature told you to do.

      I check in on my machines and make sure they are working. I protect my networks, and make sure that if they *do* get infected they're not going to infect *your* network.

      Judging by your comment, on the other hand, you merely install security-blanket style security software on your systems and think that makes you "responsible".

      Users have no remorse because they are given zero responsibility. Why should they care if they fuck up your machines? You secured them. They're protected. They're both "safe" because of the protections, and completely disallowed from making any responsible decisions about their own machines, so they take zero responsibility.

      You, sir, are the cause of your own user-troubles.

    5. Re:most employees... by phillips321 · · Score: 1

      Just because I have an airbag, it doesn't mean I drive like an idiot!

    6. Re:most employees... by CharmElCheikh · · Score: 1

      Hi,

      What kind of communication about security did you do with your users? I'm wondering if the reason why this worked is because you have so few users (20+ workstations) and therefore you had enough time to make them VERY WELL aware of security risks, maybe by spending time discussing with the ones who did not quite get it.

      Although I do believe a false feeling of security is one of the greatest enemies of security and I find your approach interesting, I'm not convinced this would work in a much bigger organization, in which you don't have the time to go discuss with each user individually, and where the IT security guys seem to be so far away.

      Oh and I can't imagine myself explaining this approach to some accreditation auditors (even after making them drunk and happy).

      --
      My /. user ID is probably higher than yours
    7. Re:most employees... by drsmithy · · Score: 1

      After three months, both of the AV-free PCs were completely fine, and one of the machines that had the anti-virus was running a botnet spammer (the outgoing spam was being blocked by the firewall). The most amazing bit though, was that the fear of not having anti-virus protection had stopped users of those two machines from doing most of the non-viral bad stuff that average windows users do. There was no proliferation of toolbars, no weatherbug.... They didn't even have realPlayer

      Why aren't they running as non-Admin users? It's not a difficult thing to do with a managed environment.

    8. Re:most employees... by syousef · · Score: 1

      After three months, both of the AV-free PCs were completely fine, and one of the machines that had the anti-virus was running a botnet spammer (the outgoing spam was being blocked by the firewall). The most amazing bit though, was that the fear of not having anti-virus protection had stopped users of those two machines from doing most of the non-viral bad stuff that average windows users do. There was no proliferation of toolbars, no weatherbug.... They didn't even have realPlayer.

      This is going to sound harsh but your science education really failed you. You have a hypothesis that you've decided is true without any compelling evidence, and then twisted the evidence to argue that it proves the hypothesis.

      However, there's a simpler explanation, and the clue's quite evident to me from your post. You gave the users a strong warning about the 2 machines having no virus protection. Meanwhile you gave them hotdesking access to machines that do have antivirus. If they know how to avoid a virus and they're about to do something risky, they'd just ask their buddy on the virus-protected computer to do it, or move to a machine that's virus-protected when it's available and engage in the risky behaviour. That way it's not their usual machine that's been infected, so it's harder to trace, and there is some sort of a safety net.

      If you wanted to conduct this experiment properly you'd need to do it double blind, i.e. the person assigning users to PCs and admining can't know which is virus-protected (the admin part is hard), and neither could the employees. That way neither the admin nor the group can influence the results. You'd actually need a 3rd party to divide people into 4 groups.

      1. People on virus protected computers that know it
      2. People on virus protected computers that are told they're not protected
      3. People on virus unprotected computers that know it
      4. People on virus unprotected computers that are told they are protected

      When telling users about the AV software, you need to keep in mind that how strongly you word what you're telling them may also have an impact on what's being said. You might want to further divide the above groups into 2 - one strongly warned and the other weakly warned.

      Oh and you need a sample size of more than 20-25 employees.

      You can take this as me being obnoxious or you can choose to learn from it. If you were a paid admin at a larger company, this kind of assumption is exactly the sort of assumption that would get your company hosed and your backside canned. You need to be more scientific about things.

      EVEN if you are proven correct in your assumption, that's based on a gut instinct not on any proof you've presented from your description.

      --
      These posts express my own personal views, not those of my employer
    9. Re:most employees... by ivan256 · · Score: 1

      They *are* running as non-admin users.

      You can still install a lot of things as a regular user.

    10. Re:most employees... by ivan256 · · Score: 1

      This is going to sound harsh but your science education really failed you. You have a hypothesis that you've decided is true without any compelling evidence, and then twisted the evidence to argue that it proves the hypothesis.
      Everybody is so quick to be on the attack...

      I'm under no delusions that this was a scientific study, or that I "proved" anything. It's an anecdote. I called it a "social" experiment. Hell, my sample size was only four.

      I'm well aware that there are other factors. A big one here was this: Unlike most companies, when you break your computer there, you're still responsible for getting your work done on-time. "I'm waiting for IT to fix my PC" isn't a valid excuse. So there's huge incentive not to break anything. Additionally, because there are so few users, I can give them 1-on-1 training on how to use their system safely. Most places can't say that.

      It's still an interesting story though, as it does demonstrate the undisputed truth that up-to-date antivirus software still can't catch the most common 0-day viruses.
    11. Re:most employees... by ivan256 · · Score: 1

      This is a good point, which I mentioned in one of my other responses in this thread. I do have "the security talk" with every new user, and I'm sure that does have an effect.

    12. Re:most employees... by distr0 · · Score: 0

      Very interesting experiment, but I think your results were only because of the fact that there were only 20 users. Do you think this same logic could apply to a corporation of 8000+ people? Where ~3500 are regularly at a PC, and several thousand more just log in every week or two to check up on things and print their paystub?

    13. Re:most employees... by drsmithy · · Score: 1

      You can still install a lot of things as a regular user.

      Regular users don't have write privileges to system directories.

      Unless you've got them in the "Power Users" group...

    14. Re:most employees... by TemporalBeing · · Score: 1

      It's amazing what a false sense of security people get from running anti-virus software. They don't even realize that they still have to be careful because 0-day threats aren't in the latest virus definitions yet. They think they can do whatever they want, because they are protected.

      The whole company has since gone anti-virus free on the desktop, and problem reports and performance complaints have dropped way down. Education and a healthy dose of respect for the evils of the world work better than any anti-virus on the market. And the cost savings are nice too.
      I'd really recommend putting the free ClamAV for Windows on the PCs. While you were successful thus far, it won't last forever. So both of you are taking a lot of risk.

      That said, as others have pointed out - you were successful because you made them responsible. Removing responsibility is not usually a good thing.

      So, I'd recommend continuing to give them the responsibility, and putting ClamAV on the systems. Perhaps you can get the best of both worlds. (FYI - ClamAV was recently found to be one of the top 3 AVs for detecting viruses.) This is also the path I take with my own home network.
      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    15. Re:most employees... by Billly+Gates · · Score: 1

      I will give it a try.

      I need a free virus scanner and tried AVG, but it slows my laptop down like a dog.

  16. Re:When Policies are set by PHB's and you need to by Gibble · · Score: 2, Informative

    Pick something you can remember. The simplest way to have a mixed-case, alphanumeric password with punctuation is a sentence that you can remember. "Today, a coffee cost $1.99 + TAX!" Secure, simple to remember, and passes all the validation you want to throw at it.

    --
    Gibble: Descriptive of an emotional state in which one's mind is scrabbling for some purchase on reality
  17. So what's the % for IT employees? by suppo · · Score: 1

    Since 1/3 is for all employees, I'm venturing the % is over 90% for IT employees behind the cypher locks. And anyone reading this from work sure is.

    --
    NON-geek Linux user since 1998
  18. /Actually/? by ivan256 · · Score: 1

    They say "actually" like it's so unbelievable.

    I regularly use bittorrent to download work-related files at work. And it's not against IT policy at all. Imagine that.

    1. Re:/Actually/? by Xiaran · · Score: 1

      What you said. I use bit torrent all the time at work to get linux isos for our test environments.

  19. Re:Only One Federal Employee IS by Pojut · · Score: 1

    Kilgore Trout, is that patRIOTically you?

  20. Re:When Policies are set by PHB's and you need to by Joe+The+Dragon · · Score: 1

    And what about the rules saying that you have to change your password and you can't use part of your last few passwords?
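
The two password rules raised in this thread, Gibble's "a memorable sentence already has mixed case, digits and punctuation" advice in comment 16 and the "no reuse of your last few passwords" rule in the comment just above, can both be expressed as a small server-side check. The following is an added example, not code from the original thread or from any commenter. The policy values (12-character minimum, five-password history, PBKDF2 iteration count) are assumed for the example; the quoted passphrase is the one from the thread, and the other candidates are constructed. The history is kept as salted PBKDF2 hashes of previous passwords, so exact reuse is detected without storing plaintext; a "can't use part of" rule would need the old plaintext at change time, which this example deliberately does not do.

```python
import hashlib
import hmac
import os
import string

# Assumed policy values for this example; real policies vary.
MIN_LENGTH = 12
HISTORY_DEPTH = 5           # the new password may not equal any of the last 5
PBKDF2_ITERATIONS = 100_000


def character_classes(password: str) -> set:
    """Return which character classes appear: lower, upper, digit, punct."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
    return classes


def complexity_failures(password: str, min_length: int = MIN_LENGTH) -> list:
    """List every complexity rule the password fails; an empty list means it passes."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    missing = {"lower", "upper", "digit", "punct"} - character_classes(password)
    for cls in sorted(missing):
        failures.append(f"no {cls} character")
    return failures


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) so the entry can be stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def in_history(password: str, history: list) -> bool:
    """True if the candidate re-derives to any stored (salt, digest) entry."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):   # constant-time comparison
            return True
    return False


def check_new_password(password: str, history: list, min_length: int = MIN_LENGTH,
                       history_depth: int = HISTORY_DEPTH) -> list:
    """Combine the complexity rules with the reuse rule; history is oldest-first."""
    failures = complexity_failures(password, min_length)
    if in_history(password, history[-history_depth:]):
        failures.append(f"matches one of the last {history_depth} passwords")
    return failures


if __name__ == "__main__":
    # Constructed sample: the passphrase quoted in the thread plus weak candidates.
    previous = [hash_password("Today, a coffee cost $1.99 + TAX!")]
    for candidate in ("Today, a coffee cost $1.99 + TAX!",   # exact reuse of the stored one
                      "Today, a coffee cost $2.49 + TAX!",   # passes every rule
                      "Password!!!!",                        # long enough, but no digit
                      "sh0rt!A"):                            # all classes, too short
        print(repr(candidate), "->", check_new_password(candidate, previous) or ["ok"])
```

Running the block shows the quoted sentence passing every class check while its exact repeat is rejected by the history rule; a one-character change to the sentence passes again, which is exactly why hashed history alone cannot enforce a "no partial reuse" rule.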

  21. "Used P2P technologies" by amorsen · · Score: 0, Troll

    "Of those, almost a sixth actually used P2P technologies from their work PCs."

    Ooohh scary. I guess I'll be testing Fedora 8 later than expected, since using bittorrent for fetching it is now completely out of the question. Except that the company policy luckily does not forbid using "P2P technologies" where I work.

    --
    Finally! A year of moderation! Ready for 2019?
    1. Re:"Used P2P technologies" by Anonymous Coward · · Score: 0

      Someone dope-smack the mod that marked this one as a troll. This guy is pointing out a very valid flaw in the "scientific" analysis of this subject.

      If the question they asked these people on the phone was "do you use P2P at work?", then there's a huge problem with this study. Namely, not all businesses outlaw that sort of thing. The parent was pointing this out with his own work experience, where P2P is not disallowed, and where he is planning to download Fedora 8 via BitTorrent.

    2. Re:"Used P2P technologies" by amorsen · · Score: 1

      Thanks for the support, but don't worry too much about the moderation. My experience is that even my most inane comments get moderated positively, so it's somewhat refreshing to be modded down. Anyway, your explanation of the problem is much better than my attempt at humor.

      --
      Finally! A year of moderation! Ready for 2019?
  22. Hell, most companies aren't concerned... by msauve · · Score: 2, Interesting

    with the privacy of their employees. Case in point, mine provides my Social Security number to third parties, against my express direction, with absolutely no business need, and in direct violation of their own written privacy policy.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  23. Where I work... by Toreo+asesino · · Score: 5, Interesting

    ...there's a very relaxed IT policy.

    Browse whenever you want, take whatever software you want home, check your email if you want, everyone's their own local admin, no audits.

    However, if you get caught with illegal software, miss a deadline because of blatant time-wasting, then you get fired (for continuous abuse). People work not because of policy, but because they want to do well and enjoy what they're doing.

    I happen to also work in one of the biggest names in IT too....not some small company. The policy works very well, as is evident from the company's success and the fact people rarely leave. That and brain-implants, anyhow.

    --
    throw new NoSignatureException();
  24. In soviet Amerika, policy violates you! by fred+fleenblat · · Score: 0, Troll

    I get annoyed when a company violates MY policies.

    * tracks my personal info, e.g. name, address, phone, email, shopping habits
    * tries to limit my freedoms with invasive EULAs
    * goes with cheap/easy IT choices that make them a prime target for bots, spam, and viruses
    * spreads FUD about competitors when the competitors are actually better
    * tries to sell me a $2,000 product that I can do myself with a shell script
    * tries to lock up my data in their proprietary format

    If my installing linux or using an "unapproved" email client upsets someone in IT, that's because THEY are in the wrong, not me. I'm not responsible for someone else's shortsighted policies; in fact I have a civic duty to violate them in the most flagrant and obvious way, to shed light on their stupidity.

    1. Re:In soviet Amerika, policy violates you! by Anonymous Coward · · Score: 0

      Exactly. Once, Firefox, which was installed on my computer by the IT staff, got a Windows error that "The operation you have requested has been blocked"; later it got removed. I can't stand IT staff that are dumber than the average Slashdot reader; most of the comments that are even marked troll are better than most IT staff.

    2. Re:In soviet Amerika, policy violates you! by iknownuttin · · Score: 1, Troll
      If my installing linux or using an "unapproved" email client upsets someone in IT, that's because THEY are in the wrong, not me. I'm not responsible for someone else's shortsighted policies; in fact I have a civic duty to violate them in the most flagrant and obvious way, to shed light on their stupidity.

      You still have a job?

      --
      I prefer Flambe as opposed to flamebait.
    3. Re:In soviet Amerika, policy violates you! by bigstrat2003 · · Score: 0, Flamebait
      Wrong. Any company, no matter how retarded their IT policies are, has the right to run their company the way they wish. If you don't like it, you are, of course, well within your rights if you choose not to work there. If you want to get the policy changed, that's your right too.

      What you do not have is a "civic duty" to break the rules set down by your employer. Go ahead and do so, I don't care, but don't make yourself out to be a hero because you're doing it. You aren't. And this isn't even getting into how some of the "violations" you list are ridiculous, and are also well within a company's rights.

      --
      "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
    4. Re:In soviet Amerika, policy violates you! by Jhon · · Score: 2, Informative

      If my installing linux or using an "unapproved" email client upsets someone in IT, that's because THEY are in the wrong not me.
      There are countless examples available, but let's just focus on one you provided: your 'unapproved' email client.

      *YOU* are in the wrong. This is true if *YOU* are not paying for the hardware. This is true if you do not pay the support staff. It is not up to an employee to dictate what services a company's IT department will support -- that's up to management (hopefully with IT input -- but certainly not final say-so).

      We have limited budgets. I don't want to require that my staff knows eudora AND pine AND OE AND outlook AND thunderbird AND xyz AND abc AND fillintheblank. By making everyone use the same email client (or limited set of clients), you reduce training costs and quite frankly, you eliminate the user shooting themselves in the foot. YES there are some users who are quite able to troubleshoot for themselves. BUT, try telling Bob the luddite he can't use thunderbird (something he may have never used, but likes the way it looks) when Lennie The Linux Master two desks down is running pine!

      Simple solutions for companies who don't want silly and frequent helpdesk calls: Keep the workstations as uniform as possible within the scope of work any given employee is required to complete. Feel free to start your own business if the company rules don't appeal to you.
    5. Re:In soviet Amerika, policy violates you! by Anonymous Coward · · Score: 0

      I work for a large corporation, and in this corporation we have a pretty strict policy. No Myspace, Youtube, or personal Internet browsing unless you are on a break or not on work time. No downloading apps to the machine (including devs), no using alternate proxies or checking webmail of any kind. No using USB drives (the ports are disabled), and any unapproved access or usage results in termination of job...usually. We don't even let users change their wallpaper or the GUI interface colors. The wonderful admins set up a strict firewall that blocks almost everything but SSL or HTTP requests and have a cushion network for certain users needing to FTP or transfer files outside of our network. Users aren't even allowed to use speakers/mice/keyboards that aren't approved. No one except for the chosen few has admin rights to their laptop/PC, and even little things like installing a java applet must go through an entire approval process in order to be allowed on a machine. I love it, but it still doesn't protect everything. We still get those people who (think that they) know enough about IT to try to work around things, and the morons who ask things like why they can't install winamp or why TMZ videos won't play, but it's an education thing. We do our best to explain that when you are at work, you're expected to work. This is not a home PC, this is not "your" PC...it belongs to the company, and so does your time when you are at work. Plain and simple. Mess with your own PC on your own time, but while at work, you respect the security and safety guidelines.

    6. Re:In soviet Amerika, policy violates you! by fred+fleenblat · · Score: 1

      I'm pretty damn sure you spend more time hand-holding middle-level executives using outlook than people like me with fetchmail and evolution. If you want to reduce helpdesk calls, get rid of the suits. Make all the policies you want, the suits will still muck everything up.

    7. Re:In soviet Amerika, policy violates you! by Jhon · · Score: 1

      Actually, no. The 'suits' are quite used to outlook and have no problems with it at all. My guys rarely get calls from anyone but fresh meat (new suit's new position). Most of the 'staff' use an internal company webmail client -- nothing to set up for them. Just click the icon on the desktop and enter username/password.

      In 8 years, I've had ONE suit give my staff problems with outlook -- and it was a new AR exec who had zero experience in AR *AND*, quite frankly, I believe had never used a computer in their life. But they didn't make it past their 3 months anyway...

      I'm also the first to admit that *MY* staff uses whatever email clients they want. (pine, OE and Outlook (me -- sigh... I know, but calendar sync/BES is too damn important at my level)). Our policies read something to the effect:

      "...cannot use, install, download, copy unapproved applications without prior written approval from the General Manager or the IT Director"

      They aren't violating policies, because I approve it. Unfair? Perhaps -- in a communistic-everyone-is-the-same kind of way. But that doesn't sit well with my libertarian sensibilities.

    8. Re:In soviet Amerika, policy violates you! by teasea · · Score: 1

      I'm of a mind that bureaucracy only functions when the majority find ways to circumvent it. Dumbing down computer usage to the lowest common denominator of mindless users is seen by most as an annoyance to be worked around. Though of course, this leads to the cycle of those finding ways around stricter and stricter policies which slows real work and communication to a crawl.

      Some policies make sense. Others... not so much. Reading web mail? Not a big deal. Clicking on the 'You've received a card link?' 'ere's a bonehead for ya.

      Just tell Bob the luddite that Thunderbird causes athletes foot.

    9. Re:In soviet Amerika, policy violates you! by fred+fleenblat · · Score: 1

      >> You still have a job?

      yes actually. they were losing out on a lot of enterprise level sales because their code was win32 only. I fixed that and several 5-digit deals later the VP's get the idea that hey maybe there is more to the computing world than windows.

      i fondly recall witnessing a VP tell the IT department flat out "you will support VPN for mac and linux". that was awesome.

    10. Re:In soviet Amerika, policy violates you! by sniperu · · Score: 1

      Mod parent up! First guy in the thread that knows what he's talking about ...

    11. Re:In soviet Amerika, policy violates you! by Anonymous Coward · · Score: 0

      I worked in a place that instituted policies like that (because the company was bought out, actually).

      Within a few months, everybody had stuff like Treo smartphones or WinCE handhelds with a bazillion games, and web content batch-downloaded in the morning before going to work. And, people were taking astoundingly many coffee breaks.

      In other words, so many people felt insulted by the company that they started going out of their way to "game the system".

      So somebody who used to read slashdot for half an hour while eating lunch instead frittered away about two hours a day. But hey, at least the internet access bills went down. I guess.

    12. Re:In soviet Amerika, policy violates you! by fred+fleenblat · · Score: 1

      no, i have a responsibility to the shareholders to point out everything that is wrong so that somebody has the opportunity to make it better. if i just shut my mouth and just let IT (or anyone else in the company) create arbitrary, self-serving policies that limit my performance, that's cowardly.

      obviously i have to play ball, but this is what works for me:

      1. identify the limiting factor of whatever project or task you are on. if it's something you can fix, do it. if you need IT co-operation, ask for it. if you don't get it, escalate to the nearest common VP. repeat until VP realizes that IT is a "blocker" or "gating our performance".

      2. ask project management to track unix/linux sales growth. when they realize that 15% of their income is not beholden to windows they will gladly spend 15% of their time trying out LAMP, OoO, looking for opportunities, chatting with their fellow PM's at other companies about linux, etc.

      3. you will never get a windows-centric IT department off of AD and exchange so don't even try. honestly that *is* their kingdom and respecting their decision about their tools makes it easier for them to respect your decisions in your kingdom.

      4. seize opportunities to show off the performance of unix/linux systems. obviously nfs isn't any better than cifs but apache can do things IIS can't. if you live in a geek-based company, show off that new iphone or ipod--guess what there is a mach kernel and a ton of posix code in there.

      (This is just for dealing with anti-linux policies. If you surf for porn or download p2p music you're on your own. While such policies may be arbitrarily enforced, the root issue of their illegality is well-founded and should be respected by employees.)

    13. Re:In soviet Amerika, policy violates you! by fred+fleenblat · · Score: 1

      I've seen that level at defense contractors. If you have any classified data you pretty much have to lock down everything to the point that nothing new/interesting can be accomplished.

      Bizarre thing is that you get some of the managers drunk and they spill their guts about every detail, and guess how hard it is to get a manager at a defense contractor drunk...

    14. Re:In soviet Amerika, policy violates you! by IllForgetMyNickSoonA · · Score: 1

      Now this is, what, the 5th time I read this question in this discussion?

      My boss would NEVER, I repeat NEVER fire me for breaking the company's IT policy! What kind of screwed up world are we living in here??? We are looking for additional developers CONSTANTLY and are just NOT ABLE TO FIND GOOD PEOPLE! We are a well respected company, currently counting some 700 employees, developing embedded software and hardware in a highly interesting and "sexy" field. Nevertheless, the vast majority of developers who come to us for job interviews are just plain WORTHLESS. I know it, because for the last 9 months, I've been involved in the hiring process. And we are not asking for that high a qualification either! You're intelligent? You have *some* experience or at least some kind of a degree? You show initiative? You don't stink? You're in! If you turn out to be too stupid to be a developer, there are always enough project manager/sales assistant/whatever positions in the company to get rid of you anyway (I'm 80% developer/20% project manager, I know what I'm talking about here :-) ).

      If anybody would come even NEAR my boss with the idea to fire a good developer for breaking IT policies, he would be running away with his tail between his legs so fast that he wouldn't even know what hit him.

      Of course breaking IT policy is not seen as good or acceptable behavior, and it is also being actively discouraged. However, it would NEVER, except in a case of an obviously intended malicious action, lead to a good developer being fired.

      BTW, the company I'm talking about is a European one. Maybe that's the difference.

    15. Re:In soviet Amerika, policy violates you! by Tiny+Elvis · · Score: 1

      God working at your company would suck ass. I would spend all my free time finding another job.

    16. Re:In soviet Amerika, policy violates you! by Stamen · · Score: 1

      That would be wonderful if policies were created to be followed; they are not. I own a company, I've sat with my lawyers coming up with policies, and they have very little to do with how I really want my employees to act, and a lot more to do with minimizing litigation risk. You have to actually fight to get your lawyer to allow your employees to use company equipment for appropriate personal activities. The bigger the company, the more lawyers to fight.

      Everyone knows this, thus why people really don't pay attention to such policies. When you get your oil changed, you sign a four page contract, do you read it? No, it's silly.

      There is actually a protesting tactic used by truckers. It's a kind of strike. They start following all company and highway rules, precisely. They do this until their demands from the company are met. Strangely, companies yield fairly quickly; it's ironic that you can punish your employer by following their rules.

    17. Re:In soviet Amerika, policy violates you! by IllForgetMyNickSoonA · · Score: 1

      If I have the luck to get Lennie The Linux Master, who has the know-how to install pine and to hook it to your exchange server, to work for my company, I'd sure as hell want to make him happy enough to stay with the company and do the good work. Frankly, whose way does he get in? I'm sure your average lazy IT guy (who only seems to be able to support outlook, according to your own words, which makes him 100x less worth to the company than Lennie) will never in his life get the support request from Lennie regarding pine.

      Let's not forget why companies have IT departments: because they are the necessary evil. Not because they are some demi-gods in need of a bunch of sheep to guard through the rough waters of multiple e-Mail clients.

      Sorry if I sound sarcastic, but your post really pissed me off. Let's just try to respect each other for a change, instead of forcing our beliefs down the collective throats of the "other side". BOFH was kind of funny at the time it was written, but it's just plain outdated nowadays.

    18. Re:In soviet Amerika, policy violates you! by tx_kanuck · · Score: 1

      and that's the problem. Let's say your non-technical boss sees you using Thunderbird and asks you about it. You tell him that it's better than Outlook, faster, more secure, etc (and yes, I think it is for home use). He knows how good you are, and he trusts you, so he installs it. He breaks it, or he can't get to the Global Address Book, or something.

      Explain to me why I am now holding his hand troubleshooting Thunderbird? You convinced him, you support him. But I'm sure you have better things to do than train your boss on the software you sold him on. And who is going to explain to his boss why your boss didn't get an email in time since his client was down? Oh wait, that's me, because it's my job to support the machines we have in place. So now my ass just got chewed out by a VP because you felt that following the company standard was just not good enough for you.

      Hey, you may be right. You may be able to support yourself and not have to call helpdesk when something goes wrong. But who supports all the people that you influenced to follow you that are not as able to support themselves? Who is going to pay for the extra training to get the helpdesk up to speed with all the installed software? It will have to come out of the IT budget, but that means that other training gets sacrificed since we do have a limited budget. Hmmm...train on Thunderbird, or train on disaster recovery???? Obviously train on disaster recovery, but now we can't support Thunderbird and the idiot executive that listened to you and installed it. So now we look bad.

      Do you see the problem now? It's not you. It's who listens to you and the unforeseen consequences.

      --
      Now, if that makes sense to anyone, could you please explain it to me? I think I've confused myself.
    19. Re:In soviet Amerika, policy violates you! by Anonymous Coward · · Score: 0

      you will never get a windows-centric IT department off of AD

      Why would you want to? AD is actually one of the very few Microsoft technologies that are good. There is nothing like AD in the *nix universe: the individual components are there (LDAP, Kerberos, Samba etc.) but the integration and management is absent.

      If you don't like AD because you don't know how to integrate a *nix system to authenticate against it, you're not half as clever as you appear to be. I can think of three different ways to do it, and I've personally used two of them myself.

    20. Re:In soviet Amerika, policy violates you! by Anonymous Coward · · Score: 0

      It's not bad...I just have respect for the rules my employer sets. I know that if I have a preferred browser (Opera is mine), I cannot expect to use it while I'm using a work pc/laptop. I respect that they have their standards and they test all of the machines we use to be as uniform as possible to lower the cost of troubleshooting and errors that can arise. I also respect their policy of firing those who "game the system" or try to circumvent these policies. They didn't have to give me a job, and they don't have to pay my bills or provide for my way of life, but they do, and I am glad about that.

      I would never go to someone else's house and start telling them that their network is bad, and their software sucks, and demand they let me do whatever I want while using their equipment, so why should I act that way while at work? It's a little thing called "manners". It's not my property, it's not my equipment, and it's not my right to do so.

    21. Re:In soviet Amerika, policy violates you! by Just+Some+Guy · · Score: 1

      BUT, try telling Bob the luddite he can't use thunderbird (something he may have never used, but likes the way it looks) when Lennie The Linux Master two desks down is running pine!

      You tell Bob that Lennie was hired because he knows how to do these things and to mind his own business from now on. You tell Lennie that you officially support Outlook or whatever and that you can't and won't help him with anything else. Grow a spine and let Bob and Lennie know what's expected of them and leave it at that.

      If you can't do that, then the problem is that you suck at management and compensate by inflicting a uniform mediocrity. If you read Harrison Bergeron as a kid, did you find it scary or exciting?

      --
      Dewey, what part of this looks like authorities should be involved?
    22. Re:In soviet Amerika, policy violates you! by Anonymous Coward · · Score: 0

      The difference here is that someone else's house and crappy infrastructure is none of your concern.

      Your job is to get things done. Things that help you do that are good; things that stop you or slow you down are bad. Reasonable employers want to facilitate your success. After all, that is WHY they pay you.

      To a great extent, your goals and your employer's goals are the same. Does policy work towards those common goals, or has it taken on a life of its own?

    23. Re:In soviet Amerika, policy violates you! by Jhon · · Score: 1

      You tell Bob that Lennie was hired because he knows how to do these things and to mind his own business from now on. You tell Lennie that you officially support Outlook or whatever and that you can't and won't help him with anything else. Grow a spine and let Bob and Lennie know what's expected of them and leave it at that.

      Start your own business and tell him your self.

      If you can't do that, then the problem is that you suck at management and compensate by inflicting a uniform mediocrity. If you read Harrison Bergeron as a kid, did you find it scary or exciting?
      Yeah... that's it. It has nothing to do with limited resources available to a given company. Or that the scope of work for company X doesn't REQUIRE anything but basic email for the majority of users. Or that systems are locked down because of State and/or government regulations and require DOCUMENTATION for everything installed on them AND if/how it interacts with previously installed software, AND documented validation checking AFTER software was installed (which again is a huge increase in cost overhead).

      You nailed it buddy. I suck at management because we don't want to spend the time/resources required to let anybody install/use whatever fits their fancy. I'll nip off and shoot myself now. Don't worry. I'll be very humane.

      *OR*, I've got a better idea: STFU on speaking authoritatively on topics you know next to nothing about. It's not about USER ABILITY. It's about USER NEEDS with regards to their JOB FUNCTION with COSTS calculated in. That's the company's call. Not mine. Absolutely not yours.

      If you read Harrison Bergeron as a kid, did you find it scary or exciting?
      Because businesses are the same as society... yeah, right. Or that you have the right to do what ever you want with and/or to your employer's hardware, money, and co-workers? What a GREAT Bergeron analogy you made!
    24. Re:In soviet Amerika, policy violates you! by Just+Some+Guy · · Score: 1

      *OR*, I've got a better idea: STFU on speaking authoritatively on topics you know next to nothing about. It's not about USER ABILITY. It's about USER NEEDS with regards to their JOB FUNCTION with COSTS calculated in. That's the company's call. Not mine. Absolutely not yours.

      I'm an IT advisor. Our company is growing by leaps and bounds and our employees are happy and productive. The company's call seems to be that I'm better at the job than you are.

      --
      Dewey, what part of this looks like authorities should be involved?
    25. Re:In soviet Amerika, policy violates you! by fred+fleenblat · · Score: 1

      Thunderbird is an exclusive alternative to training for disaster recovery?
      You're not making any sense.

      I'm sorry your department has limited resources, but it may surprise you to realize that so does mine.

    26. Re:In soviet Amerika, policy violates you! by Jhon · · Score: 1

      I'm an IT advisor. Our company is growing by leaps and bounds and our employees are happy and productive. The company's call seems to be that I'm better at the job than you are.

      You are better at your job for YOUR company than *I* am at doing the same job for YOUR company -- perhaps. If they let your users install whatever they want, great. Either they don't care about the increase in costs or they haven't sat down and calculated it. Perhaps your company doesn't have such restrictive rules/procedures such as CAP/CLIA. Or perhaps your company does but enjoys having staff spend all their time (and money) testing and retesting software, results produced, comparing to instrumentation results -- etc etc etc. AND then documenting all that. Signing off on it -- making sure all the material is reviewed semi-annually by your medical director. All so that the user can drop in and use whatever software they want.

      I bet if you ran our company the way you describe you would be fired after your first CAP inspection. That's if your place was still in business and wasn't forced to shut its doors before your pink-slip could be printed.

      Again, I will state: It's not about USER ABILITY. It's about USER NEEDS with regards to their JOB FUNCTION with COSTS calculated in. That's the company's call. Not mine. Absolutely not yours.

      At our shop, it was ruled that IT will keep base images as uniform as possible to reduce costs -- in support, risk management, and ensuring compliance. And my job is to run our IT department the way the COMPANY wants -- not yours. I just happen to completely agree with our GM in this case.

      Since our company has grown by more than 10x over the last 5 years, we've had articles written about our process management (many of which I authored myself) and never scored less than a 98.9 on any inspection, I'd have to say that I'm pretty damn good at my job, your snide remarks notwithstanding.
    27. Re:In soviet Amerika, policy violates you! by Billly+Gates · · Score: 1

      Lawsuits are expensive.

      I just finished a business law class where I had a moot court presentation on Ellerth vs Burlington Industries. The case involves alleged sexual harassment with no proof or complaints when Ellerth quit work. She won the lawsuit?? Why? It was a hostile work environment, and the fact that she did not need proof to sue and win is scary.

      The point is the lawyers know this, and yes, browsing on myspace with sexual preferences listed is creating a hostile work environment. It's the new thing lawyers love because they hardly need any proof to win. My example was just one, but it's good to have lawyers on your side; as you grow big, so do your pockets that people want to pick via litigation. Banning third party software to be in compliance with Oxley if you don't have a license, and p2p mixed with non business websites, can save millions in lost court costs.

      I hate lawyers too by the way but we can't fight the system and we need to follow it.

    28. Re:In soviet Amerika, policy violates you! by Billly+Gates · · Score: 1

      Novell eDirectory is superior and takes far less bandwidth with hardly any replication issues.

      Sadly once you're in AD you're stuck.

    29. Re:In soviet Amerika, policy violates you! by Anonymous Coward · · Score: 0

      But as a company, I cannot expect them to single me out of a staff of a few hundred thousand. If I am the person who requires "special" software, or "Special" hardware, I become easy to replace with someone who doesn't, or someone who gets the job done without bitching about what tools I have. I worked for AT&T and at times, we had to share tool bags because they couldn't afford to get every tech all of the tools they needed. Seriously. I worked for another company who "couldn't afford" to move its employees off of Novell 4 and Windows 95 and token ring, even though it was 2002 and they were doing 3 billion dollars in business each year (not profit mind you...just in business).

      IT for a lot of companies is a hard spot to manage, because we are a "for cost" business unit. Most companies think that because we cost them money, we are easily replaced (which in some circumstances is true), but they don't realize that we also provide the methods and efficiencies that help the profit makers do their jobs.

      Personally I use Linux at home on all but one PC (my kids'), and I love what it offers. At work however, I am stuck using xp (Vista now...don't get me started). As long as MS gives massive discounts on software, or companies like Dell, IBM and others are giving massive discounts on hardware, I really cannot do much complaining. So, I respect the choices I cannot make, the equipment they give me, and until it is my decision or chance to make the rules, I don't violate any rules set out before me.

  25. Re:When Policies are set by PHB's and you need to by Anonymous Coward · · Score: 1, Funny

    Easy. Add inflation to his sentence.

  26. Leverage by Jonny+290 · · Score: 1

    In my experience, the "IT policies" of a company are generally so restrictively worded that they'll catch almost any individual at some point in time for a "policy violation." They are rarely enforced as a matter of practice or true benefit to the company's security and IT performance, but provide excellent leverage against employees who are under the hot lights for unfireable offenses. Simply whip out that pattern of browsing Myspace, whip out the IT policy, and have them sign their resignation letter right there.

    --
    Hey Taco! Looks like you're using the "infinite monkeys and typewriters" scheme to generate Ask Slashdots again...
  27. How is it so "risky" by webmaster404 · · Score: 1

    How is checking your e-mail, downloading software or using P2P software "risky"? The number 1 rule for all corporate networks is that you lock down your network; at home the most someone could really do is install a bot and make you send out spam messages. At work, your machine should at least have a network-wide firewall, up-to-date antivirus if it's a Windows machine, and an under-privileged account if it's Windows or Linux. But if everyone switched to Linux, none of it would really be a problem. But seriously, it poses little to no risk to a properly configured machine, nearly non-existent if you're not using Windows. Because checking your E-Mail, web based through Firefox or through POP with Thunderbird (or anything that's not outlook), as long as you don't download any binaries, you're safe. As for spyware, just use Firefox; that takes care of most "drive-by-downloads" that IE has, and those are the number 1 cause of malware. As for P2P, as long as you have a decent firewall and don't download anything of questionable legality, the most it does is use up bandwidth, which most ordinary workers won't even feel, and most smaller ISPs allow you infinite bandwidth.

    --
    There is no "disagree" moderation, and troll, flamebait and overrated are not valid substitutes
    1. Re:How is it so "risky" by logicassasin · · Score: 1

      Checking personal email from sites like yahoo, hotmail, etc can all allow virii to get onto the network and allow proprietary company or customer information to leak unchecked. That last point is the driving force behind our rules. My employer, and pretty much every other company in this particular industry, does not allow the use of personal web mail. The sites are actively blocked, and attempts to access them are noted and stored.

      --
      Fifty watts per channel, baby cakes.
    2. Re:How is it so "risky" by webmaster404 · · Score: 1

      Ok, so how is a binary (executable code) going to get on the network? If you're using Firefox, Opera, Safari or just about any browser other than IE, they block the attempts. If you never download the binary, how is it going to infect the network? It's not like HTML has any code that can be run, and Python, Perl and PHP are safe as long as you don't download anything. And so how is proprietary info going to get "leaked" unless you use insecure methods such as ActiveX to be run? And if you are worried about your IP address being sent out, use Tor or a tight firewall.

      Correct me if I'm wrong, but there seems to be almost no possible way, other than exploits in the browsers themselves, to leak info by checking web based E-Mail.

      --
      There is no "disagree" moderation, and troll, flamebait and overrated are not valid substitutes
    3. Re:How is it so "risky" by logicassasin · · Score: 1

      Without divulging the industry I work in, let's just say that the company has to keep a tight lid on things. Company and customer info can leave by someone simply emailing it out via personal email. Since all corespondance is monitored, the likelyhood of someone getting away with emailing information out through our exchange servers is slim (note - I said getting away with it, not that you can't do it, but you would be flagged and caught). It's also a monumental waste of time and with everyone on tight deadlines, we don't need wasted time.

      IT/Customer regulation does not allow USB drives of any sort unless company issued AND those drives may never leave the campus. This helps to prevent people from bringing a virus in from their home PCs.

      We have areas where pagers, cellphones, and any other communications devices are prohibited.

      For the longest, cellphones with cameras were not permitted anywhere inside the buildings. Once it became nearly impossible to buy a phone without a camera, we had to get that condition lifted.

      --
      Fifty watts per channel, baby cakes.
  28. OpenVPN... by Anonymous Coward · · Score: 0

    OpenVPN + Colo'd Linux Server with SQUID Proxy = The Awesome

    1. Re:OpenVPN... by Anonymous Coward · · Score: 0

      I was canned for a similar setup (SSH tunnel + colo'd linux with squid).

      Pro tip: Don't try this from any place which has even a single person working network security full time. They will notice.

    2. Re:OpenVPN... by PitaBred · · Score: 1

      You know you don't even need Squid to do that? OpenSSH will do a SOCKS5 tunnel quite happily.

  29. This is bad for a surprising reason by zappepcs · · Score: 1

    It is bad, first because as mentioned, that number is low. Second because they violate them because they CAN. IT security is nearly as futile as the war on drugs. Its current incarnation does nothing to reduce the demand, nor does it adequately address the problem.

    In the workplace, the employer (owner of the IT infrastructure) has a duty to inform employees how the tool(s) are to be used and what is misuse. Additionally, the stick and carrot method is not appropriate. If you catch your child using your favorite pair of pliers to hammer a nail to hang a picture, you do not scold them and tell them to not hang pictures. You provide them with a proper hammer and some education on how to use it properly as well as assistance in hanging the picture, along with perhaps a discussion of what kind of picture is appropriate to hang on the wall of their room.

    Employers are faced with a new world regarding these IT tools, and to ignore the natural desires of people is to ignore their own security. I fully endorse the policy of allowing some things, such as Internet radio, or checking news sites. If that uses too much bandwidth, funnel such traffic through a proxy to a bandwidth limited connection. Separate your company traffic from benefit traffic. Lock all connections down with security and virus scanning etc. but do not use the stick and carrot... it does NOT work, will not work, cannot work.

  30. Firefox violated IT Policies by hansamurai · · Score: 1

    Two years ago I received an email from IT informing me that I was using the application Firefox and that a "major security vulnerability" had been discovered. They told me I had to use Internet Explorer as it was "much more secure".

    Whether or not IE was actually more secure on our network isn't really the point, but I still had a great laugh out of it. I simply updated Firefox and that took care of that, never heard from them again about it.

    1. Re:Firefox violated IT Policies by TheDrewbert · · Score: 1

      I was told by my PHB that I wasn't allowed to use Firefox because a security vulnerability had been found and handed me a printout of the article. I forget which one it was, but it had something to do with phishing scams. I told him that I wasn't dumb enough to fall for phishing scams and if I did it wouldn't be hurting the company anyway. This is the same guy who went ballistic because my iTunes library file (not the actual, legal MP3s, those were on my C drive) was on the network and taking up 4 megs of space. He actually went to the president of the company about this. He was just looking for a reason to fire me because I reported his sexual harassment of a co-worker. I let them, then took them to the cleaners.

      --
      http://www.CelloFourteGroupie.net
    2. Re:Firefox violated IT Policies by ErikZ · · Score: 1

      How would you take them to the cleaners over a 4 meg file on the network?

      --
      Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
    3. Re:Firefox violated IT Policies by Meorah · · Score: 1

      Yeah, I use that excuse with end users all the time. The majority of the time it works because users are dumb. The real reason is because I can control their IE settings via group policy and know perfectly well that they are set to a reasonably secure configuration, and can make changes to the IE policy on the fly without trekking around 100 desktops to manually confirm a setting change.

      That being said, it's a rule (not a RULE) that you are only supposed to use IE at work. I don't enforce it, don't make users uninstall it if they argue the first time (just tell them I don't support their firefox errors if it doesn't also appear in IE), don't remotely uninstall it for them, don't get flak from my boss about it, and actually use it myself (along with Opera) when I need to troubleshoot browser issues.

      --
      Protector of Capitalist views,
      Meorah
    4. Re:Firefox violated IT Policies by TheDrewbert · · Score: 1

      I didn't. He was looking for excuses to fire me because I reported him for sexually harassing a co-worker. My performance reviews had been exemplary until that incident, then a few months later suddenly I got the worst possible grade across all categories in the review. I kept a paper trail because I could tell what he was up to. He fired me by saying that my performance had degraded, and I was no longer a fit for the company. I qualified for whistleblower status over the sexual harassment issue. Sued for wrongful termination, won.

      --
      http://www.CelloFourteGroupie.net
  31. Skewed sample by DoofusOfDeath · · Score: 1

    Shouldn't the headline be (in fewer words):

    "Consider the employees stupid enough about security that they describe, to a stranger on the phone, the ways that they make their company networks less secure. 1/3 of them also violate corporate IT policy."

    The real WTF is that *anyone* answered those questions on the phone.

  32. So, by no-body · · Score: 3, Interesting

    what is wrong here? Rules or people?

    Whenever rules are broken, something of the two is off.

    Remedies are not always adequate and can lead to more trouble.

    1. Re:So, by webmaster404 · · Score: 1

      Generally it's the rules, sure you should be able to block "inappropriate" sites, but there's no need to block "time wasting" sites such as Myspace, Facebook, Digg, Slashdot or YouTube. If an employee can finish their work in 3 hours and no one can give him/her more work for say an hour, there's nothing wrong with them watching a few Youtube movies. The fact is most of these "content filters" end up being more harm than good because most of the IT staff doesn't even know how they work. And all it does is annoy the average employee. So simply if businesses would just switch to Linux, put up a simple content filter, and a firewall all would be good.

      --
      There is no "disagree" moderation, and troll, flamebait and overrated are not valid substitutes
    2. Re:So, by Meorah · · Score: 1

      If you want to save bandwidth on your corporate network, you better believe that I'm blocking social networking sites and streaming media sites. Digg and Slashdot would get a pass only because they have business value to the IT department attempting to stay up to date on their job (and use minimal bandwidth). I have yet to encounter anybody who has a legitimate business reason to use Myspace or Youtube while at work.

      There's a whole internet of information out there. Go waste time on a static page and expand your horizons. You can get your crack from home.

      And yes, I also block content filter bypass sites, proxy bypass sites, and the majority of remote access sites and programs (VNC, RDP, and LogMeIn are the only 3 I created exceptions for).

      --
      Protector of Capitalist views,
      Meorah
    3. Re:So, by Ernesto+Alvarez · · Score: 1

      I'd say people.

      Usually the rules are the ones that are off, but because somebody screwed up while making them. The most common cases being a manager choosing overly restrictive rules while wanting an exception for himself, or not counting on a business need that is interfered with by the new rule.

      The problem with IT is that they (we?) try to solve "social" problems with technology, thus making a hostile environment (like those block-evade arms races), instead of having a chat with the user (which usually yields better results). Of course, there are times when you should stand firm and even cut his net access if necessary, but they should be very few occasions, and usually as not only a punishment/enforcement to the user in question and a message to others. Blocking and other such actions are like a weapon, and should be used only when necessary, and not at the first available occasion because it's easier (which is not in the long run).

      The same thing happens with managers: instead of trying to find out why people read their own personal mail at work, they simply make an unenforceable rule that forbids them from doing so. They try to solve a "social" problem with rules.

      In practice, when there are a lot of rules, they are more like "I'd rather you didn't do..." things. Either that fact needs to be cleared or few rules should be in place (and the really important ones marked as such).

    4. Re:So, by Billly+Gates · · Score: 1

      From a geek turned into a suit I have to agree with clamping down as well.

      Time is money in economic and accounting terms. I would reward good employees by sending them home early if they did a ton of work and the companies objectives for the day have been met. Good job enjoy some time to relax at home.

      If you can save an employee 15 minutes of productivity a day times a whole month you get almost a whole day of lost productivity! In fact some companies like UPS even ban coffee makers and water coolers outside the cafeteria because they can cost hundreds of thousands of dollars in lost work a year.

      It's a business and you are there to make the CEO or shareholders more money. That's it and fooling around at myspace is better at home anyway on your own time.

      Not to mention someone with a myspace with sexual or inappropriate things could open your employer for liability by creating a hostile work environment. Lawyers love that term.

  33. Re:When Policies are set by PHB's and you need to by Otter · · Score: 4, Funny

    "Today, a coffee cost $1.99 + TAX!"

    And is that the phrase for the dental plan password, the diversity training registration password, or the office supply purchasing password? Or an older phrase for one of them, as each one needs to be changed (out of sync!) 6 times a year.

  34. policy? by bigdavex · · Score: 4, Funny

    I'm not supposed to post on internet forums.

    --
    -Dave
  35. "That's your job..." by B5_geek · · Score: 1

    One of the places that I worked as a contractor was rife with this type of abuse. I mentioned to one of the users that they were the cause of the problems; the response staggered me:

    "It's your job to keep the computers safe, not mine."

    Alas logic held no sway on their minds.

    --
    "The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
    1. Re:"That's your job..." by rossz · · Score: 1

      The user is absolutely 100% correct. Keep in mind this same person jumps in his car, hauls ass down the freeway at 90 MPH yapping on a cell phone, sipping his coffee, completely oblivious to his surroundings. Do you really expect that person to follow "policy" when he has already shown a complete disregard for the law and common safety principles?

      No, you can't shoot him in the head with a shotgun. The momentary feeling of satisfaction is followed by a serious downside.

      --
      -- Will program for bandwidth
    2. Re:"That's your job..." by AceCaseOR · · Score: 1

      No, you can't shoot him in the head with a shotgun. The momentary feeling of satisfaction is followed by a serious downside.

      Of course you can't. Why would you want to anyway? That's so easily traceable. What you do is put them in dummy mode, and then have them check the voltage on their power outlet using a pair of paper clips (among many other means of removing security risks against the system). What's that, you ask? You might get arrested for this too? Of course not, it's a matter of national security! If users can be permitted to let viruses and spyware run on their systems, possibly turning the entire company network into a massive botnet, then the terrorists have won. Thus, logically, the biggest hazard and network security risk must be removed - the (l)users.

      --
      Zagreus sits inside your head, Zagreus lives among the dead, Zagreus sees you in your bed and eats you in your sleep.
    3. Re:"That's your job..." by Actually,+I+do+RTFA · · Score: 1

      It's your job to keep the computers safe, not mine.

      That is true, it is your job not his. Like a mother's (typical gender role assignment coming up) job is to take care of a child. So when the child is playing in the street, she drags him inside and punishes him.

      So, keep the computers safe. He requested that you protect his web access with a whitelist and make him come to you every time he wanted to open an e-mail attachment. Or that he not have the ability to change the C: drive (there is some software that crushes it every night). Or that he have no privileges and run in a custom shell you pull off the web.

      The possibilities are endless...

      --
      Your ad here. Ask me how!
    4. Re:"That's your job..." by tcdk · · Score: 1

      You should have turned off his computer and removed the power cable, keyboard, network cable, etc., with the words: "Congratulations: you now have the most secure PC in the house".

      --
      TC - My Photos..
  36. Less legal mumbo-jumbo in employee agreements by failedlogic · · Score: 2, Insightful

    I recall before a lot of companies had terms of network use, a few employees where I worked had been downloading games from warez servers because the company network was significantly faster than anything available at the time. I knew even the network admin was violating this. I very much felt like reporting it, but as an entry-level employee on their first job, 1) I would feel guilty with getting someone fired; 2) I didn't feel like testing management by reporting this and see myself get fired; 3) I didn't really understand the policy and didn't know what to do.

    I'll make clear that I wouldn't let this go today.

    My point in all this is, some people starting at the company may be aware of activities the admins themselves or other staff are performing which management may not be. My first job was relatively simple and well paid, I have had no beefs with the company. But our Acceptable-use policy book was some 20-30 pages long. This was about 10 years ago. I would rather have had a 1 page document, sign at bottom: I will not download viruses or warez, share company information or NDAs to outsiders, etc on company time. If I know another employee is doing so, please report anonymously to. Violators will be disciplined or fired.

    Really, does it really need to be any longer than this or more complicated? It simplifies reporting and makes the issue and repercussions clear. Get the 20 page document too if you must. But the one-pager should be clear to *all* employees regardless of law degree. But help make it clear too, that if you mistype a domain and get a porn site, you shouldn't have to hide it and feel like someone is about to can you (e.g. whitehouse.com vs whitehouse.gov).

  37. You must be kidding... by TheBrutalTruth · · Score: 1

    I can't believe it. Next someone will say that 65% of Slashdot users like p0rn. Insane!

    --
    Enlightenment is a pipe dream. So where's the pipe?
  38. Talking to a stranger on the phone about security by joeflies · · Score: 1

    Seems like a violation of security policy to take an unsolicited call asking questions about security for a purported "Survey". Did any participant actually check the credentials of the person conducting the survey before giving answers about the security of their enterprise?

    So anyone who answers to the survey (not just the 1/3 who said yes) is in violation of policy.

  39. Astonishingly enough... by Wazukkithemaster · · Score: 1

    One third of IT employees were fired this week... which third? well... any third will do.

    --
    Live according to the Categorical Imperative. If the Categorical Imperative tells you not to live by it... ignore it
  40. Admit it by blueZ3 · · Score: 1

    you'd be happy if 1/3 of your company's employees knew that there was an IT policy. Heck, if they even knew what the IT department WAS.

    --
    Interested in a Flash-based MAME front end? Visit mame.danzbb.com
  41. Community Forums Blocked by lymond01 · · Score: 0, Redundant

    My company policy doesn't allow posting on community forums.

  42. NO by Anonymous Coward · · Score: 0

    I am Donald Trump.

  43. Re:When Policies are set by PHB's and you need to by CBravo · · Score: 1

    Oh come on. I have to type it every 20 minutes because I cannot get putty to save things in the registry to aid automated login. I keep it short and stupid, like the security regime.

    Passwords like ASDF12#$ and Welcome22@@ are easy on my wrists.

    --
    nosig today
  44. Bullshit! by radiumhahn · · Score: 1

    Bullshit! Way more than two thirds of companies don't have IT policies to violate!

  45. Bing... Bing... Bing... by Belial6 · · Score: 1

    And that is the answer that most people miss. I would say that frequently, even if an employee wanted to follow policy, they could not because their jobs actually require them to violate the policies.

    This is not limited to IT policy though. At 2 of the last 3 jobs my wife had, she would be told by her manager that they didn't care how she got a new copy of documents dated three days early, but that she better do it. It was obviously an instruction to not only violate policy, but the law. Of course the firings for following policy generally could be described as "encouraging to quit". These kinds of instructions are common outside of IT, so I can't understand why anyone would expect IT to be any different. Oh, that's right, it's on a computer. ;)

    1. Re:Bing... Bing... Bing... by Mattintosh · · Score: 1

      For your wife, the correct answer is:

      "I won't lie to you, but I also won't lie for you. I will not violate company policy. I will not violate the law. And, no, I will not resign."

      The manager, and possibly the entire company, is up the proverbial creek if your wife is let go for that statement and the stand it represents. Plus, you'd have grounds for a lawsuit. It's called "wrongful termination" in most places, and there are several variants of it. In this case, it would probably hinge on either the policy violation (employer self-contradiction) or the violation of law (crime).

    2. Re:Bing... Bing... Bing... by Belial6 · · Score: 1

      You are correct that refusing to forge documents is the correct answer, and that is what she did. Unfortunately, they don't fire you for it. They just make sure that you get all of the crappiest work, no longer receive any kind of raise, and transfer you to the department that is being downsized. If necessary, they will create a brand new department for you to work in so that in 3 to 6 months, they can simply claim that the department didn't work out and lay off everybody in the department. You. I have seen this happen to many people. It is a common practice.

      "Wrongful Termination" only applies to those that make a very large amount of money, people who were fired by companies too stupid to realize that you don't have to give the real reason for firing someone, or people who fall into very narrow categories of popular-to-protect groups.

    3. Re:Bing... Bing... Bing... by Mattintosh · · Score: 1

      Document everything. The employer in this situation wants nothing on paper. Get it all on paper.

      If you can document a pattern of abuse, the payout can be huge. So huge, in fact, that you may not need to work ever again. I don't normally condone litigation, but when something so obviously unjust is perpetrated, I think it's warranted.

    4. Re:Bing... Bing... Bing... by Belial6 · · Score: 1

      Maybe the lawyers in your area are just more hungry than in mine. My wife was fired for filing a sexual harassment complaint when her boss started harassing her for having gotten pregnant. She had an email that was cc'd to her from the head of HR that said they were hoping the problem would go away by getting her to just quit. They had gone around the office asking each and every person if they had heard her using racial slurs, which was an attempt to smear her reputation. She never had, so obviously they didn't find anyone who had, but that doesn't change the fact that they were trying to convince people that she was a racist. Finally when they couldn't find anything to fire her over, they just fired her with the reason of "Hostile towards the company". This was in writing.

      Both lawyers who would even bother talking to her told her that she didn't make nearly enough money to make it worth going after.

      The pathetic thing is that she didn't even want to file a complaint. She just wanted her boss to be told to stop giving her a hard time about being pregnant. They told her that they wouldn't even discuss it without a formal complaint.

    5. Re:Bing... Bing... Bing... by Mattintosh · · Score: 1

      If you're in the USA (and, by the description of your local lawyers, you're probably not), file a complaint with the EEOC and the state attorney general's office. They don't care how little your wife made as a salary, they're the government. They don't have to care.

  46. Re:When Policies are set by PHB's and you need to by Some_Llama · · Score: 1

    "And what about the rules saying that you have to change your pass word and you can't use part of your last few passwords."

    typically to stop people from using "password1, password12, password123" or "password1, password2, password3"?
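
    A password-history check of the kind that rule implies, as an added example that is not from this thread: it flags a new password that differs from an earlier one only by leading or trailing digits and symbols, contains the old one, or is within a couple of edits of it. The function names, the stripped character set and the edit-distance threshold are my assumptions.

    ```python
    """Flag new passwords that are trivial variants of previous ones.

    Added example, not code from the Slashdot thread. It models the
    "can't reuse part of your last few passwords" rule discussed above;
    the names and thresholds are assumptions.
    """
    import re
    from typing import Iterable

    # Characters users typically add to satisfy a complexity rule
    # (assumed set; extend as your policy requires).
    _TRAILING = re.compile(r"[0-9!@#$%^&*]+$")
    _LEADING = re.compile(r"^[0-9!@#$%^&*]+")


    def core(password: str) -> str:
        """Strip leading/trailing digits and symbols and fold case.

        core("password12") == core("password1") == "password"
        """
        stripped = _TRAILING.sub("", password)
        stripped = _LEADING.sub("", stripped)
        return stripped.lower()


    def edit_distance(a: str, b: str) -> int:
        """Levenshtein distance; catches single-character tweaks."""
        prev = list(range(len(b) + 1))
        for i, ca in enumerate(a, 1):
            cur = [i]
            for j, cb in enumerate(b, 1):
                cur.append(min(prev[j] + 1,            # delete
                               cur[j - 1] + 1,         # insert
                               prev[j - 1] + (ca != cb)))  # substitute
            prev = cur
        return prev[-1]


    def is_trivial_variant(new: str, history: Iterable[str],
                           max_edits: int = 2) -> bool:
        """True if `new` is a predictable rewrite of any password in `history`.

        Compare against the stored history *before* hashing the new
        password; once only hashes are kept this check is impossible.
        """
        new_lower = new.lower()
        new_core = core(new)
        for old in history:
            old_lower = old.lower()
            old_core = core(old)
            if new_lower == old_lower:
                return True
            # "password1" -> "password2": identical once the suffix is stripped
            if new_core and new_core == old_core:
                return True
            # "pass" -> "password1": the old core survives inside the new one
            if len(old_core) >= 4 and old_core in new_lower:
                return True
            # "Welcome22@@" -> "Welcome23@@": only a character or two changed
            if edit_distance(new_lower, old_lower) <= max_edits:
                return True
        return False


    if __name__ == "__main__":
        # Constructed sample history (not real credentials).
        prior = ["password1", "Welcome22@@"]
        for candidate in ["password12", "Welcome23@@", "correct horse battery"]:
            print(candidate, "->", "rejected" if is_trivial_variant(candidate, prior)
                  else "accepted")
    ```

    Run against a candidate before hashing it; a rejection here is the signal that the user is counting up rather than choosing a new secret.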

  47. slashdot by antdude · · Score: 1

    Hmm, I think reading /. violates my employer's IT Policies. :P

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  48. Re:When Policies are set by PHB's and you need to by Gibble · · Score: 1

    You can't remember more than one password? And honestly, isn't it easier to remember several phrases than several cryptic passwords like "41!ap*17ARK"?

    I'm just suggesting, a simple solution to strong passwords that are also easy to remember.

    As a side note, if there are three systems, keep the passwords the same, while they may get out of sync, you should only need to remember a couple at a time.

    If IT hasn't bothered to integrate the systems to use a single login, they aren't going to bother checking that each system uses a different password.

    --
    Gibble: Descriptive of an emotional state in which one's mind is scrabbling for some purchase on reality
  49. let me guess by biscon · · Score: 1

    you work for Microsoft? ;)

    1. Re:let me guess by BrianGKUAC · · Score: 1

      Google. I simply can't imagine Microsoft allowing its employees to take home software for free.

      --
      Menus: Linux=function, Windows=vendor, OS X=as little as possible. Makes a statement, don't you think?
    2. Re:let me guess by Anonymous Coward · · Score: 0

      I simply can't imagine Microsoft allowing its employees to take home software for free.

      http://en.wikipedia.org/wiki/Eat_one's_own_dog_food

      I know this is Slashdot, but Microsoft does do some things right.

  50. The reason for IT policies by EmbeddedJanitor · · Score: 2, Interesting

    I think it fair to say that IT policies are not there to be enforced all the time. They are there to give IT staff the tools to manage the system effectively and prevent excesses.

    For example the last place I worked at, the official line was "no personal use" but it was deemed OK to download a few mp3s or a Fedora ISO image here and there, transfer your photos to flickr etc, but they stomped down hard on the guy who used approx 1/3 of the network bandwidth to download DVDs for his home viewing (and to give to his buddies etc). Printing a few tens of pages here and there for personal use was OK, but they stomped on the person who did a 5000 page print run for their club newsletter.

    It comes down to "reasonable force".

    --
    Engineering is the art of compromise.
  51. 100% by sw155kn1f3 · · Score: 1

    100% breaking IT policy is a more accurate estimate ;-)
    Never set stupid policy and no one wants to break it!

    --
    - Arwen, I'm your father, Agent Smith.
    - Well, you're just Smith, but my father is Aerosmith!
  52. I Think the title is wrong... by zukinux · · Score: 1

    The title now is : "One-Third of Employees Violate Company IT Policies"
    I think it should be instead : "Only One-Third of Employees Admitted to Violating Company IT Policies, The Rest Want to Keep Their Job by Lying to Themselves"

  53. They're more like guidelines by WillAffleckUW · · Score: 1

    Not so much a code per se.

    Arrr!

    --
    -- Tigger warning: This post may contain tiggers! --
  54. Re:only 1/3? yeah right. by QuasiEvil · · Score: 1

    We have such policies, too, but ours is "reasonable personal use is permitted", provided it doesn't interfere with your job performance, network security, etc. Basically I keep an SSH session open to home all day and check my mail every hour or two, pay bills over lunch, etc. Oh yeah, and Slashdot...

  55. P2P is OK by c_g_hills · · Score: 1

    I am not sure what is wrong with P2P. I use it to distribute the VMware images on my site with the blessing of my employer, since it actually saves bandwidth.

  56. Developers... by Kazoo+the+Clown · · Score: 2, Interesting

    The problem is, companies are cheap. Developers should have their own network that they can do whatever they bloody like with (IT dept. hands-off), and it should be isolated from the corporate network. But that means they need two machines, one with their corp email & IM and office tools & the like, and one that they actually develop on in their own sandbox...

  57. There are rules and there are RULES by davidwr · · Score: 2, Informative

    There are rules, like the 70mph speed limit or no surfing Slashdot, which are usually ignored unless someone needs a reason to fire you.

    Then there are RULES, like not killing people and not using office computers to plot the overthrow of corporate executives, that will get you fired no matter what.

    Most people are smart enough to know rules from RULES. Those that don't get the corporate Darwin award.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  58. Re:When Policies are set by PHB's and you need to by dbIII · · Score: 1

    Some people forget their username even if it is their first name a space and their surname. You really can't blame password policy on the people that write it down, in these days of ATM cards people should be able to remember short passwords. What annoys me the most in this area is people that choose long complex passwords and stick a bit of paper with that password to their laptop.

  59. Only a third? by Toonol · · Score: 1

    I would have thought it was much higher. IT policies everywhere I've seen are regarded like speeding limits; absolutely meaningless, except when somebody official is watching you.

    The typical response by IT is to make the policies more restrictive and impractical, which, of course, makes adherence to them even less likely.

  60. What about IT staff... by rongage · · Score: 1

    And in other news

    And while they won't admit it, 74% of all IT staff routinely violate the rules they force the rest of the staff to live under

    Not that I would do such a thing, but....I've heard stories... :)

    --
    Ron Gage - Westland, MI
  61. Recursive irony! by graviplana · · Score: 0

    The amusing thing is one third of all of us are probably reading and commenting on this article from work. Oh the recursive irony!

    --
    "Time is nothing; timing is everything."
    1. Re:Recursive irony! by neminem · · Score: 1

      And the rest are probably reading from class (like me).

  62. Re:When Policies are set by PHB's and you need to by Toonol · · Score: 1

    What annoys me the most in this area is people that choose long complex passwords and stick a bit of paper with that password to their laptop

    That's why "Dinner at 8 - Call Janice" is such a great password. Hidden in plain sight.

  63. Re:When Policies are set by PHB's and you need to by PitaBred · · Score: 1

    That's what PSK's are for. Look into using PuttyGen (or whatever it is) and make a key that your remote systems recognize.

  64. Let people browse! by $criptah · · Score: 3, Insightful

    If you are reading this thread at work, you're probably violating the policy as well. Has anybody actually read the employee handbooks given out on your first day of work? I have never worked for a company where IT staff did not violate policies to a greater degree. Sure, soccer mom / accountant Jane may look at the news site or shop at gap.com during work hours, but Billy, the director of IT, can run as many P2P applications from the QA lab. I have constantly heard IT engineers bragging about yet another wonderful Quake 3 lunch. There is nothing wrong with having some fun at work, but ordering extra-beefy hardware only for specific individuals so they can play Quake may not sit right with a CFO. What about all that licensed software that magically ends up being installed at home? The about box reads that it is licensed to Some Company while it is being used for personal purposes. Things like this happen all the time. Hell, I had a co-worker who did not mind browsing pr0n and personals online at work. He even bragged about it. Notice how I stated things in the past tense :) Stupid policies make people break the laws. Just like teenagers love liquoring up despite the fact that it is illegal, white collar professionals like their news sites and forums. There is nothing you can do about it. In fact, if I were a boss, I would encourage people to relax and take breaks once in a while. I seriously see no harm if Johnny-work-all-night-to-meet-deadline takes 10 minutes and reads his Slashdot. As long as work is getting done, who gives a shit about what people do when they have a spare minute.

  65. Educate them! by stormeru · · Score: 0

    Educate the employees instead of creating more rules and restrictions. Force a few Intertubes security lessons on them and even scare them by telling some horror stories about phishing, their anonymity loss and how easy it is for everyone to find something about them if they keep using social networks. There are a lot of things you can do to make them change some of their bad habits if not all.
    Most of them probably also have a computer at home so this will be a winning situation in the long term for everyone.

  66. Re:When Policies are set by PHB's and you need to by lgw · · Score: 1

    I *won't* remember more than one password for work! The IT guys get 1 secure password, all the rest get written down in an obvious place. If they can't figure out how to sync passwords, it's not my problem (and if my current IT dept can manage password sync, retarded monkeys can do it).

    --
    Socialism: a lie told by totalitarians and believed by fools.
  67. IT policy of our company by xebecv · · Score: 1

    Working for a big company with a huge IT department. Our policy:
    1. Workstations don't have internet access by default. There is a separate cybercafe for internet access.
    2. No administrative privileges are given unless you are a software engineer or have clearly explained why you need them and been given permission.
    3. Email is the only thing that can get to workstations from the internet, but its use is strictly work-related. Very helpful if you need some doc from the internet.
    The policy is pretty strict, but it's fine with me since cybercafe use is unrestricted to a reasonable extent. On the good side, I don't recall anybody having an infected machine since I started working for the company. Moreover, less than 10% of people get any junk mail - punishment for abusing corporate email accounts. I am admin on my machine, but it was never infected and I have never had any junk mail.

  68. Re:only 1/3? yeah right. by aflag · · Score: 0

    For every company that I've worked for, there has always been a "proper use" policy for PC usage. None of them allow the web e-mail, StumbleUpon, Slashdot, Digg, and/or Reddit time that nearly ALL coworkers I've seen use (with me, I use all of them most of the day. They should give me work that I've been requesting. Small tasks do nothing to fill 8ish hours.) So you're saying you're useless and your company might as well fire you? Anyway, I feel that if policies are not being respected anyway, they need to be reviewed. I think it's fair enough to rely on the employees' common sense and have real, doable policies. Telling someone he can't log on to digg for the whole time he's at work is silly; most people have a little time now and then to access a non-work related site. Some people even need the break in order to be more productive. Policies against use of msn, aim, webmail and irc are also really silly. Sometimes talking to a friend will even help the guy at work. Or even if he's just chatting, as long as at the end of the week he gets everything you expect from him done, what's the point of not letting the guy have a little fun while at work? Take the time you were a student as an example: when you would study a subject at home, would you work on it for 8 hours straight, or would you take a break every now and then? Most people need those breaks, in my experience. Policies against e-mail attachments are also very silly, because if people don't know of the dangers and how to filter it, there's no way you'll ever stop them from opening an attachment from a friend every now and then. I think the companies should try to educate people, instead of simply denying stuff to them. That probably doesn't happen because most of the geeks are too proud to admit that someone else that's not a geek is a moron. Probably because he had his head flushed too many times by non-geeks ;). It looks to me that it's more of a policy problem than a problem with people who don't follow them.

  69. Firewall? by dawhippersnapper · · Score: 1

    I knew there was a reason for inbound and outbound NAT rules and packet filters!

    Come on admins!!!!!! If they can't do it then they won't do it :)

    --
    Freedom is fragile and must be protected. To sacrifice it, even as a temporary measure, is to betray it.
    1. Re:Firewall? by evilmike1310 · · Score: 1

      > Come on admins!!!!!! If they can't do it then they won't do it :)

      No, they'll just break 100 other policies (and system configs) trying to make it work.

  70. 1/3rd of Which Policies? by ewhac · · Score: 1

    Are we talking about "real" IT policies which further a tangible goal -- such as don't download your personal email to the company machine? Or are we talking about stupid, lame-brained policies -- such as, you're allowed only two network drops in your cube, and possession of an Ethernet hub/switch is grounds for disciplinary action?

    Schwab

  71. YOU FUCKING LIBERAL by Anonymous Coward · · Score: 0

    Sieg Heil fur der Reichsfuehrer! HEIL HITLER!

  72. Silly IT policies violated by LaissezFaire · · Score: 1

    In other news, some users violate silly IT policies. I've seen passwords that had to be 8 characters or more, have at least two numbers, two capital letters, and two special characters. Rotate your passwords every 45 days, and no repeating. No real words in your password. Now, you have close to a dozen accounts, and no two passwords can be the same. How many people do you think didn't write down their passwords?

  73. Nerdcore Halloween 2.0 by Anonymous Coward · · Score: 0

    http://slashdot.org/articles/06/10/28/2149259.shtml http://inadequizzy.net/hosting/RT/halloween2/ THIS YEAR'S

  74. Simple Solution by PPH · · Score: 2, Interesting

    Back when I worked for an outfit that had a real constricted sphincter IT policy, the solution was simple: telecommute.

    The company imposed some really screwed up policies on desktop configuration but they had a liberal telecommuting policy. So everyone did their serious work at home. They shoved their (IT mandated) Windows systems aside, used Linux and other FOSS applications, surfed the web, downloaded tunes, played WoW or whatever. As long as they got their work done, management was happy.

    Strangely enough, the company was also heavily into a process standardization kick. I don't think they ever confronted the fact that the work that was getting done could never have been accomplished with the 'IT Standard' tool suite. Too bad. A more open policy at work would allow them to capture best practices.

    --
    Have gnu, will travel.
  75. Here is our problem... by GlobalMind · · Score: 1

    Our IT staff takes the "one size fits all" mentality. They have no idea what we do; they pick a box for everyone and say "here you go", with really no way to get anything different without insanely difficult processes.

    Our team, for example, is a bunch of systems architects. We design and put the specs together for customer hardware & software solutions. We are all "IT people" whose role at our company isn't in IT. Thus we get the blow-off. Never mind that we could do many of the jobs our IT folks do. We aren't in that role and are reminded of that all the time.

    Well, there happens to be a number of tools we need that aren't part of the standard image. So we load them. IT have an issue? Tough. I don't personally care, nor does the rest of the team. Even better when they try to blame us for the systems being slow. LOL Yea that's right. Never mind the load of monitoring code they run. A full machine inventory EVERY DAY?!? WTF is that?

    But hey that's what you get with an IT department full of Windoze geeks who don't know squat about enterprise IT. They do however know they're totally cool because they know how to deploy yet another useless policy. It comes down to IT being a service entity or a policy governance body. I ran my IT shop as a service, and I think that is how it should be.

    These admins that talk about "my system" "my network" should be smacked. It is "the company's system" and "the company's network" you idiot.

    Now, thankfully we're starting to make some progress whereby we actually get systems that can handle what we need to throw at them, IT be damned.

    Ok rant off, time for bed.

  76. Re:I don't believe it - bofh handbook reply by cumin · · Score: 3, Funny

    User: Ok, now I changed it to 'bobspassword2'.

    Me: Sorry, we can't both know your password, so I changed it.
    User: To what?
    Me: If I told you, then we'd both know it wouldn't we? yuk yuk yuk
    User: [grumbling] Okay, I'll change it, but I won't tell you this time.
    Me: Okay, it's temporary though, and will force you to change it when you log in, ready?
    User: *sigh* ready.
    Me: [mumble: random, okay] a;@#aslkdfQQQ$@$#%faWerrr@!!a;lskd1.

    Nobody, but nobody leaves their password as the one I give them. Few tell me twice.

    --
    Back in my day when we chiseled our bits into stone and sent them by mule train from village to village...
  77. My point by madbawa · · Score: 1

    Don't have any IT policies at all. The tighter you grip, the faster the sand will slip through from between your fingers.

    Free your mind.

  78. Wow. by Meorah · · Score: 1

    These comments make me realize just how much I deserve a raise.

    Probably a good 3 policies from IT management, HR, and Executives combined. I implement the rest of them as I see fit and as time permits since I do all the desktop support, helpdesk, phones, systems admin, and network admin. It's not that hard to turn on a nice webmail scanner at the perimeter, start new users off as PC admins and slowly restrict access as they do stupid things, implement layered spam controls, filter HTTP content a variety of ways, use centrally admin'd AV and prevent users from changing the pre-defined settings on their desktop.

    Heck, this is just from browsing at +5... I'd hate to read what the unmodded comments say.

    --
    Protector of Capitalist views,
    Meorah
  79. Re:When Policies are set by PHB's and you need to by Meorah · · Score: 1

    And that, my friend, is why any new "collaborative" network authenticated software must pass the "security integrates with LDAP" or "integrated single sign-on available" test before I recommend/buy it. In 6 months, I reduced end user passwords from 6 to 3, and if anybody had bothered to ask me before buying some lame package, it would still be at 3 instead of back up to 4. I want it down to 2 within another year. (LDAP and ACD phone system)

    As for synching passwords, that doesn't work so well when one password is on a 42 day reset, one is on a 90 day reset, and one is on a 60 day reset.

    --
    Protector of Capitalist views,
    Meorah
  80. Re:Lol 'No Fucking Way' by badman99 · · Score: 0

    'No Fucking Way' I had a similar situation at my work where my boss has been putting pressure on me to unblock ports and lax security. No way you could reason with him or say 'No Fucking Way', so I wrote him a Memo outlining the dangers of what he wanted me to do. He still wouldn't back down and told me it's his business and I'm paid by him to do as I'm told. I now start exactly on time not earlier and I leave exactly on time regardless if the network is down....

  81. It's a cat and mouse game with career moves. by Anonymous Coward · · Score: 0

    "And what's wrong with reading Slashdot while you're slacking off with a coffee for a couple of minutes? I'd consider an employer a slave driver if they have a problem with that."

    You may let it accidentally slip that your employer is a dick.

  82. 100% use P2P technology by hadaso · · Score: 1

    About 100% of employees using networked computers at work use an old P2P protocol called TCP/IP ...

    However, in most cases doing so is not in violation of IT policy, except perhaps technically if the people who recorded the policy in documents did not realize that the company's network infrastructure is actually based on P2P protocols.

  83. Webmail less risky than company mail by hadaso · · Score: 1

    I have a copy of my work email redirected to my fastmail.fm account.
    I only access it using webmail/firefox.

    The usual way people do it is using Outlook that is of course running over a Windows admin account. So what's safer: using a webmail service that defangs html before displaying it or using a client that's happy to do anything requested by an email message in an environment that allows it to alter the OS (and set so by the IT staff)? Not to mention that the usual mode of work is to receive MS Office documents from outside and open them (in an admin account, of course).

    1. Re:Webmail less risky than company mail by Anonymous Coward · · Score: 0

      You are technically correct, although the meaning of "risk" has been changed. Instead of the dictionary definition, risk is now defined as "That which is not controlled by the people we have empowered to make decisions." Anything that is outside the control of the controllers is described as "risky", even when these people are ignorant of the inherent risk of their own decisions.

      There is a culture of "risk management" and "proper controls" that leaves in its path a set of risks and evasion tactics that is every bit as problematic as what we would have in a world that lacks such oversight.

  84. If I was in IT... by psychicsword · · Score: 1

    If I was in IT I would "call" all the users and perform the "survey" noting who it was that says they violate the policies.

  85. Re:When Policies are set by PHB's and you need to by CBravo · · Score: 1

    I know. But you need an extra executable and that is not allowed. I cannot even see the c: drive. I tried really hard.

    --
    nosig today
  86. I call shenanigans on that survey by RaigetheFury · · Score: 1

    I really want to see where they got their data and what their sample size was. I could believe a lot violate IT Policies, but I have SERIOUS doubts that 1/6th uses P2P services. I don't buy it. In fact I've never worked with a client or for a company/university etc. that had that problem. I call Shenanigans!

  87. I don't care? by DeanFox · · Score: 1

    I wonder how much of this is: "I don't care".

    I expect employees give their employer in equal measure. Companies seem totally out of touch with customer satisfaction (cough Comcast). Something as simple as answering the phone or giving the customer what they paid for is beyond their comprehension. I can't believe these same companies suddenly get it when it comes to treating their employees with dignity.

    They see executives getting multiple millions in bonuses but their raise is capped at 1.6%. Then this same company wants their employee to be vigilant, always keeping the company's best interests at heart? Protect us and keep us from harm? Not likely.

    Sure, some of it is ignorance on the part of the employee. But, what I see most is employee interference. Or, better stated, employees seem to care about the company's network in equal measure with how the company treats them.

    I see both extremes. I can directly correlate how much network damage there's going to be that's caused by employees with how my client treats them. The worse my client treats their employees, the more money I make.

    -[d]-

  88. Slightly Deceptive by Anonymous Coward · · Score: 0

    "Additionally, most employees have the misconception that these behaviors pose little to no risk to their companies."

    The way that's written in the article is deceptive - they seem to imply that anyone who's breaking the rules by, say, checking their personal mail is likely to download a virus onto the network.
    But if you know what you're doing, there should be little risk to the company.

  89. At some companies, IT is clueless by sgholt · · Score: 1

    I work in a state government office (less details the better). We unfortunately have very poor IT. Most of it is outsourced to someone else, but we still have some in-house IT staff.
    * IT problems must be run through the typical uneducated phone staff, who rummage through a notebook with common errors and solutions. Needless to say this is just a delay in getting real help.
    * I have Admin rights to my WinXP machine, as I suspect most of the workers here do as well.
    * We have been infected statewide by viri on a couple of occasions, and it seems most attacks originate within the main state office through e-mails and not with the majority of the peons out in the field (that would be me).
    * I have violated the IT policies since I started 9 years ago. I have done this to make my machine more secure. I run Firefox with script block and adblock for all browsing (except for state online apps that will only accept IE; we still use IE 6).
    * I regularly run Spybot S&D (against IT policy) to remove anything that gets through (which has been virtually reduced to nothing since I started using Firefox).
    * I run Firefox, Thunderbird and other applications from a USB key to ensure that damage will be contained and that my history (browsing /. and the like) will not be known.
    * I have found that e-mail will not allow sending of exe, com, bat and zip files; however, simply changing the extension will allow it to be sent. Yet they ban us from using webmail (I do so anyway).
    There are more things to list, but I need to get back to work... :p
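
The extension-only attachment filter sgholt describes is defeated by a rename; the added example below (not part of this thread or of any poster's code) contrasts that name check with a check on the file's leading bytes, which still recognises a renamed executable or archive. The signature table and the sample attachments are constructed for the example; `.com` and `.bat` files carry no fixed signature, so the content check can only apply a weak heuristic to batch files and nothing to `.com`.

```python
# Added example (not from the thread): an extension-only attachment filter
# versus a content check on the file's leading ("magic") bytes.
# Signatures and sample attachments below are constructed for illustration.

BLOCKED_EXTENSIONS = {"exe", "com", "bat", "zip"}  # the types the post says mail rejects

# Well-known leading bytes for the two blocked formats that carry a fixed signature.
MAGIC_SIGNATURES = {
    b"MZ": "exe",           # DOS/Windows (PE) executable header
    b"PK\x03\x04": "zip",   # zip local file header
    b"PK\x05\x06": "zip",   # zip end-of-central-directory record (empty archive)
}
# .bat/.cmd files have no signature; this first-line heuristic is the best a
# content check can do for them, and .com files have no signature at all.
BATCH_MARKERS = (b"@echo off", b"echo ", b"rem ", b"start ")


def extension_of(filename):
    """Lower-cased extension, or '' when the name has none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def blocked_by_extension(filename):
    """The filter the post describes: looks at the name only."""
    return extension_of(filename) in BLOCKED_EXTENSIONS


def sniff_type(data):
    """Guess the real type from content; None when nothing is recognised."""
    for signature, kind in MAGIC_SIGNATURES.items():
        if data.startswith(signature):
            return kind
    first_line = data.split(b"\n", 1)[0].strip().lower()
    if first_line.startswith(BATCH_MARKERS):
        return "bat"
    return None


def blocked_by_content(data):
    """Content-based filter: block whenever the bytes look like a blocked type."""
    return sniff_type(data) in BLOCKED_EXTENSIONS


def decide(filename, data):
    """Return (extension_verdict, content_verdict) for one attachment."""
    return blocked_by_extension(filename), blocked_by_content(data)


# Constructed sample attachments, including two that were simply renamed.
SAMPLES = {
    "report.txt": b"Quarterly figures attached, see sheet 2.\n",
    "tool.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "tool.txt": b"MZ\x90\x00" + b"\x00" * 60,              # renamed .exe
    "photos.zip": b"PK\x03\x04\x14\x00" + b"\x00" * 20,
    "photos.jpeg": b"PK\x03\x04\x14\x00" + b"\x00" * 20,   # renamed .zip
    "fix.cmd": b"@echo off\r\necho done\r\n",               # batch file under .cmd
}


def compare_filters(samples=SAMPLES):
    """Map filename -> (blocked by extension?, blocked by content?)."""
    return {name: decide(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (by_ext, by_content) in compare_filters().items():
        print(f"{name:12s} extension-filter={by_ext!s:5s} content-filter={by_content}")
```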

  90. Simple solution by auroran · · Score: 1

    I don't use the company computer to read /. or check my email.
    That's what I bring in my personal laptop for. :P
    I also don't hook it up to the corporate network but to a spare ADSL link via Wi-Fi.

    Ya it's a way bigger breach of the company policy but the company network is no less safe than people taking their work laptops home.

  91. Slashdot is approved reading by orgelspieler · · Score: 1

    When we were embroiled in a patent dispute a while back, I convinced my boss that Slashdot was a forum for discussing patent issues. So now I can read it whenever I want. Oddly, I still tend to do my Slashdotting during lunch.

  92. but IT can be really dumb.... by vuffi_raa · · Score: 1

    some of this though, has a lot to do with a non-enlightened IT dept.- a company that I previously worked for actually had its entire IT dept on the other side of the country, so if there was a problem they literally would call a contractor to come out for the day and fix things- if there was a quarterly shortfall they wouldn't hire the contractor and boom- office is effectively shut down for a month or two. Also all of our network traffic was so filtered that we couldn't update any of our software, and the IT was so stupid that they would only allow updates by the hired contractor, as well as reformatting/reimaging machines (they couldn't be added to the domain)- after about 6 months of outages and following the rules, we just put a keylogger on one of the laptops to get the admin password when the contractor came in and got the passcode (from a disgruntled former site manager) to the server room where we could go in and set up a proxy machine to directly download our software updates and use network admin to deploy it.
    6 months after I quit the company it was absorbed by a competitor and the first thing they did was dump the entire IT staff.

  93. The only safe PC is a dead PC by He+Who+Waits · · Score: 1

    My company's IT Security dept. has what must amount to thousands of policies. But by far their favorite policy is the one that says "We can make up any policies we want, even after the fact". Really, the only secure system is the one that is completely unusable. Clever IT security folk know that, and create policies to implement unusability.

  94. Bingo! by Anonymous Coward · · Score: 0

    The primary purpose of IT policy has been misunderstood. The most amusing post in this entire discussion is the guy who enjoys finding violations of IT policy and getting corporate security to terminate a developer every now and then. What an idiot.

    IT policy exists for 5 reasons:

    1. Reduce corporate liability for copyright infringement and other torts
    2. Reduce damages caused by viruses and malware
    3. Facilitate security of data
    4. Ensure consistency of data and access to it across the enterprise
    5. Reduce cost of support and help desk by maintaining a consistent platform

    On the surface, just about every corporate IT policy can be traced back to one or more of the above goals. But the implementation can be much different. IT is turning into the preventers of information services, the helpless desk, etc. These derogatory nicknames are symptomatic of the brave new world of IT fascism.

    Although the goals are noble, many of us have seen a world where the 5 goals of IT policy are just a facade to enable a service organization that exists mainly to please itself. Allow me to run the 5 principles in reverse. I claim that if I do something that:
    • does NOT increase corporate liability for copyright and other torts
    • does NOT increase our risk of virus infection or malware
    • does NOT create a new security risk
    • does NOT duplicate existing data or interfaces
    • and does NOT result in additional work for the helpdesk

    THEN WHATEVER I DID SHOULD BE IGNORED (IF NOT REWARDED) BECAUSE THERE IS NOTHING TO BE GAINED BY STOPPING ME.