88% of IT Admins Would Steal Passwords If Laid Off
narramissic writes "According to identity management firm Cyber-Ark's annual 'Trust, Security & Passwords' survey, a whopping 88% of IT administrators would steal CEO passwords, customer database, research and development plans, financial reports, M&A plans and the company's list of privileged passwords if they were suddenly laid off. The survey also found that one third of IT staff admitted to snooping around the network, looking at highly confidential information, such as salary details and people's personal emails."
Big brother is always watching...
99% of men masturbate. The other 1% are lying.
Sounds like an unreasonable estimate to me. If people were that vindictive and dishonest then IT (and similar) systems wouldn't ever keep working.
Yea, and I'm training to be a cage fighter.
More like 88% of IT Admins like to say they would steal CEO passwords if laid off, but something tells me when the time came to break the law they would let the opportunity slide.
"I only speak the truth"
Karma: null(Mostly affected by an unassigned variable)
people need more integrity.
...with great power comes great responsibility.
12% of all admins were laid off today in order to clear up resources for paying ransom on old passwords...
This sig isn't original enough, it's time to come up with something witty...
88% of IT Admins Would Steal Anything to get Laid
Don't lay off the IT guys.
right... here http://www.itworld.com/print/54579
Let me guess...
Deleted
Better go the pre-emptive way: make offsite backups before the shit hits the fan.
So, 88% of IT administrators are antisocial clowns?
Well, you could knock me over with a feather. I'm shocked.
(Honestly, I think that number is ridiculously high and inaccurate. But I work for a college, so maybe I'm just underestimating the evil of corporate IT.)
--saint
I'm actually surprised at this claim. It would be nice if they posted some additional info, like their sample size, etc. Sorry, I just seriously can't believe that 9 out of 10 people would maliciously act in this manner. Snooping over the network out of curiosity, I'll buy that one.
How many of them are just saying that to sound cool?
I hate these sensationalist statistics. How many people did they ask? What's the report's definition of 'admin'? etc etc
95% of statistics are made up on the spot.
ilovegeorgebush
What ever happened to sysadmins being known for having strong/good morals and ethics?
"According to identity management firm Cyber-Ark's annual 'Trust, Security & Passwords'"
Making the IT folk out to be bogeymen is great business for security pros. I'm sure there are some idiots out there, but most IT people are normal honest people like anybody in any other profession. I don't buy that we are so far off the curve, 81% is bullcrap and makes me question everything about that company and its motivations and methods for the survey.
The rock, the vulture, and the chain
A firm selling data security products claims that people with access to sensitive information can't be trusted. News at 10.
I haven't, I wouldn't. At best you encounter some of those things during ordinary work or even unproductive boredom.. but I totally see no value in having such details of a place you no longer work.
(Of course here in Europe there's a due notice so you have plenty of paid time to find a new job, but still..)
Maybe I'm just daft or weak?
.. I have a 120dpi scanned transparent GIF of the CEO's signature.
There is a war going on for your mind.
Yeah I "Stole" all the admin / management passwords when I quit my last IT job, by virtue of a thing called long-term memory. this "memory" is usually accounted for by the remaining IT pros, and the passwords are often changed anyway. Big deal. My last instruction was to change all the passwords, as was the last instruction of my predecessor. Lay-offs have even more notice than quits, so 88% might steal, but if they can use it for anything, then more layoffs should promptly follow.
Just because we are talking about technology workers does not imply that they are a more virtuous bunch. Unethical behavior has existed as long as man, and if anything a scumbag is helped immensely by the power of technology to do immense damage.
88% of IT Admins are unethical dirtbags.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
....you take a survey saying something like "Have you in your work had access to..." or "Have you known company information after leaving..." which you often have then tweak it into "IT admins spy on you and will steal your IP" in order to make FUD and sell your product? I think I know enough people in the IT business to tell that these numbers are horribly off.
Live today, because you never know what tomorrow brings
It could be just me, but I honestly don't care enough about what other employees or coworkers are doing to bother sneaking about their crap. If it's anything like their desktops, I'm probably going to see hundreds of cute kitten photos, pictures of family and a bunch of music hidden under folders named things like, "NotMP3s".
When I was an admin (short stint so I could pay bills, 3 years) I usually didn't give a rat's ass about what the users stored on their system unless it showed up in my virus scan reports or I was told to investigate someone due to "suspicious behavior". (BTW folks, before you get off on the 'evil spying on users' tangent for me, it was only twice and it was two girls working in tandem selling info to another company on how much certain people were paid.) I never could understand the whole "I have the power!" attitude some people showed when it came to passwords or how they'd screw the company if they were laid off. If I felt I was unfairly fired or downsized or funsized, whatever, that's what my lawyer is for (he works for cheap cause I fix his laptop, heh). Why complicate issues by fudging with the network access?
Maybe I'm just too young to understand yet. Now if you'll excuse me, I have to play with my army men, we're planning an attack on the tan army on the coffee table and I gotta move equipment for em.
"Quote me as saying I was mis-quoted." -Groucho Marx
Typically, (at least in companies with some sense) the decision to remove an IT worker is made in advance, with steps taken to drastically reduce that individual's ability to do damage.
Rarely is an IT worker told about their demise until steps are in place to have someone watch that person pack their belongings, upon which they are escorted to the door. They would be lucky to steal their favorite coffee mug in such cases.
Stupid is the company that gives notice to someone with keys to the kingdom, except in cases where the person is needed to stick around to train their own replacement.
But then, anyone who would agree to do that without MASSIVE compensation, is a pussy.
That said, I do know a guy who kept a series of special GPOs at the ready when he figured he was on his way out of HP back in the day...
Cool, glad I am not alone. I don't feel so bad about reading the hot receptionists email.
A new study shows 88% of all IT workers are employed by hosting companies running adult websites.
80% of people talk big about all kinds of hypothetical situations and then turn tail when push comes to shove.
If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
I thought all passwords were hashed now instead of just stored as plain-text. If those IT admins store passwords like that, they deserve to be laid off.
As long as there are slaughterhouses, there will be battlefields.
Seriously? You'd steal passwords just because you were laid off?
Remember that layoffs aren't the same as being fired. If you're laid off, you're likely to get a good recommendation from your boss for new jobs you apply for. Why would you want to burn that bridge?
Now, if you were fired because your boss was incompetent and used you as a scapegoat I could sympathize, not condone, but sympathize.
100% of douchebag security companies will manipulate data to sell you something!
We offer a solution to this for the mere price of ...
I know I wouldn't steal company info if laid off. I guess I've always realized that I'm in a position of high responsibility and need to act accordingly. Plus, if I ever got caught doing such a thing, I'd never have that type of position again. Snooping though... Well I do get bored sometimes.
We all understand how figures never lie, but liars figure. So it all depends on the wording. Personally, I'm an IT admin, and I've gotten dumped before (employer got sued, but instead of admitting financial problems he claimed I lacked project management skills so as not to scare other employees... whatever, I was mad). But even so, I didn't steal any passwords, and yes, I had full admin passwords to everything (even if they changed those, they didn't know all the passwords I DID have. at least I could've purchased stuff from their TechData account or whatever). That's a little off-topic, but the point is that I didn't steal anything and most IT admins I've worked with would not steal anything either. As for snooping... well, I've never done it on purpose, but in the process of helping people they often leave e-mails and stuff in an open window on their screen after they ask me over to help them... so, ok, whatever, I'm guilty of reading it.
If I'm ever shown to the door, I would insist on my ability to operate on the system being terminated at that moment. I don't want VPN access. I don't want an email account. I don't want SSH keys. I sure don't want the boss's password. Why? Because I don't want to be accountable for anything that goes wrong afterward.
Think about it, people. If the IDS catches you SSHing in a couple of weeks after you've left, then they have carte blanche to hold you responsible for whatever breaks, even if it's totally unrelated. Good luck convincing a jury that Oracle coincidentally just happened to explode an hour after you logged into your old workstation. Seriously, what good can possibly come from putting yourself in that situation?
Dewey, what part of this looks like authorities should be involved?
Who watches the watchmen?
http://www.itworld.com/security/54579/survey-it-staff-would-steal-secrets-if-laid
by the fact that Cyber Ark's business is privileged account management, would it?
The article and survey do not seem to realize the difference between IT staff and IT Admins. Also, from the article:
"The survey found that one third of IT staff still keep passwords on post-it notes. And 35 percent admitted to sending highly confidential information via email or couriers."
There is no distinction made between secure emails or transporting information via couriers on encrypted drives. The credibility of the survey is highly in question if they can not even define the questions they ask with some specificity.
How many Slashdotters would help a coworker open an Excel file? What if they are not supposed to have access to that file? According to my own survey, 87% of all survey results are bullshit.
Posted as a coward to circumvent our IT security policy.
Takes second best right after penicillin! lol Kidding, I believe it's the normal side-effect of any "power", small or big.
Kudos.
It was also discovered that 12% of IT Admins lie on surveys.
TFA was very vague in how they frame "stealing." When I have left (of my own accord) a job, there is invariably a certain amount of information written in my notebooks when I pack up my cube that probably contain some user/password items, hostnames, door codes, etc. If you call that "stealing" I'd say the statistic is right.
When I am leaving a job, I'm not actively concerned in making sure every piece of knowledge about my tenure is forgotten and every napkin I may have scribbled something on is returned or destroyed, and every backup I've made is destroyed because I use a lot of the scripts/docs/etc... as part of my new job hiring interview. Conversely, most firms I've worked at haven't changed their admin passwords or door codes when I left, so they don't seem particularly concerned either. (Which may or may not be normative.)
I would say that the time when most IT folks are going out of their way to collect information is if they feel like they're being set up for the fall guy. At my last gig my project lead liked to broadcast the whole group when a server went down (blaming me) so I was meticulous to keep a copy of every log, logon time, email from her, so when I was accused, I could defend myself to our supervisor. If you're being laid off for some straight-up BS; and you're acute enough to see it coming, you better bet I'm going to collect as much as I can to clear my name. Be it to that firm or my new employer should I get a bad reference.
Forgive my spelling from time to time. I'm often posting during short breaks.
When someone is laid off for no apparent reason, they often feel hurt and betrayed. A natural reaction is that the trust between them has already been destroyed.
At one company I was with, a sysadmin was on a conference call, and had his hands full when the call ended. The CEO never hung up the phone, and started talking to his assistant about people losing their jobs and how much severance would be paid. The sysadmin, who probably should have hung up when he was first able to, couldn't resist listening for a short time. After a couple of minutes, the CEO finally realized that his phone was still on, and hung up the line. By that time, the sysadmin knew that several people would be laid off soon, but not how soon, or which people.
He informed a couple of his friends that the company was in worse shape than he had realized, and discreetly began updating his resume. Within a month, the company was bought out and closed down by another company and everyone lost their jobs. He was asked to stay on as part of the transition team and that the new company would pay him, but after a couple of days, it was clear that he had been working for free and the new company was not going to honor the agreement.
At that time, he still had sysadmin access, and began to look through emails of the former employees. Some, including the CEO, were still getting and sending emails through web access through the old company server. He learned that although the board of directors did not want to spend the money to make sure that the fired employees could still have health insurance for a couple of months, they were willing to give the former CEO $25,000 for his efforts.
I have always said that a good sysadmin knows all the secrets of a company, but a great sysadmin knows when not to look. In this case, was the sysadmin justified in looking after he had been promised to be paid and then told he was not being paid? (Yes, his access should have been cut off, but he was the one who would have had to cut himself off and he was never told to do so.)
Although this situation may be unique, I think that many sysadmins may feel the same way. Once they are betrayed, they no longer feel the need to stay loyal to those that betray them.
Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
I've watched three IT admins get escorted out of the building in the past 5 years due to my sending of emails carefully salted with bogus salacious information about our department. If the fake information doesn't make it to a certain vice-president, then their job is safe. If it does, then there's only one person who could have known it (besides me of course), and out the door they go.
This little collateral duty of mine has been quite lucrative - I receive a percentage of whatever money the company saved by firing the dirtbag admins who couldn't keep their noses out of other people's data. And if they were willing to pass on what essentially is inter-office gossip, then who is to say that they wouldn't be just as willing to pass our trade secrets to outsiders?
No mod points, no meta-moderating/Firehose/all the other free work Slashdot wants me to do.
Why would any IT admin admit in a survey that they would steal passwords? I could only think that they were tricked into saying that they would do that: Q1: Do you like Candy? yes/no *note by selecting yes you admit that you would steal company secrets if given the chance* Q2: Is the Sky Blue? yes/no *See above*
IMHO, even a 10% chance* of this sort of breach justifies the dickish practice of immediately cutting off all access to laid-off/fired employees and having security walk them out. For the 90% that don't deserve to be treated that way (and will be justifiably bitter), it's a shitty thing to do. That 10%, however, represents such a huge security risk that I don't really see a better option.
* I make no statement whatsoever on what the actual fraction of admins would do such a thing. I don't think TFA is particularly credible, considering the company. *
How many IT Sysadmins would steal passwords/accounts for no reason whatsoever? I don't know about you folks, but I'm a good sysadmin because I remember IP's and l/p's. In fact I remember all of it from 3 jobs ago- all of it private and all of it confidential.
"Stealing" aka "Knowing" these things doesn't mean that you will use it to do harm. If a sysadmin wanted to harm you, he could fuck you so hard that you would question if there really was a God. That's the truth ladies, and you all know it. If a sysadmin gets pissed ala the San Francisco IT Guy- he could fucking own you all. 80% my ass. 80% know it. The other 20% are retards.
I work as an IT Admin, if I was let go or hell even fired, I would like to keep tabs on my network. I might make an account in the background with admin rights so I can see how the new guy did...See if the exchange store is still mounted, check the SAN and so on...
Sorry I might be straying slightly off topic. It's just...being replaced you feel like part of your territory was taken over, and you want to check in on your baby (network) and see how it's doing.
The greatest revenge in life is massive success.
Maybe this is an explanation for all the HUGE leaks of customer information from large Corporations.
Simply a way of "getting back at the man" for being laid off. Steal the data, then release it to the web, or specifically, to people that would put the info to nefarious use.
Another good reason to make these companies financially responsible for damages incurred by the loss of such private data. Put the onus of security firmly in their hands, and maybe, just maybe, the losses will begin to decrease.
I remember a story from back in Santa Cruz many years ago about a Taco Bell restaurant that fired an employee, then made him finish his shift. He went in the back of the store, SHIT in the huge pot of simmering refrieds, finished his shift then left. The result was dozens of seriously ill customers (due to some intestinal parasite the guy had). Taco Bell got the pants sued off of them. I am sure they do not make employees finish their shifts after firing them now.
This doesn't surprise me a bit to be honest. Sure maybe not all of the 88% will end up stealing the data when it comes down to it but I think you will find a majority will.
If I leave my current employer (regardless if I am fired or quit) you can bet that I will bring the contact details of people I have gotten to know through the years which can be handy to know in the future.
I bet that most of the people who said they would steal it in that survey said yes not because they are going to steal a database with 10 000 customers but to keep the important ones you have a close relationship with.
You've never seen my personal IT Bible, the Archives of the BOFH.
He exemplifies keeping a system running smooth THROUGH vindictive and dishonest means.
He's my Hero.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Hell I am stealing passwords right now!
Seriously though, if you wait until you are laid off, it might be a bit late. Of course if you are stealing passwords just in the off chance you may get laid off you are probably a bit cynical and perhaps defeatist enough that you will unwittingly construct that reality for yourself anyway. Irony would dictate that you be laid off for stealing passwords I suppose...
I know it's a bunch of marketing drivel to scare the CTO into buying the security scare of the week tool.
Honestly they can go ahead and give me a layoff notice.. Hell last time around I was looking forward to it.. 26 weeks pay and the summer off.. Hell yeah.. why risk that to get a look at what the CIO's wife found on craigslist that week..
Most people are boring and the ones who do have something worth hiding are hopefully smart enough to use an outside email service.
There's no need to "hack" in to the system.. They will be calling in 3 weeks asking for help anyway.
I hope they like my consulting rates $$$
If you think it's expensive to hire a professional to do the job, wait until you hire an amateur. --Red Adair
if i get laid off, i would walk away with a lot of passwords, but, not necessarily because I'm stealing them...
i know the local admin passwords on all the edge networking gear and all the servers on the dmz at work.
and, if i get laid off, i'll still know the passwords. it's not like I'll forget them magically when I'm laid off.
and, like most places, no one will even bother to change those passwords ever.
Let me guess, it's an elective?
Although, I realize some universities are teaching their Commerce students that whistleblowing is despicable.
Gotta get 'em when they're young!
Admin is the root directory; who wants to delete root without a backup? The new admin should be knowledgeable enough to secure everything.
These just seem way off. If this was the case security would be non existent. IT admins would be stealing stuff all the time and no one could take a helpdesk position without signing a contract saying they are staying for life. Admitting they've snooped at people's email and files? How much of that was as part of the job? With the keys comes the job of checking on the dishonest. Hell sometimes troubleshooting you end up seeing some of their email while working with them etc. I know for myself I only want what access I need to do my job and no more. Since this is a security company sounds like trying to scare idiot CIO's into buying their crap. Wouldn't be the first time, won't be the last. Are there some dishonest crappy admins in the world? Sure. But any decent sys admin knows better. Reputations follow you around. In the age of the internet an employer can find out a fair amount just by a simple web search. Especially when they have your resume so they know where you went to school and worked.
Sometimes I think we really need a medieval style guild (NOT a union) that punishes companies that habitually abuse IT workers.
The problem is not limited to IT workers. Every business has a direct (and obvious) financial incentive to cut costs as much as possible. The skill with which they do that varies, but in general people tend to do what you incite them to do (NOT what you ask them nicely to do....nor what you threaten or attempt to force them to do).
You will not solve this problem by forming a club. The incentive will remain despite your punishment. If the club (union, guild, or what-have-you) gets powerful enough to disallow businesses from just working with non-club members, it will become a business unto itself which winds up having the same problems.
You also will not solve this problem by converting to communism or socialism. You will merely change the symptom of this problem.
I am convinced that humanity is as incapable of solving this problem as monkeys are incapable of building airplanes. It is simply beyond us. Maybe our evolutionary descendants will, with their superior intellectual capacities, figure out an effective and sustainable solution.
But we won't. All we can do is continue to react to the symptoms as they arise...continue the cyclic battle between the classes...more-or-less indefinitely.
i always thought i was in the minority when i did this, turns out pretty much everyone does it.
portfolio
...74.3% of slashdot editors will post sensational BS in an attempt to get a rise out of sysadmins. It works 94% of the time.
12% of IT Admins would lie about stealing passwords if they were laid off?
I probably already had them, no need to steal them on the way out the door.
Seriously, I'm kinda glad to not be doing sysadmin stuff any more, except for my own systems. I was called in pretty regular in the old days to 'secure' the system just in advance of the incumbent being dismissed. Always a nasty business, both because the incumbent was usually capable of great harm, and because their boss was invariably 'difficult', and often wanted guarantees that the fired employee would never get back into their systems. I told one CFO that you could only be sure if you cut off both hands, put out both eyes, and seal him in a grave. Funny, the CFO took more than a moment to tell me that wasn't an option. I know he was wondering if the lawyers could be more effective.
deleting the extra space after periods so i can stay relevant, yeah.
This survey brought to you by "Stone Tablets, Inc." in affiliation with "Carrier Pigeon Corp".
Seriously, that is some major FUD of which IT just became a victim.
Or freelance for a while? I mean, what's the payoff here? So you've got the data? Who buys it, and for what? And if you're caught, you're doubly-screwed (running from authorities AND out of work). This whole thing sounds very unlikely to me.
I routinely gave my supervisor written memoranda with my passwords written on it, the last time I worked in the shrinkwrap software industry. When the inevitable (and somewhat volatile) parting of the ways finally came, I got even by doing absolutely nothing. Information entropy had miraculously lost, hidden or evaporated every memo of mine, along with every trace of me in my spotlessly clean cubicle, so when my work (plastered with non-disclosure agreements in effect for two more years) suddenly became unavailable in plain sight -- Microsoft Windows 2000 was one thing they did VERY well -- I'll be doggoned if I could recall my password! Struth, too. I always picked 32 character secure passwords, just like Best Practice, and those things are darned hard to reconstruct after a week or so of cooling off. They didn't offer hypnotherapy. They fired my super, too. Moral: Never, ever call a damn fine programmer analyst a "coder."
``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
I've worked a couple of places where fired admins sabotaged their network on the way out.
Lesson: Lock them out before you send them out the door.
-- Slashdot: When Public Access TV Says "No"
Where did they run the poll? India?
If you run a business, don't give any one person full control of any business-critical resources. Have encryption practices and multiple backups/mirrors of critical information, and multiple trusted users such that compromise of accounts held or accessible by one person has minimal effect on the security of data.
Now I know why I.T. personnel are goose-stepped out of the facility a millisecond after they're notified of their firing.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
And the horse's patoots at Cyber-Ark magically sell stuff to protect against such theft. Phooey. I know dozens of sysadmins and not a single one of them would steal passwords or look at something that they were not authorized to observe. Did I suggest that the survey takers have an axe to grind?
Yawn yawn, more PR from a security solutions firm no doubt out to spread fear and uncertainty with this 'useful' and 'convenient' survey. These folks need to get creative because these surveys are lame now when media has lost its power and any tom dick and harry can see through their intentions.
Making a blanket statement like this only seeks to infuriate the less-informed. I wonder, if the same study was done, for those individuals who hold a security clearance, would the same hold true? ABSOLUTELY NOT! Integrity is one of the big assets you can carry with you in life, and even if you are dealt shit, it doesn't mean you have to compromise your integrity or ethics. The time will come when you perhaps have the ability to even the scales, but do it within the scope of keeping your own respectability and integrity high. All it takes is one random comment to start a ball rolling that will soon destroy you. Then again, if you are just a poser in a job, then you deserve everything that happens to you.
Moral issues aside, some companies are so lax in their security policies that they make it easy for those so inclined to take revenge. On my first day at a drug and alcohol rehab place where I used to work, I found a floppy disk (remember those?) in one of my desk drawers with everyone's salary, social security numbers, etc. I turned it in to management with a suggestion they be more careful, but I could just as easily have been a dick about it. I found out later that a previous sysadmin had done just that, locking them out of the network when they fired him. You'd think people would learn. Just more proof that you don't have to be particularly smart to be in charge.
4/5 women are easily impressed by statistics.
Try that one as a pick up line. It'll let you know if they're smart enough (or dumb enough, depends on what you're looking for, I suppose)
This sig isn't original enough, it's time to come up with something witty...
That is why personal security is an important aspect of any security policy.
In Poland where I live, if you have a nontrivial IT job as admin it almost certainly requires you to have government certificates. Such certificates allow you to handle secret information. Without it you basically cannot do any serious job. So I would think twice before getting information I am not intended to.
Also it should be a part of security policy that accounts and passwords are not shared and so on. So even if I would need to sack an admin and resulting conflict I would probably first lock all his access and then fire him. Not the other way around.
But to be able to do that you need strong and mature policies (which IMO is 80% of success) and technological support such as identity management system (which IMO is 20% of success).
It's still a relatively high number. Do you think that movie, mp3, pirating is a slippery slope, and thus leads to a relaxation or contempt with boundaries? Or is it just a feeling of contempt, since they are a "super user", and thus get used to doing what they want. Not unlike cops parking where ever the hell they want, and not getting in trouble for it.
The high number is still somewhat surprising to me, since that is a behavior that I would never even contemplate.
..........FULL STOP.
IT admin workforce drops by 88%.
"...Sleep comes like a drug in God's country Sad eyes, crooked crosses in God's country..."
88% of the Slashdot readers would steal their boss's password if they were promised to get laid.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
English is not my native language, and at first, for a few secs I understood the title as "88% of IT Admins Would Steal Passwords If (given the possibility to get) Laid"...
And then I thought "88% only" ?
This happened at my town of about 30k citizens; this was before I was there as an intern. The previous person was replaced since she stayed on even after a new person came as head of IT. The other had passed away a few years before this and she was essentially the head of IT. Well, then they got a new head of IT, my boss, and she was replaced as she tried to get out of the job and she deleted all records and she had to be sued to get the passwords. Never mind all our servers were a mess at the time and since then we have fixed everything: new servers on VMware, new switches, as all the stuff was out of date. This is a 3 man team by the way, or 5 if you count us interns; might as well, as we get paid and do the same stuff as the regular guys.
I wouldn't go out of my way to steal the passwords, but I keep the passwords I use in a password database type application. I had copies of that database at home for work-at-home use.
I still have them from my previous employer, and have never used them, but I don't have any intention of getting rid of them either. You never know when they might be useful for non-malicious purposes.
My local export of the Subversion repository (mostly stuff I wrote) is also a useful reference on occasion.
If the company considers salary information "highly confidential", they have bigger problems than their IT staff.
Heh, that is why you take them to lunch and give them "the news." All the while your other sysadmins are disabling their accounts and removing access to company resources...
"misinformation", oh and "layers". ;)
I take it you're not a fan of open source software?
I was with you all the way up to "nice chunk of change". *grumble*
Still, the idea of TFA is ridiculous.
<script>alert("I never liked JavaScript, really; it just seemed a bad idea.");</script>
My /. RSS feed truncates for a more interesting title: ...
88% of IT Admins Would Steal Passwords If Laid
Gotta fire my admin for snooping on Monday. Suddenly.
Hmm, maybe it was just that the width of my browser was just right so that the last word in the headline appeared separately on a second line.
So when I parsed that headline, it seemed to say 88% of IT Admins Would Steal Passwords in exchange for sex.
WTF? How could it be less than 100%?
Oh wait. I guess 12% of IT Admins are women.
There was this article on Slashdot that said he would steal my password!!!
That's why after I fired our IT staff and outsourced it to India, who subcontracted it to the Philippines, our network started to have problems and we can't find the data for the Deloitte audit!
Obviously he's stolen my password that Windows requires I change.
Good people go to bed earlier.
In information security there is one simple rule: Need to know vs. Nice to know. And that is basically it.
Because sysadmins always give 110%?
Well, I'm a fan of open source, but that doesn't necessarily make it safer.
I *can* be safer, if it's significantly reviewed by security experts, but there aren't that many who would spend their time in it, compared to the amount of people with bad intentions.
Security through obscurity should never be the main part of security. But it definitely helps.
It certainly helps when it comes down to server side scripting, like PHP. If you create your own site, no one else knows how it's made, what database you are using, etc.
When you use a ready made open source application, you put your fate in their hands. And if an attacker finds it, he will be able to take on every site using the open source software.
So security through obscurity does stop the large amount of would-be hackers using some ready made exploit script.
Slipping shoelaces ?
That's It *can*, not I can. I'm not a security system. Why doesn't Slashdot have an edit button?
Slipping shoelaces ?
The last thing I wanted was to be in a position where someone hacked the systems and I got blamed because I "knew the passwords"....
I even handed over my personal notes on the network and had my boss shred the ones he didn't need before I left.
I can't believe there are that many admins who have that little respect for themselves that they'd be willing to steal passwords.
-merlyn
I think that is really high and not reality.
Sure there are crooks everywhere but 88% does not sound right to me.
---- Booth was a patriot ----
"The survey also found that one third of IT staff admitted to snooping around the network, looking at highly confidential information, such as salary details and people's personal emails."
A thought just occurred to me. Remember the Slashdot story a while back about changing the nature of the information in such a way that only the absolute essentials would be released and it would be in a form that would protect the users' privacy? I would think the same relationship would apply to an internal network. The admin would only have access to the essential information in a form that would protect internal privacy AND allow the admin to do his/her work.
in such grand MS style
I'd be much more concerned about the trade secrets that roll out of management offices when overpaid idiots redeploy... And insofar as real "damage" has been done, it was NOT sys admins who loaded laptops with highly sensitive data and then LOST the damn things. Put some eyes on some of the idiots hired into non-IT MANAGEMENT positions. Jeesh. -- btw, I'm not anon -- I'm the "ITG"
To some extent, security through obscurity is absolutely necessary.
The San Diego Supercomputer Centre does not have any firewalls and has kept their network secure for four years (as of 2003):
http://www.usenix.org/publications/login/2003-12/pdfs/singer.pdf
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1191993,00.html
Not sure if things have changed now.
Don't try to profit, just put it out there for all to see and let what happens happen? Revenge of a sort?
I wouldn't do it myself, I'd rather get revenge in other means that wouldn't compromise my career.
But that seems like a relatively safe way to get your revenge.
...government employees? ...Oracle employees? ...Spartans?
Guess we'll never know.
I'm not surprised to see such high figures. Information is power. I'm less surprised to read that highly confidential information is being snooped by them. It's a boring job! Gotta have something juicy to read :P
As they say "most security threats are from within".
Just take the security of personal freedoms in the USA. Those in charge of the government at this time have stolen much freedom in the double speak name of freedom. Having passwords "stolen" or "remembered off site" is potentially just the same. Much damage could be inflicted upon companies depending on the range of access that the admins have that are laid off. Identity theft can occur, etc...
Escorting people out is one way. I've been "let go" a number of times. Usually it's simply two weeks notice and all works out. Other times it's two hours and they have someone watching you the whole time and escorting you out with your two weeks severance. One time it was after I arrived home on a Friday night with a phone call and stuff sent to me via courier. It all depends upon their paranoia factors. Often the reasons are not even told to us. In many ways employees and even contractors and consultants are modern day indentured servants.
Of course finding out that the system admins stole passwords or used them afterwards generally means it was wise for the company to let them go as those kinds of admins are dishonest (maybe more honest than whom they used to work for but still).
Systems really are brittle with many ways to subvert them. Rather than subvert your past employers systems I'd recommend building your own path to financial independence so that you don't need to work for companies that have the power to fire you!
I spent four years working as a school sysadmin--one for an elementary school and three for a high school.
Unhappy with an incompetent and micromanaging elementary-school principal, I interviewed for the sysadmin job at another school. That principal called my principal to facilitate handing me over, and I subsequently received the third degree for being "disrespectful and underhanded", along with "I could say things about you to make sure you never work in the school district again." Said principal then twisted my new principal's arm enough to get me split part-time each between the two schools.
Fortunately, I got a post as the sysadmin for a high school--one full-time job instead of two part-timers.
After two years and two micromanaging, incompetent principals, the principal threatened to not reappoint me for a third year. Among other reasons, he received hearsay that I had applied for another job.
So what did I learn working for a public school district? Four years of long hours and low pay, three supervisors who shouldn't even have been working at McDonald's, and two threats to get rid of me for something legal I did while off the clock.
I didn't sabotage anything, but I could have. Thank God for my personal ethics. And they wonder why they can't hold onto IT staff...
I'm a huge fan of open source, and from a macro-perspective, it has done wonders to help the security community.
That still doesn't mean you should publish the details on what software you are running. From an individual perspective, that is absolutely stupid.
As a penetration tester and web app auditor, I have broken into countless sites by looking at the badge at the bottom of the site ("Powered by WeakTemplates 1.2.4"), downloading a copy of that specific version, and finding an unpublished hole in it.
"The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
League of Professional System Administrators Code of Ethics. I have a copy hanging on the wall by my desk and I refer to it regularly to keep me honest. Integrity is the biggest asset for any system administrator.
... Is being missed.
I was vindictively fired by a total idiot. I made sure that everyone I knew at the company knew the hows and whys of my dispute (including where I _was_ at fault). I also always start grooming my replacement the first day I take a job or can identify the best guy to replace me, because who wants to be stuck in the same job forever.
In the days following my firing I took several opportunities to talk the guy who replaced me (my friend Dan) through how to lock me out of various machines and such.
For almost eighteen months people at that job were forced to say "it's a good thing (my name) made sure we had extra capacity laid in while the trench down the block was opened", or thing-x was purchased, or policy-y was in place.
By the end of that eighteen months, the guy who had fired me had been shown to be the kind of person who he was, and he was invited to leave the company. (I was long gone and made no attempt to return.)
If you have to "do something" to your company to make them feel the pain of your absence when you are gone, you weren't previously doing your job.
Competence, and never looking back except to laugh, is the best revenge ever.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
"88% of IT Admins Would Steal Passwords If Lai..." Laid? Yeah, that figures. So who is this cyber Mata Hari?
I'd take those fractions of a penny from accounting that get rounded down and slide them into a bank account.
88% though?!? That's staggering; I have a hard time believing that ethics in the IT industry are so poor as to validate a number that large. I want to know details about who they surveyed to qualify that number.
I know that the sociopath mentality is the way of the road at the top of some parts of corporate America (especially in the energy industry it would seem), and I wouldn't be surprised to see this number if it related to executives based on the nightly news, but in my IT circles we look on that behavior with scorn rather than having envy to aspire to it. And frankly I just don't see this type of thinking any place within the company I currently work for, top to bottom.
This is really an amazing report. Frankly it makes me fearful at what type of reprise knee jerk reaction management types are going to take based on this story.
Sigh...
This is a press release after all. A sales tool which provides none of the security questions, nothing about the sample group or methodology and none of the responses for you the reader to review.
I'd guess that they probably used a lot of leading or misleading questions in a poorly defined sample group simply to release some press kit.
Which makes them sales people and that's a much lower rung in the IT world.
Quack, quack.
stand behind your article. Bet if we look further the survey consisted of the same idiots at their local pub after a few too many pints...
What a crock, who are these IT Admins working for? Are they right out of college? Did they read some BS hacking book off of Amazon? SO LAME, when did Slashdot become the National Enquirer?
People get canned, people get laid off; if you don't want to have it happen to you, know more about the business than anyone else. Yes, know more than just IT; be able to justify and defend IT objectives to the business folks. Yes, those individuals that read some airline magazine or talk to their kids' friends and then think they know it all.
Don't be afraid to point out the error of their ways, just make sure if it is the CEO or CFO that you give them an out. OR YOU WILL BE OUT...
If only there was a way to preview before submitting.
"I can't believe there are that many admins who have that little respect for themselves that they'd be willing to steal passwords."
Why? People who illegally download content eventually grow up and take the same ethics with them.
:) dhdhdhdhgff
davecb5620@gmail.com
Fucking DOH !
davecb5620@gmail.com
"the boss asked me to set up her e-mail account to forward a copy of all her e-mail to him"
The CEO actually talks to the IT staff, now that is unbelievable
davecb5620@gmail.com
Why would they need to steal the CEO's password, when there are any number of ways to get access? Especially as letting the CEO have admin access is highly dangerous as he keeps his excel documents in the C:\Recycler folder to save space .:)
davecb5620@gmail.com
I can tell you all about any properly secured machine and reasonably expect most people will be unable to launch any successful attack.
Most security problems arise from insiders; clued-up companies have procedures in place to make sure an insider stops being one pretty much the moment a working relationship ends.
IANAL but write like a drunk one.
... all those problems are easily solvable by clued up people without lots of extra spending.
Firewalls, SSH, VPNs and other tools (often available for free) can mitigate very effectively all the problems you just described.
IANAL but write like a drunk one.
"IT people are usually of higher than average IQ... "
don't understand how averages work.
Which makes the above sentence doubly ironic.
IANAL but write like a drunk one.
Quelle surprise.
Pardon my Swahili.
IANAL but write like a drunk one.
Having been in the field now for 20 years, I've met all manner of IT people, and interviewed thousands. Several of my interview questions were designed to try and test the interviewee's character and drew on hypothetical situations that I have been faced with in the IT field.
I know that 88% of my coworkers, mentors and affiliates do not bother to violate the trust of the environments that I have worked in.
This is FUD - intended to generate an environment of fear to motivate potential clients. It's destabilizing propaganda and dishonest.
I take personal offense at this, being that this is my field and this encompasses most of the people I call my friends and have known and admired in my professional life.
Considering the difficulties and often long hours of the job, it's a serious injury on top of insult to have some vendor-slash-consultant-slash-propagandist snake oil peddlers call us criminals too.
I'll make a counter assertion. 88% of all consultants whose assessments determine if you need their services are lying assholes.
"No good deed goes unpunished"
I find it amazing how much time and energy goes into blocking "inappropriate" content at work. Because while it is admittedly a waste of paid worktime, blocking it will still leave tons of semi-legitimate sites to goof off on. Like Slashdot, been guilty of that myself at times ;-)
So I think a lot of energy goes to waste there.
C - the footgun of programming languages
Small business with no full-time IT staff.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
When I as the IT administrator already know what all of them are! That's one of the benefits of being the IT admin... you already know what all of the root/administrator/dba passwords are because you did a lot of the original product installation and configuration.
Sure, they may change many of those passwords eventually, but they'll probably never change ALL of them. There is always that one stupid legacy app with a hard coded password in it somewhere... which blows up every time someone tries to change the password for a reason that nobody bothered to investigate thoroughly. It only takes one of those accounts with admin rights to wreak some havoc... or more likely bail out a buddy six months down the road when they ask you for a favor at your new job.
Having worked in the field for a looong time, and been in Unix most of the time since '91, and being one of two sysadmins under my manager now, let me say that the admins I've worked with have been a hell of a lot more ethical than some of the developers, and way more so than most of upper management.
I can't think of one I've worked with who would pull that kind of crap.
Of course, when I call tech support for things like my cable modem, I get a *lot* of support staff that are M$ oriented, and ask for my password, so that's why the subject line.
mark
You're not sure what to do about it? But, you gave the answer already. You don't break the ethics guidelines because you get paid well at your job. This implies that you could lose your job if you were to deviate from ethics guidelines. Now, about how you took the high road to discredit your teammates on Slashdot...grow up.
what % of Cyber-Ark IT admins would steal passwords if laid off?