Slashdot Mirror
88% of IT Admins Would Steal Passwords If Laid Off
narramissic writes "According to identity management firm Cyber-Ark's annual 'Trust, Security & Passwords' survey, a whopping 88% of IT administrators would steal CEO passwords, customer database, research and development plans, financial reports, M&A plans and the company's list of privileged passwords if they were suddenly laid off. The survey also found that one third of IT staff admitted to snooping around the network, looking at highly confidential information, such as salary details and people's personal emails."
99% of men masturbate. The other 1% are lying.
Sounds like an unreasonable estimate to me. If people were that vindicative and dishonest then IT (and similar) systems wouldn't ever keep working.
Yea, and I'm training to be a cage fighter.
More like 88% of IT Admins like to say they would steal CEO passwords if laid off, but something tells me when the time came to break the law they would let the opportunity slide.
"I only speak the truth"
Karma: null(Mostly affected by an unassigned variable)
12% of all admins were laid off today in order to clear up resources for paying ransom on old passwords...
This sig isn't original enough, it's time to come up with something witty...
88% of IT Admins Would Steal Anything to get Laid
Let me guess...
Deleted
I'm actually surprised at this claim. It would be nice if they posted some additional info, like their sample size, etc. Sorry, I just seriously can't believe that 9 out of 10 people would maliciously act in this manner. Snooping over the network out of curiosity, I'll buy that one.
How many of them are just saying that to sound cool?
What ever happened to sysadmins being known for having strong/good morals and ethics?
"According to identity management firm Cyber-Ark's annual 'Trust, Security & Passwords'"
Making the IT folk out to be bogeymen is great business for security pros. I'm sure there are some idiots out there, but most IT people are normal honest people like anybody in any other profession. I don't buy that we are so far off the curve, 81% is bullcrap and makes me question everything about that company and it's motivations and methods for the survey.
The rock, the vulture, and the chain
A firm selling data security products claims that people with access to sensitive information can't be trusted. News at 10.
I haven't, I wouldn't. At best you encounter some of those things during ordinary work or even unproductive boredom.. but I totally see no value in having such details of a place you no longer work.
(Of course here in Europe there's a due notice so you have plenty of paid time to find a new job, but still..)
Maybe I'm just daft or weak?
.. I have a 120dpi scanned transparent GIF of the CEO's signature.
There is a war going on for your mind.
....you take a survey saying something like "Have you in your work had access to..." or "Have you known company information after leaving..." which you often have then tweak it into "IT admins spy on you and will steal your IP" in order to make FUD and sell your product? I think I know enough people in the IT business to tell that these numbers are horribly off.
Live today, because you never know what tomorrow brings
It could be just me, but I honestly don't care enough about what other employees or coworkers are doing to bother sneaking about their crap. If it's anything like their desktops, I'm probably going to see hundreds of cute kitten photos, pictures of family and a bunch of music hidden under folders named things like, "NotMP3s".
When I was an admin (short stint so I could pay bills, 3 years) I usually didn't give a rat's ass about what the users stored on their system unless it showed up in my virus scan reports or I was told to investigate someone due to "suspicious behavior". (BTW folks, before you get off on the 'evil spying on users' tangent for me, it was only twice and it was two girls working in tandem selling info to another company on how much certain people were paid.) I never could understand the whole "I have the power!" attitude some people showed when it came to passwords or how they'd screw the company if they were laid off. If I felt I was unfairly fired or downsize or funsized, whatever, that's what my lawyer is for (he works for cheap cause I fix his laptop, heh). Why complicate issues by fudging with the network access?
Maybe I'm just too young to understand yet. Now if you'll excuse me, I have to play with my army men, we're planning an attack on the tan army on the coffee table and I gotta move equipment for em.
"Quote me as saying I was mis-quoted." -Groucho Marx
Typically, (at least in companies with some sense) the decision to remove an IT worker is made in advance, with steps taken to drastically reduce that individual's ability to do damage.
Rarely, is an IT worker told about their demise until steps are in place to have someone watch that person pack their belongings, upon which they are escorted to the door. They would be lucky to steal their favorite coffee mug is such cases.
Stupid is the company that gives notice to someone with keys to the kingdom, except in cases where the person is needed to stick around to train their own replacement.
But then, anyone who would agree to do that without MASSIVE compensation, is a pussy.
That said, I do know a guy who kept a series of special GPOs at the ready when he figured he was on his way out of HP back in the day...
Better go the pre-emptive way: make offside backups before the shit hits the fan.
Bad idea. You'd get a 5 yard penalty on the play.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
If I'm ever show to the door, I would insist on my ability to operate on the system being terminated at that moment. I don't want VPN access. I don't want an email account. I don't want SSH keys. I sure don't want the boss's password. Why? Because I don't want to be accountable for anything that goes wrong afterward.
Think about it, people. If the IDS catches you SSHing in a couple of weeks after you've left, then they have carte blanche to hold you responsible for whatever breaks, even if it's totally unrelated. Good luck convincing a jury that Oracle coincidentally just happened to explode an hour after you logged into your old workstation. Seriously, what good can possibly come from putting yourself in that situation?
Dewey, what part of this looks like authorities should be involved?
It was also discovered that 12% of IT Admins lie on surveys.
TFA was very vauge in how they frame "stealing." When I have left (of my own accord) a job, there is invariably a certain amount of information written in my notebooks when I pakc up my cube that probably contain some user/password items, hostnames, door codes, etc. If you call that "stealing" i'd say the statistic is right.
When I am leaving a job, I'm not actively concerned in making sure every piece of knowledge about my tenure is forgotten and every napkin I may have scribbled something on is returned or destroyed, and every backup I've made is destroyed because I use a lot of the scripts/docs/etc... as part of my new job hiring interview. Conversely, most firms I've worked at haven't changed their admin passwords or door codes when I left, so they don't seem particularly concerned either. (Which may or may not be normative.)
I would say that the time when most IT folks are going out of their way to collect information is if they feel like they're being setup for the fall guy. At my last gig my project lead liked to broadcast the whole group when a server went down (blaming me) so I was maticulous to keep a copy of every log, logon time, email from her, so when I was accused, I could defend myself to our supervisor. If you're being laid off for some straight-up BS; and you're acute enough to see it coming, you better bet I'm going to collect as much as I can to clear my name. Beit to that firm or my new employer should I get a bad reference.
Forgive my spelling from time to time. I'm often posting during short breaks.
When someone is laid of for no apparent reason, they often feel hurt and betrayed. A natural reaction is that the trust between them has already been destroyed.
At one company I was with, a sysadmin was on a conference call, and had his hands full when the call ended. The CEO never hung up the phone, and started talking to his assistant about people loosing their jobs and how much severance would be paid. The sysadmin, who probably should have hung up when he was first able to, couldn't resist listening for a short time. After a couple of minutes, the CEO finally realized that his phone was still on, and hung up the line. By that time, the sysadmin knew that several people would be laid off soon, but not how soon, or which people.
He informed a couple of his friends that the company was in worse shape than he had realized, and discretely began updating his resume. Within a month, the company was bought out and closed down by another company and everyone lost their jobs. He was asked to stay on as part of the transition team and that the new company would pay him, but after a couple of days, it was clear that he had been working for free and the new company was not going to honor the agreement.
At that time, he still had sysadmin access, and began to look through emails of the former employees. Some, including the CEO, were still getting and sending emails through web access through the old company server. He learned that although the board of directors did not want to spend the money to make sure that the fired employees could still have health insurance for a couple of months, they were willing to give the former CEO $25,000 for his efforts.
I have always said that a good sysadmin knows all the secrets of a company, but a great sysadmin knows when not to look. In this case, was the sysadmin justified in looking after he had been promised to be paid and then told he was not being paid? (Yes, his access should have been cut off, but he was the one who would have had to cut himself off and he was never told to do so.)
Although this situation may be unique, I think that many sysadmins may feel the same way. Once they are betrayed, they no longer feel the need to stay loyal to those that betray them.
Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
I've watched three IT admins get escorted out of the building in the past 5 years due to my sending of emails carefully salted with bogus salacious information about our department. If the fake information doesn't make it to a certain vice-president, then their job is safe. If it does, then there's only one person who could have known it (besides me of course), and out the door they go.
This little collateral duty of mine has been quite lucrative - I receive a percentage of whatever money the company saved by firing the dirtbag admins who couldn't keep their noses out of other people's data. And if they were willing to pass on what essentially is inter-office gossip, then who is to say that they wouldn't be just as willing to pass our trade secrets to outsiders?
No mod points, no meta-moderating/Firehose/all the other free work Slashdot wants me to do.
You've never seen my personal IT Bible, the Archives of the BOFH.
He exemplifies keeping a system running smooth THROUGH vindictive and dishonest means.
He's my Hero.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
as for who they actually ... who knows?
300 felons recently paroled for computer and technology related crimes.
I probably already had them, no need to steal them on the way out the door.
Seriously, I'm kinda glad to not be doing sysadmin stuff any more, except for my own systems. I was called in pretty regular in the old days to 'secure' the system just in advance of the incumbent being dismissed. Always a nasty business, both because the incumbent was usually capable of great harm, and because their boss was invariably 'difficult', and often wanted guarantees that the fired employee would never get back into their systems. I told one CFO that you could only be sure if you cut off both hands, put out both eyes, and seal him in a grave. Funny, the CFO took more than a moment to tell me that wasn't an option. I know he was wondering if the lawyers could be more effective.
deleting the extra space after periods so i can stay relevant, yeah.
I routinely gave my superviser written memoranda with my passwords written on it, the last time I worked in the shrinkwrap software industry. When the inevitable (and somewhat volatile) parting of the ways finally came, I got even by doing absolutely nothing. Information entropy had miraculously lost, hidden or evaporated every memo of mine, along with every trace of me in my spotlessly clean cubicle, so when my work (plastered with non-disclosure agreements in effect for two more years) suddenly became unavailable in plain sight -- Microsoft Windows 2000 was one thing they did VERY well -- I'll be doggoned if I could recall my password! Struth, too. I always picked 32 character secure passwords, just like Best Practice, and those things are darned hard to reconstruct after a week or so of cooling off. They didn't offer hypnotherapy. They fired my super, too. Moral: Never, ever call a damn fine programmer analyst a "coder."
``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
Making a blanket statement like this only seeks to infuriate the less-informed. I wonder, if the same study was done, for those individuals who hold a security clearance, would the same hold true? ABSOLUTELY NOT! Integrity is one of the big assets you can carry with you in life, and even if you are dealt shit, it doesn't mean you have to compromise your integrity or ethics. The time will come when you perhaps have the ability to even the scales, but do it within the scope of keeping your own respectability and integrity high. All it takes is one random comment to start a ball rolling that will soon destroy you. Then again, if you are just a poser in a job, then you deserve everything that happens to you.
Moral issues aside, some companies are so lax in their security policies that they make it easy for those so inclined to take revenge. On my first day at a drug and alcohol rehab place where I used to work, I found a floppy disk (remember those?) in one of my desk drawers with everyone's salary, social security numbers, etc. I turned it in to management with a suggestion they be more careful, but I could just as easily been a dick about it. I found out later that a previous sysadmin had done just that, locking them out of the network when they fired him. You'd think people would learn. Just more proof that you don't have to be particularly smart to be in charge.
That is why personal security is an important aspect of any security policy.
In Poland where live if you have a nontrivial IT job as admin it almost certainly requires you to have government certificiates. Such certificates allow you to handle secret information. Without it you basically cannot do any serious job. So I would think twice before geting information I am not intended to.
Also it should be a part of security policy that accounts and passwords are not shared and so on. So even if I would need to sack an admin and resulting conflict I would probably first lock all his access and then fire him. Not the other way around.
But to be able to do that you need strong and mature policies (which IMO is 80% of success) and technological support such as identity management system (which IMO is 20% of success).
Another reason to hire older admins, younger ones get bored easily and as a result commit more mischief, I remember the last few years I worked, it seemed that the younger people were always trying to find out how to bypass Squid to go look at porn sites, etc.
It just made my job harder and more annoying. Short attention spans and an inability to function without continuous entertainment seems to be a common failing among millennials.
I killed da wabbit -Elmer Fudd
Sabotaging a network is no different than setting fire to the building.
B-b-but, but but, they they took my stapler. It's the - the red swingline model.
Any plan which depends on a fundamental change in human behavior is doomed from the start.
If the company considers salary information "highly confidential", they have bigger problems than their IT staff.
I've been through a couple of layoffs. In one, the company was concerned about stealing, sabotage, and other vindictive behaviours. So they surprised everyone with two week severance packages and an escort out the door one morning. They brought in people at the butt crack of dawn to turn off every computer in the building. Later, "core" people started deserting the company, taking whatever they wanted with them.
In the other one, there was an announcement, something like, "The 20 people in this room are being laid off. Starting in two weeks we're going to lay off 4 people per week for 5 weeks. We expect you all to continue to do your jobs as well as you can *while* you look for work. Let your supervisor know of any scheduled interviews, they will be considered paid time off. As you find work report your start date so each week we can try to lay off people who already have new jobs."
The second layoff went without a hitch. The people laid off kept relations with the company, some came back later.
I know it's not the same as firing someone, but it does seem to me some companies treat laid off employees as if they've been fired.
Samsung took back my unlocked bootloader because Google wants me to rent movies. They're both evil.
there was this article on slashdot that said he would steal my password!!!
thats why after i fired our it staff and outsourced it to india, who subcontracted it to the phillipines, our network started to have problems and we cant find the data for the deloitte audit!
obviously he's stolen my password that windows requires i change.
Good people go to bed earlier.
And, of course, check every server for cron jobs...like the one that just exits if the last login time of "joeuser" was within the past day/week/month/whatever, but otherwise does very nasty stuff as root.
Seriously, as others have said, treat them like you would want to be treated, and you won't have any problems, and might be able to continue to find people that want to work for your company.
This is one of the things that I love about proxy firewalls. I have colleagues that try to run connections over port 80, and then get stopped because it's not HTTP. They come complain to me, and find a very unsympathetic ear.
I am bothered by the poor ethics of those around me. They think nothing of talking in the aisles about which BitTorrent sites get them the best movies, or how they only watch screeners or play cracked games because only stupid people pay for entertainment. They get frustrated when they run into refusals when trying to get the discs or keys for Microsoft software for which they have no clear need, and try to talk me or the other two people who do have access to them into giving it to them. I tell them that if they need it cheaply that bad they should get a TechNet subscription. They usually just wander off at that point, or sometimes storm off, as if they were somehow entitled to it.
I used to grab everything that I could off of various sites, pulling things down over Kazaa or eDonkey at the time, but I've left that in the past. I've got a job that pays well, and I know they're not underpaid.
I think that ethics in IT have slid dramatically downhill, so that the norm seems to be that people don't want to get caught, rather than not wanting to break the ethics guidelines in the first place. I'm not sure what exactly to do about it, other than try to set a good example. But even then, I've heard some suggesting quietly to others that I'm just hiding my own sins (hint to those people: make sure I'm not in the cubicle next to you when you talk about me). I'm at a loss at that point.
You can never go home again... but I guess you can shop there.
The last thing I wanted was to be in a position where someone hacked the systems and I got blamed because I "knew the passwords"....
I even handed over my personal notes on the network and had my boss shred the ones he didn't need before I left.
I can't believe there are that many admins who have that little respect for themselves that they'd be willing to steal passwords.
-merlyn
As they say "most security threats are from within".
Just take the security of personal freedoms in the USA. Those in charge of the government at this time have stolen much freedom in the double speak name of freedom. Having passwords "stolen" or "remembered off site" is potentially just the same. Much damage could be inflicted upon companies depending on the range access that the admins have that are laid off. Identity theft can occur, etc...
Escorting people out is one way. I've been "let go" a number of times. Usually it's simply two weeks notice and all works out. Other times it's two hours and they have someone watching you the whole time and escorting you out with your two weeks severance. One time it was after I arrived home on a Friday night with a phone call and stuff sent to me via courier. It all depends upon their paranoia factors. Often the reasons are not even told to us. In many ways employees and even contractors and consultants are modern day indentured servants.
Of course finding out that the system admins stole passwords or used them afterwords generally means it was wise for the company to let them go as those kinds of admins are dishonest (maybe more honest than whom they used to work for but still).
Systems really are brittle with many ways to subvert them. Rather than subvert your past employers systems I'd recommend building your own path to financial independence so that you don't need to work for companies that have the power to fire you!
I spent four years working as a school sysadmin--one for an elementary school and three for a high school.
Unhappy with an incompetent and micromanaging elementary-school principal, I interviewed for the sysadmin job at another school. That principal called my principal to facilitate handing me over, and I subsequently received the third degree for being "disrespectful and underhanded", along with "I could say things about you to make sure you never work in the school district again." Said principal then twisted my new principal's arm enough to get me split part-time each between the two schools.
Fortunately, I got a post as the sysadmin for a high school--one full-time job instead of two part-timers.
After two years and two micromanaging, incompetent principals, the principal threatened to not reappoint me for a third year. Among other reasons, he received hearsay that I had applied for another job.
So what did I learn working for a public school district? Four years of long hours and low pay, three supervisors who shouldn't even have been working at McDonald's, and two threats to get rid of me for something legal I did while off the clock.
I didn't sabotage anything, but I could have. Thank God for my personal ethics. And they wonder why they can't hold onto IT staff...
League of Professional System Administrators Code of Ethics. I have a copy hanging on the wall by my desk and I refer to it regularly to keep me honest. Integrity is the biggest asset for any system administrator.
... Is being missed.
I was vindictively fired by a total idiot. I made sure that everyone I knew at the company knew the hows and whys of my dispute (including where I _was_ at fault). I also always start grooming my replacement the first day I take a job or can identify the best guy to replace me, because who wants to be stuck in the same job forever.
In the days following my firing I took several opportunities to talk the guy who replaced me (my friend Dan) how to lock me out of various machines and such.
For almost eighteen months people at that job were forced to say "is a good thing (my name) made sure we had extra capacity laid in while the trench down the block was opened", or thing-x was purchased, or policy-y was in place.
By the end of that eighteen months, the guy who had fired me had been shown to be the kind of person who he was, and he was invited to leave the company. (I was long gone and made no attempt to return.)
If you have to "do something" to your company to make them feel the pain of your absence when you are gone, you weren't previously doing your job.
Competence, and never looking back except to laugh, is the best revenge ever.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
88% though?!? That's staggering, I have a hard time believing that ethics in the IT industry are so poor to validate a number that large? I want to know details about who they surveyed to qualify that number.
I know that the sociopath mentality is the way of the road at the top of some parts of corporate American (especially in the energy industry it would seem), and I wouldn't be surprised to see this number if it related to executives based on the nightly news, but in my IT circles we look on that behavior with scorn rather than having envy to aspire to it. And frankly I just don't see this type of thinking any place within the company I currently work for, top to bottom.
This is really an amazing report. Frankly it makes me fearful at what type of reprise knee jerk reaction management types are going to take based on this story.
Sigh...
This is a press release after all. A sales tool which provides none of the security questions, nothing about the sample group or methodology and none of the responses for you the reader to review.
I'd guess that they probably used a lot of leading or misleading questions in a poorly defined sample group simply to release some press kit.
Which makes them sales people and that's a much lower rung in the IT world.
Quack, quack.
In other words, now that you've had your fun you're going to go criticizing the young whippersnappers having theirs.
What if a company decides to make you "redundant" with zero warning (illegal in the uk) and zero severance package (also illegal in the uk)
You're being fired on the spot without being paid for the last few weeks work, but they call it a layoff, so you're fine, right? You'll get your severance in 6-12 months through a tribunal. Well, half of it after the no-win-no-fee solicitor's had his share...
Your potential employer wants a reference. Do they get it? Do they hell. Legal recourse? None. You want to pay your rent but even working 24/7 at minimum wage doesn't cover it, but that's ok because you were "laid off" not sacked. Sure the landlord will agree... And of course the local convenience store will give you credit on food so you can feed your self because you were "laid off"... yeahright
At the end of the day taking information is essential to a sysadmins survival outside the workplace. Sysadmins get special treatment because there's the perceived threat that once sacked we can and will do whatever we like, so getting rid of us is a quick process, usually involving the cutting of all ties such as the company's contractual obligations in regards to pay, even pay that we've already worked for
Having a little ammunition to "motivate" them in pre-tribunal discussions is essential
Of course, if companies behaved responsibly like my last redundancy, there'd be no need for any of this childishness, and you'd be laid off with the understanding that yes, you know all the root passwords but you promise not to use them. An industry-standard severance package, clear reference procedure and an honest handshake means I'll uphold my end of that bargain with no problem, but god help any company that ever tries to fuck me over again...
Sysadmins generally don't go looking for ways to fuck companies, they just know how to protect themselves, and not forgetting passwords is one way to achieve that
Most of them aren't young. I'm 33, and the majority are about my age or older. With one exception, the youngest is 30.
Even when I was 'having my fun,' I was smart enough not to talk about it out loud at work. Keys were sometimes passed along quietly, but that usually happened when walking between buildings. Bursting into a room announcing that you've found a download site for the movie being released this weekend is bad form, but it's happened a few times this year alone.
You can never go home again... but I guess you can shop there.
stand behind your article. Bet if we look further the survey consisted of the same idiots at their local pub after a few too many pints...
What a crock, who are these IT Admins working for? Are they right out college? Did they read some BS hacking book off of amazon? SO LAME, when did slashdot become the national enquirer?
people get canned, people get laid off, if you don't want to have it to happen to you know more about the business than anyone else. Yes know more than just IT, be able to justify and defend IT objectives to the business folks. Yes those individuals that read some airline magazine or talk to their kids friends and then think they know it all.
Don't be afraid to point out the error of their ways, just make sure if it is the CEO or CFO that you give them an out. OR YOU WILL BE OUT...
Why would they need to steal the CEO's password, when there is any number of ways to get access. Especially as letting the CEO have admin access is highly dangerous as he keeps his excel documents in the C:\Recycler folder to save space .:)
davecb5620@gmail.com
Having been in the field now for 20 years, I've met all manner of IT people, and interviewed thousands. Several of my interview questions were designed to try and test the interviewee's character and drew on hypothetical situations that I have been faced with in the IT field.
I know that 88% of my coworkers, mentors and affiliates do not bother to violate the trust of the environments that I have worked in.
This is FUD - intended to generate an environment of fear to motivate potential clients. It's destabilizing propaganda and dishonest.
I take personal offense at this, being that this is my field and this encompasses most of the people I call my friends and have known and admired in my professional life.
Considering the difficulties and often long hours of the job, it's a serious injury on top of insult to have some vendor-slash-consultant-slash-propagandist snake oil peddlers call us criminals too.
I'll make a counter assertion. 88% of all consultants whose assessments determine if you need their services are lying assholes.
"No good deed goes unpunished"