Do IT Pros Abuse Their Power?
An anonymous reader writes "I have noticed that many airports and hospitals I've visited have some kind of internet usage policy in place. Some use software similar to Websense, which effectively blocks sites based on blacklisting them by category. A commonly used blacklist prevents users from accessing 'forums or discussion boards,' yet I find that often these networks allow users to access sites like Fark, Slashdot, Digg and other message boards that appeal to the technical culture one might find in the IT world. In your experience, do IT administrators abuse their supervisory powers? Has there ever been a backlash from users or management for doing so?"
You must be new here. All members of /. are (or want to be) a BOFH!
Of course we do. Get over it.
It comes with the work.
...are Fark and Digg considered 'technical culture' sites. Seriously, this isn't 2001. Last time I checked, the Internet had sort of entered the mainstream and 'slacking off at work' isn't really considered exclusively IT.
This is a sig. It is like every other sig in the world, except that it is mine, and it is different.
Absolute power, is even more fun!</bofh>
Yes, we did have something like this happen where I work. Our IT group ended up blocking all social networking sites. Our marketing department raised a fit because they use Facebook for business purposes.
How many people here get around their workplace's blocking software by running an SSH tunnel to a proxy server on their home network?
People in every line of work take advantage however they can. Janitors, mailmen, military personnel, police, teachers, principals, street sweepers, CEOs, mechanics, and on and on. It's human nature.
(1) Yes, of course. Whenever humans get power, many of them will abuse it.
(2) Users, all the time. Management, hardly ever. What else would you expect?
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
The people who put these filtering policies in place are usually morbidly obsessed with how other people jack off, in a sort of proxy-voyeur kind of way. They don't want to admit that they look at porn, but they are 100% focused on what other people *do* want to look at in their spare time.
I often felt like saying, "If you want some good links, just ask me. You really don't need to monitor / block my URLs, while keeping a copy of the log file for your own pleasure later".
Policy is made by management. I don't care if you watch gay furry porn for all the three hours you spend in the Office.
I do care about the security of the network - so if you plug your private Laptop into the Office LAN, you won't get any connection because your machine won't authenticate. But I'll know exactly that you did so. And I'll call you out for it.
In all the places I've worked, WebSense etc. only worked in the VLANs for the office workers. All IT networks (as did the Exec's networks) had unrestricted internet access (they still went through a malware filtering proxy, but not content filtering). This might be different in larger organizations.
In the place I work right now, we only have a malware filter. No content filtering at all. I think it's pointless. If someone does not do his job properly, fire him. If someone does his job properly, but uses 10 minutes a day for masturbating to gay furry porn, he's still more productive than someone who takes a 10 minute smoke break every 20 minutes.
Digg has tech news? I thought it was all libertarianism and marijuana.
IT professionals would never abuse the position of responsibility with which they are entrusted. They would never use their positions to retaliate against the unthinking, uncaring, ungrateful wretches that make their lives a living, seething hell each and every day those worthless pieces of crap continue to suck air.
He can go to slashdot but myspace is blocked? I can spend all day listing reasons why someone might want to block myspace. I could also spend all day listing reasons why people at work should be allowed to browse slashdot.
The submitter places _all_ interactive websites into a single category, and then complains that IT Admins are abusing their powers when some are allowed and some are not.
They are _not_ all the same and the submitter is just looking for someone here to validate the idea that he(she?) is being picked on by IT bullies. This is so obvious I can't help but wonder why it made it to the front page.
Samsung took back my unlocked bootloader because Google wants me to rent movies. They're both evil.
Employees from posting on random forums might expose their companies to liability for fraud ("Company X's products are pieces of junk assembled by slave labor in the Far East"), sexual predation, etc. What they do on their home computers is their own business.
In my experience most draconian restrictions are imposed by Management. The technical staff is simply more empowered to work around them or ignore them.
Generally, they'll whitelist any site that a user can come defend as needed for work.
If there is abuse of "IT power", it's that IT passes judgment on their own staff's claim that tech-sites are needed for asking questions and finding tech solutions. But, frankly, even a very lame claim that "I need access to localchat.com to check on how other local accountants are handling the new sales tax" will get a pass, too. IT staff aren't exactly Sam Spade. So any extra blind-eyes they get to their favourite sites is pretty marginal.
The big difference is that IT staff aren't shy of asking. Other users imagine some omniscient IT that will just know they really want to chat about their cats.
What's the point of having all that power if you can't abuse it?
Greetings and Salutations.
Perhaps the better questions are "why ARE some websites blocked? and WHO makes that decision?" I administer web access for a client or two, and, the decision to block given websites comes from upper level management, usually NOT the IT command structure. In a business, there is an almost paranoid fear that the employees are sitting around surfing the Net instead of doing work to make money for the company. Any blocking seems focused at keeping that from happening.
Alternatively, I go and sit at Panera Bread (a great place for good pastries, and excellent, light lunch sandwiches and such by the by...) on occasion, and have found a few websites that would not come up because they were blocked. However, it appeared that this was because the company providing the blocking had mis-categorized them, and, once I sent a note in about the site, they ended up being unblocked. But then, if I were going to surf porn sites I would NOT be doing it in a public place like that....
So, I suppose there are cases where IT admins abuse their powers and block sites that should be available...but I have not run into them. Amazingly enough BOFHs are human too, and, some of them ARE little Herberts....control freaks and generally annoying people. The rest of us are all genial and fun folks with a slightly twisted sense of humor.
Regards
Dave Mundt
YAB - http://blog.beemandave.com/
What typically happens is some muppet somewhere in some department spends most of his day on facebook or whatever. Their manager who is pissed off with them already complains to HR that they're slacking, HR wanting a quiet life has a chat with a director who tells I.T to block the site and while they're at it block everything else that's like it too. The director, who has never used facebook or any site like it doesn't know anything has changed, the I.T department will have long ago set up private proxies/gateways to the net so that a) their usage can't be logged and b) they don't have to worry about sites being blocked. For the rest of the users it's tough luck talk to directors.
If your I.T dept has left sites like fark and digg open then they're doing it wrong basically. Is this an abuse of power? Perhaps, but that's the way it works.
Any admin worth their pay can run rings around a net-blocker. So why piss-off the talent?
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
an interesting blog describing why blocking websites is actually more expensive than letting people browse them freely.
http://uiorean.ro/world/security/why-blocking-websites-is-bad-for-your-company/
Try explaining people using his razor, changes a lot how you see the world.
Does it matter, as long as they get their work done?
Really, some people are too uptight about things. The only metric should be if an employee does their job. If they do their job and do it well, who cares if they visit an amusing website for a laugh to break up an otherwise dull day?
Is it just the eggnog making you do crazy shit or are you people who replied really too dumb to recognize astroturfing on /.?
yes
Of course they do, and network people are the worst of the lot. I have yet to be in a network shop where they did not have their computer configured so the corporate site blocker was ignored or they had another easy method of surfing any site.
Better question is how many people use that root/admin permissions to install unauthorized software or ignored corporate policy and installed software themselves.
This is not an evil perpetrated by IT to make it hard to do your job, we have much more subtle ways of doing that (Using Windows, Exchange, "Network Outages", outsourcing, etc). If you don't like this, go talk to your HR department who block all of this to protect your brand and show due diligence in preventing hostile work environment issues. Or complain to your politicians about our over litigious world.
> Any admin worth their pay can run rings around a net-blocker.
What Admin? Oracle admin? AIX admin? SharePoint admin? SAP admin? There are a lot of different types of admins now and what makes them worth their pay is that they help you run your business and earn money. The ability to run rings around a net-blocker is not something you put on your resume.
Also in a well-implemented network it is not as easy to run around it *undetected*.
Also by doing so you are clearly breaking the rules that your supervisor set for you - what for? So they can fire you easily if they wish? Mobile broadband internet is like 10 bucks a month (at least here in Poland). Just get your own netbook or laptop and use it for unauthorized Internet access.
Um, most IT pros are too busy to abuse their power.
since recently there was someone posting on facebook photos of hospital patients without any consent ...I start understanding some limitations
IT guys typically don't abuse their authority. I've found, in the networks I've administered, management asks me to balance functionality with security. It's a very nebulous request, and typically it means that IT staff must use their best judgment when creating IT policies.
I've found the strictest policies are in place in financial firms, and the loosest policies are in place in education, and weirdly enough, law firms.
-ted
In your experience, do IT administrators abuse their supervisory powers?
No. I want to be able to read about the latest threats, vulnerabilities, and news applicable to my job. I don't want an end user seeing that there is a new hack or proxy available for making my job harder. Likewise, at the college I work at, law enforcement students are provided classes on online threats, sexual predators, and human trafficking - they require access to websites and services that we would normally block - having a web proxy/web scanning solution that allows for group based access lists is an absolute requirement.
Has there ever been a backlash from users or management for doing so?
No. Typically if an IT admin is in charge of the web proxy, he's white listed his laptop/workstation's static IP (or DHCP reserved IP) so that the relaxed rules are only applicable to him/her.
Do not mess with Slashdot Crowd!
We are watching...
Go back to your MBA friends..
Second is a matter of information. IT lives on information. Much of the information is useful, if only in a peripheral manner. Right now we see a bug that has hit payment processing, a lawsuit for unclaimed minutes, a review of the Nexus One, an article on censorship, and an article on plant gene mutation. First we see that there is not a whole lot here for people who just want to waste an hour with mindless junk. Even the stuff that is not directly related to work does help a person become educated. IT staff should be educated, as their purpose should be problem solving, not just working through an algorithm to solve common issues. And the education is not what is happening on One Life to Live, or who did well in a sports event, or what star is sleeping with who. All these things are vital entertainment to be sure, but not to the employer who is paying for 8 hours of paper pushing or answering the phone or direct customer service.
Third is the nature of power. Just because one applies rightfully acquired power does not mean one is abusing the power. As long as we have a hierarchical management system, those at certain levels with certain job responsibilities are going to be assumed to be the best at managing the related resources. One can imagine in an IT department of one person significant abuse going on, but in larger departments, such as stated in the example, it is likely just a management issue. For instance, I block many sites because these sites encourage the installation of software that will break the machine. The user will not fix the machine, but will use it as an excuse to take the day off. Other sites are blocked as the users have shown a lack of discipline when using the sites. It is all a matter of productivity. I imagine that if the IT staff started spending all their time on fark, it might get blocked.
And fourth is simple exposure. Everyone knows what facebook is and therefore it is a target. How many people really know what fark or digg or /. is. If the PHB don't know what something is, then they won't know to do anything about it.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
... and if you don't believe me I will delete your account
do IT employees do anything they aren't supposed to, like playing Halo when they're supposed to be working for instance. Geez, how insulting.
Promote true freedom - support standards and interoperability.
Do you allow DNS on your network? OpenVPN-over-UDP-over-IP-over-DNS isn't lightning fast but it does the job most of the time. It's a neat way to (ab)use commercial WiFi hotspots too. You can't stop a determined power user except maybe with a whitelist of a small set of whitelisted remote hosts.
IT blocks users from things that cause more IT work. Consider the user who goes to a forum, gets hit by some malware, doesn't know, it causes problems, and then IT has to fix it.
The IT guy doesn't have that problem. It's his responsibility so if it happens to him, he just fixes it.
It's not illegal to go to those sites. It just causes work for someone else. The "else" part is key. It's the opposite of "at your own risk".
yeah
I have seen that "lockdown" so many times, and it never works. There are no technical solutions to personnel problems. I always use this analogy; "You can make a car very secure by removing the battery and putting it up on blocks. It just doesn't make for a very good car."
"Car on blocks" is a good description. Our PHBs have included a "books and literature" prohibition that blocks all on-line books and magazines, including the archives from the big technical publishers. It makes it hard to satisfy the PHB command "Technical lackey, find out everything about this 20-year old technology and give me a one paragraph summary on how it will be our 'next big thing.'" Especially after PHB burned the technical library to expand his office.
This usually results in having to go home and work it out there, outside IT/PHB control. Then have a long lunch and take the rest of the day off. The productivity improvements are stunning.
In my experience the IT dept generally has rules for other people and rules for themselves. They "know what they are doing" while everybody else "can't be trusted". Their login for general usage is full administrator and bypasses websense, while I am barred from sites "listed as general business" (only sites pre-approved by IT are allowed, which they make very clear they do not do because they don't want people asking them all the time). Our email attachment limits are 2mb ("it takes up space on the server") and FTP is outright barred - even though one time it was the only way for a client to send me files IT wouldn't do it, so I went home and put it onto a USB stick.
They install whatever they like, including such productivity tools as BBC news sports tickers. Despite pretty much being able to do everything on their work-paid cell phone, not having to multi-task or whatever they have brand-new machines. When another member of staff requires a new PC, they get an IT staff's PC and IT get a new PC. Despite the general staff doing work where screen real estate is highly productive, their monitors are 15" and 17" while IT and managers have 19" (although they were quite savvy and gave the partners 21"; monitors are the new bigger desk and chair). In my job where we do quite a lot of printing, speed and quality are important, IT also have the best printer - yet it took a week for them to notice when I unplugged it one Friday night.
IT is all about convenience for IT. All our productivity stuff, which 99% of staff is running at any given moment, is quite server intensive. They're all on the same server, while low-intensity stuff rarely used has three idle servers all to itself. I spend a significant portion of my time waiting for the server to respond. It's quite embarrassing when a client turns up asking for a simple copy of a report in a hurry and it takes me 10 minutes, they think I must have forgotten so they ask reception to call up and remind me they're late for their meeting. I pointed out once that the servers could be rebalanced to distribute the load but was told "that would be too much hassle".
All the procedures are laughable. Despite almost completely phasing paper filing out, all staff's basic logins can delete data files and all the backups are kept on a shelf on site. I could obliterate the lot in one minute of madness (probably induced by dealing with IT). It would take me longer to copy it all to a couple of USB sticks, but nobody would notice until they got the blackmail letters or it was on the news.
But let's not get all confused and think I'm bashing IT here. I can say pretty much the same thing about every single department. Like how the time it takes me to obtain new propellant pencil leads costs the firm 16x the price of the leads. If I kept one carton for work then stole the rest of the box it would be cheaper for the firm than following procedure.
As regards other managers, few have the slightest clue about IT. Those that do just work it to their advantage - they get preferential treatment so it makes them look good.
I wouldn't restrict the "abuse of power" to only IT personnel... As a consultant I've noticed that the trend is to grant "exceptions" to senior management in quite a large number of environments. The watchers often don't like to be watched themselves. It's very much a "do as I say not as I do" attitude.
The admins have to read something.
Besides, how else are they going to keep informed of important IT news, if not for /.? :)
Need help treating your acne? Come here!
If anyone says yes I will post all your emails online and will lock you out of your accounts.
Yeah, right.. this question is so stupid, I would be surprised if anyone in their right mind would attach their name to it. The answer: Yes, of course, but no more so than most any other legitimate profession (and by legitimate I rule out the predominant abundance of power abuse in American politics).
Down with the career politician! SUPPORT TERM LIMITS
but not 4chan.
We have standards.
Everyone abuses their power, that's the point in acquiring power in the first place.
In companies where I was responsible for IT management, rules applied across the board. Period. There was no going around proxy servers, firewalls, nothing, even by the IT/Network guys. I reviewed every firewall rule and quarterly dumped them all for a formal review.
OTOH, I have worked at places where the network guys would place specific firewall reverse forward rules so they could RDP into their work systems from home without VPN. The VPN was robust. Even after they left positions in the company where day-to-day control of those resources wasn't part of their jobs, somehow, they still had the login to the DMZ, DMZ routers, firewalls and switches. Scary. We're talking months to over 1 yr later.
That company needed thousands of specialized firewall and port forwarding rules to enable selected communications with our vendors and partners. I doubt a complete review of all the firewall rules would be possible. Hundreds of entry points into the internal network, perhaps thousands world-wide. It is one of the largest networks in the world, but not as large as milnet.
speaking as "the IT guy" - it always depends on the company's policies and the usage of the sites/services
Let's take Facebook as an example: While it can be [used as] a powerful business network/tool it's also a major distraction and waste of time.
Even if 90% of your FB friends are [your] business contacts it doesn't make it "legit". It's private like Gmail, Twitter, Skype and everything else unless you're instructed to use it.
Also it's a question of productivity. You might think "Hey, I always finish projects within the deadline! Why do they care if I 'skype' with friends??"
Well, simply because you might be able to do 2 projects within the same time frame without all the distractions. (time equals money)
And from the IT's eyes it can be a pain for the network and hardware (P2P, streaming video like Youtube, and so on).
Some banks for example only forward emails up to a few 100kb. Everything above is stored locally and sent at a specific time (outside business hours) so it won't interfere with the usual business.
As for not blocking technical sites - working in the IT it's part of the job to be up to date with the latest tech, gadgets and everything related to your job.
So it doesn't really make sense blocking those resources, right? Of course there are situations where it seems unfair in your eyes but if you have a good point about why you should be allowed to use something take the shot, talk to your supervisor and see if it gets through.
Smartphones and netbooks are getting more capable by the day. Before long, employees will be surfing whatever they want on them without involving the company network. That will relieve the pressure on IT and put it back on managers.
org.slashdot.post.SignatureNotFoundException: ewg
..and if you don't like it I will delete your mailbox. Don't make me do it! You know I will!
Gods cannot "abuse" their power since they make the rules.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
............to idly browse forums when you should be working, IT staff or not, then you are not being managed effectively and not giving your employer value for money.
Stop arsing around on the internet and get some work done you lazy sods, I'd fire you all....
Right, but what you forget is that "clueless management" don't impose these sort of things on a whim. They were a response to the tighter regulations imposed by the federal government in the wake of the early 00's accounting scandals (Enron, WorldCom). The companies were forced to "do something" and they did. Nevermind that it is trivially easy to bypass these sort of things. If something does happen, the company can say "we took every technical measure available to us". And the fact that you encrypted the message before you sent it shows premeditation and an understanding that what you were doing was against the rules and potentially illegal.
I know that the folks on /. like to blame the government for everything but honestly... That makes no sense. The companies should employ reasonable policies to secure some types of information but that certainly doesn't force them to block private e-mails.
There are plenty of logical things to do: force occasional password changes, require good passwords, encrypt storage of mobile devices, block access to the classified data from employees that shouldn't have access to it, limit access from outside the network... etc. so they certainly can do those and have answers when they are asked "Did you do anything to prevent this stuff?". Then, if regulators ask "Why didn't you do [illogical thing]?", the correct answer is "If you can't state why we should have done that but hold us responsible for not doing that, expect a lawsuit".
It is very far fetched to claim that government is at fault for that sort of stuff.
...In IT, of course.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Well, taking some chances here, certainly in a crowd that does read sites like slashdot:
I think there is another reason: Slashdot isn't well known enough.
I know that Slashdot ís a popular site (I read it myself!), but perhaps "slightly more" with "geeks-with-a-crush-on-linux/apple/BSD/fill-in-other-non-M$ OS", and less with IT managers.
Put another way: in Microsoft-office-support-environments (with operators that manage Windows machines), the fraction of IT-managers (and other people that determine which sites should be BLACKlisted) that know Slashdot may be marginally small.
When a blacklist is put together, sites like Facebook & Youtube would therefore be mentioned much earlier in that 'blacklisting brainstormsession', than would be Slashdot or Digg... (Besides, blocking Youtube would mean more in freeing resources than blocking Slashdot would). So nobody even thinks about blocking Slashdot.
Now, when sites like Slashdot were to appear on WHITElists, now, THAT would be a reason to think of something like 'misuse of power'.
But not putting it on a BLACKlist...
Kind regards (and no insult intended),
Roel
I manage a large network of computers and servers. I have never even considered blocking access except where it makes sense from a technical standpoint. It's really QoS I want but since I have never gotten it to work reliably I'd rather throttle specific sites like youtube, snotr, facebook and the like because that's the real bandwidth hogs.
All of the demands for power have come from upstairs. The management likes to be on top of everything but since security (real security) is so hard to grasp they go for something they almost understand instead. Like crazy policies that neither add anything nor kill any real problems.
HTTP/1.1 400
I worked at a place where the system administrator blocked only liberal websites, like the Daily Kos, and marked them as propaganda. I told one of the VPs that I would bitch about the war with, and the block was gone in about five minutes.
The categories that are blocked should come from the "Business" side and not from IT except maybe sites that cause operational impact. What we do is assign owners for the block categories and act as the liaison to them when someone wants something unblocked. For example:
Pornography - Human Resources
Social Networking - Human Resources
Guns and Violence - Corporate Security
etc...
In our case IT only owns the sites flagged as malware and excessive bandwidth.
So when someone sends in an email asking for access to Facebook we ask them to complete a form, we then take this form to HR for review. The reason we take it and don't tell them to take it to HR is to allow the block owner to make the decision outside of the scope of politics and without the anger many employees sling. You have NO IDEA how angry people get when something they want to get to is blocked even if the block is completely reasonable.
IT is there to enable the business to operate so they need to tell us what they want to give people access to.
Ahh, users. Would you care to be a little more passive aggressive?
Most of the sites you are mentioning that were not blocked were unblocked for work related uses. In IT, a good 80-90% of the job is keeping up with the technology that is out there and the uses others may have found for it. The sites you mentioned have a lot of related information about new technology and how others are trying to use it, so, for IT, that is directly relevant to their job and they have made the business case to management to unblock those sites.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
People like to whine about "big government" when it comes to stuff like Sarbanes Oxley but forget that SOX is simply a reaction to a clearly inappropriate level of apathy on the part of government to begin with. SOX is the inevitable backlash to the mess caused when this sort of "government can do no right and corporations can do no wrong" nonsense was tried the last time.
A Pirate and a Puritan look the same on a balance sheet.
It's largely just laziness. If you plug in a dumb robot, then you don't have to manage things one by one. My company blocks entire websites. Once I found a promising link to fix a graphics problem we were having with our PCs, but it was blocked because it belonged to a forum on a gamer site. Just because it was a gamer site doesn't mean it has no useful info. I complained, but the complaint went into a black hole.
Table-ized A.I.
Power Corrupts.... What was the question?
... they blocked blogs. All blogs, of any sort. All the developers hit the roof - 'cos guess where developers learn new tricks and find solutions to tricky problems?
Things came to a head when we trumpeted our new advances in outreach, getting our content in several prominent newspaper site blogs! Which were then blocked.
Q. Could you please explain the business case for blocking us from reviewing our own content?
A. Blogs have now been unblocked for the technology team.
I can see the point - keeping the workers from being F5-pressing robots is the sort of thing management considers a good idea. It just needs a modicum of sanity applied. This mostly requires time, patience and a solid business case.
http://rocknerd.co.uk
Am I the only one who was immediately reminded of the Jenny Holzer truism?
Law firms doesn't surprise me. The management structure of many law firms is such that the lawyers own the company and hire the support staff (though I have seen an Office Managing Partner). Which means if the lawyers don't want restrictions, the lawyers get no restrictions.
For linux tips: http://www.linuxtipsblog.com
Q1: Are IT pros, in general, humans?
Q2: Do humans, in general, abuse power when they have it?
Q3: Is there some reason to believe IT pros different from most humans in this regard?
I'm kinda curious why this question even got asked. Unless the answer to any of the above questions is anything less than as patently obvious as I think they all are, ("Yes", "Yes", and "No", for the record), simple logic would make the answer to the posted question obvious. Q1 & Q2 fall to the same simple "Socrates is mortal" syllogism, unless Q3 is assumed to also be "Yes", but why on earth would anyone think that?
"Convictions are more dangerous enemies of truth than lies."
I just submitted a Helpdesk ticket to get it whitelisted, since this is one of many news sources I read to stay current. It was available in a day. Most companies with halfway decent management want their nerds to read about technology, but don't want us chatting about Pokemon.
If you don't like the internet policy given freely by the airport or hospital...then don't use it.
Mean what you say...say what you mean.
... email will not allow you to send any substantial amount of data out of the firm.
Any attachments that could not be inspected on their way out would be dropped, or worse, passed to specific approvers to ensure you are not stealing data.
More and more clued up companies are taking full ownership of their IT resources, people should frankly get used to it.
Any company trusting employees is deluded, not because more employees are untrustworthy, but because you can guarantee that all are, which means restrictions for everybody.
IANAL but write like a drunk one.
Once when presenting a web based product to the senior management the IT people at a huge company tried to block the IP address of the server in the middle of the presentation. Without missing a beat I switched over to a copy of the product that was hosted on the laptop itself. The IT guy typed furiously and then interrupted and asked what port/IP address I was using. I told him that I had switched from TCP to UDP as something was blocking the TCP packets. He typed even more furiously trying to figure out why blocking a single IP wouldn't also block UDP. I am not sure he ever figured out what went wrong. For weeks after the presentation the IT group threw up roadblock after roadblock. We weren't compatible with their PKI, etc (we didn't use anything that would work with PKI). Even though the top people (CEO, CFO, President, and the VP of Marketing) really wanted what we were offering they simply admitted that a battle with their IT department wasn't something they could handle at this time. This was not the first IT department that tried to crap all over our product for "Technical" reasons. Even if our product were to have sucked crap that was never the reason given. It was always "bandwidth" or something not relating at all to any possible problem that our product had. I think it all boils down to IT departments being driven by fear. If all goes well the IT department risks downsizing. If anything goes wrong the IT department gets the blame. Then to top it all off the typical IT head might be around 50 years old in the average large organization and they fear the new guy who just was hired who could single handedly bring the entire department out of the depths of Novell and into the 21st century. I would recommend that any large company regularly get an outside organization to audit their IT departments and make sure that the technologies and practices are up to a reasonable standard.
Best to learn now that your backups suck instead of when the good data still exists. I would be willing to venture that most organizations have a head of IT who should be replaced by one of his far younger underlings.
The rest of the hacks which shame our profession might, but I'd like to think they are becoming the minority by this point.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
You can lock down pretty well any network, the "clever" people stand out immediately in security logs and can be scrutinized further.
IANAL but write like a drunk one.
they all give me diarrhea.
You can simply log suspicious IPs and if you can't find them in a white list, block them.
People relying on their home network will find very soon that they run out of IP addresses.
IANAL but write like a drunk one.
I doubt it very much. Not if they're any good. I have found one way of bypassing Websense however - simply work for Websense's development team, we require unfiltered access in order to test new releases of our software so our customers can block all your porn/facebook etc. Stop slacking and do some work.
I have seen many networks that have proper policies in place with effective walls between support teams and people that would benefit from breaking those policies. In many instances nowadays they don't even know each other and may not even speak the same language, so it is impossible for somebody to beg for exceptions to the rules.
IANAL but write like a drunk one.
There is no chance whatsoever that such a request would have been honoured in the sites where I have worked, at least not requesting things in such a casual manner.
IANAL but write like a drunk one.
It comes as a surprise to me that serious companies are not auditing what IT people do.
Network and Sys Admin managers should be heavily audited and constrained, precisely because they have so much power and *will* eventually abuse the power that has been conveyed to them (this is not an "if" but "when" situation).
So any properly run company will set policies in place, will ask the different IT teams to implement them and then will ask a 3rd team, without administrative rights, to check that the IT teams are adhering to the policies and procedures as requested.
Any company in which IT people can abuse their privileges has to look again at how they are organizing their support.
IANAL but write like a drunk one.
Of course they don't abuse their power, you foolish little man. These are not the Droids you seek.
An important site is being blocked that could earn my company $40,000,000 million dollars (that's forty million dollars) from the crown prince of Nigeria. We only need to send a small processing fee, to help him transfer the money to us, and all our financial worries would be over. But no, those stupid IT jerks will not remove their stupid ban on Nigerian web sites.
Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
I would honestly say it depends what kind of work environment you are in. Case in point, I worked in one retail store that had I would estimate about 20-25 terminals throughout the store, and each of them ran from Windows Server 2003. Internet Explorer was of course locked down hardcore to a Symantec Proxy that only allowed you to browse the company website.
However, apparently this must have annoyed someone because I had noticed Mozilla Firefox was also installed, and the way it was configured to block access like Internet Explorer? Through proxy settings, a simple clearing out of all the proxy fields in Firefox options enabled FULL internet browsing.
Overall it just depends how determined they are to block internet access, and how "tech savvy" they think people will be to get past it.
You must master your joystick like a fisherman masters bait! - Gimpy
I can see why this type of question would come up. If I cannot view something why can the governing team view something similar. A few explanations are: IT and support related people are not massive centers of knowledge on technical issues to often complex technical issues, access to other tech resources (even slashdot) are searchable resources. A lot of sites that are blocked at companies I support, are due to an abuse of them or common fear of them. Sites such as Facebook, or even Google Groups might have already been abused by others within your environment and made it on the list of blocked sites. Some services use automated complaint metrics to determine the eligibility of a site to be blocked or unblocked. A boss or coworker complains to an email address or web site that keeps a tally of what sites are causing the most issues and blocks them based on the level of complaint. As an example, someone in the office likes to listen to Andrew Dice Clay on You Toober and do so loudly. This individual might have been above reproach (specialized hard to find skill set) so a number of complaints are made to the automated system and soon You Toober becomes unavailable. These are just possibilities and not the exact reasons. I thought it best since I do not have any measure of control over your environment. hesperant
Worked in banking, insurance, telecomms, government, (all the nice people,) and I have never abused my power except (1) where tedious restrictions were in place and (2) to actually do my job (like setting up accounts for automated processes and the like because the outsource provider would take forever and charge a lot). So not for the gain of anyone except my employer.
Even when NDAs and secrecy agreements were not signed, but implied, I would never betray that confidence. And not just until the money ran out and then jump to a competitor: my skills and experiences would make me profitable to a new employer - not a collection of trade secrets.
Google cache?
Considering that it is the IT dept that sets the policies and manages the network they can do what they want. At the IT dept. I work for we have all of our machines running dual NIC’s with one on a separate subnet from the rest of the infrastructure. We have that subnet set as a DMZ so we have full access. No firewall, filtering, or monitoring. As the tech support for the whole company if they don’t like it we can slow down our support and lower our quality of service. For now management doesn’t bother us because we are very good at what we do.
there are 10 types of people in this world, those who read binary and those who don't. which are you!
only if they're good.
is this a long enough text for me to press preview and publish? sure hope so.
Of the many problems with the fascist approach to "internet use", "impossible" isn't one of them.
The many problems do include not insignificant costs (software, systems, and people required to implement & maintain), lost legitimate productivity (motivated employees + information = successful innovation) and cultivating a hostile work environment by making people feel as if they're working under total surveillance.
Altogether it assumes you want the smart, motivated and talented people to get jobs where the rules on internet use are more relaxed and you want to keep the losers with no other options, who, by the way, are the ones that do the absolute least amount of work they can get away with without getting fired.
Of course there are exceptions and variations depending on the place of work -- obviously, NSA jobs come with different standards than people selling packaged food, and some regulatory environments such as law and securities also come with baggage.
However, you may be right that this is the future in our long emergency-style world of economic shortage where people will accept work under any conditions to escape poverty.
Has there ever been a backlash from users or management for doing so?
The head of our former IT manager is still on a pike outside the front door as a warning to others.
When you work for our company, and have everyone use Exceed On Demand with a fixed IP address, and then change the IP address over the holiday shutdown without informing anyone, it *will* be noticed, and steps *will* be taken.
Because, unlike the rest of the employees I don't visit Anime sites during business hours, saturating the T1 on a deadline, install 'codecs' which are actually viruses, and then lie to the boss and IT that I got a malware virus while using juno webmail and that I was just checking during my lunch hour.
Nothing impresses the boss more than lying to his face when he's got the logs of your web browsing from the past month sitting in front of him and he knows about your interests in tentacle porn.
That, my friend, is the difference between IT and regular employees.
Brielle
You only need internet filtering in the workplace if you have bad hiring practices that allow time wasting B league players on your team. If you build an A league team then they will self manage their use of a wide open network.
It's not usually the IT admins that cause what others see as abuse... IT admins seldom determine policy. It's the upper management that sets the perceived abuse. I say perceived abuse, because you are there to use the computer to get your work done. You are not there to surf the internet. If you need internet access to do your job, you should have it. If not you should only have access to the internal company email.
And yes, I subscribe to the philosophy of giving people the minimum access needed to get their job done effectively. That means that ONLY the IT folks get to install software, and to decide what software will be installed. Obviously, there would be a procedure to ask for increased privileges/access, but the IT person has the final say as to whether that person really needs increased privileges/access or not (or needs a particular program or not).
Of the correct answers required, one was http://slashdot.org./
Make of that what you may, but even on the off days this little 'blog of CowboyNeal's is still considered by many to be less a water cooler for Geeks and more of an IT information resource.
"You cannot have a General Will unless you have shared experiences. You cannot be fair to people you don't know."
Certificates don't verify who traffic is coming from. All you need to do is move a certificate from one machine to another, hack a few routing/DNS issues, light off a web server, and the traffic is now coming from someone else, and the certificate still works fine.
Certificates (well, SSL, more to the point) see to it that your data is encrypted such that third parties can't get at it. They also ensure that the name the certificate is issued to (plunderthenet.com) is the one you connect to. This, however, only confuses the surfer into thinking that they must be connected to the people who registered plunderthenet.com, which may or may not be the case.
Certificate authorities are a scam; they have always been a scam. They do nothing actually useful, they simply perpetrate an illusion for profit.
I've fallen off your lawn, and I can't get up.
Most furs are straight or bi, after all, so there's a market for plenty of other types of porn.
Technical sites such as Slashdot and Digg help IT workers do their jobs, by keeping them up-to-date in respect to matters of concern to their field, and may contain information they are looking for with Google.
There is a good business case for allowing technical access to these forums. So I don't think it's an "abuse of power" that they may have been whitelisted.
A common IT tool to solve a technical problem is a google search, and a Technical forum often contains the answer.
When other workers in the Enterprise can make a similar case, then forums in regards to that subject should be open as well.
For example, there could be a business case that medical workers should be allowed to access professional medicine-related forums in a Hospital.
Airports could have a business case for allowing their workers to access news/airline professional-related forums.
As a guest at the airport/hotel, you may be restricted in other ways, for other security reasons.
I disagree to a small extent, but I think you're ultimately correct.
If taken to extremes, sure - it becomes ineffective, because users find ways around broken environments. If they want to visit web sites X,Y, and Z and find they're constantly blocked, they'll get frustrated and start looking for ways around it (web proxies or setting up a VPN tunnel to a PC back home that has full net access, or??).
On the other hand, there are legitimate liability issues an employer probably wants to take some basic steps to prevent, and it really shouldn't be a problem for 99.9% of the people trying to use the Internet at work. For example, where I work now, I put a web proxy filter in place (running Squidguard and using a free blacklist provided by shalla.de). Since they break everything down by category, I simply enforce only blocks on categories of primary concern (such as "porn" or "spyware"). They offer the ability to block things like "social networking sites", "travel sites" and all sorts of other options -- but I leave most of those untouched.
I find that if users generally can't even tell a filter is in place, they're more likely to respect a block when they finally come across it (probably trying to do something they know is "off limits" for the workplace anyway). They're not motivated to employ complicated work-arounds like they would be if they felt it was necessary for MANY sites they wanted to view.
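The category-based policy described in the comment above, sketched as a squidGuard configuration. This is an added example, not the commenter's actual config; the paths, the redirect URL and the category directory names (as unpacked from the blacklist archive) are assumptions.

```conf
# squidGuard.conf sketch (added example; every path and name here is an assumption)

# Directory where the blacklist archive was unpacked
dbhome /var/lib/squidguard/db
logdir /var/log/squidguard

# Categories of primary concern: defined AND enforced in the acl below.
dest porn {
    domainlist BL/porn/domains
    urllist    BL/porn/urls
    log        blocked.log
}

dest spyware {
    domainlist BL/spyware/domains
    urllist    BL/spyware/urls
    log        blocked.log
}

# Available in the list but deliberately left out of the acl,
# so users never see a block for it.
dest socialnet {
    domainlist BL/socialnet/domains
    urllist    BL/socialnet/urls
}

acl {
    default {
        # Deny only the two enforced categories; pass everything else.
        pass !porn !spyware all
        # Placeholder block page
        redirect http://proxy.example.internal/blocked.html
    }
}
```

Squid hands requests to squidGuard through `url_rewrite_program` in squid.conf, and the domain and URL lists are compiled into databases beforehand with `squidGuard -C all`. Enforcing another category later is a one-word change to the `pass` line, which keeps the enforced set easy to audit.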
I can see doing this for your kids, where you're trying to build a safe environment for them to web surf in. (The kidzui plug-in for Firefox is a good example.) But in a corporate environment, whitelisting seems extreme to me. I'd not only be an employee who complained, but one who would quit and seek employment elsewhere, if I was treated that way, (Do you happen to only allow outgoing phone calls to whitelisted numbers, to make sure they aren't spending time talking to someone who doesn't directly benefit the company? I recommend screening the books and newspapers they bring in, as well. Wouldn't want them to read something on their lunch break that doesn't benefit the business, would you?)
There are ways to protect a PC reasonably well from malware attacks without resorting to this.... That's just laziness on the part of I.T., really. I've done this stuff for close to 20 years, and I can only remember a total of about 3 virus infections anyone had on a PC, at any of the places I worked. Honestly, in all cases, they were easy to eradicate too. A properly configured router that blocks access on all ports except specific ones stops a lot of that junk from spreading or downloading "helper apps" that result in it completely taking over and embedding itself in a PC. Beyond that, you run good anti-virus software AND a package providing real-time malware detection and removal (commercial version of Malware Bytes might be a good recommendation here ... NOT junk like Symantec or McAfee want to sell you as an "add-on" to their main product). Lastly, you run things through a web proxy that does know how to block known IPs of sites that distribute the stuff.
As I said in another post, I'm all for blocking SOME web sites. Filter out as much porn as possible, because you really don't want a sexual harassment lawsuit over some co-worker stupidly downloading porn and making it into Windows wallpaper and offending someone, or what-not. You may want to filter known sites promoting violence and racism too. Again, it has no conceivable useful purpose in the workplace. But all in all, people DO expect to be able to use the Internet for a little bit of socializing, checking personal emails, and keeping up with news throughout the day. A happy employee is more productive, and all of this encourages them to be content.
Why are they blocking sites in the first place? Is it about IT power and control? Is it an HR issue? Typically IT is concerned about blocking sites that are likely to be harmful. But the reality is, IT started being concerned with stuff other groups should be concerned with and Web blocking software became an IT-tool rather than a line of business tool. I could care less for example that an employee spends all day at Slashdot, ESPN, Facebook, etc... are they getting their work done? IT is not a substitute for HR or management. What is the IT-related reason for blocking a Web site? Bandwidth reasons; security reasons? The idea of blocking a bunch of sites, that really shouldn't be blocked is typically a result of default-policies, and not based upon sound judgement.
Well, that sucks when you are trying to find legit work related info. I suppose all the newsgroups are out then as well....
Oh well, every job I ever had working for other people has similar. Goes with the turf, only alternative is completely self employed.
Law firms are also likely less risk-averse when it comes to employee lawsuits.
When you can defend yourself for 'free' why bother with a bureaucracy of HR and IT nannies?
Blacklists are useless in security.
Even if a user collects malicious JPGs or malware, a non Windows Administrator can't infect the machine.
Global Blocked filters for everyone INCLUDING IT Administrators
Binary Attachments, Scripting attachments, Compressed Attachments. Office Document Files, exe files
Block Ports other than 80 or 443
Whitelist sites for specific say download.microsoft.com Compressed Attachments. Office Document Files, exe files
The further divided the better
The windows SYSTEM or NETWORK SERVICE in most cases does not need internet access Block it.
Allow authenticated user accounts to pass through web filter.
If for whatever reason a computer does become vulnerable to MS sloppy services the malicious code cannot deploy without SYSTEM or NETWORK SERVICE internet access
Yes.
Next question.
(Please don't ask "Do cops speed?" "Do restaurant workers get free food?" "Do Real Estate Agents get cheaper houses?" etc...)
Shit! It's one of the few perks I have left.
Dilbert: Do you think you might be abusing your power?
Wally: What would be the other reasons to have power?
At the company I work for, the users had unrestricted access to the internet. Then they started abusing that freedom by going to porn sites, soaking up all the bandwidth with streaming music and YouTube, and happily going to every malware website possible. We got fed up with blocking IP ranges at the firewall, having to tell a user not to stream media, and finding out how creative a user can get with getting malware. I campaigned for and got a content filter. Not everyone gets a "no internets" policy. We start off with restricting the really malicious sites first, then allow full access to those that need it (e.g. underwriting), then make category blocks like porn, and then granular as each department head sees fit. So far everyone has gotten used to it. Sites do get miscategorized from time to time, but we can unblock them and recategorize them as needed. Really we should have had something like this when I first started since there is a possibility for unrestricted access to become a liability. OP, if you want a website unblocked, put a request to the netadmin to have it unblocked. Otherwise appreciate that you do have some level of an internet connection that you're not paying for, get some means of a VPN that won't restrict internet access, or pay a hefty sum for an aircard.
I work at a medium sized software company (500 employees) and was not aware that IT had any power to abuse.
They can be passive-aggressive and take their sweet time to fix my constantly messed up Active Directory, but other than that, they wield no real power.
Where I work, sites like eBay get blocked, but Slashdot, thinkgeek and Battle.Net are open?
Gee, how very impartial...
Non-supporter of Online Activation and any other draconian DRM
I remember installing McAfee on my wife's computer and having it trash the operating system. Thankfully I had backed it up before the installation.
After restoring the system I tried it again, thinking that it might have been a fluke.
I had to restore everything a second time. I went with Symantec and have avoided McAfee ever since.
I work in outsourced IT, which pretty much makes me system admin for... say, 30 different companies?
We've only got blacklists set up at a few of our customers, and generally we're forced to because - here's a shocker - 90% of end users are dribbling morons.
If you're blacklisted at work, or don't have administrative rights, there's a good chance that IT did it because the person at the desk next to you (or you yourself) downloaded viruses on facebook 5 days in a row. I can't do my job if I spend every waking hour removing "Internet Security 2009!" from your PC over and over.
Get over it.
for all cockmast users. Running something is better than nothing. I like how it manages in/out bound conn. There are things that do it better. But lately, I question their ability to keep up definition files though, as I too have seen a few machines get pegged recently.
How much is your data worth? Back it up now.
I've never seen the list of sites that are blocked in a corporate environment originate with IT. Generally we just get dictated to about what gets blocked. Would we then go "Hmmm, the Information Security nazis want facebook blocked. Well, to be fair let's block /. as well." Yeah right.
My pet peeve on this subject is I've never heard of anybody thinking it's a good idea to block sites like the Wall Street Journal or stock market sites.
... Programmers Research Institute for Code Kracking Security
maybe there's a connection.
I fear it is a common occurrence. The problem is not so much risk, as the IT professionals are generally safer about where they go on the web. The problem is one of perception, and of policy. When IT professionals ignore stated policy and do what they like, it tends to do several things. One is resentment, and it helps degenerate the relationships between IT and the users, which hurts the company. The second problem is it creates problems amongst policy. If IT doesn't follow policy, then users may feel free to ignore or go around policy as well. In addition it makes policy harder to enforce, when some people get away with ignoring policy while others are punished for the same. If you have a good security department, they will make sure policy is enforced equally for all users, otherwise your policy is as bad as never having been written at all. I am sure I will get slammed by some here for saying it, but it is true. IT needs to foster better relationships with its users. One way to do that is not to ignore policy, and pretend it doesn't apply to you. Your security is at stake here, and the bottom line of the company.
Open Source: Eroding the Digital Divide
Running something is better than nothing...
Yes, but wouldn't "running something better be better than simply running something?"
Just a thought... ;-)
StarTrekPhase2 - The Five Year Mission Continues!
Here you go.
Oh, you're not stuck, you're just unable to let go of the onion rings.
Does it really matter if these sites are blocked or not blocked by the IT guys? Most of the time, they can get around it anyway.
I used to browse the net on a junk Windows FTP server all the time because it fell in a different DMZ without the restrictions. This was sometimes legit, because we block a lot of file downloads that I needed for work anyway... but I might've snuck in some Penny Arcade.. MAYBE.
~Mekkah
the masses that works better than Mc A eh?
I'm sure together we can get comcast to switch "security providers" if we show them what works better, and cheaper.
How much is your data worth? Back it up now.
people who don't punctuate or spell might seem retarted!
well at least i am willing to admit to being retarded.