Slashdot Mirror
Do IT Pros Abuse Their Power?
An anonymous reader writes "I have noticed that many airports and hospitals I've visited have some kind of internet usage policy in place. Some use software similar to Websense, which effectively blocks sites based on blacklisting them by category. A commonly used blacklist prevents users from accessing 'forums or discussion boards,' yet I find that often these networks allow users to access sites like Fark, Slashdot, Digg and other message boards that appeal to the technical culture one might find in the IT world. In your experience, do IT administrators abuse their supervisory powers? Has there ever been a backlash from users or management for doing so?"
Of course we do. Get over it.
Policy is made by management. I don't care if you watch gay furry porn for all the three hours you spend in the Office.
I do care about the security of the network - so if you plug your private Laptop into the Office LAN, you won't get any connection because your machine won't authenticate. But i'll know exactly that you did so. And i'll call you out for it.
In all the places i've worked, WebSense etc. only worked in the VLANs for the office workers. All IT networks (as did the Exec's networks) had unrestricted internet access (they still went through a malware filtering proxy, but not content filtering). This might be different in larger organizations.
In the place i work right now, we only have a malware filter. No content filtering at all. I think it's pointless. If someone does not do his job properly, fire him. If someone does his job properly, but uses 10 minutes a day for masturbating to gay furry porn, he's still more productive than someone who takes a 10 minute smoke break every 20 minutes.
In my experience most draconian restrictions are imposed by Management. The technical staff is simply more empowered to work around them or ignore them.
I always figured my employer would be really, really pissed off if they found out I did that. At best you're pointing out a massive security hole in the network. They'd just assume I'd be running ANYTHING (kiddie porn) over the tunnel, and if anything accidentally happened, and I'd been using a "hole", I'd get in huge trouble.
I have seen that "lockdown" so many times, and it never works. There are no technical solutions to personnel problems. I always use this analogy; "You can make a car very secure by removing the battery and putting it up on blocks. It just doesn't make for a very good car."
Even assuming you mean "reject certificates not signed by an authority I trust", as opposed to "reject self-signed certificates", it's pretty trivial to get a certificate you'd accept. I also wonder if you allow plain HTTP connections, given your stance on certificate management. HTTP connections are less secure than HTTPS with self-signed certificates, and they don't even generate a warning in the browser -- at least a self-signed certificate would let users know their connection is unauthenticated, but plain HTTP happily transmits in the clear, without encryption or authentication, with no warnings at all. That seems like a much more likely source of false security to me.
In general, your tunnel users aren't very persistent, or you haven't noticed the ones that are -- it's not terribly difficult to setup an plain-old HTTP server and send SSH data in the body of apparently-valid HTML pages. A bit of base-64 encoding, a bit of a random real web page from the browser cache, and you'd have an awfully hard time getting a machine to determine that the web page was actually a proxy connection. It's a bit inefficient and there are TCP over TCP resend issues, but it's perfectly usable for web browsing and the like. Or assuming you just check the SSL setup but otherwise allow HTTPS traffic unchallenged through the proxy (the most typical setup for non-forging, non-plaintext proxies) you could negotiate a standard SSL session and then send raw PPP data through it, without even pretending to be a web page, or using SSH.
Or if you're really pressed for access, you can setup a DNS-based proxy and smuggle data through in perfectly valid DNS requests and responses. The size of packets is limited, but it's running over UDP so you eliminate the TCP issues, and it's virtually unmonitored at most locations, even those that consider themselves "locked down" -- when was the last time you checked your outbound DNS logs? Do you even have outbound DNS request logging? And domains are cheap -- what if I registered a few hundred and spread out my requests across those?
Or if you're willing to put up with a little latency you can use just about any messaging/discussion board to post data to a totally legitimate web page, which a remote proxy could then read and reply to, again on a legitimate web page. And of course there's email.
While it's maybe worth some effort to make data smuggling more difficult, don't fool yourself into thinking you're preventing it from happening. Adding noise to the channel only limits transfer speeds -- so long as there is any way for users to inject and retrieve data to/from the Internet, even through proxies and filters, tunneling will be possible.
we currently have an anti-internet micromanager.
While the corporate policy is covered by an 'acceptable use' that is fairly liberal this guy equates having an idle page open equivalent to not working. To that end he's having our IT dept. provide him usage data from all employees. As a counter I developed an http over e-mail application that seems to be working quite nicely.
-nB
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
You work at a college and block certain "websites and services?" From the context I'm guessing it's more than simply blocking known phishing sites and the like...
If you are censoring the internet for the students of your college, then frankly I find that abhorrent. It's one thing for a company to filter the internet for their employees at work, but it's completely another to do it to students who-- besides being in an environment which should encourage exploration and allow for the making of mistakes-- may very likely live there and only have access to the internet through the school. As a college IT department, for all internets and purposes you're an ISP and with respect to student internet access you should be held to the same standards of openness and neutrality to which Comcast, Verizon and their likes are.
You aught to, especially if your previous "fix" was to block the website used for business purposes in the first place.
The role of IT is not to control information technology, metering it out to the users as the IT gods see fit. The role of IT is to support the business. That means facilitating their work as much as possible, and protecting them from the dangers they are unaware of.
Frankly, if I were your manager and you took that attitude toward your customers on a daily basis, I'd fire you.
IT departments don't make a company money. They either help them make more money by increasing productivity, or they help prevent them from losing money by protecting their information-related assets. If you are doing neither, you don't belong there.
Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
> I have seen that "lockdown" so many times, and it never works.
It works quite well for demonstrating compliance with regulations, which is what it is for.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Ummm... IANAL, but even I know that's not a real charge. If you threatened him with that, you guys are probably in the wrong...you know... "hostile work environment" and all those little things. You could have gone after him for unauthorized access... but you'd be hard pressed to claim it was unauthorized access to his home network. And given that he was an employee, you'd be pretty hard pressed to argue he exceeded access on his own desktop or your network. At best, you've got evidence that he used a data processing system in a manner violating policy--and you've already admitted it wasn't malicious and did no damage. Assuming you're using the computer fraud & abuse act--you've already eliminated most of the necessary criteria... which makes anyone accusing him under it guilty of... oh--filing a false report, and possibly perjury depending on how far you take it! Not that you'd ever be prosecuted as that's one of the most abused laws in the country.
While there are states where access in violation of policy *has* been held as unauthorized access, to my knowledge there's really only been one conviction of that so far--and last I'd checked in, it was about due to be thrown out on appeal. Quite simply--you can't open the door of your house to somebody, and then accuse them of trespass when they wander off the yellow brick road you defined in a convoluted fashion.
I don't blame you for looking for that type of traffic--it's a good way to hide botnet. But going after somebody for trying to listen to music... and using that as the excuse to fire him--that's just cowardly and dishonorable. Your users deserve someone more professional than that, even if they themselves are not the most professional based upon their actions.
And management gets fancy catered lunches, and warehouse gets free shipping, Marketing gets free swag, Sales gets to wine and dine people on the company credit card, etc so on and so forth
Good-bye
And this is why "direct benefit" is a completely useless metric, and in fact isn't applied to most of the rest of a business's operations. A/C and heating, for example, don't provide a direct benefit except for industrial controls, yet most businesses see the value in providing a comfortable work environment to employees.
By the same token, the studies are now old news that have shown that employees who take "mental breaks" with Facebook and friends are more productive and that external communications channels are becoming increasingly valuable to businesses.
It's the same old story: Centralized policymaking suffers from a chronic lack of both information and imagination, and policies like global whitelists essentially kill off many useful innovations.