Slashdot Mirror

← Back to Stories (view on slashdot.org)

Do IT Pros Abuse Their Power?

Posted by Soulskill on from the hahahaha-yes dept.

An anonymous reader writes "I have noticed that many airports and hospitals I've visited have some kind of internet usage policy in place. Some use software similar to Websense, which effectively blocks sites based on blacklisting them by category. A commonly used blacklist prevents users from accessing 'forums or discussion boards,' yet I find that often these networks allow users to access sites like Fark, Slashdot, Digg and other message boards that appeal to the technical culture one might find in the IT world. In your experience, do IT administrators abuse their supervisory powers? Has there ever been a backlash from users or management for doing so?"

11 of 460 comments (clear)

  1. Since when.. by dr_strang · · Score: 5, Interesting

    ...are Fark and Digg considered 'technical culture' sites. Seriously, this isn't 2001. Last time I checked, the Internet had sort of entered the mainstream and 'slacking off at work' isn't really considered exclusively IT.

    --
    This is a sig. It is like every other sig in the world, except that it is mine, and it is different.
  2. Power Corrupts... by PCGod · · Score: 5, Interesting

    Absolute power, is even more fun!</bofh>

    Yes, we did have something like this happen where I work. Our IT group ended up blocking all social networking sites. Our marketing department raised a fit because they use Facebook for business purposes.

    1. Re:Power Corrupts... by 2stein · · Score: 5, Interesting

      Yes, we did have something like this happen where I work. Our IT group ended up blocking all social networking sites. Our marketing department raised a fit because they use Facebook for business purposes.

      At the place were I currently work we have kind of a "feel free to use the internet as you wish" policy. This actually works out quite well. Sites are not filtered specifically. They basically say "hey, if you end up doing illegal stuff, you're screwed, otherwise we don't care as long as you get to do your work."

      I used to work for a financial institution before that. And they had sort of a lockdown-mania. Filtering proxies (no checking your private web mail - could be used for stealing information), read-only USB mass storage, scanning outgoing e-mail attachments etc. I guess, these rules came in place because of management being scared to death by compliance requirements, not because of IT admins abusing their power.

      And BTW: Had I wished to steal massive amounts of data, I could have still simply sent them via e-mail in a password-encrypted archive. It's a matter of trust, not only of making it difficult. So basically powerful and clueless management are equally effective as power-abusing admins.

    2. Re:Power Corrupts... by dkf · · Score: 3, Interesting

      Take SSL/TLS for example. It is basically protection against a problem that would never happen in reality. What are the chances of someone intercepting your communications link to a website and capturing your credit card numbers? Out of the billions of packets that are flowing through the networks, the chances of someone managing to find the one packet with the 25 bytes of data comprising your credit card number are vanishingly small. The level of access you'd need would mean it'd be easier to just compromise the person's PC directly rather than sorting through all that noise.

      Once someone's trapping the message flow, it's trivial to search for particular triggers. The biggest defence is current generations of routers not sending every message to every machine on the local net, but that's not really much of a defence at all. Encryption stops these trivial attacks.

      There are problems with SSL as usually deployed:

      1. Most users don't verify that who they've connected to is who they wanted to connect to.
      2. Some CAs are grasping idiots who will sign any old shit if it gets them another dollar.

      Mind you, the alternatives are mostly much worse. And in fact SSL can be very good indeed (e.g., when the client has to present a certificate to the server and a private CA that everyone knows about beforehand is the only trust root). It's just that deployment on the scale of the internet is hard; there's just no way to get everyone to know about everyone else before communications start.

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    3. Re:Power Corrupts... by CastrTroy · · Score: 3, Interesting

      CA's aren't supposed to guarantee that their customers are trustworthy. The only thing a certificate is for is to verify that internet traffic is coming from who it says it's coming from. That's it. Nothing more, nothing less. Nothing says you can't get a virus from only going to SSL sites. You can get an ssl cert for as little as $15 these days. Basically it's just a big cash grabs by the CAs. They don't actually have to verify that the site in question is using their cert for good, but just that they are who they say they are.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    4. Re:Power Corrupts... by Cederic · · Score: 4, Interesting

      And everybody in my extended team have web browsers on the mobile phones anyway, so if we do want to look something up we don't even need to use company resources to do so.

      Of course, it'll be quicker to use a proper browser on a proper monitor with a proper keyboard, but that just highlights the fallacy of locking things down to promote productivity.

  3. Do power users abuse their IT knowledge? by Wonko+the+Sane · · Score: 5, Interesting

    How many people here get around their workplace's blocking software by running an SSH tunnel to a proxy server on their home network?

    1. Re:Do power users abuse their IT knowledge? by iangoldby · · Score: 5, Interesting

      I don't understand why people always try to "get around" these restrictions. If there is a legitimate business need, then get it approved.

      I suppose it depends on the size of the business. Where I work, it is usually impossible even to find out who is responsible for a particular policy. As for actually getting a policy changed, you'd be better off pissing into the wind.

      Whenever I need information from a blocked site (I'm talking about work-related information here), I just keep trying Google results until I find one that isn't blocked. Sometimes it can take fifteen or twenty minutes, when I know that the top result would have answered my question immediately. On occasions I send myself an email at home so that I can look it up after work, but why should I have to do this?

    2. Re:Do power users abuse their IT knowledge? by lukas84 · · Score: 3, Interesting

      Get a separate ADSL line for the IT pros. A friend of mine did exactly that. He works in a large bureaucracy and in the end their installed a separate, unfiltered ADSL line that's not under the administrative control from over-the-pond.

      Of course, being in IT, they were smart enough to keep this all on a separate network.

    3. Re:Do power users abuse their IT knowledge? by Compholio · · Score: 3, Interesting

      Sure. Proxy intercepts DNS requests and forwards them to our Internal DNS servers. Firewall has a rule to block outbound DNS requests except those by our internal servers. The internal servers are only allowed outbound requests to our ISPs DNS servers.

      Except that's not how SSH over DNS works. On the server end someone installs a custom DNS server on a machine and sets that machine as authoritative for a domain. On the client end the PC sends a seemingly benign request through your local DNS servers, which forward that request to the authoritative domain (running the custom DNS server). The custom DNS server then decodes the "benign" request, passes it off to the SSH server, retrieves the reply, then encodes it so that it can be sent back to the client PC.

    4. Re:Do power users abuse their IT knowledge? by linuxrocks123 · · Score: 4, Interesting

      There's no reason you can't actually talk HTTP. See http://www.sensepost.com/research/reDuh/ for one of many examples on how to do this. And, once you have an arbitrary TCP connection, there's no reason you can't perform a public key exchange for SSH as usual, defeating your proxy's man-in-the-middle attack.

      Nice try, man, but you'll never be clever enough to accomplish what you intend.

      ---linuxrocks123

      --
      vi ~/.emacs # I'm probably going to Hell for this.