Slashdot Mirror

← Back to Stories (view on slashdot.org)

Do IT Pros Abuse Their Power?

Posted by Soulskill on from the hahahaha-yes dept.

An anonymous reader writes "I have noticed that many airports and hospitals I've visited have some kind of internet usage policy in place. Some use software similar to Websense, which effectively blocks sites based on blacklisting them by category. A commonly used blacklist prevents users from accessing 'forums or discussion boards,' yet I find that often these networks allow users to access sites like Fark, Slashdot, Digg and other message boards that appeal to the technical culture one might find in the IT world. In your experience, do IT administrators abuse their supervisory powers? Has there ever been a backlash from users or management for doing so?"

32 of 460 comments (clear)

  1. New around here? by hedronist · · Score: 5, Funny

    You must be new here. All members of /. are (or want to be) a BOFH!

    1. Re:New around here? by TheLink · · Score: 5, Informative

      A BOFH might find it more fun to manipulate data from certain websites, rather than block sites.

      e.g. the BOFH substitutes some images, and/or inserts a rather loud audioclip.

      Go figure out the details yourself.

      Even if you use SSL, the BOFH probably controls what CA certs are installed in your browser ;).

      --
    2. Re:New around here? by noidentity · · Score: 5, Funny

      A BOFH might find it more fun to manipulate data from certain websites, rather than block sites.

      Oh, you mean something like blurring or mirroring images on websites viewed over an open WiFi access point?

  2. Of course by Guiness+Boy · · Score: 5, Insightful

    Of course we do. Get over it.

    1. Re:Of course by digitig · · Score: 5, Funny

      Don't be silly. It would only be "abuse" if it were a bad thing!

      --
      Quidnam Latine loqui modo coepi?
  3. Since when.. by dr_strang · · Score: 5, Interesting

    ...are Fark and Digg considered 'technical culture' sites. Seriously, this isn't 2001. Last time I checked, the Internet had sort of entered the mainstream and 'slacking off at work' isn't really considered exclusively IT.

    --
    This is a sig. It is like every other sig in the world, except that it is mine, and it is different.
    1. Re:Since when.. by Akira+Kogami · · Score: 4, Funny

      Nah, eating junk food is enjoyable.

    2. Re:Since when.. by poetmatt · · Score: 5, Informative

      you can blame the fact that the websense ceo is the same guy who was ceo of Mcafee during the time when Mcafee was known to be a piece of shit software that wasn't complete or accurate. Is it any more surprising that he's equally badly mismanaging websense, and is selling to the same crowd with both basically?

      The issue is a man named gene hodges , the guy is a horrible ceo (and cause for many tech issues relying on anything he is a part of) .

    3. Re:Since when.. by GrumblyStuff · · Score: 4, Funny

      The McAfee infection is annoying. Popping up all the time, asking for money....

  4. Power Corrupts... by PCGod · · Score: 5, Interesting

    Absolute power, is even more fun!</bofh>

    Yes, we did have something like this happen where I work. Our IT group ended up blocking all social networking sites. Our marketing department raised a fit because they use Facebook for business purposes.

    1. Re:Power Corrupts... by 2stein · · Score: 5, Interesting

      Yes, we did have something like this happen where I work. Our IT group ended up blocking all social networking sites. Our marketing department raised a fit because they use Facebook for business purposes.

      At the place were I currently work we have kind of a "feel free to use the internet as you wish" policy. This actually works out quite well. Sites are not filtered specifically. They basically say "hey, if you end up doing illegal stuff, you're screwed, otherwise we don't care as long as you get to do your work."

      I used to work for a financial institution before that. And they had sort of a lockdown-mania. Filtering proxies (no checking your private web mail - could be used for stealing information), read-only USB mass storage, scanning outgoing e-mail attachments etc. I guess, these rules came in place because of management being scared to death by compliance requirements, not because of IT admins abusing their power.

      And BTW: Had I wished to steal massive amounts of data, I could have still simply sent them via e-mail in a password-encrypted archive. It's a matter of trust, not only of making it difficult. So basically powerful and clueless management are equally effective as power-abusing admins.

    2. Re:Power Corrupts... by houstonbofh · · Score: 5, Insightful

      I have seen that "lockdown" so many times, and it never works. There are no technical solutions to personnel problems. I always use this analogy; "You can make a car very secure by removing the battery and putting it up on blocks. It just doesn't make for a very good car."

    3. Re:Power Corrupts... by networkBoy · · Score: 5, Insightful

      we currently have an anti-internet micromanager.
      While the corporate policy is covered by an 'acceptable use' that is fairly liberal this guy equates having an idle page open equivalent to not working. To that end he's having our IT dept. provide him usage data from all employees. As a counter I developed an http over e-mail application that seems to be working quite nicely.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    4. Re:Power Corrupts... by John+Hasler · · Score: 4, Insightful

      > I have seen that "lockdown" so many times, and it never works.

      It works quite well for demonstrating compliance with regulations, which is what it is for.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    5. Re:Power Corrupts... by chrylis · · Score: 4, Insightful

      And this is why "direct benefit" is a completely useless metric, and in fact isn't applied to most of the rest of a business's operations. A/C and heating, for example, don't provide a direct benefit except for industrial controls, yet most businesses see the value in providing a comfortable work environment to employees.

      By the same token, the studies are now old news that have shown that employees who take "mental breaks" with Facebook and friends are more productive and that external communications channels are becoming increasingly valuable to businesses.

      It's the same old story: Centralized policymaking suffers from a chronic lack of both information and imagination, and policies like global whitelists essentially kill off many useful innovations.

    6. Re:Power Corrupts... by Cederic · · Score: 4, Interesting

      And everybody in my extended team have web browsers on the mobile phones anyway, so if we do want to look something up we don't even need to use company resources to do so.

      Of course, it'll be quicker to use a proper browser on a proper monitor with a proper keyboard, but that just highlights the fallacy of locking things down to promote productivity.

  5. Do power users abuse their IT knowledge? by Wonko+the+Sane · · Score: 5, Interesting

    How many people here get around their workplace's blocking software by running an SSH tunnel to a proxy server on their home network?

    1. Re:Do power users abuse their IT knowledge? by Saint+Stephen · · Score: 5, Insightful

      I always figured my employer would be really, really pissed off if they found out I did that. At best you're pointing out a massive security hole in the network. They'd just assume I'd be running ANYTHING (kiddie porn) over the tunnel, and if anything accidentally happened, and I'd been using a "hole", I'd get in huge trouble.

    2. Re:Do power users abuse their IT knowledge? by iangoldby · · Score: 5, Interesting

      I don't understand why people always try to "get around" these restrictions. If there is a legitimate business need, then get it approved.

      I suppose it depends on the size of the business. Where I work, it is usually impossible even to find out who is responsible for a particular policy. As for actually getting a policy changed, you'd be better off pissing into the wind.

      Whenever I need information from a blocked site (I'm talking about work-related information here), I just keep trying Google results until I find one that isn't blocked. Sometimes it can take fifteen or twenty minutes, when I know that the top result would have answered my question immediately. On occasions I send myself an email at home so that I can look it up after work, but why should I have to do this?

    3. Re:Do power users abuse their IT knowledge? by Anonymous Coward · · Score: 5, Insightful

      Even assuming you mean "reject certificates not signed by an authority I trust", as opposed to "reject self-signed certificates", it's pretty trivial to get a certificate you'd accept. I also wonder if you allow plain HTTP connections, given your stance on certificate management. HTTP connections are less secure than HTTPS with self-signed certificates, and they don't even generate a warning in the browser -- at least a self-signed certificate would let users know their connection is unauthenticated, but plain HTTP happily transmits in the clear, without encryption or authentication, with no warnings at all. That seems like a much more likely source of false security to me.

      In general, your tunnel users aren't very persistent, or you haven't noticed the ones that are -- it's not terribly difficult to setup an plain-old HTTP server and send SSH data in the body of apparently-valid HTML pages. A bit of base-64 encoding, a bit of a random real web page from the browser cache, and you'd have an awfully hard time getting a machine to determine that the web page was actually a proxy connection. It's a bit inefficient and there are TCP over TCP resend issues, but it's perfectly usable for web browsing and the like. Or assuming you just check the SSL setup but otherwise allow HTTPS traffic unchallenged through the proxy (the most typical setup for non-forging, non-plaintext proxies) you could negotiate a standard SSL session and then send raw PPP data through it, without even pretending to be a web page, or using SSH.

      Or if you're really pressed for access, you can setup a DNS-based proxy and smuggle data through in perfectly valid DNS requests and responses. The size of packets is limited, but it's running over UDP so you eliminate the TCP issues, and it's virtually unmonitored at most locations, even those that consider themselves "locked down" -- when was the last time you checked your outbound DNS logs? Do you even have outbound DNS request logging? And domains are cheap -- what if I registered a few hundred and spread out my requests across those?

      Or if you're willing to put up with a little latency you can use just about any messaging/discussion board to post data to a totally legitimate web page, which a remote proxy could then read and reply to, again on a legitimate web page. And of course there's email.

      While it's maybe worth some effort to make data smuggling more difficult, don't fool yourself into thinking you're preventing it from happening. Adding noise to the channel only limits transfer speeds -- so long as there is any way for users to inject and retrieve data to/from the Internet, even through proxies and filters, tunneling will be possible.

    4. Re:Do power users abuse their IT knowledge? by Bigjeff5 · · Score: 4, Insightful

      You aught to, especially if your previous "fix" was to block the website used for business purposes in the first place.

      The role of IT is not to control information technology, metering it out to the users as the IT gods see fit. The role of IT is to support the business. That means facilitating their work as much as possible, and protecting them from the dangers they are unaware of.

      Frankly, if I were your manager and you took that attitude toward your customers on a daily basis, I'd fire you.

      IT departments don't make a company money. They either help them make more money by increasing productivity, or they help prevent them from losing money by protecting their information-related assets. If you are doing neither, you don't belong there.

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    5. Re:Do power users abuse their IT knowledge? by linuxrocks123 · · Score: 4, Interesting

      There's no reason you can't actually talk HTTP. See http://www.sensepost.com/research/reDuh/ for one of many examples on how to do this. And, once you have an arbitrary TCP connection, there's no reason you can't perform a public key exchange for SSH as usual, defeating your proxy's man-in-the-middle attack.

      Nice try, man, but you'll never be clever enough to accomplish what you intend.

      ---linuxrocks123

      --
      vi ~/.emacs # I'm probably going to Hell for this.
    6. Re:Do power users abuse their IT knowledge? by Anonymous Coward · · Score: 5, Insightful

      Ummm... IANAL, but even I know that's not a real charge. If you threatened him with that, you guys are probably in the wrong...you know... "hostile work environment" and all those little things. You could have gone after him for unauthorized access... but you'd be hard pressed to claim it was unauthorized access to his home network. And given that he was an employee, you'd be pretty hard pressed to argue he exceeded access on his own desktop or your network. At best, you've got evidence that he used a data processing system in a manner violating policy--and you've already admitted it wasn't malicious and did no damage. Assuming you're using the computer fraud & abuse act--you've already eliminated most of the necessary criteria... which makes anyone accusing him under it guilty of... oh--filing a false report, and possibly perjury depending on how far you take it! Not that you'd ever be prosecuted as that's one of the most abused laws in the country.

      While there are states where access in violation of policy *has* been held as unauthorized access, to my knowledge there's really only been one conviction of that so far--and last I'd checked in, it was about due to be thrown out on appeal. Quite simply--you can't open the door of your house to somebody, and then accuse them of trespass when they wander off the yellow brick road you defined in a convoluted fashion.

      I don't blame you for looking for that type of traffic--it's a good way to hide botnet. But going after somebody for trying to listen to music... and using that as the excuse to fire him--that's just cowardly and dishonorable. Your users deserve someone more professional than that, even if they themselves are not the most professional based upon their actions.

  6. IT Pros don't make policy. by lukas84 · · Score: 5, Insightful

    Policy is made by management. I don't care if you watch gay furry porn for all the three hours you spend in the Office.

    I do care about the security of the network - so if you plug your private Laptop into the Office LAN, you won't get any connection because your machine won't authenticate. But i'll know exactly that you did so. And i'll call you out for it.

    In all the places i've worked, WebSense etc. only worked in the VLANs for the office workers. All IT networks (as did the Exec's networks) had unrestricted internet access (they still went through a malware filtering proxy, but not content filtering). This might be different in larger organizations.

    In the place i work right now, we only have a malware filter. No content filtering at all. I think it's pointless. If someone does not do his job properly, fire him. If someone does his job properly, but uses 10 minutes a day for masturbating to gay furry porn, he's still more productive than someone who takes a 10 minute smoke break every 20 minutes.

  7. Digg? by Akira+Kogami · · Score: 4, Funny

    Digg has tech news? I thought it was all libertarianism and marijuana.

  8. IT Pros - Never! by Anonymous Coward · · Score: 5, Funny

    IT professionals would never abuse the position of responsibility with which they are entrusted. They would never use their positions to retaliate against the unthinking, uncaring, ungrateful wretches that make their lives a living, seething hell each and every day those worthless pieces of crap continue to suck air.

  9. I blame the boss. by wheelema · · Score: 5, Insightful

    In my experience most draconian restrictions are imposed by Management. The technical staff is simply more empowered to work around them or ignore them.

  10. OpenVPN-over-UDP-over-IP-over-DNS by xororand · · Score: 4, Informative

    Do you allow DNS on your network? OpenVPN-over-UDP-over-IP-over-DNS isn't lightning fast but it does the job most of the time. It's a neat way to (ab)use commercial WiFi hotspots too. You can't stop a determined power user except maybe with a whitelist of a small set of whitelisted remote hosts.

  11. Re:Answer by Asmor · · Score: 5, Insightful

    You work at a college and block certain "websites and services?" From the context I'm guessing it's more than simply blocking known phishing sites and the like...

    If you are censoring the internet for the students of your college, then frankly I find that abhorrent. It's one thing for a company to filter the internet for their employees at work, but it's completely another to do it to students who-- besides being in an environment which should encourage exploration and allow for the making of mistakes-- may very likely live there and only have access to the internet through the school. As a college IT department, for all internets and purposes you're an ISP and with respect to student internet access you should be held to the same standards of openness and neutrality to which Comcast, Verizon and their likes are.

  12. thats business by DaveGod · · Score: 4, Informative

    In my experience the IT dept generally has rules for other people and rules for themselves. They "know what they are doing" while everybody else "can't be trusted". Their login for general usage is full administrator and bypasses websense, while I am barred from sites "listed as general business" (only sites pre-approved by IT are allowed, which they make very clear they do not do because they don't want people asking them all the time). Our email attachment limits are 2mb ("it takes up space on the server") and FTP is outright barred - even though one time it was the only way for a client to send me files IT wouldn't do it, so I went home and put it onto a USB stick.

    They install whatever they like, including such productivity tools as BBC news sports tickers. Despite pretty much being able to do everything on their work-paid cell phone, not having to multi-task or whatever they have brand-new machines. When another member of staff requires a new PC, they get an IT staff's PC and IT get a new PC. Despite the general staff doing work where screen real estate is highly productive, their monitors are 15" and 17" while IT and managers have 19" (although they were quite savvy and gave the partners 21"; monitors are the new bigger desk and chair). In my job where we do quite a lot of printing, speed and quality are important, IT also have the best printer - yet it took a week for them to notice when I unplugged it one Friday night.

    IT is all about convenience for IT. All our productivity stuff, which at any given moment 99% of staff is running at any given moment, is quite server intensive. They're all on the same server, while low-intensity stuff rarely used has three idle servers all to itself. I spend a significant portion of my time waiting for the server to respond. It's quite embarrassing when a client turns up asking for a simple copy of a report in a hurry and it takes me 10 minutes, they think I must have forgotten so they ask reception to call up and remind me they're late for their meeting. I pointed out once that the servers could be rebalanced to distribute the load but was told "that would be too much hassle".

    All the procedures are laughable. Despite almost completely phasing paper filing out, all staff's basic logins can delete data files and all the backups are kept on a shelf on site. I could obliterate the lot in one minute of madness (probably induced by dealing with IT). It would take me longer to copy it all to a couple of USB sticks, but nobody would notice until they got the blackmail letters or it was on the news.

    But let's not get all confused and think I'm bashing IT here. I can say pretty much the same thing about every single department. Like how the time it takes me to obtain new propellant pencil leads costs the firm 16x the price of the leads. If I kept one carton for work then stole the rest of the box it would be cheaper for the firm than following procedure.

    As regards other managers, few have the slightest clue about IT. Those that do just work it to their advantage - they get preferential treatment so it makes them look good.

    1. Re:thats business by ModernGeek · · Score: 5, Funny

      So on a scale of 1 to 10, how would you rate your satisfaction with your IT Department? 1 being extremely satisfied, 10 being extraordinarily satisfied.

      --
      Sig: I stole this sig.
    2. Re:thats business by spire3661 · · Score: 5, Insightful

      And management gets fancy catered lunches, and warehouse gets free shipping, Marketing gets free swag, Sales gets to wine and dine people on the company credit card, etc so on and so forth

      --
      Good-bye