IT Pros Can't Resist Peeking At Privileged Info
Orome1 writes "IT security staff will be some of the most informed people at the office Christmas party this year. A full 26 per cent of them admit to using their privileged log in rights to look at confidential information they should not have had access to in the first place. It has proved just too tempting, and maybe just human nature, for them to rifle through redundancy lists, payroll information and other sensitive data including, for example, other people's Christmas bonus details."
It's not limited only to your company - this means employees in other services can snoop all they want too. This is why you should never trust cloud services. Hell, even Google employees are secretly snooping your personal emails, XMPP chat logs, Google Voice calls and search queries. And yet even most Slashdotters think it's perfectly fine to trust everything you have with Google - your search queries, your personal emails, your calls, your contacts, your social network, what you watch on YouTube, what you listen to, where you walk and go (Android) and everything else. Screw the law enforcement requests for info, they can't even keep their own personnel from snooping your personal stuff.
It's why I will never trust my personal files on the likes of Dropbox and other backup services. People misuse their privileges whenever they can, that's human nature.
Oh come on, let he who hasn't gotten a massive data rager throw the first stone. So you're telling me that when you're doing a database dump of all your employee's payroll data and you see those beautiful digits paired with a sensual home address and foxy expiration date that you don't pitch a tent right there on the spot? I'm man enough to admit that I've had to walk around cubeland holding a notebook in front of me after taking a selfish glance at a naughty excel spreadsheet filled with transaction after hawt transaction of coffee mugs and pens. As if you've never had to spend your lunch break firing off a few knuckle children in the handi stall of the men's room when you stumbled across every customer's wishlist of your office supply products! Someone actually got to see everyone's Christmas bonus details? Pass the Kleenexes!
The United States' cultural suppression of natural and healthy sexuality just makes me ill sometimes.
My work here is dung.
I've never looked at confidential information. I'm not sure which IT pros you surveyed, but they must have a lot of time on their hands. Maybe they should find something more constructive to do with their time.
I find that hard to believe. I would have put it well above 50. Years back I ran an MDaemon mail server and let users have the IM client. Was pretty interesting reading, to say the least.
As a consultant who works for a managed service provider, this tells me one thing. If you're snooping around other people's crap, firstly, you're a punk. Second, you have too much time on your hands. Even if you stumble upon data you shouldn't be aware of, it's best to not make it a priority to remember it. And if by chance you have a photographic memory, don't say shit about it to anyone. It's none of your damn business really! You're supposed to be a professional in the industry. Act the part please.
Life is not for the lazy.
If your IT/Security staff can rifle through your sensitive data, you're doing it wrong.
I have no ability to access the data in our HR or Financial systems. Only the HR and Financial folks do. *MAYBE* the DBAs could look at that data, but even if so they'd have to sift through the raw data or come up with their own queries. And I'm pretty sure a lot of that information is encrypted.
Nothing to see here
I recall reading an article that said that all of Facebook's (then) hundreds of programmers all have full access to the live system data. Especially on top of the announcement that they want to double their employees in the next year or whatever, it sort of makes it hopeless to expect any sort of privacy there if anyone actually gets interested in you.
G.
They see you when you're sleeping...they know when you've been bad or good...and when you've been sleeping around...and with whom.
I find a common problem with companies that have large IT departments is that too many users in those departments have "admin" level rights, which increases temptation and curiosity exponentially. Tighter controls on who needs elevated privileges and specifically where those privileges are needed are a way to help minimize exposure of sensitive data. On the other end of the problem, education is also helpful because most people who would go peeking likely don't understand the ramifications of that action should it be discovered. Have I ever done it as a professional? No. I'll admit, it was very tempting in a past firm since I had access to everything and I knew there were layoffs, salary changes and such going on. Curiosity does not get the better of me though when it means crossing ethical lines, and even if that were not true, I was well aware of the legal fallout that could happen were I to be aware of that information. The same could not be said though for other IT employees with the same access. In this situation, the access we had was certainly not necessary.
don't forget there are IT guys outside the corporate world:
http://xkcd.com/898/
It seems like the majority of the people could actually be trusted. So the solution to a problem like this is to restrict the access of the other 26%, reassign them, or fire them. (That's not precisely what the survey in TFA said about the percentages, but the point is still the same.)
I have to admit I've looked and have often regretted it lol
If you don't need access to the information, you shouldn't have it. If you have access to the information and don't have business need to look at it, you look at it until you have business need. If you can't handle this, you should be fired and perhaps prosecuted depending on how you used the information.
All our salary data is public knowledge anyway:
http://www.tbs-sct.gc.ca/pubs_pol/hrpubs/coll_agre/pa/pa08-eng.asp
50% Informative
30% Overrated
20% Funny
Where a joke post about masturbating to scads of personal data results in your peers moderating you "informative."
My work here is dung.
However, what they don't count on is that the hapless H-1b IT guy is actually part of a tight-knit ethnic network that, back in the old country, can use that information in, oh, let's just say "jurisdictional arbitrage".
Seastead this.
Geeks are scum
Harsh but a fair point. It's true because geeks are people and people often behave like scum.
In the first maybe two months of my IT career I did just a little bit of poking around. From what I found, people are either way too boring or disgusting. 6 years later and have never done it again, except when requested to by a manager.
It's one thing to peek, which is bad...
It's quite another to share it, through gossip, careless revelation or horrors passing on to nefarious individuals with criminal intent in their black hearts.
A feeling of having made the same mistake before: Deja Foobar
Lieberman Software, a security and identification software vendor.
Yeah. Sounds like a completely scientific report with no bias to me.
I've never had the interest + time to go snooping. But early in my career I used my "privileged" position as the company PC tech, to look at a document that one of the executive admin assistants had neglected to put away when I came to install some software on her computer. As I swapped disks my eyes wandered and I saw this list of people, all of whom had recently been laid off, except for a few names at the bottom that had a line through them. Mine was one of those. I started looking for a new job at that point.
http://alternatives.rzero.com/
I work in healthcare IT, and my mother was an X-Ray tech for years, until about 15 years ago.
Even back when she was in the hospital, she saw people getting slapped and fired for it. Whenever someone famous came in, Princess Di was one of the big ones that I heard of, someone would go look up that person's info who shouldn't have, and of course, for famous people they would audit, and people got caught.
Now? Now you get flagged for all manner of things (I don't know exactly what, but it is well known that it includes looking up family members or people living on your own street etc) and it's automatic. We have training on "Ethical Standards" every year, which talks about all of these records access issues. Still... I hear the single most common reason for anyone at the hospital getting fired is.... you guessed it.... inappropriate records access.
Here in MA they have the "CORI" system for doing criminal records checks. You are supposed to need consent to search it for someone's info...unless you are a police officer doing his job or that sort of thing. Some auditing was done a while back and they found absolutely RAMPANT abuse. Police looking up their neighbors, looking up spouses, ex-girlfriends etc. (this was several years back... no idea if anything came of it...can't find any articles on it anymore)
The problem is a very human one.
"I opened my eyes, and everything went dark again"
..gets a lot easier if you DON'T care about people's little problems and annoying secrets at all.
The people "peeking" at info are by definition Not Professional.
I like music
"There's a whole bunch of trust involved. There's a lot of data inside Google, and I'm willing to bet some of it is really valuable. But for me and the people I worked with, it was never worth looking at."
People joke with me that I must be reading their email. I tell them I have enough trouble keeping up with my own email, and besides that, we NEVER read user's mail unless it's specifically necessary to troubleshoot something relating to their account.
What the hell is with Slashdot lately? Did the sysadmin for FSDN piss in everyone's coffee, and that's why the editors have such a hardon for anti-IT-worker stories?
Please help metamoderate.
It is tempting to know what others in my company make, but it's just not worth the risk of getting caught & losing a good job.
and they lie on surveys and in interviews!
Seriously though - I've got plenty of chances. I could get so much information from some places that I could likely walk into a very comfortable position elsewhere, but I have no want to. This company treats me well, they gave me a job when no one else would, and I'm happy here.
- http://www.milkme.co.uk
Just follow management's leadership, as in many other things.
If you work for a place where morals and ethics are #1 above all else, then follow their lead.
If you work for a place where the almighty dollar is #1 and morals and ethics are for suckers and fools (most corporations), then follow their lead.
Whatever you do, don't get caught doing something you'd not want to be on the evening news.
Note that it's a lot like having a police scanner or listening to mobile phone calls, or intercept pocsag digital pagers. Sounds technologically fascinating. It, in fact, IS technologically fascinating. Then you get the ability to do so, and it is boring beyond belief. Gossip monger types are always going to be gossip monger types and the addition or removal of technology will not change them. "Golly, person A is having an affair with person B, using some high tech pager or whatever". Ditto the non gossip monger types are not going to be very interested, beyond the interesting nature of the new technology itself. "Golly, this 8 bit A/D decoder sure works a heck of a lot better on noisy signals than a 1-bit data slicer for pocsag decoding, look at the borderline SNR on this page about some dork's affair or whatever."
I worked at a place decades ago where part of the job was to monitor old fashioned PCM T1 analog phone lines on occasion. Signed lots of secrecy papers to do it. Sounded cool, before I had to do it. It was boring as hell, trust me. I kind of miss listening for slips and echo can malfunctions in this VOIP era. Another funny one was listening for ulaw vs alaw encoding malfunctions on international ckts. And verbal fighting with vendors who couldn't understand the 80 different type of E+M signalling. Good times, I guess, but not from listening to boring phone calls.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
You have no choice but to trust us. We have admin rights which means we have more power than you do.
Why do we have more power? Because you will screw things up badly as you know nothing about computers, servers, or networks.
If you paid us what we were worth, you would be able to hire more trustworthy people, you get what you pay for.
Do not look at laser with remaining good eye.
I'm pretty sure a lot of that information is encrypted.
Given the popularity of identity-based encryption, it is possible that IT staff have access to data that was encrypted, since they probably control the key generation service. Where I am now, secret keys are issued by IT staff and we do not even use IBE. It is unfortunate, but for most people setting up, maintaining, and using decentralized cryptosystems is beyond what they are technically capable of or willing to do.
Palm trees and 8
I don't have time to read my own damn e-mail let alone yours.
I tried to avoid looking at that kind of information when I had that kind of access. Firstly, I was usually too busy. I had plenty of authorized work to deal with, and if I had free time I had plenty of personal projects that didn't involve digging through the data. Second, it usually wasn't worth it. I've had to do plenty of company-ordered digging through people's accounts, and the interesting stuff just isn't worth digging through the weapons-grade "I did not need to know that..." material. And thirdly, it again wasn't worth it. I don't like to lie to conceal what I know, and for every useful item that directly affected me there were dozens of things that either weren't useful (I already knew my manager made twice what I did, knowing he makes exactly 2.13x as much... pfffft) or didn't affect me. It was easier overall if I honestly didn't know those things in the first place.
The dirty little secret is that most of the time everyone knows who's doing the unauthorized snooping. But management won't order an investigation because they're under the delusion that what they don't officially know about can't hurt the company. And besides the inevitable need to bleach their brains afterwards, all the front-line admins know that if they go initiating an investigation management will come down on them if they find anything. Even if the investigation was fully justified. Whatever it is needs to be pretty major to be worth the drama, angst and pain that'll result. And I don't see management's attitudes changing any time soon.
I'm not saying that what you say is impossible, but it is not very feasible unless you have a very special setup which few companies actually have. In most cases, someone ultimately has the keys to the kingdom. The best most can do is restrict this to as few as possible.
Encrypted DB's won't stop a DBA. The reason is that if you fire an employee, someone has to revoke keys and assign new ones. Someone with the authority to revoke and assign keys can view anything they want, anytime they want.
The only method that is possible is where 2 or more people are needed to use their key to access the information. If you have 3 security IT people, you need to create a situation where at least 2 are needed to unlock something.
And let's not overlook the fact that such systems are not usually set up and audited by a 3rd party.
It's not that they are doing it wrong, it's that without a 3rd party setting up the system you can't have that kind of security at all. The best setup would even require that a 3rd party become the key authority, yet have no direct access to company data whatsoever, and only hand over keys directly to the personnel they are assigned to.
Still, does this stop a determined administrator who disables AV and installs a key logger on a workstation? No. Granted, that's probably criminal, and at least the 3rd party + dual key authentication system stops casual data breaches.
Most businesses don't have a budget for such things. They take the view, and I'm inclined to agree, that if you don't trust staff who have high level access, you shouldn't have hired them in the first place. As someone who people bring in personal laptops in to fix on occasion, most users are aware that I can see everything on their machine. It's not that I can look that worries them, but that I'll keep my mouth shut if I do happen to see something. I was told in no uncertain terms recently, that a laptop was brimming with porn. But, they trusted that I would not be sending out a company memo entitled, "Looky what I found on X's laptop!"
Businesses often feel the same way. Casual breaches do happen as part of authorized work. For instance, if a payroll file becomes corrupted, I'd have to look at the file. They just want you to shut up about what you see and/or forget what you saw. That's what they mean by trusted. Like any trusted friend, it's not about what secrets you know, but what secrets you can be relied upon to keep.
I8-D
That's why I think nuclear armageddon won't be started by heads of state and their military advisors, but by some disrespected IT guy who constantly has to reset the passwords to the launch codes.
This space intentionally left blank.
Lieberman Software is in the business of selling IT security products. Is it really that hard to believe that they've sufficient incentive to "creatively restate" the parameters of their testing in order to sell more product? Bias matters, and that study is not unbiased.
...and since the one written down was now "compromised", I then made up another password and changed it in the system again. I was unamused to find out later that someone was doing this as a "survey".
Net-security.org, for their part, are only inflaming matters further by restating things in an even more inflammatory manner.
Basically, you need to ask something that this article neglects to question: Did 26% of the respondents merely say they were aware of other employees *using* the shared passwords, or did it specifically detail abuse of a shared password to gain unauthorized access to information that ethically-speaking, they shouldn't be going anywhere near. Both of those cases are considered felonies, by the way. It's very easy for someone to argue that *any* shared password use is an "abuse" and that any information access from that point is "illicit"--but without knowing specifically what question was asked, these "results" are more likely just a distortion of fact in order to sell products and services.
I am personally aware of shared passwords in many organizations. I am also occasionally privy to information I shouldn't be--specifically, people's emails. The key difference being, I *don't want to know*. I, and thousands of admins like me, wind up seeing your boring little emails while trying to figure out why they didn't arrive in your inbox already. Over time, we develop the ability to be self-redacting and immediately forget what was just on our screens--because not being able to do that means being burdened with other people's secrets that you'd feel better not knowing. This is a far, far cry from the sort of "abuse" this report pretends to show, but vendors loooove to construe one as the other in order to sell service contracts.
Frankly, this doesn't sound any more realistic than the old one about employees giving up their passwords for a candy bar. What you don't get told about those is that the employees are usually being told they have to give their password up to their immediate supervisor, and not being given any guidance as to why they're being directly ordered to violate company policy. In most offices, people who ignore direct orders being given by a live person over something written on a policy paper tend to suffer bouts of sudden and chronic unemployment--so... plenty of reason to "violate policy" there, normally "secure" employees are going to capitulate for that kind of request. Then the people doing the "analysis" stand around later and say "oh my gosh people give up their passwords for no reason!". I've personally been given such a request in the past, and frankly since I was being directly instructed to do so, I turned over a hand-written copy of my password on the form provided...or at least, what my password was at that specific moment in time. Since I'm a twisted bastard I made up a new password just for them, set it in the system and then filled in the blank.
Don't be a gullible noob. Trust no "survey" coming from a vendor selling a related product unless you are being shown the exact details of the survey--because they're going to lie about it. Of that you can be sure.
"IT security staff will NOT be some of the most informed people at the office Christmas party this year. A full 74 per cent of them admit to NOT using their privileged log in rights to look at confidential information they should not have had access to in the first place. It has NOT proved just too tempting, and maybe just human nature, for them to rifle through redundancy lists, payroll information and other sensitive data including, for example, other people's Christmas bonus details."
Seriously, I bet the numbers are in line with other areas of a business with access to information they may or may not need.
Keep the Classic Slashdot.
The most informed peeps in any office are the secretaries. Namely, the old timers who have been with the company forever. There's at least one in every group of any significant size. The underpaid underling that no one pays attention to except when they have a clerical need. They always know EVERYTHING about an organization.
IT may be a close second, although I, myself, refuse to abuse my authority/position.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Years - decades - ago, I looked at the mail file of a woman in my group whose husband had been in the group, but transferred out. She was getting really chummy with another guy in the group and I found incriminating messages. I showed them to her husband, who was a buddy of mine, and it led to their divorce. I'm sure they would have divorced, anyway - she was hardly keeping things secret - but with what he learned from me, the process went very smoothly, from his standpoint. I'm not proud of violating ethics and it wasn't any fun at all to tell him, but I think I'd do it again, under the same circumstances.
Beyond that, I never really found it worth the risk. Companies got more sophisticated about tracking who looks at what, and then lots of it was just not interesting anyway.
Now if only the media would select news stories so as to encourage good behaviour, instead of encouraging notoriety.
The switchboard was listening in to calls 100 years ago. The mail room was looking at letters 150 years ago. Heck, I'm sure the equivalent was going on in ancient Sumer (sneaking a peek in those sealed clay tablets). "The help" is always going to eavesdrop. Not all of them, not all the time, but it happens.
It is not ethical that things like compensation for labor should be secret. That practice perpetuates unjustifiable inequalities. The only thing unethical about accessing such information is your breach of prior agreement to perpetuate that unethical situation. While that _is_ subjectively unethical, accessing such information is not objectively unethical. There is a concept of "Open Books" management wherein not only is such information freely available to all employees, their frequent viewing of it is encouraged.
I used to work in a business admin office where as a necessary component of everyone's jobs, we had to deal with salary information, yet there was a running joke that the fastest way to ensure your termination was to walk into the hallway and holler your salary -- even though every last person in the room would have known it already. That really put the absurdity of this secrecy practice into crystal clarity.
I bet those who deny it are just afraid they'll get into trouble. I've certainly peered at the salaries and bonus info, along with a few other things. But I keep it to myself. I certainly don't have any actual use for the information other than just my own personal curiosity. One time I learned that a lady was about to be fired. Then later that day I had to sit right next to her at the Christmas party. She was talking about how she'd just finished her Christmas shopping and I remember thinking, "Good thing too, because you'll be out of a job at the end of the day." Unfortunately, I couldn't say anything to her at all about it.
I also find it fascinating to read the personal emails that go around. There are cliques of people that hate other cliques of people and talk about other people behind their backs through email. It is a fascinating web of lies and two-facedness. As I walk through the aisles of cubicles I know who hates who, who is in love with who, and people who think others like them when in reality others hate them. Of course, I treat them all neutrally and pretend not to know anything. Obviously if I ever mentioned anything I'd blow my cover. It is really fascinating like a social experiment. In many ways it is like having a super-power like reading minds or something.
I figure it is normal for I.T. people to see that information and I would suspect the people who run the company know it. The difference is the IT person must be trustworthy of that information. If an I.T. person were to use it for blackmail, or start spreading that info around to other staff, or insider trading, or a whole list of nefarious uses.... THAT is where the line is crossed. I think knowledge of the data in and of itself is harmless as long as the person is trustworthy.
In a lot of companies, IT knows who's getting fired before they do (to cut off account access). It kind of sucks especially if you see them on the walk of shame.
In my personal experience, people in IT Depts. are the least ethical in a corporate environment. My (minor) horror story was that I was working for a small family-owned company, and once made the mistake of buying something off the Web, using my credit card. A few months later, checking my credit card statements in more detail, I noticed monthly recurring charges that were not mine. Although I was able to get the credit card company to reverse these fraudulent charges, the only way that my credit card info could have been "captured" was by the (sole) IT employee at this company. "Power corrupts...", as they say, and I know this is true for the IT Dept. I think it would be better to have corporations outsource their IT functions overseas. Someone in India isn't going to care that you surf for porn during lunch, or steal your credit card info. Sorry, but if you can't get people to do the right thing (it's called "character", and it's what you do when there is no one watching you), and you can't or refuse to take steps to monitor them, then outsourcing to a country far far away is really the only possible option. Very sad. John V. Karavitis
You know what is more interesting than knowing how much someone makes? Finding that the hot blonde down the hall was the 2nd act in "Sexy Book Worms 19"
4 years ago....
A true gentleman would escort a lady to the ball along with her chaperone. His slave would drive the carriage.
Monitoring the use of some systems is required to ensure the end user is abiding by the Acceptable Use Policy. Examples I can think of right off the top of my head:
* Keeping personal use of company resources to a minimum
* Not being used for fraud or embezzlement
* Not being used for illegal or illicit activities
* Evaluating and scanning for security threats and vulnerabilities
You are bound to stumble upon some sensitive information in the performance of some of these duties. There are probably plenty more examples. Anyone else want to chime in here?
-- Stu
/. ID under 2,000. I feel old now.
...clearly underestimates how tediously boring people and their "secrets" actually are.
Please do not read this sig. Thank you.
From the article: "Philip Lieberman, President and Chief Executive Officer of Lieberman Software said: 'Our survey shows that senior management at some of the largest organisations are still not taking the management of privileged access to their most sensitive information seriously. [... blah blah blah ...] These organisations have to learn from the example of their peers who have taken this situation seriously and introduced Privileged Identity Management software to add a layer of automated security that dishonest staff cannot bypass.'"
From Lieberman Software's website (http://www.liebsoft.com/Products/): "Lieberman Software's privileged identity management and security management products help large organizations mitigate complex IT security, reporting and auditing operations."
Think there might be an ulterior motive here? Maybe we should ask how the survey was worded. Or how many different surveys they had to run before they got the results they wanted.
Why obtain knowledge that when used will only cause grief/harm, if not to you then others?
What good does knowing someone else's salary (where I work) do me?
What do I gain from looking at the X-rays of some famous celebrity? Gossip/bragging rights? How utterly empty is that as a reason?
Working at a small company where *everyone* had super user access rights really taught me a lot about privacy and what we should/shouldn't do because anything that I could look at, others could too. And who did? Nobody. It just wasn't interesting compared to what we did (work.) There were always other, more interesting things, to think about or look into.
I can resist because, quite frankly, I like being employed.
On top of getting fired, good luck getting another IT slot ever again if you're caught.
What do I know, I'm just an idiot, right?
Fucking amateurs
Seriously. You do NOT DO THAT. How hard is this to understand?
What company allows open access to payroll data, even to IT? I know I don't want to work there...
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
Years ago when our company first implemented our anti-spam software, we weren't 100% sure how good it would work, so everything that was marked as spam was re-routed to a special email account instead of being deleted. It was my job to weed through 25-30k a day of emails that had been marked as spam to find which ones had been incorrectly marked as spam, and then to route them on to the correct person.
I can't tell you how much that job sucked.
I found out SOOOOOO many things about my fellow employees that I did NOT want to know. It's hard to walk by straitlaced Bob in the office and know that he is having an affair with a lady in accounting and not say something about it. Or that Sue, (who looks and acts like a librarian), is into some seriously hard core sex games. There was sooooo much more crap like that that I asked my boss if he could hire a temp to do it because I got tired of looking at it.
There were many emails that I never forwarded on to the intended recipient because I didn't want them to know that someone in IS had read their email. I just deleted it and moved on.
I can't tell you how many times I've told people that you shouldn't put anything in your corporate email messages that you wouldn't go down and post on the bulletin board in the cafeteria. Email is only a little more private than that.
Joe
P.S. The one good thing about doing that was that I got TONS of good jokes, spoofs, etc because they all seemed to get marked as spam. I forwarded all of those to my special gmail account :-)
As an IT professional for over 30 years, I've had access to all manner of confidential information. I'm proud to say I have never abused that access. My job is to ensure the data is accessible yet properly secured. Beyond that I'm disinterested in the value stored in any data field. I consider this a matter of professionalism. Those IT workers who abuse their access to sensitive information demonstrate an appalling lack of professionalism and should find another line of work - voluntarily or otherwise.
Information naturally wants to be freed.
I've done two things that are a bit sketchy: 1) I went through a co-worker's email after he had quit. Although I didn't have explicit permission to do so, it was vital to obtain information to keep the business going. I came across his resignation email. It was a beaut. And so very cathartic. (We had the same manager.) 2) I have altered payroll. Now this might seem like I'm shooting myself in the foot here. But considering that they were paying minimum wage to the 'grunt' employees, firing them every two weeks on a project by project basis, not paying them their full hours worked, and extending their lunch and breaks by 12 minutes each instance (every minute counts) each break, I think I'm safe. This was a systemic problem. I would try to minimize the company's theft from their employees whenever possible. I looked at it as minimizing the company's culpability. The above mentioned manager would spend so much time altering these timesheets that his hourly wage times time doing so was often more than the total payroll savings. (All so that he could get a $20 to $50 bonus each month.)
For me personally, I would NEVER look at data, files, confidential memos, email, etc. even if I can. It may sound old-fashioned but then I really don't care what others think. All it takes is one single instance of you breaking the trust and you risk being black-balled not only by your employer but in IT in general. While employers would probably never say, outright, that a former employee did something specific (unless they fired them under formal terms with full documentation) anyone who is employed knows full well there are other ways for former employers/colleagues to disclose to other prospective employers exactly how a person works. HR people have told me as much. If you never need references and no prospective employer asks for one (doubtful) then I guess you could get away with being dishonest and untrustworthy but to what end?
It's simply not worth it even if you can. I cannot work like that nor would I-----that's not how I was raised. I am loyal to every employer I ever work for and even when I leave for new jobs I never disclose anything sensitive or even company-specific except as they relate to job skills and such. After all, they gave you a job and the least any of us can do is not break that trust. The bottom line: you weren't hired to snoop, you were hired to manage and to protect the company resources so why not just do your job and stop worrying about what others get paid or who is getting fired and such...otherwise, you might read your name on one of those confidential documents one day and won't like what you see....
I consider it a matter of personal professional pride that I have never gone snooping, aside from the occasional accidental "Firing of So and So for Making Sexual Advances at So and so.doc" file name.
Especially at my last job where I had access to all financials, exchange boxes, etc.
Here I manage the Document Management System, and even though I have all the keys, and can even avoid the audit trail of the app, I still don't.
Some of it is the 'don't care' aspect of it as well. Because I have (had) total access, it makes it less alluring.
Karma: Can only be portioned out by the Cosmos.
"the only way that my credit card info could have been "captured" was by the (sole) IT employee at this company."
Yeah, there's no way it was because somebody installed some new pretty mouse pointers on your machine that you have to have admin access to for "important business related functions".
"I think it would be better to have corporations outsource their IT functions overseas."
You just going to throw out your systems whenever they go out of warranty and have a remotely complicated hardware problem?
"Someone in India isn't going to care that you surf for porn during lunch, or steal your credit card info."
Yeah, because Visa totally doesn't work for people in India. Good luck the next time your card gets compromised and used to buy a bunch of expensive shoes off Amazon and get them shipped to a foreign country.
I think you have a very blinkered, and quite probably completely false, opinion based on a single example/incident. The chances of someone in IT *bothering* to monitor your credit card like that are virtually zero anyway (that's what SSL is for, you know) and I've known dozens of people who SWEAR there's no way anyone could have got their info that have been charged fraudulently. Anyone with brain enough to intercept your card number in any way (whether by scraping it en-route via an intermediate SSL certificate, or giving history from your computer) wouldn't be stupid enough to put monthly recurring charges on it, or in such a way that your first suspicion is them.
In general, I think IT is one of the most reputable of all the self-governed industries out there. Stories of rogue admins make the news, for heaven's sake, whereas stories of rogue police officers, nurses, etc. looking up people's data are too common to even be news any more. It's hardly ever the admin themselves (and the only example that comes to mind is the guy who held a city IT department to ransom by changing all the switch and server passwords as protest against new IT arrangements - hardly a genius).
And outsourcing doesn't save you. Your credit card is actually more likely to be scammed - for a start, the reason most companies outsource is because the average wage in those places is significantly less than here and they probably care *more* about your porn browsing habits because in a lot of religious countries in the world it's completely illegal. They would have no incentive, morally, to protect you if you're into something that in their country/religion is completely abhorrent.
I have never known an IT admin (of any rank) do anything illicit with the information at their disposal. Since leaving uni I have controlled the IT for schools *exclusively* while I worked for them - and had full admin access on servers containing everything from payroll to contracts to letters (including resignation letters, disciplinary details etc.). Hell, even instant messaging logs between the head and their deputies. I know this data is there because I see the filenames zip past on backups and I'm occasionally asked to retrieve files from old archives.
It's not at all unusual to have children in schools who are part of witness protection programs, subject to child protection investigations (i.e. dad's beating them up or worse), etc. and the school *MUST* have stored documentation on that, kept for X amount of years, and nowadays that means electronic files.
I take my job extremely seriously and I've never even looked, wouldn't contemplate looking, and actually am surprised at just how much access can be obtained just by being seen as "skilled" in IT. Schools have repeatedly given me their top-level domain administrator passwords in the past, even their backup encryption passwords (those few that have them!), etc. and it's almost too easy to obtain complete permissions to an SQL Server backing any of their school management software. That's not an IT problem as such because they didn't HAVE IT guys (which is why I was brought in) but the IT guys I would hand off to upon leaving, I was trusting with that same class of information.
Hell, I refused to give passwords to a deputy headteacher (about three levels above my boss) once because he wanted to use them for himself and I FORCED him to get the data from the head (principal?) directly. He chased me for weeks after I'd left to get that password, and I never knew if he did get it because only myself and the head (his boss) had it at that point, for handover purposes, and I was leaving/left but he sure as hell didn't get it from me.
And I'm not exactly "in the system" - I was a self-employed, employed-on-word-of-mouth, IT guy not long out of uni, making a living by terminating the school's contract with their borough's IT department (who were universally worthless) and taking over their IT for a year to bring it up to spec so they could handover to *any* IT guy. U
I considered the whole thing subject to the same confidentiality restrictions as a doctor
And this is probably the sort of attitude we should be adopting. IT sort of has the back door keys to everything, since we are the people who write the code and maintain the servers.
On the flip side, one could also assume that the boss's secretary now has less access to this same privileged information, so the number of peeking eyes hasn't increased, but simply changed departments.
HA! I just wasted some of your bandwidth with a frivolous sig!
I know at least two people who have done this. Both were fired as soon as the event was found out.
And all companies that serve clients can't resist tracking every detail about their customers. I guess it's human nature. Personally though I don't care what other people do, but when I walk home I notice a bunch of people in my neighborhood peeking out of windows or standing on their porch and watching everyone else's every move. I don't understand the obsession.
I am in IT Security and I don't peek at anything. Why you ask? Because I just don't give a fuck what anyone else makes, or what the salary range is for some position, or what the CEO makes. They tell me where the important shit (important to them) is and I protect it. Morals are over-rated, they keep you from doing things that would otherwise get you way ahead of the competition, if you say you don't look because you have morals, honor or any other bible belt generated bullshit, what it really means is, you don't have the balls to do what you would like to in order to get ahead.
This might sound a little naive, but if I don't have any interaction with the people looking at my stuff, I don't care that much. Obviously the amount I care will slide depending on what the material is, but in general, I don't really care.
That said, if they look intentionally, they should be fired. There is no excuse, they are breaking a code of trust, and are obviously too immature to handle the position they are in.
Casca
... was combing through the new server-side SPAM filter to look for false positives and forward "legitimate" email to the rightful owners. I saw racist jokes sent between executives and their buddies, wives & girlfriends talking dirty and scheduling "play dates", job hunting employees, back-stabbing gossip and internal/external confidential information. Payroll information would have been the least of the issues...
to anything "interesting". Not to cow-orker salaries, or who's going to get fired, or anything like that. I do have access to some private info of people I don't know, and don't give a bleep about. Whatever I see, I forget as soon as I don't need it, simply because it's not even remotely interesting.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
Maybe because I worked in both hospitals and schools with laws and very strict confidentiality that I find this appalling! If anyone dared look up a record on a student or patient they would be fired right on the spot. They are HIPAA documents.
I guess once you are conditioned into what is normal and not you think differently but to me looking at someone's records is no different than showing up for work naked. You just do not do that. Fired and maybe arrested if someone else finds out about it. If you work in a publicly traded company you can open your employer to liabilities like insider trading and sexual harassment and other issues. If you worked under me I would fire you for doing this.
http://saveie6.com/
Management has access to this information as well and no one can complain.
Hey don't blame me, IANAB
I find it interesting that the "blurb" says that 26% "admit to" accessing privileged data, while the body of the article only says that 26% say they are aware that someone in their IT department has done so. Which is it? The first statement is a very different thing than the second.
From my own experience, the latter seems more likely -- I've been a sysadmin since I was in college, and I've run into a couple of people who would abuse their access, but like many of the people here are posting, most just didn't care to go looking around at other people's data on a regular basis. Thus, I'd be in that 26%, if it's merely "being aware that others do so".
The second statement is further muddied because it could involve surmises on the part of the reporter. If Admin A hears Admin B talking about a file they found in User C's folder, they may assume that Admin B abused their privileges... but it could be that Admin B saw the file in the legitimate course of their duties, or that User C put the file into a public folder, not realizing that the folder in question was public. In my experience, the last scenario there is depressingly common.
(Or it may be that someone else -- let's call them Admin D -- made the folder world readable. At my last job, our help desk managed to successfully argue that Systems was "too slow" in responding to requests to give people access to files. Part of that was because Systems actually bothered to check whether those people should have access, and tried to give the minimum amount of access needed. The help desk, on the other hand, was a firm believer in simply setting everything to "Everyone: Full Control". It didn't help that the metrics the help desk were evaluated on measured them by how fast the problem was resolved, ignoring correctness of the resolution.)
Thus, that 26% may be inflated by cases where the respondent simply assumed that improper use of a privileged account was involved, when what was really happening was poor security practices resulting in "confidential" data being accessible without use of a privileged account.
is this compulsion to pry into other peoples' business...I have access to a metric butt-load of private information yet I am not interested in the least in looking at it...
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
you are not an "IT Pro". Snooping around where you shouldn't be is totally unprofessional.
I personally have access to everything at work. For various reasons I have had to deal with large amounts of confidential information of every kind, I've even seen things like internal HR records on co-workers I know. Of course I have felt the temptation to look, but even though I know I would never get caught, I never have done it. This is not a difficult temptation to resist; there is right and wrong, and snooping is wrong. Anyone who can't resist peeking at privileged info should not be working in IT.
but i really don't care.
26% of IT Pros don't have enough work to keep them busy. In their spare time, they snoop confidential information. Fire half of that 26% and see what happens.
make imaginary.friends COUNT=100 VISIBLE=false
Yet more evidence that people in authority will abuse that authority.
That's why politicians and law-enforcement personnel should always be closely monitored.
26% of them warrants judging all IT staff? Good thing you're not in politics, we'd call you our dear leader numero 1, not to mention your minuscule sample.
You could also say that all white man 40 don't wear underwear, because I can confirm you that I don't
You never know what the IT guy is worth until you replace him. Preferably with someone new on the job.
And then you go and complain about schools, and ask for more H1B visa ;-)
It is also very hard for the IT guy to know what he is worth.
For the sales guy it is easy because he just adds up all money he has raked in. Probably he will even have a tendency to overestimate because he doesn't know at what cost the company is producing its goods and services.
A manager with access to financial data, knows when the company is doing well financially, and knows when his pay is tiny in comparison to the turnover of his department.
Both are obviously in a better position to negotiate, unless the IT guy analyzes the company's data, for which most IT guys neither have the time nor the desire.
75% didn't look at confidential data, and of the 25% who admitted to peeking, you don't know how much they strayed from their tasks.
Hey don't blame me, IANAB
Kudos to you for having an ounce of professionalism, but you are the exception by a long shot.
I believe this
You have never known an IT admin who will admit to snooping, but just reading through this thread you'll find plenty who think it's their god-given right as a sysadmin to snoop. And if you watch the news, every once in a while you'll hear about somebody getting busted for reading through hospital or police records that, although they had access to, they shouldn't be looking at. The thing is, when these stories break, it's never just one person, it's endemic throughout an entire department. And then, for some reason, people think that it's just that one department, or just that one company. Right.
People, in general, snoop, not the other way around.
<xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
One time I was working on someone's PC at a country club and there was a paper list tacked onto the wall next to the desk of all the deadbeats who still owed back money and wouldn't be allowed to attend any events or go golfing until they paid up. Printed on paper, plain as day. I didn't mean to look at it, but the computer was rebooting after a software upgrade and when a PC is merely rebooting my instinct is to glance at the BIOS and then let Windows do its thing. My eyes wandered and just happened to look at the list.
Occasionally living proof of the Ballmer peak.
Can't resist peeking into it. Kids into parents bedroom, neighbors into neighbors stuff, coworkers into other coworkers desks, boss into HR files, girl/boyfriend into your phone logs, wife/husband into your email, governments into anything they like, yada yada blah blah.
Vote monkeys into Congress. They are cheaper and more trustworthy.
study: http://www.liebsoft.com/Password_Security_Survey/
A full 26 per cent of them admit to using their privileged log in rights to look at confidential information they should not have had access to in the first place
This is first misquoted in the net-security.org
According to the paper:
26 percent of respondents are aware of an IT staff member abusing a privileged login to illicitly access sensitive information
26% are aware of somebody misusing their login credentials. For all we know every single person interviewed was talking about the very same person, which would put the % of IT staff members actually abusing their privileges around 0.000001%. If the survey was asking people "Have YOU abused your login credentials?" the response I'm sure would have been around 1-2% affirmative.
Even if you took them all at their word, only 300 people, 62% of which work for large (10,000+ employee) businesses, were interviewed. Since businesses with less than 500 employees employ 50% of the population, the pool is obviously skewed towards the big college/fortune500/Enron/Lehman Bros. style IT worker, not the local guys. And with the environment the way it is now, I'll just throw in the politicized jibe that really... is anybody surprised that the big businesses have a problem with ethics? I think there are some people protesting that kind of garbage right now in fact.
I worked at a company where I had access to everyone's e-mail. Of course I read the CEO's, the finance department's and so forth. I mean, they had a round of layoffs when I was there. You think I would willfully blind myself to if and when a layoff was coming, and if I would be getting the ax?
I'm a wage slave. You think I'm going to not read my boss's e-mail? You're out of your fucking mind.
After you find something illegal and report it to the FBI. You will be interrogated every which way and feel like a criminal yourself before it's done. Between that experience (at the behest of a concerned parent) and a brief glimpse into the world of amplovesyou, I am completely cured of any curiosity about others' secrets. Trust me, I don't want to know.
I manage/troubleshoot systems for two law offices, local and county guvs, half a dozen local small businesses and a dozen+ privates. They put their trust in me not because of what I say or type, but because of how I act and what I do. Without that trust I have nothing. The last thing I'm going to do is jeopardize my HONOR and welfare by sneaking peeks at your private data. Passé attitude, I know, but it works for me and I can sleep at night. Like a baby. Seriously.
Imagination drew in bold strokes, instantly serving hopes and fears, while knowledge advanced by slow increments...
1. This "study" is courtesy of the marketing department of an IT security vendor.
2. Even with the likely bogus numbers 74% don't peek.
3. There is a huge difference between peeking at data you are not supposed to see and legitimate coincidental viewing during the course of legitimate activities.
4. After 20 years I have never peeked, nor had any desire to do so. Furthermore, if I found anyone peeking, they would be dismissed or up on charges, depending on the circumstance.
5. After 20 years I have seen tons of personal and confidential data from salaries and financials to the resignation letter and resume in seemingly everyone's home directory. But, I have never ever made note or use of any of it, shared it, leveraged it or anything else. Yes, I saw it. No, I won't disclose or discuss it. Not even with the CEO, unless proper procedure is adhered to.
It's called professionalism.
I don't think so. It may be more like "don't want to resist". Getting additional information helps you in a lot of ways. It may be reasonable to look at it, and egoistic, but this does not mean that you are compelled to do it.
that's better than the general population would give.
I have been in the position to access payroll records of my company. I've never looked, never been tempted. I'm a professional. It is my *job* not to look at it.
It is also my job to report and correct that I suspect I could look at something if I wanted to, and make it impossible for me (or anyone) to see it unless they need to. I take great pleasure in pointing out to developers when they are trying to deploy something that would be visible to about a hundred different people who should not have access to it.
One of our systems has a great motd, something like:
"This system contains sensitive and critical information. Unauthorized access can result in termination.
1. Think before you type.
2. Don't look at anything that you don't need to."
Those should be a "professional"'s habits on any system, not just those that are heavily scrutinized.
The source of that quote, just happens to sell a solution to this horrible, dangerous threat. (scans article) Yup! Lieberman Software conveniently provides "Privileged Identity Management Solutions." But quis ipsos custodes custodiet? Who manages the privileged identity management solution manager? Or will they take that arduous task off the company's hands, too? Fscking charlatans.
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
When I was about 8 yrs old, I peeked inside a present under the tree. I was disappointed with that gift, but still had to act like I loved it on Xmas morning. I never looked inside any present again.
About 20 yrs later I was working as a sysadmin, dev, lead and had access to everything on the network at work. I saw salaries, bonuses, stock options, **everything**. I grabbed a copy of the spreadsheet summary with all this data inside and took it home to view at my leisure. I knew this was wrong.
As I looked through the salaries and stock option grants, I was encouraged. It appeared to me that the salaries and options were relatively fair. Only the sales guys seemed out of whack in their compensation. When most of the developers building the company's products got 10K options and the VP of sales had 300K, that didn't seem fair. OTOH, the sales guys were paid a minimal salary -- less than half what I earned -- but they got a piece of every sale they made, about $50K in commission. 1 sale each quarter and they'd have a nice living. Basically, if they didn't sell, they couldn't afford a house and after 2 quarters, they'd be fired. If they lasted, a company provided lease car was common.
Anyway, I was encouraged with the corporate management. They appeared to treat everyone fairly. Some of the guys on my team had 2x the stock options that I did - they deserved it, so I didn't have an issue. I worked hard there, but I think everyone did. We also had lots of fun.
Now I have completely unlimited access to everything at the company where I work. I'm part owner and CFO, so that makes complete sense. I hope we treat our employees as fairly. I know we have locked down access to sensitive materials better. I have a spreadsheet with all the salaries, options, bonuses for everyone summarized. I think we are fair. I hope we are fair.
Some companies ago I ran all the infrastructure and was paid less than the janitor. How I know? What I'll do if ever I get my hands on the brass? I'm not telling. But I will tell that the CFO instructed me to take the magic data file on the financial server and pop it off to the accounting package vendor (borged by micros~1) so they could have a look at it. Without encryption or anything. I balked and told him that would include all the accounting data in the company. As probably a gesture to me he got them to promise in email not to fool around; good luck with enforcing that. Heck, the CEO of that same outfit once told me outright he didn't care for "all that security crap". Well, maybe that's why we had so many laptops stolen. Oh well.
At least 26% of people don't do their job properly and should be fired. Pretty much irrespective of industry.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
For obvious reasons, posted as AC.
A few years back, I accepted a call center position. This position handled incoming credit card disputes. During training, while we were still familiarizing ourselves with the system (which, on a whole other topic, is a mish-mash of a terminal-based tool driven by a buggy, POS Windows GUI tool that constantly crashed or froze), we had a "training" login to use. While we were still in training and while others were being assisted, I had some free time and checked out my own credit card for shiggles (complete with the "notes" and all). Of course, I didn't want to get in any real trouble so I did not change anything, merely looked around. So, I'm one of a minority of consumers who have actually seen their credit card account from the inside. It's boring as hell too, unless you've had a lot of abnormal activity going on (possible fraud, shyster companies who are nonetheless operating within their own terms and conditions, etc).
This same call center company had some fairly scandalous problems (in collections, so different department) regarding collection agents and racism, so much so that the financial institution severed all ties with said call center (the scandal did not occur at the location I was employed, however).
Stories like this only justify the distrust HR has for us IT guys. It's disappointing, really, and I bet the numbers would be much higher than 26% if they were all honest.
I was with you on most of those right up until the last one. Admittedly they could all fall under the rubric of "right wing litmus tests", but really? I can understand committed vegetarians who object to animal butchery for human consumption, or for any other reason (though I find that hard to reconcile with the fact that our own immune systems slaughter millions of bacteria, not to mention our own cells, every day). But I really cannot think of a sane rationale proscribing ritually prepared food, other than xenophobia, in a country where eating meat is legal.
-- "Quis custodiet ipsos custodes?" -- Juvenal
The more you know the worse off you are - cause it keeps you thinking about other things than the things you should be doing.
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
Wander into an office nearly anywhere and you'll find a lot of people that don't have a clue what is and isn't accessible. They are not incompetent. They just don't care and typically don't need to care.
While I understand your point, I don't quite think you're right.
In my opinion there are two types of "good" salespeople. :-)
1. An annoying "good" salesperson, who will do everything and anything in order to sell you that final leftover piece of stock that they have. I've known a guy like that. Some people were making jokes about him that one of his customers died to get rid of him.
2. A properly good salesperson which actually manages to recognize what a specific customer requires and provides proper product/tool/solution to them.
This second version is usually more successful in the long run as customers will actually come back on their own when they need another thing to help them out.
I'm not a salesman. Never will be. But I do appreciate a skilled, well informed salesperson as I can make a good team with them. Without a salesperson I don't have anything to do and without me salespeople have nothing to sell.
And trust me: if it happens too often that a salesperson sells something that is clearly ludicrous and expects me to deliver it, they will soon find out that I have "no time" for them.
What's that?
~Syberz
Yep and for these reasons looking at sensitive data is easy to resist if you have the right attitude. What might happen if I found out the company was downsizing or might fail? I just invite more stress and worry into my life.
www.Migrainesoft.com - Computer giving you a headache? We can fix that!
I used to do sysadmin work professionally, and I still do it personally (I have a Linode VPS) where I host my personal e-mail, website, jabber server, and personal e-mail of family members. It's just one of those things that as a geek a lot of us end up doing.
One of the unspoken golden rules of trust was this: don't fucking read other people's e-mail. Period.
Now I do information security, where I keep my employer's network safe. This includes both external, and internal threats - such as domain admins going rogue, and abusing their powers (I've seen it happen, and wrote up the incident). It really bothers me that 1 out of 4 "IT Professionals" are unprofessional enough to violate the trust that has been granted them.
da w00t. mtfnpy?
Instead of "IT Pros Can't Resist Peeking At Privileged Info"
how about
"75% of IT Pros Can Resist Peeking At Privileged Info"