IT Pros Can't Resist Peeking At Privileged Info
Orome1 writes "IT security staff will be some of the most informed people at the office Christmas party this year. A full 26 per cent of them admit to using their privileged login rights to look at confidential information they should not have had access to in the first place. It has proved just too tempting, and maybe just human nature, for them to rifle through redundancy lists, payroll information and other sensitive data including, for example, other people's Christmas bonus details."
It's not limited only to your company - this means employees in other services can snoop all they want too. This is why you should never trust cloud services. Hell, even Google employees are secretly snooping your personal emails, XMPP chat logs, Google Voice calls and search queries. And yet even most Slashdotters think it's perfectly fine to trust everything you have with Google - your search queries, your personal emails, your calls, your contacts, your social network, what you watch on YouTube, what you listen to, where you walk and go (Android) and everything else. Screw the law enforcement requests for info, they can't even keep their own personnel from snooping your personal stuff.
It's why I will never trust my personal files on the likes of Dropbox and other backup services. People misuse their privileges whenever they can, that's human nature.
Oh come on, let he who hasn't gotten a massive data rager throw the first stone. So you're telling me that when you're doing a database dump of all your employee's payroll data and you see those beautiful digits paired with a sensual home address and foxy expiration date that you don't pitch a tent right there on the spot? I'm man enough to admit that I've had to walk around cubeland holding a notebook in front of me after taking a selfish glance at a naughty excel spreadsheet filled with transaction after hawt transaction of coffee mugs and pens. As if you've never had to spend your lunch break firing off a few knuckle children in the handi stall of the men's room when you stumbled across every customer's wishlist of your office supply products! Someone actually got to see everyone's Christmas bonus details? Pass the Kleenexes!
The United States' cultural suppression of natural and healthy sexuality just makes me ill sometimes.
My work here is dung.
I find that hard to believe. I would have put it well above 50. Years back I ran an MDaemon mail server and let users have the IM client. Was pretty interesting reading, to say the least.
As a consultant who works for a managed service provider, this tells me one thing. If you're snooping around other people's crap, firstly, you're a punk. Second, you have too much time on your hands. Even if you stumble upon data you shouldn't be aware of, it's best to not make it a priority to remember it. And if by chance you have a photographic memory, don't say shit about it to anyone. It's none of your damn business really! You're supposed to be a professional in the industry. Act the part please.
Life is not for the lazy.
If your IT/Security staff can rifle through your sensitive data, you're doing it wrong.
I have no ability to access the data in our HR or Financial systems. Only the HR and Financial folks do. *MAYBE* the DBAs could look at that data, but even if so they'd have to sift through the raw data or come up with their own queries. And I'm pretty sure a lot of that information is encrypted.
Nothing to see here
I recall reading an article that said that all of Facebook's (then) hundreds of programmers all have full access to the live system data. Especially on top of the announcement that they want to double their employees in the next year or whatever, it sort of makes it hopeless to expect any sort of privacy there if anyone actually gets interested in you.
G.
I find a common problem with companies that have large IT departments is that too many users in those departments have "admin" level rights, which increases temptation and curiosity exponentially. Tighter controls on who needs elevated privileges and specifically where those privileges are needed are a way to help minimize exposure of sensitive data. On the other end of the problem, education is also helpful because most people who would go peeking likely don't understand the ramifications of that action should it be discovered. Have I ever done it as a professional? No. I'll admit, it was very tempting in a past firm since I had access to everything and I knew there were layoffs, salary changes and such going on. Curiosity does not get the better of me though when it means crossing ethical lines, and even if that were not true, I was well aware of the legal fallout that could happen were I to be aware of that information. The same could not be said though for other IT employees with the same access. In this situation, the access we had was certainly not necessary.
don't forget there are IT guys outside the corporate world:
http://xkcd.com/898/
Then you haven't done anything past helpdesk. From about a month after I started doing desktop support back in the 90s I'd come across confidential information, I signed confidentiality forms and as far as I'm concerned it's a done deal. Now that I'm in a job where I'm the desktop, network and database administrator I see and have to deal with confidential data every day.
I just don't care, it's all data to be backed up, moved, restored, whatever.
50% Informative
30% Overrated
20% Funny
Where a joke post about masturbating to scads of personal data results in your peers moderating you "informative."
It's one thing to peek, which is bad...
It's quite another to share it, through gossip, careless revelation or horrors passing on to nefarious individuals with criminal intent in their black hearts.
A feeling of having made the same mistake before: Deja Foobar
Lieberman Software, a security and identification software vendor.
Yeah. Sounds like a completely scientific report with no bias to me.
I've never had the interest + time to go snooping. But early in my career I used my "privileged" position as the company PC tech, to look at a document that one of the executive admin assistants had neglected to put away when I came to install some software on her computer. As I swapped disks my eyes wandered and I saw this list of people, all of whom had recently been laid off, except for a few names at the bottom that had a line through them. Mine was one of those. I started looking for a new job at that point.
http://alternatives.rzero.com/
I work in healthcare IT, and my mother was an X-Ray tech for years, until about 15 years ago.
Even back when she was in the hospital, she saw people getting slapped and fired for it. Whenever someone famous came in, Princess Di was one of the big ones that I heard of, someone would go look up that person's info who shouldn't have, and of course, for famous people they would audit, and people got caught.
Now? Now you get flagged for all manner of things (I don't know exactly what, but it is well known that it includes looking up family members or people living on your own street etc) and it's automatic. We have training on "Ethical Standards" every year, which talks about all of these records access issues. Still... I hear the single most common reason for anyone at the hospital getting fired is.... you guessed it.... inappropriate records access.
Here in MA they have the "CORI" system for doing criminal records checks. You are supposed to need consent to search it for someone's info...unless you are a police officer doing his job or that sort of thing. Some auditing was done a while back and they found absolutely RAMPANT abuse. Police looking up their neighbors, looking up spouses, ex-girlfriends etc. (this was several years back... no idea if anything came of it...can't find any articles on it anymore)
The problem is a very human one.
"I opened my eyes, and everything went dark again"
"There's a whole bunch of trust involved. There's a lot of data inside Google, and I'm willing to bet some of it is really valuable. But for me and the people I worked with, it was never worth looking at."
People joke with me that I must be reading their email. I tell them I have enough trouble keeping up with my own email, and besides that, we NEVER read user's mail unless it's specifically necessary to troubleshoot something relating to their account.
What the hell is with Slashdot lately? Did the sysadmin for FSDN piss in everyone's coffee, and that's why the editors have such a hardon for anti-IT-worker stories?
Just follow management's leadership, as in many other things.
If you work for a place where morals and ethics are #1 above all else, then follow their lead.
If you work for a place where the almighty dollar is #1 and morals and ethics are for suckers and fools (most corporations), then follow their lead.
Whatever you do, don't get caught doing something you'd not want to be on the evening news.
Note that it's a lot like having a police scanner or listening to mobile phone calls, or intercepting POCSAG digital pagers. Sounds technologically fascinating. It, in fact, IS technologically fascinating. Then you get the ability to do so, and it is boring beyond belief. Gossip monger types are always going to be gossip monger types and the addition or removal of technology will not change them. "Golly, person A is having an affair with person B, using some high tech pager or whatever". Ditto the non gossip monger types are not going to be very interested, beyond the interesting nature of the new technology itself. "Golly, this 8 bit A/D decoder sure works a heck of a lot better on noisy signals than a 1-bit data slicer for POCSAG decoding, look at the borderline SNR on this page about some dork's affair or whatever."
I worked at a place decades ago where part of the job was to monitor old fashioned PCM T1 analog phone lines on occasion. Signed lots of secrecy papers to do it. Sounded cool, before I had to do it. It was boring as hell, trust me. I kind of miss listening for slips and echo can malfunctions in this VOIP era. Another funny one was listening for ulaw vs alaw encoding malfunctions on international ckts. And verbal fighting with vendors who couldn't understand the 80 different types of E+M signalling. Good times, I guess, but not from listening to boring phone calls.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
I'm pretty sure a lot of that information is encrypted.
Given the popularity of identity-based encryption, it is possible that IT staff have access to data that was encrypted, since they probably control the key generation service. Where I am now, secret keys are issued by IT staff and we do not even use IBE. It is unfortunate, but for most people setting up, maintaining, and using decentralized cryptosystems is beyond what they are technically capable of or willing to do.
Palm trees and 8
I tried to avoid looking at that kind of information when I had that kind of access. Firstly, I was usually too busy. I had plenty of authorized work to deal with, and if I had free time I had plenty of personal projects that didn't involve digging through the data. Second, it usually wasn't worth it. I've had to do plenty of company-ordered digging through people's accounts, and the interesting stuff just isn't worth digging through the weapons-grade "I did not need to know that..." material. And thirdly, it again wasn't worth it. I don't like to lie to conceal what I know, and for every useful item that directly affected me there were dozens of things that either weren't useful (I already knew my manager made twice what I did, knowing he makes exactly 2.13x as much... pfffft) or didn't affect me. It was easier overall if I honestly didn't know those things in the first place.
The dirty little secret is that most of the time everyone knows who's doing the unauthorized snooping. But management won't order an investigation because they're under the delusion that what they don't officially know about can't hurt the company. And besides the inevitable need to bleach their brains afterwards, all the front-line admins know that if they go initiating an investigation management will come down on them if they find anything. Even if the investigation was fully justified. Whatever it is needs to be pretty major to be worth the drama, angst and pain that'll result. And I don't see management's attitudes changing any time soon.
I'm not saying that what you say is impossible, but it is not very feasible unless you have a very special setup which few companies actually have. In most cases, someone ultimately has the keys to the kingdom. The best most can do is restrict this to as few as possible.
Encrypted DBs won't stop a DBA. The reason is that if you fire an employee, someone has to revoke keys and assign new ones. Someone with the authority to revoke and assign keys can view anything they want, anytime they want.
The only method that is possible is where 2 or more people are needed to use their key to access the information. If you have 3 security IT people, you need to create a situation where at least 2 are needed to unlock something.
And let's not overlook the fact that such systems are not usually set up and audited by a 3rd party.
It's not that they are doing it wrong, it's that without a 3rd party setting up the system you can't have that kind of security at all. The best setup would even require that a 3rd party become the key authority, yet have no direct access to company data whatsoever, and only hand over keys directly to the personnel they are assigned to.
Still, does this stop a determined administrator who disables AV and installs a key logger on a workstation? No. Granted, that's probably criminal, and at least the 3rd party + dual key authentication system stops casual data breaches.
Most businesses don't have a budget for such things. They take the view, and I'm inclined to agree, that if you don't trust staff who have high level access, you shouldn't have hired them in the first place. As someone people bring personal laptops in to fix on occasion, most users are aware that I can see everything on their machine. It's not that I can look that worries them, but that I'll keep my mouth shut if I do happen to see something. I was told in no uncertain terms recently, that a laptop was brimming with porn. But, they trusted that I would not be sending out a company memo entitled, "Looky what I found on X's laptop!"
Businesses often feel the same way. Casual breaches do happen as part of authorized work. For instance, if a payroll file becomes corrupted, I'd have to look at the file. They just want you to shut up about what you see and/or forget what you saw. That's what they mean by trusted. Like any trusted friend, it's not about what secrets you know, but what secrets you can be relied upon to keep.
I8-D
That's why I think nuclear armageddon won't be started by heads of state and their military advisors, but by some disrespected IT guy who constantly has to reset the passwords to the launch codes.
This space intentionally left blank.
Lieberman Software is in the business of selling IT security products. Is it really that hard to believe that they've sufficient incentive to "creatively restate" the parameters of their testing in order to sell more product? Bias matters, and that study is not unbiased.
...and since the one written down was now "compromised", I then made up another password and changed it in the system again. I was unamused to find out later that someone was doing this as a "survey".
Net-security.org, for their part, are only inflaming matters further by restating things in an even more inflammatory manner.
Basically, you need to ask something that this article neglects to question: Did 26% of the respondents merely say they were aware of other employees *using* the shared passwords, or did it specifically detail abuse of a shared password to gain unauthorized access to information that ethically-speaking, they shouldn't be going anywhere near? Both of those cases are considered felonies, by the way. It's very easy for someone to argue that *any* shared password use is an "abuse" and that any information access from that point is "illicit"--but without knowing specifically what question was asked, these "results" are more likely just a distortion of fact in order to sell products and services.
I am personally aware of shared passwords in many organizations. I am also occasionally privy to information I shouldn't be--specifically, people's emails. The key difference being, I *don't want to know*. I, and thousands of admins like me, wind up seeing your boring little emails while trying to figure out why they didn't arrive in your inbox already. Over time, we develop the ability to be self-redacting and immediately forget what was just on our screens--because not being able to do that means being burdened with other people's secrets that you'd feel better not knowing. This is a far, far cry from the sort of "abuse" this report pretends to show, but vendors loooove to construe one as the other in order to sell service contracts.
Frankly, this doesn't sound any more realistic than the old one about employees giving up their passwords for a candy bar. What you don't get told about those is that the employees are usually being told they have to give their password up to their immediate supervisor, and not being given any guidance as to why they're being directly ordered to violate company policy. In most offices, people who ignore direct orders being given by a live person over something written on a policy paper tend to suffer bouts of sudden and chronic unemployment--so... plenty of reason to "violate policy" there; normally "secure" employees are going to capitulate for that kind of request. Then the people doing the "analysis" stand around later and say "oh my gosh people give up their passwords for no reason!". I've personally been given such a request in the past, and frankly since I was being directly instructed to do so, I turned over a hand-written copy of my password on the form provided...or at least, what my password was at that specific moment in time. Since I'm a twisted bastard I made up a new password just for them, set it in the system and then filled in the blank.
Don't be a gullible noob. Trust no "survey" coming from a vendor selling a related product unless you are being shown the exact details of the survey--because they're going to lie about it. Of that you can be sure.
When I worked for my college's CompSci department, my coworkers and I were responsible for the incremental backups.
One day, we got a call from a professor who accidentally deleted a bunch of data, totaling several gigs. When we restored the data, it turned out it was his pr0n folder. We never let him forget that we can see his data.
I got A's in my programming classes after that...
We don't live in Shouldland.
I have NEVER met a CTO/CIO at a large corporation that knew anything at all about computers, the last one I observed needed help in launching a PowerPoint presentation... I turned to the guy sitting next to me and asked.... really? this is your CTO?
Maybe a 3 person shop that incorporated and they decided to make the IT guy CTO... they would actually know something. Just read CTO magazine, if that is how those guys think and if any of them take any of the BS in that rag seriously, the average CTO is pretty useless as far as IT is concerned... They might be good at sales and negotiating with a vendor but useless at Operations.
Do not look at laser with remaining good eye.
You want to fire the ones who told the truth?
Remember, this was a survey. 26% admitted they snooped. The other 74% denied it.
The switchboard was listening in to calls 100 years ago. The mail room was looking at letters 150 years ago. Heck, I'm sure the equivalent was going on in ancient Sumer (sneaking a peek in those sealed clay tablets). "The help" is always going to eavesdrop. Not all of them, not all the time, but it happens.
It is not ethical that things like compensation for labor should be secret. That practice perpetuates unjustifiable inequalities. The only thing unethical about accessing such information is your breach of prior agreement to perpetuate that unethical situation. While that _is_ subjectively unethical, accessing such information is not objectively unethical. There is a concept of "Open Books" management wherein not only is such information freely available to all employees, their frequent viewing of it is encouraged.
I used to work in a business admin office where as a necessary component of everyone's jobs, we had to deal with salary information, yet there was a running joke that the fastest way to ensure your termination was to walk into the hallway and holler your salary -- even though every last person in the room would have known it already. That really put the absurdity of this secrecy practice into crystal clarity.
You know what is more interesting than knowing how much someone makes? Finding that the hot blonde down the hall was the 2nd act in "Sexy Book Worms 19"
4 years ago....
Fucking amateurs
Seriously. You do NOT DO THAT. How hard is this to understand?
If that story is true, then your college sucked. I realize that CompSci is not "software development", but the crossover is large enough that there is no excuse what so ever for a professor to not already know that you could see his data. Your story would require that the professor be incompetent.
I'm not saying your story isn't true. I'm not even saying that it isn't likely. Just that if it is true, that college has bigger problems on its hands than a professor that likes internet porn.
I think you have a very blinkered, and quite probably completely false, opinion based on a single example/incident. The chances of someone in IT *bothering* to monitor your credit card like that are virtually zero anyway (that's what SSL is for, you know) and I've known dozens of people who SWEAR there's no way anyone could have got their info that have been charged fraudulently. Anyone with brain enough to intercept your card number in any way (whether by scraping it en-route via an intermediate SSL certificate, or giving history from your computer) wouldn't be stupid enough to put monthly recurring charges on it, or in such a way that your first suspicion is them.
In general, I think IT is one of the most reputable of all the self-governed industries out there. Stories of rogue admins make the news, for heaven's sake, whereas stories of rogue police officers, nurses, etc. looking up people's data are too common to even be news any more. It's hardly ever the admin themselves (and the only example that comes to mind is the guy who held a city IT department to ransom by changing all the switch and server passwords as protest against new IT arrangements - hardly a genius).
And outsourcing doesn't save you. Your credit card is actually more likely to be scammed - for a start, the reason most companies outsource is because the average wage in those places is significantly less than here and they probably care *more* about your porn browsing habits because in a lot of religious countries in the world it's completely illegal. They would have no incentive, morally, to protect you if you're into something that in their country/religion is completely abhorrent.
I have never known an IT admin (of any rank) do anything illicit with the information at their disposal. Since leaving uni I have controlled the IT for schools *exclusively* while I worked for them - and had full admin access on servers containing everything from payroll to contracts to letters (including resignation letters, disciplinary details etc.). Hell, even instant messaging logs between the head and their deputies. I know this data is there because I see the filenames zip past on backups and I'm occasionally asked to retrieve files from old archives.
It's not at all unusual to have children in schools who are part of witness protection programs, subject to child protection investigations (i.e. dad's beating them up or worse), etc. and the school *MUST* have stored documentation on that, kept for X amount of years, and nowadays that means electronic files.
I take my job extremely seriously and I've never even looked, wouldn't contemplate looking, and actually am surprised at just how much access can be obtained just by being seen as "skilled" in IT. Schools have repeatedly given me their top-level domain administrator passwords in the past, even their backup encryption passwords (those few that have them!), etc. and it's almost too easy to obtain complete permissions to an SQL Server backing any of their school management software. That's not an IT problem as such because they didn't HAVE IT guys (which is why I was brought in) but the IT guys I would hand off to upon leaving, I was trusting with that same class of information.
Hell, I refused to give passwords to a deputy headteacher (about three levels above my boss) once because he wanted to use them for himself and I FORCED him to get the data from the head (principal?) directly. He chased me for weeks after I'd left to get that password, and I never knew if he did get it because only myself and the head (his boss) had it at that point, for handover purposes, and I was leaving/left but he sure as hell didn't get it from me.
And I'm not exactly "in the system" - I was a self-employed, employed-on-word-of-mouth, IT guy not long out of uni, making a living by terminating the school's contract with their borough's IT department (who were universally worthless) and taking over their IT for a year to bring it up to spec so they could handover to *any* IT guy. U
I considered the whole thing subject to the same confidentiality restrictions as a doctor
And this is probably the sort of attitude we should be adopting. IT sort of has the back door keys to everything, since we are the people who write the code and maintain the servers.
On the flip side, one could also assume that the boss's secretary now has less access to this same privileged information, so the number of peeking eyes hasn't increased, but simply changed departments.
HA! I just wasted some of your bandwidth with a frivolous sig!
This might sound a little naive, but if I don't have any interaction with the people looking at my stuff, I don't care that much. Obviously the amount I care will slide depending on what the material is, but in general, I don't really care.
That said, if they look intentionally, they should be fired. There is no excuse, they are breaking a code of trust, and are obviously too immature to handle the position they are in.
Casca
... was combing through the new server-side SPAM filter to look for false positives and forward "legitimate" email to the rightful owners. I saw racist jokes sent between executives and their buddies, wives & girlfriends talking dirty and scheduling "play dates", job hunting employees, back-stabbing gossip and internal/external confidential information. Payroll information would have been the least of the issues...
Management has access to this information as well and no one can complain.
Hey don't blame me, IANAB
You never know what the IT guy is worth until you replace him. Preferably with someone new on the job.
And then you go and complain about schools, and ask for more H1B visa ;-)
It is also very hard for the IT guy to know what he is worth.
For the sales guy it is easy because he just adds up all the money he has raked in. Probably he will even have a tendency to overestimate because he doesn't know at what cost the company is producing its goods and services.
A manager with access to financial data knows when the company is doing well financially, and knows when his pay is tiny in comparison to the turnover of his department.
Both are obviously in a better position to negotiate, unless the IT guy analyzes the company's data, for which most IT guys neither have the time nor the desire.
75% didn't look at confidential data, and of the 25% who admitted to peeking, you don't know how much they strayed from their tasks.
One time I was working on someone's PC at a country club and there was a paper list tacked onto the wall next to the desk of all the deadbeats who still owed back money and wouldn't be allowed to attend any events or go golfing until they paid up. Printed on paper, plain as day. I didn't mean to look at it, but the computer was rebooting after a software upgrade and when a PC is merely rebooting my instinct is to glance at the BIOS and then let Windows do its thing. My eyes wandered and just happened to look at the list.
Occasionally living proof of the Ballmer peak.