Slashdot Mirror


IT Pros Can't Resist Peeking At Privileged Info

Orome1 writes "IT security staff will be some of the most informed people at the office Christmas party this year. A full 26 per cent of them admit to using their privileged log in rights to look at confidential information they should not have had access to in the first place. It has proved just too tempting, and maybe just human nature, for them to rifle through redundancy lists, payroll information and other sensitive data including, for example, other people's Christmas bonus details."

40 of 388 comments

  1. This is why I will never trust cloud services by InsightIn140Bytes · · Score: 5, Informative

    It's not limited only to your company - this means employees in other services can snoop all they want too. This is why you should never trust cloud services. Hell, even Google employees are secretly snooping your personal emails, XMPP chat logs, Google Voice calls and search queries. And yet even most Slashdotters think it's perfectly fine to trust everything you have with Google - your search queries, your personal emails, your calls, your contacts, your social network, what you watch on YouTube, what you listen to, where you walk and go (Android) and everything else. Screw the law enforcement requests for info, they can't even keep their own personnel from snooping your personal stuff.

    It's why I will never trust my personal files on the likes of Dropbox and other backup services. People misuse their privileges whenever they can, that's human nature.

    1. Re:This is why I will never trust cloud services by masternerdguy · · Score: 5, Insightful

      Not true. I have had plenty of access to such information and have always avoided looking at it. It's immoral.

      --
      To offset political mods, replace Flamebait with Insightful.
    2. Re:This is why I will never trust cloud services by oh-dark-thirty · · Score: 5, Funny

      Nor do I, it would probably just piss me off anyway.

    3. Re:This is why I will never trust cloud services by 1s44c · · Score: 5, Insightful

      Not true. I have had plenty of access to such information and have always avoided looking at it. It's immoral.

      Strongly agree. Plus if caught it destroys the trust that keeps them paying you, and it won't bring you happiness on any level anyway.

      Anytime a person tells another person how much they get paid one of them gets very pissed off. You are better off not knowing.

    4. Re:This is why I will never trust cloud services by DarKnyht · · Score: 5, Insightful

      We are quickly finding ourselves in a society where we lack an absolute moral authority. Therefore what is immoral for you may or may not be immoral to others. In other words, we are reaping the fruits of a society where all ideas are given equal worth. Where we are not to condemn someone because what they do is right from their point of view.

      --
      Voting them all out of office, now that's change I can believe in.
    5. Re:This is why I will never trust cloud services by CapnStank · · Score: 4, Insightful

      I disagree.... a person lacking confidence would probably be pissed no matter what and was just looking for validation. My friends and I in the same field openly discuss our wages/benefits only to know what's available out there. Am I getting screwed? Why is my pay lower? Is the grass *really* greener? No one openly gets upset with it.

    6. Re:This is why I will never trust cloud services by Anonymous Coward · · Score: 5, Insightful

      have always avoided looking at it. It's immoral.

      Luckily most agree with you.. but it only takes one to steal your personal information.

    7. Re:This is why I will never trust cloud services by oh-dark-thirty · · Score: 4, Insightful

      Sure, in the same field I can understand, I do that too....I just don't want to know that the lazy sales guy down the hall makes double what I do for taking a few phone calls. Even though I already know intuitively, and by the fact his car cost half as much as my house.

    8. Re:This is why I will never trust cloud services by Anonymous Coward · · Score: 5, Insightful

      I admit that I have snooped through the financial information... And you're right, it does piss you off. Company saying they're in financial crisis so they have to freeze all raises, but the executives all get their Christmas bonuses that equal 1/2 my year's salary.. Not sure why I couldn't control myself.. probably I was younger and more immature.. I have full access at my current job to all data, and haven't accessed anything I wasn't supposed to.

    9. Re:This is why I will never trust cloud services by StikyPad · · Score: 4, Insightful

      I disagree. I don't think the problem is a lack of moral authority, but that people's decision making is based on risk/reward, of which morality is but one aspect. The risk of dying will usually outweigh the intrinsic reward of being moral, for example. So when there's little or no risk of being caught, it boils down to whether it's more intrinsically rewarding to adhere to your morals or to satisfy your curiosity, or even to leverage your ill-gotten knowledge for your advantage. To solve that problem, you have to either entrust the people with access to the information (which makes sense to me), or somehow shift the risk/reward balance.

    10. Re:This is why I will never trust cloud services by Anonymous Coward · · Score: 5, Interesting

      It's not limited to IT either. A friend of mine, who works in HR, as a Temp, basically gets work handed to her that other people don't have time to do. This includes expenses, and occasionally allows her to view people's salaries, and, scarily, who's getting made redundant. She's a Temp, paid about £16k/y (having been made redundant a few years ago having been making ~22k, she took anything she could get) and has access to her superiors' and co-workers' salaries, expenses and even their original interview records.
      Some would say that's just rubbing her nose in it.
      But the reality is that some companies just circumvent internal rules in order to get things done.

      And all this she freely shares with me as idle chatter.

    11. Re:This is why I will never trust cloud services by somersault · · Score: 4, Insightful

      Yeah I think the headline is a bit lame. It should read "most IT pros don't look at confidential info". I don't really have any interest in looking at confidential files when it's not required for the job. I also just have a personal sense of morality and honour that makes me want to live up to the responsibility that I have being able to do anything I want on the network.

      Let some "normal" users know that they have full admin access for the whole network for the day and see if 75% of them can resist having a peek around.

      --
      which is totally what she said
    12. Re:This is why I will never trust cloud services by SecurityGuy · · Score: 4, Insightful

      +1.

      The only time I've looked at such information was when it was in a database I was required to work on and seeing it was simply unavoidable. It was one of those prepackaged deals where you can't select just the fields you want, you see it all. In other words, not what most of you would call a database, but a non-IT pro friendly consumer package. Not my choice. Anyway, I saw the data and never breathed a word of it to anyone.

      It's simple ethics. It's also worth noting that 26% of people doing it means 74% aren't. Ethics aren't dead.

    13. Re:This is why I will never trust cloud services by SecurityGuy · · Score: 4, Insightful

      You might be better off not knowing what the guy in the next cube gets paid, but you're probably much better off knowing what the reasonable salary range for the job you do is. If you're towards the top and getting tiny raises, you can be comforted knowing it's not because you're not respected, but because you're already well compensated. If you're towards the bottom and are actually good at what you do, perhaps you should be pushing for that raise or looking for an exit.

    14. Re:This is why I will never trust cloud services by Pieroxy · · Score: 4, Interesting

      Right. You should come home to your wife and tell her "I quit my job because my boss wanted me to do something unethical. I know you're pregnant and we just bought a house, but you know, ethics is everything. Now pack your bags, there's a nice bridge down the highway under which there is a patch of grass that'll be nice for us."

    15. Re:This is why I will never trust cloud services by Anonymous Coward · · Score: 5, Insightful

      If sales is so easy why don't you do it? The answer to that question is the reason why he makes more than you.

    16. Re:This is why I will never trust cloud services by erroneus · · Score: 4, Insightful

      Indeed. What's more, it is easily demonstrated that those who are least inhibited by their morals get the farthest, the most, the biggest, the best of whatever.

      I'm with all the moralists out there personally. I know there are things I'm better off not knowing and prefer to leave it at that. But I also see who gets 'more' or 'better' and why. And those are the very same people with morality issues and are more capable than I am of doing immoral things. Another commenter on this general thread points out there are lying company leaders cutting back and capping salary increases while they continue to pay themselves increasing amounts and tell the company personnel they are in "hard times." These *ARE* immoral people and are shining examples of what I am talking about.

      But you have to be more than immoral to get ahead... you also have to be clever enough not to let anyone know what you know and how to put that knowledge to good use. You have to be a really good sociopath to really get ahead in a meaningful way.

    17. Re:This is why I will never trust cloud services by Penguinisto · · Score: 5, Interesting

      Agreed, and would like to add spam filtering to the pile. Training the filters effectively (to weed out false positives, catch the sneakier spam, etc) means seeing practically everyone's inbound emails until the initial tuning is done, and once in a great while after that for maintenance and upkeep. You just maintain the confidentiality required to know that yeah it's ugly and it's in there, but it's nobody's business. I only interacted with these mails enough to make my job more effective, and after that it all got forgotten and ignored.

      Doing this helped me better tune the filters to block the political crap (DU, Limbaugh, etc) while at the same time allowing exceptions for a couple of execs in the company who actually did lobby in Washington DC, the state capital, etc. It allowed me to block the dating site and sex site emails (you'd be amazed unless you're an email admin, in which case you'd probably know already) while at the same time allowing the usual spousal romantic emails.

      I didn't give a damn about the messages - I was in there to analyze content in order to catch spammers. The result was a happier group of employees who rarely if ever saw any spam, but at the same time could do most things within reason and company policy (it was fairly loose) and not lose any email.

      I considered the whole thing subject to the same confidentiality restrictions as a doctor - yeah, you see the naughty bits in the full glory, but so what? You've got a job to do, so there's no real time or cause for you to be titillated, angry, outraged, or whatever. If you are, there'd better be a cause to inform the corp legal department and then the cops, because otherwise you're obviously not doing your job.

      All said and done, at least in this aspect the AUP covers it perfectly - expect the contents of any email or data on the company wires to be seen by anyone. Of course that doesn't mean you get to go snooping around - violating trust is a great way to obliterate a career. OTOH, don't expect it to remain a perfect secret, either, because not all of us are going to be as professional about it.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    18. Re:This is why I will never trust cloud services by DeadCatX2 · · Score: 4, Insightful

      If sales is so easy why don't you do it? The answer to that question is the reason why he makes more than you.

      Because I have a soul that I'm not willing to compromise in order to treat other human beings as a source of revenue?

      --
      :(){ :|:& };:
    19. Re:This is why I will never trust cloud services by kiwimate · · Score: 4, Insightful

      I just don't want to know that the lazy sales guy down the hall makes double what I do for taking a few phone calls

      If sales is so easy why don't you do it? The answer to that question is the reason why he makes more than you.

      This seconded. If he makes so much money, it's either because he's raking it in on commission, in which case he's certainly earning it, or someone thinks he's worth a large retainer. If he's still there after six months or a year and still getting paid that much, guess what - apparently he is worth it.

      The GP's post is just as asinine as a sales guy who wonders why IT guys make so much money "just for clicking the next button every so often when they have to install software". Or "web site design? Pfft, my kid can do web site design, that's not worth $50k a year."

    20. Re:This is why I will never trust cloud services by u38cg · · Score: 4, Insightful

      She works in HR. That is the kind of thing HR people know about. Hardly a surprise. How do you think the right amount arrives in your bank every month? And you should suggest to her that it is a good thing for her to keep her mouth shut about it. No, she's not likely to be caught, but if she doesn't have her own internal boundaries, then she will get herself into more trouble somewhere down the line.

      --
      [FUCK BETA]
    21. Re:This is why I will never trust cloud services by Anonymous Coward · · Score: 5, Funny

      It all seems fair to me.
      You have your soul.
      He has his Bugatti Veyron.

    22. Re:This is why I will never trust cloud services by scot4875 · · Score: 4, Insightful

      The whole fucking point of the free market is informed actors making rational decisions.

      --Jeremy

      --
      Jesus was a liberal
    23. Re:This is why I will never trust cloud services by Anonymous Coward · · Score: 5, Funny

      The problem with sales commissions is that sales guys never get their commissions reduced by the cost of additional support needed to fix the customer problems caused because the sales guys sold them features that don't exist. Commissions are usually based on the size of the deal, so the bigger deal is always preferable, and the aftermath becomes someone else's problem. (Usually those guys "just clicking buttons").

      If software sales techniques were applied elsewhere:

      Customer: I want a car.
      Salesguy: Sure. We've got cars.
      C: It must be fast.
      S: We have one with a 600HP motor and awesome aerodynamics.
      C: It must go round corners like it's on rails.
      S: We have sports suspension.
      C: I need to carry my large family around.
      S: Yeah, we know how to make minivans.
      C: I really enjoy off-roading.
      S: So you need 4WD, big wheels and high suspension. No problem.
      C: I care about the environment.
      S: Our engineers have made a car that gets 45mpg. No problem.
      C: It must be really comfortable
      S: Leather and Luxury are what we're known for.
      C: I need a lot of cargo space because I'm in construction.
      S: We have pick-up trucks.
      C: Oh, six vehicles? I really don't have room for six.
      S: Our engineers could easily make all of that into one vehicle.
      C: Really? That would be awesome. I'll take one. (Opens wallet, picture of family falls out)
      S: You'll never get to drive it though - your wife will love it!
      C: Good point, I'll take 2. Make hers a convertible.
      S: Hey, that's a good looking family you've got there.
      C: That's my daughter Kate, she's just started driving. Oh, make it 3 cars. Can I get them before her birthday next week?
      S: No problem!
      -------------------
      Later:
      S: Engineering!!!!

    24. Re:This is why I will never trust cloud services by DeadCatX2 · · Score: 4, Insightful

      Oh come on, you know what I meant.

      A good salesman has no concern for your wants or needs. His only concern is convincing you that you need something which he has for sale, often something that you never even knew you "needed" before the salesman began talking to you. They exploit weaknesses of the human condition in order to benefit themselves.

      That is quite different from my paycheck. My employer has a need, and had that need before I was hired. I do not exploit my employer's weaknesses to convince them that they need to pay me.

      --
      :(){ :|:& };:
    25. Re:This is why I will never trust cloud services by gstrickler · · Score: 4, Interesting

      And right there is the fundamental flaw. Most people don't make rational decisions, even if they have all the necessary information (which they almost never do). It is for that reason that "free markets" as espoused by most proponents of free markets are unrealistic. Free markets are an ideal that should guide your regulation of the markets, but the markets can never really be free.

      --
      make imaginary.friends COUNT=100 VISIBLE=false
    26. Re:This is why I will never trust cloud services by DeadCatX2 · · Score: 4, Insightful

      LOL, for what it's worth, most of my salary comes from small business research grants. But I still don't see what you're trying to get at. I'm not the salesman, because I can't tell people they need something when they don't.

      I actually worked at a brick-and-mortar retail store for a while, and my managers hated me, because even though I had a great deal of knowledge about all of the products, I would only ever sell the customer exactly what they asked me for, nothing more. My hours were eventually reduced to one day per week, in effect forcing me to quit as there was no way I could make what I needed to make.

      Perhaps you're claiming that my soul is compromised anyway, because I might collect paychecks that are somehow derived from soul-less sales associates? That still seems like a red herring, though. My job is to make things that people might want. Sales' job is to get those products into customers' hands. And I don't care if someone in sales makes more than me, because I don't have to treat people like they aren't human beings in order to do my job.

      --
      :(){ :|:& };:
  2. I Am a Sick Sick Man by eldavojohn · · Score: 5, Funny

    Oh come on, let he who hasn't gotten a massive data rager throw the first stone. So you're telling me that when you're doing a database dump of all your employees' payroll data and you see those beautiful digits paired with a sensual home address and foxy expiration date that you don't pitch a tent right there on the spot? I'm man enough to admit that I've had to walk around cubeland holding a notebook in front of me after taking a selfish glance at a naughty Excel spreadsheet filled with transaction after hawt transaction of coffee mugs and pens. As if you've never had to spend your lunch break firing off a few knuckle children in the handi stall of the men's room when you stumbled across every customer's wishlist of your office supply products! Someone actually got to see everyone's Christmas bonus details? Pass the Kleenexes!

    The United States' cultural suppression of natural and healthy sexuality just makes me ill sometimes.

    --
    My work here is dung.
  3. Bad setup by ender- · · Score: 5, Insightful

    If your IT/Security staff can rifle through your sensitive data, you're doing it wrong.

    I have no ability to access the data in our HR or Financial systems. Only the HR and Financial folks do. *MAYBE* the DBAs could look at that data, but even if so they'd have to sift through the raw data or come up with their own queries. And I'm pretty sure a lot of that information is encrypted.

    1. Re:Bad setup by HogGeek · · Score: 4, Informative

      ^This

      The security team should be setting policy and doing audits, not being "the privileged ones"!

  4. Facebook by Gavin+Scott · · Score: 5, Interesting

    I recall reading an article that said that all of Facebook's (then) hundreds of programmers all have full access to the live system data. Especially on top of the announcement that they want to double their employees in the next year or whatever, it sort of makes it hopeless to expect any sort of privacy there if anyone actually gets interested in you.

    G.

    1. Re:Facebook by 1s44c · · Score: 4, Insightful

      I recall reading an article that said that all of Facebook's (then) hundreds of programmers all have full access to the live system data. Especially on top of the announcement that they want to double their employees in the next year or whatever, it sort of makes it hopeless to expect any sort of privacy there if anyone actually gets interested in you.

      Facebook is and always has been a privacy disaster.

  5. Loose Controls and too many admins by Dakiraun · · Score: 5, Insightful

    I find a common problem with companies that have large IT departments is that too many users in those departments have "admin" level rights, which increases temptation and curiosity exponentially. Tighter controls on who needs elevated privileges and specifically where those privileges are needed are a way to help minimize exposure of sensitive data. On the other end of the problem, education is also helpful because most people who would go peeking likely don't understand the ramifications of that action should it be discovered. Have I ever done it as a professional? No. I'll admit, it was very tempting in a past firm since I had access to everything and I knew there were layoffs, salary changes and such going on. Curiosity does not get the better of me though when it means crossing ethical lines, and even if that were not true, I was well aware of the legal fallout that could happen were I to be aware of that information. The same could not be said though for other IT employees with the same access. In this situation, the access we had was certainly not necessary.

  6. Only on Slashdot by eldavojohn · · Score: 5, Funny

    50% Informative
    30% Overrated
    20% Funny

    Where a joke post about masturbating to scads of personal data results in your peers moderating you "informative."

    --
    My work here is dung.
  7. This report brought to you by... by synthesizerpatel · · Score: 4, Insightful

    Lieberman Software, a security and identification software vendor.

    Yeah. Sounds like a completely scientific report with no bias to me.

  8. Not shocked by TheCarp · · Score: 5, Insightful

    I work in healthcare IT, and my mother was an X-Ray tech for years, until about 15 years ago.

    Even back when she was in the hospital, she saw people getting slapped and fired for it. Whenever someone famous came in, Princess Di was one of the big ones that I heard of, someone would go look up that person's info who shouldn't have, and of course, for famous people they would audit, and people got caught.

    Now? Now you get flagged for all manner of things (I don't know exactly what, but it is well known that it includes looking up family members or people living on your own street etc) and it's automatic. We have training on "Ethical Standards" every year, which talks about all of these records access issues. Still... I hear the single most common reason for anyone at the hospital getting fired is.... you guessed it.... inappropriate records access.

    Here in MA they have the "CORI" system for doing criminal records checks. You are supposed to need consent to search it for someone's info...unless you are a police officer doing his job or that sort of thing. Some auditing was done a while back and they found absolutely RAMPANT abuse. Police looking up their neighbors, looking up spouses, ex-girlfriends etc. (this was several years back... no idea if anything came of it...can't find any articles on it anymore)

    The problem is a very human one.

    --
    "I opened my eyes, and everything went dark again"
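
The automatic flagging of records access mentioned in the comment above, sketched as an added example that is not part of the thread and not any hospital's real rule set. The three rules (watchlisted patient, shared surname, shared street) are assumptions taken from the cases the comment names, and every name, address and log line is constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    surname: str
    address: str   # free-text first address line, as typed at registration
    postcode: str


_ABBREV = {"st": "street", "rd": "road", "ave": "avenue", "dr": "drive", "ln": "lane"}


def street_key(p: Person) -> tuple:
    """Normalise '14 Maple St.' and '3 maple street' to the same key."""
    words = re.sub(r"[^a-z0-9 ]", "", p.address.lower()).split()
    if words and words[0].isdigit():          # drop the house number
        words = words[1:]
    return (" ".join(_ABBREV.get(w, w) for w in words), p.postcode)


def review_reasons(employee: Person, patient_id: str, patient: Person, watchlist) -> list:
    """Reasons an access should be queued for human review (not proof of misuse)."""
    reasons = []
    if patient_id in watchlist:               # e.g. a well-known patient
        reasons.append("watchlist")
    if employee.surname.casefold() == patient.surname.casefold():
        reasons.append("same-surname")        # possible family member
    if street_key(employee) == street_key(patient):
        reasons.append("same-street")         # possible neighbour
    return reasons


def flag_events(events, staff, patients, watchlist):
    """Return (timestamp, staff_id, patient_id, reasons) for every flagged access."""
    flagged = []
    for when, staff_id, patient_id in events:
        reasons = review_reasons(staff[staff_id], patient_id, patients[patient_id], watchlist)
        if reasons:
            flagged.append((when, staff_id, patient_id, reasons))
    return flagged


# Constructed sample data: two staff members, five patients, six access events.
STAFF = {
    "E1": Person("Rivera", "14 Maple St.", "02139"),
    "E2": Person("Chen", "9 Oak Avenue", "02140"),
}
PATIENTS = {
    "P1": Person("Rivera", "22 Maple Street", "02139"),
    "P2": Person("Okafor", "3 maple street", "02139"),
    "P3": Person("chen", "77 Pine Rd", "01002"),
    "P4": Person("Hart", "1 Hill Rd", "02108"),
    "P5": Person("Smith", "5 Elm St", "02141"),
}
WATCHLIST = {"P4"}
EVENTS = [
    ("2011-12-01T09:14", "E1", "P2"),
    ("2011-12-01T09:20", "E1", "P5"),
    ("2011-12-01T10:02", "E2", "P3"),
    ("2011-12-01T10:05", "E2", "P4"),
    ("2011-12-01T10:31", "E2", "P5"),
    ("2011-12-01T11:47", "E1", "P1"),
]

if __name__ == "__main__":
    for row in flag_events(EVENTS, STAFF, PATIENTS, WATCHLIST):
        print(row)
```

A flag here only queues the access for review; a shared surname or street is common enough that each hit still needs a person to check whether the lookup had a work reason.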
  9. Not feasible for most businesses. by Kamiza+Ikioi · · Score: 4, Insightful

    I'm not saying that what you say is impossible, but it is not very feasible unless you have a very special setup which few companies actually have. In most cases, someone ultimately has the keys to the kingdom. The best most can do is restrict this to as few as possible.

    Encrypted DBs won't stop a DBA. The reason is that if you fire an employee, someone has to revoke keys and assign new ones. Someone with the authority to revoke and assign keys can view anything they want, anytime they want.

    The only method that is possible is where 2 or more people are needed to use their key to access the information. If you have 3 security IT people, you need to create a situation where at least 2 are needed to unlock something.

    And let's not overlook the fact that such systems are not usually set up and audited by a 3rd party.

    It's not that they are doing it wrong, it's that without a 3rd party setting up the system you can't have that kind of security at all. The best setup would even require that a 3rd party become the key authority, yet have no direct access to company data whatsoever, and only hand over keys directly to the personnel they are assigned to.

    Still, does this stop a determined administrator who disables AV and installs a key logger on a workstation? No. Granted, that's probably criminal, and at least the 3rd party + dual key authentication system stops casual data breaches.

    Most businesses don't have a budget for such things. They take the view, and I'm inclined to agree, that if you don't trust staff who have high level access, you shouldn't have hired them in the first place. As someone who people bring in personal laptops in to fix on occasion, most users are aware that I can see everything on their machine. It's not that I can look that worries them, but that I'll keep my mouth shut if I do happen to see something. I was told in no uncertain terms recently, that a laptop was brimming with porn. But, they trusted that I would not be sending out a company memo entitled, "Looky what I found on X's laptop!"

    Businesses often feel the same way. Casual breaches do happen as part of authorized work. For instance, if a payroll file becomes corrupted, I'd have to look at the file. They just want you to shut up about what you see and/or forget what you saw. That's what they mean by trusted. Like any trusted friend, it's not about what secrets you know, but what secrets you can be relied upon to keep.

    --
    I8-D
  10. Nuclear War by kbielefe · · Score: 4, Funny

    That's why I think nuclear armageddon won't be started by heads of state and their military advisors, but by some disrespected IT guy who constantly has to reset the passwords to the launch codes.

    --
    This space intentionally left blank.
  11. Re:Been a IT Pro for 15 Years by sohmc · · Score: 4, Funny

    When I worked for my college's CompSci department, my coworkers and I were responsible for the incremental backups.

    One day, we got a call from a professor who accidentally deleted a bunch of data, totalling several gigs. When we restored the data, it turned out it was his pr0n folder. We never let him forget that we can see his data.

    I got A's in my programming classes after that...

    --
    We don't live in Shouldland.
  12. This is news ? by mbone · · Score: 5, Interesting

    The switchboard was listening in to calls 100 years ago. The mail room was looking at letters 150 years ago. Heck, I'm sure the equivalent was going on in ancient Sumer (sneaking a peek in those sealed clay tablets). "The help" is always going to eavesdrop. Not all of them, not all the time, but it happens.