IT Pros Can't Resist Peeking At Privileged Info

Orome1 writes "IT security staff will be some of the most informed people at the office Christmas party this year. A full 26 per cent of them admit to using their privileged log in rights to look at confidential information they should not have had access to in the first place. It has proved just too tempting, and maybe just human nature, for them to rifle through redundancy lists, payroll information and other sensitive data including, for example, other people's Christmas bonus details."

This is why I will never trust cloud services

[InsightIn140Bytes]

It's not limited only to your company - this means employees in other services can snoop all they want too. This is why you should never trust cloud services. Hell, even Google employees are secretly snooping your personal emails, XMPP chat logs, Google Voice calls and search queries. And yet even most Slashdotters think it's perfectly fine to trust everything you have with Google - your search queries, your personal emails, your calls, your contacts, your social network, what you watch on YouTube, what you listen to, where you walk and go (Android) and everything else. Screw the law enforcement requests for info, they can't even keep their own personnel from snooping your personal stuff.

It's why I will never trust my personal files on the likes of Dropbox and other backup services. People misuse their privileges whenever they can, that's human nature.

Re:This is why I will never trust cloud services

[masternerdguy]

Not true. I have had plenty of access to such information and have always avoided looking at it. It's immoral.

Re:This is why I will never trust cloud services

[oh-dark-thirty]

Nor do I, it would probably just piss me off anyway.

Re:This is why I will never trust cloud services

[1s44c]

Not true. I have had plenty of access to such information and have always avoided looking at it. It's immoral.

Strongly agree. Plus if caught is destroys the trust that keeps them paying you, and it won't bring you happiness on any level anyway.

Anytime a person tells another person how much they get paid one of them gets very pissed off. You are better off not knowing.

Re:This is why I will never trust cloud services

[DarKnyht]

We are quickly finding ourselves in a society where we lack an absolute morality authority. Therefore what is immoral for you may or may not be immoral to others. In other words, we are reaping the fruits of a society where all ideas are given equal worth. Where we are not to condemn someone because what they do is right from their point of view.

Re:This is why I will never trust cloud services

have always avoided looking at it. It's immoral.

Luckily most agree with you.. but it only takes one to steal your personal information.

Re:This is why I will never trust cloud services

I admin that I have snooped through the financial information... And your right, it does piss you off. Company saying their in financial crises so they have to freeze all raises, but the executives all get their christmas bonuses that equal 1/2 my year salary.. Not sure why I couldn't control myself.. probably I was younger and more immature.. I have full access at my current job to all data, and haven't accessed anything I wasn't suppose to.

Re:This is why I will never trust cloud services

It's not limited to IT either. A friend of mine, who works in HR, as a Temp, basically gets work handed to her that other people don't have time to do. This includes expenses, and occasionally allows her to view peoples salaries, and, scarily, who's getting made redundant. She's a Temp, paid about £16k/y (having been made redundant a few years ago having been making ~22k, she took anything she could get) and has access to her superiors and co-workers salaries, expenses and even their original interview records.
Some would say that's just rubbing her nose in it.
But the reality is that some companies just circumvent internal rules in order to get things done.

and all this she freely shares with me as idle chatter.

Re:This is why I will never trust cloud services

If sales is so easy why don't you do it? The answer to that question is the reason why he makes more than you.

Re:This is why I will never trust cloud services

[Penguinisto]

Agreed, and would like to add spam filtering to the pile. Training the filters effectively (to weed out false positives, catch the sneakier spam, etc) means seeing practically everyone's inbound emails until the initial tuning is done, and once in a great while after that for maintenance and upkeep. You just maintain the confidentiality required to know that yeah it's ugly and it's in there, but it's nobody's business. I only interacted with these mails enough to make my job more effective, and after that it all got forgotten and ignored.

Doing this helped me better tune the filters to block the political crap (DU, Limbaugh, etc) while at the same time allowing exceptions for a couple of execs in the company who actually did lobby in Washington DC, the state capital, etc. It allowed me to block the dating site and sex site emails (you'd be amazed unless you're an email admin, in which case you'd probably know already) while at the same time allowing the usual spousal romantic emails.

I didn't give a damn about the messages - I was in there to analyze content in order to catch spammers. The result was a happier group of employees who rarely if ever saw any spam, but at the same time could do most things within reason and company policy (it was fairly loose) and not lose any email.

I considered the whole thing subject to the same confidentiality restrictions as a doctor - yeah, you see the naughty bits in the full glory, but so what? You've got a job to do, so there's no real time or cause for you to be titillated, angry, outraged, or whatever. If you are, there'd better be a cause to inform the corp legal department and then the cops, because otherwise you're obviously not doing your job.

All said and done, at least in this aspect the AUP covers it perfectly - expect the contents of any email or data on the company wires to be seen by anyone. Of course that doesn't mean you get to go snooping around - violating trust is a great way to obliterate a career. OTOH, don't expect it to remain a perfect secret, either, because not all of us are going to be as professional about it.

Re:This is why I will never trust cloud services

It all seems fair to me.
You have your soul.
He has his Bugatti Veyron.

Re:This is why I will never trust cloud services

The problem with sales commissions is that sales guys never get their commissions reduced by the cost of additional support needed to fix the customer problems caused because they sales guys sold them features that don't exist. Commissions are usually based on the size of the deal, so the bigger deal is always preferable, and the aftermath becomes someone else's problem. (Usually those guys "just clicking buttons").

If software sales techniques were applied elsewhere:

Customer: I want a car.
Salesguy: Sure. We've got cars.
C: It must be fast.
S: We have one with a 600HP motor and awesome aerodynamics.
C: It must go round corners like it's on rails.
S: We have sports suspension.
C: I need to carry my large family around.
S: Yeah, we know how to make minivans.
C: I really enjoy off-roading.
S: So you need 4WD, big wheels and high suspension. No problem.
C: I care about the environment.
S: Our engineers have made a car that gets 45mpg. No problem.
C: It must be really comfortable
S: Leather and Luxury are what we're known for.
C: I need a lot of cargo space because I'm in construction.
S: We have pick-up trucks.
C: Oh, six vehicles? I really don't have room for six.
S: Our engineers could easily make all of that into one vehicle.
C: Really? That would be awesome. I'll take one. (Opens wallet, picture of family falls out)
S: You'll never get to drive it though - your wife will love it!
C: Good point, I'll take 2. Make hers a convertible.
S: Hey, that's a good looking family you've got there.
C: That's my daughter Kate, she's just started driving. Oh, make it 3 cars. Can I get them before her birthday next week?
S: No problem!
-------------------
Later:
S: Engineering!!!!

I Am a Sick Sick Man

[eldavojohn]

Oh come on, let he who hasn't gotten a massive data rager throw the first stone. So you're telling me that when you're doing a database dump of all your employee's payroll data and you see those beautiful digits paired with a sensual home address and foxy expiration date that you don't pitch a tent right there on the spot? I'm man enough to admit that I've had to walk around cubeland holding a notebook in front of me after taking a selfish glance at a naughty excel spreadsheet filled with transaction after hawt transaction of coffee mugs and pens. As if you've never had to spend your lunch break firing off a few knuckle children in the handi stall of the men's room when you stumbled across every customer's wishlist of your office supply products! Someone actually got to see everyone's Christmas bonus details? Pass the Kleenexes!

The United States' cultural suppression of natural and healthy sexuality just makes me ill sometimes.

Bad setup

[ender-]

If your IT/Security staff can rifle through your sensitive data, you're doing it wrong.

I have no ability to access the data in our HR or Financial systems. Only the HR and Financial folks do. *MAYBE* the DBAs could look at that data, but even if so they'd have to sift through the raw data or come up with their own queries. And I'm pretty sure a lot of that information is encrypted.

Facebook

[Gavin+Scott]

I recall reading an article that said that all of Facebook's (then) hundreds of programmers all have full access to the live system data. Especially on top of the announcement that they want to double their employees in the next year or whatever, it sort of makes it hopeless to expect any sort of privacy there if anyone actually gets interested in you.

G.

Loose Controls and too many admins

[Dakiraun]

I find a common problem with companies that have large IT departments is that too many users in those departments have "admin" level rights, which increases temptation and curiosity exponentially. Tighter controls on who needs elevated privileges and specifically where those privileges are needed are a way to help minimize exposure of sensitive data. On the other end of the problem, education is also helpful because most people who would go peeking likely don't understand the ramifications of that action should it be discovered. Have I ever done it as a professional? No. I'll admit, it was very tempting in a past firm since I had access to everything and I knew there were layoffs, salary changes and such going on. Curiosity does not get the better of me though when it means crossing ethical lines, and even if that were not true, I was well aware of the legal fallout that could happen where I to be aware of that information. The same could not be said though for other IT employees with the same access. In this situation, the access we had was certainly not necessary.

Only on Slashdot

[eldavojohn]

50% Informative
30% Overrated
20% Funny

Where a joke post about masturbating to scads of personal data results in your peers moderating you "informative."

Not socked

[TheCarp]

I work in healthcare IT, and my mother was an X-Ray tech for years, until about 15 years ago.

Even back when she was in the hospital, she saw people getting slapped and fired for it. Whenever someone famous came in, Princess Di was one of the big ones that I heard of, someone would go look up that persons info who shouldn't have, and of course, for famous people they would audit, and people got caught.

Now? Now you get flagged for all manner of things (I don't know exactly what, but it is well known that it includes looking up family members or people living on your own street etc) and its automatic. We have training on "Ethical Standards" every year, which talks about all of these records access issues. Still... I hear the single most common reason for anyone at the hospital getting fired is.... you guessed it.... inappropriate records access.

Here in MA they have the "CORI" system for doing criminal records checks. You are supposed to need consent to search it for someones info...unless you are a police officer doing his job or that sort of thing. Some auditing was done a while back and they found absolutely RAMPANT abuse. Police looking up their neighbors, looking up spouses, ex-girlfriends etc. (this was several years back... no idea if anything came of it...can't find any articles on it anymore)

The problem is a very human one.

This is news ?

[mbone]

The switchboard was listening in to calls 100 years ago. The mail room was looking at letters 150 years ago. Heck, I'm sure the equivalent was going on in ancient Sumer (sneaking a peak in those sealed clay tablets). "The help" is always going to eavesdrop. Not all of them, not all the time, but it happens.