Slashdot Mirror


Ask Slashdot: IT Personnel As Ostriches?

MonOptIt writes: I'm a new IT professional, having recently switched from a different sci/tech field. My first gig is with a mid-size (50ish) nonprofit which includes a wide variety of departments and functions. I'm the sole on-site IT support, which means that I'm working with every employee/department regularly both at HQ and off-site locations. My questions for the seasoned pros are: Do you find yourself deliberately ignoring office politics, overheard conversations, open documents or emails, etc as you go about your work? If not, how do you preserve the impartiality/neutrality which seems (to my novice mind) necessary to be effective in this position? In either case: how do you deal with the possibility of accidentally learning something you're not supposed to know? E.g. troubleshooting a user's email program when they've left sensitive/eyes-only emails open on their workstation. Are there protections or policies that are standard, or is this a legal and professional gray-area?


  1. Simple Answers to Simple Questions by Anonymous Coward · · Score: 5, Insightful

    Yes

    IT has access to everything and should read nothing. The content is just that, content. It doesn't matter.

    1. Re:Simple Answers to Simple Questions by Anonymous Coward · · Score: 3, Interesting

      That wasn't the question. What do you do when you did read something inadvertently? You can't unread "Irregularities in the pension fund". Do you pretend that you don't know? What if it's something illegal / against company policy / unethical?

    2. Re:Simple Answers to Simple Questions by khasim · · Score: 4, Insightful

      I prefer the term "professionally disinterested".

      If it is NOT evidence of a crime then you ignore it. Or you use that knowledge to avoid finding out anything more about the topic.

      If you have any questions then you bring those questions to HR.

    3. Re:Simple Answers to Simple Questions by Raumkraut · · Score: 3, Interesting

      Does your country have laws protecting corporate whistle-blowers?
      It's a lot easier to defend your position if it's the FBI asking you to make surreptitious copies of documents, after they called you following an "anonymous" tip-off...

    4. Re:Simple Answers to Simple Questions by mysidia · · Score: 5, Insightful

      Your best bet is to "forget" you read it; never acknowledge that you saw it, and assume the best.

      For example, just because someone wrote about supposed "irregularities in the pension fund"; doesn't mean there are irregularities in the pension fund, it may just be some ignorant person spouting out / jumping to wrong conclusions.

      There are also paranoid folks who will say such things, until it's proven that no, there was just some minor typographical mistake and everything's fine.

      Just like when a person tells you "I turned off the firewall, but it still gave me the error message." Doesn't mean they managed to break into the server room and replace the corporate firewall with a closed circuit; they haven't a clue what they just said.

    5. Re:Simple Answers to Simple Questions by wisnoskij · · Score: 1

      You ignore it. Don't think about it, don't gossip it around, pretend you did not see anything.

      --
      Troll is not a replacement for I disagree.
    6. Re:Simple Answers to Simple Questions by wisnoskij · · Score: 5, Insightful

      If it is actual evidence, and not just gossip, of real law breaking that is something only your conscience can decide. As for everything else, including things that are clearly breaking company policy, as long as it is nothing or little to do with your job ignore it. You are not paid to rat on your peers. And telling your boss that Bob in accounting steals office supplies is not going to earn you any promotions or friends.

      --
      Troll is not a replacement for I disagree.
    7. Re:Simple Answers to Simple Questions by Anonymous Coward · · Score: 2, Insightful

      In my career I've had access to everything from HR data, payroll, ethics/legal investigations, etc... never really looked at it other than the few times I commented to the programming teams about them having debugging on in their code (in production), potentially spitting out private/sensitive information into the logs, etc (one time one team had company CC#'s with names, SSNs, etc). It is what it is - I just inform them they shouldn't do that, but don't really pay any attention to it.

      I have never, even though I've had access, actually gone into the databases doing queries or anything "looking". I'd consider that horribly unprofessional, unethical, and potentially illegal.

    8. Re:Simple Answers to Simple Questions by grcumb · · Score: 5, Insightful

      That wasn't the question. What do you do when you did read something inadvertently? You can't unread "Irregularities in the pension fund". Do you pretend that you don't know? What if it's something illegal / against company policy / unethical?

      We used to call it 'being trustworthy'. Not sure what the term is today.

      People need to know that they can rely on you under pretty much any circumstances, otherwise they'll stop calling and you won't be able to do your job. That means ignoring pretty much everything.

      I say pretty much, because there is a line past which you cannot remain silent. For me, it was child pornography on a customer's computer. I called the police and handed over the equipment.

      This was in a small town, and it ruined my life, by the way. The owner of the computer was a prominent citizen who immediately accused me of planting the material, then began a slur campaign against me. The town, as the saying goes, wasn't big enough for the both of us. After more than a year of this, I had to leave. I'd lost my job, and I'd lost half my friends.

      Some time later, I ran into an acquaintance from that town in an airport. His first bit of news was that the kiddie diddler had finally been convicted. His own smear campaign finally had the effect of bringing three adult victims of his out. They testified against him and put him away. The lesson I learned is that, sometimes, there is justice in this world. But it doesn't come free.

      So yes, you need to be - and you need to be seen to be - completely, implicitly trustworthy. How you do it is simple enough: Always be there, never be seen to be part of the gossip. Be open and obvious about everything you do, and never, ever work in someone's office with the door closed. Equally, though, you need to be seen to be the kind of person who will do the right thing. That's a little harder to do and, as I've recounted, sometimes comes at a cost.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    9. Re:Simple Answers to Simple Questions by neilo_1701D · · Score: 2

      You ignore it. Don't think about it, don't gossip it around, pretend you did not see anything.

      And start looking for another position if warranted.

    10. Re:Simple Answers to Simple Questions by MindStalker · · Score: 1

      As you don't know the details you simply stop reading. There could be any number of "irregularities in the pension fund", maybe a transaction was reversed or a simple typo, it happens all the time. Unless you continue reading to know the full details such a headline means nothing. In reality pretty much no matter what you accidentally read, most "small snippets" are almost never accurate towards the full content.

    11. Re:Simple Answers to Simple Questions by Anonymous Coward · · Score: 2, Interesting

      As a sysadmin, there isn't the option of doing things the wrong way. Your job security and salary actually depend on you knowing "the right way", especially when everybody wants to cut corners. This is why you always make sure you speak your mind, and if still the managers and leadership want to do it their ass-backwards way, you get to say "I told you so".

      After a few years, most of the good ones will start listening to you, even if you're totally fresh in the role. THIS is why you never just bow your head and remain silent. Consider it an investment, not necessarily in salary, but getting a say in how things should be done. Otherwise, leadership and managers will think it's someone else's fault when they screw up, so there's really no other option to it.

    12. Re:Simple Answers to Simple Questions by guruevi · · Score: 1

      If I don't know any further details, I'll take it as if it were the best case scenario and someone found some irregularities and is fixing it. Irregularities doesn't mean something illegal happened, there are plenty of ways to siphon money out of a fund that don't break the law, that's what accountants are supposed to know and fix.

      If something is blatantly illegal, follow the corporate policy and report as necessary to superiors and if that fails or is not feasible, authorities. Remain as anonymous as possible, do an anonymous report to HR or at least ask them to keep your identity concealed etc etc. And trust me, authorities don't give a shit about what is and isn't legal within a corporation, you file a report and nothing ever happens unless millions of dollars are going in the wrong (read: not in their) pockets. Even the corporation won't care if an accountant syphoned 100k to their personal bank account; they'll fire the dude/dudette and carry on because the bad press will hurt their stock/client base more than the 100k. For the 'regular' guy, $100k or even $1M is a LOT of money, within the billion dollar corporation this is chump change and well within their calculated losses.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    13. Re:Simple Answers to Simple Questions by gweihir · · Score: 1

      Don't ever use that information (except to decide to resign your position _without_ giving honest reasons). While the moral thing might be to act on it, the practical thing is that you do not have the position/role to do so and it will always be to your detriment.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    14. Re:Simple Answers to Simple Questions by gweihir · · Score: 1

      Exactly. You are not an enforcer. You will always get to see things like that with enough access, just too many human beings are scum. But unless you have the power to do bad things to people (and you want to do that), walk away.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    15. Re:Simple Answers to Simple Questions by currently_awake · · Score: 1

      Your ability to do your job requires trust. If they think you are spying on them they won't trust you. Ensure you don't say or do anything about anything you see, or your job will get harder.

    16. Re:Simple Answers to Simple Questions by Wycliffe · · Score: 1

      When it's the discussion about budgets that affect your department, including laying off staff, you're a complete fool if you don't get your resume out there.

      When as IT should you ever be reading a "discussion"? You might see a subject or two about budget or even layoffs but you shouldn't be reading the actual emails and without violating your position and reading the emails you are usually just guessing at what is really going on. If you find yourself constantly curious and want to read other people's emails because of some snippet you saw then you might want to think of changing to a career where you are not constantly being tempted to do something illegal/immoral.

      That being said, I did once discover someone in the office was pregnant before it was announced after seeing a subject of "What to expect your 9th week". I kept my mouth shut and didn't say anything and she soon announced it but it could have had a different outcome. She might have been tracking her sister's pregnancy, she might have decided to have an abortion, or I could have misinterpreted the snippet that I saw. Either way, NO ONE, not even your boss wants to know or think about the fact that you have access to their emails. When I log into someone's email I always ask them for permission and then ask them for their username and password. ALWAYS. I don't need their username and password to access their email but I don't need to draw attention to that fact as most people routinely treat their email as private and although if they think about it they probably realize that you have access to everything they would rather pretend that you don't. We run a web based service and our phone support actually do the same thing with our customers. They always ask for their username and password. Again, they don't need the password and amusingly enough they can't even easily verify that the password is correct but it seems to calm people when they voluntarily give you their username and password before you start messing with their "private" data.

    17. Re:Simple Answers to Simple Questions by Anonymous Coward · · Score: 1

      "When I log into someone's email I always ask them for permission and then ask them for their username and password. ALWAYS. "

      I assume you mean you ask them to type in their password to the keyboard right?

      No IT policy should endorse users giving passwords to anyone, including IT staff. Otherwise social engineering becomes trivial.

      Great post, btw.

    18. Re:Simple Answers to Simple Questions by Dan541 · · Score: 1

      Just ignore it. It's not your business to snoop.

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    19. Re:Simple Answers to Simple Questions by Etcetera · · Score: 3, Interesting

      Your best bet is to "forget" you read it; never acknowledge that you saw it, and assume the best.

      For example, just because someone wrote about supposed "irregularities in the pension fund"; doesn't mean there are irregularities in the pension fund, it may just be some ignorant person spouting out / jumping to wrong conclusions.

      Case to case basis. "irregularities in the pension fund" is something that could be ignored, "couldn't dispose of the corpse last night" puts you in a spot where you might be committing a crime by not reporting.

      Actually, you'd probably be committing a crime by not reporting there too... In both cases, if it could be proven you were aware of it. What you're talking about is the different levels of moral responsibility between the two cases.

      To answer the OP, as someone who's had root at large positions... Assuming you are not intentionally spying on something or doing something at the behest of a security directory, legal, or other internal affairs-ish agency (which probably doesn't exist at your smaller company), you should treat everything as if you were a cop and you didn't have a warrant. You're not going on a fishing expedition, but if something is "in plain view", it is not inappropriate to use common sense and reason to consider that information now available to you and make choices accordingly. If that means calling your CFO/Legal that's one thing, if it's police that's something else.

      Overall, it's hard to go wrong with the time-tested advice sudo lectures you with, specifically #1/#3:

              We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:

              #1) Respect the privacy of others.
              #2) Think before you type.
              #3) With great power comes great responsibility.

    20. Re:Simple Answers to Simple Questions by JWSmythe · · Score: 1

      Right. The "irregularity" may be that the dates are showing in the wrong format on the monthly report. Or that it's 90% less than what it should be. It could be assumed that because there are emails going around, it's already being investigated by the appropriate people.

      It's not up to the IT people, even if you're a Chief- or Director- level, to follow up on problems in other departments. You could find your employment rather limited if you go to the CEO or CFO about the "irregularities".

      --
      Serious? Seriousness is well above my pay grade.
    21. Re:Simple Answers to Simple Questions by Wycliffe · · Score: 1

      "When I log into someone's email I always ask them for permission and then ask them for their username and password. ALWAYS. "

      I assume you mean you ask them to type in their password to the keyboard right?

      No IT policy should endorse users giving passwords to anyone, including IT staff. Otherwise social engineering becomes trivial.

      Great post, btw.

      So when someone calls IT and asks for you to make a change to their account then you just make it? Of course you need to ask for their password and/or other information to verify that they are truly who they say they are before changing their account or you make social engineering of IT just as trivial. When I call my bank I fully expect them to ask me for my password, my account number, and/or my social security number before they start talking to me. IT is no different. Social engineering education is very similar to educating kids. You tell kids "an adult should never ask you for help". You tell your users the same thing. IT should never ask you for help. If YOU need help and call them then expect them to ask you for personal information to verify your account before they help you but never give out information to anyone that calls you and asks you for the information.

    22. Re:Simple Answers to Simple Questions by Ozymandias_KoK · · Score: 1

      You actually ask for user passwords? That's kind of a big no-no. Even worse as you mention you don't need it.

    23. Re:Simple Answers to Simple Questions by david_thornley · · Score: 2

      Of course you verify identity first. Just don't ask for the password.

      You don't want users accustomed to giving out a password on the phone. If they're accustomed to giving it to somebody in IT, they'll probably tell it to somebody who pretends to be IT. If you tell them never to help IT when they call, you're setting up a problem when somebody in IT needs to ask a question, like "Do you really need that 342M email attachment in your mailbox?".

      And, if you're giving your online banking password out over the phone, either find a new bank or stop doing anything online. Seriously.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    24. Re:Simple Answers to Simple Questions by stoborrobots · · Score: 1

      Indeed.

      Or the fragment might be part of a statement like "following the issues with the Enron case, we've put in some additional measures to prevent any irregularities in the pension fund" or even "Did you see that episode of the IT Crowd where the new boss was asking the IT department for help deleting the files which showed the irregularities in the pension fund? What a classic..."

  2. blahblahblah by retchdog · · Score: 3, Funny

    why the fuck are you asking here, of all places, about office etiquette? haven't you noticed that over half of the people here are bitter, miserable burnouts and misfits?

    are you also asking on the christian abstinence forums about finding prostitutes?

  3. yes, ignore office politics by Anonymous Coward · · Score: 1

    Then you will be surprised when the players of office politics conspire to fire you. And they will. It's what they do. Because you're IT. You're the scum of the office by definition.

    1. Re:yes, ignore office politics by 1s44c · · Score: 1

      If you help people, facilitate, make their work lives easier, you won't be the scum of the office.

    2. Re:yes, ignore office politics by Anonymous Coward · · Score: 1

      So you are saying he should scan all their data and build dossiers with inciminating information for every employee, that he can use later as blackmail if they start conspiring against him? Is that the solution?

    3. Re:yes, ignore office politics by SuricouRaven · · Score: 5, Interesting

      Ideally, but office politics is complicated. Sometimes making one person's life easier makes another's harder - teach the micromanager that he has the ability to add items to his underlings' Outlook calendars, and said underlings are going to be annoyed. Sometimes people actually like their lives to be harder, for not-apparent reasons.

      For example, having worked at a school in IT support, part of my job was to maintain the various measures used to keep the students away from games in lessons. Due to some sadistic tendencies, I have become quite skilled at this. New games sites appeared all the time, and were quickly blocked - often while a student was trying to use them. We watched their screens.

      Until some of the teachers started acting very annoyed, and complaining about us interfering in lessons. Why would they do this? We were trying to make their lives easier, keeping the students from entertaining distractions so they would focus on their work. We were enforcing the usage policy, everything by the book. What we hadn't realised is that many of the teachers were well aware of the gaming going on in lessons, and turning a blind eye to the class clown. Games keep the disruptive student busy, and if he weren't playing the latest flappy bird clone he would just be jumping around the room, distracting his friends or demanding most of the teacher's attention. So when we stepped in to 'help' the teachers, we actually got in the way of a little trick of theirs by turning the silent non-working student into a class-ruining joker that kept everyone else from working too. All they needed was an excuse to stop us, and it wasn't hard to find one - they just argued to the boss's boss that we were performing 'classroom management,' a function that the union said must be the exclusive domain of teachers.

      The way the workplace actually functioned differed from the way it actually functioned. By not noticing the unwritten procedure in use, we disrupted it and caused friction with another department.

      We still block the games, of course. Teachers should learn to manage their students, not just give them an electronic pacifier. We're just a bit more subtle about it.

    4. Re:yes, ignore office politics by I'm+New+Around+Here · · Score: 1

      You misspelled "inseminating".

      --
      If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
    5. Re:yes, ignore office politics by ruir · · Score: 1

      If teachers are able to interfere in your job through politics, even more when it is in bad faith, then your manager is not doing his job. But then, nobody likes censorship. The best way to win this game is not to play it. I would not block games.

    6. Re:yes, ignore office politics by ruir · · Score: 1

      I have seen that movie too. Always a bad move to hire a son of someone with a little power.

    7. Re:yes, ignore office politics by bzipitidoo · · Score: 1

      Most answers to these questions are concentrating on the snooping. System admins should not snoop, unless specifically told to do so by someone in authority.

      But few are talking about office politics. Do not stick your head in the sand! Listening to the grapevine is not snooping. Learn what's going on the same way everyone else can, by keeping up with how the company's presentation did at the trade show and that sort of thing, not by abusing system administrator privileges to read private email and the like. You have an interest in knowing if the company is about to go bankrupt, be sold, or lay off a whole division. You also want to know if you have enemies and if so, who they are and why they hate and fear you so you can guard yourself. It may be that someone somehow views you as a threat to their job, and they'd like to get you before you get them. Doesn't matter that you aren't a threat, what matters is that they see you that way. You may be able to show them otherwise, and they'll stop trying to plant knives in your back. Or maybe not. There are a lot of sick bastards out there who want power so they can enjoy making others sweat, make their lives hell. You don't want to be surprised by your job being eliminated, and if that's likely, you want to know that with as much advance notice as possible.

      --
      Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
    8. Re:yes, ignore office politics by SuricouRaven · · Score: 1

      I managed to mess up in editing to the extent of making a statement that cannot be logically true. Hmm.

    9. Re:yes, ignore office politics by SuricouRaven · · Score: 1

      Not network games. They wouldn't get through the firewall. In this school - and I assume most - the big problem is flash game sites. Students love them - flappy birds clones were for a while, but Happy Wheels used to be huge, and there was a big tower defense game fad too. We block them, of course - but students are persistent, and will go to great lengths. Even if that means spending an hour going through page after page of google results looking for a site that isn't on the blocklist. Some of them even discovered you can put 'game' into google translate and search on that to find whole new game sites that aren't blocked.

      We'd disable flash if we could, but a lot of education sites and various important testing services demand it.

  4. Not sure why this is a question by GeekFreak · · Score: 5, Insightful

    I treat everyone's email the same: I don't read it. I may see subject lines but I don't see the technical reason requiring you to read them. If it's a temptation, might want to re-evaluate your own professionalism.

    The same with politics and gossip: keep it to yourself; do not participate. If asked a question, smile and decline to comment. Be polite and cordial but trust no one.

    Basically: do your job and stfu.

    1. Re:Not sure why this is a question by Anonymous Coward · · Score: 2, Informative

      I call bullshit on this. It seems to be true... but it isn't, not quite.

      IT is typically a support position, not the core business. That limits promotion potential. Worse, when done well it's supposed to be invisible by dint of not breaking down. You can do something about that by promoting yourself, by communicating really well, by showing what went well instead of having to announce another failure you're mopping up after. Like, you've done a bunch of maintenance and introduced a new service. You can announce that with a nice little (short!) blurb extolling the virtues of what you've done and how that helps the company in a way that'll be appreciated. Do this well and everybody'll know what IT is for, what it does for the company, and so on. You make yourself visible.

      The original question, though, was about office politics and gossiping you run into because you meet bloody everybody in the company, and about the accidental brushes (I would hope so, anyway) with stuff not really meant for your eyes. As to that, you indeed don't partake in and do STFU about.

    2. Re:Not sure why this is a question by mysidia · · Score: 1

      I treat everyone's email the same: I don't read it. I may see subject lines but I don't see the technical reason requiring you to read them.

      What happens when you get a request from management to help them identify/bring to their attention people potentially 'abusing' the e-mail system, such as by e-mailing sensitive information out of the organization, or by identifying employee(s) sending e-mail that are obscene, abusive, harassing, or contain inappropriate language?

    3. Re:Not sure why this is a question by Threni · · Score: 1

      Read it for a laugh, just don't tell anyone about anything you read, and you'll be fine!

    4. Re:Not sure why this is a question by Cheerio+Boy · · Score: 2

      I treat everyone's email the same: I don't read it. I may see subject lines but I don't see the technical reason requiring you to read them.

      What happens when you get a request from management to help them identify/bring to their attention people potentially 'abusing' the e-mail system, such as by e-mailing sensitive information out of the organization, or by identifying employee(s) sending e-mail that are obscene, abusive, harassing, or contain inappropriate language?

      That's an official request from management and is part of your job at that point even if it wasn't before. Inform HR of what you've been asked to do and if there's a conflict let them hash it out. Document everything and keep a personal copy of the documentation in a safe offline place. If you get fired for doing your job you either have enough documentation to take legal action (if you can afford it) or enough to clear your name if it becomes necessary.

      --

      "Bah!" - Dogbert
    5. Re:Not sure why this is a question by wisnoskij · · Score: 1

      Well of course unless it goes strongly against your conscience or the law you do what you are asked.

      --
      Troll is not a replacement for I disagree.
    6. Re:Not sure why this is a question by Anonymous Coward · · Score: 1

      Here's "what happens":

      There's plenty of LEGAL reasons you might need to access them, but very little LEGAL reason for you to READ them, still. As an admin, it's just as easy to say "here's a text file dump of all email for User X's account in this handy password-encrypted file. To read it, log into heavily secured & audited system X, conduct your investigation, and let me know when you're completed, so I can blow away the VM you were working on and eliminate the chance of this data being improperly accessed."

      If you fear the request is somehow illegitimate, escalate to your own manager, HR, or corporate legal.

    7. Re:Not sure why this is a question by Anonymous Coward · · Score: 1

      HR

      You tell them you need to get approval from HR before you give them access to anything, and even better, you tell them you cannot sift through the email, that they will have to designate another non-IT person to read/go through the documents/email (best if it is HR).

      Stand your ground and they cannot give you crap for requesting that you do not put yourself in liable.

    8. Re:Not sure why this is a question by X0563511 · · Score: 1

      Don't just decline to comment, that's far too open to interpretation.

      Play dumb instead.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    9. Re:Not sure why this is a question by ruir · · Score: 1

      I don't have the time to read their emails, I don't want to, and frankly, I don't give a shit about their emails.

  5. Sound advice I was given by tyggna · · Score: 2

    Just keep the guy who does your yearly reviews happy and make him look good. Also, make his boss look good. If you're like me and have multiple bosses, develop your relationship with the one you think will hold that position longest. Don't burn any bridges unless you have to in order to keep your job. Every company has different standards of security, and an even wider variation of enforcement. Don't intentionally be a butt-head to anyone, and if you see anything that's off policy or could get someone fired, just politely point it out to the individual so they can correct it.
    As for dealing with sensitive information, I usually ignore it. You'll see lots of stuff you probably shouldn't as the only IT guy. Just file it away and don't bring it up again--even if it seems like a good idea or a neutral situation to do so. You don't want upper management finding out the IT guy knows more about the company than they do, or they'll (often unintentionally) make your life miserable.
    IT can be likable, but there will be a lot of people who will make your job harder because of their ignorance. Just do your best to educate them in a friendly way so you can work on more important things than dealing with office dunces all the time.

  6. Don't look for logic by Zero__Kelvin · · Score: 4, Insightful

    Always remember that you are dealing, in your case where your internal customers are not IT savvy, that there is a reason why we refer to them as lusers:

    1) They have no idea how to do what you do, and need you to help them perform even the simplest of tasks
    2) What you do is so simple any moron can do it
    3) Their son / brother-in-law / uncle, etc. is much more of an expert than you. They re-install Windows for them every six months, and made their system much faster by upgrading from a 512GB drive to a Terabyte drive as well as much safer by installing three, count them three different Antivirus products!
    4) You are some kind of idiot, because you haven't done what their expert relative has done

    I wish I was kidding. The reality regarding your question is that as an IT professional you will have access to said sensitive information. It will only make you jaded if there is good reason to be jaded. If there is good reason to be jaded, run don't walk to a better gig.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    1. Re:Don't look for logic by gnasher719 · · Score: 5, Insightful

      Always remember that you are dealing, in your case where your internal customers are not IT savvy, that there is a reason why we refer to them as lusers:

      If I ever hear any IT professional at a place where I work referring to end users as "lusers", I can promise you that the shit will hit the fan.

    2. Re:Don't look for logic by Kuroji · · Score: 1

      Local user, you twit. It doesn't mean 'loser'.

      The fact that the end users tend to look at IT as utterly useless except when something goes wrong, in which case it should have been fixed and prevented from going wrong even when it was the end user's fault, does however tend to promote such an attitude. But the IT guys would have to be idiots to use that term openly.

    3. Re:Don't look for logic by Threni · · Score: 1

      Luser is most definitely loser. Because most users are idiots. No ability to partially diagnose or even use common sense to solve any problem (ie. if the problem persists when you log onto another PC why do you think your PC has a problem?)

    4. Re:Don't look for logic by RoombaRampage · · Score: 1

      In this case co-workers are end users. They are the consumers of the services that IT provides.

    5. Re:Don't look for logic by Belial6 · · Score: 2

      BS. The term 'luser' is specifically juvenile IT people thinking that they are being witty. They are not, and the lame excuse of 'local user' doesn't make their openly hostile attitude OK. The fact that you recognize one would need to be an idiot to use that term openly shows that you know full well that it is intended to be a double entendre.

      Any IT person that uses that term should immediately look for a different career path.

    6. Re:Don't look for logic by Zero__Kelvin · · Score: 1

      Any decent software developer will tell you that your if conditional results in a Code can't be reached compiler warning :-)

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    7. Re:Don't look for logic by epyT-R · · Score: 1

      My aren't we feeling superior today.

    8. Re:Don't look for logic by Anonymous Coward · · Score: 2, Interesting

      No, they don't need a master's, just a bachelor's degree and continuing education and training that will exceed the time invested in a master's and NEVER. STOPS.

      If you're considering IT to be equal to janitors, you are not the person who should be doing the job you are doing.

    9. Re:Don't look for logic by Bing+Tsher+E · · Score: 1

      This is a discussion of IT Personnel. It'd be hard not to feel superior.

      (the toner cartridge in that LJ5 on third floor east isn't changing ITSELF, btw...)

    10. Re:Don't look for logic by SuricouRaven · · Score: 1

      Everyone who has worked in end-user support thinks of lusers. Some of them say it, some have the social awareness not to utter the word, but they all think it or something to that effect. There are websites devoted to swapping stories of luser ignorance.

      My personal favorite is the user I met who used to manage all her documents by running word, going to save-as and dragging files around in the little save dialog, right-clicking to make folders and delete things. In her years of using a computer, she never figured out that you could go to start->documents.

      Runner-up is shared between all of those who have summoned me from across the building because 'sound not working' when someone has turned off the speakers.

    11. Re:Don't look for logic by katarac · · Score: 1

      Hilarious. Pointing out petty condescension is condescending, I guess.

    12. Re:Don't look for logic by I'm+New+Around+Here · · Score: 1

      Everyone who has worked in end-user support thinks of lusers. Some of them say it, some have the social awareness not to utter the word, but they all think it or something to that effect. There are websites devoted to swapping stories of luser ignorance.

      My personal favorite is the user I met who used to manage all her documents by running word, going to save-as and dragging files around in the little save dialog, right-clicking to make folders and delete things. In her years of using a computer, she never figured out that you could go to start->documents.

      Either we've met the same person, or that method is now taught in college.

      --
      If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
    13. Re:Don't look for logic by I'm+New+Around+Here · · Score: 1

      You are too full of yourself. How productive are you when the computer network is down and you can't do your highly paid job? I'm sure you don't pull out a paper and pencil and design your next product. You call and demand the support team fix it, so you can work. So, without them, you are not bringing in any revenue either.

      By the way, you are as replaceable as the IT guy who knows how to fix the system.

      --
      If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
    14. Re:Don't look for logic by Anonymous Coward · · Score: 2, Insightful

      Suffice it to say my experience differs from yours. Too often I ran into users of my software and of those that I may have written portions of, that discerned solutions and detected deficiencies I missed or did not take seriously, respectively. The former was an entire package I wrote to specifications given to me by the head of the firm I worked for (cryptic scribbled / partially illegible notes on scraps of paper) who was a professional with at least one masters in computer science and the owner of the firm that was our client. Get the picture, the user of the software asked how to do something that the owner specified should never be allowed. So I said it was not possible, because I constructed to the specs I was given. That user found a way around it. I learned later the best specs are inclusive, where you get an overview from the upper level and details from the actual users on what their needs on how the package will actually be used. Now for the latter, the user of this accounting package told me records were disappearing and I assured her that was not possible. However, later when I was reading the code (probably to make a custom change) I discovered, yes the deletion code moved to an arbitrary record and deleted that record. So what you might perceive as a "Luser" was an intelligent human being that knew nothing about coding or database theory, but she knew enough that something was amiss. At the time I thought it was the lead of our firm's code and one of his "customizations", since in most respects I was a novice I was utterly stunned but kept my mouth shut. Later I was canned (rightly and soon gratefully) and my replacement, who I trained, though more experienced than I had the same fate at that company.

      I knew my knowledge was lacking, since I have never been formally trained to code. I, like the writer of the request for guidance, came from another science field, which made me see complexities that were for the most part absent. For example, Analysis is not quantum mechanics despite some overlapping terms.

      Advice to you, please control your excessive arrogance.

    15. Re:Don't look for logic by Cederic · · Score: 2

      You condescending fuck.

      If the IT support teams at my company downed tools we'd start losing revenue within minutes, start losing profit within hours and start losing customers daily.

      I'd give the company around 3 weeks to reach an irreversible point from which it wouldn't recover.

      IT may be a cost centre but good luck running your business without it.

    16. Re:Don't look for logic by Ol+Olsoc · · Score: 1

      BS. the term 'luser' is specifically juvenile IT people thinking that they are being witty. They are not, and the.

      And how! The real term is "looser."

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    17. Re:Don't look for logic by sjames · · Score: 1

      When was the last time the IT folks provided revenue?

      Every time a sales guy enters an order into the system and a sale actually takes place complete with product delivery. Shut down IT and the sales guys' productivity will plummet.

      In all honesty, do you really think anything that didn't actually contribute somehow to profit (or even continued existence) wasn't tossed out the window long ago?

    18. Re:Don't look for logic by dbIII · · Score: 1

      or that method is now taught in college

      Seems frequent enough. I've had to populate desktops with icons for people who seem scared of the "start" menu.

    19. Re:Don't look for logic by dbIII · · Score: 1

      You don't provide revenue either but instead contribute to the product that eventually gets sold. Others also contribute. You are a "support" person to the salesfolk if I apply the same reasoning you are applying to IT.
      BTW, I am also a professional engineer but I mostly run computer systems for others these days and assist with the development projects for others. "IT" is not as cut and dried as you like to pretend. Many people would call your job of hardware and software development "IT" and be confused that you seem to be lumping yourself in with janitors.

    20. Re:Don't look for logic by Dan541 · · Score: 1

      I am an engineer. I build hardware and software. We have salespeople too, who sell the stuff we engineers build.
      IT and helpdesk is a cost centre and a drain to the company. When was the last time the IT folks provided revenue?

      As I said, support folks, like janitors and receptionists but slightly better paid.

      You're IT, why are you mocking it?

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    21. Re:Don't look for logic by ArhcAngel · · Score: 2

      (the toner cartridge in that LJ5 on third floor east isn't changing ITSELF, btw...)

      Toner is a consumable and IT does not provide toner nor facilitate their replacement. Please feel free to open a ticket to IT once you have managed to jam the toner cartridge in upside down and sideways for technical support.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    22. Re:Don't look for logic by ArhcAngel · · Score: 1

      Wait? You haven't met anyone whose monitor is broken because the power was off?

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    23. Re:Don't look for logic by david_thornley · · Score: 1

      Alternately, how productive are you when you don't get paid? That could be a function of HR or Accounting. When there's nobody to greet your customers and refer them to the right person? When the smell from the men's room starts reaching your desk and your wastebasket is stuffed to overflowing?

      There's numerous things a business just can't do without, but which don't really make money themselves. These are cost centers. If they weren't important for the company, the company would just cut them, but it's a question of minimum cost to ensure normal functioning, as opposed to possibly adding resources to improve functionality beyond normal.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  7. ignores by ghighi · · Score: 1

    You can't be liable for having knowledge of information that people couldn't be bothered to encrypt. Executives can be lazy with their data and you can't be expected to do special efforts when they didn't do any to begin with. That being said, I would choose to ignore. I have been there, with information very sensitive for a very big company, and just ignored that. A colleague acted upon that same knowledge in a not so subtle way and we almost got in trouble for it; it was harmless so they pretended they did not realise we had access to the documents and left it at that. It could get you fired though, so you might want to just stfu. Now there would be two exceptions to that rule: if you were in a position where you could blow the whistle on some important information for the public good, or if you could get personal gains in the process. It's a moral decision q:

    1. Re:ignores by sumdumass · · Score: 1

      You can't be liable for having knowledge of information that people couldn't be bothered to encrypt. Executives can be lazy with their data and you can't be expected to do special efforts when they didn't do any to begin with.

      I completely disagree. It is in fact your job to assist in this if you are IT. You are in a trusted position and if you gain access to something due to that trust, it is a duty to keep that trust (unless it reveals something so unconscionable that you have to remove yourself from that position of trust).

      The rest, I agree with. An example was not something that happened to me but to a lawyer in a firm I administrated. The IT for another law firm for the plaintiffs in a lawsuit was having drinks bragging about some things he saw. He was making the statements as if in idolization of a couple of the lawyers at the firm. Turns out, one of the defendants of the same suit was there also and overheard some of the conversations. This led to finding evidence that completely nullified the lawsuit as the contract had been essentially broken but not officially broken by the plaintiffs before the breach in question they were suing over. In essence, the plaintiffs wanted out of a contract and were taking steps to void it before those steps ended up causing a failure in another party to the contract from delivering. Their steps to secure resources when they voided the contract removed the availability of resources from the market making the defendant in default of the contract obligations. Instead of voiding the contract, they decided to sue for the breach to recover expenses of setting up their in house facilities to do the contract work themselves- which they planned to do all along.

      So even just telling friends outside of the job can cause things to come back at awkward moments. You have to forget you even noticed the information.

  8. Re:Simple. by Z00L00K · · Score: 2

    I agree - unless something floats up that is outright criminal to the extent of prison time just leave it alone.

    If you find something that's severely incriminating, look for a new job.

    Being a sysadmin means that you have extreme rights and abilities to do stuff, but you shall also have the ability to keep your mouth shut. It's better to keep a distance than to end up on the wrong side in a conflict or legal proceeding.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  9. LOPSA/LISA Code of Ethics by David+E.+Smith · · Score: 5, Informative

    Read the System Administrators' Code of Ethics and take it to heart. Even if your job title doesn't include the words "system" or "administrator."

    It's actually pretty easy to ignore the content of an email if you're focused on the email delivery process (mail server logs, the headers of forged/spam mails, things like that). Similarly, if you're doing FTP hosting or file drops for customers, you rarely need to dig into the content of the files themselves to troubleshoot upload/download problems. There are rarely reasons to dig into the content of whatever you're working on. It does come up, if (for instance) some piece of email has wacky malformed content that keeps crashing the mail client, but IME those situations are uncommon.

    I used to work at a mom-and-pop ISP, in a small town. Our customers included the local police and fire departments, City Hall, and most of the larger law offices and accountants' offices. Since we provided email and Web hosting (among other services), I certainly could have made some locals' lives very interesting. Hell, I had access to the email of everyone in my company, including that of the owners to whom I reported. I'll admit to having been tempted once or twice, but I'm proud to say I never abused my privilege.

    1. Re:LOPSA/LISA Code of Ethics by The_Revelation · · Score: 1

      I'd say David is fairly spot on. The only additional thing I recommend is when arranging to do work on any computer is to ensure the users know to close any sensitive documents and save all their work to relieve any responsibility in this area.

    2. Re:LOPSA/LISA Code of Ethics by sjames · · Score: 1

      I prefer to avoid seeing (or at least actually reading and comprehending) stuff on other people's PCs. Not just for legal liabilities and such, but there are some things they might be emailing about that are perfectly legal but might send me running for the brain bleach. I'd rather avoid that and the subsequent awkwardness.

  10. Just ignore it by Anonymous Coward · · Score: 2, Insightful

    Whether I'm working in IT or another area, I try to ignore what is on people's screens. I consider this a simple matter of manners, not an IT issue. You don't read over other people's shoulders, do you? Do you feel the need to act on every piece of overheard gossip or twitter/facebook post? Dealing with other people's computers should be treated much the same way you treat overheard snippets of conversation on the street. Ignore it and move on.

  11. I've been in your position by neiras · · Score: 5, Insightful

    You can never ignore office politics. You don't have to play the game actively, but you do need to be aware of what's going on around you, who is in what camp, what the major conflicts are. You have to cross battle lines regularly to do your job; you can't afford to be seen as a member of the 'enemy camp' by *anyone*.

    As an IT guy you need people to trust you, which means you need to be ethical. If you see something you shouldn't know, don't go chattering about it. That kind of thing does get around, and you'll lose trust instantly.

    Nothing's stopping you from making personal career decisions based on the information that you come across in your daily work. For instance, if you see that the company is about to be liquidated and you don't want to be around for the mess, by all means polish your resume and start interviewing. Just don't assume that just because you saw something you have the whole picture. You could end up feeling stupid when the private email you saw turns out to be a deliberate test of your trustworthiness. It does happen.

    Keep your mouth shut about the things you see. Look after your career and reputation. Be aware of politics, but abstain from participating wherever possible. After a few years when you have trust and credibility, you can consider climbing the ladder a bit and playing the game - you'll have capital to spend.

    1. Re:I've been in your position by KevMar · · Score: 2

      In IT we have access to everything and that means that our trust and integrity means everything. We will see things that are very personal, we will know things that are very sensitive, and people will trust us.

      If they question our integrity, our trustworthiness, or even our respect for authority then we lose our value to the organization. Once they start to question that, then you won't be able to get it back.

      But if you maintain high standards in IT and gain absolute trust from your coworkers and administration, then you can do some amazing things.

      --
      Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
    2. Re:I've been in your position by __aaclcg7560 · · Score: 2

      I did a PC refresh project where I came upon a cubicle that had 40+ half-filled cups of coffee with mold growing at different stages. After consulting with my project manager, the user didn't get a new computer and the daily report noted why. Both the user and the moldy cups got the boot shortly thereafter.

    3. Re:I've been in your position by Antique+Geekmeister · · Score: 1

      > As an IT guy you need people to trust you, which means you need to be ethical.

      You need to _appear_ to be ethical to gain trust of co-workers, and to improve your position. I'm afraid to say that this is orthogonal to doing a good job at IT. It's often much, much easier and safer to appear trustworthy by being clear, honest, and open. It reduces the complexities of maintaining various approaches to various people.

      But don't mistake such approaches with technical competence or business success.

  12. Be a Professional by Anonymous Coward · · Score: 1

    Regrettably, it seems you have no one to show you what a "professional" is or how to do "excellent" work. I pity you.

    Your job is to do IT work. The person, the person's attitude, the person's opinions and beliefs do not preclude their need for good-to-excellent IT work. Do the work and you will please most people. Do, as a previous poster stated, please your boss and the one who signs your check.

    If you do a good-to-excellent job, you may have earned the right to answer questions about your person, your opinions and beliefs IF YOU WANT. Even Democrats and Republicans can wholeheartedly agree about things like the local sports teams or colleges. You don't have to talk about everything that enters your head to every other person.

    You don't need to be impartial or neutral to do your job.

    A sysadmin has a code of ethics. Check SAGA for the official organization's code. The information you receive through actual IT work is not yours. For example, it may be necessary to see stuff that is confidential but it is not your right to disclose it. Keep your mouth shut. It also means that when the manager wants to look at all his employees files, you refuse unless it is a bona fide emergency (and provable). You have to protect the privacy of all the people on your network.

    God help you because nobody else is.

  13. Re:Simple. by Anonymous Coward · · Score: 2, Insightful

    Snowden found a different job more important than the one he was doing. It was also his duty to report illegal activity. I think he did a great job.

  14. risk vs reward by irond · · Score: 1

    You always need to look at the risk vs reward aspect when determining whether or not you should pay attention or stick your head in the dirt. If the potential consequences are high, but reward is little, then stick your head in the dirt. If the consequences are low, but the reward is high, then I would pay attention.

    The hard part for you, is determining what really matters to you and what risks are unacceptable. And this is also highly dependent on what normative ethical system you subscribe to.

  15. There's no "grey area" by msobkow · · Score: 5, Insightful

    As an IT professional, you will have access to data that regular employees don't. You keep your mouth shut and you don't snoop. Period. You only look at as much as you have to diagnose and fix problems; the details are irrelevant.

    It's called "being professional."

    Think of it as the equivalent of lawyer-client or doctor-patient relationships.

    --
    I do not fail; I succeed at finding out what does not work.
    1. Re:There's no "grey area" by irond · · Score: 1

      Legally speaking, and depending on where you live, lawyer-client and doctor-patient relationships have defined limits, and so should "keeping your mouth shut". For example, if I accidentally discovered plans, documents, or other communications that would otherwise be in violation of the law, or indicate conspiracy to violate the law, I would speak up. If I could help spare someone's pain and suffering, I would speak up.

    2. Re:There's no "grey area" by gweihir · · Score: 2

      There is only one advice here: Do not. Unless you are a police officer (or live in certain fascist states), you have no obligations to report suspected crimes. And if you make a point of not reading the data you have access to (and you decidedly have no obligation to read it), you cannot be tempted anyways. And then you can always say honestly that you were being professional and did not look if it hits the fan.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:There's no "grey area" by Reziac · · Score: 1

      Not only that, but there are enough examples of the person who brought something to police attention being the one who is suddenly under the hot light, that reporting a possible crime is not a personally safe action. (And IMO anonymous reporting is questionable; it's too often abused.)

      As to clients' data -- the GP has a good point. If you're still interested in snooping, you're not mature enough to behave professionally.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  16. Sgt. Schultz from Hogan's heroes ... by urbanotter · · Score: 1

    I see nothing ... I hear nothing ...

  17. I'm really hoping you are smarter than that by Vip · · Score: 5, Insightful

    Never get involved with reading others' emails, documents, etc., that you are not required to be privy to.

    Never ever let the temptation allow you to see others' performance reviews, salaries, politics. I've seen how it leads to telling someone else and then they become the go-to person for information. And if the information is bad and they didn't share it, even though they had no idea, well, they didn't say that there was a problem, the @$$#013! Hell, I've seen someone with access to the HR database pull up salaries of EVERYONE and share it out. "Oh, can you tell me how much Jason Mcboogerhead is making? What?!? I'm making $1k less?! WTF, time to march off to the manager!!!" [A manager who was stunned at the level of knowledge! AFAIK, no info was given out about how the salary info was found. I found out later when it was offered to me.]

    Ignore any overheard conversations, it'll only be a couple of people talking, who knows the truth and what really is going on? You must throw out any info you "accidentally" pick up too. The obvious is the missing context of the info. As a manager, I've had other directors and managers openly talk about staffing, budget, bonuses, performance or lack thereof, in front of me. In all cases I threw away what I heard, after all, all I'm hearing is a snippet of a longer discussion. It's not my business to try to save John's job if he's pissed someone off, so I'm better off not worrying about it.

    Sometimes I received a list of users to be locked out of their accounts. The only reasons to receive such a list is that they are being laid-off/let-go or in a heap of trouble. I never shared such a list with anyone. It was given to me, as a manager, in confidence. Keep that confidence. Even after the firing, I still didn't tell anyone, there's no point or net positive to be gained.

    In another instance I was at a company that changed their HR such that you logged into a page, and it told you your salary, OT rates, etc. You could print your confirmation of employment for loans and such there too. But there was a bug. This bug allowed me to view everyone's salary, their bank account info and some other stuff in a nice neat chart. I immediately picked up the phone and called head office IT Security and talked them through the bug. They fixed it, phoned me back to test with me on the phone, thanked me and sent off a thank you cc'd to my manager, director, etc., praising my immediate response and "help" in fixing it.

    What I didn't do was say, "Hey everybody, look at this!" and print it off, etc. Nor did I read further than a few lines and then remove it from my screen. To this day, I run into some of the higher-ups from then from time to time, they still remember me, who I was, only because of that email and that to them I was trustworthy.

    It's not up to you to solve office politics, who said what to whom, or anything else. You are there to do IT. So do it and maintain your dignity and professionalism and just don't even think of looking.

    You, and hopefully everyone else, will hopefully see that you are in a position of trust. You are trusted by many to keep secrets. If you can do that, it only helps your reputation. If someone can actually say you are trustworthy in your IT job then you've accomplished a lot and it only helps down the road when you want to switch jobs.

    Vip

  18. So this is how it works by Anonymous Coward · · Score: 1

    In either case: how do you deal with the possibility of accidentally learning something you're not supposed to know? E.g. troubleshooting a user's email program when they've left sensitive/eyes-only emails open on their workstation.

    Pretty simple really. To do your job professionally and ethically, you avoid discovering sensitive information to the greatest extent. If the situation truly needs exposing you to private information or, you do it accidentally, you keep your mouth shut about it.

    Unless, of course, you are someone eating fish tacos inside an NSA control room and delightfully reading all the data that passes through.

  19. The mind is a dangerous thing by gwstuff · · Score: 1

    Just for fun, answer this question and quickly move on to reading the rest of my post. Explanation at the end.

    "HOW MANY animals of EACH KIND did Moses take on the Ark?"

    The mind is a dangerous thing when presented with incomplete information -- it just extrapolates it, sometimes even substituting the incomplete original version with the extrapolated raw version. You might *think* you saw something noteworthy, but it was only your mind showing you a rabbit on the moon.

    This is one of the chief values of privacy - to be able to keep information that was meant for your perspective, and is not ready to show to the outside world, to yourself.

    So I would say ask yourself this question: Is there any ambiguity in your mind about your anticipation of the needless loss of life or property based on what you have seen? If there is, then the benefit of doubt goes to the person you spied on. Consider what you saw as an aberration... mangled data that cannot be trusted.

    As for that question - Did you answer two? It was Noah, not Moses who gathered animals on an Ark.

  20. Re:Simple. by retchdog · · Score: 1, Funny

    this is a good guideline, but it's worth keeping an eye open for someone weak, yet brash enough to engage in criminal conspiracy. it's rare and i wouldn't plan on it, but it's an excellent opportunity to make a sideline income and develop a skillset suitable for a lucrative management position. i won't go into detail on the tactics, but they're pretty obvious. keep in mind, you want hush money and an intimidating rep; you don't actually want a confrontation. start with a moderate offer, on the lines of maybe 5% of their salary, and crank that up as time goes by.

    btw, start going to the gym now; yes, you can always kill the motherfucker, but it's much, much more effective to passively intimidate them.

    --
    "They were pure niggers." – Noam Chomsky
  21. Ignore it by 1s44c · · Score: 1

    If you were not officially told then ignore it.

    Don't backstab anyone. Don't read anything without permission. Don't get involved in anyone's infighting. Do your best to help all your customers, even if they are trying to undermine you. Play politics only as much as you have to, people will try to play you. You have to be aware of it and respond tactfully.

    Your duty to report serious criminality overrides these rules. Your duty to report gross immorality may override these rules, you have to decide that one based on what you believe in.

    1. Re:Ignore it by gweihir · · Score: 1

      Typically, there is no duty to report serious crimes or any crimes at all, except for police officers. (They are not human beings in that regard, just functional elements. Their personal morality has been removed.) Some limitations apply, especially in states with fascistic tendencies. But there basically is no way to commit a serious crime via email or files, so in most cases you have zero obligations to report anything even if you know. Of course, it is better not to know as the very act of snooping could put you into jail as well, and rightfully so.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  22. Re:well.. by 1s44c · · Score: 1

    Fix that before it happens. Tell everyone to never use a work email for personal mail. Tell them to get a free webmail account for personal stuff instead.

  23. Ostriches sometimes, yes by Trepidity · · Score: 3, Insightful

    Other animals that IT personnel may impersonate include canaries and guinea pigs.

  24. part of the job by markdavis · · Score: 1

    First, I wouldn't say a "50ish" people company is "mid-sized" :) But that isn't really your question.

    I can only speak for myself- I can and do see things that are confidential. It is pretty much impossible for me not to. I deal with it by focusing only on my work. Most of the time I don't even really "see" what it is I am looking at... intentionally glancing away or closing things that are not part of the scope of my assistance. Unfortunately that doesn't always work and I am exposed to things that get "registered" in my mind. Sometimes I see things that are disappointing or disturbing... but it is my job to retain confidentiality; that is part of being a professional.

    The hard parts come when/if I see something that is:

    1) Against our IT policies (mostly security practices)
    2) Against company policy
    3) Against the law
    4) Immoral

    Thankfully, after doing this for 27+ years, I have yet to consciously run into anything illegal or immoral. I have run into things against policy and there have been times I had to report it or deal with it... just depends on how severe it was.

    Think of it this way- it could be MUCH worse... you could be a defense lawyer.

  25. Explains all the introverts.... by djsmiley · · Score: 1

    Well most of us are introverts, maybe that's why we end up with these roles. So yes.

    --
    - http://www.milkme.co.uk
  26. Ignore it and move on by Virtucon · · Score: 1

    Don't read it even if you inadvertently see it. Don't repeat things you may have overheard or seen. Testicles, Spectacles, Wallet and Watch all apply.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
  27. Tell me more, tell me more by Tablizer · · Score: 1

    So tell us, what's it like working there at the NSA?

    1. Re:Tell me more, tell me more by __aaclcg7560 · · Score: 1

      Boring as hell. NSA people lived uninteresting lives. No wonder they're spying on the rest of America.

    2. Re:Tell me more, tell me more by Tablizer · · Score: 1

      Splains a lot

  28. a cautionary tale by John_Sauter · · Score: 1

    There is a lot of good advice here, so let me add a cautionary tale. I used to work for a local government as their “computer guy”. I got a call from a user who was unable to watch some video he had on a thumb drive. As part of diagnosing the problem, I logged in to his computer using my own account, copied the contents of the thumb drive to the hard disk, and played it from there. It turned out that playing the video worked from the hard drive and the rear USB connector, but not from the front. I told him this and closed the call, but didn't delete the video from his hard drive. I noted the call in my log, but didn't mention that the video was pornographic.

    Much later, about a year after my employment had been terminated, I got a call from the town's police. One of the detectives wanted to talk to me, and asked me to drop by the police station. It seems that someone had discovered that this user had been watching porn on his computer, and when they examined his computer they found that same porn on his hard drive, under my name. They gave me the third degree, wanting me to admit that I had been the source of the porn. I suspect they wanted me to be the scapegoat, since I was no longer an employee.

    I acted calm, pleasant, truthful and stupid. They told me that I could be in big trouble if I didn't cooperate, and I responded by saying if I lied in order to tell them what they wanted to hear, in the long run I would get confused about what lies I had told, and get caught in a contradiction. Of course, it helped that they all knew me, so I had credibility when it came to being stupid. It also helped that these were small-town cops; I probably wouldn't last five minutes in an NYPD interrogation room.

    This happened more than five years ago, and I haven't heard anything about it since.

  29. yes and no by adwww · · Score: 1

    Welcome to the club, it's such a strange position and one that gives us much more de facto power than one would think at first glance. As the systems grew over time from fancy calculators to automating all business processes this issue crept in and many organizations haven't addressed it directly. Yes you should attempt to be as impartial as possible. However you should consider a serious discussion with your direct supervisor about the reality of having access to all company data. I would go into that meeting with some options you find palatable like: I won't involve myself or notify you unless it's a violation of the organization's fair use policy (which I hope you have). That policy should eliminate any possible crime or directly harmful behavior from a grey area. It is a delicate area but everyone in the organization should be made aware that the systems don't belong to them (likely in the non-profit sector they belong to the public with the board as decision makers) and may be actively monitored at any time. This has nothing to do with you directly; it's a reality of all modern networks and email. The policy should be clear enough to communicate to all employees so they are aware of your duty. All of this is especially difficult in dysfunctional political environments but I've never had a problem letting them establish the rules and applying them fairly. These matters should be communicated with all the top management and board President if applicable. What they choose to do with their careers isn't our affair unless they misuse the systems or break rules we are responsible for monitoring. I've been primary IT for several non-profits and served many small and medium sized organizations in a similar capacity since 1994.

  30. Some common sense by Livius · · Score: 1

    The problem with reading an e-mail that's incriminating is that it may be out of context. If you do not have the knowledge required to fully understand the implications of the data, then there really is nothing you can do.

    For example, at one job I have access to medical files, but I am not the doctor treating the patient and I am not in a position to judge anything about a patient no matter what information I might see. A man could be prescribed Viagra because of a heart condition, or a woman the pill because of a uterine condition.

    If something does unambiguously require some initiative from you, you'll know. And when that happens pay for a consultation with your own lawyer before doing anything.

  31. Mouth Closed plus Education by QA · · Score: 1

    This would be a good time to subtly remind your users, or at least the higher up ones that they should never put something in an email they would be afraid to see in court, or directly read to the recipient, face to face. In the same conversation, you would mention that due to your job, you have access to everyone's email account (as you must) because SOMEONE has to administer it.

    You cannot evade office politics, ever. Just don't do stupid things like buy a new hire a 27" Dell Ultrasharp while your boss's son in accounting is using a 19" Chinese knockoff. Common sense.

    Don't take sides, remain neutral when Sally tells you what an asshole Bill is. DO NOT run over to Bill and tell him. That is what Sally wants. Eventually the peons will stop and perhaps your boss will realize he can share something with you, without the entire company knowing 5 minutes later. Common sense.

    Don't play favorites. If the biggest dick head in the company needs a new workstation, get it for him. If you don't, you are only hurting your company, not the dick head.

    I could continue, but you probably get the drift by now.

  32. The practical answer. by pla · · Score: 1

    We have an awful lot of boy-scouts in this discussion, and while I only believe about 10% of them, they do actually give the right answer if for the wrong reasons.

    The real problem with knowing things you shouldn't comes from your (in)ability to act on them, and the risk of accidentally letting something slip at the worst possible time.

    Consider the best possible case - You find out about a major organizational change, and have some ability to position yourself to exploit it. That happens once a decade, at best, and a lot can go wrong (while you position yourself to take over as the regional director of IT after a merger, you later learn that the buying company plans to 100% centralize their IT infrastructure and you don't even have a job - Or the exact opposite, you start looking for a new job and later learn that those employees who stuck it out through the merger got some insane multi-year severance package).

    Now consider the worst case - Your company's stage four drug looks awesome, highly effective with low side effects, and the FDA will rule on approving it next week. You buy a shitload of stock. Option 1) The FDA approves it, you make a fortune, and the SEC immediately starts breathing down your neck. Option 2) the FDA rejects it for unknown reasons, and you take a bath.

    Basically, your FP has the right idea - Play ostrich. Every time you visit Joe's computer, he has facebook/youtube/a game up and you have to clean out hundreds of porn-related spyware sites? You see nothing. Who cares about Joe - Best for your sanity.

    1. Re:The practical answer. by Krishnoid · · Score: 1

      Option 1) The FDA approves it, you make a fortune, and the SEC immediately starts breathing down your neck.

      It's ok, Martha, I still think they just like persecuting individuals instead of corporations. Plus I continue to use your decorating tips.

  33. Professionalism. by ledow · · Score: 5, Interesting

    In my field, education, it's quite common for the IT guy to be the one with absolute access to more things than anyone else. Nobody else, not even the data-protection officer, or the people on the senior management team, or the people ultimately in charge of the school (the heads and governors) has as much access to information as the IT guy.

    Senior-management team files, HR databases, etc. are part and parcel of the job. The web filter logs are generally very revealing and, hence, why I anonymise them by default (Usually squid logs - which only contain source IP addresses, which can only be correlated to a machine using the DHCP logs, which can only be correlated to a user using the Windows event logs on the AD servers - NOT something you can do accidentally, but also allows you to analyse, spot trends and find dodgy things without immediately revealing the source. When I come upon something that worries me, I go to my boss, ask permission to de-anonymise those records, provide them with my results. I've had to do it a couple of times and it turned out to be nothing, but I've also worked with colleagues who've spotted a paedophile on the staff that way and got them prosecuted).

    Despite all that data access, you don't look. It's that simple. If I'm asked to work on a confidential file or database, that's what you do. It's just data. What you see is just numbers and letters and then forgotten. You do not dig. Not only are there alerts and warnings for digging into certain things (and I don't want to KNOW what triggers those alerts or warnings necessarily, but I know that they are in place on the MIS databases, for example - I only trigger them when it's been part of my job to go into that part of the databases), but it's a matter of professionalism.

    If I become "exposed" to salary details, or witness protection details (children in schools rarely have as simple a home life as they might at first appear to have), or that some child's father is a Colonel in the Army who's asked for his address details to be maintained private, or whatever... that's what you do. You're not there to suck up data, you just treat it like anything else and move on.

    If I suspect illegal activity - there's a lot of activity you CANNOT ignore in a school - I'd go through the proper channels and report it however I'm supposed to. It came up as part of my job, it's not like I was snooping for it.

    I *STILL*, fifteen years into my career, look away when I ask people to set their passwords. I don't WANT to know. I want the deniability if someone gets into their account to say "There is no way I could know their password, without triggering a reset of their account, which would lock them out and inform them immediately anyway". My boss keeps trying to tell me his password "to save time". I don't want it. With it, I could - in theory - change my own salary, or modify any amount of details. Chances are it would get picked up eventually but if you were clever enough, you could get away with an awful lot very quickly, or very discreetly.

    Hence, I don't WANT to know those things. I choose to forget them, unless there is a reason to immediately report them. I suggest you get into the habit of doing the same.
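The anonymise-by-default, de-anonymise-with-permission workflow described in the comment above, as an added example that is not part of the original post. The keyed HMAC token in place of the client IP is an added technique (the comment relies on the logs being separate), and the log lines, the simplified DHCP and logon records, the names and the `approval_ref` parameter are all constructed assumptions.

```python
import hashlib
import hmac
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample data. Squid native access.log fields:
# time elapsed client action/code size method URL ident peer type
SQUID_LOG = """\
1400000100.101     45 10.0.0.21 TCP_MISS/200 5120 GET http://news.example.org/a - DIRECT/192.0.2.10 text/html
1400000160.202     51 10.0.0.21 TCP_MISS/200 7300 GET http://flagged.example.net/x - DIRECT/192.0.2.20 text/html
1400000220.303     38 10.0.0.34 TCP_MISS/200 2048 GET http://news.example.org/b - DIRECT/192.0.2.10 text/html
1400000280.404     60 10.0.0.21 TCP_MISS/200 9100 GET http://flagged.example.net/y - DIRECT/192.0.2.20 text/html
"""

# Constructed, simplified stand-ins for DHCP lease logs and AD logon events.
DHCP_LEASES = [  # (ip, hostname, lease_start, lease_end)
    ("10.0.0.21", "LAB-PC-07", 1399990000, 1400010000),
    ("10.0.0.34", "OFFICE-PC-02", 1399990000, 1400010000),
    ("10.0.0.21", "LAB-PC-11", 1400010001, 1400090000),  # same IP, later lease
]
LOGON_SESSIONS = [  # (hostname, user, logon, logoff)
    ("LAB-PC-07", "user_a", 1399999000, 1400000150),
    ("LAB-PC-07", "user_b", 1400000155, 1400003000),
    ("OFFICE-PC-02", "user_c", 1399995000, 1400005000),
]


def pseudonym(ip, key):
    """Stable token for a client IP. Without the key the small IPv4 space
    cannot simply be hashed and compared, so key custody is the control."""
    digest = hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()
    return "client-" + digest[:12]


def anonymise(log_text, key):
    """Return (timestamp, token, destination host) rows with no client IP."""
    rows = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip truncated or malformed lines
        url = fields[6]
        # CONNECT requests log "host:port" instead of a full URL.
        host = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]
        rows.append((float(fields[0]), pseudonym(fields[2], key), host))
    return rows


def hits_per_client(rows, host):
    """Trend analysis that works entirely on tokens."""
    return Counter(tok for _, tok, h in rows if h == host)


def deanonymise(token, ts, key, approval_ref, leases, sessions):
    """Deliberate three-step join, refused unless an approval is recorded.
    approval_ref is a hypothetical ticket or sign-off identifier."""
    if not approval_ref:
        raise PermissionError("de-anonymisation needs a recorded approval")
    # Step 1: token -> IP, by recomputing tokens for known lease addresses.
    ips = {ip for ip, _, _, _ in leases if pseudonym(ip, key) == token}
    # Step 2: IP + time -> machine, because the same IP is re-leased over time.
    hosts = {h for ip, h, start, end in leases if ip in ips and start <= ts <= end}
    # Step 3: machine + time -> logged-on user.
    users = sorted(u for h, u, on, off in sessions if h in hosts and on <= ts <= off)
    return {"approved_under": approval_ref, "time": ts,
            "hosts": sorted(hosts), "users": users}
```

The timestamp matters as much as the token: the same address maps to a different machine after the lease changes, and the same machine to a different user after a logoff.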

  34. I've been in exactly your position. by hey! · · Score: 4, Interesting

    Long, long ago, early in my career, I spent about fifteen years in the non-profit sector.

    You don't ignore office politics, but you don't take sides either unless there is a crisis brewing -- something illegal, highly unethical, or financially dangerous. When you work in IT, you're in a "support" position, rather than a "line" position. Your job is to support. So when there's a big pissing match between two line functions, your job is to support *both* sides.

    Often this means documenting business processes that sort of evolved via the lava flow antipattern; 50ish is the size where things start to get out of hand, because it's the size where the amateurishly hacked-together processes that keep the organization running start to break down because everyone can't be aware of everything that's going on in detail, in real-time. Make it your business to understand what business systems (not necessarily computer systems) *accomplish*. That puts you in a position to offer a third way, the one that emerges as obvious to everyone once somebody has figured out what's actually going on.

    It's supposedly hard to implement changes in non-profits because of the consensus-driven decision making processes, but I found that I could make that process work for me. Lack of understanding is a vacuum; presented with a clear picture people usually line up behind the obvious solution quickly. But you do have to do your homework. Never surprise anyone with anything in a meeting. Bring people up to speed with things you're going to say about their work *before* the meeting so they don't feel blind-sided.

    In a crisis be prepared to do the right thing. If you're in a non-profit they're paying you below market rates, so you can do better elsewhere. There is no call for getting yourself sucked into something that offends your self-respect. I resigned one job because my superior (the COO) was doing things that were financially reckless and improper (spending without proper authorization). I informed the CEO in my exit interview. That was my solution to the problem of not getting drawn into a persistent pattern of dysfunction.

    When you handle sensitive information, just ask yourself what is the professional thing to do? Be discreet. Resist the temptation to peek at data, and when you *do* accidentally learn something you're not supposed to know, disclose that to the responsible parties. Be trustworthy, and present a trustworthy face.

    Finally, don't let them pay you far below the market rate for your services, and expect a really good benefits package, including 1.5x to 2x the vacation you'd get in a for-profit. Insist on the respect due a professional. Non-profits are full of young people who haven't learned that the IT guy isn't there to be kicked around when they're frustrated, and the fact that you're in a support position rather than a more glamorous line position doesn't make your work any less important.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  35. Re:Simple. by Chas · · Score: 1

    Snowden found a different job more important than the one he was doing. It was also his duty to report illegal activity. I think he did a great job.

    Sure, but in the private sector, you don't have the luxury of exiling yourself to another country for the rest of your life and being seen as a hero.

    --


    Chas - The one, the only.
    THANK GOD!!!
  36. NYJ! by Chas · · Score: 1

    As an IT worker, your job is to see that the company assets you are assigned are functional and delivering proper service to end users.

    It is NOT your job to audit the company's books.
    It is NOT your job to Big Brother company e-mail (unless it is).
    It is NOT your job to run the company.
    It is NOT your job to set business policy for the company.

    This is what they have financial wonks, sales wonks and managerial types for.

    You never know when something you see "accidentally" is:

    A) Blown out of proportion
    B) A test
    C) Misleading
    D) Legit

    So going all "I've locked myself into the server room and am calling the police!" could be both wildly inappropriate AND career-ending.

    Sure, you don't want to aid, nor abet immoral/criminal activity.

    But it isn't your job to arbitrarily decide what that is!

    Now, if the feds come knocking on your door, asking for data, go ahead! At that point, you're pretty much safe.

    Until then, you're simply a disruptive influence to the company that needs to be let go.

    --


    Chas - The one, the only.
    THANK GOD!!!
  37. Secretaries by patabongo · · Score: 5, Insightful

    If a secretary with no professional qualifications can take minutes in a senior management meeting and maintain confidentiality about what was said there's no reason you, as a theoretically highly-educated IT worker, can't do the same about the content of emails you happen to read in the course of doing your job.

  38. I worked helpdesk for a large employer by scorp1us · · Score: 3, Insightful

    I started out all full of piss and vinegar and eventually learned to relax.

    You will only make enemies if you play politics. Only play in politics that involve you directly. Let everything else go. It's not your job to know it though you have the ability to. You won't be faulted for not disclosing something that your privileges allowed you to know, but declined to know.

    Be everyone's friend. I made friends and gained people's trust by being fair. They told me even more. I could go around uninstalling their games and stuff... But I didn't because it'd just piss them off. So I just told them I saw the game and if something starts behaving weirdly, I'm going to blame the game first, and that they should uninstall it before I came back. That seemed to be enough to cover my ass in the event someone else found it and reported it to the head of IT. It kept me from making enemies. Exercising restraint is the key to success. If no one likes you, they won't put in the good word.

    --
    Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
  39. happier the less you know by davemchine · · Score: 2

    I spent about twelve years as an IT director. I had access to every email account and every document created including financials. I discovered that most of my co-workers were doing their absolute best to stab each other in the back. The lies were rampant. Management was also lying to the employees (leading from the top down?) about company finances. It made me very unhappy to know about all the horrible things they were doing to each other. I think I would have been much happier not knowing all of those things. So my recommendation is to ignore all of that information you could "see" and just do what's necessary for your job.

  40. Listen but don't speak or read. by GrantRobertson · · Score: 1

    I was the IT manager of a hospital. The HIPAA rules apply. You can't repeat what you hear and you can't read what you weren't supposed to see. Seriously, learn to not even focus your eyes on private information. However, there is nothing wrong with using what you hear to help you make decisions about what you should do, such as leaving a business that is in financial trouble or setting aside some server space for that expansion someone is planning but didn't think to consult with IT about.

  41. Re:Information Is Power by Cederic · · Score: 1

    Sure, good luck with that one.

    After all, you're talking about playing with the big boys here. They got where they are because they're good at it, not because they lucked into some useful information.

    Make just the slightest mistake when you make your moves and you'll be obliterated. And let's face it: if you're in IT it's probably not because you have great people skills, political acumen, charisma or connections.

  42. Re:Simple. by mjwalshe · · Score: 1

    To be honest for a non-profit the worst they might be doing is being naughty with donations - unless it's a front for really naughty people, in that case talk to your country's security service.

  43. Unless it is blatantly illegal... by BobandMax · · Score: 1

    ...it stops with you. I saw many embarrassing/absurd/job threatening/demeaning things while servicing employee computers. One of them belonged to the company president. None ever appeared to be criminally illegal and did not go beyond me. Part of the job.

    --

    "Computers are useless. They can only give you answers."
    -- Pablo Picasso
    1. Re:Unless it is blatantly illegal... by gweihir · · Score: 1

      Even if it is criminal (or rather looks criminal), look the other way. You are not a cop. Except for rare exceptions in some fascistoid states, you are not required to report crimes. If you think you need to report something, consult a lawyer first. Really, do it, and not the company lawyer. Pay for one yourself.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  44. do your job, shut the fuck up by ruir · · Score: 1

    You are in an excellent position to learn, you are forced to as you are alone. Stay away from politics, learn a lot, prioritize your work, study a lot in your free time. In 1.5 or 2 years, leave this job for a better place.

  45. Like a priest at confession by Rick+Zeman · · Score: 1

    Anything you learn during the course of your duties should never be discussed. What you learn around the coffee machine should be not talked about either lest people jump to the wrong conclusion.

  46. Ignore everything except child pornography... by __aaclcg7560 · · Score: 1

    You can pretty much ignore everything around you that doesn't violate company policies. Except child pornography. I did a PC refresh project at a local hospital when my coworker came across child pornography on a workstation. He reported it to our supervisor. Together they reported it to security. They each had separate meetings with the security chief and the hospital attorney.

    The worker -- a high-level administrator -- freaked out when he didn't get a new computer and his old computer sat on his desk without the hard drive. We stonewalled him on what happened to the hard drive, as security confiscated the hard drive as evidence. He spent a whole day running around like a chicken with his head cut off, unable to do any work and no one saying anything to him. Police were waiting for him the next morning. Because this was a hospital that had a reputation to protect, the news media didn't report on the case.

    1. Re:Ignore everything except child pornography... by Dan541 · · Score: 1

      If he was smart he would simply blame the IT department. They are the ones who can install anything on any computer.

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
  47. Certainly no logic there by dbIII · · Score: 1

    Well at least you've managed to get a sense of superiority out of replying to these comments even though you do not seem to have grasped the context of the discussion.
    Calling an IT person a janitor as an insult shows a lack of respect for both and is as stupid as calling a marketing person a hooker or a finance person a thief.

  48. You ignore the shit. by jtownatpunk.net · · Score: 1

    I remember the first time an employer realized that I had access to everything. She froze for a few seconds while she processed the idea, shrugged, and went on with her request.

    You're going to learn things you don't want to know and see things people don't expect you to see. My least favorite experience was someone who had an email stuck in their outbox. "Subject Re: Re: Re: Re: Re: My widdle wuvvy bear From: Not His Wife" And thank you so much, preview line, for confirming the content. So, with a straight face and chipper tone, "Next time a message gets stuck, you can just select it and hit delete." I didn't add, "And you, of all people, should know better than to use company email to conduct that sort of activity because we archive everything. I just did an archive search for you last month."

    My most favorite was when I was helping someone with some simple thing and minimized her browser to discover that her desktop wallpaper was a picture of her frolicking in a bikini. Again, just go on like it's nothing out of the ordinary. Heck, if I looked like that, I'd want to look at me all day, too. Oh, and there was an intern who, when she finished her assignment, cleared everything off her desktop except a topless pic of herself.

    If I'd seen evidence of blatant criminal activity or harassment, I would have reported it to the person's manager and my boss and let them deal with it. But politics and gossip and salaciousness were ignored. I was employed to keep the equipment running, not be the morality police.

  49. Here's 18 years ... by CaptainDork · · Score: 2

    We have the same job and I've been at it 18 years.

    The first thing to bring up to management is a Technology Administration Policy.

    In there provide the expectations of the Firm, and include any prohibitions regarding use of social media, games, personal email accounts, and other productivity-related issues.

    State that all of the Firm's technology, and the products of that technology (documents, spreadsheets, emails, etc.) are owned by the Firm and WILL be inspected as management directs.

    In the Policy inform all employees that they are to report violations, or suspected violations of the Technology Administration Policy to you.

    There are other issues you can cover in there like password rules, prohibitions for using business email for personal use. Get management to work with you so everybody's on board.

    Here's some other stuff:

    Don't snoop. Ever. Tell management point blank that you are not snooping, and will not snoop unless management tells you to. When they tell you to take a look-see, especially if they are concerned about abuse of one person, snoop and report on several others. This covers you and management later, if questioned.

    For some systems like financials, payroll, time card, etc. tell management you don't want entry passwords. You'll work with the individuals responsible for those systems and have those operators log in for you and THEN do your work.

    If something odd happens in there, you want to be the first eliminated.

    I see stuff I shouldn't a lot. If it's a violation on the part of a co-worker, I work it out with them. You want to have a good working relationship with all of your people. If they fight you, remind them that they are actually fighting the Firm. If things get nasty, take them to management.

    When I see stuff I'm not supposed to on management computers, I just keep my mouth shut. NEVER gossip about that stuff. It WILL get back to the wrong people.

    Your job and mine are atypical in that everyone is our boss. Make recommendations via email so you have a trail and let management do informed risk assessment. Remember that you are on the wrong side of the ledger. You are a cost center. Most times when you meet with management, it will be about spending money. That means everyone in the Firm will have to swim a little harder.

    Make life easier for yourself by adopting the right attitude BEFORE you make contact with a coworker: They are absolutely right, and you agree with them. You are on their side, always. It's not you vs them. It's you and them vs the problem.

    Last tip: You're gonna get yelled at. People have apologized to me afterwards. I tell them it's OK. I understand. I'm the guy to yell at because I'm the only one who will fix it, " ... and thanks for the apology. It means a lot to me that you want to clear things up."

    If you and I are professional, we will get past each incident without anyone getting pissed.

    Good luck.

    --
    It little behooves the best of us to comment on the rest of us.
  50. Re:Rules for IT is "IT Rules". by dbIII · · Score: 1

    Well that appears to be one workplace that sucks.

  51. Ignore nothing. Pretend to ignore everything. by Lord Kano · · Score: 1

    To mangle a phrase, just because you take no interest in office politics doesn't mean that office politics won't take an interest in you.

    Pay attention to little things. Watch the comings and goings of those who think they're players. Listen to everything that people try to tell you and never take sides out loud.

    "Yeah, really?" is pretty much all I say when people try to drag me into their battles.

    I hate the games of office politics but I'm a realist and I understand that I have to know the game to avoid it.

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
  52. Discretion, always by Doghouse13 · · Score: 1

    Think three times before talking about, or using, anything that you learn accidentally in the course of doing your job.

    You'll undoubtedly take note of office politics (although you don't necessarily talk to others about the detail, or how you came about it); office politics may well affect how you go about your job anyway, and it often helps to know where the potential traps and difficulties are, so that you can attempt to step around them.

    You never, under (almost) any circumstances, discuss anything confidential that you came upon by accident and weren't entitled to know; if you do so, you are likely to find yourself looking for a new job very quickly - and quite right, too. The only exception I can think of to that would be if you were to come across something that the law or your employer would expect you to bring to an appropriate person's attention, where not doing so could land you in serious trouble if it subsequently came out that you hadn't done so. If unsure, consider covering yourself by questioning it, confidentially but in writing. Escalate, with care and tact, if not happy with the reply. And understand that, in doing so, you're not so much doing so out of duty, as covering your own position.

    (Putting things in writing is a good policy anyway, for almost all aspects of almost any job - NEVER assume that people will choose to remember things the way that you do, or that "nice" people won't attempt to hang you out to dry at a later date, if it serves their purpose. When you agree something verbally with someone, if it's even remotely important, drop them a note confirming YOUR understanding of what was agreed.)

  53. Probably no way to get compensated? by dutchwhizzman · · Score: 1

    The perv probably didn't have enough money to pay for damages to his victims and you? In some countries the government will actually make sure you get a reasonable compensation for the financial and social losses you had, even if the perpetrator didn't have any.

    --
    I was promised a flying car. Where is my flying car?
  54. In short... Yes. by Mysticalfruit · · Score: 1

    Obligatory Uncle Ben quote here.. As someone who has access to everything, you need to exercise a certain level of discretion. However, at the same time you need to have some common sense.

    --
    Yes Francis, the world has gone crazy.
  55. Here's how I handle it by fisted · · Score: 1

    Simple rule: I don't (physically) touch computers where someone's logged in. ssh is okay. If in the process of troubleshooting an issue I need to look into someone's data, they are asked for permission beforehand. If some sort of maintenance on an office computer requires some sort of physical/local access, and there's someone currently logged in on the box, I ask them to log out. Finally, if a user seeks assistance with something where physical presence is required (say, KDE misbehaving (does it ever well-behave?)), then it's the user's responsibility not to make me see sensitive information in the okay-just-show-me-what-you-did step.

  56. As a last resort, maybe.. by s.petry · · Score: 3, Informative

    I have designed, built, tested, audited, and supported security compliant environments for over 2 decades. A decade at a DOD site, and about the same time afterwards with PCI and HIPAA compliance. In many cases, you need to report seeing things you are not supposed to see. "Forget" is illegal in many cases, so claiming it's a viable answer is dangerous.

    That said, from TFA it does not appear to be a legal issue here. Just warning that it's not good advice in general.

    The biggest single thing to put into your debugging arsenal is test data. Need to debug mail, send test mail. Need to test encryption/decryption, make dummy files to encrypt and test. A user can't do something, provide them test data to work with that you know is clean. A user has a display problem, have them bring up the application with NO data loaded. These are extra steps, but worthwhile steps. If users complain about loading test data explain it to them.

    The second biggest thing for you to have handy is a big dose of honesty. If you open something confidential, make sure that someone knows you saw it (you report to someone as an IT professional, even if it's the CEO directly). If you have to access a user's desktop, ask them to watch and make sure you don't open a file that they may not want you to see. If you have to open something you know is sensitive, get permission first (preferably in writing).

    There are surely exceptions (Edward Snowden), but that's a much longer discussion. Sysadmins by nature have access to more than any single person in the company. Good sysadmins don't flaunt or take advantage of that fact.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:As a last resort, maybe.. by JWSmythe · · Score: 2

      I don't see how ignoring is a hard thing.

      I've had access to countless mailboxes, confidential files, and sat down at executives' computers to fix problems. The magic secret is, don't read it. If someone's mail isn't working, so I repair the problem and check it, I see that there are words. I don't read the words. It's nothing more than a passing glance.

      When I have been specifically (and legally) tasked with reading email, I can say that it is amazingly boring.

      Usually, just as you said, if I'm testing functionality of a server, I make something to test with. If I'm testing a mail server, there's no reason to spam a real user's box. I'll create my own test account, do whatever testing needs to be done, and then when I'm satisfied with the resolution, delete the account.

      I have a client who does have confidential data. They are contractually bound not to release that data to any third parties, which could include me. I create my own test files, and move them around. If I only need a small file, it may just be a file that contains the string "testing". It may be a huge file created with dd.

      He also asks about eavesdropping. Simple enough, don't do it. If someone is talking about something to you that you probably shouldn't know about, just say it. "Don't tell me about that." It's been both a joke, and good for covering my own ass.

      --
      Serious? Seriousness is well above my pay grade.
    2. Re:As a last resort, maybe.. by mysidia · · Score: 1

      A decade at a DOD site, and about the same time afterwards with PCI and HIPAA compliance. In many cases, you need to report seeing things you are not supposed to see. "Forget" is illegal in many cases, so claiming it's a viable answer is dangerous.

      This may be the case in the DOD if you open a document you weren't supposed to have opened, as the military in principle doesn't trust anyone and wants to audit any admin's activity --- you could later suffer a judicial inquiry for opening such and such document and not reporting it, whether you actually saw or read any of the text or not; that could in theory be true within any organization, however, whether you reported it or not.

      My argument is you should ignore and forget the content as early as possible, as in before you have actually "seen" or begin to have any comprehension of whatever is there. If you would know what the content is and you would know that you are not supposed to have seen it, then by the time you realize what it is about and you realize it's something you shouldn't be seeing, then you have already failed to practice this strategy.

      This doesn't mean you won't make the proper note or annotation for your reason of opening such and such document and finding it miscategorized or inappropriate from a security standpoint, if you did.

      HIPAA and PCI do not require you to remember if you incidentally saw something you were not meant to, such as a primary account number, or hex string representing an auth token; the potential legal violation would come in if you started making an effort to memorize or remember the number or code or write it down, extract it, etc. PCI does not have the force of law, either; it is a contractual agreement merchants agreed to adhere to.

      Neither PCI nor HIPAA requires a specific security policy, however. I believe your "remember if you ever happen to see anything you think you are not supposed to" must have roots outside private industry.

      The violation would be if you disseminated the information, acted upon it, or appeared to act upon the information.

    3. Re:As a last resort, maybe.. by s.petry · · Score: 1

      Under HIPAA and PCI you are also supposed to disclose information on breaches (and yes, this is considered a breach). Disclosure is not unique to DOD in the slightest. The difference is obviously in how breaches are handled. HIPAA can result in severe fines as opposed to being jailed for treason (both extremes). The only punishment available to PCI is a loss of accreditation.

      I will however admit that neither the DOD, PCI, or HIPAA encourage disclosures. HIPAA's minimum fine layout probably causes many people to keep their lips sealed when a breach occurs.

      The most obvious difference is that PCI and HIPAA do not have the same auditing requirements as NISPOM/JFAN. It's easier to get away with minor breaches if nobody is looking. Getting away with them does not mean that the standards don't require disclosure, it just means people don't get caught.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    4. Re:As a last resort, maybe.. by mysidia · · Score: 1

      Under HIPAA and PCI you are also supposed to disclose information on breaches (and yes, this is considered a breach).

      I think you are living in an imaginary world, if you believe that enterprises perform disclosures of "breach", in the event that some sensitive record happens to be inadvertently revealed to an administrator, operator, helpdesk person, or other staff, who is not committing a privilege misuse --- this is not a security breach in the accepted sense.

      This is likely a quite common thing to occur, and yet, we don't see daily disclosures of supposed breaches of this nature.

      My fundamental argument here, is that what you are saying is not aligned with the real world.

  57. Remember: What has been seen can not be unseen by UncHellMatt · · Score: 1

    I work for a small police department, about 50 people and one of the 3 civilian full time staff. In the 13 years I've been in this job, I've learned several things, first of which is my subject line: "What has been seen can not be unseen". I learned this the hard way after someone asked me to assist in ghosting the hard drive of someone who was, in the local parlance, a potential "Diddler", child pornographer. As asked, I ghosted the drive, then when staff found no illegal images, I dug through the drive searching for hidden directories.

    Yes. I found them, all right. Now, I have a daughter, 15 today but only 4 at the time, and some of the images I saw, frankly, haunt me to this day. Back then we had no direct resource for digital discovery / evidence collection, and after seeing those images.... I wrote our discovery and extraction policy and worked out a deal with another law enforcement agency to have their people take care of that. I'm well paid, but there is not enough money on this planet to get me to again see what I saw.

    Over the course of day to day IT stuff, I have seen emails or documents which yeah, maybe I shouldn't see. Sure, I'm CJIS (Criminal Justice Information Services) certified, etc, but I don't need to see some things. But my boss, the Chief, and my coworkers know that all I'm interested in is making sure we're secure, that the officers and staff can perform their jobs, get email, track cases, track safe keeping, evidence, etc and it's going to work. That's it. I'm not the moral compass. Of course, if I saw someone was up to something illegal with my babies (computers) I would gather evidence and present it immediately! And I'm a very vocal advocate for privacy AND freedom of civilians to record police activity, something my coworkers now agree with me on. But if I, for example, read that one officer gets paid more than another officer for his hourly construction detail, that's none of my business. I mostly stay in my office, work on the things I need to work on, study, and do my job.

    IMO that's what we do. We fix things, we keep the show running. That said, you may find yourself with perhaps some leverage. For example, I had one troublesome user who asked my help on installing a piece of software. I went to his desk, asked where the installer was, and he had no idea. So, first thing I did was check the "Downloads" directory. Sure enough, there was the installer, as well as a metric crapton of video files with titles like "Pegging" and "Tranny". He went white... as ... a... SHEET. Not missing a beat, I move the installer to the C: drive and set to. Finish install, enter registration keys, configure, done. As I'm getting up to go, I turned and said "I trust I'll receive no further complaints from this office, right?" He looked, nodded vigorously, and I walked out.

  58. traditional issue by roc97007 · · Score: 1

    These are traditional issues for the corporate sysadmin. Perhaps less now as corporations are segmenting services more.

    Early on, I realized that as an admin I had access to everything, and I had to adopt some sort of moral code in order to function. So things I inadvertently learned I kept to myself, and tried to forget, and even under pressure, consistently refused to use my access to, for instance, allow a manager to spy on another manager (a real example).

    It takes a long time to build trust, and only a single incident to blow it. After a while, employees would come to me with serious private issues, like a potentially damaging email inadvertently sent to the wrong person, secure in the knowledge that if the need was legitimate I would fix it and not talk about it afterwards.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  59. Like a janitor by roc97007 · · Score: 1

    Some people are in sensitive positions due to the nature of their jobs. Janitors have keys for every office, including the CEO. Security personnel are in the position to spy on the entire plant. Sysadmins potentially have access to all communications, data, perhaps even HR records. What you do or don't do with this access is a test of your character. And should, in a perfect world, have bearing on whether your career continues. (Example: TSA personnel saving naked photos for later viewing.)

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  60. Handling confidential information. by paultscott · · Score: 1

    In IT we have access to info that is usually reserved for C level execs. Either accidental reading when troubleshooting or shared in meetings. I have always looked at IT work as a sort of priesthood. What people do on their computer is their business. I don't share it with others. All data is kept confidential. Sometimes knowing when someone is going to be terminated is a little awkward. But you just do your job like you always do and try to avoid office politics.

  61. post to spiceworks community by JeremyBenisek · · Score: 1

    You're the watcher now. Ignore what does risk human life. Speak up if it does. Snowden is a good example.

  62. First have user close windows w/ sensitive content by sydbarrett74 · · Score: 1

    Before I work on someone's machine, I ask that person to close all windows that may have sensitive content s/he may not want me to see. This policy establishes a certain amount of trust with the user. Put the onus on the user to determine what s/he considers private and sensitive. Easy-peasy, and it only takes 30 seconds.

    --
    'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman
  63. Seldom happens by tigersha · · Score: 1

    After 20 years in the business I find that very few people will leave sensitive documents open on their screens when they know you are going to be there so it seldom happens.

    --
    The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
  64. Reply from OP by MonOptIt · · Score: 1

    Thanks to everyone for your responses. The mean response is, frankly, what I expected: be professional & trustworthy, because it's not our job to be otherwise. This is both heartening and worrying; some of the examples above from admins who did "the right thing" set my teeth on edge. I like to think that I'm an honest, open person. However, as Feynman famously said: "The easiest person to fool is yourself". Thanks to the folks who shared the USENIX/SAGE links above. I've now got a copy of the sysadmin code posted right above my KVM/WIP stack, so I'll see it regularly. Optics was easier: photons don't concern themselves overly much with morality and ethics.

  65. As a sysadmin who also sidelines tech support by phorm · · Score: 1

    I'd say that home-user support is often worse than corporate support. Rarely have I had to delve deeply into the guts of somebody's machine. Usually email is either just some headers floating by on a mailserver, or a list of messages as I'm doing a transfer/restore on somebody's machine.

    If a user's machine is somehow infected, you dump an image and restore a fairly well-known list of applications from scratch. Documents are on the network (also to be double-scanned by AV as necessary).

    Home users though. Files can be anywhere. Documents can be anywhere. Going through an infected machine to clean out nastiness that came in deity-knows-when by deity-knows-how can involve sifting through a lot of crap. Copying to a fresh re-image still involves going through old accounts/files and trying to find what should be copied over. People have copious amounts of downloaded crap from the internet. Personal documents. Personal finance info. Saved passwords. Very "personal" videos/pictures, etc.

    The first question I usually ask before digging in is "is there any location you DON'T want me looking on your computer while I do a backup/restore". I also generally get clients to log in themselves rather than providing me with a password (or just reset the password with an admin disk/account) since many people use the same login for a lot of stuff.