IT takes abuse that accounting, HR, marketing, etc would NEVER accept. Just this morning I had some douchebag POUND on the door to the storage room I work in, get in my face and DEMAND that I fix a problem with a laptop I'd worked on last week. The fact that the problem wasn't one I could do anything about didn't make the slightest bit of difference; when I gave him the name of the person he would need to talk to, he looked at me like I'd shot his dog. I asked him if there was something else I could help him with, and he proceeded to shut the door in my face while ranting about how I hadn't done anything to help him. He then went and complained about me to my boss's boss's boss's boss (I wish I were exaggerating.) If I'd been in marketing, he'd have been escorted out of the building by security. But since I work in IT, there will be no consequences for an action that meets the legal definition of assault.
If you went to accounting and said "Pay all our payables but don't spend any money" they'd laugh until they figured out you were serious, and then they'd quit. If you went to HR and said "Hire us some world class employees, but don't interview anyone" they'd do the same. If you went to marketing and said "Get our name out there but don't use any advertising", same result.
Yet people regularly go to IT and say "Fix this problem, but don't do anything that would affect anyone in any way". IT is no more or less important than other departments, but it gets far far less respect in most companies, because the average employee's knowledge of IT matters is far lower than the average employee's knowledge of, say, accounting. The perception is, "I don't understand it, so it can't be important" and thus we get the problems we're discussing.
I'd get off my high horse if I could get said horse and myself out of the trench that the executives have dug for us. Equal treatment would be welcome; we might even be able to fix some of the things you've broken.
They need to explain the risks to management in a manner that management can understand.
Most network vulnerabilities can't be described in monosyllabic words.
Also, here's something to consider.
Clueless Manager Type: "The consultant says we have insecure passwords! Fix it!" IT: "OK, I'll fix it by the end of the week"
Time passes...
CMT: "Hey! It's making me change my password and it won't let me add a digit to my current one! Fix it!" IT: "That's part of the solution to the password problem you asked me to fix" CMT: "I didn't tell you to change how we choose passwords! I told you to fix the password security problem!"
In other words, I want you to lock the door, but I don't want to have to use a key to get in. Repeat the above scenario for any aspect of security you can think of. Managers don't get "Security or convenience, pick ONE."
The real question we should be asking here is why the consultant is even allowed to speak to the executives. All he or she will do is alarm them by using words they don't understand until "set $dummymode=='ON'" and then telling them they better fix it or Bad Things will happen. If the same presentation is made to IT, where the workers might understand more than every third word, real solutions could be found. But that will never happen, because IT can't so much as turn around without executive approval.
Memo to executives: Leave IT the fuck alone. Don't try to make yourself feel important by requiring useless reports and approval. You'll just make yourself look stupid and lose any respect IT might have had for you.
It's rare that an AC leaves a comment that can even see insightful, let alone actually contribute something. At least here in the US the phrase "We reserve the right to refuse service to anyone" would apply. Their network, their rules. If you go into a nightclub and start spewing feces on the other patrons, they don't refund your cover charge when they throw you out.
So, what use are 'security features' if most people cannot understand them, let alone use them?
Security features built into OSs have become less and less relevant in real-world applications. More significant is the fact that most people cannot understand "security features" because your average user is a screaming moron. Like the man said, make something idiot-proof and they'll invent a better idiot.
The real trouble is when security is dumbed down (by order of some executive chair moistener) so that the idiots don't sprain the two or three brain cells they've got (which have long since atrophied due to non-use). You can have all the system-level security you want, but if your users get to have passwords like "password1" and never have to change them, it doesn't really matter WHAT OS you have. Seriously, how hard is it to memorize an 8 character password?
Oh, wait, I'm speaking chiefly of Americans. What was I thinking, most of them can't remember "password1" without writing it down.
The problem is that other ISPs exist that do not care, and that we are all connected to one single Internet.
This is true, but technology exists to filter harmful content at the borders of a given ISPs network (known exploits, spam, virii, etc.). It's implemented with varying degrees of intelligence among ISPs.
So even when you are at a ISP that cares about these things (I am), you still suffer from the million PCs of users at ISPs that don't care, and there is nothing you can do about that.
I disagree. There are many steps you can take to minimize your systems' exposure to harmful content, such as an updated antivirus, spam filtering (on the server and the client), and a correctly configured firewall. I agree that these steps shouldn't be necessary, the problem should be prevented before it's created, but that's like saying you shouldn't have to carry an umbrella because it shouldn't rain.
So an ISP should be required by law to care about this.
In a perfect world, a law could be created and enforced that would acheive this. We don't live in a perfect world. The government tried to do something about one aspect of this problem with the CAN-SPAM act, which has been loudly criticized as a deeply flawed piece of legislation that not only doesn't accomplish what its writers intended, it in fact makes the problem WORSE by giving spammers the right to email anyone once with any campaign they choose, with the only condition that they give you the option to not receive any more messages related to that campaign. Expecting spammers to be discouraged because they're doing something illegal is like expecting your dog not to pee on your rug if you don't let him out.
Don't say it can't be done, my ISP does it and others do.
Yay for your ISP. I'm glad someone in the business world gives a damn about the quality of the product or service they're producing. They're in the drastic minority; most businesses (including ISPs) only care that the money keeps coming in faster than it goes out.
The facts of life in this case are these: Millions of vulnerable machines are connected to the Internet, through a combination of Microsoft's "swiss cheese" approach to security and user ignorance/stupidity. ISPs are unwilling or unable to do anything about zombie machines, either because of resource limitations or incompetent management. To say government is incompetent in this area is like calling water wet. All you can do (until the ISPs figure out a way that curing the situation could make them money) is protect yourself as best you can.
That's a good idea in theory. Unfortunately, where technology is concerned, I don't trust the government to know what an ISP is, let alone realize that people can do illegal things with it.
Plus enforcement would be all but impossible. The tax revenue consumed by such a (IMHO) futile effort could be put to much better use.
The underlying cause of ISPs' apathy towards compromised PCs is that consumer culture in this country (posting from the USA) is broken. The way IMHO that consumerism is supposed to work is if you don't like the way someone is providing a service or product, you'll vote with your pocketbook and go to the competition. In this case, if the ISP that you're on allows compromised PCs on its network, then you get the heck off their network and switch to a provider that gives a damn about security. But the average USian is either too lazy, too stupid, or too cheap to do anything about it, and when you compound those factors with the average USian's complete stupidity regarding technology (see this post for my definition of stupidity vs. ignorance), you have the problem we're discussing.
Re:Why arent governments proacting agaisnt these n
on
Over a Million Zombie PCs
·
· Score: 3, Insightful
why dont governments form a unit to identify and at least notifiy the owners of these machines?
To paraphrase the late great Jerry Orbach playing Lenny Briscoe, "Sure, let's get the government involved. That'll solve everything."
And as far as the ISPs go, I've worked for ISPs that wouldn't even cut someone off for non-payment for fear of their subscriber numbers going down. Do you really think they have the manpower, resources, or interest in doing anything about this until they're forced to by business pressures? (eg, never.)
The only way to fix this problem is user education. And because most users refuse to be educated, or accept any form of responsibility for their own machines, I don't see this problem getting fixed. Ever.
That's an oversimplification, IMHO. Spam works because the spammers can make money on it; in other words, their income from the morons who actually buy things off of spamvertisements is greater than their expenses in sending it out.
The only solution to spam IMHO is to punish or otherwise discourage the people who buy from spam. This isn't as easy as just saying that, to be sure, but if the logistical problems can be overcome, and the courts and legislators can be sufficiently educated and motivated, spammers' sources of income can be reduced, thus reducing their motivation to send the crap in the first place.
Spam is everyone's problem, not just the people on the technical side of the equation. Everyone will need to play a part in eliminating it.
Your Sally example is so stretched as to be pathetic.
Pathetic, yes. Stretched? Hardly. I have first hand experience of multiple employers that treat their employees this way. I know several people who have similar experiences.
If you offer a truly horrible work place then you are not likely to be able to recruit and keep quality people.
Your job market must be different than mine. Around here, the cost of living is so high that people are desperate for a job, ANY job, that keeps the mortgage paid. It's also difficult to interview when unexplained absences or changes in dress reflect negatively on your perceived quality of work, because they KNOW you're looking elsewhere. I know lots of places that have fired people on the spot once they found out they were looking elsewhere.
Every time a real business has to replace a skilled worker it costs them a serious amount of money. Time is spent reviewing candidates and interviewing. More time and expense is spent training the person.
Training. That's a laugh. "Here, sink or swim." And a skilled worker only costs money to replace if they hire another skilled worker to replace him/her. It's more incentive to hire some moron who'll work for an insulting salary just to fill the position.
Note, Sally didn't write in her public blog (where it could be verified) that she didn't like working at Evil Corporation. She simply steered a friend away from accepting a job offer. When pressed about the issue she could easily deny that she said anything negative, because she didn't make the suggestion to her friend in a public manner.
I think you'll find lots of workplaces won't split that hair. Sally got in the way of Evil Corporation's attempts to hire their chosen candidate. The fact that she didn't do it publicly ultimately only matters if the Powers That Be decide that it matters. I've seen people fired for far less.
Life is too short to work at a place like that.
Life is also too short to be homeless.
This isn't about controlling what a person thinks, it is about controlling what a person says in public.
And what I was trying to say in my previous post was that controlling what people say and do in private is a likely next step, if people can be fired for what they say in blogs that is neither slanderous nor libelous nor violates confidentiality agreements. You might think that it's ridiculous to imagine that an employer could have that much power over an employee's off-work activities, but they can already demand evidence of what's in your body (urine test). If they can claim rights to one of your bodily fluids, IMHO this isn't so far fetched.
All I'm saying is, "Enough." Just because you pay me to work for you doesn't mean you own me.
As an employee your job is to please your employer.
And as an employer, their responsibility is to reward and encourage hard work by sharing their success with their employees, who have made it possible. The norm, unfortunately, these days appears to be to reward hard work with more hard work, and to spend the least money and effort they can on keeping their employees happy, or even sane. Why should a good employee stay at a company like that? Because nearly all cases their financial situation is controlled by the employer, and big business knows it, and uses it as leverage in getting the employee to make more profit for the company by any means possible. The playing field isn't level. Big business is trying to tilt it further by making examples of people who comment negatively about their employer in blogs by firing them. The message is, "Toe the line at all times or your ass is on the curb. We don't care if this is on your own time, all your opinion are belong to us."
However, your point is well taken. A smart employee will at least refrain from badmouthing their employer publicly until they at least have another job lined up. But it should be the employee's choice, not the employer's.
That's not really too much for an employer to ask. They are, after all, paying you a salary.
That doesn't give them the right to control what you do and think 24/7. They might think it does, and to varying degrees they can get away with it, but it's something that should be fought against.
What I'm concerned about is the possible slippery slope that could exist here. Today you can be fired for public speech against your company, which may seem logical to most reasonable people. But let's take a hypothetical next step: employers censuring employees for private conversations they may have. Let's say Sally works for Company A. Sally doesn't like the company, for what most people would consider to be valid reasons, and is keeping quiet publicly while looking for another job. A classmate/former roommate/cousin/whatever calls her up and says, "Hey, Sally, I have a job offer from Company A, I was calling to get your opinion of them as an employee." Sally, being asked for her opinion, gives it honestly, and as a result the classmate/former roommate/cousin/whatever does not take the job. Company A gets mad, because they were already having trouble recruiting/hiring new employees due to their reputation as a lousy place to work, and determines that Sally is the one who influenced the decision, in a private conversation between Sally and their candidate. Company A, being the short-sighted profit-grubbing employee-hating company that they are, either fires Sally outright on some flimsy pretense, or makes her job so miserable that she has to choose between quitting and going crazy.
Is the next step after being able to fire an employee for blogging (public speech) requiring an employee to present a false opinion of the company (e.g. as a place to work) in private conversation? This is coming dangerously close to allowing employers to dictate what their employees think, not just what they say. Even if Sally were to say, "Sorry, I can't discuss my working conditions," that could be interpreted as negative feedback and could be used against her.
There's toeing the company line and then there's controlling what an employee thinks. I'm of the opinion that if your employees have (legitimate) problems with their company as a place to work, then that company should IMHO work on improving their employee relations instead of being able to legally shoot the messenger.
Yes, and how long do you think that your average numbskull that is badmouthing his employers on a blog is likely to last once his employers found out. Especially when you consider that the employer has complete access to the employee's computer, proxy logs, and whatever else they need.
So you give your employer unfettered access to your home computer? Do you let them read your mail, too? At least one person this article is talking about (on CNN, not the slashdot summary) had their blog hosted on web space that they paid for out of their own pocket, and presumably they were using their own machine to post to it, not their employer's equipment.
If you don't like your employers and your morale is so bad that you are mouthing off on a public blog then chances are good that you are doing a piss-poor job.
Way to blame the victim. Isn't it just possible that someone who works hard and produces well and gets great performance reviews, etc etc, doesn't like their employers and has terrible morale, but has too much personal pride to let it affect the quality of their work? I know dozens of people in this situation; they work hard, they continually get screwed by their employers, but continue to work hard in the hopes that they can at least acheive some measure of personal satisfaction while they scour the job listings for a job that sucks less.
As far as I can tell, this is just another way for big business to control what their employees do every minute of their lives. Unsatisfied with monitoring their web access, reading their email, testing their urine, and requiring many to carry a pager 24/7 without additional compensation, companies are starting to screen their employees for legal activities during off-work hours, such as tobacco usage(http://query.nytimes.com/gst/abstract.html?r es=F60613FF345F0C7B8CDDAB0894DD404482). What's next? Filtering employees' TV signals for competitors' advertising? Requiring spyware on employees' home personal computers that forwards all email to HR for evaluation? GPS transmitters implanted under the skin?
Granted, this is bordering on tinfoil-hat territory, but seriously, where does it end?
Which probably brings up another way to save money - train the users!
What color is the sky on your planet?
This assumes that there is anyone in IT that has the time, skill set, and/or management support to do any sort of training. I have been in IT departments where anyone who mentioned mandatory training for users quickly found themselves being escorted to the door by security. The mindset is that it's IT's main job function to keep the computers running at all times independent of any other circumstance - which means that anytime a system is down, it's completely IT's fault, even if the system is down because some useless douchebag from marketing spilled their latte in the power supply.
This actually can work in a company where IT is allowed to enforce sane usage/security policies. But when your usage policy is "do whatever the fuck you want with the computers, and if IT tries to correct you, have them fired" it tends to #1 drive up your support costs/workload and #2 drive your IT staff out of their minds and/or out of the company, whichever comes first.
So to keep this comment on topic, I would suggest the original submitter that one way they can reduce costs is by developing acceptable usage policies that are enforceable, have REAL CONSEQUENCES for violations, and have management support. In other words, if the same useless douchebag from marketing loads Bonzi Buddy on their machine and it crashes, losing documents that represent hundreds of man-hours of effort, then they get fired for wasting company resources. These policies, if properly designed and implemented, will lower the number of trouble tickets generated, and free up IT personnel to work on improving efficiency and other important business-growth-enhancing tasks. (Of course, a reduction in trouble tickets will most likely be seen as an opportunity to lay off workers, because as we all know, eliminating the salaries of people who do actual work is the easiest way to cut costs. And keep those seven-figure bonuses for the board in the process.)
This is about as likely to happen as frogs falling from the sky. A few reasons why:
1) Few parents (being a reasonably representative subset of the general population) have the slightest clue how to find out what programs are installed on a computer.
2) If they do find something that little Johnny put on there, they're not likely to know what it is.
3) If they do know what it is, they won't have the slightest idea how to remove it.
4) Didn't you get the memo? Parent's aren't responsible for their kids' behavior anymore. (Video game developers | MTV | Teachers | Homosexuals | The government | The schools | Movies) are responsible for little Johnny not knowing right from wrong.
I'm not saying it's right, I'm saying expecting parents to fix this problem is completely unrealistic in the current environment.
So basically you just made the argument for geeks to go into managment. So why aren't you?
Because I do actual work. Geeks aren't "shunning" management. The reason most geeks don't go into management is because they lack the skill set needed to manage, or indeed to get the opportunity to do so. When HR is hiring for a management position, they look for business or management courses in one's degree, or previous business or management experience. The set of people who have these people management skills AND technical knowledge is extremely small. Even if a geek were to obtain a management or executive position they would soon find themselves alienated from the group if they tried to change the culture towards selecting technology based on its merits rather than the process by which it's selected now (politics, expense, who you play golf with, etc). Managers/executives who don't play the game find themselves on the bench very quickly.
Upper management finds themselves threatened by what they don't understand. In their own self-interest they will prevent people whose practical knowledge exceeds theirs from moving up the corporate ladder. Ultimately a lot of these decisions are made by the beancounters. Try as you might, it's nearly impossible to move from IT to accounting, nor would you want to.
Until the establishment finally wakes up and realizes that they CAN'T run their business without IT, these decisions will continue to be made by those least qualified to do so. IT managers and CIOs can argue until they're blue in the face in favor of one strategy or policy, and more often than not their recommendations are completely ignored. As a consequence, we have the current prevailing business computing environment: entire enterprises taken down by 30 lines of VB code, spyware infesting 95% of business machines, Microsoft holding multi-billion dollar companies virtually hostage to their bugfixes, and IT departments blamed for all of it, when their recommendations would have prevented the majority of the problems.
The situation is this: IT: "We should do A, because if we do B, problem C will happen." Management: "But I don't understand A, so we'll do B." Time passes.. Management: "Problem C is happening! It's your fault! Fix it!" IT: "It's not our fault, you ignored our advice and bought B instead of A" Management; "You're fired."
I was looking for an appropriate post to reply to to state this observation, and this one will serve as well as any.
We can all sit behind our keyboards and debate the merits of COTS vs FLOSS vs whatever.. but at the end of the day, it's all moot. The problem is that when an enterprise is in a position to make a decision of buy (and customize) vs. develop, the people making the decisions will be the ones least qualified to do so. Selecting critical business tools is not a trivial undertaking, and it involves non-trivial amounts of money. And ultimately, fixed initial and recurring costs (in addition to politics and personal connections) are what make these decisions, not the merits of one approach vs. another.
And IMHO this is where FLOSS is at a disadvantage. Your average CEO (and, sad to say, most CIOs) don't even know about open source. You say "open source" and they'll ask you how a computer thingy can have an open sore. Even if (hypothetically) there are significant advantages to an open source strategy, the effort required to get the people who sign the checks to understand the concept of "free" software is frequently far above the ability of most IT people to make. (If they're even given the chance; most executives cannot think in terms of value, they can only think in terms of cost. And if it's free, it can't possibly be any good.)
As an example, let's say Acme WidgetCo needs an inventory program. Vendor A has a solution that meets 80% of the company's needs, and the product costs $100,000. Vendor B has a solution that meets 90% of the company's needs, and the product costs $150,000. Vendor C has a solution that meets 50% of the company's needs, and costs $200,000. Developing the software in-house to meet 100% of the company's needs would necesitate the hiring of additional staff and consultants, at a cost of $125,000 over the development cycle of the product.
Vendor C will get the contract, in defiance of all logic, because Vendor C's CEO plays golf with Acme's CEO.
Merit has nothing to do with this decision. Politics and connections make these decisions. The people who do the actual work just have to clean up the mess, and the company rewards their hard work with poor performance reviews because the software is complete crap, even though no amount of effort could make it otherwise. Sadly, this is considered a benefit because it keeps salaries down.
I'd like to put a plug in for avast! antivirus as well. Updated often, unobtrusive, scans peer to peer and AIM traffic (if you're so inclined), just works. Finds stuff Norton doesn't even look for. http://www.avast.com/ .
Which is exactly the sort of arrogant geek centric approach that has led to bad security.
It isn't arrogance if you're right. Geeks saying "You need to use better security practices" doesn't lead to bad security, the average user's ignorance and stupidity has led to bad security. That's like saying using directional signals when you're driving causes more accidents; you might shock someone into an accident by actually using them, instead of cutting them off, but used properly they make driving safer for everyone.
The access points could have been designed to be secure without anyone ever needing to RTFM. Print the serial number of the device on the case of the box, use it as the default password.
1) Security 2) Convenience
Pick one, please.
Same thing goes for these idiotic WEP keys which I keep having to type into one machine after another. Build the system so that I don't keep having to enter long strings of digits into each new machine I buy.
Yup, having a more secure network is such a pain in the ass. WEP isn't perfect but it's better than nothing.
Oh and while we're at it, would you like some cheese with that whine? Laziness IMHO is one of the chief causes of poor security. If it's such a pain, save the key to a text file and put it on a thumb drive, or available on a share on a wired network, or a floppy disk, etc.
Go over their house and ask them nicely to stop downloading all that porn during the day.
And get subpoenaed in the divorce proceeding.
And/or get sued for invasion of privacy.
And/or get your car keyed.
And/or get your house burned down.
Why any sane person would want to do this is beyond me. I don't want my neighbors knowing what I do online, nor do I want to know what they do. There's way too much exposure here from a legal and liability point of view to be worth it to anyone, IMHO. The sentiment is admirable, but naive.
The odds are that someone on the 'customer' end of this arrangement is going to be sharing/downloading questionable content at some point after the arrangement is made. The way I see it, one of two things is likely to happen at that point:
1) The "provider" party will notice the traffic somehow, and take steps to prevent it. No matter how this is done, it's likely to ruffle some feathers, if not cause an all out neighbor war. Remember, you have to live next to these people.
2) The "provider" party will not notice the traffic, and $randomlargecompanywithexpensivelawyers will sue them. The MPAA/RIAA/Thought police/etc won't make the effort to determine if it's actually the "provider" user or the "customer" user in this arrangement that is infringing on their copyrights/whatever, their SOP is to sue the user who has paid the ISP for the access. The fact that you've essentially become an ISP will more than likely come out in the proceedings if a lawsuit goes forward, but by that time they've already bankrupted you with legal fees and taken your house.
Folks, whipping the spammers isn't effective if you can't find the bastards in the first place. Most spammers have 2 primary skills, 1) duping ISPs into thinking they're legit businesses long enough to dump their email into the stream and 2) vanishing when they're found out.
The solution to spam is to find the idiots who buy the spammer's stuff, and fining them $1000 per transaction. The only way to resolve the spam problem once and for all is to take away the profit motive. This is different than blaming the victim; this is analogous to prosecuting someone who buys obviously stolen merchandise (receiving stolen property). The "reasonable person" test would apply. A "reasonable person" would not believe that you could get Viagra without a prescription legally, get a mortgage at a rate 3 points below the going rate, etc.
We regularly prosecute people whose actions cause harm to the general public, such as drunk drivers. By their actions the people who buy merchandise from spammers are enabling behavior that causes harm to the public, and should be prosecuted.
Clearly my definition is simplified, and these definitions are not black and white. In my view, "stupid" has no correlation with IQ, level of education or material success. I'm thinking more of the case where someone runs into a challenge in the course of living their lives (however they choose to live them, eg what interests they pursue, what vocation/avocation they choose, etc) and instead of meeting that challenge with effort and a willingness to grow, takes the position that they shouldn't have to learn anything further and refuses to consider any other course of action; indeed, they are insulted by the insinuation that there's another option.
I don't know anything about line dancing because it doesn't interest me; if it were in my interest to become familiar with this topic, I would make an effort to learn the necessary information. It might take me a long time to become familiar with it because of my low level of interest and/or motivation to learn anything about it. I disagree that the rate at which one acquires knowlege is an indication of how "stupid" someone is. I would never call someone who puts forth effort into learning new skills and acquiring new information stupid, no matter if they learn quickly or not.
Slashdot Mirror
High horse?
IT takes abuse that accounting, HR, marketing, etc would NEVER accept. Just this morning I had some douchebag POUND on the door to the storage room I work in, get in my face and DEMAND that I fix a problem with a laptop I'd worked on last week. The fact that the problem wasn't one I could do anything about didn't make the slightest bit of difference; when I gave him the name of the person he would need to talk to, he looked at me like I'd shot his dog. I asked him if there was something else I could help him with, and he proceeded to shut the door in my face while ranting about how I hadn't done anything to help him. He then went and complained about me to my boss's boss's boss's boss (I wish I were exaggerating.) If I'd been in marketing, he'd have been escorted out of the building by security. But since I work in IT, there will be no consequences for an action that meets the legal definition of assault.
If you went to accounting and said "Pay all our payables but don't spend any money" they'd laugh until they figured out you were serious, and then they'd quit. If you went to HR and said "Hire us some world class employees, but don't interview anyone" they'd do the same. If you went to marketing and said "Get our name out there but don't use any advertising", same result.
Yet people regularly go to IT and say "Fix this problem, but don't do anything that would affect anyone in any way". IT is no more or less important than other departments, but it gets far far less respect in most companies, because the average employee's knowledge of IT matters is far lower than the average employee's knowledge of, say, accounting. The perception is, "I don't understand it, so it can't be important" and thus we get the problems we're discussing.
I'd get off my high horse if I could get said horse and myself out of the trench that the executives have dug for us. Equal treatment would be welcome; we might even be able to fix some of the things you've broken.
They need to explain the risks to management in a manner that management can understand.
Most network vulnerabilities can't be described in monosyllabic words.
Also, here's something to consider.
Clueless Manager Type: "The consultant says we have insecure passwords! Fix it!"
IT: "OK, I'll fix it by the end of the week"
Time passes...
CMT: "Hey! It's making me change my password and it won't let me add a digit to my current one! Fix it!"
IT: "That's part of the solution to the password problem you asked me to fix"
CMT: "I didn't tell you to change how we choose passwords! I told you to fix the password security problem!"
In other words, I want you to lock the door, but I don't want to have to use a key to get in. Repeat the above scenario for any aspect of security you can think of. Managers don't get "Security or convenience, pick ONE."
The real question we should be asking here is why the consultant is even allowed to speak to the executives. All he or she will do is alarm them by using words they don't understand until "set $dummymode=='ON'" and then telling them they better fix it or Bad Things will happen. If the same presentation is made to IT, where the workers might understand more than every third word, real solutions could be found. But that will never happen, because IT can't so much as turn around without executive approval.
Memo to executives: Leave IT the fuck alone. Don't try to make yourself feel important by requiring useless reports and approval. You'll just make yourself look stupid and lose any respect IT might have had for you.
It's rare that an AC leaves a comment that can even see insightful, let alone actually contribute something. At least here in the US the phrase "We reserve the right to refuse service to anyone" would apply. Their network, their rules. If you go into a nightclub and start spewing feces on the other patrons, they don't refund your cover charge when they throw you out.
Deal with it, and clean up your fucking computer.
So, what use are 'security features' if most
people cannot understand them, let alone use them?
Security features built into OSs have become less and less relevant in real-world applications. More significant is the fact that most people cannot understand "security features" because your average user is a screaming moron. Like the man said, make something idiot-proof and they'll invent a better idiot.
The real trouble is when security is dumbed down (by order of some executive chair moistener) so that the idiots don't sprain the two or three brain cells they've got (which have long since atrophied due to non-use). You can have all the system-level security you want, but if your users get to have passwords like "password1" and never have to change them, it doesn't really matter WHAT OS you have. Seriously, how hard is it to memorize an 8 character password?
Oh, wait, I'm speaking chiefly of Americans. What was I thinking, most of them can't remember "password1" without writing it down.
A company which has clearly lost is moral compass.
...
BVis@universe:# Attempting to parse "company" && "moral compass"
BVis@universe:# Segmentation fault: core dumped
The problem is that other ISPs exist that do not care, and that we are all connected to one single Internet.
This is true, but technology exists to filter harmful content at the borders of a given ISPs network (known exploits, spam, virii, etc.). It's implemented with varying degrees of intelligence among ISPs.
So even when you are at a ISP that cares about these things (I am), you still suffer from the million PCs of users at ISPs that don't care, and there is nothing you can do about that.
I disagree. There are many steps you can take to minimize your systems' exposure to harmful content, such as an updated antivirus, spam filtering (on the server and the client), and a correctly configured firewall. I agree that these steps shouldn't be necessary, the problem should be prevented before it's created, but that's like saying you shouldn't have to carry an umbrella because it shouldn't rain.
So an ISP should be required by law to care about this.
In a perfect world, a law could be created and enforced that would acheive this. We don't live in a perfect world. The government tried to do something about one aspect of this problem with the CAN-SPAM act, which has been loudly criticized as a deeply flawed piece of legislation that not only doesn't accomplish what its writers intended, it in fact makes the problem WORSE by giving spammers the right to email anyone once with any campaign they choose, with the only condition that they give you the option to not receive any more messages related to that campaign. Expecting spammers to be discouraged because they're doing something illegal is like expecting your dog not to pee on your rug if you don't let him out.
Don't say it can't be done, my ISP does it and others do.
Yay for your ISP. I'm glad someone in the business world gives a damn about the quality of the product or service they're producing. They're in the drastic minority; most businesses (including ISPs) only care that the money keeps coming in faster than it goes out.
The facts of life in this case are these: Millions of vulnerable machines are connected to the Internet, through a combination of Microsoft's "swiss cheese" approach to security and user ignorance/stupidity. ISPs are unwilling or unable to do anything about zombie machines, either because of resource limitations or incompetent management. To say government is incompetent in this area is like calling water wet. All you can do (until the ISPs figure out a way that curing the situation could make them money) is protect yourself as best you can.
That's a good idea in theory. Unfortunately, where technology is concerned, I don't trust the government to know what an ISP is, let alone realize that people can do illegal things with it.
Plus enforcement would be all but impossible. The tax revenue consumed by such a (IMHO) futile effort could be put to much better use.
The underlying cause of ISPs' apathy towards compromised PCs is that consumer culture in this country (posting from the USA) is broken. The way IMHO that consumerism is supposed to work is if you don't like the way someone is providing a service or product, you'll vote with your pocketbook and go to the competition. In this case, if the ISP that you're on allows compromised PCs on its network, then you get the heck off their network and switch to a provider that gives a damn about security. But the average USian is either too lazy, too stupid, or too cheap to do anything about it, and when you compound those factors with the average USian's complete stupidity regarding technology (see this post for my definition of stupidity vs. ignorance), you have the problem we're discussing.
why dont governments form a unit to identify and at least notifiy the owners of these machines?
To paraphrase the late great Jerry Orbach playing Lenny Briscoe, "Sure, let's get the government involved. That'll solve everything."
And as far as the ISPs go, I've worked for ISPs that wouldn't even cut someone off for non-payment for fear of their subscriber numbers going down. Do you really think they have the manpower, resources, or interest in doing anything about this until they're forced to by business pressures? (eg, never.)
The only way to fix this problem is user education. And because most users refuse to be educated, or accept any form of responsibility for their own machines, I don't see this problem getting fixed. Ever.
Spam works because e-mail costs almost nothing.
That's an oversimplification, IMHO. Spam works because the spammers can make money on it; in other words, their income from the morons who actually buy things off of spamvertisements is greater than their expenses in sending it out.
The only solution to spam IMHO is to punish or otherwise discourage the people who buy from spam. This isn't as easy as just saying that, to be sure, but if the logistical problems can be overcome, and the courts and legislators can be sufficiently educated and motivated, spammers' sources of income can be reduced, thus reducing their motivation to send the crap in the first place.
Spam is everyone's problem, not just the people on the technical side of the equation. Everyone will need to play a part in eliminating it.
So it's not the number of women that declines, but the number of male boneheads that increases.
This phenomenon isn't just limited to IT. Scott Adams said it best: Management is nature's way of removing morons from the productive flow.
Your Sally example is so stretched as to be pathetic.
Pathetic, yes. Stretched? Hardly. I have first hand experience of multiple employers that treat their employees this way. I know several people who have similar experiences.
If you offer a truly horrible work place then you are not likely to be able to recruit and keep quality people.
Your job market must be different than mine. Around here, the cost of living is so high that people are desperate for a job, ANY job, that keeps the mortgage paid. It's also difficult to interview when unexplained absences or changes in dress reflect negatively on your perceived quality of work, because they KNOW you're looking elsewhere. I know lots of places that have fired people on the spot once they found out they were looking elsewhere.
Every time a real business has to replace a skilled worker it costs them a serious amount of money. Time is spent reviewing candidates and interviewing. More time and expense is spent training the person.
Training. That's a laugh. "Here, sink or swim." And a skilled worker only costs money to replace if they hire another skilled worker to replace him/her. It's more incentive to hire some moron who'll work for an insulting salary just to fill the position.
Note, Sally didn't write in her public blog (where it could be verified) that she didn't like working at Evil Corporation. She simply steered a friend away from accepting a job offer. When pressed about the issue she could easily deny that she said anything negative, because she didn't make the suggestion to her friend in a public manner.
I think you'll find lots of workplaces won't split that hair. Sally got in the way of Evil Corporation's attempts to hire their chosen candidate. The fact that she didn't do it publicly ultimately only matters if the Powers That Be decide that it matters. I've seen people fired for far less.
Life is too short to work at a place like that.
Life is also too short to be homeless.
This isn't about controlling what a person thinks, it is about controlling what a person says in public.
And what I was trying to say in my previous post was that controlling what people say and do in private is a likely next step, if people can be fired for what they say in blogs that is neither slanderous nor libelous nor violates confidentiality agreements. You might think that it's ridiculous to imagine that an employer could have that much power over an employee's off-work activities, but they can already demand evidence of what's in your body (urine test). If they can claim rights to one of your bodily fluids, IMHO this isn't so far fetched.
All I'm saying is, "Enough." Just because you pay me to work for you doesn't mean you own me.
As an employee your job is to please your employer.
And as an employer, their responsibility is to reward and encourage hard work by sharing their success with their employees, who have made it possible. The norm, unfortunately, these days appears to be to reward hard work with more hard work, and to spend the least money and effort they can on keeping their employees happy, or even sane. Why should a good employee stay at a company like that? Because nearly all cases their financial situation is controlled by the employer, and big business knows it, and uses it as leverage in getting the employee to make more profit for the company by any means possible. The playing field isn't level. Big business is trying to tilt it further by making examples of people who comment negatively about their employer in blogs by firing them. The message is, "Toe the line at all times or your ass is on the curb. We don't care if this is on your own time, all your opinion are belong to us."
However, your point is well taken. A smart employee will at least refrain from badmouthing their employer publicly until they at least have another job lined up. But it should be the employee's choice, not the employer's.
That's not really too much for an employer to ask. They are, after all, paying you a salary.
That doesn't give them the right to control what you do and think 24/7. They might think it does, and to varying degrees they can get away with it, but it's something that should be fought against.
What I'm concerned about is the possible slippery slope that could exist here. Today you can be fired for public speech against your company, which may seem logical to most reasonable people. But let's take a hypothetical next step: employers censuring employees for private conversations they may have. Let's say Sally works for Company A. Sally doesn't like the company, for what most people would consider to be valid reasons, and is keeping quiet publicly while looking for another job. A classmate/former roommate/cousin/whatever calls her up and says, "Hey, Sally, I have a job offer from Company A, I was calling to get your opinion of them as an employee." Sally, being asked for her opinion, gives it honestly, and as a result the classmate/former roommate/cousin/whatever does not take the job. Company A gets mad, because they were already having trouble recruiting/hiring new employees due to their reputation as a lousy place to work, and determines that Sally is the one who influenced the decision, in a private conversation between Sally and their candidate. Company A, being the short-sighted profit-grubbing employee-hating company that they are, either fires Sally outright on some flimsy pretense, or makes her job so miserable that she has to choose between quitting and going crazy.
Is the next step after being able to fire an employee for blogging (public speech) requiring an employee to present a false opinion of the company (e.g. as a place to work) in private conversation? This is coming dangerously close to allowing employers to dictate what their employees think, not just what they say. Even if Sally were to say, "Sorry, I can't discuss my working conditions," that could be interpreted as negative feedback and could be used against her.
There's toeing the company line and then there's controlling what an employee thinks. I'm of the opinion that if your employees have (legitimate) problems with their company as a place to work, then that company should IMHO work on improving their employee relations instead of being able to legally shoot the messenger.
Yes, and how long do you think that your average numbskull that is badmouthing his employers on a blog is likely to last once his employers found out. Especially when you consider that the employer has complete access to the employee's computer, proxy logs, and whatever else they need.
r es=F60613FF345F0C7B8CDDAB0894DD404482). What's next? Filtering employees' TV signals for competitors' advertising? Requiring spyware on employees' home personal computers that forwards all email to HR for evaluation? GPS transmitters implanted under the skin?
So you give your employer unfettered access to your home computer? Do you let them read your mail, too? At least one person this article is talking about (on CNN, not the slashdot summary) had their blog hosted on web space that they paid for out of their own pocket, and presumably they were using their own machine to post to it, not their employer's equipment.
If you don't like your employers and your morale is so bad that you are mouthing off on a public blog then chances are good that you are doing a piss-poor job.
Way to blame the victim. Isn't it just possible that someone who works hard and produces well and gets great performance reviews, etc etc, doesn't like their employers and has terrible morale, but has too much personal pride to let it affect the quality of their work? I know dozens of people in this situation; they work hard, they continually get screwed by their employers, but continue to work hard in the hopes that they can at least acheive some measure of personal satisfaction while they scour the job listings for a job that sucks less.
As far as I can tell, this is just another way for big business to control what their employees do every minute of their lives. Unsatisfied with monitoring their web access, reading their email, testing their urine, and requiring many to carry a pager 24/7 without additional compensation, companies are starting to screen their employees for legal activities during off-work hours, such as tobacco usage(http://query.nytimes.com/gst/abstract.html?
Granted, this is bordering on tinfoil-hat territory, but seriously, where does it end?
*plonk*
Which probably brings up another way to save money - train the users!
What color is the sky on your planet?
This assumes that there is anyone in IT that has the time, skill set, and/or management support to do any sort of training. I have been in IT departments where anyone who mentioned mandatory training for users quickly found themselves being escorted to the door by security. The mindset is that it's IT's main job function to keep the computers running at all times independent of any other circumstance - which means that anytime a system is down, it's completely IT's fault, even if the system is down because some useless douchebag from marketing spilled their latte in the power supply.
This actually can work in a company where IT is allowed to enforce sane usage/security policies. But when your usage policy is "do whatever the fuck you want with the computers, and if IT tries to correct you, have them fired" it tends to #1 drive up your support costs/workload and #2 drive your IT staff out of their minds and/or out of the company, whichever comes first.
So to keep this comment on topic, I would suggest the original submitter that one way they can reduce costs is by developing acceptable usage policies that are enforceable, have REAL CONSEQUENCES for violations, and have management support. In other words, if the same useless douchebag from marketing loads Bonzi Buddy on their machine and it crashes, losing documents that represent hundreds of man-hours of effort, then they get fired for wasting company resources. These policies, if properly designed and implemented, will lower the number of trouble tickets generated, and free up IT personnel to work on improving efficiency and other important business-growth-enhancing tasks. (Of course, a reduction in trouble tickets will most likely be seen as an opportunity to lay off workers, because as we all know, eliminating the salaries of people who do actual work is the easiest way to cut costs. And keep those seven-figure bonuses for the board in the process.)
Insightful? Please!
This is about as likely to happen as frogs falling from the sky. A few reasons why:
1) Few parents (being a reasonably representative subset of the general population) have the slightest clue how to find out what programs are installed on a computer.
2) If they do find something that little Johnny put on there, they're not likely to know what it is.
3) If they do know what it is, they won't have the slightest idea how to remove it.
4) Didn't you get the memo? Parent's aren't responsible for their kids' behavior anymore. (Video game developers | MTV | Teachers | Homosexuals | The government | The schools | Movies) are responsible for little Johnny not knowing right from wrong.
I'm not saying it's right, I'm saying expecting parents to fix this problem is completely unrealistic in the current environment.
So basically you just made the argument for geeks to go into managment. So why aren't you?
Because I do actual work. Geeks aren't "shunning" management. The reason most geeks don't go into management is because they lack the skill set needed to manage, or indeed to get the opportunity to do so. When HR is hiring for a management position, they look for business or management courses in one's degree, or previous business or management experience. The set of people who have these people management skills AND technical knowledge is extremely small. Even if a geek were to obtain a management or executive position they would soon find themselves alienated from the group if they tried to change the culture towards selecting technology based on its merits rather than the process by which it's selected now (politics, expense, who you play golf with, etc). Managers/executives who don't play the game find themselves on the bench very quickly.
Upper management finds themselves threatened by what they don't understand. In their own self-interest they will prevent people whose practical knowledge exceeds theirs from moving up the corporate ladder. Ultimately a lot of these decisions are made by the beancounters. Try as you might, it's nearly impossible to move from IT to accounting, nor would you want to.
Until the establishment finally wakes up and realizes that they CAN'T run their business without IT, these decisions will continue to be made by those least qualified to do so. IT managers and CIOs can argue until they're blue in the face in favor of one strategy or policy, and more often than not their recommendations are completely ignored. As a consequence, we have the current prevailing business computing environment: entire enterprises taken down by 30 lines of VB code, spyware infesting 95% of business machines, Microsoft holding multi-billion dollar companies virtually hostage to their bugfixes, and IT departments blamed for all of it, when their recommendations would have prevented the majority of the problems.
The situation is this:
IT: "We should do A, because if we do B, problem C will happen."
Management: "But I don't understand A, so we'll do B."
Time passes..
Management: "Problem C is happening! It's your fault! Fix it!"
IT: "It's not our fault, you ignored our advice and bought B instead of A"
Management; "You're fired."
I was looking for an appropriate post to reply to to state this observation, and this one will serve as well as any.
We can all sit behind our keyboards and debate the merits of COTS vs FLOSS vs whatever.. but at the end of the day, it's all moot. The problem is that when an enterprise is in a position to make a decision of buy (and customize) vs. develop, the people making the decisions will be the ones least qualified to do so. Selecting critical business tools is not a trivial undertaking, and it involves non-trivial amounts of money. And ultimately, fixed initial and recurring costs (in addition to politics and personal connections) are what make these decisions, not the merits of one approach vs. another.
And IMHO this is where FLOSS is at a disadvantage. Your average CEO (and, sad to say, most CIOs) don't even know about open source. You say "open source" and they'll ask you how a computer thingy can have an open sore. Even if (hypothetically) there are significant advantages to an open source strategy, the effort required to get the people who sign the checks to understand the concept of "free" software is frequently far above the ability of most IT people to make. (If they're even given the chance; most executives cannot think in terms of value, they can only think in terms of cost. And if it's free, it can't possibly be any good.)
As an example, let's say Acme WidgetCo needs an inventory program. Vendor A has a solution that meets 80% of the company's needs, and the product costs $100,000. Vendor B has a solution that meets 90% of the company's needs, and the product costs $150,000. Vendor C has a solution that meets 50% of the company's needs, and costs $200,000. Developing the software in-house to meet 100% of the company's needs would necesitate the hiring of additional staff and consultants, at a cost of $125,000 over the development cycle of the product.
Vendor C will get the contract, in defiance of all logic, because Vendor C's CEO plays golf with Acme's CEO.
Merit has nothing to do with this decision. Politics and connections make these decisions. The people who do the actual work just have to clean up the mess, and the company rewards their hard work with poor performance reviews because the software is complete crap, even though no amount of effort could make it otherwise. Sadly, this is considered a benefit because it keeps salaries down.
Wow, you're right... getting a brutal dictatorship to torture and kill people who send you unwanted emails is *awesome!*
You say that like it's a bad thing.
I'd like to put a plug in for avast! antivirus as well. Updated often, unobtrusive, scans peer to peer and AIM traffic (if you're so inclined), just works. Finds stuff Norton doesn't even look for. http://www.avast.com/ .
Which is exactly the sort of arrogant geek centric approach that has led to bad security.
It isn't arrogance if you're right. Geeks saying "You need to use better security practices" doesn't lead to bad security, the average user's ignorance and stupidity has led to bad security. That's like saying using directional signals when you're driving causes more accidents; you might shock someone into an accident by actually using them, instead of cutting them off, but used properly they make driving safer for everyone.
The access points could have been designed to be secure without anyone ever needing to RTFM. Print the serial number of the device on the case of the box, use it as the default password.
1) Security 2) Convenience
Pick one, please.
Same thing goes for these idiotic WEP keys which I keep having to type into one machine after another. Build the system so that I don't keep having to enter long strings of digits into each new machine I buy.
Yup, having a more secure network is such a pain in the ass. WEP isn't perfect but it's better than nothing.
Oh and while we're at it, would you like some cheese with that whine? Laziness IMHO is one of the chief causes of poor security. If it's such a pain, save the key to a text file and put it on a thumb drive, or available on a share on a wired network, or a floppy disk, etc.
Go over their house and ask them nicely to stop downloading all that porn during the day.
And get subpoenaed in the divorce proceeding.
And/or get sued for invasion of privacy.
And/or get your car keyed.
And/or get your house burned down.
Why any sane person would want to do this is beyond me. I don't want my neighbors knowing what I do online, nor do I want to know what they do. There's way too much exposure here from a legal and liability point of view to be worth it to anyone, IMHO. The sentiment is admirable, but naive.
The odds are that someone on the 'customer' end of this arrangement is going to be sharing/downloading questionable content at some point after the arrangement is made. The way I see it, one of two things is likely to happen at that point:
1) The "provider" party will notice the traffic somehow, and take steps to prevent it. No matter how this is done, it's likely to ruffle some feathers, if not cause an all out neighbor war. Remember, you have to live next to these people.
2) The "provider" party will not notice the traffic, and $randomlargecompanywithexpensivelawyers will sue them. The MPAA/RIAA/Thought police/etc won't make the effort to determine if it's actually the "provider" user or the "customer" user in this arrangement that is infringing on their copyrights/whatever, their SOP is to sue the user who has paid the ISP for the access. The fact that you've essentially become an ISP will more than likely come out in the proceedings if a lawsuit goes forward, but by that time they've already bankrupted you with legal fees and taken your house.
It's just not worth it.
Folks, whipping the spammers isn't effective if you can't find the bastards in the first place. Most spammers have 2 primary skills, 1) duping ISPs into thinking they're legit businesses long enough to dump their email into the stream and 2) vanishing when they're found out.
The solution to spam is to find the idiots who buy the spammer's stuff, and fining them $1000 per transaction. The only way to resolve the spam problem once and for all is to take away the profit motive. This is different than blaming the victim; this is analogous to prosecuting someone who buys obviously stolen merchandise (receiving stolen property). The "reasonable person" test would apply. A "reasonable person" would not believe that you could get Viagra without a prescription legally, get a mortgage at a rate 3 points below the going rate, etc.
We regularly prosecute people whose actions cause harm to the general public, such as drunk drivers. By their actions the people who buy merchandise from spammers are enabling behavior that causes harm to the public, and should be prosecuted.
Clearly my definition is simplified, and these definitions are not black and white. In my view, "stupid" has no correlation with IQ, level of education or material success. I'm thinking more of the case where someone runs into a challenge in the course of living their lives (however they choose to live them, eg what interests they pursue, what vocation/avocation they choose, etc) and instead of meeting that challenge with effort and a willingness to grow, takes the position that they shouldn't have to learn anything further and refuses to consider any other course of action; indeed, they are insulted by the insinuation that there's another option.
I don't know anything about line dancing because it doesn't interest me; if it were in my interest to become familiar with this topic, I would make an effort to learn the necessary information. It might take me a long time to become familiar with it because of my low level of interest and/or motivation to learn anything about it. I disagree that the rate at which one acquires knowlege is an indication of how "stupid" someone is. I would never call someone who puts forth effort into learning new skills and acquiring new information stupid, no matter if they learn quickly or not.
But then you can't charge them each time they mess up their machine.