Security

1 In 3 Sysadmins Snoop On Colleagues 392

klubar writes "According to a recent survey, one in three IT staff snoops on colleagues. U.S. information security company Cyber-Ark surveyed 300 senior IT professionals, and found that one-third admitted to secretly snooping, while 47 percent said they had accessed information that was not relevant to their role. Makes you wonder about the other 2 out of 3. Did they lie on the survey or really don't snoop?"
  • And? (Score:5, Interesting)

    by mpapet ( 761907 ) on Thursday June 19, 2008 @01:17PM (#23860263) Homepage
    Maybe I'm missing the point but I don't see where there is an issue.

    In nearly all IT environments, either you trust your IT staff, or you have some killer PKI. Reality suggests management in the typical company wouldn't pay for it or be bothered to use it, so we're back to IT having super-snooping powers.
  • Which is worse? (Score:5, Interesting)

    by IronWilliamCash ( 1078065 ) on Thursday June 19, 2008 @01:17PM (#23860265)
    Given the nature of a sysadmin's job, I think I'd be more worried about the other 2 out of 3 that don't snoop around. A curious sysadmin will find more problems and more possible solutions than one who doesn't care.
  • Only 300? (Score:2, Interesting)

    by djones101 ( 1021277 ) on Thursday June 19, 2008 @01:17PM (#23860277)
    That's an extremely small survey sample to try and draw relevant conclusions on. 30,000 might be a better indicator. Otherwise, you're talking too wide of a margin for error.
  • Re:And? (Score:3, Interesting)

    by gstoddart ( 321705 ) on Thursday June 19, 2008 @01:24PM (#23860421) Homepage

    Maybe I'm missing the point but I don't see where there is an issue.

    Because, some people aren't supposed to be seeing certain things. If you're charged with protecting everyone else's crap, it's nice to develop a bit of indifference to what's in it -- I'll guard it, but I won't look in it.

    Think of it this way ... if your admin is reading your financials, they could be using it to do a little insider trading or taking the information for other purposes.

    It really is a huge breach of trust for an admin to be doing that, and I bet it could open up some interesting (though, likely non-obvious) legal risks for companies.

    Cheers
  • by Anonymous Coward on Thursday June 19, 2008 @01:25PM (#23860441)
    Come on people, for 'computer nerds' it's amazing how little logic you collectively display.

    The company that sponsored the "poll" makes products for encrypting information and compliance with SOX.

    Do you think they'd release a study that DIDN'T imply your information was in jeopardy?

    This is simply marketing hype, don't fall for it -- it's positioned to get executives to suspect their IT staff (in my company's case, very respectable and honest IT staff) --

    1 in 3 is a completely made up number for the benefit of the company trying to SELL PRODUCT
  • by mandark1967 ( 630856 ) on Thursday June 19, 2008 @01:27PM (#23860481) Homepage Journal
    of those SysAdmins who feel it necessary to snoop on people? If you're bored, get out of Admin Pack and head over to /. or Technet (if you are of the MS persuasion) and learn something new. I don't care who you are or how good you are, you don't know EVERYTHING...

    Maybe it's just me, but I just don't get it...

    I probably have access to more account information and networked shared space than most people, but I have no urge, need, or desire to see what's in their accounts or shares. (Beyond making sure private data is secured and there isn't pornography or other bad files out there using up all our networked drives. That's one of my monthly chores)

    Only reason I'm here right now posting is because I'm in the middle of a scan. Our scans take 6-7 hours to run (with the process set to realtime priority) so about the only thing my computer is able to do is browse the web (slowly, I might add)

    "Could" I snoop? Sure. "Would" I? Never. That's one of the reasons why I have this job.
  • The other 2 out of 3 (Score:3, Interesting)

    by 192939495969798999 ( 58312 ) <info AT devinmoore DOT com> on Thursday June 19, 2008 @01:31PM (#23860575) Homepage Journal
    The other 2 know better than to out themselves as snoops on any kind of survey... I mean what is the guarantee that the survey wasn't a snoop by the employer to catch "honest spies"?
  • Never again (Score:5, Interesting)

    by citylivin ( 1250770 ) on Thursday June 19, 2008 @01:33PM (#23860643)
    I made the mistake of looking at a co-worker's pay who I thought was equal in status to me. BIG MISTAKE. After finding out he was paid several hundred dollars more than me a paycheque for doing basically the same job, I never looked at him or the company the same way again. I left that company not too long after, partly because I felt ripped off. It's very hard to unsee things sometimes.

    As for internet history or watching people's screens while their back is turned, I would never do that *TO A PEER*. It's just a respect thing. I have definitely been told to monitor subordinates' internet accesses as well as various people throughout the companies I have worked for. I've gotten people fired for looking at Facebook on work hours, but that's part of the job in some corporations. I wonder if the article is talking about peers (in the IT department) or extra-departmental persons whom you could legitimately be instructed to snoop on.

  • Surveys... (Score:5, Interesting)

    by mulvane ( 692631 ) on Thursday June 19, 2008 @01:37PM (#23860717)
    Of those 2 out of 3 left, 4 out of 5 were found to have lied on the survey. Of those that lied, it was found that 2 out of 3 only snoop on those they think they have a romantic connection with and considered it not snooping but pre-mutual love investigation. Of those that act and are rejected, 50% continue to snoop to plan murderous intentions that later end in the woman of said attraction kicking said admin's ass. Makes you wonder where all these stats come from really though, doesn't it?
  • Re:Scary (Score:5, Interesting)

    by Bandman ( 86149 ) <bandman.gmail@com> on Thursday June 19, 2008 @01:39PM (#23860771) Homepage
    Which really brings up another question to me.

    Suppose you have a high level IT staff member quit.

    You go through the normal password rotation, and call it a day, but they still had access to the private keys of every server. Do you generate all new keys for every server? How do you reconcile that with the authorized_keys and known_hosts files across the network? That's a large infrastructure change.

    Are there SSH key servers that allow this?
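
For the authorized_keys side of the question above, an added example (not part of the original thread): a Python routine that removes every entry matching a departed admin's public key fingerprint, including entries behind an options prefix, and keeps unparseable lines while flagging them for manual review. The key blobs, user names and file contents are constructed; host key rotation and known_hosts are not covered.

```python
import base64
import hashlib

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def fingerprint(blob_b64):
    """SHA256 fingerprint as `ssh-keygen -l` prints it; ValueError on non-base64."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def split_fields(line):
    """Split on whitespace, but not inside double-quoted option values."""
    fields, cur, quoted, prev = [], "", False, ""
    for ch in line:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch in " \t" and not quoted:
            fields.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    return [f for f in fields + [cur] if f]

def key_blob(line):
    """Return the base64 key blob of an entry, or None if no key type is found."""
    fields = split_fields(line)
    for i in (0, 1):  # key type comes first, or second after an options field
        if i + 1 < len(fields) and fields[i] in KEY_TYPES:
            return fields[i + 1]
    return None

def revoke(text, revoked_fps):
    """Return (cleaned_text, removed_lines, unparsed_lines)."""
    kept, removed, unparsed = [], [], []
    for line in text.splitlines():
        entry = line.strip()
        fp = None
        if entry and not entry.startswith("#"):
            try:
                blob = key_blob(entry)
                fp = fingerprint(blob) if blob else None
            except ValueError:
                pass
            if fp is None:
                unparsed.append(line)  # kept in the file, flagged for review
        if fp in revoked_fps:
            removed.append(line)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed, unparsed

def sample_blob(seed):
    """Constructed ed25519-shaped blob for the demo; not a real key."""
    raw = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes([seed]) * 32
    return base64.b64encode(raw).decode()
DEPARTED, CURRENT = sample_blob(1), sample_blob(2)  # constructed sample data
SAMPLE = "\n".join([
    f"ssh-ed25519 {CURRENT} alice@ops",
    f'command="/usr/local/bin/backup --all",no-pty ssh-ed25519 {DEPARTED} old-admin@laptop',
    f"ssh-ed25519 {DEPARTED}",  # same key added again without a comment
    "ssh-ed25519 not*base64 broken-entry",
])
```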
  • Re:Which is worse? (Score:5, Interesting)

    by Bandman ( 86149 ) <bandman.gmail@com> on Thursday June 19, 2008 @01:44PM (#23860871) Homepage
    I think you're confusing the word "curious" with the term my grandma used. "Nibshit".

    It's great to be curious. Wondering how things work will definitely teach you.

    Being a nibshit will only get you into things you shouldn't.

    Of course, at one of my old jobs at an ISP, another admin (who was a nibshit) found a stash of kiddie porn in a user's folder. I suppose it's a positive story, since the guy ended up going to jail.
  • Re:Which is worse? (Score:5, Interesting)

    by mandark1967 ( 630856 ) on Thursday June 19, 2008 @01:44PM (#23860873) Homepage Journal
    Curiosity for certain aspects of network management is far different than "snooping" on employees.

    As has been stated, reading their email or watching them surf does nothing to increase the security of the network.

    (on a windows network)

    You wanna be curious? Fine. Go pull a listing of the 8000+ databases on the network share and check their properties to see if they are secured correctly so the HR data contained in some of them isn't available to be seen by the "everyone" group.

    Go search for old, outdated data files that haven't been accessed in 5 years, or personal multimedia files sitting on your shared space because the users want to listen to music all day long but are too cheap to bring in a $6 radio.

    These are some of the things a decent Admin would and should look for (among others) but that power does not justify snooping on people because you're too bored to crack open a tech manual of some sort or read a tech-site online.
  • by Doc Ruby ( 173196 ) on Thursday June 19, 2008 @01:47PM (#23860939) Homepage Journal

    Did they lie on the survey or really don't snoop?


    There's surely one way to know. But who watches their sysadmin's sysadmin?
  • Re:And? (Score:5, Interesting)

    by Bob-taro ( 996889 ) on Thursday June 19, 2008 @01:59PM (#23861139)

    In nearly all IT environments, either you trust your IT staff, or you have some killer PKI.

    The Sarbanes Oxley Act [wikipedia.org] makes trusting your employees illegal.

  • Where's the survey? (Score:3, Interesting)

    by statemachine ( 840641 ) on Thursday June 19, 2008 @02:02PM (#23861209)
    It's not linked in the article, and it doesn't appear on Cyber-Ark's website, at least not in the PR or white paper sections.
  • by John Jamieson ( 890438 ) on Thursday June 19, 2008 @02:08PM (#23861315)
    Alright, TFA says "IT Professionals" of which I bet only 1/3 has access to such info. That would imply all snoop that can.

    I don't buy that.
  • Re:No Ethics (Score:5, Interesting)

    by CastrTroy ( 595695 ) on Thursday June 19, 2008 @03:15PM (#23862497)
    Get fired for reading the email of other employees? No way. Some companies even hire people to read employee email [wired.com].
  • Re:No Ethics (Score:1, Interesting)

    by Anonymous Coward on Thursday June 19, 2008 @03:19PM (#23862567)
    funny because at my last job, my boss stole my identity and to cover up his crime he accused me of breaking into executive email accounts and deleting emails I had already sent them over the several days previous...

    I was also told that there were logs that proved this but I was not allowed to see these logs because it was an ongoing investigation, after I had been fired on the spot...

    being a fairly intelligent person that I happened to also design the logging and security systems I would like to think I am smart enough to not get caught by the very systems I put in place.

    I can in this instance come up with a few different ways to break into someone's mailbox and not have it logged, or at least make it look like someone else did it. My boss apparently knew how to make it look like someone else did it too. It wouldn't be hard considering I was forced to have keyloggers installed on my machine that reported back to my boss....

    ethics indeed.
  • Re:And? (Score:3, Interesting)

    by Actually, I do RTFA ( 1058596 ) on Thursday June 19, 2008 @03:32PM (#23862825)

    The Sarbanes Oxley Act makes trusting your employees illegal.

    Kind of. It only applies to financial records, and is for the benefit of the shareholders. Basically, it's a complex, but theoretically hard to fake, audit trail for a company's books and other publicly released financials.

  • Re:Bad sysadmin! (Score:5, Interesting)

    by ehrichweiss ( 706417 ) on Thursday June 19, 2008 @03:37PM (#23862917)
    Funny story that. I was hired because I am a sysadmin with the morals of a mercenary (I actually provide complete security protection for hardware, software and even physical security for wetware if needed) and the head of the company accidentally CC'ed someone in the company whom she had badmouthed in the email. The very next thing heard when she realized it was an announcement over our intercom system "All staff please step away from your computers, I think we have a virus; Eric, please report to my office". I got the detail of removing the email, while he was watching no less, and making sure he couldn't retrieve it. Funny thing is, this was on Mac OS 9 and there were almost zero viruses. Other times the owner would have me forward email from the sales staff to her. Now as for outright snooping, nope I never felt the need but I was more than willing to do it for pay.
  • by twmcneil ( 942300 ) on Thursday June 19, 2008 @03:49PM (#23863153)
    What's on your corp. servers is nothing compared to what's on your coworkers' home machines. Try fixing a few of those for a while and you'll quickly develop an intense desire for eye bleach.

    In 20 years of working on corp. machines I never encountered what practically jumps out at you when you work on home machines. Now I just tell people my employer won't allow me to work on coworkers' home machines.
  • Re:No Ethics (Score:4, Interesting)

    by dark-nl ( 568618 ) <dark@xs4all.nl> on Thursday June 19, 2008 @03:50PM (#23863175)
    I think the problem is that the sysadmins at school are terrible role models. On every school or university computer lab I've seen, the sysadmins were actually tasked with snooping through the students' email. For the sake of detecting plagiarism, of course! But it teaches students that this kind of snooping is ok and expected. In fact, it seems to be what university sysadmins are for. They certainly weren't spending any time on making sure the backups worked, for instance.
  • by vux984 ( 928602 ) on Thursday June 19, 2008 @04:42PM (#23864123)
    At least those, including cashiers and bank tellers, who have to balance the drawer at the end of the day...

    Only the truly stupid pilfer straight up. The smart simply ring in a return. Or ring in a transaction, collect, and then void it, etc, etc.

    Then the discrepancies don't show up in the drawer's cash balance but rather show up in month end inventory reconciliation which is virtually impossible to trace back to the cashier.

    With more complex businesses there are more complex schemes... coupon tricks, currency rate exchange tricks (living near the Canada/US border had all sorts of games to profit from currency exchange), and so on.

    Or they simply shortchange customers and then pilfer a bill. This is shockingly easy to do. Of course it requires that you work in a high volume cash transaction scene like fast food. I was in entry level management in fast-food putting myself through university and in that time I knew of cashiers who'd take 20-40 bucks a night, and their drawers would balance to within a dime simply by shortchanging and keeping track. Say a bill for a combo is 5.17 after tax, change owed from a 20 is 14.83. Hand back 13.53 or 14.58 taking 1$ or .25c respectively. Do that to a 100 customers over an 8 hour shift (in an industry where a lunch/dinner rush might see you do 100+ transactions an hour.)

    In the odd case where you get caught by the customer, they'd apologize and cheerfully fix the error.

    All that remains is to pilfer a $5 or $10 whenever you've accumulated it. (And this can be stealthed too by getting a partner (conspiring coworker going off shift or going on break maybe) to come in and order a $1 coffee, and then give them 29$ change instead of $19 for their $20, and then pick up your cash from them after shift.)

    $20-40 bucks a night might not seem like much, but it amounts to a $2.50 to $5.00/hour raise (assuming an 8 hour shift) in an industry famous for 5 and 10 cent raises, and ends up amounting to stealing $4k-8k per year.

    Worse, the effects of this are invisible, because you are stealing from the customers not the employer and it is very hard to isolate. And your only shot at catching them is if you are specifically watching for it, and doing random drawer audits midshift and looking for OVERAGES -- something which is very difficult in a busy fast food environment.

    Plus it's hard to fire someone when you audit their till and find it up $3.00.

    Well now that I've educated a whole new generation of crooks... I'll get back to work.
  • Re:No Ethics (Score:5, Interesting)

    by Vancorps ( 746090 ) on Thursday June 19, 2008 @04:45PM (#23864175)

    Well said, and this has always been my personal philosophy as a sysadmin. If you can't trust me with your data you can't trust anybody. It's that simple. The only time I'll go into another account is to backup files in which case I'm not reading the content.

    There is one more instance when I'll go into an account, when there is a legitimate need for specific content and the account owner isn't available to provide it to the employee. Again, I don't go looking at other stuff, I have something specific I'm searching for.

    I've always taken my position pretty seriously, I can't believe that number is that high. Every sysadmin I know is either too busy to snoop or doesn't care enough to snoop. I can admit I was once tempted to snoop because I was dating a coworker but my damned personal ethics got in the way and I decided to trust her instead. Yeah it turns out she was lying through her teeth but there are other ways to tell if someone is lying that are far better than snooping through email which may or may not be out of context.

  • Re:No Ethics (Score:5, Interesting)

    by Technician ( 215283 ) on Thursday June 19, 2008 @05:57PM (#23865407)
    It's a damned poor state of affairs that so many people put in that situation of trust betray it.

    Let me guess, you never check unknown files before deleting them?

    Instead of a car example, I'll use the Photocopier example.

    In clearing the photocopier, it's no business of yours that the thing has a jammed copy of another employee's payroll, medical record, drug screen result, employee evaluation, or of a centerfold, but you see it. Is this an ethics violation?

    Snooping and being exposed to data outside your job role may be what the survey is all about.

    I have worked with highly classified stuff. Access is on a need to know basis. I have been exposed to other classified material that I had no need to know, and wasn't cleared for, but, I wasn't snooping. I saw just enough to identify it. With my security clearance, I treated the matter properly.

    Have you ever opened an unidentified file to identify it? Was it snooping, or system maintenance?
  • by Danny Rathjens ( 8471 ) <slashdot2.rathjens@org> on Thursday June 19, 2008 @09:25PM (#23867657)
    When I'm interviewing people for a sysadmin position one of my primary concerns is honesty and integrity. The problem is that everyone asked to their face will claim to have high integrity. I try to approach the issue indirectly with neutral questions as, "Where do you draw the line on observing user activity?" Several times I've had them answer very vaguely or ask me questions about the question - apparently in an attempt to ferret out what kind of answer I am looking for. This type of error-prone and subtle indication seems the only way to find out.
    The human API is very poorly documented. Is there a better way? ;)
  • Re:No Ethics (Score:2, Interesting)

    by goose-incarnated ( 1145029 ) on Friday June 20, 2008 @06:38AM (#23870797) Journal

    I can admit I was once tempted to snoop because I was dating a coworker but my damned personal ethics got in the way and I decided to trust her instead. Yeah it turns out she was lying through her teeth but there are other ways to tell if someone is lying that are far better than snooping through email which may or may not be out of context.

    You're an idiot (I mean it in a good way - I'm an idiot in the middle of a divorce right now :-). When it comes to matters of the heart, you must assume a variation of the "trust but verify" policy. Someone/Something tells you he/she is cheating? Check it out without letting them know.

    If you *ever* get the chance to check up on your partner without going out of your way or letting them know about it, do it. Nothing makes you feel better than finding that your suspicions were unfounded without them having to deny wrongdoing. It also leads to *more* trust in them.

    However, if you find out that they've been less than honest with you, then it's time to leave. Either outcome is desirable and preferable to the new-age "If I check up on them it must mean that I don't trust them, so I will pretend to trust them by not checking up" crap.

  • by MBGMorden ( 803437 ) on Friday June 20, 2008 @11:52AM (#23874151)

    While 1 out of 3 does seem a bit high, the simple solution to this is to do your personal websurfing and emailing when at home. This is doubly applicable to where I work, because being a government institution, a huge chunk of our data (specifically, email) is subject to FOIA requests and as such not only the system admin can read your messages, but if they get a hankering to, any random guy on the street can too.

    For this reason specifically, we actually set up "flags" that would set aside messages if they contained image attachments or certain keywords, and we had a person delegated to sort through all the flagged messages to make sure that nothing was passing through that would result in negative publicity if it turned up in our email. I was assigned this task for a while, and when it first went into effect we caught several instances of pornographic joke messages and such going through the system.

    Since I was (at the time) tasked with the IT orientation session for all incoming employees, the best advice I gave to them was that we can and do monitor email communications, as well as what web sites they visit, and as a good practice, don't write anything in email or browse any website that you wouldn't want to show up in the local newspaper, because in our situation it very well could end up there.
