1 In 3 Sysadmins Snoop On Colleagues
klubar writes "According to a recent survey, one in three IT staff snoops on colleagues. U.S. information security company Cyber-Ark surveyed 300 senior IT professionals, and found that one-third admitted to secretly snooping, while 47 percent said they had accessed information that was not relevant to their role. Makes you wonder about the other 2 out of 3. Did they lie on the survey, or do they really not snoop?"
And? (Score:5, Interesting)
In nearly all IT environments, either you trust your IT staff, or you have some killer PKI. Reality suggests management in the typical company wouldn't pay for it or be bothered to use it, so we're back to IT having super-snooping powers.
Which is worse? (Score:5, Interesting)
Only 300? (Score:2, Interesting)
Re:And? (Score:3, Interesting)
Because, some people aren't supposed to be seeing certain things. If you're charged with protecting everyone else's crap, it's nice to develop a bit of indifference to what's in it -- I'll guard it, but I won't look in it.
Think of it this way
It really is a huge breach of trust for an admin to be doing that, and I bet it could open up some interesting (though, likely non-obvious) legal risks for companies.
Cheers
Don't believe the hype (Score:5, Interesting)
The company that sponsored the "poll" makes products for encrypting information and compliance with SOX.
Do you think they'd release a study that DIDN'T imply your information was in jeopardy?
This is simply marketing hype, don't fall for it -- it's positioned to get executives to suspect their IT staff (in my company's case, very respectable and honest IT staff) --
1 in 3 is a completely made up number for the benefit of the company trying to SELL PRODUCT
What's the major malfunction? (Score:3, Interesting)
Maybe it's just me, but I just don't get it...
I probably have access to more account information and networked shared space than most people, but I have no urge, need, or desire to see what's in their accounts or shares. (Beyond making sure private data is secured and there isn't pornography or other bad files out there using up all our networked drives. That's one of my monthly chores)
Only reason I'm here right now posting is because I'm in the middle of a scan. Our scans take 6-7 hours to run (with the process set to realtime priority) so about the only thing my computer is able to do is browse the web (slowly, I might add)
"Could" I snoop? Sure. "Would" I? Never. That's one of the reasons why I have this job.
The other 2 out of 3 (Score:3, Interesting)
Never again (Score:5, Interesting)
As for internet history or watching people's screens while their back is turned, I would never do that *TO A PEER*. It's just a respect thing. I have definitely been told to monitor subordinates' internet accesses as well as various people throughout the companies I have worked for. I've gotten people fired for looking at Facebook on work hours, but that's part of the job in some corporations. I wonder if the article is talking about peers (in the IT department) or extra-departmental persons whom you could legitimately be instructed to snoop on.
Surveys... (Score:5, Interesting)
Re:Scary (Score:5, Interesting)
Suppose you have a high level IT staff member quit.
You go through the normal password rotation, and call it a day, but they still had access to the private keys of every server. Do you generate all new keys for every server? How do you reconcile that with the authorized_keys and known_hosts files across the network? That's a large infrastructure change.
Are there SSH key servers that allow this?
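One defender-side way to do the reconciliation the parent asks about, as an added example that is not from this thread or from Cyber-Ark: revoke the departed admin's key by fingerprint across authorized_keys files, and swap a regenerated host key into known_hosts. It assumes plain OpenSSH file formats; the keys and files below are constructed for the demo.

```python
import base64
import hashlib

def key_fields(line):
    """(keytype, base64 blob) of an authorized_keys/known_hosts line, or None for blank/comment.
    Leading options, hostnames or @markers are skipped by locating the key-type token."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")):
            return tok, tokens[i + 1]
    return None

def fingerprint(line):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints it."""
    digest = hashlib.sha256(base64.b64decode(key_fields(line)[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def revoke_authorized_keys(text, revoked):
    """Drop entries whose fingerprint is in `revoked`; keep comments, options and other keys."""
    kept, removed = [], 0
    for line in text.splitlines():
        if key_fields(line) and fingerprint(line) in revoked:
            removed += 1
        else:
            kept.append(line)
    return "".join(l + "\n" for l in kept), removed

def rotate_known_hosts(text, host, new_host_key_line):
    """Replace plain-text entries for `host` with its regenerated key; hashed |1| entries need ssh-keygen -R."""
    new_type, out = key_fields(new_host_key_line)[0], []
    for line in text.splitlines():
        f, tokens = key_fields(line), line.split()
        hosts = tokens[0].split(",") if f and not tokens[0].startswith("@") else []
        if f and f[0] == new_type and host in hosts:
            continue  # stale key: the departed admin still holds its private half
        out.append(line)
    out.append(f"{host} {new_host_key_line.strip()}")
    return "".join(l + "\n" for l in out)

def fake_key(keytype, seed):
    """Constructed, syntactically valid public key for the demo (not a real key)."""
    blob = len(keytype).to_bytes(4, "big") + keytype.encode() + b"\0\0\0\x20" + seed.ljust(32, b"\0")
    return f"{keytype} {base64.b64encode(blob).decode()}"

# Constructed sample files: one departed admin, one colleague, one server being re-keyed.
ADMIN_KEY, OPS_KEY = fake_key("ssh-ed25519", b"departed-admin"), fake_key("ssh-ed25519", b"ops")
AUTHORIZED = f'# ops team\nfrom="10.0.0.0/8" {ADMIN_KEY} admin@old\n{OPS_KEY} ops@corp\n'
KNOWN_HOSTS = f"db1,10.0.0.5 {fake_key('ssh-ed25519', b'db1-old')}\nweb1 {fake_key('ssh-ed25519', b'web1')}\n"
NEW_DB1_KEY = fake_key("ssh-ed25519", b"db1-new")
```

Run `revoke_authorized_keys` over every host's file with the ex-admin's fingerprint, then `rotate_known_hosts` on each client after the server's host key is regenerated; the fingerprint matches what `ssh-keygen -lf` reports for the same key.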
Re:Which is worse? (Score:5, Interesting)
It's great to be curious. Wondering how things work will definitely teach you.
Being a nibshit will only get you into things you shouldn't.
Of course, at one of my old jobs at an ISP, another admin (who was a nibshit) found a stash of kiddie porn in a user's folder. I suppose it's a positive story, since the guy ended up going to jail.
Re:Which is worse? (Score:5, Interesting)
As has been stated, reading their email or watching them surf does nothing to increase the security of the network.
(on a windows network)
You wanna be curious? Fine. Go pull a listing of the 8000+ databases on the network share and check their properties to see if they are secured correctly so the HR data contained in some of them isn't available to be seen by the "everyone" group.
Go search for old, outdated data files that haven't been accessed in 5 years, or personal multimedia files sitting on your shared space because the users want to listen to music all day long but are too cheap to bring in a $6 radio.
These are some of the things a decent Admin would and should look for (among others), but that power does not justify snooping on people because you're too bored to crack open a tech manual of some sort or read a tech site online.
Only Their Sysadmins Know For Sure? (Score:3, Interesting)
There's surely one way to know. But who watches their sysadmin's sysadmin?
Re:And? (Score:5, Interesting)
The Sarbanes Oxley Act makes trusting your employees illegal.
Where's the survey? (Score:3, Interesting)
They are not talking about sysadmins (Score:3, Interesting)
I don't buy that.
Re:No Ethics (Score:5, Interesting)
Re:No Ethics (Score:1, Interesting)
I was also told that there were logs that proved this but I was not allowed to see these logs because it was an ongoing investigation, after I had been fired on the spot...
Being a fairly intelligent person who also happened to design the logging and security systems, I would like to think I am smart enough to not get caught by the very systems I put in place.
I can in this instance come up with a few different ways to break into someone's mailbox and not have it logged, or at least make it look like someone else did it. My boss apparently knew how to make it look like someone else did it too. It wouldn't be hard considering I was forced to have keyloggers installed on my machine that reported back to my boss....
ethics indeed.
Re:And? (Score:3, Interesting)
Kind of. It only applies to financial records, and is for the benefit of the shareholders. Basically, it's a complex, but theoretically hard to fake, audit trail for a company's books and other publicly released financials.
Re:Bad sysadmin! (Score:5, Interesting)
Compared to Your Coworkers Personal Machines (Score:2, Interesting)
In 20 years of working on corp. machines I never encountered what practically jumps out at you when you work on home machines. Now I just tell people my employer won't allow me to work on coworkers home machines.
Re:No Ethics (Score:4, Interesting)
Re:And another thing... (Score:3, Interesting)
Only the truly stupid pilfer straight up. The smart simply ring in a return. Or ring in a transaction, collect, and then void it, etc, etc.
Then the discrepancies don't show up in the drawer's cash balance but rather show up in month end inventory reconciliation, which is virtually impossible to trace back to the cashier.
With more complex businesses there are more complex schemes... coupon tricks, currency rate exchange tricks (living near the Canada/US border had all sorts of games to profit from currency exchange), and so on.
Or they simply shortchange customers and then pilfer a bill. This is shockingly easy to do. Of course it requires that you work in a high volume cash transaction scene like fast food. I was in entry level management in fast-food putting myself through university and in that time I knew of cashiers who'd take 20-40 bucks a night, and their drawers would balance to within a dime simply by shortchanging and keeping track. Say a bill for a combo is 5.17 after tax, change owed from a 20 is 14.83. Hand back 13.53 or 14.58 taking 1$ or
In the odd case where you get caught by the customer, they'd apologize and cheerfully fix the error.
All that remains is to pilfer a $5 or $10 whenever you've accumulated it. (And this can be stealthed too by getting a partner (conspiring coworker going off shift or going on break maybe) to come in and order a $1 coffee, and then give them $29 change instead of $19 for their $20, and then pick up your cash from them after shift.)
$20-40 bucks a night might not seem like much, but it amounts to a $2.50 to $5.00/hour raise (assuming an 8 hour shift) in an industry famous for 5 and 10 cent raises, and ends up amounting to stealing $4k-8k per year.
Worse, the effects of this are invisible, because you are stealing from the customers, not the employer, and it is very hard to isolate. And your only shot at catching them is if you are specifically watching for it, and doing random drawer audits midshift and looking for OVERAGES -- something which is very difficult in a busy fast food environment.
Plus it's hard to fire someone when you audit their till and find it up $3.00.
Well now that I've educated a whole new generation of crooks... I'll get back to work.
Re:No Ethics (Score:5, Interesting)
Well said, and this has always been my personal philosophy as a sysadmin. If you can't trust me with your data you can't trust anybody. It's that simple. The only time I'll go into another account is to backup files, in which case I'm not reading the content.
There is one more instance when I'll go into an account, when there is a legitimate need for specific content and the account owner isn't available to provide it to the employee. Again, I don't go looking at other stuff, I have something specific I'm searching for.
I've always taken my position pretty seriously, I can't believe that number is that high. Every sysadmin I know is either too busy to snoop or doesn't care enough to snoop. I can admit I was once tempted to snoop because I was dating a coworker but my damned personal ethics got in the way and I decided to trust her instead. Yeah it turns out she was lying through her teeth but there are other ways to tell if someone is lying that are far better than snooping through email which may or may not be out of context.
Re:No Ethics (Score:5, Interesting)
Let me guess, you never check unknown files before deleting them?
Instead of a car example, I'll use the Photocopier example.
In clearing the photocopier, it's no business of yours that the thing has a jammed copy of another employee's payroll, medical record, drug screen result, employee evaluation, or of a centerfold, but you see it. Is this an ethics violation?
Snooping and being exposed to data outside your job role may be what the survey is all about.
I have worked with highly classified stuff. Access is on a need to know basis. I have been exposed to other classified material that I had no need to know, and wasn't cleared for, but I wasn't snooping. I saw just enough to identify it. With my security clearance, I treated the matter properly.
Have you ever opened an unidentified file to identify it? Was it snooping, or system maintenance?
how to find these people? (Score:4, Interesting)
The human API is very poorly documented. Is there a better way?
Re:No Ethics (Score:2, Interesting)
You're an idiot (I mean it in a good way - I'm an idiot in the middle of a divorce right now :-). When it comes to matters of the heart, you must assume a variation of the "trust but verify" policy. Someone/Something tells you he/she is cheating? Check it out without letting them know.
If you *ever* get the chance to check up on your partner without going out of your way or letting them know about it, do it. Nothing makes you feel better than finding that your suspicions were unfounded without them having to deny wrongdoing. It also leads to *more* trust in them.
However, if you find out that they've been less than honest with you, then it's time to leave. Either outcome is desirable and preferable to the new-age "If I check up on them it must mean that I don't trust them, so I will pretend to trust them by not checking up" crap.
Simple Solution: Keep Private stuff at home (Score:3, Interesting)
While 1 out of 3 does seem a bit high, the simple solution to this is to do your personal websurfing and emailing when at home. This is doubly applicable to where I work, because being a government institution, a huge chunk of our data (specifically, email) is subject to FOIA requests, and as such not only the system admin can read your messages, but if they get a hankering to, any random guy on the street can too.
For this reason specifically, we actually set up "flags" that would set aside messages if they contained image attachments or certain keywords, and we had a person delegated to sort through all the flagged messages to make sure that nothing was passing through that would result in negative publicity if it turned up in our email. I was assigned this task for a while, and when it first went into effect we caught several instances of pornographic joke messages and such going through the system.
Since I was (at the time) tasked with the IT orientation session for all incoming employees, the best advice I gave to them was that we can and do monitor email communications, as well as what web sites they visit, and as a good practice, don't write anything in email or browse any website that you wouldn't want to show up in the local newspaper, because in our situation it very well could end up there.