The IT Department as Corporate Snoop?

coondoggie writes with a link to a NetworkWorld article about the dangers of IT department snoops. A study released today is likely to exacerbate the trend of failing trust in employees; it shows that one in three IT employees poke through systems and prod at confidential information while on the job. The survey was done by a firm specializing in password security, so some salt might be required for this particular article. "The survey found that more than one-third of IT professionals admit they could still access their company's network once they'd left their current job, with no one to stop them. More than 200 IT professionals participated in the survey with many revealing that although it wasn't corporate policy to allow IT workers to access systems after termination, still almost 25% of respondents knew of another IT staff member who still had access to sensitive networks even though they'd left the company long ago."

Only 1/3rd?

[Skyshadow]

1/3rd of IT professionals poke through other employee's files? What are the other 2/3rds up to all day long?

Never hire an IT guy who couldn't pass the BOFH test.

Re:

[AaxelB]

What are the other 2/3rds up to all day long?

They lie on surveys, of course!

But I think the more notable lie/damned lie is that 1/3 can still access their previous company's network after termination. It seems like there'd be more important security implications with disgruntled fired IT guys still having unbridled access to the company network.

Re:

[YrWrstNtmr]

It seems like there'd be more important security implications with disgruntled fired IT guys still having unbridled access to the company network.

Not all are fired/disgruntled. Some leave on good terms.

Re:

[timmarhy]

i've never been fired from a single job in my life, and i've always left on good terms. that's how most people i know leave a job, purely because they simply had a better offer.

i have however had some managers who were pissed off i was leaving purely because i was leaving to make more money then them, and that i wouldn't be there to do their work all the time. that's their problem not mine though.

Re:

[Anarke_Incarnate]

I have been fired a couple of times (only once in IT, the rest were in BS jobs in/before college. The IT one was because the company couldn't afford to keep paying me). As for the other part of what you said, one of my bosses was pissed that I was leaving because they just assumed I would be there forever. They felt cheated that they would not have me around 24/7 for when emergencies came up. Now I am contracting with them for when they need me, for training, and on retainer :)

Well that makes me Occupationally Inferior

[trippeh]

Cool!

I wash dishes for a living.

- - - - - {sotto voce} - - - - -
It's okay, I'm still in tertiary education. Plenty of time for a long-term career in data-entry.

Re:

[qzulla]

I was a kind of disgruntled/gruntled discharged employee once. I just walked away from it. Jail time is not my bag.

qz

Re:

[tubapro12]

Ya isn't it pretty much in the job description that these are the people with the know-how to do this kind of stuff. After terminating the first they need a new one to start snooping for the old admins "easter eggs".

Re:

[ajanp]

1/3 of them are simply too busy reading /. to trouble themselves with old files.

The other 1/3... well... when I read their thoughts all that was coming through was "deny, deny, deny."

Re:

[grassy_knoll]

1/3rd of IT professionals poke through other employee's files? What are the other 2/3rds up to all day long?

Pr0n?

[badum-ching]

Re:

[dodobh]

1/3rd of IT professionals merely pretend to be real BOFHs. The rest are in your files, compromising your identity.

Re:

[jrockway]

> The rest AR N YUR FLIES, COMPRMISIN UR ID LOL.

Fixed that for you.

Lameness filter encountered. Post aborted!
Reason: Don't use so many caps. It's like YELLING.

Re:

[winnabago]

If someone had asked you a while back if you would ever make a cat macro joke, would you have answered yes? You should feel dirty. I CAN HAS PRVW BTN?

This wouldn't happen at Slashdot's IT, would it?

[buswolley]

Would it?

Re:This wouldn't happen at Slashdot's IT, would it

[drinkypoo]

Well, that could explain what the editors do with their time...

me!

[Anonymous Coward]

I've been hosting http://www.encyclopediadramatica.com/ [encycloped...matica.com] through my old job. They're going under and the server is falling apart.

Re:me!

[Anon-Admin]

The company I work for has a firewall is your site is blocked. It tells me "This site belongs to the XXXXXXXXXXXX defined Internet category "Tasteless" which has restrictions."

I guess Ill have to look at it when I get home. :)

Re:

[Chabo]

Eh... looks like a link-farming site right now. Nothing special.

Re:

[Chabo]

Umm... hmm... it seems that I thought he was replying to a different comment than he actually was. I thought that the site in question was http://www.martianfrontier.com/ [martianfrontier.com], which is the website listed a few comments above under someone's name. I think the comment made by the AC was probably hidden at the time I replied.

Whoops.

Hmmm

[Anon-Admin]

"The survey found that more than one-third of IT professionals admit they could still access their company's network once they'd left their current job,"

This is kind of funny, When the layoffs hit back in 2001 I know of lots of instances where this happened. They lay off the IT staff and expect the systems to magically run them selfs, or expect the janitor to be able to run it all.

But to see that today is a little of a surprise. Maybe they have not hired new IT staff and the equipment is just running on autopilot.

Re:

[dwarfsoft]

I had quite a lot of logins for sites that were active up to 4 months after I left my last job. I could basically log into the website and log a job with them, or log on to an affiliates website and order parts :D. I left on good terms so I never abused this power (although I did log into the accounts every month or so just to check if they were still active).

For all the remote sites that they supported? I have access to their servers still. I haven't logged in to them but I can connect to their session, an

All the more reason....

[Chabo]

All the more reason to put make sure nobody else is snooping on you before you install your backdoor program!

Seperation of powers

[tubapro12]

Like in government (cough cough cough), powers should be divided amongst a number of people i.e. hardware admins, web server admins, database admins, 'maintenance admins', et cetera. But for the majority of places this could easily be too many people. Of course, this is pretty impractical too, and I for one know most admins don't like having obstacles; but after all that's the root of the problem at hand.

default passwords

[grassy_knoll]

From TFA:

Eight percent of respondents noted that they still use the manufacturer's default admin password on critical systems.

Some people are blockheads.
News at 11.

Re:

[Courageous]

I really can't count the number of times I've seen oracle:oracle accounts.

C//

Re:

[grassy_knoll]

What's really bad about username==password is that some protocols, while being relatively open, will still take steps to obscure the password.

So, anyone running a sniffer will see the username, but not the password... unless they're the same damn thing, of course.

Why?

[Hoi Polloi]

The last thing I want to do after spending 8 hours on my company's network is spend my personal time trying to get back onto my company's network.

Thinkgeek knows it too

[Weaselmancer]

They even sell the T-shirt. [thinkgeek.com]

Bad security, even without snooping

[L. VeGas]

In the mid 90's, I switched employers. My former employer was a fairly large medical / toxicology (drug testing) laboratory, and the records were fully searchable by name, SS#, and so on. Around this time, I got a new PC, and left the old one pretty much untouched for several years. About five years later, I fired it up out of curiosity. The terminal emulator shortcut was still there, so I plugged in the modem and was on the laboratory's network within minutes. Full access.

The company has since been bought out and shut down, but that incident has always bugged me.

old work still accessable

[timmarhy]

the private files thing is total bullshit - we don't CARE abotu your dirty emails to your wife.

accessing old work system is true i think... i know i still have access to places i setup 7 years ago, i login once a year to look at the up time on the system. it's nothing more then me checking on how my creation is going, if i saw a problem i'd probably report it to my old boss with a suggested fix.

by the way, it's linux 2.4... 7 years up time on old salvaged hardware.

Re:old work still accessable

[Compholio]

it's nothing more then me checking on how my creation is going, if i saw a problem i'd probably report it to my old boss with a suggested fix.

I would imagine that a lot of employers have actually made the conscious choice to keep people like you online after "termination". After all, who knows when they may need you to fix your creation?

Re:

[timmarhy]

er, it was lastest 2.4 version when i left. can't vouch for it right now though

Re:

[akeyes]

er, it was lastest 2.4 version when i left. can't vouch for it right now though

I'll tell you what... we will wait while you check. (You did say that you still have access.)

Re:

[Miguelito]

the private files thing is total bullshit - we don't CARE abotu your dirty emails to your wife.

Maybe to you and me, but there are people out there that get off on that kind of thing.

There were legendary tales of an employee long ago that used to spend a big part of his/her time reading other people's emails. He/She was never reprimanded in any way (that I ever heard of anyway). The fact that his/her family was supposedly a holder of a LOT of stock probably had something to do with that. :-/

I barely knew said employee, but from the few small interactions I had with him/her.. I believe the stories.

Re:

[timmarhy]

your probably right there are wierdo's like that out there, but TFA quotes 1/3 of IT people read private email... it's just crap there's no way it's that high.

Re:

[jimicus]

if i saw a problem i'd probably report it to my old boss with a suggested fix.

As one IT pro to another... if your former boss doesn't know this, don't do it. There's a strong chance you'll cause far more trouble for yourself than you ever dreamed possible.

Who writes this stuff?

[canada_dry]

"it wasn't corporate policy to allow IT workers to access systems after termination" LOL My organization is implementing RSA two factor authentication http://www.rsa.com/node.aspx?id=1156 [rsa.com] to ensure that network admins can't get access once they leave the company. Without controls like this you just need one digruntled admin to cause you some big headaches.

Re:

[Anonymous Coward]

The same IT department that doesn't turn off a terminated employee's access would be the same one who doesn't turn off access for the employee's token.

These tokens don't magically fix broken IT security policies.

Re:

[Nonesuch]

One nice thing about physical access tokens is you can add them to the security guard's checklist for terminations, just like a laptop, badge/keycard, and company car. You don't turn it in, you don't get your final paycheck.

The same IT department that doesn't turn off a terminated employee's access would be the same one who doesn't turn off access for the employee's token. These tokens don't magically fix broken IT security policies.

But these tokens do have a built-in expiration date, the server doesn'

Re:

[OnlineAlias]

Curiously, Microsoft AD has no such ability. Password policies are set domain wide and there are no exceptions for anyone even with a GPO, a well known limitation of AD.

Let me correct your statement. You have "never seen an AD deployment where a GPO's were making exceptions..."

Re:

[jaseuk]

Grandparent is correct Cannot change password, password never expires etc. are user account properties and can be set on a per-user basis.

Jason.

Re:

[Acer500]

Seconded. You can also set a second Group Policy that overrides the default Group Policy that overrides the default Group Policy for a child domain or OU (I'm not certain if the password policy in particular can be overriden, which might be what the GP was talking about).

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[jombeewoof]

easy enough to set that token to "lost" with a passcode that doesn't expire.
If you're an admin you would certainly have access to the RSA ACE server that allows this.

Re:

[Nonesuch]

easy enough to set that token to "lost" with a passcode that doesn't expire.

I believe that the account will still go dead when the original lost token goes to "expired" state. I've seen event messages to this effect in the audit trail. Not sure about the exact behavior in the latest release.

If you're an admin you would certainly have access to the RSA ACE server that allows this.

Depends on how the ACE/Server is configured. RSA has done a pretty good job with granular permissions (aka "task lists"

Re:

[jombeewoof]

you know what, you're right. I had forgotten that you certain accounts could not be set to lost status. If the token was unavailable you simply could not get in.

Shenanigans!

[laron]

"The survey found that more than one-third of IT professionals admit..."

I find that hard to believe.

Can't be called professional without ethics

[erroneus]

It's just my opinion but I'm sure many will agree with me on that. In every case where a person has privileged access to information as part of their job, there is usually some sort of ethical standard of non-disclosure in place. As an IT manager, I thrust my ethics upon people on a regular basis citing that I do not EVER want to know anything I don't need to know. Usually, it's passwords, but wouldn't that just be the start?

I can't imagine how anyone could consider themselves "professional" without professional standards of behavior to go along with it. Do professionals in all fields get tempted "by the dark side?" Oh yeah... we see it on the news every day.

But at a rate of 33% of IT professionals breeching company trust? That's pretty frightening... it's probably untrue.

Re:

[erroneus]

...that and the closest thing IT has to a "shingle" to hang are certs. I have NO certs. After seeing the kinds of people who chase after and collect certs, I lost all belief that they represent skill or ability.

But you know, for a long long time, "doctors" required no credentials and "dentists" were often the same people that cut your hair. Hell, even electricians have varying levels of certifications that are generally agreed upon. So for as long as people have been pushing for reliable IT credentials,

Re:

[Torvaun]

It said that 33% accessed confidential information while on the job. In some places, it is part of the Admin's job to snoop. No, I don't care about what you want to do to your wife when you get home, or what you want to do to your secret girlfriend while your wife's out of town. I do care that you're spending up to 20% of your time on various porn sites. First and foremost, that is a leading cause of spyware, and that's cause for distress on my network. Then there's the fact that that's not what you're

Re:

[qzulla]

It said that 33% accessed confidential information while on the job. In some places, it is part of the Admin's job to snoop.

Whaoa there, cowboy. It is not our job to snoop. It is managements job to tell us when to snoop. Paper trail in email.

As an admin I don't snoop. I only do what management wants. I keep my systems running. This is my admin role.

I keep the servers up. I keep things rolling. I don't care about what it is I keep rolling. I just keep it going.

If management has issues then I deal wi

Re:

[Torvaun]

...You haven't actually disagreed with anything I said. If management tells you to snoop, you're still going to snoop, and you're going to fall within that 33%. At some places, the IT department is told to always be snooping, because it's just too difficult to try and catch everyone ahead of time, and they were told that their computer use might be monitored when they signed on to this job. Here, it might be a necessary duty to periodically pull router logs, and see who's going where. At some particular

This seems to keep coming up lately...

[Yobgod Ababua]

Your company should have a published policy regarding user privacy and IT, and all members of IT should abide by that policy at all times. (In our case, for files or email, we require the approval of the user themselves or of a department manager and human resources before we go off reading your stuff. We do reserve the right to monitor network traffic at any time, for any reason, but we also make sure your email access runs encrypted over the network...)

In any case, please encourage your local IT Professionals to behave like Professionals. How should they behave, you ask?

Like THIS [lopsa.org].

Anyone who doesn't lock the accounts of ex-root-access employees and change the shared passwords that they had access to is lazy and negligent, bordering on criminally negligent. That's just inexcuseable...

Re:

[sys_mast]

You bring up a good point. Should Email be considered different than say files on a hard drive? Considering that Email could easily and commonly contain personal information, medical or other stuff not work related but private. Or Email could even contain sensitive communications with HR, which would be work related but could easily be personal/sensitive stuff.

Just my $0.02

True enough

[grasshoppa]

From my perspective, this is true enough. There are places that I still have access to that, by all rights, I shouldn't. I log in about once a year to see if I still have access, and if I do, I email the owner/manager of the place to that effect. Last thing I want is for something to go legal and me have a finger in the pie.

Of course, for a few places around here, me still having access is a good thing. Seeing how they call me about once a week because they couldn't follow well laid out documentation on managing the system...but I digress.

Re:

[qzulla]

This is not wise. Go legal? Heh. Once the first thing goes wrong who will be holding the bag?

On every job I have left that is it. I have never tried to log on.

Case closed. Move on.

Emailing the owner/manager of a flaw in the system? Not wise.

It is best to cut the cord and go away.

So you emailed the owner/manager you still had access?

Good luck in court.

qz

Re:

[grasshoppa]

So you emailed the owner/manager you still had access?


Any decent forensic work will turn up that I still have access; From there it's a short hop into believing that I logged in and covered my tracks ( assuming for a moment that I didn't log in at all ). While I agree not logging in is a good idea, they're lack of diligence puts me at risk. Therefore, I chose the course that will provide me with the greatest level of information and legal protection.

It isn't perfect, but it serves.

Re:

[TeraCo]

One of the last things I do when I leave a job is send a mail to my manager listing all of my administrative access and advising that as per security best practices these accounts should be immediately revoked.

A bit of CYA goes a long way.

Wot no exit procedures?

[Colin Smith]

It's almost impossible not to occasionally catch sight of something sensitive when you work in IT; Employee databases, email folders/logs, web browser histories, chat logs etc etc.

More than any other reason, this is why your IT team should be well paid and why duties should be segregated.

Course there should be documented exit procedures for HR and IT when people leave.
 

Re:Wot no exit procedures?

[nine-times]

More than any other reason, this is why your IT team should be well paid and why duties should be segregated.

And also "trustworthiness" really has to be high on your priority list of job-qualifications for IT people. I always tell people, if you can't trust your IT people, you're in trouble.

You might ask why. "Why can't you put security in place that prevents your IT people from accessing the information you don't want them to see?" Well, I'll answer that with another question: who will put that security in place? Inevitably, there will have to be people who put security in place, and whoever that is could leave back-doors for themselves. There will be people who maintain the systems and security, people with powerful logins and passwords, and those people can override your security.

And ultimately, there are accidents. At one company, we can a common spam database for the whole company (years ago). Every piece of spam went into the same place. While looking for false positives in order to see whether the filter needed adjusting, you'd see every e-mail that had a swear word in it. If someone wrote about "f*%king", it was in the spam filter. Every mention of "penis" went in the spam filter. A lot of it was spam, but there was plenty of employee e-mail going around, talking about things they probably didn't want anyone to see.

Also, there were plenty of times where someone invited me to look at their desktop or e-mail in order to help them with something. Like, "hey, can you help me find this e-mail I'm looking for?" I say "yeah," and the e-mail up on the screen is an e-mail about having an affair and an Excel file containing everyone's salaries. It happens!

My point is, even if your IT personnel are honest, they'll probably see sensitive information somehow, even if by accident. Trustworthiness is an important trait. My advice: If you're hiring IT people, it might be good to hire the person you'd feel most comfortable telling all your dirty secrets. If you're just another employee, keep any information on your work computer or pass information through your work systems unless you'd be comfortable with your IT people seeing it. If you must send information from work that you don't want your IT people to see, use a Gmail account, and don't leave your browser open while you're away from your computer.

Re:

[turbidostato]

"who will put that security in place?"

Why, indian engineers we get on green cards, of course. After the job is done, we bury them alive within the datacenter.

We already used that trick on our pyramids.

See it all the time

[phorm]

As the IT guy, I am constantly exposed to data that, personally, I'd rather not see.

A big one is emails. Got an administrative staff member moving to a new computer, one of the things that I have to do is move all his/her email settings to the new machine, and ensure that her mailbox (if it's POP3) and address book make it over. Even if it's something like an IMAP account, I still need to test that the username/password and settings are correct.

Generally in most cases I just catch a glimpse of the mail

Re:

[Phantom Gremlin]

And also "trustworthiness" really has to be high on your priority list of job-qualifications for IT people. I always tell people, if you can't trust your IT people, you're in trouble.

I know it's late to comment on this discussion, but anyway ...

Just how do you measure trustworthiness?

I can discuss things like real vs effective UIDs with people. I can ask them the derivative of x^2. I can even ask them to estimate how many gas stations are in the state of Texas.

But are there reliable ways of measuring how tr

Re:

[nine-times]

Well i guess that's why you have an interview rather than a standardized test. A good manager or HR person should be able to get some kind of a read on people, even if it's not always 100% correct. You know, you see their response to different sorts of questions, check whether they know as much as they claim, and check to see if their resume/cover letter is accurate. You talk to them and hopefully you'll have some sense.

However, I'm not really talking about how you tell people are trustworthy. That's m

Re:

[DragonWriter]

Course there should be documented exit procedures for HR and IT when people leave.

And, a critical step that many places I've seen with "documented procedures" for all kinds of important thing seem to miss: those procedures need to be (1) communicated to those responsible for implementing them, and (2) actually followed consistently.

Document Requests

[bill_mcgonigle]

It's almost impossible not to occasionally catch sight of something sensitive when you work in IT; Employee databases, email folders/logs, web browser histories, chat logs etc etc.

This one is thorny. I actually had a former boss accuse me of snooping through his e-mail after he asked me to look at his e-mail to figure out why he was getting so many spam messages (SpamAssassin was just out at the time and I was writing custom procmail rules for him).

Of course, this was before he turned into a complete ass,

IT people could go to jail

[Anonymous Coward]

The Air Canada vs. Westjet case involved computer espionage and a former employee who kept access to Air Canada's computer system. The result cost Westjet millions. The settlement left no doubt that what Westjet and its employees did was illegal. Illegal, as in someone could end up in jail, that kind of illegal. http://www.lockergnome.com/nexus/news/2006/05/29/w estjet-accepts-blame-settles-with-air-canada-in-es pionage-case/ [lockergnome.com]

Re:

[Anonymous Coward]

The Air Canada vs. Westjet case involved computer espionage and a former employee who kept access to Air Canada's computer system.

Not quite. The former employee was an executive at Air Canada and one of his perks (despite the fact he was leaving Air Canada - quite a golden parachute) was a very large number of free flights on Air Canada for a very long time.

To book his free flights, he was authorized and given access to an internal booking system at Air Canada.

To book his free flights, obviously the system

My solution...

[__aaclcg7560]

I had a supervisor at one company pop up in my cube saying that I was wasting company time by looking at Amazon (which was up on my web browser) and threaten to write me up. With breakfast burrito in hand, I told him I was on my break and to bugger off as I was within policy. After that, I browsed the Internet on my PDA by going through the open wireless access point for the company next door. The virtual keyboard was a pain in the butt for Slashdot posts. :P

Poor Statistics

[Toonol]

almost 25% of respondents knew of another IT staff member who still had access to sensitive networks even though they'd left the company long ago.

That's absolutely meaningless, and including that as a 'result' means that the pollsters are either ignorant or deceptive.

I bet 95% of slashdot readers know a homosexual. What does that say about the frequency of homosexuality? Pretty much nothing. There's overlap (two responders thinking of the same person) and selection bias (25% know of one case of a t

Beyond the files

[Average]

I always found that sysadmins (myself included) tend to acquire keys whenever possible. I don't care if it's just a broom closet, I want to know what's in there. There's a mix of paranoia, extreme curiosity, and helpfulness that come with the profile.

Curiousity herded the cat

[Nonesuch]

I've found as I've gotten older and now have more to lose, I go out of my way to not acquire keys, to not know users passwords, to not have accounts on systems where I don't need them -- I'm just as curious, yet more risk-adverse.

Average wrote: I always found that sysadmins (myself included) tend to acquire keys whenever possible. I don't care if it's just a broom closet, I want to know what's in there. There's a mix of paranoia, extreme curiosity, and helpfulness that come with the profile.

When I want to

Re:

[swb]

My technique for getting keys was to come up with a legitimate need to get into a space and then bug whoever had keys continuously to open the door until they got around to getting me my own set.

For those doors where no key would ever be issued (electrical vaults, restricted building spaces) we would occasionally put a thin metal sheet over the part of the doorjam where the lock went in. Door looked locked from the outside, but actually wasn't. It usually kept the doors available for a while.

The ONE door

Having access after you leave

[nurb432]

And doing someting bad with it are 2 different things.

Passwords

[Otter]

The study also showed that over 50% of workers still keep their passwords on a Post-It note, in spite of all the education the IT security industry to do it differently. And in the don't do-as-I do-dept., more than 50% of respondents admitted to using Post-It notes to store passwords to administrator accounts. One-fifth of all organizations admitted that they rarely changed their administrative passwords with seven percent saying they never change administrative passwords.

I'm skeptical about the snooping (much as I bitch about admins, they're actually remarkably ethical about privacy given the access they have, IME) but that password thing sounds dead on. Whenever they give us the lecture about how keeping track of the login/password combos for 25 different accounts, each rotated every 60-90 days, with mandatory mixed case, numbers and punctuation is easy -- why all you do is make up a little story -- "Mary went to the store to buy milk" becomes h7^Y8U0bs# -- I always ask them for the story to their previous password to the office furniture request page. They splutter about how no, that's a security risk to part with one of their expired stories but I can see the Post-It with the root password in their minds, like I'm Professor Snape.

Re:

[drinkypoo]

They splutter about how no, that's a security risk to part with one of their expired stories but I can see the Post-It with the root password in their minds, like I'm Professor Snape.

I've always written down my new passwords until I memorize them. Then I burn the paper.

If you lose it while you're still memorizing it, you change it quickly :)

But you don't write down what it's for, either...

Re:

[Torvaun]

I have every password needed on the system written down. That piece of paper is in a fireproof safe accessible by me and the head honcho. Now, if I should get hit by a bus while crossing the street, the company is not utterly screwed. I also choose strong passwords, 'e=2.71828', 'answer:42' and other things that are easy to remember, but hard to brute-force. Biggest issue for me is remembering what password goes to which log-in, but that's on the paper if they need it.

Re:

[Acer500]

I have every password needed on the system written down. That piece of paper is in a fireproof safe accessible by me and the head honcho.

Ditto. That's company policy where I work for, we have to change the critical passwords every 6 months - and that's quite lenient, but reasonable considering it's a day of work just changing every badly programmed system that has sensitive passwords hardcoded, and that's AFTER we documented where they have to be changed.

Re:

[mojine]

Good music ...

Telegraph Operators

[Frogbert]

I like to think of myself as a Telegraph Operator. Sure I know peoples secrets, but it would be unprofessional for me to tell them to anyone.

ethics and sociopathy

[obtuse]

Two separate problems here.
Some people are just scum. There are too many of these people in any group.
Some people need rudimentary ethics education. These are the interesting ones.

It's hard to imagine that people just don't think about ethics, but from what I've seen, much of the problem is exactly that. I've seen people who act badly but later with a little education, they actually work hard to behave well. Working with High School students and junior IT staff I found them ethically naive (to be generous)

Maybe this explains Ameritrade spamming

[Equuleus42]

Maybe this explains how so many Ameritrade customers are getting spammed [slashdot.org] with pump-and-dump stock spams... An ex-employee (or hell, even a current employee) could be pocketing quite a bit by selling off their email addresses. This is assuming, of course, that the company isn't doing this itself.

It's called exploration.

[Anonymous Coward]

Which means 2/3rds of IT professionals don't familiarize themselves with the systems they're running.

If you're in IT, and you're an administrator, the company must be able to trust you with ALL DATA! That means ALL FUCKING DATA, not what the top people just think you should or shouldn't be familiar with. If your company is shit and fucks people over daily, IT will know, and IT Will find another job and leave you with some shitty guy who can't even turn a machine on doing your work. Then you get targeted,

It's a problem

[Phil Wherry]

In the security business, a lot of the danger from IT employees comes from a class of attack known as "abuse of authority." It's near-impossible to prevent through technical measures, since the people in question need the elevated privileges in order to do their jobs. A careful program of auditing can often detect these abuses after they've occurred, however.

I had a situation occur a few years ago in which I had to fire a trusted and valuable staff member for snooping through a senior manager's email. Another staff member actually detected this when he printed a copy of the email, and it came out of the printer in his home office even though he was on travel. This came to my attention very quickly, and we reviewed audit logs that we'd put in place earlier and found plenty of evidence of his snooping. It pained me to fire the guy--he was smart, ambitious, and held up really well under pressure. But in the end, I concluded that a slap on the wrist would just send the message to other team members that it was OK to cheat until caught for the first time. I suspect that it was the right move for him, too; our sudden, decisive response to his lapse in judgment doubtless made an impression.

So, some advice to IT managers: ensure that there's an audit trail for all privileged activity. You'll detect and stop abuse if it's going in, and will deter staffers from being tempted to misuse their rights.

Phil

Once upon a time

[bl8n8r]

There was something called integrity. I don't think there is as much of a focus on it anymore as there should be. The focus has shifted into mostly monetary interest; on both the part of the employee and the employer.

Salt for passwords too

[omnirealm]

Not only should the article written by the firm specializing in password security be taken with some salt, but it is also a good idea to add salt [wikipedia.org] to passwords.

Okay, that was a stretch.

Exit Procedures?

[weeble1]

Isn't the Late Friday Afternoon Stealth S***can Ambush Maneuver(tm) still the standard in IT to prevent this kind of thing? You know, where you log off and head out towards the car after a hard week at work when the boss grabs you and takes you into the Tiny Conference Room of Doom(tm), makes you wait ten minutes while he goes and kills your accounts, and THEN comes back in with the empty Office Depot copier paper box? Because that's been SOP at every IT department I've ever worked for. If the exit boots

Its all fair

[Anonymous Coward]

If your company is like the ones I've worked for (in the UK btw), then you are underpaid, undervalued and mistreated. The whole system stinks and you get paid far less than people who've a tenth of your brains. So you try to reclaim a little power over the bastards. You take their passwords and read their email and then use the information against this. You've the right to do this because you can do this. They themselves have adhered to this law by treating you like crap in the first place. What goes around

Re:

[Prog_Burner]

Maybe if you're willing to do that, then you are getting the fair treatment from your company? If you want to be respected and treated as a professonial, act like one. It does go around, good as well as bad.

Why...?

[Telephone Sanitizer]

> The survey found that more than one-third of IT professionals
> admit they could still access their company's network once
> they'd left their current job, with no one to stop them.

Does it seem that people are villainizing the IT guys that left?

Shouldn't the criticism be levied upon the IT guys who REMAIN?

And as for snooping, it's not the snooping that bugs me, but the disclosures that sometimes follow. I was really pissed off when my boss started publicly ripping on me for the quality of some code scraps he found in my documents folder.

I didn't mind that he looked -- I don't expect privacy on a corporate computer. But he used what he found in an attempt to humiliate me (which failed since the rest of the department knew that the code was something that I was reviewing from a new intern).

Oblig. Thompson hack

[Organic User]

I am sure Ken Thompson still has access to Bell Labs' information.

I guess a few of us may be a bit young to remember this one [acm.org].

This has happened too many times...

[SirKron]

I agree with many of the people before me. I do not accept keys to client locations unless I am onsite more than a month. I do not accept domain administrator passwords, I ask for a unique admin account with delegated rights. And I do not snoop into files.

Just recently I went to my boss and told him that our ex-HR person's home directory was wide open. I pointed out to him his hire letter and more from my other collegues. I almost did not approach him about it for fear of repricussions. However, I di

Yes, but why?

[jonadab]

> The survey found that more than one-third of IT professionals admit they could still access their
> company's network once they'd left their current job

Did they say why, or was it a yes-or-no question?

If it were a yes-or-no question, stated along the lines of "If you left your job, would you subsequently still have the ability to access your employer's network?", then I would have to answer "yes", but this has nothing to do with my being a snoop and everything to do with my employer not having anyone

Corporate Snoop? Wearing a tie with cornrows?

[jsolan]

fo shizzle

User sheep

[techpawn]

As a DBA part of what I do is actively monitor outside query executions to relation to server performance. Really wicked looking monitors display this information constantly of the external system, internal users come by asking if I'm able to see what they're doing and I give them the honest answer of "Yes... But you guys aren't that interesting." They automatically assume that because I can be big brother that I AM big brother.
I only monitor specific user activity if they complain of performance problems.

oh duh

[WeeBit]

Cyber-Ark Software, a company that, naturally specializes in password protection.

Maybe they proved their point about access to the departments data. But they didn't prove to me that they accessed the data in order to commit harm to the business. There is maybe a slight number of ex employees that still have access that you probably need to worry about more. Those will be the ones, that would never admit to being able to access the data.

Cyber-Ark Software has a lot to gain by inflating the risk.

Unpatched holes

[billcopc]

It would be interesting to see just how many security holes go unpatched because the new IT guy takes an interest in the vulnerability. For example, let's pretend I'm the big cheese admin leaving the company, and I have a nice little backdoor that I leave open for my own dirty uses. My replacement finds my backdoor, and is faced with a few options:

1. Close the vulnerability and stool me
2. Close the vulnerability and keep quiet (to keep management from panicking)
3. Leave it open and ignore it (unlikely)
4.

For a fast climb up the IT corporate ladder....

[bodland]

Be the security Nazi...watch how fast you get promoted and lavished with praise and money. Here is a template.
In still fear by over promoting the risk.
Hire a aduiting firm to tell you what to do.
Install keyloggers on each workstation and create the corporation's largest database. Then implement a sexy program to find "bad thoughts"
Fire a few people and put the fear in your employees.

Who cares if it has nothing to do with the business...we at war.