Forgot your password?
typodupeerror
Privacy Security IT Your Rights Online

IT Pros Can't Resist Peeking At Privileged Info 388

Posted by samzenpus
from the pandora's-email dept.
Orome1 writes "IT security staff will be some of the most informed people at the office Christmas party this year. A full 26 per cent of them admit to using their privileged log in rights to look at confidential information they should not have had access to in the first place. It has proved just too tempting, and maybe just human nature, for them to rifle through redundancy lists, payroll information and other sensitive data including, for example, other people's Christmas bonus details."
This discussion has been archived. No new comments can be posted.

IT Pros Can't Resist Peeking At Privileged Info

Comments Filter:
  • by masternerdguy (2468142) on Monday December 05, 2011 @11:40AM (#38267152)
    Not true. I have had plenty of access to such information and have always avoided looking at it. It's immoral.
  • by DigiShaman (671371) on Monday December 05, 2011 @11:47AM (#38267260) Homepage

    As a consultant who works for a managed service provider, this tells me one thing. If you're snooping around other peoples crap, firstly, you're punk. Second, you have too much time on your hands. Even if you stumble upon data you shouldn't be aware of, it's best to not make it a priority to remember it. And if by chance you have a photographic memory, don't say shit about it to anyone. It's none of your damn business really! You're supposed to be a professional in the industry. Act the part please.

  • by 1s44c (552956) on Monday December 05, 2011 @11:47AM (#38267262)

    Not true. I have had plenty of access to such information and have always avoided looking at it. It's immoral.

    Strongly agree. Plus if caught is destroys the trust that keeps them paying you, and it won't bring you happiness on any level anyway.

    Anytime a person tells another person how much they get paid one of them gets very pissed off. You are better off not knowing.

  • Bad setup (Score:5, Insightful)

    by ender- (42944) <doubletwist@@@fearthepenguin...net> on Monday December 05, 2011 @11:48AM (#38267268) Homepage Journal

    If your IT/Security staff can rifle through your sensitive data, you're doing it wrong.

    I have no ability to access the data in our HR or Financial systems. Only the HR and Financial folks do. *MAYBE* the DBAs could look at that data, but even if so they'd have to sift through the raw data or come up with their own queries. And I'm pretty sure a lot of that information is encrypted.

  • by DarKnyht (671407) on Monday December 05, 2011 @11:48AM (#38267286)

    We are quickly finding ourselves in a society where we lack an absolute morality authority. Therefore what is immoral for you may or may not be immoral to others. In other words, we are reaping the fruits of a society where all ideas are given equal worth. Where we are not to condemn someone because what they do is right from their point of view.

  • I find a common problem with companies that have large IT departments is that too many users in those departments have "admin" level rights, which increases temptation and curiosity exponentially. Tighter controls on who needs elevated privileges and specifically where those privileges are needed are a way to help minimize exposure of sensitive data. On the other end of the problem, education is also helpful because most people who would go peeking likely don't understand the ramifications of that action should it be discovered. Have I ever done it as a professional? No. I'll admit, it was very tempting in a past firm since I had access to everything and I knew there were layoffs, salary changes and such going on. Curiosity does not get the better of me though when it means crossing ethical lines, and even if that were not true, I was well aware of the legal fallout that could happen where I to be aware of that information. The same could not be said though for other IT employees with the same access. In this situation, the access we had was certainly not necessary.
  • by CapnStank (1283176) on Monday December 05, 2011 @11:50AM (#38267324) Homepage
    I disagree.... a person lacking confidence would probably be pissed no matter what and was just looking for validation. My friends and I in the same field openly discuss our wages/benefits only to know what's available out there. Am I getting screwed? Why is my pay lower? Is the grass *really* greener? No one openly gets upset with it.
  • by Anonymous Coward on Monday December 05, 2011 @11:51AM (#38267346)

    have always avoided looking at it. It's immoral.

    Luckily most agree with you.. but it only takes one to steal your personal information.

  • by oh-dark-thirty (1648133) on Monday December 05, 2011 @11:54AM (#38267420)

    Sure, in the same field I can understand, I do that too....I just don't want to know that the lazy sales guy down the hall makes double what I do for taking a few phone calls. Even though I already know intuitively, and by the fact his car cost half as much as my house.

  • by Anonymous Coward on Monday December 05, 2011 @12:02PM (#38267556)
    I admin that I have snooped through the financial information... And your right, it does piss you off. Company saying their in financial crises so they have to freeze all raises, but the executives all get their christmas bonuses that equal 1/2 my year salary.. Not sure why I couldn't control myself.. probably I was younger and more immature.. I have full access at my current job to all data, and haven't accessed anything I wasn't suppose to.
  • Re:Facebook (Score:5, Insightful)

    by 1s44c (552956) on Monday December 05, 2011 @12:04PM (#38267584)

    I recall reading an article that said that all of Facebook's (then) hundreds of programmers all have full access to the live system data. Especially on top of the announcement that they want to double their employees in the next year or whatever, it sort of makes it hopeless to expect any sort of privacy there if anyone actually gets interested in you.

    Facebook is and always has been a privacy disaster.

  • by ackthpt (218170) on Monday December 05, 2011 @12:05PM (#38267592) Homepage Journal

    It's one thing to peek, which is bad...

    It's quite another to share it, through gossip, careless revelation or horrors passing on to nefarious individuals with criminal intent in their black hearts.

  • by synthesizerpatel (1210598) on Monday December 05, 2011 @12:06PM (#38267598)

    Lieberman Software, a security and identification software vendor.

    Yeah. Sounds like a completely scientific report with no bias to me.

  • by StikyPad (445176) on Monday December 05, 2011 @12:07PM (#38267618) Homepage

    I disagree. I don't think the problem is a lack of moral authority, but that people's decision making is based on risk/reward, of which morality is but one aspect. The risk of dying will usually outweigh the intrinsic reward of being moral, for example. So when there's little or no risk of being caught, it boils down to whether it's more intrinsically rewarding to adhere to your morals or to satisfy your curiosity, or even to leverage your ill-gotten knowledge for your advantage. To solve that problem, you have to either entrust the people with access to the information (which makes sense to me), or somehow shift the risk/reward balance.

  • Not socked (Score:5, Insightful)

    by TheCarp (96830) <sjc@nospAm.carpanet.net> on Monday December 05, 2011 @12:08PM (#38267634) Homepage

    I work in healthcare IT, and my mother was an X-Ray tech for years, until about 15 years ago.

    Even back when she was in the hospital, she saw people getting slapped and fired for it. Whenever someone famous came in, Princess Di was one of the big ones that I heard of, someone would go look up that persons info who shouldn't have, and of course, for famous people they would audit, and people got caught.

    Now? Now you get flagged for all manner of things (I don't know exactly what, but it is well known that it includes looking up family members or people living on your own street etc) and its automatic. We have training on "Ethical Standards" every year, which talks about all of these records access issues. Still... I hear the single most common reason for anyone at the hospital getting fired is.... you guessed it.... inappropriate records access.

    Here in MA they have the "CORI" system for doing criminal records checks. You are supposed to need consent to search it for someones info...unless you are a police officer doing his job or that sort of thing. Some auditing was done a while back and they found absolutely RAMPANT abuse. Police looking up their neighbors, looking up spouses, ex-girlfriends etc. (this was several years back... no idea if anything came of it...can't find any articles on it anymore)

    The problem is a very human one.

  • by somersault (912633) on Monday December 05, 2011 @12:17PM (#38267768) Homepage Journal

    Yeah I think the headline is a bit lame. It should read "most IT pros don't look at confidential info". I don't really have any interest in looking at confidential files when it's not required for the job. I also just have a personal sense of morality and honour that makes me want to live up to the responsibility that I have being able to do anything I want on the network.

    Let some "normal" users know that they have full admin access for the whole network for the day and see if 75% of them can resist having a peek around.

  • by SecurityGuy (217807) on Monday December 05, 2011 @12:18PM (#38267784)

    +1.

    The only time I've looked at such information was when it was in a database I was required to work on and seeing it was simply unavoidable. It was one of those prepackaged deals where you can't select just the fields you want, you see it all. In other words, not what most of you would call a database, but a non-IT pro friendly consumer package. Not my choice. Anyway, I saw the data and never breathed a word of it to anyone.

    It's simple ethics. It's also worth noting that 26% of people doing it means 74% aren't. Ethics aren't dead.

  • by SecurityGuy (217807) on Monday December 05, 2011 @12:20PM (#38267818)

    You might be better off not knowing what the guy in the next cube gets paid, but you're probably much better off knowing what the reasonable salary range for the job you do is. If you're towards the top and getting tiny raises, you can be comforted knowing it's not because you're not respected, but because you're already well compensated. If you're towards the bottom and are actually good at what you do, perhaps you should be pushing for that raise or looking for an exit.

  • by Kamiza Ikioi (893310) on Monday December 05, 2011 @12:22PM (#38267858) Homepage

    I'm not saying that what you say is impossible, but it is not very feasible unless you have a very special setup which few companies actually have. In most cases, someone ultimately has the keys to the kingdom. The best most can do is restrict this to as few as possible.

    Encrypted DB's won't stop a DBA. The reason is that if you fire an employee, someone has to revoke keys and assign new ones. Someone with the authority to revoke and assign keys can view anything they want, anytime they want.

    The only method that is possible is where 2 or more people are needed to use their key to access the information. If you have 3 security IT people, you need to create a situation where at least 2 are needed to unlock something.

    And let's not overlook the fact that such systems are not usually set up and audited by a 3rd party.

    It's not that they are doing it wrong, it's that without a 3rd party setting up the system you can't have that kind of security at all. The best setup would even require that a 3rd party become the key authority, yet have no direct access to company data whatsoever, and only hand over keys directly to the personnel they are assigned to.

    Still, does this stop a determined administrator who disabled AV and installs a key logger on a workstation? No. Granted, that's probably criminal, and at least the 3rd party + dual key authentication system stops casual data breaches.

    Most businesses don't have a budget for such things. They take the view, and I'm inclined to agree, that if you don't trust staff who have high level access, you shouldn't have hired them in the first place. As someone who people bring in personal laptops in to fix on occasion, most users are aware that I can see everything on their machine. It's not that I can look that worries them, but that I'll keep my mouth shut if I do happen to see something. I was told in no uncertain terms recently, that a laptop was brimming with porn. But, they trusted that I would not be sending out a company memo entitled, "Looky what I found on X's laptop!"

    Businesses often feel the same way. Casual breaches do happen as part of authorized work. For instance, if a payroll file becomes corrupted, I'd have to look at the file. They just want you to shut up about what you see and/or forget what you saw. That's what they mean by trusted. Like any trusted friend, it's not about what secrets you know, but what secrets you can be relied upon to keep.

  • by Anonymous Coward on Monday December 05, 2011 @12:30PM (#38267992)
    If sales is so easy why don't you do it? The answer to that question is the reason why he makes more than you.
  • by Anonymous Coward on Monday December 05, 2011 @12:33PM (#38268026)
    Where are the free market capitalists to jump all over this? A free market assumes a system of free information with regard to pricing. Having rules against discussing wages is just another way to try to manipulate the job market.

    Oh, I forgot. It's the worst thing ever when the government regulates the economy, but when individual corporations screw with their employees, it is totally cool.
  • by erroneus (253617) on Monday December 05, 2011 @12:42PM (#38268156) Homepage

    Indeed. What's more, it is easily demonstrated that those who are least inhibited by their morals get the farthest, the most, the biggest, the best of whatever.

    I'm with all the moralists out there personally. I know there are things I'm better off not knowing and prefer to leave it at that. But I also see who gets 'more' or 'better' and why. And those are the very same people with morality issues and are more capable than I am of doing immoral things. Another commenter on this general thread points out there are lying company leaders cutting back and capping salary increases while they continue to pay themselves increasing amounts and tell the company personnel they are in "hard times." These *ARE* immoral people and are shining examples of what I am talking about.

    But you have to be more than immoral to get ahead... you also have to be clever enough not to let anyone know what you know and how to put that knowledge to good use. You have to be a really good sociopath to really get ahead in a meaningful way.

  • by Anonymous Coward on Monday December 05, 2011 @12:43PM (#38268162)

    It is not ethical that things like compensation for labor should be secret. That practice perpetuates unjustifiable inequalities. The only thing unethical about accessing such information is your breach of prior agreement to perpetuate that unethical situation. While that _is_ subjectively unethical, accessing such information is not objectively unethical. There is a concept of "Open Books" management wherein not only is such information freely available to all employees, their frequent viewing of it is encouraged.

    I used to work in a business admin office where as a necessary component of everyone's jobs, we had to deal with salary information, yet there was a running joke that the fastest way to ensure your termination was to walk into the hallway and holler your salary -- even though every last person in the room would have known it already. That really put the absurdity of this secrecy practice into crystal clarity.

  • by DeadCatX2 (950953) on Monday December 05, 2011 @12:48PM (#38268246) Journal

    If sales is so easy why don't you do it? The answer to that question is the reason why he makes more than you.

    Because I have a soul that I'm not willing to compromise in order to treat other human beings as a source of revenue?

  • by kiwimate (458274) on Monday December 05, 2011 @12:52PM (#38268304) Journal

    I just don't want to know that the lazy sales guy down the hall makes double what I do for taking a few phone calls

    If sales is so easy why don't you do it? The answer to that question is the reason why he makes more than you.

    This seconded. If he makes so much money, it's either because he's raking it in on commission, in which case he's certainly earning it, or someone thinks he's worth a large retainer. If he's still there after six months or a year and still getting paid that much, guess what - apparently he is worth it.

    The GP's post is just as asinine as a sales guy who wonders why IT guys make so much money "just for clicking the next button every so often when they have to install software". Or "web site design? Pfft, my kid can do web site design, that's not worth $50k a year."

  • by u38cg (607297) <calum@callingthetune.co.uk> on Monday December 05, 2011 @01:44PM (#38269114) Homepage
    She works in HR. That is the kind of thing HR people know about. Hardly a surprise. How do you think the right amount arrives in your bank every month? And you should suggest to her that it is a good thing for her to keep her mouth shut about it. No, she's not likely to be caught, but if she doesn't have her own internal boundaries, then she will get herself into more trouble somewhere down the line.
  • by scot4875 (542869) on Monday December 05, 2011 @02:04PM (#38269420) Homepage

    The whole fucking point of the free market is informed actors making rational decisions.

    --Jeremy

  • by Mister Whirly (964219) on Monday December 05, 2011 @02:26PM (#38269792) Homepage
    So you don't get a paycheck from any other human beings?
  • by DeadCatX2 (950953) on Monday December 05, 2011 @02:38PM (#38270094) Journal

    Oh come on, you know what I meant.

    A good salesman has no concern for your wants or needs. His only concern is convincing you that you need something which he has for sale, often something that you never even knew you "needed" before the salesman began talking to you. They exploit weaknesses of the human condition in order to benefit themselves.

    That is quite different from my paycheck. My employer has a need, and had that need before I was hired. I do not exploit my employer's weaknesses to convince them that they need to pay me.

  • by Mister Whirly (964219) on Monday December 05, 2011 @02:49PM (#38270352) Homepage
    Does the company you work for produce goods or services? If so , does your company have a salesperson to sell the goods/services to customers?

    Where do you think the money that pays your paycheck comes from?
  • by DeadCatX2 (950953) on Monday December 05, 2011 @03:13PM (#38270786) Journal

    LOL, for what it's worth, most of my salary comes from small business research grants. But I still don't see what you're trying to get at. I'm not the salesman, because I can't tell people they need something when they don't.

    I actually worked at a brick-and-mortar retail store for a while, and my managers hated me, because even though I had a great deal of knowledge about all of the products, I would only ever sell the customer exactly what they asked me for nothing more. My hours were eventually reduced to one day per week, in effect forcing me to quit as there was no way I could make what I needed to make.

    Perhaps you're claiming that my soul is compromised anyway, because I might collect paychecks that are somehow derived from soul-less sales associates? That still seems like a red herring, though. My job is to make things that people might want. Sales' job is to get those products into customers' hands. And I don't care if someone in sales makes more than me, because I don't have to treat people like they aren't human beings in order to do my job.

The use of anthropomorphic terminology when dealing with computing systems is a symptom of professional immaturity. -- Edsger Dijkstra

Working...