IT Pros Can't Resist Peeking At Privileged Info

Posted by samzenpus
from the pandora's-email dept.
Orome1 writes "IT security staff will be some of the most informed people at the office Christmas party this year. A full 26 per cent of them admit to using their privileged login rights to look at confidential information they should not have had access to in the first place. It has proved just too tempting, and maybe just human nature, for them to rifle through redundancy lists, payroll information and other sensitive data including, for example, other people's Christmas bonus details."
  • by InsightIn140Bytes (2522112) on Monday December 05, 2011 @11:38AM (#38267128)
    It's not limited only to your company - this means employees in other services can snoop all they want too. This is why you should never trust cloud services. Hell, even Google employees are secretly snooping your personal emails, XMPP chat logs, Google Voice calls and search queries [gawker.com]. And yet even most Slashdotters think it's perfectly fine to trust everything you have with Google - your search queries, your personal emails, your calls, your contacts, your social network, what you watch on YouTube, what you listen to, where you walk and go (Android) and everything else. Screw the law enforcement requests for info, they can't even keep their own personnel from snooping your personal stuff.

    It's why I will never trust my personal files on the likes of Dropbox and other backup services. People misuse their privileges whenever they can, that's human nature.
    • by masternerdguy (2468142) on Monday December 05, 2011 @11:40AM (#38267152)
      Not true. I have had plenty of access to such information and have always avoided looking at it. It's immoral.
      • by oh-dark-thirty (1648133) on Monday December 05, 2011 @11:44AM (#38267200)

        Nor do I, it would probably just piss me off anyway.

        • by Anonymous Coward on Monday December 05, 2011 @12:02PM (#38267556)
          I admit that I have snooped through the financial information... And you're right, it does piss you off. Company saying they're in financial crisis so they have to freeze all raises, but the executives all get their Christmas bonuses that equal 1/2 my year's salary.. Not sure why I couldn't control myself.. probably I was younger and more immature.. I have full access at my current job to all data, and haven't accessed anything I wasn't supposed to.
          • by Anonymous Coward on Monday December 05, 2011 @12:16PM (#38267742)

            It's not limited to IT either. A friend of mine, who works in HR as a Temp, basically gets work handed to her that other people don't have time to do. This includes expenses, and occasionally allows her to view people's salaries and, scarily, who's getting made redundant. She's a Temp, paid about £16k/y (having been made redundant a few years ago having been making ~22k, she took anything she could get) and has access to her superiors' and co-workers' salaries, expenses and even their original interview records.
            Some would say that's just rubbing her nose in it.
            But the reality is that some companies just circumvent internal rules in order to get things done.

            And all this she freely shares with me as idle chatter.

            • by u38cg (607297) <calum@callingthetune.co.uk> on Monday December 05, 2011 @01:44PM (#38269114) Homepage
              She works in HR. That is the kind of thing HR people know about. Hardly a surprise. How do you think the right amount arrives in your bank every month? And you should suggest to her that it is a good thing for her to keep her mouth shut about it. No, she's not likely to be caught, but if she doesn't have her own internal boundaries, then she will get herself into more trouble somewhere down the line.
              • by DutchSter (150891)

                Even working in HR is not carte blanche to access to everything. A payroll clerk has no need to access my annual performance reviews, job application or disciplinary history. Furthermore once my pay information has been entered into the system the payroll clerk has no need to look it up absent a change request, processing error or a complaint.

                At my employer audit, HR, and security are held to much higher standards than everyone else. HR clerks have been fired for transgressions that might only result in

      • by 1s44c (552956) on Monday December 05, 2011 @11:47AM (#38267262)

        Not true. I have had plenty of access to such information and have always avoided looking at it. It's immoral.

        Strongly agree. Plus if caught it destroys the trust that keeps them paying you, and it won't bring you happiness on any level anyway.

        Anytime a person tells another person how much they get paid one of them gets very pissed off. You are better off not knowing.

        • by CapnStank (1283176) on Monday December 05, 2011 @11:50AM (#38267324) Homepage
          I disagree.... a person lacking confidence would probably be pissed no matter what and was just looking for validation. My friends and I in the same field openly discuss our wages/benefits only to know what's available out there. Am I getting screwed? Why is my pay lower? Is the grass *really* greener? No one openly gets upset with it.
          • by oh-dark-thirty (1648133) on Monday December 05, 2011 @11:54AM (#38267420)

            Sure, in the same field I can understand, I do that too....I just don't want to know that the lazy sales guy down the hall makes double what I do for taking a few phone calls. Even though I already know intuitively, and by the fact his car cost half as much as my house.

            • by Anonymous Coward on Monday December 05, 2011 @12:30PM (#38267992)
              If sales is so easy why don't you do it? The answer to that question is the reason why he makes more than you.
              • by DeadCatX2 (950953) on Monday December 05, 2011 @12:48PM (#38268246) Journal

                If sales is so easy why don't you do it? The answer to that question is the reason why he makes more than you.

                Because I have a soul that I'm not willing to compromise in order to treat other human beings as a source of revenue?

                • by Anonymous Coward on Monday December 05, 2011 @01:57PM (#38269312)

                  It all seems fair to me.
                  You have your soul.
                  He has his Bugatti Veyron.

                • Re: (Score:3, Insightful)

                  by Mister Whirly (964219)
                  So you don't get a paycheck from any other human beings?
                  • by DeadCatX2 (950953) on Monday December 05, 2011 @02:38PM (#38270094) Journal

                    Oh come on, you know what I meant.

                    A good salesman has no concern for your wants or needs. His only concern is convincing you that you need something which he has for sale, often something that you never even knew you "needed" before the salesman began talking to you. They exploit weaknesses of the human condition in order to benefit themselves.

                    That is quite different from my paycheck. My employer has a need, and had that need before I was hired. I do not exploit my employer's weaknesses to convince them that they need to pay me.

                    • by Mister Whirly (964219) on Monday December 05, 2011 @02:49PM (#38270352) Homepage
                      Does the company you work for produce goods or services? If so , does your company have a salesperson to sell the goods/services to customers?

                      Where do you think the money that pays your paycheck comes from?
                    • by laparel (930257)

                      A good salesman builds relationships.

                      That's done by addressing your client's needs and wants while providing solid service. A salesman's only true asset are the relationships he has forged.

                      If you think sales is all about exploiting people, you won't last long.

                    • by DeadCatX2 (950953) on Monday December 05, 2011 @03:13PM (#38270786) Journal

                      LOL, for what it's worth, most of my salary comes from small business research grants. But I still don't see what you're trying to get at. I'm not the salesman, because I can't tell people they need something when they don't.

                      I actually worked at a brick-and-mortar retail store for a while, and my managers hated me, because even though I had a great deal of knowledge about all of the products, I would only ever sell the customer exactly what they asked me for nothing more. My hours were eventually reduced to one day per week, in effect forcing me to quit as there was no way I could make what I needed to make.

                      Perhaps you're claiming that my soul is compromised anyway, because I might collect paychecks that are somehow derived from soul-less sales associates? That still seems like a red herring, though. My job is to make things that people might want. Sales' job is to get those products into customers' hands. And I don't care if someone in sales makes more than me, because I don't have to treat people like they aren't human beings in order to do my job.

              • by kiwimate (458274) on Monday December 05, 2011 @12:52PM (#38268304) Journal

                I just don't want to know that the lazy sales guy down the hall makes double what I do for taking a few phone calls

                If sales is so easy why don't you do it? The answer to that question is the reason why he makes more than you.

                This seconded. If he makes so much money, it's either because he's raking it in on commission, in which case he's certainly earning it, or someone thinks he's worth a large retainer. If he's still there after six months or a year and still getting paid that much, guess what - apparently he is worth it.

                The GP's post is just as asinine as a sales guy who wonders why IT guys make so much money "just for clicking the next button every so often when they have to install software". Or "web site design? Pfft, my kid can do web site design, that's not worth $50k a year."

                • by Anonymous Coward on Monday December 05, 2011 @02:12PM (#38269532)

                  The problem with sales commissions is that sales guys never get their commissions reduced by the cost of additional support needed to fix the customer problems caused because they sales guys sold them features that don't exist. Commissions are usually based on the size of the deal, so the bigger deal is always preferable, and the aftermath becomes someone else's problem. (Usually those guys "just clicking buttons").

                  If software sales techniques were applied elsewhere:

                  Customer: I want a car.
                  Salesguy: Sure. We've got cars.
                  C: It must be fast.
                  S: We have one with a 600HP motor and awesome aerodynamics.
                  C: It must go round corners like it's on rails.
                  S: We have sports suspension.
                  C: I need to carry my large family around.
                  S: Yeah, we know how to make minivans.
                  C: I really enjoy off-roading.
                  S: So you need 4WD, big wheels and high suspension. No problem.
                  C: I care about the environment.
                  S: Our engineers have made a car that gets 45mpg. No problem.
                  C: It must be really comfortable
                  S: Leather and Luxury are what we're known for.
                  C: I need a lot of cargo space because I'm in construction.
                  S: We have pick-up trucks.
                  C: Oh, six vehicles? I really don't have room for six.
                  S: Our engineers could easily make all of that into one vehicle.
                  C: Really? That would be awesome. I'll take one. (Opens wallet, picture of family falls out)
                  S: You'll never get to drive it though - your wife will love it!
                  C: Good point, I'll take 2. Make hers a convertible.
                  S: Hey, that's a good looking family you've got there.
                  C: That's my daughter Kate, she's just started driving. Oh, make it 3 cars. Can I get them before her birthday next week?
                  S: No problem!
                  -------------------
                  Later:
                  S: Engineering!!!!

                • by roguegramma (982660) on Monday December 05, 2011 @03:25PM (#38271004) Journal

                  You never know what the IT guy is worth until you replace him. Preferably with someone new on the job.

                  And then you go and complain about schools, and ask for more H1B visa ;-)

                  It is also very hard for the IT guy to know what he is worth.

                  For the sales guy it is easy because he just adds up all money he has raked in. Probably he will even have a tendency to overestimate because he doesn't know at what cost the company is producing its goods and services.

                  A manager with access to financial data knows when the company is doing well financially, and knows when his pay is tiny in comparison to the turnover of his department.

                  Both are obviously in a better position to negotiate, unless the IT guy analyzes the company's data, for which most IT guys neither have the time nor the desire.

                  75% didn't look at confidential data, and of the 25% who admitted to peeking, you don't know how much they strayed from their tasks.

          • by 1s44c (552956) on Monday December 05, 2011 @11:59AM (#38267508)

            I disagree.... a person lacking confidence would probably be pissed no matter what and was just looking for validation. My friends and I in the same field openly discuss our wages/benefits only to know what's available out there. Am I getting screwed? Why is my pay lower? Is the grass *really* greener? No one openly gets upset with it.

            You have a point. I was thinking about talking about pay with people who do a similar job in the same company. Everywhere I've ever worked pay had nothing to do with skills or work throughput but only how much you demanded when they interviewed you and how old you are. I'm really glad I became a contractor because permanent staff are just abused.

        • by somersault (912633) on Monday December 05, 2011 @12:17PM (#38267768) Homepage Journal

          Yeah I think the headline is a bit lame. It should read "most IT pros don't look at confidential info". I don't really have any interest in looking at confidential files when it's not required for the job. I also just have a personal sense of morality and honour that makes me want to live up to the responsibility that I have being able to do anything I want on the network.

          Let some "normal" users know that they have full admin access for the whole network for the day and see if 75% of them can resist having a peek around.

        • by SecurityGuy (217807) on Monday December 05, 2011 @12:20PM (#38267818)

          You might be better off not knowing what the guy in the next cube gets paid, but you're probably much better off knowing what the reasonable salary range for the job you do is. If you're towards the top and getting tiny raises, you can be comforted knowing it's not because you're not respected, but because you're already well compensated. If you're towards the bottom and are actually good at what you do, perhaps you should be pushing for that raise or looking for an exit.

          • by nblender (741424) on Monday December 05, 2011 @04:54PM (#38272482)

            The guy in the cube next to me made substantially more than me. We did the same job, worked on the same code, similar education, probably equally valued by the company... After the office was closed down by head office, I asked my ex-manager, wtfup with the salary inequity? His response was "You were paid less because Corporate deemed you less of a flight-risk."

            It's not about value, talent, experience, etc. It's about how little can they pay you and still keep you around.

      • by DarKnyht (671407) on Monday December 05, 2011 @11:48AM (#38267286)

        We are quickly finding ourselves in a society where we lack an absolute morality authority. Therefore what is immoral for you may or may not be immoral to others. In other words, we are reaping the fruits of a society where all ideas are given equal worth. Where we are not to condemn someone because what they do is right from their point of view.

        • by StikyPad (445176) on Monday December 05, 2011 @12:07PM (#38267618) Homepage

          I disagree. I don't think the problem is a lack of moral authority, but that people's decision making is based on risk/reward, of which morality is but one aspect. The risk of dying will usually outweigh the intrinsic reward of being moral, for example. So when there's little or no risk of being caught, it boils down to whether it's more intrinsically rewarding to adhere to your morals or to satisfy your curiosity, or even to leverage your ill-gotten knowledge for your advantage. To solve that problem, you have to either entrust the people with access to the information (which makes sense to me), or somehow shift the risk/reward balance.

        • by erroneus (253617) on Monday December 05, 2011 @12:42PM (#38268156) Homepage

          Indeed. What's more, it is easily demonstrated that those who are least inhibited by their morals get the farthest, the most, the biggest, the best of whatever.

          I'm with all the moralists out there personally. I know there are things I'm better off not knowing and prefer to leave it at that. But I also see who gets 'more' or 'better' and why. And those are the very same people with morality issues and are more capable than I am of doing immoral things. Another commenter on this general thread points out there are lying company leaders cutting back and capping salary increases while they continue to pay themselves increasing amounts and tell the company personnel they are in "hard times." These *ARE* immoral people and are shining examples of what I am talking about.

          But you have to be more than immoral to get ahead... you also have to be clever enough not to let anyone know what you know and how to put that knowledge to good use. You have to be a really good sociopath to really get ahead in a meaningful way.

      • by Anonymous Coward on Monday December 05, 2011 @11:51AM (#38267346)

        have always avoided looking at it. It's immoral.

        Luckily most agree with you.. but it only takes one to steal your personal information.

      • Not true. I have had plenty of access to such information and have always avoided looking at it. It's immoral.

        I'm in the same situation. I dunno about immoral, but it's definitely unethical, not to mention, snooping could land me in serious legal trouble to boot.
        I'm sure there are people who do this though, probably those of the "gossip" mindset who just have to nose into everything and everyone's business. That's just not my thing, don't care.

      • by SecurityGuy (217807) on Monday December 05, 2011 @12:18PM (#38267784)

        +1.

        The only time I've looked at such information was when it was in a database I was required to work on and seeing it was simply unavoidable. It was one of those prepackaged deals where you can't select just the fields you want, you see it all. In other words, not what most of you would call a database, but a non-IT pro friendly consumer package. Not my choice. Anyway, I saw the data and never breathed a word of it to anyone.

        It's simple ethics. It's also worth noting that 26% of people doing it means 74% aren't. Ethics aren't dead.

        • by Penguinisto (415985) on Monday December 05, 2011 @12:43PM (#38268166) Journal

          Agreed, and would like to add spam filtering to the pile. Training the filters effectively (to weed out false positives, catch the sneakier spam, etc) means seeing practically everyone's inbound emails until the initial tuning is done, and once in a great while after that for maintenance and upkeep. You just maintain the confidentiality required to know that yeah it's ugly and it's in there, but it's nobody's business. I only interacted with these mails enough to make my job more effective, and after that it all got forgotten and ignored.

          Doing this helped me better tune the filters to block the political crap (DU, Limbaugh, etc) while at the same time allowing exceptions for a couple of execs in the company who actually did lobby in Washington DC, the state capital, etc. It allowed me to block the dating site and sex site emails (you'd be amazed unless you're an email admin, in which case you'd probably know already) while at the same time allowing the usual spousal romantic emails.

          I didn't give a damn about the messages - I was in there to analyze content in order to catch spammers. The result was a happier group of employees who rarely if ever saw any spam, but at the same time could do most things within reason and company policy (it was fairly loose) and not lose any email.

          I considered the whole thing subject to the same confidentiality restrictions as a doctor - yeah, you see the naughty bits in the full glory, but so what? You've got a job to do, so there's no real time or cause for you to be titillated, angry, outraged, or whatever. If you are, there'd better be a cause to inform the corp legal department and then the cops, because otherwise you're obviously not doing your job.

          All said and done, at least in this aspect the AUP covers it perfectly - expect the contents of any email or data on the company wires to be seen by anyone. Of course that doesn't mean you get to go snooping around - violating trust is a great way to obliterate a career. OTOH, don't expect it to remain a perfect secret, either, because not all of us are going to be as professional about it.

          • I considered the whole thing subject to the same confidentiality restrictions as a doctor

            And this is probably the sort of attitude we should be adopting. IT sort of has the back door keys to everything, since we are the people who write the code and maintain the servers.

            On the flip side, one could also assume that the boss's secretary now has less access to this same privileged information, so the number of peeking eyes hasn't increased, but simply changed departments.
      • You may not, but it only takes one person to leak information. As the adage says, information wants to be free: the natural state of something that is trivial to copy is widely dispersed. If you want something to remain confidential, restrict who has access to it. Or, to put it more simply, the best way to keep a secret is not to tell people...
    • by sgbett (739519)

      Some don't. Doesn't make for much of a story though, that.

    • Re: (Score:2, Interesting)

      by Anonymous Coward
      That's a bit of an overgeneralization though. My boss at my last job used to do this all the time. Blatantly. He'd call me over to look at an e-mail someone had sent. I explained to him that it made me uncomfortable, but he'd still try to get me to join in the invasion of privacy with him time-after-time. However, I always refused and never went any further than I needed to to get the job done. The article says about 1 in 4 admins do this, so it would seem only a minority abuse their privileges whenever the
      • by b0bby (201198)

        That's a bit different; if the owner or boss wants you to look at an email on *their system* it's authorized. I have had to do this & while I told them I wasn't comfortable doing it, I did it anyway. What I haven't done is do that without authorization - as others have said, it's not right.

        • by 1s44c (552956)

          That's a bit different; if the owner or boss wants you to look at an email on *their system* it's authorized. I have had to do this & while I told them I wasn't comfortable doing it, I did it anyway. What I haven't done is do that without authorization - as others have said, it's not right.

          That is highly questionable. You don't ignore your duty to the law or to what you know to be right just because your boss tells you to. Or rather you shouldn't.

    • by Anrego (830717) *

      And yet even most Slashdotters think it's perfectly fine to trust everything you have with Google - your search queries, your personal emails, your calls, your contacts, your social network, what you watch on YouTube, what you listen to, where you walk and go (Android) and everything else.

      I know I do! At least up until that "and everything else".

      I agree more people need to be aware of this and make a decision as to whether they are fine with it. Personally I assume everything you list can be observed by any number of people and have made a mostly informed decision that I really don't care. Anything I _don't_ want people snooping into stays on my encrypted drives in my local machines.. or if it does out on the net, is in an encrypted container.

    • This same argument applies to your own IT department though. I'm really not sure which is a greater abuse.

      The local IT admin can snoop your data. I suppose the Google employees can do it too. However, I'd imagine the local IT admin would probably have more incentive to look me up. To Google employees, I'm anonymous.

      Then there's the issue of trust and security and process. Most of the 'cloud' companies have the money to spend on security and process and guarantees. They also fear potential lawsuits.

      Whi

    • "There's a whole bunch of trust involved. There's a lot of data inside Google, and I'm willing to bet some of it is really valuable. But for me and the people I worked with, it was never worth looking at."

      People joke with me that I must be reading their email. I tell them I have enough trouble keeping up with my own email, and besides that, we NEVER read user's mail unless it's specifically necessary to troubleshoot something relating to their account.

      What the hell is with Slashdot lately? Did the sy

      • by Pieroxy (222434)

        What the hell is with Slashdot lately?

        The thing is that everything in the story is true. Yes, there are admins abusing their privileges. Do you really doubt it? I mean, come on, look around.

        And those guys do taint the perception of the population toward us. And that's life, and there is nothing anyone can do about it.

        Being aware helps explain this perception, and it's a good thing to keep in mind.

    • by sloth jr (88200)
      Working at a cloud vendor, I can tell you that using privileged access to view information outside of one's job duties is a firing offense in our shop. We take it very seriously.
      • I'd be more interested to learn if your company has any controls regarding access to privileged data. Is admin access logged (in immutable logs)? Are those logs reviewed by someone outside the sysadmin group? Is there a work order / trouble ticket / other reason logged against each instance of admins accessing client data?
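A worked illustration of the controls asked about above, as an added example that is not from the original thread or any vendor's product: a hash-chained privileged-access log in Python whose head hash is anchored out of band, plus the check a reviewer outside the admin group would run for client-data reads that lack a ticket and for after-the-fact edits. Admin names, tickets and client names are constructed.

```python
import hashlib
import json
from typing import Optional, Tuple

# Hash of the empty chain; the first entry links to this.
GENESIS_HASH = "0" * 64


def entry_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous hash and a canonical encoding of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append_entry(log: list, record: dict) -> dict:
    """Append a record, chaining it to the current head of the log."""
    prev_hash = log[-1]["hash"] if log else GENESIS_HASH
    entry = {"prev": prev_hash, "record": record, "hash": entry_hash(prev_hash, record)}
    log.append(entry)
    return entry


def verify_chain(log: list, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Walk the chain and return (ok, index of the first broken entry).

    The chain alone only proves the entries are consistent with each other.
    To prove the log was not rewritten wholesale, the reviewer compares the
    final hash with a head hash published somewhere the admin group cannot
    write (expected_head, supplied out of band).
    """
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(log):
        if entry["prev"] != prev_hash or entry["hash"] != entry_hash(prev_hash, entry["record"]):
            return False, i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, len(log)
    return True, None


def client_data_reads_without_ticket(log: list) -> list:
    """Every read of client data must reference a work order or ticket."""
    return [
        e["record"]
        for e in log
        if e["record"].get("action") == "read_client_data" and not e["record"].get("ticket")
    ]


# Constructed sample records (hypothetical admins, tickets and clients).
SAMPLE_RECORDS = [
    {"ts": "2011-12-05T11:38:00Z", "admin": "alice", "action": "read_client_data", "client": "acme", "ticket": "WO-1042"},
    {"ts": "2011-12-05T11:40:00Z", "admin": "bob", "action": "restart_service", "host": "mail01", "ticket": "WO-1043"},
    {"ts": "2011-12-05T12:02:00Z", "admin": "bob", "action": "read_client_data", "client": "initech", "ticket": ""},
]


def build_sample_log() -> list:
    log = []
    for record in SAMPLE_RECORDS:
        append_entry(log, record)
    return log


def review_sample() -> dict:
    """What a reviewer outside the sysadmin group would compute from the sample log."""
    log = build_sample_log()
    head = log[-1]["hash"]  # published out of band at write time
    ok_before, _ = verify_chain(log, head)
    flagged = client_data_reads_without_ticket(log)

    # An admin who later edits the offending entry to add a ticket breaks the chain.
    tampered = json.loads(json.dumps(log))  # deep copy
    tampered[2]["record"]["ticket"] = "WO-9999"
    ok_edited, bad_index = verify_chain(tampered, head)

    # Recomputing every hash after the edit makes the chain self-consistent
    # again, which is why the head must be anchored outside the admins' reach.
    rewritten = []
    for e in tampered:
        append_entry(rewritten, e["record"])
    ok_rewritten_unanchored, _ = verify_chain(rewritten)
    ok_rewritten_anchored, _ = verify_chain(rewritten, head)

    return {
        "intact": ok_before,
        "untracked_reads": [r["admin"] for r in flagged],
        "edit_detected": not ok_edited,
        "first_bad_entry": bad_index,
        "rewrite_passes_unanchored": ok_rewritten_unanchored,
        "rewrite_fails_anchored": not ok_rewritten_anchored,
    }
```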
    • by i.r.id10t (595143)

      You should read "Scroogled" by Cory Doctorow ... http://blogoscoped.com/archive/2007-09-17-n72.html [blogoscoped.com]

  • by eldavojohn (898314) * <eldavojohnNO@SPAMgmail.com> on Monday December 05, 2011 @11:40AM (#38267154) Journal
    Oh come on, let he who hasn't gotten a massive data rager throw the first stone. So you're telling me that when you're doing a database dump of all your employee's payroll data and you see those beautiful digits paired with a sensual home address and foxy expiration date that you don't pitch a tent right there on the spot? I'm man enough to admit that I've had to walk around cubeland holding a notebook in front of me after taking a selfish glance at a naughty excel spreadsheet filled with transaction after hawt transaction of coffee mugs and pens. As if you've never had to spend your lunch break firing off a few knuckle children in the handi stall of the men's room when you stumbled across every customer's wishlist of your office supply products! Someone actually got to see everyone's Christmas bonus details? Pass the Kleenexes!

    The United States' cultural suppression of natural and healthy sexuality just makes me ill sometimes.
  • Only 26%? (Score:3, Interesting)

    by netwarerip (2221204) on Monday December 05, 2011 @11:42AM (#38267174)
    I find that hard to believe. I would have put it well above 50. Years back I ran an MDaemon mail server and let users have the IM client. Was pretty interesting reading, to say the least.
    • Re: (Score:3, Funny)

      by Anonymous Coward

      Read the full sentence: Only 26% admit. The other 74% deny everything :)

      • by ackthpt (218170)

        Read the full sentence: Only 26% admit. The other 74% deny everything :)

        Fair point. I know people who I know have peeked. I once put a (I'm such an awful stinker) hook into a program where a certain person was looked up on a certain workstation and it flashed an alarming notice, effectively that the user was caught and authorities were being notified. It scared the heck out of the perpetrator (she had a crush on someone and kept bringing up his personal record) and put an end to the behavior. Nobody was harmed or fired over this; an ounce of prevention was effective enough.

    • by 1s44c (552956)

      I find that hard to believe. I would have put it well above 50. Years back I ran an MDaemon mail server and let users have the IM client. Was pretty interesting reading, to say the least.

      You sir, are a sleazebag.

      If you want to know who is having an affair with whom, just look for correlation in holidays and sick leave; you don't need to abuse the IT systems. You should be spending your time doing your job though, or trolling /. obviously.

  • by DigiShaman (671371) on Monday December 05, 2011 @11:47AM (#38267260) Homepage

    As a consultant who works for a managed service provider, this tells me one thing. If you're snooping around other people's crap, firstly, you're a punk. Second, you have too much time on your hands. Even if you stumble upon data you shouldn't be aware of, it's best to not make it a priority to remember it. And if by chance you have a photographic memory, don't say shit about it to anyone. It's none of your damn business really! You're supposed to be a professional in the industry. Act the part please.

  • Bad setup (Score:5, Insightful)

    by ender- (42944) <doubletwist&fearthepenguin,net> on Monday December 05, 2011 @11:48AM (#38267268) Homepage Journal

    If your IT/Security staff can rifle through your sensitive data, you're doing it wrong.

    I have no ability to access the data in our HR or Financial systems. Only the HR and Financial folks do. *MAYBE* the DBAs could look at that data, but even if so they'd have to sift through the raw data or come up with their own queries. And I'm pretty sure a lot of that information is encrypted.

    • Re:Bad setup (Score:5, Informative)

      by HogGeek (456673) on Monday December 05, 2011 @11:56AM (#38267450)

      ^This

      The security team should be setting policy and doing audits, not being "the privileged ones"!

    • by Njovich (553857)

      If you are in security and serious about it, then you probably can get access to most systems in your company that you care about. Probably also know how not to get caught. Especially for smaller or less technical organizations.

      But, paraphrasing from the BOFH, we have the internet with all the knowledge, pornography, movies, music in the world. Do you really think I'd spend my time going through some accountant's email?

    • I'm pretty sure a lot of that information is encrypted.

      Given the popularity of identity-based encryption, it is possible that IT staff have access to data that was encrypted, since they probably control the key generation service. Where I am now, secret keys are issued by IT staff and we do not even use IBE. It is unfortunate, but for most people setting up, maintaining, and using decentralized cryptosystems is beyond what they are technically capable of or willing to do.

    • by Kamiza Ikioi (893310) on Monday December 05, 2011 @12:22PM (#38267858) Homepage

      I'm not saying that what you say is impossible, but it is not very feasible unless you have a very special setup which few companies actually have. In most cases, someone ultimately has the keys to the kingdom. The best most can do is restrict this to as few as possible.

      Encrypted DBs won't stop a DBA. The reason is that if you fire an employee, someone has to revoke keys and assign new ones. Someone with the authority to revoke and assign keys can view anything they want, anytime they want.

      The only method that is possible is where 2 or more people are needed to use their key to access the information. If you have 3 security IT people, you need to create a situation where at least 2 are needed to unlock something.

      And let's not overlook the fact that such systems are not usually set up and audited by a 3rd party.

      It's not that they are doing it wrong, it's that without a 3rd party setting up the system you can't have that kind of security at all. The best setup would even require that a 3rd party become the key authority, yet have no direct access to company data whatsoever, and only hand over keys directly to the personnel they are assigned to.

      Still, does this stop a determined administrator who disables AV and installs a key logger on a workstation? No. Granted, that's probably criminal, and at least the 3rd party + dual key authentication system stops casual data breaches.

      Most businesses don't have a budget for such things. They take the view, and I'm inclined to agree, that if you don't trust staff who have high level access, you shouldn't have hired them in the first place. As someone to whom people bring in personal laptops to fix on occasion, most users are aware that I can see everything on their machine. It's not that I can look that worries them, but whether I'll keep my mouth shut if I do happen to see something. I was told in no uncertain terms recently that a laptop was brimming with porn. But, they trusted that I would not be sending out a company memo entitled, "Looky what I found on X's laptop!"

      Businesses often feel the same way. Casual breaches do happen as part of authorized work. For instance, if a payroll file becomes corrupted, I'd have to look at the file. They just want you to shut up about what you see and/or forget what you saw. That's what they mean by trusted. Like any trusted friend, it's not about what secrets you know, but what secrets you can be relied upon to keep.

    • Security, always makes me laugh ...

      Is your building secure? Well I suspect you have these people who can wander in any time, even when no-one else is around, and have complete access and keys to all parts of the building ... they are called cleaners and probably are on minimum wage

      The company who runs your security system can probably bypass it anytime they want to, and enter the building undetected

      and you worry about your own vetted employees ...?

  • Facebook (Score:5, Interesting)

    by Gavin Scott (15916) on Monday December 05, 2011 @11:48AM (#38267274)

    I recall reading an article that said that all of Facebook's (then) hundreds of programmers all have full access to the live system data. Especially on top of the announcement that they want to double their employees in the next year or whatever, it sort of makes it hopeless to expect any sort of privacy there if anyone actually gets interested in you.

    G.

    • Re:Facebook (Score:5, Insightful)

      by 1s44c (552956) on Monday December 05, 2011 @12:04PM (#38267584)

      I recall reading an article that said that all of Facebook's (then) hundreds of programmers all have full access to the live system data. Especially on top of the announcement that they want to double their employees in the next year or whatever, it sort of makes it hopeless to expect any sort of privacy there if anyone actually gets interested in you.

      Facebook is and always has been a privacy disaster.

  • They see you when you're sleeping...they know when you've been bad or good...and when you've been sleeping around...and with whom.
  • by Dakiraun (1633747) <dakiraun@ya[ ].com ['hoo' in gap]> on Monday December 05, 2011 @11:49AM (#38267300) Homepage
    I find a common problem with companies that have large IT departments is that too many users in those departments have "admin" level rights, which increases temptation and curiosity exponentially. Tighter controls on who needs elevated privileges and specifically where those privileges are needed are a way to help minimize exposure of sensitive data. On the other end of the problem, education is also helpful because most people who would go peeking likely don't understand the ramifications of that action should it be discovered. Have I ever done it as a professional? No. I'll admit, it was very tempting in a past firm since I had access to everything and I knew there were layoffs, salary changes and such going on. Curiosity does not get the better of me though when it means crossing ethical lines, and even if that were not true, I was well aware of the legal fallout that could happen were I to be aware of that information. The same could not be said though for other IT employees with the same access. In this situation, the access we had was certainly not necessary.
  • red button (Score:3, Funny)

    by Anonymous Coward on Monday December 05, 2011 @11:51AM (#38267340)

    don't forget there are IT guys outside the corporate world:

    http://xkcd.com/898/

  • It seems like the majority of the people could actually be trusted. So the solution to a problem like this is to restrict the access of the other 26%, reassign them, or fire them. (That's not precisely what the survey in TFA said about the percentages, but the point is still the same.)

    • by ceoyoyo (59147)

      You want to fire the ones who told the truth?

      Remember, this was a survey. 26% admitted they snooped. The other 74% denied it.

  • One of the cons pulled by the Fortune 1000 over the last decade or so has been to employ H-1bs in positions where the company is testing the limits of the law and they don't want that information subpoenaed -- and simply repatriating the H-1b when time comes to "shred". They do this by pretending to reduce IT salaries, knowing full well that that kind of fraud (using the H-1b provision to lower labor costs) is winked at by the FBI.

    However, what they don't count on is that the hapless H-1b IT guy is actually

  • by ackthpt (218170) on Monday December 05, 2011 @12:05PM (#38267592) Homepage Journal

    It's one thing to peek, which is bad...

    It's quite another to share it, through gossip, careless revelation or horrors passing on to nefarious individuals with criminal intent in their black hearts.

  • by synthesizerpatel (1210598) on Monday December 05, 2011 @12:06PM (#38267598)

    Lieberman Software, a security and identification software vendor.

    Yeah. Sounds like a completely scientific report with no bias to me.

  • by tverbeek (457094) on Monday December 05, 2011 @12:06PM (#38267614) Homepage

    I've never had the interest + time to go snooping. But early in my career I used my "privileged" position as the company PC tech, to look at a document that one of the executive admin assistants had neglected to put away when I came to install some software on her computer. As I swapped disks my eyes wandered and I saw this list of people, all of whom had recently been laid off, except for a few names at the bottom that had a line through them. Mine was one of those. I started looking for a new job at that point.

  • Not shocked (Score:5, Insightful)

    by TheCarp (96830) <sjc AT carpanet DOT net> on Monday December 05, 2011 @12:08PM (#38267634) Homepage

    I work in healthcare IT, and my mother was an X-Ray tech for years, until about 15 years ago.

    Even back when she was in the hospital, she saw people getting slapped and fired for it. Whenever someone famous came in, Princess Di was one of the big ones that I heard of, someone would go look up that person's info who shouldn't have, and of course, for famous people they would audit, and people got caught.

    Now? Now you get flagged for all manner of things (I don't know exactly what, but it is well known that it includes looking up family members or people living on your own street etc) and it's automatic. We have training on "Ethical Standards" every year, which talks about all of these records access issues. Still... I hear the single most common reason for anyone at the hospital getting fired is.... you guessed it.... inappropriate records access.

    Here in MA they have the "CORI" system for doing criminal records checks. You are supposed to need consent to search it for someone's info...unless you are a police officer doing his job or that sort of thing. Some auditing was done a while back and they found absolutely RAMPANT abuse. Police looking up their neighbors, looking up spouses, ex-girlfriends etc. (this was several years back... no idea if anything came of it...can't find any articles on it anymore)

    The problem is a very human one.

  • The people "peeking" at info are by definition Not Professional.
  • It is tempting to know what others in my company make, but it's just not worth the risk of getting caught & losing a good job.
  • and they lie on surveys and in interviews!

    Seriously though - I've got plenty of chances. I could get so much information from some places that I could likely walk into a very comfortable position elsewhere, but I have no want to. This company treats me well, they gave me a job when no one else would, and I'm happy here.

  • by vlm (69642) on Monday December 05, 2011 @12:14PM (#38267720)

    Just follow management's leadership, as in many other things.
    If you work for a place where morals and ethics are #1 above all else, then follow their lead.
    If you work for a place where the almighty dollar is #1 and morals and ethics are for suckers and fools (most corporations), then follow their lead.

    Whatever you do, don't get caught doing something you'd not want to be on the evening news.

    Note that it's a lot like having a police scanner or listening to mobile phone calls, or intercepting POCSAG digital pagers. Sounds technologically fascinating. It, in fact, IS technologically fascinating. Then you get the ability to do so, and it is boring beyond belief. Gossip monger types are always going to be gossip monger types and the addition or removal of technology will not change them. "Golly, person A is having an affair with person B, using some high tech pager or whatever". Ditto the non gossip monger types are not going to be very interested, beyond the interesting nature of the new technology itself. "Golly, this 8 bit A/D decoder sure works a heck of a lot better on noisy signals than a 1-bit data slicer for POCSAG decoding, look at the borderline SNR on this page about some dork's affair or whatever."

    I worked at a place decades ago where part of the job was to monitor old fashioned PCM T1 analog phone lines on occasion. Signed lots of secrecy papers to do it. Sounded cool, before I had to do it. It was boring as hell, trust me. I kind of miss listening for slips and echo can malfunctions in this VOIP era. Another funny one was listening for ulaw vs alaw encoding malfunctions on international ckts. And verbal fighting with vendors who couldn't understand the 80 different types of E+M signalling. Good times, I guess, but not from listening to boring phone calls.

  • by Todd Knarr (15451) on Monday December 05, 2011 @12:22PM (#38267850) Homepage

    I tried to avoid looking at that kind of information when I had that kind of access. Firstly, I was usually too busy. I had plenty of authorized work to deal with, and if I had free time I had plenty of personal projects that didn't involve digging through the data. Second, it usually wasn't worth it. I've had to do plenty of company-ordered digging through people's accounts, and the interesting stuff just isn't worth digging through the weapons-grade "I did not need to know that..." material. And thirdly, it again wasn't worth it. I don't like to lie to conceal what I know, and for every useful item that directly affected me there were dozens of things that either weren't useful (I already knew my manager made twice what I did, knowing he makes exactly 2.13x as much... pfffft) or didn't affect me. It was easier overall if I honestly didn't know those things in the first place.

    The dirty little secret is that most of the time everyone knows who's doing the unauthorized snooping. But management won't order an investigation because they're under the delusion that what they don't officially know about can't hurt the company. And besides the inevitable need to bleach their brains afterwards, all the front-line admins know that if they go initiating an investigation management will come down on them if they find anything. Even if the investigation was fully justified. Whatever it is needs to be pretty major to be worth the drama, angst and pain that'll result. And I don't see management's attitudes changing any time soon.

  • Nuclear War (Score:5, Funny)

    by kbielefe (606566) <karl.bielefeldt+ ... noSpAM.gmail.com> on Monday December 05, 2011 @12:23PM (#38267868)

    That's why I think nuclear armageddon won't be started by heads of state and their military advisors, but by some disrespected IT guy who constantly has to reset the passwords to the launch codes.

  • I call "bullshit". (Score:4, Interesting)

    by Dagmar d'Surreal (5939) on Monday December 05, 2011 @12:23PM (#38267872) Journal
    Lieberman Software is in the business of selling IT security products. Is it really that hard to believe that they've sufficient incentive to "creatively restate" the parameters of their testing in order to sell more product? Bias matters, and that study is not unbiased.

    Net-security.org, for their part, are only inflaming matters further by restating things in an even more inflammatory manner.

    Basically, you need to ask something that this article neglects to question: Did 26% of the respondents merely say they were aware of other employees *using* the shared passwords, or did it specifically detail abuse of a shared password to gain unauthorized access to information that, ethically speaking, they shouldn't be going anywhere near? Both of those cases are considered felonies, by the way. It's very easy for someone to argue that *any* shared password use is an "abuse" and that any information access from that point is "illicit"--but without knowing specifically what question was asked, these "results" are more likely just a distortion of fact in order to sell products and services.

    I am personally aware of shared passwords in many organizations. I am also occasionally privy to information I shouldn't be--specifically, people's emails. The key difference being, I *don't want to know*. I, and thousands of admins like me, wind up seeing your boring little emails while trying to figure out why they didn't arrive in your inbox already. Over time, we develop the ability to be self-redacting and immediately forget what was just on our screens--because not being able to do that means being burdened with other people's secrets that you'd feel better not knowing. This is a far, far cry from the sort of "abuse" this report pretends to show, but vendors loooove to construe one as the other in order to sell service contracts.

    Frankly, this doesn't sound any more realistic than the old one about employees giving up their passwords for a candy bar. What you don't get told about those is that the employees are usually being told they have to give their password up to their immediate supervisor, and not being given any guidance as to why they're being directly ordered to violate company policy. In most offices, people who ignore direct orders being given by a live person over something written on a policy paper tend to suffer bouts of sudden and chronic unemployment--so... plenty of reason to "violate policy" there; normally "secure" employees are going to capitulate for that kind of request. Then the people doing the "analysis" stand around later and say "oh my gosh people give up their passwords for no reason!". I've personally been given such a request in the past, and frankly, since I was being directly instructed to do so, I turned over a hand-written copy of my password on the form provided...or at least, what my password was at that specific moment in time. Since I'm a twisted bastard I made up a new password just for them, set it in the system and then filled in the blank. ...and since the one written down was now "compromised", I then made up another password and changed it in the system again. I was unamused to find out later that someone was doing this as a "survey".

    Don't be a gullible noob. Trust no "survey" coming from a vendor selling a related product unless you are being shown the exact details of the survey--because they're going to lie about it. Of that you can be sure.
  • This is news ? (Score:5, Interesting)

    by mbone (558574) on Monday December 05, 2011 @12:41PM (#38268138)

    The switchboard was listening in to calls 100 years ago. The mail room was looking at letters 150 years ago. Heck, I'm sure the equivalent was going on in ancient Sumer (sneaking a peek at those sealed clay tablets). "The help" is always going to eavesdrop. Not all of them, not all the time, but it happens.

  • by Casca (4032) on Monday December 05, 2011 @01:51PM (#38269222) Journal

    This might sound a little naive, but if I don't have any interaction with the people looking at my stuff, I don't care that much. Obviously the amount I care will slide depending on what the material is, but in general, I don't really care.

    That said, if they look intentionally, they should be fired. There is no excuse, they are breaking a code of trust, and are obviously too immature to handle the position they are in.

  • by billybob_jcv (967047) on Monday December 05, 2011 @02:06PM (#38269458)

    ... was combing through the new server-side SPAM filter to look for false positives and forward "legitimate" email to the rightful owners. I saw racist jokes sent between executives and their buddies, wives & girlfriends talking dirty and scheduling "play dates", job hunting employees, back-stabbing gossip and internal/external confidential information. Payroll information would have been the least of the issues...

  • by roguegramma (982660) on Monday December 05, 2011 @02:44PM (#38270244) Journal

    Management has access to this information as well and no one can complain.

  • by sandytaru (1158959) on Monday December 05, 2011 @03:54PM (#38271478) Journal
    One time I was working on someone's PC at a country club and there was a paper list tacked onto the wall next to the desk of all the deadbeats who still owed back money and wouldn't be allowed to attend any events or go golfing until they paid up. Printed on paper, plain as day. I didn't mean to look at it, but the computer was rebooting after a software upgrade and when a PC is merely rebooting my instinct is to glance at the BIOS and then let Windows do its thing. My eyes wandered and just happened to look at the list.
