IT Pros Can't Resist Peeking At Privileged Info 388
Orome1 writes "IT security staff will be some of the most informed people at the office Christmas party this year. A full 26 per cent of them admit to using their privileged log in rights to look at confidential information they should not have had access to in the first place. It has proved just too tempting, and maybe just human nature, for them to rifle through redundancy lists, payroll information and other sensitive data including, for example, other people's Christmas bonus details."
Re:This is why I will never trust cloud services (Score:5, Insightful)
Comment removed (Score:4, Insightful)
Re:This is why I will never trust cloud services (Score:5, Insightful)
Not true. I have had plenty of access to such information and have always avoided looking at it. It's immoral.
Strongly agree. Plus if caught is destroys the trust that keeps them paying you, and it won't bring you happiness on any level anyway.
Anytime a person tells another person how much they get paid one of them gets very pissed off. You are better off not knowing.
Bad setup (Score:5, Insightful)
If your IT/Security staff can rifle through your sensitive data, you're doing it wrong.
I have no ability to access the data in our HR or Financial systems. Only the HR and Financial folks do. *MAYBE* the DBAs could look at that data, but even if so they'd have to sift through the raw data or come up with their own queries. And I'm pretty sure a lot of that information is encrypted.
Re:This is why I will never trust cloud services (Score:5, Insightful)
We are quickly finding ourselves in a society where we lack an absolute morality authority. Therefore what is immoral for you may or may not be immoral to others. In other words, we are reaping the fruits of a society where all ideas are given equal worth. Where we are not to condemn someone because what they do is right from their point of view.
Loose Controls and too many admins (Score:5, Insightful)
Re:This is why I will never trust cloud services (Score:5, Insightful)
Re:This is why I will never trust cloud services (Score:5, Insightful)
have always avoided looking at it. It's immoral.
Luckily most agree with you.. but it only takes one to steal your personal information.
Re:This is why I will never trust cloud services (Score:5, Insightful)
Sure, in the same field I can understand, I do that too....I just don't want to know that the lazy sales guy down the hall makes double what I do for taking a few phone calls. Even though I already know intuitively, and by the fact his car cost half as much as my house.
Re:This is why I will never trust cloud services (Score:5, Insightful)
Re:Facebook (Score:5, Insightful)
I recall reading an article that said that all of Facebook's (then) hundreds of programmers all have full access to the live system data. Especially on top of the announcement that they want to double their employees in the next year or whatever, it sort of makes it hopeless to expect any sort of privacy there if anyone actually gets interested in you.
Facebook is and always has been a privacy disaster.
One thing to look... (Score:4, Insightful)
It's one thing to peek, which is bad...
It's quite another to share it, through gossip, careless revelation or horrors passing on to nefarious individuals with criminal intent in their black hearts.
This report brought to you by... (Score:5, Insightful)
Lieberman Software, a security and identification software vendor.
Yeah. Sounds like a completely scientific report with no bias to me.
Re:This is why I will never trust cloud services (Score:5, Insightful)
I disagree. I don't think the problem is a lack of moral authority, but that people's decision making is based on risk/reward, of which morality is but one aspect. The risk of dying will usually outweigh the intrinsic reward of being moral, for example. So when there's little or no risk of being caught, it boils down to whether it's more intrinsically rewarding to adhere to your morals or to satisfy your curiosity, or even to leverage your ill-gotten knowledge for your advantage. To solve that problem, you have to either entrust the people with access to the information (which makes sense to me), or somehow shift the risk/reward balance.
Not socked (Score:5, Insightful)
I work in healthcare IT, and my mother was an X-Ray tech for years, until about 15 years ago.
Even back when she was in the hospital, she saw people getting slapped and fired for it. Whenever someone famous came in, Princess Di was one of the big ones that I heard of, someone would go look up that persons info who shouldn't have, and of course, for famous people they would audit, and people got caught.
Now? Now you get flagged for all manner of things (I don't know exactly what, but it is well known that it includes looking up family members or people living on your own street etc) and its automatic. We have training on "Ethical Standards" every year, which talks about all of these records access issues. Still... I hear the single most common reason for anyone at the hospital getting fired is.... you guessed it.... inappropriate records access.
Here in MA they have the "CORI" system for doing criminal records checks. You are supposed to need consent to search it for someones info...unless you are a police officer doing his job or that sort of thing. Some auditing was done a while back and they found absolutely RAMPANT abuse. Police looking up their neighbors, looking up spouses, ex-girlfriends etc. (this was several years back... no idea if anything came of it...can't find any articles on it anymore)
The problem is a very human one.
Re:This is why I will never trust cloud services (Score:5, Insightful)
Yeah I think the headline is a bit lame. It should read "most IT pros don't look at confidential info". I don't really have any interest in looking at confidential files when it's not required for the job. I also just have a personal sense of morality and honour that makes me want to live up to the responsibility that I have being able to do anything I want on the network.
Let some "normal" users know that they have full admin access for the whole network for the day and see if 75% of them can resist having a peek around.
Re:This is why I will never trust cloud services (Score:5, Insightful)
+1.
The only time I've looked at such information was when it was in a database I was required to work on and seeing it was simply unavoidable. It was one of those prepackaged deals where you can't select just the fields you want, you see it all. In other words, not what most of you would call a database, but a non-IT pro friendly consumer package. Not my choice. Anyway, I saw the data and never breathed a word of it to anyone.
It's simple ethics. It's also worth noting that 26% of people doing it means 74% aren't. Ethics aren't dead.
Re:This is why I will never trust cloud services (Score:5, Insightful)
You might be better off not knowing what the guy in the next cube gets paid, but you're probably much better off knowing what the reasonable salary range for the job you do is. If you're towards the top and getting tiny raises, you can be comforted knowing it's not because you're not respected, but because you're already well compensated. If you're towards the bottom and are actually good at what you do, perhaps you should be pushing for that raise or looking for an exit.
Not feasible for most businesses. (Score:5, Insightful)
I'm not saying that what you say is impossible, but it is not very feasible unless you have a very special setup which few companies actually have. In most cases, someone ultimately has the keys to the kingdom. The best most can do is restrict this to as few as possible.
Encrypted DB's won't stop a DBA. The reason is that if you fire an employee, someone has to revoke keys and assign new ones. Someone with the authority to revoke and assign keys can view anything they want, anytime they want.
The only method that is possible is where 2 or more people are needed to use their key to access the information. If you have 3 security IT people, you need to create a situation where at least 2 are needed to unlock something.
And let's not overlook the fact that such systems are not usually set up and audited by a 3rd party.
It's not that they are doing it wrong, it's that without a 3rd party setting up the system you can't have that kind of security at all. The best setup would even require that a 3rd party become the key authority, yet have no direct access to company data whatsoever, and only hand over keys directly to the personnel they are assigned to.
Still, does this stop a determined administrator who disabled AV and installs a key logger on a workstation? No. Granted, that's probably criminal, and at least the 3rd party + dual key authentication system stops casual data breaches.
Most businesses don't have a budget for such things. They take the view, and I'm inclined to agree, that if you don't trust staff who have high level access, you shouldn't have hired them in the first place. As someone who people bring in personal laptops in to fix on occasion, most users are aware that I can see everything on their machine. It's not that I can look that worries them, but that I'll keep my mouth shut if I do happen to see something. I was told in no uncertain terms recently, that a laptop was brimming with porn. But, they trusted that I would not be sending out a company memo entitled, "Looky what I found on X's laptop!"
Businesses often feel the same way. Casual breaches do happen as part of authorized work. For instance, if a payroll file becomes corrupted, I'd have to look at the file. They just want you to shut up about what you see and/or forget what you saw. That's what they mean by trusted. Like any trusted friend, it's not about what secrets you know, but what secrets you can be relied upon to keep.
Re:This is why I will never trust cloud services (Score:5, Insightful)
Re:This is why I will never trust cloud services (Score:0, Insightful)
Oh, I forgot. It's the worst thing ever when the government regulates the economy, but when individual corporations screw with their employees, it is totally cool.
Re:This is why I will never trust cloud services (Score:5, Insightful)
Indeed. What's more, it is easily demonstrated that those who are least inhibited by their morals get the farthest, the most, the biggest, the best of whatever.
I'm with all the moralists out there personally. I know there are things I'm better off not knowing and prefer to leave it at that. But I also see who gets 'more' or 'better' and why. And those are the very same people with morality issues and are more capable than I am of doing immoral things. Another commenter on this general thread points out there are lying company leaders cutting back and capping salary increases while they continue to pay themselves increasing amounts and tell the company personnel they are in "hard times." These *ARE* immoral people and are shining examples of what I am talking about.
But you have to be more than immoral to get ahead... you also have to be clever enough not to let anyone know what you know and how to put that knowledge to good use. You have to be a really good sociopath to really get ahead in a meaningful way.
Morality vs. Secrecy (Score:2, Insightful)
It is not ethical that things like compensation for labor should be secret. That practice perpetuates unjustifiable inequalities. The only thing unethical about accessing such information is your breach of prior agreement to perpetuate that unethical situation. While that _is_ subjectively unethical, accessing such information is not objectively unethical. There is a concept of "Open Books" management wherein not only is such information freely available to all employees, their frequent viewing of it is encouraged.
I used to work in a business admin office where as a necessary component of everyone's jobs, we had to deal with salary information, yet there was a running joke that the fastest way to ensure your termination was to walk into the hallway and holler your salary -- even though every last person in the room would have known it already. That really put the absurdity of this secrecy practice into crystal clarity.
Re:This is why I will never trust cloud services (Score:4, Insightful)
If sales is so easy why don't you do it? The answer to that question is the reason why he makes more than you.
Because I have a soul that I'm not willing to compromise in order to treat other human beings as a source of revenue?
Re:This is why I will never trust cloud services (Score:5, Insightful)
I just don't want to know that the lazy sales guy down the hall makes double what I do for taking a few phone calls
If sales is so easy why don't you do it? The answer to that question is the reason why he makes more than you.
This seconded. If he makes so much money, it's either because he's raking it in on commission, in which case he's certainly earning it, or someone thinks he's worth a large retainer. If he's still there after six months or a year and still getting paid that much, guess what - apparently he is worth it.
The GP's post is just as asinine as a sales guy who wonders why IT guys make so much money "just for clicking the next button every so often when they have to install software". Or "web site design? Pfft, my kid can do web site design, that's not worth $50k a year."
Re:This is why I will never trust cloud services (Score:5, Insightful)
Re:This is why I will never trust cloud services (Score:4, Insightful)
The whole fucking point of the free market is informed actors making rational decisions.
--Jeremy
Re:This is why I will never trust cloud services (Score:3, Insightful)
Re:This is why I will never trust cloud services (Score:5, Insightful)
Oh come on, you know what I meant.
A good salesman has no concern for your wants or needs. His only concern is convincing you that you need something which he has for sale, often something that you never even knew you "needed" before the salesman began talking to you. They exploit weaknesses of the human condition in order to benefit themselves.
That is quite different from my paycheck. My employer has a need, and had that need before I was hired. I do not exploit my employer's weaknesses to convince them that they need to pay me.
Re:This is why I will never trust cloud services (Score:4, Insightful)
Where do you think the money that pays your paycheck comes from?
Re:This is why I will never trust cloud services (Score:5, Insightful)
LOL, for what it's worth, most of my salary comes from small business research grants. But I still don't see what you're trying to get at. I'm not the salesman, because I can't tell people they need something when they don't.
I actually worked at a brick-and-mortar retail store for a while, and my managers hated me, because even though I had a great deal of knowledge about all of the products, I would only ever sell the customer exactly what they asked me for nothing more. My hours were eventually reduced to one day per week, in effect forcing me to quit as there was no way I could make what I needed to make.
Perhaps you're claiming that my soul is compromised anyway, because I might collect paychecks that are somehow derived from soul-less sales associates? That still seems like a red herring, though. My job is to make things that people might want. Sales' job is to get those products into customers' hands. And I don't care if someone in sales makes more than me, because I don't have to treat people like they aren't human beings in order to do my job.