IT Pros Can't Resist Peeking At Privileged Info
Orome1 writes "IT security staff will be some of the most informed people at the office Christmas party this year. A full 26 per cent of them admit to using their privileged log in rights to look at confidential information they should not have had access to in the first place. It has proved just too tempting, and maybe just human nature, for them to rifle through redundancy lists, payroll information and other sensitive data including, for example, other people's Christmas bonus details."
This is why I will never trust cloud services (Score:5, Informative)
It's why I will never trust my personal files on the likes of Dropbox and other backup services. People misuse their privileges whenever they can, that's human nature.
Re:This is why I will never trust cloud services (Score:5, Funny)
Nor do I, it would probably just piss me off anyway.
Re:This is why I will never trust cloud services (Score:5, Interesting)
It's not limited to IT either. A friend of mine, who works in HR, as a Temp, basically gets work handed to her that other people don't have time to do. This includes expenses, and occasionally allows her to view people's salaries, and, scarily, who's getting made redundant. She's a Temp, paid about £16k/y (having been made redundant a few years ago having been making ~22k, she took anything she could get) and has access to her superiors' and co-workers' salaries, expenses and even their original interview records.
Some would say that's just rubbing her nose in it.
But the reality is that some companies just circumvent internal rules in order to get things done.
And all this she freely shares with me as idle chatter.
Re:This is why I will never trust cloud services (Score:5, Insightful)
Not true. I have had plenty of access to such information and have always avoided looking at it. It's immoral.
Strongly agree. Plus if caught it destroys the trust that keeps them paying you, and it won't bring you happiness on any level anyway.
Anytime a person tells another person how much they get paid one of them gets very pissed off. You are better off not knowing.
Re:This is why I will never trust cloud services (Score:5, Insightful)
Sure, in the same field I can understand, I do that too....I just don't want to know that the lazy sales guy down the hall makes double what I do for taking a few phone calls. Even though I already know intuitively, and by the fact his car cost half as much as my house.
Re:This is why I will never trust cloud services (Score:4, Insightful)
If sales is so easy why don't you do it? The answer to that question is the reason why he makes more than you.
Because I have a soul that I'm not willing to compromise in order to treat other human beings as a source of revenue?
Re:This is why I will never trust cloud services (Score:5, Funny)
It all seems fair to me.
You have your soul.
He has his Bugatti Veyron.
Re:This is why I will never trust cloud services (Score:5, Insightful)
Oh come on, you know what I meant.
A good salesman has no concern for your wants or needs. His only concern is convincing you that you need something which he has for sale, often something that you never even knew you "needed" before the salesman began talking to you. They exploit weaknesses of the human condition in order to benefit themselves.
That is quite different from my paycheck. My employer has a need, and had that need before I was hired. I do not exploit my employer's weaknesses to convince them that they need to pay me.
Re:This is why I will never trust cloud services (Score:4, Insightful)
Where do you think the money that pays your paycheck comes from?
Re: (Score:3)
A good salesman builds relationships.
That's done by addressing your client's needs and wants while providing solid service. A salesman's only true asset is the relationships he has forged.
If you think sales is all about exploiting people, you won't last long.
Re:This is why I will never trust cloud services (Score:5, Insightful)
LOL, for what it's worth, most of my salary comes from small business research grants. But I still don't see what you're trying to get at. I'm not the salesman, because I can't tell people they need something when they don't.
I actually worked at a brick-and-mortar retail store for a while, and my managers hated me, because even though I had a great deal of knowledge about all of the products, I would only ever sell the customer exactly what they asked me for, nothing more. My hours were eventually reduced to one day per week, in effect forcing me to quit as there was no way I could make what I needed to make.
Perhaps you're claiming that my soul is compromised anyway, because I might collect paychecks that are somehow derived from soul-less sales associates? That still seems like a red herring, though. My job is to make things that people might want. Sales' job is to get those products into customers' hands. And I don't care if someone in sales makes more than me, because I don't have to treat people like they aren't human beings in order to do my job.
Re:This is why I will never trust cloud services (Score:5, Insightful)
I just don't want to know that the lazy sales guy down the hall makes double what I do for taking a few phone calls
If sales is so easy why don't you do it? The answer to that question is the reason why he makes more than you.
This seconded. If he makes so much money, it's either because he's raking it in on commission, in which case he's certainly earning it, or someone thinks he's worth a large retainer. If he's still there after six months or a year and still getting paid that much, guess what - apparently he is worth it.
The GP's post is just as asinine as a sales guy who wonders why IT guys make so much money "just for clicking the next button every so often when they have to install software". Or "web site design? Pfft, my kid can do web site design, that's not worth $50k a year."
Re:This is why I will never trust cloud services (Score:5, Funny)
The problem with sales commissions is that sales guys never get their commissions reduced by the cost of additional support needed to fix the customer problems caused because the sales guys sold them features that don't exist. Commissions are usually based on the size of the deal, so the bigger deal is always preferable, and the aftermath becomes someone else's problem. (Usually those guys "just clicking buttons").
If software sales techniques were applied elsewhere:
Customer: I want a car.
Salesguy: Sure. We've got cars.
C: It must be fast.
S: We have one with a 600HP motor and awesome aerodynamics.
C: It must go round corners like it's on rails.
S: We have sports suspension.
C: I need to carry my large family around.
S: Yeah, we know how to make minivans.
C: I really enjoy off-roading.
S: So you need 4WD, big wheels and high suspension. No problem.
C: I care about the environment.
S: Our engineers have made a car that gets 45mpg. No problem.
C: It must be really comfortable.
S: Leather and Luxury are what we're known for.
C: I need a lot of cargo space because I'm in construction.
S: We have pick-up trucks.
C: Oh, six vehicles? I really don't have room for six.
S: Our engineers could easily make all of that into one vehicle.
C: Really? That would be awesome. I'll take one. (Opens wallet, picture of family falls out)
S: You'll never get to drive it though - your wife will love it!
C: Good point, I'll take 2. Make hers a convertible.
S: Hey, that's a good looking family you've got there.
C: That's my daughter Kate, she's just started driving. Oh, make it 3 cars. Can I get them before her birthday next week?
S: No problem!
-------------------
Later:
S: Engineering!!!!
You never know what the IT guy is worth until you (Score:4, Interesting)
You never know what the IT guy is worth until you replace him. Preferably with someone new on the job.
And then you go and complain about schools, and ask for more H1B visa ;-)
It is also very hard for the IT guy to know what he is worth.
For the sales guy it is easy because he just adds up all money he has raked in. Probably he will even have a tendency to overestimate because he doesn't know at what cost the company is producing its goods and services.
A manager with access to financial data, knows when the company is doing well financially, and knows when his pay is tiny in comparison to the turnover of his department.
Both are obviously in a better position to negotiate, unless the IT guy analyzes the company's data, for which most IT guys neither have the time nor the desire.
75% didn't look at confidential data, and of the 25% who admitted to peeking, you don't know how much they strayed from their tasks.
Re:This is why I will never trust cloud services (Score:4, Interesting)
I disagree.... a person lacking confidence would probably be pissed no matter what and was just looking for validation. My friends and I in the same field openly discuss our wages/benefits only to know what's available out there. Am I getting screwed? Why is my pay lower? Is the grass *really* greener? No one openly gets upset with it.
You have a point. I was thinking about talking about pay with people who do a similar job in the same company. Everywhere I've ever worked pay had nothing to do with skills or work throughput but only how much you demanded when they interviewed you and how old you are. I'm really glad I became a contractor because permanent staff are just abused.
Re:This is why I will never trust cloud services (Score:5, Insightful)
Yeah I think the headline is a bit lame. It should read "most IT pros don't look at confidential info". I don't really have any interest in looking at confidential files when it's not required for the job. I also just have a personal sense of morality and honour that makes me want to live up to the responsibility that I have being able to do anything I want on the network.
Let some "normal" users know that they have full admin access for the whole network for the day and see if 75% of them can resist having a peek around.
Re: (Score:3)
This from the land where everyone wears their pants on the outside.
Re:This is why I will never trust cloud services (Score:5, Insightful)
You might be better off not knowing what the guy in the next cube gets paid, but you're probably much better off knowing what the reasonable salary range for the job you do is. If you're towards the top and getting tiny raises, you can be comforted knowing it's not because you're not respected, but because you're already well compensated. If you're towards the bottom and are actually good at what you do, perhaps you should be pushing for that raise or looking for an exit.
Re:This is why I will never trust cloud services (Score:4, Informative)
The guy in the cube next to me made substantially more than me. We did the same job, worked on the same code, similar education, probably equally valued by the company... After the office was closed down by head office, I asked my ex-manager, wtfup with the salary inequity? His response was "You were paid less because Corporate deemed you less of a flight-risk."
It's not about value, talent, experience, etc. It's about how little can they pay you and still keep you around.
Re:This is why I will never trust cloud services (Score:4, Insightful)
The whole fucking point of the free market is informed actors making rational decisions.
--Jeremy
Re:This is why I will never trust cloud services (Score:5, Interesting)
And right there is the fundamental flaw. Most people don't make rational decisions, even if they have all the necessary information (which they almost never do). It is for that reason that "free markets" as espoused by most proponents of free markets are unrealistic. Free markets are an ideal that should guide your regulation of the markets, but the markets can never really be free.
Re:This is why I will never trust cloud services (Score:5, Insightful)
We are quickly finding ourselves in a society where we lack an absolute morality authority. Therefore what is immoral for you may or may not be immoral to others. In other words, we are reaping the fruits of a society where all ideas are given equal worth. Where we are not to condemn someone because what they do is right from their point of view.
Re:This is why I will never trust cloud services (Score:5, Insightful)
I disagree. I don't think the problem is a lack of moral authority, but that people's decision making is based on risk/reward, of which morality is but one aspect. The risk of dying will usually outweigh the intrinsic reward of being moral, for example. So when there's little or no risk of being caught, it boils down to whether it's more intrinsically rewarding to adhere to your morals or to satisfy your curiosity, or even to leverage your ill-gotten knowledge for your advantage. To solve that problem, you have to either entrust the people with access to the information (which makes sense to me), or somehow shift the risk/reward balance.
Re:This is why I will never trust cloud services (Score:5, Insightful)
Indeed. What's more, it is easily demonstrated that those who are least inhibited by their morals get the farthest, the most, the biggest, the best of whatever.
I'm with all the moralists out there personally. I know there are things I'm better off not knowing and prefer to leave it at that. But I also see who gets 'more' or 'better' and why. And those are the very same people with morality issues and are more capable than I am of doing immoral things. Another commenter on this general thread points out there are lying company leaders cutting back and capping salary increases while they continue to pay themselves increasing amounts and tell the company personnel they are in "hard times." These *ARE* immoral people and are shining examples of what I am talking about.
But you have to be more than immoral to get ahead... you also have to be clever enough not to let anyone know what you know and how to put that knowledge to good use. You have to be a really good sociopath to really get ahead in a meaningful way.
Re: (Score:3)
The rules of acquisition are the only rational moral system. Because I say so.
Re: (Score:3)
Well, I would argue that we are genetically coded with morals built in. But you are correct it is not a question with a simple answer. But to offer my own personal opinion.
- No, all life is sacred and all people have the chance of redemption. Whether they accept it or not is part of their free will, but I shouldn't make that choice for them.
- Yes and No. Should the government prevent such a union between consenting adults? No. Should the government be interfering in someone's religious beliefs of m
Re:This is why I will never trust cloud services (Score:5, Insightful)
have always avoided looking at it. It's immoral.
Luckily most agree with you.. but it only takes one to steal your personal information.
Re: (Score:3)
Not true. I have had plenty of access to such information and have always avoided looking at it. It's immoral.
I'm in the same situation. I dunno about immoral, but it's definitely unethical, not to mention, snooping could land me in serious legal trouble to boot.
I'm sure there are people who do this though, probably those of the "gossip" mindset who just have to nose into everything and everyone's business. That's just not my thing, don't care.
Re:This is why I will never trust cloud services (Score:5, Insightful)
+1.
The only time I've looked at such information was when it was in a database I was required to work on and seeing it was simply unavoidable. It was one of those prepackaged deals where you can't select just the fields you want, you see it all. In other words, not what most of you would call a database, but a non-IT pro friendly consumer package. Not my choice. Anyway, I saw the data and never breathed a word of it to anyone.
It's simple ethics. It's also worth noting that 26% of people doing it means 74% aren't. Ethics aren't dead.
Re:This is why I will never trust cloud services (Score:5, Interesting)
Agreed, and would like to add spam filtering to the pile. Training the filters effectively (to weed out false positives, catch the sneakier spam, etc) means seeing practically everyone's inbound emails until the initial tuning is done, and once in a great while after that for maintenance and upkeep. You just maintain the confidentiality required to know that yeah it's ugly and it's in there, but it's nobody's business. I only interacted with these mails enough to make my job more effective, and after that it all got forgotten and ignored.
Doing this helped me better tune the filters to block the political crap (DU, Limbaugh, etc) while at the same time allowing exceptions for a couple of execs in the company who actually did lobby in Washington DC, the state capital, etc. It allowed me to block the dating site and sex site emails (you'd be amazed unless you're an email admin, in which case you'd probably know already) while at the same time allowing the usual spousal romantic emails.
I didn't give a damn about the messages - I was in there to analyze content in order to catch spammers. The result was a happier group of employees who rarely if ever saw any spam, but at the same time could do most things within reason and company policy (it was fairly loose) and not lose any email.
I considered the whole thing subject to the same confidentiality restrictions as a doctor - yeah, you see the naughty bits in the full glory, but so what? You've got a job to do, so there's no real time or cause for you to be titillated, angry, outraged, or whatever. If you are, there'd better be a cause to inform the corp legal department and then the cops, because otherwise you're obviously not doing your job.
All said and done, at least in this aspect the AUP covers it perfectly - expect the contents of any email or data on the company wires to be seen by anyone. Of course that doesn't mean you get to go snooping around - violating trust is a great way to obliterate a career. OTOH, don't expect it to remain a perfect secret, either, because not all of us are going to be as professional about it.
Cloud services are a fad (Score:3)
And this is probably the sort of attitude we should be adopting. IT sort of has the back door keys to everything, since we are the people who write the code and maintain the servers.
On the flip side, one could also assume that the boss's secretary now has less access to this same privileged information, so the number of peeking eyes hasn't increased, but simply changed departments.
Re: (Score:3)
Some don't. Doesn't make for much of a story though that.
Re: (Score:2)
That's a bit different; if the owner or boss wants you to look at an email on *their system* it's authorized. I have had to do this & while I told them I wasn't comfortable doing it, I did it anyway. What I haven't done is do that without authorization - as others have said, it's not right.
Re: (Score:2)
That's a bit different; if the owner or boss wants you to look at an email on *their system* it's authorized. I have had to do this & while I told them I wasn't comfortable doing it, I did it anyway. What I haven't done is do that without authorization - as others have said, it's not right.
That is highly questionable. You don't ignore your duty to the law or to what you know to be right just because your boss tells you to. Or rather you shouldn't.
Re:This is why I will never trust cloud services (Score:5, Interesting)
Right. You should come home to your wife and tell her "I quit my job because my boss wanted me to do something unethical. I know you're pregnant and we just bought a house, but you know, ethics is everything. Now pack your bags, there's a nice bridge down the highway under which there is a patch of grass that'll be nice for us."
Re: (Score:2)
And yet even most Slashdotters think it's perfectly fine to trust everything you have with Google - your search queries, your personal emails, your calls, your contacts, your social network, what you watch on YouTube, what you listen to, where you walk and go (Android) and everything else.
I know I do! At least up until that "and everything else".
I agree more people need to be aware of this and make a decision as to whether they are fine with it. Personally I assume everything you list can be observed by any number of people and have made a mostly informed decision that I really don't care. Anything I _don't_ want people snooping into stays on my encrypted drives in my local machines.. or if it does go out on the net, is in an encrypted container.
Re: (Score:3)
This same argument applies to your own IT department though. I'm really not sure which is a greater abuse.
The local IT admin can snoop your data. I suppose the Google employees can do it too. However, I'd imagine the local IT admin would probably have more incentive to look me up. To Google employees, I'm anonymous.
Then there's the issue of trust and security and process. Most of the 'cloud' companies have the money to spend on security and process and guarantees. They also fear potential lawsuits.
Whi
"not interested" (Score:3)
"There's a whole bunch of trust involved. There's a lot of data inside Google, and I'm willing to bet some of it is really valuable. But for me and the people I worked with, it was never worth looking at."
People joke with me that I must be reading their email. I tell them I have enough trouble keeping up with my own email, and besides that, we NEVER read user's mail unless it's specifically necessary to troubleshoot something relating to their account.
What the hell is with Slashdot lately? Did the sy
Re: (Score:3)
What the hell is with Slashdot lately?
The thing is that everything in the story is true. Yes, there are admins abusing their privileges. Do you really doubt it? I mean, come on, look around.
And those guys do taint the perception of the population toward us. And that's life, and there is nothing anyone can do about it.
Being aware helps explain this perception, and it's a good thing to keep in mind.
Re: (Score:3)
You should read "Scroogled" by Cory Doctorow ... http://blogoscoped.com/archive/2007-09-17-n72.html [blogoscoped.com]
I Am a Sick Sick Man (Score:5, Funny)
The United States' cultural suppression of natural and healthy sexuality just makes me ill sometimes.
Only on Slashdot (Score:5, Funny)
50% Informative
30% Overrated
20% Funny
Where a joke post about masturbating to scads of personal data results in your peers moderating you "informative."
Re:Only on Slashdot (Score:4, Funny)
It was "informative". Perhaps a little too informative, granted, but the slashdot moderation system only had a small set of choices...
Only 26%? (Score:3, Interesting)
Re: (Score:3, Funny)
Read the full sentence: Only 26% admit. The other 74% deny everything :)
Re: (Score:3)
Read the full sentence: Only 26% admit. The other 74% deny everything :)
Fair point. I know people who I know have peeked. I once put a (I'm such an awful stinker) hook into a program where a certain person was looked up on a certain workstation and it flashed an alarming notice, effectively the user was caught and authorities were being notified. It scared the heck out of the perpetrator (she had a crush on someone and kept bringing up his personal record) and put an end to the behavior. Nobody was harmed or fired over this, ounce of prevention was effective enough.
Re: (Score:3)
I find that hard to believe. I would have put it well above 50. Years back I ran an MDaemon mail server and let users have the IM client. Was pretty interesting reading, to say the least.
You sir, are a sleazebag.
If you want to know who is having an affair with whom just look for correlation in holidays and sick leave, you don't need to abuse the IT systems. You should be spending your time doing your job though, or trolling /. obviously.
Bad setup (Score:5, Insightful)
If your IT/Security staff can rifle through your sensitive data, you're doing it wrong.
I have no ability to access the data in our HR or Financial systems. Only the HR and Financial folks do. *MAYBE* the DBAs could look at that data, but even if so they'd have to sift through the raw data or come up with their own queries. And I'm pretty sure a lot of that information is encrypted.
Re:Bad setup (Score:5, Informative)
^This
The security team should be setting policy and doing audits, not being "the privileged ones"!
Re: (Score:2)
If you are in security and serious about it, then you probably can get access to most systems in your company that you care about. Probably also know how not to get caught. Especially for smaller or less technical organizations.
But, paraphrasing from the BOFH, we have the internet with all the knowledge, pornography, movies, music in the world. Do you really think I'd spend my time going through some accountant's email?
Encryption... (Score:3)
I'm pretty sure a lot of that information is encrypted.
Given the popularity of identity-based encryption, it is possible that IT staff have access to data that was encrypted, since they probably control the key generation service. Where I am now, secret keys are issued by IT staff and we do not even use IBE. It is unfortunate, but for most people setting up, maintaining, and using decentralized cryptosystems is beyond what they are technically capable of or willing to do.
Not feasible for most businesses. (Score:5, Insightful)
I'm not saying that what you say is impossible, but it is not very feasible unless you have a very special setup which few companies actually have. In most cases, someone ultimately has the keys to the kingdom. The best most can do is restrict this to as few as possible.
Encrypted DB's won't stop a DBA. The reason is that if you fire an employee, someone has to revoke keys and assign new ones. Someone with the authority to revoke and assign keys can view anything they want, anytime they want.
The only method that is possible is where 2 or more people are needed to use their key to access the information. If you have 3 security IT people, you need to create a situation where at least 2 are needed to unlock something.
And let's not overlook the fact that such systems are not usually set up and audited by a 3rd party.
It's not that they are doing it wrong, it's that without a 3rd party setting up the system you can't have that kind of security at all. The best setup would even require that a 3rd party become the key authority, yet have no direct access to company data whatsoever, and only hand over keys directly to the personnel they are assigned to.
Still, does this stop a determined administrator who disables AV and installs a key logger on a workstation? No. Granted, that's probably criminal, and at least the 3rd party + dual key authentication system stops casual data breaches.
Most businesses don't have a budget for such things. They take the view, and I'm inclined to agree, that if you don't trust staff who have high level access, you shouldn't have hired them in the first place. As someone who people bring in personal laptops in to fix on occasion, most users are aware that I can see everything on their machine. It's not that I can look that worries them, but that I'll keep my mouth shut if I do happen to see something. I was told in no uncertain terms recently, that a laptop was brimming with porn. But, they trusted that I would not be sending out a company memo entitled, "Looky what I found on X's laptop!"
Businesses often feel the same way. Casual breaches do happen as part of authorized work. For instance, if a payroll file becomes corrupted, I'd have to look at the file. They just want you to shut up about what you see and/or forget what you saw. That's what they mean by trusted. Like any trusted friend, it's not about what secrets you know, but what secrets you can be relied upon to keep.
Re: (Score:3)
Security, always makes me laugh ...
Is your building secure? Well I suspect you have these people who can wander in any time, even when no-one else is around, and have complete access and keys to all parts of the building, .... they are called cleaners and probably are on minimum wage
The company who runs your security system can probably bypass it anytime they want to, and enter the building undetected
and you worry about your own vetted employees ...?
Facebook (Score:5, Interesting)
I recall reading an article that said that all of Facebook's (then) hundreds of programmers all have full access to the live system data. Especially on top of the announcement that they want to double their employees in the next year or whatever, it sort of makes it hopeless to expect any sort of privacy there if anyone actually gets interested in you.
G.
Re:Facebook (Score:5, Insightful)
I recall reading an article that said that all of Facebook's (then) hundreds of programmers all have full access to the live system data. Especially on top of the announcement that they want to double their employees in the next year or whatever, it sort of makes it hopeless to expect any sort of privacy there if anyone actually gets interested in you.
Facebook is and always has been a privacy disaster.
Kinda like Santa, then... (Score:2)
Loose Controls and too many admins (Score:5, Insightful)
red button (Score:3, Funny)
don't forget there are IT guys outside the corporate world:
http://xkcd.com/898/
3 out of 4 were trustworthy (Score:2)
It seems like the majority of the people could actually be trusted. So the solution to a problem like this is to restrict the access of the other 26%, reassign them, or fire them. (That's not precisely what the survey in TFA said about the percentages, but the point is still the same.)
Re: (Score:3)
You want to fire the ones who told the truth?
Remember, this was a survey. 26% admitted they snooped. The other 74% denied it.
Conning the conmen (Score:2)
However, what they don't count on is that the hapless H-1b IT guy is actually
One thing to look... (Score:4, Insightful)
It's one thing to peek, which is bad...
It's quite another to share it, through gossip, careless revelation or horrors passing on to nefarious individuals with criminal intent in their black hearts.
This report brought to you by... (Score:5, Insightful)
Lieberman Software, a security and identification software vendor.
Yeah. Sounds like a completely scientific report with no bias to me.
analog example (Score:3)
I've never had the interest + time to go snooping. But early in my career I used my "privileged" position as the company PC tech, to look at a document that one of the executive admin assistants had neglected to put away when I came to install some software on her computer. As I swapped disks my eyes wandered and I saw this list of people, all of whom had recently been laid off, except for a few names at the bottom that had a line through them. Mine was one of those. I started looking for a new job at that point.
Not shocked (Score:5, Insightful)
I work in healthcare IT, and my mother was an X-Ray tech for years, until about 15 years ago.
Even back when she was in the hospital, she saw people getting slapped and fired for it. Whenever someone famous came in, Princess Di was one of the big ones that I heard of, someone would go look up that person's info who shouldn't have, and of course, for famous people they would audit, and people got caught.
Now? Now you get flagged for all manner of things (I don't know exactly what, but it is well known that it includes looking up family members or people living on your own street etc) and it's automatic. We have training on "Ethical Standards" every year, which talks about all of these records access issues. Still... I hear the single most common reason for anyone at the hospital getting fired is.... you guessed it.... inappropriate records access.
Here in MA they have the "CORI" system for doing criminal records checks. You are supposed to need consent to search it for someone's info...unless you are a police officer doing his job or that sort of thing. Some auditing was done a while back and they found absolutely RAMPANT abuse. Police looking up their neighbors, looking up spouses, ex-girlfriends etc. (this was several years back... no idea if anything came of it...can't find any articles on it anymore)
The problem is a very human one.
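The automatic flagging described in the comment above (relatives, neighbours, famous patients) can be sketched as a few rules run over an access log. This is an added example, not part of the thread and not any hospital's actual system; the data, rule names, and the assumption that a documented care assignment clears an access are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Person:
    surname: str
    street: str
    vip: bool = False

# Constructed sample data, not from any real system.
STAFF = {"s1": Person("Nguyen", "12 Elm St"), "s2": Person("Okafor", "4 Mill Rd")}
PATIENTS = {
    "p1": Person("Nguyen", "90 Oak Ave"),           # shares a surname with s1
    "p2": Person("Baker", "7 Mill Rd"),             # lives on the same street as s2
    "p3": Person("Hart", "1 Palace Gdns", vip=True),
    "p4": Person("Lopez", "33 Pine Ct"),
}
CARE_ASSIGNMENTS = {("s1", "p4"), ("s2", "p3")}     # documented treatment relationships
ACCESS_LOG = [  # (timestamp, staff id, patient id)
    ("2024-01-05T09:12", "s1", "p4"),
    ("2024-01-05T09:40", "s1", "p1"),
    ("2024-01-05T10:02", "s2", "p2"),
    ("2024-01-05T10:30", "s1", "p3"),
    ("2024-01-05T11:15", "s2", "p3"),
]

def street_name(address: str) -> str:
    """Drop a leading house number so '4 Mill Rd' and '7 Mill Rd' compare equal."""
    head, _, rest = address.partition(" ")
    return (rest if head.isdigit() else address).casefold()

def review_flags(log, staff, patients, assignments):
    """Return (timestamp, staff, patient, reasons) for accesses needing human review."""
    findings = []
    for ts, sid, pid in log:
        if (sid, pid) in assignments:
            continue  # assumption: a documented care relationship clears the access
        s, p = staff[sid], patients[pid]
        checks = {
            "SAME_SURNAME": s.surname.casefold() == p.surname.casefold(),
            "SAME_STREET": street_name(s.street) == street_name(p.street),
            "VIP_NO_CARE_RELATIONSHIP": p.vip,
        }
        reasons = [name for name, hit in checks.items() if hit]
        if reasons:
            findings.append((ts, sid, pid, reasons))
    return findings

if __name__ == "__main__":
    print(*review_flags(ACCESS_LOG, STAFF, PATIENTS, CARE_ASSIGNMENTS), sep="\n")
```

A surname or street match is only a lead for a reviewer, since unrelated people share both; the flags queue an access for human review rather than prove misuse.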
Yes we can (Score:2)
I don't snoop (Score:2)
News just in 1 in 4 IT people knows no IT (Score:2)
and they lie on surveys and in interviews!
Seriously though - I've got plenty of chances. I could get so much information from some places that I could likely walk into a very comfortable position elsewhere, but I have no want to. This company treats me well, they gave me a job when no one else would, and I'm happy here.
Just follow management's leadership (Score:3)
Just follow management's leadership, as in many other things.
If you work for a place where morals and ethics are #1 above all else, then follow their lead.
If you work for a place where the almighty dollar is #1 and morals and ethics are for suckers and fools (most corporations), then follow their lead.
Whatever you do, don't get caught doing something you'd not want to be on the evening news.
Note that it's a lot like having a police scanner or listening to mobile phone calls, or intercept pocsag digital pagers. Sounds technologically fascinating. It, in fact, IS technologically fascinating. Then you get the ability to do so, and it is boring beyond belief. Gossip monger types are always going to be gossip monger types and the addition or removal of technology will not change them. "Golly, person A is having an affair with person B, using some high tech pager or whatever". Ditto the non gossip monger types are not going to be very interested, beyond the interesting nature of the new technology itself. "Golly, this 8 bit A/D decoder sure works a heck of a lot better on noisy signals than a 1-bit data slicer for pocsag decoding, look at the borderline SNR on this page about some dork's affair or whatever."
I worked at a place decades ago where part of the job was to monitor old fashioned PCM T1 analog phone lines on occasion. Signed lots of secrecy papers to do it. Sounded cool, before I had to do it. It was boring as hell, trust me. I kind of miss listening for slips and echo can malfunctions in this VOIP era. Another funny one was listening for ulaw vs alaw encoding malfunctions on international ckts. And verbal fighting with vendors who couldn't understand the 80 different types of E+M signalling. Good times, I guess, but not from listening to boring phone calls.
I tried to avoid it (Score:3)
I tried to avoid looking at that kind of information when I had that kind of access. Firstly, I was usually too busy. I had plenty of authorized work to deal with, and if I had free time I had plenty of personal projects that didn't involve digging through the data. Second, it usually wasn't worth it. I've had to do plenty of company-ordered digging through people's accounts, and the interesting stuff just isn't worth digging through the weapons-grade "I did not need to know that..." material. And thirdly, it again wasn't worth it. I don't like to lie to conceal what I know, and for every useful item that directly affected me there were dozens of things that either weren't useful (I already knew my manager made twice what I did, knowing he makes exactly 2.13x as much... pfffft) or didn't affect me. It was easier overall if I honestly didn't know those things in the first place.
The dirty little secret is that most of the time everyone knows who's doing the unauthorized snooping. But management won't order an investigation because they're under the delusion that what they don't officially know about can't hurt the company. And besides the inevitable need to bleach their brains afterwards, all the front-line admins know that if they go initiating an investigation management will come down on them if they find anything. Even if the investigation was fully justified. Whatever it is needs to be pretty major to be worth the drama, angst and pain that'll result. And I don't see management's attitudes changing any time soon.
Nuclear War (Score:5, Funny)
That's why I think nuclear armageddon won't be started by heads of state and their military advisors, but by some disrespected IT guy who constantly has to reset the passwords to the launch codes.
I call "bullshit". (Score:4, Interesting)
Net-security.org, for their part, are only inflaming matters further by restating things in an even more inflammatory manner.
Basically, you need to ask something that this article neglects to question: Did 26% of the respondents merely say they were aware of other employees *using* the shared passwords, or did it specifically detail abuse of a shared password to gain unauthorized access to information that ethically-speaking, they shouldn't be going anywhere near. Both of those cases are considered felonies, by the way. It's very easy for someone to argue that *any* shared password use is an "abuse" and that any information access from that point is "illicit"--but without knowing specifically what question was asked, these "results" are more likely just a distortion of fact in order to sell products and services.
I am personally aware of shared passwords in many organizations. I am also occasionally privy to information I shouldn't be--specifically, people's emails. The key difference being, I *don't want to know*. I, and thousands of admins like me, wind up seeing your boring little emails while trying to figure out why they didn't arrive in your inbox already. Over time, we develop the ability to be self-redacting and immediately forget what was just on our screens--because not being able to do that means being burdened with other people's secrets that you'd feel better not knowing. This is a far, far cry from the sort of "abuse" this report pretends to show, but vendors loooove to construe one as the other in order to sell service contracts.
Frankly, this doesn't sound any more realistic than the old one about employees giving up their passwords for a candy bar. What you don't get told about those is that the employees are usually being told they have to give their password up to their immediate supervisor, and not being given any guidance as to why they're being directly ordered to violate company policy. In most offices, people who ignore direct orders being given by a live person over something written on a policy paper tend to suffer bouts of sudden and chronic unemployment--so... plenty of reason to "violate policy" there, normally "secure" employees are going to capitulate for that kind of request. Then the people doing the "analysis" stand around later and say "oh my gosh people give up their passwords for no reason!". I've personally been given such a request in the past, and frankly since I was being directly instructed to do so, I turned over a hand-written copy of my password on the form provided...or at least, what my password was at that specific moment in time. Since I'm a twisted bastard I made up a new password just for them, set it in the system and then filled in the blank.
Don't be a gullible noob. Trust no "survey" coming from a vendor selling a related product unless you are being shown the exact details of the survey--because they're going to lie about it. Of that you can be sure.
This is news ? (Score:5, Interesting)
The switchboard was listening in to calls 100 years ago. The mail room was looking at letters 150 years ago. Heck, I'm sure the equivalent was going on in ancient Sumer (sneaking a peek in those sealed clay tablets). "The help" is always going to eavesdrop. Not all of them, not all the time, but it happens.
Naive (Score:3)
This might sound a little naive, but if I don't have any interaction with the people looking at my stuff, I don't care that much. Obviously the amount I care will slide depending on what the material is, but in general, I don't really care.
That said, if they look intentionally, they should be fired. There is no excuse, they are breaking a code of trust, and are obviously too immature to handle the position they are in.
The worst job I have ever had... (Score:4, Interesting)
... was combing through the new server-side SPAM filter to look for false positives and forward "legitimate" email to the rightful owners. I saw racist jokes sent between executives and their buddies, wives & girlfriends talking dirty and scheduling "play dates", job hunting employees, back-stabbing gossip and internal/external confidential information. Payroll information would have been the least of the issues...
In contrast to what .. (Score:3)
Management has access to this information as well and no one can complain.
Doesn't even have to be computer systems (Score:3)
Re: (Score:2)
Then you haven't done anything past helpdesk. From about a month after I started doing desktop support back in the 90s I'd come across confidential information, I signed confidentiality forms and as far as I'm concerned it's a done deal. Now that I'm in a job where I'm the desktop, network and database administrator I see and have to deal with confidential data every day.
I just don't care, it's all data to be backed up, moved, restored, whatever.
Re:Been a IT Pro for 15 Years (Score:5, Funny)
When I worked for my college's CompSci department, my coworkers and I were responsible for the incremental backups.
One day, we got a call from a professor who accidentally deleted a bunch of data, totaling several gigs. When we restored the data, it turned out it was his pr0n folder. We never let him forget that we can see his data.
I got A's in my programming classes after that...
Re: (Score:3)
I'm not saying your story isn't true. I'm not even saying that it isn't likely. Just that if it is true, that college has bigger problems on its hands than a professor that likes internet porn.
Re: (Score:2)
To simply access it breaks data protection laws in the UK at least.
If you shouldn't be accessing it, you need to be wondering why your security measures don't STOP you accessing it, at least without leaving a nice trail of what you've been accessing.
Of course, real world, etc means I have my CTO phone me, give me his passwords for his personal files on the file server and tell me to read off various bits to him. In this case it was a harmless (unpassworded) document with a list of names on it, but this kind
Re: (Score:2)
Geeks are scum
Harsh but a fair point. It's true because geeks are people and people often behave like scum.
Re: (Score:2)
All our salary data is public knowledge anyway:
http://www.tbs-sct.gc.ca/pubs_pol/hrpubs/coll_agre/pa/pa08-eng.asp
Salary, yes, birthdate, actual gender (for those you don't know) home address, phone numbers, dependents, etc. are not public knowledge.
I once worked in a payroll department, overseeing annual disbursement of over $1 billion. Lots of sensitive information there and a lot of care goes into ensuring it stays private.
Re: (Score:3)
I have NEVER met a CTO/CIO at a large corporation that knew anything at all about computers, the last one I observed needed help in launching a PowerPoint presentation... I turned to the guy sitting next to me and asked.... really? this is your CTO?
Maybe a 3 person shop that incorporated and they decided to make the IT guy CTO... they would actually know something. Just read CTO magazine, if that is how those guys think and if any of them take any of the BS in that rag seriously, the average CTO is
Re: (Score:3)
I think you have a very blinkered, and quite probably completely false, opinion based on a single example/incident. The chances of someone in IT *bothering* to monitor your credit card like that are virtually zero anyway (that's what SSL is for, you know) and I've known dozens of people who SWEAR there's no way anyone could have got their info that have been charged fraudulently. Anyone with brain enough to intercept your card number in any way (whether by scraping it en-route via an intermediate SSL cert