Do IT Pros Abuse Their Power?
Posted by Soulskill from the hahahaha-yes dept.
An anonymous reader writes "I have noticed that many airports and hospitals I've visited have some kind of internet usage policy in place. Some use software similar to Websense, which effectively blocks sites based on blacklisting them by category. A commonly used blacklist prevents users from accessing 'forums or discussion boards,' yet I find that often these networks allow users to access sites like Fark, Slashdot, Digg and other message boards that appeal to the technical culture one might find in the IT world. In your experience, do IT administrators abuse their supervisory powers? Has there ever been a backlash from users or management for doing so?"
Re:Do power users abuse their IT knowledge? (Score:1, Informative)
Aye. I run our network, restrict what the bosses tell me to, but ignore the restrictions when it comes to myself. SSH tunnel to my home network, route all DNS requests through there as well, and turn on FoxyProxy in Firefox. Yes, I use it to do a little slacking off here and there, but in my defense it's also the easiest way to create exceptions when our restrictions get in the way of me getting work done.
Dealing with Blocked Websites... (Score:4, Informative)
Greetings and Salutations.
Perhaps the better questions are "why ARE some websites blocked? and WHO makes that decision?" I administer web access for a client or two, and, the decision to block given websites comes from upper level management, usually NOT the IT command structure. In a business, there is an almost paranoid fear that the employees are sitting around surfing the Net instead of doing work to make money for the company. Any blocking seems focused at keeping that from happening.
Alternatively, I go and sit at Panera Bread (a great place for good pastries, and excellent, light lunch sandwiches and such by the by...) on occasion, and have found a few websites that would not come up because they were blocked. However, it appeared that this was because the company providing the blocking had mis-categorized them, and, once I sent a note in about the site, they ended up being unblocked. But then, if I were going to surf porn sites I would NOT be doing it in a public place like that....
So, I suppose there are cases where IT admins abuse their powers and block sites that should be available...but I have not run into them. Amazingly enough BOFHs are human too, and, some of them ARE little Herberts....control freaks and generally annoying people. The rest of us are all genial and fun folks with a slightly twisted sense of humor.
Regards
Dave Mundt
Re:Do power users abuse their IT knowledge? (Score:2, Informative)
FTP is left wide open because the IT department uses it for any sort of file transfer, as well as the fact that they heavily rely on Websense, and its default behaviour towards FTP is to allow all incoming and outgoing connections on that port.
Re:New around here? (Score:5, Informative)
e.g. the BOFH substitutes some images, and/or inserts a rather loud audioclip.
Go figure out the details yourself.
Even if you use SSL, the BOFH probably controls what CA certs are installed in your browser
Re:Do power users abuse their IT knowledge? (Score:2, Informative)
I don't understand why people always try to "get around" these restrictions. If there is a legitimate business need, then get it approved. These preventions are put in place for a reason. The more open the network, the more risk. The more risk means more viruses, trojans, botnets, data leakage, etc. IT then has to clean up your mess.
Partially right. The problem is, that in many larger organisations the 'legitimate business need --> approval' process does not scale well with regard to the time required to get the approval. So even if you do have a legitimate business need, waiting for the approval might still keep you from getting your job done. Multiply this by say ... 2,000 people waiting 10 days to get an approval for something. This will cost you real money.
It seems to be difficult to balance these things. But having a good zoning concept at hand might be of great help. It keeps the wrong people from tampering with critical resources, but it also allows employees to use necessary services e.g. SFTP. Yes, I've come across a situation where I was not allowed to get a patch from a vendor using SFTP. The idea was: SFTP may be used for stealing data. Use FTP, this is far more secure, as we can scan it with deep packet inspection.
Re:Since when.. (Score:5, Informative)
You can blame the fact that the Websense CEO is the same guy who was CEO of McAfee during the time when McAfee was known to be a piece of shit software that wasn't complete or accurate. Is it any more surprising that he's equally badly mismanaging Websense, and is selling to the same crowd with both basically?
The issue is a man named Gene Hodges [forbes.com]; the guy is a horrible CEO (and cause for many tech issues relying on anything he is a part of).
Re:New around here? (Score:2, Informative)
http://www.theregister.co.uk/2008/10/03/bofh_2008_episode_32/
Wiki-Fiddling: The Art of creating Wikipedia articles, on the fly, to back up your Story / Alibi or Invoice.
Re:Do power users abuse their IT knowledge? (Score:2, Informative)
At my place of work it takes at least a day. And it usually stays unblocked only for a few days, then it is blocked once more.
OpenVPN-over-UDP-over-IP-over-DNS (Score:5, Informative)
Do you allow DNS on your network? OpenVPN-over-UDP-over-IP-over-DNS isn't lightning fast but it does the job most of the time. It's a neat way to (ab)use commercial WiFi hotspots too. You can't stop a determined power user except maybe with a whitelist of a small set of whitelisted remote hosts.
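A defender-side check for the DNS tunnelling mentioned in the comment above, added here as an example and not part of the original thread: it flags a client that sends many long, high-entropy, unique subdomains under one parent domain. The log format, thresholds, IP addresses and domain names are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: (client_ip, queried_name). Not real traffic.
SAMPLE_LOG = (
    [("10.0.0.5", "www.example.com"), ("10.0.0.5", "mail.example.com"),
     ("10.0.0.7", "cdn.example.net")]
    + [("10.0.0.9", f"{i:04x}k3j9x0q2m5z8v1b7n4c6w0p2r5t8y1a3d6f9h.t.tunnel.example")
       for i in range(40)]
)

def entropy(s):
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parent_domain(name, levels=2):
    """Naive registered-domain guess: last `levels` labels (no public-suffix list)."""
    return ".".join(name.rstrip(".").lower().split(".")[-levels:])

def find_tunnel_suspects(log, min_unique=20, min_avg_len=30, min_entropy=3.5):
    """Return {(client, parent): stats} for pairs that look like DNS tunnelling."""
    seen = defaultdict(set)
    for client, name in log:
        parent = parent_domain(name)
        # Everything left of the parent domain is where tunnelled data would sit.
        sub = name.rstrip(".").lower()[: -len(parent)].rstrip(".")
        if sub:
            seen[(client, parent)].add(sub)
    suspects = {}
    for key, subs in seen.items():
        avg_len = sum(map(len, subs)) / len(subs)
        avg_ent = sum(entropy(s.replace(".", "")) for s in subs) / len(subs)
        # All three signals must fire: volume, length and randomness.
        if len(subs) >= min_unique and avg_len >= min_avg_len and avg_ent >= min_entropy:
            suspects[key] = {"unique": len(subs), "avg_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2)}
    return suspects

if __name__ == "__main__":
    for (client, parent), stats in find_tunnel_suspects(SAMPLE_LOG).items():
        print(client, parent, stats)
```

Thresholds need tuning against a baseline of normal traffic, since CDNs and some security products also generate long random-looking labels.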
That's business (Score:5, Informative)
In my experience the IT dept generally has rules for other people and rules for themselves. They "know what they are doing" while everybody else "can't be trusted". Their login for general usage is full administrator and bypasses websense, while I am barred from sites "listed as general business" (only sites pre-approved by IT are allowed, which they make very clear they do not do because they don't want people asking them all the time). Our email attachment limits are 2mb ("it takes up space on the server") and FTP is outright barred - even though one time it was the only way for a client to send me files IT wouldn't do it, so I went home and put it onto a USB stick.
They install whatever they like, including such productivity tools as BBC news sports tickers. Despite pretty much being able to do everything on their work-paid cell phone, not having to multi-task or whatever they have brand-new machines. When another member of staff requires a new PC, they get an IT staff's PC and IT get a new PC. Despite the general staff doing work where screen real estate is highly productive, their monitors are 15" and 17" while IT and managers have 19" (although they were quite savvy and gave the partners 21"; monitors are the new bigger desk and chair). In my job where we do quite a lot of printing, speed and quality are important, IT also have the best printer - yet it took a week for them to notice when I unplugged it one Friday night.
IT is all about convenience for IT. All our productivity stuff, which at any given moment 99% of staff is running at any given moment, is quite server intensive. They're all on the same server, while low-intensity stuff rarely used has three idle servers all to itself. I spend a significant portion of my time waiting for the server to respond. It's quite embarrassing when a client turns up asking for a simple copy of a report in a hurry and it takes me 10 minutes, they think I must have forgotten so they ask reception to call up and remind me they're late for their meeting. I pointed out once that the servers could be rebalanced to distribute the load but was told "that would be too much hassle".
All the procedures are laughable. Despite almost completely phasing paper filing out, all staff's basic logins can delete data files and all the backups are kept on a shelf on site. I could obliterate the lot in one minute of madness (probably induced by dealing with IT). It would take me longer to copy it all to a couple of USB sticks, but nobody would notice until they got the blackmail letters or it was on the news.
But let's not get all confused and think I'm bashing IT here. I can say pretty much the same thing about every single department. Like how the time it takes me to obtain new propellant pencil leads costs the firm 16x the price of the leads. If I kept one carton for work then stole the rest of the box it would be cheaper for the firm than following procedure.
As regards other managers, few have the slightest clue about IT. Those that do just work it to their advantage - they get preferential treatment so it makes them look good.
Re:Of course (Score:4, Informative)
I think you missed something. He's saying those sites are not blocked.
Simple syllogism (Score:2, Informative)
Q1: Are IT pros, in general, humans?
Q2: Do humans, in general, abuse power when they have it?
Q3: Is there some reason to believe IT pros are different from most humans in this regard?
I'm kinda curious why this question even got asked. Unless the answer to any of the above questions is anything less than as patently obvious as I think they all are, ("Yes", "Yes", and "No", for the record), simple logic would make the answer to the posted question obvious. Q1 & Q2 fall to the same simple "Socrates is mortal" syllogism, unless Q3 is assumed to also be "Yes", but why on earth would anyone think that?
Trying to ruin a presentation (Score:3, Informative)
Re:New around here? (Score:3, Informative)
Nah, that's pretty mundane these days. What TheLink was talking about is intercepting and injecting packets into the http response message from the web server.
So you think you're reading CNN, your browser thinks it's getting packets from cnn.com but a server downstairs in a locked room is injecting a The Onion story as the main headline, backed up by images from a pornographic google image search for the story keywords.
Meanwhile your boss is walking past going, "What's up?" Are you both in for a surprise..
Re:Do power users abuse their IT knowledge? (Score:3, Informative)
Some of the rules and legalities change when it's federal systems involved. If you interpret the US laws strictly, doing anything that you haven't specifically been authorized to do is considered exceeding your authorized access. Being a govt facility also means I don't have much sway in whether charges are pursued, just some discretion in what I report.
There was more to this story that I can't discuss, but this was definitely not casually accessing the internet or even just visiting inappropriate sites. It was using computers he wasn't even allowed to use, deliberately installing software, compromising the security of the local computer, attempting to defeat network protections, and attempting to use that software to enter the network from home.
Would the Feds have pressed charges if this was the only offense? Probably not. Depending on the employee it would have ranged from a minor reprimand up to a possible termination. Usually when I see inappropriate web sites or software being installed, I just discreetly let the user know that it is being monitored, why it's a problem, and it never happens again. This case was definitely much more involved than joe user thinking he knows better than the system admin and trying to remotely access his home computer.
Re: whitelist based security (Score:3, Informative)
I can see doing this for your kids, where you're trying to build a safe environment for them to web surf in. (The kidzui plug-in for Firefox is a good example.) But in a corporate environment, whitelisting seems extreme to me. I'd not only be an employee who complained, but one who would quit and seek employment elsewhere, if I was treated that way. (Do you happen to only allow outgoing phone calls to whitelisted numbers, to make sure they aren't spending time talking to someone who doesn't directly benefit the company? I recommend screening the books and newspapers they bring in, as well. Wouldn't want them to read something on their lunch break that doesn't benefit the business, would you?)
There are ways to protect a PC reasonably well from malware attacks without resorting to this.... That's just laziness on the part of I.T., really. I've done this stuff for close to 20 years, and I can only remember a total of about 3 virus infections anyone had on a PC, at any of the places I worked. Honestly, in all cases, they were easy to eradicate too. A properly configured router that blocks access on all ports except specific ones stops a lot of that junk from spreading or downloading "helper apps" that result in it completely taking over and embedding itself in a PC. Beyond that, you run good anti-virus software AND a package providing real-time malware detection and removal (commercial version of Malwarebytes might be a good recommendation here ... NOT junk like Symantec or McAfee want to sell you as an "add-on" to their main product). Lastly, you run things through a web proxy that does know how to block known IPs of sites that distribute the stuff.
As I said in another post, I'm all for blocking SOME web sites. Filter out as much porn as possible, because you really don't want a sexual harassment lawsuit over some co-worker stupidly downloading porn and making it into Windows wallpaper and offending someone, or what-not. You may want to filter known sites promoting violence and racism too. Again, it has no conceivable useful purpose in the workplace. But all in all, people DO expect to be able to use the Internet for a little bit of socializing, checking personal emails, and keeping up with news throughout the day. A happy employee is more productive, and all of this encourages them to be content.
Re:New around here? (Score:3, Informative)
SYSTEM or NETWORK SERVICE internet access (Score:1, Informative)
Blacklists are useless in security.
Even if a user collects malicious JPGs or malware non Windows Administrator can't infect the machine.
Global Blocked filters for everyone INCLUDING IT Administrators
Binary Attachments, Scripting attachments, Compressed Attachments. Office Document Files, exe files
Block Ports other than 80 or 443
Whitelist sites for specific say download.microsoft.com Compressed Attachments. Office Document Files, exe files
The further divided the better
The windows SYSTEM or NETWORK SERVICE in most cases does not need internet access Block it.
Allow authenticated user accounts to pass through web filter.
If for whatever reason a computer does become vulnerable to MS sloppy services the malicious code cannot deploy without SYSTEM or NETWORK SERVICE internet access
Re:Power Corrupts... (Score:3, Informative)
I know the guy who developed this:
http://www.web2mail.com/ [web2mail.com]
And at the time I (and others) thought 'what's the point?' - but your post clearly shows there is a need apparently.
-Jar