Do IT Pros Abuse Their Power? 460
Posted
by
Soulskill
from the hahahaha-yes dept.
from the hahahaha-yes dept.
An anonymous reader writes "I have noticed that many airports and hospitals I've visited have some kind of internet usage policy in place. Some use software similar to Websense, which effectively blocks sites based on blacklisting them by category. A commonly used blacklist prevents users from accessing 'forums or discussion boards,' yet I find that often these networks allow users to access sites like Fark, Slashdot, Digg and other message boards that appeal to the technical culture one might find in the IT world. In your experience, do IT administrators abuse their supervisory powers? Has there ever been a backlash from users or management for doing so?"
Of course (Score:5, Insightful)
Everyone Does (Score:2, Insightful)
People in every line of work take advantage however they can. Janitors, mailmen, military personnel, police, teachers, principals, street sweepers, CEOs, mechanics, and on and on. Its human nature.
IT Pros don't make policy. (Score:5, Insightful)
Policy is made by management. I don't care if you watch gay furry porn for all the three hours you spend in the Office.
I do care about the security of the network - so if you plug your private Laptop into the Office LAN, you won't get any connection because your machine won't authenticate. But i'll know exactly that you did so. And i'll call you out for it.
In all the places i've worked, WebSense etc. only worked in the VLANs for the office workers. All IT networks (as did the Exec's networks) had unrestricted internet access (they still went through a malware filtering proxy, but not content filtering). This might be different in larger organizations.
In the place i work right now, we only have a malware filter. No content filtering at all. I think it's pointless. If someone does not do his job properly, fire him. If someone does his job properly, but uses 10 minutes a day for masturbating to gay furry porn, he's still more productive than someone who takes a 10 minute smoke break every 20 minutes.
Re:Of course (Score:2, Insightful)
Maybe blocking Slashdot isn't an abuse of power. Maybe their intentions are good and they just want to prevent another stupid question from appearing in the Ask Slashdot section. They might reason, if he's smart enough to get around our filters, he probably won't ask such stupid questions. Maybe he'll even consult Google before submitting a "story". I know that last part is wishful thinking.
Ask Google: for when you have two brain cells to rub together so you know how to get good results from a search engine and want to quickly and effeciently answer your inquiry.
Ask Slashdot: for when you refuse to Ask Google, have a common-sense inquiry, or otherwise want some free attention from a bunch of strangers.
I want to see an Ask Slashdot that doesn't make me feel this way. Posted AC for a reason, so go ahead and down-mod the painful truth.
Re:Do power users abuse their IT knowledge? (Score:3, Insightful)
In a properly managed network, you won't get a direct connection to the internet AND you won't able to run any kind of SSH tunneling software.
I know most of the proxy software i use will tear down SSH sessions established through a HTTPS proxy, if you even get that far - i usually configure them to reject self signed certificates (as those would only provide a false sense of security).
I blame the boss. (Score:5, Insightful)
In my experience most draconian restrictions are imposed by Management. The technical staff is simply more empowered to work around them or ignore them.
Re:Do power users abuse their IT knowledge? (Score:1, Insightful)
Besides, SSH tunnels won't work on my network. I've got all protocols being intercepted by the proxy (including encrypted). Then an application firewall behind that to make sure the proxy is doing it's job. Social networking is blocked. End of story. And yes, management backs me.
Want to screw off at work? Get an smartphone and do it on your own device. Get a netbook with an aircard. I don't give a fsck what you do at work. It's not my job to make sure you're spending your time wisely. However, it is my job to protect our computers/network and I do that by blocking "risky" sites.
It's not IT-vs-other, it's business-vs-non (Score:4, Insightful)
Generally, they'll whitelist any site that a user can come defend as needed for work.
If there is abuse of "IT power", it's that IT passes judgment on their own staff's claim that tech-sites are needed for asking questions and finding tech solutions. But, frankly, even a very lame claim that "I need access to localchat.com to check on how other local accountants are handling the new sales tax" will get a pass, too. IT staff aren't exactly Sam Spade. So any extra blind-eyes they get to their favourite sites is pretty marginal.
The big difference is that IT staff aren't shy of asking. Other users imagine some omniscient IT that will just know they really want to chat about their cats.
we're human after all.... (Score:2, Insightful)
Who cares? Really? (Score:4, Insightful)
Does it matter, as long as they get their work done?
Really, some people are too uptight about things. The only metric should be if an employee does their job. If they do their job and do it well, who cares if they visit an amusing website for a laugh to break up an otherwise dull day?
Re:Do power users abuse their IT knowledge? (Score:5, Insightful)
I always figured my employer would be really, really pissed off if they found out I did that. At best you're pointing out a massive security hole in the network. They'd just assume I'd be running ANYTHING (kiddie porn) over the tunnel, and if anything accidentally happened, and I'd been using a "hole", I'd get in huge trouble.
Re:Do power users abuse their IT knowledge? (Score:3, Insightful)
Besides, SSH tunnels won't work on my network.
However, it is my job to protect our computers/network and I do that by blocking "risky" sites.
Good idea. I'd hate for you to accidentally get a virus when I SSH into my home machine and read my email using mutt. You'd be surprised at the number of viruses that can encode themselves in an email as a start ZMODEM trigger and get transfered through a zssh connection back to a work computer. Then all the virus has to do it wait for a double-click... ;)
No (Score:2, Insightful)
Um, most IT pros are too busy to abuse their power.
Re:Power Corrupts... (Score:5, Insightful)
Re:Do power users abuse their IT knowledge? (Score:4, Insightful)
I've worked at a few big banks, and getting sites unblocked only takes a few minutes: just a quick email to IT help saying "information on site XXX is important to our business. The block is costing us money. Please fix."
The less "reasoning" added, the better. Make it a business issue, not a free information issue.
Re:Do power users abuse their IT knowledge? (Score:5, Insightful)
Even assuming you mean "reject certificates not signed by an authority I trust", as opposed to "reject self-signed certificates", it's pretty trivial to get a certificate you'd accept. I also wonder if you allow plain HTTP connections, given your stance on certificate management. HTTP connections are less secure than HTTPS with self-signed certificates, and they don't even generate a warning in the browser -- at least a self-signed certificate would let users know their connection is unauthenticated, but plain HTTP happily transmits in the clear, without encryption or authentication, with no warnings at all. That seems like a much more likely source of false security to me.
In general, your tunnel users aren't very persistent, or you haven't noticed the ones that are -- it's not terribly difficult to setup an plain-old HTTP server and send SSH data in the body of apparently-valid HTML pages. A bit of base-64 encoding, a bit of a random real web page from the browser cache, and you'd have an awfully hard time getting a machine to determine that the web page was actually a proxy connection. It's a bit inefficient and there are TCP over TCP resend issues, but it's perfectly usable for web browsing and the like. Or assuming you just check the SSL setup but otherwise allow HTTPS traffic unchallenged through the proxy (the most typical setup for non-forging, non-plaintext proxies) you could negotiate a standard SSL session and then send raw PPP data through it, without even pretending to be a web page, or using SSH.
Or if you're really pressed for access, you can setup a DNS-based proxy and smuggle data through in perfectly valid DNS requests and responses. The size of packets is limited, but it's running over UDP so you eliminate the TCP issues, and it's virtually unmonitored at most locations, even those that consider themselves "locked down" -- when was the last time you checked your outbound DNS logs? Do you even have outbound DNS request logging? And domains are cheap -- what if I registered a few hundred and spread out my requests across those?
Or if you're willing to put up with a little latency you can use just about any messaging/discussion board to post data to a totally legitimate web page, which a remote proxy could then read and reply to, again on a legitimate web page. And of course there's email.
While it's maybe worth some effort to make data smuggling more difficult, don't fool yourself into thinking you're preventing it from happening. Adding noise to the channel only limits transfer speeds -- so long as there is any way for users to inject and retrieve data to/from the Internet, even through proxies and filters, tunneling will be possible.
Re:New around here? (Score:2, Insightful)
and I don't believe any backlash will ever occur because the users/management don't know how the network works. So its a win win situation for the IT Pros.
Management "I can't access facebook, however I noticed you can access that slashdot website of yours."
Me "Yep, because I get news about IT related stuff... facebook is just a waste of productivity time... its your policy!"
Management "oh, yeah. your right... could you add me to the list of allowed users..."
Me "Nope... policy"
Users "aaawwwwwhhh we can't access myspace!"
Me "suck it!"
Users "grumble grumble"
Either way, neither of the other two groups outside of the IT Admin team should be allowed to do anything.... extreme with the network access... and by extreme, social networking. :-)
Re:Power Corrupts... (Score:5, Insightful)
we currently have an anti-internet micromanager.
While the corporate policy is covered by an 'acceptable use' that is fairly liberal this guy equates having an idle page open equivalent to not working. To that end he's having our IT dept. provide him usage data from all employees. As a counter I developed an http over e-mail application that seems to be working quite nicely.
-nB
Re:Do power users abuse their IT knowledge? (Score:4, Insightful)
Good luck blocking SSH over DNS.
Re:Answer (Score:5, Insightful)
You work at a college and block certain "websites and services?" From the context I'm guessing it's more than simply blocking known phishing sites and the like...
If you are censoring the internet for the students of your college, then frankly I find that abhorrent. It's one thing for a company to filter the internet for their employees at work, but it's completely another to do it to students who-- besides being in an environment which should encourage exploration and allow for the making of mistakes-- may very likely live there and only have access to the internet through the school. As a college IT department, for all internets and purposes you're an ISP and with respect to student internet access you should be held to the same standards of openness and neutrality to which Comcast, Verizon and their likes are.
it depends (Score:1, Insightful)
speaking as "the IT guy" - it always depends on the companies policies and the usage of the sites/services
Let's take Facebook as an example: While it can be [used as] a powerfull business network/tool it's also a major distraction and waste of time.
Even if 90% of your FB friends are [your] business contacts it doesn't make it "legit". It's private like Gmail, Twitter, Skype and everything else
unless you're instructed to use it.
Also it's a question of productivity. You might think "Hey, I always finish projects within the dead line! Why do they care if I 'skype' with friends??"
Well, simply because you might be able to do 2 projects within the same time frame without all the distractions. (time equals money)
And from the IT's eyes it can be a pain for the network and hardware (P2P, streaming video like Youtube, and so on).
Some banks for example only forward emails up to a few 100kb. Everything above is stored locally and send at a specific time (outside business hours)
so it won't interfere with the usual business.
As for not blocking technical sites - working in the IT it's part of the job to be up to date with the latest tech, gadgets and everything related to your job.
So it doesn't really make sense blocking those resources, right? Of course there are situations where it seems unfair in your eyes but if you have a good
point about why you should be allowed to use something take the shot, talk to your supervisor and see if it get's through.
Re:Do power users abuse their IT knowledge? (Score:5, Insightful)
You aught to, especially if your previous "fix" was to block the website used for business purposes in the first place.
The role of IT is not to control information technology, metering it out to the users as the IT gods see fit. The role of IT is to support the business. That means facilitating their work as much as possible, and protecting them from the dangers they are unaware of.
Frankly, if I were your manager and you took that attitude toward your customers on a daily basis, I'd fire you.
IT departments don't make a company money. They either help them make more money by increasing productivity, or they help prevent them from losing money by protecting their information-related assets. If you are doing neither, you don't belong there.
Re:thats business (Score:2, Insightful)
Your IT department must be a bunch of jackasses in a larger corporation.
I work for a small company. Productivity is key. My job (and that of my department) is to allow other departments to be more productive.
I will try to do everything REASONABLE to fulfill those wishes. Using your Macbook at work is not reasonable, but wishing to have a mailbox quota of 5GB mails instead of 500MB is reasonable, and will be fulfilled as soon as possible.
However, more space means more cost - and upper management might not want to give me more money to buy an LTO4 drive, more space for D2D backups and more space in the Exchange servers themselves. This is something that users sometimes don't want to understand.
Re:Power Corrupts... (Score:5, Insightful)
> I have seen that "lockdown" so many times, and it never works.
It works quite well for demonstrating compliance with regulations, which is what it is for.
Re:Who cares? Really? (Score:4, Insightful)
You would hope that the only measurement is if someone is doing their job, but management is always trying to justify the amount that they are spending on staff. That means that it is not enough for the tasks that they expect done to be done, but they must also get as much work as possible out of each "unit" of staff that they are paying. If you have noticed, one of the things management loves to do is "cut costs", which means "lay off people".
The business cycle works like this. New company gets loans and venture capital. If it succeeds it gets flush with money. At that point management starts spending that money like no one's business. Each exec and manager tries to get themselves noticed by creating cool things and hiring employees to increase their empire. Efficiency is not cared about because no one cares about that in a "growth" phase. At that point, it's like management is on cocaine and their jittery fingers are poised over the "spend" button.
Eventually, this stabilizes and it becomes clear that you can't spend money like water any more. Frequently, this is some time after the company goes public. At that point, the original execs with the coke habits (real or virtual) have sold their overpriced shares and have either left or been forced out by a board that is now responsible to shareholders and the SEC. At that point, the new management, and/or the consultants that they have hired try to get a handle on the huge bloated mass of a company they have inherited, try to do something called "reaching profitability". This usually means starting to whittle down staff and make existing staff do more.
The end result is that every sort of perceived "inefficiency" is targeted, including web access. This is not to say that there is not something that needs to be done. Chances are good that a company in this position does start off with staff bloat. Of course, in the end the new management is as ham handed as the old management, just in a different direction and instead of simply trying to cut off the fat, it turns the place into a gulag.
The sad thing is that many of these blanket solutions are used instead of the more valid and useful method of creating and refining cost allocation models. Much like the "mass layoff", it seems that those sorts of solutions exist to create drama for something like instilling obedience or impressing the market to improve share price.
In the end, either due to the unrecoverable status of the initial bloat, or the fact that the place is now a gulag (or outsourced), the company will fail unless it really does have a unique product that can survive that process. Welcome to the 21st Century.
The moral of the story is: don't become personally invested in places that bother to heavily restrict your web access other than for strictly security reasons. You can work at them, but they are just jobs. If someone is willing to spend the time and money on carefully blocking your access to the internet, it's clear that you are seen as a resource that they need to squeeze more efficiency from in lieu of them actually having real, attainable goals that they can measure staff by. If they had those, they would be able to give you assignments that justify your expense and it wouldn't matter if you took 5 minutes or 5 hours to do them in, because they have refined their models and *on average*, each employee would spend the expected amount of time on it.
Re:Power Corrupts... (Score:3, Insightful)
It's management grasping at straws because they don't understand the work well enough to know what needs done.
If you don't understand the job well enough to know what needs done how can you check to see if people are making progress? You can't. So the only thing you can do is run around and make sure everyone's "busy." The trouble is it's easy to look busy in front of some outsider that doesn't understand the work.
If you don't understand the work you won't know if it is taking to long to do. People will exploit that and you will look like an ass to them.
If you do know the work your workers will pick up on it rather quickly and won't try to scam you (not as much anyway). Instead of trying to figure out if people are busy you can move on to finding out what their excuse is for not getting the work done. If the excuse is valid, find out what you can do to help and do it. If the excuse isn't valid, you start using all the dick head moves that a manager has to offer (or at least threaten them with it) until results are seen.
When the work load is light and you are ahead of schedule... let your workers fuck off a bit as a reward. Let them know that you know their fucking off and you're letting them for the moment. When the work starts flowing in again, they'll be ready to kick back into gear for you.
Re:Do power users abuse their IT knowledge? (Score:4, Insightful)
And if I were your manager, I'd explain to you the concept of revenue generation vs. opportunity cost...
I work for a company where every dollar the company makes comes through IT. Without a functioning IT department, the company would be out of business in the space of a few days. But IT is still not making that money - it is made by the sales and marketing people who are going out and getting people to purchase the services that we offer.
But neither of you manage each other, so stop waving your dicks. I guarantee you neither of them are as large as you think they are.
Re:Do power users abuse their IT knowledge? (Score:1, Insightful)
See, that's a POLICY change.
I didn't make the policy. I don't have the authority to change the policy. Neither do you.
When I get your request, I can take the time to discuss it with you first, or I can just forward you the link to the form you need to fill out, PRINT out, have signed by your manager, return to the IT dept, where our admin assistant will route it to my boss who will forward it on to the VP of IT for the division with a note either recommending he OK it or not. If it is a major policy change the VP will take it up in a senior staff meeting for discussion before giving the yes/no. Then it comes back to me and I either make the change, or send a polite note to you/your manager explaining that the request was denied.
Now, get off your fucking high horse and stop pretending that you are the reason why the company exists and that everyone else is just here to service you.
Re:Do power users abuse their IT knowledge? (Score:5, Insightful)
Ummm... IANAL, but even I know that's not a real charge. If you threatened him with that, you guys are probably in the wrong...you know... "hostile work environment" and all those little things. You could have gone after him for unauthorized access... but you'd be hard pressed to claim it was unauthorized access to his home network. And given that he was an employee, you'd be pretty hard pressed to argue he exceeded access on his own desktop or your network. At best, you've got evidence that he used a data processing system in a manner violating policy--and you've already admitted it wasn't malicious and did no damage. Assuming you're using the computer fraud & abuse act--you've already eliminated most of the necessary criteria... which makes anyone accusing him under it guilty of... oh--filing a false report, and possibly perjury depending on how far you take it! Not that you'd ever be prosecuted as that's one of the most abused laws in the country.
While there are states where access in violation of policy *has* been held as unauthorized access, to my knowledge there's really only been one conviction of that so far--and last I'd checked in, it was about due to be thrown out on appeal. Quite simply--you can't open the door of your house to somebody, and then accuse them of trespass when they wander off the yellow brick road you defined in a convoluted fashion.
I don't blame you for looking for that type of traffic--it's a good way to hide botnet. But going after somebody for trying to listen to music... and using that as the excuse to fire him--that's just cowardly and dishonorable. Your users deserve someone more professional than that, even if they themselves are not the most professional based upon their actions.
Re:thats business (Score:5, Insightful)
Re:Do power users abuse their IT knowledge? (Score:3, Insightful)
You aught to, especially if your previous "fix" was to block the website used for business purposes in the first place.
The role of IT is not to control information technology, metering it out to the users as the IT gods see fit. The role of IT is to support the business. That means facilitating their work as much as possible, and protecting them from the dangers they are unaware of.
Frankly, if I were your manager and you took that attitude toward your customers on a daily basis, I'd fire you.
IT departments don't make a company money. They either help them make more money by increasing productivity, or they help prevent them from losing money by protecting their information-related assets. If you are doing neither, you don't belong there.
You're attributing to IT departments a degree of autonomy and self-direction that is rare. The role of IT is to do what they're told by their superiors. If that includes controlling information and metering it out, that's the way it's going to be. It's highly likely that if you're prevented from visiting a particular web site, it's because IT was told to block it. Perhaps not specifically but categorically. If we're told to implement technology to prevent employees from browsing X, Y, and Z, we do our level best to do that. If A, B, and C happen to be included in the lists we haven't created ourselves, we rely on users to tell us when they've been blocked as collateral damage, and we address it. If your note requesting that change is rude - and implying or stating it's our fault, you've got to expect to ruffle feathers. If you arrive at work and it's cold so you send of a snarky e-mail to the janitorial staff to "fix the heat because the cold office is costing you money", it's entirely possible that the recipient janitor is going to shrug his shoulders, forward it to the accounting department that didn't pay the gas bill, then go outside and key your car.
All of your rhetoric is amusing, but you're taking out your frustrations where it's not due.
Often when people behave like idiots, it's because you are unaware of a bunch of motivators in their world.
Re:Power Corrupts... (Score:5, Insightful)
And this is why "direct benefit" is a completely useless metric, and in fact isn't applied to most of the rest of a business's operations. A/C and heating, for example, don't provide a direct benefit except for industrial controls, yet most businesses see the value in providing a comfortable work environment to employees.
By the same token, the studies are now old news that have shown that employees who take "mental breaks" with Facebook and friends are more productive [news.com.au] and that external communications channels are becoming increasingly valuable to businesses [bbc.co.uk].
It's the same old story: Centralized policymaking suffers from a chronic lack of both information and imagination, and policies like global whitelists essentially kill off many useful innovations.
Re:Do power users abuse their IT knowledge? (Score:4, Insightful)
Of course you did. There was some problem (employees are looking up hitmen online and killing their bosses). You fixed it by blocking all applicable websites (it has the work "hitman" in it). Unfortunately, your conglomerate needed someone to clean the port-a-potty (a "shitman" in your part of the world). That site is blocked. You certainly intentionally blocked it. You just didn't specifically block it. And your imprecise fix to an earlier problem is causing new problems.
That's the attitude of a five-year-old. I expect better of adults, and insist upon better in the workplace. You may lose your cool, that is human nature, but I would expect a sheepish apology or mea culpa in that case.
You do realize that point (2) is trying to control information, right? It may be that some of IT's role is to control information, but to say that you don't while claiming that is half your reason for existing is, at best, cognitive dissonence.
I don't have to prove that the concept is poor to prove your implementation is. In every case, there will be sites that need to be black/white listed, and your mechanisms for doing so are subject to judgement without having to attack the idea of a black/white list system. In this case, you are defending a system of employees pleading with IT about making a site accessable. Why not simply automatically unblock the site, and then review it later?
That IT doesn't make money is an accounting truism. Neither does a CEO (well, depending on the company). IT is an overhead cost. It can be important, but where do you bring dollars in the door? Some IT departments bring in blue dollars, but that's it. (Exceptions made, of course, for IT consultant groups.)
Re:Power Corrupts... (Score:3, Insightful)
Truly, if a person wants to do something, they're going to do it. Whether its VNC'ing into their home computer to browse, using an encrypted proxy, encrypting the data for theft, or using their own phones for non-productive use of time, they're going to do it.
Re:Do power users abuse their IT knowledge? (Score:3, Insightful)
At my organisation you'd receive an email back saying "why do you need this?". Just saying it's costing money doesn't cut it, wasting my time costs money. When I make a change to the Firewall(s) I need to put that into at least one log/issue tracking system. If you are up front and say that I need information on foo and the FW is blocking Bar.com then I can put that info into the log and make the change so long as Bar.com is obviously porn/malware.
I hate people that screw around and waste my time when all they need is to actually tell me what they need instead of turning it into a big drama about the BOFH. If it's a business issue then you can tell me what you're doing (yes this is arse covering, I will not be left holding the bag whilst you download half a TB of porn) if not then cease wasting my time.
BTW, If the boss wants to know who's holding the whole thing up I can say Frank isn't following procedure so I cant do anything.
Re:Of course (Score:4, Insightful)
I'm sorry, but /. hasn't been a 'technical' crowd for some time now. It's currently a small population of 'technical' people of various fields and a great deal of September That Never Ended wanna-be haxx0rs.
I would just like to point out... (Score:1, Insightful)
I work in outsourced IT, which pretty much makes me system admin for... say, 30 different companies?
We've only got blacklists set up at a few of our customers, and generally we're forced to because - here's a shocker - 90% of end users are dribbling morons.
If you're blacklisted at work, or don't have administrative rights, there's a good chance that IT did it because the person at the desk next to you (or you yourself) downloaded viruses on facebook 5 days in a row. I can't do my job if I spend every waking hour removing "Internet Security 2009!" from your PC over and over.
Get over it.