Do IT Pros Abuse Their Power? 460

An anonymous reader writes "I have noticed that many airports and hospitals I've visited have some kind of internet usage policy in place. Some use software similar to Websense, which effectively blocks sites based on blacklisting them by category. A commonly used blacklist prevents users from accessing 'forums or discussion boards,' yet I find that often these networks allow users to access sites like Fark, Slashdot, Digg and other message boards that appeal to the technical culture one might find in the IT world. In your experience, do IT administrators abuse their supervisory powers? Has there ever been a backlash from users or management for doing so?"

  • Since when.. (Score:5, Interesting)

    by dr_strang ( 32799 ) on Sunday January 03, 2010 @01:20PM (#30632488)

    ...are Fark and Digg considered 'technical culture' sites? Seriously, this isn't 2001. Last time I checked, the Internet had sort of entered the mainstream and 'slacking off at work' isn't really considered exclusively IT.

  • Power Corrupts... (Score:5, Interesting)

    by PCGod ( 86295 ) on Sunday January 03, 2010 @01:21PM (#30632492)

    Absolute power, is even more fun!</bofh>

    Yes, we did have something like this happen where I work. Our IT group ended up blocking all social networking sites. Our marketing department raised a fit because they use Facebook for business purposes.

  • by Wonko the Sane ( 25252 ) * on Sunday January 03, 2010 @01:21PM (#30632496) Journal

    How many people here get around their workplace's blocking software by running an SSH tunnel to a proxy server on their home network?

  • Re:Power Corrupts... (Score:5, Interesting)

    by 2stein ( 871221 ) on Sunday January 03, 2010 @01:33PM (#30632624)

    Yes, we did have something like this happen where I work. Our IT group ended up blocking all social networking sites. Our marketing department raised a fit because they use Facebook for business purposes.

    At the place where I currently work we have kind of a "feel free to use the internet as you wish" policy. This actually works out quite well. Sites are not filtered specifically. They basically say "hey, if you end up doing illegal stuff, you're screwed, otherwise we don't care as long as you get to do your work."

    I used to work for a financial institution before that. And they had sort of a lockdown-mania. Filtering proxies (no checking your private web mail - could be used for stealing information), read-only USB mass storage, scanning outgoing e-mail attachments etc. I guess, these rules came in place because of management being scared to death by compliance requirements, not because of IT admins abusing their power.

    And BTW: Had I wished to steal massive amounts of data, I could have still simply sent them via e-mail in a password-encrypted archive. It's a matter of trust, not only of making it difficult. So basically powerful and clueless management are equally effective as power-abusing admins.

  • by iangoldby ( 552781 ) on Sunday January 03, 2010 @01:46PM (#30632752) Homepage

    I don't understand why people always try to "get around" these restrictions. If there is a legitimate business need, then get it approved.

    I suppose it depends on the size of the business. Where I work, it is usually impossible even to find out who is responsible for a particular policy. As for actually getting a policy changed, you'd be better off pissing into the wind.

    Whenever I need information from a blocked site (I'm talking about work-related information here), I just keep trying Google results until I find one that isn't blocked. Sometimes it can take fifteen or twenty minutes, when I know that the top result would have answered my question immediately. On occasions I send myself an email at home so that I can look it up after work, but why should I have to do this?

  • Re:Everyone Does (Score:3, Interesting)

    by psnyder ( 1326089 ) on Sunday January 03, 2010 @01:49PM (#30632776)

    It's human nature.

    ... to push the limits of our power and find ways to get around things. This is often seen in a negative light (as in the OP's choice of the word "abuse"), yet it's also a trait that has allowed humans to survive, thrive, and make numerous advancements.

    The OP talks about IT people white-listing websites they know to be safe because they themselves use them. I don't see this as having a negative impact for the staff or patrons of the places he mentions. If there is a negative impact, or "abuse", it comes from the executive decision to use censoring software in the first place, not the IT guy poking holes in it.

  • by lukas84 ( 912874 ) on Sunday January 03, 2010 @01:53PM (#30632798) Homepage

    Get a separate ADSL line for the IT pros. A friend of mine did exactly that. He works in a large bureaucracy and in the end they installed a separate, unfiltered ADSL line that's not under the administrative control from over-the-pond.

    Of course, being in IT, they were smart enough to keep this all on a separate network.

  • by Anonymous Coward on Sunday January 03, 2010 @02:10PM (#30632950)

    With all due respect--as you certainly sound more competent than most network admins I've ever dealt with--you're at an IT site. The properly managed network is a myth and you know it. The two most common reasons for that really ought to be immediately obvious, but if they're not:

        1) No network is "properly managed", period. It's just too expensive anywhere. Somebody somewhere has an exception to the policy--even if it's documented because they needed some obscure piece of software. Or they're a marketer doing competitive research and actually would benefit from twitfacespace access. Or the president demands access to penthouse forums, and it's your job on the line (save that email demanding it...)

        2) Ummm....yeah...I'm a programmer (I also run my local network. No budget whatsoever for it...you'd hate it if you saw it. Literally--$0 budget...something breaks and I have to beg for cash to replace it). You might work at one of the places where programmers don't get local admin rights (kinda stupid, but fine)--but I guarantee you if I can't compile an app on my desktop and run it, there's going to be a massive stink raised, with me copying HR about how "network admin bob" is actively obstructing my work process and making it impossible to do the most important part of my job description. But I'm going to be able to run that software, or anything else I feel like if I can get the source code and it compiles in whatever craptastic IDE the company mandated. I won't run anything I shouldn't--because I'm a professional--but I'll test it every time you upgrade my desktop because I don't want to deal with the inevitable three week wait the two or three times a year I will need to pull in some third party...something...in order to meet some strange deadline.

    Thirdly--rejecting self signed certificates for providing a false sense of security is...a load of BS. My self signed certificate is likely more secure than *any* cert you'll ever generate in your entire network. Because I actually check it. Because my threat model includes a subpoena forcing Verisign to generate a valid signed key for my domain. Because my keys are generated by a ten year old desktop of mine (the o/s isn't that old though) no longer connected to a network, and then physically moved. Yeah, it's not a DoD airgap--but it's better than anything most places will ever.

    And lastly because sometimes--people just don't care that a self signed certificate is "less secure"--it's still better against the casual attacker even with readily available MITM tools (even our transparent proxy/IPS will automatically scan SSL content too, just like I'm sure yours does). If it stops the average person from inspecting traffic on a bridged network (and let's face it, flooding a switch's ARP tables to force bridged failover is a lot older than MITM tools).

    ----

    Simple point of fact: Self signed certificates increase encryption on the net. Even if people run a MITM, competent parties can positively for that very attack, and identify the presence of an attacker. That's substantially better than the present system where someone can run surveillance and you would never even know. CA's on the other hand...well...it's already well established they're mostly worthless.

    Captcha: EXEMPT

  • by Anonymous Coward on Sunday January 03, 2010 @02:13PM (#30632990)

    I have seen that "lockdown" so many times, and it never works. There are no technical solutions to personnel problems. I always use this analogy; "You can make a car very secure by removing the battery and putting it up on blocks. It just doesn't make for a very good car."

    "Car on blocks" is a good description. Our PHBs have included a "books and literature" prohibition that blocks all on-line books and magazines, including the archives from the big technical publishers. It makes it hard to satisfy the PHB command "Technical lackey, find out everything about this 20-year old technology and give me a one paragraph summary on how it will be our 'next big thing.'" Especially after PHB burned the technical library to expand his office.
    This usually results in having to go home and work it out there, outside IT/PHB control. Then have a long lunch and take the rest of the day off. The productivity improvements are stunning.

  • by Compholio ( 770966 ) on Sunday January 03, 2010 @02:28PM (#30633144)

    Sure. Proxy intercepts DNS requests and forwards them to our Internal DNS servers. Firewall has a rule to block outbound DNS requests except those by our internal servers. The internal servers are only allowed outbound requests to our ISP's DNS servers.

    Except that's not how SSH over DNS works. On the server end someone installs a custom DNS server on a machine and sets that machine as authoritative for a domain. On the client end the PC sends a seemingly benign request through your local DNS servers, which forward that request to the authoritative domain (running the custom DNS server). The custom DNS server then decodes the "benign" request, passes it off to the SSH server, retrieves the reply, then encodes it so that it can be sent back to the client PC.
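Because the tunnel described in the comment above rides on ordinary recursive resolution, the place to spot it is the internal resolver's query log rather than the firewall. The following is an added example, not part of the original thread: it scores logged queries per base domain by distinct subdomain count, subdomain length and character entropy. The log format, the thresholds and every name in the sample are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Assumed thresholds for this sketch; tune them against your own resolver baseline.
MIN_UNIQUE = 4      # distinct subdomains seen under one base domain
MIN_MEAN_LEN = 20   # mean subdomain length, in characters
MIN_ENTROPY = 3.0   # mean Shannon entropy, in bits per character

# Constructed resolver log: "<client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
10.0.4.17 www.example.org A
10.0.4.17 mail.example.org A
10.0.4.22 wiki.example.org A
10.0.4.22 intranet.example.org A
10.0.4.22 d3a9f1c27b6e4805a1f2.cdn.example.net A
10.0.4.31 mfzwizlsebuw4idumvzxi2lom4.tunnel-test.example TXT
10.0.4.31 orugs4zanfzsayjaonqw24dmmu.tunnel-test.example TXT
10.0.4.31 mnxw45dsn5wgkzbanvqxe23fmq.tunnel-test.example TXT
10.0.4.31 obqxg43xn5zgiidgn5zca5dfon.tunnel-test.example TXT
10.0.4.31 kbuwy3dpo5zsa5dimuqge2lhea.tunnel-test.example TXT
"""

def shannon_entropy(s):
    """Bits per character of the string's own character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_qname(qname):
    """Return (subdomain, base_domain).

    Assumption: the base domain is the last two labels. A production
    version would consult the Public Suffix List instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def score_domains(log_text):
    subs = defaultdict(set)      # base domain -> distinct subdomains queried
    clients = defaultdict(set)   # base domain -> clients that queried it
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue             # skip malformed lines
        client, qname, _qtype = parts
        sub, base = split_qname(qname)
        if sub:
            subs[base].add(sub)
            clients[base].add(client)
    report = {}
    for base, names in subs.items():
        mean_len = sum(len(n) for n in names) / len(names)
        mean_ent = sum(shannon_entropy(n) for n in names) / len(names)
        report[base] = {
            "unique": len(names),
            "mean_len": round(mean_len, 1),
            "mean_entropy": round(mean_ent, 2),
            "clients": sorted(clients[base]),
            # All three signals must agree: many names, long names, random-looking names.
            "suspect": (len(names) >= MIN_UNIQUE
                        and mean_len >= MIN_MEAN_LEN
                        and mean_ent >= MIN_ENTROPY),
        }
    return report

def suspects(log_text):
    return sorted(d for d, r in score_domains(log_text).items() if r["suspect"])

if __name__ == "__main__":
    for domain, stats in score_domains(SAMPLE_LOG).items():
        print(domain, stats)
```

Requiring all three signals keeps a busy intranet domain (many short names) and a single hashed CDN hostname (one long name) out of the result.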

  • Re:Power Corrupts... (Score:4, Interesting)

    by dkf ( 304284 ) <donal.k.fellows@manchester.ac.uk> on Sunday January 03, 2010 @02:36PM (#30633230) Homepage

    Take SSL/TLS for example. It is basically protection against a problem that would never happen in reality. What are the chances of someone intercepting your communications link to a website and capturing your credit card numbers? Out of the billions of packets that are flowing through the networks, the chances of someone managing to find the one packet with the 25 bytes of data comprising your credit card number are vanishingly small. The level of access you'd need would mean it'd be easier to just compromise the person's PC directly rather than sorting through all that noise.

    Once someone's trapping the message flow, it's trivial to search for particular triggers. The biggest defence is current generations of routers not sending every message to every machine on the local net, but that's not really much of a defence at all. Encryption stops these trivial attacks.

    There are problems with SSL as usually deployed:

    1. Most users don't verify that who they've connected to is who they wanted to connect to.
    2. Some CAs are grasping idiots who will sign any old shit if it gets them another dollar.

    Mind you, the alternatives are mostly much worse. And in fact SSL can be very good indeed (e.g., when the client has to present a certificate to the server and a private CA that everyone knows about beforehand is the only trust root). It's just that deployment on the scale of the internet is hard; there's just no way to get everyone to know about everyone else before communications start.

  • by linuxrocks123 ( 905424 ) on Sunday January 03, 2010 @02:40PM (#30633266) Homepage Journal

    There's no reason you can't actually talk HTTP. See http://www.sensepost.com/research/reDuh/ [sensepost.com] for one of many examples on how to do this. And, once you have an arbitrary TCP connection, there's no reason you can't perform a public key exchange for SSH as usual, defeating your proxy's man-in-the-middle attack.

    Nice try, man, but you'll never be clever enough to accomplish what you intend.

    ---linuxrocks123

  • Re:Power Corrupts... (Score:4, Interesting)

    by CastrTroy ( 595695 ) on Sunday January 03, 2010 @03:09PM (#30633450)

    CA's aren't supposed to guarantee that their customers are trustworthy. The only thing a certificate is for is to verify that internet traffic is coming from who it says it's coming from. That's it. Nothing more, nothing less. Nothing says you can't get a virus from only going to SSL sites. You can get an ssl cert for as little as $15 [dreamhostreview.org] these days. Basically it's just a big cash grab by the CAs. They don't actually have to verify that the site in question is using their cert for good, but just that they are who they say they are.

  • by fluffy99 ( 870997 ) on Sunday January 03, 2010 @03:23PM (#30633520)

    So, just tunnel SSH over SSL, and buy yourself a proper certificate.

    At which point, you've crossed the line from casually surfing when you should be working into actively trying to subvert network defenses. That's the line that will get you fired instead of simply told to get back to work. Surfing porn or other "inappropriate" sites will also get you fired pretty quick.

    Besides, I happen to watch for unusual stuff like SSL sessions open for long periods of time to address ranges belonging to cable modems and Verizon DSL subnets. Had a guy last month get fired for other reasons, and reviewing the logs and seeing that he was trying to tunnel out to his home music library simply added to the justification for firing him. He was a dipshit and has no recourse as we threatened him with a federal charge of hacking govt computers by trying to install tunneling software.
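The check the comment above mentions, long-lived port 443 sessions to residential address ranges, can be run over proxy CONNECT records. The following is an added example, not the commenter's tooling: it flags one long session, and also several shorter sessions to the same host that add up. The log format, thresholds and user names are constructed, and the watched networks are documentation ranges standing in for real broadband allocations.

```python
import ipaddress
from collections import defaultdict

# Placeholder networks (RFC 5737 documentation ranges) standing in for the
# residential broadband allocations you would load from your own list.
WATCHED_NETS = [ipaddress.ip_network(n)
                for n in ("198.51.100.0/24", "203.0.113.0/24")]

LONG_SESSION_S = 1800   # assumed: one session of 30 minutes or more
TOTAL_S = 3600          # assumed: sessions to one host totalling an hour

# Constructed proxy log: "<timestamp> <user> <dest_ip:port> <duration_seconds>"
SAMPLE_LOG = """\
2024-01-08T09:01:10 alice 192.0.2.10:443 42
2024-01-08T09:03:55 bob 198.51.100.23:443 14400
2024-01-08T09:05:00 carol 203.0.113.80:443 35
2024-01-08T10:00:00 dave 203.0.113.9:443 1500
2024-01-08T10:30:00 dave 203.0.113.9:443 1400
2024-01-08T11:00:00 dave 203.0.113.9:443 1300
2024-01-08T11:10:00 erin 192.0.2.77:443 7200
"""

def in_watched(ip):
    """True if ip parses and falls inside one of the watched networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in WATCHED_NETS)

def find_long_sessions(log_text):
    longest = defaultdict(int)   # (user, dest_ip) -> longest single session
    total = defaultdict(int)     # (user, dest_ip) -> summed session time
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue             # skip malformed lines
        _ts, user, dest, duration = parts
        ip, _, port = dest.rpartition(":")
        if port != "443" or not in_watched(ip):
            continue
        key = (user, ip)
        secs = int(duration)
        longest[key] = max(longest[key], secs)
        total[key] += secs

    hits = []
    for key in sorted(total):
        if longest[key] >= LONG_SESSION_S:
            reason = "single long session"
        elif total[key] >= TOTAL_S:
            # A tunnel that reconnects never shows one long session.
            reason = "repeated sessions"
        else:
            continue
        hits.append({"user": key[0], "dest": key[1],
                     "longest_s": longest[key], "total_s": total[key],
                     "reason": reason})
    return hits

if __name__ == "__main__":
    for hit in find_long_sessions(SAMPLE_LOG):
        print(hit)
```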

  • by mordejai ( 702496 ) on Sunday January 03, 2010 @03:42PM (#30633640)

    Guilty!

    I used to do that when I worked for The Warranty Group.
    They had implemented Websense with INSANE restrictions like, for example, ALL BLOG SITES.

    Newsflash: it's been several years since the majority of the useful up-to-date technical information is found mostly on blogs, not corporate sites. I NEEDED to access some of those blogs TO DO MY JOB.

    But it was easier to set up the tunnel than to fight a ridiculously badly managed corporation.

  • Re:thats business (Score:1, Interesting)

    by Anonymous Coward on Sunday January 03, 2010 @04:04PM (#30633768)

    In my experience the IT dept generally has rules for other people and rules for themselves.

    Different responsibilities, different rules. nothing abnormal. Every department has different rules for itself and for others.

    They "know what they are doing" while everybody else "can't be trusted"

    And this is why. And it is true, not because other people are idiots, but simply as a matter of policy. Again, the same thing goes for other departments. (ever tried to get the same access to the corporate funds that the finance department has ?)

    Their login for general usage is full administrator

    If that is true they are idiots.

    while I am barred from sites "listed as general business" (only sites pre-approved by IT are allowed, which they make very clear they do not do because they don't want people asking them all the time)

    Typically this happens because management demands a system that makes sure people do not waste time on non work related websites. IT says that is only possible by using a very labor intensive white-list setup for which they do not have the manpower to manage. Management forces it anyway. IT gives change requests for the white list the lowest priority. Solution: don't complain to IT. Tell your management what you need to do your work and let them take care of it. After all, they caused the problem.

    They install whatever they like, including such productivity tools as BBC news sports tickers

    yep, the job comes with some advantages. Of course the everybody else "can't be trusted" rule is the major cause for this.

    When another member of staff requires a new PC, they get an IT staff's PC and IT get a new PC. Despite the general staff doing work where screen real estate is highly productive, their monitors are 15" and 17" while IT and managers have 19" (although they were quite savvy and gave the partners 21"; monitors are the new bigger desk and chair). In my job where we do quite a lot of printing, speed and quality are important, IT also have the best printer - yet it took a week for them to notice when I unplugged it one Friday night.

    Typically this has to do with budgets.
    Business: I need a new PC/printer/whatever.
    IT: ok, which budget can we charge.
    Business: Charge? Budget? Well, I thought you probably have something laying around.

    And of course IT needs new stuff first to gain experience with it.

    IT is all about convenience for IT. All our productivity stuff, which at any given moment 99% of staff is running at any given moment, is quite server intensive. They're all on the same server, while low-intensity stuff rarely used has three idle servers all to itself. I spend a significant portion of my time waiting for the server to respond.

    Budgets again. Everyone wants new, faster servers, nobody wants to pay for it. IT has probably advised to upgrade/replace them years ago.

    I pointed out once that the servers could be rebalanced to distribute the load but was told "that would be too much hassle".

    From the mind of the IT department: "Yeah, right you fucking cheap ass. not willing to spend some money for a decent server, even though we warned you for years, and now you want US to do a lot of risky work to alleviate your problem, at the expense of others who did take appropriate action when we warned them. f*ck you."

    All the procedures are laughable. Despite almost completely phasing paper filing out, all staff's basic logins can delete data files and all the backups are kept on a shelf on site. I could obliterate the lot in one minute of madness (probably induced by dealing with IT). It would take me longer to copy it all to a couple of USB sticks, but nobody would notice until they got the blackmail letters or it was on the news.

    Likely manag

  • by JoeZeppy ( 715167 ) on Sunday January 03, 2010 @05:38PM (#30634440)

    If you tunnel SSH directly over the proxy yes, but if you tunnel SSH over SSL over the proxy then it would have no way to differentiate it from a genuine HTTPS connection.

    Yep that's what I do, except I don't bother proxying web traffic over it. We only open 8080 and 443 outbound through the proxy, so I run an ssh server on a windows box at home, listening on port 443 (port forwarded through my home firewall.) Then I connect and tunnel RDP over it with Putty, and use the Windows box remotely to grab what I need, copying files back over the RDP connection shared drive. Close Putty and delete the registry settings, and most of my tracks are covered from auditing. I have two batch files, one to add the putty config to the registry and one to remove it. I have separate tunnels set up for all of my home PCs, so once I connect to the SSL box I can hit any PC that happens to be on. As far as the proxy can see it's encrypted traffic over port 443, same as any other HTTPS traffic.

    Mind you I don't use this to fuck off, but I'm in a position where I occasionally need to find tools for creative problem-solving or follow forum threads where there may only be one or two people posting the same problem I'm researching. Or I've left a file at home that I needed at work. Or sometimes I just really need to get to my personal email for one reason or another. Whatever, it's come in handy to have full access to my home network on more than a few occasions. They let us RDP into our work PCs from home through the corporate VPN, so it can't be any more dangerous for me to RDP home through my own VPN.

  • by axor1337 ( 1278448 ) <leonardtj@gmail.com> on Sunday January 03, 2010 @06:15PM (#30634766) Homepage

    Considering that it is the IT dept that sets the policies and manages the network they can do what they want. At the IT dept. I work for we have all of our machines running dual NIC’s with one on a separate subnet from the rest of the infrastructure. We have that subnet set as a DMZ so we have full access. No firewall, filtering, or monitoring. As the tech support for the whole company if they don’t like it we can slow down our support and lower our quality of service. For now management doesn’t bother us because we are very good at what we do.

  • Re:Power Corrupts... (Score:5, Interesting)

    by Cederic ( 9623 ) on Sunday January 03, 2010 @07:34PM (#30635500) Journal

    And everybody in my extended team have web browsers on the mobile phones anyway, so if we do want to look something up we don't even need to use company resources to do so.

    Of course, it'll be quicker to use a proper browser on a proper monitor with a proper keyboard, but that just highlights the fallacy of locking things down to promote productivity.

  • Re:Power Corrupts... (Score:3, Interesting)

    by Cederic ( 9623 ) on Sunday January 03, 2010 @07:40PM (#30635552) Journal

    The trouble is it's easy to look busy in front of some outsider that doesn't understand the work.

    I find the opposite is true.

    At any moment in time, one of my team members will be telling a joke to another. A third will be browsing the web. A fourth will be on the phone asking a colleague on another floor where they're going for lunch. A fifth is arguing with a sixth and the boss is listening in without contributing.

    It looks like we're a bunch of lazy slackers. Yet.. the joke is his way of saying 'hi' and making up for the fact he's stealing a couple of hours of the other guy's time to help with something. The web browsing is researching competitor information, the lunch date will lead to informal governance of a key project and the argument will force out and address issues that hadn't otherwise been thought through. Meanwhile the boss now knows two of his team better and collectively we've saved the company 100k in 20 minutes of what to an outsider looks like pissing about.

    It's one reason I enjoy my job, but also makes it bloody difficult to look busy to outsiders. Sure, I do sit and actually write stuff, but that takes hours; it's the days of appearing to do fuck all that makes the write-up so worthwhile.

  • Re:YES YES YES (Score:2, Interesting)

    by korean.ian ( 1264578 ) on Sunday January 03, 2010 @08:57PM (#30636184)

    Yes, but the question was "Is it abused".

    In our building Facebook is blocked along with many other forums that would help developers get their job done. The abuse comes in when our other building (the one where IT & upper management are located) doesn't block these forums or facebook.

    Management needs Facebook & YouTube, but I can't read someone's blog about getting around a specific C# programming problem?

    Would you rather have them busy with Facebook and Youtube or busy trying to "manage" the developers? I don't know about your work situation, but I've found TOR is pretty much capable of getting around most filters...

  • by noc007 ( 633443 ) on Monday January 04, 2010 @09:24AM (#30639818)

    At the company I work for, the users had unrestricted access to the internet. Then they started abusing that freedom by going to porn sites, soaking up all the bandwidth with streaming music and YouTube, and happily going to every malware website possible. We got fed up with blocking IP ranges at the firewall, having to tell a user not to stream media, and finding out how creative a user can get with getting malware. I campaigned for and got a content filter. Not everyone gets a "no internets" policy. We start off with restricting the really malicious sites first, then allow full access to those that need it (e.g. underwriting), then make category blocks like porn, and then granular as each department head sees fit. So far everyone has gotten used to it. Sites do get miscategorized from time to time, but we can unblock them and recategorize them as needed. Really we should have had something like this when I first started since there is a possibility for unrestricted access to become a liability. OP, if you want a website unblocked, put a request to the netadmin to have it unblocked. Otherwise appreciate that you do have some level of an internet connection that you're not paying for, get some means of a VPN that won't restrict internet access, or pay a hefty sum for an aircard.
