Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
×
Businesses Security

Telling Your Superiors Their Financial Data Is At Risk? 100

Posted by Cliff from the just-because-they-aren't-paranoid-enough... dept.
alterimage asks: "I'm a Computer Science major at night, working by day in Accounting for a major telecom provider, with clients consisting of most the entities on Fortune's Top 20 Most Admired Companies of 2006 list. Daily, I see customer payments in excess of $50,000 come and go. Strangely enough, rather than have these payments conducted by an IVR system or over the Internet, the majority of these payments are conducted over the phone with individuals such as myself, who are instructed to write down, document all the specific banking information, and to keep them on hard-copy in an unlocked file cabinet that is accessible to anyone. Having experience with social engineering and fraud, I've already advised my boss that it's probably not a good idea for those bank routing and account numbers to be laying around unsecured, and was told that I'm over-reacting. So I ask Slashdot: At what point should the human aspect of security be considered in the business environment? Should I just smile, nod, and play along in this situation?"
This discussion has been archived. No new comments can be posted.

Telling Your Superiors Their Financial Data Is At Risk? More

Telling Your Superiors Their Financial Data Is At Risk?

Comments Filter:

  • let it go. your boss doesn't care, and they don't. (Score:4, Insightful)

    by User 956 ( 568564 ) on Wednesday March 07, 2007 @02:48AM (#18259374) Homepage
    I've already advised my boss that it's probably not a good idea for those bank routing and account numbers to be laying around unsecured, and was told that I'm over-reacting. So I ask Slashdot

    translation: I'm looking for a creative way to get myself fired.

    and if it bugs you, just keep your head down and look for a better job. If you make a stink, the first time something goes wrong, you'll be the first guy they blame.
    • If you make a stink, the first time something goes wrong, you'll be the first guy they blame.

      I had a college roommate who had a similar problem when he pointed out an ethical issue at a brokerage firm. He got busted to the mailroom. A friend who was a senior broker at a different firm told him to get out before he gets fired for something he didn't do if he wanted to work in the industry. He decided to become a tech writer instead.

      • Re: (Score:2, Insightful)

        by bladesjester ( 774793 )
        Ethical issues at a brokerage firm? I'm shocked :P

        All kidding aside, I feel kind of sorry for the people who post this kind of ask slashdot. As bad as it sounds, the best course of action most of the time is just to keep your mouth shut and continue with life as usual. Most entrenched management and executives do not want anyone to rock the boat and will make your life a living hell not only in your current job, but also possibly in the industry as a whole if you do rock the boat (and I don't care how bi

        • ...the best course of action most of the time is just to keep your mouth shut and continue with life as usual.

          Depends on your definition of "best", I believe. "Suck it up" and "lemming" do not describe what I view as "best" and certainly wouldn't describe what I want my "life as usual" to be.

          I believe that one can be non-naieve (sic) and still Do The Right Thing. Yes, it could have negative immediate consequences, but the alternative could have significantly worse long term consequences...

        • Re: (Score:3, Insightful)

          by account_deleted ( 4530225 )
          Comment removed based on user account deletion
      • Ethical concerns are different from security concerns, somewhat. If you can suggest a cheap way to increase security, you'll be very mildly rewarded or ignored.

        Still, the requester should likely change jobs before any major security breaks occur, and not mention anything further about security.
    • If you make a stink, the first time something goes wrong, you'll be the first guy they blame.

      There are ways to handle this. It does require a lot of tact and diplomacy to make it sound like your entire concern is for the wellbeing of the company and the manager especially, and that it was your boss's idea in the first place. Unfortunately, tact and diplomacy are traits that Computer Science Majors tend not to have a lot of practice in... Computer Science is a culture where if you do something wrong, y
    • Parent is totally correct. When this operation melts down, it will reflect poorly on those aware of the problems and you brought visibility to a fucked up system. Your name will be dredged up from email records and you will be shown the door, rudely. You will have to find another industry to work in, don't plan on any recomendations. The other plan is to take the bank routing and account numbers, setup a quick exit to a foreign country and steal as much money as possible before you can be detected. There is
    • I was in a similar perdicament once and found that there is a "language" barrier between management and techies. Management speaks in terms of money while we speak in terms of technology. If you can convey the issue in terms of money then he's more likely to listen.

    • Re:let it go. your boss doesn't care, and they don (Score:4, Insightful)

      by markov_chain ( 202465 ) on Wednesday March 07, 2007 @11:01AM (#18261888)
      The sad thing is, his unlocked filing cabinet is probably more secure than having the information sit on some server where hackers from Bulgaria can steal it and blackmail the company.
    • Ask your boss if he'd like to work at McDonald's.

      He's instructing you to perform a non SOX Compliant activity.
      If it was the medical industry, it would also be non HIPAA compliant, as that is personally identifiable information.
      I don't know whether the financial industry has a HIPAA like set of rules to follow. If they don't, they need one.
    • just keep your head down and look for a better job

      While the "look for a better job" part is probably sound advice at some point, I wouldn't say "keep your head down" is the best thing to do...not in the ethical sense in this situation and not as a means to success in general. People who always just "keep their heads down" don't stand out in a crowd, aren't recognised for their achievements (and achieve less overall) and don't advance very fast in their career.

      If you make a stink, the first time something g
    • Since he's a college student and probably NOT going to stay in this job forever, I suggest the best course is:

      1. Say NOTHING to the boss about this matter from here on out.
      2. Collect names and account numbers and contact information.
      3. When you leave this job one day, and you will, and when you need money, and you will, contact the account holders *directly* and offer to tell them where you got your information for a fee.

      • Re: (Score:2, Funny)

        by kennygraham ( 894697 )

        1. Say NOTHING to the boss about this matter from here on out.
        2. Collect names and account numbers and contact information.
        3. When you leave this job one day, and you will, and when you need money, and you will, contact the account holders *directly* and offer to tell them where you got your information for a fee.

        You must be new here.

        1. Say NOTHING to the boss about this matter from here on out.
        2. Collect names and account numbers and contact information.
        3. ???
        4. Profit!

        There, fixed.

      • You do know that extortion and blackmail are illegal, right?
        • In today's international corporate world, legality is for chumps who actually care about the nation they are in or the system they are working for. Simply select the overseas addresses.

    • If you make a stink, the first time something goes wrong, you'll be the first guy they blame.

      So, you're telling me it will go something like this:

      Employee: You might be insecure!
      Boss: You're overreacting. We're fine.
      Some time later...
      Boss: Well, shit, we got 0wned. Employee!
      Employee: Yes?
      Boss: You knew we were vulnerable?
      Employee: Yeah...
      Boss: And you didn't do anything?
      Employee: I tried, but...
      Boss: You're fired! You'll never work in this industry again!

      How does this make sense, even to the b

    • There's an easy answer to this. All big public companies have an ethics or compliance hotline that you can call and anonymously report stuff like this. It usually goes directly to the audit committee of the BoD or similar. Call, and then youcan feel comfortable knowing that you've done your part, and the people who need to know are informed.
    • The correct answer is to tell the companies internal and/or external auditors. If this is a publicly traded company then SOX requires this kind of problem be fixed. If you ask them to they most likely won't even reveal where the information came from (of course your boss will probably know since you already raised the issue).

  • In a word: yes (Score:4, Insightful)

    by Icarus1919 ( 802533 ) on Wednesday March 07, 2007 @02:50AM (#18259378)
    Continue to make good faith efforts to change the policy. However, if you keep getting stonewalled, then let it slide; you may start making enemies if you continue past that point. It won't be your ass on the line if something goes wrong, especially if you can document that you tried to solve the problem.

    • Re:In a word: yes (Score:4, Insightful)

      by Splab ( 574204 ) on Wednesday March 07, 2007 @05:40AM (#18259970)
      Pay particular care to the last part, documenting! Some time back I worked as a PHP programmer part time, and during transition from one server to another for one of our major sites I noticed that forms was open for injection attacks, now this being a legacy system it wasn't just fixing it a few places, but all over the site which means a lot of hours. The reason for this being a non issue on the old server was it was running with magic quotes. The reason for the new one not being able to run it was newer sites was programmed around the assumption that magic quotes was off and would thus escape all input.

      I told my boss on several occations that it also meant you could easily gain admin priviledge, but fixing it meant spending money so it wasn't. I made sure to document my warnings, because sooner or later someone would stumble across the sites admin interface and deface the site - which they did and when the boss wen't haywire I had documentation that he was warned.

      • Re: (Score:3, Informative)

        by Pig Hogger ( 10379 )

        and when the boss wen't haywire I had documentation that he was warned.
        Congratulations! You just found out why you got fired and can no longer work in this industry any more...
        • It might not even be quite that bad... but it can still come out badly if you're not careful with your approach.

          There's always the "Oh! that's what you meant, you know where your job description says you need to be able to communicate clearly and professionally to non-technical folks? Yeah... you sure messed that one up, didn't you?"
    • Quite the contrary, actually. Remember that the crap flows downstream and if there is something that happens, it won't be the suits that make several times your wage that need the shower.

      Documenting that you at least tried would be in your best interest IF something happens and it ends up in court but only if you can prove that you didn't pen the documents the night before you took the witness stand. IANAL, but those are my best guesses as to what happens. There isn't justice in most workplaces, it's def

      • Remember that the crap flows downstream and if there is something that happens, it won't be the suits that make several times your wage that need the shower.

        Funny, that's just what Enron and Martha Stewart said...
  • Move a large sum of money into your least favorite neighbor's bank account. They'll figure it out real quick. If the record keeping is as bad as you claim they will never figure out who did it, plus your loud obnoxious neighbor gets to move into a new apartment courtesy of your local government institution.

    To actually correct it? Wait for someone else to steal a bunch of money, it's bound to happen sooner or later. Problems don't get fixed unless it's obvious more money will be saved by fixing it than let

    • Re: (Score:2)

      by qwijibo ( 101731 )
      Your theory presumes that someone has yet to steal a bunch of money. I don't share your unbridled optimism. I wouldn't be surprised if management set it up this way so they can skim money themselves without anyone being able to figure out who is doing it. Transactions don't have to be untraceable if you can ensure there is a large enough suspect pool to minimize the chances of getting caught.
      • If that was the case he'd already have been fired for gross incompetence and his name would be mud. That's why you have to tread really carefully. If your boss (or the person you tell) is in on it they're gonna frame you.

        • Re: (Score:2)

          by qwijibo ( 101731 )
          Of course they are, but why would they cut the scam short? People who steal money aren't likely to say "ok, I better stop now because I have enough money and I found a patsy." They can pin it on you at any time, even after you leave if they only use information that was available to you at the time you left.
          • If you suspect something then you are a threat. They need to get rid of you anyway they can. If they can also pin it on you then they can deflect the blame. If they're careful they can fire you without enough proof for a criminal investigation (so no one looks too closely).

            Once there's someone who got fired for it they can change the practise and keep the money. Or they could keep stealing, have you disclose to someone else and get caught. Even if they stop an audit could reveal the sortcoming. Someone woul
        • If that was the case he'd already have been fired for gross incompetence and his name would be mud. That's why you have to tread really carefully. If your boss (or the person you tell) is in on it they're gonna frame you.

          Heh, this reminds me of Neil Gaiman's Anansi Boys [wikipedia.org] where the main character's boss keeps an incredibly high turnover rate at his company just so that nobody can figure out that all the rich clients are being embezzled from. As soon as the boss thinks his employee figured him out, the employ

    • Re: (Score:3, Insightful)

      by DreadSi ( 1070682 )
      Better yet - move a large sum of money into your apathetic boss's account. You would be doing your employer a favor and killing two birds with one stone.
  • If you have communicated your concerns to your superiors then your obligation is filled and you don't have to worry about it.

    That said, if you are still worried for some reason then you should either find a way to express the problem to your superiors' superiors (if they have any) or possibly anonymously report it to the clients themselves (if you won't be endangering yourself in the process).

    Good luck.
    • I agree that his duties have been fulfilled by communicating this security issue to his superior. But, so that his ass is covered, I'd extend this to make sure that a paper trail of sorts exists for his recommendation (if one doesn't exist already). Perhaps a last email bcc'ing himself offsite saying something like:

      "
      I know you've already stated that you don't wish to improve the security situation regarding our clients accounting records. So, please consider this my final attempt to improve this security
  • You state you need to keep account numbers and routing info on accessible paper, nowhere did you mention the need to keep transaction details as well.

    Account numbers and routing information aren't confidential, it's just a matter of convenience to put them on paper. It wouldn't be hard for anybody to obtain such information in legal ways.

    • Account numbers and routing information aren't confidential...

      Yes, they are. Many websites will let you debit purchases from a checking account with only this information plus the address on the account. Personal accounts often require a driver's license number as well, but these are businesses. Once again (like Social Security numbers) we have a "cryptosystem" where the "public key" and "private key" are the same thing.

      • If you're giving the routing number and account number of your checking account to 3rd parites to make payments over the web then you're not treating the data as though it were confidential. Now, in addition to any employee at your bank, any random person at the company of the 3rd party has access to this information. They could rack these things up for a year and then sell them on the internet. Or maybe their web server gets hit by a worm which steals all these numbers along with credit card numbers.

  • Start looking for work elsewhere... (Score:4, Informative)

    by unitron ( 5733 ) on Wednesday March 07, 2007 @03:14AM (#18259488) Homepage Journal
    Remember, they will never forgive you for being right.
  • If you don't like your job, want to be on welfare, or already know who you're going to work for next, go for it... Who knows, maybe they'll even listen!

  • Yes and no... (Score:3, Insightful)

    by Cervantes ( 612861 ) on Wednesday March 07, 2007 @03:41AM (#18259564) Journal
    You have a moral responsibility to encourage data to be safe.

    If you push it, you're quite likely to get stonewalled, destroy your future at the company, and possibly hasten the demise of your job.

    If you plan a long future at this company and can live with the moral ambiguity, shut up and leave it until you're higher up in the chain.

    If you can live with possibly losing career opportunities, make your complaints, but target the right person. Usually most companies will have someone who's actually supposed to make sure data is secure and privacy is assured. Find them and explain things to them.

    If you really don't care about the job, make a good list of all the problems, written out and carefully phrased, and push it as far up the chain as you can. You'll get shit for it, maybe tossed, but with those concerns sitting on the CEOs desk, it's quite unlikely they'll get forgotten.

    At the end of the day, it just depends on your personal moral standing.
  • If you warn people and they don't listen you've done your part.

  • You're probably witnessing a scam. (Score:3, Informative)

    by Animats ( 122034 ) on Wednesday March 07, 2007 @03:47AM (#18259590) Homepage

    Remember Enron? WorldCom? Both had major telcom billing fraud components. You may be looking at a fraud.

    If there's an internal audit department, they should know about this. They have Sarbanes-Oxley responsibilities [aicpa.org] to check that internal audit controls are sufficiently tight.

    Sarbanes-Oxley has whistleblower protection [mofo.com]: "Sarbanes-Oxley creates severe criminal penalties (including substantial fines, and up to 10 years in prison) for retaliation against whistleblowers who raise concerns about violation of any federal criminal statute, not simply laws limited to financial fraud." So if your boss threatens you, you can threaten back.

    Also, "Congress required corporate Audit Committees to create mechanisms for receiving anonymous employee concerns about financial improprieties." Find out how that channel works and make a report.

    The burden of proof is on the employer in these cases. This law has real teeth.

    Here's a lawyer who specializes in Sarbanes-Oxley whistleblower claims. [zuckermanlaw.com]

    • Re: (Score:3, Interesting)

      by passthecrackpipe ( 598773 ) *
      Well, Scam may be harsh - there simply isn't enough information to determine that - burglars use crowbars - does that make everyone that uses a crowbar a burglar? However, SOX is right on the money, although it doesn't apply to all organisations. Nevertheless, outside of SOX there is pretty good whistleblower protection anyway.

      The question is, do you *want* to be a whistleblower? I just recently found myself in a similar situation where I was "asked to leave" because I insistently pointed out serious issu

    • Re:You're probably witnessing a scam. (Score:5, Insightful)

      by qwijibo ( 101731 ) on Wednesday March 07, 2007 @08:55AM (#18260816)
      What the law says and how it works are very different. Anyone who takes a hard stand based on being legally in the right is in for a firm reality check.

      Depending on the size of the company, there is a very real possibility that the people in management got there by knowing the law well enough that they can violate it with plausable deniability. I work in a large bank where I see that happen all the time. I have pointed out numerous security problems and blatant violations of company policy, but management is willing to take those risks. We have people telling us what we need to do because sarbox has teeth, but there's absolutely no consequences for when we blatantly ignore them. The reality is that the worst that can happen is the offender gets transferred to another department, or in extreme cases, they could get fired.

      Everyone has a potential security breech waiting to happen. The laws exist to point fingers after the fact. The law isn't going to help someone who is just pointing out a potential flaw. What's worse is that if someone exploits the hole this person identified, the law has good reason to consider him a suspect since he's obviously thought about it.
    • The whislteblower act is relatively clear, as well as SOX requirements on data security. Physical security of financial data is part of SOX and this is a clear violation. As an accountant I know these laws fairly well and this case is a no brainer if proper evidence can be provided. Whistleblowers are afforded much protection, but in reality your career is over even if they can't fire you. They can make you want to quite by treating you poorly and refusing to promote you. If you are labeled a whistleblower

  • the plan! (Score:5, Funny)

    by Tumbleweed ( 3706 ) * on Wednesday March 07, 2007 @03:54AM (#18259616)
    As a proof of concept, steal as much money as you possibly can. As payment for this security evaluation, keep the money and retire to a country with no extradition to the United States.

    One little implementation detail: don't get caught.

    Extra credit: put the blame onto your criminally-negligent boss.

  • Don't Jump To Conclusions (Score:3, Interesting)

    by rueger ( 210566 ) on Wednesday March 07, 2007 @03:55AM (#18259622) Homepage
    You're a junior employee by the looks of it, possibly part time, taking phone orders.

    There is every likelihood that your employer has safeguards in place that you don't know about, and even that they don't want you to know about.

    • Re: (Score:2)

      by qwijibo ( 101731 )
      I think it's even more likely that there are no safeguards in place at all. Security is an expense with the goal of having nothing to show for it, except for a lack of problems. It makes for a horrible powerpoint presentation.

      My cynicism comes from working for a major bank where I have to keep resetting my idea of "bare minimum" to include things like mailing unencrypted CD's of personal identifiable information and account numbers to third parties. At first I was disappointed to see this happening, unti

  • That's normal for the telecommunications industry (Score:1, Funny)

    by Anonymous Coward
    Obvious incompetence is normal in the telecommunications industry. Once you are found out not to be incompetent, you will certainly be let go, possibly following a promotion to recognize your ability. If you do not believe this, I strongly suggest you purchase every Dilbert book you can find, and study them thoroughly. Scott Adams once worked in the telecommunications industry, so it's the best reference available for your line of work. If only I was kidding, unfortunately I am not.

    Good luck.

  • No big deal... It's more secure than you think. (Score:5, Informative)

    by JRHelgeson ( 576325 ) on Wednesday March 07, 2007 @04:04AM (#18259650) Homepage Journal
    It sounds like you're getting account information to create an Electronic Funds Transfer (EFT) or electronic draft whereby the company authorizes a transaction for $50,000 or whatever and you "take" the money from their account. It is the same thing as having a company 1) write a check, 2) submit it to you, 3) you deposit it, only to 4) have the funds transferred to your account. Your company is simply performing step 1, skipping step 2, 3 happens electronically and 4 happens essentially overnight.

    They are giving you the SAME information that you could obtain from a written paper check, no more, no less. Now, obviously these companies have millions of dollars at any given time in their accounts and this alone makes them targets for check fraud; people creating their own checks and trying to pass them. The solution to this problem came about many, many years ago and is what makes the EFT system more secure than any other form of payment.

    I am the accounts payable rep for Massive Corp. I'm going to authorize a payment for $5mil to your company: Dark Fiber Telco. I give you the check number (or transaction number or transaction code) and my bank account number and routing code. I enter the details into my Accounts Payable system which every afternoon uploads a delimited text file to our bank providing them with a list of checks written and their dollar amount. This is very similar to how credit card terminals upload their batch at the end of business day.

    Meanwhile, DFTelco enters the data into their Accounts Receivable system which initiates the electronic draft, (which along with any paper check, EFT or ACH is all generically referred to as an "item"). When the item clears the Federal Reserve and is presented to Massive Corp's bank, if the dollar amount of the item doesn't exactly match the check number and dollar amount that Massive Corp uploaded, it is rejected and returned non-paid to the sender.

    Very simple, very secure, and presenting your biggest customers with an IVR HELL system will only piss them off. They expect, and deserve, to speak to a human being and that is what your company provides. I wouldn't sweat it.

    As an aside, I had an insurance agent come out to my property for a claim. The agent wrote a check from his checkbook and handed it to me, and then he had to enter the dollar amount and check number into his computer, over a VPN connection to his corporate office, so that the check would clear the bank.

    The US Postal Service also does the same thing for Money Orders. Law Enforcement can actually log in to a LE only site provided by the USPS and check the validity of any US Postal Money Order based upon the $ amt and item number so they can see if someone is trying to "wash" a money order to alter the dollar amount, or creating a downright fraudulent Money Order.

    -joel

  • Not credit card numbers. (Score:3, Informative)

    by Ihlosi ( 895663 ) on Wednesday March 07, 2007 @04:56AM (#18259826)
    for those bank routing and account numbers to be laying around unsecured,



    Bank routing and account numbers are different from credit card numbers. There's very little you actually can do with a routing and account number because these two don't give you any authorization to do any withdrawals from that account (at least if the US system has some basic degree of sanity).



    At least over here (Europe), giving your account numbers to other people and have them deposit money to your account is a very common way of receiving payments. They can deposit to your account, but they cannot withdraw from it.



    Now, if you were talking about credit card numbers, that would be a different beast altogether.

    • Re: (Score:2, Informative)

      by JRHelgeson ( 576325 )
      With our system in the USA, if you have someone's account number, basically all the information on the paper check, you then have ALL the information you need to take money from anyone's account.

      Right now, check fraud is more rampant than credit card fraud in the USA, at least among serious ID theft rings:
      Example: http://www.usdoj.gov/usao/fls/PressReleases/051006 -01.html [usdoj.gov]

      These folks cleared out over $4,000,000 before they were caught, using stolen checking account information. It wasn't until the reached t
    • This might be somewhat offtopic, but it's related to credit card information. Take it as an anecdote, if you will.

      Volunteering at a local non-profit community radio station, we have an annual funding drive. Listeners can submit their info online via secure form using a credit card, mail in a cheque, come by the station and drop off cash, or call in their credit card number over the phone. You have to understand that the last option *is* a very significant risk, since we don't have a touch-tone system to
  • Investigate if you might be covered by whistleblower protection laws!
    • Unless you desire to change carrer paths and can talk some very good lawers into taking the case, don't even think about trying it. You will be blackballed, any money will take years to get, if you see any, ever. You can say goodbye to any friends in that industry, Their stocks, raises or profit sharing took a hit because of you. In my case, the government agency I contacted denied that I contacted them. It was a transportation safety issue and I couldn't ignore it. I'll Never do that again.
  • Before you embarrass your boss, make sure your not embarrassing yourself...

    BTW It's never good to embarrass your boss anyway.
  • The first knee-jerk reaction a manager will do to someone who points out security flaws is fire the person, and possibly find some way to press criminal charges. Barring that, from the time you tell them about the flaw, for the rest of the time you work at that place (as well as subsequent places if people know each other), if *anything* happens to breach security, you will be called in front of management (and possibly police) to explain yourself why you did not do the break-in, even though its brain-dead
    • The expectation of hardship does not absolve a person of ethical responsibility to protect others. A company that will not protect the data of its partners is a company you ought not serve. I realize that it might be significantly difficult to find a company that engages in ethical dealings, but the moment you settle for anything less you've become yourself an agent of evil and have sold out your basic principles for a modest paycheck.

      That said: I'm not in a position to evaluate whether or not there is
      • In the abstract world of ethics, reporting security issues is a main thing. So was being taught to take blame for a friend's actions as a noble act. However in the real world, all that does is land a person jobless, with a bad work record, and possibly with criminal charges. (Its VERY trivial to assemble stuff that looks like evidence to put someone away for "cybercrimes"). At the very least, it means management will audit and scrutinize every single thing you do forevermore, every second at the job fro
    • I have had friends fired at jobs on the spot (as in the mgr calling for security and having two guards escort the person out, then calling for a "forensics" expert to go through the person's comp to find anything to have him arrested for) because they pointed to management that the place had wide-open wireless, or wireless with brain-dead security settings.
      Really? Friends? As in, this has happened to more than one person that you know well? How did these people go about "pointing to management"?

  • Trust is always a contentious point (Score:4, Funny)

    by Toreo asesino ( 951231 ) on Wednesday March 07, 2007 @07:06AM (#18260304) Journal
    I'm the sys-admin for my company I work for (when not coding). Only the boss and myself knew the password for the entire domain, and everyone was happy. One day, during a software demo I need to pull some files off my machine for the demo. Boss says "come back once the files are on the public share, and we'll re-test". I say "Not to worry; i'll go through the admin share" (\\machinename\c$ or such) - I'll just log you into my machine as network admin.
    This worried my boss - "What? You can access any machine's drives if you're the network administrator?".

    I try and explain that yes you could; it's by design; the admin being the super-power on the network - full access to everything, etc. This leads him to the next question of "What? Even you could access even my PC? I've got sensitive information on here?!". I reply "Yes, even yours if I really wanted to".

    Unimpressed, he changes the network admin password.

    Precisely 1 hour and 20 minutes later; I get an email saying "User xyz can't access a file YYY on the abc share - what's the problem?". I explain the permissions on the file probably got corrupted/lost and resetting the file-system permissions for the root directory structure should flush out the problem.

    He gives me the new network admin password. Problem was fixed in 2 mins.

    In conclusion, us geeks rule the world. On modern IT systems, someone, must have complete power over all. That is why we are geeks because we can do what others cannot.

    And it's true what they say; being a sys-admin is a power-trip.

    *evil laugh*
    The machines! They're all miiiine! Aaaalll mine!!!!

    • Re: (Score:2)

      by nuzak ( 959558 )
      > In conclusion, us geeks rule the world.

      If you ruled the world, you wouldn't be babysitting the systems 24/7.

      > And it's true what they say; being a sys-admin is a power-trip.

      Speak for yourself. I code, mostly stuff I want to write, in whatever language I want, because it's stuff I thought of, designed, planned, and built (productivity tools, basically). It's like working for myself but with a W-2. And oh yeah, I don't wear a pager.

  • Tell him again.... (Score:4, Funny)

    by hairykrishna ( 740240 ) on Wednesday March 07, 2007 @08:17AM (#18260600)
    ....from your new beach house in the Caymen islands.
  • Send me a sample set of the account numbers, and I'll show you how to do it...
  • Explain your concerns to your supervisor via e-mail. By doing it with e-mail, you are making a record of your worries. This way, if any information is stolen, you can wave your e-mail around saying, "I told you so!" This leaves you in a pretty strong position to spearhead improvements to the system and score yourself a raise.

    I would make a 5 slide presentation as to what your concerns are. Make it brief, but make the security concerns clear. Present this to your boss. If he still doesn't react... well

    • Re: (Score:2)

      by Ihlosi ( 895663 )
      This way, if any information is stolen, you can wave your e-mail around saying,



      Judging from the rest of the thread, it's more likely that your superiors will wave your e-mail around saying "There's our prime suspect !".



      This leaves you in a pretty strong position ...

      ... to get yourself fired/arrested.

  • I have people coming to me every day with problems. After a while, you just feel like 'shooting the messenger', even if it's wrong. Why not sit down & think about how you could fix this, and then suggest this to your boss? If he still blows you off, at least you've managed to document the problem & CYA in a positive way... Send a copy of the document by internal mail & keep a copy of everything at home, or better still at a non-obvious location.
  • Introduce your boss to Kevin Mitnick
  • Where do you work?
    I can't help you without a firm name and address. Any hopeless administrative or cleaning staff that could use some buttering up? What's the filing cabinet look like?
  • and contact a few of the clients.
  • Many countries, states, provinces, etc. have data retention policies; check and see if he is actually doing anything illegal in your locale. If he is, email him a URL to the appropriate laws with a line saying something like, "Hey! I just discovered this, and I thought you should know about it." Inoffensive, and you've covered yourself by letting someone higher up know about it. If you don't have any laws governing such data, I'd go with the emailing him that it would probably be a good idea to get audi
  • Fully document the problem, with a fix. Cost it.

    Wait until your bosses boss comes to visit. Present the report to your bosses boss.

    Make sure you bypass your current boss. Your current boss won't do a thing about it while he has power over you... bosses aren't about the company/organisation/entity... they are all about themselves and having power over other people.

    Seize power.

    I hate to give the example of Hitler and the nazis... but... a soldier once wrote a letter to hitler telling him that his troop
  • Bank routing numbers and account numbers appear on any check you write or receive. This information is just one step away from being public anyway.

    • Re: (Score:1)

      by mysidia ( 191772 )

      Exactly. I wouldn't say routing + acct# is public; it is private, but not secret, and any time you make a payment by bank account (cheque or otherwise), it will be known by the recipient.

      It's not as if just anyone off the street can walk to your bank, show them the routing number + account number of your account, and walk out with 50 grand plus a ship showing a withdrawl.

      To cause payment from an account, you need written authorization, an actual check, or you need to be a bank.

      Most people aren't

Slashdot Top Deals

A morsel of genuine history is a thing so rare as to be always valuable. -- Thomas Jefferson

Close