IT Pros Can't Resist Peeking At Privileged Info

samzenpus posted more than 2 years ago | from the pandora's-email dept.

Privacy 388

Orome1 writes "IT security staff will be some of the most informed people at the office Christmas party this year. A full 26 per cent of them admit to using their privileged log in rights to look at confidential information they should not have had access to in the first place. It has proved just too tempting, and maybe just human nature, for them to rifle through redundancy lists, payroll information and other sensitive data including, for example, other people's Christmas bonus details."


This is why I will never trust cloud services (5, Informative)

InsightIn140Bytes (2522112) | more than 2 years ago | (#38267128)

It's not limited only to your company - this means employees in other services can snoop all they want too. This is why you should never trust cloud services. Hell, even Google employees are secretly snooping your personal emails, XMPP chat logs, Google Voice calls and search queries [gawker.com]. And yet even most Slashdotters think it's perfectly fine to trust everything you have with Google - your search queries, your personal emails, your calls, your contacts, your social network, what you watch on YouTube, what you listen to, where you walk and go (Android) and everything else. Screw the law enforcement requests for info, they can't even keep their own personnel from snooping your personal stuff.

It's why I will never trust my personal files on the likes of Dropbox and other backup services. People misuse their privileges whenever they can, that's human nature.

Re:This is why I will never trust cloud services (5, Insightful)

masternerdguy (2468142) | more than 2 years ago | (#38267152)

Not true. I have had plenty of access to such information and have always avoided looking at it. It's immoral.

Re:This is why I will never trust cloud services (5, Funny)

oh-dark-thirty (1648133) | more than 2 years ago | (#38267200)

Nor do I, it would probably just piss me off anyway.


Re:This is why I will never trust cloud services (5, Insightful)

Anonymous Coward | more than 2 years ago | (#38267556)

I admit that I have snooped through the financial information... And you're right, it does piss you off. Company saying they're in financial crisis so they have to freeze all raises, but the executives all get their Christmas bonuses that equal 1/2 my year salary.. Not sure why I couldn't control myself.. probably I was younger and more immature.. I have full access at my current job to all data, and haven't accessed anything I wasn't supposed to.

Re:This is why I will never trust cloud services (5, Interesting)

Anonymous Coward | more than 2 years ago | (#38267742)

It's not limited to IT either. A friend of mine, who works in HR, as a Temp, basically gets work handed to her that other people don't have time to do. This includes expenses, and occasionally allows her to view people's salaries, and, scarily, who's getting made redundant. She's a Temp, paid about £16k/y (having been made redundant a few years ago having been making ~22k, she took anything she could get) and has access to her superiors' and co-workers' salaries, expenses and even their original interview records.
Some would say that's just rubbing her nose in it.
But the reality is that some companies just circumvent internal rules in order to get things done.

And all this she freely shares with me as idle chatter.

Re:This is why I will never trust cloud services (5, Insightful)

1s44c (552956) | more than 2 years ago | (#38267262)

Not true. I have had plenty of access to such information and have always avoided looking at it. It's immoral.

Strongly agree. Plus if caught it destroys the trust that keeps them paying you, and it won't bring you happiness on any level anyway.

Anytime a person tells another person how much they get paid one of them gets very pissed off. You are better off not knowing.

Re:This is why I will never trust cloud services (4, Insightful)

CapnStank (1283176) | more than 2 years ago | (#38267324)

I disagree.... a person lacking confidence would probably be pissed no matter what and was just looking for validation. My friends and I in the same field openly discuss our wages/benefits only to know what's available out there. Am I getting screwed? Why is my pay lower? Is the grass *really* greener? No one openly gets upset with it.

Re:This is why I will never trust cloud services (4, Insightful)

oh-dark-thirty (1648133) | more than 2 years ago | (#38267420)

Sure, in the same field I can understand, I do that too....I just don't want to know that the lazy sales guy down the hall makes double what I do for taking a few phone calls. Even though I already know intuitively, and by the fact his car cost half as much as my house.

Re:This is why I will never trust cloud services (0)

Anonymous Coward | more than 2 years ago | (#38267442)

My friends and I

You see the difference now.....?

Re:This is why I will never trust cloud services (1)

Pieroxy (222434) | more than 2 years ago | (#38267842)

My friends and I

You see the difference now.....?

Do you understand context?

Well, it sure looks like you don't.

Re:This is why I will never trust cloud services (3, Interesting)

1s44c (552956) | more than 2 years ago | (#38267508)

I disagree.... a person lacking confidence would probably be pissed no matter what and was just looking for validation. My friends and I in the same field openly discuss our wages/benefits only to know what's available out there. Am I getting screwed? Why is my pay lower? Is the grass *really* greener? No one openly gets upset with it.

You have a point. I was thinking about talking about pay with people who do a similar job in the same company. Everywhere I've ever worked pay had nothing to do with skills or work throughput but only how much you demanded when they interviewed you and how old you are. I'm really glad I became a contractor because permanent staff are just abused.

Re:This is why I will never trust cloud services (4, Insightful)

somersault (912633) | more than 2 years ago | (#38267768)

Yeah I think the headline is a bit lame. It should read "most IT pros don't look at confidential info". I don't really have any interest in looking at confidential files when it's not required for the job. I also just have a personal sense of morality and honour that makes me want to live up to the responsibility that I have being able to do anything I want on the network.

Let some "normal" users know that they have full admin access for the whole network for the day and see if 75% of them can resist having a peek around.

Re:This is why I will never trust cloud services (4, Insightful)

SecurityGuy (217807) | more than 2 years ago | (#38267818)

You might be better off not knowing what the guy in the next cube gets paid, but you're probably much better off knowing what the reasonable salary range for the job you do is. If you're towards the top and getting tiny raises, you can be comforted knowing it's not because you're not respected, but because you're already well compensated. If you're towards the bottom and are actually good at what you do, perhaps you should be pushing for that raise or looking for an exit.

Re:This is why I will never trust cloud services (5, Insightful)

DarKnyht (671407) | more than 2 years ago | (#38267286)

We are quickly finding ourselves in a society where we lack an absolute morality authority. Therefore what is immoral for you may or may not be immoral to others. In other words, we are reaping the fruits of a society where all ideas are given equal worth. Where we are not to condemn someone because what they do is right from their point of view.

Re:This is why I will never trust cloud services (4, Insightful)

StikyPad (445176) | more than 2 years ago | (#38267618)

I disagree. I don't think the problem is a lack of moral authority, but that people's decision making is based on risk/reward, of which morality is but one aspect. The risk of dying will usually outweigh the intrinsic reward of being moral, for example. So when there's little or no risk of being caught, it boils down to whether it's more intrinsically rewarding to adhere to your morals or to satisfy your curiosity, or even to leverage your ill-gotten knowledge for your advantage. To solve that problem, you have to either entrust the people with access to the information (which makes sense to me), or somehow shift the risk/reward balance.

Re:This is why I will never trust cloud services (2, Interesting)

Threni (635302) | more than 2 years ago | (#38267864)

So what `absolute moral authority` should we use? What IS the correct answer to:

should the state kill people to punish them for doing wrong
should gays be allowed to marry
can I take drugs in my own home
should we outlaw the termination of disabled embryos
can I physically punish my children
can I carry a gun
should kosher/halal food be allowed

etc etc

Re:This is why I will never trust cloud services (5, Insightful)

Anonymous Coward | more than 2 years ago | (#38267346)

have always avoided looking at it. It's immoral.

Luckily most agree with you.. but it only takes one to steal your personal information.

Re:This is why I will never trust cloud services (1)

Anonymous Coward | more than 2 years ago | (#38267426)

I have in the past had this access too. It is simple. Just ask first. 99.9999% of the time they say 'yeah go ahead'. If they do not give you access then you have 0 business looking. Even though I may already have been given clearance. It only takes a little longer. But everyone feels better for it.

Re:This is why I will never trust cloud services (0)

Anonymous Coward | more than 2 years ago | (#38267530)

Morality is flexible.

Re:This is why I will never trust cloud services (2)

cyberchondriac (456626) | more than 2 years ago | (#38267632)

Not true. I have had plenty of access to such information and have always avoided looking at it. It's immoral.

I'm in the same situation. I dunno about immoral, but it's definitely unethical, not to mention, snooping could land me in serious legal trouble to boot.
I'm sure there are people who do this though, probably those of the "gossip" mindset who just have to nose into everything and everyone's business. That's just not my thing, don't care.

Re:This is why I will never trust cloud services (1)

Anonymous Coward | more than 2 years ago | (#38267766)

Completely agree.

And I think IT workers are more interested in spending their time doing more productive things anyway, like reading Slashdot.

Re:This is why I will never trust cloud services (4, Insightful)

SecurityGuy (217807) | more than 2 years ago | (#38267784)

+1.

The only time I've looked at such information was when it was in a database I was required to work on and seeing it was simply unavoidable. It was one of those prepackaged deals where you can't select just the fields you want, you see it all. In other words, not what most of you would call a database, but a non-IT pro friendly consumer package. Not my choice. Anyway, I saw the data and never breathed a word of it to anyone.

It's simple ethics. It's also worth noting that 26% of people doing it means 74% aren't. Ethics aren't dead.

Re:This is why I will never trust cloud services (2)

TheRaven64 (641858) | more than 2 years ago | (#38267828)

You may not, but it only takes one person to leak information. As the adage says, information wants to be free: the natural state of something that is trivial to copy is widely dispersed. If you want something to remain confidential, restrict who has access to it. Or, to put it more simply, the best way to keep a secret is not to tell people...

Re:This is why I will never trust cloud services (2)

sgbett (739519) | more than 2 years ago | (#38267158)

Some don't. Doesn't make for much of a story though that.

Re:This is why I will never trust cloud services (2, Interesting)

Anonymous Coward | more than 2 years ago | (#38267210)

That's a bit of an overgeneralization though. My boss at my last job used to do this all the time. Blatantly. He'd call me over to look at an e-mail someone had sent. I explained to him that it made me uncomfortable, but he'd still try to get me to join in the invasion of privacy with him time-after-time. However, I always refused and never went any further than I needed to to get the job done. The article says about 1 in 4 admins do this, so it would seem only a minority abuse their privileges whenever they can.

Re:This is why I will never trust cloud services (1)

b0bby (201198) | more than 2 years ago | (#38267578)

That's a bit different; if the owner or boss wants you to look at an email on *their system* it's authorized. I have had to do this & while I told them I wasn't comfortable doing it, I did it anyway. What I haven't done is do that without authorization - as others have said, it's not right.

Re:This is why I will never trust cloud services (1)

1s44c (552956) | more than 2 years ago | (#38267670)

That's a bit different; if the owner or boss wants you to look at an email on *their system* it's authorized. I have had to do this & while I told them I wasn't comfortable doing it, I did it anyway. What I haven't done is do that without authorization - as others have said, it's not right.

That is highly questionable. You don't ignore your duty to the law or to what you know to be right just because your boss tells you to. Or rather you shouldn't.

Re:This is why I will never trust cloud services (4, Interesting)

Pieroxy (222434) | more than 2 years ago | (#38267912)

Right. You should come home to your wife and tell her "I quit my job because my boss wanted me to do something unethical. I know you're pregnant and we just bought a house, but you know, ethics is everything. Now pack your bags, there's a nice bridge down the highway under which there is a patch of grass that'll be nice for us."

Re:This is why I will never trust cloud services (1)

stanlyb (1839382) | more than 2 years ago | (#38267694)

That's why I don't hesitate to say "nice" words in IM chats, with the false hope that they will become angry and stop peeking. Or, at least, they will suffer some good, little, brain stroke.

Re:This is why I will never trust cloud services (1)

Anrego (830717) | more than 2 years ago | (#38267220)

And yet even most Slashdotters think it's perfectly fine to trust everything you have with Google - your search queries, your personal emails, your calls, your contacts, your social network, what you watch on YouTube, what you listen to, where you walk and go (Android) and everything else.

I know I do! At least up until that "and everything else".

I agree more people need to be aware of this and make a decision as to whether they are fine with it. Personally I assume everything you list can be observed by any number of people and have made a mostly informed decision that I really don't care. Anything I _don't_ want people snooping into stays on my encrypted drives in my local machines.. or if it goes out on the net, is in an encrypted container.

Re:This is why I will never trust cloud services (2)

scamper_22 (1073470) | more than 2 years ago | (#38267664)

This same argument applies to your own IT department though. I'm really not sure which is a greater abuse.

The local IT admin can snoop your data. I suppose the Google employees can do it too. However, I'd imagine the local IT admin would probably have more incentive to look me up. To Google employees, I'm anonymous.

Then there's the issue of trust and security and process. Most of the 'cloud' companies have the money to spend on security and process and guarantees. They also fear potential lawsuits.

While I can't say it definitively, I'd still trust cloud computing over local networking today.

Much like the network going down. Sure if Amazon or Google goes down, we go down too... But in my years of working for companies... our intranet systems go down far more often than the Googles of the world.

"not interested" (2)

SuperBanana (662181) | more than 2 years ago | (#38267668)

"There's a whole bunch of trust involved. There's a lot of data inside Google, and I'm willing to bet some of it is really valuable. But for me and the people I worked with, it was never worth looking at."

People joke with me that I must be reading their email. I tell them I have enough trouble keeping up with my own email, and besides that, we NEVER read users' mail unless it's specifically necessary to troubleshoot something relating to their account.

What the hell is with Slashdot lately? Did the sysadmin for FSDN piss in everyone's coffee, and that's why the editors have such a hardon for anti-IT-worker stories?

Re:This is why I will never trust cloud services (1)

Anonymous Coward | more than 2 years ago | (#38267692)

FWIW, there are meaningfully encrypted alternatives to Dropbox. SpiderOak and Wuala for example.

Re:This is why I will never trust cloud services (2)

sloth jr (88200) | more than 2 years ago | (#38267810)

Working at a cloud vendor, I can tell you that using privileged access to view information outside of one's job duties is a firing offense in our shop. We take it very seriously.

I Am a Sick Sick Man (5, Funny)

eldavojohn (898314) | more than 2 years ago | (#38267154)

Oh come on, let he who hasn't gotten a massive data rager throw the first stone. So you're telling me that when you're doing a database dump of all your employees' payroll data and you see those beautiful digits paired with a sensual home address and foxy expiration date that you don't pitch a tent right there on the spot? I'm man enough to admit that I've had to walk around cubeland holding a notebook in front of me after taking a selfish glance at a naughty excel spreadsheet filled with transaction after hawt transaction of coffee mugs and pens. As if you've never had to spend your lunch break firing off a few knuckle children in the handi stall of the men's room when you stumbled across every customer's wishlist of your office supply products! Someone actually got to see everyone's Christmas bonus details? Pass the Kleenexes!

The United States' cultural suppression of natural and healthy sexuality just makes me ill sometimes.

Only on Slashdot (5, Funny)

eldavojohn (898314) | more than 2 years ago | (#38267520)

50% Informative
30% Overrated
20% Funny

Where a joke post about masturbating to scads of personal data results in your peers moderating you "informative."

Re:Only on Slashdot (0)

Anonymous Coward | more than 2 years ago | (#38267550)

A troll's work at its finest.

Re:Only on Slashdot (0)

Anonymous Coward | more than 2 years ago | (#38267764)

Where a joke post about masturbating to scads of personal data results in your peers moderating you "informative."

It was "informative" as in, now your future posts can be evaluated in the context of your offline personality.

Re:I Am a Sick Sick Man (0)

Anonymous Coward | more than 2 years ago | (#38267730)

Thread winner, best of show!

Been a IT Pro for 15 Years (1)

Anonymous Coward | more than 2 years ago | (#38267164)

I've never looked at confidential information. I'm not sure which IT pros you surveyed, but they must have a lot of time on their hands. Maybe they should find something more constructive to do with their time.

Re:Been a IT Pro for 15 Years (2)

Wyatt Earp (1029) | more than 2 years ago | (#38267392)

Then you haven't done anything past helpdesk. From about a month after I started doing desktop support back in the 90s I'd come across confidential information, I signed confidentiality forms and as far as I'm concerned it's a done deal. Now that I'm in a job where I'm the desktop, network and database administrator I see and have to deal with confidential data every day.

I just don't care, it's all data to be backed up, moved, restored, whatever.

Re:Been a IT Pro for 15 Years (1)

djsmiley (752149) | more than 2 years ago | (#38267746)

Dealing with data and viewing it without reason are two different things.

Not only did you not read / understand the article, you didn't even understand the summary...

"A full 26 per cent of them admit to using their privileged log in rights to look at confidential information they should not have had access to in the first place. "

*SHOULD NOT HAVE HAD ACCESS TO*.

At least the Parent could read, you clearly can't. Maybe that's what gives IT such a bad name?

Re:Been a IT Pro for 15 Years (4, Funny)

sohmc (595388) | more than 2 years ago | (#38267892)

When I worked for my college's CompSci department, my coworkers and I were responsible for the incremental backups.

One day, we got a call from a professor who accidentally deleted a bunch of data, totalling several gigs. When we restored the data, it turned out it was his pr0n folder. We never let him forget that we can see his data.

I got A's in my programming classes after that...

Only 26%? (3, Interesting)

netwarerip (2221204) | more than 2 years ago | (#38267174)

I find that hard to believe. I would have put it well above 50. Years back I ran an MDaemon mail server and let users have the IM client. Was pretty interesting reading, to say the least.

Re:Only 26%? (3, Funny)

Anonymous Coward | more than 2 years ago | (#38267304)

Read the full sentence: Only 26% admit. The other 74% deny everything :)

Re:Only 26%? (2)

ackthpt (218170) | more than 2 years ago | (#38267676)

Read the full sentence: Only 26% admit. The other 74% deny everything :)

Fair point. I know people who I know have peeked. I once put a (I'm such an awful stinker) hook into a program where a certain person was looked up on a certain workstation and it flashed an alarming notice, effectively the user was caught and authorities were being notified. It scared the heck out of the perpetrator (she had a crush on someone and kept bringing up his personal record) and put an end to the behavior. Nobody was harmed or fired over this, ounce of prevention was effective enough.

Re:Only 26%? (2)

1s44c (552956) | more than 2 years ago | (#38267388)

I find that hard to believe. I would have put it well above 50. Years back I ran an MDaemon mail server and let users have the IM client. Was pretty interesting reading, to say the least.

You sir, are a sleazebag.

If you want to know who is having an affair with whom just look for correlation in holidays and sick leave, you don't need to abuse the IT systems. You should be spending your time doing your job though, or trolling /. obviously.

No big surprise (-1)

Anonymous Coward | more than 2 years ago | (#38267244)

Geeks are scum

Re:No big surprise (1)

1s44c (552956) | more than 2 years ago | (#38267560)

Geeks are scum

Harsh but a fair point. It's true because geeks are people and people often behave like scum.

Productivity utilization (3, Insightful)

DigiShaman (671371) | more than 2 years ago | (#38267260)

As a consultant who works for a managed service provider, this tells me one thing. If you're snooping around other people's crap, firstly, you're a punk. Second, you have too much time on your hands. Even if you stumble upon data you shouldn't be aware of, it's best to not make it a priority to remember it. And if by chance you have a photographic memory, don't say shit about it to anyone. It's none of your damn business really! You're supposed to be a professional in the industry. Act the part please.

Re:Productivity utilization (1)

Wyatt Earp (1029) | more than 2 years ago | (#38267470)

1. Users are so sloppy with data you don't have to "snoop" to come across confidential data, it's right there.
2. If you deal with anyone in administrative positions, they are the ones who are generally clueless about technology and require the most hands on support and they'll leave "giant_fiancial_secret.xls" open on their computer when you get called in to explain why they can't get on the network today (the cable was unplugged, again).
3. IT professional really is an oxymoron; what percentage of IT workers have taken a course on professional ethics? We aren't lawyers, doctors or MBAs; the only professional ethics are in regards to keeping a job.

Re:Productivity utilization (1)

Imagix (695350) | more than 2 years ago | (#38267542)

1. Irrelevant. You are in a position of trust. It's your responsibility to ignore the content. 2. Also your responsibility. You know you're going to talk to someone who has access to confidential information. Ask them if they have confidential data on the screen before you look at it.

Re:Productivity utilization (1)

Wyatt Earp (1029) | more than 2 years ago | (#38267658)

You would think that when people are told 4 times a year during an hour training to lock down their screens, clear stuff off when I need to work on their machines they would start to.

But users are goddamned sloppy.

Re:Productivity utilization (1)

DigiShaman (671371) | more than 2 years ago | (#38267580)

Wyatt, I *do* work with lawyers and doctors. I'm also a professional with regards to ethics and ensuring technology works for their needs and not the other way around. Security is extremely important to them and myself. If there's a single person on Earth that can be called an IT Professional, I'm your guy.

Re:Productivity utilization (1)

Wyatt Earp (1029) | more than 2 years ago | (#38267636)

And 90% of the data where I am is HIPAA, in the year I've been here I've been tightening the security screws down, but for the bulk of IT people out there, there is no confidentiality professionalism.

Bad setup (5, Insightful)

ender- (42944) | more than 2 years ago | (#38267268)

If your IT/Security staff can rifle through your sensitive data, you're doing it wrong.

I have no ability to access the data in our HR or Financial systems. Only the HR and Financial folks do. *MAYBE* the DBAs could look at that data, but even if so they'd have to sift through the raw data or come up with their own queries. And I'm pretty sure a lot of that information is encrypted.

Re:Bad setup (4, Informative)

HogGeek (456673) | more than 2 years ago | (#38267450)

^This

The security team should be setting policy and doing audits, not being "the privileged ones"!
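The audit role described in the comments above, together with the "ask first" approval and the repeated-lookup alert mentioned earlier in the thread, as an added example that is not part of any poster's comment. The log format, account and role names, object names, ticket IDs and the threshold are all constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample audit log (not real data). "ticket" is the approval
# reference recorded when someone asked first; empty means no approval.
AUDIT_LOG = """\
ts,account,role,object,record,ticket
2011-12-05T09:02:11,hr_anne,hr,hr.payroll,emp-1042,
2011-12-05T09:15:40,dba_raj,dba,hr.payroll,emp-1042,CHG-2281
2011-12-05T10:47:03,sysadmin_bob,sysadmin,hr.bonus_2011,emp-0007,
2011-12-05T10:48:19,sysadmin_bob,sysadmin,hr.redundancy_list,*,
2011-12-05T11:30:00,helpdesk_cy,helpdesk,crm.person,cust-5521,
2011-12-05T13:05:12,helpdesk_cy,helpdesk,crm.person,cust-5521,
2011-12-05T15:22:48,helpdesk_cy,helpdesk,crm.person,cust-5521,
2011-12-05T16:01:00,sysadmin_bob,sysadmin,infra.backup_catalog,*,
"""

# Assumed policy: roles that own each sensitive object prefix.
SENSITIVE_OWNERS = {"hr.": {"hr"}}
# Assumed list of approvals the data owner actually granted.
APPROVED_TICKETS = {"CHG-2281"}
# Assumed threshold: one account opening the same person record this often.
REPEAT_THRESHOLD = 3


def parse_events(text):
    """Parse the CSV audit log into a list of dicts, one per access."""
    return list(csv.DictReader(io.StringIO(text)))


def owning_roles(obj):
    """Return the set of owning roles if obj is sensitive, else None."""
    for prefix, roles in SENSITIVE_OWNERS.items():
        if obj.startswith(prefix):
            return roles
    return None


def find_unauthorized_reads(events):
    """Sensitive reads by a non-owner role with no approved ticket."""
    findings = []
    for e in events:
        owners = owning_roles(e["object"])
        if owners is None:
            continue  # not a sensitive object
        if e["role"] in owners:
            continue  # the business owner reading its own data
        if e["ticket"] in APPROVED_TICKETS:
            continue  # privileged access, but the owner approved it
        findings.append(e)
    return findings


def find_repeat_lookups(events, threshold=REPEAT_THRESHOLD):
    """Accounts that keep opening the same individual record without a ticket.

    This applies to every role: an account may be entitled to the data and
    still be browsing one person's record for no work-related reason.
    """
    counts = Counter(
        (e["account"], e["object"], e["record"])
        for e in events
        if e["record"] != "*" and not e["ticket"]
    )
    return sorted(
        (account, obj, record, n)
        for (account, obj, record), n in counts.items()
        if n >= threshold
    )


if __name__ == "__main__":
    events = parse_events(AUDIT_LOG)
    for e in find_unauthorized_reads(events):
        print(f"UNAUTHORIZED {e['ts']} {e['account']} ({e['role']}) read {e['object']}")
    for account, obj, record, n in find_repeat_lookups(events):
        print(f"REPEAT {account} opened {obj}/{record} {n} times with no ticket")
```

A review like this only holds up if the audit log is written somewhere the audited administrators cannot edit, and is read by someone other than them.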

Re:Bad setup (1)

Anonymous Coward | more than 2 years ago | (#38267522)

You apparently don't know how adept PeopleSoft savvy SQL geeks are at understanding "raw data". Believe me, it's not hard to find what they're talking about even for those simply doing reporting.

Re:Bad setup (1)

Njovich (553857) | more than 2 years ago | (#38267546)

If you are in security and serious about it, then you probably can get access to most systems in your company that you care about. Probably also know how not to get caught. Especially for smaller or less technical organizations.

But, paraphrasing from the BOFH, we have the internet with all the knowledge, pornography, movies, music in the world. Do you really think I'd spend my time going through some accountant's email?

Re:Bad setup (1)

betterunixthanunix (980855) | more than 2 years ago | (#38267854)

I know it is meant as a joke, but I can actually think of reasons why IT staff might want to look through confidential emails. Suppose you discovered evidence of illegal or unethical activity -- that could be used for blackmail, if you have a low standard of ethics, perhaps to increase your pay grade or improve your job security. The irony of mentioning "some accountant's email" is that accountants' mail is probably the best place to look for evidence of corruption.

Encryption... (2)

betterunixthanunix (980855) | more than 2 years ago | (#38267812)

I'm pretty sure a lot of that information is encrypted.

Given the popularity of identity-based encryption, it is possible that IT staff have access to data that was encrypted, since they probably control the key generation service. Where I am now, secret keys are issued by IT staff and we do not even use IBE. It is unfortunate, but for most people setting up, maintaining, and using decentralized cryptosystems is beyond what they are technically capable of or willing to do.

Not feasible for most businesses. (4, Insightful)

Kamiza Ikioi (893310) | more than 2 years ago | (#38267858)

I'm not saying that what you say is impossible, but it is not very feasible unless you have a very special setup which few companies actually have. In most cases, someone ultimately has the keys to the kingdom. The best most can do is restrict this to as few as possible.

Encrypted DB's won't stop a DBA. The reason is that if you fire an employee, someone has to revoke keys and assign new ones. Someone with the authority to revoke and assign keys can view anything they want, anytime they want.

The only method that is possible is where 2 or more people are needed to use their key to access the information. If you have 3 security IT people, you need to create a situation where at least 2 are needed to unlock something.

And let's not overlook the fact that such systems are not usually set up and audited by a 3rd party.

It's not that they are doing it wrong, it's that without a 3rd party setting up the system you can't have that kind of security at all. The best setup would even require that a 3rd party become the key authority, yet have no direct access to company data whatsoever, and only hand over keys directly to the personnel they are assigned to.

Still, does this stop a determined administrator who disables AV and installs a key logger on a workstation? No. Granted, that's probably criminal, and at least the 3rd party + dual key authentication system stops casual data breaches.

Most businesses don't have a budget for such things. They take the view, and I'm inclined to agree, that if you don't trust staff who have high level access, you shouldn't have hired them in the first place. As someone who people bring in personal laptops in to fix on occasion, most users are aware that I can see everything on their machine. It's not that I can look that worries them, but that I'll keep my mouth shut if I do happen to see something. I was told in no uncertain terms recently, that a laptop was brimming with porn. But, they trusted that I would not be sending out a company memo entitled, "Looky what I found on X's laptop!"

Businesses often feel the same way. Casual breaches do happen as part of authorized work. For instance, if a payroll file becomes corrupted, I'd have to look at the file. They just want you to shut up about what you see and/or forget what you saw. That's what they mean by trusted. Like any trusted friend, it's not about what secrets you know, but what secrets you can be relied upon to keep.

Re:Bad setup (2)

JasterBobaMereel (1102861) | more than 2 years ago | (#38267904)

Security, always makes me laugh ...

Is your building secure? Well I suspect you have these people who can wander in any time, even when no-one else is around, and have complete access and keys to all parts of the building, .... they are called cleaners and probably are on minimum wage

The company who runs your security system can probably bypass it anytime they want to, and enter the building undetected

and you worry about your own vetted employees ...?

Happy kitty sleepy kitty purr purr purr (-1)

Anonymous Coward | more than 2 years ago | (#38267272)

8==D ~

Facebook (5, Interesting)

Gavin Scott (15916) | more than 2 years ago | (#38267274)

I recall reading an article that said that all of Facebook's (then) hundreds of programmers all have full access to the live system data. Especially on top of the announcement that they want to double their employees in the next year or whatever, it sort of makes it hopeless to expect any sort of privacy there if anyone actually gets interested in you.

G.

Re:Facebook (4, Insightful)

1s44c (552956) | more than 2 years ago | (#38267584)

I recall reading an article that said that all of Facebook's (then) hundreds of programmers all have full access to the live system data. Especially on top of the announcement that they want to double their employees in the next year or whatever, it sort of makes it hopeless to expect any sort of privacy there if anyone actually gets interested in you.

Facebook is and always has been a privacy disaster.

Kinda like Santa, then... (1)

Peter Simpson (112887) | more than 2 years ago | (#38267282)

They see you when you're sleeping...they know when you've been bad or good...and when you've been sleeping around...and with whom.

Loose Controls and too many admins (5, Insightful)

Dakiraun (1633747) | more than 2 years ago | (#38267300)

I find a common problem with companies that have large IT departments is that too many users in those departments have "admin" level rights, which increases temptation and curiosity exponentially. Tighter controls on who needs elevated privileges and specifically where those privileges are needed are a way to help minimize exposure of sensitive data. On the other end of the problem, education is also helpful because most people who would go peeking likely don't understand the ramifications of that action should it be discovered. Have I ever done it as a professional? No. I'll admit, it was very tempting in a past firm since I had access to everything and I knew there were layoffs, salary changes and such going on. Curiosity does not get the better of me though when it means crossing ethical lines, and even if that were not true, I was well aware of the legal fallout that could happen were I to be aware of that information. The same could not be said though for other IT employees with the same access. In this situation, the access we had was certainly not necessary.

Re:Loose Controls and too many admins (1)

Wyatt Earp (1029) | more than 2 years ago | (#38267492)

I'm the only one here with admin level rights, the two agency executives have access as well but they don't know how to access the data and those passwords are just there for documentation if I get hurt, fired or killed.

Re:Loose Controls and too many admins (0)

Anonymous Coward | more than 2 years ago | (#38267846)

I agree that companies should have proper controls in place to either prevent the "peeking" from occurring in the first place, or at the very least, identify when people have been doing it. If you have no way of holding people accountable for their actions then you can't just expect that everyone will always do the right thing. People aren't all inherently good, all the time.

red button (3, Funny)

Anonymous Coward | more than 2 years ago | (#38267340)

don't forget there are IT guys outside the corporate world:

http://xkcd.com/898/

3 out of 4 were trustworthy (1)

Kohath (38547) | more than 2 years ago | (#38267428)

It seems like the majority of the people could actually be trusted. So the solution to a problem like this is to restrict the access of the other 26%, reassign them, or fire them. (That's not precisely what the survey in TFA said about the percentages, but the point is still the same.)

POSTING ANONYMOUSLY BECAUSE I WANT TO (0)

Anonymous Coward | more than 2 years ago | (#38267446)

I have to admit I've looked and have often regretted it lol

Re:POSTING ANONYMOUSLY BECAUSE I WANT TO (0)

Anonymous Coward | more than 2 years ago | (#38267526)

Same

Fire them (1)

ncttrnl (773936) | more than 2 years ago | (#38267466)

If you don't need access to the information, you shouldn't have it. If you have access to the information and don't have business need to look at it, you look at it until you have business need. If you can't handle this, you should be fired and perhaps prosecuted depending on how you used the information.

Re:Fire them (1)

ncttrnl (773936) | more than 2 years ago | (#38267484)

That should have said "you DON'T look at it until you have business need"

Re:Fire them (1)

djsmiley (752149) | more than 2 years ago | (#38267552)

To simply access it breaks data protection laws in the UK at least.

If you shouldn't be accessing it, you need to be wondering why your security measures don't STOP you accessing it, at least without leaving a nice trail of what you've been accessing.

Of course, real world, etc means I have my CTO phone me, give me his passwords for his personal files on the file server and tell me to read off various bits to him. In this case it was a harmless (unpassworded) document with a list of names on it, but this kind of thing happens in IT, and when they ask you "Why can't you access my files for me, you're IT for goodness sake!" And you tell them it's data protection... you either get a clap on the back, or a right going over...

I work for the Government (0)

Anonymous Coward | more than 2 years ago | (#38267478)

All our salary data is public knowledge anyway:

http://www.tbs-sct.gc.ca/pubs_pol/hrpubs/coll_agre/pa/pa08-eng.asp

Re:I work for the Government (1)

ackthpt (218170) | more than 2 years ago | (#38267626)

All our salary data is public knowledge anyway:

http://www.tbs-sct.gc.ca/pubs_pol/hrpubs/coll_agre/pa/pa08-eng.asp

Salary, yes, birthdate, actual gender (for those you don't know) home address, phone numbers, dependents, etc. are not public knowledge.

I once worked in a payroll department, overseeing annual disbursement of over $1 billion. Lots of sensitive information there and a lot of care goes into ensuring it stays private.

Conning the conmen (1)

Baldrson (78598) | more than 2 years ago | (#38267536)

One of the cons pulled by the Fortune 1000 over the last decade or so has been to employ H-1bs in positions where the company is testing the limits of the law and they don't want that information sopenad -- and simply repatriating the H-1b when time comes to "shred". They do this by pretending to reduce IT salaries, knowing full well that that kind of fraud (using the H-1b provision to lower labor costs) is winked at by the FBI.

However, what they don't count on is that the hapless H-1b IT guy is actually part of a tight-knit ethnic network that, back in the old country, can use that information in, oh, let's just say "jurisdictional arbitrage".

Re:Conning the conmen (1)

ledow (319597) | more than 2 years ago | (#38267910)

So you can spell repatriating but not subpoenaed?

Gets old (0)

Anonymous Coward | more than 2 years ago | (#38267572)

In the first maybe two months of my IT career I did just a little bit of poking around. From what I found, people are either way too boring or disgusting. 6 years later and have never done it again, except when requested to by a manager.

One thing to look... (3, Insightful)

ackthpt (218170) | more than 2 years ago | (#38267592)

It's one thing to peek, which is bad...

It's quite another to share it, through gossip, careless revelation or horrors passing on to nefarious individuals with criminal intent in their black hearts.

This report brought to you by... (4, Insightful)

synthesizerpatel (1210598) | more than 2 years ago | (#38267598)

Lieberman Software, a security and identification software vendor.

Yeah. Sounds like a completely scientific report with no bias to me.

analog example (2)

tverbeek (457094) | more than 2 years ago | (#38267614)

I've never had the interest + time to go snooping. But early in my career I used my "privileged" position as the company PC tech, to look at a document that one of the executive admin assistants had neglected to put away when I came to install some software on her computer. As I swapped disks my eyes wandered and I saw this list of people, all of whom had recently been laid off, except for a few names at the bottom that had a line through them. Mine was one of those. I started looking for a new job at that point.

Re:analog example (0)

Anonymous Coward | more than 2 years ago | (#38267780)

And if you think that was an accident.. They were trying to help you out.

Not shocked (5, Insightful)

TheCarp (96830) | more than 2 years ago | (#38267634)

I work in healthcare IT, and my mother was an X-Ray tech for years, until about 15 years ago.

Even back when she was in the hospital, she saw people getting slapped and fired for it. Whenever someone famous came in, Princess Di was one of the big ones that I heard of, someone would go look up that person's info who shouldn't have, and of course, for famous people they would audit, and people got caught.

Now? Now you get flagged for all manner of things (I don't know exactly what, but it is well known that it includes looking up family members or people living on your own street etc) and it's automatic. We have training on "Ethical Standards" every year, which talks about all of these records access issues. Still... I hear the single most common reason for anyone at the hospital getting fired is.... you guessed it.... inappropriate records access.

Here in MA they have the "CORI" system for doing criminal records checks. You are supposed to need consent to search it for someone's info...unless you are a police officer doing his job or that sort of thing. Some auditing was done a while back and they found absolutely RAMPANT abuse. Police looking up their neighbors, looking up spouses, ex-girlfriends etc. (this was several years back... no idea if anything came of it...can't find any articles on it anymore)

The problem is a very human one.
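A sketch of the kind of automatic flagging the comment above describes (famous patients, family members, people on your own street), as an added example that is not part of the original thread and not any hospital's real rule set. The staff and patient records, the watchlist, the log format and the three rules are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    surname: str
    street: str
    postcode: str


def _norm(text):
    """Case- and whitespace-insensitive comparison key."""
    return " ".join(text.lower().split())


def flag_access(employee, patient, patient_id, watchlist):
    """Return the reasons (possibly none) why one record access deserves review."""
    reasons = []
    if patient_id in watchlist:                       # high-profile patient
        reasons.append("watchlist")
    if _norm(employee.surname) == _norm(patient.surname):   # crude proxy for family
        reasons.append("same_surname")
    if (_norm(employee.street), employee.postcode) == (_norm(patient.street), patient.postcode):
        reasons.append("same_street")
    return reasons


def review(log_text, staff, patients, watchlist):
    """Scan 'timestamp,employee_id,patient_id' lines; return (employee, patient, reasons)."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            findings.append((None, None, ["malformed_line"]))
            continue
        _timestamp, emp_id, pat_id = fields
        if emp_id not in staff or pat_id not in patients:
            # An ID the directory does not know is itself worth a look.
            findings.append((emp_id, pat_id, ["unknown_id"]))
            continue
        reasons = flag_access(staff[emp_id], patients[pat_id], pat_id, watchlist)
        if reasons:
            findings.append((emp_id, pat_id, reasons))
    return findings


# Constructed sample data, not real people or real log lines.
STAFF = {
    "e100": Person("Okafor", "Mill Lane", "02139"),
    "e200": Person("Reyes", "Harbor St", "02110"),
}
PATIENTS = {
    "p001": Person("Nguyen", "Elm Ave", "02139"),
    "p002": Person("Okafor", "Cedar Rd", "02141"),
    "p003": Person("Patel", "harbor  st", "02110"),
    "p900": Person("Castellan", "Palace Rd", "02108"),
}
WATCHLIST = {"p900"}
LOG = """\
2011-12-05T09:14:02,e100,p001
2011-12-05T09:20:47,e100,p002
2011-12-05T10:02:11,e200,p003
2011-12-05T10:05:30,e200,p900
2011-12-05T11:00:00,e999,p001
"""

if __name__ == "__main__":
    for finding in review(LOG, STAFF, PATIENTS, WATCHLIST):
        print(finding)
```

A flag here is a lead for a human reviewer, since a clinician can legitimately treat a neighbour or a namesake.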

not looking at data.. (1)

psy0rz (666238) | more than 2 years ago | (#38267656)

..gets a lot easier if you DON'T care about people's little problems and annoying secrets at all.

Yes we can (1)

xrayspx (13127) | more than 2 years ago | (#38267666)

The people "peeking" at info are by definition Not Professional.

I don't snoop (1)

pak9rabid (1011935) | more than 2 years ago | (#38267696)

It is tempting to know what others in my company make, but it's just not worth the risk of getting caught & losing a good job.

Re:I don't snoop (1)

Lumpy (12016) | more than 2 years ago | (#38267870)

SELECT "TITLE", "SALARY" from "PAYROLL" order by "SALARY" DESC;

It does not tell you that the new IT guy hired is getting $5500.00 more a year than you are after 10 years though...

News just in 1 in 4 IT people knows no IT (1)

djsmiley (752149) | more than 2 years ago | (#38267710)

and they lie on surveys and in interviews!

Seriously though - I've got plenty of chances. I could get so much information from some places that I could likely walk into a very comfortable position elsewhere, but I have no want to. This company treats me well, they gave me a job when no one else would, and I'm happy here.

Just follow management's leadership (2)

vlm (69642) | more than 2 years ago | (#38267720)

Just follow management's leadership, as in many other things.
If you work for a place where morals and ethics are #1 above all else, then follow their lead.
If you work for a place where the almighty dollar is #1 and morals and ethics are for suckers and fools (most corporations), then follow their lead.

Whatever you do, don't get caught doing something you'd not want to be on the evening news.

Note that it's a lot like having a police scanner or listening to mobile phone calls, or intercept pocsag digital pagers. Sounds technologically fascinating. It, in fact, IS technologically fascinating. Then you get the ability to do so, and it is boring beyond belief. Gossip monger types are always going to be gossip monger types and the addition or removal of technology will not change them. "Golly, person A is having an affair with person B, using some high tech pager or whatever". Ditto the non gossip monger types are not going to be very interested, beyond the interesting nature of the new technology itself. "Golly, this 8 bit A/D decoder sure works a heck of a lot better on noisy signals than a 1-bit data slicer for pocsag decoding, look at the borderline SNR on this page about some dork's affair or whatever."

I worked at a place decades ago where part of the job was to monitor old fashioned PCM T1 analog phone lines on occasion. Signed lots of secrecy papers to do it. Sounded cool, before I had to do it. It was boring as hell, trust me. I kind of miss listening for slips and echo can malfunctions in this VOIP era. Another funny one was listening for ulaw vs alaw encoding malfunctions on international ckts. And verbal fighting with vendors who couldn't understand the 80 different type of E+M signalling. Good times, I guess, but not from listening to boring phone calls.

Dear CxO's... (1)

Lumpy (12016) | more than 2 years ago | (#38267782)

You have no choice but to trust us. We have admin rights which means we have more power than you do.

Why do we have more power? Because you will screw things up badly as you know nothing about computers, servers, or networks.

If you paid us what we were worth, you would be able to hire more trustworthy people, you get what you pay for.

Re:Dear CxO's... (0)

Anonymous Coward | more than 2 years ago | (#38267888)

I assume you're excluding CIO/CTO's from that mix. I assure you that there is a reason they're in charge.

You people have time to read other people's mail? (1)

Atrox666 (957601) | more than 2 years ago | (#38267838)

I don't have time to read my own damn e-mail let alone yours.

I tried to avoid it (2)

Todd Knarr (15451) | more than 2 years ago | (#38267850)

I tried to avoid looking at that kind of information when I had that kind of access. Firstly, I was usually too busy. I had plenty of authorized work to deal with, and if I had free time I had plenty of personal projects that didn't involve digging through the data. Second, it usually wasn't worth it. I've had to do plenty of company-ordered digging through people's accounts, and the interesting stuff just isn't worth digging through the weapons-grade "I did not need to know that..." material. And thirdly, it again wasn't worth it. I don't like to lie to conceal what I know, and for every useful item that directly affected me there were dozens of things that either weren't useful (I already knew my manager made twice what I did, knowing he makes exactly 2.13x as much... pfffft) or didn't affect me. It was easier overall if I honestly didn't know those things in the first place.

The dirty little secret is that most of the time everyone knows who's doing the unauthorized snooping. But management won't order an investigation because they're under the delusion that what they don't officially know about can't hurt the company. And besides the inevitable need to bleach their brains afterwards, all the front-line admins know that if they go initiating an investigation management will come down on them if they find anything. Even if the investigation was fully justified. Whatever it is needs to be pretty major to be worth the drama, angst and pain that'll result. And I don't see management's attitudes changing any time soon.

Nuclear War (4, Funny)

kbielefe (606566) | more than 2 years ago | (#38267868)

That's why I think nuclear armageddon won't be started by heads of state and their military advisors, but by some disrespected IT guy who constantly has to reset the passwords to the launch codes.

I call "bullshit". (3, Interesting)

Dagmar d'Surreal (5939) | more than 2 years ago | (#38267872)

Lieberman Software is in the business of selling IT security products. Is it really that hard to believe that they've sufficient incentive to "creatively restate" the parameters of their testing in order to sell more product? Bias matters, and that study is not unbiased.

Net-security.org, for their part, are only inflaming matters further by restating things in an even more inflammatory manner.

Basically, you need to ask something that this article neglects to question: Did 26% of the respondents merely say they were aware of other employees *using* the shared passwords, or did it specifically detail abuse of a shared password to gain unauthorized access to information that ethically-speaking, they shouldn't be going anywhere near. Both of those cases are considered felonies, by the way. It's very easy for someone to argue that *any* shared password use is an "abuse" and that any information access from that point is "illicit"--but without knowing specifically what question was asked, these "results" are more likely just a distortion of fact in order to sell products and services.

I am personally aware of shared passwords in many organizations. I am also occasionally privy to information I shouldn't be--specifically, people's emails. The key difference being, I *don't want to know*. I, and thousands of admins like me, wind up seeing your boring little emails while trying to figure out why they didn't arrive in your inbox already. Over time, we develop the ability to be self-redacting and immediately forget what was just on our screens--because not being able to do that means being burdened with other people's secrets that you'd feel better not knowing. This is a far, far cry from the sort of "abuse" this report pretends to show, but vendors loooove to construe one as the other in order to sell service contracts.

Frankly, this doesn't sound any more realistic than the old one about employees giving up their passwords for a candy bar. What you don't get told about those is that the employees are usually being told they have to give their password up to their immediate supervisor, and not being given any guidance as to why they're being directly ordered to violate company policy. In most offices, people who ignore direct orders being given by a live person over something written on a policy paper tend to suffer bouts of sudden and chronic unemployment--so... plenty of reason to "violate policy" there, normally "secure" employees are going to capitulate for that kind of request. Then the people doing the "analysis" stand around later and say "oh my gosh people give up their passwords for no reason!". I've personally been given such a request in the past, and frankly since I was being directly instructed to do so, I turned over a hand-written copy of my password on the form provided...or at least, what my password was at that specific moment in time. Since I'm a twisted bastard I made up a new password just for them, set it in the system and then filled in the blank. ...and since the one written down was now "compromised", I then made up another password and changed it in the system again. I was unamused to find out later that someone was doing this as a "survey".

Don't be a gullible noob. Trust no "survey" coming from a vendor selling a related product unless you are being shown the exact details of the survey--because they're going to lie about it. Of that you can be sure.