> There's enough interesting things to this that I don't think there's a
> good basis for too strong an opinion either way, though the
> whistleblower's actions seem at least a little ill-advised...
>
Understatement of the year there...but that's just my opinion. =)
> I'm not sure it's a no-brainer- it really depends a lot on policy and
> somewhat on implementation. However, it's still worth looking at, since
> lots of us will be in a position where we'll have to end up monitoring an
> employee's activity over a period of time. I also figured the "stupid
> manager" thing might rile Marcus up a bit ;)
Policy aside...in an organization, there has to be a chain of command
that you go up. And there has to be a motivation and empowerment from
higher-up (before the whistle-blowing) for this ex-employee's case to
hold water at all. If he didn't go through the right channels and just
appeared to be out to get someone (because I'm sure there were others
below him, or maybe his peers that were also *abusing* their computer
privileges...whatever that means), for me, he's gone. Only reason it's
an issue is because he's a gov't employee. I don't think anyone wants
to set the precedent that if you spy on your supervisor and find that
they are doing something wrong, you can get them written up or even
removed. What happens when this guy wins?
I may not like my supervisor as a person, but the thing is, if he looks
good, I look good...
> The more interesting question there is how many folks who might have to
> ever monitor a system have invested in acquiring and testing the software
> they'd use to do it? Grabbing a Trojan off the Internet and installing it
> (especially a binary) seems like the *stupidest* path one could take in
> this situation. But I really didn't want to just push my analysis out
> there, I think it's worth some discussion in this community.
>
I thought it was pretty stupid also...so stupid I didn't think it needed
discussion. I dunno...on Windows-based systems, there are various other
ways of recording what someone is doing (within the confines of the OS
itself) than having to load a trojan. One word for this employee: DUH
> Yet, something must provide the motivation for change for the better-
> somehow organizations need to find a way to channel such energy toward
> the organizational goal, rather than lose valuable talent or even a chance
> to improve the organization...
I guess I'm not that optimistic. Burn it all down. Let's start over.
This is gov't we're talking about.
I might ask what the organizational goal of the dept of transportation
is. In my town, it's to keep the buses running, the streets repaired,
and get the snow off the road in the winter. I don't see how Solitaire
affects that. I DO see how a trojan introduced into the system by a
dumb employee could affect it however.
> I don't think the commercial world is all that different, unless someone
> *cares* enough to do good policy creation and enforcement. That's one of
> the reasons that I'd prefer to see people channel such energy, rather than
> letting it go off on tangents, no matter how just the cause. I also think
> that we need to document and policize against really stupid things like
> downloading Trojans and installing them.
I think it is very different. I think in the commercial world, you're
always cutting the fat off because it's costing your department, your
company cash. This guy would have been cut off a long time ago where I
work...if his version of monitoring someone is loading a trojan.
Windows is nice in that you don't have to load a trojan to see what's
going on...on ANY version.
I don't think any documenting and policizing is going to do it. I think
what the world lacks is critical thinkers. I think that's the problem
here. I don't think this person used their brain enough, and did the
wrong thing...period. Had nothing to do with policy. I also think it
was something personal that prompted this person's actions. I don't
think it was technical ability/inability, anything else optimistic you
can think of. Sorry, I've been on the receiving end of this. I wasn't
guilty of playing Solitaire, but I was accused of spending too much time
websurfing when I was a developer at the USDA. Where do you find 99% of
your code snippets/ideas from to conceptualize? The answer? The web.
This person did the wrong thing.
> I've always thought such things were stupid. They get in the way of many
> legitimate sites, and put you into a "if I can get at it, then it's ok"
> sort of mode. Better to summarize sites surfed and have the employee sign
> the reports, like larger companies do with phone logs. I also get the
> stupid bounce messages from lots of e-mail content filters, which are the
> logical extension, and I know lots of people miss otherwise important
> messages because of some phrase, tool name, or slightly off remark.
I don't see it that way...may just be the nature of the company/business
I'm in. They, like anything else, don't get in the way of anything if
they're tuned correctly. Same thing goes with the AV
gateways/scanners...but that's a different discussion altogether...
> It comes with the OS, one of the problems with general purpose systems.
> Funnily enough, even though we've got "Pro" editions of the OS's now, they
> still have all the cruft. Thought I'll admit that I've loaded my fair
> share of Quake versions and maps on otherwise work systems in the past
> (always with my immediate management being aware of it.)
Not a reason or an excuse. It comes as an option you do not have to
install. If you have a halfway decent Windows network policy (and an
admin who knows what they are doing), you don't let end-users install
their own software...doesn't matter if they are the CEO. And you don't
hand them a PC or laptop with 800 things they don't need on it. If they
have a justification for a piece of software, they document requesting
you load it and for what purpose. If it becomes an item of abuse later
on, you have something to go back to and re-evaluate. If you just hand
them the keys to the castle, don't be surprised when they find the
dungeon and start messing around in it...you're the one who gave them
the keys after all...and don't get mad at anyone but yourself either.
> I'm not sure that follows. If you're supposed to monitor and document,
> it's all for nothing if the documentation doesn't go anywhere. But then,
> I've always been visible enough to get folks to give me their tattles and
> let me decide what to do with them. I've also had the "My boss isn't
> being effective" conversation with the next person up the chain.
I don't believe that at all. I'm not one for quoting scripture, but
there's one that says "Be sure your sins will find you out." If you're
doing the wrong thing, one way or another, the wrong person is going to
find out about it...and then you're toast. It always happens to people
misusing the network. Tools or no tools in place. Misuse long enough,
the right person finds out, then you're done. I've been on the giving
end of this before. I monitor and document everything...from the CEO to
the janitor. I don't tattle-tale, but I let the supervisors-that-be
know that something is going on that shouldn't. IF they are interested,
I tell them more. If they are not, I go back to monitor and document
and do what's in my power. If you have done what's in your power, what
more are you expected to do? Sorry, I don't think it's worth losing
your job over...
If the supervisors continue to not care and I find I cannot work in that
environment, guess what? The monster.com account just got reactivated
and a call is placed to my headhunter the next day.
> That seems to be a short-sighted way to look at things. Certainly, at my
> last employer, I took my fiduciary responsibilities much further than "what
> my boss tells me to do." If an organization doesn't allow people to do
> the *right* thing, absent specific instructions to do so, then I think the
> organization is harmed. If the organization doesn't provide an avenue for
> people who do the right thing to be heard (and note, that I'm not saying
> the individual in this case was doing the right thing) and the good of the
> organization doesn't preclude other things, then I think you're not using
> your employees effectively, and the organization isn't going to get much
> value out of its most expensive resources.
What you're talking about here is ethics. Within ethical boundaries,
your job ultimately is to do what the shareholders (who ultimately
hire/appoint your boss, who hires you) tell you to. That is dictated
THROUGH policies of the company. If you cannot do your job within
ethical boundaries, you really have three decisions: 1) Suck it up and
just get paid and throw ethics aside, or 2) Leave your job...one way or
the other (like this guy), or 3) If your boss is like mine, approach him
and say there are things going on on the network that could negatively
affect it. If he asks what, then there's your opportunity to progress.
If he doesn't, refer to option 1 or 2.
The problem with this situation, is this person doesn't think they have
an ethical out. I kind of have the same belief. But, I don't think
policies are enforced in any gov't agency anyway (minus the FBI and
places like that), so it's kind of pointless. You're paid to do what
your boss tells you to...minus breaking the law. If you want to make a
difference, go work in private industry where we're trying to guard our
assets (with security policies and practices), and not for the
department of transportation where everything is public knowledge
anyway...right down to what people get paid, when they were arrested
last, etc etc.
Which brings me to my next point...just putting 1 and 1 together, what
did this organization stand to lose by one guy playing Solitaire?
Seemed to me that there was more to lose (integrity of the network for
one) by some guy loading a trojan, than by someone else playing
Solitaire. That's why I said earlier it was a no-brainer. You're using
something that's already on your machine that the local admin put on
your desk WITH it loaded vs the local admin loading a trojan that lets
him see what you're (and ONLY you) doing from anywhere in the world with
an internet connection. It's a no-brainer...what's keeping everyone
else from connecting to and compromising the machine at that point?
If he was so concerned about policy, why didn't he change the policy on
the local machine, and uninstall the game(s)? There are so many things
you can do remotely with a Windows machine without the end-user knowing
the difference...all it takes is a little thought and brainpower...
> Sure it's a management problem, *everything* is a management problem. The
> thing is that organizations need ways for management problems to be
> brought into the open.
I'd say this one was pretty much out there...pretty effective way to get
it out there wouldn't you say? =)
>
>>concern...and you should not assume it is. You should do your job
>>within your reach of authority, and when called upon by the right
>>authority for more, do more. This guy clearly overstepped his
>>boundaries. I think it's good for him to be concerned, but he should
>>have never named names with submitting his findings. If anything, it
>>made it look as though he had a vendetta against ONE person. If he
>
> From my reading of the PDFs, it looks more like he was hunting to get
> promoted into the job his manager was in.
Exactly. No-brainer. He's gone. Now that he's gone, what can we do
to bring in someone MORE qualified to tighten up our assets here? What
do we need to do to change our policies to protect us against abusers?
What do we need to do to keep our employees busy with actual
work?...fire some people and give the remaining raises and more work?
Is Solitaire really abuse? Is checking stocks abuse? Is the network
slow because someone has their Datek real-time ticker going all day, or
because database admin X across the hall is downloading Oracle CD's to
do his job?
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Aug 02 2004