Do IT Pros Abuse Their Power?

Soulskill posted more than 4 years ago | from the hahahaha-yes dept.

IT 460

An anonymous reader writes "I have noticed that many airports and hospitals I've visited have some kind of internet usage policy in place. Some use software similar to Websense, which effectively blocks sites based on blacklisting them by category. A commonly used blacklist prevents users from accessing 'forums or discussion boards,' yet I find that often these networks allow users to access sites like Fark, Slashdot, Digg and other message boards that appeal to the technical culture one might find in the IT world. In your experience, do IT administrators abuse their supervisory powers? Has there ever been a backlash from users or management for doing so?"

460 comments

New around here? (5, Funny)

hedronist (233240) | more than 4 years ago | (#30632454)

You must be new here. All members of /. are (or want to be) a BOFH [theregister.co.uk] !

Re:New around here? (1)

Z00L00K (682162) | more than 4 years ago | (#30632696)

And those who aren't have other issues to pursue.

Re:New around here? (5, Informative)

TheLink (130905) | more than 4 years ago | (#30632740)

A BOFH might find it more fun to manipulate data from certain websites, rather than block sites.

e.g. the BOFH substitutes some images, and/or inserts a rather loud audioclip.

Go figure out the details yourself.

Even if you use SSL, the BOFH probably controls what CA certs are installed in your browser ;).

Re:New around here? (1, Informative)

s0litaire (1205168) | more than 4 years ago | (#30632834)

Think they call it "wiki-fiddling"
http://www.theregister.co.uk/2008/10/03/bofh_2008_episode_32/

Wiki-Fiddling: The Art of creating Wikipedia articles, on the fly, to back up your Story / Alibi or Invoice.

Re:New around here? (2, Insightful)

jftitan (736933) | more than 4 years ago | (#30632900)

And I don't believe any backlash will ever occur because the users/management don't know how the network works. So it's a win-win situation for the IT Pros.

Management "I can't access facebook, however I noticed you can access that slashdot website of yours."
Me "Yep, because I get news about IT related stuff... facebook is just a waste of productivity time... it's your policy!"
Management "oh, yeah. you're right... could you add me to the list of allowed users..."
Me "Nope... policy"

Users "aaawwwwwhhh we can't access myspace!"
Me "suck it!"
Users "grumble grumble"

Either way, neither of the other two groups outside of the IT Admin team should be allowed to do anything.... extreme with the network access... and by extreme, social networking. :-)

Of course (5, Insightful)

Guiness Boy (1098597) | more than 4 years ago | (#30632462)

Of course we do. Get over it.

Re:Of course (2, Insightful)

Anonymous Coward | more than 4 years ago | (#30632522)

yet I find that often these networks allow users to access sites like Fark, Slashdot, Digg and other message boards

Maybe blocking Slashdot isn't an abuse of power. Maybe their intentions are good and they just want to prevent another stupid question from appearing in the Ask Slashdot section. They might reason, if he's smart enough to get around our filters, he probably won't ask such stupid questions. Maybe he'll even consult Google before submitting a "story". I know that last part is wishful thinking.

Ask Google: for when you have two brain cells to rub together so you know how to get good results from a search engine and want to quickly and efficiently answer your inquiry.
Ask Slashdot: for when you refuse to Ask Google, have a common-sense inquiry, or otherwise want some free attention from a bunch of strangers.

I want to see an Ask Slashdot that doesn't make me feel this way. Posted AC for a reason, so go ahead and down-mod the painful truth.

Re:Of course (5, Funny)

digitig (1056110) | more than 4 years ago | (#30632838)

Don't be silly. It would only be "abuse" if it were a bad thing!

YES YES YES (0)

Anonymous Coward | more than 4 years ago | (#30632482)

It comes with the work.

Re:YES YES YES (0)

Anonymous Coward | more than 4 years ago | (#30632768)

Yes, but the question was "Is it abused".
In our building Facebook is blocked along with many other forums that would help developers get their job done. The abuse comes in when our other building (the one where IT & upper management are located) doesn't block these forums or facebook.
Management needs Facebook & YouTube, but I can't read someone's blog about getting around a specific C# programming problem?

Since when.. (5, Interesting)

dr_strang (32799) | more than 4 years ago | (#30632488)

...are Fark and Digg considered 'technical culture' sites? Seriously, this isn't 2001. Last time I checked, the Internet had sort of entered the mainstream and 'slacking off at work' isn't really considered exclusively IT.

Re:Since when.. (1)

schwit1 (797399) | more than 4 years ago | (#30632574)

Digg and Fark are little more than internet junk food.

Re:Since when.. (4, Funny)

Akira Kogami (1566305) | more than 4 years ago | (#30632668)

Nah, eating junk food is enjoyable.

Re:Since when.. (5, Informative)

poetmatt (793785) | more than 4 years ago | (#30632786)

You can blame the fact that the Websense CEO is the same guy who was CEO of McAfee during the time when McAfee was known to be a piece of shit software that wasn't complete or accurate. Is it any more surprising that he's equally badly mismanaging Websense, and is selling to the same crowd with both basically?

The issue is a man named Gene Hodges [forbes.com], the guy is a horrible CEO (and cause for many tech issues relying on anything he is a part of).

Re:Since when.. (1)

RobertM1968 (951074) | more than 4 years ago | (#30632946)

You can blame the fact that the Websense CEO is the same guy who was CEO of McAfee during the time when McAfee was known to be a piece of shit software that wasn't complete or accurate.

Why? What is McAfee considered now? Just curious, because lately I've seen a lot of infected machines coming into our shop with fully updated and running McAfee suites...

;-)

Re:Since when.. (0)

Anonymous Coward | more than 4 years ago | (#30632868)

"Technical Culture" = ranting about Ron Paul on the internet because you have zero influence in real life

Power Corrupts... (5, Interesting)

PCGod (86295) | more than 4 years ago | (#30632492)

Absolute power, is even more fun!</bofh>

Yes, we did have something like this happen where I work. Our IT group ended up blocking all social networking sites. Our marketing department raised a fit because they use Facebook for business purposes.

Re:Power Corrupts... (5, Interesting)

2stein (871221) | more than 4 years ago | (#30632624)

Yes, we did have something like this happen where I work. Our IT group ended up blocking all social networking sites. Our marketing department raised a fit because they use Facebook for business purposes.

At the place where I currently work we have kind of a "feel free to use the internet as you wish" policy. This actually works out quite well. Sites are not filtered specifically. They basically say "hey, if you end up doing illegal stuff, you're screwed, otherwise we don't care as long as you get to do your work."

I used to work for a financial institution before that. And they had sort of a lockdown-mania. Filtering proxies (no checking your private web mail - could be used for stealing information), read-only USB mass storage, scanning outgoing e-mail attachments etc. I guess, these rules came in place because of management being scared to death by compliance requirements, not because of IT admins abusing their power.

And BTW: Had I wished to steal massive amounts of data, I could have still simply sent them via e-mail in a password-encrypted archive. It's a matter of trust, not only of making it difficult. So basically powerful and clueless management are equally effective as power-abusing admins.

Re:Power Corrupts... (5, Insightful)

houstonbofh (602064) | more than 4 years ago | (#30632784)

I have seen that "lockdown" so many times, and it never works. There are no technical solutions to personnel problems. I always use this analogy; "You can make a car very secure by removing the battery and putting it up on blocks. It just doesn't make for a very good car."

Re:Power Corrupts... (5, Insightful)

networkBoy (774728) | more than 4 years ago | (#30632934)

We currently have an anti-internet micromanager.
While the corporate policy is covered by an 'acceptable use' that is fairly liberal, this guy equates having an idle page open with not working. To that end he's having our IT dept. provide him usage data from all employees. As a counter I developed an http over e-mail application that seems to be working quite nicely.
-nB

Re:Power Corrupts... (0)

Anonymous Coward | more than 4 years ago | (#30632910)

BTW: Had I wished to steal massive amounts of data, I could have still simply sent them via e-mail in a password-encrypted archive. It's a matter of trust, not only of making it difficult. So basically powerful and clueless management are equally effective as power-abusing admins.

Right, but what you forget is that "clueless management" don't impose these sort of things on a whim. They were a response to the tighter regulations imposed by the federal government in the wake of the early 00's accounting scandals (Enron, WorldCom). The companies were forced to "do something" and they did. Never mind that it is trivially easy to bypass these sort of things. If something does happen, the company can say "we took every technical measure available to us". And the fact that you encrypted the message before you sent it shows premeditation and an understanding that what you were doing was against the rules and potentially illegal.

It's the same thing with PCI Compliance. If you get breached and you were compliant, the fines / repercussions are orders of magnitude less. Even though many of the rules don't really help, or prevent the sort of issues that happen in reality.

Take SSL/TLS for example. It is basically protection against a problem that would never happen in reality. What are the chances of someone intercepting your communications link to a website and capturing your credit card numbers? Out of the billions of packets that are flowing through the networks, the chances of someone managing to find the one packet with the 25 bytes of data comprising your credit card number are vanishingly small. The level of access you'd need would mean it'd be easier to just compromise the person's PC directly rather than sorting through all that noise.

This is not to say that SSL doesn't have its place. Wireless networks and VPNs are two counter examples. But for the vast majority of uses of SSL, it adds only a marginal level of security, especially since nearly no one ever verifies the SSL certificate details.

And don't even go into SAS-70 compliance -- accountants telling computer people how to maintain computers!

Do power users abuse their IT knowledge? (5, Interesting)

Wonko the Sane (25252) | more than 4 years ago | (#30632496)

How many people here get around their workplace's blocking software by running an SSH tunnel to a proxy server on their home network?

Re:Do power users abuse their IT knowledge? (3, Insightful)

lukas84 (912874) | more than 4 years ago | (#30632542)

In a properly managed network, you won't get a direct connection to the internet AND you won't be able to run any kind of SSH tunneling software.

I know most of the proxy software I use will tear down SSH sessions established through a HTTPS proxy, if you even get that far - I usually configure them to reject self signed certificates (as those would only provide a false sense of security).

Re:Do power users abuse their IT knowledge? (1)

modestgeek (1449921) | more than 4 years ago | (#30632654)

Exactly my thoughts and approach.

Re:Do power users abuse their IT knowledge? (5, Insightful)

Anonymous Coward | more than 4 years ago | (#30632828)

Even assuming you mean "reject certificates not signed by an authority I trust", as opposed to "reject self-signed certificates", it's pretty trivial to get a certificate you'd accept. I also wonder if you allow plain HTTP connections, given your stance on certificate management. HTTP connections are less secure than HTTPS with self-signed certificates, and they don't even generate a warning in the browser -- at least a self-signed certificate would let users know their connection is unauthenticated, but plain HTTP happily transmits in the clear, without encryption or authentication, with no warnings at all. That seems like a much more likely source of false security to me.

In general, your tunnel users aren't very persistent, or you haven't noticed the ones that are -- it's not terribly difficult to set up a plain-old HTTP server and send SSH data in the body of apparently-valid HTML pages. A bit of base-64 encoding, a bit of a random real web page from the browser cache, and you'd have an awfully hard time getting a machine to determine that the web page was actually a proxy connection. It's a bit inefficient and there are TCP over TCP resend issues, but it's perfectly usable for web browsing and the like. Or assuming you just check the SSL setup but otherwise allow HTTPS traffic unchallenged through the proxy (the most typical setup for non-forging, non-plaintext proxies) you could negotiate a standard SSL session and then send raw PPP data through it, without even pretending to be a web page, or using SSH.

Or if you're really pressed for access, you can set up a DNS-based proxy and smuggle data through in perfectly valid DNS requests and responses. The size of packets is limited, but it's running over UDP so you eliminate the TCP issues, and it's virtually unmonitored at most locations, even those that consider themselves "locked down" -- when was the last time you checked your outbound DNS logs? Do you even have outbound DNS request logging? And domains are cheap -- what if I registered a few hundred and spread out my requests across those?

Or if you're willing to put up with a little latency you can use just about any messaging/discussion board to post data to a totally legitimate web page, which a remote proxy could then read and reply to, again on a legitimate web page. And of course there's email.

While it's maybe worth some effort to make data smuggling more difficult, don't fool yourself into thinking you're preventing it from happening. Adding noise to the channel only limits transfer speeds -- so long as there is any way for users to inject and retrieve data to/from the Internet, even through proxies and filters, tunneling will be possible.
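For admins who do keep outbound DNS query logs, the check asked about in the comment above can be sketched as follows. This is an added example, not part of the thread: the log format, addresses, domain names and thresholds are all constructed assumptions, and the per-client view covers the case of requests spread thinly across many domains.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(text):
    """Bits per character of the empirical character distribution."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(qname):
    """Return (payload, base_domain). Assumption: the base domain is the last
    two labels; production code should use the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return "".join(labels[:-2]), ".".join(labels[-2:])


def looks_encoded(payload, min_len=24, min_entropy=3.5):
    """Long, high-entropy left-hand side: typical of data packed into names."""
    return len(payload) >= min_len and shannon_entropy(payload) >= min_entropy


def analyse(lines, per_domain_min=10, per_client_min=30):
    """Flag (client, domain) pairs and clients by their number of distinct
    encoded-looking names. The per-client view catches traffic that is spread
    across many domains to stay under any per-domain limit."""
    by_pair = defaultdict(set)     # (client, base domain) -> suspicious names
    by_client = defaultdict(set)   # client -> suspicious names
    domains_of = defaultdict(set)  # client -> base domains involved
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue               # skip malformed lines
        _ts, client, qname, _qtype = fields
        payload, base = split_name(qname)
        if looks_encoded(payload):
            by_pair[(client, base)].add(qname)
            by_client[client].add(qname)
            domains_of[client].add(base)
    return {
        "domain": {k: len(v) for k, v in by_pair.items()
                   if len(v) >= per_domain_min},
        "client": {c: (len(v), len(domains_of[c]))
                   for c, v in by_client.items() if len(v) >= per_client_min},
    }


def blob(seed):
    """Deterministic 48-character base32 string standing in for encoded data."""
    digest = hashlib.sha256(seed.encode()).digest()
    return base64.b32encode(digest).decode().lower()[:48]


def constructed_log():
    """Constructed sample: '<epoch> <client> <qname> <qtype>' per line."""
    # 10.0.0.21: ordinary browsing, including one long hashed CDN-style name
    # that looks encoded on its own but stays far below both thresholds.
    lines = [f"1262600000 10.0.0.21 {name} A" for name in (
        "www.example.com", "mail.example.com", "static-assets.example.net",
        "ntp.example.net", "a1b2c3d4e5f6a7b8c9d0e1f2a3b4.cdn.example.net")]
    for i in range(40):
        # 10.0.0.34: many encoded-looking names under a single domain.
        lines.append(f"12626001{i:02d} 10.0.0.34 "
                     f"{blob(f'one-{i}')}.relay-example.test TXT")
        # 10.0.0.55: same volume, spread over 20 domains (2 names each).
        lines.append(f"12626002{i:02d} 10.0.0.55 "
                     f"{blob(f'many-{i}')}.zone{i % 20:02d}.example TXT")
    return lines


if __name__ == "__main__":
    report = analyse(constructed_log())
    for (client, base), n in sorted(report["domain"].items()):
        print(f"domain view: {client} -> {base}: {n} encoded-looking names")
    for client, (n, n_domains) in sorted(report["client"].items()):
        print(f"client view: {client}: {n} names across {n_domains} domains")
```

The thresholds need tuning against a site's own baseline, since CDNs and some security products legitimately produce long hashed names.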

Re:Do power users abuse their IT knowledge? (1)

fedcb22 (1215744) | more than 4 years ago | (#30632928)

So, just tunnel SSH over SSL, and buy yourself a proper certificate.

OpenVPN-over-UDP-over-IP-over-DNS (4, Informative)

xororand (860319) | more than 4 years ago | (#30632942)

Do you allow DNS on your network? OpenVPN-over-UDP-over-IP-over-DNS isn't lightning fast but it does the job most of the time. It's a neat way to (ab)use commercial WiFi hotspots too. You can't stop a determined power user except maybe with a whitelist of a small set of whitelisted remote hosts.

Re:Do power users abuse their IT knowledge? (2, Interesting)

Anonymous Coward | more than 4 years ago | (#30632950)

With all due respect--as you certainly sound more competent than most network admins I've ever dealt with--you're at an IT site. The properly managed network is a myth and you know it. The two most common reasons for that really ought to be immediately obvious, but if they're not:

    1) No network is "properly managed", period. It's just too expensive anywhere. Somebody somewhere has an exception to the policy--even if it's documented because they needed some obscure piece of software. Or they're a marketer doing competitive research and actually would benefit from twitfacespace access. Or the president demands access to penthouse forums, and it's your job on the line (save that email demanding it...)

    2) Ummm....yeah...I'm a programmer (I also run my local network. No budget whatsoever for it...you'd hate it if you saw it. Literally--$0 budget...something breaks and I have to beg for cash to replace it). You might work at one of the places where programmers don't get local admin rights (kinda stupid, but fine)--but I guarantee you if I can't compile an app on my desktop and run it, there's going to be a massive stink raised, with me copying HR about how "network admin bob" is actively obstructing my work process and making it impossible to do the most important part of my job description. But I'm going to be able to run that software, or anything else I feel like if I can get the source code and it compiles in whatever craptastic IDE the company mandated. I won't run anything I shouldn't--because I'm a professional--but I'll test it every time you upgrade my desktop because I don't want to deal with the inevitable three week wait the two or three times a year I will need to pull in some third party...something...in order to meet some strange deadline.

Thirdly--rejecting self signed certificates for providing a false sense of security is...a load of BS. My self signed certificate is likely more secure than *any* cert you'll ever generate in your entire network. Because I actually check it. Because my threat model includes a subpoena forcing Verisign to generate a valid signed key for my domain. Because my keys are generated by a ten year old desktop of mine (the o/s isn't that old though) no longer connected to a network, and then physically moved. Yeah, it's not a DoD airgap--but it's better than anything most places will ever.

And lastly because sometimes--people just don't care that a self signed certificate is "less secure"--it's still better against the casual attacker even with readily available MITM tools (even our transparent proxy/IPS will automatically scan SSL content too, just like I'm sure yours does). If it stops the average person from inspecting traffic on a bridged network (and let's face it, flooding a switch's ARP tables to force bridged failover is a lot older than MITM tools).

----

Simple point of fact: Self signed certificates increase encryption on the net. Even if people run a MITM, competent parties can positively for that very attack, and identify the presence of an attacker. That's substantially better than the present system where someone can run surveillance and you would never even know. CA's on the other hand...well...it's already well established they're mostly worthless.

Captcha: EXEMPT

Re:Do power users abuse their IT knowledge? (1, Informative)

Anonymous Coward | more than 4 years ago | (#30632564)

Aye. I run our network, restrict what the bosses tell me to, but ignore the restrictions when it comes to myself. SSH tunnel to my home network, route all DNS requests through there as well, and turn on FoxyProxy in Firefox. Yes, I use it to do a little slacking off here and there, but in my defense it's also the easiest way to create exceptions when our restrictions get in the way of me getting work done.

Re:Do power users abuse their IT knowledge? (1, Insightful)

modestgeek (1449921) | more than 4 years ago | (#30632598)

I don't understand why people always try to "get around" these restrictions. If there is a legitimate business need, then get it approved. These preventions are put in place for a reason. The more open the network, the more risk. The more risk means more virus, trojans, botnets, data leakage, etc. IT then has to clean up your mess.

Besides, SSH tunnels won't work on my network. I've got all protocols being intercepted by the proxy (including encrypted). Then an application firewall behind that to make sure the proxy is doing its job. Social networking is blocked. End of story. And yes, management backs me.

Want to screw off at work? Get a smartphone and do it on your own device. Get a netbook with an aircard. I don't give a fsck what you do at work. It's not my job to make sure you're spending your time wisely. However, it is my job to protect our computers/network and I do that by blocking "risky" sites.

Re:Do power users abuse their IT knowledge? (5, Interesting)

iangoldby (552781) | more than 4 years ago | (#30632752)

I don't understand why people always try to "get around" these restrictions. If there is a legitimate business need, then get it approved.

I suppose it depends on the size of the business. Where I work, it is usually impossible even to find out who is responsible for a particular policy. As for actually getting a policy changed, you'd be better off pissing into the wind.

Whenever I need information from a blocked site (I'm talking about work-related information here), I just keep trying Google results until I find one that isn't blocked. Sometimes it can take fifteen or twenty minutes, when I know that the top result would have answered my question immediately. On occasions I send myself an email at home so that I can look it up after work, but why should I have to do this?

Re:Do power users abuse their IT knowledge? (3, Interesting)

lukas84 (912874) | more than 4 years ago | (#30632798)

Get a separate ADSL line for the IT pros. A friend of mine did exactly that. He works in a large bureaucracy and in the end they installed a separate, unfiltered ADSL line that's not under the administrative control from over-the-pond.

Of course, being in IT, they were smart enough to keep this all on a separate network.

Re:Do power users abuse their IT knowledge? (3, Insightful)

Gorobei (127755) | more than 4 years ago | (#30632806)

I've worked at a few big banks, and getting sites unblocked only takes a few minutes: just a quick email to IT help saying "information on site XXX is important to our business. The block is costing us money. Please fix."

The less "reasoning" added, the better. Make it a business issue, not a free information issue.

Re:Do power users abuse their IT knowledge? (2, Informative)

iangoldby (552781) | more than 4 years ago | (#30632940)

getting sites unblocked only takes a few minutes

At my place of work it takes at least a day. And it usually stays unblocked only for a few days, then it is blocked once more.

Re:Do power users abuse their IT knowledge? (1)

modestgeek (1449921) | more than 4 years ago | (#30632822)

In our company it's as simple as opening up a ticket. Submit your request as well as your reason and in almost 100% of the cases it gets approved and the proxy/firewall policy gets changed to permit whatever it was you wanted. It goes along the lines of deny all to start and then start allowing as things are needed. It's security 101. Now, if you submit a ticket asking for request to some obvious non work related site (p2p, gambling, pr0n, etc.) it's going to get blocked. Otherwise we are very reasonable. We've had requests come through to allow users to listen to their online media subscriptions (sirius) or Zune. Doesn't mean I'm going to allow users to start downloading music via torrent or emule.

Re:Do power users abuse their IT knowledge? (1)

LinuxIsGarbage (1658307) | more than 4 years ago | (#30632898)

You can also try looking at Google's cached results.

Re:Do power users abuse their IT knowledge? (1)

iangoldby (552781) | more than 4 years ago | (#30632970)

You can also try looking at Google's cached results.

That used to work, but Google cache results are now all blocked too - category 'Proxy Avoidance'.

Re:Do power users abuse their IT knowledge? (1)

Azureflare (645778) | more than 4 years ago | (#30632914)

Google Cache FTW?

Re:Do power users abuse their IT knowledge? (2, Informative)

2stein (871221) | more than 4 years ago | (#30632758)

I don't understand why people always try to "get around" these restrictions. If there is a legitimate business need, then get it approved. These preventions are put in place for a reason. The more open the network, the more risk. The more risk means more virus, trojans, botnets, data leakage, etc. IT then has to clean up your mess.

Partially right. The problem is, that in many larger organisations the 'legitimate business need --> approval' process does not scale well with regard to the time required to get the approval. So even if you do have a legitimate business need, waiting for the approval might still keep you from getting your job done. Multiply this by say ... 2,000 people waiting 10 days to get an approval for something. This will cost you real money.

It seems to be difficult to balance these things. But having a good zoning concept at hand might be of great help. It keeps the wrong people from tampering with critical resources, but it also allows employees to use necessary services e.g. SFTP. Yes, I've come across a situation where I was not allowed to get a patch from a vendor using SFTP. The idea was: SFTP may be used for stealing data. Use FTP, this is far more secure, as we can scan it with deep packet inspection.

Re:Do power users abuse their IT knowledge? (2, Insightful)

darkpixel2k (623900) | more than 4 years ago | (#30632764)

Besides, SSH tunnels won't work on my network.

However, it is my job to protect our computers/network and I do that by blocking "risky" sites.

Good idea. I'd hate for you to accidentally get a virus when I SSH into my home machine and read my email using mutt. You'd be surprised at the number of viruses that can encode themselves in an email as a start ZMODEM trigger and get transferred through a zssh connection back to a work computer. Then all the virus has to do is wait for a double-click... ;)

Re:Do power users abuse their IT knowledge? (1)

modestgeek (1449921) | more than 4 years ago | (#30632788)

Nope, not for that reason. I am worried about you transferring company data to your home server though.

Re:Do power users abuse their IT knowledge? (0)

Anonymous Coward | more than 4 years ago | (#30632926)

As opposed to coming to work with a thumb drive, SD card, or 2.5" external hard drive and transferring company data?

Re:Do power users abuse their IT knowledge? (3, Insightful)

Compholio (770966) | more than 4 years ago | (#30632948)

Nope, not for that reason. I am worried about you transferring company data to your home server though.

Good luck blocking SSH over DNS.

Re:Do power users abuse their IT knowledge? (1)

some-old-geek (1329305) | more than 4 years ago | (#30632796)

Presuming facts not in evidence:

1. There is a process to present a "legitimate business need"
2. The process does not consist of a rubber stamp reading "NO!"
3. Management actually has a clue about what would constitute a "legitimate business need"
4. Management actually has a clue, period
...etc.

Re:Do power users abuse their IT knowledge? (1)

Hatta (162192) | more than 4 years ago | (#30632968)

Besides, SSH tunnels won't work on my network. I've got all protocols being intercepted by the proxy (including encrypted).

How does that work without breaking SSH? Or does it?

Re:Do power users abuse their IT knowledge? (1)

pla (258480) | more than 4 years ago | (#30632988)

Want to screw off at work? Get a smartphone and do it on your own device.

Unfortunately, the "block everything" attitude you express does result in this exact solution... Except, people don't want to browse the web on a smartphone, so they use it as a WiFi or Bluetooth proxy for their (work-issued) PC.

Meaning, in your attempt to block people from surfing the web on their breaks/lunch/"need a few minutes of downtime", you have in effect lost control of real threats such as viruses, spyware, P2P, etc.

Most people will behave if you trust them. And five minutes per week spent analyzing your Squid logs will quickly identify those who abuse your trust.
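The short weekly Squid log review suggested in the comment above could look like the following. This is an added example, not part of the thread: the log lines are constructed in Squid's native access.log layout, and the addresses, hostnames and thresholds are assumptions. It ranks clients by bytes and lists CONNECT sessions that are long-lived, large, or aimed at a port other than 443.

```python
from collections import defaultdict

# Constructed lines in Squid's native access.log layout:
# time elapsed_ms client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1262600000.101    120 10.0.0.21 TCP_MISS/200 18234 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1262600003.440     95 10.0.0.21 TCP_HIT/200 5120 GET http://www.example.com/logo.png - NONE/- image/png
1262600010.000   2300 10.0.0.21 TCP_MISS/200 40960 CONNECT webmail.example.org:443 - DIRECT/192.0.2.20 -
1262603600.000 14400000 10.0.0.34 TCP_MISS/200 734003200 CONNECT home.example.net:443 - DIRECT/198.51.100.7 -
1262603700.000  60000 10.0.0.55 TCP_MISS/200 1048576 CONNECT host.example.net:22 - DIRECT/198.51.100.9 -
1262603800.000     10 10.0.0.55 TCP_DENIED/403 1500 GET http://blocked.example/ - NONE/- text/html
garbage line
"""


def parse_line(line):
    """Return a dict for one native-format line, or None if it does not parse."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        elapsed_ms, size = int(f[1]), int(f[4])
    except ValueError:
        return None
    action, _, status = f[3].partition("/")
    return {"client": f[2], "action": action, "status": status,
            "elapsed_ms": elapsed_ms, "bytes": size,
            "method": f[5], "url": f[6]}


def review(log_text, long_ms=30 * 60 * 1000, big_bytes=100 * 1024 * 1024):
    """Summarise a log: bytes per client (largest first), denied requests per
    client, and CONNECT sessions worth a closer look with the reasons why."""
    bytes_by_client = defaultdict(int)
    denied = defaultdict(int)
    tunnels = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # malformed line, ignore
        bytes_by_client[rec["client"]] += rec["bytes"]
        if rec["action"].endswith("DENIED"):
            denied[rec["client"]] += 1    # repeated denials show probing
            continue
        if rec["method"] != "CONNECT":
            continue
        reasons = []
        # For CONNECT the URL field is "host:port".
        if rec["url"].rpartition(":")[2] != "443":
            reasons.append("non-443 port")
        if rec["elapsed_ms"] >= long_ms:
            reasons.append("long-lived")
        if rec["bytes"] >= big_bytes:
            reasons.append("large transfer")
        if reasons:
            tunnels.append((rec["client"], rec["url"], reasons))
    ranking = sorted(bytes_by_client.items(), key=lambda kv: kv[1], reverse=True)
    return {"bytes_by_client": ranking, "denied": dict(denied),
            "tunnels": tunnels}


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    for client, total in report["bytes_by_client"]:
        print(f"{client:<12} {total:>12} bytes")
    for client, dest, reasons in report["tunnels"]:
        print(f"CONNECT {client} -> {dest}: {', '.join(reasons)}")
```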

Re:Do power users abuse their IT knowledge? (0)

Anonymous Coward | more than 4 years ago | (#30632614)

Me :)

Re:Do power users abuse their IT knowledge? (0)

Anonymous Coward | more than 4 years ago | (#30632712)

Where I work, people have been fired for circumventing the security policy in such ways.

Re:Do power users abuse their IT knowledge? (2, Informative)

incongruency (1683022) | more than 4 years ago | (#30632718)

Yes, but I must do so on port 21 as port 22 is blocked outright on the network.

FTP is left wide open because the IT department uses it for any sort of file transfer, as well as the fact that they heavily rely on Websense, and its default behaviour towards FTP is to allow all incoming and outgoing connections on that port.

Re:Do power users abuse their IT knowledge? (1)

lukas84 (912874) | more than 4 years ago | (#30632738)

There's two ways you can interpret that - either your network management team is incompetent, or they don't really mind you using SSH. Decide which one is the case.

Re:Do power users abuse their IT knowledge? (5, Insightful)

Saint Stephen (19450) | more than 4 years ago | (#30632746)

I always figured my employer would be really, really pissed off if they found out I did that. At best you're pointing out a massive security hole in the network. They'd just assume I'd be running ANYTHING (kiddie porn) over the tunnel, and if anything accidentally happened, and I'd been using a "hole", I'd get in huge trouble.

Re:Do power users abuse their IT knowledge? (1)

will_die (586523) | more than 4 years ago | (#30632792)

Blocked already. But there are plenty of programs you can set up at home or on web hosting sites that allow you to enter a URL and will pull the page and images and pass them to you.

Everyone Does (2, Insightful)

Entropy98 (1340659) | more than 4 years ago | (#30632498)

People in every line of work take advantage however they can. Janitors, mailmen, military personnel, police, teachers, principals, street sweepers, CEOs, mechanics, and on and on. It's human nature.

Re:Everyone Does (2, Interesting)

psnyder (1326089) | more than 4 years ago | (#30632776)

It's human nature.

... to push the limits of our power and find ways to get around things. This is often seen in a negative light (as in the OP's choice of the word "abuse"), yet it's also a trait that has allowed humans to survive, thrive, and make numerous advancements.

The OP talks about IT people white-listing websites they know to be safe because they themselves use them. I don't see this as having a negative impact for the staff or patrons of the places he mentions. If there is a negative impact, or "abuse", it comes from the executive decision to use censoring software in the first place, not the IT guy poking holes in it.

Quick answers: (1)

Daniel Dvorkin (106857) | more than 4 years ago | (#30632506)

(1) Yes, of course. Whenever humans get power, many of them will abuse it.

(2) Users, all the time. Management, hardly ever. What else would you expect?

Re:Quick answers: (0)

Anonymous Coward | more than 4 years ago | (#30632586)

Power corrupts. Absolute power corrupts absolutely.

It's all about porn (0)

Anonymous Coward | more than 4 years ago | (#30632508)

The people who put these filtering policies in place are usually morbidly obsessed with how other people jack off, in a sort of proxy-voyeur kind of way. They don't want to admit that they look at porn, but they are 100% focused on what other people *do* want to look at in their spare time.

I often felt like saying, "If you want some good links, just ask me. You really don't need to monitor / block my URLs, while keeping a copy of the log file for your own pleasure later".

IT Pros don't make policy. (5, Insightful)

lukas84 (912874) | more than 4 years ago | (#30632516)

Policy is made by management. I don't care if you watch gay furry porn for all the three hours you spend in the Office.

I do care about the security of the network - so if you plug your private laptop into the office LAN, you won't get any connection because your machine won't authenticate. But I'll know exactly that you did so. And I'll call you out for it.

In all the places I've worked, WebSense etc. only worked in the VLANs for the office workers. All IT networks (as did the Exec's networks) had unrestricted internet access (they still went through a malware filtering proxy, but not content filtering). This might be different in larger organizations.

In the place I work right now, we only have a malware filter. No content filtering at all. I think it's pointless. If someone does not do his job properly, fire him. If someone does his job properly, but uses 10 minutes a day for masturbating to gay furry porn, he's still more productive than someone who takes a 10 minute smoke break every 20 minutes.

Re:IT Pros don't make policy. (1)

bmcmurphy (771356) | more than 4 years ago | (#30632566)

I agree. IT workers should have input on things that should be blocked for technical reasons (e.g., known malware sites), but where I work management tells the IT folks what to block for non-technical reasons (gay furry porn). Not saying I'm in agreement with management's idea of what should be blocked--my point is that they call the shots and IT folks push the buttons. Oh, and they live by the same rules.

Re:IT Pros don't make policy. (1)

lukas84 (912874) | more than 4 years ago | (#30632762)

I've always seen management wanting exceptions to those rules.

As long as they're not security relevant (for example, installing random software on their machines) and just for their leisure time (turning off the porn filter), I really don't care.

Re:IT Pros don't make policy. (1)

mattb47 (85083) | more than 4 years ago | (#30632800)

Porn (especially kiddie porn), torture videos, etc. (the really nasty stuff) etc. should be blocked in most businesses. If you don't, it's a sexual harassment lawsuit waiting to happen.

Yeah, I don't care that someone is jacking off to gay furry porn (if his office door is closed and locked...). But others might. And they might sue. And have a reasonable chance of success.

Warez sites and P2P networks actually fall into both the security and legal bins. And yes, these should be blocked, too. (These tend to be incredible bandwidth consumers to the detriment of all other users. The sites are often filled with viruses and malware. And your company is opening itself up to copyright infringement suits. Yes, you should block this stuff.)

So my take:
- Block malware and any other SECURITY threats
- Block any LEGAL threats

On the legal threats, you will probably need to talk with management or the company's lawyer to set what should be blocked or not.

Other than that, let them goof off a bit. It's good for morale. People need to vent a bit. (And if they're goofing off too much, reprimand or fire them!)

Re:IT Pros don't make policy. (1)

lukas84 (912874) | more than 4 years ago | (#30632856)

Porn (especially kiddie porn), torture videos, etc. (the really nasty stuff) etc. should be blocked in most businesses. If you don't, it's a sexual harassment lawsuit waiting to happen.

I know, I know, I might not get all the fine points of American culture, but how exactly can someone sue the company over this? They're just acting as an internet provider.

Warez sites and P2P networks actually fall into both the security and legal bins.

P2P networks are automatically blocked, since you don't allow direct internet connections. Rapidshare and such? I don't see why I should care.

Re:IT Pros don't make policy. (2, Funny)

daveime (1253762) | more than 4 years ago | (#30632590)

If someone does his job properly, but uses 10 minutes a day for masturbating to gay furry porn, he's still more productive than someone who takes a 10 minute smoke break every 20 minutes

I guess that depends on *where* he masturbated to gay furry porn. If it was in the smoking room, then it's understandable that the smoker needs 10 minutes ... jizz covered Marlboros are a bitch to light.

Re:IT Pros don't make policy. (1)

Cwix (1671282) | more than 4 years ago | (#30632688)

jizz covered Marlboros are a bitch to light.

Excellent, I didn't even see that coming. I'll score that 8.6/10

Re:IT Pros don't make policy. (0)

Anonymous Coward | more than 4 years ago | (#30632630)

I'll start by saying that I completely agree with your views. That said... you know, there's more to the Internet than productivity sites and gay furry porn. There's a host of sites in between those categories, it is all the rage these days.

Re:IT Pros don't make policy. (1)

RobertM1968 (951074) | more than 4 years ago | (#30632976)

I'll start by saying that I completely agree with your views. That said... you know, there's more to the Internet than productivity sites and gay furry porn. There's a host of sites in between those categories, it is all the rage these days.

Wow! I learn something new every day!!! ;-)

Re:IT Pros don't make policy. (0)

Anonymous Coward | more than 4 years ago | (#30632978)

All IT networks (as did the Exec's networks) had unrestricted internet access (they still went through a malware filtering proxy, but not content filtering). This might be different in larger organizations.

Yeah it can be.

Where I work, filter categories like "Computing" (eclipe.org, sourceforge), "Reference" (OK, Wikipedia can be a horrible time-waster), "Education" (any .edu) are all blocked, while financial sites load just fine (nope, nothing even remotely looking like stock options at our levels). I could understand that if we were actually working in finance, but we are not, we're thrice-damned IT subcontractors who are supposed to be pissing out code day in, day out.

So, good luck getting development tools or libraries, there are none in the standard workstation image and no central repository we can access. We ended up downloading tools from home (with all the attending risk of bringing back viruses and the like) and setting up our own repository in a shared Windows folder.

It doesn't look like we're going to be abusing any power anytime soon...

Digg? (4, Funny)

Akira Kogami (1566305) | more than 4 years ago | (#30632524)

Digg has tech news? I thought it was all libertarianism and marijuana.

IT Pros - Never! (5, Funny)

Anonymous Coward | more than 4 years ago | (#30632532)

IT professionals would never abuse the position of responsibility with which they are entrusted. They would never use their positions to retaliate against the unthinking, uncaring, ungrateful wretches that make their lives a living, seething hell each and every day those worthless pieces of crap continue to suck air.

Upset because... (1)

visualight (468005) | more than 4 years ago | (#30632536)

He can go to slashdot but myspace is blocked? I can spend all day listing reasons why someone might want to block myspace. I could also spend all day listing reasons why people at work should be allowed to browse slashdot.

The submitter places _all_ interactive websites into a single category, and then complains that IT Admins are abusing their powers when some are allowed and some are not.

They are _not_ all the same and the submitter is just looking for someone here to validate the idea that he(she?) is being picked on by IT bullies. This is so obvious I can't help but wonder why it made it to the front page.

liability (1)

Anonymous Coward | more than 4 years ago | (#30632556)

Employees posting on random forums might expose their companies to liability for fraud ("Company X's products are pieces of junk assembled by slave labor in the Far East"), sexual predation, etc. What they do on their home computers is their own business.

I blame the boss. (5, Insightful)

wheelema (46997) | more than 4 years ago | (#30632558)

In my experience most draconian restrictions are imposed by Management. The technical staff is simply more empowered to work around them or ignore them.

Re:I blame the boss. (0)

Anonymous Coward | more than 4 years ago | (#30632604)

A good IT guy will never have his boss know he has a connection before the filters.

It's not IT-vs-other, it's business-vs-non (3, Insightful)

rbrander (73222) | more than 4 years ago | (#30632606)

Generally, they'll whitelist any site that a user can come defend as needed for work.

If there is abuse of "IT power", it's that IT passes judgment on their own staff's claim that tech-sites are needed for asking questions and finding tech solutions. But, frankly, even a very lame claim that "I need access to localchat.com to check on how other local accountants are handling the new sales tax" will get a pass, too. IT staff aren't exactly Sam Spade. So any extra blind-eyes they get to their favourite sites is pretty marginal.

The big difference is that IT staff aren't shy of asking. Other users imagine some omniscient IT that will just know they really want to chat about their cats.

we're human after all.... (2, Insightful)

jmad777 (1254078) | more than 4 years ago | (#30632616)

What's the point of having all that power if you can't abuse it?

Dealing with Blocked Websites... (3, Informative)

xmundt (415364) | more than 4 years ago | (#30632622)

Greetings and Salutations.

Perhaps the better questions are "why ARE some websites blocked? and WHO makes that decision?" I administer web access for a client or two, and, the decision to block given websites comes from upper level management, usually NOT the IT command structure. In a business, there is an almost paranoid fear that the employees are sitting around surfing the Net instead of doing work to make money for the company. Any blocking seems focused at keeping that from happening.

Alternatively, I go and sit at Panera Bread (a great place for good pastries, and excellent, light lunch sandwiches and such by the by...) on occasion, and have found a few websites that would not come up because they were blocked. However, it appeared that this was because the company providing the blocking had mis-categorized them, and, once I sent a note in about the site, they ended up being unblocked. But then, if I were going to surf porn sites I would NOT be doing it in a public place like that....

So, I suppose there are cases where IT admins abuse their powers and block sites that should be available...but I have not run into them. Amazingly enough BOFHs are human too, and, some of them ARE little Herberts....control freaks and generally annoying people. The rest of us are all genial and fun folks with a slightly twisted sense of humor.

Regards
Dave Mundt

yes. (0)

Anonymous Coward | more than 4 years ago | (#30632642)

What typically happens is some muppet somewhere in some department spends most of his day on facebook or whatever. Their manager who is pissed off with them already complains to HR that they're slacking, HR wanting a quiet life has a chat with a director who tells I.T to block the site and while they're at it block everything else that's like it too. The director, who has never used facebook or any site like it doesn't know anything has changed, the I.T department will have long ago set up private proxies/gateways to the net so that a) their usage can't be logged and b) they don't have to worry about sites being blocked. For the rest of the users it's tough luck talk to directors.

If your I.T dept has left sites like fark and digg open then they're doing it wrong basically. Is this an abuse of power? Perhaps, but that's the way it works.

No point blocking the tech sites (1)

petes_PoV (912422) | more than 4 years ago | (#30632646)

Any admin worth their pay can run rings around a net-blocker. So why piss-off the talent?

I can't agree (1)

kosmosik (654958) | more than 4 years ago | (#30632754)

> Any admin worth their pay can run rings around a net-blocker.

What Admin? Oracle admin? AIX admin? SharePoint admin? SAP admin? There is a lot of different types of admins now and what makes them worth their pay is that they help you run your business and earn money. The ability to run rings around a net-blocker is not something you put on your resume.

Also in a well-implemented network it is not as easy to run around it *undetected*.

Also by doing so you are clearly breaking the rules that your supervisor set for you - what for? So they can fire you easily if they wish? Mobile broadband internet is like 10 bucks a month (at least here in Poland). Just get your own netbook or laptop and use it for unauthorized Internet access.

Why blocking websites is bad for your company (0)

Anonymous Coward | more than 4 years ago | (#30632710)

an interesting blog describing why blocking websites is actually more expensive than letting people browse them freely.
http://uiorean.ro/world/security/why-blocking-websites-is-bad-for-your-company/

Re:Why blocking websites is bad for your company (0)

Anonymous Coward | more than 4 years ago | (#30632810)

now with link [uiorean.ro]

Hanlon (1)

gmuslera (3436) | more than 4 years ago | (#30632714)

Try explaining people using his razor, changes a lot how you see the world.

Who cares? Really? (3, Insightful)

ZorinLynx (31751) | more than 4 years ago | (#30632722)

Does it matter, as long as they get their work done?

Really, some people are too uptight about things. The only metric should be if an employee does their job. If they do their job and do it well, who cares if they visit an amusing website for a laugh to break up an otherwise dull day?

websense astroturf alert! (0)

Anonymous Coward | more than 4 years ago | (#30632730)

Is it just the eggnog making you do crazy shit or are you people who replied really too dumb to recognize astroturfing on /.?

Easy answer (1)

NocturnHimtatagon (1116487) | more than 4 years ago | (#30632734)

yes

Re:Easy answer (1)

NocturnHimtatagon (1116487) | more than 4 years ago | (#30632774)

heh, I can even provide a website that our company blocked except the parts that explain how dumb (l)users are.

(disclaimer: I'm a software developer and I hate the CT/IS division in our company)

Of course they do... (1)

will_die (586523) | more than 4 years ago | (#30632748)

Of course they do, and network people are the worst of the lot. I have yet to be in a network shop where they did not have their computer configured so the corporate site blocker was ignored or they had another easy method of surfing any site.
Better question is how many people use those root/admin permissions to install unauthorized software or ignored corporate policy and installed software themselves.

Don't blame IT (0)

Anonymous Coward | more than 4 years ago | (#30632750)

This is not an evil perpetrated by IT to make it hard to do your job, we have much more subtle ways of doing that (Using Windows, Exchange, "Network Outages", outsourcing, etc). If you don't like this, go talk to your HR department who block all of this to protect your brand and show due diligence in preventing hostile work environment issues. Or complain to your politicians about our over litigious world.

No (2, Insightful)

dholowiski (236576) | more than 4 years ago | (#30632766)

Um, most IT pros are too busy to abuse their power.

privacy ? (0)

Anonymous Coward | more than 4 years ago | (#30632772)

since recently there was someone posting on facebook photos of hospital patients without any consent ...I start understanding some limitations

We are asked to balance security and functionality (1)

zerofoo (262795) | more than 4 years ago | (#30632782)

IT guys typically don't abuse their authority. I've found, in the networks I've administered, management asks me to balance functionality with security. It's a very nebulous request, and typically it means that IT staff must use their best judgment when creating IT policies.

I've found the strictest policies are in place in financial firms, and the loosest policies are in place in education, and weirdly enough, law firms.

-ted

Answer (0, Flamebait)

binaryspiral (784263) | more than 4 years ago | (#30632802)

In your experience, do IT administrators abuse their supervisory powers?

No. I want to be able to read about the latest threats, vulnerabilities, and news applicable to my job. I don't want an end user seeing that there is a new hack or proxy available for making my job harder. Likewise, at the college I work at, law enforcement students are provided classes on online threats, sexual predators, and human trafficking - they require access to websites and services that we would normally block - having a web proxy/web scanning solution that allows for group based access lists is an absolute requirement.

Has there ever been a backlash from users or management for doing so?

No. Typically if an IT admin is in charge of the web proxy, he's white listed his laptop/workstation's static IP (or DHCP reserved IP) so that the relaxed rules are only applicable to him/her.

Re:Answer (5, Insightful)

Asmor (775910) | more than 4 years ago | (#30632972)

You work at a college and block certain "websites and services?" From the context I'm guessing it's more than simply blocking known phishing sites and the like...

If you are censoring the internet for the students of your college, then frankly I find that abhorrent. It's one thing for a company to filter the internet for their employees at work, but it's completely another to do it to students who-- besides being in an environment which should encourage exploration and allow for the making of mistakes-- may very likely live there and only have access to the internet through the school. As a college IT department, for all internets and purposes you're an ISP and with respect to student internet access you should be held to the same standards of openness and neutrality to which Comcast, Verizon and their likes are.

Do not mess... (1)

superflit (1193931) | more than 4 years ago | (#30632814)

Do not mess with Slashdot Crowd!
We are watching...

Go back to your MBA friends..

is work getting done (1)

fermion (181285) | more than 4 years ago | (#30632832)

There are clearly a couple different levels to this question. The first, as might come from the worker bees, is why do they get to do things that we do not? Why does this employee get flexible hours and I do not? Why does this group get new computers and we get hand me downs. It usually involves a fairness argument and usually involves the assumption that everyone will be as undisciplined in the usage of the resources as the person asking the question. In terms of certain sites, it might be a matter of distraction. An employer might not want a data entry clerk on facebook. The IT staff on /. may not seem to be such a big issue. It isn't fair. Grow up.

Second is a matter of information. IT lives on information. Much of the information is useful, if only in a peripheral manner. Right now we see a bug that has hit payment processing, a lawsuit for unclaimed minutes, a review of the nexus one, an article on censorship, and an article on plant gene mutation. First we see that there is not a whole lot here for people who just want to waste an hour with mindless junk. Even the stuff that is not directly related to work does help a person become educated. IT staff should be educated, as their purpose should be problem solving, not just working through an algorithm to solve common issues. And the education is not what is happening on One Life to Live, or who did well in a sports event, or what star is sleeping with who. All these things are vital entertainment to be sure, but not to the employer who is paying for 8 hours of paper pushing or answering the phone or direct customer service.

Third is the nature of power. Just because one applies rightfully acquired power does not mean one is abusing the power. As long as we have a hierarchal management system, those at certain levels with certain job responsibilities are going to be assumed to be the best at managing the related resources. One can imagine in an IT department of one person significant abuse going on, but in larger departments, such as stated in the example, it is likely just a management issue. For instance, I block many sites because these sites encourage the installation of software that will break the machine. The user will not fix the machine, but will use it as an excuse to take the day off. Other sites are blocked as the users have shown a lack of discipline when using the sites. It is all a matter of productivity. I imagine that if the IT staff started spending all their time on fark, it might get blocked.

And fourth is simple exposure. Everyone knows what facebook is and therefore it is a target. How many people really know what fark or digg or /. is? If the PHB don't know what something is, then they won't know to do anything about it.

We do NOT abuse our supervisory powers ... (3, Funny)

VitaminB52 (550802) | more than 4 years ago | (#30632854)

... and if you don't believe me I will delete your account

It's not abuse when it's your responsibility (0)

holophrastic (221104) | more than 4 years ago | (#30632964)

IT blocks users from things that cause more IT work. Consider the user who goes to a forum, gets hit by some malware, doesn't know, it causes problems, and then IT has to fix it.
The IT guy doesn't have that problem. It's his responsibility so if it happens to him, he just fixes it.

It's not illegal to go to those sites. It just causes work for someone else. The "else" part is key. It's the opposite of "at your own risk".

Guess what (0)

Anonymous Coward | more than 4 years ago | (#30632974)

yeah
