Re: [fw-wiz] Highlighting Security Issues
From: Victor Williams (vbwilliams_at_neb.rr.com)
To: "Paul D. Robertson" <email@example.com> Date: Sun, 01 Aug 2004 16:08:15 -0500
Might be an unpopular opinion...
But he got what was coming to him. If I was above him in the food
chain, I would have terminated him also...without even thinking about
it...it was a no-brainer. The screenshots also prove nothing. I can
make my computer screen look like anyone's with about 10 minutes of
work, and then take screenshots of it. This dude is an amateur at best.
Having worked as an employee (not a contractor) for the US Dept of
Agriculture for almost 10 years, I can honestly say that this is
commonplace--employees getting into others' business when they have not
enough to do.
Fact is, computer "abuse" is a common problem, and it is only going to
be solved by admins who know what they're doing--which this guy
obviously didn't--coupled with a strict, easy-to-understand policy that
is also able to be enforced. In government (where the lowest bidder
always wins) there just isn't enough resources (money and qualified
people) to make policies and actually implement them.
1. Why didn't he have any security measures in place to disallow
surfing of questionable websites? (my current company doesn't even
allow us to check our company-matched 401k plans while on the company
network, let alone checking stocks).
2. Why didn't his workstation policy (written and implementation)
dictate that no games be loaded on workstations?
3. Regarding point 2, if that was the policy, why wasn't it policy
(written and implementation) that end-users (like his boss) not have
admin rights on their machine to re-install restricted software? This
is a simple Windows NT/2000/XP policy issue.
His methods are that of vigilantism. If he was the actual network admin
(which it doesn't clarify whether he is or not), then his job was to
monitor and DOCUMENT, should any employees whose machines he oversees
become a *problem*...not monitor, document, and tattle-tale. If his job
was just system administrator (which is completely different from
network administrator), then he was overstepping his boundaries again
because it wasn't his job. I would promptly be removed from my current
job if it came to light that I had installed software to spy on my boss
without any order from upper management to do so. That's just common
sense (uncommon these days). You do what you're told unless someone
else higher than your boss tells you to do something
differently...because that's what you're paid to do--what your boss(es)
tell you to in the grand scheme of things.
Fact is, in any business, the bottom line is what matters. If you are
getting your work done with 10% of your time, checking your stocks
another 20%, and the other 70% playing Solitaire, that's a management
problem (above you and your boss), that's not your problem or
concern...and you should not assume it is. You should do your job
within your reach of authority, and when called upon by the right
authority for more, do more. This guy clearly overstepped his
boundaries. I think it's good for him to be concerned, but he should
have never named names with submitting his findings. If anything, it
made it look as though he had a vendetta against ONE person. If he
would have been thinking, he would have submitted a report saying more
ambiguously that there were various abuses of computer resources going
on. If management then wanted to make it an issue and have him provide
more proof of this, then he gets a bit more specific. If he submits
that proof and management turns around and again wants specifics on
named individuals, then you go to that step.
This story is inherently what's so wrong with government at EVERY
level...it's a perfect example. It's why I ultimately left...and
hopefully I will never have to go back.
I hope he learned a valuable lesson...do your job and don't worry about
anyone else. It was good for him to be concerned. It wasn't good for
him to act out based on that concern.
Paul D. Robertson wrote:
> Saw this on Slashdot, and thought it might be worth some thought...
> The short version is that after being frustrated for a while, the person
> in question Trojaned his boss's machine, and gathered screenshots over a 7
> month period that show 70% of the time, his boss was playing solitaire,
> and 20% of the time, checking his stocks. The whistle-blower was removed
> from his position, though he claims policy gave him the right to monitor
> and document abuses.
> Some of the knee-jerk reaction from the organization looks to be "there
> was IDS and it was showing hacking and obviously this got us hacked!"
> balanced by an independent report that says they were up to their ears in
> false positives and didn't have AV updates working.
> Thoughts? Comments? Updates from our favorite copying place?
> Paul D. Robertson "My statements in this message are personal opinions
> firstname.lastname@example.org which may have no basis whatsoever in fact."
> email@example.com Director of Risk Assessment TruSecure Corporation
> firewall-wizards mailing list
firewall-wizards mailing list