Re: [fw-wiz] Highlighting Security Issues

From: Paul D. Robertson (
Date: 08/01/04

    To: Victor Williams <>
    Date: Sun, 1 Aug 2004 17:40:09 -0400 (EDT)

    On Sun, 1 Aug 2004, Victor Williams wrote:

    > Might be an unpopular opinion...

    There's enough interesting things to this that I don't think there's a
    good basis for too strong an opinion either way, though the
    whistleblower's actions seem at least a little ill-advised...

    > But he got what was coming to him. If I was above him in the food
    > chain, I would have terminated him also...without even thinking about
    > was a no-brainer. The screenshots also prove nothing. I can

    I'm not sure it's a no-brainer; it really depends a lot on policy and
    somewhat on implementation. However, it's still worth looking at, since
    lots of us will be in a position where we'll have to end up monitoring an
    employee's activity over a period of time. I also figured the "stupid
    manager" thing might rile Marcus up a bit ;)

    > make my computer screen look like anyone's with about 10 minutes of
    > work, and then take screenshots of it. This dude is an amateur at best.

    The more interesting question there is how many folks who might have to
    ever monitor a system have invested in acquiring and testing the software
    they'd use to do it? Grabbing a Trojan off the Internet and installing it
    (especially a binary) seems like the *stupidest* path one could take in
    this situation. But I really didn't want to just push my analysis out
    there, I think it's worth some discussion in this community.

    > Having worked as an employee (not a contractor) for the US Dept of
    > Agriculture for almost 10 years, I can honestly say that this is
    > commonplace--employees getting into others' business when they have not
    > enough to do.

    Yet, something must provide the motivation for change for the better;
    somehow organizations need to find a way to channel such energy toward
    the organizational goal, rather than lose valuable talent or even a chance
    to improve the organization...

    > Fact is, computer "abuse" is a common problem, and it is only going to
    > be solved by admins who know what they're doing--which this guy
    > obviously didn't--coupled with a strict, easy-to-understand policy that
    > is also able to be enforced. In government (where the lowest bidder
    > always wins) there just isn't enough resources (money and qualified
    > people) to make policies and actually implement them.

    I don't think the commercial world is all that different, unless someone
    *cares* enough to do good policy creation and enforcement. That's one of
    the reasons that I'd prefer to see people channel such energy, rather than
    letting it go off on tangents, no matter how just the cause. I also think
    that we need to document and policize against really stupid things like
    downloading Trojans and installing them.

    > 1. Why didn't he have any security measures in place to disallow
    > surfing of questionable websites? (my current company doesn't even
    > allow us to check our company-matched 401k plans while on the company
    > network, let alone checking stocks).

    I've always thought such things were stupid. They get in the way of many
    legitimate sites, and put you into a "if I can get at it, then it's ok"
    sort of mode. Better to summarize sites surfed and have the employee sign
    the reports, like larger companies do with phone logs. I also get the
    stupid bounce messages from lots of e-mail content filters, which are the
    logical extension, and I know lots of people miss otherwise important
    messages because of some phrase, tool name, or slightly off remark.

    > 2. Why didn't his workstation policy (written and implementation)
    > dictate that no games be loaded on workstations?

    It comes with the OS, one of the problems with general purpose systems.
    Funnily enough, even though we've got "Pro" editions of the OS's now, they
    still have all the cruft. Though I'll admit that I've loaded my fair
    share of Quake versions and maps on otherwise work systems in the past
    (always with my immediate management being aware of it.)

    > His methods are that of vigilantism. If he was the actual network admin
    > (which it doesn't clarify whether he is or not), then his job was to
    > monitor and DOCUMENT, should any employees whose machines he oversees
    > become a *problem*...not monitor, document, and tattle-tale. If his job

    I'm not sure that follows. If you're supposed to monitor and document,
    it's all for nothing if the documentation doesn't go anywhere. But then,
    I've always been visible enough to get folks to give me their tattles and
    let me decide what to do with them. I've also had the "My boss isn't
    being effective" conversation with the next person up the chain.

    > without any order from upper management to do so. That's just common
    > sense (uncommon these days). You do what you're told unless someone
    > else higher than your boss tells you to do something
    > differently...because that's what you're paid to do--what your boss(es)
    > tell you to in the grand scheme of things.

    That seems to be a short-sighted way to look at things. Certainly, at my
    last employer, I took my fiduciary responsibilities much further than "what
    my boss tells me to do." If an organization doesn't allow people to do
    the *right* thing, absent specific instructions to do so, then I think the
    organization is harmed. If the organization doesn't provide an avenue for
    people who do the right thing to be heard (and note, that I'm not saying
    the individual in this case was doing the right thing) and the good of the
    organization doesn't preclude other things, then I think you're not using
    your employees effectively, and the organization isn't going to get much
    value out of its most expensive resources.

    > Fact is, in any business, the bottom line is what matters. If you are
    > getting your work done with 10% of your time, checking your stocks
    > another 20%, and the other 70% playing Solitaire, that's a management
    > problem (above you and your boss), that's not your problem or

    Sure it's a management problem, *everything* is a management problem. The
    thing is that organizations need ways for management problems to be
    brought into the open.

    > concern...and you should not assume it is. You should do your job
    > within your reach of authority, and when called upon by the right
    > authority for more, do more. This guy clearly overstepped his
    > boundaries. I think it's good for him to be concerned, but he should
    > have never named names with submitting his findings. If anything, it
    > made it look as though he had a vendetta against ONE person. If he

    From my reading of the PDFs, it looks more like he was hunting to get
    promoted into the job his manager was in.

    Paul D. Robertson
    "My statements in this message are personal opinions which may have no basis whatsoever in fact."
    Director of Risk Assessment
    TruSecure Corporation
    firewall-wizards mailing list
