Re: [fw-wiz] Highlighting Security Issues
From: Paul D. Robertson (paul_at_compuwar.net)
To: Victor Williams <email@example.com> Date: Sun, 1 Aug 2004 17:40:09 -0400 (EDT)
On Sun, 1 Aug 2004, Victor Williams wrote:
> Might be an unpopular opinion...
There's enough interesting things to this that I don't think there's a
good basis for too strong an opinion either way, though the
whistleblower's actions seem at least a little ill-advised...
> But he got what was coming to him. If I was above him in the food
> chain, I would have terminated him also...without even thinking about
> it...it was a no-brainer. The screenshots also prove nothing. I can
I'm not sure it's a no-brainer- it really depends a lot on policy and
somewhat on implementation. However, it's still worth looking at, since
lots of us will be in a position where we'll have to end up monitoring an
employee's activity over a period of time. I also figured the "stupid
manager" thing might rile Marcus up a bit ;)
> make my computer screen look like anyone's with about 10 minutes of
> work, and then take screenshots of it. This dude is an amateur at best.
The more interesting question there is how many folks who might have to
ever monitor a system have invested in acquiring and testing the software
they'd use to do it? Grabbing a Trojan off the Internet and installing it
(especially a binary) seems like the *stupidest* path one could take in
this situation. But I really didn't want to just push my analysis out
there, I think it's worth some discussion in this community.
> Having worked as an employee (not a contractor) for the US Dept of
> Agriculture for almost 10 years, I can honestly say that this is
> commonplace--employees getting into others' business when they have not
> enough to do.
Yet, something must provide the motivation for change for the better-
somehow organizations need to find a way to channel such energy toward
the organizational goal, rather than lose valuable talent or even a chance
to improve the organization...
> Fact is, computer "abuse" is a common problem, and it is only going to
> be solved by admins who know what they're doing--which this guy
> obviously didn't--coupled with a strict, easy-to-understand policy that
> is also able to be enforced. In government (where the lowest bidder
> always wins) there just isn't enough resources (money and qualified
> people) to make policies and actually implement them.
I don't think the commercial world is all that different, unless someone
*cares* enough to do good policy creation and enforcement. That's one of
the reasons that I'd prefer to see people channel such energy, rather than
letting it go off on tangents, no matter how just the cause. I also think
that we need to document and policize against really stupid things like
downloading Trojans and installing them.
> 1. Why didn't he have any security measures in place to disallow
> surfing of questionable websites? (my current company doesn't even
> allow us to check our company-matched 401k plans while on the company
> network, let alone checking stocks).
I've always thought such things were stupid. They get in the way of many
legitimate sites, and put you into a "if I can get at it, then it's ok"
sort of mode. Better to summarize sites surfed and have the employee sign
the reports, like larger companies do with phone logs. I also get the
stupid bounce messages from lots of e-mail content filters, which are the
logical extension, and I know lots of people miss otherwise important
messages because of some phrase, tool name, or slightly off remark.
> 2. Why didn't his workstation policy (written and implementation)
> dictate that no games be loaded on workstations?
It comes with the OS, one of the problems with general purpose systems.
Funnily enough, even though we've got "Pro" editions of the OS's now, they
still have all the cruft. Thought I'll admit that I've loaded my fair
share of Quake versions and maps on otherwise work systems in the past
(always with my immediate management being aware of it.)
> His methods are that of vigilantism. If he was the actual network admin
> (which it doesn't clarify whether he is or not), then his job was to
> monitor and DOCUMENT, should any employees whose machines he oversees
> become a *problem*...not monitor, document, and tattle-tale. If his job
I'm not sure that follows. If you're supposed to monitor and document,
it's all for nothing if the documentation doesn't go anywhere. But then,
I've always been visible enough to get folks to give me their tattles and
let me decide what to do with them. I've also had the "My boss isn't
being effective" conversation with the next person up the chain.
> without any order from upper management to do so. That's just common
> sense (uncommon these days). You do what you're told unless someone
> else higher than your boss tells you to do something
> differently...because that's what you're paid to do--what your boss(es)
> tell you to in the grand scheme of things.
That seems to be a short-sighted way to look at things. Certainly, at my
last employer, I took my fiduciary responsibilities much further than "what
my boss tells me to do." If an organization doesn't allow people to do
the *right* thing, absent specific instructions to do so, then I think the
organization is harmed. If the organization doesn't provide an avenue for
people who do the right thing to be heard (and note, that I'm not saying
the individual in this case was doing the right thing) and the good of the
organization doesn't preclude other things, then I think you're not using
your employees effectively, and the organization isn't going to get much
value out of its most expensive resources.
> Fact is, in any business, the bottom line is what matters. If you are
> getting your work done with 10% of your time, checking your stocks
> another 20%, and the other 70% playing Solitaire, that's a management
> problem (above you and your boss), that's not your problem or
Sure it's a management problem, *everything* is a management problem. The
thing is that organizations need ways for management problems to be
brought into the open.
> concern...and you should not assume it is. You should do your job
> within your reach of authority, and when called upon by the right
> authority for more, do more. This guy clearly overstepped his
> boundaries. I think it's good for him to be concerned, but he should
> have never named names with submitting his findings. If anything, it
> made it look as though he had a vendetta against ONE person. If he
From my reading of the PDFs, it looks more like he was hunting to get
promoted into the job his manager was in.
Paul D. Robertson "My statements in this message are personal opinions
firstname.lastname@example.org which may have no basis whatsoever in fact."
email@example.com Director of Risk Assessment TruSecure Corporation
firewall-wizards mailing list