RE: [Full-Disclosure] Blocking Music Sharing.

From: Rick Kingslan (rkingsla_at_cox.net)
Date: 09/17/03

    To: "'Jonathan A. Zdziarski'" <jonathan@nuclearelephant.com>, "'Ron DuFresne'" <dufresne@winternet.com>
    Date: Tue, 16 Sep 2003 23:27:07 -0500
    
    

    "Bottom line is if management won't back the admin's attempts to stop things
    like this from the office, and the admin can't (for whatever
    reason) prevent it from a technical level, then the admin has no place in
    taking upon themself to embarrass or discipline employees. There's no place
    for BOFH in today's corporate environment (IMHO at least) and things like
    this are unfortunately what gives seed to many admin types I've either fired
    or wanted to choke to death in the past.

    Let management enforce the AUP in a professional manner, taking the issue
    seriously or not at all."

    In my current situation - I can't enforce crap because the biggest offender
    is one of the VPs. Seriously. Currently, my hope is that he's d/ling
    enough to catch the attention of the RIAA. With any luck, he'll be served
    and jailed in a week or so.... ;o)

    Honestly, you make good points - and you are clearly correct. Trying to
    enforce policy that is either not communicated, or badly done - is stupid
    and ill-advised.

    However, if the policy IS communicated, sometimes you only have to make an
    example of one or two offenders - with your actions strongly backed by
    Executive Management. Typically, if the rest of the peasants see someone
    strung up out in the main courtyard or the main lobby - they get the point.

    I'm really into good examples. AUP works - examples _with_ an AUP work
    better.

    -rtk

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Jonathan A.
    Zdziarski
    Sent: Tuesday, September 16, 2003 9:33 PM
    To: Ron DuFresne
    Cc: Cael Abal; full-disclosure@lists.netsys.com
    Subject: Re: [Full-Disclosure] Blocking Music Sharing.

    > >
    > > I heartily disagree -- if an offense is considered serious enough to
    > > warrant being prohibited in an org's Acceptable Use Policy then
    > > there should be real punishment involved. If an offense isn't a big
    > > deal, then the AUP should be rewritten.
    > >

    My belief is that proactive prevention should always be tried before even
    getting to this level; there should be differing levels of severity in
    punishment for those who violate the AUP, but I see no reason not to block
    the common ports as a first attempt. Nearly every company has a corporate
    firewall (or at least should). Many P2P sharing tools are on obscure ports
    that could easily be blocked. Even a half-baked firewall policy ought to be
    able to prevent sharing.

    > > A Wall of Shame just sets a bad precedent -- a user could argue that
    > > the rules were ambiguous. "What? You can't fire me for running
    > > that root exploit! None of the other rules were ever seriously
    > > enforced, our policy is a joke!"

    Exposing employees instead of dealing with situations privately is always
    bad politics, and can be an easy way to kill morale (not to mention bring on
    a lawsuit by an embarrassed employee). Enforce the AUP in a private, civil
    manner.

    Bottom line is if management won't back the admin's attempts to stop things
    like this from the office, and the admin can't (for whatever
    reason) prevent it from a technical level, then the admin has no place in
    taking upon themself to embarrass or discipline employees. There's no place
    for BOFH in today's corporate environment (IMHO at least) and things like
    this are unfortunately what gives seed to many admin types I've either fired
    or wanted to choke to death in the past.

    Let management enforce the AUP in a professional manner, taking the issue
    seriously or not at all.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
