Firewall Wizards mailing list archives
Re: Re: Highlighting Security Issues
From: <firewalladmin () bellsouth net>
Date: Tue, 3 Aug 2004 15:50:01 -0400
'Scuze me, but whether or not the systems admin guy was a loser is just the side note here in my opinion, and it seems to me you are defending a manager who doesn't deserve a defence, nor is what he has been doing over the last 7 months acceptable just because it was pointed out in a wrongful manner. It is stuff like this that - if I may use an outrageous example to help make a point in a much smaller matter - lets the murderer go free because he wasn't read his Miranda rights before he confessed to the crime he was caught red-handed doing. If this discussion is about ethical and professional systems administration, okay, fire the dork who loaded the trojan. If it is about ethical work habits in the government, then the idiot who plays solitaire and checks his stocks on-line all day at taxpayer expense (and I would guess this guy makes 60-90k per year) needs to lose his job too. Don't defend one criminal just because he was ratted out by another criminal. Either both are wrong or neither are wrong. To sympathize with either individual is understandable in this case depending on which side of the fence you have been on in the past, but to defend either position seems a little ridiculous.

From: Victor Williams <vbwilliams () neb rr com>
Date: 2004/08/01 Sun PM 10:20:46 EDT
To: "Paul D. Robertson" <paul () compuwar net>
CC: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Highlighting Security Issues

> There's enough interesting things to this that I don't think there's a good basis for too strong an opinion either way, though the whistleblower's actions seem at least a little ill-advised...
Understatement of the year there...but that's just my opinion. =)
> I'm not sure it's a no-brainer; it really depends a lot on policy and somewhat on implementation. However, it's still worth looking at, since lots of us will be in a position where we'll have to end up monitoring an employee's activity over a period of time. I also figured the "stupid manager" thing might rile Marcus up a bit ;)
Policy aside...in an organization, there has to be a chain of command that you go up. And there has to be a motivation and empowerment from higher-up (before the whistle-blowing) for this ex-employee's case to hold water at all. If he didn't go through the right channels and just appeared to be out to get someone (because I'm sure there were others below him, or maybe his peers that were also *abusing* their computer privileges...whatever that means), for me, he's gone. Only reason it's an issue is because he's a gov't employee. I don't think anyone wants to set the precedent that if you spy on your supervisor and find that they are doing something wrong, you can get them written up or even removed. What happens when this guy wins? I may not like my supervisor as a person, but the thing is, if he looks good, I look good...
> The more interesting question there is how many folks who might have to ever monitor a system have invested in acquiring and testing the software they'd use to do it? Grabbing a Trojan off the Internet and installing it (especially a binary) seems like the *stupidest* path one could take in this situation. But I really didn't want to just push my analysis out there, I think it's worth some discussion in this community.
I thought it was pretty stupid also...so stupid I didn't think it needed discussion. I dunno...on Windows-based systems, there are various other ways of recording what someone is doing (within the confines of the OS itself) than having to load a trojan. One word for this employee: DUH
> Yet, something must provide the motivation for change for the better; somehow organizations need to find a way to channel such energy toward the organizational goal, rather than lose valuable talent or even a chance to improve the organization...
I guess I'm not that optimistic. Burn it all down. Let's start over. This is gov't we're talking about. I might ask what the organizational goal of the dept of transportation is. In my town, it's to keep the buses running, the streets repaired, and get the snow off the road in the winter. I don't see how Solitaire affects that. I DO see how a trojan introduced into the system by a dumb employee could affect it however.
> I don't think the commercial world is all that different, unless someone *cares* enough to do good policy creation and enforcement. That's one of the reasons that I'd prefer to see people channel such energy, rather than letting it go off on tangents, no matter how just the cause. I also think that we need to document and policize against really stupid things like downloading Trojans and installing them.
I think it is very different. I think in the commercial world, you're always cutting the fat off because it's costing your department, your company cash. This guy would have been cut off a long time ago where I work...if his version of monitoring someone is loading a trojan. Windows is nice in that you don't have to load a trojan to see what's going on...on ANY version. I don't think any documenting and policizing is going to do it. I think what the world lacks is critical thinkers. I think that's the problem here. I don't think this person used their brain enough, and did the wrong thing...period. Had nothing to do with policy. I also think it was something personal that prompted this person's actions. I don't think it was technical ability/inability, anything else optimistic you can think of. Sorry, I've been on the receiving end of this. I wasn't guilty of playing Solitaire, but I was accused of spending too much time websurfing when I was a developer at the USDA. Where do you find 99% of your code snippets/ideas from to conceptualize? The answer? The web. This person did the wrong thing.
> I've always thought such things were stupid. They get in the way of many legitimate sites, and put you into a "if I can get at it, then it's ok" sort of mode. Better to summarize sites surfed and have the employee sign the reports, like larger companies do with phone logs. I also get the stupid bounce messages from lots of e-mail content filters, which are the logical extension, and I know lots of people miss otherwise important messages because of some phrase, tool name, or slightly off remark.
I don't see it that way...may just be the nature of the company/business I'm in. They, like anything else, don't get in the way of anything if they're tuned correctly. Same thing goes with the AV gateways/scanners...but that's a different discussion altogether...
> It comes with the OS, one of the problems with general purpose systems. Funnily enough, even though we've got "Pro" editions of the OS's now, they still have all the cruft. Though I'll admit that I've loaded my fair share of Quake versions and maps on otherwise work systems in the past (always with my immediate management being aware of it.)
Not a reason or an excuse. It comes as an option you do not have to install. If you have a halfway decent Windows network policy (and an admin who knows what they are doing), you don't let end-users install their own software...doesn't matter if they are the CEO. And you don't hand them a PC or laptop with 800 things they don't need on it. If they have a justification for a piece of software, they document requesting you load it and for what purpose. If it becomes an item of abuse later on, you have something to go back to and re-evaluate. If you just hand them the keys to the castle, don't be surprised when they find the dungeon and start messing around in it...you're the one who gave them the keys after all...and don't get mad at anyone but yourself either.
> I'm not sure that follows. If you're supposed to monitor and document, it's all for nothing if the documentation doesn't go anywhere. But then, I've always been visible enough to get folks to give me their tattles and let me decide what to do with them. I've also had the "My boss isn't being effective" conversation with the next person up the chain.
I don't believe that at all. I'm not one for quoting scripture, but there's one that says "Be sure your sins will find you out." If you're doing the wrong thing, one way or another, the wrong person is going to find out about it...and then you're toast. It always happens to people misusing the network. Tools or no tools in place. Misuse long enough, the right person finds out, then you're done. I've been on the giving end of this before. I monitor and document everything...from the CEO to the janitor. I don't tattle-tale, but I let the supervisors-that-be know that something is going on that shouldn't. IF they are interested, I tell them more. If they are not, I go back to monitor and document and do what's in my power. If you have done what's in your power, what more are you expected to do? Sorry, I don't think it's worth losing your job over... If the supervisors continue to not care and I find I cannot work in that environment, guess what? The monster.com account just got reactivated and a call is placed to my headhunter the next day.
> That seems to be a short-sighted way to look at things. Certainly, at my last employer, I took my fiduciary responsibilities much further than "what my boss tells me to do." If an organization doesn't allow people to do the *right* thing, absent specific instructions to do so, then I think the organization is harmed. If the organization doesn't provide an avenue for people who do the right thing to be heard (and note, that I'm not saying the individual in this case was doing the right thing) and the good of the organization doesn't preclude other things, then I think you're not using your employees effectively, and the organization isn't going to get much value out of its most expensive resources.
What you're talking about here is ethics. Within ethical boundaries, your job ultimately is to do what the shareholders (who ultimately hire/appoint your boss, who hires you) tell you to. That is dictated THROUGH policies of the company. If you cannot do your job within ethical boundaries, you really have three decisions: 1) Suck it up and just get paid and throw ethics aside, or 2) Leave your job...one way or the other (like this guy), or 3) If your boss is like mine, approach him and say there are things going on on the network that could negatively affect it. If he asks what, then there's your opportunity to progress. If he doesn't, refer to option 1 or 2. The problem with this situation is this person doesn't think they have an ethical out. I kind of have the same belief. But, I don't think policies are enforced in any gov't agency anyway (minus the FBI and places like that), so it's kind of pointless. You're paid to do what your boss tells you to...minus breaking the law. If you want to make a difference, go work in private industry where we're trying to guard our assets (with security policies and practices), and not for the department of transportation where everything is public knowledge anyway...right down to what people get paid, when they were arrested last, etc etc. Which brings me to my next point...just putting 1 and 1 together, what did this organization stand to lose by one guy playing Solitaire? Seemed to me that there was more to lose (integrity of the network for one) by some guy loading a trojan, than by someone else playing Solitaire. That's why I said earlier it was a no-brainer. You're using something that's already on your machine that the local admin put on your desk WITH it loaded vs the local admin loading a trojan that lets him see what you're (and ONLY you) doing from anywhere in the world with an internet connection. It's a no-brainer...what's keeping everyone else from connecting to and compromising the machine at that point?
If he was so concerned about policy, why didn't he change the policy on the local machine, and uninstall the game(s)? There are so many things you can do remotely with a Windows machine without the end-user knowing the difference...all it takes is a little thought and brainpower...
> Sure it's a management problem, *everything* is a management problem. The thing is that organizations need ways for management problems to be brought into the open.
I'd say this one was pretty much out there...pretty effective way to get it out there wouldn't you say? =)
concern...and you should not assume it is. You should do your job within your reach of authority, and when called upon by the right authority for more, do more. This guy clearly overstepped his boundaries. I think it's good for him to be concerned, but he should have never named names with submitting his findings. If anything, it made it look as though he had a vendetta against ONE person. If he

> From my reading of the PDFs, it looks more like he was hunting to get promoted into the job his manager was in.

Exactly. No-brainer. He's gone. Now that he's gone, what can we do to bring in someone MORE qualified to tighten up our assets here? What do we need to do to change our policies to protect us against abusers? What do we need to do to keep our employees busy with actual work?...fire some people and give the remaining raises and more work? Is Solitaire really abuse? Is checking stocks abuse? Is the network slow because someone has their Datek real-time ticker going all day, or because database admin X across the hall is downloading Oracle CD's to do his job?

Mark F. MCP, CCNA
"You can spend your life any way you want... But you can only spend it once."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards