Firewall Wizards mailing list archives

Re: Highlighting Security Issues


From: Victor Williams <vbwilliams () neb rr com>
Date: Sun, 01 Aug 2004 16:08:15 -0500

Might be an unpopular opinion...

But he got what was coming to him. If I was above him in the food chain, I would have terminated him also...without even thinking about it...it was a no-brainer. The screenshots also prove nothing. I can make my computer screen look like anyone's with about 10 minutes of work, and then take screenshots of it. This dude is an amateur at best.

Having worked as an employee (not a contractor) for the US Dept of Agriculture for almost 10 years, I can honestly say that this is commonplace--employees getting into others' business when they don't have enough to do.

Fact is, computer "abuse" is a common problem, and it is only going to be solved by admins who know what they're doing--which this guy obviously didn't--coupled with a strict, easy-to-understand policy that is also able to be enforced. In government (where the lowest bidder always wins) there just aren't enough resources (money and qualified people) to make policies and actually implement them.

1. Why didn't he have any security measures in place to disallow surfing of questionable websites? (My current company doesn't even allow us to check our company-matched 401k plans while on the company network, let alone check stocks.)

2. Why didn't his workstation policy (written and implementation) dictate that no games be loaded on workstations?

3. Regarding point 2, if that was the policy, why wasn't it policy (written and implementation) that end-users (like his boss) not have admin rights on their machines to re-install restricted software? This is a simple Windows NT/2000/XP policy issue.

His methods are those of vigilantism. If he was the actual network admin (which it isn't clear whether he was or not), then his job was to monitor and DOCUMENT, should any employees whose machines he oversees become a *problem*...not monitor, document, and tattle-tale. If his job was just system administrator (which is completely different from network administrator), then he was overstepping his boundaries again because it wasn't his job. I would promptly be removed from my current job if it came to light that I had installed software to spy on my boss without any order from upper management to do so. That's just common sense (uncommon these days). You do what you're told unless someone else higher than your boss tells you to do something differently...because that's what you're paid to do--what your boss(es) tell you to, in the grand scheme of things.

Fact is, in any business, the bottom line is what matters. If you are getting your work done with 10% of your time, checking your stocks another 20%, and the other 70% playing Solitaire, that's a management problem (above you and your boss); it's not your problem or concern...and you should not assume it is. You should do your job within your reach of authority, and when called upon by the right authority for more, do more. This guy clearly overstepped his boundaries. I think it's good for him to be concerned, but he should have never named names when submitting his findings. If anything, it made it look as though he had a vendetta against ONE person. If he had been thinking, he would have submitted a report saying more ambiguously that there were various abuses of computer resources going on. If management then wanted to make it an issue and have him provide more proof of this, then he gets a bit more specific. If he submits that proof and management turns around and again wants specifics on named individuals, then you go to that step.

This story is inherently what's so wrong with government at EVERY level...it's a perfect example. It's why I ultimately left...and hopefully I will never have to go back.

I hope he learned a valuable lesson...do your job and don't worry about anyone else. It was good for him to be concerned. It wasn't good for him to act out based on that concern.



Paul D. Robertson wrote:
Saw this on Slashdot, and thought it might be worth some thought...

http://www.aldotwaste.com/

The short version is that after being frustrated for a while, the person
in question Trojaned his boss's machine, and gathered screenshots over a 7
month period that show 70% of the time, his boss was playing solitaire,
and 20% of the time, checking his stocks.  The whistle-blower was removed
from his position, though he claims policy gave him the right to monitor
and document abuses.

Some of the knee-jerk reaction from the organization looks to be "there
was IDS and it was showing hacking and obviously this got us hacked!"
balanced by an independent report that says they were up to their ears in
false positives and didn't have AV updates working.

Thoughts?  Comments?  Updates from our favorite copying place?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


