Firewall Wizards mailing list archives

Re: Highlighting Security Issues


From: Victor Williams <vbwilliams () neb rr com>
Date: Sun, 01 Aug 2004 21:20:46 -0500

> There's enough interesting things to this that I don't think there's a
> good basis for too strong an opinion either way, though the
> whistleblower's actions seem at least a little ill-advised...

Understatement of the year there...but that's just my opinion.  =)

> I'm not sure it's a no-brainer- it really depends a lot on policy and
> somewhat on implementation.  However, it's still worth looking at, since
> lots of us will be in a position where we'll have to end up monitoring an
> employee's activity over a period of time.  I also figured the "stupid
> manager" thing might rile Marcus up a bit ;)

Policy aside...in an organization, there has to be a chain of command that you go up. And there has to be a motivation and empowerment from higher-up (before the whistle-blowing) for this ex-employee's case to hold water at all. If he didn't go through the right channels and just appeared to be out to get someone (because I'm sure there were others below him, or maybe his peers that were also *abusing* their computer privileges...whatever that means), for me, he's gone. Only reason it's an issue is because he's a gov't employee. I don't think anyone wants to set the precedent that if you spy on your supervisor and find that they are doing something wrong, you can get them written up or even removed. What happens when this guy wins?

I may not like my supervisor as a person, but the thing is, if he looks good, I look good...

> The more interesting question there is how many folks who might have to
> ever monitor a system have invested in acquiring and testing the software
> they'd use to do it?  Grabbing a Trojan off the Internet and installing it
> (especially a binary) seems like the *stupidest* path one could take in
> this situation.  But I really didn't want to just push my analysis out
> there, I think it's worth some discussion in this community.


I thought it was pretty stupid also...so stupid I didn't think it needed discussion. I dunno...on Windows-based systems, there are various other ways of recording what someone is doing (within the confines of the OS itself) than having to load a trojan. One word for this employee: DUH

> Yet, something must provide the motivation for change for the better-
> somehow organizations need to find a way to channel such energy toward
> the organizational goal, rather than lose valuable talent or even a chance
> to improve the organization...

I guess I'm not that optimistic. Burn it all down. Let's start over. This is gov't we're talking about.

I might ask what the organizational goal of the dept of transportation is. In my town, it's to keep the buses running, the streets repaired, and get the snow off the road in the winter. I don't see how Solitaire affects that. I DO see how a trojan introduced into the system by a dumb employee could affect it however.

> I don't think the commercial world is all that different, unless someone
> *cares* enough to do good policy creation and enforcement.  That's one of
> the reasons that I'd prefer to see people channel such energy, rather than
> letting it go off on tangents, no matter how just the cause.  I also think
> that we need to document and policize against really stupid things like
> downloading Trojans and installing them.

I think it is very different. I think in the commercial world, you're always cutting the fat off because it's costing your department, your company cash. This guy would have been cut off a long time ago where I work...if his version of monitoring someone is loading a trojan. Windows is nice in that you don't have to load a trojan to see what's going on...on ANY version.

I don't think any documenting and policizing is going to do it. I think what the world lacks is critical thinkers. I think that's the problem here. I don't think this person used their brain enough, and did the wrong thing...period. Had nothing to do with policy. I also think it was something personal that prompted this person's actions. I don't think it was technical ability/inability, anything else optimistic you can think of. Sorry, I've been on the receiving end of this. I wasn't guilty of playing Solitaire, but I was accused of spending too much time websurfing when I was a developer at the USDA. Where do you find 99% of your code snippets/ideas from to conceptualize? The answer? The web. This person did the wrong thing.

> I've always thought such things were stupid.  They get in the way of many
> legitimate sites, and put you into a "if I can get at it, then it's ok"
> sort of mode.  Better to summarize sites surfed and have the employee sign
> the reports, like larger companies do with phone logs.  I also get the
> stupid bounce messages from lots of e-mail content filters, which are the
> logical extension, and I know lots of people miss otherwise important
> messages because of some phrase, tool name, or slightly off remark.

I don't see it that way...may just be the nature of the company/business I'm in. They, like anything else, don't get in the way of anything if they're tuned correctly. Same thing goes with the AV gateways/scanners...but that's a different discussion altogether...

> It comes with the OS, one of the problems with general purpose systems.
> Funnily enough, even though we've got "Pro" editions of the OS's now, they
> still have all the cruft.  Though I'll admit that I've loaded my fair
> share of Quake versions and maps on otherwise work systems in the past
> (always with my immediate management being aware of it.)

Not a reason or an excuse. It comes as an option you do not have to install. If you have a halfway decent Windows network policy (and an admin who knows what they are doing), you don't let end-users install their own software...doesn't matter if they are the CEO. And you don't hand them a PC or laptop with 800 things they don't need on it. If they have a justification for a piece of software, they document requesting you load it and for what purpose. If it becomes an item of abuse later on, you have something to go back to and re-evaluate. If you just hand them the keys to the castle, don't be surprised when they find the dungeon and start messing around in it...you're the one who gave them the keys after all...and don't get mad at anyone but yourself either.

> I'm not sure that follows.  If you're supposed to monitor and document,
> it's all for nothing if the documentation doesn't go anywhere.  But then,
> I've always been visible enough to get folks to give me their tattles and
> let me decide what to do with them.  I've also had the "My boss isn't
> being effective" conversation with the next person up the chain.

I don't believe that at all. I'm not one for quoting scripture, but there's one that says "Be sure your sins will find you out." If you're doing the wrong thing, one way or another, the wrong person is going to find out about it...and then you're toast. It always happens to people misusing the network. Tools or no tools in place. Misuse long enough, the right person finds out, then you're done. I've been on the giving end of this before. I monitor and document everything...from the CEO to the janitor. I don't tattle-tale, but I let the supervisors-that-be know that something is going on that shouldn't. IF they are interested, I tell them more. If they are not, I go back to monitor and document and do what's in my power. If you have done what's in your power, what more are you expected to do? Sorry, I don't think it's worth losing your job over...

If the supervisors continue to not care and I find I cannot work in that environment, guess what? The monster.com account just got reactivated and a call is placed to my headhunter the next day.

> That seems to be a short-sighted way to look at things.  Certainly, at my
> last employer, I took my fiduciary responsibilities much further than "what
> my boss tells me to do."  If an organization doesn't allow people to do
> the *right* thing, absent specific instructions to do so, then I think the
> organization is harmed.  If the organization doesn't provide an avenue for
> people who do the right thing to be heard (and note, that I'm not saying
> the individual in this case was doing the right thing) and the good of the
> organization doesn't preclude other things, then I think you're not using
> your employees effectively, and the organization isn't going to get much
> value out of its most expensive resources.

What you're talking about here is ethics. Within ethical boundaries, your job ultimately is to do what the shareholders (who ultimately hire/appoint your boss, who hires you) tell you to. That is dictated THROUGH policies of the company. If you cannot do your job within ethical boundaries, you really have three decisions: 1) Suck it up and just get paid and throw ethics aside, or 2) Leave your job...one way or the other (like this guy), or 3) If your boss is like mine, approach him and say there are things going on on the network that could negatively affect it. If he asks what, then there's your opportunity to progress. If he doesn't, refer to option 1 or 2.

The problem with this situation is this person doesn't think they have an ethical out. I kind of have the same belief. But, I don't think policies are enforced in any gov't agency anyway (minus the FBI and places like that), so it's kind of pointless. You're paid to do what your boss tells you to...minus breaking the law. If you want to make a difference, go work in private industry where we're trying to guard our assets (with security policies and practices), and not for the department of transportation where everything is public knowledge anyway...right down to what people get paid, when they were arrested last, etc etc.

Which brings me to my next point...just putting 1 and 1 together, what did this organization stand to lose by one guy playing Solitaire? Seemed to me that there was more to lose (integrity of the network for one) by some guy loading a trojan, than by someone else playing Solitaire. That's why I said earlier it was a no-brainer. You're using something that's already on your machine that the local admin put on your desk WITH it loaded vs the local admin loading a trojan that lets him see what you're (and ONLY you) doing from anywhere in the world with an internet connection. It's a no-brainer...what's keeping everyone else from not connecting to and compromising the machine at that point?

If he was so concerned about policy, why didn't he change the policy on the local machine, and uninstall the game(s)? There are so many things you can do remotely with a Windows machine without the end-user knowing the difference...all it takes is a little thought and brainpower...

> Sure it's a management problem, *everything* is a management problem.  The
> thing is that organizations need ways for management problems to be
> brought into the open.

I'd say this one was pretty much out there...pretty effective way to get it out there wouldn't you say? =)

> concern...and you should not assume it is.  You should do your job
> within your reach of authority, and when called upon by the right
> authority for more, do more.  This guy clearly overstepped his
> boundaries.  I think it's good for him to be concerned, but he should
> have never named names with submitting his findings.  If anything, it
> made it look as though he had a vendetta against ONE person.  If he

> From my reading of the PDFs, it looks more like he was hunting to get
> promoted into the job his manager was in.

Exactly. No-brainer. He's gone. Now that he's gone, what can we do to bring in someone MORE qualified to tighten up our assets here? What do we need to do to change our policies to protect us against abusers? What do we need to do to keep our employees busy with actual work?...fire some people and give the remaining raises and more work? Is Solitaire really abuse? Is checking stocks abuse? Is the network slow because someone has their Datek real-time ticker going all day, or because database admin X across the hall is downloading Oracle CDs to do his job?
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards