Do IT Pros Abuse Their Power? 460
An anonymous reader writes "I have noticed that many airports and hospitals I've visited have some kind of internet usage policy in place. Some use software similar to Websense, which effectively blocks sites based on blacklisting them by category. A commonly used blacklist prevents users from accessing 'forums or discussion boards,' yet I find that often these networks allow users to access sites like Fark, Slashdot, Digg and other message boards that appeal to the technical culture one might find in the IT world. In your experience, do IT administrators abuse their supervisory powers? Has there ever been a backlash from users or management for doing so?"
New around here? (Score:5, Funny)
Re: (Score:2)
And those who aren't have other issues to pursuit.
Re:New around here? (Score:5, Informative)
e.g. the BOFH substitutes some images, and/or inserts a rather loud audioclip.
Go figure out the details yourself.
Even if you use SSL, the BOFH probably controls what CA certs are installed in your browser
Re: (Score:2, Informative)
http://www.theregister.co.uk/2008/10/03/bofh_2008_episode_32/
Wiki-Fiddeling: The Art of creating Wikipedia articels, on the fly, to back up your Story / Aliby or Invoce.
Re: (Score:3, Informative)
Nah, that's pretty mundane these days. What TheLink was talking about is intercepting and injecting packets into the http response message from the web server.
So you think you're reading CNN, your browser thinks it's getting packets from cnn.com but a server downstairs in a locked room is injecting a The Onion story as the main headline, backed up by images from a pornographic google image search for the story keywords.
Meanwhile your boss is walking past going, "What's up?" Are you both in for a surprise..
Re:New around here? (Score:5, Funny)
Oh, you mean something like blurring or mirroring images on websites [ex-parrot.com] viewed over an open WiFi access point?
Re: (Score:3, Funny)
I believe your referring to Mrs. Roberts. The ultimate work-from-home admin?
http://xkcd.com/341/ [xkcd.com]
Re: (Score:2, Insightful)
and I don't believe any backlash will ever occur because the users/management don't know how the network works. So its a win win situation for the IT Pros.
Management "I can't access facebook, however I noticed you can access that slashdot website of yours."
Me "Yep, because I get news about IT related stuff... facebook is just a waste of productivity time... its your policy!"
Management "oh, yeah. your right... could you add me to the list of allow
Re: (Score:3, Informative)
Of course (Score:5, Insightful)
Re: (Score:2, Insightful)
Maybe blocking Slashdot isn't an abuse of power. Maybe their intentions are good and they just want to prevent another stupid question from appearing in the Ask Slashdot section. They might reason, if he's smart enough to get around our filters, he probably won't ask such stupid questions. Maybe he'll even consult Google before submitting a "story". I know that last part is wishful thinkin
Re:Of course (Score:4, Informative)
I think you missed something. He's saying those sites are not blocked.
Re:Of course (Score:4, Insightful)
I'm sorry, but /. hasn't been a 'technical' crowd for some time now. It's currently a small population of 'technical' people of various fields and a great deal of September That Never Ended wanna-be haxx0rs.
Re:Of course (Score:5, Funny)
Since when.. (Score:5, Interesting)
...are Fark and Digg considered 'technical culture' sites. Seriously, this isn't 2001. Last time I checked, the Internet had sort of entered the mainstream and 'slacking off at work' isn't really considered exclusively IT.
Re: (Score:2)
Re:Since when.. (Score:4, Funny)
Re:Since when.. (Score:5, Informative)
you can blame the fact that the websense ceo is the same guy who was ceo of Mcafee during the time when Mcafee was known to be a piece of shit software that wasn't complete or accurate. Is it any more surprising that he's equally badly mismanaging websense, and is selling to the same crowd with both basically?
The issue is a man named gene hodges [forbes.com], the guy is a horrible ceo (and cause for many tech issues relying on anything he is a part of) .
Re: (Score:2)
you can blame the fact that the websense ceo is the same guy who was ceo of Mcafee during the time when Mcafee was known to be a piece of shit software that wasn't complete or accurate.
Why? What is McAfee considered now? Just curious, because lately I've seen a lot of infected machines coming into our shop with fully updated and running McAfee suites...
Re:Since when.. (Score:5, Funny)
The McAfee infection is annoying. Popping up all the time, asking for money....
Power Corrupts... (Score:5, Interesting)
Absolute power, is even more fun!</bofh>
Yes, we did have something like this happen where I work. Our IT group ended up blocking all social networking sites. Our marketing department raised a fit because they use Facebook for business purposes.
Re:Power Corrupts... (Score:5, Interesting)
Yes, we did have something like this happen where I work. Our IT group ended up blocking all social networking sites. Our marketing department raised a fit because they use Facebook for business purposes.
At the place were I currently work we have kind of a "feel free to use the internet as you wish" policy. This actually works out quite well. Sites are not filtered specifically. They basically say "hey, if you end up doing illegal stuff, you're screwed, otherwise we don't care as long as you get to do your work."
I used to work for a financial institution before that. And they had sort of a lockdown-mania. Filtering proxies (no checking your private web mail - could be used for stealing information), read-only USB mass storage, scanning outgoing e-mail attachments etc. I guess, these rules came in place because of management being scared to death by compliance requirements, not because of IT admins abusing their power.
And BTW: Had I wished to steal massive amounts of data, I could have still simply sent them via e-mail in a password-encrypted archive. It's a matter of trust, not only of making it difficult. So basically powerful and clueless management are equally effective as power-abusing admins.
Re:Power Corrupts... (Score:5, Insightful)
Re:Power Corrupts... (Score:5, Insightful)
we currently have an anti-internet micromanager.
While the corporate policy is covered by an 'acceptable use' that is fairly liberal this guy equates having an idle page open equivalent to not working. To that end he's having our IT dept. provide him usage data from all employees. As a counter I developed an http over e-mail application that seems to be working quite nicely.
-nB
Re: (Score:3, Informative)
I know the guy who deveoped this:
http://www.web2mail.com/ [web2mail.com]
And at the time I (and others) thought 'what's the point?' - but your post clearly shows there is a need apparantly.
-Jar
Re:Power Corrupts... (Score:5, Insightful)
And this is why "direct benefit" is a completely useless metric, and in fact isn't applied to most of the rest of a business's operations. A/C and heating, for example, don't provide a direct benefit except for industrial controls, yet most businesses see the value in providing a comfortable work environment to employees.
By the same token, the studies are now old news that have shown that employees who take "mental breaks" with Facebook and friends are more productive [news.com.au] and that external communications channels are becoming increasingly valuable to businesses [bbc.co.uk].
It's the same old story: Centralized policymaking suffers from a chronic lack of both information and imagination, and policies like global whitelists essentially kill off many useful innovations.
Re:Power Corrupts... (Score:5, Interesting)
And everybody in my extended team have web browsers on the mobile phones anyway, so if we do want to look something up we don't even need to use company resources to do so.
Of course, it'll be quicker to use a proper browser on a proper monitor with a proper keyboard, but that just highlights the fallacy of locking things down to promote productivity.
Re: (Score:3, Insightful)
Truly, if a person wants to do something, they're going to do it. Whether its VNC'ing into their home computer to browse, using an encrypted proxy, encrypting the data for theft, or using their own phones for non-productive use of time, they're going to do it.
Re: whitelist based security (Score:3, Informative)
I can see doing this for your kids, where you're trying to build a safe environment for them to web surf in. (The kidzui plug-in for Firefox is a good example.) But in a corporate environment, whitelisting seems extreme to me. I'd not only be an employee who complained, but one who would quit and seek employment elsewhere, if I was treated that way, (Do you happen to only allow outgoing phone calls to whitelisted numbers, to make sure they aren't spending time talking to someone who doesn't directly ben
Re:Power Corrupts... (Score:5, Insightful)
> I have seen that "lockdown" so many times, and it never works.
It works quite well for demonstrating compliance with regulations, which is what it is for.
Re: (Score:3, Insightful)
It's management grasping at straws because they don't understand the work well enough to know what needs done.
If you don't understand the job well enough to know what needs done how can you check to see if people are making progress? You can't. So the only thing you can do is run around and make sure everyone's "busy." The trouble is it's easy to look busy in front of some outsider that doesn't understand the work.
If you don't understand the work you won't know if it is taking to long to do. People will
Re: (Score:3, Interesting)
The trouble is it's easy to look busy in front of some outsider that doesn't understand the work.
I find the opposite is true.
At any moment in time, one of my team members will be telling a joke to another. A third will be browsing the web. A fourth will be on the phone asking a colleague on another floor where they're going for lunch. A fifth is arguing with a sixth and the boss is listening in without contributing.
It looks like we're a bunch of lazy slackers. Yet.. the joke is his way of saying 'hi' and making up for the fact he's stealing a couple of hours of the other guy's time to help with somethi
Re:Power Corrupts... (Score:4, Interesting)
Take SSL/TLS for example. It is basically protection against a problem that would never happen in reality. What are the chances of someone intercepting your communications link to a website and capturing your credit card numbers? Out of the billions of packets that are flowing through the networks, the chances of someone managing to find the one packet with the 25 bytes of data comprising your credit card number are vanishingly small. The level of access you'd need would mean it'd be easier to just compromise the person's PC directly rather than sorting through all that noise.
Once someone's trapping the message flow, it's trivial to search for particular triggers. The biggest defence is current generations of routers not sending every message to every machine on the local net, but that's not really much of a defence at all. Encryption stops these trivial attacks.
There are problems with SSL as usually deployed:
Mind you, the alternatives are mostly much worse. And in fact SSL can be very good indeed (e.g., when the client has to present a certificate to the server and a private CA that everyone knows about beforehand is the only trust root). It's just that deployment on the scale of the internet is hard; there's just no way to get everyone to know about everyone else before communications start.
Re:Power Corrupts... (Score:4, Interesting)
Re: (Score:3, Funny)
We brought it the the IT Director and were told we do nothing about it. So we then told him we'd no longer view the proxy logs.
A little while later we also installed DansGuardian. Th
Do power users abuse their IT knowledge? (Score:5, Interesting)
How many people here get around their workplace's blocking software by running an SSH tunnel to a proxy server on their home network?
Re: (Score:3, Insightful)
In a properly managed network, you won't get a direct connection to the internet AND you won't able to run any kind of SSH tunneling software.
I know most of the proxy software i use will tear down SSH sessions established through a HTTPS proxy, if you even get that far - i usually configure them to reject self signed certificates (as those would only provide a false sense of security).
Re:Do power users abuse their IT knowledge? (Score:5, Insightful)
Even assuming you mean "reject certificates not signed by an authority I trust", as opposed to "reject self-signed certificates", it's pretty trivial to get a certificate you'd accept. I also wonder if you allow plain HTTP connections, given your stance on certificate management. HTTP connections are less secure than HTTPS with self-signed certificates, and they don't even generate a warning in the browser -- at least a self-signed certificate would let users know their connection is unauthenticated, but plain HTTP happily transmits in the clear, without encryption or authentication, with no warnings at all. That seems like a much more likely source of false security to me.
In general, your tunnel users aren't very persistent, or you haven't noticed the ones that are -- it's not terribly difficult to setup an plain-old HTTP server and send SSH data in the body of apparently-valid HTML pages. A bit of base-64 encoding, a bit of a random real web page from the browser cache, and you'd have an awfully hard time getting a machine to determine that the web page was actually a proxy connection. It's a bit inefficient and there are TCP over TCP resend issues, but it's perfectly usable for web browsing and the like. Or assuming you just check the SSL setup but otherwise allow HTTPS traffic unchallenged through the proxy (the most typical setup for non-forging, non-plaintext proxies) you could negotiate a standard SSL session and then send raw PPP data through it, without even pretending to be a web page, or using SSH.
Or if you're really pressed for access, you can setup a DNS-based proxy and smuggle data through in perfectly valid DNS requests and responses. The size of packets is limited, but it's running over UDP so you eliminate the TCP issues, and it's virtually unmonitored at most locations, even those that consider themselves "locked down" -- when was the last time you checked your outbound DNS logs? Do you even have outbound DNS request logging? And domains are cheap -- what if I registered a few hundred and spread out my requests across those?
Or if you're willing to put up with a little latency you can use just about any messaging/discussion board to post data to a totally legitimate web page, which a remote proxy could then read and reply to, again on a legitimate web page. And of course there's email.
While it's maybe worth some effort to make data smuggling more difficult, don't fool yourself into thinking you're preventing it from happening. Adding noise to the channel only limits transfer speeds -- so long as there is any way for users to inject and retrieve data to/from the Internet, even through proxies and filters, tunneling will be possible.
OpenVPN-over-UDP-over-IP-over-DNS (Score:5, Informative)
Do you allow DNS on your network? OpenVPN-over-UDP-over-IP-over-DNS isn't lightning fast but it does the job most of the time. It's a neat way to (ab)use commercial WiFi hotspots too. You can't stop a determined power user except maybe with a whitelist of a small set of whitelisted remote hosts.
Re: (Score:2, Interesting)
With all due respect--as you certainly sound more competent than most network admins I've ever dealt with--you're at an IT site. The properly managed network is a myth and you know it. The two most common reasons for that really ought to be immediately obvious, but if they're not:
1) No network is "properly managed", period. It's just too expensive anywhere. Somebody somewhere has an exception to the policy--even if it's documented because they needed some obscure piece of software. Or th
Re: (Score:3, Interesting)
So, just tunnel SSH over SSL, and buy yourself a proper certificate.
At which point, you've crossed the line from causally surfing when you should be working into actively trying to subvert network defenses. That's the line that will get you fired instead of simply told to get back to work. Surfing porn or other "inappropriate" sites will also get you fired pretty quick.
Besides, I happen to watch for unusual stuff like SSL sessions open for long periods of time to address ranges belonging to cable modems and Verizon DSL subnets. Had a guy last month get fired for other re
Re:Do power users abuse their IT knowledge? (Score:5, Insightful)
Ummm... IANAL, but even I know that's not a real charge. If you threatened him with that, you guys are probably in the wrong...you know... "hostile work environment" and all those little things. You could have gone after him for unauthorized access... but you'd be hard pressed to claim it was unauthorized access to his home network. And given that he was an employee, you'd be pretty hard pressed to argue he exceeded access on his own desktop or your network. At best, you've got evidence that he used a data processing system in a manner violating policy--and you've already admitted it wasn't malicious and did no damage. Assuming you're using the computer fraud & abuse act--you've already eliminated most of the necessary criteria... which makes anyone accusing him under it guilty of... oh--filing a false report, and possibly perjury depending on how far you take it! Not that you'd ever be prosecuted as that's one of the most abused laws in the country.
While there are states where access in violation of policy *has* been held as unauthorized access, to my knowledge there's really only been one conviction of that so far--and last I'd checked in, it was about due to be thrown out on appeal. Quite simply--you can't open the door of your house to somebody, and then accuse them of trespass when they wander off the yellow brick road you defined in a convoluted fashion.
I don't blame you for looking for that type of traffic--it's a good way to hide botnet. But going after somebody for trying to listen to music... and using that as the excuse to fire him--that's just cowardly and dishonorable. Your users deserve someone more professional than that, even if they themselves are not the most professional based upon their actions.
Re: (Score:3, Informative)
Some of the rules and legalities change when it's federal systems involved. If you interpret the US laws strictly, doing anything that you haven't specifically been authorized to do is considered exceeding your authorized access. Being a govt facility also means I don't have much sway in whether charges are pursued, just some discretion in what I report.
There was more to this story that I can't discuss, but this was definitely not casually accessing the internet or even just visiting inappropriate sites.
Re: (Score:2)
That seems like a nasty single point of failure just waiting to be hacked, to me.
Re:Do power users abuse their IT knowledge? (Score:5, Interesting)
There's no reason you can't actually talk HTTP. See http://www.sensepost.com/research/reDuh/ [sensepost.com] for one of many examples on how to do this. And, once you have an arbitrary TCP connection, there's no reason you can't perform a public key exchange for SSH as usual, defeating your proxy's man-in-the-middle attack.
Nice try, man, but you'll never be clever enough to accomplish what you intend.
---linuxrocks123
Re: (Score:2, Informative)
FTP is left wide open because the IT department uses it for any sort of file transfer, as well as the fact that they heavily rely on Websense, and its default behaviour towards FTP is to allow all incoming and outgoing connections on that port.
Re:Do power users abuse their IT knowledge? (Score:5, Insightful)
I always figured my employer would be really, really pissed off if they found out I did that. At best you're pointing out a massive security hole in the network. They'd just assume I'd be running ANYTHING (kiddie porn) over the tunnel, and if anything accidentally happened, and I'd been using a "hole", I'd get in huge trouble.
Re: (Score:2)
Re: (Score:2)
But as for you personally, just because you can get out doesn't mean someone hasn't noticed. Usually if you're crafty enough you can find a way, but doing so probably risks either losing your job or, at best, some very serious embarrassment.
Re:Do power users abuse their IT knowledge? (Score:5, Interesting)
I suppose it depends on the size of the business. Where I work, it is usually impossible even to find out who is responsible for a particular policy. As for actually getting a policy changed, you'd be better off pissing into the wind.
Whenever I need information from a blocked site (I'm talking about work-related information here), I just keep trying Google results until I find one that isn't blocked. Sometimes it can take fifteen or twenty minutes, when I know that the top result would have answered my question immediately. On occasions I send myself an email at home so that I can look it up after work, but why should I have to do this?
Re: (Score:3, Interesting)
Get a separate ADSL line for the IT pros. A friend of mine did exactly that. He works in a large bureaucracy and in the end their installed a separate, unfiltered ADSL line that's not under the administrative control from over-the-pond.
Of course, being in IT, they were smart enough to keep this all on a separate network.
Re:Do power users abuse their IT knowledge? (Score:4, Insightful)
I've worked at a few big banks, and getting sites unblocked only takes a few minutes: just a quick email to IT help saying "information on site XXX is important to our business. The block is costing us money. Please fix."
The less "reasoning" added, the better. Make it a business issue, not a free information issue.
Re: (Score:2, Informative)
At my place of work it takes at least a day. And it usually stays unblocked only for a few days, then it is blocked once more.
Re: (Score:3, Insightful)
At my organisation you'd receive an email back saying "why do you need this?". Just saying it's costing money doesn't cut it, wasting my time costs money. When I make a change to the Firewall(s) I need to put that into at least one log/issue tracking system. If you are up front and say that I need information on foo and the FW is blocking Bar.com then I can put that info into the log and make the change so long
Re:Do power users abuse their IT knowledge? (Score:5, Insightful)
You aught to, especially if your previous "fix" was to block the website used for business purposes in the first place.
The role of IT is not to control information technology, metering it out to the users as the IT gods see fit. The role of IT is to support the business. That means facilitating their work as much as possible, and protecting them from the dangers they are unaware of.
Frankly, if I were your manager and you took that attitude toward your customers on a daily basis, I'd fire you.
IT departments don't make a company money. They either help them make more money by increasing productivity, or they help prevent them from losing money by protecting their information-related assets. If you are doing neither, you don't belong there.
Re: (Score:3, Insightful)
You aught to, especially if your previous "fix" was to block the website used for business purposes in the first place.
The role of IT is not to control information technology, metering it out to the users as the IT gods see fit. The role of IT is to support the business. That means facilitating their work as much as possible, and protecting them from the dangers they are unaware of.
Frankly, if I were your manager and you took that attitude toward your customers on a daily basis, I'd fire you.
IT departments don't make a company money. They either help them make more money by increasing productivity, or they help prevent them from losing money by protecting their information-related assets. If you are doing neither, you don't belong there.
You're attributing to IT departments a degree of autonomy and self-direction that is rare. The role of IT is to do what they're told by their superiors. If that includes controlling information and metering it out, that's the way it's going to be. It's highly likely that if you're prevented from visiting a particular web site, it's because IT was told to block it. Perhaps not specifically but categorically. If we're told to implement technology to prevent employees from browsing X, Y, and Z, we do our
Re:Do power users abuse their IT knowledge? (Score:4, Insightful)
And if I were your manager, I'd explain to you the concept of revenue generation vs. opportunity cost...
I work for a company where every dollar the company makes comes through IT. Without a functioning IT department, the company would be out of business in the space of a few days. But IT is still not making that money - it is made by the sales and marketing people who are going out and getting people to purchase the services that we offer.
But neither of you manage each other, so stop waving your dicks. I guarantee you neither of them are as large as you think they are.
Re:Do power users abuse their IT knowledge? (Score:4, Insightful)
Of course you did. There was some problem (employees are looking up hitmen online and killing their bosses). You fixed it by blocking all applicable websites (it has the work "hitman" in it). Unfortunately, your conglomerate needed someone to clean the port-a-potty (a "shitman" in your part of the world). That site is blocked. You certainly intentionally blocked it. You just didn't specifically block it. And your imprecise fix to an earlier problem is causing new problems.
That's the attitude of a five-year-old. I expect better of adults, and insist upon better in the workplace. You may lose your cool, that is human nature, but I would expect a sheepish apology or mea culpa in that case.
You do realize that point (2) is trying to control information, right? It may be that some of IT's role is to control information, but to say that you don't while claiming that is half your reason for existing is, at best, cognitive dissonence.
I don't have to prove that the concept is poor to prove your implementation is. In every case, there will be sites that need to be black/white listed, and your mechanisms for doing so are subject to judgement without having to attack the idea of a black/white list system. In this case, you are defending a system of employees pleading with IT about making a site accessable. Why not simply automatically unblock the site, and then review it later?
That IT doesn't make money is an accounting truism. Neither does a CEO (well, depending on the company). IT is an overhead cost. It can be important, but where do you bring dollars in the door? Some IT departments bring in blue dollars, but that's it. (Exceptions made, of course, for IT consultant groups.)
Re: (Score:2)
Re: (Score:2, Informative)
I don't understand why people always try to "get around" these restrictions. If there is a legitimate business need, then get it approved. These preventions are put in place for a reason. The more open the network, the more risk. The more risk means more virus, trojans, botnets, data leakage, etc. IT then has to cleanup your mess.
Partially right. The problem is, that in many larger organisations the 'legitimate business need --> approval' process does not scale well with regard to the time required to get the approval. So even if you do have a legitimate business need, waiting for the approval might still keep you from getting your job done. Multiply this by say ... 2,000 people waiting 10 days to get an approval for something. This will cost you real money.
It seems to be difficult to balance these things. But having a good zonin
Re: (Score:3, Insightful)
Besides, SSH tunnels won't work on my network.
However, it is my job to protect our computers/network and I do that by blocking "risky" sites.
Good idea. I'd hate for you to accidentally get a virus when I SSH into my home machine and read my email using mutt. You'd be surprised at the number of viruses that can encode themselves in an email as a start ZMODEM trigger and get transfered through a zssh connection back to a work computer. Then all the virus has to do it wait for a double-click... ;)
Re:Do power users abuse their IT knowledge? (Score:4, Insightful)
Good luck blocking SSH over DNS.
Re:Do power users abuse their IT knowledge? (Score:4, Interesting)
Except that's not how SSH over DNS works. On the server end someone installs a custom DNS server on a machine and sets that machine as authoritative for a domain. On the client end the PC sends a seemingly benign request through your local DNS servers, which forward that request to the authoritative domain (running the custom DNS server). The custom DNS server then decodes the "benign" request, passes it off to the SSH server, retrieves the reply, then encodes it so that it can be sent back to the client PC.
Re: (Score:2)
Besides, SSH tunnels won't work on my network. I've got all protocols being intercepted by the proxy (including encrypted).
How does that work without breaking SSH? Or does it?
Re: (Score:2)
Unfortunately, the "block everything" attitude you express does result in this exact solution... Except, people don't want to browse the web on a smartphone, so they use it as a WiFi or Bluetooth proxy for their (work-issued) PC.
Meaning, in your attempt to block people from surfing the web on their breaks/lunch/"need a few minutes of downtime", you have in effect lost control of real threats such as viruses, spyware, P2P, etc.
M
Everyone Does (Score:2, Insightful)
People in every line of work take advantage however they can. Janitors, mailmen, military personnel, police, teachers, principals, street sweepers, CEOs, mechanics, and on and on. Its human nature.
Re: (Score:3, Interesting)
Its human nature.
... to push the limits of our power and find ways to get around things. This is often seen in a negative light (as in the OP's choice of the word "abuse"), yet it's also a trait that has allowed humans to survive, thrive, and make numerous advancements.
The OP talks about IT people white-listing websites they know to be safe because they themselves use them. I don't see this as having a negative impact for the staff or patrons of the places he mentions. If there is a negative impact, or "abuse", it com
Quick answers: (Score:2)
(1) Yes, of course. Whenever humans get power, many of them will abuse it.
(2) Users, all the time. Management, hardly ever. What else would you expect?
IT Pros don't make policy. (Score:5, Insightful)
Policy is made by management. I don't care if you watch gay furry porn for all the three hours you spend in the Office.
I do care about the security of the network - so if you plug your private Laptop into the Office LAN, you won't get any connection because your machine won't authenticate. But i'll know exactly that you did so. And i'll call you out for it.
In all the places i've worked, WebSense etc. only worked in the VLANs for the office workers. All IT networks (as did the Exec's networks) had unrestricted internet access (they still went through a malware filtering proxy, but not content filtering). This might be different in larger organizations.
In the place i work right now, we only have a malware filter. No content filtering at all. I think it's pointless. If someone does not do his job properly, fire him. If someone does his job properly, but uses 10 minutes a day for masturbating to gay furry porn, he's still more productive than someone who takes a 10 minute smoke break every 20 minutes.
Re: (Score:3, Funny)
If someone does his job properly, but uses 10 minutes a day for masturbating to gay furry porn, he's still more productive than someone who takes a 10 minute smoke break every 20 minutes
I guess that depends on *where* he masturbated to gay furry porn. If it was in the smoking room, then it's understandable that the smoker needs 10 minutes ... jizz covered Marlboros are a bitch to light.
Re: (Score:2)
I'll start by saying that I completely agree with your views. That said... you know, there's more to the Internet than productivity sites and gay furry porn. There's a host of sites in between those categories, it is all the rage these days.
Wow! I learn something new every day!!! ;-)
Re: (Score:2)
I know, i know, i might not get all the fine points of American culture, but how exactly can someone sue the company over this? They're just acting as an internet provider.
Anybody can sue anybody for anything. Winning is a different matter. A really bad case, one which gets thrown our of court immediately, can still cost tens of thousands in time to go through the paperwork, document what happened, have various meetings about it, and show up in court.
An employee looking to be fired with a really good packag
Digg? (Score:4, Funny)
IT Pros - Never! (Score:5, Funny)
IT professionals would never abuse the position of responsibility with which they are entrusted. They would never use their positions to retaliate against the unthinking, uncaring, ungrateful wretches that make their lives a living, seething hell each and every day those worthless pieces of crap continue to suck air.
Upset because... (Score:2)
He can go to slashdot but myspace is blocked? I can spend all day listing reasons why someone might want to block myspace. I could also spend all day listing reasons why people at work should be allowed to browser slashdot.
The submitter places _all_ interactive websites into a single category, and then complains that IT Admins are abusing their powers when some are allowed and some are not.
They are _not_ all the same and the submitter is just looking for someone here to validate the idea that he(she?) is
I blame the boss. (Score:5, Insightful)
In my experience most draconian restrictions are imposed by Management. The technical staff is simply more empowered to work around them or ignore them.
It's not IT-vs-other, it's business-vs-non (Score:4, Insightful)
Generally, they'll whitelist any site that a user can come defend as needed for work.
If there is abuse of "IT power", it's that IT passes judgment on their own staff's claim that tech-sites are needed for asking questions and finding tech solutions. But, frankly, even a very lame claim that "I need access to localchat.com to check on how other local accountants are handling the new sales tax" will get a pass, too. IT staff aren't exactly Sam Spade. So any extra blind-eyes they get to their favourite sites is pretty marginal.
The big difference is that IT staff aren't shy of asking. Other users imagine some omniscient IT that will just know they really want to chat about their cats.
we're human after all.... (Score:2, Insightful)
Dealing with Blocked Websites... (Score:4, Informative)
Greetings and Salutations.
Perhaps the better questions are "why ARE some websites blocked? and WHO makes that decision?" I administer web access for a client or two, and, the decision to block given websites comes from upper level management, usually NOT the IT command structure. In a business, there is an almost paranoid fear that the employees are sitting around surfing the Net instead of doing work to make money for the company. Any blocking seems focused at keeping that from happening.
Alternatively, I go and sit at Panera Bread (a great place for good pastries, and excellent, light lunch sandwiches and such by the by...) on occasion, and have found a few websites that would not come up because they were blocked. However, it appeared that this was because the company providing the blocking had mis-catagorized them, and, once I sent a note in about the site, they ended up being unblocked. But then, If I were going to surf porn sites I would NOT be doing it in a public place like that....
So, I suppose there are cases where IT admins abuse their powers and block sites that should be available...but I have not run into them. Amazingly enough BOFHs are human too, and, some of them ARE little Herberts....control freaks and generally annoying people. The rest of us are all genial and fun folks with a slightly twisted sense of humor.
Regards
Dave Mundt
No point blocking the tech sites (Score:2)
I can't agreee (Score:2)
> Any admin worth their pay can run rings around a net-blocker.
What Admin? Oracle admin? AIX admin? SharePoint admin? SAP admin? There is a lot of different types of admins now and what makes them worth their pay is that they help you run your business and earn money. The ability to run rings around a net-blocker is not something you put on your resume.
Also in well implemented network it is not as easy to run around it *undetected*.
Also by doing so you are clearly breaking the rules that your supervisor
Hanlon (Score:2)
Who cares? Really? (Score:4, Insightful)
Does it matter, as long as they get their work done?
Really, some people are too uptight about things. The only metric should be if an employee does their job. If they do their job and do it well, who cares if they visit an amusing website for a laugh to break up an otherwise dull day?
Re:Who cares? Really? (Score:4, Insightful)
You would hope that the only measurement is if someone is doing their job, but management is always trying to justify the amount that they are spending on staff. That means that it is not enough for the tasks that they expect done to be done, but they must also get as much work as possible out of each "unit" of staff that they are paying. If you have noticed, one of the things management loves to do is "cut costs", which means "lay off people".
The business cycle works like this. New company gets loans and venture capital. If it succeeds it gets flush with money. At that point management starts spending that money like no one's business. Each exec and manager tries to get themselves noticed by creating cool things and hiring employees to increase their empire. Efficiency is not cared about because no one cares about that in a "growth" phase. At that point, it's like management is on cocaine and their jittery fingers are poised over the "spend" button.
Eventually, this stabilizes and it becomes clear that you can't spend money like water any more. Frequently, this is some time after the company goes public. At that point, the original execs with the coke habits (real or virtual) have sold their overpriced shares and have either left or been forced out by a board that is now responsible to shareholders and the SEC. At that point, the new management, and/or the consultants that they have hired try to get a handle on the huge bloated mass of a company they have inherited, try to do something called "reaching profitability". This usually means starting to whittle down staff and make existing staff do more.
The end result is that every sort of perceived "inefficiency" is targeted, including web access. This is not to say that there is not something that needs to be done. Chances are good that a company in this position does start off with staff bloat. Of course, in the end the new management is as ham handed as the old management, just in a different direction and instead of simply trying to cut off the fat, it turns the place into a gulag.
The sad thing is that many of these blanket solutions are used instead of the more valid and useful method of creating and refining cost allocation models. Much like the "mass layoff", it seems that those sorts of solutions exist to create drama for something like instilling obedience or impressing the market to improve share price.
In the end, either due to the unrecoverable status of the initial bloat, or the fact that the place is now a gulag (or outsourced), the company will fail unless it really does have a unique product that can survive that process. Welcome to the 21st Century.
The moral of the story is: don't become personally invested in places that bother to heavily restrict your web access other than for strictly security reasons. You can work at them, but they are just jobs. If someone is willing to spend the time and money on carefully blocking your access to the internet, it's clear that you are seen as a resource that they need to squeeze more efficiency from in lieu of them actually having real, attainable goals that they can measure staff by. If they had those, they would be able to give you assignments that justify your expense and it wouldn't matter if you took 5 minutes or 5 hours to do them in, because they have refined their models and *on average*, each employee would spend the expected amount of time on it.
Of course they do... (Score:2)
Better question is how many people use that root/admin permissions to install unauthorized software or ignored corporate policy and installed software themselves.
No (Score:2, Insightful)
Um, most IT pros are too busy to abuse their power.
Re: (Score:2)
is work getting done (Score:2)
We do NOT abuse our supervisory powers ... (Score:4, Funny)
Never ever ever (Score:2)
thats business (Score:5, Informative)
In my experience the IT dept generally has rules for other people and rules for themselves. They "know what they are doing" while everybody else "can't be trusted". Their login for general usage is full administrator and bypasses websense, while I am barred from sites "listed as general business" (only sites pre-approved by IT are allowed, which they make very clear they do not do because they don't want people asking them all the time). Our email attachment limits are 2mb ("it takes up space on the server") and FTP is outright barred - even though one time it was the only way for a client to send me files IT wouldn't do it, so I went home and put it onto a USB stick.
They install whatever they like, including such productivity tools as BBC news sports tickers. Despite pretty much being able to do everything on their work-paid cell phone, not having to multi-task or whatever they have brand-new machines. When another member of staff requires a new PC, they get an IT staff's PC and IT get a new PC. Despite the general staff doing work where screen real estate is highly productive, their monitors are 15" and 17" while IT and managers have 19" (although they were quite savvy and gave the partners 21"; monitors are the new bigger desk and chair). In my job where we do quite a lot of printing, speed and quality are important, IT also have the best printer - yet it took a week for them to notice when I unplugged it one Friday night.
IT is all about convenience for IT. All our productivity stuff, which at any given moment 99% of staff is running at any given moment, is quite server intensive. They're all on the same server, while low-intensity stuff rarely used has three idle servers all to itself. I spend a significant portion of my time waiting for the server to respond. It's quite embarrassing when a client turns up asking for a simple copy of a report in a hurry and it takes me 10 minutes, they think I must have forgotten so they ask reception to call up and remind me they're late for their meeting. I pointed out once that the servers could be rebalanced to distribute the load but was told "that would be too much hassle".
All the procedures are laughable. Despite almost completely phasing paper filing out, all staff's basic logins can delete data files and all the backups are kept on a shelf on site. I could obliterate the lot in one minute of madness (probably induced by dealing with IT). It would take me longer to copy it all to a couple of USB sticks, but nobody would notice until they got the blackmail letters or it was on the news.
But let's not get all confused and think I'm bashing IT here. I can say pretty much the same thing about every single department. Like how the time it takes me to obtain new propellant pencil leads costs the firm 16x the price of the leads. If I kept one carton for work then stole the rest of the box it would be cheaper for the firm than following procedure.
As regards other managers, few have the slightest clue about IT. Those that do just work it to their advantage - they get preferential treatment so it makes them look good.
Re:thats business (Score:5, Funny)
Re:thats business (Score:5, Insightful)
anonymous reader writes... (Score:2)
The point of power is to abuse it (Score:2)
Everyone abuses their power, that's the point in acquiring power in the first place.
Trying to ruin a presentation (Score:3, Informative)
Yes. (Score:3, Funny)
Yes.
Next question.
(Please don't ask "Do cops speed?" "Do restaurant workers get free food?" "Do Real Estate Agents get cheaper houses?" etc...)
It Was The Users That Abused Their Privledges (Score:3, Interesting)
Re:Answer (Score:5, Insightful)
You work at a college and block certain "websites and services?" From the context I'm guessing it's more than simply blocking known phishing sites and the like...
If you are censoring the internet for the students of your college, then frankly I find that abhorrent. It's one thing for a company to filter the internet for their employees at work, but it's completely another to do it to students who-- besides being in an environment which should encourage exploration and allow for the making of mistakes-- may very likely live there and only have access to the internet through the school. As a college IT department, for all internets and purposes you're an ISP and with respect to student internet access you should be held to the same standards of openness and neutrality to which Comcast, Verizon and their likes are.
Re: (Score:2)
Employees from posting on random forums might expose their companies to liability for fraud ("Company X's products are pieces of junk assembled by slave labor in the Far East"), sexual predation, etc. What the do on their home computers is their own business.
While that may be a valid reason, it is even more of a reason to block /.
At least on most forums, comments can be removed... by the forum moderator(s) or the original poster. On /. they are there "forever" and thus continuing the possibility of liability from the post.