Top Mud Sites Forum Return to TopMudSites.com
Go Back   Top Mud Sites Forum > MUD Players and General Discussion > The Break Room
Click here to Register

Reply
 
Thread Tools
Old 03-07-2011, 02:44 AM   #1
Newworlds
Legend
 
Newworlds's Avatar
 
Join Date: Aug 2007
Name: NewWorlds
Home MUD: New Worlds
Posts: 1,384
Newworlds will become famous soon enoughNewworlds will become famous soon enough
Who's Watching the Watchers?

The following quote originated on another thread but it brought me back to an intriquing question I've had for years...
Quote:
Originally Posted by silvarilon View Post
...I'll often block all ports, but allow all websites - I don't care if they're playing a game, I *do* care if they're running bittorrent. And the easiest thing is to just say "Nothing through" then let them ask if they need something opened.
This has always fascinated me. I've often wondered how many Presidents and CEO's of companies realize that the Sysops and NetAdmins actually control all the information sharing of their company. Email, IRC's, Client chats, up to and including company IP phones.

I have friends in positions in system administration that listen in on their company director's calls or view emails indiscriminately and the suits don't even have a clue.

Who's Watching the Watchers?
Newworlds is offline   Reply With Quote
Old 03-07-2011, 01:40 PM   #2
Darren Brimhall
Member
 
Join Date: Jun 2010
Posts: 241
Darren Brimhall is on a distinguished road
Re: Who's Watching the Watchers?

Honestly, a good question.

As a seasonal at the IRS, and even though I don't use a Computer there in my work, it is manditory that I go through a briefing on them--especially reguarding Unauthorized Informaition Access (UMAX) Violations involving accessing accounts in a manner that is not business related.

The Computer Systems which the Clerks use are monitored by TIGFA (I'm not sure what it means, but they are Treasury Agents with full powers of Investigation and Arrest), who will drop a line to the violator some three months later asking them why they commited a UMAX Violation.

Now, whole areas of the Campus are video monitored. But considering how TIGFA works, I would suspect that those who watch the watchers would be whatever Security Company hold the contract to that specific company. They would have 'Squeelers", or Monitoring Programs, which would let them know when an unauthorized access is occuring, log it in their system and then arrange a meeting with the Employee responcible for the violation.

Last year alone some 2000 employees with the IRS got nailed on this, with goodly portion being sent on their way either to the Unemployment line or Federal Prison.

Darren Brimhall
Darren Brimhall is offline   Reply With Quote
Old 03-08-2011, 03:11 AM   #3
silvarilon
Member
 
Join Date: Dec 2009
Posts: 144
silvarilon is on a distinguished road
Re: Who's Watching the Watchers?

Since it was my quote, I'll chime in

As background, I work at a university, in a specialized IT group that looks after one of four faculties.

There is a central, university-wide IT group as well. Some infrastructure is managed by them, some by us, and some by both groups.

Quote:
Originally Posted by Newworlds View Post
The following quote originated on another thread but it brought me back to an intriquing question I've had for years...
This has always fascinated me. I've often wondered how many Presidents and CEO's of companies realize that the Sysops and NetAdmins actually control all the information sharing of their company.
Within our faculty, people seem to be very aware that the IT people have access to a huge amount of information.

Interesting you use the word "control" though - IT people can certainly listen in on a lot of information, but whether thye "control" it is a different matter. I probably don't have the authority to tell someone that they are no longer allowed to use email, for example.

But where "access" and "control" gets blurry is interesting. Officially I don't have the authority to tell staff member A that they can play games, but tell staff member B that they can't. Unofficially, everyone knows that we're the person who control the *access* to what is needed, and therefore, by default, we do have that control. Even if it hasn't been officially recognized.

It isn't limited to only computer systems, though. I've got a keycard that lets me in pretty much wherever I want (there are a few places off-limit, mostly due to safety reasons. For example, my card won't let me into the radiation lab...) - it also lets me in 24/7. Very few other groups get that level of access, but techs seemingly get it by default.

Again, I think the organization is aware of this. We need a high level of information access just to do our jobs - we also tend to be the gatekeepers when giving out access to those same systems, again, a natural consequence of the way we do our job. It's quite possible that a level of middle managers could be put in place to control and authorize access, which would provide a buffer limiting the tech's authority. But that would significantly reduce our ability to be responsive to the users needs, and to give personalized solutions. My group exists specifically because we can provide better service than a generic university-wide IT group. So it doesn't make sense to loose that advantage.

I suspect part of the reason why people are comfortable with high level techs having significant authority and access is because... well, we've already got access. As soon as I can log into the mailserver as an administrator, I can read any of your email. You just have to trust that I won't. If you're putting that sort of trust in me, then giving me access to your physical office is a much smaller step.

The general attitude seems to be that techs aren't necessarily paid a large amount, but they are afforded the same sort of privileges when it comes to company access that upper management would have (and regularly much higher levels of access.)

Quote:
Originally Posted by Newworlds View Post
Email, IRC's, Client chats, up to and including company IP phones.
Certainly. In my case, I don't have direct access to all those services, because some (such as the IP phones) are handled by the central group.

I certainly would be able to steal the passwords for any system I don't control with ease.

But my next question would be: what's the point?
So what if I can control your IRC access? What can I do with that?
- I can deny you access, if you annoy me. Power trip. But pretty petty, and the more I abuse power like that, the more likely someone in authority will get annoyed at me and reign me in. If you're the only person using IRC, then I could certainly deny all IRC with impunity.
- I can listen in on you. Again, power trip, but petty. And there are laws against it. Sure, nobody would know that I'm doing it... (although the other techs might realize) - but... yeah. Illegal, and really not as interesting as you'd think.
- I can play silly buggers. Make it start and stop working, or something. Again, pretty pointless.

And really? I don't care what people are talking about. Unless someone in authority tells me something like "I want you to record and review what this guy is discussing in IRC, due to reason X Y and Z" then I have no interest in what people have to say.

More significantly, there's a certain amount of work that needs to get done - if I have free time to spend screwing around, I'd much rather be making overly-long posts on TMS rather than fiddling with something that's already working. There is always something interesting and productive I can be doing as part of my job. I'm not going to waste my time on trivialities like that.

But then again, I have a large amount of freedom - if I've got the time I can create my own projects, decide what I want to improve or create, and I tend to get a lot of support from my IT group and the faculty. If I was in a job where I was given a list of tasks and no authority to decide things for myself, I might relish the "secret power" of being able to spy on people. I'm glad that isn't the case for me.

Quote:
Originally Posted by Newworlds View Post
I have friends in positions in system administration that listen in on their company director's calls or view emails indiscriminately and the suits don't even have a clue.
I'm quite surprised, actually.

Partly because that's illegal - although you can get away with it - it breaks a number of laws. I know the specifics here in Australia, but I'm sure there are similar laws in the US and most other countries. And regardless of laws, if they get found out, it can loose them their job just by virtue of annoying the wrong person.

Mostly I'm surprised because... I really just don't see the point. I have no interest what people are saying. If I want to find out what's happening around the place, the gossip grapevine is probably going to give me better returns than listening to phone conversations. And some people have, y'know, their own morals that might forbid them from listening in on a private conversation.

Quote:
Originally Posted by Newworlds View Post
Who's Watching the Watchers?
Well... depends on the company. In a company where IT is poor, there may be two or three IT guys who run everything - in which case, chances are nobody is watching them, as they're likely the only people who understand what is going on.

In a larger team, if the team tends to be made up of moral people, they'll be watching each other. The greater company culture will help, but the culture of the IT team will develop, and that culture will set the tone for what is acceptable. Most members of the team will then follow that lead, and the others should reign in the ones that don't. (Of course, if it's the boss that misbehaves, that just sets the culture for the underlings to also misbehave)

In my group the culture seems to be "respect people's privacy, but don't be afraid to delve into personal information if it's part of your job and you're doing it for a productive purpose" - I have never known a member of my team to read someone's email, even though we all have access to it. I have regularly known a member of the team to do a dump of someone's email (which prints it in a readable format to the screen) in order to check what the date of the last received email was, or similar, when trying to help a customer (whether the customer is there at the moment or not)

And I've never seen a customer surprised that we have access to their email in that sort of way. They all already assumed we had that sort of access.

Beyond the team, who watches? In some companies, as Darren posted, there is another body that polices behavior. In many there isn't. And beyond that, there is the law. It might be hard to catch an IT person screwing around with personal behavior, if they're smart enough to only do it in private, but if you do they can face serious legal consequences, including jail time.

So yeah, serious abuses can (and do) happen.
Techs have access to a LOT of information, and in a lot of ways are the most powerful (important?) people in a company
It's up to the company to hire trustworthy people, and to set up oversight where necessary. (Just the same as it's up to a retail store to hire trustworthy staff who won't shoplift or steal money from the register.)

But in a well-run team, that is given useful tasks to complete, independence to do their job, authority to make decisions, and the ability to set the IT agenda and goals - well, they'll be too busy doing the things that they want to bother abusing anything. And the company will benefit from that energy going into something productive.

It's an interesting topic - especially since just last week I was thinking about how I have more information about what each academic does than anyone else at the university, since I was the one that built the database which stores that information, and wrote the rules about how it's calculated. Which has (unintentionally) put me in the position of the "expert" on the topic, and therefore the person who sets policy about what work is worth what. (I'm not quite sure I'm comfortable telling my co-workers how much their work is worth)

Food for thought.

Cheers,
Tony
silvarilon is offline   Reply With Quote
Old 03-08-2011, 04:31 PM   #4
Markov_AU
Member
 
Join Date: Jun 2004
Name: Ben
Location: Zelienople, PA
Home MUD: Adventures Unlimited
Posts: 68
Markov_AU is on a distinguished road
Re: Who's Watching the Watchers?

Email and systems are owned by the company, not the individual users, as the most basic internet/tech usage agreement that you get says. and you are usually told to never use your work email address for private correspondence. IT monitors emails in certain fields to make sure no one is spreading company IP to uncleared people etc. It is part of the security aspect of IT's job.
Markov_AU is offline   Reply With Quote
Old 03-08-2011, 08:15 PM   #5
silvarilon
Member
 
Join Date: Dec 2009
Posts: 144
silvarilon is on a distinguished road
Re: Who's Watching the Watchers?

Quote:
Originally Posted by Markov_AU View Post
Email and systems are owned by the company, not the individual users, as the most basic internet/tech usage agreement that you get says. and you are usually told to never use your work email address for private correspondence. IT monitors emails in certain fields to make sure no one is spreading company IP to uncleared people etc. It is part of the security aspect of IT's job.
Sure. Everyone says that. And it's true... as far as it goes.

Here in Australia, at least, there are still laws against reading someone's email, even if it's their work email. The laws set reasonable bounds - in simple terms, the company (or representative for the company) can read the email as long as there is a reasonable job-related reason for it.

So I (being a tech) can read someone's email to investigate their claims that they aren't getting all their email (for example, to verify if new emails are arriving in their inbox)

I couldn't legally read their email just to see what they're up to, even though "the company owns it"

I could probably *delete* their email, without reading it, because the company owns it.

There was a case recently where someone was suing their company for wrongful dismissal - the company used information gained from reading their email (where they had discussed legal options with their lawyer prior to the dismissal, proving bad intent...) and that evidence both got dismissed from court, and used as evidence for another case about them illegally reading the email.

It was interesting, because the company did read the email to protect their own business. The courts found against the company because, although they were reading the email to find out information that is related to the company, they were not looking for *company* correspondance. So even if you use your work email for your personal emails, you still have some legal protection (at least in Australia) against people reading them.

What I take from this is that the company would have been fine to read his email if they were looking for work-related emails, and could have incidentally seen emails to his lawyer. But they didn't have a legitimate reason to be looking in the first case, since they didn't have a reason to be reviewing his work-related emails.

I know there are companies that review emails - and I know there are legitimate cases where that is necessary. I'm not sure of the legalities (since we don't do that here) but I suspect that the users need to be informed and aware that their email is being reviewed, and they probably also have a requirement to remind/inform the user if personal email is getting reviewed. (i.e. if you send an email to your mother, they should probably bounce it back saying "Please don't send personal mail through this system")

Regardless of user agreements, there are still certain privacy rights that the courts will uphold.

Of course, what those specific rights are will vary from country to country. My intention isn't to get into specifics, just to provide a few examples of "over the line" and "this is acceptable" - the intention is just to illustrate that the system admin does have some legal obligations.
silvarilon is offline   Reply With Quote
Old 03-09-2011, 12:37 PM   #6
Darren Brimhall
Member
 
Join Date: Jun 2010
Posts: 241
Darren Brimhall is on a distinguished road
Re: Who's Watching the Watchers?

The 'Key' is Work Related.

Unless it is nessicarry to perform a job function, then the inforation can be accessed. The accessing of personal corrispondence falls into a very narrow deffination of work related access, unless the company in question can prove that said employee is conducting themselves in a manner that is harmful to the company (selling company information, revealing company secrets, illegally altering company records and other company information (which does occur at the IRS more times that you realize.)).

Many of these reasons fal under Internal Threats, which can range from the above listed to the simple use of company computer equiptment to download music, videos and to play games all of which can allow virius' and hanckers to attack the company mainframe.

In this Thread, the discussions are largely along the lines of UMAX Violations which are untollerable--and most likely why the Company in question lost the Court Battle with the dismissed employee, their search of his personal E-Mail did not fall under Work Related and therefore lost the case.

Darren Brimhall
Darren Brimhall is offline   Reply With Quote
Reply


Thread Tools


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off

All times are GMT -4. The time now is 04:14 PM.


Powered by vBulletin® Version 3.6.7
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
Style based on a design by Essilor
Copyright Top Mud Sites.com 2014