Hard to believe this was in the Wall Street Journal
-
Ten Things Your IT Department Won't Tell You[^] I find it hard to believe this was in a reputable publication like the Wall Street Journal. :sigh: This is irresponsible. X| It basically tells you how to bypass your company's security procedures. :rolleyes: 1. HOW TO SEND GIANT FILES 2. HOW TO USE SOFTWARE THAT YOUR COMPANY WON'T LET YOU DOWNLOAD 3. HOW TO VISIT THE WEB SITES YOUR COMPANY BLOCKS 4. HOW TO CLEAR YOUR TRACKS ON YOUR WORK LAPTOP 5. HOW TO SEARCH FOR YOUR WORK DOCUMENTS FROM HOME 6. HOW TO STORE WORK FILES ONLINE 7. HOW TO KEEP YOUR PRIVACY WHEN USING WEB EMAIL 8. HOW TO ACCESS YOUR WORK EMAIL REMOTELY WHEN YOUR COMPANY WON'T SPRING FOR A BLACKBERRY 9. HOW TO ACCESS YOUR PERSONAL EMAIL ON YOUR BLACKBERRY 10. HOW TO LOOK LIKE YOU'RE WORKING
Simply Elegant Designs JimmyRopes Designs
Think inside the box! ProActive Secure Systems
I'm on-line therefore I am. JimmyRopesAsk yourself why it is that users are so intent on bypassing IT security. I would submit that it is because IT is viewed as a tyranny with no regard for end users. In the eyes of many end users, IT has siezed power and used it to try to control workers, rather than serving the common goal. Mind you, I'm not saying this is the way it is, only that it is perceived as such by office workers. In such an environment, it is only natural that employees would use any opportunity to circumvent IT policies and procedures. If you want to address the problem, address the perception first, particularly the power perception. Start by distinguishing between legitimate security concerns and simple paranoia. Communicate the 'why' to end users of the systems. Then you might start getting buy-in from line-level management and workers.
David Veeneman www.veeneman.com
-
Ten Things Your IT Department Won't Tell You[^] I find it hard to believe this was in a reputable publication like the Wall Street Journal. :sigh: This is irresponsible. X| It basically tells you how to bypass your company's security procedures. :rolleyes: 1. HOW TO SEND GIANT FILES 2. HOW TO USE SOFTWARE THAT YOUR COMPANY WON'T LET YOU DOWNLOAD 3. HOW TO VISIT THE WEB SITES YOUR COMPANY BLOCKS 4. HOW TO CLEAR YOUR TRACKS ON YOUR WORK LAPTOP 5. HOW TO SEARCH FOR YOUR WORK DOCUMENTS FROM HOME 6. HOW TO STORE WORK FILES ONLINE 7. HOW TO KEEP YOUR PRIVACY WHEN USING WEB EMAIL 8. HOW TO ACCESS YOUR WORK EMAIL REMOTELY WHEN YOUR COMPANY WON'T SPRING FOR A BLACKBERRY 9. HOW TO ACCESS YOUR PERSONAL EMAIL ON YOUR BLACKBERRY 10. HOW TO LOOK LIKE YOU'RE WORKING
Simply Elegant Designs JimmyRopes Designs
Think inside the box! ProActive Secure Systems
I'm on-line therefore I am. JimmyRopesDon't blame the WSJ, as sources of the information reported in the article came from -- IT people themselves! Now, IT admins & staff will have to deal with the aftermath.
-
Ten Things Your IT Department Won't Tell You[^] I find it hard to believe this was in a reputable publication like the Wall Street Journal. :sigh: This is irresponsible. X| It basically tells you how to bypass your company's security procedures. :rolleyes: 1. HOW TO SEND GIANT FILES 2. HOW TO USE SOFTWARE THAT YOUR COMPANY WON'T LET YOU DOWNLOAD 3. HOW TO VISIT THE WEB SITES YOUR COMPANY BLOCKS 4. HOW TO CLEAR YOUR TRACKS ON YOUR WORK LAPTOP 5. HOW TO SEARCH FOR YOUR WORK DOCUMENTS FROM HOME 6. HOW TO STORE WORK FILES ONLINE 7. HOW TO KEEP YOUR PRIVACY WHEN USING WEB EMAIL 8. HOW TO ACCESS YOUR WORK EMAIL REMOTELY WHEN YOUR COMPANY WON'T SPRING FOR A BLACKBERRY 9. HOW TO ACCESS YOUR PERSONAL EMAIL ON YOUR BLACKBERRY 10. HOW TO LOOK LIKE YOU'RE WORKING
Simply Elegant Designs JimmyRopes Designs
Think inside the box! ProActive Secure Systems
I'm on-line therefore I am. JimmyRopesTo be honest, all of these are things that the company IT security professionals should already have thought of. Any proxy administrator worth their salt will have already blocked as many upload sites and 3rd party proxies as they can find, and there are companies that do nothing but provide lists of what to block. The one thing that can't really be blocked is someone setting up their own proxy/upload site that won't be known about by published proxy blacklists.
-
I see your company IT policy, which you haven't subverted yet, includes TYPING IN CAPITALS. (You do make a slight point though. Companies need to change but through proper process not through subversion.)
regards, Paul Watson Ireland & South Africa
Shog9 wrote:
And with that, Paul closed his browser, sipped his herbal tea, fixed the flower in his hair, and smiled brightly at the multitude of cute, furry animals flocking around the grassy hillside where he sat coding Ruby on his Mac...
Paul Watson wrote:
TYPING IN CAPITALS
Just swiped the lines from the WSJ article. Didn't type any of them. I don't type in all caps, except when it is syntactically correct to do so as in forming acronyms. By the way, you really didn't need to type "TYPING IN CAPITALS" (swiped that too) when a simple "typing in capitals" would do nicely.
Paul Watson wrote:
Companies need to change but through proper process not through subversion.
Agreed, some companies need to change their IT policy, but what struck me as irresponsible was a trusted business journal advocating policy that will put the person's job in jeopardy. Storing company documents on public repositories, out of the control of the company, is not something a respected business publication should advocate. I think you probably don't appreciate the WSJ reputation in business. It used to be a very responsible publication.
Simply Elegant Designs JimmyRopes Designs
Think inside the box! ProActive Secure Systems
I'm on-line therefore I am. JimmyRopes -
Don't blame the WSJ, as sources of the information reported in the article came from -- IT people themselves! Now, IT admins & staff will have to deal with the aftermath.
robertewilson wrote:
Don't blame the WSJ, as sources of the information reported in the article came from -- IT people themselves!
Then what is the function of the editor if not to edit the content of the newspaper. This article is clearly advocating things that if practiced put someone at risk of losing their job.
Simply Elegant Designs JimmyRopes Designs
Think inside the box! ProActive Secure Systems
I'm on-line therefore I am. JimmyRopes -
robertewilson wrote:
Don't blame the WSJ, as sources of the information reported in the article came from -- IT people themselves!
Then what is the function of the editor if not to edit the content of the newspaper. This article is clearly advocating things that if practiced put someone at risk of losing their job.
Simply Elegant Designs JimmyRopes Designs
Think inside the box! ProActive Secure Systems
I'm on-line therefore I am. JimmyRopesJimmy, A cogent debate here. This august publication reports on more than just business matters and I am a subscriber myself to the Online Journal. I was initially surprised by the appearance of the article, but after reading it, it occurred to me that, if there were no willing IT people divulging these open "secrets," there would have been nothing for the reporter to write. I agree with you that perhaps the article was misguided, but these "tips" can be found on hundreds of sites via any major search engine. The means to circumvent corporate policies and procedures is out there and has been for a long time -- but it requires the will to do so.
-
JimmyRopes wrote:
I didn't say any of this was new or novel in any way for an IT professional. I am just surprised at the Wall Street Journal advocating something like this.
To me this is no big deal. Hell, I was a user that did stuff like this when the pricks in the IT dept refused to do something silly like allow the devs to browse MSDN. The problem isn't the users, the problem is the IT departments like this. Rather than doing their job and meeting their users needs they become a self serving wanna-be programmer elitist group.
JimmyRopes wrote:
As I said before, it's irresponsible.
I still maintain that you are being melodramatic. [EDIT]
JimmyRopes wrote:
I didn't say any of this was new or novel in any way for an IT professional.
BTW, I am not an IT professional. I am a software developer.
My Blog A human being should be able to change a diaper, plan an invasion, butcher a hog, conn a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a computer, cook a tasty meal, fight efficiently, die gallantly. Specialization is for insects. - -Lazarus Long
Chris Austin wrote:
To me this is no big deal. Hell, I was a user that did stuff like this when the pricks in the IT dept refused to do something silly like allow the devs to browse MSDN. The problem isn't the users, the problem is the IT departments like this. Rather than doing their job and meeting their users needs they become a self serving wanna-be programmer elitist group.
Exactly. We had our firewall system transparently upgraded a couple of weeks ago. E.g. our IT department didn't feel the need to tell anyone as there would be no noticable changes... within 30 minutes of arriving at work, I'd sent a dozen "helpdesk requests" - in each of them I asked whether anything had been changed -- more importantly, we're a software house (but the IT department are "IT" only), I asked each time whether they'd tested it! Apparently, only (good) software engineers know what testing and deployment entails!
Regards, Ray
-
I was once asked to block certain pages (read: porn) to all the users in a factory (1200+) because they were absorving a large amount of bandwidth, **except** for the 6 executives' computers. Those had full free access to anything. After performing the task, logs showed a decrease in 4% to the amount of hits to those pages. That is, those who where so worried that their employees lost time watching porn where the ones actually causing the trouble! No more comments :P
-
My 5 ....mainly because I work for a company with strict IT security policies. I've had attachments stripped out of e-mails sent me by suppliers, my e-mails from home to myself at work get blocked (don't ask me why or how) and yet...I still get spam. Security, eh? (OK, I know security != spam filter, but honestly, if they could only try to do half as well as a free service like Gmail, we'd be getting somewhere). At least they were willing to unblock CP when Websense arbitrarily decided to block it...Websense's reason for blocking? CP was in that set of dangerous websites belonging to the 'Uncategorized' category.
Websense... we had that deployed here a couple of weeks ago. Almost every site I visit was blocked. CP wasn't blocked, MSDN was! Took me about 30 minutes to force the IT manager to "announce" the upgrade and accept that some of the blocking was a little over the top -- however we need to add a business justification!
Regards, Ray
-
To be honest, all of these are things that the company IT security professionals should already have thought of. Any proxy administrator worth their salt will have already blocked as many upload sites and 3rd party proxies as they can find, and there are companies that do nothing but provide lists of what to block. The one thing that can't really be blocked is someone setting up their own proxy/upload site that won't be known about by published proxy blacklists.
Craster wrote:
all of these are things that the company IT security professionals should already have thought of.
I am not saying that any of these things are new or aren't freely available from other sources. I was just commenting on the irresponsibility of a (formerly) respected business publication advocating such practices.
Craster wrote:
The one thing that can't really be blocked is someone setting up their own proxy/upload site that won't be known about by published proxy blacklists.
That is a dangerous one if the site isn't protected properly.
Simply Elegant Designs JimmyRopes Designs
Think inside the box! ProActive Secure Systems
I'm on-line therefore I am. JimmyRopes -
Craster wrote:
all of these are things that the company IT security professionals should already have thought of.
I am not saying that any of these things are new or aren't freely available from other sources. I was just commenting on the irresponsibility of a (formerly) respected business publication advocating such practices.
Craster wrote:
The one thing that can't really be blocked is someone setting up their own proxy/upload site that won't be known about by published proxy blacklists.
That is a dangerous one if the site isn't protected properly.
Simply Elegant Designs JimmyRopes Designs
Think inside the box! ProActive Secure Systems
I'm on-line therefore I am. JimmyRopesThe most interesting one I discovered recently was what happens if you set up a Citrix Presentation Server on the internet. It has a web client that tunnels everything over http on tcp_80, so it's impossible to block at the proxy level, and once you're connected to an external Citrix session that you control, you can pretty much do anything you like.
-
Ten Things Your IT Department Won't Tell You[^] I find it hard to believe this was in a reputable publication like the Wall Street Journal. :sigh: This is irresponsible. X| It basically tells you how to bypass your company's security procedures. :rolleyes: 1. HOW TO SEND GIANT FILES 2. HOW TO USE SOFTWARE THAT YOUR COMPANY WON'T LET YOU DOWNLOAD 3. HOW TO VISIT THE WEB SITES YOUR COMPANY BLOCKS 4. HOW TO CLEAR YOUR TRACKS ON YOUR WORK LAPTOP 5. HOW TO SEARCH FOR YOUR WORK DOCUMENTS FROM HOME 6. HOW TO STORE WORK FILES ONLINE 7. HOW TO KEEP YOUR PRIVACY WHEN USING WEB EMAIL 8. HOW TO ACCESS YOUR WORK EMAIL REMOTELY WHEN YOUR COMPANY WON'T SPRING FOR A BLACKBERRY 9. HOW TO ACCESS YOUR PERSONAL EMAIL ON YOUR BLACKBERRY 10. HOW TO LOOK LIKE YOU'RE WORKING
Simply Elegant Designs JimmyRopes Designs
Think inside the box! ProActive Secure Systems
I'm on-line therefore I am. JimmyRopesSounds like employers need to fire some people who do this. If the I.T. Security department doesn't plug holes like that, then they are stupid. The bigger problem is that you have a bunch of employees who aren't working. Hence my original comment. Yes I agree it is stupid of WSJ to publish this for the dolts who are attempting to circumvent security measures. Though I can do that, I don't even try since I actually care about the security within my company and I care about my company's welfare. Sending security folks scrambling when their software triggers an intrusion is not a good idea.
-
Paul Watson wrote:
TYPING IN CAPITALS
Just swiped the lines from the WSJ article. Didn't type any of them. I don't type in all caps, except when it is syntactically correct to do so as in forming acronyms. By the way, you really didn't need to type "TYPING IN CAPITALS" (swiped that too) when a simple "typing in capitals" would do nicely.
Paul Watson wrote:
Companies need to change but through proper process not through subversion.
Agreed, some companies need to change their IT policy, but what struck me as irresponsible was a trusted business journal advocating policy that will put the person's job in jeopardy. Storing company documents on public repositories, out of the control of the company, is not something a respected business publication should advocate. I think you probably don't appreciate the WSJ reputation in business. It used to be a very responsible publication.
Simply Elegant Designs JimmyRopes Designs
Think inside the box! ProActive Secure Systems
I'm on-line therefore I am. JimmyRopesAnother good point. All employees that come in contact with computers need to be trained again as to how they could be duped into exposing sensitive corporate data.
-
Websense... we had that deployed here a couple of weeks ago. Almost every site I visit was blocked. CP wasn't blocked, MSDN was! Took me about 30 minutes to force the IT manager to "announce" the upgrade and accept that some of the blocking was a little over the top -- however we need to add a business justification!
Regards, Ray
Ray Hayes wrote:
we need to add a business justification!
Yep, us too. Our IT security people don't seem to understand that some people actually need to use IT and the internet to do their job - their first instinct always seems to be 'you're browsing the internet? Can't possibly a legitimate use of company equipment'...
-
Websense... we had that deployed here a couple of weeks ago. Almost every site I visit was blocked. CP wasn't blocked, MSDN was! Took me about 30 minutes to force the IT manager to "announce" the upgrade and accept that some of the blocking was a little over the top -- however we need to add a business justification!
Regards, Ray
Ray Hayes wrote:
we need to add a business justification!
Yep, us too. Our IT security people don't seem to understand that some people actually need to use IT and the internet to do their job - their first instinct always seems to be 'you're browsing the internet? Can't possibly be a legitimate use of company equipment'...
-
Jimmy, A cogent debate here. This august publication reports on more than just business matters and I am a subscriber myself to the Online Journal. I was initially surprised by the appearance of the article, but after reading it, it occurred to me that, if there were no willing IT people divulging these open "secrets," there would have been nothing for the reporter to write. I agree with you that perhaps the article was misguided, but these "tips" can be found on hundreds of sites via any major search engine. The means to circumvent corporate policies and procedures is out there and has been for a long time -- but it requires the will to do so.
I am glad you separated the "IT people" from the "IT department". The internet is a big playground and yes the tips are there. But coagulating it in one place and publishing it in the last vestiges of reason and responsibility is wrong. Just because its there doesn't mean you have to help. There are probably hundreds or thousands of sites on "How to make a bomb" but should any journal accumulate and publish the results of that web search? I think not. If you believe so, then move to any other criminal topic and ask the same question. Since this is not "criminal", the intent of someone using these techniques is to thwart the rules and regulations of the business. The business probably has a rule about stealing, or a dress code, code of conduct, etc. Should there be articles on how to circumvent those rules?
-
Ten Things Your IT Department Won't Tell You[^] I find it hard to believe this was in a reputable publication like the Wall Street Journal. :sigh: This is irresponsible. X| It basically tells you how to bypass your company's security procedures. :rolleyes: 1. HOW TO SEND GIANT FILES 2. HOW TO USE SOFTWARE THAT YOUR COMPANY WON'T LET YOU DOWNLOAD 3. HOW TO VISIT THE WEB SITES YOUR COMPANY BLOCKS 4. HOW TO CLEAR YOUR TRACKS ON YOUR WORK LAPTOP 5. HOW TO SEARCH FOR YOUR WORK DOCUMENTS FROM HOME 6. HOW TO STORE WORK FILES ONLINE 7. HOW TO KEEP YOUR PRIVACY WHEN USING WEB EMAIL 8. HOW TO ACCESS YOUR WORK EMAIL REMOTELY WHEN YOUR COMPANY WON'T SPRING FOR A BLACKBERRY 9. HOW TO ACCESS YOUR PERSONAL EMAIL ON YOUR BLACKBERRY 10. HOW TO LOOK LIKE YOU'RE WORKING
Simply Elegant Designs JimmyRopes Designs
Think inside the box! ProActive Secure Systems
I'm on-line therefore I am. JimmyRopesMost of these workarounds are lame old news. And if they ever did work at your company they probably won't now. Anyway, I agree with Chris. In the places I have worked Data Security's policies have at best taken away about 75% of their employees effectiveness. Instead of this antagonistic relationship between IT and the rest of the company there should be a willingness to work together. Colin Albert Code Foo, LLC I just need a Macintosh and my operating system collection will be complete.
-
Ten Things Your IT Department Won't Tell You[^] I find it hard to believe this was in a reputable publication like the Wall Street Journal. :sigh: This is irresponsible. X| It basically tells you how to bypass your company's security procedures. :rolleyes: 1. HOW TO SEND GIANT FILES 2. HOW TO USE SOFTWARE THAT YOUR COMPANY WON'T LET YOU DOWNLOAD 3. HOW TO VISIT THE WEB SITES YOUR COMPANY BLOCKS 4. HOW TO CLEAR YOUR TRACKS ON YOUR WORK LAPTOP 5. HOW TO SEARCH FOR YOUR WORK DOCUMENTS FROM HOME 6. HOW TO STORE WORK FILES ONLINE 7. HOW TO KEEP YOUR PRIVACY WHEN USING WEB EMAIL 8. HOW TO ACCESS YOUR WORK EMAIL REMOTELY WHEN YOUR COMPANY WON'T SPRING FOR A BLACKBERRY 9. HOW TO ACCESS YOUR PERSONAL EMAIL ON YOUR BLACKBERRY 10. HOW TO LOOK LIKE YOU'RE WORKING
Simply Elegant Designs JimmyRopes Designs
Think inside the box! ProActive Secure Systems
I'm on-line therefore I am. JimmyRopesIf you read ALL of the article, you will see that the author DOES discuss the reasons why you should NOT use these methods indiscriminately. In the course of doing LEGITIMATE work, many of us MUST use tricks to get around IT department security restrictions. For example, ALL HTML documents and ALL .ZIP files are blocked by our EMail server. We often need to send reports in HTML format to other people and send .ZIP files containing various types of other information. To do this, we have to change the file extension of the attachment. (Equivalent to smuggling AK-47s by putting them in a box labeled "shovels".) This article DOES discuss the risks associated with circumventing security (divulging confidential information, computer infection with viruses and other malware, etc.) Until IT department security policies become 100% based on reason, people who actually want to get their work done NEED to find ways to work around them WHEN NECESSARY. (NOT just to play games during work hours!)
John Morgan Center for Health Statistics Arkansas Department of Health and Human Services
-
I am glad you separated the "IT people" from the "IT department". The internet is a big playground and yes the tips are there. But coagulating it in one place and publishing it in the last vestiges of reason and responsibility is wrong. Just because its there doesn't mean you have to help. There are probably hundreds or thousands of sites on "How to make a bomb" but should any journal accumulate and publish the results of that web search? I think not. If you believe so, then move to any other criminal topic and ask the same question. Since this is not "criminal", the intent of someone using these techniques is to thwart the rules and regulations of the business. The business probably has a rule about stealing, or a dress code, code of conduct, etc. Should there be articles on how to circumvent those rules?
Good analogy about bombmaking, Major Tom. What it all boils down to me is the human factor and whether ethics still matter in the workplace. I'm from the old school and still believe in such but there is no loyalty on either side of the fence these days. Look around your company and count the number of people that have worked there for 5 years -- or even 2 years. Most companies I provide technical services seem to have a revolving door. In most cases, I have more tenancy with any given client than 80% of their entire IT department. Company rules are just words. What matters -- and cannot be truly be controlled -- is the intent and behavior of personnel. Like police departments, no action can be taken unless threats are made or a violation of company policies actually occurs. If anything good comes from publishing this article, it should serve as a wakeup call to admins to tighten security. Uncounted servers have been hacked simply because no one applied critical patches and fixes immediately upon release or were lax in controlling access. It was always "We'll get to it manana..." "Earth below us, drifting falling..." -- from "Major Tom (Coming Home)", Peter Schilling, 1989
-
Ten Things Your IT Department Won't Tell You[^] I find it hard to believe this was in a reputable publication like the Wall Street Journal. :sigh: This is irresponsible. X| It basically tells you how to bypass your company's security procedures. :rolleyes: 1. HOW TO SEND GIANT FILES 2. HOW TO USE SOFTWARE THAT YOUR COMPANY WON'T LET YOU DOWNLOAD 3. HOW TO VISIT THE WEB SITES YOUR COMPANY BLOCKS 4. HOW TO CLEAR YOUR TRACKS ON YOUR WORK LAPTOP 5. HOW TO SEARCH FOR YOUR WORK DOCUMENTS FROM HOME 6. HOW TO STORE WORK FILES ONLINE 7. HOW TO KEEP YOUR PRIVACY WHEN USING WEB EMAIL 8. HOW TO ACCESS YOUR WORK EMAIL REMOTELY WHEN YOUR COMPANY WON'T SPRING FOR A BLACKBERRY 9. HOW TO ACCESS YOUR PERSONAL EMAIL ON YOUR BLACKBERRY 10. HOW TO LOOK LIKE YOU'RE WORKING
Simply Elegant Designs JimmyRopes Designs
Think inside the box! ProActive Secure Systems
I'm on-line therefore I am. JimmyRopesI have to say any person in IT calling this irresponsible is a hypocrite. Circumvention of protocols and bureaucracy is as inherent to IT as the keyboard and mouse. IT Elitists don't like it when someone writes about how to circumvent their rules and procedures, but will figure out how to get around any DRM that stands in their way. Or how about installing a non-standard OS on a company PC. It's ok when it applies to you. And just because the layman is given tips that Captain Crunch would be proud of, doesn't mean they will take the time to use them either. I believe the majority of users (especially business users) wouldn't take the time to look at their email if they didn't have to. So I don't think they would take the time to poke, prod, and play with software the way we do.