Hard to believe this was in the Wall Street Journal
-
JimmyRopes wrote:
I didn't say any of this was new or novel in any way for an IT professional. I am just surprised at the Wall Street Journal advocating something like this.
To me this is no big deal. Hell, I was a user that did stuff like this when the pricks in the IT dept refused to do something silly like allow the devs to browse MSDN. The problem isn't the users, the problem is the IT departments like this. Rather than doing their job and meeting their users' needs they become a self-serving wanna-be programmer elitist group.
JimmyRopes wrote:
As I said before, it's irresponsible.
I still maintain that you are being melodramatic. [EDIT]
JimmyRopes wrote:
I didn't say any of this was new or novel in any way for an IT professional.
BTW, I am not an IT professional. I am a software developer.
A human being should be able to change a diaper, plan an invasion, butcher a hog, conn a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a computer, cook a tasty meal, fight efficiently, die gallantly. Specialization is for insects. -- Lazarus Long
Chris Austin wrote:
To me this is no big deal. Hell, I was a user that did stuff like this when the pricks in the IT dept refused to do something silly like allow the devs to browse MSDN. The problem isn't the users, the problem is the IT departments like this. Rather than doing their job and meeting their users' needs they become a self-serving wanna-be programmer elitist group.
Exactly. We had our firewall system transparently upgraded a couple of weeks ago. E.g. our IT department didn't feel the need to tell anyone as there would be no noticeable changes... within 30 minutes of arriving at work, I'd sent a dozen "helpdesk requests" - in each of them I asked whether anything had been changed -- more importantly, we're a software house (but the IT department are "IT" only), I asked each time whether they'd tested it! Apparently, only (good) software engineers know what testing and deployment entails!
Regards, Ray
-
I was once asked to block certain pages (read: porn) to all the users in a factory (1200+) because they were absorbing a large amount of bandwidth, **except** for the 6 executives' computers. Those had full free access to anything. After performing the task, logs showed a decrease of 4% in the amount of hits to those pages. That is, those who were so worried that their employees lost time watching porn were the ones actually causing the trouble! No more comments :P
-
My 5 ....mainly because I work for a company with strict IT security policies. I've had attachments stripped out of e-mails sent me by suppliers, my e-mails from home to myself at work get blocked (don't ask me why or how) and yet...I still get spam. Security, eh? (OK, I know security != spam filter, but honestly, if they could only try to do half as well as a free service like Gmail, we'd be getting somewhere). At least they were willing to unblock CP when Websense arbitrarily decided to block it...Websense's reason for blocking? CP was in that set of dangerous websites belonging to the 'Uncategorized' category.
Websense... we had that deployed here a couple of weeks ago. Almost every site I visit was blocked. CP wasn't blocked, MSDN was! Took me about 30 minutes to force the IT manager to "announce" the upgrade and accept that some of the blocking was a little over the top -- however we need to add a business justification!
Regards, Ray
-
To be honest, all of these are things that the company IT security professionals should already have thought of. Any proxy administrator worth their salt will have already blocked as many upload sites and 3rd party proxies as they can find, and there are companies that do nothing but provide lists of what to block. The one thing that can't really be blocked is someone setting up their own proxy/upload site that won't be known about by published proxy blacklists.
Craster wrote:
all of these are things that the company IT security professionals should already have thought of.
I am not saying that any of these things are new or aren't freely available from other sources. I was just commenting on the irresponsibility of a (formerly) respected business publication advocating such practices.
Craster wrote:
The one thing that can't really be blocked is someone setting up their own proxy/upload site that won't be known about by published proxy blacklists.
That is a dangerous one if the site isn't protected properly.
Simply Elegant Designs JimmyRopes Designs
Think inside the box! ProActive Secure Systems
I'm on-line therefore I am. JimmyRopes
-
The most interesting one I discovered recently was what happens if you set up a Citrix Presentation Server on the internet. It has a web client that tunnels everything over http on tcp_80, so it's impossible to block at the proxy level, and once you're connected to an external Citrix session that you control, you can pretty much do anything you like.
-
Ten Things Your IT Department Won't Tell You
I find it hard to believe this was in a reputable publication like the Wall Street Journal. :sigh: This is irresponsible. X| It basically tells you how to bypass your company's security procedures. :rolleyes:
1. HOW TO SEND GIANT FILES
2. HOW TO USE SOFTWARE THAT YOUR COMPANY WON'T LET YOU DOWNLOAD
3. HOW TO VISIT THE WEB SITES YOUR COMPANY BLOCKS
4. HOW TO CLEAR YOUR TRACKS ON YOUR WORK LAPTOP
5. HOW TO SEARCH FOR YOUR WORK DOCUMENTS FROM HOME
6. HOW TO STORE WORK FILES ONLINE
7. HOW TO KEEP YOUR PRIVACY WHEN USING WEB EMAIL
8. HOW TO ACCESS YOUR WORK EMAIL REMOTELY WHEN YOUR COMPANY WON'T SPRING FOR A BLACKBERRY
9. HOW TO ACCESS YOUR PERSONAL EMAIL ON YOUR BLACKBERRY
10. HOW TO LOOK LIKE YOU'RE WORKING
Simply Elegant Designs JimmyRopes Designs
Think inside the box! ProActive Secure Systems
I'm on-line therefore I am. JimmyRopes
-
Sounds like employers need to fire some people who do this. If the I.T. Security department doesn't plug holes like that, then they are stupid. The bigger problem is that you have a bunch of employees who aren't working. Hence my original comment. Yes I agree it is stupid of WSJ to publish this for the dolts who are attempting to circumvent security measures. Though I can do that, I don't even try since I actually care about the security within my company and I care about my company's welfare. Sending security folks scrambling when their software triggers an intrusion is not a good idea.
-
Paul Watson wrote:
TYPING IN CAPITALS
Just swiped the lines from the WSJ article. Didn't type any of them. I don't type in all caps, except when it is syntactically correct to do so as in forming acronyms. By the way, you really didn't need to type "TYPING IN CAPITALS" (swiped that too) when a simple "typing in capitals" would do nicely.
Paul Watson wrote:
Companies need to change but through proper process not through subversion.
Agreed, some companies need to change their IT policy, but what struck me as irresponsible was a trusted business journal advocating policy that will put the person's job in jeopardy. Storing company documents on public repositories, out of the control of the company, is not something a respected business publication should advocate. I think you probably don't appreciate the WSJ reputation in business. It used to be a very responsible publication.
Simply Elegant Designs JimmyRopes Designs
Think inside the box! ProActive Secure Systems
I'm on-line therefore I am. JimmyRopes
-
Another good point. All employees that come in contact with computers need to be trained again as to how they could be duped into exposing sensitive corporate data.
-
Ray Hayes wrote:
we need to add a business justification!
Yep, us too. Our IT security people don't seem to understand that some people actually need to use IT and the internet to do their job - their first instinct always seems to be 'you're browsing the internet? Can't possibly be a legitimate use of company equipment'...
-
Jimmy, A cogent debate here. This august publication reports on more than just business matters and I am a subscriber myself to the Online Journal. I was initially surprised by the appearance of the article, but after reading it, it occurred to me that, if there were no willing IT people divulging these open "secrets," there would have been nothing for the reporter to write. I agree with you that perhaps the article was misguided, but these "tips" can be found on hundreds of sites via any major search engine. The means to circumvent corporate policies and procedures is out there and has been for a long time -- but it requires the will to do so.
I am glad you separated the "IT people" from the "IT department". The internet is a big playground and yes the tips are there. But coagulating it in one place and publishing it in the last vestiges of reason and responsibility is wrong. Just because it's there doesn't mean you have to help. There are probably hundreds or thousands of sites on "How to make a bomb" but should any journal accumulate and publish the results of that web search? I think not. If you believe so, then move to any other criminal topic and ask the same question. Since this is not "criminal", the intent of someone using these techniques is to thwart the rules and regulations of the business. The business probably has a rule about stealing, or a dress code, code of conduct, etc. Should there be articles on how to circumvent those rules?
-
Most of these workarounds are lame old news. And if they ever did work at your company they probably won't now. Anyway, I agree with Chris. In the places I have worked Data Security's policies have at best taken away about 75% of their employees' effectiveness. Instead of this antagonistic relationship between IT and the rest of the company there should be a willingness to work together.
Colin Albert Code Foo, LLC I just need a Macintosh and my operating system collection will be complete.
-
If you read ALL of the article, you will see that the author DOES discuss the reasons why you should NOT use these methods indiscriminately. In the course of doing LEGITIMATE work, many of us MUST use tricks to get around IT department security restrictions. For example, ALL HTML documents and ALL .ZIP files are blocked by our EMail server. We often need to send reports in HTML format to other people and send .ZIP files containing various types of other information. To do this, we have to change the file extension of the attachment. (Equivalent to smuggling AK-47s by putting them in a box labeled "shovels".) This article DOES discuss the risks associated with circumventing security (divulging confidential information, computer infection with viruses and other malware, etc.) Until IT department security policies become 100% based on reason, people who actually want to get their work done NEED to find ways to work around them WHEN NECESSARY. (NOT just to play games during work hours!)
John Morgan Center for Health Statistics Arkansas Department of Health and Human Services
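The post above describes a mail filter that decides by file extension, which a rename defeats. As an added example (not from the thread or from any product named in it), this sketch classifies attachments by their content instead; the blocked-type policy mirrors the post, while the function names and the sample message are constructed for illustration.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_TYPES = {"zip", "html"}          # policy described in the post
EXT_TYPES = {".zip": "zip", ".htm": "html", ".html": "html"}
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")
HTML_MARKERS = (b"<!doctype html", b"<html", b"<head", b"<body", b"<script")
BOM = b"\xef\xbb\xbf"

def extension_type(filename):
    """Type implied by the file name alone (what an extension filter sees)."""
    return EXT_TYPES.get(os.path.splitext(filename)[1].lower(), "other")

def sniff_type(data):
    """Type implied by the bytes themselves, ignoring the file name."""
    if data.startswith(ZIP_MAGICS):
        # Office Open XML documents are ZIP containers; tell them apart so
        # a content-based rule does not block every .docx/.xlsx.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if "[Content_Types].xml" in zf.namelist():
                    return "ooxml"
        except zipfile.BadZipFile:
            pass  # truncated or damaged archive still counts as a zip
        return "zip"
    head = data[:512]
    if head.startswith(BOM):
        head = head[len(BOM):]
    if head.lstrip().lower().startswith(HTML_MARKERS):
        return "html"
    return "other"

def verdict(filename, data):
    declared, sniffed = extension_type(filename), sniff_type(data)
    if sniffed not in BLOCKED_TYPES:
        result = "allow"
    elif declared == sniffed:
        result = "block"
    else:
        result = "block-disguised"   # content is blocked, name says otherwise
    return (filename, declared, sniffed, result)

def inspect_message(raw):
    """Return one verdict tuple per attachment of a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [verdict(p.get_filename() or "", p.get_payload(decode=True) or b"")
            for p in msg.iter_attachments()]

def _zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

def build_sample_message():
    """Constructed test message: renamed zip, renamed HTML, a docx, a text file."""
    msg = EmailMessage()
    msg["Subject"] = "reports (constructed sample)"
    msg.set_content("Reports attached.")
    samples = [
        ("report.dat", _zip_bytes({"data.csv": "a,b\n1,2\n"})),
        ("summary.txt", BOM + b" \n<!DOCTYPE html><html><body>report</body></html>"),
        ("notes.docx", _zip_bytes({"[Content_Types].xml": "<Types/>"})),
        ("readme.txt", b"Quarterly numbers are in the other files.\n"),
    ]
    for name, data in samples:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for row in inspect_message(build_sample_message()):
        print(row)
```

A `block-disguised` verdict is also worth logging separately from a plain `block`, since it records that the name and the content disagree.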
-
Good analogy about bombmaking, Major Tom. What it all boils down to me is the human factor and whether ethics still matter in the workplace. I'm from the old school and still believe in such but there is no loyalty on either side of the fence these days. Look around your company and count the number of people that have worked there for 5 years -- or even 2 years. Most companies I provide technical services seem to have a revolving door. In most cases, I have more tenancy with any given client than 80% of their entire IT department. Company rules are just words. What matters -- and cannot truly be controlled -- is the intent and behavior of personnel. Like police departments, no action can be taken unless threats are made or a violation of company policies actually occurs. If anything good comes from publishing this article, it should serve as a wakeup call to admins to tighten security. Uncounted servers have been hacked simply because no one applied critical patches and fixes immediately upon release or were lax in controlling access. It was always "We'll get to it manana..."
"Earth below us, drifting falling..." -- from "Major Tom (Coming Home)", Peter Schilling, 1989
-
I have to say any person in IT calling this irresponsible is a hypocrite. Circumvention of protocols and bureaucracy is as inherent to IT as the keyboard and mouse. IT Elitists don't like it when someone writes about how to circumvent their rules and procedures, but will figure out how to get around any DRM that stands in their way. Or how about installing a non-standard OS on a company PC. It's ok when it applies to you. And just because the layman is given tips that Captain Crunch would be proud of, doesn't mean they will take the time to use them either. I believe the majority of users (especially business users) wouldn't take the time to look at their email if they didn't have to. So I don't think they would take the time to poke, prod, and play with software the way we do.
-
Your initial problem is that you thought the Wall Street Journal was a respectable journal. Nothing could be further from the truth. It has always been a rag for the conservative establishment and the financial elites. Now that Rupert Murdoch has bought the bloody thing I imagine its true nature should begin to show its colors soon...
Steve Naidamast Black Falcon Software, Inc. blackfalconsoftware@ix.netcom.com
-
No NEED to PUNCTUATE your WRITING with WORDS in ALL capitals. A paragraph break here and there would also make it easier to read. :)
Simply Elegant Designs JimmyRopes Designs
Think inside the box! ProActive Secure Systems
I'm on-line therefore I am. JimmyRopes
-
I agree with you and I've seen the same. The manufacturer I work for reversed that trend back in the 80s. Now we have people who have been here for 50 years (and everything in between). Our turnover is only 2%. We have over 33,000 employees. Screwups and failures are reprimanded (if there was negligence) but you don't get fired for it. However you do get fired over illegal and conduct issues. So this article is lining some people up for a fall. Good to talk to you.
-
I forgot that it has become The Gotham Town Crier. :)
Simply Elegant Designs JimmyRopes Designs
Think inside the box! ProActive Secure Systems
I'm on-line therefore I am. JimmyRopes
-
I agree 100% with the OP. This is irresponsible. Some of you seem to be so anti-IT that you aren't seeing the danger of this article. Really the sending of big files is the least harmful in the list of things they're instructing users to do. But some of these are downright dangerous, many of them could get you fired, and some are just unproductive. As someone who's been both an IT admin and a programmer for the past 6 years I understand that users need to be able to do the things necessary for their job and also that the IT department is responsible for keeping the network safe. We have ways for users to achieve every item on this list that could possibly be deemed work related. But when a new user starts and he's read this article, what are the chances he's going to ask us the right way to do it instead of just using these dangerous methods? Sure an uninformed user could find out about all of these on his own, but if he's going to be doing that much research chances are instead he'd ask us and we'd instruct him in the proper way to achieve his goal.
-
Nice chat, Major. When I said I'm from the old school, take that literally, as I've been in the work force since 1963. Today, technology is still my profession -- and also my hobby, as I never get enough of it. I've lived through the eras of "work for us for life and we'll take care of you for life" to "what have you done for us lately." That's why I’ve embraced entrepreneurship instead of a corporate career for the last 25 years. I’m pleased to see, however, that your company still retains people of quality, experience and longevity. Perhaps, as you say, the article may be enabling – but only to those who have less than honorable intentions to begin with and are easily tempted to push the envelope in less than honorable ways. These types bring no favor to any employer and should be discharged, even if they are company “stars.” But, management sometimes turns a blind eye to such misconduct because they are solely focused on quarter-to-quarter results to please shareholders and have ways of covering malfeasance. It is unlikely that the WSJ will ever publish such content again, but with the recent sale to Murdoch, we may see more tabloid-style articles like this. If so, they will lose longtime subscribers like me and the world will lose a truly great publication. Also, technology columnists Lee Gomes and Walter Mossberg will have to find other employment; look for them at your company’s next job fair. Rather than clog this blog, reach me at my web site: robertewilson.name and click the eMail button. Otherwise, we can continue our enjoyable dialog here at the discretion of the forum moderator(s). “Ground Control to Major Tom, Take your protein pills and put your helmet on” -- Space Oddity, 1972, David Bowie, aka Ziggy Stardust & The Spiders from Mars, aka glitter rock