BOFH: Addressing the Computer Usage Policy

Shredders at the ready

Episode 22 BOFH 2004

Sometimes, the urge to strangle someone is so strong it's almost as if there's a higher power calling you to follow your instincts…

Take today, for instance. A normal, ordinary day at Mission Control. The usual bunch of what the PFY and I refer to as idiot calls, but nothing untoward or out of the ordinary.

A day like any other.

Till the Boss gets involved because no one's paid attention to him all week. His need to be recognised in his role manifests itself today as the requirement to make some sweeping changes to the Computer Usage Policy of the company.

"It's just that we should be consistent with our other policies," he says. "We should have some form of statement to say that you mustn't use computers to harass people for instance."

"Isn't that already in the company's code-of-conduct?"

"Yes, but it doesn't refer to using computers!"

"It's a blanket cover!" I respond.

"No, because someone could say that email isn't harassing."

"Something a mailbomb program takes a very short time to disprove."

"So it's true, you can harass someone with email!"

"YOU CAN HARASS SOMEONE WITH A BLOODY SAUSAGE ON A STICK, BUT WE DON'T NEED A SAUSAGE USE POLICY TO TELL US NOT TO!" I shout, losing my rag.

"And you really don't want him to prove that last point…." the PFY advises.

"But shouldn't we be clear about what people should and shouldn't do with computers?"

"Indeed." I say, rage subsiding. "But if an existing policy has it covered, why introduce another piece of bureaucracy?"

"Ok, so maybe harassment is covered, but what about privacy? What about someone reading my email?" he asks.

"What do you mean?" the PFY asks a little too casually.

"Someone. Reading my email without my permission."

"I think that's covered by the existing Computer Usage Policy where it says that no-one should attempt to access information that they're not entitled to access."

"But someone might access it, mightn't they?"

"They could, yes, but they'd leave audit information in the server logs."

"But YOU can erase that information, can't you?" he asks.

"We COULD erase it, yes, but in practice it's a lot harder than that," I admit.

"Really? How?"

"Well, there's audit trails, gaps in logfiles, that sort of thing. I mean if someone were to cover up access to your email, there'd be a myriad of things they'd have to do to make sure it remains undiscovered."

"Like what?"

"Suspend auditing, strip the evidence from the audit file, recreate false evidence to cover up the gaps when the evidence disappeared, possibly tamper with the system time, insert false audit records to cover the time lapse where the auditing was suspended, untamper with the system time and then resume auditing. Off the top of my head of course."

"And how long would that take?"

"Oh, the commonplace user would take days - with mistakes, etc. - to do all that."

"And you?"

"I usually do it while the PFY's getting a coffee. Mind you, I do have a script that does most of it…"

"THIS IS EXACTLY MY POINT! WE NEED POLICY TO SAY IT SHOULDN'T BE DONE."

"And you believe that a policy would prevent this?"

"Yes."

"There's no policy to say that I shouldn't push the social club piano off the balcony while you're walking underneath it, but it hasn't happened so far!!"

"It's not my problem, because I'm only interested in computing policy."

"So if he pushed a desktop machine off the balcony, you'd be concerned?" the PFY asks.

"It's not a recognized or commonplace use of a computer."

"It is if it's got OS2 installed on it!" I respond, confusing the Boss and alienating another batch of OS2-loving readers. On purpose.

"All I'm worried about is computers," the Boss re-states. "And now, the privacy of my email."

"Don't worry, we don't access email that we're not entitled to access," I respond.

"Which email is that?"

"What do you mean?"

"Which email are you not entitled to access?"

"None of it."

"So you mean that you're entitled to access all email?"

"Yes, for the purposes outlined in the service level agreement in our individual contracts with the company. In fact, we're pretty much required to read your email."

"Why?"

"To maintain performance and reliability of the server, to fix problems before they occur."

"How?" the Boss gasps, completely thrown by this revelation.

"Well say there's a server issue with lack of disk resource in the mail store. Obviously we would need to investigate the individual users to see where the resource is wasted."

"Why not just see who's using the most space?"

"Because that doesn't necessarily find mailboxes responsible for, say, fragmentation. I mean do you honestly think that the PFY and I enjoy trolling through the inane messages to your sister-in-law? You might wish to slip away for a quiet weekend in Bristol with her while your wife's visiting your son in Egypt, but WE just don't need to know that."

"But we do," the PFY adds slyly.

"So you're saying I should just drop the policy idea altogether and nothing more will be said?"

"Exactly."

"But how do we discipline questionable computer use?"

"The old fashioned way," I reply.

"Interviews, recommendations then dismissal?"

"No, I said the old fashioned way, not the slow way."

"What's the old fashioned way?"

"Threats, blackmail."

"And when that doesn't work?" the Boss asks, doubtfully.

"The old toaster in the shower has been known to work."

"I.. ... We thought that was a cry for help?!" the Boss gasps, remembering an incident a few weeks back involving a helpdesker with a penchant for running port scanners to find fileshares he shouldn't...

"I think I actually did hear a cry for help at the time. But that was a LONG time before the ambulance showed up..."

"I can't believe you'd do that!" the Boss gasps.

"*I* can't believe the PFY would put a couple of slices of bread in the toaster beforehand," I add. "Now that really confused people - bizarre accident or strange cry for help?"

"Yes," the PFY chuckles, remembering the incident fondly.

"Right, well, I'll just... go and put this in..."

"The shredder," the PFY says.

What do you know, it looks like being a good day after all! ®