BOFH: Addressing the Computer Usage Policy

Shredders at the ready

Episode 22 BOFH 2004

Sometimes, the urge to strangle someone is so strong it's almost as if there's a higher power calling you to follow your instincts…

Take today, for instance. A normal, ordinary day at Mission Control. The usual bunch of what the PFY and I refer to as idiot calls, but nothing untoward or out of the ordinary.

A day like any other.

Till the Boss gets involved because no one's paid attention to him all week. His need to be recognised in his role manifests itself today as the requirement to make some sweeping changes to the Computer Usage Policy of the company.

"It's just that we should be consistent with our other policies," he says. "We should have some form of statement to say that you mustn't use computers to harass people for instance."

"Isn't that already in the company's code-of-conduct?"

"Yes, but it doesn't refer to using computers!"

"It's a blanket cover!" I respond.

"No, because someone could say that email isn't harassing."

"Something a mailbomb program takes a very short time to disprove."

"So it's true, you can harass someone with email!"

"YOU CAN HARASS SOMEONE WITH A BLOODY SAUSAGE ON A STICK, BUT WE DON'T NEED A SAUSAGE USE POLICY TO TELL US NOT TO!" I shout, losing my rag.

"And you really don't want him to prove that last point…." the PFY advises.

"But shouldn’t we be clear about what people should and shouldn't do with computers?"

"Indeed." I say, rage subsiding. "But if an existing policy has it covered, why introduce another piece of bureaucracy?"

"Ok, so maybe harassment is covered, but what about privacy? What about someone reading my email?" he asks.

"What do you mean?" the PFY asks a little too casually.

"Someone. Reading my email without my permission."

"I think that's covered by the existing Computer Usage Policy where it says that no-one should attempt to access information that they're not entitled to access."

"But someone might access it, mightn't they?"

"They could, yes, but they'd leave audit information in the server logs."

"But YOU can erase that information, can't you?" he asks.

"We COULD erase it, yes, but in practice it's a lot harder than that," I admit.

"Really? How?"

"Well, there's audit trails, gaps in logfiles, that sort of thing. I mean if someone were to cover up access to your email, there'd be a myriad of things they'd have to do to make sure it remains undiscovered."

"Like what?"

"Suspend auditing, strip the evidence from the audit file, recreate false evidence to cover up the gaps when the evidence disappeared, possibly tamper with the system time, insert false audit records to cover the time lapse where the auditing was suspended, untamper with the system time and then resume auditing. Off the top of my head of course."

"And how long would that take?"

"Oh, the commonplace user would take days - with mistakes, etc. - to do all that."

"And you?"

"I usually do it while the PFY’s getting a coffee. Mind you, I do have a script that does most of it…"

"THIS IS EXACTLY MY POINT! WE NEED POLICY TO SAY IT SHOULDN'T BE DONE."

"And you believe that a policy would prevent this?"

"Yes."

"There's no policy to say that I shouldn't push the social club piano off the balcony while you're walking underneath it, but it hasn't happened so far!!"

"It's not my problem, because I'm only interested in computing policy."

"So if he pushed a desktop machine off the balcony, you'd be concerned?" the PFY asks.

"It's not a recognized or commonplace use of a computer."

"It is if it's got OS2 installed on it!" I respond, confusing the Boss and alienating another batch of OS2-loving readers. On purpose.

"All I'm worried about is computers," the Boss re-states. "And now, the privacy of my email."

"Don't worry, we don't access email that we're not entitled to access," I respond.

"Which email is that?"

"What do you mean?"

"Which email are you not entitled to access?"

"None of it."

"So you mean that you're entitled to access all email?"

"Yes, for the purposes outlined in the service level agreement in our individual contracts with the company. In fact, we're pretty much required to read your email."

"Why?"

"To maintain performance and reliability of the server, to fix problems before they occur."

"How?" the Boss gasps, completely thrown by this revelation.

"Well say there's a server issue with lack of disk resource in the mail store. Obviously we would need to investigate the individual users to see where the resource is wasted."

"Why not just see who's using the most space?"

"Because that doesn't necessarily find mailboxes responsible for, say, fragmentation. I mean do you honestly think that the PFY and I enjoy trolling through the inane messages to your sister-in-law? You might wish to slip away for a quiet weekend in Bristol with her while your wife's visiting your son in Egypt, but WE just don't need to know that."

"But we do," the PFY adds slyly.

"So you're saying I should just drop the policy idea altogether and nothing more will be said?"

"Exactly."

"But how do we discipline questionable computer use?"

"The old fashioned way," I reply.

"Interviews, recommendations then dismissal?"

"No, I said the old fashioned way, not the slow way."

"What's the old fashioned way?"

"Threats, blackmail."

"And when that doesn't work?" the Boss asks, doubtfully.

"The old toaster in the shower has been known to work."

"I.. ... We thought that was a cry for help?!" the Boss gasps, remembering an incident a few weeks back involving a helpdesker with a penchant for running port scanners to find fileshares he shouldn't...

"I think I actually did hear a cry for help at the time. But that was a LONG time before the ambulance showed up..."

"I can't believe you'd do that!" the Boss gasps.

"*I* can't believe the PFY would put a couple of slices of bread in the toaster beforehand," I add. "Now that really confused people - bizarre accident or strange cry for help?"

"Yes," the PFY chuckles, remembering the incident fondly.

"Right, well, I'll just... go and put this in..."

"The shredder," the PFY says.

What do you know, it looks like being a good day after all! ®
