BOFH: Addressing the Computer Usage Policy

Shredders at the ready

Episode 22 BOFH 2004

Sometimes, the urge to strangle someone is so strong it's almost as if there's a higher power calling you to follow your instincts…

Take today, for instance. A normal, ordinary day at Mission Control. The usual bunch of what the PFY and I refer to as idiot calls, but nothing untoward or out of the ordinary.

A day like any other.

Till the Boss gets involved because no one's paid attention to him all week. His need to be recognised in his role manifests itself today as the requirement to make some sweeping changes to the Computer Usage Policy of the company.

"It's just that we should be consistent with our other policies," he says. "We should have some form of statement to say that you mustn't use computers to harass people for instance."

"Isn't that already in the company's code-of-conduct?"

"Yes, but it doesn't refer to using computers!"

"It's a blanket cover!" I respond.

"No, because someone could say that email isn't harassing."

"Something a mailbomb program takes a very short time to disprove."

"So it's true, you can harass someone with email!"

"YOU CAN HARASS SOMEONE WITH A BLOODY SAUSAGE ON A STICK, BUT WE DON'T NEED A SAUSAGE USE POLICY TO TELL US NOT TO!" I shout, losing my rag.

"And you really don't want him to prove that last point…." the PFY advises.

"But shouldn’t we be clear about what people should and shouldn't do with computers?"

"Indeed," I say, rage subsiding. "But if an existing policy has it covered, why introduce another piece of bureaucracy?"

"Ok, so maybe harassment is covered, but what about privacy? What about someone reading my email?" he asks.

"What do you mean?" the PFY asks a little too casually.

"Someone. Reading my email without my permission."

"I think that's covered by the existing Computer Usage Policy where it says that no-one should attempt to access information that they're not entitled to access."

"But someone might access it, mightn't they?"

"They could, yes, but they'd leave audit information in the server logs."

"But YOU can erase that information, can't you?" he asks.

"We COULD erase it, yes, but in practice it's a lot harder than that," I admit.

"Really? How?"

"Well, there's audit trails, gaps in logfiles, that sort of thing. I mean if someone were to cover up access to your email, there'd be a myriad of things they'd have to do to make sure it remains undiscovered."

"Like what?"

"Suspend auditing, strip the evidence from the audit file, recreate false evidence to cover up the gaps when the evidence disappeared, possibly tamper with the system time, insert false audit records to cover the time lapse where the auditing was suspended, untamper with the system time and then resume auditing. Off the top of my head of course."

"And how long would that take?"

"Oh, the commonplace user would take days - with mistakes, etc. - to do all that."

"And you?"

"I usually do it while the PFY’s getting a coffee. Mind you, I do have a script that does most of it…"

"THIS IS EXACTLY MY POINT! WE NEED POLICY TO SAY IT SHOULDN'T BE DONE."

"And you believe that a policy would prevent this?"

"Yes."

"There's no policy to say that I shouldn't push the social club piano off the balcony while you're walking underneath it, but it hasn't happened so far!!"

"It's not my problem, because I'm only interested in computing policy."

"So if he pushed a desktop machine off the balcony, you'd be concerned?" the PFY asks.

"It's not a recognized or commonplace use of a computer."

"It is if it's got OS2 installed on it!" I respond, confusing the Boss and alienating another batch of OS2-loving readers. On purpose.

"All I'm worried about is computers," the Boss re-states. "And now, the privacy of my email."

"Don't worry, we don't access email that we're not entitled to access," I respond.

"Which email is that?"

"What do you mean?"

"Which email are you not entitled to access?"

"None of it."

"So you mean that you're entitled to access all email?"

"Yes, for the purposes outlined in the service level agreement in our individual contracts with the company. In fact, we're pretty much required to read your email."

"Why?"

"To maintain performance and reliability of the server, to fix problems before they occur."

"How?" the Boss gasps, completely thrown by this revelation.

"Well say there's a server issue with lack of disk resource in the mail store. Obviously we would need to investigate the individual users to see where the resource is wasted."

"Why not just see who's using the most space?"

"Because that doesn't necessarily find mailboxes responsible for, say, fragmentation. I mean do you honestly think that the PFY and I enjoy trolling through the inane messages to your sister-in-law? You might wish to slip away for a quiet weekend in Bristol with her while your wife's visiting your son in Egypt, but WE just don't need to know that."

"But we do," the PFY adds slyly.

"So you're saying I should just drop the policy idea altogether and nothing more will be said?"

"Exactly."

"But how do we discipline questionable computer use?"

"The old fashioned way," I reply.

"Interviews, recommendations then dismissal?"

"No, I said the old fashioned way, not the slow way."

"What's the old fashioned way?"

"Threats, blackmail."

"And when that doesn't work?" the Boss asks, doubtfully.

"The old toaster in the shower has been known to work."

"I... We thought that was a cry for help?!" the Boss gasps, remembering an incident a few weeks back involving a helpdesker with a penchant for running port scanners to find fileshares he shouldn't...

"I think I actually did hear a cry for help at the time. But that was a LONG time before the ambulance showed up..."

"I can't believe you'd do that!" the Boss gasps.

"*I* can't believe the PFY would put a couple of slices of bread in the toaster beforehand," I add. "Now that really confused people - bizarre accident or strange cry for help?"

"Yes," the PFY chuckles, remembering the incident fondly.

"Right, well, I'll just... go and put this in..."

"The shredder," the PFY says.

What do you know, it looks like being a good day after all! ®
