BOFH: Addressing the Computer Usage Policy
Shredders at the ready
Episode 22 BOFH 2004
Sometimes, the urge to strangle someone is so strong it's almost as if there's a higher power calling you to follow your instincts…
Take today, for instance. A normal, ordinary day at Mission Control. The usual bunch of what the PFY and I refer to as idiot calls, but nothing untoward or out of the ordinary.
A day like any other.
Till the Boss gets involved because no one's paid attention to him all week. His need to be recognised in his role manifests itself today as the requirement to make some sweeping changes to the Computer Usage Policy of the company.
"It's just that we should be consistent with our other policies," he says. "We should have some form of statement to say that you mustn't use computers to harass people for instance."
"Isn't that already in the company's code-of-conduct?"
"Yes, but it doesn't refer to using computers!"
"It's a blanket cover!" I respond.
"No, because someone could say that email isn't harassing."
"Something a mailbomb program takes a very short time to disprove."
"So it's true, you can harass someone with email!"
"YOU CAN HARRASS SOMEONE WITH A BLOODY SAUSAGE ON A STICK, BUT WE DON'T NEED A SAUSAGE USE POLICY TO TELL US NOT TO!" I shout, losing my rag.
"And you really don't want him to prove that last point…." the PFY advises.
"But shouldn’t we be clear about what people should and shouldn't do with computers?"
"Indeed." I say, rage subsiding. "But if an existing policy has it covered, why introduce another piece of bureaucracy?"
"Ok, so maybe harassment is covered, but what about privacy? What about someone reading my email?" he asks.
"What do you mean?" the PFY asks a little too casually.
"Someone. Reading my email without my permission."
"I think that's covered by the existing Computer Usage Policy where it says that no-one should attempt to access information that they're not entitled to access."
"But someone might access it, mightn't they?"
"They could, yes, but they'd leave audit information in the server logs."
"But YOU can erase that information, can't you?" he asks.
"We COULD erase it, yes, but in practice it's a lot harder than that," I admit.
"Well, there's audit trails, gaps in logfiles, that sort of thing. I mean if someone were to cover up access to you email, there'd be a myriad of things they'd have to do to make sure it remains undiscovered."
"Suspend auditing, strip the evidence from the audit file, recreate false evidence to cover up the gaps when the evidence disappeared, possibly tamper with the system time, insert false audit records to cover the time lapse where the auditing was suspended, untamper with the system time and then resume auditing. Off the top of my head of course."
"And how long would that take?"
"Oh, the commonplace user would take days - with mistakes, etc. - to do all that."
"I usually do it while the PFY’s getting a coffee. Mind you, I do have a script that does most of it…"
"THIS IS EXACTLY MY POINT! WE NEED POLICY TO SAY IT SHOULDN'T BE DONE."
"And you believe that a policy would prevent this?"
"There's no policy to say that I shouldn't push the social club piano off the balcony while you're walking underneath it, but it hasn't happened so far!!"
“It’s not my problem, because I’m only interested in computing policy.”
“So if he pushed a desktop machine off the balcony, you’d be concerned?” the PFY asks.
“It’s not a recognized or commonplace use of a computer.”
“It is if it’s got OS2 installed on it!” I respond, confusing the Boss and alienating another batch of OS2-loving readers. On purpose.
"All I'm worried about is computers," the Boss re-states. "And now, the privacy of my email."
"Don't worry, we don't access email that we're not entitled to access," I respond.
"Which email is that?"
"What do you mean?"
"Which email are you not entitled to access?"
"None of it."
"So you mean that you're entitled to access all email?"
"Yes, for the purposes outlined in the service level agreement in our individual contracts with the company. In fact, we're pretty much required to read your email."
"To maintain performance and reliability of the server, to fix problems before they occur."
"How?" the Boss gasps, completely thrown by this revelation.
"Well say there's a server issue with lack of disk resource in the mail store. Obviously we would need to investigate the individual users to see where the resource is wasted."
"Why not just see who's using the most space?"
"Because that doesn't necessarily find mailboxes responsible for, say, fragmentation. I mean do you honestly think that the PFY and I enjoy trolling through the inane messages to your sister-in-law? You might wish to slip away for a quiet weekend in Bristol with her while your wife's visiting your son in Egypt, but WE just don't need to know that."
"But we do," the PFY adds slyly.
"So you're saying I should just drop the policy idea altogether and nothing more will be said?"
"But how do we discipline questionable computer use?"
"The old fashioned way," I reply.
"Interviews, recommendations then dismissal?"
"No, I said the old fashioned way, not the slow way."
"What's the old fashioned way?"
"And when that doesn't work?" the Boss asks, doubtfully.
"The old toaster in the shower has been known to work."
"I.. ... We thought that was a cry for help?!" the Boss gasps, remembering an incident a few weeks back involving a helpdesker with a penchant for running port scanners to find fileshares he shouldn't...
"I think I actually did hear a cry for help at the time. But that was a LONG time before the ambulance showed up..."
"I can't believe you'd do that!" the Boss gasps.
"*I* can't believe the PFY would put a couple of slices of bread in the toaster beforehand," I add. "Now that really confused people - bizarre accident or strange cry for help?"
"Yes," the PFY chuckles, remembering the incident fondly.
"Right, well, I'll just... go and put this in..."
"The shredder," the PFY says.
What do you know, it looks like being a good day after all! ®
Sponsored: Becoming a Pragmatic Security Leader