How to take a small problem and turn it into a big one

by Volker Weber

Mordac, the preventer of information services, is my hero. He is the quintessential corporate IT guy, who never stops thinking about how to make the computers less useful. What is Mordac's biggest nightmare? USB. Any user can connect USB devices to a computer, and some of them do not even require a driver. Like the ubiquitous thumb drive.

Ray Ozzie once told me that he has seen organisations where users have two computers. One supplied by their organisation, and another one which they bought themselves. They did all their work on their own computers and then transferred the results to their employer's machine. How do you do that? You use a thumb drive. Plug in, transfer file, remove and plug into other machine, transfer.

Even without this absurd situation, people have good uses for thumb drives. They are this decade's version of the floppy disk. Need to go to a meeting and take your presentation? Put it on a thumb drive. Mordac cannot allow this. He does not care about usefulness. He thinks about control. So he must close that hole. Disable the USB port.

So what does the user do? He has to find a way around Mordac. Ask Paul. The user will simply send the file by email. To an address on a public webmail service, Google Mail for instance, since he has lots of storage there. That would be a novice user. An experienced user just attaches the file to a draft on Google Mail and never sends it at all.

Comments

Of course the kind of organisation that would pour epoxy into the USB slots (apparently this is how they block them sometimes) would also block access to all webmail providers, and limit attachment sizes, and even strip any attachment that isn't a Microsoft Office document.

The corporation I work for hasn't blocked USB ports yet... (yes, they have done the other two).

Marcin Szczepanski, 2006-09-10

Blocking all webmail providers is another Mordac solution. Users will find a different way around this. One of Mordac's smaller problems is that he cannot possibly know all providers. A bigger one is that there are more users than Mordacs.

Volker Weber, 2006-09-10

Excellent. The Mordacs of the world create a computing environment that is so dysfunctional they turn their co-workers into the enemy. I call this the Maximum Security Myth, and I wrote an article about it a few years ago for e-Pro. Too many so-called security policies don't actually solve any problems, they simply create different ones. A little common sense goes a long way, and building systems and policies that actively prevent people from doing their jobs is not terribly sensible.

Is your system more secure if the users stop using it, but rather turn to other methods you don't control? Your system, maybe. Your organization, no. A security policy that leads to decreased usage statistics is a failure in more ways than one, but you will never see that listed as a success criterion for a security administrator. Mordac is everywhere.

Rob McDonagh, 2006-09-10

Ho!

I'm buried in a Mordac-like environment right now. No access to anything on the corporate web, and the stuff that does work is so slow it reminds me of satellite ADSL days.

Still. Not all is lost. Someone in an apartment opposite the office building has open wireless! So the blingmaster sits on my desk....

Seeing this more and more.

---* Bill

Bill Buchan, 2006-09-10

Unfortunately most large companies in Germany are Mordac Enterprises. This is particularly true for government related organizations. You are not even allowed to email to somebody outside your own network nor to connect to the internet. Strange, if you are an open source developer in such an organization. Funnily enough most of them have not discovered the USB port ... but this is only a matter of time.

Cem Basman, 2006-09-10

Just bear in mind that in some organisations it’s not the IT guys who make these decisions.

Anyway, be sure to add instant messaging applications to the block-list too: heaven forbid your users should save you money by using something like VOIP in Skype (vowe knows to what I allude here ;o) )

Ben Poole, 2006-09-10

To play the devil's advocate for a minute, consider the issues the IT security people are trying to deal with.

Having been involved in many security review processes as a third (or in some cases fourth) party, here are some:

1. The accidental distribution of private information through things like "reply with history" which can include customer data that the customer expects to be kept private. -- This is becoming more and more an issue.

2. The civil law suit exposure related to private electronic mails or simply short replies to legitimate issues taken out of context.

3. The accidental exposure to zero day exploits through browser or mail client vulnerabilities resulting in keylogger and data mining trojan ware. This is a common corporate espionage tool now. An exec makes a habit of going to Starbucks and logging in with his laptop over coffee. A corporate data spy (and they absolutely exist) uses easily obtained scripts to substitute not images, but script files on common web pages. The user inadvertently turns on a trojan which compiles data while the laptop is on the corporate network. The next morning, at the same bat-time, on the same bat-channel (Starbucks in this case) said hacker simply retrieves the stored data.

-- these kinds of things do happen, and for financial institutions this risk is very high. Imagine the negative exposure to a major bank if customer data is stolen?


I'm not saying I like working in that environment at all. You know me, and you know I'm one of the most connected people out there. That said, if you take a job and a prerequisite is to live under these rules; then you have no business subverting them.

In fact, subverting the methods is IMO the least effective way to fight the "mordac" types in this world. Instead, consider holding firm to the rules as set forth -- to the point of the extreme. The best way to fight stupid corporate policy is to follow them to the letter and insist on those around you doing the same. If the policies make work impossible, they will change.

Andrew Pollack, 2006-09-10

The best way to fight stupid corporate policy is to follow them to the letter and insist on those around you doing the same. If the policies make work impossible, they will change.

Good points Andrew, and I bet this would work for a whole lot of people. Sadly, many organisations (my own included) don’t take kindly to this argument. If I didn’t deliver, and claimed idiotic “policy” as my defence, alas, I would be out on my arse (and would therefore have stopped working at my current employer approximately six years ago ;o) )

Ben Poole, 2006-09-10

Thanks, Ben. I was going to say this, but you can do that with much more authority. ;-)

The German term for this is "Dienst nach Vorschrift". Just following orders. This never plays well.

Volker Weber, 2006-09-10

Ah vowe, if you wondered where Mordac's second job is, he's alive and kicking at the company I work for. To use a USB mouse, you need a USB to DIN plug adaptor as all USB ports on all PCs are disabled (but not using epoxy glue, I hasten to add!).

John Keys, 2006-09-11

Yes, in some cases doing strictly, exactly what you're told can equate to going on strike:

http://www.joelonsoftware.com/items/2004/12/06.html

Which is fine as long as you really do want to go on strike. But it can get you in trouble if you're just trying to make a point.

Julian Robichaux, 2006-09-11

Our policy says we are allowed limited web access but are not allowed to download any files.

Go figure, lol.

Ben Rose, 2006-09-11

We don't do this where I work, but just out of interest, how do you prevent the corporate thief who connects up their 20GB iPod to their computer and downloads huge amounts of data? Put in more layers of security and make the data more difficult to access = exactly the same problem, that is, access to info takes longer and therefore interrupts business. Or a system that tracks file access and rings alarms when files are saved somewhere else? Who polices it all? This isn't particularly my area, but I'd love to see what solutions there are.

Jonathan LEWIS, 2006-09-12
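Jonathan's question has two halves: blocking the device and alerting on it. The block below is an added example, not code from the post or from any commenter, and it shows the alerting half. It walks constructed lines in the shape of Linux kernel messages (what `journalctl -k` prints when a USB mass-storage device is attached), ties the serial number reported on a USB port to the later usb-storage attach event on that port, and raises an alert for any mass-storage device whose serial is not on an allowlist of issued devices. The hostname, serial numbers, allowlist and timings are invented; the message shapes approximate real kernel output and should be checked against the kernels actually in use before relying on the patterns.

```python
"""Alert on removable-storage attachments that are not on an allowlist.

Added example, not from the original post. Input lines are constructed to
approximate Linux kernel messages as shown by `journalctl -k`.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Serials of company-issued devices. Invented for this example; a real
# deployment would load them from the asset inventory.
ALLOWED_SERIALS = {"4C530001230509111234"}

# Constructed sample log. Hostname, serials and device numbers are invented.
# Port 1-1 first carries an approved device, is unplugged, and later carries a
# device that reports no serial at all. Port 1-2 carries an unapproved device.
# Port 1-3 is a mouse, which is not mass storage and must not alert.
SAMPLE_LOG = """\
Sep 10 09:12:01 ws42 kernel: usb 1-1: new high-speed USB device number 5 using xhci_hcd
Sep 10 09:12:01 ws42 kernel: usb 1-1: SerialNumber: 4C530001230509111234
Sep 10 09:12:01 ws42 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Sep 10 09:20:44 ws42 kernel: usb 1-1: USB disconnect, device number 5
Sep 10 09:31:17 ws42 kernel: usb 1-2: new high-speed USB device number 6 using xhci_hcd
Sep 10 09:31:17 ws42 kernel: usb 1-2: SerialNumber: 000A27001F2E3B4C
Sep 10 09:31:17 ws42 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Sep 10 09:31:20 ws42 kernel: usb 1-3: new low-speed USB device number 7 using xhci_hcd
Sep 10 09:31:20 ws42 kernel: input: USB Optical Mouse as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/input/input12
Sep 10 09:45:02 ws42 kernel: usb 1-1: new high-speed USB device number 8 using xhci_hcd
Sep 10 09:45:02 ws42 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
"""

# Common syslog-style prefix: timestamp, host, then the kernel message.
_PREFIX = r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: "
_PORT = r"(?P<port>\d+-[\d.]+)"  # USB topology path such as 1-1 or 1-1.4

RE_SERIAL = re.compile(_PREFIX + r"usb " + _PORT + r": SerialNumber: (?P<serial>\S+)$")
RE_STORAGE = re.compile(_PREFIX + r"usb-storage " + _PORT + r":\d+\.\d+: USB Mass Storage device detected$")
RE_DISCONNECT = re.compile(_PREFIX + r"usb " + _PORT + r": USB disconnect")


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    port: str
    serial: Optional[str]  # None when the device reported no serial
    reason: str


def scan(log_text: str, allowed: set[str] = ALLOWED_SERIALS) -> list[Alert]:
    """Return one Alert per mass-storage attach whose serial is unknown or not allowed."""
    serial_by_port: dict[str, str] = {}  # latest serial seen on each USB port
    alerts: list[Alert] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RE_SERIAL.match(line):
            # The serial arrives before the storage driver binds; remember it per port.
            serial_by_port[m["port"]] = m["serial"]
        elif m := RE_DISCONNECT.match(line):
            # Forget the serial so a later device on the same port cannot inherit it.
            serial_by_port.pop(m["port"], None)
        elif m := RE_STORAGE.match(line):
            serial = serial_by_port.get(m["port"])
            if serial is None:
                alerts.append(Alert(m["ts"], m["host"], m["port"], None,
                                    "mass storage device reported no serial number"))
            elif serial not in allowed:
                alerts.append(Alert(m["ts"], m["host"], m["port"], serial,
                                    "mass storage device not on allowlist"))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.host} port={a.port} serial={a.serial}: {a.reason}")
```

Run as a script it prints two alerts for the sample: the unapproved device on port 1-2 and the serial-less device on port 1-1. Devices without a serial get their own alert because an allowlist cannot vouch for them, and the disconnect handling is what stops the second device on port 1-1 from inheriting the approved serial. The blocking half is configuration rather than code: on Linux a udev rule can unbind the usb-storage driver for devices whose ID_SERIAL is not approved, and on Windows the Removable Storage Access Group Policy or disabling the USBSTOR service gives the same effect. Neither stops the webmail route the post describes, which is the point: a control that only constrains the endpoint moves the data somewhere the organisation cannot see it.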
