Comments on: The Ethics of Geekdom

By: susabelle

susabelle — Thu, 21 May 2009 14:55:03 +0000

Thank you for your comments, Eddie. It turns out that I am not the only one leaving a computer unlocked for bathroom trips or mail runs. I did a little impromptu research this morning, and found that many of my department’s workers leave their computers unlocked when they walk away for short breaks, even in shared offices. There is no “security” class we all must attend, and this information is not part of any orientation I received when I was hired 9 years ago. I don’t think anyone here believes that the information that could be accessed from our office computers is a violation of anything, and I would tend to agree. Our financial and student systems are part of a proprietary system that is accessed through a browser but requires two levels of logins to get to. The only thing easily available on my computer is my own home directory, which is full of memos, letters, proposals and white papers I’ve written (which is what the coworker was aiming for on my computer) and audio books we’ve created for disabled students. I am required to log in with a separate login and password to access mapped drives to my pc that contain installation files, server manuals and procedures, forms, etc. So there are multiple levels of security in place. But we’ve never been forced into an auto-lock/log off procedure, and were never told that we should be locking our machines when we walk out of our (secure) offices.

I am, however, appreciative of your comments and suggestions and will be making some changes in my own behavior and habits. But for me, it is all about trust, and it is still a sad thing that my own coworkers cannot be trusted. Temptation abounds, in all parts of our lives, and the same people that would never think of shoplifting, would easily access another’s computer files with no qualms whatsoever. I find that disturbing, at it’s very base.

By: Eddie S

Eddie S — Thu, 21 May 2009 14:11:22 +0000

I hate to say it, but I’m with Richard (I work for a bank, btw) on this.

Has your institution a mandatory class on computer security with signed acknolwedgement? If not, consider it pronto. It’s not about trust or lack thereof per say; it’s about the the law and/or procedural protection of your clients information.

Our desktops auto-lock at 5 minutes of inactivity. (Pain in the butt, but dem’s da’ rules…)

Something like you described would be grounds for IMMEDIATE termination in the IT department where I work, and a full investigation by the bank’s security and Compliance department as s result.

You mentioned: “Locking my computer because I need to go to the bathroom is paranoid and should be unnecessary, except in the case of a nosy coworker, which is really a whole other issue than campus network security.”

Sorry to say, but, No, you are wrong. You as much indicated it IS a security issue. People are human, and that is EXACTLY why the strict security measures are required. Doesn’t matter if it is a nosy or non-nosy coworker, or paranoia, or whatever.

Look at it this way – let’s say you step away for restroom break, and your superiors bring by a vistor, or perhaps a Federal or State Auditor stops in to see the department; what do you say then in reponse to your unlocked terminal?

Just a thought.

Think smarter, not harder.

By: susabelle

susabelle — Thu, 21 May 2009 00:42:14 +0000

Thanks for writing, Richard. IT staff working in our open areas do not leave machines logged in with administrator credentials, and our public and private networks are secured. There have been no hacks, and we rarely have a virus or trojan attack, and when we do, it’s shut down pretty quickly. I work in an office with one other person, and my office is in a secure and monitored location. Locking my computer because I need to go to the bathroom is paranoid and should be unnecessary, except in the case of a nosy coworker, which is really a whole other issue than campus network security. Our server room is locked from students, the general public, and all staff except campus police, with only the IT department having access (by door lock code) to that area, and it is monitored by recorded video. I am not sure what additional physical security should be enabled, considering we’ve had no issues. In the case of my coworker accessing my files, she was simply perusing my home directory, something she can only see if she’s using a computer I’m logged into. She has the same administrator rights as the rest of the department (just as I do). For what we have to do, this is necessary, so where do you draw the line on who has access to what? Personal and professional ethics MUST play a role in what gets accessed, as well. If you can’t trust the people in your own department, then your problems (in my opinion) run way deeper than any intrusion that could be manufactured from outside our campus.

By: Richard Clark

Richard Clark — Wed, 20 May 2009 20:08:22 +0000

As a security analyst, I am equal parts aghast and terrified that you, working for an IT department for a university, have not implemented forced desktop locking after a 16 minute interval (15 +1). The implications of you being the “norm” in the industry only exhibits the terrifying and sorry state of affairs and also explains why viruses, malware and black hats are so rampant on campuses throughout the world, let alone the US.

You are (likely) subject to Sarbanes-Oxley and if the regulations had any real teeth, your management and/or trustees could be in court if any sort of breach incident was escalated to federal investigation, as leaving a workstation with an administrator’s credentials active in your environment (with dbs full of names and SSNs) could, at minimum, land a jumbo fine.

Just what are you thinking and why haven’t any of your people had any real IT security training? Doesn’t anyone there read the security industry news?

By: susabelle

susabelle — Wed, 20 May 2009 19:58:01 +0000

We lock the door to the server room, then give everyone in the department the code for the door. So yes, and no. I am locking my computer because it has been shown to me that I can’t trust my coworker(s), but that is still a disappointing thing to contemplate. There are plenty of temptations around the workplace, but that doesn’t mean we have to act on it. It is incomprehensible to me.

By: Joe

Joe — Wed, 20 May 2009 19:37:32 +0000

I agree with you about your nosy cow-orkers. There is no reason they should be accessing your systems. But I disagree with you on locking the computer.

I, too, work for a university and even though I trust every member of my team, I hit Windows-L every time I leave the office. EVERY time. Of course, it’s almost automatic for me because of my former employment. We were required to lock our computers if we stepped away from our desk. If you were unfortunate enough to forget, you would get visited by the My Little Pony bandit. A young coworker that sat across from me who would change your wallpaper to a My Little Pony picture. Nothing harmful but it was an embarrassing reminder.

My point is, even if you trust the people you work with, don’t give them any temptation. I mean, you lock the door to the server room, don’t you?