Great reporting on your part - shame on WSJ. This screams journalistic improprieties. How could an editor working for a publication, no, an institution like the WSJ, knowingly allow such information to be disseminated to their readers?
I commend you for your reporting of this and your opinions. However, I'm sure that many people who don't care about corporate policies already know much of this; those who are sitting on the fence will undoubtedly try some of these techniques.
All this at a time when data breach laws are being passed that put all of the responsibility on the employer, and some heavy penalties too.
Great job.
I look forward to the rest of your follow-up.

An unsurprising reaction to heavy-handed "security" policies
I think that the WSJ article is a fairly predictable reaction to the level of anger and frustration I see out in the field among ordinary employees subjected to heavy-handed and arbitrary "security" policies.
I quite agree that some of these "tips" could let a worm behind the firewall, or hamper a forensic reconstruction -- but I also think that it is no coincidence that this appeared in a mainstream newspaper, either (these things are certainly no surprise to those of us in the field).
In my experience, people are pretty eager to protect their jobs and help out the security staff if a reasonable job is done explaining why certain security measures are in place -- but this seems to be very rarely done, since so many of the policies would need to be explained by "because we don't trust you to actually do your work." And I won't even mention the outrages that are perpetrated in the name of "SOX Compliance" (though a poorly-written law, a lack of legal precedents, and predatory SOX consulting firms surely share some blame).
Sure we're overworked. Sure we're generally understaffed. But until both the security folk and the senior management are willing to take on their employees as partners in security, instead of potential criminals and layabouts, we're going to see even more of this sort of article.
"I think that the WSJ
"I think that the WSJ article is a fairly predictable reaction to the level of anger and frustration ..."
That's exactly right on. I'd rather see it in the WSJ than in those stupid email forward-chain messages (which arguably could reach an even wider audience more willing to non-comply). I'm not surprised by this article at all. And I'd suggest that if you are, you should rethink your perspective-- perhaps you have forgotten how much perpetual motion exists in current computing products, especially enterprise computing products.
And this is not a spin in favor of full-disclosure, either. I'm against full disclosure, but in this case, there's nothing being disclosed. There's nothing new at all. If anything, this is going to bring a general security awareness to people who are otherwise trying to work through frustrations.
Maybe it's time to walk a mile in their shoes and build better security solutions, instead of just chiding the WSJ for speaking the obvious.
rights
The magazine has a right to publish whatever they want. It's their right. The only good point you made is the moral one. I am happy to find articles like this and I hope they print more in the future.
WSJ editors irresponsible
Unbelievable that this article was allowed to be published in a respected business publication.
The last thing I need is the WSJ telling people how to circumvent the security controls (and often legal requirements) that have been implemented on the network.
Ms. Vara's lame follow up is a second slap to the face for IT workers - a total retraction of the first article should have been the WSJ's response.
Completely Irresponsible
That article has to be, without a doubt, the most irresponsible piece of tech (if you want to call it that) journalism I have ever read. Ms. Vara should stick to writing about subjects about which she actually has knowledge. For example, simply going HTTPS does NOT lock your company out of your doings on the web.
To Ms. Vara,
Did you forget that the PC is not yours? And just maybe those nerdy guys saw your "Oh, sooo clever self" coming. Ever heard of SMS or Spector, or half a dozen other applications that pipe me directly into your desktop, without your knowledge (yes, even over the Internet) and let me record your activities like a DVR? All of these are perfectly legal, and you agreed to them when you hit "Ok" on that pesky little login banner when you sign into the network (read: "welcome to the privacy waiver clause"). All of the techniques in your article are old hat, nothing new, nothing impressive and are completely defeatable. The reason we "the IT" dept. dictate these systems so heavily is precisely because of morons like yourself, who continually whine about not being able to complete your job (i.e. watch the game on ESPN Motion). And then complain when the network is "slow". Simply pathetic; bet your home network is a mess and you've had identity theft problems. Put the computer back in the box and ship it back to Dell, you're too dumb to be allowed to own one!
Actually, I take it all back, you just assured me of another decade of job security and six-figure+ salary, You Rock!
Not so simple...
Rather than brag about how simple it is to circumvent Ms. Vara's "workarounds" (and I'm sure we all know ways to circumvent SMS or even tunnel all of our IP traffic out through a VPN connection to some other, less-restrictive environment, and also how to adjust the routing tables to make the workstation essentially invisible (and inaccessible) from almost the entire internal network), perhaps it would be more productive to ask why it is that there is so much interest in circumventing security restrictions and procedures. Does your company make sure that your users understand (and buy into) the reasons for all of the restrictions? Are there easy-to-use (and quick to navigate) procedures in place to make it possible to ethically circumvent them when there is a real business need? Do you have silly (and insulting) restrictions in place simply because it's easier that way?
Sure, the company "owns" the equipment, and legally can do pretty much what it wants -- but that doesn't prevent some things regularly practiced from being pretty reprehensible.
The overwhelming majority of employees are eager to help protect their companies (and their paychecks) from harm. All they really ask is to be treated like responsible adults. Few restrictions (if they really make sense) are resented once the reason for them is known, and once that happens, the need to treat everyone as a potential malefactor pretty much goes away. That way, it becomes a lot easier to find the real "bad eggs", and the real threats.
They DO own the equipment
rjbeilstein,
You're on the right track, but it cannot be downplayed that the employer DOES own the equipment and yes, can do what they want. I'm not an advocate of big brother type tactics, as I don't care for them any more than anyone else.
As noted in another comment, this is about ethical behavior. Just because you don't like the rules, or your boss is a jerk, or you don't get paid enough, or any other number of reasons, it's not right to cheat your employer.
Because I think most folks are pretty ethical, you're also right to comment that most are willing to help, things just need to be explained, and no draconian rules or language would help. With that, you can spend more time getting the bad ones who, as you said, are "the real threats". Ms. Vara falls into that category (real threat) in my book now.
Ethical doesn't mean you publish hacks that are well known and could be looked up other places. If it's wrong to do, it's wrong to do, period. There is no excuse for what Ms. Vara did, and I would guess, if she were to implement any of her "tips" at work, she wouldn't find amusement in her boss's reaction, especially after he heard it from IT. It's not nice to cheat, or encourage others to do so.
Hmm...
While I can't disagree with anything you've said, I have to say that it really bothers me that so much of what we do relies so heavily on the ignorance of "general users".
I think that a lot of the angst here is directly related to the fact that most of these simple, obvious (to us) and easy-to-do "workarounds" actually DO work in many (if not most) shops.
Just think if all of our minimally-technically-oriented users got a copy of the MS spreadsheet (you know, the one most of us keep handy) that lists all of the registry entries affected by GPOs, and learned all about .reg files (and how they work just fine even for users locked out of registry editing tools). Shudder.
One wonders how many sophisticated (and less-than-totally-ethical) users we all have that are slipping under our radars (so to speak) because of how much we rely on user cluelessness.
In an ideal world, we would have all of the potential holes plugged, and articles like this one would be totally harmless -- but I don't believe that I will hold my breath waiting for that to happen. Sigh...
Irresponsible? Maybe.
Was it irresponsible? Maybe. Was it new information? Definitely not. Could readers have found the information elsewhere? Certainly. Was it entertaining? Sure. Will it provoke changes into better security? Unfortunately, it probably will. ("Unfortunately" because it should happen on its own accord, not just because some journalist popularizes ideas to subvert common controls.) Will the security community blow up and call foul? Definitely-- they already are. Did the WSJ look like a modern grocery-aisle paper? Yeah, a bit. But does it deserve our attention? Probably not-- it's really time to just move on and make improvements to security controls that cannot be circumvented by directions from some controversy-seeking journalist.
Secularized Society Loses Sight Of Ethics
We, in the United States, live in a secular, non-theistic world; one where the distinction between morals and ethics is blurred, if visible at all. I do not want to turn this into a religious discussion; however, it was the Christian writer John Maxwell that stated, "There's no such thing as business ethics [...] only ethics". This cuts to the very core of the problem. We try to define proper ethics for businesses, but the reality is that, business or human, there are only ethics. The distinction of business ethics from non-business ethics implies that businesses operate under a different set of rules than society. I believe this to be: businesses operate under a set of morals--a definition of right and wrong--and the leaders of these businesses interpret these morals into a minimal collection of what they believe to be the ethics of their business.
When ethics are defined by morals, which are defined by nothing more than laws, those ethics are inherently flawed, and subject to differing interpretations of what is ethical and what is not. The Wall Street Journal is one such business that would seem to operate under this new ideal of business ethics, rather than just plain ordinary, everyday ethics. Because of this business ethic ideal, the publishers apparently saw no wrong in publishing the article about how to hack at work--after all, there is nothing illegal about the article. However, it is not ethical by most people's standards.