Wednesday, August 01, 2007

Hello, Mr Darwin!

"Hello, Mr Darwin!" - "Hi there."

The IT user "gene pool" will probably lose some of its stupidest critters as a result of reading this WSJ article, which is making the rounds in the security community: "Ten Things Your IT Department Won't Tell You."

It starts out as fun for some and as an utter nightmare for others: "we use our office PCs to keep up with our lives. We do birthday shopping, check out funny clips on YouTube and catch up with friends by email or instant message."

Niiiice. It gets better:

"There's only one problem with what we're doing: Our employers sometimes don't like it." :-) Geee, I guess "some-other-times" they do :-)

OK, great, now what? This:

"To find out whether it's possible to get around the IT departments, we asked Web experts for some advice. [...] How to surf to blocked sites without leaving any traces, for instance, or carry on instant-message chats without having to download software."

And then it all rolls neatly downhill from there; check out such fun items as "6. HOW TO STORE WORK FILES ONLINE" (A "no-brainer" (indeed you are...): "Use an online-storage service") and "8. HOW TO ACCESS YOUR WORK EMAIL REMOTELY WHEN YOUR COMPANY WON'T SPRING FOR A BLACKBERRY" (Wonder how? Eeeeeasy: "Just set up your work email so that all your emails get forwarded to your personal email account." :-)). Even such gems as "7. HOW TO KEEP YOUR PRIVACY WHEN USING WEB EMAIL" (answer: encrypt it!) are there.

But you know what? There is nothing wrong with publishing this; such violations are clearly not rocket science. In fact, there are three possible outcomes:
  1. Users do this and are caught, then fined, fired, tortured, shot and otherwise abused. Awesome! :-)
  2. Users do this and are NOT caught since you don't really enforce your policy banning such activities. In fact, you - the security pro - don't even know that they are breaking the rules. Sorry, you suck! You need to get another job before your company is sued...
  3. Users do this and are NOT caught since they manage to bypass the deployed security controls. Ah, this is a fun one; that is what makes security a "calling, not just a job" for so many. Go back and deploy, tune, log (yes, logging all such activities is important, especially when HR wakes up and swings the ax...) and have fun. 0days and mafia hackers might be more challenging to fight, but users are surely more numerous :-)

Overall, I expect more security bloggers to jump in and dropkick this article. Let the fun begin!

Dr Anton Chuvakin