
10 tips for personal security when you leave an employer

Employers aren't the only people who have to look after security in an employment transition period. You should pay attention to threats to your personal privacy and security when you leave a job, too.

Last Thursday's article, "10 important categories of employment transition security," discussed several areas where a business should spend some time considering, developing, and implementing security measures related to employment transitions. The period of transition, from just before to a few months after an employee leaves an organization for any reason, can be a period of increased vulnerability for the organization's information technology resources.

There is another side to the coin, however. There's job security, of course, though that isn't the kind of "security" we'll discuss here. Matters of information technology security are not entirely one-sided, after all; individual employees have such concerns as well. Matters of privacy are particularly important to consider as an employee, in case of future employment transitions. After all, privacy is security.

A simple list of ten ways to help safeguard your privacy in particular, and security in general, in the event of leaving an employer for any reason, follows. It includes some common sense advice that may seem obvious to some, but at the same time -- human nature being what it is -- we may often be tempted to ignore the advice when it becomes convenient to do so. Hopefully, having a list spelled out for you will help remind you what you should do to protect yourself, and that sometimes what seems like it is for someone else's benefit may actually help you as well.

  1. Don't violate company policies. I'm not a fan of arbitrary rules and overly restrictive behavioral policies myself, but that doesn't mean you should violate rules set by the employer and your immediate supervisor whenever you feel like it. Not only can this potentially cause problems for the employer and hasten the approach of any potential loss of employment there, but it can also give the employer more reason than usual to invade your privacy where the law and corporate policy allow. Remember that the more you violate company policy, the more scrutiny you're likely to attract if you get fired or laid off -- or even if you leave on what look like good terms from your perspective. Even if they only find some minor hint of policy violations a month after you leave, this may lead to a more in-depth examination of what you have left behind, and potentially to attempts to gain legal access to information about your life outside of the workplace in a worst-case scenario.
  2. Don't log instant messages. If you are allowed to use any of the various IM networks at work, it is best to keep any messages unrelated to work from being logged on company resources -- such as the computer on your desk. Comments made about frustration in the workplace can come back to haunt you if found lingering on the hard drive, and a laissez-faire policy in good times may turn into a fishing expedition for incriminating statements you may have made when your name comes up in the list of people to lay off. If anything suggestive of misbehavior on your part comes to light, this may lead to further investigations, prying into your private communications even more. It's best to just avoid leaving tracks, even if they seem innocent now, because of how they may be interpreted under other circumstances.
  3. Use encryption for private communications. If company policy allows for private communications from the company network, it may be a good idea to encrypt everything so that potentially embarrassing private emails and IMs will not be logged by network traffic monitoring systems, in addition to ensuring you do not leave such communications lying around on the hard drive when you're done with them. Otherwise, the content of those communications may end up on some hard drive over which you have no control at all, archived in perpetuity. Even if you have an IT department role that allows you access to the logging servers, it is best to minimize the number of places that such information gets stored in plain text.
  4. Don't trust everything to encryption. While encryption tools are a great resource for protecting privacy, they are not a silver bullet. It is always possible that encrypted communications may be later decrypted, whether because the encryption scheme is cracked at some future point or because you don't have a chance to clear your encryption keys from your workstation before being escorted out of the building, allowing someone cleaning up in your wake to get his or her hands on those keys and possibly crack whatever passphrase you use to apply the keys to encrypt and decrypt.
  5. Don't bring your private encryption keys to work. Using public key encryption schemes such as any of the several options for OpenPGP that exist is a good idea, of course, and can help ensure greater privacy in your life. You may be tempted by convenience to simply copy your encryption keys from home to your work computer, but that's a bad idea, mostly because of point 4 above. Instead, you should generate a new key set at work if you want to use OpenPGP there, and ensure that anyone who communicates with you via that set of keys knows that it is ultimately more subject to compromise than your more private, "home" keys. If and when you leave your employer, or have reason to believe the key set may have been compromised (many employers still install keyloggers on company desktop computers to monitor employee behavior, after all), inform everyone who uses the public key for that set of keys to communicate with you privately that you are invalidating the key set. If you have uploaded the public key to a keyserver, you should invalidate the key on the keyserver as well.
  6. Protect your private IM and email passwords. It is generally best to avoid using the same IM accounts at work that you use at home, since instant messaging networks often do not encrypt login transactions between the client and the server. Just as the communications themselves may be intercepted by network traffic monitoring software, including tcpdump, so too can your user IDs and passwords for your IM accounts be intercepted, sometimes even if the messages themselves are encrypted by some third-party plugin. The same can be true of emails, if your email logins are not encrypted. If you employ standard Unix mail user agents, tools such as getmail and sSMTP can help you ensure those logins are protected -- as well as the rest of the session. It is possible to use complete session encryption with Gmail, too, and GUI mail clients usually provide some mechanism for ensuring logins at least are encrypted if the server supports it. When such options are not available, though, it is best to avoid using an email account you use elsewhere, just as it is with IM accounts.
  7. Don't store browser history or Website passwords not directly related to work. To the extent possible, you should ensure that you leave no tracks when browsing the Web. Many browsers, such as Firefox 3, provide a built-in password manager that can be used to automate the process of entering passwords for the plethora of Websites you may visit regularly. Some of you may not be aware that many of them -- again like Firefox 3 -- can allow you to recover those passwords in plain text if you forget them and need to remind yourself what passwords you have used. This may allow a former employer to do the same thing after you are no longer in the office. Browser history can be likewise problematic, allowing a glimpse further into your private habits than you may like, or even serving to heighten suspicion and motivate more investigation and prying into your private life similar to the potential effects of inferences drawn from IM logs.
  8. Use encrypted proxies for private browsing. Just as you can encrypt IMs and emails to protect your privacy, you can also protect Web browsing from local eavesdropping at work. You can use OpenSSH as a secure Web proxy, for instance, so that all that is seen on the local network when you fire up your browser is encrypted traffic sent to a computer at your home. The advisability of this may be open to question, however, as any encrypted proxy traffic may appear suspicious to a very watchful netadmin, and you may have to explain why you have near-constant encrypted traffic streaming to some off-site computer outside of your normal duties at work.
  9. Don't store the sole copy of anything important at work. It is often the case that employers will escort employees out of the building when employment is terminated for any reason, without giving them the opportunity to recover anything from company computers. Sometimes, you may get invited to speak to a specific contact in the IT department, and have him or her recover any files for you that you need, but of course if that is the case the process can be long and annoying, and since it isn't their data, it may be prone to being lost somewhere along the way. Perhaps worse, any such files are likely to be scrutinized before being turned over to you, to ensure that they do not contain company secrets or otherwise present a risk to the business or its resources. It is better to ensure that anything you don't want to lose, but need to have available at work, is not only stored on a work computer.
  10. Never give your employer reason to distrust you. Show the highest levels of integrity, even if you are angry with your employer over some deceptive behavior or other breach of trust by the employer. Do not sink to your employer's level. Don't skimp on reporting what you use, don't try to arrange surplus supplies and other resources for yourself -- just don't try to "get away with" anything at all that might impugn your character in the eyes of the employer or any third party to which the employer may present evidence of your "misdeeds". Even if you trust the chain of management all the way to the highest levels, in an uncertain economy it may be possible that business resources will fall to creditors, and your personal security may then be at risk. This risk can only be compounded if any evidence of your behavior can be construed by someone looking for excuses to pry into your life as justification for such an investigation. Always take pains to protect the company's security as well as your own, and avoid conflicts of interest or the appearance of impropriety, to the extent reasonably possible. In times of economic desperation, in an increasingly litigious world, good intentions are often not enough to protect you.

Finally, always remember that in many ways your employer's security is also your own security, and security measures employed by someone else for his or her own benefit may prove beneficial to you, too. When it comes to security, we're all in this together. Don't let disputes over employment transition distract you from that fact.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

72 comments
tscorwin

Let me explain "SSL proxy to your home computer". If your company has to comply with PCI/SOX etc, we already have a device inline which looks at your SSL packets. If we find that you're using SSL or SSH proxying, it's grounds for termination, since losing you is far less important than losing the company. Go home to surf the net for crying out loud.

drac13

I should remove my files as fast as possible

jdclyde

Especially after my recent layoff, I realize how easy all of this can happen. I got lucky, as my employer considers this a short term layoff, so my boss let me take my system home to copy my personal information off of it. I took it back a week later. I would have lost several GIGS of research if they would have been hardcore about this like many places are. Next job, all personal data will stay on a thumb drive. I need to look into setting up the proxy. B-) Thanks for the write-up. Side note about security the other way. I have been laid off for two weeks now, and STILL have full access via my VPN to all of the routers because no one there knows my job, so are unable to kill the access. B-) And no, I would never do anything with that access. Sure, they could call in a consultant to do it, but then they would have to admit how little they know, AND pay out big cash at a time when money is tight (hence my layoff).

seanferd

Sound advice to remember. Or print and frame to be displayed in your home.

Marty R. Milette

> Use encrypted proxies for private browsing.

In most organizations, this would be a direct VIOLATION of corporate Internet access policies. Many organizations utilize applications like WebSense, etc. to ensure employees are not browsing 'inappropriate' or 'non-business' sites. An employee violating this policy by using any form of non-authorized proxy could be dismissed for that alone.

santeewelding

And I predict the heavens will open for you. (end of first sentence, second graph)

Neon Samurai

I'm a big fan of the Ironkey flashdrives. For a more homebrew approach, a honking big flashdrive and Truecrypt would give you a good starting point.

michael.speyer

Marty - You're absolutely correct there. Certainly, if I found someone using any form of encryption, public proxy or any other such processes to circumvent policies which have been put in place for VERY GOOD reasons, they'd be out the door so fast that their feet wouldn't touch the ground. This article certainly does FEEL to be leading people to be covert, secretive and operating not in the best interests of their company (or their own future careers for that matter).

apotheon

Did you notice the first, and foremost, tip? It said something about adhering to company policies.

Agatsu

I investigate security issues as part of my role, and the advice given in rules 2-9 would make me take great interest in what an employee is doing.

Neon Samurai

Set up an "include()" browser proxy at home over https. Port 443 has to be open to traffic and can't be decrypted in transit. Set up ssh at home and tunnel home with a proxy. Set your socks proxy on port 8080 and you're off to the races. Set up your ssh tunnel on port 443 and take advantage of your own proxy through the open by necessity https port. I don't think I've seen an IT policy document that didn't forbid this. It's harder to enforce with blinky lights so responsible use policy becomes the primary way of enforcing it should a problem or overuse draw attention to a staff member. Now, the trick will be thinking up a way to block that with a mechanism rather than documentation.
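One mechanism for the enforcement question that closes the comment above, shown as an added example that is not part of the original comment or article: check whether the first bytes a client sends to port 443 are a TLS ClientHello, since an SSH session on that port opens with an `SSH-` identification string instead. The flow records, addresses and payloads below are constructed sample data, and the `Flow` structure is a hypothetical stand-in for whatever a packet capture or IDS exports.

```python
from dataclasses import dataclass

# Plain-text HTTP request prefixes (an HTTP proxy request sent in the clear).
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ", b"OPTIONS ")

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01   # handshake message type: ClientHello
TLS_MAX_RECORD = 16384    # maximum plaintext record length (2^14)


@dataclass(frozen=True)
class Flow:
    """Hypothetical flow record: who talked to whom, and the first client bytes."""
    client: str
    server: str
    dport: int
    first_payload: bytes


def classify(payload: bytes) -> str:
    """Name the protocol suggested by the first client payload of a TCP flow."""
    if not payload:
        return "empty"
    # SSH peers open with an identification string such as "SSH-2.0-...".
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(HTTP_METHODS):
        return "http"
    # TLS record header: type(1) version(2) length(2), then the handshake type.
    if len(payload) >= 6:
        record_len = int.from_bytes(payload[3:5], "big")
        if (payload[0] == TLS_HANDSHAKE
                and payload[1] == 0x03 and payload[2] <= 0x04
                and 0 < record_len <= TLS_MAX_RECORD
                and payload[5] == TLS_CLIENT_HELLO):
            return "tls"
    return "unknown"


def non_tls_on_443(flows):
    """Return (client, server, protocol) for port-443 flows that are not TLS."""
    findings = []
    for flow in flows:
        if flow.dport != 443:
            continue
        kind = classify(flow.first_payload)
        if kind != "tls":
            findings.append((flow.client, flow.server, kind))
    return findings


# Constructed sample flows (documentation address ranges, made-up payloads).
SAMPLE_FLOWS = [
    # Start of a TLS ClientHello: record header, handshake header, padding.
    Flow("192.0.2.10", "198.51.100.5", 443,
         bytes.fromhex("160301002e0100002a0303") + bytes(36)),
    # SSH identification string sent to the HTTPS port.
    Flow("192.0.2.23", "203.0.113.77", 443, b"SSH-2.0-OpenSSH_7.4\r\n"),
    # SSH on its usual port: out of scope for this check.
    Flow("192.0.2.31", "198.51.100.9", 22, b"SSH-2.0-OpenSSH_7.4\r\n"),
    # Something that is neither TLS, SSH nor HTTP.
    Flow("192.0.2.44", "203.0.113.80", 443, b"\x00\x01\x02\x03\x04\x05\x06"),
]

if __name__ == "__main__":
    for client, server, kind in non_tls_on_443(SAMPLE_FLOWS):
        print(f"{client} -> {server}:443 is not TLS ({kind})")
```

This only identifies raw SSH or other non-TLS protocols on the HTTPS port; traffic carried inside a genuine TLS session classifies as TLS here and is the case the inline SSL inspection device in tscorwin's comment addresses.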

jdclyde

for the files kept on the pc? I think I will be just keeping all of my files on flash drives. If I do get called back to my job before finding something else, I will also use my personal laptop for just about everything I do. (yes, I can do that).

apotheon

I have a recommendation for you (with two links about related concepts): Read the article. Don't "feel" it. (. . . unless you get a Braille printout first).

rkuhn040172

He did mention several things warning people about company policy and what not. But the article does "feel" like it is suggesting ways for employees to circumvent company policy.

Marty R. Milette

They will most certainly have an IT Acceptable Use policy that stipulates it must not be circumvented. (WebSense costs about $30 per user per year.) Circumventing Internet access control systems with web proxies to access unauthorized web sites, use unauthorized applications and/or conduct unauthorized activities would most certainly be a violation of company computer or network usage policy. Whether or not it is 'easy' is irrelevant. I've fired employees for breaking IT policies. One wanker racked up over $15,000 in excess Internet traffic charges while downloading DVDs during every night shift. Catching offenders is dead easy -- in a Windows network with active directory -- user workstations can be locked down and prevented from accessing the proxy sites or installing unauthorized applications. In non-Windows systems, the choices are somewhat less clear. ISA Server and pretty much any commercial-grade firewall/proxy can provide detailed analysis of traffic -- allowing utilization to be tracked to/from specific web sites, IP Addresses, ports or protocols -- back to the originating user by time/date, computer name, IP address and in many cases the individual user name. Believe it or not -- IT management DOES review these reports periodically -- or more often in the case users complain about poor network/internet performance. The user WILL be caught and if the case is blatant -- they WILL be fired. Advising someone to circumvent corporate safeguards, break rules and/or break the law - no matter how easy or trivial it may seem is extremely poor advice.

Neon Samurai

For work and personal, that will be very useful.

poscribes

TrueCrypt can be run in what is referred to as 'traveler mode' whereby you do not need to install the application in order to use it. This works very well with flash drives of any size. Personally I have found it to be of great use!

Neon Samurai

Ironkey is a specific brand of self encrypting flashdrive but truecrypt could be used to encrypt any flashdrive. You'd need truecrypt on any machine opening the flashdrive though.

Osiyo53

Chuckle, Apotheon, I rarely ever claim to be right about anything. And it is my nature, the way my mind works on a very fundamental level, to always look at things with the thought firmly in my mind that I may not have the ONLY right or correct answer, solution, opinion, or viewpoint. And am always aware of the fact that others may believe differently, may see something differently, or may have a different answer or solution to some issue that's at least as valid and correct as my own, if not more so. This is a core principle within me. Taught to me from earliest childhood as its a core principle to the thinking of the clan within which I was raised. So when I assert something here, or anywhere for that matter, I am doing nothing more than trying to let others "see through my eyes". Past that objective, I have no other objective or purpose. Agree with me or not, believe as I do or not, that is your choice and your right (or the choice and right of anybody who reads or listens to anything I say). I am perfectly fine with the idea that someone else may disagree with me, see things differently from myself, etc. I was raised in such a way that it was stressed most strongly that each adult human has a right to believe as they wish, to go their own way and to make their own path. So when I say or type something here, I am merely making the attempt to let others see through my eyes. To understand my viewpoint. It is NOT an attempt to prove that I'm right, someone else is wrong; or to force my beliefs upon someone else. Agree with me or not, believe as you wish. I'd not expect anything else. I'd hardly think that I have the only correct view or answer to anything. Now, as concerns your post ... "On the other hand, you don't sound like a coworker in that case; you sound like a hall monitor. Perhaps you should have been spending more time thinking about doing your own job, and less about whether he was doing his." 
If you think that calling me a hall monitor would bother me in the least. Please think again. While I was taught that its the right of any human to have their own beliefs and opinions. I was also taught that if one lives within a home that is not one's own (as in you built it, or paid for it, and provided the food on the table) ... regardless of what you believe, you follow the rules of the home owner. Or LEAVE, and go set up your own home. Likewise, if you are a member of a group, organization, business, society, or whatever you obey the rules of that group. Regardless of whether or not you agree with all the rules that group has. Or, LEAVE and go form your own group, business, society, or whatever. Or go live alone so that everyone around you will always agree with you and the only rules you must follow are your own. I was never a hall monitor in school. But if I had been, I'd have enforced the rules whether I agreed with them or not. OR, I'd have told whomever was in charge of selecting hall monitors that I could not do that task because I was unwilling to enforce certain rules I did not agree with. Would have said it that way, to their face. The point being, if I were selected as a hall monitor and accepted the position I'd have carried out job as it was expected to be done. I was in fact a coworker in the situation I mentioned and that you responded to. WE had a job to do, and an obligation to carry it out properly. I fully intended to ensure that happened. It was my obligation and responsibility since I was accepting the pay that the company paid me. Certain parts of the work we were doing required two people working together. Other parts of the job meant we were working separately. When that other fellow was being distracted and delayed by all his phone usage for personal business ... -I- was being delayed in getting some of my parts of the job done. In addition, that whole job was on a time schedule for getting completed. 
A time schedule we needed to adhere to in order for the job to be completed satisfactorily ... to the customer and to the company that employed us. Upshot is that in the end I was running around doing not only my assigned parts of the tasks, I did several of HIS pieces of the job. The additional work I had to do did not in itself bother me. I am not one to complain that I had to do more than the other guy. Who cares? Extra work doesn't hurt my feelings. I just wanted to get the job done, correctly, and on time. If it'd been a matter of this fellow being a newbie, still learning and perfecting his skills. I'd have not thought anything of having to do more of the work. We were all newbies at some point. But the fact that he was goofing off on personal business, getting paid for it, while risking the fact that we'd not complete the assigned job on time ... pi**ed me off. When the manager who sends me out on a job sends me out ... he KNOWS that if I say I can and will do it ... it'll get done. On time, properly, and within budget. Or, I'll have a very good, valid reason why not. End of subject, he can dismiss that task from his mind knowing he can trust me to get it done. Or nobody could. So this guy was not only jeopardizing his reputation, he was jeopardizing mine. And I don't appreciate such things. As it was, I simply confronted him with the issue, to his face. In an attempt to cut him some slack and to choose to believe that he really wasn't aware of how much time he was wasting conducting personal business while on the clock. As it later turned out. This seemed to be a habit of his he could not break or control. I worked with him a few more times and then made a request that we not be assigned together on future projects. Same thing happened when he'd worked with other fellows. Several asking that he not be assigned to their jobs. Management finally got the hint. And one day I was called in and asked directly why I did not want to work with the guy. 
When asked directly, I give a direct and honest answer. I owe that to my employer. And so I gave an honest answer. They did some checking of phone records and such. That fellow no longer works for us. "Furthermore, the fact you had a coworker that abused company resources and violated company policy in no way supports your original thesis -- that what was said in the article in any way suggests that anyone should violate company policy. " I don't think I asserted any such thing. I believe, meant to, assert that one should not be violating company rules, engaging in excessive and unnecessary personal business during paid company time. And that one should not consider anything sent out or received on company facilities to be truly PRIVATE. If one is following those guidelines ... what's the problem? If one is not ... why should you be surprised if it comes back and bites yah in the a**?

apotheon

The person whose telephone time you logged should not have been engaged in personal communications so much on company time. You're right about that. On the other hand, you don't sound like a coworker in that case; you sound like a hall monitor. Perhaps you should have been spending more time thinking about doing your own job, and less about whether he was doing his. Furthermore, the fact you had a coworker that abused company resources and violated company policy in no way supports your original thesis -- that what was said in the article in any way suggests that anyone should violate company policy.

apotheon

> And was doing hacking and cracking back before most people even knew there was such a thing as an Internet. And before some folks started picking a nit about there being some difference between a hacker and a cracker.

People started "picking a nit" about the misuse of the term "hacker" back when it first started getting misused by journalists to refer to malicious security crackers, before the term "cracker" was even invented for the same purpose. That's because the term already had a meaning long before it started getting misused that way.

> I'm not particularly interested in some technical differentiation that some group of self appointed "experts" decided to make between the usage of those terms.

So . . . you don't care about the original, proper use of the term. Do you care about the proper use of the term "human"? What about "shoes"? Does using the term "book" to refer to a ham sandwich bother you at all? How do you feel about the usage of racial slurs? Are you at all interested in the original meaning of the word Jew, or do you think it's perfectly acceptable to use it to refer to anyone who's stingy?

> I stopped hanging around and reading info from alt.2600, alt.hackers, etc YEARS ago. And in fact started what I call hacking before those groups even came into existence.

2600 started publication in the 1980s (and alt.2600 was created to support the publication, so it's even newer than that). The term "hacker", in its use to refer to a programmer subculture and related phenomena, arose in the 1960s -- and is still in strong use in that capacity today.

> Tho, after they did, I got many a chuckle over the debates folks had there about the differences in how those terms should be used and assigned to someone.

Your laziness in application of a term with a specific cultural meaning is part of those debates, and you're effectively on the same side of the debates as two types of people, as far as I can tell:

  1. similarly lazy abusers of the term
  2. people who have arrogated the usage of the term for themselves, undeservedly, because they believe it makes them "cool" to do so

The "technical differentiation" to which you refer is an important part of communication -- the purpose of language. When we blur the lines between correct and incorrect definitions of terms, we lose the ability to communicate clearly in particular areas, generating confusion in discourse. Technical jargons, like those that have arisen around the (actual) hacker subculture, are important to clear and efficient communication about subjects that gave rise to those subcultures in the first place, and sucking all the substance out of the terms of those jargons is a great way to hinder communication (and thus productivity and coöperation) within those subcultures. Diffusing the meaning of a term by redefining it to be purposelessly inclusive, and simultaneously accepting an inaccurate pejorative meaning assigned by a handful of clueless outsiders, is just stupid. The only people it really serves are those clueless outsiders who wish to use it as an insult and those clueless megalomaniacs who think that arrogating the use of such a term to themselves somehow makes them more impressive without having to do anything more impressive.

Neon Samurai

Or as I generally refer to it; the advertising subscription. Go without cable tv for a few months and you'll be blown away by how much advertising time you pay to watch when you resubscribe. It's usually the lowest common denominator shows that get carried for more than a pilot or season. If it's intelligent, it will be lucky to last its first six episodes while Everybody Loves Raymond continues to get recycled; and who is this "everybody" that likes the show anyhow? Survivor is in which Nth season now? hehe.. contrary to popular belief, advertisements are not there to support the shows. Rather, shows are there to fill five minute spots between the advertising segments. It's far better to drop the advertising subscription and just watch what you want when the season comes out on DVD. I can totally see how you'd only discover more crap of no interest after solving the mashed-screen puzzle.

Neon Samurai

That's where the floating line lies. Hundreds of hours of personal calls on company time is clearly on the abuse of resources side. I've seen office networks that would make most IT techs' skin crawl and all within the approval of the decision makers far above the IT branch. In those cases, the IT staff were more of a janitorial cleanup crew rather than focusing on securing and improving systems. As a security professional, I'd love it to be as black and white as it can be on base but sadly, we are limited by the decisions of management and the fact that civilians are not very accepting of strict best practices and policies. I do agree that anything done through company resources is wide open to company logging and review. Someone running an unsanctioned proxy to get around company policy would have some explaining to do.

Osiyo53

I used the term hacker in its generic form. And was doing hacking and cracking back before most people even knew there was such a thing as an Internet. And before some folks started picking a nit about there being some difference between a hacker and a cracker. I'm not particularly interested in some technical differentiation that some group of self appointed "experts" decided to make between the usage of those terms. I stopped hanging around and reading info from alt.2600, alt.hackers, etc YEARS ago. And in fact started what I call hacking before those groups even came into existence. Tho, after they did, I got many a chuckle over the debates folks had there about the differences in how those terms should be used and assigned to someone. When speaking about myself, and ONLY about myself, I always preferred the term hacker. As what I was interested in doing was taking on the challenge of defeating a protection or security scheme, or modifying a supposedly unmodifiable program, or whatever solely for the challenge. Just to see if I could do it. I never used my skills or the results for any malicious reason nor personal profit. In fact once I completed a project, accomplished whatever, I lost interest in whatever. And moved on to something else. i.e. I had guys give me copies of copy protected stuff ... a game for instance. And they say it had a scheme that could not be broken. So I'd do it. Then toss the game to the side. Often never even played it except as much as was necessary to prove I'd broken the copy protection. Other times I figured a way out to break into and use a secure military communications system. But as soon as I'd accomplished that, I quit using it. Just wanted to see if it could be done. On another occasion I exercised my electronic skills to figure out a way to defeat a cable TV security box that's limit the channels one could watch. Once I'd done that, I never even bothered to watch all those extra channels except to glance at them once through. 
Found out it was just more junk shows I didn't want to watch anyway. I'm not much of a TV watcher. Mostly I have given up such activities. Although I get tempted from time to time. i.e. Not long ago we started using a piece of specialized software where I work. That requires a dongle to work and a special license key code. One of the guys commented that this software was locked up really, really tight now and the protection scheme was near impossible to break. LOL ... took me some spare hours during a single weekend to crack that protection scheme. BUT ... I never use that crack. Haven't any reason to use it. As we, the company I work for, have legal license to use it and paid for dongles for each person who needs to use the app. I just wanted to see if I could do it. My only reason for even mentioning such things in my previous post was to make folks think. If they think that something on their employer's system is truly safe and secure, they're fooling themselves.

Osiyo53

"never talked to your wife, kids or friends on company time?" My wife, kids, and friends know better than to call me when I'm at work unless they have a pressing need to do so. And when that occurs, they know to keep the conversation short and to the point. Virtually all such calls are about subjects like, "My car won't start. Can I use your spare vehicle?", "So and so just had an accident and is on the way to the hospital.", etc. Add a call or, more often, a text message from my dear wife reminding me that I have a doctor's appointment or some such thing. On average, I doubt if such communications, while I'm on the clock, occur more than once a week. And when they occur the conversations are usually less than a minute in total time. There are exceptions, of course. But I doubt if such exceptions occur more than once or twice a year. And those exceptions are almost always (always as near as I can remember) related to some emergency. i.e. Not long ago, a couple of months, a very close and long time friend was involved in a serious vehicle accident during a severe snow storm. The wife called me about it. Probably took ~5 minutes for her to relate the essential details of where, how badly he was hurt, etc. Of course I listened and asked questions. And then hung up and placed a call to my boss and told him that as of that moment I was off the clock and needed to take time off to take care of personal business. I agree with you, these things are not utterly black and white. And the company for whom I work does not object to "necessary and reasonable" personal communications using company owned equipment or during company time. But that doesn't mean spending company time and resources BS'ing or exchanging pleasantries that could have waited until after hours or your lunch break. I've personally observed folks who waste what adds up to be considerable time, over time, conducting personal business on company time using company equipment.
Often, I'm pretty sure that they don't even realize how much time they spend doing so. But it can add up quick. I have had occasions where I've watched and observed such actions get so out of control that I've needed to confront the individuals about it. i.e. I was working on one job, at a job site one day with another guy from our company. Dang guy kept getting and making phone calls. From what I could overhear, several were conversations with his wife of a personal nature. Others appeared to be from buddies of his who were just checking in to see how things were going with him, or vice versa. And at least a couple were from guys he'd worked with at his previous employer asking for technical advice and help. Which lasted considerable time. That is, he was on the phone each of those times for from 10 to 15 minutes on at least 4 occasions. Let's call it an hour total during the work day spent helping out someone who didn't even work for the same company as he now did. I kept my cool til the end of the day and then let him have it. Told him that as far as I knew, he'd blown 1.5 to 2 hours of company time on personal business. And not only was his productive time lost, he'd slowed me down as he was there to be assisting me and what I'd been doing would've gone much faster if he'd actually been there to help instead of blabbing away on that darn phone. The thing was, he looked shocked when I mentioned the total time I'd estimated that he was on that phone, and in fact tried to deny it. But there was no denying. I was only talking about time when I KNEW he was on that phone discussing other things than the job at hand and I'd taken to checking my watch and keeping a running rough total. The number might have been higher for the day since on a number of occasions during the day he was off in other parts of that customer's building and I had no idea how much BS'ing over his phone he did at those times. The thing is ... 
he did look honestly surprised at how much time I had clocked and counted up. And that's my point. People get comfortable with, and used to carrying on personal business on the job. Especially if they do not discipline themselves to always keep in mind that they're "on the clock", and really shouldn't be doing such things unless it is actually important personal communications that cannot wait. And often start to spend more time, company time, conducting personal business than they're consciously aware they're spending. The same goes with other things, such as personal emails, web browsing, etc. It starts innocent enough, but can get easily carried away. And it often does. In my previous post I stated, "I pass NOTHING ... that I consider personal ... over an employer's system. Nothing that I'm not willing to let the entire world know about." When I do engage in personal communications on company time, as I said, it is seldom, and kept brief and to the point. AND ... the contents of such communications are only things I'm willing to let the whole world know about. Nothing that I consider a secret or would claim to be private info. Wouldn't bother me in the least if they're recording it, logging it, or whatever. And any time I spend more time than I think appropriate and justifiable conducting personal business on company time, I make a mental note of said occurrence and make it a point to make up that time afterward doing company business on my own, unpaid time off the clock. More clear?

husserl

ITYMTS 'cracker' or black hat hacker. Hacking is not what most people think as a browse of news:alt.2600 or news:alt.hackers.malicious will demonstrate. Posters in those groups tend to be security folk, and you will find all sorts of attachments in the posts of script kiddies who post there, or duff links. Anyhow, there is often a good discussion there of the term 'hacker', and it ain't what you say it is. No l33t stuff there, if J00 kn0 \/\/0t I m3an.

Neon Samurai

Generally, there is some wiggle room between using company resources and abusing them. Talking to friends or family on the company provided phone is not usually frowned on. Using your own mobile phone still means company time is being used even if not company communications wire. I do agree that there is a limit where this becomes unreasonable abuse but it's far from an absolute black and white rule.

Osiyo53

Reading those articles is much like listening to Clinton asking, "Well ... it depends on your definition of sex ..." Etc... etc ... etc. It's very simple. Don't conduct personal business on a company computer, or on a company internet connection, or on company time. OR ... you're leaving your a** wide open, with a bulls-eye drawn on it. And you deserved and earned any consequences that result. Period. What else is there to say or discuss? In all honesty? In all truthfulness, I haven't really understood this thread at all. What is there to protect as far as personal security when leaving an employer? I pass NOTHING ... that I consider personal ... over an employer's system. Nothing that I'm not willing to let the entire world know about. Besides the fact that I don't believe in using an employer's system for personal business. Do yah think there is any possibility I'd trust his/her system to actually be secure? OR ... the knowledge and ability of the company's IT department to keep such things secure? ROTFLMAO !!! To be perfectly honest. In my past I have been two things relevant here. For one, I used to be a hacker. Way back when. Didn't have any interest whatsoever in personal gain. It was a challenge. Somebody would say, "It can't be done !" And I'd think, "Hmmmm ... REALLY? I think I can figure out how to do that." Really, that's all it was. But it was a challenge. I just couldn't leave alone the idea that someone said it couldn't be done. I worked countless hours cracking codes JUST ... to prove it could be done. Once I'd cracked it, I lost interest and moved on to something else. Gad, I cracked a lot of games and such that were supposedly protected. And never played a one, except for testing purposes. Just to prove my crack worked. Secondly, I used to be a military security specialist. (Well, it was my secondary specialty.) The very first thing yah learned in that field was that anything known by two or more persons was less secure by a geometric order.
In short, if yah felt secure to let 2 know, and they each felt secure to let 2 more each know ... that was 7 who knew. If that went one more tier, that was 15 who knew. Further? 31 knew the secret. Then 63, then 127, then 255, etc. 255 in 7 steps? It's no longer private, confidential, or secret. It's common, public knowledge. By this time, EVERYONE knows you've been tapping your first cousin. Gad, the very idea that anyone would even believe that there is anything they've put on a computer or network controlled by someone else that they believe to be PRIVATE ... just amazes me no end. As for myself. Anything I've told an employer, or put on a PC or network controlled by them ... I consider PUBLIC info. Might as well be. Anything I wish to be private, I keep private. Even the source and origination of this message, if back tracked, doesn't resolve to a real name and address for myself. The very idea that anything one does at work should be private just amazes me.

husserl

This is very true, and it is also true that people who use their employer's facilities are probably making a mistake. I say this in the light of, e.g., the recent Deutsche Bundesbahn scandal: http://www.spiegel.de/international/business/0,1518,616316,00.html I am more than certain that anyone using their facilities will have had their keystrokes logged, to say nothing of the deleted email sent out by a union.

apotheon

What are you talking about? What button?

Marty R. Milette

Just to be 100% sure that Microsoft's secret gremlin team hasn't done anything to the transcript site -- I checked it with Firefox version 3.0.3. Works perfectly. How about you post YOUR link so we can see if it works under IE? Again, you completely skirt the issues and try to divert attention and twist words. Rather transparent to anyone who can use the button. Amazing.

apotheon

You boggle the mind.

> Again, you not only demonstrate your paranoia about Microsoft's intentions (which you couldn't possibly have any clue about whatsoever unless you are as skilled a psychic as you claim to be about both Windows and Linux environments)

I'm trying to figure out, at this point, whether you:

1. have your head in the sand
2. are astroturfing
3. are trolling

> your lack ability to read what is simply and plainly written.

That's ironic, coming from you. (edit: and considering your grammatical errors)

> This deep dark secret must have been published a special edition of the Microsoft-anonymous penguin fanboyz cult magazine or something. (I'm sure happy that I missed that issue.)

This isn't a deep dark secret. There have been lawsuits about this. Microsoft has lost several of them.

> However, to get back to the point -- please go back and re-read my post to find out where exactly I told you to use Internet Explorer...

Speaking of not being able to read what is simply and plainly written: I asked whether you were telling me I should use IE. I did not claim you were saying so. Get a clue, please.

> Read very, very slowly...

That's good advice. Why don't you follow it?

> In fact, knowing how paranoid you are, and knowing that you probably don't have anything Microsoft-built anywhere around you -- I paid particular attention NOT to mention it.

You clearly don't know anywhere near as much as you think. Does a Microsoft keyboard count? Does a computer running Microsoft Windows XP count? Does another computer that dual-boots MS Windows XP count? Never mind. I'll stop asking rhetorical questions. You don't care -- you'll just ignore evidence that would, if you paid attention, disabuse you of your misbegotten notions, just as you have all along.

> There were apparently a LOT of points you misread or simply didn't comprehend. I don't have time to explain them all point by point here.

Every time I recall, off the top of my head, you claiming I misunderstood something you said, you only thought I misunderstood something you said -- and, thus, the problem was that you misunderstood something I said. This time is no different.

> As for your insinuation that I didn't have any ammunition left -- believe me, I have plenty but you've already demonstrated beyond a shadow of a doubt that debate is useless, as are substantiated facts and intelligent reasoning.

You started this whole little flame war of yours with claiming people said things they didn't. Please go back and fix your own problems before you start trying to accuse others of such problems, rather than doggedly ignoring your own culpability and blaming everyone else for your own failures.

> One can only hope that your next blog is backed up with a few more facts and a bit less fanaticism.

One can only hope that you learn to read before you encounter another one of my articles.

> I'm sure you know a lot about the Linux side of the equation.

You're clearly not interested in what I do or don't know. You're just interested in whether I agree with your opinions. Since I don't, you'll libel me, put words in my mouth, and accuse me of what you yourself have done. I don't need it.

Marty R. Milette

In response to this wonderful reply:

> That's just asinine. Why should I use IE as a result of Microsoft intentionally introducing incompatibility with other browsers? Screw that.

Nice comeback. :) Again, you not only demonstrate your paranoia about Microsoft's intentions (which you couldn't possibly have any clue about whatsoever unless you are as skilled a psychic as you claim to be about both Windows and Linux environments) and your lack ability to read what is simply and plainly written. For a start, yes, those little gremlins are in some secret back room in Redmond Washington spending time and money deliberately coming up and ever more devious ways of making every Microsoft product incompatible with everything else on the planet -- oh yes, oh yes -- that's it! How could we all be so blind?!?! This deep dark secret must have been published a special edition of the Microsoft-anonymous penguin fanboyz cult magazine or something. (I'm sure happy that I missed that issue.) However, to get back to the point -- please go back and re-read my post to find out where exactly I told you to use Internet Explorer... Read very, very slowly... I believe what was said was that you should try using "a BETTER browser". Is that not correct? In fact, knowing how paranoid you are, and knowing that you probably don't have anything Microsoft-built anywhere around you -- I paid particular attention NOT to mention it. There were apparently a LOT of points you misread or simply didn't comprehend. I don't have time to explain them all point by point here. As for your insinuation that I didn't have any ammunition left -- believe me, I have plenty but you've already demonstrated beyond a shadow of a doubt that debate is useless, as are substantiated facts and intelligent reasoning. We'll have none of that on Chad Perrin's blog -- at least not this one.

If you think the simple questions I asked were 'rhetorical' or seemed incomprehensible to you -- it would be interesting to see what you'd do in the situation where you are surrounded by a room full of C-Level executives and senior IT people asking you to explain (and JUSTIFY) some of the nonsense you've posted here. One can only hope that your next blog is backed up with a few more facts and a bit less fanaticism. I'm sure you know a lot about the Linux side of the equation. Some of your posts have been reasonably coherent on that side. However, for the Microsoft side.... Well, that's another story...

apotheon

That's just asinine. Why should I use IE as a result of Microsoft intentionally introducing incompatibility with other browsers? Screw that. I'd rather use a browser that better serves my needs than one that better serves Microsoft's needs. edit: I guess you must have run out of evasions. I can't imagine why you would have hurled passive-aggressive insults at me so long, and just give up now, otherwise.

Marty R. Milette

You seem to be the only person unable to pull up the transcript with the link given. Perhaps time to try a better browser? Other responses not worthy of reply.

apotheon

If that's the best your reading comprehension skills can do, the educational system has failed you.

> If all you know about Active Directory is contained in the phrase:
>
> > with modifications for no effective purpose other than incompatibility,
>
> One must wonder whether you have visions of some mysterious team of goblins at Microsoft who sit around all day and devise new and creative ways of making products incompatible just for the fun of it?

No, I don't. What I do know is the specifics of some of the changes Microsoft has made -- particularly to the Kerberos protocol -- that serve no technically useful purpose, but they do impose incompatibilities with MIT Kerberos from which the Microsoft implementation was derived. Anyone who thinks Microsoft hasn't leveraged intentional incompatibilities between its software and other parties' software for business advantages just isn't paying attention.

> Most business people happen to LIKE integrated interfaces.

I know. That doesn't make rigidly integrated interfaces technically good, though, just as Coca Cola with high fructose corn syrup and sodium benzoate in it isn't healthy just because a lot of people like it.

> In fact, integration is one of the main reasons Linux and FOSS is held back.

There's a big difference between the ability to integrate functionality and having a "rigidly integrated interface". The former provides a way to combine disparate tools to produce more useful outcomes. The latter produces monolithic, brittle systems that may provide 80% of the functionality that 90% of the people need, but fails to provide the last 20% for that 90%, and fails to provide 80% of what 10% of people need (to make up an example). The fact that most people don't even know they need things not provided by tightly coupled systems like AD is not a good thing, no matter how you try to spin it. Judging by my experience and observations, very few users of MS Active Directory are actually 100% served by its functionality, even when they think they are.

> Of course there is plenty of money to be made from writing 'glue code' to hack together complete solutions from bits and pieces -- but that rather kills off any financial or business benefit from the pieces themselves being 'free'.

Take two options for an example:

1. You can pay $50K for a five-year license for an integrated "enterprise" solution that provides 80% of what you would need to really optimize operations. That system requires four admins at $60K per year, plus their supervisor at $80K per year, to maintain. Because of the accelerating benefit for greater satisfaction of the needs for which you bought the system, you might see an overall improvement of 2% of your $30M per year profits, not counting the costs for using this system. That gives you a $600K annual increase in profits, but costs you $330K per year, for a net improvement of $270K per year. Over five years, that amounts to $1.35M, after which you have to pay for another five year license, which will probably cost more than the previous five year license thanks to inflation, resulting in reduced net benefit if all else remains constant.

2. You can pay $0 for licensing on a number of open source tools, but $50K for initial customization and integration of the tools, which thus "kills off any financial or business benefit from the pieces themselves being 'free'," as you put it. This approach, being more appropriately configurable to your specific business needs, provides 98% of what you would need to really optimize operations. That system requires two admins at $60K per year, one supervisor at $100K per year, and one system developer at $80K per year, to maintain. Because of the accelerating benefit for greater satisfaction of the needs for which you bought the system, you might see an overall improvement of 6% of your $30M per year profits, not counting the costs for using this system. That gives you a $1.8M annual increase in profits, but costs you $50K up front, plus $300K per year, for a net improvement of $1.5M per year. Over five years, that amounts to $7.5M, which is $6.15M more than you'd have gotten out of the integrated solution. Over the next five years, though, you don't have to pay the initial $50K for customization any longer, so if everything else remains equal, rather than reducing the margin of benefit as when paying higher licensing rates, you can just keep your system developer on staff and actually increase the margin of benefit.

Ultimately, it isn't even the costs that make the biggest difference between these two examples, though. The real difference is made by virtue of the fact that you're using a system that suits your needs, and not simply some "one size fits all" marketability criteria.

> Regarding your personal attack -- you obviously know nothing about me.

Leaving aside the fact that you don't seem to know the difference between "personal attack" and "responding to the evidence you've given me", let's focus on the second half of your sentence: I only know what you've told me about yourself, both directly and indirectly. You told me that you "don't 'do' FOSS". Those were your words. I simply responded to your words. Now, suddenly, you're backpedaling and telling me a bunch of crap about how you "taught Linux", whatever that's supposed to mean exactly. You contradict yourself -- so all I can do now is assume you lied somewhere along the way. You've destroyed your own credibility even more than the damage done by airing your mistaken impressions of how things work, trying to tell me that you know something about me that wasn't based on anything I said, and spending most of your time reading things into what I said rather than actually reading what I said in and of itself. Considering that you don't appear to know what you're talking about in technical matters relating to Unix-based network management options, I'm inclined to believe your earlier statement -- that you "don't 'do' FOSS" -- more than your later statement to the effect that you know all about it.

> If you review the following:

the result: "No match found for Transcript Access User Id/ Transcript Access Code entered OR an error occurred."

> I posted an honest question to you, and you came back with a personal attack and still didn't answer the question.

Poppycock. You attacked me rather than addressing my arguments, asked snide and passive-aggressive rhetorical questions, and misrepresented things I (and others) said at almost every turn, starting with your completely (and obviously) inaccurate characterization of Neon Samurai's comments (and, by extension, the article) as having advocated for violating company policy. With a track record like that, you should definitely not be surprised at the outcome.

> Precisely what business need is satisfied by this 'flexibility' that can ONLY be offered in a FOSS environment and not in a Windows environment?

That's a straw man fallacy. I never said that flexibility can only be offered in a free/libre/open source software environment and not in an MS Windows environment. Your snide, passive-aggressive, rhetorical questions are mis-aimed. Try again with an actually honest question -- not just something you call "honest" and hope I'll accept without thinking about it.

> What sort of solution is there to centrally manage and secure a hodge-podge of non-Windows systems in a non-Windows environment?

There are lots of such solutions -- including integrated solutions specific to Novell, Red Hat, HP, and IBM supported systems among many others, as well as custom solutions. Look at that: I decided to answer one of your snide, passive-aggressive, rhetorical questions as though you really wanted to become informed on the subject, despite the clearly pejorative language you used while asking the question (thus the snideness in your question). Aren't I nice?

> Considering your disdain for Active Directory, how would YOU propose to secure or 'lock down' Windows desktops in a non-Windows server environment?

Um . . . what? Since when is "Windows desktops in a non-Windows server environment" the topic of discussion? I'd prefer to stay on-topic for now, thanks. No more straw men for me.

> Of course, these are difficult questions but are certainly of interest in today's business environment. I look forward to seeing your expert -- and hopefully more 'professional' reply.

You'll have earned the credibility to request "more 'professional'" replies when you, yourself, behave in a more professional manner -- responding to what I actually said rather than what you think I should have said to make it easier to disagree with me; refraining from using pejorative language for everything you don't know enough about to be able to appreciate there are good options in the world other than worshipping at the altar of Microsoft; avoid using passive-aggressive insults such as this very statement of yours about professionalism; and generally stop engaging in the hypocrisy of being what you want to accuse me of being.

Marty R. Milette

If all you know about Active Directory is contained in the phrase:

> Considering AD is basically just a combination of three open source Unix services,

Then perhaps the certification process has failed for you? If you hate Microsoft or their products -- that's fine, however, when making statements like this:

> with modifications for no effective purpose other than incompatibility,

One must wonder whether you have visions of some mysterious team of goblins at Microsoft who sit around all day and devise new and creative ways of making products incompatible just for the fun of it?

> plus a rigidly integrated interface

Most business people happen to LIKE integrated interfaces. In fact, integration is one of the main reasons Linux and FOSS is held back. Of course there is plenty of money to be made from writing 'glue code' to hack together complete solutions from bits and pieces -- but that rather kills off any financial or business benefit from the pieces themselves being 'free'.

Regarding your personal attack -- you obviously know nothing about me. I've been in Information Technology since the late 1970's -- as a teen-ager wire-wrapping my first computer from an 8080 processor, an EPROM and a few bytes of RAM. My operating system experience started with building the operating system necessary to scan a hex keypad so I'd have a convenient input device -- and grew to include writing the device drivers for a Silent 700 terminal and IBM Selectric. Probably much before most readers' time. Since then, I've TAUGHT Linux, C programming and many other topics based on that environment -- but gave it up as being too primitive and having limited business demand. I have plenty of experience with UNIX and many other operating systems -- from the VAX-11/780 days in College to the BSD UNIX used in the hotel POS system. Certainly this experience may be a bit more than the 'crap-all' you had the audacity to write. Although I have built and used many operating systems -- I certainly wouldn't have the balls to call myself a 'professional' in any but one -- and only then after over 12 years of study dedicated to that single environment.

If you review the following: http://www.microsoft.com/learning/mcp/transcripts Transcript ID: 657151 Access Code: 657151aa It should be pretty clear that I've read considerably more than just 'marketing BS' you told your readers -- would you not agree?

I posted an honest question to you, and you came back with a personal attack and still didn't answer the question. Perhaps if I rephrase it and break it down this would help:

1. Precisely what business need is satisfied by this 'flexibility' that can ONLY be offered in a FOSS environment and not in a Windows environment?
2. What sort of solution is there to centrally manage and secure a hodge-podge of non-Windows systems in a non-Windows environment? (Hodge-podge refers to an environment containing some unknown combination of one or more of the 400+ 'popular' Linux distributions available -- and 'hacks' aka 'flexibility' which may potentially be done to each.)
3. Considering your disdain for Active Directory, how would YOU propose to secure or 'lock down' Windows desktops in a non-Windows server environment?

Of course, these are difficult questions but are certainly of interest in today's business environment. I look forward to seeing your expert -- and hopefully more 'professional' reply.

apotheon

> Notice most of the other writers on TR when confronted with some opposing opinion handle it much more gracefully than you.

I handle differing opinions quite gracefully. It's logically fallacious, maliciously contrarian misrepresentations like yours that drive me to distraction.

> They will construct some argument based on facts and some opinion but yet don't attack their readers.

When you start reading what I write, rather than skimming it for keywords to attack, I might treat you like a reader.

> Go your way and I'll go mine but I do have to say you take criticism about as poorly as I have yet to see.

I take constructive criticism extremely well.

santeewelding

Were Apotheon to apply the excellence he applies at large, you could be dead meat. I know. I try. He fails.

rkuhn040172

Notice most of the other writers on TR when confronted with some opposing opinion handle it much more gracefully than you. They will construct some argument based on facts and some opinion but yet don't attack their readers. You've put yourself in the public eye but yet don't seem to want to deal with the repercussions of such. Go your way and I'll go mine but I do have to say you take criticism about as poorly as I have yet to see. Like always, when faced with an opposing point of view (valid or not) you come out swinging and/or throw a tantrum.

apotheon

Earlier, you were reading a bunch of nonexistent nonsense into what I said. Now, you're just skimming what I said, and ignoring a lot of it. Good job, Milette. What's next -- attributing what someone else said to me, then attacking me for it? I can't wait to see what you do for your next trick.

Marty R. Milette

Linux guys seem to think that AD is nothing but a glorified form of LDAP. This is an extremely common misconception. Wikipedia has a couple of simple definitions:

> The Lightweight Directory Access Protocol, or LDAP, is an application protocol for querying and modifying directory services running over TCP/IP.

That's it. That's all. Nothing more. LDAP has absolutely nothing to do with locking down machines and relatively little to do with security. And this:

> LDAP-like directory services, Kerberos-based authentication, DNS-based naming and other network information. Using the same database, for use primarily in Windows environments, Active Directory also allows administrators to assign policies, deploy software, and apply critical updates to an organization. Active Directory stores information and settings in a central database.

The question to Apotheon was about what EQUIVALENT to Active Directory exists for FOSS? His answer was a personal attack rant that completely ignored the question. I suppose that means he doesn't know. Pity about that.

PS: Neon, I honestly didn't 'get' your subject line. Sorry! I've read a lot of your posts and have only taken exception to a few that relate to the Windows environment where you have less experience. Cheers.

apotheon

"I, too, took your article as a means of circumventing company policy."
There's a simple fix for that: learn to read.
"And when you do mention company policy and what not, it's almost as if it's some kind of fine print or covering one's ass."
I guess your acute powers of observation must have failed you, if you failed to notice that obeying company policy was point number one. How exactly did you manage to miss that?
"While your technical advice might be accurate, your professional advice is completely lacking."
I guess that's a reasonable view, based on assumptions that what you say is correct -- when what you say is obviously based on an intentionally warped perspective. When you specifically look for reasons to misinterpret what others say, misinterpretation is the only kind of interpretation you're going to get. Your obviously very personal dislike for me is the evident source of your confirmation bias.
"Don't conduct personal affairs at work or on company property and this entire conversation is mute."
1. Some companies allow employees to conduct personal affairs at work. Not all employees are going to refrain from doing so when work allows them to do so. They need security advice, too.
2. Mute? WTF? Did you get your education from a correspondence course? No wonder you lack reading comprehension skills. . . .

Neon Samurai

He suggested Active Directory and asked what alternatives for centralized management exist. On that topic, I'm very interested. MS-AD being a hyped brand of LDAP solution, what others are available? How do Novell and Red Hat's LDAP stack up alongside and such? If that slammed into something already in the works; totally coincidence. :D

rkuhn040172

Why TR allows you to continue to write for them is beyond me. Once again, your buddies come running to defend you and you attack those that don't agree with you. Your level of professionalism is quite amazing. I, too, took your article as a means of circumventing company policy. Any company policy worth a grain of salt would make virtually all of your advice a potential reason to fire someone. And when you do mention company policy and what not, it's almost as if it's some kind of fine print or covering one's ass. Bottom line: While your technical advice might be accurate, your professional advice is completely lacking. Don't conduct personal affairs at work or on company property and this entire conversation is mute.

apotheon

Since LDAP is basically one of the key underpinnings of Active Directory, asking about it in response to Milette was great timing.

apotheon

"Don't forget -- you were the one originally suggesting to use unauthorized proxies to hide activities."
No, I didn't. Where the hell do you get off making statements like that? Show me where I said anyone should use anything "unauthorized". Either you're scrambling like mad to come up with excuses for making mistakes of interpretation, and have decided to try to blame part of it on me, or you have a chronic problem misunderstanding people and reading things into what they say that they never actually said. I recommend you try reading what's actually said, refrain from adding crap that wasn't said, and stop trying to blame others for your problems of understanding. Claiming that I told people to violate company policy, when I very clearly stated that people should do the opposite, is insulting, laughably inaccurate, and generally not a good plan. Stop it.
"Of course, I haven't run into many Unix/Linux people who actually understand AD or what it can do in terms of security, so it is natural to suggest that it somehow isn't adequate -- or isn't 'flexible' enough."
I haven't run into many Windows people who know their anuses from holes in the ground when it comes to OS architecture or Unix-based software, so they wouldn't know "flexible" if it bit them in their eyeballs. Thank you for insinuating I'm an ignoramus. I guess I should return my Microsoft certifications now, since you say I don't know anything about AD.
"I don't 'do' FOSS, so indeed it is 'not clear' what sort of solution there is to centrally manage and secure"
In that case, you should have said something more like "I don't know crap-all about OSes other than MS Windows, so it's not clear to me what can be done outside of the MS Windows world," rather than phrasing your statement to make it sound like you do think you know what you're talking about, and anything other than MS Windows is substandard.
This is a disturbingly common trend among people who know some things about MS Windows from personal experience and marketing materials, but don't know anything about open source software other than what they've "learned" from Microsoft marketing BS and maybe forty-five minutes of playing with Ubuntu. They tend to jump to conclusions and assume they know more about the comparative differences between MS Windows and Unix/Linux systems, based on this minimal "experience", than people who have worked professionally with both. Your admission that you don't "do" open source software coupled with your dismissive, clearly uninformed references to what's available outside of your narrow little AD world puts you clearly in that camp. Considering AD is basically just a combination of three open source Unix services, with modifications for no effective purpose other than incompatibility, plus a rigidly integrated interface, I think you're far off-base.

Neon Samurai

.. if Jack, Chad or one of the other writers needs a topic. :D

Neon Samurai

If someone working in a military IT shop is reading TR and thinking that an ssh tunnel back to a home PC is a good idea, I'd suggest that articles on TR are not the problem in that IT shop. My original comment seems only to have been taken seriously by yourself as the other responses indicate that the satire was recognized if not entertaining. My original intent was to express agreement with your point about company policy. I expect there are more than a few points we disagree on so I thought it important to agree when presented with the opportunity. I am interested to see this thing between you and Apoth if it continues past two comments though so I'll go back to my barstool and watch quietly again.

Marty R. Milette

Neon's post was obviously misinterpreted by both myself and several others -- if you read the posts. Only the title gave the least clue -- and not a very good one at that.
Some people may not take security or corporate policies and rules very seriously -- but in some environments -- such as the military -- one needs to be extremely careful what you do or suggest others to do. For example, installing and/or using unauthorized software could mean charges of disobeying direct orders or conduct to the prejudice of good order and discipline. (Or US-equivalent 'catch all'.) If there is confidential data leakage as a result -- it could come under the charge of espionage. If there was damage to systems or a negative effect on operational capabilities -- it could become a charge of sabotage.
Don't forget -- you were the one originally suggesting to use unauthorized proxies to hide activities. In 20+ years in IT, I have never worked in an environment where this kind of dubious behaviour would have been tolerated.
Regarding choices -- in a Windows environment, Active Directory does everything that is necessary. Of course, I haven't run into many Unix/Linux people who actually understand AD or what it can do in terms of security, so it is natural to suggest that it somehow isn't adequate -- or isn't 'flexible' enough. I don't 'do' FOSS, so indeed it is 'not clear' what sort of solution there is to centrally manage and secure a hodge-podge of non-Windows systems in a non-Windows environment -- or even more confusing is how to secure Windows desktops in a non-Windows server environment. Perhaps you could suggest how this would be done? I'm sure many people would like to learn about that -- myself included.

apotheon

You seem to have assumed Neon was recommending people violate company policy -- which strikes me as the opposite of what he was saying. Others have already addressed that, though, so I'll address a smaller mistake of yours:
"In non-Windows systems, the choices are somewhat less clear."
1. One might very well say the choices are "somewhat less clear" when speaking of "non-Windows systems", since you aren't talking about a specific non-Microsoft OS. Your statement is essentially meaningless, though. Pick a non-Microsoft OS, and options become more clear. One might as easily say that choices are "somewhat less clear", either "in non-Linux systems" or "in non-Mac systems". The choices are bound to be less clear when what you're talking about is less clear to begin with.
2. If you're trying to claim that, for instance, choices are "somewhat less clear" in Linux-based systems, in each of the various BSD Unix systems, in OpenSolaris systems, in OpenVMS systems, in MacOS X systems, and so on -- in each case, choices are "somewhat less clear" -- then I think you're using the wrong phrasing. The way I'd put it is "choices are somewhat more flexible". I, for one, actually like being able to customize my solution to my needs, rather than just using whatever's handed to me by the vendor.

Neon Samurai

it was an indication that the comment was satirical in suggesting ways for one to commit employment suicide

seanferd

I think he said the same thing much more succinctly. I believe you misread this "advice".
