Snooping

  • I was asked to help a supervisor to figure out where he had stored a staff evaluation on his PC. Turned out the staff eval was for the staff member whom he had been openly ridiculing on a regular basis. And who was a person I liked. And the supervisor was someone who had been rude to me personally (in front of others!).

I found the staff eval, and had to open it and save it to a new location. It took a LOT of effort on my part NOT to even glance at the content. I'm glad I didn't. If I had let down my guard and read even a little part - what would I have done with that information? For me - that was almost as important as the integrity aspect of not looking. Almost.

    That being said, I have glanced at faxes while trying to find mine and been AMAZED at the personal information people will have faxed in or out without standing there waiting for it!

    I've always liked the comment about - honesty, integrity, character (whatever) is what you do when no one is looking or no one knows.

  • The snooping issue for DBAs is an extension of the same issue faced by managers and those in HR (Personnel we used to call it) departments. That is, just because we can access data does not imply that we ought to. Now, as both a manager and DBA (de facto), the opportunity to use that level of access is even greater.

    The main point is that one must weigh the privacy of individuals, the interests of the company, and one's own personal scruples and assign appropriate priority. Several people have stated some singular cases where "snooping" was justified. Perhaps the test ought to be "is it my business to know".

    It's not clear-cut and neither "the ends justifies the means" nor "never, no never" is sufficient as a basis for decision-making.

Thanks for bringing this topic up, Steve. This issue is rarely discussed, but it affects almost every DBA every day. As the "protectors" of the organization's data, DBAs are in a privileged position, and trust is very important.

    Personally, I have stayed away from checking out data stored in databases, as I have always wanted to maintain a high standard of trust between me and my manager(s).

But at one company I worked at (it was a long time ago), I noticed a complete lack of interest in security. The company had over 350 employees and the network administrator in charge seemed clueless. In order to build a "case" for the company to do something about the lax security, I ran a network sniffer and password breaker on the network, and within a couple of hours, I had everybody's login name and password. When I skimmed the results, I was appalled at how many people, including top managers, were using a blank password (passwords weren't required by policy). I then presented this information to my manager, letting her know how poorly the company was protected. The response I got: "Yea, we know security is bad, but we don't really care." That was a shock. I destroyed the list and forgot about it. I also left the company shortly thereafter for a better opportunity. No point in working for an organization that doesn't even care about such important basics, like security.

I wonder how many companies still have this same attitude? As part of being a DBA, I think it is an inherent part of the DBA's role to take a leadership role in security, but that can only work if the organization's leaders are interested in it.

    Brad M. McGehee
    DBA

  • My advice is to get over your idle curiosity as soon as possible! ...

    I'm with Charles on this one.

    At one job in the past, we were getting royally screwed by the customer's contracted IT Manager. As sysadmins, a colleague and I had full access to everybody's mailboxes, so could have raided this person's mail to see just how we were being screwed now and future. However, we were both of the mindset that as much as we would like to, it was not the ethical thing to do. Not to mention that there wouldn't really be any practical way to use the information without it becoming apparent that we had gone mailbox diving (and no, that wasn't the driving factor behind not doing it).

The position I am currently in gives me access to all manner of customers' personal information. The Oracle DBA here has access to the HR & Finance databases. We are both of the same mindset (ethics aside) - we cannot be bothered with looking at the information therein because it simply doesn't interest us (beyond what we need to see in order to tune queries, indexes et al).

    Scott Duncan

    MARCUS. Why dost thou laugh? It fits not with this hour.
    TITUS. Why, I have not another tear to shed;
    --Titus Andronicus, William Shakespeare


I have not snooped, but I worked on a team of 4 DBAs where one did. One of our many responsibilities was PeopleSoft, which included the HR modules. The snoop accessed people's salaries and didn't like what he found. We had one of the factories across the street from the corporate headquarters where we worked, and there was a vacuum tube thing like bank drive-thrus use linking the two, so that paperwork could be passed between the two buildings without having to cross the busy highway. The snoop printed a sheet's worth of people's salaries showing how people who had been with the company for less than a year were making far more money than people who had been with the company for decades. He then sent it over to the factory. It was copied and made it through the company like wildfire. A lot of hard feelings arose out of that mean-spirited episode.

  • I was a manager at a company that was about to have a layoff. Several managers at my peer level were sent an email that had been put together by more senior level managers. The email had a list of everyone in the organization that we were to use to evaluate people to keep or let go.

When they prepared the email, they had pasted in a list of staff from an Excel worksheet. Someone discovered that what they pasted was actually an embedded object containing the entire worksheet. If you double-clicked it, the entire worksheet opened, showing their comments and evaluations of everyone, including me. There wasn't anything bad about me, but I saw some very harsh comments about other people that I knew would be reading this email.

I wasn't really snooping, but it was disturbing to see info that was obviously not meant for my eyes. I can't say that I felt better for seeing it, and it is the kind of thing I keep in mind if I am ever tempted to pry.

Of course, most companies do not do a good job at handling layoffs, but it's probably best not to work someplace that is good at layoffs.

Many of your comments center on whether you have or have not snooped, and most of the data that was looked at was about job security (or lack thereof) or $ (or lack thereof!). But we hold the 'keys' to a lot more information than that. Intellectual property, for one. The comments concerning selling this info overseas are a very real concern. So I think the future discussion should not be whether we have or haven't snooped, but how we can keep those with the keys to the system from accessing data. In most cases DBAs and system admins can do everything we need to without actually looking at the data. We have been looking at third-party products that monitor or prevent access, but it is a very difficult door to keep closed from the sysadmins with keys. Any suggestions on options that have worked well? Because despite the fact that most of us are trustworthy - some are not. And companies are getting more concerned.

  • kdv (8/14/2008)


    Many of your comments center on whether you have or have not snooped and most of the data that was looked at was about job security (or lack thereof) or $ (or lack thereof!). But we hold the 'keys' to a lot more information than that. ...

    (emphasis mine)

    We most certainly do. I have access to SSNs, home address and phone numbers, heck, I have bank account information. And that last piece is not in a database, I saw it due to poor document management by someone else.

    And therein is the rub. We might be able to add restrictions and monitoring to database information, but there's always the human element. I could easily pillage that information and sell it, and it probably would be undetected and unprovable, but I won't because of my personal ethics.

    -----
Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson

  • This is really an age old problem with no true solution. People have to be trusted with access to various valuable things, and there are always those that will misuse that trust.

The check-out clerk who pockets cash from a sale, the stockroom clerk who takes home a new coat, the payroll clerk who pays a fake employee, the CEO who gives themselves a no-interest, no-repay loan, the salesman who leaves with a list of top customers, the CFO who makes straw-man stock trades based on unreleased financial statements, and the DBA who looks at confidential payroll information are all abusing their trust.

    In the big scheme of things, the potential for abuse by a DBA is probably less than many other jobs, because the ability to turn the abuse into profit is limited.

Snooping is good. It leads to open communication.

    Also, if the snoop does find that something illegal is going on, then they need to take it to the authorities, whether it be the local police, FBI, CIA, etc. This is why there are whistleblower protection laws. I know those laws don't always help the whistleblower; especially, the more corrupt the criminal is, the more the whistleblower's life/lifestyle is at stake.

    Granted, using that information to abuse the privacy of non-criminals would be, or at least should be, a violation of privacy laws.

    And using that information to blackmail or extort something from the criminal, one is just taking their own life/lifestyle into their own hands, and they are then also a criminal.

    In the case of those situations where there are immoral judgments going on at any level, then yes, everyone has a right to know what kind of company they are involved with.

    EDIT ADDED: Oh, I cannot cite any real-life cases, but a great dramatization would be "Weekend at Bernie's". Mind you, just the first 45 minutes or so.

  • Michael Valentine Jones (8/14/2008)


    In the big scheme of things, the potential for abuse by a DBA is probably less than many other jobs, because the ability to turn the abuse into profit is limited.

    Why do you say that?

    I have worked places where I was just about the only person that had access to all relevant data for sales and contracts. Since I was in a company that only has one other competitor in their market, I am willing to bet I could easily have made good money by contacting the right people there.

Account information, SSNs, mother's maiden name......, all data that I COULD access if I wanted it where I work now. And sometimes I end up seeing it as part of doing my job, unfortunately. I am one of the pushers of encryption etc. of that kind of data in the company. Why? Because if it gets loose and into the right hands, I might be the first one to be investigated since people know I have access to it.

But if indeed you did sell those secrets to competitors, or in your case a single competitor, you are cutting your own throat unless you have some arrangement with the competitor to either work for them or for them to help you get work somewhere. Even if you helped them outbid your company for a multimillion-dollar contract, I'm guessing you're not going to get more than 10K as payment. And I'll bet even if you are single with no children or any other kind of dependents to take care of, that 10K isn't going to last more than 3 months. Remember, you'll still have to claim it as income and pay taxes on it with the IRS. That kind of money is a huge trigger in the banking industry. So you may not get caught selling company contracts, but

    Personally, if I were to pay you for your company's contract agreements so I could outbid the company you work for, you wouldn't be working for that company for very long, because it would quickly close, and I wouldn't let you near any sensitive data in my company. If you made an attempt to blackmail me, well, you're just a disgruntled, laid-off competitor employee.

    Selling personal information on your fellow employees: you probably would get away with that forever, since the justice system and the financial industry like people's identities to be stolen. It gives them targets to kick around in court and abuse even more, because they have declared themselves not responsible for money lost or stolen even if it's their fault. Which is wrong.

    But I'm guessing you're not going to make that much money from selling personal info from a database, or even selling the whole database. So is it really worth the future aggravation and anxiety to actually sell that info? Because when you get drunk / high / laid (aka pillow talk), however you loosen your lips about it, you will compromise yourself, and that person can go to the authorities, or blackmail/extort you for cash.

    So it's really not in the DBA's best interest (especially long term) to disclose the information for personal reasons.

    Now I do agree with you that, yes, the info should be encrypted to protect the DBA, so that even if someone else has hacked the information (doesn't matter how), you become less of a suspect and that person can't smell (point) you out first and say it's your fault.

  • kdv (8/14/2008)


    We have been looking at third party products that monitor or prevent access, but it is a very difficult door to keep closed from the sysadmins with keys. Any suggestions on options that have worked well? Because despite the fact that most of us are trustworthy - some are not. And companies are getting more concerned.

    SQL Server 2008 Audit includes the ability to audit sysadmin activity. If the sysadmin tries to change or turn off auditing, then this is also logged. It may not be perfect, but it is much better than what we have had in the past.

    Brad M. McGehee
    DBA

  • But can 2008 monitor me copying a backup, compressing it, and loading it to a thumb drive? USB memory drives are up to at least 16gig, so that'll hold a 30-40gig database. Anything bigger than that, and there are terabyte portable USB HDs.

    I'd like to see a comprehensive, item by item, log of DBA activity on servers if there are any object changes or file activity. I think not enough DBA activity gets logged.

    -----
Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson

  • Nope, SQL monitors SQL.

    There are some file system solutions, but there really isn't a good way to do this and make it available to the security folks. Maybe set permissions to allow you to write a file, but not read it?

    Two factor authentication would help here for some permission sets.
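What Brad's SQL Server 2008 Audit suggestion looks like in practice, and where the thumb-drive objection above still stands, as an added example that is not from any poster in this thread. The audit name, the UNC path, the HR database and the dbo.Payroll table are assumptions; everything else is standard SQL Server 2008 Audit syntax. It records SELECTs on the payroll table by everyone (sysadmin included), records every BACKUP statement, and records any attempt to alter or disable the audit itself.

```sql
-- Added example (not from any post in this thread). Assumed names:
-- audit SnoopAudit, share \\auditsrv\sqlaudit\, database HR, table dbo.Payroll.
USE master;
GO

-- 1. The audit target. Put it on a share the DBA's own account cannot read
--    or delete from (share ACL is an assumption here; the SQL Server service
--    account needs write access). ON_FAILURE = SHUTDOWN stops the instance
--    if the target becomes unwritable, so filling or unplugging the target
--    is not a quiet bypass.
CREATE SERVER AUDIT SnoopAudit
TO FILE (FILEPATH = '\\auditsrv\sqlaudit\',
         MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 64)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
GO

-- 2. Server-level groups. AUDIT_CHANGE_GROUP is the one Brad describes:
--    ALTER/DROP of the audit or its specifications is itself written to the
--    log before it takes effect. BACKUP_RESTORE_GROUP records every BACKUP,
--    including one written straight to a removable drive.
CREATE SERVER AUDIT SPECIFICATION SnoopAudit_Server
FOR SERVER AUDIT SnoopAudit
    ADD (AUDIT_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (BACKUP_RESTORE_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP)
WITH (STATE = ON);
GO

-- 3. Database level: every SELECT on the sensitive table, by anyone.
--    "BY public" covers sysadmin as well: permission checks are skipped for
--    sysadmin, but the audit event still fires.
USE HR;
GO
CREATE DATABASE AUDIT SPECIFICATION SnoopAudit_HR
FOR SERVER AUDIT SnoopAudit
    ADD (SELECT ON OBJECT::dbo.Payroll BY public),
    ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP)
WITH (STATE = ON);
GO

USE master;
GO
ALTER SERVER AUDIT SnoopAudit WITH (STATE = ON);
GO

-- 4. What the reviewer (someone other than the DBA) runs: payroll reads by
--    sysadmin members, backups, and any change to the audit configuration.
SELECT f.event_time, f.server_principal_name, a.name AS action_name,
       f.database_name, f.object_name, f.statement
FROM sys.fn_get_audit_file('\\auditsrv\sqlaudit\SnoopAudit_*.sqlaudit',
                           DEFAULT, DEFAULT) AS f
JOIN sys.dm_audit_actions AS a
  ON a.action_id = f.action_id
WHERE (a.name = 'SELECT'
       AND f.object_name = N'Payroll'
       AND IS_SRVROLEMEMBER('sysadmin', f.server_principal_name) = 1)
   OR a.containing_group_name IN ('AUDIT_CHANGE_GROUP', 'BACKUP_RESTORE_GROUP')
ORDER BY f.event_time;
```

The limit is the one raised in the thumb-drive reply: this sees only what goes through the database engine. A BACKUP DATABASE to a USB path shows up under BACKUP_RESTORE_GROUP, but copying an existing .bak file off the file system does not, and a sysadmin can still run ALTER SERVER AUDIT ... WITH (STATE = OFF); the difference from earlier versions is that the shutdown attempt is itself the last record in the log, so it is detectable after the fact rather than invisible. Catching the file copy needs operating-system object-access auditing on the backup directory, and the audit share itself needs to be owned by someone who is not the DBA, or the log can be edited by the person it watches.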
