I've never believed in job security by obscurity. I document everything, explain everything, because I want my bosses to know I'm doing the job they're paying me for.

To this end, if your boss thinks you'd steal data if you were fired, take the 'root' or 'domain admin' or 'enterprise admin' or whatever account -- you know, the account that can't get locked out from too many bad passwords -- make a nice long password for it, and put the username and password in a sealed envelope. Hand it to the PHB, and explain that if something bad happened, they could hand it to the next admin.

If they don't open the envelope right away, they trust you to do your job. You can check your server security logs for this. You might reconsider your employment there if they open and use it.

I generally don't use the built-in admin account for any actual administration. I just use it to create admin accounts that are subject to lockout rules, and I don't even use that for day to day use. Instead I use an account that's part of some kind of account operators or server operators group, so I don't need admin on my desktop to administer the network. But that's going off on a tangent.

Mine's the one with the envelope to hand to my boss.

According to that survey, 88% of admins SAY they would steal data if fired.

The amount that actually WOULD steal data would need to be based upon the amount of those who have been fired and did.

Actually, there can be good reasons for taking sly backups of the situation when you leave....

If you feel you are likely to be held accountable by management for later disasters caused by your replacement its nice to be able to chapter and verse them in court..

For that reason alone I would recommend the offsite backup location to be your glovebox!!

Taking data and releasing it inappropriately are different things...

Ha Ha, If my experience is anything to go by, you could solve this by merely asking the IT Admins to give you all the post-it notes (stickies) with passwords written on them that they keep in their wallets. Then fire them :-p

Developers trustworthy? yeah right, you can trust them to never write a bloated, insecure resource hogging piece of Sh%t eh?

Developers can embed backdoor stuff much deeper than admin's can.

I sense someone didn't get their own way on a network issue, or the purchase of a company iphone, so is stamping their little feet. Obviously Ac as he is scared of what his BOFH would do if he new what this luser wrote. What sort of MAC do you use anyway?

Talk about overblown sense of self importance!

Hope your admin turns off your remote server for good, and electrifies the door handles!

This was pretty much standard policy when I worked in finance for all top level passwords. Put in 2 sealed envolopes, sign over the seal, one to offsite backup, one to safe/vault. Each month have envolopes returned, check seal, change password and repeat. It also serves as disaster recover backup in case I am hit by a bus.

Unfrtunately I could never get myself fired with the accompaning 1 month to 1 years compensation, I always quit out of political frustration when the sane management who hired me moved on.

Without admins you would not have a environment to develop on.

Get back into your cube and eat some more skittles. Sandle wearing freak.

Mines the one with mouse balls in the pocket.

Oh I have just discovered that any data I have access to is worthless and the passwords on hundreds of post-it notes.. so if they sack me I cant even get warm place to stay free. if you have 800 passwords on 800 boxes,all of them like "LetmeinOhyesPlease1234567" only all different, how are you supposed to remember them, unless they are written down somewhere.

You are absolutely right! All good sysadmins are REQUIRED to know at least some development. Scripting is a must, in a number of languages, and object oriented scripting is a requirement of any good admin who doesn't want to keep repeating unnessesary work.

If a sysadmin is doing his job, then he has nothing to do, except wait for the phone to ring with a change request, or swap out the odd dead part. (Or backup drive.)

I guess that's why good sysadmins are required to be project leaders, developpers, analysts, and a host of other things.

I guess that's also why they nobody wants to hire developpers anymore. Why hire a developper for twice the salary when you can hire a Sysadmin for less, and get someone who bothered to learn how a system works before trying to code on one. Don't worry though, there will always be plenty of developper jobs in India for you, so you are safe.

For now though, I just finished pushing an OS to a few dozen pieces of metal, and while the scripts install the apps and run the patch sets, I'm gonig to go patch the SSI on the Intranet one more time, since those useless devs forgot to cross-test thier JS in multiple browsers. maybe I should throw a few more snikers bars over the roof at them; might get some better results.

:)

Mine the one with the card that's one stamp shy of a free pint at the pub...

You're just sore because the admins get all the babes.

Paris 'cos she's hanging out with us at Mission Control as I write this.

I take it they won't let you have admin rights then?

Hey, if it wasn't for developers and their hooky coding, the world wouldnt need systems admins!

As opposed to most developers I've met, who don't know what a fucking subnet is, and think that "routing" is something done by that thing stuck to their windscreen; that's before the snide, supercilious little fucks decide that they don't need to worry about software licenses and end up getting the company raided by FAST, or decide to change the IP addressing on their machine (because the thick bastards decided to hard-code IP addresses into the fucked-up abortion of an application that they're trying to pass off as working software to the clients that they've conned into thinking that they're anything like competent) and then complain because "the network's broken".

I don't suppose it occurred to you, numb-nuts, that they might have installed remote admin software to provide better and more timely support after you and others of your misbegotten ilk fuck your machines up again and then decide to complain about how the "IT doesn't work..."? And if that put "many projects" at "risk", then you probably weren't competent to be running them anyway.

As to this survey, gosh, company that depends on persuading people that there's a problem conducts a survey that "proves" there's a problem. Pardon me while I regain consciousness after fainting from fucking shock. I've been an administrator for a good many years, and I have been made redundant once after the company downsized drastically. I didn't consider stealing anything from the company in question, and I know quite a few other people who've been in similar situations and they never have either. The survey is bollocks, and to Austin Modine? How much did they pay you to shill for them?

Dude. I hope that's a joke because that's insane - and absolutely incorrect. That's exactly the kind of thinking that see's huge databases put on CD and left on the train and stuff.

I hope your boss doesn't read el reg and you work at some tiny little non-audited firm.

after all - i still have a fantastic "boot disk" and the internal email addresses of a couple of friends.

"Under no circumstances will said employee be allowed to interact with a computer or use company machinery before leaving"

That's why my logic bombs are designed to detonate if I don't renew their password every 3 months!

It's not harsh, it's plain common sense. As long as the employee is paid for outstanding notice / holiday, are you seriously telling me that they would *prefer* to work their notice period?

A friend of mine got an interview for a rival IT company, and when offered the job, immediately informed his PHB. An hour later he walked out of the building with three months pay and was able to start his next job a month early. He called it his, "disloyalty bonus" :-)

>you can trust developers, but admins never!<

Yeah, we can trust developers to cut corners and write poor code and generally f*ck up the company product, when they're not writing backdoors and security loopholes in to it.

Besides, how would you know what an admin does?

When he's freezing his arse off in an 18C server room, fixing the machine that your crappy code has crashed, you are in the games room being "creative" with your newest i-extension.

Given the recent progress made in "self-programming code" I think your job might be under threat WAY before they start to fire the bofh's of this world. To be honest, most developers I have met qualify under the "Get an infinate number of monkeys" scheme promulgated by most companies.

Finally, you really should be cowering under your desk by now (like the wimpy gray geek you are) as once your bofh discovers it was you that posted that comment MR ANONYMOUS COWARD, I wouldn't give a <clickety> for your continued employment or freedom <BWAH-HAH-HAH>

There's data and there's data.

Would I take handy scripts, procedures and stuff I have created there for my work .. probably, if I don't have those privately backed up already.

Would I create a backup of the CRM/ERP DB ? (how the #$%@^& would you fit that on a USB drive anyway)

Why ? And besides the obvious ethical objections, what would I do with it ?

Go the the competitors ? Who would I approach ? Why would they take it and pay for it ? (it's usually more the sales dept. that would have such contacts and insights). Would I ever get a job in this line of work ? (the world is smaller then you think)

Then again, if it would be a direct dismissal due to BOFH behaviour, a good IDM system would prevent the taking of such important corporate data anyway. (single click account blocking on over 15 systems is a fun thing to do :) )

(Pris, 'cause she also seems to be missing something, when 'stepping out' )

Abuse or betrayal of trust, treason by another name, is a very, very serious matter. They have a word for folk like this, traitor.

Hey, isn't treason still punishable by Hanging in the UK?

Admins hold a very great deal of trust and if the guys answering this survey aren't just having a laugh then they should firstly be utterly ashamed of themselves and secondly named, shamed, bagged on the spot, ID'ed, RFID'ed and never, ever allowed to work in any position of trust again.

My ex-boss changed external IT support suppliers one day and a few days later the one-man-support-company IT guy visited and got the grand tour from me. I was the IT Projects Manager and resident IT guru, but as I officially was NOT support staff, we still had external support suppliers.

2 days later I noticed the Admin password had changed, and the new IT guy was refusing to give it to me. (over the phone, mind you, he was freelance, and not to stay in the office. Lucky him.)

The next day bossman called me "for a chat" and announced I was being made redundant, as the projects I was working on had wrapped up.

Had I cared about what they did, I'd be regretting not having a chance to... make my departure memorable in various interesting ways.

Alas I was too busy seething at being made to work my 1 month notice period, and while idly reading job board across the net, finding out I'd have worked there 3 weeks short of a year, the legal UK minimum after which you are allowed to claim for unfair dismissal.

I'm sure the comments were tongue-in-cheek, but I have lost count the number battles telling developers that they are not having admin privs because their app isn't written correctly!

No way I would steal even so much a paper clip from the office, way too risky and as an average "smo" with a mortgage and family to look after, every thing I touch gets thought about twice. I too always document everything, then I get a good reputation for being open and honest. No price would be high enough, ever heard of proceeds of crim act? No matter what you get for nicking something, they can fleece the lot out of you, so don't give me that do the time and then live in the Bahamas BS!

Seriously, if you get sacked today, forget the old place, take your notice period payment, get another job and take a wee holiday.

Stealing data? Too obvious. You're the obvious first name on any investigation. You're better off closing that chapter of your life and moving on. It's not like a decent admin can't pretty much pick and choose a new job.

It's not clear. Did they ask the IT admin, or did they ask the Info Security Officer? If the latter, then it is the ISO's lack of trust / perception of their IT staff.

Doesn't matter. 88% of all stats are made up on the spot anyway.

Also remember that what goes around, comes around. If you steal someone else's data today - and promote such data theft - you should expect to have your's stolen tomorrow.

My name is Mark Fullbrook, I'm the Director for the UK and Ireland for Cyber-ark and it was me that commissioned this survey.

Let me give you some feedback on how this survey was run.

We asked 300 people with Administrative privileges a series of questions at the Infosecurity Europe Show which took place in April in London. How did we know they had administrative privileges? Well we asked them of course!

Once we had established their suitability we asked them a series of questions. Things like:

"Have you ever used your administrative privileges to access information that was NOT relevant to your role?" (That was had over a 30% positive response rate)

or

"If you left your company tomorrow which of the following would you consider taking with you" - followed by a list of things like Company records, HR records of course, highlighting one which said NOTHING. (we had 88% of people choose somethign OTHER than NOTHING)

There were a few other questions of course, and we intend to publish this as a white paper, but I just want to address some of the responses on this site.

First of all, I find it amazing how many times admins respond to these types of survey with the view that it is the users fault that they have to set up back doors or that they do not need to be monitored because of some God given right to anonymity.

Cyber-ark produce software that provides companies with the ability to automate password changes on privileged accounts, whilst ensuring that Administrators and Privileged users get the full access they have always had. The alternative is to just trust your user base and (from our survey) whilst that is fine for 12 of your 100 Admins, it might be a little foolish for the other 88 (I'm being slighty sarcastic here - but I'm trying to keep in line with the tone of most of the responses!!)

We dont supply companies with software to monitor privileged access because most IT Admins and Privileged Users are good, we do it because every now and again, you are going to have a bad one....... and why give them the opportunity if you dont have to.

Feel free to get in contact with me if you want to here any more about the survey and please, feel free to visit us at Infosecurity 2009 and take the survey yourself, and then you can see if things turn out differently. Personally, I dont think they will.

Incidentally, to those that say "it was fixed" ZDNET responded to an earlier release centered around the "would you use your administrative privileges to access information NOT relevant to your role" question by running their own survey... Guess what? The results were exactly the same.

BIG SMILEY FACE because generally, Im a pretty happy guy..

(I just get a little excited when people say my company is lying)

Water is wet, fire burns, the Pope's a Catholic, bears shit in woods.