Lacking reality: Sysadmins slam “snooping” claims


news Australia’s peak representative body for systems administrators has taken an axe to claims published in the Sydney Morning Herald last week that a huge proportion of IT professionals abused their system access to illegitimately read others’ email, calling for evidence to be presented to back the claim.

The claim was made in an article published by the newspaper last week, by Carlo Minassian, founder and chief executive of Earthwave, a minor IT security company based in North Sydney. “We know that 40 per cent of IT email administrators and IT managers look inside their manager’s, their board’s, their chief information officer’s, and chief executive officer’s emails regularly and read their email,” Minassian reportedly said.

However, in a statement issued this morning, the System Administrators Guild of Australia (SAGE-AU) strongly repudiated the claim, stating that it “does not reflect reality”. “SAGE-AU condemns the article for lacking any qualification or validation of this figure,” the organisation’s statement read. “The only source quoted is an organisation whose primary focus is the outsourcing of email and other computer system management for Australian businesses. SAGE-AU believes the claimed figure does not reflect reality and that the actual figure across all industries is substantially lower than this. SAGE-AU invites clear evidence from any party to the contrary – if it should exist!”

SAGE-AU highlighted figures published by the Australian Bureau of Statistics, which showed crime victimisation rates in the low single-digit percentages across a wide range of crimes. The organisation noted that it anticipated a similar figure (in the low single-digit percentages) would apply in the case of IT professionals illegitimately accessing email systems at their workplace. The systems administrators’ group additionally pointed out that modern technology platforms came with audit features built in, which would chronicle both authorised and unauthorised (or even attempted) access to data such as archived email.

“Actions which result in data access by any user, including system administrators, are logged at time of access and recorded in security log files,” the organisation wrote. “Access by administrators to private data of the scale suggested in the article would simply not go un-noticed.”
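SAGE-AU’s point about audit trails is the practical one: where a mail platform records who opened which mailbox and under what kind of logon, non-owner access by administrators is a query away rather than something that “would simply not go un-noticed” only in principle. As an added example (not part of SAGE-AU’s statement or the original article), the Python below runs that check over a handful of constructed audit records: it parses the log, flags every admin-privilege read of a watched executive mailbox that is not covered by an approved request, and tallies the flagged accesses per actor so a pattern stands out from a one-off. The record layout, the field names (owner, actor, logon), the operation names, the mailbox addresses and the approval list are all assumptions made for the illustration; a real deployment would read its own platform’s audit log and its own change-approval system.

```python
"""Detect unapproved admin access to watched mailboxes from a mailbox audit log.

Added example, not part of the original article. The log format below is a
constructed, simplified one (timestamp, operation, key=value fields); adapt
the parser to whatever your mail platform actually emits.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample records for the illustration (not real data).
#   logon=Owner    : the mailbox owner reading their own mail
#   logon=Delegate : someone the owner granted access to (e.g. an assistant)
#   logon=Admin    : access via administrative privilege, the case at issue
SAMPLE_AUDIT_LOG = """\
2011-08-10T08:01:12Z MessageBind owner=ceo@example.com.au actor=ceo@example.com.au logon=Owner
2011-08-10T08:15:40Z MessageBind owner=ceo@example.com.au actor=admin1@example.com.au logon=Admin
2011-08-10T08:16:02Z MessageBind owner=ceo@example.com.au actor=admin1@example.com.au logon=Admin
2011-08-10T09:30:00Z FolderBind owner=cio@example.com.au actor=cio@example.com.au logon=Owner
2011-08-10T10:05:27Z MessageBind owner=cio@example.com.au actor=admin1@example.com.au logon=Admin
2011-08-10T11:45:00Z FolderBind owner=cfo@example.com.au actor=assistant@example.com.au logon=Delegate
2011-08-10T12:00:10Z MessageBind owner=board@example.com.au actor=admin2@example.com.au logon=Admin
2011-08-10T12:00:11Z FolderBind owner=board@example.com.au actor=admin2@example.com.au logon=Admin
"""

# Mailboxes whose non-owner access should always be reviewed (assumed list).
WATCHED_MAILBOXES = frozenset({
    "ceo@example.com.au",
    "cio@example.com.au",
    "board@example.com.au",
})

# (actor, mailbox) pairs covered by an approved, ticketed request such as a
# legal-hold export. Constructed for the example; in practice this would be
# fed from your change/approval system.
APPROVED_ACCESS = frozenset({("admin2@example.com.au", "board@example.com.au")})


@dataclass(frozen=True)
class AuditRecord:
    when: datetime
    operation: str   # MessageBind = message opened, FolderBind = folder opened (assumed names)
    owner: str       # mailbox being accessed
    actor: str       # account that performed the access
    logon_type: str  # Owner, Delegate or Admin


def parse_audit_log(text: str) -> list[AuditRecord]:
    """Parse the constructed 'timestamp operation k=v k=v ...' line format."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, operation, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        records.append(AuditRecord(
            when=datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ"),
            operation=operation,
            owner=fields["owner"],
            actor=fields["actor"],
            logon_type=fields["logon"],
        ))
    return records


def find_unapproved_admin_access(records, watched=WATCHED_MAILBOXES,
                                 approved=APPROVED_ACCESS) -> list[AuditRecord]:
    """Return admin-privilege accesses to watched mailboxes with no approval on file.

    Owner access is normal, delegate access was granted by the owner, and
    approved (actor, mailbox) pairs are excluded; what remains is exactly
    the behaviour the article claims goes unnoticed.
    """
    return [
        r for r in records
        if r.owner in watched
        and r.logon_type == "Admin"
        and r.actor != r.owner
        and (r.actor, r.owner) not in approved
    ]


def tally_by_actor(hits) -> Counter:
    """Count flagged accesses per actor, so a pattern stands out over a one-off."""
    return Counter(r.actor for r in hits)


if __name__ == "__main__":
    flagged = find_unapproved_admin_access(parse_audit_log(SAMPLE_AUDIT_LOG))
    for r in flagged:
        print(f"{r.when:%Y-%m-%d %H:%M:%S} {r.actor} accessed {r.owner} ({r.operation})")
    print("per actor:", dict(tally_by_actor(flagged)))
```

On the sample data the check flags three accesses, all by admin1 against the CEO and CIO mailboxes; the delegate access to the CFO’s mailbox and admin2’s approved access to the board mailbox are left alone. The same approach scales to whatever volume your platform logs, and the point SAGE-AU makes follows directly: if access of the scale Minassian describes were happening, this is where it would show.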

Furthermore, SAGE-AU added that its members committed to a published code of ethics upon joining the organisation, which contained provisions specifically applying to the appropriate use of an employer’s computing assets, and “to the need to uphold the privacy and confidentiality of material stored on computing systems”. SAGE-AU could expel members for breaches of the code, it noted — and it encouraged Australian organisations to employ IT professionals who were members of such a professional group.

SAGE-AU’s code of ethics on the matter of privacy asks its members to commit to the following statement: “I will access private information on computer systems only when it is necessary in the course of my duties. I will maintain the confidentiality of any information to which I may have access. I acknowledge statutory laws governing data privacy such as the Commonwealth Information Privacy Principles.”

Update: Minassian has provided some further information on the issue, including some of the statistical basis for his claims, in this article on ZDNet.com.au.

opinion/analysis
Two things disturb me about the Sydney Morning Herald’s article. Firstly and most obviously, there is the fact that it completely unfairly demonises a whole class of professionals for merely having access to the resources needed to do their job, without providing a shred of evidence that there is systemic abuse of those resources.

Take this sentence for example, referring to Minassian: “He said IT administrators ‘can’t help themselves’ as soon as they have control and authority over IT assets.”

To my mind, this is a grossly inaccurate and stereotypical generalisation of an entire category of professional. I’ve worked as a systems administrator myself at several major organisations (for example, David Jones), and I can say that if sysadmin staff had been busted spying on sensitive corporate email outside of their remit, they would have been shown the door in almost all cases with no hesitation. I know the IT managers of the groups I have worked for would have taken it very seriously.

It is true that in the IT community, there are a number of recurring jokes about this kind of behaviour, with The Register’s Bastard Operator From Hell series being the best example of it. However, the reason that these jokes exist is that by and large, sysadmins understand that by virtue of their job, they have been given a very large amount of access. The jokes are there to underscore the fact that with that great power comes great responsibility. Almost all of the sysadmins who I have worked with or dealt with over the years have a high degree of integrity — and I simply cannot imagine them casually reading someone’s private email and covering their tracks.

Secondly, there’s also a broader issue here with the Sydney Morning Herald’s reporting.

Do sysadmins and other IT professionals have higher levels of access to sensitive organisational data than other staff? Of course they do. It’s part of their job to keep the systems running which store such data, and they are also often called upon by management to carry out certain acts with respect to that data. If they can’t access that data, they often can’t do their job.

However, sysadmins aren’t the only professionals with similar access. HR staff, for example, have extensive access to employee data, and anyone above a basic managerial level is usually able at most companies to obtain a certain level of access to the data of their employees. I’m sure a chief executive would be able to access whatever data they wanted inside their organisation. None of this is new or unusual — it’s part of the normal functioning of corporate life.

So why has the SMH chosen this moment to highlight this decades-old fact of corporate life, and attack sysadmins? Why sysadmins and not another profession such as HR professionals? Why cover this story at all? The answer, of course, is because of public relations (what else?).

Earthwave recently hired Australian PR firm Watterson to drum up some free publicity for its security services. Watterson is a very experienced PR firm which specialises in dealing with Australian technology journalists, and so has already been successful in getting Earthwave coverage with a number of the nation’s major technology media outlets (here, for example, or here, or here). It’s also recently begun issuing a ‘wave’ of self-promoting media releases. No doubt one of these, perhaps based on the ‘snooping’ scare campaign issue, found its way into the hands of the Sydney Morning Herald’s technology journalist team, and from there Bob was Earthwave’s uncle, so to speak.

It’s a classic IT security industry campaign: Use the press to scare businesses into thinking there’s some kind of threat, and then sell them the solution to dealing with that threat. In this case, however, I’m rather of the opinion, especially reading the dozens of outraged comments under the SMH’s article (outraged at Minassian, rather than at the issue of sysadmin snooping), that Earthwave’s PR efforts here might have backfired. This one in particular summed it up for me:

“I call bullshit. I’ve been in this industry for a long time now, people who would be stupid enough to display that lack of professionalism don’t last long. Way to pump your own services Mr. Minassian.”

My thoughts, precisely.

Image credit: Mateusz Stachowski, royalty free

22 COMMENTS

  1. Articles like this are why I love the news / opinion split format of Delimiter. Kudos Renai.

      • Indeed, very well spake. Earthwave have chosen to respond via ZDNet, and lo, apparently they have proprietary information that supports their view, and also a paid-for-by-HP report which suggests that sysadmins are slavering with lust to ravage your precious datas, and so you should consider outsourcing everything to HP. Sigh.

        It’s a worrying trend. There’s a hell of a lot of money in selling paranoia, and when the unsavory vendor can use that in confluence with a drive to outsource for great profit, the profession could be in for a rough ride.

  2. Well spake, that man.

    The question arises: Does Grubb allow himself to be used by PR hacks in this way and not care, or does he lack the wherewithal to understand that getting a story with a byline in this manner is dubiously ethical? Neither prospect appeals.

    Herpaderpas with breathless anecdata to appear here, I’m sure. I wonder how many of them commenting in the Fairfax article were PR hacks.

  3. SAGE AU would represent a tiny drop in a large ocean of System Admins in AU. They should not attempt to speak for the larger community of System Administrators. It is also possible to access files on storage servers without modifying a timestamp anywhere, and on Linux these are not logged, only access times changed, but again, if on say a NetApp or some other NAS, it is very easy to access files without leaving much if any trace. SAGE AU is populated by too many Windows Sys Admins who only see out windows, not doors :)

    But all that said, I kind of agree with them, I think most Sys Admins have far better things to do with their time, and it seems like this FUD smearer is trying to spread FUD to make a name for themselves, and for their own monetary gain, which I hope backfires, I for one would never entrust my data with someone who acts like a 16yo, ooops, I’m sorry, I don’t mean to offend any 16yo’s, maybe an 8yo ? hrmmm, now I’ve offended 8 yo’s oh dear….

    I’d say that the number of Sys Admins in this country who are unprofessional, commit unlawful, immoral, or other miscreant actions, you could probably count on one hand.

    • Nobby, all things are possible when you have root or admin access to systems, which you need to actually do your job. The issue is what you do then.

      The improper use of data you might examine in the course of your duties is already covered under the Privacy Act. I might well be able to see your privileged information, but there are hefty punishments for misusing that, not least of which would be summary dismissal, and ranging up to enormous fines and imprisonment. No thanks. I just want to go home at 5.

      Infosec is *hard*, and many companies sadly only pay lip-service to it, and then finding they need to manage this important area, look for a quick fix and turn to the yapping shoals of Yet Another Intercept Box That Magically Fixes All Things salesdroids. That one of them managed to get the ear of a fairfax journalist is a coup for them, but speaks nothing about their actual effectiveness.

      Lastly, I’d take issue with SAGE-AU representing a ‘fraction’ of the system administration community. SAGE-AU represents a broad range of administrators, vendors and skillsets. If you’re talking sheer numbers, then there really isn’t a representative organisation with those characteristics! You’ve got to be in it, to win it.

      • Whoops – ran out of room for my disclaimer and forgot to add it here. Disclaimer: I’m on the SAGE-AU exec, but I don’t presume to speak for anyone but myself here.

      • Yes, anything is possible, that is why we are in such a trusted position, those that abuse it, need removing.
        There are a few too many Sys Admins who go to work for 9-5 and that’s it, demonstrated by the lack of network configuration care (DNS PTR records = prime example), but most do care, and work hard, and I got to tell ya, a lot of the kids (new sys admins 18-early 20’s) seem to have their head screwed on more so than some 40 and 50 yo’s in this game, maybe cause they are “fresh” and feel the need to prove themselves, I don’t know, but there is an element of laziness creeping in, in some areas, but that laziness should never be mistaken for anything untoward.

        “The real problem comes from those in the field who are intent on malicious or mischievous behavior.”
        Yes, but like I more or less said, they are few and far between, as you would know.

        But you’re right, the story is just a “look at me, look at me” load of bullshit, and although I’ve had little regard for what Grubb has printed in the past, many others in this game speak highly of him, I wonder if that’s still true tonight… I feel rather justified in my decisions.

        “Lastly, I’d take issue with SAGE-AU representing a ‘fraction’ of the system administration community. SAGE-AU represents a broad range of administrators”

        I was once a member of sage-au myself, but saw little use or good from it, the only thing that happened was it ended up costing me about 10% plus GST each year more, for getting far less, and I fail to see paying 110 a year (or is it more now) when there are a myriad of industry-based free mailing lists with diverse professionals on them, granted, it might be worth it for Windows admins in a SMB environment, but for others, like ISP/Hosting Admins, nope :)

    • I wouldn’t trust my personal data with someone who has the same ethics as for example a journalist who puts his byline on a press release from a PR firm without checking the details.

  4. No offense to any customers, but most System Administrators (including myself) could not give two shits about the contents of most others’ emails, just stand by the water cooler and you will find that most gossip already abounds the halls of most offices anyway.

    The real problem comes from those in the field who are intent on malicious or mischievous behavior. Does this not then come down to a few bad apples in the field? How is this different to Doctors/Nurses, Police Officers or others in possession of similar data from misusing it?

    This again is just another example of Security Firms creating Fear/Uncertainty & Doubt in customers in order to sell them another security product and in order to keep their big fat checks nice and juicy. This is just a scare tactic to further promote their own product, I would not be surprised if this ploy was of the sole person to drum up more business for Earthwave.

  5. Talking with a colleague:

    “lemme do some math here. 40% of all IT staff & managers at 400 mid and enterprise companies are snooping. call it 15? 20 staff in each org that qualify, x 40% x 400 == 2400 people who have either been sacked or severely disciplined. that’s a lot of people. funny how I haven’t heard anything about it.”

    It’s true. Within the industry, you hear about this sort of thing. It would follow you around like a bad smell. Yet here we are. Hrm.

  6. I’ve figured it out where the stats come from, 40% of sysadmin working for the SMH are abusing email access.
    The 6 they have working for their IT department are fine but the 4 they “employ” for story leads are not.

    I can see the headline in competing newspapers in a few weeks “SMH in email tapping scam”.

    For the people at the SMH who so obviously lack critical reading skills (based on the contents of their papers), the above was satire.

  7. Well said Renai.

    As stated, the scare campaign here is not even particularly related to IT. There are lots of jobs out there where you can make similar claims.

    Something I’ve learned so far from my time as an IT professional, IT is not that big a world (those new to IT usually think the opposite). If you spend a while here, you start running into the same people time and time again. You also witness a few layoffs here and there from (usually inexperienced) admins that thought they could get away with dodgy behaviour.

    IT polices itself rather well, because as with any group of professionals, word gets around, and those inclined toward unsavory behaviour languish in helpdesk positions with minimal access, and that’s if they can still get a job in IT at all.

    While I might be appearing to say “just trust us”, the average person does exactly that with any amount of sensitive information every day, prime example, credit card numbers.

    Can we access your emails and HR data? Yep, we can. Do we? Only as much as we have to in order to do our jobs. If you can’t live with that, then go and study up, and manage your own damn systems. Which then makes you an IT professional, welcome to the club!

  8. @pblakez +1 Couldn’t agree more.

    Question, why does Grubb not do a followup story with sys admins POV, yes, I’ll even let SAGE-AU speak for me… this time :)

    If Grubb wants to keep whatever credibility he has left, I hope to see this, and soon, and he should ask himself why he did not do his job properly in the first place, by getting another opinion.

    40% of sys admins according to HP? This is likely in countries like Iran, Peru, Burma, China, North Korea and so on, which this goose would know, but hardly in a democratic society like ours, and I take offence at his allegations.

    Hey Carlo/Earthwave, what are you doing? What are your Sys Admins doing? I guess we all know now, don’t we.

    • SAGE-AU does not pretend to speak for the entire industry. We do speak on behalf of our members, whose number, relatively small though it is, is already larger than the sample size used by Earthwave (and Ben Grubb when quoting them) to justify their claim.

      Regardless of who we speak for, we stand by our position that the claim that 40% of IT systems administrators and IT Managers are abusing privilege and illegitimately accessing emails/corporate data is unsupportable by the evidence available, and we believe that level of incidence would be significantly lower than claimed by Earthwave/Ben Grubb.

      Windows admins are neither over nor under-represented within our organisation. SAGE-AU believes that good system administration practices are platform independent.

      Disclaimer. Like snerd above, I am also serving on the SAGE-AU National Executive Committee of Management, and I am authorised to comment on behalf of the organisation.

    • Just to clarify on the 40% thing.

      The 40% claim is based on something stated by Earthwave, though it’s a fallacy.

      What actually happened (by their own admission) is that 40% of a subset of their clients (a reasonable subset for them to choose as long as the conclusion drawn is relevant) have experienced issues where IT staff with privileged access have inappropriately accessed data they didn’t need to access as part of their job.

      This is not the same as their claim though, that 40% of admins are doing the wrong thing. Their claim would be like saying the following: take 100 people, split them into ten groups of 10 people each. Hand a red ticket to one person in each of four of the groups of 10 people – and then claim that 40% of the 100 people in the sample are personally in possession of a red ticket.

      The study sponsored by HP is actually worse – 61% or 64% (both figures are stated) believe that inappropriate access is occurring in their workplace. But that’s a belief, and has nothing to do with detected or proven cases of inappropriate access. I believe I may win lotto one day – but that doesn’t mean I will.

      Finally, a link is being drawn between the ability to do the wrong thing, and the act of doing the wrong thing. The two are not one and the same, they’re not even close.

      • Sorry, I did note in that reply that this was my personal opinion now, not that of SAGE-AU, but the system seems to have swallowed my disclaimer because I encased it in angle brackets…

  9. I spend a few hours a week helping out the Sysadmin with physical tasks (moving computers, that sort of thing) since he has a slipped disc and can’t lift anything. I had a chance to ask him if he’s ever had the temptation to snoop on emails or other data, and he just looked at me and said there’s no way he’d ever do that. He then went on to clarify that he DOES access private information, but each request has to go to the CEO of my work, then get approved by legal (in that the request isn’t unnecessarily broad) and then the request is submitted to the sysadmin. It’s a clear policy that everyone knows, and it’s got its accountability measures built in.

    If the sysadmin was caught accessing that data without permission, and there’s not a good reason for that access (for example, accessing email that flags against the filters at work) then he faces immediate dismissal, as well as potential criminal proceedings.

Comments are closed.