Last Updated on October 5, 2018 by Dave Farquhar
On Slashdot, a newcomer to the IT field asked a really good question: What do you do to avoid seeing things you’re not supposed to see?
Clearly, some people do it better than others, but it seems to me it’s a fact of life that eventually you will see things you’re not supposed to see. How you handle it is the bigger problem.
I know what the guy is talking about. One time I was working on a computer when a sensitive e-mail message came up. The user took me for a walk. He’d applied for a new job, and his dad–who also worked there–e-mailed him wanting to know everything.
“You weren’t supposed to see that,” he told me. “Promise not to tell anyone?”
I told him I see stuff like that way too often, and that I wouldn’t tell anyone, just like I never told anyone about the other stuff I found. I kept my word, he got his job, I got the next job I applied for, and everyone was happy.
It seems like something like that happened at least once a year, and more like once a month people would tell me their passwords. I’d cut them off as early as I could, saying I didn’t need to know their password and didn’t want to know it. That’s one thing you can do. The other thing you can do is to ask someone to close their e-mail and close any sensitive documents they may have open while you work. People will appreciate that, and it can only help your professional reputation, but let’s face it. When everyone’s trying to squeeze 60 hours of productivity out of your 40 hours at the office, from time to time you’re going to forget to ask that question.
The inescapable fact is that most IT professionals have an administrative account that lets them see a lot of things, and a company’s computers collect tons and tons of information anyway. So we need to operate by a high code of ethics. Our employers or clients have entrusted us with a great deal of power, and we must not misuse it.
Part of being an ethical professional is that we won’t gossip about the things we see, or the things we happen to overhear because cubicle neighbors didn’t realize we were there, working on a machine.
Now, people won’t notice when you keep your mouth shut about things you’re not supposed to know, because they can’t possibly know you know about it if you’re not talking. But they’ll certainly notice when your mouth is running and it shouldn’t be. In IT, people assume you’re trustworthy until you prove otherwise, and talking about stuff you shouldn’t be is the best way for you to prove that you aren’t.
And in the long run it pays. I’ve seen people who stepped on other people, used things they shouldn’t know to their advantage, or were otherwise dishonest, but it’s always caught up with them. Sometimes it takes years, but it catches up with them. While people who are honest and trustworthy may hit a bump in their career here and there, they always land on their feet, and some do a whole lot better than landing on their feet.
In my case, doing better than landing on my feet meant moving from the sysadmin side of the house to the security side of the house. One of the very fundamentals of security is not talking about stuff you’re not supposed to talk about. There are lots of opportunities in security, and that’s not going to change for a very long time. Seeing things you aren’t supposed to see is inevitable, but one should minimize it, and then when it happens, look at it as an opportunity to practice being honest and being careful what you talk about.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.
4 thoughts on “IT personnel and knowing things they aren’t supposed to know”
There is a feller in Russia that just had his visa extended for three years. If he had followed your advice, he would be home, and happy, instead of hoping for amnesty.
At least Putin is allowing him to work in I.T., even though he isn’t trustworthy.
“The hacker mindset doesn’t actually see what happens on the other side, to the victim.”
Yes indeed, although I do suspect he had other motives in mind other than his IT career and I think he knew exactly what he was doing. Only he can answer how close the outcome he got came to what he wanted, though.
Back in the mid-to-late 90s, I spent a lot of time working on people’s computers, mostly belonging to friends and co-workers. I can’t tell you how many potentially embarrassing things I ran across, from resumes to lots (and lots) of personal photographs. Probably the most embarrassing one was when a co-worker (in front of our boss) asked me what cookies were; when I showed him (on his computer) there were a bunch to some pretty embarrassing websites, many of which consisted of… uh… lonely men and innocent animals.
As someone with access to every machine in our domain (tens of thousands of workstations and thousands of servers), I run across things I’d rather not see from time to time. If it happens in front of a user, I usually jokingly tell them “it’s not one of the 20 most interesting things I’ve seen today.” One time I told a co-worker, “that’s nothing, you know what I saw on the boss’s computer?” When they asked what, I said, “I don’t remember,” and walked away.
Rob, you reminded me of something I saw on the boss’ computer. And I’m gonna spill it, because I don’t work there anymore and neither does he.
At a previous job, we had an executive who was a retired Army general, probably in his 50s. We were running an antivirus scan on his computer, and in those days it was slow so you could see what it was scanning. We got to his MP3 directory, and saw stuff like Celine Dion, Brooks & Dunn… OK, no great surprise there. But then, it was boy band city all the way. The guy I was working with and I both looked at each other and asked, “Did I just see that?”
One other time the same guy and I saw things on someone else’s computer that prompted a call to HR. And that’s all we need to say about that.