vvmarko at gmail.com
Fri Oct 14 21:04:07 UTC 2011
On Friday 14 October 2011 16:28:17 Ed Greshko wrote:
> All I know is this.... If I were Marko's employer and I read his views
> on circumventing or flouting the rules of a company I'd start to worry.
Oh, I understand you completely! :-)
The opinion that I have comes from the experience of being on both sides of
the "fence" --- at times, I was the client needing some access, and other
times I was the admin being asked to provide such sort of things.
The point is that when someone asks me to change firewall rules to allow him
some type of access, I take it very seriously into consideration. If there are
no security threats, I would typically grant access. If there are security
issues, I would invest some effort into helping the client to achieve his goal
in a different manner, and/or help him understand why his wish is a Bad Idea
from a security standpoint, and I would not stop until I was sure he
understood. If I don't do that, I run the risk that he is going to provide
himself access behind my back, and that would be even worse.
OTOH, whenever I was in a position of a client asking for something, I
expected nothing less from my admin. If I ask for, say, a firewall rule to
grant me some access to something, admin's reply "it's against the rules" is
not enough. I go on to ask which rule, why, how, for what purpose, etc., and
if the admin has good answers, I get persuaded to give up on my request for
But quite often, the admin doesn't have a valid response to "which rules",
"why are those rules in place" and "what could happen if someone disobeys that
rule". If I am not persuaded that the rule actually makes sense, I go on to
challenge it in one way or another. Quite often I found out that such rules
are a consequence of someone's incompetence or a relict from the past, and
that they are completely useless and artificial (a typical case is when the
company burocracy doesn't keep up with technological development).
In such cases, as well as when the admin insults my intelligence with an
answer of type "it's too complicated for you to understand why...", I come to
the conclusion that the rule can be ignored.
Once I even got caught ignoring one of the rules, and when audited by my boss,
I presented arguments for my defense that eventually led to removing the
offending rule from the "terms of service" and company policy (it was about
allowing access for p2p communication, torrent in particular). I wasn't even
punished in any way. The rule was just plain stupid and unnecessary.
The point is that I am not some hippie, ignorant of security or other policies
that are enforced on the users, I just don't want to blindly "uphold the
rules" without any sanity. :-)
P.S. <quote>Rules are made to be broken...</quote> ;-)
More information about the users