The Ethics of Geekdom

I have just had my second encounter with a coworker accessing my computer without my permission, on my login.  This means two of the twenty people in my department have some questionable ethics.  I’m laying odds that it’s more than that, but I’ve only known of two at this point, and I don’t want to make too many assumptions.

What really bugs me is that I would never do this to either of the people who did it to me, or to anyone else in my department, much less the entire campus.  There is no reason I would need to, and quite honestly, whatever they are working on is none of my business.  This most recent episode was borne of nosiness, a coworker wanted to know what fun new toy I was getting that she is not.  I had been gone from my desk for about twenty minutes, and came back to find her hunched over my desk with her hand on the mouse, clicking through my recent documents folder.  When she saw me, she made a very lame joke and laughed, as if I would just think it was all some sort of harmless chicanery.

There is nothing harmless about accessing someone else’s files.  It should never occur in the workplace, especially between members of the IT department.  Our jobs, out of necessity, give us access to things that other people on campus don’t have access to.  I have a master key that will let me in any room in any building on campus.  I also have rights to servers and desktop machines, for the purpose of fixing problems or providing training to our end users.  I take my job seriously, and I cannot imagine a time when it would be okay for me to access the files of our campus president, for example, or those of a faculty member.  There is just no rationale for me doing that, and further, my own personal ethics would stop me from doing so.  I equate snooping in someone’s computer the same as snooping through a purse or wallet or dresser drawers.  It just isn’t done.

I have been told by our department manager that I need to lock my computer when I leave my office.  And yes, I know I can lock it and it is easy to do, even though I have to do it three times (three active computers on my desk).  But I don’t feel that I should have to do that.  I should be able to trust my coworkers, the people that sit in the same office with me, the people that I am entrusting work to and accepting work from.  These are people that, presumably, have the same “best interests” of the campus and the department in mind in everything they do.

Of course, presumption and assumption are one thing, and reality can be vastly different.  As a geek with a lot of technical power over users, it is a disappointing to think that our users may not be safe from the geeks tasked with keeping them up and running.  Very sad indeed.

6 thoughts on “The Ethics of Geekdom

  1. I agree with you about your nosy cow-orkers. There is no reason they should be accessing your systems. But I disagree with you on locking the computer.

    I, too, work for a university and even though I trust every member of my team, I hit Windows-L every time I leave the office. EVERY time. Of course, it’s almost automatic for me because of my former employment. We were required to lock our computers if we stepped away from our desk. If you were unfortunate enough to forget, you would get visited by the My Little Pony bandit. A young coworker that sat across from me who would change your wallpaper to a My Little Pony picture. Nothing harmful but it was an embarrassing reminder.

    My point is, even if you trust the people you work with, don’t give them any temptation. I mean, you lock the door to the server room, don’t you?

  2. We lock the door to the server room, then give everyone in the department the code for the door. So yes, and no. I am locking my computer because it has been shown to me that I can’t trust my coworker(s), but that is still a disappointing thing to contemplate. There are plenty of temptations around the workplace, but that doesn’t mean we have to act on it. It is incomprehensible to me.

  3. As a security analyst, I am equal parts aghast and terrified that you, working for an IT department for a university, have not implemented forced desktop locking after a 16 minute interval (15 +1). The implications of you being the “norm” in the industry only exhibits the terrifying and sorry state of affairs and also explains why viruses, malware and black hats are so rampant on campuses throughout the world, let alone the US.

    You are (likely) subject to Sarbanes-Oxley and if the regulations had any real teeth, your management and/or trustees could be in court if any sort of breach incident was escalated to federal investigation, as leaving a workstation with an administrator’s credentials active in your environment (with dbs full of names and SSNs) could, at minimum, land a jumbo fine.

    Just what are you thinking and why haven’t any of your people had any real IT security training? Doesn’t anyone there read the security industry news?

  4. Thanks for writing, Richard. IT staff working in our open areas do not leave machines logged in with administrator credentials, and our public and private networks are secured. There have been no hacks, and we rarely have a virus or trojan attack, and when we do, it’s shut down pretty quickly. I work in an office with one other person, and my office is in a secure and monitored location. Locking my computer because I need to go to the bathroom is paranoid and should be unnecessary, except in the case of a nosy coworker, which is really a whole other issue than campus network security. Our server room is locked from students, the general public, and all staff except campus police, with only the IT department having access (by door lock code) to that area, and it is monitored by recorded video. I am not sure what additional physical security should be enabled, considering we’ve had no issues. In the case of my coworker accessing my files, she was simply perusing my home directory, something she can only see if she’s using a computer I’m logged into. She has the same administrator rights as the rest of the department (just as I do). For what we have to do, this is necessary, so where do you draw the line on who has access to what? Personal and professional ethics MUST play a role in what gets accessed, as well. If you can’t trust the people in your own department, then your problems (in my opinion) run way deeper than any intrusion that could be manufactured from outside our campus.

  5. I hate to say it, but I’m with Richard (I work for a bank, btw) on this.

    Has your institution a mandatory class on computer security with signed acknolwedgement? If not, consider it pronto. It’s not about trust or lack thereof per say; it’s about the the law and/or procedural protection of your clients information.

    Our desktops auto-lock at 5 minutes of inactivity. (Pain in the butt, but dem’s da’ rules…)

    Something like you described would be grounds for IMMEDIATE termination in the IT department where I work, and a full investigation by the bank’s security and Compliance department as s result.

    You mentioned: “Locking my computer because I need to go to the bathroom is paranoid and should be unnecessary, except in the case of a nosy coworker, which is really a whole other issue than campus network security.”

    Sorry to say, but, No, you are wrong. You as much indicated it IS a security issue. People are human, and that is EXACTLY why the strict security measures are required. Doesn’t matter if it is a nosy or non-nosy coworker, or paranoia, or whatever.

    Look at it this way – let’s say you step away for restroom break, and your superiors bring by a vistor, or perhaps a Federal or State Auditor stops in to see the department; what do you say then in reponse to your unlocked terminal?

    Just a thought.

    Think smarter, not harder.

  6. Thank you for your comments, Eddie. It turns out that I am not the only one leaving a computer unlocked for bathroom trips or mail runs. I did a little impromptu research this morning, and found that many of my department’s workers leave their computers unlocked when they walk away for short breaks, even in shared offices. There is no “security” class we all must attend, and this information is not part of any orientation I received when I was hired 9 years ago. I don’t think anyone here believes that the information that could be accessed from our office computers is a violation of anything, and I would tend to agree. Our financial and student systems are part of a proprietary system that is accessed through a browser but requires two levels of logins to get to. The only thing easily available on my computer is my own home directory, which is full of memos, letters, proposals and white papers I’ve written (which is what the coworker was aiming for on my computer) and audio books we’ve created for disabled students. I am required to log in with a separate login and password to access mapped drives to my pc that contain installation files, server manuals and procedures, forms, etc. So there are multiple levels of security in place. But we’ve never been forced into an auto-lock/log off procedure, and were never told that we should be locking our machines when we walk out of our (secure) offices.

    I am, however, appreciative of your comments and suggestions and will be making some changes in my own behavior and habits. But for me, it is all about trust, and it is still a sad thing that my own coworkers cannot be trusted. Temptation abounds, in all parts of our lives, and the same people that would never think of shoplifting, would easily access another’s computer files with no qualms whatsoever. I find that disturbing, at it’s very base.

Comments are closed.