In a predicament at work...

DiscoDave · 6 Jan 2009 at 18:18

Hey all,

Just a bit of background info..

I work as an IT contractor but I essentially work full time on a client site managing their entire IT (~80 users, 8 servers etc). This company has a very "open" policy regarding Internet access, ie they don't block anything and trust people not to abuse it.

I've only been in this job a few months and I'm relatively inexperienced (22 years old, finished uni at 21).

I was working over the Christmas period and thought I would check the firewall logs for usage, found out someone was using bittorrent and downloading bleach episodes. Gave him a bit of a slap on the wrist and let him go.

However, I checked the firewall logs today and noticed that the most popular website being checked by the entire company is a porn site. 33000 hits in 24 hours (I understand that this isn't direct hits on the site, probably individual http requests). But still, very alarming. We have a very basic firewall package, it will log what sites are accessed and how many hits it receives, but will not tell me who accessed them.

I simply wanted to send an e-mail to all the employees where I'm at to keep their Internet traffic relevant and legitimate, the company director disagreed.

Instead, he's asked me to put in place software that can provide traceability and retrospectively log everyones usage, so that there is evidence to prove peoples abuse of the Internet connection, mentioning that people will get fired if there's proof of this kind of activity.

The funny thing is, I was in a very similar situation when I was on my placement year, I viewed someones internet explorer history and found it full of porn sites (I was on the computer removing malware because of it.) The empoyee in question got fired, and I felt really guilty about it.

But I'm just sitting here pondering, if I didn't report anything:

Users will continue to view porn sites and download movies, games etc
Malware would spread through the network (the company operates 24/7)
We could get into a lot of trouble with the ISP
If someone else found ouy that people were browsing porn sites and downloading but knew I did nothing about it, it would look very bad on me

I'm pretty sure I've done the right thing here, but if someone else gets fired because of their net abuse I think I would feel really guilty again...

What are your views on this?

Thanks,

Doonhamer · 6 Jan 2009 at 18:21

You did the right thing and should simply do as asked by the relevant person in authority.

Porn is not suitable work viewing and anybody disciplined for doing so will receive little sympathy from any body in my opinion.

edit: If you do feel guilty about doing this is it possible to perhaps drop hints that activity is being looked at closely without getting yourself in trouble?

DUNDOIT · 6 Jan 2009 at 18:22

People surfing t'internet at work are stealing from the company, and by extension everyone that works there. They are being paid to work, you should feel no guilt at all about it, though it may be nice to send an email round explaining your new security capabilities.

Maximum Triceratops · 6 Jan 2009 at 18:25

Its your job to do this so dont feel guilty, though if I were the manager you spoke to I would send ot a mail outlining what is not acceptable to view at work so it is crystal clear. Then I would start conducting all the people who were still breaking the rules, then you can say that they have being warned.

MrKeeno · 6 Jan 2009 at 18:26

IMHO you did the right thing, its your job after all.

Your boss however should give people a warning and say that he knows exactly what is being accessed and measures are being put in place to trace the individuals responsible. If they keep doing it after that then they would have nobody to blame but themselves.

Knubje · 6 Jan 2009 at 18:27

When you sign the contract to work for your company is there a disclaimer or something written talking about Information Technology within the company and how they are expected to use it for work purposes only and not to abuse it by doing X,Y,Z?

If so then they have signed saying they won't abuse whatever the rules may be and are therefore subject to get owned by the company. If not then I suppose there is less of a leg for the company to stand on in terms of getting rid.

However, I'm really no expert in employment law or anything like that but it's worth a consider.

My opinion working in I.T similar situation to you is that the company needs to sort it's act out in terms of firewall/blocking/monitoring what users are really upto. Where I am, anything deemed not suitable is instantly on the no go list: Pr0n, Alchohol, Drugs, etc. It can't be accessed unless you know what you're doing but then you will get owned for "going around the system".

I wouldn't feel guilty about doing your job though. They have abused their privileges working for your company, in doing your job you have made the management aware of the situation and the reprecussions of whatever they may do is more than likely down to the user.

DiscoDave · 6 Jan 2009 at 18:28

22B said:
Its your job to do this so dont feel guilty, though if I were the manager you spoke to I would send ot a mail outlining what is not acceptable to view at work so it is crystal clear. Then I would start conducting all the people who were still breaking the rules, then you can say that they have being warned.

Indeed this is what I wanted to do, and I drafted out an e-mail to remind the users and sent it off to the Director for approval (typical procedure) but he said no... which I thought was odd.

K.C. Leblanc · 6 Jan 2009 at 18:28

You've done the right thing getting a senior member of staff involved and if you'd failed to mention it and it came come to light you knew what was going on you could be in deep doodoo.

However if I was in the director's position I would be covering my back side by making sure there was an acceptable use policy in place and informing staff that their internet use was being logged.

waso_dude · 6 Jan 2009 at 18:29

He Can't just monitor everyones internet usuage like that,

they will have to put a policy through and get all staff to sign it.

z0mbi3 · 6 Jan 2009 at 18:29

DUNDOIT said:
People surfing t'internet at work are stealing from the company, and by extension everyone that works there.

That's a bit extreme isn't it? There's a difference between having a browse and looking at porn all day.

Granted you're there to work, and not everyone has the internet luxury, but if it was really as extreme as you describe then all companies would just put a block on all but a few essential sites.

DiscoDave said:
Indeed this is what I wanted to do, and I drafted out an e-mail to remind the users and sent it off to the Director for approval (typical procedure) but he said no... which I thought was odd.

Can you actually retroactively log the hits or are you going to start logging then present the Director with your findings? You've done the right thing, no doubt, but if there was a way you could find out who this guy is in the interim and make him aware that you're going to start logging then it'll help ease your conscience. I'm not saying that's what you should do either, it's just an option.

Richdog · 6 Jan 2009 at 18:30

Why on earth are you having a guilty conscience for implementing a system that stops people viewing porn at work? It's a workplace, it's not meant for porn, and if I were boss i'd also discipline/fire people for doing that when 9 times out of 10 they signed a contract agreeing to an IT policy that bars misuse like that. Even if they didn't sign, it's still gross misconduct to view that sort of material on such a regular basis.

Do what your wage-payer reasonably asks, and stop being so silly about it.

Ben643 · 6 Jan 2009 at 18:30

It might be a good idea to get it put in writing in the company policies too so everyone knows they're being monitored?

Edit - Doh, I took too long to post this

lumpeh · 6 Jan 2009 at 18:32

^ what he said. They should have signed something before management go disciplining employees for looking at pron. Might wanna write an AUP up, get it approved by the uppers then have copies made and signed by everyone and put on file.

BTW if you want some decent tracking software i might recommend something like Impero as you can have it bring up an AUP everytime they log on.

DiscoDave · 6 Jan 2009 at 18:35

To my knowledge there isn't even a misuse policy for anyone to sign when they join the company, which I guess would complicate things. I can understand why they would like such an open approach to IT usage, but from my standpoint it just complicates things so much...

mmj_uk · 6 Jan 2009 at 18:38

Could the 33k hits in less than 24hrs be from a trojan trying to dial home? just wondering before you get anyone sacked like.

DiscoDave · 6 Jan 2009 at 18:41

mmj_uk said:
Could the 33k hits in less than 24hrs be from a trojan trying to dial home? just wondering before you get anyone sacked like.

All the info I have to go by is a web address and number of hits. Therefore I don't have enough evidence to point the finger.

There's also a lot of web hits to megaupload.com....

Doonhamer · 6 Jan 2009 at 18:44

waso_dude said:
He Can't just monitor everyones internet usuage like that,

they will have to put a policy through and get all staff to sign it.

Is that considered good practise or legislation?

lumpeh · 6 Jan 2009 at 18:45

Its legislation for schools at least. Or at least thats how my management approached it.

Ben M · 6 Jan 2009 at 18:52

DiscoDave said:
if someone else gets fired because of their net abuse I think I would feel really guilty

What? Don't be stupid.

Steve2000 · 6 Jan 2009 at 18:53

Just block the sites anyway. Just tell your boss that they are linked with malware/spyware/viruses and you're fed up of cleaning up after them all. Just block the lot, I would.