I’m not enough of a barely-qualified, bloody-minded, muppet.
Specifically: I know enough about securing the average company network to not be overly paranoid, and within those parameters of security, I believe in letting people do more or less as they wish. I’m confident in my ability to remain a step ahead of anyone that isn’t in IT, basically.
Many of you will have heard/remember what happened to me in my first few weeks here, when I got slapped with the internet use policy. Broadly: because they thought I might not have been doing my job 24/7, they completely removed my ability to do any work whatsoever. That all got sorted out, in the end, but I thought it was a fantastic bit of muppetry.
They’ve topped it.
Doing some entirely legitimate, work-related web browsing, I found a really useful website that will be a great help in keeping the company’s webserver safe and unhacked. Of course, when I tried to go to it, I got an “access denied” message – something about it was tripping the AUP. So I went around it, in the manner that my colleagues kindly showed me how to do. It’s not good for much besides scanning LJ and checking personal mail, though. Which is, to be fair, all I normally want it for.
But anyway: having seen that it will be really useful with the security-type bits of my job, and confident that it was completely work-related, I emailed my boss and IT to ask if I could please be allowed access to it, in order to do my job better.
They said no.
The site is basically a listing of the various hacking vulnerabilities a website may have that can be exposed by Google. Very, very handy. Go through them, check your site doesn’t have them, generally keep up to date.
But, because (and I think the standard of their English gives something away here) “there is various tools on the site that allow the proxy servers to be hacked and jumped so that its possible to access restricted websites”, I’m not allowed to do it.
Point a) No, there aren’t. There are ways to discover if a proxy is open to exploitation, but not, as far as I can see, anything that would actually allow me to do so. And frankly, I don’t give a shit about exploiting their poxy proxy.
Point b) though, is a doozy. The email from them goes on to say that if I want to access this site, I can do so via the ADSL line we have in the office, that isn’t on the company network. So, they’re OK with me being able to go there, and learn all I can from it, it turns out. Including, apparently, how to bypass their proxy. Just so long as I don’t do it through their proxy. Are they assuming that it’d be beyond me to get any of these (supposed) hacking tools I damn well pleased from the ADSL machine onto another machine sitting six feet away, or something?
So, they don’t want me to do my job easily and well, and to help keep the company’s machines secure, but they’re fine with me learning how to break their rules (and therefore make the company network less secure) so that I can do my job easily and well.
What do they teach PFYs these days on their IT courses?
Still, in the event that any of our webservers should get hacked, it just became IT’s fault, rather than mine. They wouldn’t let me keep up-to-date with how to stop it happening, after all…