02 December 2009

"Your account has been locked. Please contact your system administrator."

When I arrived at work this morning I attempted to log onto my desktop and got the dreaded "Your account has been locked. Please contact your system administrator."

When I called the "help desk," the technician cheerfully confirmed that my account had indeed been locked, and that there was a note not to enable it, but to contact the "security center."

When I called the "security center," the person answering the phone also confirmed that my account had been locked (thanks!) and claimed that it had been done on behalf of someone in another security office.

When I called the next security office, it was confirmed a third time that my account had been locked, and the kind gentleman let me know that he would have it unlocked in no time.

But wait, I asked. What had I done to warrant my account being locked? He said he was looking into it. Really? They lock my account, are readily prepared to unlock it, but are still looking into why it was locked in the first place?

About ten minutes later my phone rang and the nice lady on the other end told me she was writing up an "incident report." Oh, great. Well, I figured, I would at least figure out what I had done wrong.

She asked me if I had visited a site called CoTweet. Well, of course I had. I use CoTweet at work to manage my Twitter account, and had been using it every day for at least six months or so. She kindly informed me that CoTweet was on the "prohibited sites" list. She then asked, "What do you use the site for? Is it work-related?" I explained that I use CoTweet (or Twitter for that matter) to keep in contact with other people in the security community. And that yes, it was work-related, but if they insisted, I could live without going to this site (while you might see this as backing down, from my perspective as a contractor it would not be a good idea to pick such a fight with a client's IT staff).

The phone call was short and sweet, and I politely mentioned that if CoTweet was indeed prohibited they should actually block it, which they do not. (Some other sites like Facebook and YouTube are in fact blocked, but neither CoTweet nor Twitter, for that matter, is blocked.) She finished up the incident report and my account was active again within 15 minutes or so.

The incident brings up a few questions:

1. Why lock someone's account but not provide them with the information that it had actually been locked, and a means to contact someone for it to be unlocked? I had to figure out everything myself, which clearly wasn't rocket science, but surely there should be some notification procedure in place.

2. Why isn't Twitter, or CoTweet, actually blocked? If you were to go to Facebook, YouTube, or any number of other sites, you would be greeted with a bright red warning screen (affectionately called the "red screen of death") explaining that the site was blocked (incidentally, this seems to happen fairly regularly for most users, mostly by accident, and doesn't ever seem to result in any "incidents"). However, Twitter is generally accessible (at least it has been; lately it errors out but the RSOD is never displayed), and CoTweet works.

3. What sites are actually on the prohibited list? Clearly the blocked sites are on this list, but apparently other non-blocked sites (like Twitter and CoTweet) are also on the list. You might be wondering at this point (as I was), would it be possible to see this list so that we know what sites to avoid? Well, of course not. No one has ever claimed to have seen such a prohibited list, but it apparently does exist. I am not suggesting that my place of work does not have the right to block whatever sites they see fit; they clearly do have this right. But I think they also have a responsibility to their users to let them know the specific policy. Social networking sites are embraced by some businesses, but under fire by many others. So I understand the issues with these sites. But educating your users on such policies is key.

One could argue that Twitter is not really necessary, or "work-related," but I find it invaluable on a number of fronts. With Twitter and CoTweet effectively out of bounds (and third party clients like TweetDeck would just be seen as attempting to bypass their apparent restrictions, or a violation by installing unapproved software), for the time being (during the day at least), I'm out...