Re: Going meta (was RE: [fw-wiz] Ok, so now we have a firewall...)
From: Chris Blask (chris_at_blask.org)
Date: 06/03/05
- Previous message: Paul D. Robertson: "Re: [fw-wiz] Ok, so now we have a firewall, we're safe, right?"
- In reply to: Scott Stursa: "Re: Going meta (was RE: [fw-wiz] Ok, so now we have a firewall...)"
- Next in thread: Brian Loe: "RE: Going meta (was RE: [fw-wiz] Ok, so now we have a firewall...)"
- Reply: Brian Loe: "RE: Going meta (was RE: [fw-wiz] Ok, so now we have a firewall...)"
- Reply: R. DuFresne: "Re: Going meta (was RE: [fw-wiz] Ok, so now we have a firewall...)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Scott Stursa <stursa@mailer.fsu.edu>, "Marcus J. Ranum" <mjr@ranum.com>
Date: Thu, 02 Jun 2005 23:35:30 -0400
Hey, Scott!
At 04:28 PM 6/2/2005, Scott Stursa wrote:
.d.
>So I held my ground and we did it my way. The result - no compromised
>hosts since then (beginning of March).
>
>But I've paid for that. Two months ago he did a performance appraisal on
>me, giving me the first "unsatisfactory" rating I've received in 26 years
>of working for the university. I'm on probation and having to document
>literally every minute of my day. Not that it will make any difference - I
>fully expect to be unemployed when my contract expires in August.
>
>This is the price I'm paying for *not* being a "sissy".
That sucks! I mean, it is quite possible he is just the breed of
pencil-neck career-monkey that occurs so often in the wild and you would
never be able to live with him, anyway, but this is precisely the kind of
situation that occurs again and again and grinds us down as a group. Of
course it's grinding you now specifically, but I bet you a bottle of
Jameson's that you end up making more money this time next year than you
are now (and maybe more than your petty boss :-) and enjoy your work more.
I've been following the accountability thread, and it occurs to me that the
one thing we desperately lack is the ability to deliver good practices that
people can follow and be held accountable for following. In a Perfect
World it would be a piece of paper that Scott could take to his boss's boss
and say "I insisted we follow this, as is my responsibility, and Rung Lemur
here is all pissy about it."
o I know good classes are being taught, but obviously it isn't enough
and/or we have other issues (and Quantity < Need, certainly).
- The scale thing is certainly a big part of the problem, even most CTOs
are working with a barbaric understanding of security.
- the sheer newness of all this IP stuff (and buried in that is their
first confrontation with Security) creates a dynamic load of issues for any
CTO doing their job, so even the very few who have had a first-hand
conversation with a well-spoken Clue Club Member most likely never hear the
wisdom again and the message is plowed under.
- I'd like to find some one-liner to address the problem, but it looks
like just lots more work developing and delivering education (pick a
medium) and allowing the passage of time to inculcate the masses with some
experience.
- One metric that gives me hope on the Edumacation front is my endless
Brownian Public Survey, and I see the savvy-factor in the average Joe going
up consistently. I poll people ceaselessly about (well, everything, but
among that:) their interaction with information technology. I still can't
have an in-depth useful conversation about security with the least capable
of computer clickers, but today those folks are now the very last of the
living-in-the-woods (literally) people who said they would "never own a
confuser". Mom still has a hard time following the thread if I get too
enthusiastic about details, but she gets all the basics and can apply them
to her own experiences using 'puters and the net. The average
plane-seat-neighbor can usually play a good foil for thinking out loud
about an issue - but it's always the first time they've considered it that
closely, even if they are IT folks.
o Product classes and categories have shifted around enough that even we
have to pay attention, everyone else is like the cancer patient listening
to two doctors disagree on his treatment.
o There obviously isn't a given Best Practices Precedent out there, or
lawyers would have found it and sued the crap out of people by
now. Without such precedent, it's impossible to hold management types
accountable for following it, and it's impossible to nail mismanagement
mid-weasels like Scott's boss for gross incompetence. We could use a good
sue-able precedent...
o Auditing tools need to get better. If it could be clearly shown that a
commonly accepted practice was not followed, leading to losses to the
organization involved, then the accountability chain can be established and
Paul's lawyerfests can be directed at creating Darwinistic impulses among
CTOs, and thereby creating same in high-expectation-having,
upward-managing lickspittles like Scott's Uberviser. Fixing auditing is
not my problem anymore at the moment, but Marcus and tbird and Partha and
the rest need to keep plugging until the next Scott can have a leg to stand
on against his Hindmost.
Scott's boss still needs a swift kick. I'm leaving for Disney tomorrow,
can I stop by and rough him up for you... :-)
-grrrrr
-chris
PS - somebody get Scott a better job!
Chris Blask
chris@blask.org
http://blaskworks.blogspot.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards