Re: Rather funny; looks like page defacement to me

From: Callan K L Tham (miburo_at_singnet.com.sg)
Date: 06/18/03

    To: Paul Schmehl <pauls@utdallas.edu>, broyds@rogers.com
    Date: Wed, 18 Jun 2003 11:56:28 +0800
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Tuesday 17 June 2003 22:54, Paul Schmehl wrote:
    > I'm not picking on you. You just happened to be the one that articulated
    > it, OK?

    No problem. It was written when I had severe caffeine withdrawal, so I
    expected a reply of some sort.

    > I see this attitude a lot, and it troubles me a great deal. I think all
    > too often we "IT people" get isolated from the real world and think that
    > everyone else should be just like us.
    >
    > An admin who doesn't know TCP/IP? There are many. The norm in most small
    > companies is to "promote" the "computer guy" to the IT slot when they can
    > afford one (and often when they can't afford one this person works
    > "part-time" in computers.) Oftentimes this guy (or gal) just knows more
    > about computers than most people in the office, but they're a long way from
    > trained on networking and TCP/IP, security, etc.

    I understand this; which is why I feel compelled to clarify my previous point.

    > Yet they are expected to perform and "get the job done" without any
    > training or preparation. They spend many sleepless nights reading books,
    > trying to learn the myriad of things that they have to know to protect
    > their companies. On top of all that pressure, they have the pressure from
    > their *peers* constantly denigrating them because they don't know enough.

    Ok, so I was a bit caustic on the "incompetent admin" point; and if I hurt any
    feelings, or was too harsh, then I apologize. However, in order to perform
    the job well, even seasoned admins need to constantly spend countless hours
    reading up and learning just in order to keep up. And it just validates my
    point of a company not caring enough about their infrastructure to hire
    someone who can hit the ground running.

    Nobody would hire me (I'm a security engineer) to draw structural diagrams.
    Similarly, companies should not promote their non-tech staff to do IT
    security/admin. It is not fair to the individual involved (extra pressure,
    workload), and their work performance almost invariably suffers. It is also
    unfair to the company, as that individual cannot perform up to their
    expectations. It's a lose-lose situation.

    > When is the last time *you* took time to teach someone who was less
    > knowledgeable than you? When is the last time *you* were responsible for
    > *everything*? Mail, web, DNS, networking, routers, switches, wiring, IDS,
    > firewall, virus protection, OS updates and patches, backups, disaster
    > recovery, printers, faxes, applications, hardware repairs, etc., etc.?
    > Most of these folks are doing *all* of that, *by themselves*, because
    > that's *all* their companies can afford. And they're doing yeoman duty for
    > 2/3rds the pay that the high-paid pros are.

    Actually, my current job is the only one so far where I don't have to handle
    everything, so I know and understand the pressures associated with it.
    However, I cannot say I was in a position where the company cannot afford a
    dedicated IT guy on staff, or at least outsourced the admin to external
    vendors. It is increasingly a must for companies to have at least a vendor to
    call on for help, as the reliance on technology increases.

    This is especially true in Singapore, where I live and work. Most small to
    medium sized enterprises (SMEs) outsource their IT support.

    > I took on the task of trying to help one of these types of people (because
    > he emailed me privately with a question about snort), and I quickly
    > realized what a daunting task it is for him. He had to learn Unix, mysql,
    > snort, apache, sendmail and TCP/IP all at the same time. Yet he tackled it
    > with enthusiasm and he's making great progress.
    >
    > He's the "computer guy" in a small architectural firm, and he got the job
    > because he was constantly helping people in the office who had computer
    > problems. Once they decided they *had* to have an Internet presence, he
    > was tapped for the job.

    As I said, if they _have_ to have an internet presence, the least they could
    do is to get a consultant and help the poor lad out. They wouldn't want to
    lose him to exhaustion, would they?

    > If you want our profession to improve, the onus is on *you* to do something
    > about it. Criticism is easy. Anybody can do that. Teaching others what
    > you know and helping them get up to speed is much more difficult and time
    > consuming. It's also a great deal more fulfilling *and* humbling. There's
    > no better way of realizing the gaps in your own knowledge than trying to
    > teach someone else.
    >
    > Instead of wallowing in your smug self-righteousness, going home after work
    > and complaining about "them", get out there and make a friend. Teach one
    > of those poor "draftees" how to protect their enterprise. (Trust me,
    > they're no threat to you professionally.)

    Ok, that accusation of my "wallowing in smug self-righteousness" was a little
    uncalled for. Believe me when I say I know a lot of these "draftees", friends of
    mine who want to be in the line, and I do my best to help in whatever way I
    can, be it answering their questions, guiding them, asking them to come over
    and try their hand at stuff in my home LAN, lending them books, etc. I
    definitely do not believe imparting knowledge constitutes a threat to me
    professionally. I agree that there's no better way to find out my own
    weaknesses than by teaching others. But they've got to absorb the knowledge
    themselves, and I cannot help much in that.

    It all boils down to the individual. No one can finish learning everything,
    and if they show the effort, they will get better at it. But I believe you
    have seen your fair share of incompetent admins who _believe_ they're
    untouchable; and those are the ones I'm lambasting, along with the companies
    who say "We've got a firewall, so we're safe."

    There, I've thrown another $0.02 SGD into the fray. Hope I've clarified my
    points.

    Callan
    - --
    "I disapprove of what you say, but I will defend
    to the death your right to say it." - Beatrice Hall
    Registered Linux User #311796
    ICQ UIN: 1926211
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)

    iD8DBQE+7+LznyMhcbScbQYRAjVpAJ43+hd8fbjV5vj086WZo0tb5tw8CACdEHQS
    eBp3DDHUr4ffpOvwjtEE3u0=
    =QY0K
    -----END PGP SIGNATURE-----
