Re: I have been asked to leave the company for having spotted serious security breaches
From: Curious George (curious_at_spampoop.com)
Date: 02/03/05
- In reply to:(deleted message) Leythos: "Re: I have been asked to leave the company for having spotted serious security breaches"
Date: Wed, 2 Feb 2005 21:36:36 -0500
> Good, I was hoping you were not a troll, this happened in a group once
> before.
No Troll here sir. . . nope, I wish.
> So, have you put together a plan on correcting the problem? Instead of
> just alerting them to the situation and making it seem like it's been
> blown out the window, if you were to present a sound plan to secure the
> network with time-line estimates and resources they might accept it and
> turn around their issue with you.
Actually, with the bitter taste I have in my mouth at this point, and were I
asked, I think that my answer would be something like "I think we should
bring in a firm that specializes in that sort of thing". If I were to
suggest it, then I would still have to deal with one person who "always"
knows more than me and things would get buggered up. . . It's so alien to
have to actually argue such an obvious point and if I were to suggest
something like separating things with VLANs (with the equipment we already
have). . . well, I would find myself having to argue these things in a very
uphill manner. The fact is that I know that there is a certain amount of
argument that goes with asking for any new improvement and I could see
having to explain things, but when it comes to something so rudimentary,
plus being second-guessed by people who know so, so much less than I do
(which is fine, so long as they admit it and trust in what I have to say)
. . . well, maybe it's time to just move on.
> We did a job for a state's department of health, when I was asked about
> Web security and portals I mentioned that they had public IPs on their
> internal network and that I could access any machine with a public IP from
> anywhere in the country... As it turned out they didn't understand the
> firewall and had done an ANY rule inbound to the entire developers
> segment of the network... They figured that since they ran Windows with
> Novell as the network that there were no problems :)
>
> I asked the department's supervisor if I could present a plan for securing
> the network while still permitting developers to work without problem and
> also a solution for remote access where needed. It took about 3 days to
> document everything, but they bought the solution from us. It was
> interesting to see the look of shock from the various department heads on
> how open their network was and how easy it was to gain access to personal
> information.
>
> The funny part was that after it was secured another company came in and
> sold them on the idea that if they had been using a PIX that it would
> never have been a problem, and they bought it without asking about the
> proposal from that company - spending all that money to replace something
> they didn't understand with something they still didn't understand and was
> harder to maintain :)
Oh I can relate to that, except that with me the uphill battle is so much
steeper and, well, even when somebody comes in who agrees with what I have
said, they still find ways to bury their heads in the sand - as if the
problem were going to go away by itself. I think that management, in
general, needs to start realizing that if they don't know something, they
have to realize that perhaps simply saying that they don't understand it and
then trusting the people they have is a good idea - then again, when it hits
the fan, they are very, very good at finding flowery excuses.
> You should still present them with a plan on resolving the issue, it may
> come back as a good reference and also could get you promoted if your plan
> actually fixes the problems - sometimes people react from fear/shock, but
> when you put the facts and solution on paper they get a little time to
> settle down and realize the implications.
Been there, done that. The silence is deafening. Promotions are not an
option here, and the only promotion I am likely to see is the one that I
give myself by leaving the organization because, God knows, when it hits the
fan because of something, they are going to try and point the fingers of
blame at anybody they can find and never accept the responsibility for their
failures. In the meantime, I have documented my findings rather splendidly
and this may have them scared.
>
> You do understand that your password length means nothing if anyone else
> has admin rights?
Yeah, and a good password cracker took about fifteen seconds to crack 75% of
their passwords, but if you mention this to people, the first thing out of
their mouth is that you are trying to "hack" into their system - now this
would seem rather retarded to anybody else, because you have domain admin
rights, but to them. . . whatever.
> Never pissed me off, I just wasn't sure if you were real or not.
Sadly, this is real.
CC
>
> --
> spam999free@rrohio.com
> remove 999 in order to email me
>