I have been asked to leave the company for having spotted serious security breaches

Discussion in 'Computer Security' started by Curious George, Feb 1, 2005.

  1. Dear Colleagues:

    At the tail end of this post is my original post with regards to this
    matter. Basically, I went and told my superiors that our network was
    seriously exposed.

    Today I had a meeting and, guess what, it was suggested that I find another
    job. This is great, essentially having the dipshits at work side with a
    completely ignorant person who knows nothing about security.

    Guess what industry I work in? Education!

    That's right, folks, education. Maybe the people who are in education need a
    bit of it themselves.

    And we wonder why our system is so screwed up!

    Curious George



    Dear Colleagues:

    For the life of me I don't know why I have to ask this question since the
    answer is so obvious, however, I need to have others tell me that I am not
    completely insane.

    I work at a place where we have a myriad of wireless access points and NO, I
    am not writing from there at present.

    NONE of the wireless access points has any form of security on them
    whatsoever. No WEP, no CHAP. . . no nothing. Everything is open so you
    could walk into our joint, grab an IP address and surf the web to your
    heart's content.

    Here is the problem. My boss insists that it's "no big deal" and that since
    the servers are on the inside and protected, we really don't have a thing to
    worry about. Furthermore, my boss is under the impression that since we are
    situated in a wide area, that nobody would be able to get into our network
    because of this distance. Needless to say, my boss does not consider
    somebody sneaking into a parking lot with a laptop, a good network card and
    a directional bazooka antenna a possibility.

    So here is what I have to explain to my boss' boss and, perhaps, the board
    of directors. . . and here is where I can't help but laugh. I hope that I
    will be able to keep a straight face come Monday when I have to explain
    myself to people why it's important.

    Okay, so I know the analogies. For example, I understand that not having a
    secure wireless network with many WAPs and high gain transmission antennas
    is the same as putting cables out to anybody within 'x' amount of yards with
    a sign that says "free internet access", but since I am going to be asked
    these obvious questions, just what type of damage could somebody do?

    Yeah, I know about denial of service attacks, yeah I also know about
    enumeration and password guessing, but considering that we have an SQL
    server on the inside of our network (no, the sa account password is not
    null) what are we talking about.

    I can envision so many things. Like somebody just sitting there capturing
    packets to get things like usernames, passwords and the like, but come on...
    what else could they do.

    I have read my boss the riot act many times, but this is now going to go in
    front of somebody over my boss' head, so, aside from giving them worst case
    scenarios, end of the world analogies, etc., how else could people break in.

    Creative responses are appreciated and will be rewarded with much praise.

    I can't believe that I have to actually explain this to people, and this
    entire thing would last about two seconds when it comes to talking with a
    computer professional, but you see, my boss is under the impression that
    they are a computer professional because they received a Master's degree in
    Comp Sci back in the 80's. I know that this line of thinking is dangerous,
    but I really want some creative answers to put my point across strongly, and
    yet professionally.

    Although I realize that this post will likely be the butt of many jokes
    (which I will appreciate immensely) I nevertheless would appreciate a bit
    of useful information in your responses.

    I am going to have a serious drink now, and then bang my head against the
    wall.

    Thanks in advance,

    CC
    Curious George, Feb 1, 2005
    #1

  2. Curious George

    Rodney Kelp Guest

    Rule number 1... Don't mess with the boss.
    Make your findings known at the staff meeting. It is his decision. You
    sound like you were hounding him.
    Rule number 2...You are not the boss.

    "Curious George" <> wrote in message
    news:5HCLd.2344$...
    > Dear Colleagues:
    >
    > At the tail end of this post is my original post with regards to this
    > matter. Basically, I went and told my superiors that our network was
    > seriously exposed.
    >
    > Today I had a meeting and, guess what, it was suggested that I find
    > another job. This is great, essentially having the dipshits at work side
    > with a completely ignorant person who knows nothing about security.
    >
    > Guess what industry I work in? Education!
    >
    > That's right, folks, education. Maybe the people who are in education need
    > a bit of it themselves.
    >
    > And we wonder why our system is so screwed up!
    >
    > Curious George
    >
    >
    >
    > Dear Colleagues:
    >
    > For the life of me I don't know why I have to ask this question since the
    > answer is so obvious, however, I need to have others tell me that I am not
    > completely insane.
    >
    > I work at a place where we have a myriad of wireless access points and NO,
    > I am not writing from there at present.
    >
    > NONE of the wireless access points has any form of security on them
    > whatsoever. No WEP, no CHAP. . . no nothing. Everything is open so you
    > could walk into our joint, grab an IP address and surf the web to your
    > heart's content.
    >
    > Here is the problem. My boss insists that it's "no big deal" and that
    > since the servers are on the inside and protected, we really don't have a
    > thing to worry about. Furthermore, my boss is under the impression that
    > since we are situated in a wide area, that nobody would be able to get
    > into our network because of this distance. Needless to say, my boss does
    > not consider somebody sneaking into a parking lot with a laptop, a good
    > network card and a directional bazooka antenna a possibility.
    >
    > So here is what I have to explain to my boss' boss and, perhaps, the board
    > of directors. . . and here is where I can't help but laugh. I hope that I
    > will be able to keep a straight face come Monday when I have to explain
    > myself to people why it's important.
    >
    > Okay, so I know the analogies. For example, I understand that not having
    > a secure wireless network with many WAPs and high gain transmission
    > antennas is the same as putting cables out to anybody within 'x' amount
    > of yards with a sign that says "free internet access", but since I am
    > going to be asked these obvious questions, just what type of damage could
    > somebody do?
    >
    > Yeah, I know about denial of service attacks, yeah I also know about
    > enumeration and password guessing, but considering that we have an SQL
    > server on the inside of our network (no, the sa account password is not
    > null) what are we talking about.
    >
    > I can envision so many things. Like somebody just sitting there capturing
    > packets to get things like usernames, passwords and the like, but come
    > on... what else could they do.
    >
    > I have read my boss the riot act many times, but this is now going to go
    > in front of somebody over my boss' head, so, aside from giving them worst
    > case scenarios, end of the world analogies, etc., how else could people
    > break in.
    >
    > Creative responses are appreciated and will be rewarded with much praise.
    >
    > I can't believe that I have to actually explain this to people, and this
    > entire thing would last about two seconds when it comes to talking with a
    > computer professional, but you see, my boss is under the impression that
    > they are a computer professional because they received a Master's degree
    > in Comp Sci back in the 80's. I know that this line of thinking is
    > dangerous, but I really want some creative answers to put my point across
    > strongly, and yet professionally.
    >
    > Although I realize that this post will likely be the butt of many jokes
    > (which I will appreciate immensely) I nevertheless would appreciate a
    > bit of useful information in your responses.
    >
    > I am going to have a serious drink now, and then bang my head against the
    > wall.
    >
    > Thanks in advance,
    >
    > CC
    >
    Rodney Kelp, Feb 1, 2005
    #2

  3. Curious George

    Bill Unruh Guest

    To some extent your boss is right. Having an open wireless is like having
    an open plug in port in a public place. That is not necessarily very very
    bad. E.g., if you firewall off the wireless network, they have no less
    difficulty getting into the corporate lan than they would have getting in
    from Rimingi on the net. Of course often the company does not properly
    firewall the wireless network, allowing potential attackers behind any
    firewall. Also once they are on the net, if the company does not use
    point-to-point encryption, the attacker can read off all of the traffic on
    the net, opening company secrets.

    However there is another issue. An attacker could use your network to
    attack others, and the courts could well find your company partially
    culpable for having an "attractive nuisance" without having erected the
    requisite fences. (Like with swimming pools and kids drowning in them).
    Of course the current legal situation is very murky, but I doubt that they
    want to be the first to test it.


    >"Curious George" <> wrote in message
    >news:5HCLd.2344$...
    >> Dear Colleagues:
    >>
    >> At the tail end of this post is my original post with regards to this
    >> matter. Basically, I went and told my superiors that our network was
    >> seriously exposed.
    >>
    >> Today I had a meeting and, guess what, it was suggested that I find
    >> another job. This is great, essentially having the dipshits at work side
    >> with a completely ignorant person who knows nothing about security.
    >>
    >> Guess what industry I work in? Education!
    >>
    >> That's right, folks, education. Maybe the people who are in education need
    >> a bit of it themselves.
    >>
    >> And we wonder why our system is so screwed up!
    >>
    >> Curious George
    >>
    >>
    >>
    >> Dear Colleagues:
    >>
    >> For the life of me I don't know why I have to ask this question since the
    >> answer is so obvious, however, I need to have others tell me that I am not
    >> completely insane.
    >>
    >> I work at a place where we have a myriad of wireless access points and NO,
    >> I am not writing from there at present.
    >>
    >> NONE of the wireless access points has any form of security on them
    >> whatsoever. No WEP, no CHAP. . . no nothing. Everything is open so you
    >> could walk into our joint, grab an IP address and surf the web to your
    >> heart's content.
    >>
    >> Here is the problem. My boss insists that it's "no big deal" and that
    >> since the servers are on the inside and protected, we really don't have a
    >> thing to worry about. Furthermore, my boss is under the impression that
    >> since we are situated in a wide area, that nobody would be able to get
    >> into our network because of this distance. Needless to say, my boss does
    >> not consider somebody sneaking into a parking lot with a laptop, a good
    >> network card and a directional bazooka antenna a possibility.
    >>
    >> So here is what I have to explain to my boss' boss and, perhaps, the board
    >> of directors. . . and here is where I can't help but laugh. I hope that I
    >> will be able to keep a straight face come Monday when I have to explain
    >> myself to people why it's important.
    >>
    >> Okay, so I know the analogies. For example, I understand that not having
    >> a secure wireless network with many WAPs and high gain transmission
    >> antennas is the same as putting cables out to anybody within 'x' amount
    >> of yards with a sign that says "free internet access", but since I am
    >> going to be asked these obvious questions, just what type of damage could
    >> somebody do?
    >>
    >> Yeah, I know about denial of service attacks, yeah I also know about
    >> enumeration and password guessing, but considering that we have an SQL
    >> server on the inside of our network (no, the sa account password is not
    >> null) what are we talking about.
    >>
    >> I can envision so many things. Like somebody just sitting there capturing
    >> packets to get things like usernames, passwords and the like, but come
    >> on... what else could they do.
    >>
    >> I have read my boss the riot act many times, but this is now going to go
    >> in front of somebody over my boss' head, so, aside from giving them worst
    >> case scenarios, end of the world analogies, etc., how else could people
    >> break in.
    >>
    >> Creative responses are appreciated and will be rewarded with much praise.
    >>
    >> I can't believe that I have to actually explain this to people, and this
    >> entire thing would last about two seconds when it comes to talking with a
    >> computer professional, but you see, my boss is under the impression that
    >> they are a computer professional because they received a Master's degree
    >> in Comp Sci back in the 80's. I know that this line of thinking is
    >> dangerous, but I really want some creative answers to put my point across
    >> strongly, and yet professionally.
    >>
    >> Although I realize that this post will likely be the butt of many jokes
    >> (which I will appreciate immensely) I nevertheless would appreciate a
    >> bit of useful information in your responses.
    >>
    >> I am going to have a serious drink now, and then bang my head against the
    >> wall.
    >>
    >> Thanks in advance,
    >>
    >> CC
    >>
    Bill Unruh, Feb 1, 2005
    #3
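    Bill Unruh's point above, that an open wireless segment is only as harmless as the firewall standing between it and the internal LAN, is something a defender can check mechanically rather than argue about. What follows is an added example written for this thread, not code from any poster, vendor or product: a small Python policy auditor over a constructed, segment-level rule set (the segment names, address ranges, rule format and both rule sets are made up here). It flags a wireless segment that can reach the staff LAN or the server segment, a blanket "ANY" inbound rule into a protected segment (the kind of rule a later reply in the thread describes finding at a health department), and a default-permit policy. First-match evaluation and the probed ports (1433 for the SQL Server the original poster mentions) are assumptions of the example.

```python
"""Audit a segment-level firewall policy for the misconfigurations discussed
in this thread: an open wireless segment that is not walled off from the
internal LAN, and a blanket "ANY" inbound rule into a protected segment.

Everything here is constructed for the example: the segment names, address
ranges, rule format and both rule sets. It is not a vendor syntax and not
the poster's network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed segments; "internet" is the catch-all 0.0.0.0/0.
SEGMENTS = {
    "open_wifi": ip_network("10.50.0.0/16"),
    "staff_lan": ip_network("10.10.0.0/16"),
    "servers": ip_network("10.1.0.0/24"),
    "internet": ip_network("0.0.0.0/0"),
}

PROTECTED = ("staff_lan", "servers")
# Ports probed for wireless reachability; 1433 is SQL Server, which the
# original poster says sits inside the network. None means "any port".
PROBE_PORTS = (None, 80, 445, 1433)


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # segment name or "any"
    dst: str               # segment name or "any"
    dport: Optional[int]   # None matches every destination port


def segment_of(ip: str) -> str:
    """Longest-prefix match of an address to a segment name."""
    addr = ip_address(ip)
    hits = [(net.prefixlen, name) for name, net in SEGMENTS.items() if addr in net]
    return max(hits)[1]


def decide(rules: List[Rule], src: str, dst: str, dport: Optional[int] = None,
           default: str = "deny") -> str:
    """First-match evaluation: the first rule whose src, dst and port apply wins."""
    for r in rules:
        if (r.src in ("any", src) and r.dst in ("any", dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return default


def audit(rules: List[Rule], wireless: str = "open_wifi",
          default: str = "deny") -> List[str]:
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    # 1. A blanket allow from anywhere, on any port, into a protected segment.
    for i, r in enumerate(rules):
        if r.action == "allow" and r.src == "any" and r.dport is None and r.dst in PROTECTED:
            findings.append(f"rule {i}: ANY inbound allowed into {r.dst}")
    # 2. The open wireless segment reaching a protected segment on any probed port.
    for dst in PROTECTED:
        for port in PROBE_PORTS:
            if decide(rules, wireless, dst, port, default) == "allow":
                label = "any port" if port is None else f"port {port}"
                findings.append(f"{wireless} can reach {dst} on {label}")
                break
    # 3. A default-permit policy lets anything not explicitly denied through.
    if default != "deny":
        findings.append("default action is not deny")
    return findings


# Constructed "before": an ANY rule into the server segment; wireless never mentioned.
WEAK_RULES = [
    Rule("allow", "any", "servers", None),
    Rule("allow", "open_wifi", "internet", 80),
    Rule("allow", "staff_lan", "servers", None),
]

# Constructed "after": wireless explicitly walled off, then allowed out to the web only.
HARDENED_RULES = [
    Rule("deny", "open_wifi", "staff_lan", None),
    Rule("deny", "open_wifi", "servers", None),
    Rule("allow", "open_wifi", "internet", 80),
    Rule("allow", "open_wifi", "internet", 443),
    Rule("allow", "staff_lan", "servers", 1433),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(rules) or ["no findings"])
    # A flow from a constructed wireless client to the SQL port, under each policy.
    src, dst = segment_of("10.50.3.7"), segment_of("10.1.0.10")
    print("weak:", decide(WEAK_RULES, src, dst, 1433),
          "hardened:", decide(HARDENED_RULES, src, dst, 1433))
```

    The hardened set puts the explicit denies from the wireless segment first, so a later, broader allow cannot accidentally override them under first-match semantics; that ordering, plus a default deny, is what turns "open wireless" into the "open plug in a public place" that Bill describes rather than a door into the LAN. Running the auditor against a real policy would require translating the vendor's rule syntax into the `Rule` form, which this example does not attempt.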
  4. Curious George

    Celtic Leroy Guest

    "Curious George" <> wrote:

    >Dear Colleagues:
    >
    >At the tail end of this post is my original post with regards to this
    >matter. Basically, I went and told my superiors that our network was
    >seriously exposed.
    >
    >Today I had a meeting and, guess what, it was suggested that I find another
    >job. This is great, essentially having the dipshits at work side with a
    >completely ignorant person who knows nothing about security.
    >
    >Guess what industry I work in? Education!
    >
    >That's right, folks, education. Maybe the people who are in education need a
    >bit of it themselves.
    >
    >And we wonder why our system is so screwed up!
    >
    >Curious George


    Whoa!!! Wait just a minute!

    Did you quit, or get fired? DO NOT QUIT! Make them fire you. I
    would also suggest you actively search for other employment now. It
    will take some time to get in the door of another job, but start now.
    The main point is that you do not leave your current job...if they
    want to fire you before you find a new job, that's their option. But,
    it will leave you with the ability to receive unemployment
    compensation while you're looking.

    Good luck,
    Celtic Leroy, Feb 1, 2005
    #4
  5. Celtic Leroy wrote:

    > "Curious George" <> wrote:
    >
    >>Dear Colleagues:
    >>
    >>At the tail end of this post is my original post with regards to this
    >>matter. Basically, I went and told my superiors that our network was
    >>seriously exposed.
    >>
    >>Today I had a meeting and, guess what, it was suggested that I find
    >>another job. This is great, essentially having the dipshits at work side
    >>with a completely ignorant person who knows nothing about security.
    >>completely ignorant person who knows nothing about security.
    >>
    >>Guess what industry I work in? Education!
    >>
    >>That's right, folks, education. Maybe the people who are in education need
    >>a bit of it themselves.
    >>
    >>And we wonder why our system is so screwed up!
    >>
    >>Curious George

    >
    > Whoa!!! Wait just a minute!
    >
    > Did you quit, or get fired? DO NOT QUIT! Make them fire you. I
    > would also suggest you actively search for other employment now. It
    > will take some time to get in the door of another job, but start now.
    > The main point is that you do not leave your current job...if they
    > want to fire you before you find a new job, that's their option. But,
    > it will leave you with the ability to receive unemployment
    > compensation while you're looking.
    >
    > Good luck,



    Also, document everything and send the information to the board of
    directors. Unfortunately some companies/Institutions are more concerned
    about covering up stuff than fixing it. Send the info out.

    Michael
    Michael J. Pelletier, Feb 2, 2005
    #5
  6. Re: I have been asked to leave the company for having spotted serious security breaches

    Celtic Leroy wrote:

    >
    > Did you quit, or get fired? DO NOT QUIT! Make them fire you. I
    > would also suggest you actively search for other employment now. It
    > will take some time to get in the door of another job, but start now.
    > The main point is that you do not leave your current job...if they
    > want to fire you before you find a new job, that's their option. But,
    > it will leave you with the ability to receive unemployment
    > compensation while you're looking.


    Actually, in Washington State, unemployment insurance benefits are not
    available to anyone who was "fired for cause".
    Gualtier Malde (Chuck), Feb 2, 2005
    #6
  7. Curious George

    Bill Unruh Guest

    "Gualtier Malde (Chuck)" <> writes:

    >Celtic Leroy wrote:


    >>
    >> Did you quit, or get fired? DO NOT QUIT! Make them fire you. I
    >> would also suggest you actively search for other employment now. It
    >> will take some time to get in the door of another job, but start now.
    >> The main point is that you do not leave your current job...if they
    >> want to fire you before you find a new job, that's their option. But,
    >> it will leave you with the ability to receive unemployment
    >> compensation while you're looking.


    >Actually, in Washington State, unemployment insurance benefits are not
    >available to anyone who was "fired for cause".


    On the other hand, "for cause" requires a degree of proof. You cannot
    simply claim that the firing was for cause, since then all firings would be
    for cause.
    Bill Unruh, Feb 2, 2005
    #7
  8. Curious George

    Beachcomber Guest


    >On the other hand, "for cause" requires a degree of proof. you cannot
    >simply claim that the firing was for cause, since then all firings would be
    >for cause.
    >

    It sounds like you made somebody above you look bad and they want to
    get rid of you.

    Most companies want the easy way out. They will suggest that you
    resign and they want you to resign because, indeed they do not have to
    pay unemployment benefits, your severance pay, etc.

    It is harder for them to fire you. They might want to avoid any
    possibility of a lawsuit for "unjust termination". Even if you did
    something seriously wrong, a lawsuit is embarrassing for a company.
    They don't want to stir up other employees and they will have to come
    up with proof either you were laid off for economic reasons or you
    violated some rule or discriminated or harassed a fellow employee,
    etc. Plus, there are legal expenses on both sides if you sue and it
    goes to trial (which in most of these cases, it almost never does).

    Furthermore, if you work for a school district, you may have civil
    service rights that further specify reasons for just and unjust
    termination. No government agency, let alone a school district wants
    to be involved in an expensive lawsuit over terminating an employee.

    Basic advice - Don't leave voluntarily. Don't sign any papers that
    say you did bad things. If the job is that valuable to you, start
    looking for a good employment lawyer.

    Beachcomber
    Beachcomber, Feb 2, 2005
    #8
  9. Curious George

    Jim Watt Guest

    On Wed, 02 Feb 2005 18:40:13 GMT, (Beachcomber)
    wrote:

    >Basic advice - Don't leave voluntarily. Don't sign any papers that
    >say you did bad things. If the job is that valuable to you, start
    >looking for a good employment lawyer.


    OTOH if you know about computer security and you are good at
    what you do, move on to a better paid job where you are appreciated
    and say "**** the bastards". What have you lost? A bad job.

    Move out and move on.
    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Feb 2, 2005
    #9
  10. Curious George

    Leythos Guest

    On Wed, 02 Feb 2005 22:58:11 +0100, Jim Watt wrote:

    > On Wed, 02 Feb 2005 18:40:13 GMT, (Beachcomber)
    > wrote:
    >
    >>Basic advice - Don't leave voluntarily. Don't sign any papers that
    >>say you did bad things. If the job is that valuable to you, start
    >>looking for a good employment lawyer.

    >
    > OTOH if you know about computer security and you are good at
    > what you do, move on to a better paid job where you are appreciated
    > and say " **** the bastards" what have you lost? a bad job.
    >
    > Move out and move on.


    Wonder why we've not seen a single post by the OP since that one about his
    being removed? Could it have been a trolling?

    --

    remove 999 in order to email me
    Leythos, Feb 2, 2005
    #10
  11. Curious George

    Leythos Guest

    On Wed, 02 Feb 2005 14:39:47 -0800, Michael J. Pelletier wrote:

    > Leythos wrote:
    >
    >> On Wed, 02 Feb 2005 22:58:11 +0100, Jim Watt wrote:
    >>
    >>> On Wed, 02 Feb 2005 18:40:13 GMT, (Beachcomber)
    >>> wrote:
    >>>
    >>>>Basic advice - Don't leave voluntarily. Don't sign any papers that
    >>>>say you did bad things. If the job is that valuable to you, start
    >>>>looking for a good employment lawyer.
    >>>
    >>> OTOH if you know about computer security and you are good at
    >>> what you do, move on to a better paid job where you are appreciated
    >>> and say " **** the bastards" what have you lost? a bad job.
    >>>
    >>> Move out and move on.

    >>
    >> Wonder why we've not seen a single post by the OP since that one about his
    >> being removed? Could it have been a trolling?
    >>

    >
    > Or he has been "escorted" out the door and is busy looking for
    > employment....
    >
    > In either case, I have done a lot of consulting for the past couple of years
    > and I am amazed at how sleazy people can become....


    Yea, I've been doing work all over the country (US) and found many people
    that won't listen when you tell them their network is fully exposed and
    that a few hours with their firewall would fix it without any noticeable
    impact on their business functions...

    --

    remove 999 in order to email me
    Leythos, Feb 2, 2005
    #11
  12. Leythos wrote:

    > On Wed, 02 Feb 2005 22:58:11 +0100, Jim Watt wrote:
    >
    >> On Wed, 02 Feb 2005 18:40:13 GMT, (Beachcomber)
    >> wrote:
    >>
    >>>Basic advice - Don't leave voluntarily. Don't sign any papers that
    >>>say you did bad things. If the job is that valuable to you, start
    >>>looking for a good employment lawyer.

    >>
    >> OTOH if you know about computer security and you are good at
    >> what you do, move on to a better paid job where you are appreciated
    >> and say " **** the bastards" what have you lost? a bad job.
    >>
    >> Move out and move on.

    >
    > Wonder why we've not seen a single post by the OP since that one about his
    > being removed? Could it have been a trolling?
    >


    Or he has been "escorted" out the door and is busy looking for
    employment....

    In either case, I have done a lot of consulting for the past couple of years
    and I am amazed at how sleazy people can become....

    Michael
    Michael J. Pelletier, Feb 2, 2005
    #12
  13. Alright guys. . .

    All of you have made your point. This is the Original Poster and I am not a
    troll unless you catch me on a Friday night after a few drinks.

    The advice given here is solid, good and very much appreciated.

    Actually, I have not been asked to leave. . . it's a subtle hint, but I
    think that's where they are going. After all, it would look really, really
    sleeeazy to the board of directors if their chief IT guy was escorted out or
    asked to leave or something else because he brought up a major, major, major
    security issue which, I must add, they have NOT addressed yet!

    The memos are not flying, indeed, the issue is so silent you could hear a
    mouse fart. I think I have made peace with my boss, rather, tolerating it.
    Nevertheless, considering the nature of the information that is at stake
    (e.g. children's records, to name but a few), I think that I am doing the
    right thing.

    On the other hand, this type of stuff is not something that schools like to
    get out.

    On a brighter note, I posted this and then called a buddy of mine who has
    been in the IT field about as long as I have. A phone call later and I was
    on the horn with a real headhunter - no, not the sleazy employment agency
    troll type, but a bona fide headhunter.

    In any event, I think that what is going to happen is that they are going to
    try to make things work out and then, oh well, then the ball is in my court.

    I think that this underscores that it's time to move on to greener pastures.
    Hey, because of this I have started toying with security utilities I had not
    touched in about two years. Darn, this stuff has gotten really, really
    sophisticated and. . . well, I have become rather paranoid about things. SO
    guess what the first thing I did this AM was??? Yep, my password is now so
    long and has so many characters in it that. . .

    The short of it is that it's really sad that these are the sort of people who
    we entrust to oversee the administration of schools and handle our most
    precious resource, our children. I think it's not so much the teachers,
    although there are plenty of bad ones I assure you, it's the administration
    of these schools that is at issue. The really good teachers, the
    progressive ones who want to really make a difference and truly engage these
    young minds with challenges are being squashed.

    Enough rambles, I am boring the crap out of everyone.

    Thank you so very, very much to all of you for having contributed to this
    thread. My apologies to those of you whom I have pissed off because of my
    excessive cross posting and I hope that if we ever have the opportunity to
    work together I can return the favor.

    Curious George
    "Leythos" <> wrote in message
    news:p...
    > On Wed, 02 Feb 2005 14:39:47 -0800, Michael J. Pelletier wrote:
    >
    >> Leythos wrote:
    >>
    >>> On Wed, 02 Feb 2005 22:58:11 +0100, Jim Watt wrote:
    >>>
    >>>> On Wed, 02 Feb 2005 18:40:13 GMT, (Beachcomber)
    >>>> wrote:
    >>>>
    >>>>>Basic advice - Don't leave voluntarily. Don't sign any papers that
    >>>>>say you did bad things. If the job is that valuable to you, start
    >>>>>looking for a good employment lawyer.
    >>>>
    >>>> OTOH if you know about computer security and you are good at
    >>>> what you do, move on to a better paid job where you are appreciated
    >>>> and say " **** the bastards" what have you lost? a bad job.
    >>>>
    >>>> Move out and move on.
    >>>
    >>> Wonder why we've not seen a single post by the OP since that one about
    >>> his being removed? Could it have been a trolling?
    >>>

    >>
    >> Or he has been "escorted" out the door and is busy looking for
    >> employment....
    >>
    >> In either case, I have done a lot of consulting for the past couple of
    >> years and I am amazed at how sleazy people can become....

    >
    > Yea, I've been doing work all over the country (US) and found many people
    > that won't listen when you tell them their network is fully exposed and
    > that a few hours with their firewall would fix it without any noticeable
    > impact on their business functions...
    >
    > --
    >
    > remove 999 in order to email me
    >
    Curious George, Feb 2, 2005
    #13
  14. Curious George

    Leythos Guest

    On Wed, 02 Feb 2005 18:39:00 -0500, Curious George wrote:

    > Alright guys. . .
    >
    > All of you have made your point. This is the Original Poster and I am not a
    > troll unless you catch me on a Friday night after a few drinks.


    Good, I was hoping you were not a troll, this happened in a group once
    before.

    > The advice given here is solid, good and very much appreciated.
    >
    > Actually, I have not been asked to leave. . . it's a subtle hint, but I
    > think that's where they are going. After all, it would look really, really
    > sleeeazy to the board of directors if their chief IT guy was escorted out or
    > asked to leave or something else because he brought up a major, major, major
    > security issue which, I must add, they have NOT addressed yet!


    So, have you put together a plan on correcting the problem? Instead of
    just alerting them to the situation and making it seem like it's been
    blown out the window, if you were to present a sound plan to secure the
    network with time-line estimates and resources they might accept it and
    turn around their issue with you.

    > The memos are not flying, indeed, the issue is so silent you could hear a
    > mouse fart. I think I have made peace with my boss, rather, tolerating it.
    > Nevertheless, considering the nature of the information that is at stake
    > (e.g. children's records, to name but a few), I think that I am doing the
    > right thing.


    We did a job for a state's department of health, when I was asked about
    Web security and portals I mentioned that they had public IP's on their
    internal network and that I could access any machine with a public IP from
    anywhere in the country... As it turned out they didn't understand the
    firewall and had done an ANY rule inbound to the entire developers
    segment of the network... They figured that since they ran Windows with
    Novell as the network that there were no problems :)

    I asked the department's supervisor if I could present a plan for securing
    the network while still permitting developers to work without problem and
    also a solution for remote access where needed. It took about 3 days to
    document everything, but they bought the solution from us. It was
    interesting to see the look of shock from the various department heads on
    how open their network was and how easy it was to gain access to personal
    information.

    The funny part was that after it was secured another company came in and
    sold them on the idea that if they had been using a PIX that it would
    never have been a problem, and they bought it without asking about the
    proposal from that company - spending all that money to replace something
    they didn't understand with something they still didn't understand and was
    harder to maintain :)

    > On the other hand, this type of stuff is not something that schools like to
    > get out.
    >
    > On a brighter note, I posted this and then called a buddy of mine who has
    > been in the IT field about as long as I have. A phone call later and I was
    > on the horn with a real headhunter - no, not the sleazy employment agency
    > troll type, but a bona fide headhunter.


    You should still present them with a plan on resolving the issue, it may
    come back as a good reference and also could get you promoted if your plan
    actually fixes the problems - sometimes people react from fear/shock, but
    when you put the facts and solution on paper they get a little time to
    settle down and realize the implications.

    > In any event, I think that what is going to happen is that they are going to
    > try to make things work out and then, oh well, then the ball is in my court.
    >
    > I think that this underscores that it's time to move on to greener pastures.
    > Hey, because of this I have started toying with security utilities I had not
    > touched in about two years. Darn, this stuff has gotten really, really
    > sophisticated and. . . well, I have become rather paranoid about things. SO
    > guess what the first thing I did this AM was??? Yep, my password is now so
    > long and has so many characters in it that. . .


    You do understand that your password length means nothing if anyone else
    has admin rights?

    > The short of it is that it's really sad that these are the sort of people who
    > we entrust to oversee the administration of schools and handle our most
    > precious resource, our children. I think it's not so much the teachers,
    > although there are plenty of bad ones I assure you, it's the administration
    > of these schools that is at issue. The really good teachers, the
    > progressive ones who want to really make a difference and truly engage these
    > young minds with challenges are being squashed.
    >
    > Enough rambles, I am boring the crap out of everyone.
    >
    > Thank you so very, very much to all of you for having contributed to this
    > thread. My apologies to those of you whom I have pissed because of my
    > excessive cross posting and I hope that if we ever have the opportunity to
    > work together I can return the favor.


    Never pissed me off, I just wasn't sure if you were real or not.

    --

    remove 999 in order to email me
    Leythos, Feb 3, 2005
    #14
  15. Curious George wrote:

    > Alright guys. . .
    >
    > All of you have made your point. This is the Original Poster and I am not
    > a troll unless you catch me on a Friday night after a few drinks.
    >
    > The advice given here is solid, good and very much appreciated.
    >
    > Actually, I have not been asked to leave. . . it's a subtle hint, but I
    > think that's where they are going. After all, it would look really, really
    > sleeeazy to the board of directors if their chief IT guy was escorted out
    > or asked to leave or something else because he brought up a major, major,
    > major security issue which, I must add, they have NOT addressed yet!
    >
    > The memos are not flying, indeed, the issue is so silent you could hear a
    > mouse fart. I think I have made peace with my boss, rather, tolerating
    > it. Nevertheless, considering the nature of the information that is at
    > stake (e.g. children's record, to name but a few), I think that I am doing
    > the right thing.
    >
    > On the other hand, this type of stuff is not something that schools like
    > to get out.
    >
    > On a brighter note, I posted this and then called a buddy of mine who has
    > been in the IT field about as long as I have. A phone call later and I
    > was on the horn with a real headhunter - no, not the sleazy employment
    > agency troll type, but a bona fide headhunter.
    >
    > In any event, I think that what is going to happen is that they are going
    > to try to make things work out and then, oh well, then the ball is in my
    > court.
    >
    > I think that this underscores that it's time to move on to greener
    > pastures. Hey, because of this I have started toying with security
    > utilities I had not
    > touched in about two years. Darn, this stuff has gotten really, really
    > sophisticated and. . . well, I have become rather paranoid about things.
    > SO guess what the first thing I did this AM was??? Yep, my password is now
    > so long and has so many characters in it that. . .
    >
    > The short of it is that it's really sad that these are the sort of people
    > who we entrust to oversee the administration of schools and handle our
    > most
    > precious resource, our children. I think it's not so much the teachers,
    > although there are plenty of bad ones I assure you, it's the administration
    > of these schools that is at issue. The really good teachers, the
    > progressive ones who want to really make a difference and truly engage
    > these young minds with challenges are being squashed.
    >
    > Enough rambles, I am boring the crap out of everyone.
    >
    > Thank you so very, very much to all of you for having contributed to this
    > thread. My apologies to those of you whom I have pissed because of my
    > excessive cross posting and I hope that if we ever have the opportunity to
    > work together I can return the favor.
    >
    > Curious George
    > "Leythos" <> wrote in message
    > news:p...
    >> On Wed, 02 Feb 2005 14:39:47 -0800, Michael J. Pelletier wrote:
    >>
    >>> Leythos wrote:
    >>>
    >>>> On Wed, 02 Feb 2005 22:58:11 +0100, Jim Watt wrote:
    >>>>
    >>>>> On Wed, 02 Feb 2005 18:40:13 GMT, (Beachcomber)
    >>>>> wrote:
    >>>>>
    >>>>>>Basic advice - Don't leave voluntarily. Don't sign any papers that
    >>>>>>say you did bad things. If the job is that valuable to you, start
    >>>>>>looking for a good employment lawyer.
    >>>>>
    >>>>> OTOH if you know about computer security and you are good at
    >>>>> what you do, move on to a better paid job where you are appreciated
    >>>>> and say " **** the bastards" what have you lost? a bad job.
    >>>>>
    >>>>> Move out and move on.
    >>>>
    >>>> Wonder why we've not seen a single post by the OP since that one about
    >>>> his
    >>>> being removed? Could it have been a trolling?
    >>>>
    >>>
    >>> Or he has been "escorted" out the door and is busy looking for
    >>> employment....
    >>>
    >>> In either case, I have done a lot of consulting for the past couple of
    >>> years
    >>> and I am amazed at how sleazy people can become....

    >>
    >> Yea, I've been doing work all over the country (US) and found many people
    >> that won't listen when you tell them their network is fully exposed and
    >> that a few hours with their firewall would fix it without any noticeable
    >> impact on their business functions...
    >>
    >> --
    >>
    >> remove 999 in order to email me
    >>


    Unfortunately, George, the people that rise to the top of an organization
    are more times than not sellouts: those people that hide issues instead of
    fixing them. Even worse, they are the type who, when something happens, say
    "Why did you not fix that?" when you have been bringing up the issue for months!
    Corporations have gotten really bad...well, I guess I am ranting and raving
    too much....

    Like I have said many times "Those that rise to the top of an organization
    rise because they float. Remember shit floats!"

    Take care, the IT biz in the US is really starting to pick up. You are in NY
    right? I have some good contacts, in the NY area, if you are interested.
    Email me if you are.

    Michael
    Michael J. Pelletier, Feb 3, 2005
    #15
  16. Curious George

    Bill Unruh Guest

    "Curious George" <> writes:

    >Alright guys. . .


    >All of you have made your point. This is the Original Poster and I am not a
    >troll unless you catch me on a Friday night after a few drinks.


    .....

    >The short of it is that it's really sad that these are the sort of people who
    >we entrust to oversee the administration of schools and handle our most
    >precious resource, our children. I think it's not so much the teachers,
    >although there are plenty of bad ones I assure you, it's the administration
    >of these schools that is at issue. The really good teachers, the
    >progressive ones who want to really make a difference and truly engage these
    >young minds with challenges are being squashed.


    It has never been clear what the topology of your situation was.

    Having this in the schools is in some ways more dangerous, since the
    kids are going to try things out, and in fact you want them to try things
    out-- that is how they learn. However it means that they may well
    "innocently" do damage. (innocent in that they do not really know what the
    consequences of their actions are.) Thus you really do want them in a
    sandbox.
    The problem is that in such a situation often the admin network stuff
    (teacher's reports, children's files, etc) are not well protected from the
    rest of the stuff the kids are supposed to be able to use. The teachers
    want to be able to use the wireless to enter their grades, etc. and also
    have the kids use it to connect and surf the net.

    Do they really want the kids to be able to pull up their own or other kids'
    files and read them, or even alter them? I.e., you need a really strong
    firewall between the admin stuff and the "play" stuff. And you want any
    access of the admin stuff from the play or from outside to be encrypted.
    Bill Unruh, Feb 3, 2005
    #16
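Leythos's "ANY rule inbound" story earlier in the thread and Bill Unruh's point about a strong firewall between the admin segment and the "play" segment come down to the same two things: first-match rule ordering and a default of deny. The following Python rule simulator is an added example, not code from anyone in the thread; the subnets, rule names and probe ports are constructed for illustration. It evaluates flows against an ordered ruleset, reports student-to-admin flows that a ruleset lets through unencrypted, and flags deny rules that an earlier broad allow has made unreachable.

```python
"""First-match firewall rule simulator for checking segmentation policy
between an admin segment and a student/guest wireless segment.
Added example; all addresses, rule names and ports are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int]  # None matches any destination port
    action: str          # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


ADMIN_NET = ip_network("10.10.0.0/24")    # constructed: grades, student records
STUDENT_NET = ip_network("10.20.0.0/24")  # constructed: wireless / lab segment
ANY = ip_network("0.0.0.0/0")
ENCRYPTED_PORTS = {22, 443}               # services acceptable across the boundary


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """Return the action of the first rule matching the flow; default deny."""
    s, d = ip_address(flow.src), ip_address(flow.dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.port is None or r.port == flow.port):
            return r.action
    return "deny"


def segmentation_violations(rules: List[Rule]) -> List[Flow]:
    """Probe representative flows from the student segment into the admin
    segment and return those the ruleset permits on an unencrypted port."""
    probes = [Flow("10.20.0.50", "10.10.0.10", p) for p in (22, 80, 139, 443, 445, 3389)]
    return [f for f in probes
            if evaluate(rules, f) == "allow" and f.port not in ENCRYPTED_PORTS]


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Return names of rules that can never match because an earlier rule
    with the opposite action already covers every flow they describe."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.action != later.action
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and (earlier.port is None or earlier.port == later.port)):
                out.append(later.name)
                break
    return out


# The mistake from the thread: one permissive rule in front of everything.
OPEN_RULES = [
    Rule("any-inbound", ANY, ADMIN_NET, None, "allow"),
]

# Segmented ruleset: only encrypted services cross into admin, then an explicit
# deny, and only after that the broad "surf the net" allow for students.
SEGMENTED_RULES = [
    Rule("student-to-admin-https", STUDENT_NET, ADMIN_NET, 443, "allow"),
    Rule("student-to-admin-ssh", STUDENT_NET, ADMIN_NET, 22, "allow"),
    Rule("student-to-admin-deny", STUDENT_NET, ADMIN_NET, None, "deny"),
    Rule("student-to-internet", STUDENT_NET, ANY, None, "allow"),
]


if __name__ == "__main__":
    for label, rules in (("open", OPEN_RULES), ("segmented", SEGMENTED_RULES)):
        bad = [f.port for f in segmentation_violations(rules)]
        print(f"{label}: unencrypted student->admin ports allowed: {bad}")
    # Prepending the broad allow to the segmented set shadows the deny rule.
    print("shadowed:", shadowed_rules(OPEN_RULES + SEGMENTED_RULES))
```

The ordering of `SEGMENTED_RULES` is the point: the broad student-to-internet allow still covers the admin subnet, so it is only safe because the explicit deny sits in front of it. `shadowed_rules` catches the opposite mistake, where a deny is written but an earlier catch-all allow means it never fires.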
  17. > Good, I was hoping you were not a troll, this happened in a group once
    > before.


    No Troll here sir. . . nope, I wish.

    > So, have you put together a plan on correcting the problem? Instead of
    > just alerting them to the situation and making it seem like it's been
    > blown out the window, if you were to present a sound plan to secure the
    > network with time-line estimates and resources they might accept it and
    > turn around their issue with you.


    Actually, with the bitter taste I have in my mouth at this point, and were I
    asked, I think that my answer would be something like "I think we should
    bring in a firm that specializes in that sort of thing". If I were to
    suggest it, then I would still have to deal with one person who "always"
    knows more than me and things would get buggered up. . . It's so alien to
    have to actually argue such an obvious point and if I were to suggest
    something like separating things with VLANs (with the equipment we already
    have). . . well, I would find myself having to argue these things in a very
    uphill manner. The fact is that I know that there is a certain amount of
    argument that goes with asking for any new improvement and I could see
    having to explain things, but when it comes to something so rudimentary,
    plus being second-guessed by people who know so, so much less than I do
    (which is fine, so long as they admit it and trust in what I have to say)
    . . . well, maybe it's time to just move on.

    > We did a job for a state's department of health. When I was asked about
    > Web security and portals I mentioned that they had public IPs on their
    > internal network and that I could access any machine with a public IP from
    > anywhere in the country... As it turned out they didn't understand the
    > firewall and had done an ANY rule inbound to the entire developers'
    > segment of the network... They figured that since they ran Windows with
    > Novell as the network that there were no problems :)
    >
    > I asked the department's supervisor if I could present a plan for securing
    > the network while still permitting developers to work without problem and
    > also a solution for remote access where needed. It took about 3 days to
    > document everything, but they bought the solution from us. It was
    > interesting to see the look of shock from the various department heads on
    > how open their network was and how easy it was to gain access to personal
    > information.
    >
    > The funny part was that after it was secured another company came in and
    > sold them on the idea that if they had been using a PIX that it would
    > never have been a problem, and they bought it without asking about the
    > proposal from that company - spending all that money to replace something
    > they didn't understand with something they still didn't understand and was
    > harder to maintain :)


    Oh I can relate to that, except that with me the uphill battle is so much
    steeper and, well, even when somebody comes in who agrees with what I have
    said, they still find ways to bury their heads in the sand - as if the
    problem were going to go away by itself. I think that management, in
    general, needs to start realizing that if they don't know something, they
    have to realize that perhaps simply saying that they don't understand it and
    then trusting the people they have is a good idea - then again, when it hits
    the fan, they are very, very good at finding flowery excuses.

    > You should still present them with a plan on resolving the issue, it may
    > come back as a good reference and also could get you promoted if your plan
    > actually fixes the problems - sometimes people react from fear/shock, but
    > when you put the facts and solution on paper they get a little time to
    > settle down and realize the implications.


    Been there, done that. The silence is deafening. Promotions are not an
    option here, and the only promotion I am likely to see is the one that I
    give myself by leaving the organization because, God knows, when it hits the
    fan because of something, they are going to try and point the fingers of
    blame at anybody they can find and never accept the responsibility for their
    failures. In the meantime, I have documented my findings rather splendidly
    and this may have them scared.
    >
    > You do understand that your password length means nothing if anyone else
    > has admin rights?


    Yeah, and a good password cracker took about fifteen seconds to crack 75% of
    their passwords, but if you mention this to people, the first thing out of
    their mouth is that you are trying to "hack" into their system - now this
    would seem rather retarded to anybody else, because you have domain admin
    rights, but to them. . . whatever.

    > Never pissed me off, I just wasn't sure if you were real or not.


    Sadly, this is real.

    CC

    >
    > --
    >
    > remove 999 in order to email me
    >
    Curious George, Feb 3, 2005
    #17
  18. >
    > Take care, the IT biz in the US is really starting to pick up. You are in
    > NY
    > right? I have some good contacts, in the NY area, if you are interested.
    > Email me if you are.
    >
    > Michael


    Mike,

    Thanks for the impromptu offer. Unfortunately I still have to be under the
    surface for the time being. But don't worry, the resumes are flying, I can
    assure you, and the butt is being covered. . . with a few layers of teflon
    to say the least.

    CC
    Curious George, Feb 3, 2005
    #18
  19. > It has never been clear what the topology of your situation was.

    I cannot even begin to comment on that matter. Essentially, the topology is
    this. . . we have each and every piece of hardware and software in place to
    make our network totally what it should be. It's not a question about having
    to go out and spend a lot of money. . . it's a question of letting the IT
    people do their jobs.

    > Having this in the schools is in some ways more dangerous, since the
    > kids are going to try things out, and in fact you want them to try things
    > out-- that is how they learn. However it means that they may well
    > "innocently" do damage. (innocent in that they do not really know what the
    > consequences of their actions are.) Thus you really do want them in a
    > sandbox.


    It's not the kids. The kids are dead easy to get on board. Indeed, if you
    take a few kids and tell them to help you check out your security, you would
    have to put up gates. But that is not the case in schools - forget about
    the fact that if you take a curious young mind that is having problems with
    something like math and put them to work on complex algos or something of
    the sort. . . doing that is akin to asking them to sell coke and people
    would be fired. Actually, if you pick up a copy of 2600 you will see a
    whole section dedicated to what some kids go through in schools. Hell, if a
    kid found a security hole and it were up to me, I would pin a medal on him
    or her. If it's up to school administration, they would have the kid
    expelled.

    > Do they really want the kids to be able to pull up their own or other kids'
    > files and read them, or even alter them? I.e., you need a really strong
    > firewall between the admin stuff and the "play" stuff. And you want any
    > access of the admin stuff from the play or from outside to be encrypted.


    Pipe dreams are all that is. Schools are full of so many people that want
    to bury their heads in the sand and avoid any problems that they would
    rather have everything exposed. Now they are not going to come out and say
    it, but that's the way it is in schools. Encryption, ha ha ha. . . don't take
    my word for it, get a laptop with a good wireless card and sit outside of a
    school sometime with a few decent utilities. Hell, I once sat outside of my
    kid's school with a laptop for about four hours (the little darling told me
    to pick him up at 230 but "neglected" to tell me he had a game to go to) and
    was able to get so, so, so much information it was not even funny - mind
    you, I had just picked up a few things here and there but with the free web
    access I was getting I got a copy of a nifty utility whose name I don't
    recall. The funny thing was that when I discreetly approached the head of
    the technology department with this, he basically started admonishing me. As
    gently as I could, I told him that he had better secure his network, but I
    stopped just short of calling him an incompetent moron and has-been who
    could not cut it in the real world because I did not want my kid singled
    out. Still, my little darlings and his brethren had a lot of fun with him.
    . . . hell, I heard that a kid almost got expelled because he installed the
    blue screen of death screen saver on a workstation. . . hey, who is the
    moron who sets up an XP Pro box and lets any user have the rights to install
    a program in the first place??? Oh do NOT get me started, that is an entire
    thread in and of itself.

    I think that this problem is just a part of a greater problem, and that is
    that our schools, in terms of technology, really suck. And it's not just
    about the money they have. . . it's about the incompetence that they
    tolerate. Those of you out there who have kids and want a good laugh, go
    visit the school and ask the simplest of questions of some of these so
    called technology teachers. My personal favorite was when I asked somebody
    if they used the NTFS file system or FAT32. . . the guy's answer was that he
    used Netscape. . .

    I have to go now, it's really sad.

    >
    >
    >
    Curious George, Feb 3, 2005
    #19
  20. Curious George

    winged Guest

    Re: I have been asked to leave the company for having spotted serious security breaches

    Bill Unruh wrote:
    > "Curious George" <> writes:
    >
    >
    >>Alright guys. . .

    >
    >
    >>All of you have made your point. This is the Original Poster and I am not a
    >>troll unless you catch me on a Friday night after a few drinks.

    >
    >
    > .....
    >
    >
    >>The short of it is that it's really sad that these are the sort of people who
    >>we entrust to oversee the administration of schools and handle our most
    >>precious resource, our children. I think it's not so much the teachers,
    >>although there are plenty of bad ones I assure you, it's the administration
    >>of these schools that is at issue. The really good teachers, the
    >>progressive ones who want to really make a difference and truly engage these
    >>young minds with challenges are being squashed.

    >
    >
    > It has never been clear what the topology of your situation was.
    >
    > Having this in the schools is in some ways more dangerous, since the
    > kids are going to try things out, and in fact you want them to try things
    > out-- that is how they learn. However it means that they may well
    > "innocently" do damage. (innocent in that they do not really know what the
    > consequences of their actions are.) Thus you really do want them in a
    > sandbox.
    > The problem is that in such a situation often the admin network stuff
    > (teacher's reports, children's files, etc) are not well protected from the
    > rest of the stuff the kids are supposed to be able to use. The teachers
    > want to be able to use the wireless to enter their grades, etc. and also
    > have the kids use it to connect and surf the net.
    >
    > Do they really want the kids to be able to pull up their own or other kids'
    > files and read them, or even alter them? I.e., you need a really strong
    > firewall between the admin stuff and the "play" stuff. And you want any
    > access of the admin stuff from the play or from outside to be encrypted.
    >
    >
    >

    SSSHH I need that A to graduate ;-) Of course the secretary has her
    password written on the pullout of her desk.

    Winged
    winged, Feb 3, 2005
    #20