[rescue] Do you remember when? Security software.....

Michael A. Turner mturner at whro.org
Mon Aug 11 13:00:37 CDT 2003

> > 	So we have no firewall, no dmz, no bastions. All of our servers sit
> > on the internet with routable IP addresses and no one bothers to patch them
> > very often. Our administrator password has not changed in three years. When
> > I at least tried to implement a patching scheme my boss actively stopped me.
> > He has gotten burned by patches in the past, his philosophy is if it ain't
> > broke don't fix it. Our routers are all in the same state.
> Obviously your organization doesn't have investors/shareholders...
> This kind of behavior is never going to be considered anything close to
> "diligence" or "due care".  By not following the analyst's
> recommendations, he is further cementing his own doom.  It would be
> better for him to continue doing nothing and try to coax a non-technical
> jury "or boss" with an "it's all just so complicated" defense.
> -Daniel

	/me looks left and right.
	Here is some more dirt since I am dishing. One of the big things we
do is provide bandwidth to the local school districts. There are 13 major
ones we deal with and a lot of private schools. Part of our mandate and
such. Help them get their E-rate discounts.
	The dirt is that the vast majority of them are operating the same
way. At least most of the private schools are and at least half the public
school districts. We are talking about a DS3 worth of bandwidth split out to
massively under defended machines spread around systems run by admins that
until 5 years ago were the shop teacher, or the teacher who could not teach,
and got drafted into IT because the union would not let them be fired. I
have one guy I deal with on a regular basis that has a certification for
Novell 3. That's it. No other education and experience. Once he started
running Novell 4 and above he contracted that work out. Yet he is the
network/systems admin for a very large private school.
	I know this because I am the one they call when it fails. I have
cleared so many hacked machines that I cannot keep count. I have helped to
find a kiddie pornographer and have him prosecuted. In one school district
there are only three people in IT and one of them is a Mac-only specialist
who occasionally will wander off and swap out a switch or router and then
not configure them. Refuses to touch PCs, which swamps the other tech people
to the point that they cannot do anything else but flounder.
	Sigh, thanks for letting me vent.

Michael A. Turner
Systems Engineer WHRO
michael.turner at whro.org
