YOU are the threat: True confessions of real-life sysadmins

Some sysadmins will go to extremes to secure a network, viewing it (wrongly) as their property. For proof, look no further than Terry Childs, the City of San Francisco sysadmin who lost his job and subsequently refused to give over the system's virtual keys to his superiors in 2008. It took just under a million dollars, …


  1. Michael H.F. Wilkinson Silver badge
    Joke

    Simon will be recharging the cattle-prod

    "Some sysadmins will go to extremes to secure a network, viewing it (wrongly) as their property."

    What do you mean WRONGLY?

    >KZZZEERRT!!!<

  2. Lee D Silver badge

    I've generally found that, given the amount of trust in IT people, they are in the higher tier of people who actually can be trusted with such data and control. I work in schools and, technically, I have more access to more information, with more "potential" for mischief than anyone else - even the head, governors or bursar combined.

    Yet you find that, aside from laziness or incompetence, actual malicious intent is incredibly, extremely rare; almost non-existent.

    That said, in job interviews, I'm often asked in true cliche: What is my biggest weakness?

    My answer is truthful... it is MY network. I might be running it for YOU and your business and your users, but it's MY network. That's a weakness, yes, as I get protective over my network, access to it, and what changes are made with it. But it's also what keeps "OUR" network running and safe.

    If I implement a rule (as I have just done) banning USB sticks, then USB sticks are banned. I don't do such things lightly, or for no reason, or because I like to punish the users. I do it to save the school from legislative issues, or network compromise, or some other requirement that is more important than you needing to put in that £2 USB stick you got from some exhibition to transfer your stuff home because you're too lazy to email or work out how to use Google Drive or similar.

    Your sysadmin is protective of your network. It *is* his baby in his eyes. That's a good thing, and a bad thing at the same time, depending on your sysadmin. But if your sysadmin is any good, then let them do that. Let it be their domain, quite literally. Complain when what your business needs isn't present, by all means, but accept that your quick-fix solution is not necessarily the solution the sysadmin needs you to have.

    It's like leaving your house with a house-sitter and then complaining that they fixed the gutters, cleared the drains, set all the clocks to the right time, etc. Let it be their house for a while (if not in law, then at least in practice) if they are going to look after it more by it being so. The worst thing in the IT world is complacency because they're not allowed to fix things properly, so they lose interest in fixing things at all.

    1. Groaning Ninny

      *MY* network? Not really.

      I hope you continue to work well in your job, and that your honesty doesn't cause you to fail in any future job interviews. I'd certainly mark you down if you gave that sort of answer to me. It may well be *my* network, but I am really just custodian of it for the people who matter. The security changes I'm implementing are done with the consent of my users, after informing/consulting as appropriate. Maybe the difference is that I work with people who are prepared to listen, or maybe it's that they've learned that it's worth listening, and that I'll listen to them.

      If my house sitter decided to change all my bulbs for very low energy (dimmer than I had and still want) then I'd complain. If they changed the locks and security on my door to include procedures that are unacceptable then I'd seek recompense, and never ask them back again.

      1. K

        Re: *MY* network? Not really.

        " I am really just custodian of it for the people who matter. The security changes I'm implementing are done with the consent of my users"

        Give that Ninny a prize!

        You've hit the nail on the head, the key here is custodian, guardian and sentinel..

        The company I work for started off with just 3-4 of us. I was the original back-end developer and systems administrator, so ultimately all infrastructure was my responsibility, including all changes and purchases, and being naive, it was my network.

        But as time has rolled on the company has increased to 120 staff. The infrastructure is still my responsibility, but I "matured" and realised it wasn't mine, I simply had oversight of it. It was even more difficult to relinquish some of that responsibility and trust others with it, but now I have a team of administrators and sharing this responsibility is the best thing I could have done...

      2. Anonymous Coward
        WTF?

        Re: *MY* network? Not really.

        "I hope you continue to work well in your job, and that your honesty doesn't cause you to fail in any future job interviews. I'd certainly mark you down if you gave that sort of answer to me."

        I would never give that kind of answer, but I'm really assured that *every* recommendation I give is written and all the people on the board are aware of it. If they decide they know better how to manage the IT department, in the end I have something to remind them of it and say "Told you so...".

        "It may well be *my* network, but I am really just custodian of it for the people who matter. The security changes I'm implementing are done with the consent of my users, after informing/consulting as appropriate."

        Consent?? You don't deal directly with the beancounters, do you? They are "IT masters!"...

        Informing? Yes, that's correct.

        1. Cynic_999

          Re: *MY* network? Not really.

          "I would never give that kind of answer, but I'm really assured that *every* recommendation I give is written and all the people on the board are aware of it. If they decide they know better how to manage the IT department, in the end I have something to remind them of it and say "Told you so...".

          It's really great when your only consideration is for one aspect of the company. You can then afford to adopt such an "I told you so" approach if everything possible is not done to advantage that single part and something goes wrong as a result. If you are running the entire company however, you would soon realise that many compromises have to be made, and some things have to be run at sub-optimum levels so that other things work better. Crossing the road carries risks, so if your only concern was safety you would prohibit people from ever crossing a road, and if they ignore you and someone gets run over while going to the shop to buy your food, you can sit high on your horse and say, "I told you so ...."

          1. Anonymous Coward

            Re: *MY* network? Not really.

            My recommendations go well over the entire aspects of the business because, well, that's my job. But if I'm asked about the idea of certain people (financial, HR...) becoming local admins on their Windows boxes, for example (just because they need that important software called iTunes to be available), should I simply say yes and accept the "compromise"? I have responsibility for the security and stability of the network and everything related to it. The "everything written" is because boards and bosses love to have a scapegoat whenever one is needed.

    2. DropBear

      It's like leaving your house with a house-sitter and then complaining that they fixed the gutters, cleared the drains, set all the clocks to the right time, etc.

      No, it's like expressing your displeasure about the house-sitter boarding up the main door considering he has no real need to leave and that the small inconvenience of you not being able to get back in is far outweighed by the greatly enhanced protection against a potential zombie apocalypse...

      1. wolfetone Silver badge

        I always see the systems I look after as children, and I'm the legal guardian of them. People entrusted them to me, expecting me to look after them and protect them. Once they outlive their usefulness - get too old (like we all do) they get thrown out and left to fend for themselves.

        So really, if you look after a network or any sort of system, it is YOUR network and you do with it what you see fit. I admired the Childs story back in the day because he did his job properly to a point. I bet you can count on the one hand how many times that network was compromised compared to other networks where configurations and access were much more freely accessible.

        1. JEDIDIAH
          Linux

          Other professionals have to worry about personal liability for their mistakes.

          The problem in San Francisco is that management beyond Childs was incompetent. They should have had an exit strategy for ANY employee and made proactive steps to make sure they would not be in precisely the sort of position they ended up in.

          Other professions have standards and licensing to the point where they will tell upper management to "go pound sand" because they have a license to look after.

      2. Apdsmith

        While I agree with what you're saying, isn't part of being a sysadmin being mindful of the business requirements? Keeping the systems fit for purpose has to include being able to trade, after all.

    3. Anonymous Coward

      Malicious people are out there

      Yet you find that, aside from laziness or incompetence, actual malicious intent is incredibly, extremely rare; almost non-existent.

      Is this your gut feeling, or is it an evidence-based opinion?

      I worked for a company where the CTO decided he was going to snoop in on my telephone calls. He took two private telephone calls I made to my partner at home and shared them amongst his friends. He then proceeded (along with his friends) to blackmail me out of my job and a 5 figure sum of money. When I left I signed an agreement preventing me from disclosing details in public (for reasons I won't go into but are probably obvious).

      To be clear, reasonable personal use of your work phone was permitted within the company.

      This person is now a CTO in a company that provides telecoms services to other businesses. It's clear to me that if he feels he can profit from listening in on others private conversations, he will do so.

      I've also worked at a company where a sys-admin took great delight in walking around the office with a t-shirt that said "I read your email ;-)". I kid you not!

      So please don't tell me this is extremely rare or almost non-existent. I see no reason why a CTO or sysadmin should be considered more trustworthy than any other person - and there's plenty of dishonest people out there.

      1. Anonymous Coward

        Re: Malicious people are out there

        I worked for a company where the CTO decided he was going to snoop in on my telephone calls. ... shared them amongst his friends ... blackmail me out of my job and a 5 figure sum of money ... I signed an agreement preventing me from disclosing details in public.

        This person is now a CTO in a company that provides telecoms services to other businesses. It's clear to me that if he feels he can profit from listening in on others private conversations, he will do so.

        So because you didn't have the balls to stand up to his criminal acts, he is now in a more powerful position, able to perform more such criminal acts, against even more innocent people.

        I hope you're proud of yourself there, champ.

        1. Anonymous Coward

          Re: Malicious people are out there

          So because you didn't have the balls to stand up to his criminal acts, he is now in a more powerful position, able to perform more such criminal acts, against even more innocent people.

          I guess you've never been the victim of blackmail.

          I hope you're proud of yourself there, champ.

          Thanks for condemning me without having the slightest understanding of the situation. You seem to be under the impression that I did nothing about his 'criminal' acts. Maybe you should check what the CPS's conditions are about deciding when they will and won't prosecute someone? Many guilty people are able to avoid justice despite the victims doing all they can to try and seek it.

          1. Anonymous Coward

            Re: Malicious people are out there

            I guess you've never been the victim of blackmail.

            Sounds like you're not the type to employ violence, and the person who did this knew that.

      2. Anonymous Coward

        Re: Malicious people are out there

        took two private telephone calls I made to my partner at home and shared them amongst his friends. He then proceeded (along with his friends) to blackmail me out of my job

        Blackmail is never acceptable, and I sympathise with you that he was able to get some compromising info on you such that you didn't feel you could report him to the police, but you surely bear some responsibility here?

        Even when reasonable personal use of your work phone was permitted it's likely that there is some small print saying that such calls can be recorded or reviewed. I work for a respectable company, and I still wouldn't use company resources for any communications which would reflect badly on me if they were known. It's a company network, I work on the basis that the company has full access, whether or not they openly say so.

      3. amanfromMars 1 Silver badge

        Malicious people are out there but there be no safe secure place in virtual cyberspace to hide*

        When I left I signed an agreement preventing me from disclosing details in public (for reasons I won't go into but are probably obvious). ... AC

        Ye olde thirty pieces of silver doing their right dodgy crooked thing, AC, or was it the clumsy blunt threat of physical violence doing its crazy thing? They be the obviously probable reasons which are oft paraded and offered to buy an unpleasant silent compromise and continuing sub-prime third party privacy for a proprietary protocol breach.

        * And that really fcuks up abused and abusive sysadmin and there aint no easy solution for resolution of their problems ..... which are all most probably revolving around trying to prevent greater intelligence revealing arrogant ignorant actions and wannabe universal emperor plans. Oh dear, what a shame .... not.

        Plonkers are as plonkers do ..... and the future requires not their leads and leaderships.

        1. Anonymous Coward

          Re: Malicious people are out there but there be no safe secure place in virtual cyberspace to hide*

          Ye olde thirty pieces of silver doing their right dodgy crooked thing, AC, or was it the clumsy blunt threat of physical violence doing its crazy thing?

          A threat that they would have me arrested and prosecuted. They showed me the evidence that they had fabricated which would be used for their proof of my wrongdoing. There was never a direct physical threat, but I did believe I was at risk of physical violence. I must be one of a very small number of people in history who has signed a compromise agreement (under duress) that gave me less than I was contractually entitled to.

      4. SoaG

        Re: "I read your email ;-)"

        Did he actually read the email? Or was it a simple and effective way to educate users (at least a little bit) about data security?

    4. Anonymous Coward

      @Lee

      My answer is truthful... it is MY network. I might be running it for YOU and your business and your users, but it's MY network.

      Good luck to you, but I'd be terminating your interview at this point. It's the employer's network, not yours. Not mine.

      I own the car, not the mechanic that does the service, repair, or upgrades.

      (This analogy is intended as a slur against neither mechanics, nor admins, as both require enviable skills and experience to do right)

      If I implement a rule (as I have just done) banning USB sticks, then USB sticks are banned. I don't do such things lightly, or for no reason, or because I like to punish the users.

      Try this where I work and you'd be out the door the same day. Don't misunderstand, USB sticks are already banned, but in large corporates decisions on removing a technology require extensive forward planning and are never cost free - you'd make recommendations, but ultimately even the CTO doesn't make all the decisions - the business has priorities for its budget that may not include additional network security and associated redevelopment costs for processes or systems built within the current specification.

      My BOFH decided he wanted to ban internal FTP. His reasoning is sound in my view, however, he's just about to be overruled on that from further up the pay grades as the cost to the business of using SFTP, SCP, DTU et al is simply higher than the budget allows. His recommendations have been taken on board but it has been decided that his preference will be set aside for the time being.

      I realise I'll get downvoted to hell for this, but what can you do. Network admins don't get to determine the toolset or security policy any more than the doorman downstairs gets to determine the corporate dress code. Staff are staff: they ALL dance to the corporate tune. Anyone wanting to dance to their own beat is free to start their own company and then it really will be their network.

      1. zen1

        @ AC: Re: @Lee

        ..."My BOFH decided he wanted to ban internal FTP...."

        I guess I'm lucky because both Security and myself decide on the policies that will be implemented on our network. As for the "It's my network" argument, I view it as a stewardship. It's ours to care for while we're there, but it never belongs to us. Quite honestly, if it were my network and I had a fraction of their money, I would have purchased the RIGHT equipment the first time, before something blows up and causes a system-wide domino-effect type of outage. But that's not the case, so I will manage and care for the equipment I'm responsible for the best I can.

        I am responsible for the firewalls, the content filters and proxies for my employer. They have the expectation that the equipment will work as close to every time, all the time, as possible. Since my performance review is on the line, plus pride in the level and quality of services I provide, I take it damn personally when a piece of equipment fails because of hardware or software problems. So much so that I look like a doting parent taking care of a deranged child... that has a few extra arms, heads, kidneys and maybe a multiple personality or two...

    5. Cynic_999

      I see what you are saying, but to use your own analogy, would you really be happy with a babysitter who painted your living-room purple and replaced all the meat in your refrigerator with vegetables and nuts because in her opinion purple was a far better colour than magnolia, and eating meat was unhealthy or unethical?

      Sure, you can recommend certain things to your boss and explain why you think they are necessary, but at the end of the day if the boss says that he wants people to be able to transfer data via USB sticks, you will have to actively facilitate it.

      1. JEDIDIAH
        Mushroom

        Simply astounding.

        The stupidity of comparing a trained network administrator with a nanny is just mind bogglingly stupid.

        That analogy only (maybe) works if the nanny is also the legal guardian of the parents as well. The IT staff may well claim ownership of the IT infrastructure because they are the only ones that know how it works and no one else is even capable of supervising them.

        Nothing like a "nanny".

        More like the nursing home that will wipe your butt when you are old and senile and no longer capable of taking care of yourself.

  3. Anonymous Coward

    Joe

    Can we get Joe to take down those bastards calling from "Microsoft" and delete ALL the numbers from their database.

    Let's shoot for the moon: If they have computerised door locks, can we lock everyone out of the building?

    Maybe even cause an explosion, a la Skyfall.

    (Note for the NSA/GCHQ/whoever: That was a joke. I'm making fun of what Hollywood thinks computers and hackers can do.)

    1. DropBear

      Re: Joe

      It wouldn't work. As any fule kno, any true hacker brought in to help could reverse any and all that in thirty seconds, tops...

      1. Cynic_999

        Re: Joe

        "It wouldn't work. As any fule kno, any true hacker brought in to help could reverse any and all that in thirty seconds, tops..." ... by furiously typing in reams of machine code interspersed with cryptic Unix commands to patch running programs as they read and understand megabytes of raw hex values cascading down 15 different screens at the rate of 100's of lines per second ...

        Hollywood has taught me that most code is green, but malware always executes in red.

    2. Cpt Blue Bear

      Re: Joe

      "Let's shoot for the moon: If they have computerised door locks, can we lock everyone out of the building?"

      Not out. In...

  4. Ben Liddicott

    You can't defend against your bodyguards...

    ...as Mrs Gandhi learned.

    Your only option is to pick trustworthy guards... and be the sort of person they are willing to be loyal to.

  5. Anonymous Coward

    Anyone will compromise anything given the right incentives. For some the incentive is gain, money, cars, holidays, women, whatever. For others it is loss, threatening their family, privacy (everyone has secrets), or some other such angle. Fear and greed, and it will be forever thus.

    While I’m not an admin, I’m perfectly capable of extracting much confidential data from my employer; The keys to the kingdom, as it were. My principles aren’t for sale for any amount of money, but I prioritise the health and safety of my family above any career, employer, or indeed anyone else that isn’t my family. Would I “compromise critical life support systems” to protect my family from harm? Absolutely, and I rather suspect you’d all do the same.

    1. Anonymous Coward

      Old phrase....

      You'd kill for your wife but die for your kids....

    2. Anonymous Coward

      Re: anyone/anything - I rather suspect you’d all do the same.

      I'm not sure what I'd do, and I hope I never get given an ugly choice of the type(s) mooted here. But it's worth noting that some people would refuse and do refuse under extreme bribery or coercion. I mean, what about those people that Amnesty International campaign for? They have typically paid various prices for not being quiet or not staying in line.

      Why is it that Reg commentards should be so uniquely lacking *as compared to* the rest of the human race?

      Would I "compromise critical life support systems" to protect my family from harm? Well now - just how many tens, hundreds, thousands, (etc) of deaths of other people should my family be worth? I think if I want to test (however hypothetically) my behaviour under coercion, I need something a little more specific to be going on with. Are we talking about a 10% increase in the failure chance of some really old sick guy's respirator, or 10% of all airliners suddenly dropping out of the sky?

      1. Anonymous Coward

        Re: anyone/anything - I rather suspect you’d all do the same. @AC

        Would I “compromise critical life support systems” to protect my family from harm? Well now - just how many tens, hundreds, thousands, (etc) of deaths of other people should my family be worth?

        How many deaths are my family worth? To me? It would be worth all of them. And I'm not sorry if that offends anyone. We could be talking about one death, one thousand, one million, or everyone else. It would be worth all of them to me.

        Thankfully, it's a purely hypothetical situation, with the sole purpose of realising that once you can be made to do something in extreme circumstances, there are many less severe variations in which you can be made to do something less severe. Everyone can be bribed or coerced to act against their principles or preferences - perhaps not for direct personal gain, but there's always a way.

        Segmenting admin power, particularly in larger companies where more than one admin exists, can reduce your "administrator risk" more effectively than just about anything else you can do. One account does not need to rule them all.

  6. chivo243 Silver badge
    Headmaster

    Do this

    Open your directory service, whatever platform it runs on, AD, OD or whatever is in place. Have a look at the names, and how many are no longer employed? I am regularly asking HR if so and so is still employed. NO? Why weren't we notified?

    1. Chris King

      Exit Procedures and the "V'Ger Rule"

      I've ended up writing "Exit Procedures" for previous employers just because they didn't consider this.. and invariably used myself as the first example.

      No matter what the reason for my departure **, I like to make sure that my now ex-employer can't claim I left back-doors into systems, and that everything will continue to run without the presence of my user account. If I'm gone, I'm TOTALLY gone, end of story.

      (** I've never been sacked from an IT gig, only from a summer job as a waiter. One of my "mates" phoned up the restaurant and posed as an angry customer who claimed that I'd told him to f**k off)

      As I said on the Internet Storm Center a few years back...

      When I design or build a system, I make absolutely sure that it's designed to what I call the "V'Ger Rule". If you've seen "Star Trek: The Motion Picture", you'll understand.

      Put simply, the "V'Ger Rule" states:

      "A System must continue to operate in a correct and safe manner in the absence of its Creator".

      Or, put another way:

      1. No blowing up any spaceships ;

      2. No joyriding in Carbon Units ;

      3. Fat, balding starship captains are to be shot on sight, especially ones that follow the "If you can't eat it, drink it, steal it, spend it or have sex with it, blow it up" mantra.

      1. Anonymous Coward

        Re: Exit Procedures and the "V'Ger Rule"

        One of my "mates" phoned up the restaurant and posed as an angry customer who claimed that I'd told him to f**k off

        Ah, this is obviously some strange usage of the word 'mate' that I wasn't previously aware of.

        1. Jes.e

          Re: Exit Procedures and the "V'Ger Rule"

          "Ah, this is obviously some strange usage of the word 'mate' that I wasn't previously aware of."

          Downvotes to a HHGTTG reference.. here!?!

          What is wrong with you people???
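Chris King's "V'Ger Rule" above ("a System must continue to operate in a correct and safe manner in the absence of its Creator") is easy to state and easy to break by accident: a cron job, a service or a sudo rule quietly tied to one admin's personal login. The script below is an added example, not code from the thread or from any commenter. It is a pre-exit audit that walks constructed copies of a /etc/cron.d table, two systemd unit files, root's authorized_keys and a sudoers fragment, and lists everything that runs as, lives under the home directory of, or trusts the departing account (`ck` is a hypothetical login). A real run would read those files from the hosts or from a configuration-management export rather than from strings.

```python
"""Pre-exit dependency audit for the "V'Ger Rule".

Added example (not from the thread). Before an admin's account is
disabled, find what would stop working, or keep granting access, once
that account is gone. All inputs below are constructed stand-ins.
"""
import re

DEPARTING = "ck"   # hypothetical sysadmin login used throughout

# Constructed /etc/cron.d table: m h dom mon dow user command
CRON_D = """\
# /etc/cron.d/backups (constructed)
15 2 * * * ck /usr/local/bin/nightly-backup.sh
0 * * * * root /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * ck /home/ck/bin/check-ups.py
"""

# Constructed systemd unit files keyed by path.
UNIT_FILES = {
    "/etc/systemd/system/ldap-sync.service": """\
[Unit]
Description=LDAP sync (constructed)
[Service]
User=ck
ExecStart=/home/ck/ldap-sync/run.sh
""",
    "/etc/systemd/system/webapp.service": """\
[Unit]
Description=Web app (constructed)
[Service]
User=webapp
ExecStart=/opt/webapp/bin/start
""",
}

# Constructed root authorized_keys; key material is placeholder, not real keys.
ROOT_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne ck@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwo backup-automation
"""

# Constructed sudoers fragment.
SUDOERS = """\
# /etc/sudoers.d/admins (constructed)
ck ALL=(ALL) NOPASSWD: ALL
%ops ALL=(ALL) ALL
"""


def cron_jobs_as(user, cron_text):
    """Commands in /etc/cron.d format whose user field is `user`."""
    jobs = []
    for line in cron_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)   # five time fields, user, command
        if len(fields) == 7 and fields[5] == user:
            jobs.append(fields[6])
    return jobs


def units_running_as(user, units):
    """Units with User=<user>, or whose ExecStart lives in that user's home."""
    home = f"/home/{user}/"
    hits = []
    for path, body in units.items():
        runs_as = re.search(r"^User=(\S+)", body, re.M)
        exec_start = re.search(r"^ExecStart=(\S+)", body, re.M)
        if (runs_as and runs_as.group(1) == user) or \
           (exec_start and exec_start.group(1).startswith(home)):
            hits.append(path)
    return hits


def keys_for(user, authorized_keys):
    """authorized_keys lines whose comment names the user (advisory: comments are free text)."""
    return [l for l in authorized_keys.splitlines()
            if l.strip() and l.split()[-1].startswith(user + "@")]


def sudo_rules_for(user, sudoers):
    """sudoers lines granting rights directly to `user` (group rules are not expanded)."""
    return [l for l in sudoers.splitlines() if l.split() and l.split()[0] == user]


def vger_audit(user=DEPARTING):
    """Everything that depends on, or still trusts, `user`, grouped by source."""
    return {
        "cron": cron_jobs_as(user, CRON_D),
        "units": units_running_as(user, UNIT_FILES),
        "root_keys": keys_for(user, ROOT_AUTHORIZED_KEYS),
        "sudo": sudo_rules_for(user, SUDOERS),
    }


def passes_vger_rule(user=DEPARTING):
    """True only when nothing is tied to the account being removed."""
    return not any(vger_audit(user).values())


if __name__ == "__main__":
    for source, findings in vger_audit().items():
        for f in findings:
            print(f"{source:10} {f}")
    print("safe to disable", DEPARTING + ":", passes_vger_rule())
```

The key check only matches on the comment field, which anyone can edit; a real audit compares fingerprints against the keys known to belong to the person. When `passes_vger_rule()` is False, the findings get fixed before the account is disabled, not after: jobs move to a service account, scripts move out of `/home/ck`, the key and the sudo rule are dropped.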

    2. Blake Davis

      Re: Do this

      Payroll sends the IT dept a list monthly of terminated employees just for this situation. HR occasionally forgets to let us know about a termination, but they never forget to stop the pay checks!

      1. Anonymous Coward

        Re: Do this

        What about automatically disabling the account if it's not used for 30 days and then doing an automatic cleanup after 90 days? Zeeze...

        1. Peter2 Silver badge

          Re: Do this

          >"What about automatically disabling the account if it's not used for 30 days and then doing an automatic cleanup after 90 days? Zeeze..."

          I take it that you haven't heard of "pregnancy" or the common employment terms of "maternity leave", "long term sickness", "suspension" (i.e. garden leave) and the army of related issues where simply deleting an account because a user hasn't used it for 3 months can cause the company serious problems?

          "No, your honour, and esteemed members of the jury. We had fully intended to allow employee X to resume their duties after their time away from the workplace. The person standing in for them was only working on a temporary basis and we hadn't already made a decision to dismiss employee X and replace them with this temp..., no the fact that employee X's computer account had been deleted is a total coincidence and this entire court case is a terrible misunderstanding! No, your honour, we don't think you look stupid and we aren't trying to insult your intelligence..."

          Moral of the story: IT has one job, HR has another.

          1. JEDIDIAH
            Thumb Down

            Re: Do this

            > I take it that you haven't heard of "pregnancy"

            Revoked access can always be granted again. It's not like this is a one way process. You are only removing them from some database. You aren't actually killing them.

            The worst that can happen is that you inconvenience someone who's been away from the office for a long time.
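The "Do this" thread above is a procedure in pieces: pull the directory (chivo243), cross it with the payroll terminations list (Blake Davis), disable anything idle for 30 days (the AC), but leave people on maternity or long-term sick leave alone (Peter2), and remember that disabling is reversible where deleting is not (JEDIDIAH). The script below is an added example, not code from the thread or from any commenter, that puts those rules together over constructed data: a small CSV standing in for an AD/LDAP export, a payroll terminations feed and an HR leave feed, with `TODAY` fixed so the day counts are reproducible. It never deletes anything; terminated accounts are disabled, and accounts that have been disabled for 90 days or more are only flagged for a human to review.

```python
"""Stale-account reconciliation: directory export vs. payroll and HR feeds.

Added example (not from the thread). All three inputs are constructed
stand-ins for an AD/LDAP export, a payroll terminations list and an HR
leave list. Policy: terminated or long-idle accounts are DISABLED (which
can be undone), never deleted; anyone on recorded leave is exempt from the
inactivity rule; long-disabled accounts are only flagged for review.
"""
import csv
import io
from datetime import date, datetime

INACTIVE_DAYS = 30          # disable after this many days without a logon
REVIEW_DAYS = 90            # flag for manual cleanup after this long disabled
TODAY = date(2015, 6, 5)    # fixed so the example is reproducible

# Constructed directory export (shape of Get-ADUser / ldapsearch output).
DIRECTORY_CSV = """\
sam,display_name,enabled,last_logon,disabled_since
jsmith,Jane Smith,true,2015-06-01,
bjones,Bob Jones,true,2015-01-10,
akhan,Aisha Khan,true,2015-02-20,
tchilds,Terry C,false,2014-12-01,2015-01-15
"""

# Constructed payroll feed: people whose pay has stopped.
TERMINATED_CSV = """\
sam,last_day
bjones,2015-05-01
tchilds,2015-01-14
"""

# Constructed HR feed: long absences that are not departures.
LEAVE_CSV = """\
sam,leave_type,expected_return
akhan,maternity,2015-11-01
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def _parse_date(s):
    return datetime.strptime(s, "%Y-%m-%d").date() if s else None


def reconcile(directory_csv=DIRECTORY_CSV, terminated_csv=TERMINATED_CSV,
              leave_csv=LEAVE_CSV, today=TODAY):
    """Map each account to (action, reason); actions: keep, disable, review_for_removal."""
    terminated = {r["sam"]: _parse_date(r["last_day"]) for r in _rows(terminated_csv)}
    on_leave = {r["sam"]: r for r in _rows(leave_csv)}
    actions = {}
    for r in _rows(directory_csv):
        sam = r["sam"]
        enabled = r["enabled"].strip().lower() == "true"
        last_logon = _parse_date(r["last_logon"])
        disabled_since = _parse_date(r["disabled_since"])
        if sam in terminated and enabled:
            # Payroll stopped paying them; IT was never told, or never acted.
            actions[sam] = ("disable", f"terminated {terminated[sam]}, still enabled")
        elif sam in terminated and disabled_since and (today - disabled_since).days >= REVIEW_DAYS:
            # Long disabled and confirmed gone: a human decides about deletion.
            actions[sam] = ("review_for_removal", f"disabled {(today - disabled_since).days} days")
        elif sam in on_leave:
            # Maternity, long-term sick, suspension: idle but expected back.
            lv = on_leave[sam]
            actions[sam] = ("keep", f"on {lv['leave_type']} leave until {lv['expected_return']}")
        elif enabled and last_logon and (today - last_logon).days > INACTIVE_DAYS:
            actions[sam] = ("disable", f"no logon for {(today - last_logon).days} days")
        else:
            actions[sam] = ("keep", "active")
    return actions


def hr_never_told_us(directory_csv=DIRECTORY_CSV, terminated_csv=TERMINATED_CSV):
    """Accounts payroll has stopped paying that are still enabled in the directory."""
    gone = {r["sam"] for r in _rows(terminated_csv)}
    return sorted(r["sam"] for r in _rows(directory_csv)
                  if r["sam"] in gone and r["enabled"].strip().lower() == "true")


if __name__ == "__main__":
    for sam, (action, reason) in reconcile().items():
        print(f"{sam:10} {action:20} {reason}")
    print("payroll stopped, still enabled:", hr_never_told_us())
```

Run as a script it prints one line per account with the proposed action. In production the three inputs come from Get-ADUser or ldapsearch and from the HR and payroll systems, and the `disable` actions feed Disable-ADAccount or its equivalent; keeping the decision in one place that reads HR data is what turns chivo243's "why weren't we notified?" into a routine report instead of a surprise.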

  7. Anonymous Coward

    Fine line

    There is a fine line to walk. Most people waver from one side to the other at times, but most try to walk along it.

    To me, the network is mine, in as much as it is my responsibility to keep it running well. This means I will make "executive" decisions at times which users dislike, but are for their own good. I lock things down, refuse to let them have software XYZ, etc. I will normally provide an alternative, or at least a good reason, and that is always open to debate with me and my manager.

    The problem I currently have is that the network is not mine. My boss is a techy person himself, and he makes the decisions. I am just the most recent "child minder". As an example, when I started there was no AV solution in place. I was repeatedly told "we've never had a virus in the X years we have been running, so we obviously don't need an AV". Which was fine, until we got a virus.

    We now have a system in place, but I'm still ignored on other fronts, like security (which is practically non-existent, everyone uses the same password, even on external sites, "so we can access other people's accounts if they are off"). They do not change, even when members of staff move on.

    For me, I keep plugging away in the vain hope that I will be listened to some day. I also ensure that these conversations are logged in my email, to cover my back. In the end, though, I will be the one who has to clear up the mess when something goes wrong...

  8. Conrad Longmore

    One trick I heard of..

    One trick I heard of (and I cannot remember where I heard it, it may be apocryphal) was that a large organisation wanted to fire a sysadmin, but they needed a few hours to make sure that all the passwords could be changed and accounts disabled.

    So, they made up an excuse to get the employee on a LONG flight to another location (I think this was in the US) where they would be completely out of contact with everything and everyone. When they got to the other end, they were met by management and HR and then terminated.

    I don't know if this story is even true, but it does demonstrate the lengths you might have to go to if you need to fire a potentially rogue sysadmin. Alternatively giving them a large pile of cash on a smooth transition might also work..

    1. Paul Crawford Silver badge

      Re: One trick I heard of..

      They were kind. The alternative punishment/time-waste is to send them to a meeting to suffer hours of "death by powerpoint"!

      But seriously, the problem in some cases is they only have one admin, or only one that ever looks after XYZ systems, so on antagonistic exit (or a bus accident, etc) they find they can't do anything due to a lack of passwords or alternative admin accounts.

      Businesses, particularly those with only one admin person, should have a policy of root passwords being written down and kept in a safe and regularly tested to ensure they still allow access, and that password changes are recorded and done for good reason[1].

      [1] Changing periodically to me is dumb, it just promotes writing stuff down in insecure places. For example, changing once per year would give a hacker a mean time of 6 months to do stuff. Just how long do you need to set up shadow accounts, email redirects, etc?

      However, if you think a compromise might have occurred, or someone leaves, then changing is essential.

      1. Anonymous Coward

        Re: One trick I heard of..

        I recall leaving one company for a competitor and the company I left changed their primary system root password. Fair enough.

        I was then asked to go back in to the old company to help them out of a bind (before starting at the new company however) and had to be given the password again.

        It was something along the lines of

        <xxx>Tr41T0R

        Where xxx represented three letters of the company I was moving to. Nice! :)

      2. Number6

        Re: One trick I heard of..

        Businesses, particularly those with only one admin person, should have a policy of root passwords being written down and kept in a safe and regularly tested to ensure they still allow access, and that password changes are recorded and done for good reason[1].

        The one I've seen for small companies is for the critical passwords to be written down, sealed in an envelope with a couple of signatures (sysadmin and manager) across the seal. If any sort of access is needed in the absence of the sysadmin then it can be done, but then the passwords need to be changed and a new envelope created. It's more a way of ensuring access if the sysadmin wants to check out the underside of a bus, or similar, but doesn't protect against a malicious sysadmin.

        1. Pascal Monett Silver badge

          Sealed envelopes are impressive and all that, to be sure, but I doubt they'll be of any use against a rogue BOFH that went and changed the passwords without creating a new envelope.

          Said envelopes are only an insurance if the passwords are regularly checked and validated.

          And even that doesn't guard against an additional shadow account created with the same credentials and abilities, but using a different password that only the BOFH knows.

          Not unless there is a log of some sort that the sysadmin cannot touch that records all instances of password change.

          I'll believe in it when you show me an example of something that runs under sysadmin supervision that the sysadmin cannot touch or prevent its functioning.
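The two checks the thread keeps circling back to (Paul Crawford's "regularly tested" envelope passwords and Pascal Monett's "shadow account with the same abilities") can at least be audited from outside the box by diffing the account database against a baseline taken when the envelope was sealed. The script below is an added example, not code posted by any commenter. It assumes a Unix host, that the envelope was sealed on a known date, and that the names in the approved-admins set are the only accounts meant to hold root-equivalent access; the /etc/passwd, /etc/shadow and /etc/group contents are constructed sample data with a planted "toor" UID-0 account and an unexpected sudo member.

```python
"""Audit a Unix account database against a break-glass baseline.

Finds (1) accounts with root-equivalent access that are not on the approved
list, i.e. the "shadow admin" case, and (2) privileged accounts whose password
changed after the sealed envelope was written, i.e. the "envelope is stale"
case. Constructed sample data is used in place of the real files; in
production read /etc/passwd, /etc/shadow (root only) and /etc/group, ideally
from a separate box that pulls copies so the admin cannot edit the audit.
"""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)              # shadow(5) counts days from this date
ADMIN_GROUPS = ("sudo", "wheel", "admin")

# Date the envelope was sealed (assumed for the example).
SEALED_ON = date(2023, 7, 12)
# Accounts that are supposed to have root-equivalent access (assumed).
APPROVED_ADMINS = {"root", "alice"}

# Constructed sample files. "toor" is a second UID-0 login under another
# name; bob has been added to sudo without anyone approving it.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Admin:/home/alice:/bin/bash
bob:x:1001:1001:Bob User:/home/bob:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
"""
# Field 3 of shadow is the day number of the last password change.
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhash:19600:0:99999:7:::
daemon:*:18000:0:99999:7:::
alice:$6$saltsalt$hashhash:19500:0:99999:7:::
bob:$6$saltsalt$hashhash:19400:0:99999:7:::
toor:$6$saltsalt$hashhash:19650:0:99999:7:::
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,bob
wheel:x:10:alice
"""


def parse_passwd(text):
    """Map login name -> (uid, gid, shell) for every non-empty passwd line."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
        accounts[name] = (int(uid), int(gid), shell)
    return accounts


def parse_shadow(text):
    """Map login name -> date of last password change (None if field empty)."""
    changes = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name, last = fields[0], fields[2]
        changes[name] = EPOCH + timedelta(days=int(last)) if last else None
    return changes


def parse_group(text):
    """Map group name -> set of supplementary members listed in /etc/group."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, _gid, members = line.split(":")
        groups[name] = {m for m in members.split(",") if m}
    return groups


def find_shadow_admins(accounts, groups, approved):
    """Root-equivalent accounts (UID 0 or in a sudo-style group) not approved."""
    privileged = {n for n, (uid, _g, _s) in accounts.items() if uid == 0}
    for g in ADMIN_GROUPS:
        privileged |= groups.get(g, set())
    return sorted(privileged - set(approved))


def find_changes_since(changes, sealed_on, watch):
    """Watched accounts whose password changed after the envelope was sealed."""
    return {n: d for n, d in changes.items()
            if n in watch and d is not None and d > sealed_on}


def audit(passwd_text, shadow_text, group_text, sealed_on, approved):
    """Run both checks and return the findings as plain data."""
    accounts = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    shadow_admins = find_shadow_admins(accounts, groups, approved)
    # Every account with root-equivalent access should be in the envelope,
    # so watch the approved list plus anything we just discovered.
    watch = set(approved) | set(shadow_admins)
    changed = find_changes_since(parse_shadow(shadow_text), sealed_on, watch)
    return {"shadow_admins": shadow_admins, "changed_since_seal": changed}


if __name__ == "__main__":
    result = audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_GROUP,
                   SEALED_ON, APPROVED_ADMINS)
    for name in result["shadow_admins"]:
        print(f"UNAPPROVED ADMIN: {name}")
    for name, when in sorted(result["changed_since_seal"].items()):
        print(f"PASSWORD CHANGED AFTER SEAL: {name} on {when.isoformat()}")
```

On the sample data this flags "bob" and "toor" as unapproved admins and reports that the root and toor passwords were changed after the seal date, which is exactly the condition under which the envelope in the safe no longer opens anything. The shadow last-change field only tells you that a change happened, not what the new password is, so the envelope still has to be re-created; the point of the check is that the change cannot go unnoticed, which answers the "log the sysadmin cannot touch" objection only if the audit runs from a machine the sysadmin does not control.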

    2. Number6

      Re: One trick I heard of..

      It wouldn't work now unless you made sure to pick a flight without on-board wifi...

    3. JEDIDIAH
      Linux

      Re: One trick I heard of..

      If I were terminated and then stranded, I wouldn't have to ever work again. Whatever company pulled that stunt on me would be paying for my retirement.

  9. Yugguy

    IDIOTS

    "what's 5 years in the big house"

    Proof positive the average IT nerd knows eff all about the real world and the kind of people they are likely to meet in prison.

    1. Anonymous Coward

      Re: IDIOTS

      Proof positive the average IT nerd knows eff all about the real world and the kind of people they are likely to meet in prison.

      Mostly grandmothers who haven't paid their TV/Council tax these days, isn't it?

      5 years in a US jail? No ta. 5 years in a UK country club? For £20M? If I didn't have a family to support, then I'd swap 5 years free time for that.

      You just find the meanest, toughest guy in there and pay him £1M to guarantee nobody touches you. Then you go to the library, get some books, and catch up on some reading. Maybe do what everyone else does and hit the gym or do a law degree?
