I cannae dae it, cap'n! Why I had to quit the madness of frontline IT It took a massive hack attack against the United States government resulting in the theft of up to 14 million 21.5 million records to make me realise why I want to quit working in IT. Over the past year I've significantly drawn down my involvement in day-to-day IT operations, and I'm much happier for it. The US Office of …
...the problem is not management, it's the IT staff. The author was unusually insightful when he says he believes he's more like LaForge than Scotty. We ALL need to be more like Scotty.
We are a logical, methodical, analytic group, so let's analyze this: These things we know -
- management/business types will automatically cut our budget by 30-50%
- our deadlines and resource requirements will be similarly cut
- we will be dealing with this 'solution' and it's issues for a long time
Assuming these facts as stated, wouldn't the following be a logical response:
- Increase budget estimate by 45-80%. Resulting budget after 30-50% cut will be 90-125% of actual need.
- Increase lead times and resource requirements similarly to result in similar results following cuts
- Always include professional services, training, documentation and knowledge transfer in budget
If we ALL decide to adhere to these principles, then there are no options left to the business types. Anyone not experienced enough to follow these guidelines will regularly fail to meet deadlines, SLA's and budget limits. They will have a short career and remove themselves as competition.
It's in the hands of the geeks to change our lot and that of our fellow workers. Only we can change what needs changing and it's we that need changing, not the management team. They do what they do and we need to acknowledge this and act accordingly.
Oh, and document EVERYTHING including any objections or warnings when your budget is cut too much to do the job. It's my guess that Katherine Archuleta is either being paid VERY well to take the abuse she didn't deserve or she did NOT document her concerns, objections, warnings when her budget was cut to a level inadequate to the job.
Remember: "It's not them, It's us!" - We can't change them, we can only change ourselves.
Just my 2 cents.
There are three stages here. 1) Learning the truth. 2) Accepting the truth. 3) Being in a position to do something about it. It's only in the past few years that I started to get in a position to exit, and doing so without screwing over some good people in the process took time to orchestrate. I'll not dwell on how long it took me to go from "learning the truth" to "accepting the truth" because that's more than a little depressing.
Alas, the root of the problem is that the majority of the people who control the money (managers, investors, VCs, and legislatures) did NOT get where they are by being rational about what results can be expected for what cost and schedules; instead, they got where they are by twisting the dial to 11 (and gluing it back on when it broke off the shaft), getting good-looking results for long enough to be promoted/bought out/off/elected, and running away from the inevitable wave of catastrophe that follows at a distance behind them wherever they go.
There ARE leaders who don't work that way, but since true leadership ability is much rarer than bluster, bluff, and amorality atop a crumbly foundation of short-horizon opportunism, such leadership is unfortunately rather uncommon.
It is useful to think of it as another version of the tragedy of the commons.
GigglyPuff, you forgot a very important point - get the people that work at the coal face up to the top floor to make sure that budgets and time scales are adequate.
The only problem is to ensure they keep up with what is going on, which is why, although I own the company, I do regular night shifts and go out on service calls just like my engineers. I need to know just what my staff face and what help they need to do the job.
I learned all that early on when I worked in engineering before I worked in IT. It did cost me some jobs where I'd tell management what was needed (with the requisite padding for negotiation). They'd start slashing. Eventually, I'd say "you're out of your mind... fast, cheap, and works... pick 2". Being shown the door because they said they'll find someone who would do it on their terms wasn't so bad. I heard stories afterwards about a guy who replaced me at one place. All I can say is, I was glad I was gone.
The idea that the people being thorough, accurate and honest are the 'problem' is perverse.
The problem is with the 'management types' not understanding how IT is not just another cost-centre and can't be treated the same way they treat the other areas of the business.
Perhaps more IT people should learn to speak 'management' more fluently but it is, again, perverse that this gets so turned-around that it becomes IT's responsibility to understand management rather than management's responsibility to understand the operation of the component parts of the organisation they are supposed to be leading and guiding.
Of course, in any situation you have to evaluate what it is that you can do to achieve the results you need, but that does not effect the kind of systemic change that is needed.
I join the list of agreers, but having fell into this industry as one of the Sinclair generation (there was nothing else that was going to happen for me, considering the economic situation at that time), I am vocationally a square peg but I've made the best of it.
I've done my time as one of the blind ambitious and discovered I really didn't like the dangling Damocletic blade and the best skill I ever learned to survive in this industry is how to find a quiet corner from which I can focus on doing my best work. I don't stick my neck out any more, I just turn out good stuff.
I dream of the day that I step off the carousel and fill my life with music and travel, I just hope I'm not too old and still have my health when that day comes.
Working on it.
<snip>
"I dream of the day that I step off the carousel and fill my life with music and travel, I just hope I'm not too old and still have my health when that day comes.
Working on it."
I did that years ago and I am all the better for it. I am sitting in 40 degree heat, filing pictures from the past month that include trips to London, Cyprus, Spain, Gibraltar, Lisbon and Madeira.
Nowadays I have to dweal with complex issues such as what day is it? and what shall I make for breakfast. Life is indeed good.
"Perhaps more IT people should learn to speak 'management' more fluently" An issue with that is that whilst Managementese and ITese share many common words, they apply to different meanings and concepts. Where in IT we say something like ............ ahhh, who cares, Simon Travaglia and Scott Adams say it all anyway.
I think that the take home message for all of you stakeholders out there (management speak, like it?) is that when an Oracle like one of the afore mentioned give forth, we should listen and pay a dutiful observance and then get out the carpet, shovel and quick lime.
No other part of the company is just another cost center. Each part thinks it is unique and ought to have special consideration. But the other parts of the company eventually come to understand that they have to communicate with management and understand the operations of the company. Only IT seems to persist in the belief that management needs to learn to speak its unique language.
This is our, or perhaps your problem to fix, not management's.
@tom 13.
Spot on. The change has to be driven not expected.
I've worked across disciplines and every dept wants (needs) X to do y, and they rarely get it. One difference with IT (generalisation warning!) is the response that 'management' doesn't understand. In most cases they do understand but have more important priorities. Saying that they don't understand when really they just don't agree with you won't get you anywhere.
Sitting in your darkened corners or bitching on blogs won't change a thing. Get yourselves into management and drive the change.
I thank you all for reading this and take the downvotes as a compliment.
Step 1 - Management asks IT to ensure systems are secure.
Step 2 - IT presents researched, costed solution to Managment.
Step 3 - Management requests system to be provide 40% cheaper.
Step 4 - 40% less-effective/resourced solution put in place.
Step 5 - Everything run perfectly in perpetuity - yay management!
Oh, wait . . .
Yes, management often have 'other priorities' but actually it's really just one: do more with less. That's great, from a business perspective, but sometimes more takes more. Or at least can't be done with less. Some things in IT absolutely can but security is not somewhere you can cut too many corners and security of a massive and very sensitive collection of data is certainly not somewhere you can afford to skimp.
Great that 'management' has other priorities but if security of sensitive data is not a high priority then their priorities are wrong. It's not: "hey, let's replace all out SANs with new flash-only arrays" or "hey, let's give everyone iPads" or "hey, let's upgrade the helpdesk ticketing system to make life easier for our staff".
>Perhaps more IT people should learn to speak 'management' more fluently
The issue is temperament. People drawn to IT usually like to be precise and correct. They are the kinds of people you want dealing with machines and data which require precision and accuracy. "Management" likes expectations met. This is how consultancies survive, you put a layer of Management between the techies and the customers' Management, who pad the budgets and the time-scales. Yes, it far more expensive and takes longer, but it gives the customer's Management a warm fuzzy feeling when projects come in "on-time" even if "on-time" is far later than a non-padded project would take.
Agree, I always overestimate the costs and time of a project, for those little niggles that always show up and when I hand back a bag of saved cash, the bean counters smile, the bosses smile and I have sneak off with a smirk on my face and a pat on the back. Unethical, probably, warranted definately !
The problem with inflating the budget is that the accountants now pore over every line, looking for accuracy of estimates. They do this because management believe that all budgets are getting inflated and in any cash-strapped times they want to cut back not just the inflation, but the actual real cost. So inflating your initial figures will eventually get found out (and more probably before work begins now than after the project fails - unless you're working on Universal Credit).
As for the main article I'm one of those honest types too, one who finds it difficult to stretch (or compress) the figures with fictions and make up a believable story to support them. Unfortunately, it seems being able to bamboozle management with smoke and mirrors and trick them into seeing wonderful $$$ where there are none is becoming more and more of a required skill for all jobs (of any kind in any industry) these days, not just the 'sales teams'. It seems that that kind of trickery isn't something IT types like those of us who read El Reg have aptitude for.
The problem with putting in an inflated budget, is that people know and expect that your budget is inflated, which is why they try and cut it down. It's a silly charade, rather like negotiating on a price for a car you are selling. You want £5000 for it, so you price it as £5500. Buyer knows you want £5000 for it so they bid you at £4500. You go through a ridiculous ritual exchange of numbers and end up at the £5000. Ridiculous. Just cut the BS.
Won't work.
I've been sitting on the other side of the table in a non-IT context. We knew the guy asking for money. We knew he was planning to overspend his budget by 10% figuring that was allowed. So we cut his budget by an extra 10% so that when he overspent by 10% he'd still be about where we needed him to be. The people who weren't planning to overspend their budgets by 10% got what they asked for, at least in as much as we could fund them in any given year. The thing about budgets is that the guys running the numbers aren't really setting them. They are reporting them. They know how much money the company is going to generate and they know what all the Wants the company has. But Wants always exceed Income, so something has to give. The budget planning process is supposed to be about doing that rationally.* Oh, and for the record, the guy we knew would overspend was in a high visibility, high PR, medium impact on on "business" position.
The budgeting guys are as smart as you are. And they're watching your behavior on the numbers, not the way you set your budget.
So if you're getting your budget cut by 50% and can't make do, find another job. You've either got an asshole for in finance and you won't be able to change it, or a problem elsewhere in your IT management system which you probably won't be able to change that either.
*To the best of my knowledge the only time we shorted IT was once when I overlooked one of the needs we'd have for storage on a server. As I was the one submitting the request on that one, I can't really blame the budget committee for that one. If I had asked for it, I think I would have gotten it.
@ Hollerith 1
"Do you not think that science and technology are just are riddled with politics as any other place?"
Sure they are - in universities and research centres - but that's why i don't work there...
University grant system is perfect to shady pseudo scientists and promotes the importance of "who can get funding?" instead of "who can do science?"
FOR THE RECORD, OPM has been telling its vendors to do things that it does not even do themselves for YEARS before this happened. I know because I have seen it myself.
It's right in their background investigator contracts to do everything with 2FA, Anti Virus, VPN, no browsing from work computers, locked down hardware and software, etc.
This proves that OPM was already aware of the issue and their inability to use any common sense on their own networks proves that they are incompetent bumbling fools all the way to the top level including their director and the man who is supposed to over see them, the President.
Fire them ALL!
An audit said, the OPM systems are horrendously insecure: turn them off. Archuleta said, we need them for work: keep them on. Then they got hacked. Then Archuleta goes in public and goes, at least her security initiatives let them detect the hack. A year after it happened.
The Malaysians with machetes that just take your fingers...
http://www.theregister.co.uk/2005/04/04/fingerprint_merc_chop/
The largest security measure ever taken (and which is clearly visible from SPAAAAACE) is the Gret Wall of China. It was defeated by bribing gate guards.
Ultimately there is no security that will resist a strong enough and capable enough force, but that'sw still no reason to not try.
No the largest security measure ever taken was the Berlin Wall and all the Steel Curtain installations. Although they were designed to avoid people getting out, not getting in, it actually worked well enough - very few were able to cross it, and all of them needed clever and risky efforts to achieve it.
It worked because it was continually improved - any "bug" that led to someone escaping was analized and fixed - even if it was expensive. Guards had better treatment than most people living there, so they had little incentives to be bribed (and punishment would have been hard enough to be another incentive), and were anyway properly "vetted" before being employed, to ensure they were loyal. Also, it employed an obsessive 24x7 continuos control.
Like the Maginot Line, the Great Wall of China (and other large defensive fortification) were designed to counter large dull frontal attacks, ignoring the cunning ones. The the Wall and the Curtain was designed not to counter a large attack force (atomic bombs would have taken care of it), but exactly to stop people "hacking" it and escape the "communit paradise".
In IT, there's exactly the temptation to build Maginot Lines - because that's what generals or executives like, but attackers needs just to find a weak spot to penetrate, and if behind the front line there's nothing, it's almost impossible to "counter attack". It becomes the equivalent of a "deep strike" attack.
"A state level attacker who has the capacity to subvert the firmware on hard disks, routers and the like in transit, if not before they leave the factory."
If that is sincerely your concern then working around those requirements requires controlling those elements of the supply chain yourself. Either by having the ability to write your own firmware/replace the operating system on your routers or by buying a firm who makes them from the ground up and rolling your own from scratch.
I never said it would be cheap. I said I could do it. And you know what? There are plenty of companies out there who make their own routers and an ever increasing number that make their own flash drives/flash arrays. That includes the firmware. So yeah, it's doable.
This post has been deleted by its author
This post has been deleted by its author
Yeah but how can you be *sure* that those companies haven't been got at?
By owning the companies. If you own the companies you own the code. Do external code audits...like you should be doing with all the code you own anyways. Never trust anyone. Not even yourself. Everything and everyone is a potential point of failure. Build as many checks and balances as you can with the resources you have. Then try to get more resources.
But keep off the "cloud", you don't own that and you don't know who does or who has access to it. And do your Chinese made routers have back doors? And is that a key logger plugged in to the back of your machine.
Oh God I'm so glad I don't have to do this anymore.
Type it on paper put it in a safe and throw away the key.
“Just because you're paranoid doesn't mean they aren't after you.”
― Joseph Heller, Catch-22
Very true Trevor but you must also look out for your team just as they must look for each other. If everyone backstops everyone else, while it might take a little longer to get the end results those results work. The client is happy, the engineers are happy and even the accountant is happy and on that happy note you get on with the next project expecting the same happy results at the end of it.
By owning the companies. If you own the companies you own the code.
You are absolutely sure that the VHDL compiler they used to cook up the masks for all the chippery or the microcode for your CPU is not compromised? That Japanese factory making the tantalum's didn't place a transmitter inside?
I'd say You can't. Even if you buy Intel, you can't. Even if you could build a trustworthy AI capable of holding all of Intel's design information in it's head and simulate it's operation with quantum-level resolution, you can never be sure. Because you would be long dead before it was done. There simply isn't enough time in the universe to x-ray every component, check every single bit, verify all code and confirm that all of the design tools are not lying or hiding information.
You have to assume that the operation is compromised and then work out what the consequences are and how to mitigate this.
You are absolutely sure that the VHDL compiler they used to cook up the masks for all the chippery or the microcode for your CPU is not compromised?
No. Which is why I talked about ensuring that you write firmware that presumes you can't know this and tries to compensate. By doing that you have done everything humanly possible and can stand up in front of a judge and say so.
"hat Japanese factory making the tantalum's didn't place a transmitter inside?"
Yes. Yes, this one I can think at least three ways to verify conclusively.
"You have to assume that the operation is compromised and then work out what the consequences are and how to mitigate this."
Which is exactly what I said. But you also work to minimize the number of different points of compromise so that you have fewer potential holes through which nasties can get you. Security is a comprehensive affair that should be done in depth.
This post has been deleted by its author
It is very naive to think that you can solve every security need. If it was that easy then big companies wouldn't be getting hacked. They would pay big $$$ for the black box to secure themselves.
The reason you can never be fully secure are the meatbags who write the code, they're not perfect and have faulty code. The meatbags who work for you, they're not perfect (and like to click on stuff), most places get hacked due to social engineering.
Remove the meatbags, do a full audit on all code (ALL OS's - servers, desktops, phones, routers, switches, etc), using an AI since those pesky meatbags had to be removed, to verify you have no new vulnerability whenever a new technology comes out and you might stand a chance of being "better secured".
Read the article. Nowhere did I say I would solve every security need.
I merely said that I could build the best network that has ever been built, if the resources were provided. That includes counters for every known security problem, policies/procedures that limit new problems for occurring, incident response plans to mitigate damage when breaches do occur and resolution plans to deal with breaches once they have occurred.
Now, bad code, state actors slipping things into hard drives/switches/etc...these are all easy to solve. Expensive, yes, but these are known issues that can be worked around. Automated testing can be built to look for them. Mitigation programs designed to handle them. If you know about an attack vector you can plan for it, assuming the resources are there to do so.
This includes social engineering. It even includes some thigns I can't talk about related to automated incident response because I'm under NDA with several companies developing next generation technologies.
Suffice it to say that yes, security is actually not that hard. It's spectacularly expensive, and the experts required to implement the things you need to be properly secure are in high demand, but it's all perfectly doable.
That's the problem. It is doable. Worse: I know how it's doable. I can detail for you every single corner cut, every compromise made, every bent copper clawed back in exchange for deepening the risk pool.
You can't guard against what you don't know, but you can absolutely can put in place mitigation and response, compartmentalization and...and...and...FUCK IT. ENOUGH! I'm not going down this goddamned rabbit hole one more time.
Look, companies aren't willing to pay money to secure themselves. Sony wasn't. The US Government wasn't willing to. Many health care providers aren't willing to. Over and over and over and over, up and down the whole damned list.
Every week I have sysadmins from the largest companies on earth telling me very blunt, honest tales about how they have raised flags about things they KNOW are issues, but which management utterly refuses to address. They want me to write about these things in The Register, but somehow keep them completely isolated so that nobody can trace the leak of info back to them.
Government malpractice? Pick a fucking country! SMBs? Cloud providers? SaaS providers? Startups? You name a segment, I'll tell you tales of cut corners that will make your blood run ice cold. Corners they know they are cutting, but take the risk to cut anyways because they delude themselves into thinking that the risk of incidence is low.
Christ man, you read about these things here in The Register every single week! It's now gotten to the point that most of us just tune it out because the frequency and scope of the digital apathy and ignorance is so astoundingly staggering that we, as pratitioners of the art can do nothing but weep.
Then we go to work and pretend that same restrictive penny-pinching bullshit approach to everything is somehow not leaving our precious networks vulnerable. Or we fellate marketing (and oruselves) with the trumped up idea that by using public cloud computing we will somehow offload all risk and responsibility to a third party provider, without, of course, reading the EULA which very explicitly is Nelson Muntz says "ha ha" with both middle fingers in the air.
It is not naieve to think that with the right resources a competent administrator can build the best network on earth. Not impenetrable, but damend close, well monitored, segmented, compartmentalized, isolated and with incident response for when it is inevitably compromised.
What is naive is thinking that anyone will ever be given even a fraction of the resources required to do so, or that any of us are even remotely secure unless and until we do.
And who takes the blame when the hammer falls? When you don't have the incident response you should have? When you are pwned by a known vulnerability, or you didn't have the latest security measures due to budget cuts? Your boss? Accounting? The shareholders?
Nunh uh.
You. The systems administrator. Every single person reading this comment does not have the resources to secure their networks enough to be able to stand in front of a judge and say "I did everything I could, your honour". The best that they can hope for is to document each and every incidence of resources being denied, log strenuous objections and keep paper copies of it all locked away in case you end up in front of that judge.
And if you don't? You just leave room for the attorneys of your employer to blame you. You should have known. that's your job. By not objecting you either didn't know - and are thus incompetent - or you didn't object, and thus committed malpractice. Either way, it's your fault.
But no, sir. Nobody is willing to pay "big $$$ to secure themselves". That's the whole goddamned problem right there.
This post has been deleted by its author
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
