Design for failure
Organisations using third parties should always design for failure and assume stuff like this can and indeed will happen. All your eggs in a single vendor basket is a recipe for a CIO on the chopping block.
I have worked in various organisations - from payment providers which are extremely secure, to those elsewhere which are achingly insecure. Internet access is given as standard nowadays in most organisations on a default allow basis. This is a massive change from when I started out and most organisations were on a default disallow basis - you had specific sites allowed if they were relevant to your role. Much of this change comes from the massively lower cost of internet transit - no need to be precious about people on YouTube or Netflix if it doesn't cost much or you won't hit your ISDN dialup capacity. The genie is out of the bottle for user systems. For non user systems, servers etc, the default should always be specific allowed flows only.
That's fairly standard practice these days - quite a lot of large organisations either don't advertise a default route to the Internet or have only recently started doing so. The private CA sanctioned man in the middle - or SSL inspection as it's euphemistically called - is also pretty common. You can't really trust your browser to only have legit CAs in it, especially if it's managed by someone else.
That's small fry, the current government can waste far more far quicker if it sets its mind to it. Take the 37Bn on the test and trace spreadsheet. My only question is who in government trousered the ill gotten gains from this white elephant? Who is going to get a job handed to them when they are inevitably given their P45 next year?
Having worked there this is not surprising at all. I was once told in a performance meeting that I wouldn't get rewarded for doing a good job because they only paid people for an OK job; the reason being that customers only paid for an OK job so Capita only aims to do just enough to avoid being sued.
I was doing a server and client upgrade at a small automotive company which included a VPN to connect them to their new owner's head office. We had a very busy weekend reimaging PCs, swapping out servers and migrating data - tested everything and got completed by mid afternoon Sunday, feeling really good about ourselves.
Come Monday we were on a floor walk to make sure users could log on and get started - teaching them the art of the three fingered Microsoft Salute (they had moved from Win98 to XP so had never had to log in with CTRL-ALT-DEL before). All was going well until in walks Maureen from accounts.
She may not have been called Maureen, but you know the type. Been swapping the tapes for decades without ever checking if a backup has actually run.
She looked at the teletubby desktop background and the green start button and immediately announced that she couldn't use it because she hadn't been trained on it so we would have to put it all back to how it was. She marched off to speak to her boss. At this point I had the bright idea to switch the desktop theme to "windows classic" and put the picture of her grandchildren back on her desktop and told her that we had downgraded her machine so it was how it used to be. She mastered the three finger salute to 'get past the new security software' and was logged in and working in minutes. She even bragged that she had special treatment because she was so important as accounts needed to be able to run 'special applications'.
This is not something that will help contractors. The main disadvantage of the current rules is that the risk sits with the client, not the contractor as it used to. This means that previously companies could pay someone a rate and offer a contract that suggested outside IR35 but then if HMRC disagreed it was the contractor on the hook. Now the client is on the hook if they haven't done the assessment correctly. Their only way to mitigate this risk is to move away from PSCs and go umbrella but that has proven to be expensive - I don't pay more tax in an umbrella, the client does because my rate went up to reflect their choice so I take home the same amount each month.
Gov.uk has already started to erode this a bit by discreetly changing the rules so the risk can be shoved back onto the contractor if it is found that they misled the client on the IR35 assessment. Any review will be a further erosion of the responsibility of the client as those risks are shifted back onto the contractor. As for how HMRC interprets things, they have proven to be a law unto themselves when it comes to how the rules are interpreted. I can imagine they would be happiest if the contractor paid taxes like an employee and had all the risk while the clients would like to pay rates that are more in line with permies.
My current contract has scheduled tasks and processes that still run under the user account of a guy who died two years ago at the start of the pandemic. His user account has gradually and very carefully had privileges removed so it's basically a service account now; it can't be deactivated because nobody really knows how many important things run under that user account.
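The situation above (an account nobody dares disable because nobody knows what depends on it) is the kind of thing an inventory can answer. The following is an added example, not anything from the comment or its author: it lists Windows services and scheduled tasks on one or more machines whose run-as principal matches a given account name, so the account can be retired knowingly. The function name, the account and host names in the usage line, and the `svc`-style matching are assumptions for this illustration.

```powershell
# Added example (not the commenter's environment): find services and scheduled
# tasks that run as a given account so it can be migrated before it is disabled.
function Get-AccountDependencies {
    param(
        [Parameter(Mandatory = $true)]
        [string]$AccountName,                         # e.g. 'jsmith' or 'CORP\jsmith' (assumed name)
        [string[]]$ComputerName = @($env:COMPUTERNAME) # defaults to the local machine
    )

    foreach ($computer in $ComputerName) {
        # Services: Win32_Service exposes the logon account in StartName
        Get-CimInstance -ClassName Win32_Service -ComputerName $computer |
            Where-Object { $_.StartName -and $_.StartName -like "*$AccountName*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer = $computer
                    Kind     = 'Service'
                    Name     = $_.Name
                    RunAs    = $_.StartName
                    State    = $_.State
                }
            }

        # Scheduled tasks: the task principal's UserId holds the run-as account
        $session = New-CimSession -ComputerName $computer
        try {
            Get-ScheduledTask -CimSession $session |
                Where-Object { $_.Principal.UserId -and $_.Principal.UserId -like "*$AccountName*" } |
                ForEach-Object {
                    [pscustomobject]@{
                        Computer = $computer
                        Kind     = 'ScheduledTask'
                        Name     = $_.TaskPath + $_.TaskName
                        RunAs    = $_.Principal.UserId
                        State    = $_.State
                    }
                }
        }
        finally {
            Remove-CimSession $session
        }
    }
}

# Usage (host names are placeholders):
# Get-AccountDependencies -AccountName 'jsmith' -ComputerName 'srv01','srv02' | Format-Table -AutoSize
```

Run it against every server before touching the account, keep the output, and move each hit to a dedicated service account (or a group-managed service account where the service supports one). Disable the old account only once the list is empty; the event logs will confirm whether anything was missed.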
I am reminded of GNU Terry Pratchett.
I spent some time at a well known retail client a few years ago and we got a similarly unplanned lunch break when one of the service desk guys wrote a small script to change user passwords using PowerShell. As he was not a developer he completely bypassed user input sanitisation and error handling and basically strung the get-aduser commandlet (which gets user objects) and the set-aduser commandlet (which changes attributes, for example the password) together with a variable instead of a pipe.
At some time before lunch he ran his script and, as it was taking a bit of time to run, scuttled off to lunch. Over his hour lunch break those of us who ate at our desks started getting the 'windows needs your current credentials' message pop up on our computers inviting us to lock and unlock our desktops.
What had transpired, it seems, is that he had fallen victim to a classic faux pas - the get-aduser commandlet will assume, if you do not specify a filter, that you want every user object. "get-aduser jsmith" will return the object matching that name whereas "get-aduser" on its own will return an object containing every user object in the directory (unless the command is scoped in another way). Fortunately for our hero he had scoped the command to an OU that was UK head office only and didn't extend to international users, store users, or more importantly the service accounts upon which the business ran. Around 3000 people had their passwords reset and it took quite a while to fix the issue. As everyone had their password set the same they couldn't just tell people that the password was "ChangeMe123" because that meant that anyone could access any account. The passwords had to all be reset again to something unique to the user (DoB and NI number I recall) so that it could be communicated widely. There was then the 2 day password retention rule that prevented anyone changing their password for a couple of days afterwards.
Companies should either hire people directly (fixed term or permie contracts) or use contractors that are proper contractors and treat them as such (not disguised employees/umbrella/inside IR35). If you are a contractor you provide a service and don’t have a manager or go to team meetings or have your hours and location of work dictated to you. Fixed term and perm get the benefits. If companies hire a contractor and then treat them like an employee they should be liable for the tax and benefits of an employee.
"Former UK trade minister and current Conservative MP Dr. Liam Fox"
I think you'll find that his actual title is "The disgraced former defence secretary, Dr Liam Fox" - it's a well worn title with a proud history of Tory defence secretaries who have been disgraced.
Surely if gov.uk have declared this person an employee then there are large amounts of holiday pay and other benefits, not to mention a hefty redundancy payment.
Can't have it both ways - or employees might soon find that they too are being taxed as an employee but treated like a contractor.
At a place I worked as a contractor there was a low level server ops guy, let's call him John Smith, and he wrote a very simple script to change passwords. I don't quite know how his script was more efficient than the one line of PowerShell that it ran but then he was a very low level person, the type who tend to do the stuff that nobody can be bothered to script because they can't script clicking on the next box.
So the script that "John" wrote basically took a username and changed the password. I would hazard a guess that it basically did:
# Set-ADAccountPassword wants a SecureString and -Reset for an administrative reset; $user is still unchecked
Get-ADUser $user | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString "Changeme123!" -AsPlainText -Force)
OK, so there were some other options in there as well but you get the gist.
Anyway, "John" runs this script using his privileged account (lets him do desktop stuff like change passwords) and it seems to hang. He goes off to lunch.
At this point it's worth noting that in the line of PowerShell above if $user is null then Get-ADUser will get every user object in the domain and pipe all of them to the password change applet. It hadn't hung, it was just a little busy.
While "John" was off at lunch the rest of the IT department realised that they were unable to reach stuff, many had locked their desktops while eating their own supermarket "own brand" sandwiches at their desk and when they tried to unlock their desktops found that their passwords were no longer valid.
Later in the incident room it became apparent that "John" was responsible however he not only managed to retain his job but eventually managed to move sideways (and slightly down) into the desktop team.
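Both of the stories above (the service desk script a few comments up and "John's" one-liner here) fail the same way: an empty identity reaches an AD cmdlet, the lookup silently widens to everything in scope, and the write happens before anyone notices. The following is an added example, not code from either commenter: a password-reset helper written so that an empty or malformed identity cannot get past the parameter binder, the lookup is an exact filter within a fixed search base, the function refuses to proceed unless exactly one account matches, and the write goes through ShouldProcess so it can be dry-run with -WhatIf. The function name, the default SearchBase, and the `svc-*` naming convention for service accounts are assumptions for this illustration.

```powershell
# Added example (not the commenters' scripts): reset one user's password, and only one.
function Reset-SingleUserPassword {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Mandatory + NotNullOrEmpty + a strict pattern: an empty $user, a wildcard,
        # or a quote can no longer reach Get-ADUser at all.
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [ValidatePattern('^[A-Za-z0-9._-]+$')]
        [string]$SamAccountName,

        # Administrative reset needs a SecureString; never a plain literal in the script
        [Parameter(Mandatory = $true)]
        [securestring]$NewPassword,

        # Constrain the lookup to the OU the helpdesk is allowed to touch (assumed DN)
        [string]$SearchBase = 'OU=Users,OU=HeadOffice,DC=example,DC=com'
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Exact-match filter inside the search base; the pattern above guarantees the value is safe to embed
    $accounts = @(Get-ADUser -Filter "sAMAccountName -eq '$SamAccountName'" `
                             -SearchBase $SearchBase -ErrorAction Stop)

    # Fail closed: anything other than exactly one hit means we do not know what we are about to change
    if ($accounts.Count -ne 1) {
        throw "Expected exactly one account matching '$SamAccountName' under '$SearchBase', found $($accounts.Count). Aborting."
    }
    $target = $accounts[0]

    # Service accounts are out of scope even if they live in the OU (constructed naming convention)
    if ($target.SamAccountName -like 'svc-*') {
        throw "Refusing to reset service account '$($target.SamAccountName)'."
    }

    # -WhatIf shows the target without touching it; ConfirmImpact High prompts on a real run
    if ($PSCmdlet.ShouldProcess($target.DistinguishedName, 'Reset password')) {
        Set-ADAccountPassword -Identity $target -Reset -NewPassword $NewPassword -ErrorAction Stop
        # Force a change at next logon so the reset value is never the long-term password
        Set-ADUser -Identity $target -ChangePasswordAtLogon $true -ErrorAction Stop
        Write-Verbose "Password reset for $($target.SamAccountName)"
    }
}

# Usage (interactive): prompts for the new password, then asks for confirmation before writing.
# Reset-SingleUserPassword -SamAccountName jsmith -NewPassword (Read-Host -AsSecureString 'New password') -Verbose
# Dry run: Reset-SingleUserPassword -SamAccountName jsmith -NewPassword $pw -WhatIf
```

The count check is the part that matters most: `Get-ADUser` with an identity that turns out to be empty or a filter that turns out to be broad will happily return a collection, and a pipeline will happily consume it. Counting the results and refusing anything other than one is cheap, and it turns a mass reset into a thrown error at the helpdesk operator's desk rather than a lunchtime for the whole office. Pairing this with a least-privilege delegation (reset-password rights on the helpdesk OU only, not domain-wide) limits the blast radius further if the script is ever run from the wrong account.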
Particularly domain names and hosting stuff - I spent a good few months in an old job (2007 - sub prime mortgage lender) identifying all the various domain names owned by present and former sales or IT directors and getting them transferred into one company account. The main company website nearly went because the domain was registered as a personal registration to the original sales director when the company started up and had never been transferred - he left nearly a year before my work started.