Firewall Wizards mailing list archives

Re: Going meta (was RE: Ok, so now we have a firewall...)


From: Chris Blask <chris () blask org>
Date: Thu, 02 Jun 2005 23:35:30 -0400


Hey, Scott!

At 04:28 PM 6/2/2005, Scott Stursa wrote:

.d.
So I held my ground and we did it my way. The result - no compromised
hosts since then (beginning of March).

But I've paid for that. Two months ago he did a performance appraisal on
me, giving me the first "unsatisfactory" rating I've received in 26 years
of working for the university. I'm on probation and having to document
literally every minute of my day. Not that it will make any difference - I
fully expect to be unemployed when my contract expires in August.

This is the price I'm paying for *not* being a "sissy".

That sucks! I mean, it is quite possible he is just the breed of pencil-neck career-monkey that occurs so often in the wild and you would never be able to live with him, anyway, but this is precisely the kind of situation that occurs again and again and grinds us down as a group. Of course it's grinding you now specifically, but I bet you a bottle of Jameson's that you end up making more money this time next year than you are now (and maybe more than your petty boss :-) and enjoy your work more.

I've been following the accountability thread, and it occurs to me that the one thing we desperately lack is the ability to deliver good practices that people can follow and be held accountable for following. In a Perfect World it would be a piece of paper that Scott could take to his boss's boss and say "I insisted we follow this, as is my responsibility, and Rung Lemur here is all pissy about it."

o I know good classes are being taught, but obviously it isn't enough and/or we have other issues (and Quantity < Need, certainly).

- The scale thing is certainly a big part of the problem; even most CTOs are working with a barbaric understanding of security.

- The sheer newness of all this IP stuff (and buried in that is their first confrontation with Security) creates a dynamic load of issues for any CTO doing their job, so even the very few who have had a first-hand conversation with a well-spoken Clue Club Member most likely never hear the wisdom again and the message is plowed under.

- I'd like to find some one-liner to address the problem, but it looks like just lots more work developing and delivering education (pick a medium) and allowing the passage of time to inculcate the masses with some experience.

- One metric that gives me hope on the Edumacation front is my endless Brownian Public Survey, and I see the savvy-factor in the average Joe going up consistently. I poll people ceaselessly about (well, everything, but among that:) their interaction with information technology. I still can't have an in-depth useful conversation about security with the least capable of computer clickers, but today those folks are the very last of the living-in-the-woods (literally) people who said they would "never own a confuser". Mom still has a hard time following the thread if I get too enthusiastic about details, but she gets all the basics and can apply them to her own experiences using 'puters and the net. The average plane-seat-neighbor can usually play a good foil for thinking out loud about an issue, but it's always the first time they've considered it that closely, even if they are IT folks.

o Product classes and categories have shifted around enough that even we have to pay attention; everyone else is like the cancer patient listening to two doctors disagree on his treatment.

o There obviously isn't a given Best Practices Precedent out there, or lawyers would have found it and sued the crap out of people by now. Without such precedent, it's impossible to hold management types accountable for following it, and it's impossible to nail mismanagement mid-weasels like Scott's boss for gross incompetence. We could use a good sue-able precedent...

o Auditing tools need to get better. If it could be clearly shown that a commonly accepted practice was not followed, leading to losses to the organization involved, then the accountability chain can be established and Paul's lawyerfests can be directed at creating Darwinistic impulses among CTOs, and thereby creating same in high-expectation-having, upward-managing lickspittles like Scott's Uberviser. Fixing auditing is not my problem anymore at the moment, but Marcus and tbird and Partha and the rest need to keep plugging until the next Scott can have a leg to stand on against his Hindmost.

Scott's boss still needs a swift kick. I'm leaving for Disney tomorrow; can I stop by and rough him up for you... :-)

-grrrrr

-chris

PS - somebody get Scott a better job!


Chris Blask
chris () blask org
http://blaskworks.blogspot.com


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards