I have been asked to leave the company for having spotted serious security breaches

[Curious George]

Dear Colleagues:

At the tail end of this post is my original post with regards to this
matter. Basically, I went and told my superiors that our network was
seriously exposed.

Today I had a meeting and, guess what, it was suggested that I find another
job. This is great, essentially having the dipshits at work side with a
completely ignorant person who knows nothing about security.

Guess what industry I work in? Education!

Thats right folks, education. Maybe the people who are in education need a
bit of it themselves.

And we wonder why our system is so screwed up!

Curious George



Dear Colleagues:

For the life of me I don't know why I have to ask this question since the
answer is so obvious, however, I need to have others tell me that I am not
completely insane.

I work at a place where we have a myriad of wireless access points and NO, I
am not writing from there at present.

NONE of the wireless access points has any form of security on them
whatsoever. No WEP, no CHAP. . . no nothing. Everything is open so you
could walk into our joint, grab an IP address and surf the web to your
heart's content.

Here is the problem. My boss insists that its "no big deal" and that since
the servers are on the inside and protected, we really don't have a thing to
worry about. Furthermore, my boss is under the impression that since we are
situated in a wide area, that nobody would be able to get into our network
because of this distance. Needless to say, my boss does not consider
somebody sneaking into a parking lot with a laptop, a good network card and
a directional bazooka antenna a possibility.

So here is what I have to explain to my boss' boss and, perhaps, the board
of directors. . . and here is where I can't help but laugh. I hope that I
will be able to keep a straight face come Monday when I have to explain
myself to people why its important.

Okay, so I know the analogies. For example, I understand that not having a
secure wireless network with many Waps and high gain transmission antennas
is the same as putting cables out to anybody within 'x' amount of yards with
a sign that says "free internet access", but since I am going to be asked
these obvious questions, just what type of damage could somebody do?

Yeah, I know about denial of service attacks, yeah I also know about
enumeration and password guessing, but considering that we have an SQL
server on the inside of our network (no, the sa account password is not
null) what are we talking about.

I can envision so many things. Like somebody just sitting there caputring
packets to get things like usernames, passwords and the like, but come on. .
.. what else could they do.

I have read my boss the riot act many times, but this is now going to go in
front of somebody over my boss' head, so, aside from giving them worst case
scenarios, end of the world analogies, etc., how else could people break in.

Creative responses are appreciated and will be rewarded with much praise.

I can't believe that I have to actually explain this to people, and this
entire thing would last about two seconds when it comes to talking with a
computer professional, but you see, my boss is under the impression that
they are a computer professional because they received a Master's degree in
Comp Sci back in the 80's. I know that this line of thinking is dangerous,
but I really want some creative answers to put my point across strongly, and
yet professionally.

Although I realize that this post will likely be the butt of many jokes
(which I will appreciate immensely) I never the less would appreciate a bit
of useful information in your responses.

I am going to have a serious drink now, and then bang my head against the
wall.

Thanks in advance,

CC

 

[Rodney Kelp]

Rule number 1... Don't mess with the boss.
Make your findings known at the staff meeting. It's is his decision. You
sound like you were hounding him.
Rule number 2...You are not the boss.

 

[Bill Unruh]

To some extent your boss is right. Having an open wireless is like having
an open plug in port in a public place. That is not necessarily very very
bad. Eg, if you firewall off the wireless network, they they have no less
difficulty getting into the corporate lan than they would have getting in
from Rimingi on the net. Of course often the company does not properly
firewall the wireless network, allowing potential attackers behind any
firewall. Also once they are on the net, if the company does not use point to point
encryption, the attacker can read off all of the traffic on the net,
opening company secrets .

However there is another issue. An attacker could use your network to
attack others, and the courts could well find your company partially
culpable for having an "attractive nuisance" without having erected the
requisite fences. (Like with swimming pools and kids drowning in them).
Of course the current legal situation is very murky, but I doubt that they
want to be the first to test it.

 

[Agent_C]

Dear Colleagues:

<merciful snip>

Based on these two posts, I can safely say that if you reported to me,
I'd fire you as well.

A_C

 

[Guest]

Agent_C ([email protected])[Thu, 03 Feb 2005 17:45:04 -0500]:

Based on these two posts, I can safely say that if you reported to me,
I'd fire you as well.

But then you have this piece of TP on your shoes to haunt your efforts:

 

[Agent_C]

But then you have this piece of TP on your shoes to haunt your efforts:

No, not really.

?

A_C

 

[Curious George]

Well, based on these two posts, if I reported to you, yes you may have the
option to fire me. . . but six months from now when your entire network is
taken down, when all of your records are out in the open, when all of the
information contained in your organization is out in the open because some
kid with a laptop, a freakin can of pringles, and a little imagination, not
to mention the ability to pick up a book and read a little bit of something,
then maybe, just maybe you would be the one out of a job, as in blackballed
forever.

For me, I can always get another job because at least I tried to improve the
situation, for closed minds like the ones I have had to report to, the only
answer is to change your identity and pray that it never surfaces again.

Curious George

 

[Agent_C]

Well, based on these two posts, if I reported to you, yes you may have the
option to fire me. . . but six months from now when your entire network is
taken down, when all of your records are out in the open, when all of the
information contained in your organization is out in the open because some
kid with a laptop, a freakin can of pringles, and a little imagination, not
to mention the ability to pick up a book and read a little bit of something,
then maybe, just maybe you would be the one out of a job, as in blackballed
forever.

For me, I can always get another job because at least I tried to improve the
situation, for closed minds like the ones I have had to report to, the only
answer is to change your identity and pray that it never surfaces again.

You know; you're far too fascinated with yourself for your own good.

A_C

 

[Curious George]

Wait. . .

Let me get this straight. An employee comes to you and says "hey, we have a
huge security hole, we need to patch it and quick"

You ignore him, completely.

Then you fire him?

What the hell sort of world do you work in?

CC

 

[Agent_C]

What the hell sort of world do you work in?

You completely miss the point. I'll bet you do all the time and THAT's
why you get on the wrong side of your superiors.

Bottom line, is that I'm sure you're perceived as a annoying little
brat, who isn't nearly as brilliant as you think you are.

"A Little Knowledge Is Dangerous" -Voltaire, 1777

A_C

 

[Curious George]

Wow. . . annoying little brat. Thats very original - enjoy the instant
kharma, oh, and just remember that these dipshits are the ones who are
taking your money, yes, your money and even though we may be at each other's
throats at this moment, the ones that are being hurt by these dipshits are
our children. . . and they are using our money, yours and mine to do it.

Besides, maybe I want to be perceived as an annoying little brat. . . sure
as hell worked for you now didn't it?

Enough, you win. . . there, are you happy now?

 

[Curious George]

Oh, yes. . .

Actually, I take it all back. I see your history of positings and
understand completely.

 

[Some Bloke]

Agent C. . .

Yes, while I think that George may be a bit flippant about his approach,
there was another bloke he reminds me of back in the late 1930's who went
around warning about an attack on the US by Japan. His name was Billy
Mitchell and for his troubles he was court-martialed.

I think that you are being a bit too harsh on him. While he may be an
annoying little brat in your eyes, in my eyes I think that he brought about
what is a glaringly obvious problem to his superiors and they choose to do
nothing about it. In my estimation, his actions are commendable and while
his approach may appear a bit bratty, I think that the nature of the problem
he has discovered and his organization's failure to address the issue is at
stake.

Maybe you should reconsider your chastizement of this lad.

M

 

[Phillip Windell]

You know; you're far too fascinated with yourself for your own good.

I don't see that being the case at all. I have followed this from the first
post. I can see why the closed minded people fired him because that is what
closed minded people do when they feel threatened. I really don't see that
much wrong with the process that "Curious George" went through over all,
other than maybe he could have backed off a little sooner because you can't
stop fools from being fools.

Either way the job was inevitably over whether by them releasing him or by
leaving on his own to get out of the trap he was in since he would have got
the blame for the network being hacked afterwards, in spite of the fact that
he opposed it to begin with. Him saying "I told you so" may have got him off
the hook with normal people, but not with closed minded fools because such
people always blame others for their problems,..and he would have been the
target.

I would not have fired him,...I would have either given the project to him,
then if it failed it would rest on him,..or if I decided against him I would
have just left him to "get over it".

 

[Phillip Windell]

Yes, while I think that George may be a bit flippant about his approach,
there was another bloke he reminds me of back in the late 1930's who went
around warning about an attack on the US by Japan. His name was Billy
Mitchell and for his troubles he was court-martialed.

A perfect illustration!

Hang in there George! I think AgentC is just starting to sounds as
unreasonable as the people you worked for.

Like I said in an earlier post,..I think your only real mistake was not
knowing when to give up and back off so that you could leave on your own
terms. The job was already over either way. No one who actually cares about
the quality of their work could continue in that situation.

 

[William Stacey [MVP]]

At the surface, George is absolutely right to do what he did. In fact, it
was his job to do it (if he is an admin/security person). However,
sometimes it may be the way we say things that gets us into trouble, not
what we say. Not saying that is case here, but maybe what the issue was.
If it was based strickly on technical merits, please send them here to
discuss why you (George) is correct.

 

[Bill Unruh]

Agent C. . .

Yes, while I think that George may be a bit flippant about his approach,
there was another bloke he reminds me of back in the late 1930's who went
around warning about an attack on the US by Japan. His name was Billy
Mitchell and for his troubles he was court-martialed.

I think that you are being a bit too harsh on him. While he may be an
annoying little brat in your eyes, in my eyes I think that he brought about
what is a glaringly obvious problem to his superiors and they choose to do
nothing about it. In my estimation, his actions are commendable and while
his approach may appear a bit bratty, I think that the nature of the problem
he has discovered and his organization's failure to address the issue is at
stake.

I took the bus in to the University yesterday, and while riding scanned
with my laptop ( iwlist scan)
Almost everywhere along the route I found between 5-11 listed wireless
ports, and over half of them stated that they had no key.
Some with business names listed (eg CUPExxxx-- for those not from Canada,
that is a Union-- Canadian Union of Public Employees.).

What astonished me was that I could detect all of these from a bus roaring
by on the highway.

Maybe you should reconsider your chastizement of this lad.

While his first post did make it look like he was somewhat obnoxious, it is
hard to tell whether or not he had a legitimate concern. The proximate
issue was the open wireless, which in itself is not necessarily a great
danger. It depends on what is on that wireless.
On considered reflection, I guess I would not want an open wireless at a
school-- not that it is a real danger in itself if all critical parts were
firewalled off from that wireless, but because of the danger that predators
could use it to get at the kids. Having an open entry into a net where you
know there are lots of andlots of kids does not seem like the safest thing
to do.

Mind you with the state of WEP, it is not clear how much of a shield even
that would do much but I guess it might keep out the more clueless.

 

[Bill Unruh]

I don't see that being the case at all. I have followed this from the first
post. I can see why the closed minded people fired him because that is what
closed minded people do when they feel threatened. I really don't see that

They did not fire him. They suggested that maybe it was time he looked
elsewhere. Whether that was said in the heat of the momemt (from the posts,
things were heated) or was a considered response, we do not know.

 

[Patrick J. LoPresti]

At the surface, George is absolutely right to do what he did. In
fact, it was his job to do it (if he is an admin/security person).

Well, yes and no. Once he brought the issue to his boss's attention
and she made up her mind to ignore it, the responsibility for any
resulting problem was hers, not his. Every organization recognizes
this, which is one reason companies love memos.

Where final decisions are concerned, your boss is always right by
definition. If you find that your boss is often wrong (or rather,
that YOU are often wrong, because your boss cannot be), then it is
time to get a new boss. Raising issues with your boss's boss is one
way to do that; no matter who wins in such an escalation, you are
unlikely to keep the same reporting structure for long. This appears
to be what happened to George.

However, sometimes it may be the way we say things that gets us into
trouble, not what we say. Not saying that is case here, but maybe
what the issue was. If it was based strickly on technical merits,
please send them here to discuss why you (George) is correct.

Certainly. In my experience, many technical people confuse
"technically correct" with "correct because the boss has made up his
mind". And an awful lot of technical types have trouble with the
concept of "not your decision to make".

Any organization with more than a handful of people works like this.
That is why it is so important to find a job where the management
generally sees things your way.

- Pat

 

[Stephen K. Gielda]

I took the bus in to the University yesterday, and while riding scanned
with my laptop ( iwlist scan)
Almost everywhere along the route I found between 5-11 listed wireless
ports, and over half of them stated that they had no key.
Some with business names listed (eg CUPExxxx-- for those not from Canada,
that is a Union-- Canadian Union of Public Employees.).

What astonished me was that I could detect all of these from a bus roaring
by on the highway.



While his first post did make it look like he was somewhat obnoxious, it is
hard to tell whether or not he had a legitimate concern. The proximate
issue was the open wireless, which in itself is not necessarily a great
danger. It depends on what is on that wireless.
On considered reflection, I guess I would not want an open wireless at a
school-- not that it is a real danger in itself if all critical parts were
firewalled off from that wireless, but because of the danger that predators
could use it to get at the kids. Having an open entry into a net where you
know there are lots of andlots of kids does not seem like the safest thing
to do.

The problem with this whole thread is that full details are missing.
Everyone sees "open wifi" and we all know that is a security problem, so
judgements are all being made from this point. However, there are
instances where open wifi is a good thing, and yes, even on college
campuses. If something is unsecured, and was done deliberately with the
understanding of the risks, then there is a reason for it. To then have
someone who knows a little about security start raising a huge stink
about it and bothering higher ups would be very annoying to anyone.

Picture this, you are tasked with creating a wireless "kiosk" where
anyone on any device, can connect to get to a directory. The design is
deliberately wide open, the net is segragated from anything important,
it's supposed to allow anyone within range to be able to connect. Now
someone who works for you tells you this is bad, that it's open. You
say you know and explain that it is deliberate. This person doesn't
like that answer, posts to usenet groups (extreme crossposts), and goes
over your head to complain to your bosses. Everyone involved is going
to tell this person to go look for another job.

I'm not saying that is the case here, but there are at least two sides
to every story and we are only seeing one.

/steve