The Dumber coffee maker

obvs Social Distancing Grandmaster
Security technician is the job chosen by the IT technician who couldn't figure out how anything works and found out there's a job where they can make sure that no one else gets to make anything work, either.
dv
obvs posted:
Security technician is the job chosen by the IT technician who couldn't figure out how anything works and found out there's a job where they can make sure that no one else gets to make anything work, either.
On one hand, I'm kinda sad you've had to deal with that caliber of security nerd.

OTOH, I'm pretty sure that microservice/API style distributed application architecture where everything's a REST endpoint is, at least in part, a response to the fact that security can't block HTTPS traffic without wasting off the C-suite.
obvs Social Distancing Grandmaster
dv posted:
obvs posted:
Security technician is the job chosen by the IT technician who couldn't figure out how anything works and found out there's a job where they can make sure that no one else gets to make anything work, either.
On one hand, I'm kinda sad you've had to deal with that caliber of security nerd.

OTOH, I'm pretty sure that microservice/API style distributed application architecture where everything's a REST endpoint is, at least in part, a response to the fact that security can't block HTTPS traffic without wasting off the C-suite.
Oh, no.

The reason I left my last job was this:

It was a startup, and the head of security was the CISO (which I did not know). My supervisor was the director of IT. The CISO said some things which were factually inaccurate as far as security goes (and I know this, having worked on the STIG for the Mac computers at the Department of Defense years ago, and being familiar with the way the Department of Defense did things). This guy was amateur hour. I didn't know that the security guy was higher than my supervisor in the chain.

If you don't know, CIS level 1 is basically secure, and CIS level 2 is locked down to the point that the computer would likely experience annoyance, so when I announced that I supported the move to Jamf, he pretty much lost his mind and yelled at me "I will NEVER let you deploy a SINGLE SYSTEM using Jamf without it meeting CIS level 1 AND level 2 security standards." And I said "Sure, just let me know which settings need to be mandatory," and he responded "ALL OF THEM!" So that day, early on, I made sure that all of the security systems would be applied to all systems enrolled in Jamf.

So when there was a discussion about security topics and I knew that the security guy was wrong, I said so. And oh my God did he hate me.

I also knew that he knew absolutely jack squat about Mac security, configuration profiles, scripting, et cetera. He knew Linux scripting with bash, and his knowledge of Mac scripting was limited to that. He wasn't familiar with MDM and wasn't familiar with how it fit into Mac security, and yadda yadda yadda.

They were using fly-by-night software that I'd never heard of, and I recommended moving to Jamf, which he called a "fly by night" company, and I recommended some Mac management tools (pretty standard stuff), and he called them "shifty" as well. Meanwhile, I tried to vet his credentials and found absolutely nothing on him, and couldn't get verification that the software they were using to manage things was in use at any company other than the one we were working for. I came to suspect he was getting kickbacks from the company. When I pressed for literally anyone else using it, he insisted on a porn company (which, I mean, I mentioned major government entities using Jamf, as well as large enterprise companies, et cetera, so if a porn company is literally the only company you can think of, that's not good). But I contacted them anyway, and they would not confirm what he said. So when I was hired I had been hired with the understanding that I would migrate everything to Jamf (which, after I was hired, they told me wasn't so much a done deal and they made me do comparisons and defend my recommendation of Jamf, which he hated -- oh dear GOD did he hate me for being one of the only people with the guts to stand up to him). And then during a security review of his favorite product, it was obvious that he wasn't even familiar with the product's security settings, that he didn't know the importance of turning on certain settings (ones which I would have known to turn on), et cetera.

He wouldn't even let people use BBEdit or numerous other Mac programs, insisting that his choice of editors were adequate (and he was clueless).

He let their antivirus subscription lapse, and hadn't understood that new versions of macOS won't let the antivirus run without users approving it or without MDM. I explained that if we migrated to Jamf, Jamf's MDM could approve the software without user interaction, and I migrated everything from their old software solution to Jamf in ONE DAY, from the day I found out it needed to be done (Thursday morning) to Thursday night/Friday morning at 2:30. But I got the package ready, and tested it the next day/Friday.

He scheduled an "intrusion exercise" on a day, "conveniently", so even though the work was done, neither my supervisor nor he were available to approve it going out to everyone. So it didn't go out that night and instead went out Friday morning. The security guy said "Well, that will be considered a failure," which, thankfully I had the most amazing person in the world also working on the same team with me to point out that at any other job, accomplishing that migration in less than one day would be considered an amazing success, which I thought of, and went "You know, that's probably true!" -- but I'm getting off on a tangent.

So the next day they noticed that people started having problems, like their systems were locked down too much, and when I asked, I calmly told people that yes, the system had the security settings that ((security guy)) had told me to put in place. So someone went and told him that I had said such a thing, and then he came and tried to gaslight me, telling me that I hadn't been told to apply the settings (when everyone on the team had seen him yell at me). He was very clearly a narcissist, and the first time I'd had a meeting with the security guy, afterward, I had told my supervisor I never wanted to meet with said guy without my supervisor present.

So anyway, back to the problems they were having. They came to me and told me to remove the settings, which I did.

The next weekend, the security guy sends out a nastygram email to all of IT, entitled "ROGUE IT", mentioning a "MANDATORY MEETING THAT EVERYONE IN IT MUST ATTEND" where they'd talk about "the IT department's failure to take responsibility for unapproved changes" and said he "considered the migration to Jamf an ongoing and malicious attack on the company". So I texted Ms. Wonderful, and told her the email I'd just gotten, and telling her that I was probably going to quit. She, being the amazing calming influence she's always been, convinced me to just see what would happen, that the guy still didn't have the ability to do much, so I came in.

That was Monday.

Our supervisor was in a meeting for most of that day, and at 3:00, he came and told us his son was sick and he needed to go pick him up, which we thought nothing of.

Next morning, there are only two people from our team in the room: me and her. And our supervisor doesn't come in.

At 11:30, the head of all technology, the CTO (boss of the CISO) comes in, tells us that the database for the product we had just migrated away from had been compromised, and that it had been detected four hours after the nastygram was sent (which was coincidentally two days after 100% of our computers had been migrated away from it and all that remained using that server were a few Windows servers) (because we all know how often servers get compromised the day after they're no longer being used. Can you say "fraud"?!?!), and telling us that our supervisor has been fired, and that the CISO will now be our supervisor.

The week after I had started, the person who was to get me oriented put in two weeks notice, and the security guy insisted he be escorted out that day, so on the day where I was told that the CISO would be our new supervisor, the two of us had a discussion about it, where I tried to convince her to quit, too, but couldn't, but she knew the situation, and knew that I was right when I said it was basically either him or me, and that by me being there I made her a target. So I waited until 5:00, and emailed the CTO that that had been my last day.

And the two of us had also worked together at the place before that, where we'd had huge problems with the security people insisting that the Macs had security problems for lack of patching. Turns out that the Macs had been completely patched, but that years before, they'd had backup software which archived to the drive itself before backing up, so their security scans were detecting inactive items in the archive directory, and when we removed the archive directories from all of the computers, that got rid of all of the security scan vulnerabilities.

But yeah, she knew more than the security jackass, too. The two of us had worked on the smartcard configurations for our previous job and had been the only Mac team to ever get them to work.

He was awful. The people at the job prior to that were awful.

At my new job (the third job I'm mentioning in this post), a few weeks ago I wrote a script to archive all scripts from the server, and I got a notification from the security people that they'd detected a snippet of code that was malicious running on my computer.

What it was is that my script had made an API call and copied the contents of an old script on the server into a variable (since I was archiving all of the old scripts so they could be removed from the server and deleted), and had written that out to a file. So I told the security people at my workplace, and closed their security ticket. They rejected my closure and reopened it, saying "I analyzed the code, and it's malicious."

I tried to come up with a metaphor to explain this to anyone reading this:
Imagine that you were holding a picture of COVID-19, and a diagnostician came in and told you you likely had COVID-19. So you told him "No, this is a picture," and he responded "I've analyzed the contents of what I see there, and that is definitely dangerous, so you likely have COVID-19."
That's basically what happened.

And it took me a good half hour of trying to explain to the security tech the difference between code that was stored in a variable versus code that was actively being executed. And he had to go back and explain that to the person who had rejected and reopened the ticket.

To make matters worse, though, what the supposedly-malicious code (which, again, was in no danger of being executed) was written to do was to apply a security setting, and it was in a similar format as the malicious code snippet they were using, because it was laid out in the way the API presented the information. It was not even inherently malicious! And it was six years old!

I have encountered some security people who know what they're doing. I won't immediately assume incompetence. But oh dear God have I encountered a lot of "security" people who are just mean to everyone, who will understand THAT something is vulnerable but don't understand the MECHANISM BEHIND the thing they're seeing the vulnerability in, WHY the vulnerability exists, and ALTERNATIVES TO THE RECOMMENDED FIXES which are sometimes just as secure as the recommended fixes.

I am NOT in any way claiming that I am the best security person out there. Information Security is NOT my area of expertise, and I don't claim that it is. That being said, I am not clueless, and I am capable of having an informed discussion on the subject. There are people who are drastically more qualified than I am on the subject. No question about that. But Information Security seems to attract just a TON of people who are incredibly mean, who like to get their way, who can't defend their claims, and who actively hinder things needlessly.

Information Security is very important. But it's very important to have Information Security employees who are (1) capable, and (2) not competing for "World's biggest uncouth individual".
Malkin kick 'em in the face; taste the body
Yeah, you used to have to be smart to get into IT. Now it’s just another job.

I remember when I went to college around the time of the first dot com bust. The prof asked how many students were there because they were basically in it for the money, and about half the hands in the room shot up. It really dismayed me, a lifelong geek who just loved technology and computers and couldn’t get enough.

And sure, we still exist. But most IT folks are just there for the paycheck. Not the love of it. They’re not talented or good at what they do. They don’t care. Security is like the cops of the tech world. They like power. They pass the buck and bully.
maurvir Steamed meat popsicle
The problem is that security became a necessary cost center - a department that generates no revenue, but costs a small fortune. It is natural for the small-minded moron MBA to start hacking away at it in the name of "profit", encouraging the lowest common denominator of employee, only to be caught in the short hairs when something goes horribly wrong. It's a bit like trying to cut your insurance bill by raising your deductible above what you can afford to pay out of pocket.
ukimalefu want, but shouldn't, may anyway
[image]

and before anybody says it, that's NOT a percolator