Survival of the WTFest



  • I'm an IT guy, I've always been an IT guy until this last year. I've climbed my way up from selling hardware to software development via building, repairing, cabling, installing and sysadmin. I've ranted about this before and how when I got this job doing testing it was a little strange, the whole reason I got this job was because I wrote them some software so I thought I'd end up doing that or the sysadmin thing again.


    Anyway, the regular IT guy is on holiday so the boss asks me to cover. I'm happy to do this because A. I'm more comfortable doing the job I'm most familiar with and B. I'm getting paid extra for it.


    Last Friday afternoon I track the regular IT guy down about ten minutes before we close up for the day and try and get a little help, he is a mechanical engineer by trade (yes I know, nobody in this company is tasked with doing the job they are best suited to, that's manglement for you!) and the IT thing is his way of keeping the company by the balls, it's basically empire building and making himself invaluable.


    I'm asking simple questions like "Are there any common problems I should watch out for?", "How do you manage your backups?", "Please provide me with a domain administrator account." etc.


    Long story short, I had to ask him for a lot of things that should be written down in the safe. I have made the point to the higher ups, "What would happen if this guy suddenly died and took all his passwords with him?"

    So he runs me through a few basic things, shows me how he handles his backups but won't give me a domain administrator account or control over our Google apps. He isn't prepared to relinquish that much power and besides "You won't need that." (Because of course users never do things like, forget their password or want software updates installing.)


    Fortunately he didn't have to because his systems are about as secure as a cheap wall safe, inch thick front, tin foil back.


    The WTFery started when I was running nmap past our own network, because there is no inventory of kit connected or map of what goes where, my first day consisted of this and snooping around the back of the racks.

    Side WTF: Because of the 'thick front', ordinary users quite rightly have very little access to their own machines, to install and run tools like nmap unimpeded I have to boot from a CD and give myself admin rights. Side-side WTF: Yes despite locking down the OS he hasn't even put a BIOS password on anything.

    Anyway, when I'm done scanning our own network I find an XP box with a VNC server, a VNC server with no password. On connecting to it I find it is left logged in and unlocked 24/7 running a bunch of scheduled tasks, logged in as domain.com\administrator

    A couple of clicks in dsa.msc and wadya know, I'm a domain administrator!


    Then there was a similar incident involving the wifi network, it has no authentication, it's just a network with a key but guess what, nobody knows the key. I had to find an XP machine which had already been given access so that I could drag the key out of the registry.


    I can't decide if the WTF is that I was asked to look after IT and not even given the basic knowledge required, that I even had to ask because simple things like a list of passwords and a diagram of our systems do not exist, that I had to essentially hack into our own kit to fix basic day to day IT problems for the aforementioned two reasons, or that it was so easy when I did.


    The guy seems to have secured the things people see every day, which I imagine serves two purposes when the MD gets 'access denied', firstly he thinks "Wow ITGUY has got our system so secure not even I can mess it up!" and secondly he has to call in ITGUY to fix it making him seem invaluable.


    But in reality the only thing that has prevented disaster so far is obscurity and luck, I mentioned to a co-worker that we are only a compromised device away from industrial espionage or a disgruntled employee away from a disaster and I'm told "Oh that already happened. A few years back ITGUY really fancied this girl in sales and he was sending her some pretty raunchy emails even after she made it clear she wasn't interested, she complained up the chain about him and the same day the mail server suffered some sort of mysterious disaster and we lost all of our emails."


    Yeah that's right, this guy was harassing the female staff and was on the brink of getting fired for it when coincidentally all the evidence required to seal his fate is destroyed. I think everyone connected the dots but what could they do about it? There was also no evidence that any foul play was involved in the mail server incident because the only people who could have proved that would be the IT department, he is the IT department!



  • And this is why I love using archives in Outlook. Mail server gets completely wiped clean, my archive is still in business.



  • @EncoreSpod said:

    Yeah that's right, this guy was harassing the female staff and was on the brink of getting fired for it when coincidentally all the evidence required to seal his fate is destroyed. I think everyone connected the dots but what could they do about it? There was also no evidence that any foul play was involved in the mail server incident because the only people who could have proved that would be the IT department, he is the IT department!

    What could they do about it? Fire him because he is not doing his work properly. The mail server should have been backed up.



  • To be honest I wouldn't worry too much about the last bit, I mean, like the old song goes, believe half of what you see and none of what you hear. That story I got told supposedly happened before I started at the company and could well be complete bullshit/exaggeration.

    You have valid points though, archives could have existed and backups should have existed which does make it a lot less believable.... but then, seeing the way things are set up now, call me cynical but I can kinda imagine it happening and him getting away with it

    I'll never know for sure, I just cite the example I posted: Everyone else in the company is so computer illiterate and he is such a bad sysadmin that I got domain admin rights because he left a box logged in as the default domain admin accessible via VNC with no password. He didn't even rename the administrator account and I don't know if that was because he's a f00l or because he feels so safe that no-one knows how to check that he just didn't have to bother. I assume it's the former.

     



  • And if you want to experience some fun office political WTFs find the highest boss you can reasonably get a hold of and report your findings of the IT guy's incompetence. It would not surprise me if that boss then reports you to HR for hacking their system.



  • @Anketam said:

    And if you want to experience some fun office political WTFs find the highest boss you can reasonably get a hold of and report your findings of the IT guy's incompetence. It would not surprise me if that boss then reports you to HR for hacking their system.

     

     

    Yeah true, I get what you're saying. ITGUY hasn't survived because he is any good at it, he's survived because he is good at social stuff. Is too true. If I really tried to make a difference, all I'd do is really make myself homeless.

     

     



  • @EncoreSpod said:

    The guy seems to have secured the things people see every day, which I imagine serves two purposes when the MD gets 'access denied', firstly he thinks "Wow ITGUY has got our system so secure not even I can mess it up!" and secondly he has to call in ITGUY to fix it making him seem invaluable.
     

    That's bad security. Security is about preventing access to unauthorised parties. It's not about preventing access to anyone - authorised or not. If you put a lock on something, you should also ensure the right people have keys. He's missed the last bit out, and it's impacting upon business productivity.

    @EncoreSpod said:

    she complained up the chain about him and the same day the mail server suffered some sort of mysterious disaster and we lost all of our emails."

    That's okay, because during her complaint she produced evidence (like printouts of emails harassing her) to support her claims, right?

    And secondly, how come nobody pressed him into recovering those lost emails from backups? Didn't anyone enquire the possible outcomes should your company suffer a catastrophic server failure? Explaining away that some mails "have been lost" is simply highlighting his incompetence.



  • @EncoreSpod said:

    ITGUY hasn't survived because he is any good at it, he's survived because he is good at social stuff.

    .. and that his practices are accepted by the powers that be. Keep your head down and your lip buttoned, and you're only contributing to the problem.

    @EncoreSpod said:

    If I really tried to make a difference, all I'd do is really make myself homeless.

    Not quite. If you tried to make a difference and it didn't work out, then you'll probably make your position untenable with your current employer, but that won't make you homeless. Not looking for another job once you've left that one will.

    You've got to ask yourself the simple question: how long are you going to stay in a job surrounded with WTFs that - for political reasons - you don't want to upset? People like $ITGUY cost organisations a helluva lot of money in their incompetence and underhand practices - money that could have gone to benefiting others in the firm, including pay raises.

    Someone that doesn't provide value into a firm can only cost it.



  • @Cassidy said:

    You've got to ask yourself the simple question: how long are you going to stay in a job surrounded with WTFs that - for political reasons - you don't want to upset? People like $ITGUY cost organisations a helluva lot of money in their incompetence and underhand practices - money that could have gone to benefiting others in the firm, including pay raises.

    Someone that doesn't provide value into a firm can only cost it.

    I've gotta second that one. There's no reason to be worried that you'll be out of a job... for the simple reason that you're GOOD at your job. You just got this job, and you'll get the next one!

    I promise you, your bosses will be happy to have someone who finally makes sense and doesn't try to do a snow-job on them, with ham-fisted attempts at jargonizing everything. As you most aptly put, creating an inch-thick front door with a tinfoil back-door is pointless, yet it happens all the time. Our outgoing uber-admin (who did the same things as your guy) wouldn't let wi-fi devices talk to wired devices (for security reasons of course), yet at the same time he personally wrote a website that was vulnerable to SQLI and ran as the domain admin...

    If you can, bring down as much organizational scrutiny on this guy as possible, and burn his ill-gotten empire to the ground.  It's not that hard, and is immensely satisfying to see them crash and burn. People like that don't last long. Especially if you've got the skill to uncover what is nothing more than modern-day quackery.



  • @caffiend said:

    If you can, bring down as much organizational scrutiny on this guy as possible, and burn his ill-gotten empire to the ground.  It's not that hard, and is immensely satisfying to see them crash and burn. People like that don't last long. Especially if you've got the skill to uncover what is nothing more than modern-day quackery.
     

    I would advise caution if planning this route, if only for the fact that whilst the Quack may not exhibit a high level of security knowledge, he does already have a great deal of business knowledge and could easily leave the systems in such a shit state to make management regret firing his useless arse.

    @caffiend said:

    for security reasons of course

    I always challenge what people mean by that: if only to clarify what kind of security they are adding, what they seek to prevent and what perceived threats exist.

    Often "security reasons" is a FUD way of hand-wafting away further discussion. Unless the actual reasons can be explained to show evidence that a proper threat assessment has been conducted to provide a framework for containment measures then I'm afraid I have no confidence in these "security reasons".



  • You mean someone actually ensuring they can't be suddenly made redundant at short notice by making themselves irreplaceable?

    Any sensible person protects their job if they can and doesn't start to reveal all until he has found elsewhere to go.

     



  • @Cbuttius said:

    Any sensible person protects their job if they can and doesn't start to reveal all until he has found elsewhere to go.
     

    Any idiot that makes themselves irreplaceable also finds their promotional prospects (and holiday approval) limited.

    The sensible ones work in such a way that if they were made redundant today, they could pick up another position tomorrow.

    Those that tend towards irreplaceability tend towards niche skillsets or business knowledge that - not only means very few people can do their job - but they can do very few jobs other than their current position.

