[Techtalk] hacked on solaris

[Caitlyn Martin]

Hi, Kai, and everyone else,
> 
> I've heard lines like that before. They generally mean that the
> company explicitly told the admin *not* to take the time to properly
> secure the network, because "it would cost too much".

Yep.  One of the scientists we were supporting actually said "We do
science, not security."  After they were hacked the second time and
security was being forced down their throats I was actually told by one
of my users, "Caitlyn, since you started working here our jobs are
harder and that is just not acceptable".  I felt like telling the idiot
that I wasn't the one who hacked his systems, but I held my tongue.
> 
> The thing that really burns me up is that, when the system gets
> cracked and the company's Web page reads "j00 hAv3 b33n 0wnZ0r3d by mY
> sKriPt kiDDi3Z klUb!!!", at least one or two managers in the company
> will try to blame the admin for not taking enough precautions. The
> admin pointing out (generally somewhat forcefully) that s/he was
> explicitly told not to do that is usually enough to save his/her job.

Our company knew who was responsible.  I actually won an award for my
recovery efforts and efforts to put in proper security.  Our customer (a
government agency) tried to blame us, of course.  
> 
> But what about the person who stopped the admin from securing the
> system? How come *that* person never winds up under the gun? 

Because they are the customer/VIP and they are always right.

> I'd really love to see 
> the people who clamor for the admin's head on a platter turn some of
> that politicking ire against the one who was *really* responsible for
> the system's vulnerability. But somehow, it never seems to happen.

It's much easier to blame IT, a department that generally isn't well
liked in most places.

It is so nice to be working in a company full of geeks where they know
they have security deficiencies and hired me to, among other things,
really do something about it.

All the best,
Caity