Archive for July, 2016

Hell Hath No Fury Like an Admin Scorned

Friday, July 29th, 2016

Take a good look at this guy, because he may be potentially more devastating you your company than a major natural disaster. He is an admin, and he’s not happy about going to work every day.

maurice-moss

A network admin from Citibank was recently sentenced to 21 months in prison and $77,000 in fines for trashing his company’s core routers, taking down 90% of their network. Why did he do it? His manager got after him for poor performance.

I don’t know how the manager delivered his news, but it was enough to cause that admin to think he was about to be fired and that he wanted to take the whole company down to hell with him. Thing is, he could have done much worse.

What if he had decided to sell information about the network? What if he had started to exfiltrate data? What if he had set up a cron job to trash even more network devices after his two-week notice was over? And there could be worse scenarios than those… what can companies do about such threats?

It’s not like watching the admin will keep the admin from going berserk. This guy didn’t care about being watched. He admitted to it and frankly stated that he was getting them before they got him. His manager only reprimanded him – who knew the guy was going to do all that just for a reprimand? But, then, would the company have endured less damage if it had wrongfully terminated the admin, cut him a check for a settlement, and then walked him on out? So what about the other admins still there? Once they find out how things work, they could frown their way into a massive bonus and we’re heading towards one of those extremes I mentioned.

So what does a manager do with a poorly-performing employee that’s about to get bad news? Or an amazingly good employee that nobody (including him) is about 10 minutes away from an experience that will make him flip out? Maybe arranging a lateral transfer for the first guy while everyone changes admin passwords during the meeting… but the second guy… there was no warning. He just snapped.

Turns out, good managers don’t need warnings. Stephen Covey wrote about the emotional bank account, and IT talent needs a lot of deposits because the demands of the job result in a lot of withdraws. A good manager is alongside her direct reports, and they know she’s fighting battles for them. That means a great deal to an employee. I know it’s meant a great deal to me. My manager doesn’t have to be my buddy, but if my manager stands up for me, I remember that.

Higher up the ladder, there needs to be a realization in the company that it needs to pay the talent what it is worth. I’ve known people that earned their CCIE, expected a significant bump in pay, and got told that company policy does not allow a pay increase of greater than 3% in a year. They leave the company, get paid 20% more to work somewhere else for a year or two, and then their former employer hires them back for 20% more than that. By that time, though, they’re now used to following money and not growing roots to get benefits over time. By contrast, maybe a 20% bump – or even a 15% bump, maybe – could have kept the employee there.

What are the savings? Not just the pay. The firm doesn’t have to go through the costs of training someone to do the job of the person who’s left. The firm retains the talent, the talent is there longer and now has a reason to try to hold on to those benefits, and there’s a sense of loyalty that has a chance to develop.

If an employee has a sense of loyalty, feels like compensation is commensurate with skills, and has a manager that fights real battles, that employee is better able to ride out the storms of the job and not snap without warning. If that manager has to encourage an employee to do better, maybe then he’ll try harder instead of trashing all the routers.

There may be no way to completely prevent these damaging outbursts from happening, but the best solutions for people’s problems aren’t technological. They’re other people, doing what’s right.

Republican Party: Ur DOIN IT WRONG

Wednesday, July 27th, 2016

Well done, Rince Priebus. The chairman of the Republican National Committee (RNC) said, “Maybe our folks are better at securing our e-mail and our cloud and our data than the DNC. I don’t know what the answer to that is, Andrea, but at this point, we haven’t been hacked… but, I can assure if someone hacked my e-mails, they wouldn’t find me calculating against particular candidates and it’s not something that I would do.”

He could have saved some effort by simply saying, “We are pleased to announce a hackathon, starting now, directed against the RNC servers. While I doubt I have anything embarrassing on them, please feel free to share whatever you find with public sources of shared information including, but not limited to WikiLeaks, Pastebin, and an open Dropbox folder.” Or, for the even shorter translation that would produce the same invitation as in the above two comments: “ALL UR h4x R WEAKSAUSE!!!!@!~~~!!~~~!!!!111!!!eleven!!!”

Organizations need to have some defined style codes and talking points when representatives are speaking about security issues. Foremost among such codes and points should be an admonition to not tempt fate by declaring invulnerability to attacks or by saying there’s nothing worth finding on one’s network. Now, the people already attacking the RNC network are about to be joined by other, previously unmotivated individuals who now, out of a sense of curiosity or self-righteousness, are going to see if the RNC’s servers are indeed better secured and/or have nothing of value on them. Such information would then be shared, most likely on one of the Internets or maybe even a website, because Internets and websites are things hackers will use in their cyber.

I wrote that last sentence in jest, but it pains me to think that there are people in the RNC as well as the DNC, and a number of other organizations, that would have taken notes on that sentence if I presented it to them in a PowerPoint. I would then be asked follow up questions to clarify what is meant by “Internets”, “websites”, and “cyber.” Internet security is so much more than just looking both ways before crossing the street. It also involves not standing defiantly in the intersection while yelling “COME AT ME, BRO!” to approaching drivers.

Come to think of it, that would make another really cool slide. If you’re in the RNC or DNC, call me. I got a slide deck that will open your eyes!

This News Just in…

Friday, July 22nd, 2016

If you’re an infamous person that the government is out to get, don’t use iTunes. Or Facebook. The guy supposedly in charge of Kickass Torrents used both, his IP address for iTunes matched the IP address for editing his website’s Facebook page, and it was all over for him. He would seriously have benefited from adversary-resistant computing and adversary-resistant networking.