Saturday, November 22, 2008
Here's a little bedtime story about Life in Hinky Dink's Security World.
Back in the Old Days, when l33t H@X0Rs and scriptkidz wrote viruses just for lulz and massive IT butthurt (as well as worldwide credz) and had no clue how to make The Big Bucks pimping juicy 0day hax for e-gold, anti-virus companies used to send out newsletters enumerating newly discovered lulzware.
Back then (c. 2001-2005), people used to like to make the Security Team look bad by being better informed about such matters. We had to stay one step ahead, ready with a risk assessment at the drop of a hat. It was simple. In those days, viruses and worms travelled from East to West. Some guy in Hong Kong would go to work at 8AM, open an email, get infected, and begin the process of spewing lulz all over the Intertubes. By the time 8AM rolled around to New York City, most of Europe and Asia would be already infected and the security mailing lists would be well ahead of the anti-virus vendors (it was a funny time - all the "security experts" on those lists got hit the hardest and were generally the most butthurt of them all).
Scanning the lists and sending out local alerts became part of my job. If something was serious enough an email would be blasted to the entire IT department. Since this tended to make otherwise only mildly neurotic server room Trevs completely shit their pance and go into Full Panic Mode, it was avoided as much as possible. It was more important to keep them calm and focused. Otherwise they'd get so scared they wouldn't come back from lunch. For days (I'm not kidding).
At the very least, I would email the security team just to keep them informed. The same went for security patches and the like. It was extremely important to keep on top of things. It still is.
That was then, this is now. Anti-virus companies can't keep up with the malware anymore and they don't send out alerts (in fact, AV is hardly any defense anymore). The Security mailing lists are just short of useless. The oneupsmanship is gone, mostly because now it's all about patches and the server room Trevs hate patching. As far as they're concerned patches don't exist and they never heard anything about them.
And instead of three people in the Team, there are now nine security droids. Most of them are newbs, and will freely admit it. And with minor exceptions they appreciate the "heads up" email I - used to - send.
Everyone except His Nibbs, the Chief Security Officer.
To be fair, the CSO gets a lot of email and it causes him unbearable butthurt. It's so bad he's just now answering emails from last May (again, totally serious). In this respect he is an extremely poor communicator. I'm convinced he does this on purpose for "plausible deniability", but a large part of the problem is all his responses must be perfect in every detail, the right font, the right bullet, the right signature, pertinent hyperlinks, etc. so it takes him the better part of an hour to respond - masterfully - to a single e-mail.
It was no big surprise that the Directive came down to "Stop Discussing Things In Email". The Team didn't stop. We simply refrained from cc'ing him. This worked very well, the CSO was oblivious, and everyone was happy, until one day His Nibbs got a hard-on for a huge, steaming pile of Microsoft SHIT called SharePoint.
Then we got a new Directive, "Start Discussing Things In SharePoint".
OK, fine. I moved my "alerts'n'stuff" to the SharePoint Discussion Board. Only there was one problem: when you discuss something it sends everyone in the Team an email notifying you of the new discussion. When someone joined into the discussion, everyone got another e-mail. Net effect: no change in the amount of e-mail you received.
Frankly, this is configurable. You don't have to do it and there are other ways (RSS) to get some kind of notification. So then Mr. CSO had a Bright Idea: we would vote on whether or not to turn off e-mail notifications. The "Or Not's" won.
Honestly, I think most of the Team voted it down because the CSO was such a whiner about e-mail. (Note to CSOs who may be reading this: Democracy does not work in your favor. Whether you like it or not - and most do - you are a Dictator. So start acting like one and stop being a Whiny Little Bitch.)
After that, Yet Another Directive came down from the CSO: "Only Discuss Things That I Want To Discuss On The Discussion Board".
That immediately put an end to all discussion, all email notifications, etc. The crickets moved in and the Discussion Board promptly died. Not only did he not want to discuss anything, but the things he wanted to discuss amounted to nothing but Boring Shit. Plus he used it as a venue for new Directives, which, in his perfect and sublime mind, require no discussion. Who would dare argue with the CSO? Problem solved.
Naturally, the Team went back to e-mailing each other without cc'ing the CSO. "Fuck that noise" was the general consensus.
Noticing the Discussion Board traffic dropped down to nothing, and thoroughly annoyed by all the chirping crickets, the CSO decreed SharePoint should be expanded to include Blogs.
Therefore, New Directive: "Discuss Things I Don't Want To Discuss In Your Blog" or, more aptly, "Put That Shit Somewhere I'll Never Have To See It".
I became a reluctant, but prolific, Corporate SharePoint Blogger, starting out with a series on Why You Shouldn't Blog At Work Or Anywhere Else (there are no guidelines, no policy, no list of "Do's and Don'ts", nothing). I made certain all my blogs were simple Cut & Paste articles. No original content whatsoever, with proper attribution and a link to the original whenever possible. I don't "say" anything and I'm going to keep it that way until these bozos can tell me what kind of trouble I'm getting myself into.
So that goes on for a few days and one morning I get a call from the CSO. It seems the CFO got her panties all in a bunch about the Pentagon getting infected with a virus and he wanted to know what the Hell was going on.
"Oh," I said, nonchalantly, "DIDN'T YOU READ MY BLOG? I WROTE ABOUT THAT TWO DAYS AGO."