Equifax announces "retirement" of the IT execs who presided over the mass-doxing of America

They didn’t merely forget to encrypt; it’s not that simple. They either neglected to properly fund security, accepted inadequate funding from their management, or mismanaged the funding they received.

Yeah, I’ve worked for two large firms with physical security standards for equipment. Screensavers with passwords kicked in after a minute of inactivity. If someone walked by a workstation and could see information on a screen (other than the screensaver or a login prompt) the person working there would be written up. Two strikes and you would be out of a job. In places with forms, there could be nothing left on top of a desk or in an unlocked drawer.

Those were firms where they didn’t treat IT staff like janitors. Instead, they were worried that the janitors could see the data IT was working with. Those policies were enforced by management in companies dealing with far less sensitive data than in this most recent incident, too.

Though I did work in a place where the guy in charge of security thought that being a dick would make everything secure.

Also, when you have incompetent managers, firing them is the right way to go.

I’ve only once worked in a high security environment for a temporary assignment and it was the most miserable thing I’ve ever done. It’s like trying to get real work done while underwater.

I admire the institution that cared enough about security to do it right, but dear God I can’t imagine how they manage to retain any high productivity employees.

I was going mad in a week, much of which was spent waiting for three other branches to complete clearance and permissions before I could touch anything. (And programming without access to Stack Overflow? There’s another 10% drop in productivity…)

They’re doing it wrong then. Why have you in the building if you haven’t been cleared? Security of that nature should be invisible up to the point when they decide they don’t want you for some reason.

Though I do agree that googling for solutions is a terrible risk. It’s too easy to paste something critical into a browser.

You’re right - it does take some getting used to. After the initial shock and learning to deal with really dull edge technology (two steps behind cutting edge, y’know, for safety), it really lowers your stress level. Moving to that after working for start-ups where everyone was tearing their hair out was a relief. I did not miss trying to keep up with patches needed to plug holes in the latest and greatest OS/development tool/productivity software!

Retired. Like the replicants in Blade Runner?

Sadly, I’m really the wrong personality type for that. I’m not psychologically capable of leaving something as “someone else’s problem”, even when it’s “someone else’s problem”. I just get more stressed, unlike my coworker who understood the limits of her responsibilities (and fulfilled them admirably) and will probably live a great deal longer because of that.

It doesn’t help that I was a contractor brought in because something needed to be done by a certain time. Period. And you can’t really ask employees to put their life on hold for the few months to just get it done, regardless of the obstacles. (I wrote a lot of simulators for missing pieces of hardware and software…)

This means I’m constantly looking for work-arounds to short-circuit things that keep me from getting things done.

And of course, in a high-security environment, you don’t take those shortcuts or creative endeavors.

Which means you lose days because the documentation didn’t come with the software, and you have to google from home and transcribe the needed information on paper. Or the database holding your credentials goes down. Or your contract renewal didn’t reach one of the four authorities that needed to know, etc., etc.

It’s why I vastly prefer to work in non-production environments. They may get annoyed if you reverse engineer the master keys in the HSM in order to build accurate simulators (Why refuse to tell us the test keys? Why?), but security is not going to be compromised.

Anecdote time. I once worked at a conservatory school. The admin staff (like me) were mostly former or failed artsy types. The faculty were, of course, performers in their respective instruments. Ditto the students.

There were four full-time IT people. Every single one of them had a music degree (not from us) that focused on piano performance. I’d make the obvious jokes about transferring keyboard skills, and they’d just blink at me and tell me that it would be weirder, by IT standards, if they didn’t have at least ten years of serious piano study.

That was 20 years ago, so the situation may have changed, but the point is that your undergraduate major isn’t a contract of indenture. If they’re incompetent 20-40 years after college, don’t blame their undergraduate major. Blame them, or the idiots who hired them with no experience.

Whoa, that environment sounds really frustrating! You make me appreciate the projects where we had enough time to make sure we had what we needed in advance (or enough flexibility in the plans to cover unexpected setbacks). I’m surprised that you’re working with such a distinction between contractors and employees. Having been both, I’ve never met a manager who didn’t put all hands on deck to meet a deadline!

Have they ever retired a human by mistake?

Can’t fault the music degree. There is no degree in Computer Security, or at least there wasn’t when a C-level would have been in school. That’s something that has to be learned from experience. But a lack of experience - yeah, that’s a fault.

It points out a clash though. If you just take your top-notch computer security person and promote them to management (where they have no competence) then you lose. If you instead hire someone who’s good at management but knows little or nothing about what they’ll be managing, then you lose.

Time for companies to learn that people need to be cross-trained or trained up to management. Of course, companies hate to pay for training and the workers are too busy working to train for new things.

I love that one. And yes, we’ve all done it. The stories are great, partly because the person telling it had to solve their problem while completely flipping out. :grin:

I’d bet money it was set up by the marketing department (they love to buy new domains that they can control and hate to set things up on a company’s own site). And whoever had to do it knew that they needed IT to make portions of it work, but that couldn’t be coordinated in time and IT was too busy dealing with the breach and fallout therefrom. They had no choice but to deploy knowing that it wouldn’t work. To whoever was in charge, it would’ve been nice if it’d worked, but that didn’t really matter. They can blame the in-house techs or outsourced agency if it doesn’t work and still get a gold star for having the idea and making it happen so quickly.

True but it’s necessary, especially when dealing with third-party libraries/frameworks/etc. The best way to avoid trouble there is to make it so that those critical things (like database credentials) are things that you never need to copy and paste so they’ll never accidentally be in your clipboard.

Aside from that, it’s very easy to copy something and then accidentally right-click on the wrong window and paste a bunch of stuff into a command line terminal and then have to figure out what it might have accidentally done. That can be worse. But the work can’t be done if you ban command line terminal use.

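The warning a few posts up about pasting something critical into a browser and the point just above, that credentials should never need to pass through the clipboard, come down to one control: check what is about to leave the machine before it goes. Below is an added example of such a pre-paste guard in Python; it is not code from anyone in this thread. The pattern set, the entropy threshold, the function names and the sample clipboard text are all my own constructions and would need tuning for a real environment.

```python
"""Pre-paste guard: scan text for credential-like content before it is
pasted into a browser, chat window or search box.

Added example, not from the thread. Patterns, thresholds and the sample
text are constructed assumptions; tune them to the credential shapes
your environment actually issues (cloud keys, connection strings, bearer
tokens)."""
import math
import re
from collections import Counter

# Each pattern names a 'secret' group: the fragment that must never leave the box.
PATTERNS = {
    # scheme://user:password@host  (database and message-queue URLs)
    "url_password": re.compile(
        r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:(?P<secret>[^\s@/]+)@", re.I),
    # key = value assignments from .env files, configs and shell history
    "assignment": re.compile(
        r"(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*"
        r"['\"]?(?P<secret>[^\s'\"]{6,})", re.I),
    # PEM private keys: the header alone is enough to refuse the paste
    "private_key": re.compile(r"(?P<secret>-----BEGIN [A-Z ]*PRIVATE KEY-----)"),
}

# Long tokens with no known shape: flag on character entropy (bits per char).
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_-]{20,}")
ENTROPY_THRESHOLD = 4.5  # assumption: random base64/alphanumeric keys sit well above this


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def scan(text: str) -> list:
    """Return (finding_kind, secret_fragment) pairs for everything that looks like a credential."""
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            findings.append((kind, m.group("secret")))
    for tok in TOKEN_RE.findall(text):
        if shannon_entropy(tok) > ENTROPY_THRESHOLD:
            findings.append(("high_entropy_token", tok))
    return findings


def redact(text: str) -> str:
    """Replace every detected secret fragment with a marker; longest fragments first
    so a short fragment that is part of a longer one is covered by the longer replacement."""
    for kind, secret in sorted(scan(text), key=lambda f: -len(f[1])):
        text = text.replace(secret, f"[REDACTED {kind}]")
    return text


def safe_to_paste(text: str) -> bool:
    """True only when nothing credential-like was found."""
    return not scan(text)


# Constructed sample of what might sit in a clipboard right before a web search:
# a .env line plus the error it produced. The password is made up.
SAMPLE = """\
DATABASE_URL=postgres://app:S3cretPw@db.internal:5432/prod
Traceback (most recent call last):
  psycopg2.OperationalError: FATAL: password authentication failed for user "app"
"""

if __name__ == "__main__":
    for kind, secret in scan(SAMPLE):
        print(f"blocked paste: {kind} -> {secret!r}")
    print(redact(SAMPLE))
```

Wire `safe_to_paste` or `redact` into whatever sits between the clipboard and the browser (an editor plugin, a clipboard-manager hook, a pre-send filter on the team chat bot). The entropy check deliberately errs toward silence: a 32-character hex token has at most 4.0 bits per character (16 symbols) and will not trip the 4.5 threshold, so add an explicit pattern for every credential shape you actually issue rather than relying on entropy alone. The better fix, as the post says, is to load secrets from the environment or a secrets manager so they are never in a buffer to begin with.
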
Well, it’s the usual case: deal gets arranged for customer with an end date (often specified by external factors). Then the customer’s bureaucracy prevents them actually signing off until 3 months after the project was supposed to have started. However, the final deadline doesn’t change.

Instant crisis.

So, the company throws in a contractor or two who will “get it done”. Unlike the full time staff, the contractors get paid by the hour (no overtime rates, but still). So the deal is I’ll put in as many hours as necessary to deliver, but the company will pay for those hours.

And hey, that’s why I got hired as a contractor, so I’m not going to complain. (Sadly, you really only get rich as a contractor being a serious expert in some rare field. I simply learned fast.)

Anyway, I went full time once I reached 55. When you’re 45, it’s kind of fun (if a bit scary) going into each job with no knowledge of the hardware, language, and procedures for this particular project, knowing you have 2-3 weeks to learn enough about the system to start being productive. But eventually my brain finds it harder and harder to pick up stuff on a dime. (Well that, and I’m starting to hit projects where the necessary knowledge didn’t have a straight mapping to my mid-80’s education.)

Eventually it’s nice to actually be able to rely on previous knowledge and actually even better, have a peer or three to consult with.

Anyway, if your employer manages to have at least some projects where they didn’t start in crisis and then get worse, I’d stick with them. I’ve heard of such companies, but never seen any in practice :-).

No no, you’ve got that backwards - you sell the stocks just before the breach is public, not after :>

Edit: wait you said discovered, sorry my brain processed that as “became public knowledge”, which is clearly not what you meant.