Sad to say, that’s still how government IT works 🙁.
Badtux’s last blog post: Hmm, he don’t like Dick Cheney
Those are the state requirements, not even considering any Federal requirements.
One year budgets, locked accounts, and no local flexibility makes for a totally screwed-up non-system. Charter schools have none of these restrictions, and people wonder why they look more efficient on paper.
Now, granted, you have these kinds of issues in private enterprise too. But you don’t have the politicians and outside special interest groups involved in that case, just the normal internal politics. In private enterprise, you could share a student database server between school lunch and special education without a problem, each department would simply get invoiced by the IT department for the IT services involved, shuffle the money in their budget, and so it goes. With government you’d end up having to do a RFC, RFB, bid, bid response, blah blah blah *plus* you’re guaranteeing an audit by the Feds that’ll chew up even more time and money to guarantee that not one dime of special ed money is benefiting free lunch and vice-versa, to the point where it’s cheaper just to buy a second server for special education rather than to share one with school lunch (especially considering the manpower shortage that most government IT bodies have, where there’s not enough people to handle all normal responsibilities, much less any added ones like putting together bids). And all this despite the fact that the money for both comes from the exact same damned place…
Like I said, I am *so* glad to no longer have any involvement in government IT.
Badtux’s last blog post: Dr. Doom: We’ve probably averted a total collapse
Yeah, they have the same stupid segregation of funding in Florida, which makes government services more expensive. Coupled with the rules against government agencies competing for contracts, this is guaranteed to increase costs.
In hurricane country I would co-locate the server farm with the emergency management center so you only have to build a single hardened structure with back-up power and satellite communications capabilities.
I keep thinking like a systems analyst when there really isn’t a system to analyze.
Regarding the state server farm: But Bryan, whose budget would have financed that state server farm? Will the Federal Medicaid administrative overhead grant cover hosting costs for a shared server? I mean, c’mon. You’re talking sense, but we’re talking *government* here. When I was doing school automation, the attendance system wouldn’t talk to the free lunch system because they were on two entirely different funding mechanisms and purchased by two entirely different departments from two entirely different vendors via two entirely different bidding processes. If the IT department had a server to share between the school lunch and attendance systems under the Federal rules they would have had to bid it out as if they were a private vendor, which would work only if both the attendance and lunch systems were bid out at the same time because otherwise you have IT carrying that cost and where’s the funding stream for that? Take all the bureaucratic nonsense you have to go through in any large business, and scale it up a thousand times, and you might *start* to appreciate the difficulties here of what you proposed…
Government work is just… different. I’m sure glad I’m out of that business now!
Badtux’s last blog post: Grumpy about the newspaper industry
Even a software firewall would have stopped or set off all kinds of alerts at this wholesale damage. This job required administrative privileges, and even without the hardware, you can throw up a “hedge of thorns” until the permanent fortifications get built. There are well documented ways of locking down IIS, but they seem to have been waiting for someone else to do something.
This is the problem with low bid – the same groups keep winning the bids and getting contracts even though they continue to fail. The contractor names occasionally change, but the people who profit remain the same.
It would have been cheaper and faster to build a state server farm that could be secured, and have the agencies use it just like most of the world uses hosting companies.
My reason for guessing that this was an infrastructure issue has to do with the sheer scale of the data loss. Web servers getting compromised is an everyday occurrence, but it is rare that there’s this scale of data loss on a properly designed network. The firewall between the web server and the database server keeps data from leaving the company (the database server only being allowed to talk to a small set of internal addresses and only on specific ports with specific protocols), the web proxy between the web server and the Internet only allows web requests in and out, the IDS detects any breaches of the proxy and web server long before they can somehow figure a way to worm into the database server, and in general a properly designed infrastructure just isn’t going to be utterly and catastrophically breached like this, regardless of whether IIS patches have been applied or not, and regardless of whether the application was breached or the OS was breached.
But of course government IT is done by the lowest bidder, and I know from first-hand experience how that works — underpaid peons (because lowest bidder can’t afford to pay market rates) who have little opportunity to advance their skills (because lowest bidder can’t afford to buy the latest stuff for them to play with and overworks them to keep from having to hire more people meaning they have no time to just advance their skills), and just generally second-rate work. Add in insane agencies that don’t know what they want and keep changing their minds (most budget slips come not because of the contractor, but because the contracting agency decides “oh yeah, we need this one more feature” — hundreds and hundreds of times), and the wonder is that any government IT project actually works.
Add in the fact that Virginia was one of the first states on the Internet, and like most early government attachments to the Internet assumed it was connecting to a secure government network (only government agencies and defense contractors allowed to connect to the Internet back then, remember?) and not to a hostile network susceptible to Russo-Chinese hackers and such, and thus originally every single computer on Virginia’s network *had a public IP address*, and you start to see the magnitude of the infrastructure issues Virginia faced upon the dawn of the modern Internet era…
Badtux’s last blog post: Grumpy about the newspaper industry
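The database-tier policy the two comments above describe (only the web tier may reach the database port, the database host may only initiate connections to a short list of internal addresses, everything else dropped and logged so the IDS sees it) written out as a host firewall ruleset. This is an added illustration, not configuration from the thread or from any Virginia system; the addresses, the 1433 database port and the log host are constructed assumptions, and on a Windows/IIS-era box the same rules would go into the host firewall rather than nftables.

```nft
#!/usr/sbin/nft -f
# Added example: host firewall for an internal database server.
# All addresses and ports below are constructed assumptions.
flush ruleset

define WEB_TIER   = 10.10.1.0/24   # assumed web server subnet
define ADMIN_HOST = 10.10.9.5      # assumed admin jump host
define LOG_HOST   = 10.10.9.10     # assumed syslog/IDS collector
define DB_PORT    = 1433           # assumed database listener port

table inet dbhost {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Only the web tier may open connections to the database port.
        ip saddr $WEB_TIER tcp dport $DB_PORT ct state new accept
        # Administration only from the jump host (assumed SSH port).
        ip saddr $ADMIN_HOST tcp dport 22 ct state new accept
        # Anything else is logged (feeds the IDS/SIEM) and dropped.
        log prefix "dbhost-in-drop " level warn
        drop
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        # Replies to the web tier and jump host ride on established state.
        ct state established,related accept
        # The only new outbound connection the DB host may start: syslog.
        ip daddr $LOG_HOST udp dport 514 accept
        # The database server never initiates traffic to the Internet, so a
        # bulk export over any other path is dropped and logged.
        log prefix "dbhost-out-drop " level warn
        drop
    }
}
```

Load it with `nft -f` and confirm from the web tier that the database port answers while a connection attempt from the database host outward to anything but the log host shows up only as a `dbhost-out-drop` log line.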