I could understand his ability to muck about with the system in Hawaii, but he apparently could wander at will. I was the sysadmin at a college for the teaching systems that were used by the IT department. They were locked up like a vault because I knew damn well somebody would attempt to break in. They tried and got caught, so they stopped trying. The system was available in the lab 8am-10pm six days a week, and I had no desire to go in on my time off to babysit. We used TAs to cover the lab, and their access was only sufficient to the tasks they were allowed to perform. I liked most of them, but I wasn’t going to trust them with my Friday and Saturday nights.
It is more complex today, but damn, the tools are part of the operating system, and if you are trying to establish your credibility to advise people on hardening their systems, you have to harden your own.
Contracts run from 3 to 5 years, so people aren’t going to invest their lives in the job.
When I was in, even the cleaning crew were Federal employees and almost everyone was former military. Security and confidentiality were not a problem.
I have utilities going to track anything done as root, and I get emailed a report every morning. You can f**k with the utility’s database files, but if you do, I get emailed a report on *that* too, in real time. I have golden handcuffs going where if the company does well, I do well too, that’s how they buy my loyalty. This is just common sense, that you track everything and put only people who have a vested interest in the success of the institution in charge of critical infrastructure. But I guess common sense ain’t so common…
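The approach the commenter describes (track everything done as root, mail a summary each morning, and raise an alert the moment the audit records themselves are touched) is sketched below as an added example. It is not the commenter's own utility. It assumes sudo lines in the common syslog format, keeps the integrity manifest somewhere the audited host's root account cannot reach, and leaves the mail delivery step out; the log lines and audit records in it are constructed sample data.

```python
"""Added example (not the commenter's tooling): a daily root-activity report
built from sudo log lines, plus an append-only integrity check that flags
rewriting, truncation or deletion of the audit files themselves.
Assumptions: sudo logs in the syslog format shown below; the manifest is
stored where the audited host's root cannot modify it; emailing is omitted."""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample auth log lines (sudo syslog style); not real data.
SAMPLE_AUTH_LOG = """\
Jun 12 02:14:05 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jun 12 02:15:40 host1 sshd[2211]: Accepted publickey for bob from 10.0.0.7 port 51234 ssh2
Jun 12 03:02:11 host1 sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jun 12 03:02:30 host1 sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/rm -f /var/log/audit/audit.log
Jun 12 04:00:00 host1 CRON[3001]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sudo:\s+(?P<user>\S+) : "
    r".*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# Root commands mentioning these paths are mailed at once, not in the morning report.
SENSITIVE = ("/var/log", "/etc/shadow", "/etc/sudoers")


def parse_root_actions(log_text):
    """Extract sudo invocations whose target user is root."""
    actions = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m and m.group("target") == "root":
            actions.append({"ts": m.group("ts"), "user": m.group("user"), "cmd": m.group("cmd")})
    return actions


def urgent_alerts(actions):
    """Root commands that touch a sensitive path; these would be mailed in real time."""
    return [a for a in actions if any(p in a["cmd"] for p in SENSITIVE)]


def daily_report(actions):
    """Plain-text summary of root activity per user, as it would be emailed each morning."""
    by_user = {}
    for a in actions:
        by_user.setdefault(a["user"], []).append(a)
    lines = [f"root actions: {len(actions)} total"]
    for user in sorted(by_user):
        lines.append(f"  {user}: {len(by_user[user])}")
        lines.extend(f"    {a['ts']}  {a['cmd']}" for a in by_user[user])
    return "\n".join(lines)


def build_manifest(paths):
    """Snapshot each audit file: SHA-256 of its bytes and its length at snapshot time."""
    manifest = {}
    for p in paths:
        data = Path(p).read_bytes()
        manifest[str(p)] = {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
    return manifest


def check_manifest(manifest):
    """Audit files are append-only, so the recorded prefix must still hash the same.
    Growth is fine; a shorter file, a changed prefix, or a missing file is an alert."""
    alerts = []
    for path, rec in manifest.items():
        p = Path(path)
        if not p.exists():
            alerts.append(f"MISSING {path}")
            continue
        data = p.read_bytes()
        if len(data) < rec["size"]:
            alerts.append(f"TRUNCATED {path}: {rec['size']} -> {len(data)} bytes")
        elif hashlib.sha256(data[: rec["size"]]).hexdigest() != rec["sha256"]:
            alerts.append(f"REWRITTEN {path}: snapshot prefix no longer matches")
    return alerts


def demo_tamper_detection():
    """Run check_manifest against legitimate growth and three kinds of tampering (constructed data)."""
    original = b'type=USER_CMD msg=audit(1718158445.001:1): uid=1001 comm="systemctl"\n'
    with tempfile.TemporaryDirectory() as d:
        audit = Path(d) / "audit.log"
        audit.write_bytes(original)
        manifest = build_manifest([audit])
        results = {"untouched": check_manifest(manifest)}
        audit.write_bytes(original + b'type=USER_CMD msg=audit(1718158500.002:2): uid=1001 comm="cat"\n')
        results["appended"] = check_manifest(manifest)
        audit.write_bytes(original.replace(b"uid=1001", b"uid=0000"))  # same length, scrubbed content
        results["rewritten"] = check_manifest(manifest)
        audit.write_bytes(original[:16])
        results["truncated"] = check_manifest(manifest)
        audit.unlink()
        results["deleted"] = check_manifest(manifest)
    return results


if __name__ == "__main__":
    acts = parse_root_actions(SAMPLE_AUTH_LOG)
    print(daily_report(acts))
    for a in urgent_alerts(acts):
        print("ALERT:", a["user"], a["cmd"])
    for state, alerts in demo_tamper_detection().items():
        print(f"{state}: {alerts or 'ok'}")
```

The prefix-hash check is what makes the second half of the comment work: an append-only log is expected to grow, so the manifest records the length at snapshot time and only the bytes up to that length must still match; any edit, shrink or removal of the file trips the real-time alert while ordinary logging does not. The manifest is only useful if it lives where the root account being watched cannot rewrite it.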