Yesterday, Kevin D. Clark gleaned this insight:
>
> Jerry Feldman writes:
>
> > In an engineering
> > environment, the engineer frequently needs to test on his/her own
> > system. Many times there is a need for the engineer to have the ability
> > to reconfigure the system as necessary without bothering the system
> > admin people.
>
> Let me just chime in and agree with Bob and Jerry here.

Yeah, anyone responsible for developing products, and not responsible for
the security of the network will chime in here. It's not your job to
worry about security, so you don't.

We do.

Basically, you're only concerned about your little corner of the world (or
the company or whatever). The fact remains, there are ways around ALL of
the issues you have all raised. They do not make your job impossible, but
they assuredly make it less convenient. If you need security, that's
tough cookies. And my personal opinion is, if you're connected to the
outside world in any way, then you DO need security.

Ultimately, it's up to the company's management to decide what level of
security they require. If the desired level is high (as with shops like
Raytheon), you simply will have to live with it, or work somewhere else
that doesn't care about security.

But you can't tell me it can't be done, because there ARE shops that
ALREADY work this way, EVERY SINGLE DAY.

> In my world, the sysadmin staff are busy running the network and
> keeping servers up and running.

This is either because of bad management or a bad sysadmin team. Once the
servers are up and running, they should not require much maintenance.
Tools should be in place to automate maintenance. So either you don't
have enough sysadmins (bad management), or they don't know how to do their
jobs.

We're always busy, definitely, but we always make time for users'
requests, except for crisis mode, which SHOULD be very, very rare. If
that's not the case in your shop, then something is wrong.

> If an engineer needs help maintaining his or her system, he or she can
> ask the sysadmin staff for help. But in general, engineers do most of
> their own sysadmin work on their own development systems.

That's fine, but as I've already said, development systems don't get
access to network resources. The sad fact is, no matter how trustworthy
YOU may be, the users as a whole can not be trusted. You have no idea who
is going to screw you, so YOU TRUST NO ONE.

> The only caveat I should mention is that the sysadmin staff pretty
> aggressively says to the engineering staff "don't hose the network".
> This means "don't kill the backbone routers" and "don't attach a modem
> to your system and compromise security" and "don't mess with the
> firewall".

That's great, but it overlooks the fact that most security problems are
INTERNAL. Disgruntled employees, company spies, and the like.

No offense to anyone, but the only thing you all have demonstrated to me
is that you have no concept of what data security means and how important
it is to your company. Or at least should be. Companies lose MILLIONS
over this stuff every year. All because the engineers don't want to be
inconvenienced, or because managers don't understand how easy it is to
compromise your network, and just exactly how easy it is to get at your
data and copy/sell/destroy it.

Don't believe me? Just ask Kevin Mitnick. Or go to the web or the
library and read up on it yourself. The documentation is all out there.

Have root on your machine? That should SCARE you. Seriously. It scares
me sometimes. I can take my company down hard in seconds, with a typo.
How screwed do you think I would be then? Pretty screwed.

I think this is one class that should be taught in all freshman computer
science programs, cuz no one gets it. The Net ain't a friendly place
anymore... the honeymoon's over.

--
PGP/GPG Public key at http://cerberus.ne.mediaone.net/~derek/pubkey.txt
------------------------------------------------------
Derek D. Martin | Unix/Linux Geek
[EMAIL PROTECTED] | [EMAIL PROTECTED]
------------------------------------------------------