
Searching For Backdoors From Rogue IT Staff

CmdrTaco posted more than 3 years ago | from the i-left-you-a-present dept.

Security

WHiTe VaMPiRe writes "When IT staff are terminated under duress, there is often justification for a complete infrastructure audit to reduce future risk to a company. Here is an exploration of the steps necessary to maintain security." Of course the first piece of advice is to basically assume you've been rooted. Ouch.


328 comments


terminated under duress (1)

cmiller173 (641510) | more than 3 years ago | (#33362196)

Seems like it would make sense to simply terminate "with extreme prejudice" when getting rid of potential security threats....

Three words (4, Insightful)

pjt33 (739471) | more than 3 years ago | (#33362220)

Dead man's switch.

Re:Three words (2, Funny)

frinkacheese (790787) | more than 3 years ago | (#33362248)

It's great for a bit of extra consultancy work when you have been made redundant too. Walk out and guess what, a week later things break and you're on $1000 a day fixing it ;-)

But really, the best thing to do is to treat your IT staff properly in the first place.

Re:Three words (2, Interesting)

Ironhandx (1762146) | more than 3 years ago | (#33362390)

This.

I've worked in a highly stressful environment before where I didn't know if I was going to still have a job the next day or not. I had everything set up sufficiently complex (but still for good reasons) that if they had fired me, getting someone else to fix it would have been a nightmare and cost them a fortune, which they would have found out as soon as they tried to get someone else to go in and fix it.

Since I left on good terms I overhauled everything before I left and took out most of the non-bog-standard bits I had implemented. They ended up with a slightly worse, but fixable-in-a-pinch, system.

Had the work environment been less stressful I wouldn't have felt it necessary to go through all of the trouble, but they decided to make it that way, so I decided to build some security into my job that was otherwise nonexistent.

Re:Three words (5, Insightful)

CharlyFoxtrot (1607527) | more than 3 years ago | (#33362448)

But really, the best thing to do is to treat your IT staff properly in the first place.

This. I don't understand why it's so hard to grasp for some organizations. Pissing off IT is like telling your mechanic he's an asshole while he's working on your brakes. Sure most are consummate professionals but sooner or later you'll hit on one that isn't and then there'll be hell to pay.

Re:Three words (1)

blair1q (305137) | more than 3 years ago | (#33362832)

But really, the best thing to do is to treat your IT staff properly in the first place.

This. I don't understand why it's so hard to grasp for some organizations.

Organizations learn slowly, and often by having their cost-saving measures (aka laziness) blow up in their face, then they overcompensate and kill efficiency.

The correct answer is "trust but verify," aka "internal controls." You don't let one of your accountants sign your checks, so don't let your admins do anything without cognizance and review from another admin. Then it takes two people conspiring to screw you over, and if they both know it's better for them to catch the other screwing you over, you win.

Two words (2, Insightful)

Sycraft-fu (314770) | more than 3 years ago | (#33362408)

Prison sentence.

Seriously, trying to do something like install a dead man's switch to fuck over your employer would be the height of stupidity. Wonderful way to end up with a sentence that makes the Childs thing look lenient. While I realize that pedantic geeks think they could cover their tracks, that isn't the case. They don't have to prove it was you beyond any and all doubt, they just have to prove it was you beyond a reasonable doubt. If they can show means, motive, and opportunity, they've gone a long way to that.

Sounds like the real answer is for companies to get rid of egomaniac assholes in IT before they are in a position to cause trouble.

Re:Two words (1)

DigiShaman (671371) | more than 3 years ago | (#33362594)

I would recommend subjecting all IT staff to a psychological evaluation test. Myself included. Who wants to work with egotistical assholes? I sure don't. I love working in a non-abusive collaborative team environment.

Re:Two words (1)

Nrrqshrr (1879148) | more than 3 years ago | (#33362846)

With all due respect. Someone working in IT and with a reasonable level of sense and intelligence would probably know how to make the results look a bit more... satisfying? Psychology tests are the most rigged things made to date. They work with illiterate people and rather badly raised kids; for the others, they don't work.

Re:Two words (1)

blair1q (305137) | more than 3 years ago | (#33362848)

But that's where we put the egotistical assholes to keep them out of the rest of the building...

Re:Two words (0)

Anonymous Coward | more than 3 years ago | (#33363002)

That's a personality test you're talking about. I don't know about you, but there are some people I instantly dislike; as soon as I lay my eyes on them I can't stand them. Sure, I try to behave nicely, but I simply can't stand being around them. Others feel the same, around others or around myself. It's not something you can control, and I don't think it's a reason to not hire or fire someone.

As for the backdoors and such, if I were in a position to do something like that I would resign long before I would get a chance to find out how things work. But I'll give you a few suggestions: there are certain things you do at work that happen only every few months or at the end of the year or like that; you sabotage those, insert a rm -rf /a/very/specific/file or add a script to change the date to and back again at certain intervals, so reports get messed up. Little things that make life hell, but are nearly impossible to find because you don't know they exist in the first place. Then there are always the backups: force them to restore from backup, with more treasures packed inside, or whenever they back up data you make sure it gets corrupted, not enough to be noticed, but enough to make them useless. All you need is a vivid imagination, and disregard for other people's work and feelings. If you knew he wouldn't fit in, then why the fuck did you hire him in the first place? Oh right, he worked for less than the other guys ... well, you got what you paid for.

Re:Two words (1)

dangitman (862676) | more than 3 years ago | (#33363036)

But psychological evaluation tests are almost completely worthless, so what would that achieve? Even if the tests did work, humans are not machines. People who are completely stable and sane today can easily become completely insane next week. The human mind is a very fragile thing.

Re:Two words (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33362834)

You are seriously delusional if you believe you can.....

A) Find it. Before or after activation.
B) Attribute it to a specific employee.
C) Even recognize that it was malicious and not just a bug, glitch, human error or outside attack when done properly.

You lack imagination.

Re:Two words (2, Insightful)

Peach Rings (1782482) | more than 3 years ago | (#33362878)

You could easily just badly document or fail to document passwords and configuration info and stuff. As long as you're around and working with the systems daily, everything runs smoothly. If you get fired, there's confusion with the new guy and your memory fades... it's not like they can really tell exactly what isn't a matter of the new guy not being up to speed for weeks. And you're not responsible for giving them consulting services for free after they fire you. If they can't figure out the non-standard port numbers you used, then that's their problem.

Childs took an idiotic stand where he admitted he knew the passwords and refused to hand them over. That's not the most lenient case, that's the worst case I can think of other than destroying data.

Re:Two words (1)

timeOday (582209) | more than 3 years ago | (#33362898)

Sure, it would be dumb to do. But it does happen, thus it is a legitimate security concern.

As for preventing problems by firing anybody who's going to do something wrong before they do it, good luck. Even Stalin wasn't 100%, and not for lack of trying.

Re:Two words (2, Insightful)

Requiem18th (742389) | more than 3 years ago | (#33362920)

Did you hear *woosh* over your head? That's the sound of missing that he was proposing revenge for being terminated with extreme prejudice. If you are dead, you don't have to worry about being jailed.

If they fire you without firing AT you, that's good reason to kindly warn them to remove the DMS.
All of this of course, as a joke.

Re:Two words (1)

Znork (31774) | more than 3 years ago | (#33362960)

Sounds like the real answer is for companies to get rid of egomaniac assholes in IT before they are in a position to cause trouble.

Just be careful that the company's policy for getting rid of egomaniac assholes doesn't mean fast-tracking them for management.

Of course, the downside with that might mean missing out on the next Bill/Steve/Larry level CEO material...

Re:terminated under duress (3, Insightful)

arth1 (260657) | more than 3 years ago | (#33362308)

Yeah, that will really solve the problem of time bombs and dead man's switches...

How about not disgruntling the employee in the first place?

Re:terminated under duress (1)

Mongoose Disciple (722373) | more than 3 years ago | (#33362356)

How about not disgruntling the employee in the first place?

It's a good policy and should be encouraged, because it does solve most problems. However, believing that will solve all your problems rests on the assumption that your employees are basically rational and won't do anything crazy just because. This won't always be true.

Relatively current events counterexample A: Terry Childs.

Re:terminated under duress (1)

duguk (589689) | more than 3 years ago | (#33362554)

How about not disgruntling the employee in the first place?

Relatively current events counterexample A: Terry Childs.

I would argue that Terry Childs was disgruntled, being as he had an ongoing disciplinary case.

Re:terminated under duress (1)

Surt (22457) | more than 3 years ago | (#33362838)

So the solution, clearly, is never to hire anyone who in the future might cause you to have to resort to disciplinary action.

Re:terminated under duress (4, Interesting)

bill_mcgonigle (4333) | more than 3 years ago | (#33362868)

Relatively current events counterexample A: Terry Childs

He may have bucked the chain of command, but if his employer had sat him down, said, "look, Terry, we think you'd be better off somewhere else - we're going to keep you on until you find a better opportunity, and we're going to help you do that," he would have probably said, "yeah, but you have nobody else here who can handle this thing. You're going to need to hire a firm to manage this or get some better talent on staff," which seemed to be his motivating concern. And so they probably would have done that, and nobody would have gone to jail.

Instead it seemed like a "give us the passwords and um, no you don't need to clean out your desk, why?" kind of scenario. I'm not meaning to absolve Childs of incorrect behavior, but a little Golden Rule would have gone a long way there. I think this is what the GP meant by not disgruntling the employees.

More like not keeping people who'd do that (1)

Sycraft-fu (314770) | more than 3 years ago | (#33362476)

Seriously, it takes a rather large amount of egomania and lack of respect for others to consider doing something like that. Most non-sociopathic types just wouldn't do it. They wouldn't rig up something to damage their employer just on the off chance they ever got mad. Anyone who seems to be that kind of person, well show them the door before they have the ability to cause trouble.

While I fully agree employers should be nice to their employees, treating it like a hostage situation where you can never do anything to disgruntle them, which in some cases means letting them do whatever the fuck they want, isn't realistic.

Re:More like not keeping people who'd do that (4, Insightful)

cjb658 (1235986) | more than 3 years ago | (#33362856)

As an (ex-)employee, it would be to your advantage to maintain good relations with your previous employer anyway, unless you don't plan on ever using them as a reference.

Re:terminated under duress (1)

mysidia (191772) | more than 3 years ago | (#33362708)

How about not disgruntling the employee in the first place?

I suppose this could be used against Terrorists and suicide bombers as well.

Don't make people dissatisfied with your country. Oh wait, you only have limited control of that, oh well....

Re:terminated under duress (1)

Monkeedude1212 (1560403) | more than 3 years ago | (#33362416)

I know what you're thinking, but not every company has a nuke stationed in orbit. Let's try to be practical here.

Re:terminated under duress (1, Interesting)

cjb658 (1235986) | more than 3 years ago | (#33362738)

Reminds me of a speech Ian Angell gave at Defcon. I guess a CEO of a bank there terminated and outsourced the entire IT department. A couple days later, it surfaced that he had all kinds of pr0n on his computer.

the work involved.. (5, Insightful)

Nick (109) | more than 3 years ago | (#33362202)

to audit your system under the assumption you've been rooted should happen once a year at a minimum anyway, not just when you suspect a rogue employee left on bad terms. I've worked at places that never changed passwords and I found former employee logins enabled from months ago.
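An added example (not from Nick's post or any other commenter) of the account audit this comment describes: it reads /etc/passwd and /etc/shadow style data, checks each account against a staff roster and last-login dates, and flags enabled logins that belong to nobody, have sat unused, have an empty password, or share uid 0 with root. The passwd/shadow lines, the roster, the reference date and the 90-day threshold are constructed assumptions.

```python
"""Audit local Unix accounts for logins that should have been disabled.

Added example (not from any commenter on this thread). The /etc/passwd,
/etc/shadow and last-login data below are CONSTRUCTED samples; the staff
roster, the reference date and the 90-day threshold are assumptions.
"""
from datetime import date

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
# Accounts expected to be enabled without appearing on the staff roster (assumption).
EXPECTED_SYSTEM_ACCOUNTS = {"root"}
STALE_DAYS = 90  # assumption: no login for this long deserves a look


def parse_passwd(text):
    """Map user name -> {uid, shell} from /etc/passwd-style lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        users[name] = {"uid": int(uid), "shell": shell}
    return users


def parse_shadow(text):
    """Map user name -> password hash field from /etc/shadow-style lines."""
    hashes = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            fields = line.split(":")
            hashes[fields[0]] = fields[1]
    return hashes


def is_locked(shell, pw_hash):
    """Password login is impossible with a nologin shell, a '*' hash field,
    or a hash prefixed with '!' (what `passwd -l` does)."""
    return shell in NOLOGIN_SHELLS or pw_hash == "*" or pw_hash.startswith("!")


def audit_accounts(passwd_text, shadow_text, roster, last_login, today):
    """Return {user: [reasons]} for every account that deserves a second look."""
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    findings = {}
    for name, entry in users.items():
        reasons = []
        pw_hash = hashes.get(name, "*")  # no shadow entry: treat as locked
        if entry["uid"] == 0 and name != "root":
            reasons.append("uid 0 account other than root")
        if not is_locked(entry["shell"], pw_hash):
            if pw_hash == "":
                reasons.append("empty password")
            if name not in roster and name not in EXPECTED_SYSTEM_ACCOUNTS:
                reasons.append("enabled account not on staff roster")
            seen = last_login.get(name)
            if seen is None:
                reasons.append("never logged in")
            elif (today - seen).days > STALE_DAYS:
                reasons.append(f"no login for {(today - seen).days} days")
        if reasons:
            findings[name] = reasons
    return findings


# ---- constructed sample data -------------------------------------------
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob (left in March):/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
svcbackup:x:1004:1004:backup job:/var/backups:/bin/sh
toor:x:0:0:maintenance:/root:/bin/bash
"""
# Hash fields are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$6$salt$FAKEHASH1:14800:0:99999:7:::
daemon:*:14800:0:99999:7:::
alice:$6$salt$FAKEHASH2:14800:0:99999:7:::
bob:$6$salt$FAKEHASH3:14600:0:99999:7:::
carol:!$6$salt$FAKEHASH4:14700:0:99999:7:::
svcbackup::14800:0:99999:7:::
toor:$6$salt$FAKEHASH5:14900:0:99999:7:::
"""
ROSTER = {"alice", "carol"}  # current staff according to HR (assumption)
LAST_LOGIN = {  # as `lastlog` would report it; absent = never logged in
    "root": date(2010, 8, 1),
    "alice": date(2010, 8, 20),
    "bob": date(2010, 2, 10),
    "toor": date(2010, 8, 15),
}
REFERENCE_DATE = date(2010, 8, 24)


def run_sample():
    return audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, ROSTER, LAST_LOGIN, REFERENCE_DATE)


if __name__ == "__main__":
    for user, reasons in sorted(run_sample().items()):
        print(f"{user}: {'; '.join(reasons)}")
```

On a real host the same check should also cover SSH authorized_keys files and sudoers entries, since an ex-employee's access rarely lives in the password field alone.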

Re:the work involved.. (5, Interesting)

arth1 (260657) | more than 3 years ago | (#33362444)

It's fairly impossible to audit all systems to the extent needed. You can easily burn enormous amounts of money and time doing that, and the remedies can disrupt production more than the damage the disgruntled employee would do.

There are so many ways to hide what you're doing that even rebuilding all systems isn't enough. Dangers can hide not only in backdoors, but dead man switches built in to compilers, stored procedures in databases, backups, or the Boss' PC, for that matter.

So instead of sending good money after bad, it can be immensely sensible to let things be and instead try to ensure that the employees don't leave disgruntled.

Re:the work involved.. (4, Interesting)

techno-vampire (666512) | more than 3 years ago | (#33362956)

It's fairly impossible to audit all systems to the extent needed.

If the back door is as well hidden as the one Ken Thompson [foldoc.org] hid in an early version of Unix, a complete audit of the source code and complete recompile of everything won't be enough to get rid of it. Of course, not many people are capable of pulling that kind of stunt off.

Re:the work involved.. (2, Insightful)

bloodhawk (813939) | more than 3 years ago | (#33362632)

That would be nice but is in reality completely impractical. The time and money to do such an audit properly would be more expensive than just rebuilding your entire environment from the ground up. I could effectively hide a rooted box or backdoor on Windows or *nix systems I look after such that unless you are going to strip the boxes and mount the drives on separate boxes to check the binaries, you are simply not going to find the holes.

The ONLY way to handle a suspected rooting is a rebuild; anything less is always an assumption that you're smarter at finding the exploit than they are at hiding it.

Duh... (1)

Captain Centropyge (1245886) | more than 3 years ago | (#33362214)

Considering many IT staff have full control over your infrastructure, it's good to take the cautious route of assuming they've planted a back door or some other problem. After all, they likely had the root passwords to your systems. Better get those changed ASAP!

Why? (1)

antirelic (1030688) | more than 3 years ago | (#33362446)

Why assume that the employee is a criminal? Many people get terminated because of bad relationships with their managers every single day. Very few of those people resort to criminal activities against their previous employers, even if they have the ability to do so. I suppose everyone should suspect secretaries of publishing address books, bank statements, inventories, employee social security numbers, etc., all over the internet because they had access to that information all along. How about janitors? They go through garbage. How many things don't get shredded? Perhaps every business should conduct documentation accounting practices because who knows what the janitor might know.

Seriously. This is a bit over-exaggerated. Most IT professionals have invested tens of thousands of dollars in their education and training, as well as years into a profession that doesn't really have any value outside of their relevant field. Treating every employee who gets fired as a potential criminal is stupid, and is a good sign that you do not want to work for that business. Everyone who ever works for a company has potential to cause damage to some degree... some employees more than others. But to treat your network as if that person has "rooted and back doored" it is just bad business (fairly disruptive too, considering in many cases it's best to take some systems offline if you believe they've been compromised).

But to each their own.

Re:Why? (0)

Anonymous Coward | more than 3 years ago | (#33362990)

Well, maybe you don't have to assume it's rooted, but it's nice to make sure there are no bugs or inactive accounts. It's just proper security. Sure, you can live your life and not lock your car door, but one day you might find yourself carjacked.

If I left I would expect a competent admin to revoke all my access. That's just standard procedure.

I'd say treat it like a DR drill (3, Insightful)

BobMcD (601576) | more than 3 years ago | (#33362238)

If you're seriously considering this as a possibility, I'd say treat it like a DR drill. Burn everything down to bare metal and restore only the data. It's the only way to be sure...

However, before taking my advice, I'd suggest you get your boss to sign off on it, whichever way. Present a list of options from 'ignore it' to 'burn everything' and have them pick. This way, whatever happens, you're covered.

Re:I'd say treat it like a DR drill (3, Funny)

Locke2005 (849178) | more than 3 years ago | (#33362276)

"I say we take off and nuke the entire site from orbit. It's the only way to be sure."

Re:I'd say treat it like a DR drill (1)

BobMcD (601576) | more than 3 years ago | (#33362378)

Just the movie I had in mind, yep.

Re:I'd say treat it like a DR drill (1)

Meshach (578918) | more than 3 years ago | (#33362296)

If you're seriously considering this as a possibility, I'd say treat it like a DR drill. Burn everything down to bare metal and restore only the data. It's the only way to be sure...

That seems a bit risky. I cannot see any manager worth his salt giving authorization to purposely destroy data "to see if the backup works".

Re:I'd say treat it like a DR drill (3, Interesting)

BobMcD (601576) | more than 3 years ago | (#33362366)

If you're seriously considering this as a possibility, I'd say treat it like a DR drill. Burn everything down to bare metal and restore only the data. It's the only way to be sure...

That seems a bit risky. I cannot see any manager worth his salt giving authorization to purposely destroy data "to see if the backup works".

That's because the order of operations is out of whack.

Rebuild, then cut over. Same result, less risk.

Sorry for glossing that over.

Re:I'd say treat it like a DR drill (1)

Fulcrum of Evil (560260) | more than 3 years ago | (#33362400)

You don't start with 'burn the building down'. You start with restoring to a backup set of hardware and doing basic validation, then work up to milton style DR by steps. Besides, backups are never the problem - it's the restores.

Re:I'd say treat it like a DR drill (2, Informative)

fishbowl (7759) | more than 3 years ago | (#33362604)

>That seems a bit risky. I cannot see any manager worth his salt giving authorization to purposely destroying data "to see if the backup works".

We do it routinely, but it's not chaotic or risky like your choice of words makes it sound. OTOH we have invested a lot of money and brainpower into getting the redundant system we need to have in order to fail over a production system, tear one down, build it up again, verify it and put it back into production. That costs money... and probably not something the IT manager that had to be "fired under duress" actually accomplished.

Unless you can deploy your standard configuration with nothing but the LTO tape from Iron Mountain and a charge account at your server vendor, you don't have a Disaster Recovery plan. (A fire in our facility probably takes out 4 city blocks. We seriously take this under consideration, and we do drill for it.)

Use different HW, don't change working HW (1)

perpenso (1613749) | more than 3 years ago | (#33362392)

If you're seriously considering this as a possibility, I'd say treat it like a DR drill. Burn everything down to bare metal and restore only the data. It's the only way to be sure...

To elaborate on this idea, I would emphasize that the existing and working hardware is not touched, ideally at least. Use a new/different system (your backup/spare hardware, which should be tested anyway, and isn't this a good test?) or maybe a new virtual machine. Once the OS and apps are restored from trusted sources, the data is restored, and it's verified that all is well, then replace the original hardware. Maybe the original hardware now becomes the backup/spare for the next machine to go through this process.

Re:Use different HW, don't change working HW (1)

BobMcD (601576) | more than 3 years ago | (#33362510)

Yes, definitely.

Re:I'd say treat it like a DR drill (1)

DigiShaman (671371) | more than 3 years ago | (#33362450)

Backups are easy, restores are not.

1. How do you know everything was backed up properly to begin with? Are you sure those logs are being interpreted correctly?

2. Almost all small to medium size businesses do NOT perform disaster recovery drills. Running a test restore of small data is one thing, but a full scale DR drill is quite another task entirely. If they do, it's because they have extra hardware to test them on and/or can spool up a VM. Again, we're not talking about Fortune 500 companies here with a dedicated IT department.

3. If the restore fails and data is lost, it's your ass on the line. Do you want to come in as a rookie (new hire) and suggest restoring servers from backup? Bad idea regardless what your boss thinks. As IT staff, we don't look after the network but rather the entire operation of the company. The moment the mail server goes down, that bat-line of yours will ring off the hook. Would the entire company and staff be willing to take that risk?

Re:I'd say treat it like a DR drill (1)

BobMcD (601576) | more than 3 years ago | (#33362568)

You're not suggesting any alternative that I can see. I'll just assume you're advocating the 'head in sand' approach, and assert that the new IT guy cannot afford that risk either. The boss makes the call, or you walk. Better to be job hunting than to be sacrificed when the ousted guy attacks the network, in my opinion.

To answer your concerns, however:

1) It needs testing, period. Further I'm absolutely not advocating recovering everything. Data only. Reinstall the apps and platform by hand.

2) They do not, but they should. Most, if not all, are required by Federal law to do so. Also your false dichotomy where only Fortune 500 companies have IT departments is upsetting. If for no other reason, are we not discussing a company with a dedicated IT person being dismissed and replaced? The stock trading angle is moot, and you ought to know it.

3) As others have pointed out, I left out the necessary order of operations. Build new servers, and THEN burn the old ones. I should have been more clear... And finally, when the ENTIRE PLATFORM GOES DOWN, due to the attack we're assuming will happen, will that same phone not also ring? Outages are what we're hoping to prevent...

Re:I'd say treat it like a DR drill (1)

fishbowl (7759) | more than 3 years ago | (#33362682)

>Do you want to come in as a rookie (new hire) and suggest restoring servers from backup?

I did :-)

My premise was correct: The backups that they had, were mostly useless.

One of the very first things I did was to establish a backup regime, including offsite storage, nearline rotations and so on, and every new hire in IT learns how it works, how to verify what is backed up, how it is retained, how it is restored, and how to recover a server or a workstation with one of several standard configurations.

Lost data for a single day could expose the company to regulatory liabilities, and could severely impact customer business to the tune of grounded aircraft (commercial and military) so it's a pretty big deal.

Coming in as a non-management role, or as a new guy in a shop where the procedures are already very sound and operating well, that's different. Then I have to wonder why the last guy got fired...

Re:I'd say treat it like a DR drill (1)

fishbowl (7759) | more than 3 years ago | (#33362558)

If your last IT manager had to be fired, you may have months or years of work to do before you can actually do that DR-bare-metal drill.

Re:I'd say treat it like a DR drill (1)

BobMcD (601576) | more than 3 years ago | (#33362634)

Maybe, maybe not. Hard to say. What if he or she tripped a zero-tolerance?

Re:I'd say treat it like a DR drill (1)

Jason_D_Berg (745832) | more than 3 years ago | (#33362574)

It's absolutely the best option to tear everything out and start over again. It's really hard to make a business case to spend the time and labor when all you have is a hunch. The reason I asked this question to begin with is because most C level staff don't see the justification. Active Directory, Exchange, Sharepoint...they're all pretty big beasts. If risk can be mitigated and proper backups are in place, I don't see a reason to tear apart the IT infrastructure.

Re:I'd say treat it like a DR drill (1)

BobMcD (601576) | more than 3 years ago | (#33362654)

Well, if the C's won't support it, then you're off the hook. But it still needs to be on the table.

If you can't see the reason, then you've never rooted a system... A proper back door can get you the resources you need to do just about anything at all. And even complex systems need a mechanism by which they can be restored. Maybe you don't do it all in a day, sure, but you ought to spend time knocking them out one-by-one at the very least.

Re:I'd say treat it like a DR drill (1)

Trivial Solutions (1724416) | more than 3 years ago | (#33362684)

This is entertaining ROFLAO.

Umm... guess again. Say hello to Mr. God...


Except in S.F. (0)

Anonymous Coward | more than 3 years ago | (#33362746)

Don't do this if you work IT for the City of San Francisco. They will seem to want to prosecute you for this.

Re:I'd say treat it like a DR drill (1)

Lehk228 (705449) | more than 3 years ago | (#33362758)

and the data being restored contains a buffer overflow exploit that reroots the new system

Re:I'd say treat it like a DR drill (1)

CharlyFoxtrot (1607527) | more than 3 years ago | (#33362800)

If you're seriously considering this as a possibility, I'd say treat it like a DR drill. Burn everything down to bare metal and restore only the data. It's the only way to be sure...

However, before taking my advice, I'd suggest you get your boss to sign off on it, whichever way. Present a list of options from 'ignore it' to 'burn everything' and have them pick. This way, whatever happens, you're covered.

That takes care of backdoors in the OS, assuming you run everything stock. But if you're running custom in-house software, that might have backdoors too, so it'll still need to be audited. I wouldn't recommend this approach except for the most extreme cases anyway. Best is just to keep a log of all installs and changes from stock and have outside auditors come in regularly to check for anything that can't be accounted for, as well as audits of all installations. Not to mention having a strictly enforced change management process.
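An added example (not from CharlyFoxtrot's post or any other commenter) of the "log all changes from stock, then look for anything unaccounted for" audit: it compares a file manifest recorded at build time against the host's current state and splits every difference into changes a change-management ticket explains and changes nobody can explain. The file contents, the baseline and the ticket id are constructed.

```python
"""Reconcile a host against its install-time manifest and change log.

Added example, not from any commenter on this thread. The file contents,
the baseline manifest and the change ticket below are CONSTRUCTED; on a
real host the manifest is built by hashing files on disk and kept off-box,
since a baseline stored on the audited machine can be edited along with it.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """files: {path: bytes content} -> {path: sha256 hex digest}."""
    return {path: sha256_hex(content) for path, content in files.items()}


def reconcile(baseline, current, change_log):
    """Diff two manifests and split the differences into those a change
    ticket accounts for and those nobody can explain.

    change_log maps path -> ticket id for changes approved since the baseline.
    """
    diffs = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            kind = "missing"
        elif path not in baseline:
            kind = "added"
        elif baseline[path] != current[path]:
            kind = "modified"
        else:
            continue
        diffs.append((path, kind))
    accounted = [(p, k, change_log[p]) for p, k in diffs if p in change_log]
    unaccounted = [(p, k) for p, k in diffs if p not in change_log]
    return {"accounted": accounted, "unaccounted": unaccounted}


# ---- constructed sample -------------------------------------------------
# State recorded when the box was built from trusted media.
BASELINE_FILES = {
    "/usr/sbin/sshd": b"sshd binary v1 (constructed)",
    "/etc/ssh/sshd_config": b"Port 22\nPermitRootLogin no\n",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
    "/usr/local/bin/backup": b"#!/bin/sh\ntar czf /backup/$(date +%F).tgz /srv\n",
}
# State found during the audit: one hardening change, one altered binary,
# one cron job nobody remembers adding.
CURRENT_FILES = {
    "/usr/sbin/sshd": b"sshd binary v1 (constructed) plus something extra",
    "/etc/ssh/sshd_config": b"Port 22\nPermitRootLogin no\nMaxAuthTries 3\n",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
    "/usr/local/bin/backup": b"#!/bin/sh\ntar czf /backup/$(date +%F).tgz /srv\n",
    "/etc/cron.d/cleanup": b"*/5 * * * * root /usr/local/bin/cleanup\n",
}
# Only the sshd_config change went through change management.
CHANGE_LOG = {"/etc/ssh/sshd_config": "CHG-0042 (constructed ticket id)"}


def run_sample():
    return reconcile(build_manifest(BASELINE_FILES),
                     build_manifest(CURRENT_FILES), CHANGE_LOG)


if __name__ == "__main__":
    result = run_sample()
    for path, kind, ticket in result["accounted"]:
        print(f"ok     {kind:8} {path} ({ticket})")
    for path, kind in result["unaccounted"]:
        print(f"CHECK  {kind:8} {path}")
```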

little OT.... (3, Insightful)

Anonymous Coward | more than 3 years ago | (#33362260)

One of many reasons CEOs are given golden parachutes is to keep them quiet about trade secrets and certain contacts. Whether or not that happens is debatable, but discretion is basically paid for.

Why not give similar parachutes to IT admins to follow these unwritten practices? If the CEOs are the frontmen, IT is the infrastructure of the organization. Treat them like gatekeepers instead of disposable footmen. They have the keys to the castle. And all the secret entrances.

More golden parachutes probably a bad idea (1)

perpenso (1613749) | more than 3 years ago | (#33362532)

One of many reasons CEOs are given golden parachutes is to keep them quiet about trade secrets and certain contacts. Whether or not that happens is debatable, but discretion is basically paid for.

Why not give similar parachutes to IT admins to follow these unwritten practices?

Since golden parachutes have been a source of abuse and unintended consequences maybe the concept should not be more widely used?

FWIW golden parachutes are not really about keeping quiet regarding trade secrets, contracts and other material non-public information. Contracts, non-disclosure agreements and other legal tools already cover this area.

Re:More golden parachutes probably a bad idea (1)

dbitter1 (411864) | more than 3 years ago | (#33362824)

Golden parachutes can be effective if reasonably written.

For example, cutting all the legalese out of mine it waters down to "your non-compete is as long as your severance package of normal salary". Thus, they give me a year's pay of severance, I don't show up at my competitors door for a year. If the checks bounce, I'm there, and the NDAs say I can do it free and clear.

Having pissed-off sysadmins because your employer is an ass is one thing, and I agree there is no reason to torment the keepers of the keys. However, the parachutes come into play when you work in an industry full of hostile and semi-hostile takeovers. It gives me security regardless of whether my boss is someone I trust or [satan|$evil_deity]. Someone wants to buy us out and kill our product because it is killing theirs, fine. I'll take my ball and play elsewhere. :P

Re:little OT.... (4, Insightful)

CharlyFoxtrot (1607527) | more than 3 years ago | (#33362616)

One of many reasons CEOs are given golden parachutes is to keep them quiet about trade secrets and certain contacts. Whether or not that happens is debatable, but discretion is basically paid for.

Why not give similar parachutes to IT admins to follow these unwritten practices? If the CEOs are the frontmen, IT is the infrastructure of the organization. Treat them like gatekeepers instead of disposable footmen. They have the keys to the castle. And all the secret entrances.

The janitor has all the keys to the building and the cook could poison everyone if he wanted, but those people aren't afforded the respect they deserve either. CEOs are given golden parachutes by their buddies who they'll see at the golf club and who they can maybe return the favor later on the board of some other company. We're just staff and staff don't get golden parachutes, they get concrete shoes.

Re:little OT.... (1)

mysidia (191772) | more than 3 years ago | (#33362778)

But George, don't we have the firewall for that?

The Janitor has the keys to your building too, and your most sensitive offices.

But they are just disposable, what you do when they leave is really simple.... you make them hand in their badge, so they can no longer get through the front gate.

The IT admin equivalent is the changing of the passwords to the firewall.

And manually verifying the firewall is indeed properly configured so no access to the inside network is possible, except through authorized personnel's VPN credentials.

Then you force all VPN users to change their VPN passwords immediately.

Re:little OT.... (1)

Lehk228 (705449) | more than 3 years ago | (#33362950)

and the extra ethernet wire running to a cantenna'd WAP lets the bad guy back in

or the main database server accepts a normal looking connection from a normal employee workstation, that isn't a workstation but actually is a wall wart computer mounted inside the wall masquerading to the network as a workstation.
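The two rogue-device cases in the comment above (an extra wire to a hidden access point, and a box in the wall answering as a workstation) are both things an ARP or DHCP view of the LAN can surface when it is checked against an asset inventory. The script below is an added example, not code from the article or from any commenter; the inventory, the tiny OUI table and the `arp -n`-style dump are all constructed sample data. It flags MACs that are not in inventory, known MACs that show up on an interface they are not supposed to be on (the masquerading case), and IPs claimed by more than one MAC.

```python
"""Check a LAN's ARP view against the asset inventory (added example).

All data below is constructed for illustration; it is not a real capture.
"""
from collections import defaultdict

# Constructed asset inventory: MAC -> (hostname, interface it is expected on).
ASSET_INVENTORY = {
    "00:1a:a0:11:22:33": ("ws-finance-01", "eth0"),
    "00:1a:a0:44:55:66": ("ws-finance-02", "eth0"),
    "00:25:90:aa:bb:cc": ("db-main", "eth0"),
}

# Constructed OUI table (first three octets -> vendor). A real table is far
# larger; this is only enough to label the sample entries.
OUI = {
    "00:1a:a0": "Dell",
    "00:25:90": "Super Micro",
    "b8:27:eb": "Raspberry Pi Foundation",
}

# Constructed `arp -n`-style dump: ip, hwtype, mac, flags, iface.
ARP_DUMP = """\
10.0.5.21  ether  00:1a:a0:11:22:33  C  eth0
10.0.5.22  ether  00:1a:a0:44:55:66  C  eth0
10.0.5.23  ether  b8:27:eb:12:34:56  C  eth0
10.0.5.10  ether  00:25:90:aa:bb:cc  C  eth0
10.0.5.10  ether  00:25:90:aa:bb:cc  C  eth1
10.0.5.22  ether  00:1a:a0:77:88:99  C  eth1
"""


def parse_arp(dump):
    """Return (ip, mac, iface) tuples from an arp -n style dump."""
    entries = []
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip headers / malformed lines
        ip, _, mac, _, iface = parts[:5]
        entries.append((ip, mac.lower(), iface))
    return entries


def audit(dump, inventory, oui):
    """Return sorted (ip, mac, reason) findings for the given ARP view."""
    findings = []
    macs_per_ip = defaultdict(set)
    for ip, mac, iface in parse_arp(dump):
        macs_per_ip[ip].add(mac)
        if mac not in inventory:
            vendor = oui.get(mac[:8], "unknown OUI")
            findings.append((ip, mac, "not in inventory (%s)" % vendor))
            continue
        hostname, expected_iface = inventory[mac]
        if iface != expected_iface:
            # A known MAC answering from the wrong segment is how a box
            # spoofing a workstation's address shows up.
            findings.append((ip, mac, "%s seen on %s, expected %s"
                             % (hostname, iface, expected_iface)))
    for ip, macs in macs_per_ip.items():
        if len(macs) > 1:
            findings.append((ip, ",".join(sorted(macs)),
                             "ip claimed by multiple MACs"))
    return sorted(findings)


if __name__ == "__main__":
    for ip, mac, reason in audit(ARP_DUMP, ASSET_INVENTORY, OUI):
        print(ip, mac, reason)
```

The inventory is the weak point: it has to come from something the departed admin did not maintain alone (purchase records, switch port descriptions, a second admin's list), otherwise the rogue box is simply in the inventory too.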

Re:little OT.... (1)

b4upoo (166390) | more than 3 years ago | (#33362782)

Giving benefits to people according to the potential harm that they could do is not right according to me. Bosses that take that attitude might want to consider what harm some low level employee could do with a bomb or guns. The lowest guy in the food chain could easily kill off upper management. So who gives the floor cleaner or the gal Friday a golden parachute? Or is it only financial loss that must be prevented?

Re:little OT.... (1)

antifoidulus (807088) | more than 3 years ago | (#33362906)

The reason golden parachutes exist is because the SEC has repeatedly dismantled shareholder rights in order to guarantee political kickbacks from said CEOs. The CEO now essentially owns the company and spends more time figuring out ways to enhance their own salary than they do actually trying to do any real work. Stocks have gone nowhere in the past decade while CEO salaries have skyrocketed.

Re:little OT.... (1)

rsborg (111459) | more than 3 years ago | (#33362924)

One of many reasons CEOs are given golden parachutes is to keep them quiet about trade secrets and certain contacts. Whether or not that happens is debatable, but discretion is basically paid for.

No, with your example, lots of individual contributor types would wield a lot of power and get golden parachutes... the reality is that the CEO is powerful enough to command respect from the company, and that's the only reason (s)he gets the golden parachute.

Multiple Backdoors (4, Interesting)

Bryansix (761547) | more than 3 years ago | (#33362262)

I usually put in multiple backdoors. Not out of malicious intent but because I support customers who are so far away that I don't want to drive out there all the time. Now this might include software or even out of band management, VPN, etc. Basically, if you put yourself in a position where you have to fire your IT staff then you are a moron. Always do background checks because you are going to be giving these people the keys to the city.

Re:Multiple Backdoors (2, Insightful)

Kozar_The_Malignant (738483) | more than 3 years ago | (#33362468)

Basically, if you put yourself in a position where you have to fire your IT staff then you are a moron. Always do background checks because you are going to be giving these people the keys to the city.

  • Not every problem employee comes with "Crazy MF With Drug Habit" tattooed on his forehead.
  • Sometimes people lie when you do background checks. They want their problem to become your problem.
  • Your IT guy might be just fine until his wife leaves him for a younger woman who also works for your company.
  • Or, like my experience, the first thing you have to do in your new job is fire the sadistic moron that your predecessor tolerated for years.

The point being, you don't always "put yourself" in that position. Sometimes shit happens.

Re:Multiple Backdoors (1)

Monkeedude1212 (1560403) | more than 3 years ago | (#33362538)

All of those problems could be handled in a variety of ways with a competant HR department.

Re:Multiple Backdoors (2, Insightful)

greenbird (859670) | more than 3 years ago | (#33362636)

All of those problems could be handled in a variety of ways with a competant HR department.

Isn't that an oxymoron, even if it were spelled correctly?

Re:Multiple Backdoors (1, Funny)

Anonymous Coward | more than 3 years ago | (#33362638)

Your HR can make the IT guys wife not leave him? That is truly competant.

Re:Multiple Backdoors (0)

Anonymous Coward | more than 3 years ago | (#33362612)

Your IT guy might be just fine until his wife leaves him for a younger woman who also works for your company.

And then the IT guy frantically spends all his time trying to work himself into a threesome?

Re:Multiple Backdoors (1)

Belial6 (794905) | more than 3 years ago | (#33362486)

Thinking that a background check is going to protect you is naive at best.

Re:Multiple Backdoors (0)

Anonymous Coward | more than 3 years ago | (#33362686)

Basically, if you put yourself in a position where you have to fire your IT staff then you are a moron. Always do background checks because you are going to be giving these people the keys to the city.

You really can't think of a reason why sometimes you have to let people go? What an ideal world you must live in. You also assume that a problematic person will have exhibited problematic behavior before you hire him. Truly a utopia. Mind if I come by for some tea and biscuits to admire this wonderful world you live in? Surely, the garden of Eden must pale in comparison.

Re:Multiple Backdoors (1)

mysidia (191772) | more than 3 years ago | (#33362826)

The difference between OOB management and a malicious backdoor, is OOB management is documented very clearly, as essential documentation for accessing the system.

And it's on the "list of security sensitive services" that need to have creds changed when an admin leaves

If the backdoor is not documented, and nobody else is told about it, then you have a problem (potential liability on your part).
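Both of mysidia's comments in this thread come down to the same control: a written list of security-sensitive services (firewall admin, OOB console, VPN secrets and so on) with who holds each credential, so that on departure day you can tell what still needs rotating. The script below is an added example, not code from the article or from any commenter. The credential register is constructed sample data; the only real assumption is that the register is kept by more than one person, so the departed admin could not quietly leave a service off it. A credential counts as rotated only if its rotation date is after the departure date; an entry whose holders are unknown is flagged as well, because "nobody knows who had this" is itself a finding.

```python
"""Offboarding check: which privileged credentials still need rotating?

Added example with a constructed credential register, not a real one.
"""
from datetime import date, datetime

# Constructed register of security-sensitive services. `holders` is the set
# of people known to have held the credential; an empty set means unknown.
CREDENTIAL_REGISTER = [
    {"service": "edge-firewall admin", "holders": {"alice", "bob"}, "rotated": "2010-06-01"},
    {"service": "OOB/iLO console", "holders": {"bob"}, "rotated": "2010-08-24"},
    {"service": "VPN shared secret", "holders": {"alice", "bob", "carol"}, "rotated": "2010-01-15"},
    {"service": "backup encryption key", "holders": {"alice"}, "rotated": "2010-03-03"},
    {"service": "switch enable password", "holders": {"bob"}, "rotated": None},
    {"service": "legacy cron deploy key", "holders": set(), "rotated": "2010-07-01"},
]


def parse_date(s):
    """ISO date string -> date, or None when there is no record."""
    return datetime.strptime(s, "%Y-%m-%d").date() if s else None


def pending_rotations(register, departed_user, departure_date):
    """Return sorted (service, reason) pairs that still need action.

    A credential is considered safe only if it was rotated strictly after
    the departure date; same-day rotations are treated as pending because
    the register does not record whether they happened before or after
    the person lost access.
    """
    dep = parse_date(departure_date)
    pending = []
    for entry in register:
        holders = entry["holders"]
        if holders and departed_user not in holders:
            continue  # the departed user never held this credential
        last = parse_date(entry["rotated"])
        if not holders:
            pending.append((entry["service"], "holders unknown, rotate and document"))
        elif last is None:
            pending.append((entry["service"], "never rotated"))
        elif last <= dep:
            pending.append((entry["service"], "last rotated %s, before departure" % last))
    return sorted(pending)


if __name__ == "__main__":
    for service, reason in pending_rotations(CREDENTIAL_REGISTER, "bob", "2010-08-23"):
        print("%-26s %s" % (service, reason))
```

Running it for "bob" leaving on 2010-08-23 leaves the OOB console alone (rotated the day after) and skips the backup key he never held, but lists the firewall admin account, the VPN secret, the never-rotated switch password and the deploy key with no recorded owner.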

First Step: ( +4, Informative ) (-1, Troll)

Anonymous Coward | more than 3 years ago | (#33362268)

Remove ALL Microslop operating systems from ALL computers.

Yours In Krasnoyarsk,
K. Trout

I've missed you all these years. How's it been? (0)

Anonymous Coward | more than 3 years ago | (#33362916)

I see nothing's changed. I've been on 4chan, Skaldi, Stormfront, and a few other places. you?

Well... (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33362274)

Of course the first piece of advice is to basically assume you've been rooted. Ouch.

That's only painful if you didn't have well thought out policies in place beforehand.*

*for everything but the edge cases, of course.

Make your list, present it to your stupid boss (1, Insightful)

shoehornjob (1632387) | more than 3 years ago | (#33362284)

who doesn't have a clue what you're telling him, and watch him veto this because his budget would take a hit. Make notes of what you discussed, save emails, etc., for evidence when said evil admin hacks in and trashes your servers, domain, etc. In other words, cover your ass.

Re:Make your list, present it to your stupid boss (2)

boristdog (133725) | more than 3 years ago | (#33362376)

Just make sure to CC your boss's boss when you do this.

THEN your ass is covered!

If they used Macs (0)

Anonymous Coward | more than 3 years ago | (#33362286)

It should be pretty easy to find and explore their backdoors.

Alot of software opens holes due to poor coding a (1)

Joe The Dragon (967727) | more than 3 years ago | (#33362320)

Alot of software opens holes due to poor coding as well.

And look at printers and vendor PCs running RIP software, likely on an OS that is lagging behind on updates, but the vendor doesn't let you / says we will void the printer contract over messing with the software / OS on the RIP PC.

Re:Alot of software opens holes due to poor coding (1)

crontabminusell (995652) | more than 3 years ago | (#33362968)

Alot of software...

http://hyperboleandahalf.blogspot.com/2010/04/alot-is-better-than-you-at-everything.html [blogspot.com]

I'm not a grammar Nazi, but I think you (and everyone else) can appreciate the humor in the link. "Alot" is actually two words: "a" and "lot". ;)

1. Drink Heavily (1)

jgtg32a (1173373) | more than 3 years ago | (#33362360)

2. ???
3. Profit

Non evil stuff may look like logic bombs and if yo (1)

Joe The Dragon (967727) | more than 3 years ago | (#33362398)

Non-evil stuff may look like logic bombs if you don't keep track of all of it. Who knows what hacks and workarounds you will find, and taking them out may just lead to having to call the old guy back just to find out how some of the stuff works.

How many times do you have to have the old guy come back at 2x, 3x, 4x the pay just to work out stuff that only the people who got laid off know about?

Re:Non evil stuff may look like logic bombs and if (0)

Anonymous Coward | more than 3 years ago | (#33362952)

Good thinking, I think. Maybe instead of logic bombs, they could just pay you to write the documentation. :D

logic bombs on a timer (4, Interesting)

ei4anb (625481) | more than 3 years ago | (#33362464)

The worst timed logic bomb I have had to deal with was by an intern who was looking for more pay. He had written a statistical analysis program that would have started to introduce subtle errors several weeks after he had left. If I had not found it then our stats would have become useless after a few months of that mangling. I assume he was hoping we would notice data errors, panic and re-hire him to fix it without realizing that he had caused the errors. I became suspicious when the timestamp on the Java source was newer than the class file so I did some reverse engineering. He had edited the logic bomb out of the source after compiling.

Re:logic bombs on a timer (2, Insightful)

jjohnson (62583) | more than 3 years ago | (#33362922)

That's a really good catch. Well done.

Re:logic bombs on a timer (3, Insightful)

grahamsaa (1287732) | more than 3 years ago | (#33362938)

He knew how to program a logic bomb and how to cover his tracks by removing it from the source, but he didn't have the smarts to change the source file's time stamp? Sounds like an obvious step to take -- not that I'd ever do anything like that, but seriously, changing a time stamp isn't rocket science.
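ei4anb's catch (a .java file newer than its .class) and grahamsaa's objection (the timestamp could have been backdated) point at two checks that belong together: the cheap mtime comparison, and a content check of every compiled artifact against a manifest of hashes from a build you trust, i.e. a rebuild from version control on a machine the suspect never touched. The script below is an added example, not code from the article or from either commenter; it constructs a small sample tree in a temporary directory, with fake class-file bytes, to show both checks, and the manifest it uses is likewise constructed.

```python
"""Detect source/artifact drift of the edit-after-compile kind (added example).

scan_tree() reports .java sources newer than their .class, classes missing
from or differing from a trusted build manifest, and sources with no class.
build_sample_tree() fabricates a tree to run it against; nothing here is a
real build or a real manifest.
"""
import hashlib
import os
import tempfile
import time


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def scan_tree(root, manifest=None):
    """Return sorted (relative_path, reason) findings under root.

    manifest maps relative .class paths to the sha256 the trusted build
    produced; pass None to run only the timestamp check.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name.endswith(".java"):
                cls = full[:-5] + ".class"
                if not os.path.exists(cls):
                    findings.append((rel, "no compiled class"))
                elif os.path.getmtime(full) > os.path.getmtime(cls):
                    findings.append((rel, "source newer than class"))
            elif name.endswith(".class") and manifest is not None:
                expected = manifest.get(rel)
                if expected is None:
                    findings.append((rel, "class not in build manifest"))
                elif expected != sha256_file(full):
                    findings.append((rel, "class hash differs from build manifest"))
    return sorted(findings)


def build_sample_tree():
    """Construct a sample tree and a matching manifest; returns (root, manifest)."""
    root = tempfile.mkdtemp(prefix="drift-")
    now = time.time()

    def put(rel, content, mtime):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
        os.utime(path, (mtime, mtime))
        return path

    # Clean pair: class compiled after its source, hash recorded by the trusted build.
    put("stats/Clean.java", b"class Clean {}", now - 200)
    clean_cls = put("stats/Clean.class", b"\xca\xfe\xba\xbe clean", now - 100)
    # ei4anb's case: the source was edited after compilation.
    put("stats/Edited.java", b"class Edited {}", now - 50)
    edited_cls = put("stats/Edited.class", b"\xca\xfe\xba\xbe edited", now - 100)
    # grahamsaa's case: the source was backdated, so only the hash check catches it.
    put("stats/Backdated.java", b"class Backdated {}", now - 300)
    put("stats/Backdated.class", b"\xca\xfe\xba\xbe bomb", now - 100)
    manifest = {
        "stats/Clean.class": sha256_file(clean_cls),
        "stats/Edited.class": sha256_file(edited_cls),
        # What a clean rebuild from version control would have produced.
        "stats/Backdated.class": hashlib.sha256(b"\xca\xfe\xba\xbe trusted").hexdigest(),
    }
    return root, manifest


if __name__ == "__main__":
    root, manifest = build_sample_tree()
    for rel, reason in scan_tree(root, manifest):
        print(rel, "-", reason)
```

The timestamp check alone finds only the careless case; the manifest check is what holds up against someone who knows about `touch`, at the cost of needing a reproducible build to compare against.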

Re:logic bombs on a timer (0)

Anonymous Coward | more than 3 years ago | (#33363024)

You get interns that can code? I wouldn't trust the ones HR dumps on us anywhere near a computer.

But seriously, we would never let an intern work on a business critical system. Contractors are much the same.... none of them are allowed access to the code signing keys, and all code, written by employees or not, is reviewed by a security team. Our competitors did not see the value of doing this and are now dealing with internal theft of a couple million credit card numbers.

You can pay for security now, or you can pay for not having it later.

(name withheld by request)

pray he hasn't read Thompson (1)

ei4anb (625481) | more than 3 years ago | (#33362494)

Some backdoors are hard to get rid of

Reflections on Trusting Trust http://cm.bell-labs.com/who/ken/trust.html [bell-labs.com]

Re:pray he hasn't read Thompson (1)

trb (8509) | more than 3 years ago | (#33362696)

Yep, exactly what I thought of when I saw this "backdoors" article. "Trusting Trust" was Ken's acceptance speech for the ACM's 1983 Turing award, and described hacking that he had contemplated before then (i.e., more than 25 years ago).

the zeroeth piece of advice... (1)

pedantic bore (740196) | more than 3 years ago | (#33362670)

... don't hire sysadmins who act unprofessionally or criminally under duress, and then treat them like professionals, like everyone else.

I haven't seen any reason to think that IT staff would be more likely to do such harm than anyone else. Sure, maybe they have easier means to effect harm than your average employee, but they have no more motivation nor mind to do so.

My accidental SSH backdoor... (4, Interesting)

Anonymous Coward | more than 3 years ago | (#33362692)

I had to administer a system where the vendor's software would fail on the rollover for the day. So it would fail at 5 am, and I would have to be the one to come in to fix it. As it happened at least once every two weeks, I started to SSH in to fix it rather than rush to work and have to work an extra three hours that day (and not be compensated for it). The policy that I fought to implement at work was to do a quick audit, change any passwords/keys for any remote entry and to actually create passwords for many of the accounts that did not have passwords. So done and done, I thought.

To continue: I had many problems with upper management, one of which was their wanting me to 'tweak' time sheet accounting so that new entry level minimum wage employees were paid for as little as 75% of their legitimate hours worked. I thought this was particularly dickish as they fired employees on a project basis and anyone was usually fired within two weeks. So I quit and tried to get myself as good a parachute as I could.

Well two weeks after I left I found out the newbie replacement didn't perform the audit when I accidentally clicked on a bookmark at home (Putty) and I was suddenly in a server from my old job. I logged out and didn't feel particularly compelled to tell them that my keys were still trusted. About a month later I made the same mistake. The hole was no longer there. I thought to myself, "Good for him. I guess he's not so incompetent at all."

But curiosity a la Facebook and Twitter revealed that a server had actually gone down that day. Apparently there was a 'rm -rf' oopsy!!!

The story continues, but the end result is that he managed to destroy three servers within a month of my leaving. If I had been malicious I don't think I could have caused that much destruction...
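The leftover key in the story above is the common case: the password audit was done, but a public key in an `authorized_keys` file kept working for two weeks after the admin left. The script below is an added example, not code from the article or from the commenter. It parses `authorized_keys` lines (including the options prefix such as `command="..."`), computes the same SHA256 fingerprint `ssh-keygen -l` prints, and flags keys that belong to a departed user or that are not in the key inventory at all. The key blobs, inventory and file contents are constructed; the ed25519 blobs are wire-format shaped but carry fake key bytes.

```python
"""Audit authorized_keys for keys of departed users (added example).

All keys and file contents below are constructed sample data.
"""
import base64
import hashlib
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


def ssh_blob(key_type, *fields):
    """Build an SSH wire-format public key blob (length-prefixed strings)."""
    out = b""
    for f in (key_type.encode(),) + fields:
        out += struct.pack(">I", len(f)) + f
    return out


def fingerprint(b64_blob):
    """SHA256 fingerprint as ssh-keygen -l prints it (base64, no padding)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (options, key_type, b64_blob, comment) for each key line.

    Options precede the key type and may contain spaces inside quotes, so
    tokens are consumed until one starts with a key-type prefix.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        opts = []
        while tokens and not tokens[0].startswith(KEY_TYPE_PREFIXES):
            opts.append(tokens.pop(0))
        if len(tokens) < 2:
            continue  # malformed line, nothing to check
        yield " ".join(opts), tokens[0], tokens[1], " ".join(tokens[2:])


def audit(text, known_keys, departed):
    """Return (fingerprint, reason) for keys that should not be there."""
    findings = []
    for options, _ktype, blob, comment in parse_authorized_keys(text):
        fp = fingerprint(blob)
        owner = known_keys.get(fp)
        if owner in departed:
            findings.append((fp, "key belongs to departed user %s" % owner))
        elif owner is None:
            findings.append((fp, "key not in inventory (comment %r)" % comment))
    return findings


# Constructed sample: fake 32-byte ed25519 key material, real blob framing.
def make_key(seed):
    return base64.b64encode(ssh_blob("ssh-ed25519", bytes([seed]) * 32)).decode()


KEY_ALICE = make_key(1)
KEY_BOB = make_key(2)        # the departed admin's key, comment stripped
KEY_UNKNOWN = make_key(3)    # nobody recorded who installed this one

KNOWN_KEYS = {fingerprint(KEY_ALICE): "alice", fingerprint(KEY_BOB): "bob"}

AUTHORIZED_KEYS = """# constructed root authorized_keys
ssh-ed25519 %s alice@laptop
command="/usr/local/bin/fix-rollover",no-pty ssh-ed25519 %s
ssh-ed25519 %s backup-agent
""" % (KEY_ALICE, KEY_BOB, KEY_UNKNOWN)


if __name__ == "__main__":
    for fp, reason in audit(AUTHORIZED_KEYS, KNOWN_KEYS, {"bob"}):
        print(fp, reason)
```

Matching on fingerprints rather than on the comment field matters because the comment is free text and the first thing a departing admin strips; the inventory of fingerprints has to be collected from every host (root and service accounts included), not just the ones the departed admin listed.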

Not to stand in the way of healthy paranoia... (1)

Target Practice (79470) | more than 3 years ago | (#33362760)

... but if you go around assuming you've been rooted by everyone your company has let go, pretty soon your cycles will be consumed by constant self-evaluation. The result would likely be catastrophic money and time loss, akin to the South Park episode where San Francisco disappeared entirely up its own asshole.

So what is the advice (4, Interesting)

bugs2squash (1132591) | more than 3 years ago | (#33362786)

for those that are terminated and have no intention of connecting back in ? After all, if I am let go, the last thing I want is for my old credentials to be used by someone to trash something and have suspicion fall on me.

Re:So what is the advice (1)

PPH (736903) | more than 3 years ago | (#33363052)

Yeah. When I left Boeing, they kept a couple of my logins active for several years. I guess they figured I was coming back. Although I had no way of getting back through the firewall to use them, if something had happened, who do you think they'd come looking for?

Before changing all the passwords (1)

gmuslera (3436) | more than 3 years ago | (#33362792)

Verify that no keylogger is installed in any computer used to login to other systems

Punish them (1)

dukerobinson (624739) | more than 3 years ago | (#33362858)

I say if you fire an employee unjustly or lay them off to hire some workers for less money then you deserve punishment. While there are not technological solutions to capitalist exploitation currently (only political solutions exist to my knowledge), in the mean time I hope you IT staff who are unjustly terminated bring the pain and cover your tracks.

easy solution (1)

roman_mir (125474) | more than 3 years ago | (#33362944)

it's OK, no problem, just rewrite everything from scratch, guarantees you won't have backdoors from the previous guy.

Separation of rights and duties (0, Redundant)

damn_registrars (1103043) | more than 3 years ago | (#33362974)

A good IT department for a sizable company should have some technicians and some administrators. There is rarely - if ever - reason for technicians to have root access to servers and other administrative rights. Your admins should themselves be vetted well enough to not have to worry about them compromising your network after the fact.

Has to be said (5, Insightful)

Dunbal (464142) | more than 3 years ago | (#33362994)

You get what you pay for. You hire for the lowest possible salary and treat your professionals like unskilled laborers, well, don't be surprised. A professional would never dream of doing something like this - but then again a professional would not work for peanuts either.

Treat people humanely? (4, Insightful)

happyhamster (134378) | more than 3 years ago | (#33363060)

How about a radical idea of treating employees as people, with respect and dignity, and they will treat you likewise in return? I know I'm stepping a little above the topic, as you asked what to do when you do fire people suddenly without a cause. Please bear with me and don't "escort me out" yet. The way employees are treated in the U.S. nowadays is despicable. It would have been unacceptable just a few decades ago in this very country, and it is still unacceptable in many parts of the world. An executive firing employees without good cause would and should be roughed up good after work to freshen their understanding of "immoral". American society should make it socially unacceptable, with after-work consequences, to fire people without a good cause, regardless of "laws" bought by corporations in the last decades.
