July 17th, 2002, 09:30 AM
Question for programmers and people in the business world who have tech. jobs.
I have a question for all of you who have tech. jobs not dealing with security, but just a tech job not having security a related matter. I know it is strange to ask in this website, but I do need an outlook. When you do answer, if you can, pls. provide what company you work for, position and what do you do exactly.
Here's the question: How important is security to you and why do some others like you not care about security although you handle things like networking and such?
I know someone who has a BS in telecommunications, but doesn't really care about security. That's why I'm asking.
July 17th, 2002, 12:13 PM
I would like to keep the company and position confidential. Although, I will share a little bit of what I learned through my years here. I do in fact work in a position that cares very much about security, to give you a hint "we are similar to security education, in a way". A lot of the users we work with tend to toss security aside for convenience. Why should someone view a document in a hex editor, when they see what prints out? Well here a mixture of ignorance comes in. There are a huge percentage of individuals that have no idea about track changes. So they write up a business proposal to one company, send it electronically and save it. This will be used for many similar companies, and every time it is resent the information from the company before will be reviewable. Passwords? They have phone numbers, meetings, cell phone passwords, voice mail passwords, clock numbers, why should I have a password like d0.NuT? They think Mike is just fine as a password. So to answer your question.... People put security aside for any reason that keeps them from making more work for themselves.
July 17th, 2002, 12:19 PM
I'll keep it simple as well and not reveal my company either...Most of the time security is not a big deal because the people who design the networks have WAY too many other things they have to do for the same salary and going beyond their job description is unheard of; in other words why would you do the job of someone else and still make the same? It's a matter of personal interest we have to make sure that people use strong passwords in my organization, yet these people tell everyone what their password is and tape it to their monitor---even the net admins have the server admin password taped somewhere. Most hackers use the polite way to hack by calling the helpdesk or even another user and tell them they are such and such and locked themselves so unknowingly they give this person the pass and baboom-ba-bing they are in doing whatever they want. Security is a big deal but at the same time it is lax. On a side note, I work for a major financial institute, so go figure, huh?
July 17th, 2002, 12:29 PM
I think the primary reason is the same as there is not enough testing of software in the development process: The customer isn't willing to pay for it. Most of the time when you get approached by a customer they want a this-and-that system and they want it like yesterday so when you show them the specs for the development process they always decide that the testing and the security should go. The customer wants his product as quick as possible.
At least that has been my experience over the last four years.
"The purpose of abstraction is not to be vague, but to create a new semantic level in which one can be absolutely precise."
- Edsger Dijkstra
July 19th, 2002, 08:27 AM
Thanks for the response, I think I know why telecommunications doesn't teach so many things about security since they are mainly on networking and such. Your responses do help. The only other thing is that, he is going to set up a network with a router and he says that software firewalls just corrupt your hard drive, that's why I'm not to get one on my computer which is going to be a part of the network. That true or is he just trying to get me not to use what he calls "crap" on my computer? It pisses me off, especially since all the stuff I learned and read about is against the stuff he says. If any of you have a telecommunications degree, can you tell me if security is ever taught? Another question, he says that firewalls (software or hardware) are only for enterprise networks and don't need it on home PC's. That true in a sense?
July 19th, 2002, 08:49 AM
Humm sorry Azn but your question smacks of social engineering all over the place. Seems to me what you really want to know is if your employer knows what you are doing and the answer is yes Admin see everything. And if you have an Admin stating things such as this you should advise the proper people. Home computers need to be secure as well oh was a Admin company well go find out. If mom and dad know what you're doing well depends if at school well any network has servers and all traffic is seen. Good try
I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg
July 19th, 2002, 09:25 AM
Umm.....Palemoon, I'm only 13 and an incoming freshman in high school. I don't know how you came up with that, but I'm only talking about my home computer networked with my brother's with a router. My brother is the person I'm talking about. That's just to clarify things. I didn't mean for any misunderstanding of any sort. I just want to know why my brother doesn't care so much about security when he already took a network security class. There's just a little feud with what me and my brother know about networking and I'm trying to clear things in my head. This is a personal thing for me so any help with letting me understand why would help even more. Joey_Batch_File and grygst76 answered most of the things I had trouble understanding and I greatly appreciate it. My main point is that the things my brother says about security on my computer just make me tick a lot and he can't just understand why I'm actually downloading different software to see how it works and reading about security articles. Security is the only thing in computers that makes me like computers. If my self-esteem is killed by him then I might as well say goodbye to everything I know and not care why things happen.
Humm sorry Azn but your question smacks of social engineering all over the place. Seems to me what you really want to know is if your employer knows what you are doing and the answer is yes Admin see everything.
July 19th, 2002, 12:42 PM
Good (well at least experienced) java programmers can pull down $150 an hour for server side programming. It's offtopic but I learned it the other day and have been looking for a place to put it.
Alternate realities celebrate reality. If you can't handle the reality you're in, then you won't be able to handle the one you're attempting to escape to.
July 19th, 2002, 01:21 PM
For once I agree with Palemoon, this really sounds like social engineering to me also. A 13 year old can be a social engineer as good as a 30 year old. Or at least they can try.
zepherin> I don't know java, but hook me up anyway. I can learn quite fast for $150/hour... Maybe that company needs some new network techs?
Azn> I am an IS Coordinator for a company that you have never heard of. If you have heard of it, then you either don't live in California, or you have been to way too many bars for a 13 year old. My "job" has absolutely nothing to do with security, except some virus protection. At least my job description doesn't. I use my spare time at work (never have that, do I irc'ers) to play with the network security here. Oh yeah, and telecom has absolutely NOTHING to do with security. Most telcos don't hire telecom majors for their security, they leave that to computer geeks. Even companies that run pbx systems don't have security as part of the telecom guy's job.
"Ignorance is bliss....
but only for your enemy"
July 19th, 2002, 01:31 PM
Security has always been a thorn in the side of business. I personally believe this for 2 reasons: 1) because you can't quantify the value of security until you've experienced a breach, and 2) because good security is often inconvenient. The first reason is especially true of a well-designed security policy. How do you justify financially supporting a department (security), that never seems to do anything? It's hard to explain to managers that, in this case, the security department is doing something -- they're keeping up with software patches, they're running security audits, they're managing accounts. Just because you haven't seen a battle (like with a hacker, for example), doesn't mean there isn't a war on.
The second reason is usually a pain for everybody, and not just managers. In my position, for example, I was recently appointed "security officer" for my team. I ran a security audit on all of our servers and discovered an old generic account that had root access. When I inquired about it, I found that at least 4 people knew the password and were using it frequently to do random (unauthorized) software installs and things they couldn't do with their own account. After I removed the account I discovered that more than 10 people knew the password to that account, and they were now all ticked off at me for removing their root account. Even though I tried to explain, "YOU'RE NOT SUPPOSED TO HAVE ROOT", they didn't understand. In that case, everyone saw security as nothing more than a major inconvenience.
/* You are not expected to understand this. */