They hired a new hotshot engineering manager (the kind that makes physical things). He hates the engineering software we run. I don’t blame him, it’s crap software. He constantly complains about how slow it its. He’s right again. Crap Software Vendor says it’s my platform that makes their software slow and buggy. I’m willing to make any changes they recommend, but they’ve got nothing. They’re like, “it runs fine in our test env.” So hotshot goes rogue and signs contracts to move engineering to a cloud platform that he used at his old job. I wasn’t brought in until after the ink dried.

New vendor sends me a link, login, and password via email. I go to the link. It’s fucking remote desktop gateway. Open to the internet. The password isn’t a temp, that’s my permanent unchangeable password. This is how they handle user access control. No MFA. Nothing between the screaming void and our data but IIS and an AD password.

So I start pissing in the tent. I tell everyone this is unacceptable security for our IP. Vendor acknowledges that their security is insufficient and lays out their roadmap to fix it, hopefully by the end of year(I’m holding my breath). I ask if we can just run the software ourselves.

I have a convo with our CEO who usually listens to my advice. He asks if we can just host the new software on our platform (the one that already has MFA and a whole lot of other security measures). I say, “That’s exactly what I was thinking.” So, CEO email in hand I go back to the group and tell them to make preparations to move the implementation to our platform.

Hotshot starts bitching and moaning about how he doesn’t want another slow app. A data analyst chimes in with her two cents out of fucking nowhere. I’m not even sure why she’s on the email chain. I’m about two seconds away from going Joe Pesci on these goombas.

What the fuck guys? Who cares if the app is slower on our platform (not that it necessarily will be)? What good is a fast app that’s insecure? How fast is it gonna be when it’s ransomwared to hell? It’ll be nice that the app is fast when BianLian is downloading all our designs so they can extort us.

“Well they’re a big company and they haven’t gotten hacked yet?” Thanks for that Captain Smith, but I know a fucking iceberg when I see one.

  • @satanmat@lemmy.world
    link
    fedilink
    401 year ago

    Get three envelopes….

    Yeah that’s a shirt move on his part to not bring you in. I can’t believe that his boss allowed it to go through

        • @Numenor@lemmy.world
          link
          fedilink
          371 year ago

          A fellow had just been hired as the new sysadmin of a large high tech corporation. The sysadmin who was leaving met with him privately and presented him with three numbered envelopes. “Open these if you run up against a problem you don’t think you can solve,” he said.

          Well, things went along pretty smoothly, but six months later, there a major DoS attack against the infrusture and he was really catching a lot of heat. About at his wit’s end, he remembered the envelopes. He went to his drawer and took out the first envelope. The message read, “Blame your predecessor.”

          The sysadmin went to his superiors and tactfully laid the blame at the feet of the previous admin because of bad security. Satisfied with his comments, management responded positively, he sorted it all out, got the servers running again and the problem was soon behind him.

          About a year later, the company was again experiencing a major outage, combined with serious hacking problems. Having learned from his previous experience, the sysadmin quickly opened the second envelope. The message read, “Blame the cloud hosts.” This he did, and the company quickly rebounded.

          After several consecutive months of no downtime, the servers once again acted up. The admin went to his office, closed the door and opened the third envelope.

          The message said, “Prepare three envelopes.”

  • @signofzeta@lemmygrad.ml
    link
    fedilink
    English
    221 year ago

    Simple. Your users don’t care if it’s insecure. They click on fake password reset emails. You’re the bad guy here. They still haven’t forgiven you for requiring them to enter numbers when they want to log in.

  • chiisanaA
    link
    111 year ago

    Just say your cybersecurity insurance will not cover damages caused as result of inclusion of applications that are not compliant with the policy, loop in legal, sit back and watch how quickly bricks are shat.

    • @somedaysoon@lemmy.world
      link
      fedilink
      English
      61 year ago

      He still has the ear and backing of the CEO, so I’d say stick around, but if that changes then I would be looking to bounce the fuck on out of there.