DevDisaster: For Security Purposes, of Course
Small software shop's Internet security redefines job security.
If you think back to the last job you regretted taking, there's probably at least one non-defining moment that you wish you had paid more attention to. To any outsider, that moment -- when the boss asked you to pick up his dry cleaning (jokingly, of course), or when your coworker gave you the "First Day Hug" -- would have immediately sounded the something-is-seriously-wrong alarm. But, blinded by optimism of the job opportunity, that moment -- and many subsequent moments -- get written off as "quirks of the new job." For Leigh, who had recently started as a development manager at a small software shop, that first non-defining moment was on her first day, when she met Shredder.
Shredder didn't get his moniker by wearing a spiked helmet, purple cape and blade-covered metal pauldrons. In fact, he even had a soft spot for ninja turtles. As it turned out, Shredder's name came from his job, which entailed feeding sheet after sheet of paper into the company's relatively small paper shredder. That, and tech support.
Leigh did a bit of mental math and realized that, based on the tech's salary, the company was paying nearly six times what it would cost to hire a company like Iron Mountain to do the job.
Figuring that the owner had been scared off by some sensationalized news story, Leigh didn't press the issue and continued on with the first day tour. And that's when she encountered the second peculiarity that, in retrospect, should have been an a-ha moment.
For security purposes, the only computer with Internet access was the owner's, and he was more than happy to print off whatever "Web page" an employee needed.
Between her Internet-enabled cell phone and her company e-mail -- which, apparently, was not considered "Internet access" -- Leigh wasn't all too worried. Sure, it'd be incredibly inconvenient, but she figured she'd just have to deal with it like everyone else.
When Leigh finally had a chance to sit down and fire up her computer, she instinctively typed in "news.google.com" and hit enter. Surprisingly, the page loaded just fine. She typed in a few other addresses, and they loaded up just fine, too. Curious, Leigh dug in a bit further and noticed that her predecessor had configured the proxy settings to point to 192.168.3.28.
That IP address belonged to the owner who, apparently, had some sort of proxy server installed. Envisioning some oddball program that popped up an alert on the owner's computer whenever a request went through, Leigh decided not to tempt fate. Instead, she navigated to SharePoint and downloaded the dev-configuration document.
With Subversion (SVN) already installed, Leigh skipped to the part that provided the repository access info and noticed that the repository address -- 188.8.131.52 -- looked awfully familiar. Apparently, the owner's computer also served as the company's SVN repository. Worse still, the SVN repository was directly exposed to the Internet to allow developers to work remotely.
Concerned by the openness of the owner's computer and the network in general, Leigh advised him to consider a virtual private network (VPN). Not only would providing network access be easier, but a VPN would be significantly more secure.
"No," said the owner. "We're perfectly safe as is. I bought the MegaLinkUltra Network Firewall DX800-D! No one's breaking in here."
The MegaLinkUltra Network Firewall DX800-D was an $850 appliance that allowed all sorts of advanced configuration, from rotating pinholes to traffic throttling. Of course, the owner had never upgraded the firmware and simply configured it to route most Internet traffic to his computer. Leigh tried to explain why this mostly defeated the purpose of a firewall.
"No, no," the owner chuckled. "The firewall keeps us all very safe."
Clearly, he wasn't going to budge on his $850 security blanket, so Leigh offered another bit of network advice: Move the "important" Internet-facing services -- such as the company's Web site and e-mail -- to a data center. That way, even with a power outage, their e-mail would still come through and visitors would actually have a Web site to visit.
|Tell Us Your Tale
Each issue Alex Papadimoulis, publisher of the popular Web site The Daily WTF, recounts first-person tales of software development gone terribly wrong. Have you experienced the darker side of development? We want to publish your story. Send us your 300- to 600-word tale -- if we print it, you'll win $100 and an RDN T-shirt! E-mail your story to Senior Editor Kathleen Richards at firstname.lastname@example.org and use "DevDisasters"as the subject line.
"Actually," the owner paused for a moment, thinking over the suggestion. "No, we couldn't do that! The hosting company would steal our Web site! Or read our e-mail! We can't afford that."
The final straw came a few weeks later when the owner decided to pull Shredder off of tech-support -- thereby crippling Leigh's team -- to focus on an emergency task: shredding the piles of 20-plus-year-old floppy disks that the owner had found in his closet. The disks were all commercial software and operating systems, but the owner insisted that they be shredded anyway.
The next day, Leigh happily tendered her resignation, satisfied with the knowledge that her employment files would be shredded. For security purposes, of course.
Alex Papadimoulis is a managing partner at Inedo LLC and publisher of the Web site "Worse Than Failure" (WorseThanFailure.com). He writes the DevDisasters page in every issue of Redmond Developer News.