If you think back to the last job you regretted taking, there’s probably at least one non-defining moment that you wish you had paid more attention to. To any outsider, that harbinger of a moment – be it when the boss asked you to pick up his drycleaning (jokingly, of course) or when your coworker gave you the “First Day Hug” – would have immediately sounded the something-is-seriously-wrong alarm. But, blinded by optimism about the job opportunity, that moment – and many subsequent moments – simply gets written off as a “quirk of the new job.” For Leigh, who had recently started as a development manager at a small software shop, that first non-defining moment came on her first day, when she met Shredder.
Shredder didn’t get his moniker by wearing a spiked helmet, purple cape, and blade-covered metal pauldrons. In fact, he even had a soft spot for ninja turtles. As it turned out, Shredder’s name came from the fact that his job entailed feeding sheet after sheet of paper into the company’s relatively-small paper shredder. That, and tech support.
Leigh did a bit of mental math and realized that, based on the tech’s salary, they were paying nearly six times what it would cost to hire a company like Iron Mountain to do the job. She mentioned to her boss, The Owner, that her previous company had bi-weekly onsite shredding service and asked if they had ever considered such an option.
“Oh, no-no-no-no,” The Owner mumbled, “that wouldn’t work. We can’t have just some company come in and touch our papers. They could steal something! They could see what we’re doing! They can’t be trusted!”
Figuring that The Owner had been scared off by some sensationalized news story, Leigh didn’t press the issue and continued on with the first day tour. And that’s when she encountered the second moment that, in retrospect, should have been an ah-ha moment.
For security purposes, so The Owner said, all computers in the office were walled-off from the outside. Many even had a red label affixed to the monitor that read NO INTERNET ACCESS. The only computer with outside access was his, and he was more than happy to print off whatever “internet page” an employee needed. Just so long as the employee would take the print out to Shredder when he was done. For security purposes, of course.
Between her internet-enabled cell phone and her company email (which, apparently, was not considered “internet access”), Leigh wasn’t all too worried. Sure, it’d be incredibly inconvenient but she figured she’d just have to deal with it like everyone else.
When Leigh finally had a chance to sit down and fire up her computer, she instinctively typed in “news.google.com” and hit enter. Surprisingly, the page loaded just fine. She typed in a few other addresses, and they loaded up just fine, too. Curious, Leigh dug in a bit further and noticed that her predecessor configured the proxy settings to point to 192.168.3.28.
That IP address belonged to The Owner who, apparently, had some sort of proxy server installed. Envisioning some oddball program that popped up an alert on The Owner’s computer whenever a request went through, Leigh decided not to tempt fate. Instead, she navigated to Sharepoint and downloaded the developer configuration document.
With SVN already installed, Leigh skipped to the part that provided the repository access info and noticed that the repository address – 192.168.3.28 – looked awfully familiar. Apparently, The Owner’s computer also served as the company’s SVN repository. Worse still, the SVN repository was directly exposed to the internet to allow developers to work remotely.
Concerned by the openness of The Owner’s computer and the network in general, Leigh advised him to consider a VPN. Not only would providing network access be easier, it’d be significantly more secure.
“Heh, no-no-no-no,” explained The Owner, “we’re perfectly safe as is. I bought the MegaLinkUltra Network Firewall DX800-D! No one’s breaking in here.”
The MegaLinkUltra Network Firewall DX800-D was an $850 appliance that allowed all sorts of advanced configuration, from rotating pin-holes to traffic throttling. Of course, The Owner had never upgraded the firmware and simply configured it to route most internet traffic to his computer. Leigh tried to explain why this mostly defeated the purpose of a firewall.
“No-no-no-no,” The Owner chuckled, “the firewall keeps us all very safe. That’s what it’s there for!”
Clearly, The Owner wasn’t going to budge on his $850 security blanket, so Leigh offered another bit of network advice: move the “important” internet-facing services – such as the company’s website and email – to a data center. That way, should there be a power outage, their email would still come through and visitors would actually have a website to visit.
“Actually,” The Owner paused for a moment, thinking over the suggestion, “No-no-no-no, we couldn’t do that! The hosting company would steal our website! Or read our email! We can’t afford that.”
It didn’t take too long after that for the something-is-seriously-wrong alarm to go off in Leigh’s head. The final straw came, however, a few weeks in when The Owner decided to pull Shredder off of tech-support (thereby crippling Leigh’s team) to focus on an emergency task: shred the piles of 20+ year-old floppy disks that The Owner had found in his closet. They were all commercial software and operating system disks, but The Owner insisted that they be shredded anyway.
The next day, she happily tendered her resignation, satisfied with the knowledge that her employment files would be shredded. For security purposes, of course.